Exploring Open Source Wireless Tools
By Jake Snyder (The Dread Pirate Roberts) @jsnyder81

Who am I?

• Wireless Engineer at CompuNet Inc
• CCIE-W #43153
• CWNE #161
• Security Enthusiast
• Hobbyist
• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)
• Blogger
• Maker

What does a set of professional tools cost?

What I use at work:

Ekahau ESS: $4000
Omnipeek: $2500
Chanalyzer + WiSpy: $1250
Aircheck: $2000

*All prices are approximate

Professional tools in my first year:

• Airmagnet Survey Pro
• Yup, that was it.

http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789
“I mean, if we only had a wheelbarrow, that would be something.” -Westley

Sometimes you have to build a wheelbarrow
• Linux VM
• Proxim 8494
• Airmon-NG

“Well, why didn’t you list that among our assets in the first place?” -Westley

All these tools… Why Open Source?

Pros:
• Low cost
• Flexibility
• Lots of available tools
• Low barrier to entry

Cons:
• Free if your time is worth nothing
• Pieces of a solution, you have to put it together
• Requires knowledge
• Time = investment

“Please consider open source as an alternative to suicide.” – Prince Humperdinck

What are my hobbyist open source costs?

Options for today's presentation:

Raspberry Pi: $223
• 2B: $38
• ASUS USB-N53: $45
• Micro SD Card: $15
• Case: $5
• Ubertooth: $120

Intel NUC: $436
• NUC5CPYH: $134.00
• 8G Memory: $34
• SSD: $40
• Intel 7265: $28
• WiSpy 2.4GHz: $200

Existing Laptop: $8
• USB stick to boot Linux
• The chocolate coating makes it go down easier
• VM is an option, albeit not a good one

My Preferred Wireless Adapters

Asus USB-N53
• 802.11n
• 2x2:2
• USB 2.0
• Ralink RT3572 using the RT2800 driver
• Works on Raspberry Pi
• $45 on Amazon
• Has issues with Deauth/Disassoc packets not being passed to the host

Intel 726x
• 802.11ac
• 2x2:2
• Mini PCIe half height and M.2
• Intel IWLWIFI: non-free firmware required
• $27 on Amazon
• Lots of clients using them

Currently exploring: Compex WLE600VX, QCA AR9982 (ATH10k)

Not all drivers are created equal
https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
• Drivers need to support a variety of functionality:
  • STA Mode: Station Infrastructure (default)
  • AP Mode: Access Point Infrastructure
  • MON: Monitor Mode
  • Frame Injection
  • IBSS: Ad-Hoc Mode
  • WDS: Wireless Distribution System Mode
  • Mesh Mode

• Mac80211
  • Preferred driver framework
  • Built-in support for the majority of modes you need
  • https://wikidevi.com/wiki/Wireless_adapters/Chipset_table

ifconfig, iwconfig and iw

• IFCONFIG:
  • Setting interface status, IP addressing, netmask, gateway, broadcast etc.
  • Deprecated
• IP:
  • IP is the replacement for IFCONFIG.
• IWCONFIG:
  • Like IFCONFIG except it’s for parameters specific to wireless
  • ESSID, frequency, mode, etc.
• IW:
  • IW is the replacement for IWCONFIG
  • My name is IW. You killed my father. Prepare to die!

A look at IW

jsnyder@NUC-1:~$ iw dev
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed

Wireless Scanning Tools: Horst, Scapy

HORST - Highly Optimized Radio Scanning Tool

• Lightweight packet statistics
• Made for use with MAC80211 drivers supporting monitor mode
• Supports client/server modes
• Graphical output
• Logs output to file

Getting Started

#Create Monitor Interface
sudo iw dev wlan0 interface add mon0 type monitor

#Delete wlan0 interface
*sudo iw dev wlan0 del

#Start Horst on mon0
sudo /opt/horst/horst -i mon0

*May not be necessary on all drivers

https://github.com/br101/horst

Horst – Stations, APs and Packets…. Oh My!

HORST – Realtime Statistics

Beware: Beacons of unusual size

HORST – Spectrum Analyzer? Not Really

Scapy – Packet Manipulation

• Packet sniffing
• Packet generation
• Packet analysis
• Python based
• Unlimited use cases

“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”

Scapy – 2 ways to use

Native Scapy
• Python-like interpreter for Scapy
• Quick, easy and self contained

Scapy in a Python script
• Import and go
• Full Scapy functionality

Some popular Scapy scripts

• Airoscapy: Passive AP Scanner
  • http://www.thesprawl.org/projects/airoscapy/
• Association Frame Randomizer: Mike Albano’s client capabilities
  • https://github.com/mike-albano/frame-randomizer

Kismet - As you wish…
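The passive AP scanner idea behind Airoscapy, reduced to its parsing core as an added example (my code, not Airoscapy's or Scapy's): it decodes beacon frames by hand with struct so it runs offline without Scapy, builds a per-BSSID inventory, and flags the oversized beacons HORST warns about. The frames, BSSIDs and the 300-byte threshold are constructed for the demo; on a live box you would feed it each frame's bytes from mon0 with the radiotap header stripped, which is the work Scapy's Dot11 layers do for you.

```python
import struct
from typing import Dict, List, Optional
BEACON_SIZE_LIMIT = 300  # constructed threshold: larger beacons are flagged "of unusual size"

def build_beacon(bssid: str, ssid: bytes, channel: int, rsn: bool, pad: int = 0) -> bytes:
    """Construct a sample beacon as a monitor interface hands it up (radiotap already stripped)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"  # FC, duration, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", 0, 100, 0x0401 | (0x0010 if rsn else 0))  # timestamp, interval, caps
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82, 3, 1, channel])  # SSID, rates, DS channel
    if rsn:
        ies += bytes([48, 2, 1, 0])  # RSN IE carrying only its version field (constructed)
    if pad:
        ies += bytes([221, pad]) + b"\x00" * pad  # vendor-specific filler to inflate the frame
    return hdr + fixed + ies

def parse_beacon(frame: bytes) -> Optional[dict]:
    """Decode BSSID, SSID, channel and RSN presence from one beacon; None if not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:  # frame control: management type, beacon subtype
        return None
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]), "ssid": "<hidden>",
            "channel": None, "rsn": False, "size": len(frame)}
    off = 36  # tagged parameters start after the 24-byte header and 12 bytes of fixed fields
    while off + 2 <= len(frame):
        eid, ln = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + ln]
        if len(body) < ln:  # truncated IE: stop rather than misparse the tail
            break
        if eid == 0 and body.strip(b"\x00"):
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 3 and ln == 1:
            info["channel"] = body[0]
        elif eid == 48:
            info["rsn"] = True
        off += 2 + ln
    return info

def scan(frames: List[bytes]) -> Dict[str, dict]:
    """Passive AP inventory keyed by BSSID (the Airoscapy idea), flagging oversized beacons."""
    aps: Dict[str, dict] = {}
    for info in filter(None, map(parse_beacon, frames)):
        info["unusual_size"] = info["size"] > BEACON_SIZE_LIMIT
        aps[info["bssid"]] = info
    return aps

SAMPLE_FRAMES = [  # constructed capture, not real traffic
    build_beacon("02:00:00:00:00:01", b"lab-wpa2", 36, rsn=True),
    build_beacon("02:00:00:00:00:02", b"", 6, rsn=False),  # hidden SSID, open network
    build_beacon("02:00:00:00:00:03", b"bloated", 11, rsn=True, pad=255),
]
```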

• Great for packet capture, logging and mining of data
• Client server architecture (Kismet drone)
• Works offline (saves logs for later)

Kismet

Spectools – Ubertooth and WiSpy

• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware
• Runs on Linux
• Multiple remote viewing options
• Plugin to Kismet

Aircrack-NG: not just for cracking wireless

• Suite of tools, not a single tool:
  • Airmon-ng – wireless interface monitor mode
  • Airgraph-ng – Creates AP to client relationships
  • Airdrop-ng – Deauthentication of targeted users
  • Aireplay-ng – Frame injection for multiple attacks
  • Airodump-ng – Packet capturing of raw frames
  • And more: http://www.aircrack-ng.org/

Wireshark and TCPdump

• CLI: TSHARK
• Automated rollover: DUMPCAP
• TCPdump has several options that make remote work easier.

http://booktrib.com/2014/12/the-princess-bride-what-the-cia-could-have-learned-about-torture-from-william-goldman/

#Set Channel First (iw takes the frequency in MHz, e.g. 5580 for channel 116)
sudo iw dev mon0 set freq <freq_MHz> [HT20|HT40+|HT40-]

#Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test. -i mon0

Thank you

https://www.pinterest.com/hennesseandrews/the-princess-bride/