Category Archives: WBDM
Raspberry Pi. Eth->Wlan connection

I needed to configure the network the opposite way from what most guides describe: run a dhcpd server on eth0, then let the hosts on eth0 reach the internet through the wlan interface. If you have struggled with this, here is a simple script:

Prerequisites:

1. The wlan interface associates via wpa_supplicant and gets its IP from the upstream DHCP server.
2. eth0 runs dhcpd and hands out leases to whatever is connected to it.

 

#!/bin/sh
# NAT the eth0 segment out through the wlan uplink (in my case wlan3).
IPT=/sbin/iptables
LOCAL_IFACE=eth0
INET_IFACE=wlan3

# get the ip assigned by the upstream dhcpd server to the wlan interface
# (this grep matches the older net-tools ifconfig output with "inet addr:")
MYIP="$(/sbin/ifconfig $INET_IFACE | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')"
if [ -z "$MYIP" ]; then
    echo "no IPv4 address on $INET_IFACE, is the upstream up?" >&2
    exit 1
fi
INET_ADDRESS=$MYIP

# hand out leases on eth0; stop here if dhcpd fails to start
dhcpd || exit 1

# the kernel drops forwarded packets unless this is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# clean out all the tables (nat too, so re-running does not stack SNAT rules)
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# only forward what the rules below allow; with the default ACCEPT policy
# the two rules would never be consulted and wlan->eth would be forwarded too
$IPT -P FORWARD DROP

# Allow forwarding packets: anything from the LAN side out, and only
# replies to existing connections back in from the wlan side
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packet masquerading: rewrite the source to the wlan address
# (MASQUERADE would follow lease changes; SNAT is fine while the lease is stable)
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS

Posted on December 8, 2014, 7:29 PM
Categories: MannaPi, stuff, WBDM
Point and shoot wifi scanner

So my adventures in wifi land continue.

As seen in a previous post, I built the WBDM wifi pod. The pod is great, but I live in Tokyo, a highly urbanized city with wifi everywhere; it seems that everybody and their cat has their own wifi network. This poses an interesting challenge in locating a specific AP when you don't know what the ESSID or BSSID is.

One of those times when too much wifi is a bad thing.

I needed something like an old-school frequency counter, you know, the ones you see in old spy movies where you click a button and it shows the strongest frequency in the vicinity.

I needed a better solution to pinpoint a wifi spot. I realized that earlier this year I built a WiFi Pineapple Mark IV clone. If you don't know what a WiFi Pineapple is, head over to https://wifipineapple.com and check it out; basically it is a wifi pen testing kit in a box. The current version is the Mark V, and the Mark IV is the previous version.

The Mark V is a completely new platform and runs on its own hardware.

However, the previous version, the Mark IV, is based on an access point called the Alfa AP121U. It's a regular wifi access point, well, sort of. Getting this AP in Japan is nearly impossible, so I needed to find one online; there are vendors who sell it, but many of them will not ship to Japan.

So, time for eBay. Sure enough, I found a vendor in Hong Kong that would send me one. Off I went: first I needed a burner credit card; thankfully my online bank gives me a debit/credit card number that is different from my regular card number. I ordered it and waited, and the unit arrived in a couple of days. Now I needed to flash the ROM with the Pineapple ROM.

Step 1. Flash ROM.

Equipment needed:
1. Alfa AP121U. Make sure it's the U version, which has a USB port.
2. USB to TTL serial cable. The Alfa console board would also work, but this cable is easier to get.
3. A computer with a TFTP server running. I used my Mac with TftpServer, a graphical front end to the TFTP server built into Mac OS X.

Connect the USB/TTL cable to the AP121U. Hook up only TX, RX and GND. DO NOT CONNECT VDD (the red 5V lead); IT WILL BRICK YOUR AP.

USB to TTL serial cable connectors:
1 - Black:GND 
2 - Blue:CTS 
3 - Red:5V 
4 - Green:TXD 
5 - White:RXD 
6 - Yellow:RTS 

So you connect the cable's TXD to the AP121U's RXD and vice versa, and GND to GND.

connections

OH YEAH, DID I MENTION: DO NOT CONNECT THE VDD!

Also connect an ethernet cable between the PoE/LAN port of the AP and your computer (the TFTP server) and set your computer's ethernet interface to 192.168.2.7 or something similar. U-Boot fetches over TFTP from the address in its serverip variable, so at the U-Boot prompt check that printenv serverip shows your computer's address (and that ipaddr is on the same subnet) before running the tftp commands; otherwise the transfers will time out.

Now connect to the AP over the USB/TTL cable (115200 baud, 8 data bits, no parity, 1 stop bit, no flow control), interrupt the boot to get a U-Boot prompt, and execute the following commands:

setenv bootargs "board=ALFA console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd"
saveenv
tftp 0x80600000 kernel.bin
erase 0x9f650000 +0x190000
cp.b 0x80600000 0x9f650000 ${filesize}
tftp 0x80600000 rootfs.bin
erase 0x9f050000 +0x600000
cp.b 0x80600000 0x9f050000 ${filesize}
bootm 0x9f650000
reboot

Each tftp loads the image into RAM at 0x80600000 and sets U-Boot's filesize variable to the number of bytes received; cp.b then copies exactly that many bytes into the freshly erased flash region (kernel at 0x9f650000, rootfs at 0x9f050000). Using ${filesize} instead of a hard-coded hex length keeps the copy correct if your images are not the same size as mine. bootm boots the newly written kernel; reboot is then issued from the booted system's console.

Once the AP has booted and you are at its console, run passwd to set the root password, then start dropbear (/etc/init.d/dropbear start) so you can scp into it.
Now copy the firmware to /tmp on the AP.

From your computer (not the AP's console) issue:

scp firmware.bin root@192.168.2.1:/tmp/
(192.168.2.1 is the IP of the AP121U)

Then, on the AP, issue a sysupgrade:

sysupgrade -n -v /tmp/firmware.bin

(-n discards the current configuration instead of carrying it over, -v prints progress.) And now you have your own WiFi Pineapple Mark IV clone!!

We gotz zie pineapple

Theoretically you can now build the rest, however there is one caveat: the AP121U was never meant to host anything more complex than a basic operating system; its internal flash is a whopping 8MB. So we need to give it more storage. I grabbed an 8GB thumb drive.

Here is a link to Darren’s post on formatting a drive to be used with the Pineapple:

https://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

That's all for building the basics. In the Pineapple configuration you can set the WPS button to execute a script; I decided to use the WPS infusion because it adds a bit more scripting capability to the button.

WPS infusion config screen

Initially I installed a Kismet server to take the dump, but then I realized that it would be overkill for basic wardriving, especially since this build was more about locating a single access point.

I also needed a way to tell by looking at the Pineapple whether it was capturing or not, so I added LED control commands to the script.

If it is capturing, all LEDs light up; if not, just the power and wlan LEDs do. The following is the actual script:

#!/bin/sh
#Custom Script 1: toggle an airodump-ng capture with the WPS button.
#First press starts capturing (all LEDs on), second press stops it (only power/wlan LEDs on).
export LD_LIBRARY_PATH='/lib:/usr/lib:/usb/lib:/usb/usr/lib'
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usb/usr/bin:/usb/usr/sbin

# /tmp/kissing.touch marks a capture in progress and holds its pid
# (named after kismet, which I used at first)
if [ ! -f /tmp/kissing.touch ]; then
    ledcontrol lan off
    ledcontrol usb off
    ledcontrol wan off
    # switch wlan0 to monitor mode; the mode can only be changed while it is down
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up
    sleep 1
    filename=$(date '+%d_%b_%Y_%H_%M_%S')
    # all screen output is suppressed; captures go to files prefixed with the date
    # (-c 1 locks the card to channel 1; drop it to let airodump-ng hop)
    airodump-ng -c 1 -w /usb/tcpdump/$filename wlan0 >/dev/null 2>&1 &
    echo $! > /tmp/kissing.touch
    ledcontrol lan on
    ledcontrol usb on
    ledcontrol wan on
else
    # stop the capture and put wlan0 back into managed mode
    kill "$(cat /tmp/kissing.touch)" 2>/dev/null || pkill airodump-ng
    rm -f /tmp/kissing.touch
    ifconfig wlan0 down
    iwconfig wlan0 mode managed
    iwconfig wlan0 txpower 20
    ifconfig wlan0 up
    ledcontrol lan off
    ledcontrol usb off
    ledcontrol wan off
fi
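The script above leaves capture files under /usb/tcpdump, but the "frequency counter" idea wants a single answer: which BSSID is strongest from where I am standing. Here is an added example that gets that answer from the captures; it is not code from the original post or from the Pineapple firmware. airodump-ng -w PREFIX writes, among other files, PREFIX-01.csv, with one AP per line in the first section and a station section after a "Station MAC" header. rank_aps parses that layout from stdin with awk and prints the APs strongest first; sample_csv is a constructed sample in the same layout, not a real capture, and both function names are mine.

```shell
#!/bin/sh
# Rank the APs in an airodump-ng CSV by signal strength (added example).
# rank_aps reads the PREFIX-01.csv that airodump-ng -w PREFIX writes on stdin
# and prints one line per AP, strongest first:  power<TAB>bssid<TAB>channel<TAB>essid
# Only the AP section is parsed; the station section after "Station MAC" is skipped.
# Power is dBm as reported by the card; -1 means no reading, and those rows are dropped.
# Caveat: an ESSID that itself contains ", " would shift the columns (airodump does not quote).
rank_aps() {
    awk -F', *' '
        /^Station MAC/ { exit }                      # station section: nothing more to rank
        $1 ~ /^[0-9A-F:]+$/ && length($1) == 17 && NF >= 14 {
            sub(/\r$/, "")                           # airodump writes CRLF line endings
            pwr = $9 + 0
            if (pwr == -1) next                      # no signal reading for this AP
            essid = $14
            if (essid == "") essid = "<hidden>"      # zero-length SSID in the beacon
            printf "%d\t%s\t%s\t%s\n", pwr, $1, $4, essid
        }' | sort -rn
}

# Constructed sample in airodump-ng's CSV layout (not a real capture): three APs with
# readings, one with no reading, then a station section that must be ignored.
sample_csv() {
cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-12-03 13:00:00, 2014-12-03 13:02:10,  1,  54, WPA2, CCMP, PSK, -70,      120,        0,   0.  0.  0.  0,   6, cafe01, 
66:77:88:99:AA:BB, 2014-12-03 13:00:01, 2014-12-03 13:02:11,  1,  54, OPN ,     ,    , -31,      300,        0,   0.  0.  0.  0,   0, , 
CC:DD:EE:FF:00:11, 2014-12-03 13:00:02, 2014-12-03 13:02:09,  6,  54, WPA2, CCMP, PSK, -48,       88,        0,   0.  0.  0.  0,   8, tokyo-ap, 
22:33:44:55:66:77, 2014-12-03 13:00:03, 2014-12-03 13:00:03, 11,  11, WEP , WEP ,    ,  -1,        1,        0,   0.  0.  0.  0,   5, noise, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2014-12-03 13:00:05, 2014-12-03 13:02:00, -52,       40, CC:DD:EE:FF:00:11, tokyo-ap
EOF
}

# Demo on the constructed sample; on the Pineapple use: rank_aps < /usb/tcpdump/<date>-01.csv
sample_csv | rank_aps
```

Point the panel antenna, press the button twice, then feed the resulting -01.csv to rank_aps; the first line is the AP the antenna is facing. Power is in dBm, so -31 sorts above -70. The hidden-SSID row stays in the ranking on purpose: the BSSID and channel are enough to walk towards it even when the network does not announce a name.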

 

LEDs galore

So now the AP is ready for deployment, but I still needed a mobile power source. I love my Anker Astro Pro 2 batteries, but I wanted a narrower solution, so I picked up a RAVPower 158000mAh mobile battery, which has a 12V DC output, perfect for the WiFi Pineapple; also, the DC power cable that comes with the RAVPower battery fits the Pineapple perfectly, so no need to hack together some zombie DC cable. Some industrial velcro binds the two together like they were meant for each other.

After some initial tests I realized that the omnidirectional antenna was still picking up way too much wifi AP noise, so digging through my box of "wifi shit I collected" I dug up an 8 dBi wifi panel antenna. Now the setup is truly a point-and-shoot wifi scanner.

Compare the following: clearly the panel antenna reduces noise coming from the back of the device.

The point and shoot wifi scanner:

It totally looks like I'm just texting on my smartphone... well, sort of.

Posted on December 3, 2014, 2:00 PM
Categories: stuff, WBDM
The wifi adventure continues (Part 1)

I built ManaPi, which implements MANA, the evolution of the KARMA attack that @sensepost presented at this year's DEFCON, and it reminded me how much fun wifi is, so I decided to extend the platform a bit further.

First, to capture the surrounding wifi in more detail, I decided to build a Raspberry Pi that captures wifi packets on three channels at the same time. There are generally 11 wifi channels (up to 14 in Japan), but they all overlap; only 1, 6 and 11 do not interfere with each other, so by capturing those three channels you can monitor almost the whole band at once. A single wifi card can of course capture by channel hopping, but if a client connects while you are monitoring another channel you miss the association, so capturing all three channels simultaneously is simpler. Similar boxes have been built in many versions and are commonly nicknamed "Wifi box of doom", so I named this one Wifi Box of Doom and ManaPi: WBDM.


Basic hardware:
For convenience and to cut build time I used off-the-shelf parts. The base is a Raspberry Pi Model B+, and the OS is the Kali for Raspberry Pi image from Offensive Security.

For wifi cards I used the Alfa cards that are popular with some wifi hackers: two Alfa AWUS036NHA (the black Alfa) and one AWUS036H (the silver Alfa). There is no particular reason for using two kinds of card; they happened to be what I had on hand.

Although the cards look alike, the black Alfa uses an Atheros chipset that makes packet injection and the like easy (the MANA attack currently only works with this card). To make good use of the space inside the box I removed the cards' outer cases and built simple mounts for them. (This voids the manufacturer's warranty, so if that bothers you I don't recommend taking them out of their cases.)

After much trial and error: the Raspberry Pi B+ has four USB ports, but each Alfa card draws around 100 mA, and when they drew power straight from the board the USB controller would stop and the capture would fail, so in the end I used a USB hub with its own power supply. I searched everywhere, but there is no battery-powered USB hub on the market (there seem to have been some long ago, but they have all been discontinued). I tried all sorts of USB hubs, but each of them required turning the DC adapter into a zombie cable to connect to a battery, which looked bad. Then, not expecting much, I tried Anker's USB 3.0 hub, and it worked out. The main battery, an Anker Astro Pro 2 (20000mAh), has three USB ports plus multi-voltage 9V/12V output, and the plug on its bundled cable is the same diameter as the Anker hub's power port, so it connects easily. The Anker hub has four USB ports plus one USB power port, five in total, and can supply power to the other parts as well.

Layout:
Monitoring three channels at once already pushes the CPU to 100%, and running other processes on top makes it unstable, so I used a second Raspberry Pi for controlling the system as a whole and for providing the upstream to the internet.

The two Raspberry Pis are connected over their eth0 interfaces, through a mini hub rather than directly. This Pi is dedicated to wifi, and once it overheats or the like the connection can no longer be managed; with the mini hub in place I can still log into the Pi, manage it and reboot it even when the wifi drivers have stopped. For the upstream to the internet I used a Pocket WiFi GL01P I had on hand. The GL01P is SIM-unlocked, so the SIM can be swapped as needed.

The magic of velcro:
When I started building this box I fixed every part with glue or screws, but drilling new holes every time the layout changed left the box in tatters. Switching to velcro made swapping, adding and rearranging parts easy. One caution: sewing velcro has weak adhesive and peels off quickly, so I recommend industrial velcro. This time I bought a roll of 3M velcro.


Dealing with heat:
During the first few test runs after the box was finished I found that the heat given off by the parts was trapped inside the box, warming the battery and reducing its efficiency, so I added a heat sink to the battery, drilled holes in the side of the box and fitted an exhaust fan. The fan does not need to run all the time, so I added a simple temperature sensor circuit that only runs the fan once the inside of the box reaches a set temperature. The fan has its own separate battery.

The green circuit is the temperature sensor switch

Monitoring and analysis:
Capturing on multiple channels works without problems, but the Raspberry Pi is not powerful enough to analyse the captured packets, so for now the captured data is automatically uploaded to a server on the net and analysed there. It is still a single server, but in theory it could upload to an instance cluster built on AWS, analyse the data, and return the results to the WBDM.

Roles:
Pi 1 (monitoring / MANA attack): this Pi's main role is simultaneous capture of the three channels.
Pi 2 (upstream, deauth attack): while Pi 1 is monitoring, this Pi runs deauth attacks to disconnect clients, provides the upstream to the internet (wlan0), and builds the reverse SSH tunnel for managing the whole system. It is also set up so that when it reboots it reboots Pi 1 as well, to re-establish the network mounts used for sharing data and to clear out ghost processes.

 

The MANA attack:
The MANA attack could be called a "wifi Dachou Club attack", if you like: when a device asks "is XX there?" for an AP it has connected to before, the fake AP answers "me, me, me!", and the client ends up connecting to it. Conventional KARMA attacks only answered directed probe requests, but recent devices send far fewer probe requests than they used to, and iOS hardly probes at all unless a hidden-SSID network it knows is nearby. MANA also answers broadcast probes, which makes it possible to get devices that KARMA could not fool to connect. Admittedly both attacks only work for open SSIDs with no authentication at association time, but many wifi providers offer open SSIDs with web-based login so that old clients can connect, and plenty of coffee shop free wifi has no authentication process at all. If a device has ever connected to such an SSID and still has it saved, it is at risk of connecting to a fake AP under a MANA attack. And many ordinary users keep wifi switched on all the time for convenience.

Running the MANA attack (in the secret lab, not at AVTokyo)

Summary:
This box, which I showed at AVTokyo, is still a project in progress and I plan to keep developing it. There are certainly many similar products and projects, such as Hak5's Pineapple and FruityWifi, but building your own teaches you a lot, so I would encourage you to build something similar.

References / software / projects:

Mana by SensePost

Kali On Raspberry Pi

Anker

Aircrack-ng

Pyrit Benchmark for raspberry pi

Fruity Wifi

Wifi Pineapple


Please experiment only on your own systems or on systems you have permission to test. Actions against other people's systems may be treated as attacks and become subject to legal action. This post is published as a report of an experiment; I accept no responsibility for any problems that result from using its contents.

Posted on November 19, 2014, 4:57 PM
Categories: MannaPi, stuff, WBDM
Wifi Box of Doom meets ManaPi. (Write-up Part 1)

So after building the first version of ManaPi I decided to expand the platform to allow more wifi related stuff. The goal was not to build a wifi pen-testing-rogue-AP box but a more comprehensive platform that would allow for future development regarding Wifi.

I have a vague idea of what the end goal is, but baby steps get you going, so this is the first baby step. Also, I wanted to build this box without any exotic parts; almost everything (except the antenna cables) you can get on Amazon. Yes, even Amazon Japan.

For now this project will be named WBDM (Wifi Box of Doom and ManaPi -or- Whistler-Bishop-Donald-Mother -if you have to ask , you just don’t know.)

Baby Step 1:

The first functionality I needed was being able to monitor wifi signals on the three major channels (1, 6, 11).

Since 1, 6 and 11 are the only channels that are fully separated (technically there is 14 too in Japan, though it is only permitted for 802.11b, and from my experiments most routers will not use 14 by default), by monitoring 1, 6 and 11 the box is able to cover pretty much the whole 2.4 GHz band.
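The following is an added example, not code from the original posts, that does what the first section of the Japanese write-up and "Baby Step 1" describe: one card per channel on 1, 6 and 11, each put into monitor mode and given its own airodump-ng capture so no association is missed while another channel is being watched. It assumes the three Alfa cards show up as wlan0, wlan1 and wlan2, that iw and ip are installed (they are on the Kali image) and that captures go under /usb/captures; all of those names are assumptions, and the script is mine. DRY_RUN=1 prints the commands instead of running them, which is how to check the plan before pulling a card out of managed mode.

```shell
#!/bin/sh
# Three-channel capture launcher (added example, not the WBDM's own code).
# Assumed: cards wlan0/wlan1/wlan2, captures under /usb/captures, iw + ip present.
# Run as root: `sh capture3.sh start`.  `DRY_RUN=1 sh capture3.sh start` only prints.
CAPDIR=${CAPDIR:-/usb/captures}

# run CMD...: execute the command, or just print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# monitor_on DEV: the interface type can only be changed while it is down
monitor_on() {
    run ip link set "$1" down
    run iw dev "$1" set type monitor
    run ip link set "$1" up
}

# start_capture DEV CHANNEL: lock DEV to CHANNEL and write a dated capture set
# (pcap, csv, ...) under CAPDIR; -c keeps airodump-ng from channel hopping
start_capture() {
    dev=$1
    ch=$2
    stamp=$(date '+%d_%b_%Y_%H_%M_%S')
    monitor_on "$dev"
    run airodump-ng -c "$ch" -w "$CAPDIR/ch${ch}_$stamp" "$dev"
}

# capture_all: one card per non-overlapping channel, all three captures in
# parallel; in dry-run mode the commands are printed in order instead
capture_all() {
    run mkdir -p "$CAPDIR"
    for pair in wlan0:1 wlan1:6 wlan2:11; do
        dev=${pair%%:*}
        ch=${pair##*:}
        if [ -n "$DRY_RUN" ]; then
            start_capture "$dev" "$ch"
        else
            start_capture "$dev" "$ch" >/dev/null 2>&1 &
        fi
    done
    [ -n "$DRY_RUN" ] || wait
}

case "${1:-}" in
    start) capture_all ;;
esac
```

Each capture runs in the background and the script waits on all three, so a single Ctrl-C (or a kill of the script's process group) stops the whole set. Stopping one card with the interface left in monitor mode is what causes the "locked out of the box" situation the next section describes, which is why management stays on eth0 and never on one of these cards.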

Basic Hardware:
I used the Raspberry Pi Model B+ as the base platform. Initially I just connected the 3 different Alfa cards, 2 Alfa AWUS036NHA (the black ones) and 1 Alfa AWUS036H (the silver one). No particular reason for the different versions of Alfa cards; I could have used 3 of the same one, but I wanted diversity in the wlans for future development and those were the 3 cards I had available. I stripped the outside shell off to save some physical space. Note: this will void your WARRANTY! If you want to keep it, do not strip.


The AWUS036NHA is a bit more flexible because of the Atheros chip it runs. After some initial testing, monitoring on 3 channels, or even 1 channel with one Alfa card, seemed to draw too much power for the Raspberry Pi to handle; after a while the Pi would just dump the USB controller (which also runs the ethernet port) and cause the wlan interface to drop. @philips321 pointed out that I could solder the power directly to the USB port to solve the issue, but that seemed a bit extreme.

So I decided to go the powered USB hub route. One word of advice here: there are no battery-powered USB hubs on the market now (unless there is a Kickstarter project I'm not aware of... hint, hint).

While capturing, the CPU usage easily goes to 100%, so I added a secondary Raspberry Pi to control the other one and provide the upstream for remote management. The two Raspberry Pis are connected via their eth0 interfaces with static IP addresses and a 3-port pocket hub. Since most of the components are wifi related and most of the code is wifi related, I often found myself locked out of the box when the wifi adaptors/drivers started to act up during development; rather than having to connect a UART-USB cable or a screen and keyboard to reboot the Pi, keeping one port open via the ethernet hub allowed me to get into the Pi and reboot it properly.

Basic Schematics:


Powered USB Hub (Anker works great together)
Back in the day there seemed to be some out there, but now there aren't any. Yes, you can make one too by butchering some USB cables to power a hub's DC input. I started with a similar approach; however, if you get an Anker Astro Pro2 series battery, the DC cable that comes with it has the exact same diameter as the input on their USB 3.0 hub. The Anker Astro Pro2 20000mAh multi-voltage battery is a godsend for projects like this: not only does it have 3 USB ports to charge devices, it also has a multi-voltage DC port (9V or 12V). The WBDM main components all run off this one battery pack. There is a secondary, smaller mobile battery to power the exhaust fan (reason: basic physics).

I also decided to throw in a mifi hotspot router (with its own battery) to provide an upstream to the internet so I could remotely monitor and manage the box.

Velcro , velcro velcro and more velcro…oh did I mention velcro?

The first version of the box had everything secured by screws and glue; while that gives it a very cool steampunk/industrial look, in practice it was a disaster.

Every time I moved parts around I had to unscrew the part, drill another hole, etc. So I decided to use my other favorite DIY material, velcro. With velcro I can add/remove devices as I see fit. Also, once assembled the box looks very much like some kind of explosive device (i.e. not TSA/travel friendly). To avoid awkward conversations at the airport like:

TSA Agent: What is this box, sir?
Me: It's my wifi spot.
TSA Agent: Why are there so many cables?
Me: Well, this one is power, this one runs the wifi card for channel 1, and this one is for....
(at this point most likely I will be escorted away to a secret small room)

By using Velcro all parts can be removed and the box just becomes a box , just the way it was born. Well somewhat.


bare naked like the days the parts were born

Make sure you get "industrial" velcro, not your mother's/grandmother's sewing velcro. I usually buy it in rolls and cut it to my needs. 3M makes some great velcro with adhesive backing. I line the box side with the fluffy loop side so it mates with all my other velcro stuff (patch board, soft shell jacket, backpack, etc.). So loop side to the box it is.


To create panels to mount some of the hardware I used thermoplastic sheets. Love this stuff: get a heat gun and you can easily form hardware mounts for the parts.

Software:
Both Raspberry Pis run Offensive Security's Kali Raspberry Pi image; however, after a vanilla install I removed the stuff I wasn't going to use, like the window manager or network-manager (apt-get remove "whatever you want to remove").

The MonitorPi (ManaPi) runs the initial SensePost Mana from GitHub and the Controller/Doom Pi runs the mana-toolkit version. No particular reason for this except that this is an experiment and I wanted both versions in the environment so I could play around with them.

Heat issue:

After some trial runs I noticed that the box could get extremely hot inside, causing the battery to drain way too fast, so I decided to add a heat sensor switch, heat sinks and an exhaust fan to suck the hot air out of the box. Once the sensor was tuned and the fan installed, the inside of the box would get warm but not to a ridiculous, "shit, this can't be good" temperature. The fan and switch are powered by a small battery and not the main battery (reason: basic physics). So far this setup will run for about 5 hours continuously, longer if you selectively turn on monitoring.

Remote Maintenance/Operations.
The Controller Pi is set up so that it connects to a private server via its upstream and establishes a reverse SSH shell back to the box (i.e. a crontab @reboot entry that runs a getupstream shell script).

Synchronicity:
If the controller gets rebooted, it also reboots the Monitor/ManaPi to ensure that the shared data area is in sync.

Data sharing to upload.
The Monitor/ManaPi's main functionality is either to monitor or to launch a Mana/Karma attack. The controller's main functionality is to secure the upstream to the net and, if required, to launch a deauth attack (MDK3) while the Monitor Pi is monitoring, in order to capture a wifi handshake.

Crunching the numbers.
No matter how fancy, it's still a box with a Raspberry Pi in it; it's not fit for any major number crunching, so for the CPU-heavy stuff the Controller Pi can upload the data to an external server to do the crunching. (At this point, since it's more of a PoC (proof of concept), I haven't coded the ability to launch an AWS server cluster yet; technically, though, it should be capable.)

Final Thoughts:

Well, technically final thoughts for this write-up, since the project is still in its infancy.

Many of the elements that make up this project are not mine; I do not claim to have developed any of the major components that run this box. I am grateful to all the others who did the heavy lifting. But when I started this journey I struggled to find a single source that combined all these parts into one; I hope that by sharing this, others will build their own versions of these types of boxes.

Things to always keep in mind:

  1. Can I get rid of this component?
  2. is there a less power hungry solution?
  3. Velcro
  4. Go back to 1.

 

References/Inspirations/Respects/Thanxz/Kudos:

Mana by SensePost

Kali On Raspberry Pi

Anker

Aircrack-ng

Pyrit Benchmark for raspberry pi

Fruity Wifi

Wifi Pineapple

oh yeah, and max thanks to George de Mestral (the inventor of Velcro)

just in case you didn’t know:

Do not use against equipment you don’t own. Doing so is usually illegal and can get you in serious legal trouble. I can’t be responsible for any legal trouble you get in.

Oh yea also go check out AVTokyo the best hacker con in Japan!

Posted on November 18, 2014, 3:07 AM
Categories: defcon, MannaPi, WBDM