
【Buffalo WHR-G300N wireless router, OpenWrt】 [reaver-wps]


The OpenWrt build for the Buffalo WHR-G300N is finished.
I checked that everything basically works, and saving the settings also works correctly.

Starting kernel ...
[    0.000000] Linux version 3.2.5 (r645@bt) (gcc version 4.6.3 20120201 (prerelease) (Lina2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 0001964c (MIPS 24Kc)
[    0.000000] Ralink RT3052   id:1 rev:2 running at 384.00 MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00002000
[    0.000000] Movable zone start PFN for each node
[    0.000000] early_node_map[1] active PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00002000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line:  board=WHR-G300N mtdparts=physmap-flash.0:192k(u-boot)r2
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
[    0.000000] Writing ErrCtl register=00000004
[    0.000000] Readback ErrCtl register=00000004
[    0.000000] Memory: 29992k/32768k available (1878k kernel code, 2776k reserved, 316k dat)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:48
[    0.000000] console [ttyS1] enabled, bootconsole disabled
[    0.000000] console [ttyS1] enabled, bootconsole disabled
[    0.010000] Calibrating delay loop... 255.59 BogoMIPS (lpj=1277952)
[    0.090000] pid_max: default: 32768 minimum: 301
[    0.100000] Mount-cache hash table entries: 512
[    0.110000] NET: Registered protocol family 16
[    0.120000] MIPS: machine is Buffalo WHR-G300N
[    0.140000] bio: create slab <bio-0> at 0
[    0.150000] Switching to clocksource MIPS
[    0.160000] NET: Registered protocol family 2
[    0.170000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.180000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    0.200000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.210000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.220000] TCP reno registered
[    0.230000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.240000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.250000] NET: Registered protocol family 1
[    0.300000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.310000] JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-.
[    0.330000] msgmni has been set to 58
[    0.340000] io scheduler noop registered
[    0.340000] io scheduler deadline registered (default)
[    0.360000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.370000] serial8250: ttyS0 at MMIO 0x10000500 (irq = 13) is a 16550A
[    0.380000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[    0.400000] physmap platform flash device: 00800000 at bf000000
[    0.410000] physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 8
[    0.430000] Amd/Fujitsu Extended Query Table at 0x0040
[    0.440000]   Amd/Fujitsu Extended Query version 1.1.
[    0.450000] number of CFI chips: 1
[    0.460000] 6 cmdlinepart partitions found on MTD device physmap-flash.0
[    0.470000] Creating 6 MTD partitions on "physmap-flash.0":
[    0.490000] 0x000000000000-0x000000030000 : "u-boot"
[    0.500000] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.510000] 0x000000040000-0x000000050000 : "factory"
[    0.520000] 0x000000050000-0x000000120000 : "kernel"
[    0.540000] 0x000000120000-0x000000400000 : "rootfs"
[    0.550000] mtd: partition "rootfs" set to be root filesystem
[    0.560000] mtd: partition "rootfs_data" created automatically, ofs=280000, len=180000 
[    0.580000] 0x000000280000-0x000000400000 : "rootfs_data"
[    0.590000] 0x000000050000-0x000000400000 : "firmware"
[    0.610000] TCP westwood registered
[    0.620000] NET: Registered protocol family 17
[    0.630000] 8021q: 802.1Q VLAN Support v1.8
[    0.640000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    0.660000] Freeing unused kernel memory: 164k freed
[    2.180000] input: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0
[    2.320000] Button Hotplug driver version 0.4.1
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
jffs2 not ready yet; using ramdisk
- init -
Please press Enter to activate this console. [    6.300000] Compat-wireless backport releas5
[    6.310000] Backport based on wireless-testing.git master-2012-02-06
[    6.350000] cfg80211: Calling CRDA to update world regulatory domain
[    6.810000] cfg80211: World regulatory domain updated:
[    6.820000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[    6.840000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[    6.850000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[    6.870000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[    6.880000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[    6.900000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[    7.070000] usbcore: registered new interface driver usbfs
[    7.080000] usbcore: registered new interface driver hub
[    7.090000] usbcore: registered new device driver usb
272+0 records in
272+0 records out
[    7.610000] PPP generic driver version 2.4.2
[    7.750000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    7.980000] NET: Registered protocol family 24
[    8.020000] nf_conntrack version 0.5.0 (471 buckets, 1884 max)
[    8.360000] dwc_otg: version 2.72a 24-JUN-2008
[   11.890000] ramips-wdt: timeout value 60 must be 0 < timeout < 33
[   13.930000] device eth0.1 entered promiscuous mode
[   13.940000] device eth0 entered promiscuous mode
[   14.000000] br-lan: port 1(eth0.1) entering forwarding state
[   14.010000] br-lan: port 1(eth0.1) entering forwarding state
[   20.850000] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[   20.870000] jffs2_build_filesystem(): unlocking the mtd device... done.
[   20.880000] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
[   33.610000] JFFS2 notice: (1181) jffs2_build_xattr_subsystem: complete building xattr su.
BusyBox v1.19.3 (2012-06-27 00:56:01 JST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (bleeding edge, r30645) ----------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/# cd /etc/config/
root@OpenWrt:/etc/config# ls
dhcp      dropbear  firewall  network   system    wireless
root@OpenWrt:/etc/config# reboot
root@OpenWrt:/etc/config# [   91.630000] br-lan: port 1(eth0.1) entering forwarding state
[   91.650000] device eth0 left promiscuous mode
[   91.670000] device eth0.1 left promiscuous mode
[   91.670000] br-lan: port 1(eth0.1) entering disabled state
[   94.160000] Restarting system.
U-Boot 1.1.3 for BUFFALO AIRSTATION (Aug 26 2008 - 13:08:44)
Board: Ralink APSoC DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Stack Pointer at: 81f4ff98
relocate_code Pointer at: 81fa0000
Now running in RAM - U-Boot at: 81fa0000
FLASH ID : 00h=[0xc2], 01h=[0x22a8], 0Eh=[0x0], 0Fh=[0x19]

With the latest revision, openwrt-rt305x-whr-g300n-*.bin was not generated. After looking through the revision log, I decided to build r30645, which looked likely to work. The kernel is 3.2.5.

svn co svn://svn.openwrt.org/openwrt/trunk/ -r30645

The WHR-G300N has only 4 MB of flash, so the firmware image must fit within 3,866,624 bytes or there will be problems. Since not everything fits, I built two variants: one with the LuCI web administration interface, and one with reaver and aircrack-ng.

openwrt-whr-g300n-lcui.bin
openwrt-whr-g300n-aircrack.bin
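The 3,866,624-byte limit is not arbitrary: in the boot log above the "firmware" MTD partition spans 0x000000050000-0x000000400000, and 0x400000 - 0x050000 = 0x3B0000 = 3,866,624 bytes. The following is an added example (not code from the post or from the OpenWrt project) that derives the limit from those partition lines and checks an image against it before flashing, so the check tracks whatever the target's partition table actually says. The log lines are a constructed sample copied from the boot output above; the image file name defaults to the post's openwrt-whr-g300n-aircrack.bin in the current directory, which is an assumption.

```shell
#!/bin/sh
# Constructed sample: the MTD partition lines from the WHR-G300N boot log.
SAMPLE_MTD_LOG='[    0.490000] 0x000000000000-0x000000030000 : "u-boot"
[    0.500000] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.510000] 0x000000040000-0x000000050000 : "factory"
[    0.520000] 0x000000050000-0x000000120000 : "kernel"
[    0.540000] 0x000000120000-0x000000400000 : "rootfs"
[    0.580000] 0x000000280000-0x000000400000 : "rootfs_data"
[    0.590000] 0x000000050000-0x000000400000 : "firmware"'

# partition_size LOG NAME
# Prints the size in bytes of the MTD partition called NAME, parsed from the
# "start-end : \"name\"" lines the kernel prints. Returns 1 if not found.
partition_size() {
    _log=$1
    _name=$2
    _range=$(printf '%s\n' "$_log" \
        | grep -F ": \"$_name\"" \
        | head -n 1 \
        | sed -n 's/.*\(0x[0-9a-f]*\)-\(0x[0-9a-f]*\) : .*/\1 \2/p')
    [ -n "$_range" ] || return 1
    # Split "start end" into $1 and $2; shell arithmetic understands 0x prefixes.
    set -- $_range
    echo $(( $2 - $1 ))
}

# image_fits FILE LIMIT
# Succeeds (exit 0) when FILE is at most LIMIT bytes, fails otherwise.
image_fits() {
    _size=$(( $(wc -c < "$1") ))
    [ "$_size" -le "$2" ]
}

# Demonstration: derive the limit from the sample log and test an image.
# IMAGE is an assumed path; point it at the real build output.
LIMIT=$(partition_size "$SAMPLE_MTD_LOG" firmware)
echo "firmware partition: $LIMIT bytes"
IMAGE=${IMAGE:-openwrt-whr-g300n-aircrack.bin}
if [ -f "$IMAGE" ]; then
    if image_fits "$IMAGE" "$LIMIT"; then
        echo "$IMAGE fits ($(( LIMIT - $(wc -c < "$IMAGE") )) bytes to spare)"
    else
        echo "$IMAGE is too large for the firmware partition; do not flash it" >&2
    fi
fi
```

On the router itself the same function can be fed `dmesg` output instead of the sample, so the check works for any board whose kernel prints its MTD layout.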

I tried a WPS crack with reaver against a freshly unboxed FON2405e. It took 5 hours, but the passphrase was recovered.


I would like to simplify the series of commands that has to be typed before running reaver, and to build a mechanism that lets the wireless router keep brute-forcing on its own even after the PC is disconnected from it.

The commands to run are as follows.

iwconfig wlan0 essid MyPlace channel 1
ifconfig wlan0 up
airmon-ng start wlan0
reaver -i mon0 -b 00-11-22-33-44-55 -c 1 -vv

If you write a CGI with a haserl script, you can run shell scripts from the web interface.

For building and flashing the firmware, see the previous article.
Apart from having to modify mach-nw718.c, as in the previous article, there was nothing special to do.

This PDF is also a useful reference.



sya

It worked!
I installed the aircrack bin via a soldered-on serial connection plus 3CDaemon, and reaver runs without problems.
I confirmed that settings are saved, that aircrack works, and that reaver session resume works.
The web UI is in Japanese by default, which is great.

Below is a log of a successful attack, with the PIN specified, against a FON2405E running custom firmware.
http://pastebin.com/WKXfGGKA

Next I'd like to try the uci version as well.
by sya (2012-12-24 15:58)

atc-500

Thank you for the comment.
I'm the one who is delighted that you tried it.

by atc-500 (2012-12-24 16:57) 
