Uses for WRT54G
Hello. This is an article to introduce the Linksys WRT54G and its capabilities.
Some of us may know about this, some may not. Hopefully this post will open some new insights and ideas on using the WRT54G to its full capacity.
As of now, this router is flashed with: v4.71.1, Hyperwrt 2.1b1 + Thibor15c. My router is originally a WRT54G; after the flash it shows up as a WRT54GS. The difference between the two models is the amount of RAM the router has.
Warning: When flashing your router, make sure the firmware supports it, specifically your hardware version.
Flashing this firmware on a version earlier than version 6 will cause it to be bricked. I've bricked a version 4 myself; I've bought another one since then.
Anyhow, once you've flashed the firmware, it is time to have some fun.
Let's get started.
Navigate to Administration.
Under the Management tab, you should see the options for SSH.
Check the check-boxes, fill in the necessary fields and save.
Now you should be able to SSH in.
Open up Konsole:
Code:
bt ~ # ssh 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is f3:f3:8b:2d:39:1c:20:c4:0b:ee:c7:f0:b8:31:e5:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
root@192.168.1.1's password:
BusyBox v1.1.2 (2006.04.29-14:07+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
Now you are in. Everything should look similar to bash.
An ls command should reveal:
Code:
# ls
bin dev etc lib mnt proc sbin tmp usr var www
#
Because the router has so little RAM, the set of available commands is limited.
Code:
# cd bin
# ls
ash df gunzip mknod pwd sync watch
busybox dmesg gzip more rm tar zcat
cat echo hostname mount rmdir touch
chmod egrep kill mv run-parts true
chown false ln netstat sed umount
cp fgrep login pidof sh uname
date getopt ls ping sleep usleep
dd grep mkdir ps stty vi
Other commands include:
Code:
# cd /sbin/
# ls
check_ps ifconfig process_monitor
check_ses_led ifdown qos
ddns_checkip ifstat rc
ddns_success ifup reboot
detectwan init redial
disconnected_pppoe insmod resetbutton
eou_status ipupdated restore
erase klogd rmmod
fdisk led route
filter listen sendudp
filtersync lsmod ses_led
gpio misc stats
gtime mkswap swapoff
halt modprobe swapon
hb_connect ntpd sysctl
hb_disconnect poptop syslogd
hotplug poweroff udhcpc
hwclock ppp_event write
#
It may be possible to edit the firmware to include your favorite applications. However, I cannot provide expertise on that topic.
Keep in mind that this firmware uses SquashFS, so the root filesystem is read-only.
Code:
# mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
#
You may be able to modify the firmware to change the file system; I'm not too sure.
Note: the WRT54G firmware source code is released under the GNU GPL.
You can mount a network share with mount to run other programs, such as ettercap.
And, yes, network interfaces show up:
Code:
# ifconfig
br0 Link encap:Ethernet HWaddr 00:14:BF:1F:47:5E
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6234 errors:0 dropped:0 overruns:0 frame:0
TX packets:4606 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:738247 (720.9 KiB) TX bytes:3662624 (3.4 MiB)
eth0 Link encap:Ethernet HWaddr 00:14:BF:1F:47:5E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49894534 errors:0 dropped:0 overruns:0 frame:0
TX packets:2577586 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3104262220 (2.8 GiB) TX bytes:300208107 (286.2 MiB)
Interrupt:4 Base address:0x1000
eth1 Link encap:Ethernet HWaddr 00:14:BF:1F:47:60
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2566507 errors:0 dropped:0 overruns:0 frame:7411492
TX packets:3149620 errors:239 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:282062671 (268.9 MiB) TX bytes:4007789503 (3.7 GiB)
Interrupt:2 Base address:0x5000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:884 (884.0 B) TX bytes:884 (884.0 B)
vlan0 Link encap:Ethernet HWaddr 00:14:BF:1F:47:5E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:720 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:292732 (285.8 KiB)
vlan1 Link encap:Ethernet HWaddr 00:14:BF:1F:47:5F
inet addr:207.210.26.88 Bcast:207.210.27.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:163286 errors:0 dropped:0 overruns:0 frame:0
TX packets:4811 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11483493 (10.9 MiB) TX bytes:726737 (709.7 KiB)
#
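As an added example (not from the original post), this script reduces BusyBox-style ifconfig output in the layout shown above to one line per interface and flags any interface whose error or frame counters are non-zero, which is how you would spot a noisy radio like eth1 above. It assumes it runs on the admin workstation rather than on the router, since the router's /bin listing has sed and grep but no awk; the sample input is constructed and uses a documentation-range address in place of the real WAN address.

```shell
#!/bin/sh
# Added example (not from the original post): summarise BusyBox-style
# `ifconfig` output, in the layout shown above, as one line per interface,
# flagging any interface whose error or frame counters are non-zero.
# Assumption: it runs on the admin workstation, not on the router, because
# the router's /bin listing above has sed and grep but no awk.

# Constructed sample in the post's layout; a documentation-range address
# (203.0.113.10) stands in for the real WAN address.
SAMPLE_IFCONFIG='eth1 Link encap:Ethernet HWaddr 00:14:BF:1F:47:60
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2566507 errors:0 dropped:0 overruns:0 frame:7411492
          TX packets:3149620 errors:239 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
vlan1 Link encap:Ethernet HWaddr 00:14:BF:1F:47:5F
          inet addr:203.0.113.10 Bcast:203.0.113.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:163286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0'

# summarise_ifconfig: reads ifconfig text on stdin and prints one line per
# interface: "<iface> <inet-addr|none> rxerr=N txerr=N frame=N OK|CHECK".
summarise_ifconfig() {
    awk '
    function flush() {
        if (name == "") return
        state = (rxerr + txerr + frame > 0) ? "CHECK" : "OK"
        printf "%s %s rxerr=%d txerr=%d frame=%d %s\n", name, addr, rxerr, txerr, frame, state
    }
    # counter(key) returns the value of the "key:value" field on the current line
    function counter(key,   i, kv) {
        for (i = 1; i <= NF; i++) { split($i, kv, ":"); if (kv[1] == key) return kv[2] }
        return 0
    }
    # A new interface block starts with "<name> Link encap:..."
    $2 == "Link" && $3 ~ /^encap:/ {
        flush(); name = $1; addr = "none"; rxerr = txerr = frame = 0; next
    }
    /inet addr:/  { sub(/.*inet addr:/, ""); addr = $1; next }
    /RX packets:/ { rxerr = counter("errors"); frame = counter("frame"); next }
    /TX packets:/ { txerr = counter("errors"); next }
    END { flush() }'
}

# Stand-alone run: prints the summary of the constructed sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | summarise_ifconfig
```

To use it against a live router from the workstation, pipe `ssh root@192.168.1.1 ifconfig` into summarise_ifconfig instead of the sample.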

Being able to run commands on the router over SSH has a lot of uses.
As a side note, when you create an SSH tunnel directly to your router, which sits in front of the cable modem, the traffic carried through the tunnel between your computer and the router (your WAN gateway) is encrypted.
Thanks for reading the post, and hopefully it opens some doors for interesting pentesting.