Exploring Open Source Wireless Tools
By Jake Snyder (The Dread Pirate Roberts) @jsnyder81

Who am I?
• Wireless Engineer at CompuNet Inc
• CCIE-W #43153
• CWNE #161
• Security Enthusiast
• Linux hobbyist
• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)
• Blogger
• Maker

What does a set of professional tools cost?
What I use at work:
• Ekahau ESS: $4000
• Omnipeek: $2500
• Chanalyzer + WiSpy: $1250
• Aircheck: $2000
*All prices are approximate

Professional tools in my first year
• Airmagnet Survey Pro
• Yup, that was it.
http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789
“I mean, if we only had a wheelbarrow, that would be something.” -Westley

Sometimes you have to build a wheelbarrow
• Linux VM
• Proxim 8494
• Airmon-NG
• Wireshark
“Well, why didn’t you list that among our assets in the first place?” -Westley

All these tools… Why Open Source?
Pros:
• Low cost
• Flexibility
• Lots of available tools
• Low barrier to entry
Cons:
• Free if your time is worth nothing
• Pieces of a solution; you have to put it together
• Requires knowledge
• Time = investment
“Please consider open source as an alternative to suicide.” – Prince Humperdinck

What are my hobbyist open source costs?
Options for today’s presentation:
Raspberry Pi: $223
• Raspberry Pi 2B: $38
• ASUS USB-N53: $45
• Micro SD card: $15
• Case: $5
• Ubertooth: $120
Intel NUC: $436
• NUC5CPYH: $134
• 8G memory: $34
• SSD: $40
• Intel 7265: $28
• WiSpy 2.4GHz: $200
Existing laptop: $8
• USB stick to boot Linux
• The chocolate coating makes it go down easier
• VM is an option, albeit not a good one

My Preferred Wireless Adapters
Asus USB-N53:
• 802.11n
• 2x2:2
• USB 2.0
• Ralink RT3572 using RT2800 driver
• Works on Raspberry Pi
• $45 on Amazon
• Has issues with Deauth/Disassoc packets not being passed to the host
Intel 726x:
• 802.11ac
• 2x2:2
• Mini PCIe half height and M.2
• Intel IWLWIFI: non-free firmware required
• $27 on Amazon
• Lots of clients using them
Currently exploring Compex WLE600VX QCA AR9982 (ATH10k)

Not all drivers are created equal
https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
• Drivers need to support a variety of functionality:
  • STA Mode: Station Infrastructure (default)
  • AP Mode: Access Point Infrastructure
  • MON: Monitor Mode
  • Frame Injection
  • IBSS: Ad-Hoc Mode
  • WDS: Wireless Distribution System Mode
  • Mesh Mode
• Mac80211
  • Preferred driver framework
  • Built-in support for the majority of modes you need
  • https://wikidevi.com/wiki/Wireless_adapters/Chipset_table

Ifconfig, iwconfig and iw
• IFCONFIG:
  • Setting interface status, IP addressing, netmask, gateway, broadcast, etc.
  • Deprecated
• IP:
  • IP is the replacement for IFCONFIG.
• IWCONFIG:
  • Like IFCONFIG except it’s for parameters specific to wireless
  • ESSID, frequency, mode, etc.
• IW:
  • IW is the replacement for IWCONFIG
  • My name is IW. You killed my father. Prepare to die!

A look at IW
jsnyder@NUC-1:~$ iw dev
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed

Wireless Scanning Tools
Horst, Scapy, Kismet

HORST - Highly Optimized Radio Scanning Tool
• Lightweight packet statistics
• Made for use with mac80211 drivers supporting monitor mode
• Supports client/server modes
• Graphical output
• Logs output to file
https://github.com/br101/horst
Getting Started:
# Create monitor interface
sudo iw dev wlan0 interface add mon0 type monitor
# Delete wlan0 interface*
sudo iw dev wlan0 del
# Start Horst on mon0
sudo /opt/horst/horst -i mon0
*May not be necessary on all drivers

Horst – Stations, APs and Packets…. Oh My!
HORST – Realtime Statistics
Beware: Beacons of unusual size
HORST – Spectrum Analyzer? Not Really

Scapy – Packet Manipulation
• Packet sniffing
• Packet generation
• Packet analysis
• Python based
• Unlimited use cases
“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”

Scapy – 2 ways to use
Native Scapy:
• Python-like interpreter for Scapy
• Quick, easy and self-contained
Scapy in a Python script:
• Import and go
• Full Scapy functionality

Some popular Scapy scripts
• Airoscapy:
  • Passive AP scanner
  • http://www.thesprawl.org/projects/airoscapy/
• Association Frame Randomizer:
  • Mike Albano’s client capabilities
  • https://github.com/mike-albano/frame-randomizer

Kismet - As you wish…
• Great for packet capture, logging and mining of data
• Client/server architecture (Kismet drone)
• Works offline (saves logs for later)

Kismet Spectools – Ubertooth and WiSpy
• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware
• Runs on Linux
• Multiple remote viewing options
• Plugin to Kismet

Aircrack-NG: not just for cracking wireless
• Suite of tools, not a single tool:
  • Airmon-ng – wireless promiscuous mode
  • Airgraph-ng – creates AP-to-client relationships
  • Airdrop-ng – deauthentication of targeted users
  • Aireplay-ng – frame injection for multiple attacks
  • Airodump-ng – packet capturing of raw frames
  • And more
http://www.aircrack-ng.org/

Wireshark and TCPDump
• CLI: TSHARK
• Automated rollover: DUMPCAP
• TCPdump has several options that make remote work easier.
http://booktrib.com/2014/12/the-princess-bride-what-the-cia-could-have-learned-about-torture-from-william-goldman/
# Set channel first
iw dev <devname> set freq <freq> [HT20|HT40+|HT40-]
# Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test.pcap -i mon0

Thank you
https://www.pinterest.com/hennesseandrews/the-princess-bride/
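The "A look at IW" slide shows the raw `iw dev` listing you check before starting horst or dumpcap: is there an interface of type monitor, and is it parked on the channel you expect? The Python below is an added example, not code from the slides or from iw itself. It parses that listing into records, maps each control frequency back to its channel number (2.4 GHz: channel = (freq - 2407) / 5 with channel 14 at 2484 MHz; 5 GHz: channel = (freq - 5000) / 5) and checks that the `center1` iw prints for 40/80 MHz operation sits at a valid offset from the control frequency. The sample text is the listing from the slide; the function names are mine.

```python
"""Parse `iw dev` output and sanity-check the monitor interface's channel.
Added example; the sample listing is the one shown on the slide."""
import re

# Sample `iw dev` output as printed on the slide: mon0 is a monitor interface
# on channel 116 (80 MHz), wlp2s0 is the managed interface on the same phy.
SAMPLE_IW_DEV = """\
phy#0
\tInterface mon0
\t\tifindex 4
\t\twdev 0x2
\t\taddr 10:02:b5:59:80:7b
\t\ttype monitor
\t\tchannel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
\tInterface wlp2s0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 10:02:b5:59:80:7b
\t\ttype managed
"""

CHANNEL_RE = re.compile(
    r"channel (?P<channel>\d+) \((?P<freq>\d+) MHz\), width: (?P<width>\d+) MHz"
    r"(?:, center1: (?P<center1>\d+) MHz)?"
)


def freq_to_channel(freq_mhz):
    """802.11 control frequency (MHz) -> channel number for 2.4 and 5 GHz."""
    if freq_mhz == 2484:                      # channel 14 is the odd one out
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 < freq_mhz < 6000:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"{freq_mhz} MHz is not a 2.4/5 GHz channel frequency")


def parse_iw_dev(text):
    """Return one dict per 'Interface' stanza, keyed by the attribute names iw
    prints (ifindex, wdev, addr, type) plus name, phy and the channel fields."""
    interfaces, phy, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("phy#"):
            phy = line
        elif line.startswith("Interface "):
            current = {"name": line.split(None, 1)[1], "phy": phy}
            interfaces.append(current)
        elif current is not None:
            m = CHANNEL_RE.match(line)
            if m:
                current["channel"] = int(m.group("channel"))
                current["freq"] = int(m.group("freq"))
                current["width"] = int(m.group("width"))
                if m.group("center1"):
                    current["center1"] = int(m.group("center1"))
            else:
                key, _, value = line.partition(" ")   # e.g. "type monitor"
                current[key] = value
    return interfaces


def monitor_interfaces(interfaces):
    """Names of interfaces iw reports as type monitor (what horst/dumpcap need)."""
    return [i["name"] for i in interfaces if i.get("type") == "monitor"]


def channel_consistent(iface):
    """True when the channel number iw prints matches its control frequency."""
    return "freq" in iface and freq_to_channel(iface["freq"]) == iface["channel"]


def center_consistent(iface):
    """center1 must be +-10 MHz off the control frequency for 40 MHz and
    +-10/+-30 MHz for 80 MHz; interfaces without a channel line pass."""
    if "center1" not in iface:
        return iface.get("width") in (None, 20)
    offset = iface["center1"] - iface["freq"]
    valid = {20: {0}, 40: {-10, 10}, 80: {-30, -10, 10, 30}}
    return offset in valid.get(iface["width"], set())


if __name__ == "__main__":
    for iface in parse_iw_dev(SAMPLE_IW_DEV):
        print(iface["name"], iface.get("type"), iface.get("channel"),
              channel_consistent(iface), center_consistent(iface))
```

In practice you would feed it `subprocess.check_output(["iw", "dev"], text=True)` instead of the sample string; the point is that the check is done on iw's own report of the interface rather than on what you asked for, which is where driver quirks show up.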
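Horst's AP/station statistics, the "Beacons of unusual size" slide and Airoscapy's passive AP scanner all reduce to the same job: read beacons off a monitor interface (or from the pcap dumpcap wrote), key them by BSSID and pull out SSID and channel. The Python below is an added example written for this page, not code from horst, Scapy or Airoscapy, and it deliberately avoids Scapy so it runs against any radiotap pcap. It builds a small constructed capture (the BSSIDs, SSIDs and the 512-byte size threshold are made up), parses the libpcap and radiotap headers, decodes each beacon's information elements without over-reading a truncated element, and flags beacons that are unusually large.

```python
"""Passive AP inventory from a radiotap pcap (what dumpcap -i mon0 writes).
Added example; frames, BSSIDs and SSIDs below are constructed."""
import struct

LINKTYPE_IEEE802_11_RADIOTAP = 127      # DLT for radiotap + 802.11
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, channel, filler_ies=0):
    """Constructed beacon: minimal radiotap header, 802.11 management header,
    fixed fields, then SSID / rates / DS Parameter Set IEs. filler_ies adds
    200-byte vendor-specific IEs to simulate a bloated beacon."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)            # version, pad, length, present
    header = (struct.pack("<H", 0x0080)                     # FC: type 0 (mgmt), subtype 8 (beacon)
              + struct.pack("<H", 0)                        # duration
              + mac_bytes("ff:ff:ff:ff:ff:ff")              # addr1: broadcast DA
              + mac_bytes(bssid) + mac_bytes(bssid)         # addr2: SA, addr3: BSSID
              + struct.pack("<H", 0))                       # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)             # timestamp, interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode()             # SSID IE (tag 0)
    ies += bytes([1, 1, 0x82])                              # supported rates: 1 Mbps basic
    ies += bytes([3, 1, channel])                           # DS Parameter Set (tag 3)
    for _ in range(filler_ies):
        ies += bytes([221, 200]) + b"\x00" * 200            # vendor-specific filler (tag 221)
    return radiotap + header + fixed + ies


def build_pcap(frames):
    """Little-endian libpcap container with the radiotap link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield the captured bytes of each record; accepts either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError(f"unexpected link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_beacon(frame):
    """Return {'bssid','ssid','channel','size'} for a beacon, None otherwise."""
    if len(frame) < 4:
        return None
    rt_len, = struct.unpack_from("<H", frame, 2)            # radiotap length is always LE
    dot11 = frame[rt_len:]
    if len(dot11) < 36:                                     # 24-byte header + 12 fixed bytes
        return None
    fc, = struct.unpack_from("<H", dot11, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:        # not a beacon
        return None
    info = {"bssid": mac_str(dot11[16:22]), "ssid": None, "channel": None, "size": len(dot11)}
    ies, i = dot11[36:], 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if len(value) < length:                             # truncated IE: stop, don't over-read
            break
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        i += 2 + length
    return info


def scan_aps(pcap_bytes, oversize_bytes=512):
    """Aggregate beacons per BSSID and flag beacons above oversize_bytes."""
    aps = {}
    for frame in iter_pcap(pcap_bytes):
        beacon = parse_beacon(frame)
        if beacon is None:
            continue
        ap = aps.setdefault(beacon["bssid"], {"ssid": beacon["ssid"], "channel": beacon["channel"],
                                                "beacons": 0, "max_size": 0, "oversize": False})
        ap["beacons"] += 1
        ap["max_size"] = max(ap["max_size"], beacon["size"])
        ap["oversize"] = ap["max_size"] > oversize_bytes
    return aps


# Constructed capture: two normal beacons from one AP, one bloated beacon from
# another, and an ACK control frame (FC 0x00d4) that the scanner must skip.
SAMPLE_PCAP = build_pcap([
    build_beacon("02:00:00:00:01:00", "LabNet", 6),
    build_beacon("02:00:00:00:01:00", "LabNet", 6),
    build_beacon("02:00:00:00:02:00", "Guest-5G", 116, filler_ies=3),
    struct.pack("<BBHI", 0, 0, 8, 0) + struct.pack("<H", 0x00D4) + b"\x00" * 8,
])

if __name__ == "__main__":
    for bssid, ap in scan_aps(SAMPLE_PCAP).items():
        flag = "  OVERSIZE" if ap["oversize"] else ""
        print(f"{bssid}  ch {ap['channel']:>3}  {ap['ssid']!r:12} "
              f"beacons={ap['beacons']} max={ap['max_size']}B{flag}")
```

To run it on a real capture, replace `SAMPLE_PCAP` with the bytes of a file produced by `dumpcap -i mon0` (link type 127). Stopping at a truncated IE instead of indexing past it is the one detail worth copying into any hand-written 802.11 parser: beacons of unusual size are exactly the input that trips a naive IE loop.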
