Tuesday, February 9, 2016

How to build a MiniPwner with a TP-LINK TL-MR3040

A MiniPwner is a penetration testing drop box which can provide some interesting capabilities if you're able to insert one into a target's network. It is a small device, and the MR3040 in particular contains a battery, which means you don't have to worry about power for at least a few hours. Because it runs OpenWRT, there are a variety of infosec-friendly packages which can facilitate things such as reverse SSH or VPN tunneling and port scanning with nmap. While it may not have the horsepower to run Metasploit, you can certainly use a MiniPwner as a conduit to forward traffic from a Metasploit install elsewhere. The tutorial that follows is more or less what is described on their website, but some steps are glossed over there, which I cover here, so hopefully this helps fill in the gaps for people who may not be comfortable fiddling with embedded devices.

First take a USB drive (the tutorial suggests a 16 GB USB stick, but I'm using 8 GB in this tutorial) and format it so that the first partition is a 500 MB swap partition and the remaining partition is ext4. I did this in Kali with the gparted utility. Here is a screenshot of what gparted looked like.


Next, download the OpenWRT firmware that is appropriate for the MR-3040 here.

Using the Ethernet cable, plug the MR3040 into a computer. Authenticate to the router by navigating to 192.168.0.1 and using admin/admin as the credentials.

Navigate to the Firmware Upgrade endpoint by clicking on System Tools on the left-hand side to expand those options. Then click on Firmware Upgrade.

Click on the Choose File button and select the openwrt-ar71xx-generic-tl-mr3040-v2-squashfs-factory.bin file you downloaded earlier.

Click Upgrade. A confirmation dialog will appear and the MR3040 will proceed to be flashed with OpenWRT.


After the flashing process finishes, the MR3040 will reboot, and its default IP address changes from 192.168.0.1 to 192.168.1.1. Access the newly flashed MR3040 by pointing your browser to 192.168.1.1. You may have to disconnect your host computer from your home Internet connection while you do this, since 192.168.1.0/24 is a common network for home routers.

After pointing your browser to 192.168.1.1 you can authenticate to the MR3040 with a username of root and a blank password.



The next task is to install packages that will enable the MR3040 to interface with the USB drive. To do that, the MR3040 needs Internet access. In this case, I used the MR3040 to connect to my home wifi network. To do this I clicked on Network and then Wifi. Then I clicked on Scan to have the MR3040 identify my home wifi network.


After the scan identified my home wifi network, I clicked on Join Network. The next screen asks for the passphrase and allows you to set a network name and configure firewall rules. I left the network name as the default wwan, and left the firewall rules set to wan, which was empty for me. Another screen comes after this which confirms all of the details, and I clicked on Save & Apply.

Next, open a terminal and telnet into the MR3040. You should not have to supply credentials at this point.


Confirm that you have Internet access by pinging 8.8.8.8. DNS is not working properly at this point, though, so we'll need to update the network configuration for the br-lan interface. Edit the /etc/config/network file and add the line option dns '8.8.8.8' to the entry for the lan interface. It should look like this:


Reboot the MR3040 by typing reboot -f. When it comes back up, telnet back in and attempt to ping a domain name. It should work this time. Now we should be able to update the MR3040 appropriately. From your telnet session, type opkg update to update the list of packages that can be installed. Now we'll install all of the packages for USB by typing:
opkg install kmod-scsi-core kmod-usb-storage block-mount kmod-lib-crc16 kmod-crypto-hash kmod-fs-ext4


Insert the USB stick into the 3G port and reboot by typing reboot -f from the telnet session. Telnet back into the MR3040. Our next task is to get the MR3040 to recognize the USB drive. We'll do this by modifying the /etc/config/fstab file. First make a backup of the file and then edit fstab until it resembles this:


Then copy the contents of the flash memory on the MR3040 onto the USB drive with the following commands:
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
mkdir /mnt/sda2
mount /dev/sda2 /mnt/sda2/
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot

Then update /etc/config/fstab so that the MR3040 will use the USB drive as the root folder. It should resemble this:


Reboot the MR3040 by typing reboot -f again. Now we will verify that the MR3040 is identifying the USB drive correctly by typing df -h to look at the disk space usage. You should see that /dev/sda2 is there and has gigabytes of space available.


Now we will install the MiniPwner overlay. Change directory into /tmp and download the overlay with this command:
wget http://minipwner.com/images/Overlay/minipwner-overlay_2.0.0.tar


Extract it with this command: tar -xvf minipwner-overlay_2.0.0.tar. It appears that the setup.sh that got archived in this tar was edited using Windows-style line endings. Edit the setup.sh file and manually delete the DOS line-ending ^M characters at the end of each line. I attempted to set the file format to be unix, using :set ff=unix, but was unsuccessful. Save setup.sh and execute it with sh setup.sh. Flip the 3-way switch to WISP and reboot.
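The ^M cleanup described above can also be scripted instead of done by hand in an editor. This is an added example, not part of the original post or the MiniPwner overlay: the function names are hypothetical and the sample file is constructed to stand in for setup.sh. It counts CRLF lines, strips them while keeping the original download, and uses sh -n to confirm the script parses before it is run.

```shell
#!/bin/sh
# Added example (not from the original post): find and remove DOS (CRLF)
# line endings in a downloaded shell script. Function names are hypothetical.

CR=$(printf '\r')

# Print the number of lines ending in a carriage return (0 if none).
count_crlf() {
    grep -c "${CR}\$" "$1" || true
}

# Strip trailing CRs in place, keeping the untouched download as FILE.orig.
strip_crlf() {
    cp "$1" "$1.orig" || return 1
    sed "s/${CR}\$//" "$1.orig" > "$1"
}

# Parse the script without executing it; CRLF endings show up as syntax errors.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# Constructed sample standing in for setup.sh: a small script saved with CRLF.
make_sample() {
    printf 'if true; then\r\n  echo overlay installed\r\nfi\r\n' > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    echo "before: $(count_crlf "$f") CRLF lines"
    syntax_ok "$f" && echo "parses" || echo "does not parse"
    strip_crlf "$f"
    echo "after:  $(count_crlf "$f") CRLF lines"
    syntax_ok "$f" && echo "parses" || echo "does not parse"
    rm -f "$f" "$f.orig"
}

demo
```

To apply it to the real file, call strip_crlf setup.sh in the directory where the tar was extracted; the unmodified download stays next to it as setup.sh.orig.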

Telnet back in and you should be welcomed with a MiniPwner banner instead.


Now we will go through the process of installing security-related packages. Type opkg update to update the list of packages the MR3040 is aware of. Next install the packages with the following commands (I ran into a character limit on the terminal so I had to split it up into two commands):
opkg install libpcap libstdcpp libpthread zlib libopenssl libbz2 bzip2 terminfo libnet1 libpcre libltdl libncurses librt libruby wireless-tools hostapd-common-old kmod-madwifi ruby uclibcxx libnl libcap libreadline libdnet libdaq libuuid libffi python-mini openssl-util kmod-tun liblzo libevent2-core libevent2-extra libevent2-openssl libevent2-pthreads libevent2 aircrack-ng elinks ettercap karma kismet-client kismet-drone kismet-server netcat nmap openvpn-easy-rsa openvpn-openssl perl samba36-client

opkg install samba36-server snort tar tcpdump tmux yafc wget python vim unzip

If you want to install any other packages at a later date, be sure to run opkg update before attempting to opkg install your desired package.

Finally, don't forget to run the passwd command to set a password, disable telnet, and enable SSH. The next time you try to remote into your device you will have to use SSH to access it.

69 comments:

  1. Great Guide thanks...
    but I'm stuck when rebooting after the second time editing the fstab file. When my mr3040 reboots I can't connect to it via telnet, ssh or the web gui.

    Thanks again and any advice on where I'm stuck?

  2. Thank you for your guide, it was epic and filled in the gaps that the main guide on the minipwner website left out. An IMPORTANT NOTE for noobs using gparted for the first time, MAKE SURE YOU ACTUALLY PARTITION YOUR USB prior to going ahead with anything. I had set the partitions, but forgot to actually write them to the usb, so was getting Storage errors and could not install anything. This took me 2 days to figure out lol.

  6. I had problems with the ext4 partition in the USB drive. To solve this I used ext3 and it works without problem.

  7. I'm stuck trying to pivot root to the usb, once I create the /mnt/sda2 I cannot mount it because it says it is not there, and then when I create it again it says it already exists. I have tried reflashing my router and nothing has helped. Can anyone help? :(

    Replies
    1. I'm having this issue as well, was there ever a fix found?

    2. I also have this issue, I've been at it for a few days and could not get it to work. Did you?

    3. install kmod-lib-crc32c and kmod-crypto-crc32c then try again.

    4. That doesn't work. After research I found that this is because new kernels format partitions with crc32 instead of crc16, which is supported. To solve this I downloaded an old live CD with an old kernel, formatted the USB all over again and that's it!

  9. I have been trying to get this set up for the past few 2 days. When I came across your article and wanted to know if others have been able to get it to work. Glad to hear from anyone with updated info blancomichael0@gmail.com...

  10. The screenshots help with the tutorial.

  14. 192.168.0.1 is the address of an array of D-Link and Netgear model routers, similar to 192.168.1.1

  34. Thanks for sharing amazing information !!!!!!
    Please keep up sharing.
