Hacking Your Linux-Based Wireless Router

Reposted 17 September 2007, 00:13:00

WRT54GL History
Linksys found a place in many a geek's heart when it released the original WRT54G router back in 2003. A network router, 10/100 Ethernet switch, and wireless access point all rolled into one, the WRT54G blazed a happy trail as one of the earliest home networking devices to have its firmware source code made publicly available under the GNU General Public License (GPL). Soon after, a number of third-party firmware options became available, letting networking and Linux enthusiasts utilize their routers in ever more powerful and creative ways.
Linksys WRT54GL Router

Earlier this year, Linksys modified the design of its most recent WRT54G. They halved the amount of flash memory and RAM to just 2MB Flash and 8MB RAM and switched to a VxWorks firmware. According to Linksys, this change allowed them to decrease the memory footprint of the OS and reduce the hardware requirements while maintaining a similar feature set at a reduced cost.

Carrying on the Linux heritage for enthusiasts is the WRT54GL, a device with essentially the same Linux kernel, 200MHz processor, 4MB Flash, and 16MB RAM as the old WRT54G v4. Since the majority of aftermarket firmware won't work on the WRT54G v5's crippled hardware, the WRT54GL is now your only Linksys option for third-party-compatible fun if you can't score an older model. It's the same story with the neutered WRT54GS v5, Linksys's SpeedBooster-equipped line that flaunts enhanced Wireless-G speeds.

Here we'll show you how to use these firmware utilities to optimize your wireless internet performance for gaming, VoIP, security, or increased signal strength.


Aftermarket Firmware Options and Flashing the Firmware

Here's a list of some of the popular third-party firmware available for the WRT54GL:

Sveasoft (www.sveasoft.com): Comes in two versions: Alchemy and Talisman. Alchemy is the free public release, but later versions of the WRT54G (v4.0 or higher), WRT54GS (v3.0 or higher), or the WRT54GL (v1.0) are not supported. If you own one of these, you can purchase the latest-release Talisman. The subscription fee is $20/year and includes unlimited support and access to new releases.

DD-WRT (www.dd-wrt.com): Created in response to Sveasoft's $20 fee, early versions of DD-WRT were based on Sveasoft's Alchemy. The current version (v23), however, is an entirely new project that boasts an extensive feature set. It comes in four flavors: Mini, Standard, VoIP (includes SIPatH, a tool for VoIP serving from a Broadcom-based router), and VPN (includes OpenVPN).

HyperWRT (Thibor, www.thibor.co.uk): Thibor 14, the latest version of HyperWRT, only works with the WRT54GS (v1-v4) and WRT54GL. The GUI retains the same look and feel of the Linksys factory firmware. It doesn't have as many features as DD-WRT, but the configuration instructions on the website are fairly straightforward.

OpenWRT (openwrt.org): Built from the ground up without using Linksys sources, this is a purely command-line-based firmware for the serious Linux enthusiast who doesn't need or want a GUI. Their warning states: "Users are expected to have working knowledge of the GNU/Linux command line and basic networking concepts".

This Linksys page has a nice breakdown of features supported by HyperWRT, Sveasoft Alchemy, Talisman, and DD-WRT.

Flashing the Firmware
You can install DD-WRT and HyperWRT using the Linksys firmware flashing utility in the GUI. It is highly recommended to flash over a wired connection. For command-line-only firmware, such as OpenWRT, you can use Trivial File Transfer Protocol (TFTP). This is also an option for restoring the firmware back to a working state if the GUI flashing utility is unreachable for some reason.
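The TFTP route described above is also the one you fall back on when the web flasher is unreachable, so it pays to check the image before pushing it. The following pre-flight script is an added example for this article, not a script from the article or from any firmware project. It assumes a POSIX shell with `md5sum` and the classic `tftp` client that reads its commands on stdin, that the router answers on the usual LAN default 192.168.1.1, and that the caller supplies the MD5 published on the firmware's download page (both are placeholders to replace with your own values).

```shell
#!/bin/sh
# Pre-flight checks before pushing a firmware image to a WRT54GL over TFTP.
# Added example for this article; not from the article or any firmware project.
# Assumes: POSIX sh, md5sum, the stdin-driven tftp client, router at the
# default LAN address, and an expected MD5 taken from the firmware download page.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # assumed router LAN address (placeholder)
FLASH_BYTES=$(( 4 * 1024 * 1024 ))      # the WRT54GL's 4MB of flash

# Exit 0 if the image is non-empty and no larger than the flash part, else 1.
image_fits_flash() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le "$FLASH_BYTES" ]
}

# Exit 0 if the image's MD5 equals the value published alongside the firmware.
image_checksum_ok() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# The tftp client dialogue: binary mode, upload the image, exit.
tftp_script() {
    printf 'binary\nput %s\nquit\n' "$1"
}

# Refuse to flash unless both checks pass; then drive the tftp client.
flash_via_tftp() {
    image_fits_flash "$1" || { echo "refusing: image empty or larger than flash" >&2; return 1; }
    image_checksum_ok "$1" "$2" || { echo "refusing: checksum mismatch" >&2; return 1; }
    tftp_script "$1" | tftp "$ROUTER_IP"
}

# usage (placeholders): flash_via_tftp <image.bin> <md5-from-download-page>
```

The size check catches the wrong-model image case (an image larger than the part will never fit), and the checksum check catches a truncated or tampered download; both refuse before a single byte reaches the bootloader, which is the cheapest possible place to stop a brick.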

For the following examples, we tested DD-WRT.v23 and HyperWRT Thibor 14. We barely scratch the surface in terms of what one is capable of with the WRT54GL and various firmware options.

Flashing Firmware

Traffic Shaping Using DD-WRT

Traffic shaping is a way of optimizing network performance with emphasis on latency and bandwidth. Normally, without any shaping, your home broadband router deals with requests on a first come, first served basis. This strategy works just fine at McDonald's, but it comes up short in situations where high and low-priority traffic compete for limited resources.

You may have noticed your network responsiveness suffer during heavy traffic. DSL modems employ large packet queues to maximize download speed and limit packet loss, but filling your upstream quota (mine is 384kbps at home) and maxing out the queue can result in high latency. That causes severe performance degradation for interactive applications where response time really matters—VoIP calls suck, VNC takes forever to respond, or you get killed easily when playing an online FPS. VoIP traffic is especially dependent on Quality of Service (QoS), a component of traffic shaping. Network aberrations like latency, packet loss, and jitter can have a crippling effect on call quality and cause delayed speech, overlapping, echoing, and other undesirable effects.

Lowering the uplink Kbps in DD-WRT's QoS settings is the first step to making traffic shaping more efficient. That is, we set aside some extra bandwidth to guarantee service for our high-priority applications. DD-WRT recommends limiting bandwidth allocation to 80% to 95% of maximum for uploads. The downlink speed is a different story, since downstream queuing is essentially controlled by the ISP. In other words, you don't have much say about when the packets arrive, but you can control how they go out. That's where you can free up the congestion bottleneck. DD-WRT suggests setting downlink Kbps between 80% and 100% of maximum.

Say you're sharing a DSL or cable connection over a WRT54GL with bandwidth-hogging BitTorrenters and need low pings for World of Warcraft and Battlefield 2. You can customize traffic prioritization by assigning different bandwidth classes to selected services, netmasks, MACs, or Ethernet ports. The four classes are broken down into premium, express, standard, and bulk. Premium, the highest priority class where you want minimum delay, should be assigned very selectively. It'll include top-priority traffic like ICMP, DNS, handshaking, maybe VoIP. Other interactive stuff that doesn't quite fit into premium, such as browsing and SSH, fits under express. Standard includes everything else. Down at the bottom there's the bulk classification for P2P, BitTorrent, FTP, and other applications for which latency isn't a vital consideration.


If you prefer the Telnet/SSH method, you could also classify packet priority with iptables through the command line.
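The four-class scheme just described, carried out from the router's shell with `tc` and `iptables`, as an added example that is not part of the original article and is not DD-WRT's own QoS implementation. It assumes the WAN port is the interface named `vlan1`, that the firmware's `tc` supports HTB and SFQ and its `iptables` has the MARK target, and it uses stand-in port numbers for the services the article names (SSH 22, web 80/443, SIP 5060, FTP 21, BitTorrent 6881-6889). The 85% uplink figure sits inside DD-WRT's recommended window and the per-class shares are arbitrary starting points; the script prints its commands by default and applies them only with `DRY_RUN=0`.

```shell
#!/bin/sh
# Four-class uplink shaper (HTB classes plus iptables fwmarks) for a WRT54GL
# shell session. Added example for this article; not DD-WRT's QoS script.
# Assumptions: WAN interface "vlan1", tc with HTB and SFQ, iptables with MARK,
# and placeholder port numbers for the services being prioritized.

WAN_IF="${WAN_IF:-vlan1}"       # assumed WAN interface name
LINK_KBPS="${LINK_KBPS:-384}"   # measured upstream rate quoted in the article
PERCENT="${PERCENT:-85}"        # inside DD-WRT's recommended 80-95% uplink window
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands, 0 = execute them (needs root)

# Shaped uplink ceiling in kbps: the measured rate scaled by the chosen percentage.
uplink_limit_kbps() {
    echo $(( $1 * $2 / 100 ))
}

# Guaranteed rate for one class: its share of the ceiling. Each class may still
# borrow up to the full ceiling while the others are idle.
class_rate_kbps() {
    echo $(( $1 * $2 / 100 ))
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

gen_qos_rules() {
    ceil=$(uplink_limit_kbps "$LINK_KBPS" "$PERCENT")

    # Root HTB qdisc; unmarked traffic lands in class 1:30 (the "standard" class).
    run tc qdisc del dev "$WAN_IF" root 2>/dev/null || true
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 30
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"

    # classid  prio  share%  fwmark   (premium, express, standard, bulk)
    for spec in "10 0 20 1" "20 1 30 2" "30 2 30 3" "40 3 20 4"; do
        set -- $spec
        rate=$(class_rate_kbps "$ceil" "$3")
        run tc class add dev "$WAN_IF" parent 1:1 classid "1:$1" htb \
            rate "${rate}kbit" ceil "${ceil}kbit" prio "$2"
        run tc qdisc add dev "$WAN_IF" parent "1:$1" handle "$1:" sfq perturb 10
        run tc filter add dev "$WAN_IF" parent 1: protocol ip prio "$(( $2 + 1 ))" \
            handle "$4" fw flowid "1:$1"
    done

    # Classify outbound packets by marking them just before they reach the qdisc.
    run iptables -t mangle -F POSTROUTING
    # premium (mark 1): ICMP, DNS, TCP handshakes, SIP signalling
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p icmp -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p udp --dport 53 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp --syn -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p udp --dport 5060 -j MARK --set-mark 1
    # express (mark 2): SSH and web browsing
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp --dport 22 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j MARK --set-mark 2
    # bulk (mark 4): FTP and BitTorrent; anything left unmarked stays in standard
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp --dport 21 -j MARK --set-mark 4
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp --dport 6881:6889 -j MARK --set-mark 4
}

gen_qos_rules
```

The marks are set in the mangle POSTROUTING chain, which the kernel processes just before handing a packet to the egress qdisc on the WAN interface, so every outbound packet reaches the HTB tree already tagged; whatever no rule matched falls into 1:30 through `default 30`. Shaping only the upload side matches the article's point that the downstream queue belongs to the ISP.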

DD-WRT: Boosting Wireless Range

Under the Wireless>>Advanced Settings tab, DD-WRT has a customizable setting for transmit power. Labeled "Xmit Power", this entry is 28mW by default, but it can be set anywhere between 0 and 251mW. The "Help" menu indicates up to 70mW is safe for improving range. Raising the power level above that, they warn, may generate excess heat in the chipset, which could shorten the life of the router.

And setting it too high probably won't boost your wireless range by much. Additional power output might actually generate enough interference to diminish the signal-to-noise ratio (SNR), hurting range and throughput. Finally, clients, typically power-saving laptops, probably can't produce an equivalent mW radio response at the edge of the router's boosted range, so the gain on one side of the link goes largely unused.

Transmit Power Tweaking
Wireless Repeating with WDS

Trying to extend your WiFi reach is by no means a lost cause. In fact, it's possible to get viable range extension with DD-WRT's Wireless Distribution System (WDS) protocol. WDS provides bridging and repeating capabilities for routers. For example, you might want to share a single broadband connection through two routers, using the second router to expand your wireless range.

With WDS, two or more routers are connected wirelessly by their MAC addresses. Both the router connected directly to the internet and the remote router can accept client connections. Regardless of which router they're on, clients share the same subnet and are visible to one another across the WDS link. They also share the same network channel and encryption keys. Under this configuration, if you're planning on using WPA encryption, the same SSID should be used for both routers. For WEP, assign a different SSID for each.

Because 802.11b/g radios are half-duplex and the routers share a single channel, the additional backhaul traffic for each additional node consumes some of the available bandwidth and degrades network performance to some degree.


Using directional or high-gain antennas with boosted signal power, WRT54G buffs have managed to extend stable WDS networks over distances of many miles. Such long links usually require line of sight, so you'll often find the routers perched high atop towers and buildings with some kind of protection from the elements.

DD-WRT: Other Features

Management: DD-WRT adds features like Samba FS Automount (to mount shared folders from Windows PCs), boot wait (creates a 5-second delay while booting for flashing new firmware, typically used when the firmware is unreachable through the web interface), and support for IPv6 and Journaling Flash File System 2 (JFFS2).


Chillispot: This tool is useful for configuring your own captive portal hotspot with RADIUS server authentication support.


Firewall: Additional filter settings for proxies, cookies, and Java applets.


Kai Daemon: Tunneling for LAN/system-link console gaming that works with the XBox, Playstation 2, PSP, and Gamecube.

HyperWRT Thibor: Screens

HyperWRT Thibor 14: Looks and feels just like the factory Linksys firmware with a few tweaks.

HyperWRT Thibor 14 Firmware

Advanced Wireless Settings: Transmit power can be set to a maximum of 84mW. The transmission rate can also be set manually from 1 to 54Mbps.

Advanced Wireless Settings

Port Triggers: Dynamically forward ports based on specific applications and customizable port ranges.

Port Triggering

QoS: Additional QoS settings such as prioritizing ACK and ICMP. Low, medium, high, and highest classifications can be assigned to various P2P applications: BitTorrent, Kazaa, eDonkey, and Gnutella.


Factory Defaults: A "Clear NVRAM" option is added alongside the "Restore factory defaults" option.

Restore Factory Defaults

Firewall: Extra firewall options like filters for proxy, Java applets, cookies, ActiveX, P2P, and blocking port scans.

What to Do If You Brick It

With any kind of tweaking or modding, you run the risk of bricking (rendering your router useless) with a bad flash or buggy software. If that unfortunate circumstance befalls you, there are a few methods of last resort you can try before assigning the black and blue plastic box permanent paperweight status.

Read more Wireless Networking articles on ExtremeTech.

Final Thoughts: Should You?

Not everyone needs a router that accepts customized firmware. Most home users would be perfectly happy with the lesser WRT54G. But the WRT54GL opens up a host of possibilities for more demanding users. So if your wireless networking environment needs more power, if you're interested in VoIP, if you need improved security for a Wi-Fi hotspot, or if you have other needs not served by the standard firmware in consumer routers, check out the WRT54GL and the wealth of emerging open-source firmware.
