
FON+ as a router on a stick


Had a little fun with the FON+ tonight. My target was to work towards not needing a wired internet connection so the FON could be dropped somewhere and not need a wired host / wall socket to do its work. Just to do its work with a battery. This without a 'back-to-back' setup with a second FON as digininja suggested. And this appears to work.

What you can do is add a virtual interface (or VAP as Madwifi calls it) being a client connection to another wifi network, the uplink network. The weird thing is that this only seems to work with a third VAP in monitor mode. Basically I ended up with:

ath0 - (default) bridged with eth0.1 being the gateway interface holding on the br-lan

ath1 - monitor interface, not even needed to bring this up

ath2 - the client interface connecting to the 'internet enabled' network, the uplink.

I got this working using iptables to do some NAT'ing for me. MASQUERADING seemed useful in this case since it's likely to switch between internet enabled WiFi networks.

Anyways, the literal steps:

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

to create that required monitor interface (more on wlanconfig and all on madwifi manual: http://madwifi-project.org/users-guide/node14.html)

wlanconfig ath2 create wlandev wifi0 wlanmode sta nosbeacon

ifconfig ath2 up

to create an interface we will use to set up the internet connection on (see for the 'why' of the nosbeacon the previous link to the madwifi manual)

The channel/frequency of those virtual interfaces is the same, so we have to sync them with the channel our internet enabled wifi network is on, for example 4:

iwconfig ath0 channel 4

iwconfig ath2 channel 4

(not sure if it's required to do this on both, but better too much than too little huh)

The uplink network I used was a WPA secured network, so I used wpa_supplicant to connect to it:

wpa_supplicant -iath2 -c/etc/wpa_supplicant.conf

For a short example on how to set up a WPA config: http://www.enterprisenetworkingplanet.com/...cle.php/3594946

Let's request an IP from my uplink network router:

udhcpc -t 0 -i ath2 -b -p /var/run/ath2.pid -R

From here you should have internet access on your fon (assuming you don't have anything connected to the 'wan' interface of your fon or any other config to get a default route over the lan or wifi interfaces). You could test with some pings and all.

To give that lovely internet access also to the poor 'clients' connecting to your FON honeypot you can use some NAT'ing:

# replace <LAN subnet> with the client network on br-lan, e.g. 192.168.10.0/24 (placeholder; the value after -s is missing in the post)
iptables -t nat -I POSTROUTING -s <LAN subnet> -o ath2 -j MASQUERADE

This way every packet from your 'clients' will be rewritten to be sourced from the IP the FON has on the uplink / internet network. This way the uplink router just routes all traffic back to the FON and the FON keeps track of all the clients and knows who should get what response. The basic NAT'ing work, so to say.

Anyway.. this gives a FON 'router on a stick' situation which only requires a working and internet-capable WiFi network. It's not as portable as a mobile phone used for an uplink as post_break suggested.

As a suggestion I would like to mention that it's quite easy to install tcpdump and nmap on the FON, giving it some more muscle power to do 'pentesting'.

What's next? Well... I'm thinking about some black hat fun writing a small footprint app for finding passwords and all in the traffic that passes. Or maybe a ferret/hamster-like setup, but maybe a remote setup. Just thinking out loud now but: the FON filtering cookies and sending it realtime over the internet to a server (or just e-mail it) where it can be picked up for 'further processing'.

Oh btw.. I have been trying to figure out how to add storage to my FON 2201+, but the docs I find are only about the 2100 / 2200, and the GPIO points on the PCB of the 2201+ aren't that obvious. So if someone has something regarding the 2201+ I would love to hear it!

Another thing I would like to know is how you can make your own images of the FON. It takes quite some time to install / flash everything I like, so to create some backups / setup archive it would be great to image that. Didn't search for this at all though, so it might be very easy... :D

Have fun playing!

Oh! before I forget: kudos to digi ninja for the madwifi patched drivers and jasager!
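Added example, not from the post or the Jasager project: the bring-up sequence from the post above wrapped into one sh script for the FON. It assumes ath0 bridged into br-lan as in the post, takes the uplink channel, the wpa_supplicant config path and the br-lan client subnet as arguments, and adds a channel check, a forwarding switch and a DRY_RUN mode that are not in the original.

```sh
# Added example: the post's FON router-on-a-stick steps as repeatable functions.
# Assumed (not from the post): channel, wpa_supplicant config path and the
# br-lan client subnet come from the caller; DRY_RUN=1 prints instead of runs.
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Only 2.4 GHz channels 1-14 are accepted before the radio is touched.
valid_channel() {
    case "$1" in
        [1-9]|1[0-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: the monitor VAP the post found necessary, plus the STA (client) VAP.
create_vaps() {
    run wlanconfig ath1 create wlandev wifi0 wlanmode monitor
    run wlanconfig ath2 create wlandev wifi0 wlanmode sta nosbeacon
    run ifconfig ath2 up
}

# Step 2: every VAP on wifi0 shares one channel, so pin AP and STA to the uplink's.
set_channel() {
    valid_channel "$1" || { echo "bad channel: $1" >&2; return 1; }
    run iwconfig ath0 channel "$1"
    run iwconfig ath2 channel "$1"
}

# Step 3: WPA-associate on ath2 (-B daemonises, added so the script continues)
# and lease an address from the uplink router.
bring_up_uplink() {
    run wpa_supplicant -B -iath2 -c"$1"
    run udhcpc -t 0 -i ath2 -b -p /var/run/ath2.pid -R
}

# Step 4: NAT needs forwarding on (OpenWrt usually already has it), then
# masquerade the client subnet behind whatever address ath2 obtained.
enable_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -I POSTROUTING -s "$1" -o ath2 -j MASQUERADE
}

# Usage: sh ros.sh up <channel> <wpa_supplicant.conf> <lan-subnet>
case "${1:-}" in
    up) create_vaps; set_channel "$2"; bring_up_uplink "$3"; enable_nat "$4" ;;
esac
```

Run it with DRY_RUN=1 first to see the exact command sequence before letting it touch the radio.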


Good howto.

What are you using ath1, the monitor mode interface for? It seems redundant.

The only reason I suggested having two Fons back to back is to avoid having to channel hop between the AP and the internet connection as this reduces efficiency slightly.


I don't get both the client uplink connection (ath2) to work and the AP (ath0) to work unless there is an interface in monitor mode. Seemed strange to me as well, but without it neither does connect. But, since the monitor interface exists it can be used for running mdk3 deauth from:

mdk3 ath1 d

From what I can see the madwifi driver doesn't do channel hopping between two interfaces. All VAP (athX) interfaces share the same channel the physical interface (wifi0) is on. This channel is the last one specified on any of the VAPs. So for example I have ath0 up in AP mode on channel 11 and there is a client connected to it. As soon as I start wpa_supplicant to have the FON connect to an uplink AP running on channel 4 all VAPs on the FON switch to channel 4, thereby disconnecting all clients already connected to the AP on ath0. The clients start scanning again and do find the AP again on channel 4. And even if this behaviour can be changed so the AP stays on 11 and the internet connection is on 4, I can't think of a reason to not have both AP and internet connection sharing the same channel...


Weird about the monitor mode.

I just assumed that they would channel hop, I'll have to remember that because if you start them up the other way round you won't be able to connect to the AP, or does wpa_supplicant pull the driver to the channel it needs?


wpa_supplicant scans for the network ssid you specify and hops to that channel (but as a result all clients do lose their connectivity to the AP due to the scanning process, even if the uplink network is on the same channel).
