Original Gangster 150

TUTORIALS

To fully realise the power and flexibility of the OG150, I will be creating 'Tutorials' which will walk the user through various demonstrations. The demonstrations will range from explaining how to change the default login password on the OG150 through to configuring Reverse SSH tunnels between the OG150 and a remote BackTrack 5 machine.

The content on this page will be updated regularly. The current 'To do list' has 50+ scenarios that I will demonstrate using the OG150. I encourage you to follow me on Twitter - @theog150 – to keep updated on the latest tutorials that have been added.

Note: If you have any comments/corrections regarding the content within the Tutorials, please let me know using the Contact page.

Getting Started Guide

This is the starting place for users who have bought the OG150. This guide covers how to connect to the OG150 for the first time, how to change the default login password and how to change the timezone to your local area (to ensure accurate timestamps). Experienced users may choose to skip this guide.

Difficulty rating: 3/10

Download Tutorial (PDF)

Automated Penetration Test

This tutorial will demonstrate how to use the pre-configured Automated Penetration Test feature. When this feature is invoked, the OG150 will run through 11 pre-configured tests to provide a wealth of information about the target infrastructure. This information includes, but is not limited to, the following: services running on host machines (NMAP scan), FHRP (First Hop Redundancy Protocols) in use, routing protocols in use, wireless networks (and the associated security settings) within range of the OG150, and much more. This information could be used for more focussed attacks. The tutorial explains how to invoke the penetration test manually and automatically upon bootup. In addition, a bonus section explains how you can configure the OG150 to automatically email you the 'Security Report' (penetration test results).

Difficulty rating: 5/10

Download Tutorial (PDF) | Download Sample Security Report (PDF)

Using Reverse SSH Tunnels with AutoSSH

This tutorial will demonstrate how to set up reverse SSH tunnels between the OG150 (SSH Client) and a BackTrack 5 Virtual Machine (SSH Server). This allows the OG150 to be managed from any location on the Internet, once it has been connected to the target network infrastructure. In addition, AutoSSH will be deployed to monitor the health of the SSH connection and attempt to re-establish the SSH connection if it is deemed 'down'.

Difficulty rating: 9/10

Download Tutorial (PDF)

"Razzlerock Hack" - CVE ID CVE-2013-1105

This is a vulnerability related to Cisco Wireless LAN Controllers that I discovered and reported to Cisco PSIRT in June 2012. A public disclosure was released by Cisco on 23rd January 2013. The full advisory can be viewed here:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130123-wlc

In simple terms, a wireless user can assume full administrative control of the Cisco Wireless LAN Controller - even if the 'Management via Wireless' option has been disabled (Note: Assumes that some basic default settings have not been changed). The attached tutorial, code-named the "Razzlerock Hack", demonstrates the end-to-end process using the OG150. You will see how a wireless user systematically takes full administrative control of the Cisco Wireless LAN Controller. Once this is achieved, the Cisco Wireless Infrastructure is compromised.

Difficulty rating: 8/10

Download Tutorial (PDF)

CDP Prank

This tutorial will demonstrate how to spoof CDP (Cisco Discovery Protocol) messages from your OG150 to confuse your Network Admin or Network Support peers. You will see how simple it is to create your own customised CDP message and see how it is displayed on a Cisco device (the tutorial uses a Cisco router for demonstration purposes). This is considered a prank; however, it can also be used for malicious purposes.

Difficulty rating: 2/10

Download Tutorial (PDF)

Wireless Pre-Shared Key Cracking (WPA, WPA2)

This 10-page tutorial starts with a theoretical analysis of WPA/WPA2 PSK security. You will understand the process that is used by WPA/WPA2 PSKs, according to the IEEE 802.11i standard, to secure wireless traffic and how this process can be manipulated to crack the WPA/WPA2 PSK. A practical demonstration of the cracking process using the OG150 follows. The practical demonstration cracks a WPA2 (AES) PSK configured on a Cisco access-point using the OG150's built-in software packages. If your OG150 has been deployed with 'Reverse SSH Tunnel' functionality, you can literally crack wireless WPA/WPA2 PSKs from ANY location in the world. Finally, I discuss the myths, limitations and security prevention measures when using WPA/WPA2 PSKs.

