Open in app

Sign in

Write

Sign in

Pentest Lab — Part 1: OpenWRT with Extroot

Nicole Murillo
Code|Beta Blog
Published in
7 min readAug 9, 2019

Had the opportunity to change the focus on my IT career from a SAP Basis Admin to Infosec, couldn’t waste that change so I had to take it. This meant that I needed to better my knowledge in this area.

Following the recommendation by The Lock Picking Lawyer, one should practice their craft in multiple different ways, he mentions in this video that

there is a difference between learning how to pick a lock and learning how to pick locks

— The Lock Picking Lawyer

He also mentions, in that same video, that practice should be made on several different locks so that one doesn’t get used to the intricacies of one particular lock.

Taking that advice and applying it to my infosec career, it means that I should further practice, aside from the fact that I learn better by being hands-on and documenting my process.

So this series talks about the lab environment that I’m setting up at home just for this reason. My idea is to have a network where I can have vulnerable services to practice penetration testing techniques and also to run malware for analysis, this means that there are multiple aspects that need to be configured in order to prevent any of my other devices from becoming infected by any malware or having anyone else leverage the vulnerable systems that I’m running and gain access to my network.

The Test Network

I have an unusual home network, with multiple vlans and other aspects that I have implemented, and written about in this blog, to secure the network in different aspects.

So I changed my network setup to create what I now refer to as the test network, and this is a segregated area where I can run vulnerable systems and malware without it causing any issues to my other devices or to other systems outside of my home network.

The reasoning as to why I didn’t completely segregate this network, is because I wanted to be able to connect to it from anywhere so that if I had some downtime at the office or when visiting my parents, I could carry out tests.

I had a Netgear WNDR3700 router laying around, having changed routers relatively often it means that I have a couple available in storage, so I brought it back to life and will use it to further segregate the test network and to also have an openvpn server so that I’m able to access this network.

The Netgear router is set to allow connections via SSH and OpenVPN from the WAN port and block pretty much any connection attempts from the LAN side, with the exception of DHCP, DNS, and NTP protocols. The Netgear router is also not forwarding any traffic, this means that the hosts inside the test network are able to resolve addresses to IP addresses, even of outside addresses, but they are unable to connect to anything outside of that network.

OpenWRT on the Netgear WNDR3700

Ever since I obtained the Netgear router, I replaced the OEM firmware with OpenWRT firmware, though it was with the stock image and using the internal storage, which is about 4MB.

I was happy to find that I was able to upgrade the firmware to the latest version, so I installed 18.06.4. I managed to configure it so that it would hand out IP addresses via DHCP, act as a DNS server and resolve the hostnames. I don’t really intend on the router doing much more, to be quite honest, just find that making it do too much doesn’t make sense and may make it more vulnerable.

But I did try to install several packages and ended up filling up the internal storage to 100%, which is not the first time I ran into that issue. So I looked into using the USB port on the router and moving the root to the external storage.

Creating a Custom OpenWRT Firmware

I looked into the documentation from OpenWRT on the Extroot Configuration and created a simple firmware version that contained the necessary tools to mount the USB thumb drive as root.

After downloading the image builder package from the Releases page at OpenWRT, I proceeded to check that my router was still supported by running the following command

make info | grep -A 2 -i 'wndr3700'

Be sure to run that command on the directory that is created when extracting the contents of the image builder archive. The output of that command should look something like this

wndr3700:
    NETGEAR WNDR3700
    Packages: kmod-usb-core kmod-usb-ohci kmod-usb2 kmod-usb-ledtrig-usbport kmod-leds-wndr3700-usb

If you are doing this for another router, replace wndr3700 with whatever your router’s model number is.

Now we can proceed to create the base firmware for the router by running the command below

make image PROFILE=wndr3700 PACKAGES="kmod-fs-ext4 kmod-usb-storage kmod-usb-ohci kmod-usb-uhci"

This will take a while to complete, specially when other components need to be downloaded to the system. If all ended successfully, then we should have several .bin files created under bin/targets/ar71xx/generic .

Since I was already running OpenWRT on the router, I used the bin file with sysupgrade in the name. Just upload the firmware through the web interface and reset the router to factory defaults.

