Exploring Open Source Wireless Tools
By Jake Snyder (The Dread Pirate Roberts) @jsnyder81

Who am I?
• Wireless Engineer at CompuNet Inc
• CCIE-W #43153
• CWNE #161
• Security Enthusiast
• Linux hobbyist
• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)
• Blogger
• Maker

What does a set of professional tools cost?
What I use at work:
• Ekahau ESS: $4000
• Omnipeek: $2500
• Chanalyzer + WiSpy: $1250
• Aircheck: $2000

*All prices are approximate

Professional tools in my first year
• Airmagnet Survey Pro
• Yup, that was it.
http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789

“I mean, if we only had a wheelbarrow, that would be something.” -Westley
Sometimes you have to build a wheelbarrow
• Linux VM
• Proxim 8494
• Airmon-NG
• Wireshark
“Well, why didn’t you list that among our assets in the first place?” -Westley

All these tools… Why Open Source?
Pros:
• Low cost
• Flexibility
• Lots of available tools
• Low barrier to entry

Cons:
• Free if your time is worth nothing
• Pieces of a solution, you have to put it together
• Requires knowledge
• Time = investment
“Please consider open source as an alternative to suicide.” – Prince Humperdinck

What are my hobbyist open source costs?
Options for today’s presentation:
Raspberry Pi: $223
• Raspberry Pi 2B: $38
• ASUS USB-N53: $45
• Micro SD card: $15
• Case: $5
• Ubertooth: $120

Intel NUC: $436
• NUC5CPYH: $134.00
• 8G memory: $34
• SSD: $40
• Intel 7265: $28
• WiSpy 2.4GHz: $200
Existing laptop: $8
• USB stick to boot Linux
• The chocolate coating makes it go down easier
• VM is an option, albeit not a good one

My Preferred Wireless Adapters
Asus USB-N53
• 802.11n
• 2x2:2
• USB 2.0
• Ralink RT3572 using RT2800 driver
• Works on Raspberry Pi
• $45 on Amazon
• Has issues with Deauth/Disassoc packets not being passed to host

Intel 726x
• 802.11ac
• 2x2:2
• Mini PCIe half height and m.2
• Intel IWLWIFI: non-free firmware required
• $27 on Amazon
• Lots of clients using them
Currently exploring: Compex WLE600VX, QCA AR9982 (ATH10k)

Not all drivers are created equal
https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
• Drivers need to support a variety of functionality:
  • STA mode: Station infrastructure (default)
  • AP mode: Access Point infrastructure
  • MON: Monitor mode
  • Frame injection
  • IBSS: Ad-Hoc mode
  • WDS: Wireless Distribution System mode
  • Mesh mode
• mac80211
  • Preferred driver framework
  • Built-in support for the majority of modes you need
  • https://wikidevi.com/wiki/Wireless_adapters/Chipset_table

ifconfig, iwconfig and iw
• IFCONFIG:
  • Setting interface status, IP addressing, netmask, gateway, broadcast etc.
  • Deprecated
• IP:
  • IP is the replacement for IFCONFIG.
• IWCONFIG:
  • Like IFCONFIG except it’s for parameters specific to wireless
  • ESSID, frequency, mode, etc.
• IW:
  • IW is the replacement for IWCONFIG
  • My name is IW. You killed my father. Prepare to die!

A look at IW
jsnyder@NUC-1:~$ iw dev
phy#0
	Interface mon0
		ifindex 4
		wdev 0x2
		addr 10:02:b5:59:80:7b
		type monitor
		channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
	Interface wlp2s0
		ifindex 3
		wdev 0x1
		addr 10:02:b5:59:80:7b
		type managed

Wireless Scanning Tools: Horst, Scapy, Kismet

HORST - Highly Optimized Radio Scanning Tool
• Lightweight packet statistics
• Made for use with MAC80211 drivers supporting monitor mode
• Supports client/server modes
• Graphical output
• Logs output to file

Getting Started

#Create monitor interface
sudo iw dev wlan0 interface add mon0 type monitor

#Delete wlan0 interface*
sudo iw dev wlan0 del

#Start Horst on mon0
sudo /opt/horst/horst -i mon0

*May not be necessary on all drivers
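Before handing mon0 to horst (or dumpcap later in the deck), a script can confirm that a monitor-mode interface actually exists and which channel it sits on by reading the `iw dev` listing shown earlier. This is an added example, not code from the deck or from horst; `IW_DEV_OUTPUT` is the slide's own listing embedded as sample input, and `parse_iw_dev` / `monitor_interface` are hypothetical helper names.

```python
import re
from typing import Dict, List, Optional

# `iw dev` output as shown on the slide (tabs replaced by spaces); a script
# would obtain it with subprocess.run(["iw", "dev"], capture_output=True).
IW_DEV_OUTPUT = """\
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed
"""

CHANNEL_RE = re.compile(r"channel (\d+) \((\d+) MHz\)(?:, width: (\d+) MHz)?")

def parse_iw_dev(text: str) -> List[Dict[str, object]]:
    """Turn the phy/Interface/attribute tree of `iw dev` into a flat list."""
    ifaces: List[Dict[str, object]] = []
    phy: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("phy#"):
            phy = line
        elif line.startswith("Interface "):
            ifaces.append({"phy": phy, "name": line.split()[1], "type": None,
                           "addr": None, "channel": None, "freq_mhz": None, "width_mhz": None})
        elif not ifaces:
            continue                          # attribute before any Interface: ignore
        elif line.startswith("type "):
            ifaces[-1]["type"] = line.split()[1]
        elif line.startswith("addr "):
            ifaces[-1]["addr"] = line.split()[1]
        elif line.startswith("channel "):
            m = CHANNEL_RE.match(line)
            if m:
                ifaces[-1]["channel"] = int(m.group(1))
                ifaces[-1]["freq_mhz"] = int(m.group(2))
                ifaces[-1]["width_mhz"] = int(m.group(3)) if m.group(3) else None
    return ifaces

def monitor_interface(text: str) -> Optional[Dict[str, object]]:
    """First interface in monitor mode, or None (mon0 still needs creating)."""
    return next((i for i in parse_iw_dev(text) if i["type"] == "monitor"), None)
```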
https://github.com/br101/horst

Horst – Stations, APs and Packets… Oh My!

HORST – Realtime Statistics
Beware: Beacons of unusual size

HORST – Spectrum Analyzer? Not Really

Scapy – Packet Manipulation
• Packet sniffing
• Packet generation
• Packet analysis
• Python based
• Unlimited use cases
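The packet-analysis side in practice: a passive AP scanner (the pattern Airoscapy follows, listed later in the deck) reads beacon frames from the monitor interface and pulls out BSSID, SSID, channel and security. This added example does that dissection in plain Python on a constructed beacon so it runs without an adapter; it is not code from the deck or from Airoscapy, and `BEACON`, `parse_beacon` and `scan` are constructed names. With Scapy the same fields come from the `Dot11Beacon` and `Dot11Elt` layers, and `sniff(iface="mon0", prn=...)` would feed real frames in.

```python
import struct
from typing import Dict, List, Optional

# Constructed 802.11 beacon frame (not a real capture): 24-byte management
# header, 12 bytes of fixed parameters, then tagged IEs. BSSID is a placeholder.
BEACON = (
    bytes.fromhex("80000000")               # frame control (mgmt/beacon), duration
    + bytes.fromhex("ffffffffffff")         # addr1: broadcast destination
    + bytes.fromhex("020000000001") * 2     # addr2 (source) and addr3 (BSSID)
    + bytes.fromhex("0000")                 # sequence control
    + struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval 100 TU, caps (ESS+privacy)
    + b"\x00\x07TestNet"                    # IE 0: SSID
    + b"\x01\x04\x82\x84\x8b\x96"           # IE 1: supported rates
    + b"\x03\x01\x06"                       # IE 3: DS parameter set, channel 6
    + b"\x30\x02\x01\x00"                   # IE 48: RSN (WPA2), version 1
)

def parse_beacon(frame: bytes) -> Optional[Dict[str, object]]:
    """Pull BSSID, SSID, channel and a security hint out of one beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:   # not a management/beacon frame
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    caps = struct.unpack_from("<H", frame, 34)[0]
    ssid, channel, rsn = "", None, False
    pos, ies = 0, frame[36:]
    while pos + 2 <= len(ies):                # walk the tag/length/value IEs
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:                # truncated IE: stop, don't trust the rest
            break
        if tag == 0:
            ssid = body.decode("utf-8", "replace") or "<hidden>"
        elif tag == 3 and length == 1:
            channel = body[0]
        elif tag == 48:
            rsn = True
        pos += 2 + length
    security = "WPA2/RSN" if rsn else ("WEP/WPA1 (privacy bit, no RSN IE)" if caps & 0x10 else "open")
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "security": security}

def scan(frames: List[bytes]) -> Dict[str, Dict[str, object]]:
    """Deduplicate beacons by BSSID, which is the table a passive AP scanner keeps."""
    seen: Dict[str, Dict[str, object]] = {}
    for frame in frames:
        info = parse_beacon(frame)
        if info:
            seen[str(info["bssid"])] = info
    return seen
```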
“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”

Scapy – 2 ways to use
Native Scapy
• Python-like interpreter for Scapy
• Quick, easy and self contained
Scapy in a Python script
• Import and go
• Full Scapy functionality

Some popular Scapy scripts
• Airoscapy:
  • Passive AP scanner
  • http://www.thesprawl.org/projects/airoscapy/
• Association Frame Randomizer:
  • Mike Albano’s client capabilities
  • https://github.com/mike-albano/frame-randomizer

Kismet - As you wish…
• Great for packet capture, logging and mining of data
• Client/server architecture (Kismet drone)
• Works offline (saves logs for later)

Kismet

Spectools – Ubertooth and WiSpy
• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware
• Runs on Linux
• Multiple remote viewing options
• Plugin to Kismet

Aircrack-NG: not just for cracking wireless
• Suite of tools, not a single tool:
  • Airmon-ng – wireless promiscuous mode
  • Airgraph-ng – creates AP to client relationships
  • Airdrop-ng – deauthentication of targeted users
  • Aireplay-ng – frame injection for multiple attacks
  • Airodump-ng – packet capturing of raw frames
  • And more: http://www.aircrack-ng.org/

Wireshark and TCPDump
• CLI: TSHARK
• Automated rollover: DUMPCAP
• TCPdump has several options that make remote work easier.
#Set channel first
iw dev

#Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test.pcap -i mon0

Thank you