Exploring Open Source Wireless Tools By Jake Snyder (The Dread Pirate Roberts) @jsnyder81
Post on 06-Jul-2020
Page 1: Exploring Open Source Wireless Tools · Options for todays presentation: Intel NUC $436 NUC5CPYH: $134.00 8G Memory: $34 SSD: $40 Intel 7265 $28 WiSpy 2.4Ghz: $200 Raspberry PI: $223

Exploring Open Source Wireless Tools

By Jake Snyder (The Dread Pirate Roberts)

@jsnyder81

Who am I?

• Wireless Engineer at CompuNet Inc

• CCIE-W #43153

• CWNE #161

• Security Enthusiast

• Linux hobbyist

• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)

• Blogger

• Maker

What does a set of professional tools cost?

What I use at work:

Ekahau ESS: $4000

Omnipeek: $2500

Chanalyzer + WiSpy: $1250

Aircheck: $2000

*All prices are approximate

Professional tools in my first year.

• Airmagnet Survey pro

• Yup, that was it.

http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789

“I mean, if we only had a wheelbarrow, that would be something.” -Westley

Sometimes you have to build a wheelbarrow

• Linux VM

• Proxim 8494

• Airmon-NG

• Wireshark

“Well, why didn’t you list that among our assets in the first place” -Westley

All these tools… Why Open Source?

Pros:

• Low Cost

• Flexibility

• Lots of available tools

• Low barrier to entry

Cons:

• Free if your time is worth nothing

• Pieces of a solution, you have to put it together

• Requires knowledge

• Time = investment

“Please consider opensource as an alternative to suicide.” – Prince Humperdinck

What are my hobbyist open source costs?

Options for today's presentation:

Intel NUC: $436

• NUC5CPYH: $134.00

• 8G Memory: $34

• SSD: $40

• Intel 7265: $28

• WiSpy 2.4GHz: $200

Raspberry PI: $223

• Raspberry PI 2B: $38

• ASUS USB-N53: $45

• Micro SD Card: $15

• Case: $5

• Ubertooth: $120

Existing Laptop: $8

• USB stick to boot Linux

• The chocolate coating makes it go down easier

• VM is an option, albeit not a good one

My Preferred Wireless Adapters

• Asus USB-N53

  • 802.11n

  • 2x2:2

  • USB 2.0

  • Ralink RT3572 using RT2800 Driver

  • Works on Raspberry PI

  • $45 on Amazon

  • Has issues with Deauth/Disassoc packets not being passed to host.

• Intel 726x

  • 802.11ac

  • 2x2:2

  • Mini PCIe half height and m.2

  • Intel IWLWIFI: Non-Free firmware required

  • $27 on Amazon

  • Lots of clients using them

Currently exploring Compex WLE600VX QCA AR9982 (ATH10k)

Not all drivers are created equal

• Drivers need to support a variety of functionality

  • STA Mode: Station Infrastructure (default)

  • AP Mode: Access Point Infrastructure

  • MON: Monitor Mode

  • Frame Injection

  • IBSS: Ad-Hoc Mode

  • WDS: Wireless Distribution System Mode

  • Mesh Mode

• Mac80211

  • Preferred Driver Framework

  • Built-in support for the majority of modes you need

  • https://wikidevi.com/wiki/Wireless_adapters/Chipset_table

https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers

Ifconfig, iwconfig and iw

• IFCONFIG:

  • Setting interface status, ip addressing, netmask, gateway broadcast etc.

  • Deprecated

• IP:

  • IP is the replacement for IFCONFIG.

• IWCONFIG:

  • Like IFCONFIG except it’s for parameters specific to wireless

  • Essid, frequency, mode, etc.

• IW

  • IW is the replacement for IWCONFIG

  • My name is IW. You killed my father. Prepare to die!

A look at IW

jsnyder@NUC-1:~$ iw dev
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed

Wireless Scanning Tools

Horst, Scapy, Kismet

HORST - Highly Optimized Radio Scanning Tool

• Lightweight packet statistics

• Made for use with MAC80211 drivers supporting monitor mode

• Support Client/Server modes

• Graphical output

• Logs output to file

https://github.com/br101/horst

Getting Started

#Create Monitor Interface
sudo iw wlan0 interface add mon0 type monitor

#Delete wlan0 interface*
sudo iw dev wlan0 del

#Start Horst on mon0
sudo /opt/horst/horst -i mon0

*May not be necessary on all drivers
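An added example, not part of the original slides: shell functions that condense `iw dev` output to one line per interface and list any phy where a monitor interface shares the radio with a managed one, the situation in which the optional wlan0 deletion step above applies. The sample input is the `iw dev` output from the earlier slide, embedded as constructed test data; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. Function names are assumptions.

# Constructed sample: the `iw dev` output shown on the "A look at IW" slide.
sample_iw_dev() {
cat <<'EOF'
phy#0
    Interface mon0
        ifindex 4
        wdev 0x2
        addr 10:02:b5:59:80:7b
        type monitor
        channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
    Interface wlp2s0
        ifindex 3
        wdev 0x1
        addr 10:02:b5:59:80:7b
        type managed
EOF
}

# Read `iw dev` output on stdin; print "phy iface type freq_mhz" per interface.
# freq_mhz is "-" when the interface reports no channel.
iw_summary() {
  awk '
    function emit() { if (ifc != "") print phy, ifc, type, freq }
    /^phy#/           { emit(); ifc = ""; phy = $1 }
    $1 == "Interface" { emit(); ifc = $2; type = "-"; freq = "-" }
    $1 == "type"      { type = $2 }
    $1 == "channel"   { f = $3; sub(/[(]/, "", f); freq = f }
    END               { emit() }
  '
}

# Read `iw dev` output on stdin; print each phy that carries a monitor
# interface alongside a managed one.
shared_monitor_phys() {
  iw_summary | awk '
    $3 == "monitor" { mon[$1] = 1 }
    $3 == "managed" { sta[$1] = 1 }
    END { for (p in mon) if (p in sta) print p }
  '
}

sample_iw_dev | iw_summary
```

On a live system, feed the functions real output with `iw dev | iw_summary` or `iw dev | shared_monitor_phys`.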

Horst – Stations, APs and Packets…. Oh My!

HORST – Realtime Statistics

Beware: Beacons of unusual size

HORST – Spectrum Analyzer? Not Really

Scapy – Packet Manipulation

• Packet Sniffing

• Packet Generation

• Packet Analysis

• Python based

• Unlimited use cases

“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”

Scapy – 2 ways to use

Native Scapy

• Python like interpreter for Scapy

• Quick, easy and self contained

Scapy in a python script

• Import and go

• Full scapy functionality

Some popular Scapy scripts

• Airoscapy:

  • Passive AP Scanner

  • http://www.thesprawl.org/projects/airoscapy/

• Association Frame Randomizer

  • Mike Albano’s client capabilities

  • https://github.com/mike-albano/frame-randomizer

Kismet - As you wish…

• Great for packet capture, logging and mining of data

• Client server architecture (kismet drone)

• Works offline (saves logs for later)

Kismet

Spectools – Ubertooth and Wispy

• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware

• Runs on Linux

• Multiple remote viewing options

• Plugin to Kismet

Aircrack-NG not just for cracking wireless

• Suite of tools, not a single tool:

  • Airmon-ng – wireless promiscuous mode

  • Airgraph-ng – Creates AP to client relationships

  • Airdrop-ng – Deauthentication of targeted users

  • Aireplay-ng – Frame injection for multiple attacks

  • Airodump-ng – Packet capturing of raw frames

  • And more

http://www.aircrack-ng.org/

Wireshark and TCPDump

• CLI: TSHARK

• Automated rollover: DUMPCAP

• TCPdump has several options that make remote work easier.

#Set Channel First
iw dev <devname> set freq <freq> [HT20|HT40+|HT40-]

#Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on Mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test.pcap -i mon0
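An added example, not from the original slides: shell functions that turn a channel number into the `<freq>` and `[HT20|HT40+|HT40-]` arguments of the set-channel command above. The function names are assumptions, 2.4 GHz channels are left at HT20, and whether a channel may be used still depends on the regulatory domain.

```shell
#!/bin/sh
# Added example, not from the original slides. Function names are assumptions.

# Center frequency in MHz for a 2.4 GHz or 5 GHz channel number.
# Returns non-zero for anything that is not a channel in those bands.
chan_to_freq() {
  ch=$1
  case $ch in ''|*[!0-9]*) return 1 ;; esac
  if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then echo $((2407 + 5 * ch))
  elif [ "$ch" -eq 14 ]; then echo 2484
  elif [ "$ch" -ge 36 ] && [ "$ch" -le 177 ]; then echo $((5000 + 5 * ch))
  else return 1
  fi
}

# 40 MHz direction for a 5 GHz primary channel: HT40+ when the primary is the
# lower half of its 40 MHz pair, HT40- when it is the upper half.
# Channels outside the listed ranges fall back to HT20.
ht40_mode() {
  ch=$1
  if [ "$ch" -ge 36 ] && [ "$ch" -le 64 ]; then off=$(( (ch - 36) % 8 ))
  elif [ "$ch" -ge 100 ] && [ "$ch" -le 144 ]; then off=$(( (ch - 100) % 8 ))
  elif [ "$ch" -ge 149 ] && [ "$ch" -le 161 ]; then off=$(( (ch - 149) % 8 ))
  else echo HT20; return 0
  fi
  case $off in
    0) echo HT40+ ;;
    4) echo HT40- ;;
    *) echo HT20 ;;
  esac
}

# Print (do not run) the tuning command for device $1 on channel $2.
set_freq_cmd() {
  freq=$(chan_to_freq "$2") || { echo "unknown channel: $2" >&2; return 1; }
  echo "iw dev $1 set freq $freq $(ht40_mode "$2")"
}

# Channel 116 is where mon0 sits in the iw dev output shown earlier.
set_freq_cmd mon0 116
```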

http://booktrib.com/2014/12/the-princess-bride-what-the-cia-could-have-learned-about-torture-from-william-goldman/

Thank you

https://www.pinterest.com/hennesseandrews/the-princess-bride/