Mounting Root in the USB Thumb Drive

Because the firmware I created for the router is the base version, it doesn’t have a web interface, so access is only available via ssh and there is no default password for root, also it is only accessible from the LAN side.

Once we have access to the router, I first proceeded to update the packages and install the block-mount package by running the following commands

opkg update
opkg install block-mount

Validate that the necessary kernel modules are loaded by running the command

lsmod | grep -Ei 'sd_mod|usb-storage|ext4'

The output should be something along the lines of

crc16                    960  1 ext4
crypto_hash             8288  3 ext4,jbd2,crc32c_generic
ext4                  326304  0
jbd2                   45616  1 ext4
mbcache                 2768  1 ext4
scsi_mod               86752  2 usb_storage,sd_mod
sd_mod                 25424  0

I wanted to make sure that after I made the necessary changes, that they were in fact applied, so I checked the current status of storage by running the df -h command before and after making the changes, being sure to document all of the output.

Since I have a lot of headless devices running in my network, I always want to make sure that they’re able to boot up successfully without user interaction, so I always run through a reboot process after configuring a service or system.

At this point we can mount the USB thumb drive, be sure to format the storage device with ext4 partition type previously as we will not run through that process in the router due to lack of tools. Mount the storage device using the command below

mount /dev/sda1 /mnt

If there are multiple partitions made on the USB thumb drive, then be sure to replace /dev/sda1 accordingly. I’m using an 8GB thumb drive so I only created one partition. Now, 8GB is quite overkill, but I didn’t have any smaller thumb drives, not that they’re easily available anyways.

Once mounted, verify that it is in fact mounted, we need to copy over all of the current data in /overlay to the /mnt directory and we do this by running this command

tar -C /overlay/ -c . -f - | tar -C /mnt/ -xf -

Once this copy process is completed, run the sync command, then unmount the thumb drive with the command umount /dev/sda1 and run the command below to create the fstab for this thumb drive

block detect > /etc/config/fstab

The file that is created should look something like the one below

config 'global'
       option  anon_swap       '0'
       option  anon_mount      '0'
       option  auto_swap       '1'
       option  auto_mount      '1'
       option  delay_root      '5'
       option  check_fs        '0'

config 'mount'
       option  target  '/mnt/sda1'
       option  uuid    '01234567-89AB-CDEF-1234-567890ABCDEF'
       option  enabled '0'

We need to change it to reflect that this is the new /overlay by changing the target and enabled options to the ones below

config 'mount'
       option  target  '/overlay'
       option  uuid    '01234567-89AB-CDEF-1234-567890ABCDEF'
       option  enabled '1'

Save the file and enable the fstab configuration with the command below

/etc/init.d/fstab enable

At this point reboot the router and wait for it to come back up. There are a couple of steps more that we need to take, but at this point the router should come back up and be using the thumb drive as the primary storage, we can validate this using the df -h command.

We also need to check that uci sees the changes, so run the following command

uci show fstab

If the output comes back like the one below

fstab.@global[0]=global
fstab.@global[0].anon_swap='0'
fstab.@global[0].anon_mount='0'
fstab.@global[0].auto_swap='1'
fstab.@global[0].auto_mount='1'
fstab.@global[0].delay_root='5'
fstab.@global[0].check_fs='0'
fstab.@mount[0]=mount
fstab.@mount[0].target='/mnt/sda1'
fstab.@mount[0].uuid='01234567-89AB-CDEF-1234-567890ABCDEF'
fstab.@mount[0].enabled='0'

We will need to make some changes by running the two commands below

uci set fstab.@mount[0].target='/overlay'
uci set fstab.@mount[0].enabled='1'
uci commit fstab
service fstab boot

We can reboot the device once more and make sure that the external storage is still being mounted.

Conclusion

This is just the beginning, this series will have several parts as there are many aspects to setting up this test network so be sure to check back.

Next, we will be setting up the OpenVPN server and firewall to allow connecting to the network from the outside of the Netgear router and being able to carry out attacks to the vulnerable hosts that are inside the test network.

Tech
Pentesting
Openwrt
Netgear Router Setup
Infosec

--

--

Nicole Murillo
Code|Beta Blog

Written by Nicole Murillo

83 Followers
Editor for

[ Feminist | Queer Trans Woman | Technical Consultant | Infosec | Fan of Vinyl Records and Film Photography ]

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams