Exploring Open Source Wireless Tools
By Jake Snyder (The Dread Pirate Roberts)
@jsnyder81
Who am I?
• Wireless Engineer at CompuNet Inc
• CCIE-W #43153
• CWNE #161
• Security Enthusiast
• Linux hobbyist
• Wireless Field Day Delegate (http://techfieldday.com/event/wfd8/)
• Blogger
• Maker
What does a set of professional tools cost?
What I use at work:
Ekahau ESS: $4000
Omnipeek: $2500
Chanalyzer + WiSpy: $1250
Aircheck: $2000
*All prices are approximate
Professional tools in my first year.
• Airmagnet Survey pro
• Yup, that was it.
http://www.popsugar.com/entertainment/Princess-Bride-Quotes-35919789#photo-35919789
“I mean, if we only had a wheelbarrow, that would be something.” -Westley
Sometimes you have to build a wheelbarrow
• Linux VM
• Proxim 8494
• Airmon-NG
• Wireshark
“Well, why didn’t you list that among our assets in the first place” -Westley
All these tools… Why Open Source?
Pros:
• Low Cost
• Flexibility
• Lots of available tools
• Low barrier to entry
Cons:
• Free if your time is worth nothing
• Pieces of a solution, you have to put it together
• Requires knowledge
• Time = investment
“Please consider open source as an alternative to suicide.” – Prince Humperdinck
What are my hobbyist open source costs?
Options for today's presentation:
Intel NUC: $436
• NUC5CPYH: $134.00
• 8G Memory: $34
• SSD: $40
• Intel 7265: $28
• WiSpy 2.4GHz: $200
Raspberry PI: $223
• Raspberry PI 2B: $38
• ASUS USB-N53: $45
• Micro SD Card: $15
• Case: $5
• Ubertooth: $120
Existing Laptop: $8
• USB stick to boot linux
• The chocolate coating makes it go down easier
• VM is an option, albeit not a good one
My Preferred Wireless Adapters
• Asus USB-N53
• 802.11n
• 2x2:2
• USB 2.0
• Ralink RT3572 using RT2800 Driver
• Works on Raspberry PI
• $45 on Amazon
• Has issues with Deauth/Disassoc packets not being passed to host.
• Intel 726x
• 802.11ac
• 2x2:2
• Mini PCIe half height and m.2
• Intel IWLWIFI: Non-Free firmware required
• $27 on amazon
• Lots of clients using them
Currently exploring Compex WLE600VX QCA AR9982 (ATH10k)
Not all drivers are created equal
• Drivers need to support a variety of functionality
• STA Mode: Station Infrastructure (default)
• AP Mode: Access Point Infrastructure
• MON: Monitor Mode
• Frame Injection
• IBSS: Ad-Hoc Mode
• WDS: Wireless Distribution System Mode
• Mesh Mode
• Mac80211
• Preferred Driver Framework
• Built-in support for the majority of modes you need
• https://wikidevi.com/wiki/Wireless_adapters/Chipset_table
• https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
Ifconfig, iwconfig and iw
• IFCONFIG:
• Setting interface status, ip addressing, netmask, gateway broadcast etc.
• Deprecated
• IP:
• IP is the replacement for IFCONFIG.
• IWCONFIG:
• Like IFCONFIG except it’s for parameters specific to wireless
• Essid, frequency, mode, etc.
• IW
• IW is the replacement for IWCONFIG
• My name is IW. You killed my father. Prepare to die!
A look at IW
jsnyder@NUC-1:~$ iw dev
phy#0
Interface mon0
ifindex 4
wdev 0x2
addr 10:02:b5:59:80:7b
type monitor
channel 116 (5580 MHz), width: 80 MHz, center1: 5610 MHz
Interface wlp2s0
ifindex 3
wdev 0x1
addr 10:02:b5:59:80:7b
type managed
Wireless Scanning Tools
Horst, Scapy, Kismet
HORST - Highly Optimized Radio Scanning Tool
• Lightweight packet statistics
• Made for use with MAC80211 drivers supporting monitor mode
• Support Client/Server modes
• Graphical output
• Logs output to file
https://github.com/br101/horst
Getting Started
#Create Monitor Interface
sudo iw dev wlan0 interface add mon0 type monitor
#Delete wlan0 interface*
sudo iw dev wlan0 del
#Start Horst on mon0
sudo /opt/horst/horst -i mon0
*May not be necessary on all drivers
Horst – Stations, APs and Packets…. Oh My!
HORST – Realtime Statistics
Beware: Beacons of unusual size
HORST – Spectrum Analyzer? Not Really
Scapy – Packet Manipulation
• Packet Sniffing
• Packet Generation
• Packet Analysis
• Python based
• Unlimited use cases
“We’ll never survive!” “Nonsense. You’re only saying that because no one ever has.”
Scapy – 2 ways to use
Native Scapy
• Python like interpreter for Scapy
• Quick, easy and self contained
Scapy in a python script
• Import and go
• Full scapy functionality
Some popular Scapy scripts
• