
Raspberry Pi as a Wireless Network Scanner
By Dmitry Kolyvagin
IASP-560, Professor Dr. John Yoon

Table of Contents:
I. Introduction
   1) Home Wireless Networks
   2) Common Security Issues
   3) Typical Attacks
II. Network Scanner
   1) Objective
   2) Hardware
   3) Software
      a. Raspbian
      b. Kismet
   4) Network Configuration
III. Alerts and WIDS
   1) Configuration
   2) Alerts
IV. Deployment
   1) Scanning and Monitoring
   2) Testing Alerts
      a. Evil Twin
      b. Deauth
V. Conclusion

I. Introduction

Home Wireless Networks

In our day and age, most homes have a variety of wireless devices on the network, ranging from laptops and cell phones to smart TVs and IP cameras. Some homes have remote temperature control sensors installed, smart light bulbs that can be controlled wirelessly, and so on. The point is that the average home in the United States has a great many devices nowadays, and all of them are connected to the network. Below is an image that illustrates an example of a home network topology and some of the common wireless devices that are connected. On the left you can see the most general devices, such as a laptop, phone and printer; on the right side of the picture there are plenty of so-called “Internet of Things” devices.

Common Security Issues

As you can tell from the above image, the most typical configuration for a home network consists of a modem for the Internet and a Wi-Fi router for devices to connect to it. This leaves the Wi-Fi router constantly exposed to the outside environment: anyone within range can see the name of the network (SSID), the security protocol it is using, and the MAC address of the access point (BSSID). Knowing this information, attackers can orchestrate a wide range of attacks that fall into three main categories: denial of service, man-in-the-middle, and spoofing attacks. Additionally, some wireless networks may still use the older, outdated encryption protocol known as Wired Equivalent Privacy (WEP), which has major security flaws and can be cracked in a matter of minutes.
For example, hackers can easily find such vulnerable networks by using a method called wardriving, in which an attacker scans for wireless networks from a moving vehicle. Once such a network is found, it takes less than 5 minutes to get into it using tools like aircrack-ng, besside-ng and fluxion.

Typical Attacks

Furthermore, there are other attacks that hackers can launch against a wireless network; one of the most popular is called an evil twin attack. Hackers replicate the SSID and BSSID of an access point (AP) and force users to connect to the fake one by kicking everyone off their original network. The attacker can then use IP forwarding and monitoring tools to analyze the traffic and pass it along without any indication. In most cases, users never realize that they are connected to a different network, because of this simple spoofing technique. A deauthentication attack is another popular one: it is used to deauthenticate clients from their wireless network in order to capture the frame exchange (the handshake) when they try to connect back. After capturing the encrypted authentication frames, attackers can run a dictionary attack offline and brute-force the password with tools like aircrack-ng, John the Ripper and RainbowCrack. These are just some of the most common attacks that black hats use today when targeting wireless networks. They are very simplistic in nature, and most intruders use software toolkits that automate all of the malicious steps without having to know or write the code.

II. Network Scanner

Objective

The main objective of this project is to configure a fully operational network scanner capable of analyzing wireless traffic and providing wireless intrusion detection features in the form of scripted alerts that are displayed and logged on the Raspberry Pi. This software package is also capable of monitoring Bluetooth devices, but we are not going to concentrate on that.
Instead, we will monitor the traffic of my Wi-Fi router, whose SSID is “Chocolate_Candy”, and set up the WIDS (Wireless Intrusion Detection System) to report on it if any suspicious activity is detected. Finally, once the network scanner is implemented, it will be possible to connect to it from an outside network using a remote desktop connection and check on the status, alerts and the environment.

Hardware

Let’s start with the easiest part, the hardware. All that is required for this to work is a Raspberry Pi with all its accessories, a microSDHC card and an external wireless adapter capable of switching to monitor mode. On the hardware side there isn’t much to set up and it’s pretty straightforward. One important thing to note here is that the built-in wireless card has to be disabled, and we will need to use an Ethernet cable to provide connectivity to the Raspberry Pi so that we can access it remotely. Below is a picture of my setup and everything that needs to be connected to the device.

Software

My initial intent was to use the Arch Linux operating system because it is lightweight and has low resource requirements, but after trying to configure it for days and installing all the dependencies that Kismet needed, I decided to switch to a more user-friendly OS that comes ready for installing the network scanner package.

Raspbian

The quickest and easiest way to install the Raspbian OS image onto an SD card is to use NOOBS (New Out Of the Box Software). After downloading and extracting the NOOBS file contents onto a formatted (FAT32) SD card, we are ready to install the Raspbian Lite OS. Booting up the Pi with the SD card inside displays the NOOBS installation menu; there we select the Raspbian Lite version of the OS and click Install in the top left corner of the menu. Below is an image of the NOOBS menu.

Kismet

After installing the OS, the final step is to install the actual Kismet network scanner package.
The entire installation takes over an hour and requires changing network configuration files. The first step is to download the latest Kismet package (Kismet 2019-09-R1); you can do so by cloning the Git repository or downloading it directly from the Kismet website. Once downloaded, navigate to the Kismet directory and type “./configure”. Wait until the code is configured for compilation, then type “make”. This process will take over an hour, and after that we need to install the package and configure user groups. Typing “sudo make suidinstall” installs Kismet, and “sudo usermod -aG kismet pi” adds the pi user to the kismet group. After this we are done; we just need to restart the device and check user groups by typing the “groups” command to make sure kismet was added.

Network Configuration

Finally, to make everything work we need to put the external wireless adapter into monitor mode. First, we check which physical interface it belongs to by typing “iw dev”. Then we add another interface called mon1 that is set to monitor mode with the command “sudo iw phy phy1 interface add mon1 type monitor”, and turn it on with the command “ifconfig mon1 up”. I tried to make these settings permanent by adding these commands to the network interfaces configuration file, but somehow it wasn’t working, so I ended up making a tiny script that has to run every time before turning Kismet on. That is it; now that we have configured the wireless adapter we can run Kismet and start monitoring traffic.

III. Alerts and WIDS

Configuration

Now that we have set up the Raspbian OS, installed the Kismet software package and configured the wireless adapter, all we need to do is to activate apspoof by adding the “Chocolate_Candy” SSID and BSSID to be monitored. In order to do that, we have to edit a configuration file called “kismet_alerts.conf”.
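Before looking at the alert file, here is what the “tiny script” mentioned under Network Configuration above can look like. This is an added example, not the author's script and not part of Kismet: it parses “iw dev” to find the phy behind the external adapter instead of hard-coding phy1, creates the monitor interface only if it does not already exist, and brings it up. The interface names wlan1 and mon1 are assumptions; the embedded “iw dev” sample is constructed so the parsing can be exercised without hardware.

```shell
#!/bin/sh
# Added example (not the report's own script): bring up a monitor-mode
# interface for Kismet following the steps in the report
# (iw dev -> iw phy <phy> interface add mon1 type monitor -> bring mon1 up).
# Assumed names: wlan1 = external adapter, mon1 = monitor interface.

# phy_for_iface IFACE: read `iw dev` output on stdin and print the phy name
# (e.g. "phy1") that owns IFACE.  Prints nothing and returns 1 if not found.
phy_for_iface() {
    awk -v iface="$1" '
        /^phy#/ { phy = "phy" substr($1, 5) }                 # "phy#1" -> "phy1"
        $1 == "Interface" && $2 == iface { print phy; found = 1; exit }
        END { exit !found }
    '
}

# monitor_iface_present MON: succeed if the monitor interface already exists,
# so the script can be re-run safely before every Kismet start.
monitor_iface_present() {
    iw dev | awk -v mon="$1" '$1 == "Interface" && $2 == mon { found = 1 } END { exit !found }'
}

# enable_monitor IFACE MON: create MON on the phy that owns IFACE and bring it up.
enable_monitor() {
    iface=$1
    mon=$2
    phy=$(iw dev | phy_for_iface "$iface") || {
        echo "enable_monitor: no phy found for $iface (is the adapter plugged in?)" >&2
        return 1
    }
    if ! monitor_iface_present "$mon"; then
        # Same command the report uses, with the phy looked up instead of hard-coded
        iw phy "$phy" interface add "$mon" type monitor || return 1
    fi
    ip link set "$mon" up || return 1        # equivalent to the report's "ifconfig mon1 up"
    echo "$mon is up in monitor mode on $phy (from $iface)"
}

# Constructed sample of `iw dev` output (not captured from a real device),
# used only to exercise the parser offline.
SAMPLE_IW_DEV='phy#1
    Interface wlan1
        ifindex 4
        type managed
phy#0
    Interface wlan0
        ifindex 3
        type managed'

# demo_phy_lookup IFACE: run the parser over the constructed sample only.
demo_phy_lookup() {
    printf '%s\n' "$SAMPLE_IW_DEV" | phy_for_iface "$1"
}

# Touch the hardware only when explicitly asked (needs root):
#   sudo sh monmode.sh --apply [IFACE] [MON]
if [ "${1:-}" = "--apply" ]; then
    enable_monitor "${2:-wlan1}" "${3:-mon1}"
fi
```

Running it with --apply before each “kismet” start replaces the two hand-typed commands; without --apply it only defines the functions, which is what makes the parser testable on a machine with no wireless adapter.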
Below is a picture of the alerts configuration file for the local user; all of the alerts are enabled and access point spoofing detection is set up for “Chocolate_Candy”.

Alerts

Kismet is most effective as a WIDS in a stationary mode, so keeping it constantly in one location increases its accuracy and coverage. There are a number of fingerprint alerts that can be triggered at any time once a known-hostile behavior is detected. We will take a look at some of the most common ones as examples. The first one, “apspoof”, watches a given SSID along with all of its accepted MAC addresses: if it detects a beacon or probe response for that SSID and the sending device’s BSSID is not on the list, the alarm is raised. Another important alarm is “deauthflood”, which detects spoofed deauthentication packets, typically used to disconnect clients from a network. There are plenty more Kismet signature alerts, and their descriptions can be found on the official page of the software.

IV. Deployment

Scanning and Monitoring

After completing all of the above-mentioned steps and procedures, we are finally ready to test the network scanner. We start by opening a terminal and typing the “kismet” command, which runs the network scanner. All we need to do now is to open a web browser and navigate to “localhost:2501”. After leaving the scanner running for about half a day, I discovered many network-enabled devices such as Wi-Fi routers broadcasting on different channels, cellphones, Smart TVs and others. Below are a couple of images of Kismet scanning and monitoring wireless activity in my apartment building.
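To make the two rules described under Alerts above concrete, the following added example (not Kismet's code and not from the report) models them as small awk filters over a constructed frame log: one line per frame in the invented format “unix_second frame_type ssid bssid”. The apspoof filter mirrors what a kismet_alerts.conf line of the form apspoof=Name:ssid="Chocolate_Candy",validmacs="…" expresses, raising an alert for any BSSID that beacons or probe-responds as the protected SSID without being on the valid list; the deauthflood filter counts deauthentication frames per second against a threshold. The BSSIDs, the timestamps and the threshold of 10 frames per second are assumptions for the example; Kismet's real deauthflood rate logic is more elaborate.

```shell
#!/bin/sh
# Added example (not Kismet's code): simplified apspoof and deauthflood rules
# run over a constructed frame log.  Log format is invented for this example:
#   <unix_second> <frame_type> <ssid or -> <bssid>
# BSSIDs below are placeholders, not the author's real values.

# apspoof_alerts SSID VALIDMACS: read frames on stdin and print
# "APSPOOF <bssid>" once for every BSSID that beacons or probe-responds as
# SSID while not being in the comma-separated VALIDMACS list.
apspoof_alerts() {
    awk -v ssid="$1" -v validmacs="$2" '
        BEGIN {
            n = split(validmacs, m, ",")
            for (i = 1; i <= n; i++) valid[tolower(m[i])] = 1   # MACs compared case-insensitively
        }
        ($2 == "beacon" || $2 == "probe_resp") && $3 == ssid {
            b = tolower($4)
            if (!(b in valid) && !(b in seen)) { seen[b] = 1; print "APSPOOF " b }
        }'
}

# deauthflood_alerts THRESHOLD: print "DEAUTHFLOOD <second> <count>" for every
# one-second window containing more than THRESHOLD deauth frames.
deauthflood_alerts() {
    awk -v limit="$1" '
        $2 == "deauth" { c[$1]++ }
        END { for (s in c) if (c[s] > limit) print "DEAUTHFLOOD " s " " c[s] }' | sort
}

# Constructed frames: the real AP (aa:bb:cc:dd:ee:01) beaconing normally, an
# impostor (02:13:37:00:00:01) announcing the same SSID, an unrelated network,
# and a single legitimate deauth followed (in demo_frames) by a burst.
SAMPLE_FRAMES='1700000000 beacon Chocolate_Candy aa:bb:cc:dd:ee:01
1700000000 beacon Chocolate_Candy AA:BB:CC:DD:EE:01
1700000001 probe_resp Chocolate_Candy 02:13:37:00:00:01
1700000001 beacon OtherNet 02:13:37:00:00:01
1700000002 beacon Chocolate_Candy 02:13:37:00:00:01
1700000003 deauth - aa:bb:cc:dd:ee:01'

# demo_frames: the sample above plus 12 deauth frames inside one second.
demo_frames() {
    printf '%s\n' "$SAMPLE_FRAMES"
    i=0
    while [ "$i" -lt 12 ]; do
        echo "1700000004 deauth - aa:bb:cc:dd:ee:01"
        i=$((i + 1))
    done
}

# demo_alerts: run both rules over the constructed frames and print the alerts.
demo_alerts() {
    demo_frames | apspoof_alerts Chocolate_Candy "aa:bb:cc:dd:ee:01"
    demo_frames | deauthflood_alerts 10
}

demo_alerts
```

The impostor triggers exactly one APSPOOF line even though it sends three frames for that SSID, and its beacon for OtherNet is ignored because apspoof only cares about the protected SSID; the lone deauth at second 1700000003 stays below the threshold, while the burst at 1700000004 produces one DEAUTHFLOOD line.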