How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).

Download Firmware Mod Kit

If you examine your firmware using Binwalk you will get lots of useful information such as headers, sections, the compression used, etc.

After installing the FMK I will extract my firmware for the MR3020.

Next, you will see your extracted firmware inside the fmk directory. You can explore the file system of your router like this.

Inside the “web” directory you can find the source code for the router’s web interface, which runs on port 80. This is an example where I’ve modified the banner of the “top.htm” page.

After your modifications are done use this bash script inside the fmk directory and build the firmware.

My router uses BusyBox. BusyBox is a single executable that provides stripped-down versions of several common Unix tools.

We can first write a simple bind shell and test if it works. For that, I have written a simple bind shell in C using fork() so that it can handle multiple clients and we won’t need to restart the router each time a client’s socket closes 🙂

https://github.com/OsandaMalith/TP-Link/blob/master/bindshell.c

Compile using the GCC cross compiler for the MIPS architecture.

We pass the static option so that all external libraries are linked into the binary. This is because the router’s BusyBox-based userland may not ship the shared libraries the binary would otherwise need. The march=24k value is chosen according to the router’s CPU model.

Since the static binary is large, I’ll strip the debugging symbols and similar sections to reduce its size.

After that we can place this shell inside the “bin” directory and change the startup script to run our shell after booting. The “rcS” file can be found inside the “/etc/rc.d” folder. This script runs once the system has finished initializing, so it can launch our backdoor after everything else is ready.

As you can see, I have set the shell to run in the background after the httpd daemon is started.

Next, build the firmware and update your new firmware 🙂

If I run a very basic nmap scan, you can see that port 9999 is listening.

Here you go, my simple bind shell 🙂

You can add a password so that not everyone who finds the port can use the shell.
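From the defender’s side, the change described above leaves a clear trace: an extra binary started in the background from rcS. As an added example (not code from the original post or the linked repositories), here is a small Python audit script that parses a BusyBox-style rcS, flags any command outside an expected baseline, and, when pointed at an FMK-extracted rootfs, checks whether the referenced binary is actually present in the image. The sample rcS and the baseline set are constructed assumptions, not the author’s files.

```python
from pathlib import Path

# Constructed sample modelled on a BusyBox /etc/rc.d/rcS (not the author's file).
SAMPLE_RCS = """#!/bin/sh
mount -t proc proc /proc
/sbin/ifconfig lo 127.0.0.1 up
/usr/bin/httpd &
/bin/bindshell &
/usr/sbin/telnetd
"""

# Assumed baseline: commands a clean vendor image starts (hypothetical values).
BASELINE = {"mount", "/sbin/ifconfig", "/usr/bin/httpd", "/usr/sbin/telnetd"}


def parse_rcs(text):
    """Return [(command, backgrounded)] per executable line; blanks/comments skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # also drops the shebang line
        tokens = line.rstrip("&").split()
        if not tokens:
            continue
        entries.append((tokens[0], line.endswith("&")))
    return entries


def find_suspicious(entries, baseline=BASELINE, rootfs=None):
    """Flag commands outside the baseline. An unknown binary launched in the
    background is exactly the trace a planted bind shell leaves in rcS."""
    findings = []
    for cmd, background in entries:
        if cmd in baseline:
            continue
        reasons = ["not in baseline"]
        if background:
            reasons.append("started in background")
        if rootfs is not None:
            binary = Path(rootfs) / cmd.lstrip("/")
            if binary.is_file():
                reasons.append(f"binary present, {binary.stat().st_size} bytes")
            else:
                reasons.append("binary missing from extracted rootfs")
        findings.append((cmd, reasons))
    return findings


def audit_rootfs(rootfs):
    """Audit an FMK-extracted rootfs directory by reading its /etc/rc.d/rcS."""
    rcs_text = (Path(rootfs) / "etc/rc.d/rcS").read_text()
    return find_suspicious(parse_rcs(rcs_text), rootfs=rootfs)
```

Run `audit_rootfs("fmk/rootfs")` against a freshly extracted image and compare the result with the same run against the vendor’s original firmware; any new backgrounded entry deserves a closer look.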

What else can we do? We can do lots of cool things, but remember that flash space is limited for everything we add. Here’s a simple sniffer written by Vivek. https://github.com/OsandaMalith/TP-Link/blob/master/sniffer.c

Compile it, strip it, build the firmware and upload it to your device. Put the interface into promiscuous mode, then pass the sniffer the interface name and the packet count. I use br0, the bridge interface that carries the default gateway. Here’s a sample output.

Likewise, you can do lots of cool things with your router. Also check out OpenWrt: after installing it on your router you can do far more than by modifying the existing firmware.

If you are interested in embedded hacking, have a look at the awesome PentesterAcademy series “Make Your Own Hacker Gadget”.

My bind shell was included in Chapter 3 of the book IoT Penetration Testing Cookbook: https://github.com/PacktPublishing/IoT-Penetration-Testing-Cookbook/blob/master/Chapter03/03_codefile.txt
