beakmyn

Active Members
  • Posts

    422

Everything posted by beakmyn

  1. Thanks. It is a simple process and it really shouldn't have taken me as long as it did but I initially made some mistakes about how the interceptor worked and how the Fon worked. I did learn a fair bit about the internal networking so I'm glad it went the way it did. I am still curious as to why OpenVPN segfaults when it's on the Fon with karma.
  2. Typical of noise when the cables are too long. The noise is most likely entering through the video cable itself though it could be coming in on the AC. Although I'm reluctant to blame that as once it gets to the monitor it is rectified to DC. I would try putting a ferrite core on one end of the video cable to see if that knocks down the noise. Try a shorter cable to see if the noise is on the cable or power.
  3. Here's the first go at the writeup. I wrote it up as I did a fresh install so I don't think I missed any steps. I'm 3 for 3 on successful installation so it should work for all. JasagerIntercept Howto
  4. beakmyn

    bye Matt

    It's 4 people! (+-/ # guests) It's not like there's 30 hosts on the show. I'm sorry but if your memory for names is worse than mine and I've got the memory length of a goldfish for names. Sorry to see you go Matt, good luck in your future endeavours. Have fun.
  5. $29.00 for the Accton that is the same as the Fonera https://www.open-mesh.com/store/products.ph...Mini%252dRouter That Alfa and the above only have 1 RJ45 port. I haven't found a fon+ replacement yet. The Accton Fon+ is http://accton.com/products/product_range/21_weap/MR3202A.htm Try the Robin open-mesh forums maybe someone can tell you a reseller: MR3202A 2 Port Mini Router
  6. With Jasager on the Fon+ you can hook the WAN port to the internet. I'm trying to get the LAN to act as a monitor port but so far it's not working out too well. I can get the Jasager running on the FON+. I can get the interceptor to sniff the WIFI and replicate traffic to the LAN port. Right now I can't get the two on a single FON+ to play nice. I'm getting kernel panics when I try to get everything running. Karma installed. iptables removed. Router reboot and kernel panic just when it loads the ath0 driver.

    One last try before I give up. I'm going to see what will happen if I just try using daemonlogger br-wan to eth0.0. I know digininja had issues when he was doing this to the wifi but I want to know if I'll have the same problems. Right now I know something related to openvpn/openssl/et. al is causing kernel panics when it's running in the Jasager environment.

    EDIT: 28JAN2010 2:04 EST IT'S ALIVE!!! So, daemonlogger and br-wan to eth0.0 and not mangle the packets. Need further clarification on "Mangle" from digininja though. Here's what I was able to have victim laptop get Jasager'd then on the LAN I was able to capture packets and watch IronGeek's wall of shame in action. I'm not using VPN so no segfaults or added stress on the FON. Basically it's a Jasager with a mirror port. A simple concept now that I figured out the right way to do it. A full writeup will follow or find me at Shmoocon and I'll hook you up.
  7. Woot! Part 1 is working. I am currently connected to the internet through wifi via the interceptor. My other laptop is VPNd into the Interceptor on 10.255.255.253 via LAN and wireshark is happily sniffing the wifi packets. Oh Goody. Intercept Laptop also connected serial just in case I fsck something up. Here is the code so far:

    $\brctl show

        bridge name     bridge id               STP enabled     interfaces
        br-wan          8000.001884a23740       no              ath0
                                                                eth0.1

    $\etc\config\network

        config 'interface' 'loopback'
            option 'ifname' 'lo'
            option 'proto' 'static'
            option 'ipaddr' '127.0.0.1'
            option 'netmask' '255.0.0.0'

        config 'interface' 'lan'
        #   option 'type' 'bridge'
            option 'proto' 'static'
            option 'ipaddr' '10.255.255.254'
            option 'netmask' '255.255.255.0'
            option 'ifname' 'eth0.0'

        config 'interface' 'wan'
            option 'ifname' 'eth0.1'
        #   option 'proto' 'dhcp'
            option 'type' 'bridge'

    $\etc\config\wireless

        config wifi-device wifi0
            option type atheros
            option channel auto
            # REMOVE THIS LINE TO ENABLE WIFI:
            option disabled 0

        config wifi-iface
            option device wifi0
        #   option type bridge
            option network wan
            option mode ap
            option ssid interceptor
            option encryption psk2
            option key is_sekret_kep_outz

    \interceptor\bin\startup.sh

        #!/usr/bin/env sh
        # Start only if the OpenVPN client key, certificate and CA certificate exist.
        if [ -f /interceptor/openvpn/client/client1.key ] &&
           [ -f /interceptor/openvpn/client/client1.crt ] &&
           [ -f /interceptor/openvpn/client/ca.crt ]
        then
            # Optional first argument: value passed to date to set the clock.
            if [ -n "$1" ]
            then
                /bin/date "$1"
            fi
            # Bring up the VPN client in the background and give the tunnel time to come up.
            /usr/sbin/openvpn /interceptor/openvpn/client/client.conf &
            /bin/sleep 10
            # Replicate traffic seen on br-wan to the tap0 VPN interface.
            /interceptor/bin/daemonlogger -i br-wan -o tap0 -d
        else
            echo "Openvpn certificates not found, please see www.digininja.org/interceptor for more information"
        fi

    Next step is to replicate this setup to the Jasager.

    Lost my edits :(

    28JAN2010 I've tried to implement the code on the FON that is running Jasager. So far I'm running into issues with Openvpn. It appears that the client is connecting to the server however, after that the tap and lan networks appear to die. I get no response on ssh and the serial connection is unresponsive. OpenVPN on the server is responding HOST UNREACH. THE PROBLEM IS RELATED TO OPENVPN. I know that much.

    Well I tried changing OpenVPNs IP just to see and I thought I had it fixed, for about 3 seconds then I got a kernel panic and Fon rebooted. :( Disabling iptables didn't help.

    Going to install 8.09 fresh. Install Interceptor. Make the changes to make it work on LAN. Try it out. If it works like it did last time I'll introduce Karma.

    ________________________________________________________________________________

    Notes: If you want to connect serial to the Fon this little guy is the way to go: http://www.sparkfun.com/commerce/product_i...roducts_id=8772 $13.95 + $4.95 Postal in US

    Native drivers in B|T 4
    Download drivers for Windows
  8. Thanks. I think the problem is/was that I never really sat down and looked in depth at the two systems running separately and how they operated. Last night I installed Interceptor on one Fon and Jasager on another and took a long look at how the two operate. I.E. what the bridges, iptables, etc/config/network, etc/config/wireless look like. I then realized I was going about it all wrong.

    I was trying to do the insane/impossible. I was trying to put everything on the same subnet and bridge and have the FON give out DHCP addresses and route traffic through WAN for WIFI AND LAN. Give everyone internet access and allow them to talk to each other and remain separate at the same time. I now realize the proper setup should be transparent to all.

    So, the new setup is to swap eth0.0 with ath0.

    Instead of connecting to WIFI for intercept I connect to LAN for intercept.
    LAN static network at 10.255.255.254.
    WIFI is bridged to WAN - WIFI clients get connected by Jasager and an IP from the WAN DHCP Server where ever it may be, it's NOT on the FON.
    I set my laptop LAN to 10.255.255.253.
    I run the startup.sh script and it connects the VPN through.
    I can then sniff the tap0.
    I can ssh to 10.255.255.254 and run karma_cli.

    I'm going to go through the files again and note the differences and make sure I completely understand what needs to be done rather than the previous half-assed attempts. Maybe I'll actually get it right this time. My apologies for putting you through all this. You can slap me at Shmoo.
  9. @digininja Can you send me a copy or post the output of brctl show and other items you think might help Something isn't right here. I took a different fon+ and tried to set up just interceptor. I can ping 10.255.255.254 and get a response but on the fon+ I cannot ping 10.255.255.253 Something is only allowing the connection one-way. I'm not sure where but the issue is the same as I was having with the Jasager. So, what happens is the FON+ can't VPN to my laptop as it gets a HOST_UNREACH error.
  10. Ok let's get this straight

    Fonera = Fon

    Fonera 1.0/1.5 (FON2100/2200/2201) - No longer for sale by FON
    Fon2100 = 1.0
    Fon2200 = 1.5
    Accton Model - MR3201A
    US - https://www.open-mesh.com/store/products.ph...Mini%252dRouter
    UK/AU/EU - https://www.open-mesh.com/store/products.ph...7%7DAU-MODEL%29
    1.x version have 1 ethernet port
    Model 2201 (FON+) has 2 Ethernet ports - Interceptor

    Fonera 2.0G (FON2202) - No longer for sale by FON
    Model 2202 has 2 Ethernet and USB - Development run of ~1000 units no longer for sale
    Hardware identical to Fon2201

    For the Fonera 2.0N (FON2303) - Currently for sale by Fon
  11. Well it can be fixed but it'll take more time and skill. What you'd have to do is trace the circuit to a via and solder a wire there. A via is basically a connection through all layers of the board, it looks like a hole to the naked eye. However, looking at the picture it doesn't look like there are any via and that circuit goes from the pad and the other side to the capacitor. That's probably a 4 layer board with top/bottom populated with components an inner layer for circuit runs and then a ground plane in between the two. I've fixed 6 layer boards where the FET literally burned a hole through the board. It wasn't pretty. Of course I have full schematics and layer drawings. In the end I had to repair about a dozen circuits and the board ran when I was done. Which was good since it was the last prototype we had.
  12. Ok here we go again. So here's where I'm at. I've got Jasager and interceptor installed. If a client connects to the Jasager they get an IP assigned by the WAN DHCP Server not the Fon. Don't know why. Jasager reports giving them a LAN dhcp address but if I check my IP on my jasager'd machine it's a WAN DHCP address. If I manually set my IP to within the LAN range 192.168.253.1 I can access the Jasager and webif interface but I cannot get out to the internet. If I fire up interceptor things get REALLY slow. So, at this point I think I need to get the lan and wifi onto the internal DHCP server. Not sure how to do that. If I brctl show I get eth0.0, eth0.1, ath0 all on br-lan In the webif interface under lan it's set to static bridged. What gives?
  13. That'll teach me to screw with brctl. I deleted my bridge and lost all ethernet access. Oopsy. Adding it back in from serial terminal didn't magically make it work. Ah poopy. Ok, start over. I think I'm going to start fresh.

    Install Gargoyle-router firmware made for Fon+
    Install Jasager package
    Install Interceptor package
    Remove /etc/init.d/interceptor so it doesn't get started, I don't think I need it.
    Modify line /interceptor/bin/startup.sh to /interceptor/bin/daemonlogger -i ath0 -o tap0 -d
    Try starting Jasager
    Try starting interceptor

    I'll see how that goes.
  14. Will do that. Something is really messed up. As soon as the VPN client starts on the FON I lose ALL access to the FON. Even the serial terminal stops responding. So, I think I've got something stuck in a loop. I.E. I think the traffic on lan/br-lan/ath0 is stuck continually replicating itself.

    on the serial terminal I start a ping of 192.168.254 my bt machine
    <ping responses>
    Start VPN
    device br-lan entered promiscuous mode
    watchdog expired, rebooting sytem
    <system is locked up>
  15. Getting into it farther. The problem appears to be with the VPN not daemonlogger. I can run daemonlogger from the fon with br-lan ath0 br-lan eth0.1. Then on the fon I can tcpdump -i ath0,eth0.1 or br-lan and see "traffic". So, I've disabled the daemonlogger portion of the startup script on the FON. I run startup from backtrack and a few moments after the VPN starts up I lose the route to 192.168.1.1. Also, I can't ping 10.8.0.2 (Destination Host unreachable). At this point I'm not sure if the problem is the FON or backtrack as I don't know which one is severing the connection. I think I'll build a serial cable and get that running and then try tcpdump -i tap0 on the FON with the vpn running. I've got a 3.3v serial to usb breakout board from Sparkfun which should work.

    EDIT: Yep the adapter works. Fits nicely inside the Fon too! FTDI_SIO driver built into 2.6.9 kernel so it's plug and play. /dev/ttyUSB0

    Something makes me wonder if iptables is somehow at fault.
  16. For the latest version of XP mode your hardware has to support virtualization. Mine didn't. There's an app called securable that will check. Instead I use VMWare Player. The latest version allows you to create blank VM to load an operating system on. It didn't previously.
  17. Ok finally had some time to get this up and try to get it running. I'm about 50% there. Right now it's a somewhat manual process. Note: I have set the wifi interface to start up at boot. Jasager is manually started. @DigiNinja e.t. al I need some help seeing where I went wrong.

    Problems:
    1. Before VPN is started I can access FON on 192.168.1.1 (web/ssh). After VPN is started "Host unreachable" so I can't start Jasager, etc.
    2. I do not see the traffic being replicated to tap0

    First I boot up my backtrack laptop and start eth0. It's manually set for 192.168.1.254 with a gateway of 192.168.1.1 (fon)
    Now, I plug in my WAN and LAN to the FON and fire it up.
    Start up Jasager from http://192.168.1.1:1471
    Connect my victim to Jasager, it gets an ip and can access the internet through WAN
    run startup.sh from backtrack laptop

    The following should allow the lan to see wifi traffic then daemonlogger handles replicating br-lan to tap0?

        root@OpenWrt:/etc/init.d# brctl addif br-lan ath0
        root@OpenWrt:/etc/init.d# brctl show
        bridge name     bridge id               STP enabled     interfaces
        br-lan          8000.001884a278f8       no              ath0
                                                                eth0.0

    Here's the startup.sh from backtrack

        root@bt:~# sh startup.sh
        Starting vpn server
        Mon Jan 18 10:01:49 2010 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
        Mon Jan 18 10:01:49 2010 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
        Mon Jan 18 10:01:49 2010 Diffie-Hellman initialized with 1024 bit key
        Giving server chance to start
        Mon Jan 18 10:01:49 2010 WARNING: file '/etc/openvpn/interceptor/interceptor.key' is group or others accessible
        Mon Jan 18 10:01:49 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
        Mon Jan 18 10:01:49 2010 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
        Mon Jan 18 10:01:49 2010 TUN/TAP device tap0 opened
        Mon Jan 18 10:01:49 2010 TUN/TAP TX queue length set to 100
        Mon Jan 18 10:01:49 2010 /sbin/ifconfig tap0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
        Mon Jan 18 10:01:49 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
        Mon Jan 18 10:01:49 2010 GID set to nobody
        Mon Jan 18 10:01:49 2010 UID set to nobody
        Mon Jan 18 10:01:49 2010 Socket Buffers: R=[110592->131072] S=[110592->131072]
        Mon Jan 18 10:01:49 2010 UDPv4 link local (bound): [undef]:1194
        Mon Jan 18 10:01:49 2010 UDPv4 link remote: [undef]
        Mon Jan 18 10:01:49 2010 MULTI: multi_init called, r=256 v=256
        Mon Jan 18 10:01:49 2010 IFCONFIG POOL: base=10.8.0.2 size=253
        Mon Jan 18 10:01:49 2010 IFCONFIG POOL LIST
        Mon Jan 18 10:01:49 2010 client1,10.8.0.2
        Mon Jan 18 10:01:49 2010 Initialization Sequence Completed
        Starting remote services
        root@192.168.1.1's password:
        Mon Jan 18 10:01:00 UTC 2010
        Mon Jan 18 10:01:02 2010 OpenVPN 2.0.9 mips-linux [SSL] [LZO] built on Feb 17 2009
        Mon Jan 18 10:01:02 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
        Mon Jan 18 10:01:02 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
        Mon Jan 18 10:01:02 2010 WARNING: file '/interceptor/openvpn/client/client1.key' is group or others accessible
        Mon Jan 18 10:01:02 2010 LZO compression initialized
        Mon Jan 18 10:01:02 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
        Mon Jan 18 10:01:02 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
        Mon Jan 18 10:02:12 2010 MULTI: multi_create_instance called
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 Re-using SSL/TLS context
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 LZO compression initialized
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 Local Options hash (VER=V4): 'f7df56b8'
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 Expected Remote Options hash (VER=V4): 'd79ca330'
        Mon Jan 18 10:02:12 2010 192.168.1.1:49426 TLS: Initial packet from 192.168.1.1:49426, sid=47cbdf02 0797d88a
        Mon Jan 18 10:01:02 2010 Local Options hash (VER=V4): 'd79ca330'
        Mon Jan 18 10:01:02 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
        Mon Jan 18 10:01:02 2010 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
        Mon Jan 18 10:01:02 2010 UDPv4 link local: [undef]
        Mon Jan 18 10:01:02 2010 UDPv4 link remote: 192.168.1.254:1194
        Mon Jan 18 10:01:02 2010 TLS: Initial packet from 192.168.1.254:1194, sid=edf73771 15139c2e
        Mon Jan 18 10:01:02 2010 VERIFY OK: depth=1, /C=US/ST=XX/L=Cyber/O=Interceptor/CN=Interceptor/emailAddress=me@myhost.mydomain
        Mon Jan 18 10:01:02 2010 VERIFY OK: depth=0, /C=US/ST=XX/L=Cyber/O=Interceptor/CN=interceptor/emailAddress=me@myhost.mydomain
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 VERIFY OK: depth=1, /C=US/ST=XX/L=Cyber/O=Interceptor/CN=Interceptor/emailAddress=me@myhost.mydomain
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 VERIFY OK: depth=0, /C=US/ST=XX/L=Cyber/O=Interceptor/CN=client1/emailAddress=me@myhost.mydomain
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Mon Jan 18 10:01:03 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Mon Jan 18 10:01:03 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Mon Jan 18 10:01:03 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Mon Jan 18 10:01:03 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        Mon Jan 18 10:02:13 2010 192.168.1.1:49426 [client1] Peer Connection Initiated with 192.168.1.1:49426
        Mon Jan 18 10:01:03 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        Mon Jan 18 10:01:03 2010 [interceptor] Peer Connection Initiated with 192.168.1.254:1194
        Mon Jan 18 10:02:15 2010 client1/192.168.1.1:49426 PUSH: Received control message: 'PUSH_REQUEST'
        Mon Jan 18 10:02:15 2010 client1/192.168.1.1:49426 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
        Mon Jan 18 10:01:04 2010 SENT CONTROL [interceptor]: 'PUSH_REQUEST' (status=1)
        Mon Jan 18 10:01:04 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
        Mon Jan 18 10:01:04 2010 OPTIONS IMPORT: timers and/or timeouts modified
        Mon Jan 18 10:01:04 2010 OPTIONS IMPORT: --ifconfig/up options modified
        Mon Jan 18 10:01:04 2010 OPTIONS IMPORT: route options modified
        Mon Jan 18 10:01:04 2010 TUN/TAP device tap0 opened
        Mon Jan 18 10:01:04 2010 /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
        Mon Jan 18 10:01:04 2010 GID set to nogroup
        Mon Jan 18 10:01:04 2010 UID set to nobody
        Mon Jan 18 10:01:04 2010 Initialization Sequence Completed
        [-] Daemon mode set
        [-] Interface set to br-lan
        [-] Log filename set to "daemonlogger.pcap"
        [-] Tap output interface set to tap0
        [-] Pidfile configured to "daemonlogger.pid"
        [-] Pidpath configured to "/var/run"
        [-] Rollover size set to 2147483648 bytes
        [-] Rollover time configured for 0 seconds
        [-] Pruning behavior set to oldest IN DIRECTORY

        -*> DaemonLogger <*-
        Version 1.2.1
        By Martin Roesch
        (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
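
Added example, not part of the original post: the OpenVPN output quoted above already prints several hardening warnings (key files readable by group or others, no server certificate verification on the client, a 1024-bit DH group and RSA key, the BF-CBC cipher). This Python script scans such a log and lists them; the sample lines are copied from that output, while the 2048-bit threshold, the cipher list and the rule names are assumptions made for this example.

```python
import re

MIN_KEY_BITS = 2048  # assumption: audit threshold chosen for this example
# 64-bit block ciphers; list assembled for this example
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def _below_threshold(match):
    """Return the key size as text if it is under MIN_KEY_BITS, else None."""
    return match.group(1) if int(match.group(1)) < MIN_KEY_BITS else None


def _weak_cipher(match):
    """Return the cipher name if it is a 64-bit block cipher, else None."""
    name = match.group(1).upper()
    return name if name in BLOCK64_CIPHERS else None


# (rule name, pattern, function turning a match into a detail string or None)
RULES = [
    ("key-file-permissions",
     re.compile(r"WARNING: file '([^']+)' is group or others accessible"),
     lambda m: m.group(1)),
    ("no-server-cert-verification",
     re.compile(r"WARNING: No server certificate verification method"),
     lambda m: ""),
    ("weak-dh",
     re.compile(r"Diffie-Hellman initialized with (\d+) bit key"),
     _below_threshold),
    ("weak-rsa",
     re.compile(r"Control Channel: .*, (\d+) bit RSA"),
     _below_threshold),
    ("weak-cipher",
     re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'"),
     _weak_cipher),
]

# Sample input: lines copied from the OpenVPN output in the post above.
SAMPLE_LOG = """\
Mon Jan 18 10:01:49 2010 Diffie-Hellman initialized with 1024 bit key
Mon Jan 18 10:01:49 2010 WARNING: file '/etc/openvpn/interceptor/interceptor.key' is group or others accessible
Mon Jan 18 10:01:02 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 18 10:01:02 2010 WARNING: file '/interceptor/openvpn/client/client1.key' is group or others accessible
Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan 18 10:02:13 2010 192.168.1.1:49426 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jan 18 10:01:04 2010 Initialization Sequence Completed
"""


def audit(log_text):
    """Return unique (rule, detail) findings in the order first seen."""
    findings = []
    for line in log_text.splitlines():
        for name, pattern, detail in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            value = detail(match)
            if value is not None and (name, value) not in findings:
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_LOG):
        print(f"{rule}: {detail}" if detail else rule)
```

Each finding maps to a setting on one side of the tunnel: file modes on the key files, a server-certificate check in the client configuration, and the key sizes and cipher chosen when the certificates and DH parameters were generated.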
  18. First get a multimeter and check the resistor it may not be bad. Then again it could be a capacitor but more than likely it's a resistor. Unfortunately it looks to be a 0610 in size which is too small to screen print the value on. Usually resistors in this size are black and capacitors are beige/white/brown. If you've got a decent soldering iron like (weller wtcpt) and a steady hand you may be able to do it by hand. Place that pin in the middle of the SMD to hold it down. Apply heat to the side that is currently attached and get the solder to flow, now wait a second and then apply heat to the other end. It should only take a couple seconds to get the solder to flow. If you apply heat too long you'll end up lifting the trace from the board. Another option would be to put it in the toaster oven and re-flow the whole board. You can search Google about this. If there's chips on both sides don't do this. You can get another resistor from digikey but you'll probably end up buying a reel of 100 or more. Search for surplus or samples from a manufacturer. You may want to hit up the local VoTech or technical college to see if they have an SMD class/lab. Most would have the equipment to do this and maybe offer to give you a quick lesson.

    **************** BIG FAT DISCLAIMER. These comments are coming from an experienced person. I've hand soldered 0610 and up with two soldering irons. I went through a 40HR course to learn how to solder the right way. It's not for the faint of heart, more than likely the chip will end up sticking to the end of your iron and then you're screwed.
  19. I would think that leakage and possibly trace minerals will be an issue. Nice system by the way. What do you figure the efficiency is?
  20. Worked fine for me. Running on my Inspiron 1318 without a hitch. Everything works, yey!
  21. As Psychosis said you won't gain much from compression however file splitting should work. I would just "winzip" without compression and set file spanning on.
  22. What you want is something that's called a color organ or light organ. Typically you have a small board mounted microphone or have a sound input that picks up the sound level and translates it to light output. Way back in 1996 I built one from scratch and had it running in my dorm room. It ran several lights through a series of relays. For you its much simpler. Personally I would not mount a LED in line with the output of the amplifier, that's just asking for trouble. With the kits and a relay you can all matter of lights (think marker lights, headlights, taillights, strobes, etc). Here's some links to various kits. http://www.apogeekits.com/light_organ_mk114.htm http://www.goldmine-elec-products.com/prod...&variation= http://www.electronickits.com/kit/complete/ligh/canck185.htm http://www.horrorseek.com/home/halloween/w...ColorOrgan.html
  23. Network Miner Tamos NetResident Wireshark then open the capture in Cain&Abel and it will find the passwords.