Difficulty rating: 7/10

Download Tutorial (PDF)

ARP Spoofing MITM Attack, Capturing Telnet Data

This 8-page tutorial explains and demonstrates the ARP spoofing attack using the OG150. Once the ARP spoofing attack is executed, a DOS (Denial of Service) condition is initially created (based on default OG150 firewall settings). The tutorial then illustrates how to configure the OG150 to forward IP traffic, leading to a MITM (Man in the Middle) attack. Finally, we leverage the MITM condition to capture Telnet session data (including username/password credentials) using the 'Dsniff' package that is pre-built into the OG150.

Difficulty rating: 7/10

Download Tutorial (PDF)

URL Snarfing

This short 5-page tutorial demonstrates URL snarfing using the OG150. In summary, URL snarfing displays the URLs (websites) that a user is browsing in real-time. This attack typically leverages an existing MITM (Man in the Middle) setup. Being able to view/record all URLs being used by a user can lead to further, more focussed, web-based attacks.

Difficulty rating: 2/10

Download Tutorial (PDF)

Iperf Bandwidth Performance Testing

Iperf is an application that can be used to measure maximum TCP and/or UDP throughput/bandwidth performance. Iperf can report bandwidth, delay jitter and packet loss. Iperf can be used for numerous reasons; a few examples include validating the speed of your Internet connection, performing an Internet bandwidth starvation DOS (Denial of Service) attack, and testing QoS (Quality of Service) configurations. This tutorial will demonstrate Iperf using the OG150 to determine the bandwidth available between the OG150 and a Windows 7 laptop.

Difficulty rating: 2/10

Download Tutorial (PDF) | Watch YouTube Video

VRRP (Virtual Router Redundancy Protocol) Attack

VRRP (Virtual Router Redundancy Protocol) is one of a suite of protocols referred to as FHRPs (First Hop Redundancy Protocols). In this tutorial, we will configure the OG150 to be elected as the ‘Master’ default-gateway for the local IP subnet using the VRRPD package that is pre-built into the OG150. Once this is achieved, the hosts on the local IP subnet will think that the OG150 is the default-gateway. From that position, I will demonstrate a DOS (Denial of Service) attack where the OG150 simply drops all the traffic destined to the VRRP IP address (alternatively, you can configure the OG150 to forward/route the traffic and become a MITM (Man in the Middle) from which additional hacks can be launched).

Difficulty rating: 4/10

Download Tutorial (PDF)

TTCP (Test TCP) Bandwidth Performance Testing

TTCP (Test TCP) is similar to Iperf (see previous tutorial) in that it is a performance measurement tool. One of the benefits of TTCP, however, is that it can be run on Cisco devices (switches/routers). It should be noted that this is an undocumented and unsupported feature on Cisco devices and that functionality will vary between hardware and software versions. In this tutorial, I will demonstrate TTCP between the OG150 (deployed at a 'remote location') and a Cisco router located at the user's home.

Difficulty rating: 4/10

This tutorial is currently being developed. To be notified when this is complete, please follow me on Twitter - @theog150.

SSH MITM Downgrade Attack, Capturing Username Password Credentials NEW CONTENT!

In this tutorial, I will demonstrate how you can capture username/password credentials using an SSH MITM downgrade attack. This attack uses Ettercap to perform both the MITM (ARP spoofing) and the SSH downgrade.

