Network Sniffing
From Wiire
Introduction
With the internet functionality of the Wii there are of course many interesting tidbits about the console that can be learned from its network traffic. This article is focused mostly on setting up test scaffolding to facilitate reverse engineering of these protocols and communications. A lot of the traffic used by the Wii is plain-text HTTP and other plain-text protocols. However, an equally large chunk is encrypted with SSL. The latter is much harder to peek at, but the plain text still has many hints to offer about the system.
WRT54G with Open-WRT
This is my preferred method for sniffing traffic, and you end up with a better router in the end anyway.
Requirements
- WRT54G running Open-WRT, with:
  - NFS client
  - tcpdump
  - iptables
- Linux workstation, with:
  - NFS server
  - ssh client
  - Ethernet connection to the WRT54G
  - Wireshark network analyzer
Workstation
This is pretty Gentoo specific, as that's what I use. The basic configuration information is here, but your installation will be different. It is assumed you already have a working Linux workstation.
SSH
Most people will already have this, but if not install the open-ssh package.
| System Command: |
Workstation ~ # emerge openssh |
You will need this to log in to your router after installing Open-WRT.
NFS server
Install the nfs package.
| System Command: |
Workstation ~ # emerge nfs-utils |
Create a directory for the exported file system.
| System Command: |
Workstation ~ # mkdir /mnt/store
Workstation ~ # chmod 777 /mnt/store
Workstation ~ # chown nobody:nobody /mnt/store |
Export the file system by editing /etc/exports.
| File: /etc/exports |
#/etc/exports
#Place directories here to be exported to other systems
/mnt/store 192.168.1.0/255.255.255.0(rw,sync) |
Now start the NFS server and add it to the default run level.
| System Command: |
Workstation ~ # /etc/init.d/nfs start
Workstation ~ # rc-update add nfs default |
WireShark
Wireshark is a network analyzer; because it can open tcpdump output files (libpcap format), I use it to analyze the dumps taken on the WRT54G router.
| System Command: |
Workstation ~ # emerge wireshark |
Open-WRT
For detailed instructions and information about installing and configuring Open-WRT, see the OpenWrt wiki.
Installation
Installation on the WRT54G from the original firmware is pretty straightforward.
- Download the correct .bin file from www.openwrt.org
  - The TRX vs BIN section of the wiki has a list of downloads by WRT54 version.
- Log into your Linksys web interface.
- Go into the Firmware Update page.
- Browse to your file.
- Install the bin.
Configuration
For this example I will use a basic non-secure wireless configuration. The remote file system will need to be mounted and tcpdump will need to be installed.
Password
After installation you will need to telnet in to the router at its address (192.168.1.1 in the session below) and set the root password.
| System Command: |
Workstation ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
BusyBox v1.00 (2006.03.24-09:16+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  [OpenWrt ASCII-art logo: W I R E L E S S   F R E E D O M]
  [WHITE RUSSIAN release banner with the cocktail recipe]
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
Password changed.
root@OpenWrt:~#
|
After setting the password you should be able to ssh into the router.
Wireless
The tool used to configure most of the settings of the router after upgrading is nvram. A few parameters will need to be configured.
- Set the SSID in wl0_ssid
- Reboot the router
| System Command: |
root@OpenWrt:~# nvram set wl0_ssid=<Your stations name>
root@OpenWrt:~# reboot |
Mounting NFS
You will need to install the NFS kernel modules, load them, and mount the file system.
| System Command: |
root@OpenWrt:~# ipkg install kmod-nfs
root@OpenWrt:~# insmod sunrpc
root@OpenWrt:~# insmod lockd
root@OpenWrt:~# insmod nfs
root@OpenWrt:~# mount -o nolock <ip of server>:/mnt/store /mnt |
Installing tcpdump
Just install it with ipkg.
| System Command: |
root@OpenWrt:~# ipkg install tcpdump |
Capturing Data
To capture data you will probably want to see only the traffic going to and from the Wii. You can get its address from the DHCP leases file. Then all you need to do is go to your /mnt directory (the NFS mount) and start the dump with a host filter.
| System Command: |
root@OpenWrt:/mnt# cat /tmp/dhcp.leases
947298481 00:19:1d:f6:1e:26 192.168.1.124 Wii 01:00:19:1d:f6:1e:26
947298494 00:13:02:ba:4e:dd 192.168.1.108 * 01:00:13:02:ba:4e:dd
947298528 00:11:d8:8a:0f:d2 192.168.1.100 * 01:00:11:d8:8a:0f:d2
root@OpenWrt:/mnt# tcpdump -s 2048 -w wii.dump host 192.168.1.124
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 2048 bytes |
Just press Ctrl-C to stop the capture after you have generated the traffic you want to inspect.
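As an added example (not from the original page), a small POSIX shell script for the router that finds the Wii's lease in /tmp/dhcp.leases by hostname and starts the capture on that address, so the host filter does not have to be retyped whenever the lease changes. The hostname "Wii" and the sample lease lines are taken from the listing above; the function names are mine.

```shell
#!/bin/sh
# Added example: look up the Wii's DHCP lease on the OpenWrt router and capture only its traffic.
# dnsmasq lease format (one per line): <expiry> <MAC> <IP> <hostname> <client-id>

# Sample lease file contents, copied from the listing in this article (constructed test input).
SAMPLE_LEASES='947298481 00:19:1d:f6:1e:26 192.168.1.124 Wii 01:00:19:1d:f6:1e:26
947298494 00:13:02:ba:4e:dd 192.168.1.108 * 01:00:13:02:ba:4e:dd
947298528 00:11:d8:8a:0f:d2 192.168.1.100 * 01:00:11:d8:8a:0f:d2'

# wii_ip_from_leases LEASEFILE [HOSTNAME]
# Prints the IP of the first lease whose hostname field matches (default "Wii").
# Returns 1 when no such lease exists, so the caller never starts tcpdump with an empty filter.
wii_ip_from_leases() {
    leasefile="$1"
    wanted="${2:-Wii}"
    awk -v want="$wanted" '
        $4 == want { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$leasefile"
}

# capture_wii LEASEFILE OUTFILE
# Resolves the console's address and writes the capture (libpcap format, readable by
# Wireshark) to OUTFILE, e.g. a file on the NFS mount under /mnt.
capture_wii() {
    ip=$(wii_ip_from_leases "$1") || { echo "no lease named Wii in $1" >&2; return 1; }
    echo "capturing $ip to $2 (Ctrl-C to stop)" >&2
    # "host" matches both directions, so server replies are captured as well as the
    # console's requests; -s 2048 keeps whole frames (old tcpdump truncates by default).
    tcpdump -s 2048 -w "$2" host "$ip"
}
```

On the router, source the script and run `capture_wii /tmp/dhcp.leases /mnt/wii.dump`; it fails early with a message if the console has not taken a lease yet.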
Atheros-based WiFi adapter
Before upgrading my router to Open-WRT I used this method, with an extra WiFi adapter in AP mode. For this setup I used a Gentoo Linux workstation.
Requirements
- Atheros chipset based WiFi adapter
- Linux workstation with:
  - madwifi-ng drivers
  - a working network connection (not the Atheros card)
  - iptables
  - a kernel with IP_FORWARD enabled
Building the Kernel
I like to use genkernel to build my kernel. This example assumes you have already built and installed a kernel, so a few options are used to skip the clean and the mrproper steps.
| System Command: |
Workstation ~ # genkernel --no-clean --no-mrproper --menuconfig all |
That command should put you in the menuconfig for the Linux kernel. You need to enable some things. Go to Networking, then Networking options. Here you will need to enable Network packet filtering if it is not already enabled. After enabling that option, go into its menu and then under IP:. Here I just enable everything as a module, but the only things required are:
- IP tables support
- MASQUERADE
Exit out of the menus, let the kernel compile and install, then reboot.
Installing the Madwifi-ng drivers
This is an easy one in Gentoo.
| System Command: |
Workstation ~ # emerge madwifi-ng
Workstation ~ # modprobe wlan |
Configuring the Atheros adapter
This is the interface that will act as the access point for the Wii to connect to. It is assumed you already have a network connection that is up and working; for simplicity I use two separate interfaces (the existing network card for the uplink and the Atheros card for the AP) rather than putting both roles on the Atheros card.
- Remove all the VAPs
- Create a new VAP in AP mode
- Configure the AP
| System Command: |
Workstation ~ # wlanconfig ath0 destroy
Workstation ~ # # The above will need to be run for any athXXX interfaces listed in ifconfig -a
Workstation ~ # wlanconfig ath0 create wlandev wifi0 wlanmode ap
Workstation ~ # # Replace wifi0 above with the wifiXXX interface your card is using
Workstation ~ # iwconfig athXXX essid "MYACCESSPOINT"
Workstation ~ # # athXXX above is whatever interface was created with wlanconfig
Workstation ~ # ifconfig athXXX 192.168.3.1 netmask 255.255.255.0 up |
With that your AP is up and running.
Configuring IPTABLES
Now we need to configure iptables to MASQUERADE connections from the AP to the real network connection. We will assume that the network connection is another card with the address 192.168.1.100 and that the network is 192.168.1.0/255.255.255.0.
| System Command: |
Workstation ~ # echo 1 > /proc/sys/net/ipv4/ip_forward
Workstation ~ # iptables -t nat -I POSTROUTING -s 192.168.3.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE |
Tcpdump
Just a quick install of tcpdump and Wireshark.
| System Command: |
Workstation ~ # emerge tcpdump
Workstation ~ # emerge wireshark |
Capturing Packets
Your Wii should now be able to connect to the AP created on the Atheros card. Without DHCP you will need to configure the connection on the Wii manually:
- IP: 192.168.3.2
- NETMASK: 255.255.255.0
- Default Router: 192.168.3.1
- Nameservers: <whatever you use>
In this setup you can run tcpdump as in the WRT54G method or you can just run wireshark and watch the packets in real time.
Tcpdump
| System Command: |
Workstation ~ # tcpdump -s 2048 -w wii.dump -i athXXX |
WireShark
| System Command: |
Workstation ~ # wireshark |
Go to Capture->Interfaces, then click Options for the athXXX interface, tick "Update list of packets in real time" and click Start. When done, click Stop in the Captured Packets window, then choose File->Save As, type wii.dump in the blank and save.
Viewing Captured Data
On your workstation go into your exported directory and start Wireshark with your dump file as the only argument.
| System Command: |
username@localhost ~ $ cd /mnt/store/
username@localhost /mnt/store $ wireshark wii.dump |
Tools
There is a plethora of tools and utilities out there to assist with reverse engineering.
Man In The Middle (MITM)
Man-in-the-middle attacks are probably the most useful for Wii hacking. There are many more options than what is presented here, but it's a start. The dsniff package has a handful of great utilities.
| System Command: |
Workstation ~ # emerge dsniff |
DNS Spoofing
One of the easier ways to inject your own content into the requests/responses of the Wii is with DNS spoofing and a proxy. The DNS spoof I use responds to all DNS lookups with the IP address of my proxy; dnsspoof, which is part of dsniff, works well.
| System Command: |
Workstation ~ # dnsspoof
dnsspoof: listening on eth1 [udp dst port 53 and not src 192.168.1.100] |
Now the fake DNS server is listening on 192.168.1.100; just point the Wii to this as its DNS server and all requests will go here instead of to the real servers. Although this method works, I prefer using a transparent proxy.
Proxy
In order to do anything with the redirected connections we will need a proxy to handle the requests. The proxy will need to pass the requests along to the real servers.
Webmitm
This is the MITM server that comes as part of the dsniff package. It works well with the plain-text traffic, but it uses a fake certificate for SSL that the Wii will have nothing to do with. This package is designed to work with dnsspoof.
| System Command: |
Workstation ~ # webmitm
Generating RSA private key, 1024 bit long modulus
...................................++++++
..........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key
webmitm: certificate generated
webmitm: relaying transparently |
Squid/Dansguardian
This is a much more robust package. Designed as an enterprise caching proxy, Squid can run in transparent mode, which comes in handy when using the WRT54G method. Dansguardian is a web content filter that can be coerced into modifying web traffic on the fly for you.
| System Command: |
Workstation ~ # emerge squid
Workstation ~ # emerge dansguardian |
After installation you will need to do some configuration to make the server work. More to come.
Web Server
If you want to create your own application to feed the Wii when it tries to access the Nintendo servers, a stand-alone web server will do nicely. I have found Apache/PHP does the job well.
Install Apache
| System Command: |
Workstation ~ # emerge apache |
Install PHP
First edit the /etc/make.conf file and add apache2 to the USE flags, then install.
| System Command: |
Workstation ~ # emerge php |
Now just edit /etc/conf.d/apache2 and make the APACHE2_OPTS line look like the one below
| File: /etc/conf.d/apache2 |
APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5" |
Then start apache.
| System Command: |
Workstation ~ # /etc/init.d/apache2 start |
Network Diagnostic
There are a number of really great tools for network diagnostics that come in handy when reverse engineering in this manner.
Nmap
Nmap (Network Mapper) has many features for scanning for open ports and the like.
| System Command: |
Workstation ~ # nmap --help
Nmap 4.01 ( http://www.insecure.org/nmap/ )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-P0: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast - Scan only the ports listed in the nmap-services file)
-r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <msec>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <msec>: Give up on target after this long
--scan-delay/--max-scan-delay <msec>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
|
Net Cat
Net Cat is great for sending/receiving raw data over TCP or UDP connections. You can easily have it listen on a port and pipe content from the command line into the connection. For instance, on PC1 I ran:
| System Command: |
Workstation opt # ls -al | nc -l -p 5580 |
On PC2 I ran:
| System Command: |
Workstation ~ # telnet <ip of PC1> 5580
Trying <ip of PC1>
Connected to <ip of PC1>
Escape character is '^]'
total 1
drwxr-xr-x 9 root root 272 May 2 08:51 .
drwxr-xr-x 22 dnhutchins users 592 Apr 18 07:31 ..
-rw-r--r-- 1 root root 0 Aug 3 2006 .keep
drwxr-xr-x 4 root root 120 Dec 4 2006 Acrobat7
drwxr-xr-x 2 root root 96 Dec 6 2006 bin
drwxr-xr-x 8 root root 192 Apr 23 15:48 blackdown-jdk-1.4.2.03
drwxr-xr-x 6 root root 144 May 2 08:51 ghc
drwxr-xr-x 3 root root 72 Apr 23 15:49 libreadline-java
drwxrwx--- 3 root users 304 Dec 6 2006 savalet
drwxr-xr-x 8 root root 192 Dec 6 2006 sun-jdk-1.5.0.08 |
This makes quick work of building test cases with shell scripts.
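As an added example (not from the original page), the nc listener idiom above turned into a canned HTTP responder for test cases: one shell function builds a valid HTTP/1.0 response with the correct Content-Length for a body file, and another serves it once with the same `nc -l -p` form used above while recording the request line the client sent. The function names are mine.

```shell
#!/bin/sh
# Added example: a canned HTTP responder built on "nc -l -p", for handing a test
# page to the console while recording what it asked for.

# http_response BODYFILE [CONTENT_TYPE]
# Prints a complete HTTP/1.0 response for the body file. Content-Length is computed
# from the file so the client knows where the body ends; HTTP needs CRLF line
# endings, so printf is used rather than echo.
http_response() {
    body="$1"
    ctype="${2:-text/html}"
    len=$(wc -c < "$body" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: %s\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n'
    printf '\r\n'
    cat "$body"
}

# request_line LOGFILE
# Extracts the first line (method, path, version) of a request that nc wrote to LOGFILE,
# stripping the trailing CR so it compares cleanly against what Wireshark shows.
request_line() {
    head -n 1 "$1" | tr -d '\r'
}

# serve_once PORT BODYFILE
# Answers the first client to connect on PORT with the canned response, like the
# "ls -al | nc -l -p 5580" pipeline above but with an HTTP reply. Whatever the client
# sends is captured by nc's stdout and the request line is reported on stderr.
serve_once() {
    port="$1"; body="$2"
    reqlog=$(mktemp)
    http_response "$body" | nc -l -p "$port" > "$reqlog"
    echo "request: $(request_line "$reqlog")" >&2
    rm -f "$reqlog"
}
```

Netcat variants differ in how they spell the listen options; the `-l -p` form here follows the command used above, so adjust it if your nc expects `nc -l PORT`.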
