iPhone Honeypot Project

July 7, 2010

Building Bridges with Iron, Braun and Steel

After much pain, I’ve managed to build myself a network tap, or bridge as it’s more commonly known, using FreeBSD 8.0 and an array of network interfaces. I haven’t posted in a bit, but I’ve been doing a lot of testing with various techniques to record network traffic: wired and wireless bridges, various router firmwares, port spanning using additional interfaces, etc. Currently, I have a basic set-up working using two wired network interfaces. I abandoned the wireless interface bridging the WAN to the LAN using a network hub due to support issues (or lack thereof, rather) in FreeBSD. It seemed to be working, but I couldn’t associate with the network, attempting various configurations (open, closed, ad-hoc, WEP enabled, WPA, WPA2 [personal/enterprise], etc.) to no avail. Taking bits from the attic, I’ve managed to build a box. The specs are primitive but usable: Pentium III Xeon/Celeron processor, 447.69MHz, 40GB hard drive, 2 network interfaces (rl0, vr0), video card, and power supply. A picture of this can be found below.

Using a Zyxel Prestige router, a Linksys WRT54G and heaps of cables, the network was created. This included a hub and a wireless network to allow people in the house to use the internet as normal. The bridge needed to be configured correctly first. The following are the commands required to set up a bridge, after the network interfaces were tested by assigning addresses and pinging various machines around the network, both wired and on the wireless interfaces.

# ifconfig bridge create
bridge0
# ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 96:3d:4b:f1:79:7a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0

Add the member network interfaces to the bridge. For the bridge to forward packets all member interfaces and the bridge need to be up:

# ifconfig bridge0 addm rl0 addm vr0 up
# ifconfig rl0 up
# ifconfig vr0 up

The bridge is now forwarding Ethernet frames between rl0 and vr0. The equivalent configuration in /etc/rc.conf so the bridge is created at startup is:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm rl0 addm vr0 up"
ifconfig_rl0="up"
ifconfig_vr0="up"

Finally, enable IP forwarding by setting the kernel parameter with sysctl:

# sysctl -w net.inet.ip.forwarding=1

Thus leaving us with a functioning bridge:

I need to start working on some keystroke logging. I have looked at several options: either hacking OpenSSH to log keystrokes, writing a patch for bash to record it, or launching a script which uses tee to record everything to a file. I’m currently running tests to see if I can get the bash patch to log via syslog-ng to a remote logging server. In the meantime, I shall complete a test of recording traffic to see the average data collected etc. and then conduct a pilot when the SSH server is ready. I may also write my own server in Python using the Twisted framework; I’ve found some tutorials on this.

June 19, 2010

Basic Bridge Plan

Previously, I had decided to create a bridge to aid in traffic logging. I did up a quick plan for this (attached below) and aim to use FreeBSD 8.0 as the OS. The concept is simple: the bridge is to act completely transparently, so the attacker has absolutely no knowledge of, or suspicion about, the fact that they are being passed through a bridge, thus allowing for complete network logging (with the exception of SSH, of course). The SSH issue will be another milestone to overcome. I have the use of a static IP address at home, so I may as well put it to use.

The idea behind this is as follows: a single static address on the router, which is configured to pass connections through to the bridge. The interface connecting to the router will have no IP assigned to it and will be configured to pass all connections through a second interface with the help of ipf (aka ipfilter, which will be compiled into the kernel). The second interface will connect to a wireless access point (AP) which will allow the iPhone to connect to the network. This is where I enter unfamiliar territory. Given that the AP is connected to the bridge via a wired connection (crossover cable), the AP will appear to have the external address. This is not exactly what we want, as the iPhone will have to utilise some network address translation (NAT) to obtain any external access, which will be problematic.

To overcome this I propose amalgamating the wireless AP and the bridge into a single system. Thus, the second interface will in fact become an ad-hoc interface utilising a Prism2 chipset and the 2.4GHz spectrum. This can be achieved by replacing the second interface with a wireless card, compiling wireless support into the kernel and setting up the interface using wiconfig. By associating the iPhone with the bridge in ad-hoc mode and configuring ipf to pass all connections through to the wireless interface, I believe our objective can be met.

It’s now just a matter of convincing the family they’ll survive without the internet for a few days while I take apart the network. I’ll work on getting the bridge set up. I may have to visit my computer graveyard in the attic and throw together anything I can find.

June 8, 2010

GCC on the iPhone

Filed under: Cydia,gcc,libpcap,upgrade — abnev @ 12:03 am

Originally, before upgrading to 3.1.3, it was possible to download and install the GNU C Compiler via Cydia, which worked without a problem. It was also possible to install libpcap via Cydia, and a test was conducted to access the wireless interface. Inspecting ‘ifconfig’ while connected to my home network allowed me to identify the network interface of interest.

abnev-ip1:~ mobile$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
ether f8:1e:df:ad:ec:5a
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
inet 10.52.79.5 --> 10.52.79.5 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether 0a:0b:ad:0b:ab:e0

This again matches what OS X shows. A quick C test program was written, and the test was conducted with success.

#include <stdio.h>
#include <pcap.h>

int main(int argc, char *argv[])
{
    pcap_t *handle;                 /* Session handle */
    char *dev;                      /* The device to sniff on */
    char errbuf[PCAP_ERRBUF_SIZE];  /* Error string */
    struct bpf_program fp;          /* The compiled filter */
    char filter_exp[] = "port 23";  /* The filter expression */
    bpf_u_int32 mask;               /* Our netmask */
    bpf_u_int32 net;                /* Our IP */
    struct pcap_pkthdr header;      /* The header that pcap gives us */
    const u_char *packet;           /* The actual packet */

    /* Define the device */
    dev = pcap_lookupdev(errbuf);
    if (dev == NULL) {
        fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
        return 2;
    }
    /* Find the properties for the device */
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
        fprintf(stderr, "Couldn't get netmask for device %s: %s\n", dev, errbuf);
        net = 0;
        mask = 0;
    }
    /* Open the session in promiscuous mode */
    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Couldn't open device %s: %s\n", dev, errbuf);
        return 2;
    }
    /* Compile and apply the filter */
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return 2;
    }
    if (pcap_setfilter(handle, &fp) == -1) {
        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
        return 2;
    }
    pcap_freecode(&fp);             /* The filter is installed; free the compiled program */
    /* Grab a packet (pcap_next returns NULL on read timeout or error) */
    packet = pcap_next(handle, &header);
    if (packet == NULL) {
        fprintf(stderr, "No packet captured before the read timeout\n");
    } else {
        /* Print its length */
        printf("Jacked a packet with length of [%u]\n", header.len);
    }
    /* And close the session */
    pcap_close(handle);
    return 0;
}
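As an added example (my own code, not from the original post), the decoder below shows what a honeypot logger would do with the bytes pcap_next() returns instead of only printing their length: it parses the Ethernet, IPv4 and TCP headers, bounds-checking every offset against the captured length, and reports the endpoints and flags so that connection attempts matching the "port 23" filter can be logged. The frame bytes are a constructed sample (a SYN from 192.168.1.50:40000 to 192.168.1.1:23), and the names decode_tcp, tcp_summary and sample_is_telnet_syn are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded summary of one frame (my own struct, not a libpcap type). */
struct tcp_summary {
    uint32_t src_ip, dst_ip;      /* IPv4 addresses, host byte order */
    uint16_t src_port, dst_port;  /* TCP ports, host byte order */
    uint8_t  flags;               /* TCP flag byte (0x02 = SYN) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decode Ethernet/IPv4/TCP from a captured frame. Returns 1 on success, 0 if it is
 * not TCP over IPv4 or caplen (header.caplen) is shorter than the headers claim. */
int decode_tcp(const uint8_t *pkt, size_t caplen, struct tcp_summary *out)
{
    if (caplen < 14 + 20 || rd16(pkt + 12) != 0x0800) return 0; /* not IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                  /* IP header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || caplen < 14 + ihl + 20) return 0;
    if (ip[9] != 6) return 0;                                 /* not TCP */
    const uint8_t *tcp = ip + ihl;
    out->src_ip   = rd32(ip + 12);
    out->dst_ip   = rd32(ip + 16);
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->flags    = tcp[13];
    return 1;
}

/* Constructed sample frame: TCP SYN from 192.168.1.50:40000 to 192.168.1.1:23. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0xf8,0x1e,0xdf,0xad,0xec,0x5a, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 */
    0xc0,0xa8,0x01,0x32, 0xc0,0xa8,0x01,0x01,                                /* src, dst */
    0x9c,0x40,0x00,0x17, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00                                 /* doff=5, SYN */
};

/* True when the sample decodes as a new connection attempt to the telnet port. */
int sample_is_telnet_syn(void)
{
    struct tcp_summary s;
    if (!decode_tcp(sample_frame, sizeof sample_frame, &s)) return 0;
    return s.dst_port == 23 && (s.flags & 0x02) != 0;
}
```

In the capture program above, decode_tcp(packet, header.caplen, &s) would be called in place of the printf, and the summary written to the log.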

This successfully captured and printed the packet length. However, since the upgrade to 3.1.3 this is no longer available. Further investigation showed that libgcc support was removed and is no longer available for the latest version. Following some threads, a Google Code project was found which aims to port gcc over to the iPhone: http://code.google.com/p/iphone-gcc/wiki/Installing. In the meantime, a meeting has been set up with the supervisor (Stephen Blott) to discuss the various approaches I’d like to take towards the development of this project.