Difficulty rating: 7/10

Download Tutorial (PDF)

"Podo Attack" - Listening To Cisco IP Phone Calls

This is a hack which I have successfully demonstrated using the OG150. In very simple terms, the OG150 compromises the Cisco IP phone and then 'tells' it to send a copy of all voice traffic to the OG150. Once this is achieved, you can play back all voice calls at your pleasure – highly intrusive and highly sensitive. Note: Cisco PSIRT (Product Security Incident Response Team) have given me their permission to publicly release the document. For reference, the Cisco PSIRT case is: PSIRT-1066798373.

Difficulty rating: 9/10

Download Tutorial (PDF)

VPN Pivoting Using OpenVPN

Reverse SSH tunnels are a great way to get remote access to the target network, however you are restricted to the tools supported by the OG150. The OG150 supports most of the common security penetration testing tools currently used by security professionals, but there are some tools which are not currently supported by OpenWRT – such as Metasploit. If you want to run Metasploit against the target network, you would use VPN pivoting. In essence, you create a VPN tunnel from the OG150 on the target network to your VPN server (possibly a Linux VM on your home network). Once this is established you can run ANY tool you like over the VPN tunnel – it is as if you are literally connected to the same network. This tutorial uses OpenVPN to create the VPN pivot, and then demonstrates the use of Metasploit across the VPN tunnel to compromise a PC on the target LAN.

Difficulty rating: 8/10

This tutorial is currently being developed. To be notified when this is complete, please follow me on Twitter - @theog150.

Create Your Own Wi-Fi Hotspot

This tutorial will demonstrate how to configure your OG150 as a ‘Wi-Fi Hotspot’ using CoovaChilli. The ‘Wi-Fi Hotspot’ can be linked to a payment provider such as Worldspot.net. In this scenario, Worldspot.net prompts the user for payment before granting wireless access – this payment is typically linked to your Paypal account and is processed automatically. This feature could be used maliciously, for example it could be deployed on a target network whereby you are using the target's Internet connection whilst wireless users pay YOU for wireless Internet access!

Difficulty rating: 9/10

This tutorial is currently being developed. To be notified when this is complete, please follow me on Twitter - @theog150.

OSPF (Open Shortest Path First) Routing Attack

This tutorial will demonstrate how to configure your OG150 as an OSPF (Open Shortest Path First) router on the target network. You can use this feature to manipulate the IP routing tables on the target’s internetwork. Once this is accomplished, you can perform a DOS (Denial of Service) attack against the target’s internetwork or you can use it as a MITM (Man in the Middle) pivot for further attacks.

Difficulty rating: 7/10

This tutorial is currently being developed. To be notified when this is complete, please follow me on Twitter - @theog150.

Physical Surveillance Using A Covert Wireless Webcam

This tutorial will demonstrate how you can use your OG150 with a covert wireless webcam to stream video and audio from the target infrastructure. The video and audio stream can be sent over a pre-existing Reverse SSH tunnel or an OpenVPN tunnel (see tutorials dedicated to the configuration of these technologies) to the user at a remote location – for example, to their home. If the OG150 is deployed in a sensitive area, such as a meeting room, you can understand the sensitive implications this could have.

Difficulty rating: 6/10

This tutorial is currently being developed. To be notified when this is complete, please follow me on Twitter - @theog150.

Cracking WEP (Wired Equivalent Privacy) Keys

This tutorial will demonstrate how you can use your OG150 to crack WEP (Wired Equivalent Privacy) keys. It is fairly common knowledge that WEP provides almost zero wireless security, given the flaws that have been exposed and demonstrated many times. This tutorial will re-affirm that WEP is not secure and demonstrates how quickly a wireless deployment that uses WEP keys can be exposed.

Difficulty rating: 6/10

Download Tutorial (PDF)

Reaver - Brute Force WPS Attack

This tutorial will demonstrate how you can use your OG150 to implement a brute force attack against WPS (Wi-Fi Protected Setup) registrar PINs in order to recover WPA/WPA2 passphrases. This tutorial will use the Reaver package that is pre-built into the OG150.

Difficulty rating: 4/10

Download Tutorial (PDF) | Watch YouTube Video