Raspberry Pi as a Wireless Network Scanner

By Dmitry Kolyvagin, IASP-560, Professor Dr. John Yoon

Table of Contents:

I. Introduction
  1) Home Wireless Networks
  2) Common Security Issues
  3) Typical Attacks
II. Network Scanner
  1) Objective
  2) Hardware
  3) Software
    a. Raspbian
    b. Kismet
  4) Network Configuration
III. Alerts and WIDS
  1) Configuration
  2) Alerts
IV. Deployment
  1) Scanning and Monitoring
  2) Testing Alerts
    a. Evil Twin
    b. Deauth
V. Conclusion

I. Introduction

Home Wireless Networks

In our day and age, most homes have a variety of wireless devices on the network, ranging from laptops and cell phones to smart TVs and IP cameras. Some homes have remote temperature control sensors installed, smart light bulbs that can be controlled wirelessly, and so on. The point is that the average home in the United States now has a great many devices, and all of them are connected to the network. Below is an image that illustrates an example of a home network topology and some of the common wireless devices that are connected. On the left, you can see the most general devices such as a laptop, phone and printer; on the right side of the picture there are plenty of so-called "Internet of Things" devices.

Common Security Issues

As you can tell from the above image, the most typical configuration for a home network consists of a modem for the Internet and a Wi-Fi router for devices to connect to it. This leaves the Wi-Fi router constantly exposed to the outside environment: anyone can see the name (SSID) of the network, what security protocol it is using and the MAC address (BSSID) of the device. Knowing this information, attackers can easily orchestrate a wide range of attacks that fall into three main categories: denial of service, man-in-the-middle and spoofing attacks.

Additionally, some wireless networks may still be using an older, outdated encryption protocol known as Wired Equivalent Privacy (WEP), which has major security flaws and can be cracked in a matter of minutes. For example, hackers can easily find such vulnerable networks by using a method called wardriving, in which an attacker scans for wireless networks from a moving vehicle. Once such a network is found, it takes less than 5 minutes to get into it using tools like aircrack-ng, besside-ng and fluxion.

Typical Attacks

Furthermore, there are other attacks that hackers can initiate on a wireless network; one of the most popular is called an evil twin attack. Hackers can replicate the SSID and BSSID of an access point (AP) and force users to connect to it by kicking everyone off their original network. The attacker can then use IP forwarding and monitoring tools to analyze the traffic and pass it along without any indication. In most cases, users never realize that they are connected to a different network because of this simple spoofing technique. A deauthentication attack is another popular one: it is used to deauthenticate clients from their wireless network in order to capture the frame exchange when they try to connect back. After capturing that authentication handshake, attackers can run a dictionary attack offline and brute force the password with tools like aircrack-ng, John the Ripper and RainbowCrack. These are just some of the most common attacks that black hats use today when targeting wireless networks; they are very simplistic in nature, and most intruders use software toolkits that automate all of the malicious steps without having to know or write the code.

II. Network Scanner

Objective

The main objective of this project is to configure a fully operational network scanner capable of analyzing wireless traffic and providing wireless intrusion detection features in the form of scripted alerts that are displayed and logged on the Raspberry Pi. This software package is also capable of monitoring Bluetooth devices, but we are not going to concentrate on that. Instead, we will monitor the traffic of my Wi-Fi router, whose SSID is "Chocolate_Candy", and set up the WIDS (Wireless Intrusion Detection System) to report on it if any suspicious activity is detected. Finally, once the network scanner is implemented, it will be possible to connect to it from an outside network using a remote desktop connection and check on the status, the alerts and the environment.

Hardware

Let's start with the easiest part, the hardware. All that is required for this to work is a Raspberry Pi with all the accessories, a microSDHC card and an external wireless adapter capable of switching to monitor mode. From the hardware side of things, there isn't much to set up and it's pretty straightforward. One important thing to note here is that the built-in wireless card has to be disabled, and we will need to use an Ethernet cable to provide connectivity to the Raspberry Pi so that we can access it remotely. Below is a picture of my setup and everything that needs to be connected to the device.

Software

My initial intent was to use Arch because it is lightweight and has low resource requirements, but after trying to configure it for days and installing all the dependencies that Kismet needed, I decided to switch to a more user-friendly OS that comes ready for installing the network scanner package.

Raspbian

The quickest and easiest way to install the Raspbian OS image onto an SD card is to use NOOBS (New Out Of the Box Software). After downloading and extracting the NOOBS file contents onto a formatted (FAT32) SD card, we are ready to install the Raspbian Lite OS. Booting up the Pi with the SD card inside displays the NOOBS installation menu; from there we can select the Raspbian Lite version of the OS and click Install in the top left corner of the menu. Below is an image of the NOOBS menu.

Kismet

After installing the OS, the final step is to install the actual Kismet network scanner package. The entire installation is going to take over an hour and will require changing network configuration files. The first step is to download the latest Kismet package (Kismet 2019-09-R1); you can do this from the git repository or by downloading it directly from the Kismet website. Once downloaded, navigate to the Kismet directory and type "./configure". Wait until the code is configured for compilation and type "make". This process will take over an hour, and after that we will need to install the package and configure user groups. Typing "sudo make suidinstall" installs Kismet, and "sudo usermod -aG kismet pi" adds the pi user to the kismet group. After this we are done; we just need to restart the device and check the user groups with the "groups" command to make sure kismet was added.

Network Configuration

Finally, to make everything work we will need to put the external wireless adapter into monitor mode. First, we check which physical interface it belongs to by typing "iw dev". Then we add another interface called mon1 that is set to monitor mode with the command "sudo iw phy phy1 interface add mon1 type monitor" and turn it on with the command "ifconfig mon1 up". I tried to make these settings permanent by adding these commands to the network interfaces configuration file, but somehow it wasn't working, so I ended up making a tiny script that has to run every time before turning Kismet on. That is it; now that we have configured the wireless adapter we can run Kismet and start monitoring traffic.
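The following is an added example of the kind of pre-Kismet script described above; it is not the report's own script. It reads the phy index for the external adapter from "iw dev" output instead of hard-coding phy1, and assumes the adapter's managed interface is named wlan1 and that iw and ip are installed.

```shell
#!/bin/sh
# Added example (not the report's script): create a monitor-mode interface
# "mon1" on the phy that owns the external adapter, then bring it up.
# Assumption: the external adapter's managed interface is wlan1 by default.

# Print the phy name (e.g. "phy1") that owns interface $2, parsing
# `iw dev`-style output passed as the string $1. Fails if not listed.
phy_for_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^phy#/ { phy = "phy" substr($1, 5) }
        $1 == "Interface" && $2 == want { print phy; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Idempotent: reuse mon1 if it already exists, otherwise add it on the
# right phy. Set RUN=echo for a dry run that only prints the commands.
monitor_up() {
    iface="${1:-wlan1}"
    out="$(iw dev)" || return 1
    phy="$(phy_for_iface "$out" "$iface")" \
        || { echo "no phy owns $iface" >&2; return 1; }
    if ! printf '%s\n' "$out" | grep -q "Interface mon1\$"; then
        $RUN sudo iw phy "$phy" interface add mon1 type monitor || return 1
    fi
    # Equivalent to the report's "ifconfig mon1 up".
    $RUN sudo ip link set mon1 up
}

# Run directly with --run [iface] to prepare mon1 and start Kismet on it.
if [ "${1:-}" = "--run" ]; then
    monitor_up "${2:-wlan1}" && kismet -c mon1
fi
```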

III. Alerts and WIDS

Configuration

Now that we have set up the Raspbian OS, installed the Kismet software package and configured the wireless adapter, all we need to do is activate apspoof by adding the "Chocolate_Candy" SSID and BSSID to be monitored. In order to do that, we have to edit a configuration file called "kismet_alerts.conf". Below is a picture of the alerts configuration file for the local user; all of the alerts are enabled and access point spoofing detection is set up for "Chocolate Candy".

Alerts

Kismet is most effective as a WIDS in a stationary mode, so keeping it constantly in one location increases its accuracy and coverage. There are a number of fingerprint alerts that can be triggered at any time once a known-hostile behavior is detected. We will take a look at some of the most common ones as examples. The first one, "apspoof", watches a given SSID along with a list of accepted MAC addresses: if it detects a beacon or probe response for that SSID and the sending device's BSSID is not on the list, the alarm is raised. Another important alarm is "deauthflood", which detects floods of spoofed deauthentication packets, which are typically used to disconnect clients from a network. There are plenty more Kismet signature alerts, and their descriptions can be found on the official page of the software.
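As an added illustration of the Configuration and Alerts sections above (not the report's own file), here is the shape of the relevant kismet_alerts.conf entries: the rate limits for the two alerts discussed and an apspoof rule that accepts only the real router's BSSID for the SSID. The BSSID is a placeholder; the report does not state the router's MAC address.

```conf
# Excerpt in the style of kismet_alerts.conf (override copy kept with the
# other local Kismet config). Rate limits: at most 10 alerts per minute,
# with a burst limit of 1 per second, so a flood does not drown the log.
alert=APSPOOF,10/min,1/sec
alert=DEAUTHFLOOD,10/min,1/sec

# Access point spoofing rule: beacons or probe responses for the SSID
# "Chocolate_Candy" from any BSSID other than validmacs raise APSPOOF.
# 00:11:22:33:44:55 is a placeholder; put the real router's BSSID here.
apspoof=HomeAP:ssid="Chocolate_Candy",validmacs="00:11:22:33:44:55"
```

Restart Kismet after editing so the rule is loaded; the evil-twin test later in the report is what should trigger this APSPOOF alert.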

IV. Deployment

Scanning and Monitoring

After completing all of the above-mentioned steps and procedures, we are finally ready to test the network scanner. We start by opening a terminal and typing the "kismet" command, which runs the network scanner. All we need to do now is open a web browser and navigate to "localhost:2501". After leaving the scanner running for about half a day, I discovered many network-enabled devices, such as Wi-Fi routers broadcasting on different channels, cellphones, Smart TVs and others. Below are a couple of images of Kismet scanning and monitoring wireless activity in my apartment building. The first image has messages displayed at the bottom alerting about events, and the second image shows a graph of the frequencies on which most devices transmit.

Testing Alerts

For the final part of the project, we will test the WIDS features of the Kismet package. I will use a Wi-Fi Pineapple Nano device from Hak5 connected to a machine running to test the alerting system of the software package installed on the Raspberry Pi.

We will test two attacks on my home's access point "Chocolate_Candy". The first is an evil twin and the second is a deauth attack. The goal here is to have both of these attacks detected by the Kismet scanner and logged as alerts.

Evil Twin

The evil twin attack is pretty easy to carry out with the Pineapple: all we need to do is scan for networks around us, select a target and add it to the SSID pool. The Pineapple has everything automated, and by clicking a couple of buttons you can broadcast as any SSID from the list. In our case, I selected "Chocolate_Candy" and started broadcasting with its SSID. Right away, Kismet picked it up and displayed a message alerting that "Unauthorized device is broadcasting with the SSID 'Chocolate Candy'". Below are two images that show the Pineapple interface and the alert that Kismet displayed after the attack was initiated.

Deauth

For the second and final attack simulation, we will disconnect my laptop, which is connected to the "Chocolate_Candy" access point, by sending deauthentication frames from the Wi-Fi Pineapple Nano. Once the deauthentication packets are transmitted, our network scanner should pick them up and display an alert notification. For this denial of service attack we use the Pineapple again because of how easy it is to carry out: all we have to do is scan the networks around us, select one and click one button to deauthenticate all clients. After targeting my own router and doing so, my MacBook lost its network connection immediately, letting me know that the attack worked. Below you can see Kismet detecting this attack and displaying notifications.

V. Conclusion

Our homes now have many devices connected to the Internet, most of them wireless, ranging from baby monitors to Wi-Fi enabled refrigerators; therefore, it becomes very important to make sure that proper security measures are implemented. Hackers can target anyone for various reasons, and no network is too small to be at risk of a cyberattack. Thus, having some additional security deployed on a network can only benefit its users and promote a safer environment. During this project, we looked at some of the security concerns related to Wi-Fi along with common attacks that hackers deploy. Additionally, we implemented a network scanner (Raspberry Pi) and tested its intrusion detection features by simulating some of the most common attacks, such as evil twin and denial of service, proving that it can easily detect and notify users about malicious wireless activity around their networks. I have wanted to try Kismet for some time now, and this project provided me the opportunity to do so; I learned some new things and look forward to improving this setup in the near future.