The JasagerIntercept

Beakmyn <at> frontiernet <dot> net
March 1, 2010 rev 1.3

Background: 

    When Digininja introduced the Jasager platform for the Fonera and then later the Interceptor for the Fonera+, I set about trying to marry the two together into a single device. I wanted to be able to see everything the wireless clients were doing, but I didn't want to do it through ICS and tethering. It started out simply as modifying the existing LAN bridge, which never got me where I was going. After many failed attempts at different techniques I took a step back and realized that the bridge was in the wrong place.

The JasagerIntercept works by isolating the LAN from the network completely and bridging the wifi to the WAN. We then use daemonlogger to mirror the traffic from the WAN bridge (br-wan) to the LAN port (eth0.0). Since this is a wired connection, the WAN network and LAN network are on the same layer and we don't have the issue of mangled packets when mirroring. As such we don't need to use OpenVPN to tunnel the traffic. In fact, I found that for reasons unknown trying to tunnel the traffic through OpenVPN will segfault the Fonera. Not a good thing. Also, because we're now mirroring a 54 Mbps connection onto a 100 Mbps connection, we shouldn't run into lost/dropped packets due to bandwidth limitations.

Please note that I have not done full regression testing, so I cannot say with 100% certainty that the LAN subnet, and consequently the Fon's services, are isolated from wireless/WAN attack.

Assumptions:

This is not a detailed walkthrough. The author assumes that the reader has basic knowledge of the required concepts, such as installing, transferring and editing files in Linux. If you're unsure, send me an email: beakmyn <at> frontiernet <dot> net

Caveat:

Because the FON+ is no longer the DHCP server, client IPs will not show up on the Karma web page. You will of course see them when you sniff with Wireshark, and if you have ettercap running you'll also see the DHCP requests/solicitations.

Usage: 

    All wireless clients will be served by an external DHCP server connected to the WAN port. This can be your home network, a laptop running ICS tethered to a Droid, or another device acting as a wireless bridge.

The monitoring laptop will be connected to the LAN port and will have a static IP. It will not have access to any services outside the FON+, i.e. it doesn't get internet.

So let's get into the fun part. Creating the JasagerIntercept!



Requirements:

    A Fonera+ (FON+) running OpenWrt with Jasager installed
    The interceptor .ipk (for the daemonlogger binary) plus its libdnet and libpcap dependencies
    Something on the WAN port that hands out DHCP and provides internet: your home network, a laptop running ICS, or another device acting as a wireless bridge
    A monitoring laptop on the LAN port with a static IP, running Wireshark (and ettercap if you want it)

Installation:

In order for Jasager to play nice we need to remove the iptables rule from startup. That rule accepted forwarding from the wifi (ath0) into br-lan; in this layout there is no br-lan and nothing should be forwarded into the LAN at all, so the line is commented out:

Make Jasager compliant

root@JasagerIntercept:~# vi /etc/init.d/jasager
#!/bin/sh /etc/rc.common
# Copyright (C) 2008 dninja@gmail.com
START=50

start() {
    include /lib/network
    scan_interfaces
    /karma/bin/create_option_list.rb
    # Karma web interface on port 1471
    [ -d /karma/www -a -f /karma/etc/httpd.conf ] && httpd -p 1471 -h /karma/www -r karma -c /karma/etc/httpd.conf
    # Disabled: this forwarded wireless traffic into br-lan, which no longer exists here
    # iptables -I FORWARD -i ath0 -o br-lan -j ACCEPT
    # Feed the KARMA and DHCP log lines to the status log and to logwatch
    logread -f | awk '{if ($0 ~ /(KARMA: |DHCPACK|DHCPDISCOVER|DHCPOFFER|DHCPREQUEST)/) {sub (/ \(.*\).*: /, ": ", $0); print $0 ;}} ' > /tmp/status.log &
    tail -f /tmp/status.log | /karma/bin/logwatch &
}

stop() {
    killall httpd
}

Install daemonlogger

Now we need to get daemonlogger's dependencies onto the Fon+. There are a few ways to do this.

For the noob:
    Connect the Fonera+ to the internet and do a full interceptor package install. Yes, this will install OpenVPN and a whole bunch of unneeded files, but in the end you'll have daemonlogger and its libraries.

For the rest of us:
    Either scp the libraries over or have opkg install the latest from the OpenWrt repository:
root@JasagerIntercept:~# opkg update
root@JasagerIntercept:~# opkg install libdnet
root@JasagerIntercept:~# opkg install libpcap

Get the daemonlogger binary from interceptor.ipk. An .ipk is just a gzipped tar containing debian-binary, control.tar.gz and data.tar.gz, and the files that get installed sit in data.tar.gz, so use Ark, tar, whatever to get it out. Copy it to /interceptor/bin and make it executable: chmod +x /interceptor/bin/daemonlogger
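As an added example (not from the original write-up), here is a small shell script that pulls the daemonlogger binary out of interceptor.ipk and drops it into place, plus a helper that builds a throwaway .ipk with the same layout so the extraction can be tried on a machine that does not have the real package. The file paths are assumptions; point it at wherever you saved the .ipk.

```shell
#!/bin/sh
# Added example, not from the original write-up: pull daemonlogger out of
# interceptor.ipk without installing the rest of the package.
# An OpenWrt .ipk is a gzipped tar holding debian-binary, control.tar.gz and
# data.tar.gz; everything that would land on the root filesystem is inside
# data.tar.gz, so that is the only part we unpack.
set -e

# extract_daemonlogger IPK DEST_DIR
# Unpacks IPK, copies interceptor/bin/daemonlogger into DEST_DIR, marks it
# executable and prints the installed path. Returns 1 if the package does not
# carry the binary.
extract_daemonlogger() {
    ipk=$1
    dest=$2
    tmp=$(mktemp -d)
    tar -xzf "$ipk" -C "$tmp"
    tar -xzf "$tmp/data.tar.gz" -C "$tmp"
    if [ ! -f "$tmp/interceptor/bin/daemonlogger" ]; then
        echo "no interceptor/bin/daemonlogger inside $ipk" >&2
        rm -rf "$tmp"
        return 1
    fi
    mkdir -p "$dest"
    cp "$tmp/interceptor/bin/daemonlogger" "$dest/daemonlogger"
    chmod +x "$dest/daemonlogger"
    rm -rf "$tmp"
    echo "$dest/daemonlogger"
}

# make_fake_ipk OUT
# Builds a stand-in package with the same layout as a real .ipk. This is
# constructed test data: the "binary" is a two-line shell stub, not daemonlogger.
make_fake_ipk() {
    out=$1
    work=$(mktemp -d)
    mkdir -p "$work/root/interceptor/bin" "$work/ctl"
    printf '#!/bin/sh\necho daemonlogger stub\n' > "$work/root/interceptor/bin/daemonlogger"
    printf 'Package: interceptor\nVersion: 0\nArchitecture: mips\n' > "$work/ctl/control"
    echo "2.0" > "$work/debian-binary"
    tar -czf "$work/control.tar.gz" -C "$work/ctl" .
    tar -czf "$work/data.tar.gz" -C "$work/root" .
    tar -czf "$out" -C "$work" debian-binary control.tar.gz data.tar.gz
    rm -rf "$work"
}

# Usage on the Fon+ (paths are assumptions):
#   sh extract_daemonlogger.sh /tmp/interceptor.ipk /interceptor/bin
if [ $# -eq 2 ]; then
    extract_daemonlogger "$1" "$2"
fi
```

The script only touches data.tar.gz, so nothing from the package's control scripts runs on the Fon+; you get exactly one file in /interceptor/bin and nothing else.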


At this point you can copy the /etc/init.d/interceptor script from the ipk or create it manually. Either way I've changed it to this

root@JasagerIntercept:~# vi /etc/init.d/interceptor
#!/bin/sh /etc/rc.common
# Start after jasager (START=50)
START=60

start() {
    # Mirror everything crossing the WAN bridge out of the LAN port (eth0.0), daemonized
    /interceptor/bin/daemonlogger -i br-wan -o eth0.0 -d
}

stop() {
    pid=`pidof daemonlogger`
    if [ -n "$pid" ]
    then
        kill $pid
    fi
}

At this point you'll want to make a decision as to how you'll start it. You can ssh into the FON+

root@JasagerIntercept:~# /etc/init.d/interceptor start
OR
you can create a link to automatically start it at boot
root@JasagerIntercept:~#  ln -sf /etc/init.d/interceptor /etc/rc.d/S60interceptor

Building a Bridge

This sets up the WAN interface as a bridge and gives the LAN a static IP of 10.255.255.254. Note that with proto dhcp the FON+ itself takes an address on br-wan, so its own services (ssh, the Karma web interface on port 1471) are reachable from the wireless side unless the firewall drops INPUT on the wan zone; check with iptables -L INPUT -n -v.
root@JasagerIntercept:~# vi /etc/config/network
config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'proto' 'static'
    option 'ipaddr' '10.255.255.254'
    option 'netmask' '255.255.255.0'
    option 'ifname' 'eth0.0'

config 'interface' 'wan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'dhcp'


Now put the wifi on the WAN bridge and give it a nice inviting name. Jasager's Karma patch answers probe requests for whatever SSID a client asks for; the configured SSID is what clients see when they scan.
root@JasagerIntercept:~# vi /etc/config/wireless
config wifi-device  wifi0
    option type     atheros
    option channel  auto


config wifi-iface
    option device    wifi0
    option network    wan
    option mode    ap
    option ssid    AvayaWireless
    option encryption none


Get rid of DHCP/DNS on the LAN

Removing the rc.d link stops dnsmasq from starting at boot, so the FON+ no longer hands out addresses or answers DNS on either side (/etc/init.d/dnsmasq disable does the same thing):
root@JasagerIntercept:~# rm /etc/rc.d/*dnsmasq

All Done

Reboot the FON+, set your laptop's IP to 10.255.255.253 (netmask 255.255.255.0) and you should see wifi traffic on the LAN port. The mirrored frames carry the wireless clients' MAC addresses, not your laptop's, so capture in promiscuous mode (Wireshark's default) or you'll see nothing.
root@JasagerIntercept:~# reboot
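The following post-reboot checks are an added example, not part of the original write-up. Each check parses the output of brctl show, ps or iptables -L FORWARD -n -v to confirm the state the walkthrough expects: wifi and WAN port both on br-wan, daemonlogger mirroring br-wan to eth0.0, dnsmasq gone, and no FORWARD rule letting traffic out to the LAN side. The sample command outputs embedded in the script are constructed, not captured from a device; run the script with the argument run on the FON+ to use the live commands.

```shell
#!/bin/sh
# Added example, not part of the original write-up: post-reboot sanity checks
# for the JasagerIntercept layout. Each check_* function takes the text output
# of one command so it can be exercised on sample data; run_checks feeds it the
# live output of brctl, ps and iptables on the FON+.
# Interface names are the ones from the write-up: br-wan (WAN bridge), eth0.1
# (WAN port), ath0 (wifi), eth0.0 (LAN port that receives the mirror).

# check_bridge "brctl show" output: br-wan must contain both eth0.1 and ath0,
# otherwise wireless clients are not actually bridged to the uplink.
check_bridge() {
    printf '%s\n' "$1" | awk '
        $1 == "br-wan" { cur = "br-wan"; if (NF >= 4) ports[$4] = 1; next }
        NF > 1         { cur = $1 }                    # header or another bridge
        cur == "br-wan" && NF == 1 { ports[$1] = 1 }   # continuation line: extra port
        END { exit !(("eth0.1" in ports) && ("ath0" in ports)) }'
}

# check_mirror "ps" output: daemonlogger must be running with the bridge as
# input and the LAN port as mirror output.
check_mirror() {
    printf '%s\n' "$1" | grep -q 'daemonlogger .*-i br-wan .*-o eth0\.0'
}

# check_no_dnsmasq "ps" output: dnsmasq was disabled; if it is back, the FON+
# would answer DHCP/DNS on the wireless side as well.
check_no_dnsmasq() {
    ! printf '%s\n' "$1" | grep -q 'dnsmasq'
}

# check_forward "iptables -L FORWARD -n -v" output: no ACCEPT rule may send
# packets out to the LAN port (or the old br-lan); the LAN must stay isolated.
# Column 3 is the target, column 7 the output interface.
check_forward() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" && ($7 == "eth0.0" || $7 == "br-lan") { leak = 1 }
        END { exit leak + 0 }'
}

# report CHECK INPUT DESCRIPTION: print ok/FAIL and remember failures in rc.
report() {
    if "$1" "$2"; then
        echo "ok:   $3"
    else
        echo "FAIL: $3"
        rc=1
    fi
}

# run_checks: run every check against the live system; exit status 1 on any failure.
run_checks() {
    rc=0
    report check_bridge     "$(brctl show)"                "br-wan carries eth0.1 and ath0"
    report check_mirror     "$(ps)"                        "daemonlogger mirrors br-wan to eth0.0"
    report check_no_dnsmasq "$(ps)"                        "dnsmasq is not running"
    report check_forward    "$(iptables -L FORWARD -n -v)" "no FORWARD rule into eth0.0/br-lan"
    return $rc
}

# Constructed sample outputs (not captured from a real device) for exercising
# the checks offline.
SAMPLE_BRCTL_OK='bridge name     bridge id               STP enabled     interfaces
br-wan          8000.001122334455       no              eth0.1
                                                        ath0'
SAMPLE_BRCTL_NOWIFI='bridge name     bridge id               STP enabled     interfaces
br-wan          8000.001122334455       no              eth0.1'
SAMPLE_PS_OK='  PID USER       VSZ STAT COMMAND
  612 root      1420 S    /interceptor/bin/daemonlogger -i br-wan -o eth0.0 -d
  640 root      1600 S    httpd -p 1471 -h /karma/www -r karma -c /karma/etc/httpd.conf'
SAMPLE_PS_DNSMASQ='  PID USER       VSZ STAT COMMAND
  580 nobody    1200 S    /usr/sbin/dnsmasq -K -D -y -Z -b -E -s lan -S /lan/ -l /tmp/dhcp.leases'
SAMPLE_IPT_OK='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br-wan br-wan  0.0.0.0/0            0.0.0.0/0'
SAMPLE_IPT_LEAK='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ath0   br-lan  0.0.0.0/0            0.0.0.0/0'

# On the FON+: sh checks.sh run
if [ "$1" = "run" ]; then
    run_checks
fi
```

The FORWARD check is the one that matters for the isolation claim: the LAN stays isolated only as long as nothing forwards into eth0.0, and the mirror from daemonlogger is a copy on the wire, not a forwarded packet, so it should never show up as an ACCEPT rule there.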

Tweaks

If you want to change your hostname to something other than OpenWrt:
root@JasagerIntercept:~# vi /etc/config/system