Forum Topic

The OpenWRT Thread

  • How do I know? I set up a Kali Linux box that just monitors the wifi. There is also something capturing the password; when I input the wifi password it won't connect right away,

    The thing is, getting the password is the hard part. What I'm saying is, it's hard to just get into someone else's wifi, and if you don't have definite proof that they got in, then they didn't get into your wifi; the only way they can get into your wifi is via your password, period. There is no shortcut to hacking wifi other than getting the password, and with a good enough password it will take ages before they can crack your password. Those deauth attacks are just that, they'll only DC you from the wifi, and the other technical terms that you see on the internet.




    Don't remember what I did, but it looks like it has settled down so far.
    good to know.
  • and deauth attack should be preventable by enabling "802.11w Management Frame Protection" under the wireless settings in OpenWrt. But I recommend only enabling this on an SSID where only modern devices are connected, because it is not supported on any legacy device and will cause issues, same with any IoT device.
  • The thing is, getting the password is the hard part. What I'm saying is, it's hard to just get into someone else's wifi, and if you don't have definite proof that they got in, then they didn't get into your wifi; the only way they can get into your wifi is via your password, period.

    That's the thing. What if they don't have to crack the password? What if there is a compromised device in the network? What if they used bluetooth or RF instead? Haven't tested it, but articles say you can hijack a device via bt or rf. I disabled bluetooth on all devices, but one TV's bluetooth keeps on turning on. If it was that easy to detect and track illegal connection, I would be reporting the issue to "authorities" to kick out or apprehend the perpetrators. For now, observe again and log everything, including neighborhood APs (and fake APs).


    and deauth attack should be preventable by enabling "802.11w Management Frame Protection" under the wireless settings in OpenWrt. But I recommend only enabling this on an SSID where only modern devices are connected, because it is not supported on any legacy device and will cause issues, same with any IoT device.

    Yup, I enabled it. Those deauth attacks were with my other router, before I used OpenWRT. I've only been on OWRT for one month. So far I haven't encountered any deauth. I'm planning on using 2.4GHz with management frame protection disabled for older devices. BTW the 2.4GHz is very slow, only 2~5mbps.
  • That's the thing. What if they don't have to crack the password? What if there is a compromised device in the network?
    Hmmmn. That's a different issue altogether, wifi is actually secure enough (unless you leak your password), and whatever device you have that's leaking the password, you need to find that... if you suspect your TV to leak the password, just put it on a guest network of some sort that you only turn on when you need it (or have the guest network only have access to netflix' IPs)

    What if they used bluetooth or RF instead? Haven't tested it, but articles say you can hijack a device via bt or rf.
    well, everything you've said so far are what-ifs, I was trying to ask you for screenshot of your dashboard when you suspected that there's an outside connection (a few posts ago), but all replies are just hypotheticals. Well, I'm on the field relating to security research, that's why I'm a bit skeptical when someone tells me that a wifi can be hacked so 'easily', since that will be a security researcher's nightmare (or party, whichever you look at).

    If it was that easy to detect and track illegal connection,
    Actually, with openwrt, it's *very easy* to determine, the dashboard tells everything, if you want finer details, just do a "iw dev <wlandev> station dump", if you want to know what are the active connections being routed, just dump /proc/net/nf_conntrack

    EDIT: I saw that you've posted a screenshot, is your router close to a wall? looks like the device connected is very near the router, the signal strength looks like it's only 3-5 meters away unobstructed.

    About it not having any information other than the MAC and IP, That's normal, my Nintendo Switch is like that on the dashboard. (https://i.imgur.com/485pczq.png / https://i.imgur.com/JgRq6xz.png)

    ^ you can easily check which IPs it is going to by just "grep 192.168.6.193 /proc/net/nf_conntrack", then investigate from there.

    -- edited by baratzki on Feb 06 2024, 02:13 AM
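
Added example (not part of any post in this thread): the `grep <ip> /proc/net/nf_conntrack` check suggested in the reply above, extended into a per-destination summary that matches the client address exactly, so a query for 192.168.6.19 does not also pick up 192.168.6.193. The helper name `conntrack_summary` is hypothetical and the sample lines are constructed; byte totals assume conntrack accounting (`net.netfilter.nf_conntrack_acct=1`) is enabled.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises where one LAN client is
# connecting, from text in the /proc/net/nf_conntrack format.
# Output columns: destination  proto/dport  flow-count  total-bytes
# Byte totals stay 0 unless accounting is on (assumed for the sample):
#   sysctl -w net.netfilter.nf_conntrack_acct=1

# Constructed sample (documentation address ranges), not a real capture.
SAMPLE='ipv4     2 tcp      6 7431 ESTABLISHED src=192.168.6.193 dst=198.51.100.10 sport=50122 dport=443 packets=40 bytes=5200 src=198.51.100.10 dst=203.0.113.7 sport=443 dport=50122 packets=55 bytes=61000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 102 TIME_WAIT src=192.168.6.193 dst=198.51.100.10 sport=50130 dport=443 packets=8 bytes=900 src=198.51.100.10 dst=203.0.113.7 sport=443 dport=50130 packets=6 bytes=2100 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 21 src=192.168.6.193 dst=192.168.6.1 sport=40211 dport=53 packets=1 bytes=62 src=192.168.6.1 dst=192.168.6.193 sport=53 dport=40211 packets=1 bytes=94 mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=192.168.6.19 dst=198.51.100.77 sport=123 dport=123 packets=1 bytes=76 src=198.51.100.77 dst=203.0.113.7 sport=123 dport=123 packets=1 bytes=76 mark=0 zone=0 use=2'

# conntrack_summary <client-ip> [file]   (hypothetical helper; "-" = stdin)
conntrack_summary() {
    awk -v ip="$1" '
    {
        proto = $3; src = ""; dst = ""; dport = "-"; bytes = 0; tuples = 0
        for (i = 4; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue                 # timeout, state, [ASSURED]
            if (kv[1] == "src") { tuples++; if (tuples == 1) src = kv[2] }
            else if (tuples == 1 && kv[1] == "dst") dst = kv[2]
            else if (tuples == 1 && kv[1] == "dport") dport = kv[2]
            else if (kv[1] == "bytes") bytes += kv[2]   # both directions
        }
        # Exact match on the originating address; a plain grep for
        # 192.168.6.19 would also hit 192.168.6.193.
        if (src != ip) next
        key = dst " " proto "/" dport
        flows[key]++; total[key] += bytes
    }
    END { for (k in total) print k, flows[k], total[k] }
    ' "${2:--}" | sort
}

# On the router: conntrack_summary 192.168.6.193 /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE" | conntrack_summary 192.168.6.193
```

A listed station whose address produces no rows here has no tracked flows through the router at that moment, which is one way to separate a stale association entry from a client that is actually passing traffic.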
  • ^ takeaway, only those with password can connect to your wifi, as for your 192.168.6.193 device (from your screenshot), the display is normal, some devices really don't advertise their hostname or have ipv6 support, the question is, is that one of your device or just speculating that it's not your device since it only have a mac and ip? how long will an unknown device return after you changing the password?
  • if you suspect your TV to leak the password, just put it on a guest network of some sort that you only turn on when you need it (or have the guest network only have access to netflix' IPs)

    Android TV is now connected via LAN just recently. Bluetooth was disabled just recently but it still turns on sometimes. Maybe some apps or services doing that.


    I was trying to ask you for screenshot of your dashboard when you suspected that there's an outside connection (a few posts ago), but all replies are just hypotheticals.

    It is a matter of disconnecting it now and minimize damage, theft, intrusion or document and wait for it. Either way, if I capture it and say that that device is off, would you believe it? I dunno where the full log is located, I'm sure it is there if it isn't truncated/refreshed yet. All devices use passwords.

    How about this one?
    https://www.geeksforgeeks.org/how-to-install-super-bluetooth-hack-on-android/
    https://www.wikihow.com/Install-Super-Bluetooth-Hack-on-Android


    that it's not your device since it only have a mac and ip? how long will an unknown device return after you changing the password?

    No idea. Just happened to check early morning (when I am usually still asleep) and I saw a device with my wife's macbook name connected. When I checked Macbook is off, closed lid and wifi is off. Macbook does not randomize mac address, so I use a script to manually change it. The connected rogue device used an older mac address that I used before. Haven't noticed it connecting yet. Should be in the log. WebUI and ssh was accessible through wifi until just a few days ago.

    -- edited by magichunter on Feb 06 2024, 05:56 AM
  • Ok, something weird happened. The internet went out on both wifi and LAN. When I checked the main router: "Upstream port disconnected". Restarted main router twice, same error/issue. Restarted OpenWrt router, internet came back. What was that????
  • When I checked Macbook is off, closed lid and wifi is off. Macbook does not randomize mac address, so I use a script to manually change it.
    Ah, so it really is your device, but you are just suspecting an external entity since the device is off? no, that's not an external entity, it's just your device, an external entity will not just spoof the mac and magically connect to your wifi, they still need the password. It's just your device, and it's just listed, probably a driver issue on your router, as I checked your original post, your router doesn't show the noise level and suspected a driver issue.

    also, searching the net: https://discussions.apple.com/thread/252406304?sortBy=best
    >>>WiFi remains connected even in sleep mode

    ^^ probably the same issue as you.

    Restarted OpenWrt router, internet came back.
    Yeah, most likely you have a somewhat faulty router (or driver issue). not somebody hacking you, or as i've added above, maybe it's just your device.

    -- edited by baratzki on Feb 06 2024, 02:55 PM
  • Ah, so it really is your device, but you are just suspecting an external entity since the device is off? no, that's not an external entity, it's just your device, an external entity will not just spoof the mac and magically connect to your wifi, they still need the password. It's just your device, and it's just listed, probably a driver issue on your router, as I checked your original post, your router doesn't show the noise level and suspected a driver issue.

    Yeah, except I restart (wifi up down) every midnight. So every connected or stuck device will be cleared right? Have you tried the bluetooth hack? Will try that soon.


    Yeah, most likely you have a somewhat faulty router (or driver issue). not somebody hacking you, or as i've added above, maybe it's just your device.

    LOS light was blinking in the main router. Can secondary router cause that?
  • also, searching the net: https://discussions.apple.com/thread/252406304?sortBy=best
    >>>WiFi remains connected even in sleep mode

    I have already seen this. First of all, this happens if the macbook in question was NOT OFF, it is in sleep mode or closed lid. Secondly, the wifi is ON and it was connected to a wifi network before going to sleep. Third, it should display the current, correct mac address.

    I got an idea. If it was a zombie connection or could be a bug or issue on the router, then there shouldn't be any data transmission right? Is there a log for data transmission for a particular mac address/ip address at specific time?

    -- edited by magichunter on Feb 07 2024, 05:48 AM
  • Laptop connected to wifi today, but there was no internet. After I enabled the Cloudflare WARP app, there was internet. Off, no internet. All other devices are OK with enabled or disabled warp app. Last night there was no problem. Solution? Delete, format, fresh recover laptop. It's OK now afterwards. And it now displays properly on the dashboard, like 5 days ago (ip address, mac address, device name):

    <click here for link>

    -- edited by magichunter on Feb 09 2024, 07:59 AM
  • Good to know you found the culprit, could just be a driver issue (or perhaps a malware) nuking the laptop would be my last resort too for a really sticky problem. - especially with apple devices, those devices works well if it works, but really hard to troubleshoot if there's an issue, usual fix for apple device is to nuke it or replace it entirely
  • a very long debugging with openwrt specially with mediatek wifi chipset.

    For some reason, the MT7603 drivers are very buggy on OpenWrt. I was wondering why the 2.4GHz wifi disappears for no reason, and it can be easily triggered if I have 3 devices doing iperf at the same time; you just notice that the SSID on 2.4GHz is gone, but the devices that are already connected still have a network connection, albeit very slow, and if you stop the iperf, nothing changes, the 2.4GHz is still acting up; not even a radio restart of the MT7603 can fix it, only a power cycle can fix the issue. After that I repeated the iperf test, but this time I just let it keep going even after the 2.4GHz SSID disappeared, and this time, if I leave the router as is running iperf, it eventually ends in a kernel crash. But if I leave the 2.4GHz radio disabled and just the 5GHz working, the router is super stable and never crashed during the entire day of iperf testing. Someone suggested on GitHub to set the MT7603's wireless to legacy mode and that certainly fixed the issue, albeit the wifi on 2.4GHz is bad; I'm sure the speed I get is not even Wifi G speed but B.

    Well, in short, MT76xx is very buggy on OpenWrt; I just restored the router to stock firmware, and no matter how many iperf tests I run, it is super stable on 2.4GHz wifi using its stock OEM firmware.

    I'm now testing a TP-Link Archer AX23 v1.20 that I recently purchased from Shopee, flashed the router with OpenWrt (it is just the same as v1) and so far it's OK? Entire day of iperf testing, not a single reboot required, though the wifi got disconnected twice over the entire day (probably just the noise around, I count this as a normal occurrence since the airspace at our house is very noisy) but hey, the SSID is not gone, the speeds are good, the router never crashed.
  • Well in short MT76xx is very buggy on openwrt,
    hmmmn, I have an AX6S (MT7622), and it's quite OK (see previous pages), good thing I waited a bit before diving into WiFi-AX, I usually upgrade to the latest ones, but WiFi-AC seems to be OK still (actually OK up to now, with how slow PH's internet is)

    -- edited by baratzki on Feb 16 2024, 08:28 PM
  • ^ it's probably limited only to the MT7603 chipset, whose sole responsibility is wifi on the 2.4GHz radio.

    as stated here: <click here for link>

    exact same issue as what I am experiencing. still no fix for it, if you dig on github some of these issues are just reposts of ones reported in year 2018.

    it's really a BAD idea to use OpenWrt on a router that runs an MT7603 chipset; just stick with stock firmware until they can finally figure out what the heck is happening.

    as for the 5GHz, as I said, it has no issues with the current open-source driver, as in it's stable (based on MT7612/7613 chipset); the MT7603 for 2.4GHz wifi is just a real headache: not only is it not stable (because the SSID disappears and the wifi slows down), it can also crash the entire router itself.

    test were based on these routers:

    Xiaomi Router 4a Gigabit
    Tplink archer c6 v3
    Netgear r6220

    all exhibit the exact issue and also easily triggered with the same test and also all are only fixed if I flashed the firmware with stock firmware.
  • I'm on a CPE running OPENWRT, IT'S SO NICE, DAMN
  • @polka haha...

    that made me run iperf on my Asus RT-AX53U too. but so far it's all good.

    iperf server - 9 instances (diff. listen ports of course)
    3 devices - 3 instances each looping up to 10000 of repeated bidir iperf using 2.4GHz connection, but so far so good. whew!