Security tools with ddwrt and optware – Part I.

Posted on November 6, 2011

On a small router like the Netgear WNR3500L we can install and use many open source security tools. I tested the following free software, just for fun:

– Snort
– Nmap
– Tcptraceroute
– Hping

I do not know what performance degradation to expect when these run on the router, but there are powerful enough routers for a "home business" that have no problem with such load.

1. Snort

1.1 Look for snort

Check it on nslu2 (optware):

root@:~# ipkg-opt info snort
Package: snort
Version: 2.8.6.1-1
Depends: libpcap, pcre
Status: unknown ok not-installed
Section: net
Architecture: mipsel
maintainer: NSLU2 Linux
MD5Sum: 806a8a6a8b7a76df9ca6b21aad96f8b7
Size: 769585
Filename: snort_2.8.6.1-1_mipsel.ipk
Source: http://dl.snort.org/snort-current/snort-2.8.6.1.tar.gz
Description: A lightweight network intrusion detection system.
Successfully terminated.

Check if ipkg has a newer version

root@:~# ipkg info snort
Package: snort
Version: 2.4.4-1
Depends: libnet, libpcap, libpcre
Section: net
Architecture: mipsel
Maintainer: OpenWrt Developers Team
MD5Sum: 692dcaaa481c1645f84d30180ab53f72
Size: 330376
Filename: snort_2.4.4-1_mipsel.ipk
Source: N/A
Description: a flexible Network Intrusion Detection System (NIDS),
built without database logging support

1.2 Install snort

root@:/# ipkg-opt install snort
Installing snort (2.8.6.1-1) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/snort_2.8.6.1-1_mipsel.ipk
Installing pcre (8.13-1) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/pcre_8.13-1_mipsel.ipk
Configuring pcre
Configuring snort
Successfully terminated.

1.3 Try snort

root@:/# snort -V
snort: can’t load library ‘libuClibc++.so.0’

1.4 Look for uclibc and install

I probably installed more than needed: the missing library is provided by the libuclibc++ package alone, so the buildroot toolchain package is not required for this.

root@:/opt/share/doc/snort# ipkg-opt list | grep -i uclibc
buildroot - 4.1.1-13 - uClibc compilation toolchain
libuclibc++ - 0.2.2-9 - C++ standard library designed for use in embedded systems
uclibc-opt - 0.9.28-13 - micro C library for embedded Linux systems
root@:/# ipkg-opt install buildroot
Installing buildroot (4.1.1-13) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/buildroot_4.1.1-13_mipsel.ipk
Configuring buildroot
Updating /opt/etc/ld.so.cache
root@:/# ipkg-opt install libuclibc++
Installing libuclibc++ (0.2.2-9) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/libuclibc++_0.2.2-9_mipsel.ipk

1.5 Try snort again

root@:/# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 8.13 2011-08-16

This works! With this build no configuration file or rule set is installed; they must be created manually. I tested it with my own rule and configuration file, but the official rules and a sample configuration are available from snort.org.

A) Create snort configuration file

# mkdir /opt/etc/snort
# vi /opt/etc/snort/snort.conf

include /opt/etc/snort/rules/icmp.rules

B) Create a rule file

# mkdir /opt/etc/snort/rules
# vi /opt/etc/snort/rules/icmp.rules# (rule options)
alert icmp any any -> any any (msg:”ICMP Packet”; sid:477; rev:3;)

C) Create a logging directory

# mkdir /tmp/mnt/snortlog

D) Start snort

# snort -i vlan2 -c /opt/etc/snort/snort.conf -l /tmp/mnt/snortlog
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/opt/etc/snort/snort.conf"
Tagged Packet Limit: 256
Log directory = /tmp/mnt/snortlog

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
1 detection rules
0 decoder rules
0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

-i set interface
-c set the config file with path
-l set the logging directory
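An added example, not from the post: a small Python helper that parses Snort rules in the form used above, lints them (required msg/sid/rev options, duplicate sids, and the sid range, since sids below 1000000 belong to the official rule sets), and lays out the same snort.conf / rules/icmp.rules / log directory structure under a prefix of your choice before snort is started with -c and -l. The prefix, the temporary directory and the LOCAL_RULE text are assumptions for the demo; the rule parser is deliberately simple and does not handle semicolons inside content strings.

```python
import os
import re
import tempfile

# Header: action proto src sport dir dst dport, followed by "(options)".
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Snort reserves sids below 1,000,000 for the official rulesets; local rules
# start at 1,000,000 so they never collide with a vendor rule of the same sid.
LOCAL_SID_MIN = 1_000_000

# The rule from the post, and an assumed local variant with a sid in range.
PAGE_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
LOCAL_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:1000001; rev:1;)'


def parse_rule(line):
    """Split one rule into (header fields, option dict). Naive on ';' inside
    content strings, which is enough for simple rules like the post's."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line.strip()!r}")
    header = m.groupdict()
    opts = {}
    for opt in header.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return header, opts


def lint_rules(text):
    """Return warnings for a rules file body; blank lines and comments are skipped."""
    warnings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _, opts = parse_rule(line)
        except ValueError as err:
            warnings.append(f"line {n}: {err}")
            continue
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                warnings.append(f"line {n}: missing {required}")
        sid = opts.get("sid")
        if sid is None:
            continue
        if not sid.isdigit():
            warnings.append(f"line {n}: non-numeric sid {sid!r}")
            continue
        if int(sid) < LOCAL_SID_MIN:
            warnings.append(f"line {n}: sid {sid} is in the range reserved "
                            f"for official rules; use >= {LOCAL_SID_MIN}")
        if sid in seen:
            warnings.append(f"line {n}: duplicate sid {sid} (also line {seen[sid]})")
        seen.setdefault(sid, n)
    return warnings


def write_snort_tree(prefix, log_dir, rules_text):
    """Create <prefix>/snort.conf and <prefix>/rules/icmp.rules, plus log_dir."""
    rules_dir = os.path.join(prefix, "rules")
    os.makedirs(rules_dir, exist_ok=True)
    os.makedirs(log_dir, exist_ok=True)
    rules_path = os.path.join(rules_dir, "icmp.rules")
    with open(rules_path, "w") as f:
        f.write(rules_text.rstrip("\n") + "\n")
    conf_path = os.path.join(prefix, "snort.conf")
    with open(conf_path, "w") as f:
        f.write(f"include {rules_path}\n")   # same one-line config as the post
    return conf_path, rules_path, log_dir


def build_demo(rules_text=LOCAL_RULE, base=None):
    """Lint the rules and, only if clean, lay out the tree in an assumed
    temp directory; returns (conf, rules, log_dir, warnings)."""
    warnings = lint_rules(rules_text)
    if warnings:
        return None, None, None, warnings
    base = base or tempfile.mkdtemp(prefix="snort-demo-")
    conf, rules, log_dir = write_snort_tree(os.path.join(base, "etc"),
                                            os.path.join(base, "log"), rules_text)
    return conf, rules, log_dir, warnings


if __name__ == "__main__":
    for w in lint_rules(PAGE_RULE):
        print("page rule:", w)
    conf, rules, log_dir, _ = build_demo()
    # The command the post runs, with the generated paths substituted in.
    print(f"snort -i vlan2 -c {conf} -l {log_dir}")
```

Run it and the post's own rule is flagged for its sid, while the in-range variant passes and produces a tree you can point snort at with -c and -l.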

2. nmap

Check it on nslu2 (optware):

root@:/# ipkg-opt info nmap
Package: nmap
Version: 5.35DC1-1
Depends: libpcap, openssl, pcre, libstdc++
Status: unknown ok not-installed
Section: net
Architecture: mipsel
maintainer: NSLU2 Linux
MD5Sum: 3c1925b70471bab6e33d03fa3414498a
Size: 2102122
Filename: nmap_5.35DC1-1_mipsel.ipk
Source: http://download.insecure.org/nmap/dist/nmap-5.35DC1.tar.bz2
Description: Nmap is a feature-rich portscanner

Check if ipkg has a newer version

root@:/# ipkg info nmap
Package: nmap
Version: 3.81-2
Depends: libgcc, libpcap, libpcre, uclibc++
Section: net
Architecture: mipsel
Maintainer: OpenWrt Developers Team
MD5Sum: 036923c7aa9999e13429e7dab69a9dce
Size: 382265
Filename: nmap_3.81-2_mipsel.ipk
Source: http://svn.openwrt.org/openwrt/branches/whiterussian/openwrt/package/nmap
Description: Nmap is a free open source utility for network exploration or security auditing.

Package: nmap
Version: 4.01-1
Depends: libgcc, libdnet, libpcap, libpcre, uclibc++
Section: net
Architecture: mipsel
Maintainer: OpenWrt Developers Team
MD5Sum: b967a345fce1558ae3136b22da01c21d
Size: 526786
Filename: nmap_4.01-1_mipsel.ipk
Source: N/A
Description: Nmap is a free open source utility for network exploration or security auditing.

2.1. Install nmap

root@:/# ipkg-opt install nmap
Installing nmap (5.35DC1-1) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/nmap_5.35DC1-1_mipsel.ipk
Installing libuclibc++ (0.2.2-9) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/libuclibc++_0.2.2-9_mipsel.ipk
Configuring libuclibc++
Configuring nmap
Successfully terminated.

2.2 Try nmap

root@:/# nmap -v
nmap: can’t load library ‘liblua.so’

2.3 Look for lua and install

root@:/# ipkg-opt list | grep lua
lua – 5.1.4-3 – Lua is a powerful light-weight programming language designed for extending applications.
luarocks – 2.0.4.1-1 – LuaRocks is a deployment and management system for Lua modules.
perlconsole – 0.4-2 – Perl Console is a small program that implements a Read-eval-print loop: it lets you evaluate Perl code interactively.
root@:/# ipkg-opt install lua
Installing lua (5.1.4-3) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/lua_5.1.4-3_mipsel.ipk
Installing readline (6.1-2) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/readline_6.1-2_mipsel.ipk
Installing ncurses (5.7-1) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/ncurses_5.7-1_mipsel.ipk
Configuring lua
Configuring ncurses
update-alternatives: Linking //opt/bin/clear to /opt/bin/ncurses-clear
Configuring readline
Successfully terminated.

2.4 Try nmap again

root@:/# nmap -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-10-31 13:03 UTC

Works, but not exactly: the prompt is dead after stopping nmap and it eats up my CPU. I have to dig in Google.

3. tcptraceroute

I have not found tcptraceroute in optware yet, but with hping and tcpdump we can reach the same result! So we need to install hping first.

4. hping

4.1 install hping

root@:~# ipkg-opt install hping
Installing hping (20051105-4) to /opt/…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/hping_20051105-4_mipsel.ipk
Configuring hping
Successfully terminated.
root@:~#

4.2 tcptraceroute like solution

For example, with tcptraceroute you can find the blocking firewall (the layer 3 device that drops your packets) on the IP path when you cannot reach your destination. The same can be done by hand with hping as the prober and tcpdump as the listener:

A) Start a sniffer trace for ICMP Time Exceeded on your outgoing interface.

# tcpdump -i vlan2 -nvvvx 'icmp and icmp[icmptype] = 11 or host DESTINATION' &
Example:
# tcpdump -i vlan2 -nvvvx 'icmp and icmp[icmptype] = 11 or host google.com' &

DESTINATION stands for the target host name or IP. The filter is one argument, so quote it; unquoted, the shell would try to expand icmp[icmptype] as a glob. The "or host" part also catches the SYN+ACK or RST from the destination once a probe gets through, and the "&" keeps tcpdump running in the background while hping is typed into the same shell.

icmp type 11 is the Time Exceeded Message.
Link:
http://en.wikipedia.org/wiki/ICMP_Time_Exceeded

B) Start hping towards the destination, increasing the TTL value step by step

# hping -p 80 -S -t 1 -a 192.168.2.50 DESTINATION

-p destination TCP port, here 80 (http)
-S send a TCP SYN
-t TTL value of the probe
-a source IP to put in the packet, here 192.168.2.50 (the address of the router interface we capture on); if this is not an address of the capturing interface, the ICMP replies are sent elsewhere and tcpdump sees nothing

Setting the TTL to 1 yields the first ICMP Time Exceeded, from our next-hop router:

root@:~# hping google.com -p 80 -S -t 1 -a 192.168.2.50
HPING google.com (lo 74.125.39.104): S set, 40 headers + 0 data bytes
18:25:50.887452 IP (tos 0x0, ttl 64, id 1014, offset 0, flags [none], proto ICMP (1), length 56)
192.168.2.1 > 192.168.2.50: ICMP time exceeded in-transit, length 36
IP (tos 0x0, ttl 1, id 59221, offset 0, flags [none], proto TCP (6), length 40)
192.168.2.50 > 74.125.39.104: [|tcp]
0x0000: 4500 0038 03f6 0000 4001 f14b c0a8 0201
0x0010: c0a8 0232 0b00 faf3 0000 0000 4500 0028
0x0020: e755 0000 0106 9dbb c0a8 0232 4a7d 2768

# hping google.com -p 80 -S -t 12 -a 192.168.2.50

And so on, until you reach a TTL value at which no ICMP Time Exceeded comes back and no SYN+ACK or RST arrives from the destination either, i.e. the tcpdump output stays empty. Then you have reached a firewall that drops your session initiation, and you have at least found its next hop (the last hop that answered). Two things to keep in mind: a single hop that is merely silent (ICMP rate-limited or filtered) looks the same at that one TTL, so probe a few higher TTLs before concluding that the path is blocked; and the TCP reply tells you more than reachability, because a SYN+ACK means the port is open while a RST means the host is reachable but the port is closed.
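To make the mechanism concrete, here is an added Python example (not part of the original post) that decodes a tcpdump -x dump like the one shown above: it parses the outer IPv4 header, checks for ICMP type 11, then reads the quoted IPv4 header of the original probe to recover the hop that answered, the TTL, IP ID and destination of the probe and, when enough of the datagram is quoted, the TCP ports. The first sample is the page's own capture (the post cuts it off after the 0x0020 line, 48 of the 56 bytes the outer header announces, so the quoted TCP header is absent and the ports come back as None); the second is a constructed copy with a made-up final line so the port extraction can be shown.

```python
import ipaddress
import struct

# The page's own tcpdump -nvvvx capture of the ICMP Time Exceeded reply
# from the next hop (TTL 1 probe). The post cuts the dump off after the
# 0x0020 line, so the quoted TCP header of the probe is missing.
PAGE_CAPTURE = """\
0x0000: 4500 0038 03f6 0000 4001 f14b c0a8 0201
0x0010: c0a8 0232 0b00 faf3 0000 0000 4500 0028
0x0020: e755 0000 0106 9dbb c0a8 0232 4a7d 2768
"""

# Constructed: the same reply with a made-up 0x0030 line supplying the
# first 8 bytes of the quoted TCP header (source port 2587, dest port 80).
FULL_CAPTURE = PAGE_CAPTURE + "0x0030: 0a1b 0050 5e2f 1a00\n"

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte part of an IPv4 header


def hexdump_to_bytes(dump):
    """Turn tcpdump -x output ("0x0010: c0a8 0232 ...") back into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _offset, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def parse_ipv4(buf):
    """Decode the IPv4 header at the start of buf; return (fields, payload)."""
    if len(buf) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(buf)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    fields = {
        "len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    return fields, buf[ihl:]


def parse_time_exceeded(dump):
    """Extract who answered, and which probe they answered for, from one dump.

    Returns the replying hop, the probe's TTL/id/addresses and, when the
    quoted bytes reach that far, the probe's TCP ports (else None).
    """
    outer, icmp = parse_ipv4(hexdump_to_bytes(dump))
    if outer["proto"] != 1:
        raise ValueError(f"protocol {outer['proto']} is not ICMP")
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 11:
        raise ValueError(f"ICMP type {icmp_type}, expected 11 (Time Exceeded)")
    # Bytes 4..7 are unused for type 11; the quoted original datagram starts at 8.
    inner, quoted = parse_ipv4(icmp[8:])
    info = {
        "hop": outer["src"],          # the router that expired our probe
        "code": icmp_code,            # 0 = TTL exceeded in transit
        "probe_ttl": inner["ttl"],    # the TTL hping sent (-t value)
        "probe_id": inner["id"],
        "probe_src": inner["src"],
        "probe_dst": inner["dst"],
        "probe_proto": inner["proto"],
        "sport": None,
        "dport": None,
    }
    # RFC 792 only promises the inner header plus 8 bytes of its payload, and a
    # cut-off dump may carry even less, so read the ports only if they are there.
    if inner["proto"] == 6 and len(quoted) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", quoted[:4])
    return info


def describe(info):
    """One traceroute-style line for a parsed reply."""
    ports = "" if info["dport"] is None else f" tcp/{info['dport']}"
    return (f"ttl {info['probe_ttl']}: {info['hop']} expired the probe "
            f"{info['probe_src']} -> {info['probe_dst']}{ports}")


if __name__ == "__main__":
    for dump in (PAGE_CAPTURE, FULL_CAPTURE):
        print(describe(parse_time_exceeded(dump)))
```

Feeding each hop's reply through parse_time_exceeded as you raise -t gives you the hop list; the probe_ttl it recovers from the quoted header lets you match a reply to the hping run that caused it even when replies arrive out of order.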

Posted in: ddwrt, Linux, Security