How to Install a Hidden Backdoor in a Home Router
In this short tutorial I will show you the basic concepts of how to install your own software on a home router. It can be a backdoor, but it can also be a special monitoring tool or service. We will make some assumptions to keep this tutorial short and simple.
- You have access to the router's control panel. This is the case when you own your router and are practising your security skills on your own network.
- The router is running some open firmware. In this tutorial I'm assuming it is running DD-WRT.
SSH access will be required to copy our software to the router and also to launch it. You can find out how to enable it on the official DD-WRT page; basically you have to click a couple of radio buttons, or type some commands on the command line.
As you are using your own router you already know this, but just in case, here are some tips.
- Log in to the router using ssh (you have just enabled it).
- On the command line type uname -m. This command will tell you the type of processor installed in your router. It will probably be a MIPS SoC.
- Also type cat /proc/cpuinfo to get further details.
Now you need to get (or build) a toolchain for your router platform. In my case I just got one of the official DD-WRT toolchains for MIPS; I got the information from one of the messages in the DD-WRT forums.
Download the toolchain and install it.
In general, you just need to do two things to install a toolchain.
- Uncompress the toolchain package somewhere on your disk.
- Add the directory with all the toolchain binaries to your PATH.
The whole sequence is shown in the screenshot below.
The tools will all be prefixed by mips-.
For the specific toolchain I am using, the prefix is actually mips-linux-. That's important if you have to cross-compile autotools packages... but we are not going to talk about that here.
To keep this tutorial simple, I'm going to use, once again, NetKitty. This tool is pretty convenient because it does not rely on any external library and therefore we can just compile it. I'm not covering in this tutorial how to compile other tools that require libraries. You can find a lot of information on the Internet about cross-compiling and staging packages, in case you need to do that.
To compile NetKitty we just need to do:
You will need to edit the source code to make three changes:
- In line 362 change bash to sh.
- In line 424 just before the while add a line saying daemon(0,1); (man daemon for details).
- In line 517 delete "use_sin =" at the beginning of the line.
Those changes convert NetKitty into a daemon, so we won't need to use screen or nohup to keep it running when our ssh session is closed.
Now you just need to move the file to the router. We will copy our nk-mips binary to the /tmp/ directory. This folder always has write permissions and usually also execution permissions. As we've enabled ssh, we can copy the file using scp and execute it remotely using ssh.
scp nk-mips root@router-ip:/tmp
ssh root@router-ip "/tmp/nk-mips -shell -s T,5001"
Now that your remote shell is running you can disable SSH access in the control panel and log into the router just by connecting to port 5001 with netcat:
nc router-ip 5001
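A defensive counterpart, added here as an example and not part of the original tutorial: the owner of the router should be able to spot a service like this one, because after SSH is disabled what remains is an unauthenticated shell on TCP port 5001 served by a binary sitting in /tmp. The script below audits BusyBox-style `netstat -tlnp` and `ps` output for TCP listeners outside an expected port list and for processes whose executable lives under /tmp, which is exactly the footprint the deployment above leaves. The port allowlist, the column layout assumed for the BusyBox output and the sample lines are my own constructed assumptions; adjust the allowlist to the services your router really runs.

```shell
#!/bin/sh
# Added example (not from the original tutorial): owner-side audit of a
# DD-WRT/BusyBox router for the footprint left by a deployment like the
# one above: unexpected listening ports and processes running from /tmp.
# Assumptions (mine): BusyBox `netstat -tlnp` and `ps` column layouts,
# and an allowlist of ports the owner expects (ssh, dns, http).

EXPECTED_PORTS="22 53 80"

# audit_listeners: read `netstat -tlnp` lines on stdin and print one line
# per TCP listener whose port is not in EXPECTED_PORTS.
# Returns 1 if any were found, 0 otherwise.
audit_listeners() {
    found=0
    while read -r proto recvq sendq laddr foreign state prog; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip header and udp rows
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}                                   # strip the "addr:" part
        ok=0
        for p in $EXPECTED_PORTS; do
            [ "$port" = "$p" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected listener: port $port ($prog)"
            found=1
        fi
    done
    return $found
}

# audit_tmp_procs: read `ps` lines on stdin and print one line per process
# whose executable is under /tmp or /var/tmp (RAM-backed and writable on
# most routers, so a natural drop location). Returns 1 if any were found.
audit_tmp_procs() {
    found=0
    while read -r pid user vsz stat cmd args; do
        case "$cmd" in
            /tmp/*|/var/tmp/*)
                echo "process from tmp: pid $pid user $user cmd $cmd $args"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample output (not captured from a real router) so the script
# runs offline; on the router feed the real `netstat -tlnp` and `ps` instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      999/httpd
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN      2222/nk-mips
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1001/dnsmasq'

SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1600 S    init
  999 root      2100 S    httpd -p 80
 2222 root      1200 S    /tmp/nk-mips -shell -s T,5001'

# run_audit: run both checks on the samples; the exit status lets a cron
# job (or the owner) know that something needs a look.
run_audit() {
    status=0
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners || status=1
    printf '%s\n' "$SAMPLE_PS" | audit_tmp_procs || status=1
    return $status
}

run_audit || echo "audit: findings above need attention"
```

On a real router the two functions are fed with `netstat -tlnp | audit_listeners` and `ps | audit_tmp_procs`; keeping the allowlist short and explicit is what makes a new listener such as 5001 stand out, and checking /tmp catches the same binary even if it is later moved to a different port.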
This was a pretty simple example to demonstrate how to run your own software on your home router. From here you can explore how to deploy more complex tools that depend on external libraries, how to get your applications installed in the router so they are re-launched after a reboot... Lots of fun!