Category Archives: defcon
Wifi Box of Doom meets ManaPi. (Write-up Part 1)

So after building the first version of ManaPi I decided to expand the platform to allow more wifi related stuff. The goal was not to build a wifi pen-testing rogue-AP box but a more comprehensive platform that would allow for future wifi related development.

I have a vague idea of what the end goal is, but baby steps get you going, so this is the first baby step. Also I wanted to build this box without any exotic parts: almost everything (except the antenna cables) you can get on Amazon. Yes, even Amazon Japan.

For now this project will be named WBDM (Wifi Box of Doom and ManaPi, or Whistler-Bishop-Donald-Mother; if you have to ask, you just don't know.)

Baby Step 1:

The first functionality I needed was being able to monitor wifi signals on the 3 major channels (1, 6, 11).

Since 1, 6 and 11 are the only channels that are fully separated (technically there is 14 too in Japan, but from my experiments most routers will not use 14 by default), by monitoring 1, 6 and 11 the box is able to cover pretty much the whole spectrum.
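As an added example (my own code, not from the original post), here is the channel arithmetic behind the 1/6/11 choice, worked out as a small script so you can check which channel sets are really separated and what a monitor parked on a given set can hear. It assumes the standard 2.4 GHz channel plan (channels 1 to 13 centred at 2407 MHz + 5 MHz per channel, channel 14 at 2484 MHz) and the 22 MHz channel width from which the "non-overlapping" label for 1/6/11 comes; it goes slightly beyond the text by also treating channel 14 and by computing coverage of a monitored set.

```python
# Added example (not from the original post): check which 2.4 GHz channels
# overlap and what a sensor parked on a given set of channels can see.
# Assumed channel plan: channels 1-13 centred at 2407 + 5*n MHz, channel 14
# (Japan only) at 2484 MHz; assumed channel width 22 MHz (802.11b DSSS).
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
ALL_CHANNELS = range(1, 15)       # 1-14; 14 is legal only in Japan (802.11b)


def center_freq_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if the two channels share spectrum (bands that only touch do not)."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < width


def is_non_overlapping_set(channels, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if no two channels in the set overlap each other."""
    return not any(overlaps(a, b, width) for a, b in combinations(channels, 2))


def largest_non_overlapping(candidates, width: int = CHANNEL_WIDTH_MHZ) -> tuple:
    """Brute-force the largest mutually non-overlapping channel set
    (the first one in channel order when several have the same size)."""
    candidates = list(candidates)
    for size in range(len(candidates), 0, -1):
        for combo in combinations(candidates, size):
            if is_non_overlapping_set(combo, width):
                return combo
    return ()


def coverage(monitored, width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Channels whose band shares spectrum with at least one monitored channel,
    i.e. channels a sensor parked on `monitored` will pick frames up from
    (with worse signal quality the further off-centre they are)."""
    return sorted(c for c in ALL_CHANNELS
                  if any(overlaps(c, m, width) for m in monitored))


if __name__ == "__main__":
    print("1/6/11 non-overlapping:", is_non_overlapping_set([1, 6, 11]))
    print("largest set, channels 1-13:", largest_non_overlapping(range(1, 14)))
    print("largest set, channels 1-14:", largest_non_overlapping(range(1, 15)))
    print("covered by a 1/6/11 sensor:", coverage([1, 6, 11]))
```

Running it shows that 1/6/11 is the largest separated set among channels 1 to 13, that adding channel 14 gives 1/6/11/14, and that a sensor on 1/6/11 has every channel from 1 to 13 inside one of its bands; channel 14 is the one gap, which matches the remark above about Japan.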

Basic Hardware:
I used the Raspberry Pi Model B+ as the base platform. Initially I just connected the 3 different Alfa cards, 2 Alfa AWUS036NHA (the black ones) and 1 Alfa AWUS036H (the silver one). No particular reason for the different versions of Alfa cards; I could have used 3 of the same one, but I wanted diversity in the wlans for future development and those were the 3 cards I had available. I stripped the outside shell off to save some physical space. Note: This will void your WARRANTY! If you want to keep it, do not strip.


The AWUS036NHA is a bit more flexible because of the Atheros chip it runs. After some initial testing, monitoring on 3 channels or even 1 channel with one Alfa card seemed to draw too much power for the Raspberry Pi to handle; after a while the Pi would just dump the USB controller (which also runs the ethernet port) and cause the wlan interface to drop. @philips321 pointed out that I could solder the power directly to the USB port to solve the issue, but that seemed a bit extreme.

So I decided to go the powered USB hub route. One word of advice here: there are no battery powered USB hubs on the market now (unless there is a Kickstarter project I'm not aware of..hint..hint).

While capturing, the CPU usage easily goes to 100%, so I added a secondary Raspberry Pi to control the first one and provide the upstream for remote management. The two Raspberry Pis are connected via their eth0 ports with static IP addresses and a 3-port pocket hub. Since most of the components are wifi related and most of the code is wifi related software, I often found myself locked out of the box when the wifi adaptors/drivers started to act up during development; rather than having to connect a UART-USB cable or a screen and keyboard to reboot the Pi, having one port open via the ethernet hub let me get into the Pi and reboot it properly.

Basic Schematics:

[schematic image]

Powered USB Hub. (Anker works great together)
Back in the day there seemed to be some out there, but now there aren't any. Yes, you can make one too by butchering some USB cables to power a hub's DC input. I started with a similar approach; however, if you get an Anker Pro2 Series battery then the DC cable that comes with it is the exact same diameter as their USB 3.0 hub's. The Anker Astro Pro2 20000mAh Multi-Voltage battery is a godsend for projects like this: not only has it 3 USB ports to charge devices, it also has a multi-voltage DC port (9V or 12V). The WBDM main components are all running off this one battery pack. There is a secondary smaller mobile battery to power the exhaust fan. (reason: basic physics)

I also decided to throw in a mifi hotspot router (self battery powered) to provide an upstream to the internet so I could remotely monitor and manage the box.

Velcro , velcro velcro and more velcro…oh did I mention velcro?

In the first version of the box I had everything secured by screws and glue; while it gives it a very cool steampunk/industrial look, in practicality it was a disaster.

Every time I moved parts around I had to unscrew the part, drill another hole etc. So I decided to use my other favorite DIY material: Velcro. By using velcro I can add/remove devices as I see fit. Also because once assembled the box looks very much like some kind of explosive device (i.e. not TSA/travel friendly). To avoid awkward conversations at the airport like:

TSA Agent: What is this box sir?
Me: It's my wifi spot.
TSA Agent: Why are there so many cables?
Me: Well this one is power , this one runs the wifi card for channel 1, and this one is for….
(at this time most likely I will be escorted away to a secret small room)

By using Velcro all parts can be removed and the box just becomes a box , just the way it was born. Well somewhat.

bare naked like the days the parts were born

Make sure you get "industrial" velcro, not your mother's/grandmother's velcro for sewing. I usually buy it in rolls and cut it to my needs. 3M makes some great velcro with adhesive backing. I like to line the box side with the fluffy loop side of the velcro because that matches all my other velcro stuff: patch board, soft shell jacket, backpack etc. So loop side to the box it is.


To create the panels to mount some of the hardware I used thermoplastic sheets. Love this stuff; get a heat gun and you can easily form hardware mounts for the parts.

Software:
Both Raspberry Pis are running Offensive Security's Kali Raspberry Pi image; however, after a vanilla install I removed the stuff I wasn't going to use on it, like the window manager or network-manager etc. (apt-get remove "whatever you want to remove")

The MonitorPi (ManaPi) runs the initial SensePost Mana from GitHub and the Controller/Doom Pi runs the mana-toolkit version. No particular reason for this except for the fact that this is an experiment and I wanted both versions within the environment so I could play around with it.

Heat issue:

After some trial runs I noticed that the box could get extremely hot inside, causing the battery to drain way too fast, so I added a heat sensor switch, heat sinks and an exhaust fan to suck the hot air out of the box. Once the sensor was tuned and the fan installed, the inside of the box would get warm but not to a ridiculous "shit this can't be good" temperature. The fan and switch are powered by a small battery and not the main battery (reason: basic physics stuff). So far this setup will run for about 5 hours continuously, longer if you selectively turn on monitoring.

Remote Maintenance/Operations.
I have the Controller Pi set up so that it connects to a private server via its upstream and establishes a remote SSH shell back to the box. (i.e. crontab with @reboot -> getupstream shell script)

Synchronicity:
If the controller gets rebooted then it will also reboot the Monitor/ManaPi to ensure that the shared data area is in sync.

Data sharing to upload.
The Monitor/ManaPi's main functionality is either to monitor or to launch a Mana/Karma attack. The controller's main functionality is to secure the upstream to the net and, if required, to launch a deauth attack (MDK3) while the Monitor Pi is monitoring to capture a wifi handshake.

Crunching the numbers.
No matter how fancy, it's still a box with a Raspberry Pi in it; it's not fit for any major number crunching, so for the CPU heavy stuff the Controller Pi can upload the data to an external server to do the crunching. (At this point, since it's more of a PoC (proof of concept), I haven't coded the ability to launch an AWS server cluster yet; however, technically it should be capable.)

Final Thoughts:

Well, technically final thoughts for this write-up, since the project is still in its infantile stages.

Many of the elements that build this project are not mine; I do not claim to have developed any of the major components that run this box. I am grateful to all the others who did the heavy lifting. But when I started this journey I struggled to find a single source that combined all these parts into one; I hope that by sharing this, others will build their own versions of these types of boxes.

Things to always keep in mind:

  1. Can I get rid of this component?
  2. Is there a less power hungry solution?
  3. Velcro
  4. Go back to 1.


References/Inspirations/Respects/Thanxz/Kudos:

Mana by SensePost

Kali On Raspberry Pi

Anker

Aircrack-ng

Pyrit Benchmark for raspberry pi

Fruity Wifi

Wifi Pineapple


Oh yeah, and max thanks to George de Mestral.

just in case you didn’t know:

Do not use against equipment you don’t own. Doing so is usually illegal and can get you in serious legal trouble. I can’t be responsible for any legal trouble you get in.

Oh yea also go check out AVTokyo the best hacker con in Japan!

Posted on November 18, 2014, 3:07 AM By
Categories: defcon, MannaPi, WBDM
MannaPi V.01

After seeing SensePost's Dominic White and Ian de Villiers presenting their new Manna attack video, I thought it would be great if this attack could be ported to a smaller form factor.

I have an old laptop that has Kali installed on it with an Alfa AWUS036NHA wifi adaptor. So first I tried to replicate the demo shown in the video on the laptop. With some sleepless nights and lots of caffeine and bad food choices I finally got it up and running.

Next I needed to find a smaller form factor. I knew about the WiFi Pineapple from Hak5 but didn't pick one up at this year's DEFCON. (No particular reason; figured I could order it later online, only to find out they don't ship to Japan. Dumb me, should have been obvious.) So I ordered an Alfa AP121U from a vendor in HK on ebay.com. A week later I got the hardware, flashed the firmware and installed the Pineapple Mark IV firmware on it. I figured maybe I could port the Manna hostapd to the Pineapple but my coding skills are nowhere near good enough to do this. Nor do I think the Mark IV platform could handle the current Manna implementation.

I knew Kali could run on a Raspberry Pi and that a newer version had just come out, so I picked one up, installed the latest Kali 1.0.9 Pi image file on an SD card, and the Pi came up and running.


From there it was just replicating the steps I took on the original laptop Kali to get Manna up and running on the Pi. And MannaPi was born.

Here is a shot of Manna running:

The Setup:


  1. Raspberry Pi B+ model.
  2. Offensive Security Kali 1.0.9 IMG
  3. Class (4) SD 16GB card.
  4. Self powered USB HUB
  5. Antenna extending pigtail
  6. Aterm W500P mobile router. <- upstream on eth0
  7. Alfa Awus036nha <- Connection point on wlan1


I chose the Aterm W500P mobile router because it can be powered with a micro-USB cable and it has an ethernet converter mode which takes the on-board ethernet of the Pi and turns it into a wireless point. I could have added another wifi adaptor on the USB, but this particular mobile router has an interesting mode pre-installed. It's called the public-hotspot wifi mode and it allows you to preconfigure the router to connect to public wifi spots when they are available. Now this might not be something spectacular; however, the configuration allows you to disable automatic web login, i.e. when the router detects an HTTP request it pops up the public wifi spot's web login page... (hint: no need for an evil portal because the traffic is already coming from wlan1 to eth0 -> public wifi spot)

So when the Manna attack happens:

User device's PNL (preferred network list) sends out probe requests -> Manna replies -> user device associates with Manna-hostapd -> traffic bridged to eth0 -> Aterm W500P mobile router -> either tethered internet or public wifi web login -> to the internet.

wlan1 <-> Manna -> eth0 <-> W500P <-> Internet
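The flow above is also what gives this kind of AP away to a passive monitor: a normal AP answers probe requests only for the SSID it beacons, while a Karma/Mana AP answers with whatever SSID the client just asked for. As an added example (my own detector, not part of Mana or of the original post), here is that check run over a constructed capture; the CSV layout, MAC addresses and SSIDs are all made up for the example.

```python
# Added example (not from the original post): flag a Karma/Mana-style AP from
# passively captured management frames. A normal AP answers probe requests
# only with the SSID it also beacons; a Karma/Mana AP answers with whatever
# SSID the client just asked for. So: a BSSID whose probe responses carry
# several SSIDs it never beaconed is suspicious.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample capture (made-up MACs and SSIDs): one row per management
# frame with time (s), frame subtype, source MAC and the SSID element.
SAMPLE_CSV = """\
time,subtype,src,ssid
1.00,beacon,02:00:00:00:00:01,CoffeeShop
1.05,beacon,02:00:00:00:00:02,FreeWifi
1.10,probe_req,02:00:00:00:00:10,HomeNet
1.11,probe_resp,02:00:00:00:00:02,HomeNet
1.20,probe_req,02:00:00:00:00:10,OfficeWLAN
1.21,probe_resp,02:00:00:00:00:02,OfficeWLAN
1.30,probe_req,02:00:00:00:00:11,CoffeeShop
1.31,probe_resp,02:00:00:00:00:01,CoffeeShop
1.40,probe_req,02:00:00:00:00:11,Hotel-Guest
1.41,probe_resp,02:00:00:00:00:02,Hotel-Guest
1.50,probe_req,02:00:00:00:00:10,
1.51,probe_resp,02:00:00:00:00:01,CoffeeShop
"""


def parse_frames(text: str) -> list:
    """Parse the CSV into dicts with a float time and string fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = float(row["time"])
        rows.append(row)
    return rows


def detect_karma(frames, threshold: int = 2, window: float = 1.0) -> dict:
    """Return {bssid: [ssids]} for APs that answered probe requests for at
    least `threshold` distinct SSIDs they never beaconed. A probe response
    only counts if a probe request for the same SSID was seen within
    `window` seconds before it, so stray responses are ignored."""
    beaconed = defaultdict(set)      # bssid -> SSIDs it advertises
    answered = defaultdict(set)      # bssid -> SSIDs it put in probe responses
    last_request = {}                # ssid -> time of the latest probe request
    for f in sorted(frames, key=lambda r: r["time"]):
        ssid, sub = f["ssid"], f["subtype"]
        if sub == "beacon" and ssid:
            beaconed[f["src"]].add(ssid)
        elif sub == "probe_req" and ssid:   # broadcast probes (empty SSID) are skipped
            last_request[ssid] = f["time"]
        elif sub == "probe_resp" and ssid:
            asked = last_request.get(ssid)
            if asked is not None and 0 <= f["time"] - asked <= window:
                answered[f["src"]].add(ssid)
    alerts = {}
    for bssid, ssids in answered.items():
        non_beaconed = ssids - beaconed.get(bssid, set())
        if len(non_beaconed) >= threshold:
            alerts[bssid] = sorted(non_beaconed)
    return alerts


if __name__ == "__main__":
    for bssid, ssids in detect_karma(parse_frames(SAMPLE_CSV)).items():
        print(f"possible Karma/Mana AP {bssid}: answered probes for {', '.join(ssids)}")
```

On the sample the AP at 02:00:00:00:00:02 beacons "FreeWifi" but answers probes for HomeNet, OfficeWLAN and Hotel-Guest, so it is flagged; the coffee shop AP only ever answers for the SSID it beacons and is not. The same columns can be produced from a real pcap with a tshark field export (with the numeric subtype codes mapped to the names used here); the threshold keeps a single odd response from raising an alert.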

Ideally, if I can find a way to power this whole setup from a mobile battery, that would make this one evil rogue AP. However, after some fiddling around, drawing power from the Pi board to power both the Alfa and the upstream router seemed a bit too much for the Pi. Once Manna starts to run the Pi would just drop the USB, hence killing the whole process.

- 70mA for the keyboard
- 500mA for the Alfa
- 100mA for the ethernet converter

Theoretically this whole setup could be powered with a laptop mobile battery like HyperJuice or GoalZero's Sherpa line. Since I don't have either, there is no way for me to test this.

I've got some other ideas regarding this implementation and will continue to explore some more stuff. Like I said, this is MannaPi V.01.

References:

Manna from Heaven: Improving the state of wireless rogue AP attacks - Dominic White & Ian de Villiers:

- SensePost Manna GitHub

Security Tube’s Wifi Security Mega Primer
This is a great primer even if you think you know wifi.

Do not use against equipment you don’t own. Doing so is usually illegal and can get you in serious legal trouble. I can’t be responsible for any legal trouble you get in.

=============== Japanese version (translated) ===============

Over the past few weeks wifi eavesdropping has been a topic in Japan, so I thought I would try building an evil AP. That reminded me that at this year's DEFCON Wireless Village, SensePost's Dominic White and Ian de Villiers had presented a new form of the karma attack, so I decided to use that attack method. This attack is an update of the Karma attack, which always answers a device's probes based on the device's wifi connection list, and it solves the problem(?) that the conventional Karma attack no longer works on many current devices. By actively answering probe beacons, the Manna attack tricks the device into thinking an AP it has connected to before is nearby, and exploits the weakness that the device then connects automatically.

For hardware I used the recently released Raspberry Pi B+, with the Kali 1.0.9 image from Offensive Security as the OS.

For the internet connection I use NEC's W500P. Of course it is also possible to use tethering etc. over USB from the Pi, but to leave as many resources as possible for the Manna attack I deliberately chose a wired upstream link. Incidentally, this mobile router has two interesting modes: a converter mode (turning wired into wireless) and a public wifi mode. In public wifi mode in particular you can turn off the setting that auto-connects to public wireless, so even while connected through the Manna attack the web login page is displayed, and there is a risk that the end user does not notice they are connected via Manna.

It would be nice to run everything from a mobile power source, but as expected the Alfa card draws about 500mA, so the Pi's on-board power could not handle it. It is fine for a normal connection, but as soon as the Manna attack runs the USB is forcibly disconnected due to lack of power.

Well, I think it would probably be possible with a laptop mobile battery, but I don't have one on hand so I can't experiment.

Anyway, this is version 0.1, and I'll continue the research. (Maybe.)

Please only experiment on your own systems or on systems you have permission to use. Actions against other people's systems may be treated as attacks and subject to legal measures. This post is published as a report of an experiment; please understand that I take no responsibility for any problems arising from use of its contents.

UPDATE:

Sept. 7, 2014, 04:00 JST.

After some thinking I figured out that I could probably power the whole setup if I could find a decent high-capacity mobile battery. So I got hold of an Anker Astro Pro 2 (15000mAh). Then I grabbed an old USB cable and gutted it to create a USB-to-power Frankenstein cable. So now MannaPi is fully mobile, running off the Astro Pro.

[ASTRO PRO] -> charges powered USB hub (via FrankenCable) -> powers MannaPi and provides power for the wireless mobile router/converter (eth0)


While brushing my teeth I thought that it might be possible to run it from a mobile battery of a certain capacity, so I made a cable out of an old USB cable that can supply power to the hub. With this, MannaPi no longer needs a wall outlet and is completely mobile. The power source is an Anker Astro Pro2, a 15000mAh mobile battery.

Closed (case shut; 13 inch MBA for reference)

ps. The cigarette pack is for size reference and not intended as an advertisement or endorsement of a particular brand of cigarette or the habit of smoking.

UPDATE Sept. 9th

Current startup script: simple-start.sh

#!/bin/bash
# simple-start.sh: bring up the Manna hostapd on $phy, hand out DHCP leases
# on 10.0.0.0/24 and NAT the clients out through $upstream.

upstream=eth0
phy=wlan0

#conf=conf/hostapd-karma.conf
conf=../hostapd-manna/hostapd/hostapd.conf
hostapd=../hostapd-manna/hostapd/hostapd

#service network-manager stop
#rfkill unblock wlan

ifconfig $phy up

# point the hostapd config at $phy, then start hostapd in the background
# and keep its output in a log
sed -i "s/^interface=.*$/interface=$phy/" $conf
$hostapd $conf | tee /var/log/Mana-simplerun.log &
sleep 5
ifconfig $phy 10.0.0.1 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

# DHCP server for the clients on $phy
dhcpd -cf conf/dhcpd.conf $phy

# forward client traffic from $phy out through $upstream
echo '1' > /proc/sys/net/ipv4/ip_forward
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o $upstream -j MASQUERADE
iptables -A FORWARD -i $phy -o $upstream -j ACCEPT

# tear everything down when the user hits enter
echo "Hit enter to kill me"
read
pkill dhcpd
pkill sslstrip
pkill sslsplit
pkill hostapd
pkill python
iptables -t nat -F

So, about hackers...

Jayson E. Street, well known for his many activities, gave an interview to Hak 5 at DEFCON 22. The content was good, so I made subtitles for it. It's an interview of about 8 minutes, but he says some pretty good things. I really wanted to make a video with the subtitles embedded, but after updating my OS the video encoder stopped working and I can't produce a decent video, so this time I'm using YouTube's subtitles. (A Kickstarter project to give Kentaro proper equipment would be welcome...) If you want to read the original text, download the subtitle file and open it in a text editor.

The subtitle file is here: Jayson Street Interview at Hak 5 Translated.

URLs that appear in the video:

Hak 5
Dissecting The Hack
I am the cavalry
Jayson E. Street's Twitter


ps) Hak 5, Jayson E. Street: the interview was great. Wanted to share it with others in my community. Hope you guys/girls (snubs) don't mind. If you ever get to Tokyo, let me buy you a beer.

Defcon wrap

So I got an iTaste MVP mod. I got the silver color version and found the finish OK. I wanted some more personality and looked around for some custom wraps; there were some cool ones but none struck me as me. So I took the DEFCON logo, bought some inkjet sticker sheets and made my own skin.

DEFCON patterned iTaste MVP.

Here is some advice:

1. Get the right type of paper.
a) Make sure it's the thin type, not the thicker paper type. The thicker it is, the more difficult it is to wrap around the corners.
b) Also get some UV protective adhesive sheets. You can buy some "make your own sticker" paper that comes with this extra sheet.

2. The voltage/wattage window square is really difficult to cut. Practice on some throwaway paper to make sure.

The way I did it was:

1) printed the pattern on the thinner “make your own sticker” paper. (I think it actually was called , “make your own label” paper)

2) then wrapped the MVP with the printed pattern.

3) carefully carved out the voltage/wattage window.

4) to remove air bubbles use a sewing needle to pop the bubble.

5) Wrap the whole MVP with the thin UV protective coat sheet.

Start vaping.


Here is the pattern: DEFCON pattern
(right click “save linked file”)

DEF CON Doc. Bonus Clip: No Money From U

The subtitling continues. This time it's DT, the Dark Tangent, reminiscing about the Alexis Park days.

A story about how being a hacker is sad?

For a change of pace, a capture from mid-subtitling. DT is staring...

Japanese subtitles file: NoMoney.ja.srt

Subtitled video: http://www.youtube.com/watch?v=8S-Nc-Ca2T8

Who is the Dark Tangent?: The Dark Tangent

A photo taken with DT back in the day (via @gohsuket on flickr)

meetup with Jeff and Cayce

A Black Hat Blackberry?

Posted on August 28, 2013, 1:42 PM By
Categories: defcon, Hacklish Tags:
