What is the "MiniPwner"?
The MiniPwner is a penetration testing "drop box".
It is designed as a small, simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network.
It's a portable TP-Link MR3040 running OpenWRT and some powerful applications.
Features
- Wired and Wireless connections
- Low power consumption
- Multiple Pen Testing Tools
- Flexible and Expandable
- Small size
Pen Testing Drop Box
In this mode, the MiniPwner is used to establish rogue access to a target network during a penetration test. The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port (common locations include conference rooms, unoccupied workstations, the back of IP telephones, etc.).
Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via WiFi.
The MiniPwner can run some software directly from the box, such as nmap to map the target network or the samba client to connect to Windows shares. Other tools, such as Metasploit or Nessus, can be run through the box using a VPN tunnel.
Wireless war-walking
The battery-powered MiniPwner is small enough to fit in your jeans pocket and can run for hours. In wireless war-walking mode, you start Kismet or aircrack-ng on the MiniPwner and record details about all of the wireless networks the device detects.
Captive WiFi Portal or Rogue Access Point
Use the Karma application to discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
Aircrack-ng is a complete suite of tools to assess WiFi network security.
It focuses on different areas of WiFi security:
- Monitoring: Packet capture and export of data to text files for further processing by third party tools
- Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
- Testing: Checking WiFi cards and driver capabilities (capture and injection)
- Cracking: WEP and WPA PSK (WPA 1 and 2)
ELinks is an advanced and well-established feature-rich text mode web (HTTP/FTP/..) browser. ELinks can render both frames and tables, is highly customizable and can be extended via Lua or Guile scripts. It is quite portable and runs on a variety of platforms. Check the about page for a more complete description.
ELinks is an Open Source project covered by the GNU General Public License. It originates from the Links project written by Mikulas Patocka.
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
NBTScan is a program for scanning IP networks for NetBIOS name information (similar to what the Windows nbtstat tool provides against single hosts). It sends a NetBIOS status query to each address in a supplied range and lists received information in human readable form.
netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
Nmap ("Network Mapper") is a utility for network discovery and security auditing. It is also useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
The OpenSSH suite consists of the following tools:
- Remote operations are done using ssh, scp, and sftp.
- Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
OpenVPN implements a virtual private network to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages. "Perl" refers to Perl 5, but from 2000 to 2019 it also referred to its redesigned "sister language", Perl 6, before the latter's name was officially changed to Raku in October 2019.
ftp-like client to access SMB/CIFS resources on servers
Snort is a lightweight network intrusion detection system (NIDS) to detect emerging threats.
tar is a computer software utility for collecting many files into one archive file, often referred to as a tarball, for distribution or backup purposes.
tcpdump is a data-network packet analyzer that allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
FTP client
What You'll Need
- TP-Link MR3040 (buy here)
- SanDisk 16GB USB drive (or equivalent)
- MiniPwner Overlay - found here
(1) Format The USB Drive
Set up two partitions on the USB drive: a single 500 MB partition for swap space and the rest of the space for storage.
This can be done on a Linux system using fdisk or gparted.
Partition 1 = 500 MB SWAP
Partition 2 = 15.5GB ext4
(2) Install OpenWRT
Download OpenWRT Barrier Breaker - found here.
Boot your TP-Link MR3040 and login at http://192.168.0.1 (default credentials are admin/admin).
Select System Tools and then Firmware Upgrade.
Use the Choose File button to select the OpenWRT Barrier Breaker image.
Use the Upgrade button to apply the image.
Wait for the image to be applied.
After the TP-Link reboots it will now be at 192.168.1.1.
(3) The Setup
Telnet to the TP-Link at 192.168.1.1.
Set a root password with the passwd command.
NOTE: You will need to get the TP-Link onto the Internet to download packages.
Install the following packages to enable USB support:
- kmod-scsi-core
- kmod-usb-storage
- block-mount
- kmod-lib-crc16
- kmod-crypto-hash
- kmod-fs-ext4
Plug the USB drive into the 3G port and reboot the TP-Link.
Log back into the TP-Link via ssh using the user root and the password you just set.
Modify the /etc/config/fstab to match the following:
config 'global'
	option anon_swap '0'
	option anon_mount '0'
	option auto_swap '1'
	option auto_mount '1'
	option delay_root '10'
	option check_fs '0'

config 'swap'
	option device '/dev/sda1'
	option enabled '1'

config 'mount'
	option target '/'
	option device '/dev/sda2'
	option fstype 'ext4'
	option options 'rw,sync'
	option enabled '1'
	option enabled_fsck '0'
Run the following commands to "pivot root" to the USB drive:
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
mkdir /mnt/sda2
mount /dev/sda2 /mnt/sda2
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot
You now need to modify the /etc/config/fstab again, so it will boot off the USB drive.
Reboot the TP-Link (and now it becomes a MiniPwner).
Verify the USB drive is mounted correctly by issuing the df -h command.
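A wrong stanza in /etc/config/fstab is the usual reason the pivot silently fails and the box comes back up on internal flash, so it is worth checking the file before the reboot and checking where / is served from after it. The script below is an added example, not code from the MiniPwner project; the function names check_fstab and root_device and the --run flag are the example's own, and it expects the device layout used in this guide (swap on /dev/sda1, ext4 root on /dev/sda2).

```shell
#!/bin/sh
# Added example, not part of the MiniPwner project or the original guide.
# Checks the /etc/config/fstab from step (3) before the reboot, and confirms
# after the reboot that / is really served from the USB drive. POSIX sh only,
# so it runs under the BusyBox ash that OpenWRT ships.

# check_fstab FILE
# Returns 0 when FILE contains an enabled "swap" stanza for /dev/sda1 and an
# enabled "mount" stanza putting /dev/sda2 (ext4) on /. Options are matched
# only inside their own stanza, so a stray option in 'global' cannot satisfy it.
check_fstab() {
    awk '
        $1 == "config" { section = $2; gsub(/\047/, "", section); key = "" }
        $1 == "option" { key = $2; val = $3; gsub(/\047/, "", val) }
        section == "swap"  && key == "device"  { swap_dev = val }
        section == "swap"  && key == "enabled" { swap_on  = val }
        section == "mount" && key == "target"  { mnt_tgt  = val }
        section == "mount" && key == "device"  { mnt_dev  = val }
        section == "mount" && key == "fstype"  { mnt_fs   = val }
        section == "mount" && key == "enabled" { mnt_on   = val }
        END {
            ok = swap_dev == "/dev/sda1" && swap_on == "1" &&
                 mnt_tgt == "/" && mnt_dev == "/dev/sda2" &&
                 mnt_fs == "ext4" && mnt_on == "1"
            exit (ok ? 0 : 1)
        }' "$1"
}

# root_device [MOUNTS_FILE]
# Prints the device currently mounted on /, read from /proc/mounts by default
# (BusyBox df -h and mount show the same information). After a successful
# pivot this must be /dev/sda2; the flash rootfs line is listed first, so the
# last entry for / wins.
root_device() {
    awk '$2 == "/" { dev = $1 } END { print dev }' "${1:-/proc/mounts}"
}

# Run on the MiniPwner: sh check_extroot.sh --run
if [ "${1:-}" = "--run" ]; then
    if check_fstab /etc/config/fstab; then
        echo "fstab: OK (swap on /dev/sda1, ext4 root on /dev/sda2)"
    else
        echo "fstab: MISMATCH, fix /etc/config/fstab before rebooting"
    fi
    echo "/ is mounted from: $(root_device)"
fi
```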
Choose one of the two methods listed under Install to install and configure the MiniPwner Overlay.
Make sure the three position switch is in the middle position (WISP) and then reboot the MiniPwner.
Method One:
wget -O /tmp/minipwner.zip https://github.com/nicholasadamou/minipwner/archive/master.zip && \
unzip -d /tmp /tmp/minipwner.zip && \
cd /tmp/minipwner-master && \
bash src/setup.sh
Method Two:
wget -O /tmp/minipwner-overlay_2.0.0.tar https://raw.githubusercontent.com/nicholasadamou/minipwner/master/OVERLAY/minipwner-overlay_2.0.0.tar && \
mkdir /tmp/minipwner-overlay_2.0.0 && \
tar -C /tmp/minipwner-overlay_2.0.0 -xvf /tmp/minipwner-overlay_2.0.0.tar && \
cd /tmp/minipwner-overlay_2.0.0 && \
sh src/setup.sh
There are three versions of firmware that apply to the MR3040 Version 1. You MUST ensure that you use the correct version of firmware for your MR3040 V1.
For TLMR3040 Version 1 the Full Install binary version 17.01.5 is located here:
http://downloads.openwrt.org/releases/17.01.5/targets/ar71xx/generic/openwrt-17.01.5-ar71xx-generic-tl-mr3040-v1-squashfs-factory.bin
For TLMR3040 Version 1 the UPGRADE Install binary version 17.01.5 is located here:
http://downloads.openwrt.org/releases/17.01.5/targets/ar71xx/generic/openwrt-17.01.5-ar71xx-generic-tl-mr3040-v1-squashfs-sysupgrade.bin
For TLMR3040 Version 1 the original TP-LINK firmware is located here:
http://www.tp-link.com/en/download/TL-MR3040_V1.html
There are three versions of firmware that apply to the MR3040 Version 2. You MUST ensure that you use the correct version of firmware for your MR3040 V2.
For TLMR3040 Version 2 the Full Install binary version 17.01.5 is located here:
http://downloads.openwrt.org/releases/17.01.5/targets/ar71xx/generic/openwrt-17.01.5-ar71xx-generic-tl-mr3040-v2-squashfs-factory.bin
For TLMR3040 Version 2 the UPGRADE Install binary version 17.01.5 is located here:
http://downloads.openwrt.org/releases/17.01.5/targets/ar71xx/generic/openwrt-17.01.5-ar71xx-generic-tl-mr3040-v2-squashfs-sysupgrade.bin
For TLMR3040 Version 2 the original TP-LINK firmware is located here:
http://www.tp-link.de/support/download/?model=TL-MR3040&version=V2
If your device was purchased from Crownhill and you have NOT opened or physically damaged the device, Crownhill will flash it back to factory (like new) for a fixed fee to cover return postage in the UK or EU. Contact sales at crownhill.co.uk.