Exploring Open Source Wireless Tools
By Jake Snyder (The Dread Pirate Roberts)
@jsnyder81
Who am I?
• Wireless Engineer at CompuNet Inc
• CCIE-W #43153
• CWNE #161
• Security Enthusiast
• Linux hobbyist
• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)
• Blogger
• Maker
What does a set of professional tools cost?
What I use at work:
Ekahau ESS: $4000
Omnipeek: $2500
Chanalyzer + WiSpy: $1250
Aircheck: $2000
*All prices are approximate
Professional tools in my first year.
• Airmagnet Survey pro
• Yup, that was it.
http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789
“I mean, if we only had a wheelbarrow, that would be something.” -Westley
Sometimes you have to build a wheelbarrow
• Linux VM
• Proxim 8494
• Airmon-NG
• Wireshark
“Well, why didn’t you list that among our assets in the first place” -Westley
All these tools… Why Open Source?
Pros:
• Low Cost
• Flexibility
• Lots of available tools
• Low barrier to entry
Cons:
• Free if your time is worth nothing
• Pieces of a solution, you have to put it together
• Requires knowledge
• Time = investment
“Please consider open source as an alternative to suicide.” – Prince Humperdinck
What are my hobbyist open source costs?
Options for today's presentation:
Intel NUC: $436
• NUC5CPYH: $134.00
• 8G Memory: $34
• SSD: $40
• Intel 7265: $28
• WiSpy 2.4GHz: $200
Raspberry PI: $223
• Raspberry PI 2B: $38
• ASUS USB-N53: $45
• Micro SD Card: $15
• Case: $5
• Ubertooth: $120
Existing Laptop: $8
• USB stick to boot Linux
• The chocolate coating makes it go down easier
• VM is an option, albeit not a good one
My Preferred Wireless Adapters
• Asus USB-N53
  • 802.11n
  • 2x2:2
  • USB 2.0
  • Ralink RT3572 using RT2800 driver
  • Works on Raspberry PI
  • $45 on Amazon
  • Has issues with Deauth/Disassoc packets not being passed to host
• Intel 726x
  • 802.11ac
  • 2x2:2
  • Mini PCIe half height and M.2
  • Intel IWLWIFI: non-free firmware required
  • $27 on Amazon
  • Lots of clients using them
Currently exploring Compex WLE600VX QCA AR9982 (ATH10k)
Not all drivers are created equal
• Drivers need to support a variety of functionality
  • STA Mode: Station Infrastructure (default)
  • AP Mode: Access Point Infrastructure
  • MON: Monitor Mode
  • Frame Injection
  • IBSS: Ad-Hoc Mode
  • WDS: Wireless Distribution System Mode
  • Mesh Mode
• Mac80211
  • Preferred Driver Framework
  • Built-in support for the majority of modes you need
  • https://wikidevi.com/wiki/Wireless_adapters/Chipset_table
https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
Ifconfig, iwconfig and iw
• IFCONFIG:
  • Setting interface status, IP addressing, netmask, gateway, broadcast, etc.
  • Deprecated
• IP:
  • IP is the replacement for IFCONFIG.
• IWCONFIG:
  • Like IFCONFIG except it’s for parameters specific to wireless
  • ESSID, frequency, mode, etc.
• IW
  • IW is the replacement for IWCONFIG
  • My name is IW. You killed my father. Prepare to die!
A look at IW
• jsnyder@NUC-1:~$ iw dev
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed
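A pre-capture check built on this output, as an added example that is not from the slides: it parses `iw dev` text and confirms the capture interface is in monitor mode on the expected frequency. The function names are hypothetical, and the sample text is the output shown above.

```python
import re

# The `iw dev` output from the slide, embedded so the example runs offline.
SAMPLE = """\
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed
"""

def parse_iw_dev(text):
    """Return one dict per interface; indentation is ignored, so pasted output works."""
    interfaces, phy, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("phy#"):
            phy, current = line, None
        elif line.startswith("Interface "):
            current = {"phy": phy, "name": line.split()[1]}
            interfaces.append(current)
        elif line and current is not None:
            # Every other line is "<key> <value>", e.g. "type monitor".
            key, _, value = line.partition(" ")
            current[key] = value
            match = re.match(r"(\d+) \((\d+) MHz\), width: (\d+) MHz", value)
            if key == "channel" and match:
                current["freq_mhz"] = int(match.group(2))
                current["width_mhz"] = int(match.group(3))
    return interfaces

def capture_ready(text, name, freq_mhz):
    """True only if `name` is in monitor mode and tuned to `freq_mhz`."""
    for iface in parse_iw_dev(text):
        if iface["name"] == name:
            return iface.get("type") == "monitor" and iface.get("freq_mhz") == freq_mhz
    return False
```

A managed interface that is not associated prints no `channel` line, so `capture_ready` returns False for it rather than raising.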
Wireless Scanning Tools
Horst, Scapy, Kismet
HORST - Highly Optimized Radio Scanning Tool
• Lightweight packet statistics
• Made for use with MAC80211 drivers supporting monitor mode
• Supports Client/Server modes
• Graphical output
• Logs output to file
https://github.com/br101/horst
Getting Started
#Create Monitor Interface
sudo iw wlan0 interface add mon0 type monitor
#Delete wlan0 interface*
sudo iw dev wlan0 del
#Start Horst on mon0
sudo /opt/horst/horst -i mon0
*May not be necessary on all drivers
Horst – Stations, APs and Packets…. Oh My!
HORST – Realtime Statistics
Beware: Beacons of unusual size
HORST – Spectrum Analyzer? Not Really
Scapy – Packet Manipulation
• Packet Sniffing
• Packet Generation
• Packet Analysis
• Python based
• Unlimited use cases
“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”
Scapy – 2 ways to use
Native Scapy
• Python-like interpreter for Scapy
• Quick, easy and self-contained
Scapy in a Python script
• Import and go
• Full scapy functionality
Some popular Scapy scripts
• Airoscapy:
  • Passive AP Scanner
  • http://www.thesprawl.org/projects/airoscapy/
• Association Frame Randomizer
  • Mike Albano’s client capabilities
  • https://github.com/mike-albano/frame-randomizer
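What a passive AP scanner reads out of each beacon, as an added example that is not from the slides and is not Airoscapy's code: it uses only the standard library instead of Scapy so it runs without a radio. The frames are constructed test input, the function names are hypothetical, and frames are assumed to carry a radiotap header and no trailing FCS.

```python
import struct

def parse_beacon(frame: bytes):
    """Parse a radiotap + 802.11 beacon; return None for anything else."""
    if len(frame) < 4:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]      # radiotap length field
    dot11 = frame[rt_len:]
    # 24-byte management header + 12 bytes of fixed parameters; 0x80 = beacon
    if len(dot11) < 36 or dot11[0] != 0x80:
        return None
    capability = struct.unpack_from("<H", dot11, 34)[0]
    bssid = ":".join(f"{b:02x}" for b in dot11[16:22])
    ap = {"bssid": bssid, "ssid": None, "channel": None,
          "privacy": bool(capability & 0x0010)}
    pos = 36
    while pos + 2 <= len(dot11):                        # tagged elements: ID, length, body
        elt_id, elt_len = dot11[pos], dot11[pos + 1]
        body = dot11[pos + 2:pos + 2 + elt_len]
        if len(body) < elt_len:                         # truncated element, stop parsing
            break
        if elt_id == 0 and ap["ssid"] is None:          # SSID (empty or NULs = hidden)
            ap["ssid"] = body.decode("utf-8", "replace").strip("\x00") or "<hidden>"
        elif elt_id == 3 and elt_len == 1:              # DS Parameter Set = channel
            ap["channel"] = body[0]
        pos += 2 + elt_len
    return ap

def scan(frames):
    """Build a BSSID -> AP table from captured frames, ignoring non-beacons."""
    table = {}
    for frame in frames:
        ap = parse_beacon(frame)
        if ap:
            table[ap["bssid"]] = ap
    return table

def build_beacon(bssid, ssid, channel, privacy):
    """Constructed test input: minimal radiotap header + beacon, no FCS."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    elements = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return b"\x00\x00\x08\x00\x00\x00\x00\x00" + header + fixed + elements

SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", b"lab-5g", 116, True),
    build_beacon("02:00:00:00:00:02", b"", 6, False),            # hidden SSID
    build_beacon("02:00:00:00:00:03", b"cut", 11, True)[:-2],    # truncated element
    b"\x00\x00\x08\x00\x00\x00\x00\x00" + b"\x08\x02" + bytes(40),  # data frame
]
```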
Kismet - As you wish…
• Great for packet capture, logging and mining of data
• Client server architecture (kismet drone)
• Works offline (saves logs for later)
Kismet
Spectools – Ubertooth and WiSpy
• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware
• Runs on Linux
• Multiple remote viewing options
• Plugin to Kismet
Aircrack-NG not just for cracking wireless
• Suite of tools, not a single tool:
  • Airmon-ng – wireless promiscuous mode
  • Airgraph-ng – Creates AP to client relationships
  • Airdrop-ng – Deauthentication of targeted users
  • Aireplay-ng – Frame injection for multiple attacks
  • Airodump-ng – Packet capturing of raw frames
  • And more
http://www.aircrack-ng.org/
Wireshark and TCPDump
• CLI: TSHARK
• Automated rollover: DUMPCAP
• TCPdump has several options that make remote work easier.
#Set Channel First
iw dev <devname> set freq <freq> [HT20|HT40+|HT40-]
#Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test.pcap -i mon0
http://booktrib.com/2014/12/the-princess-bride-what-the-cia-could-have-learned-about-torture-from-william-goldman/
Thank you
https://www.pinterest.com/hennesseandrews/the-princess-bride/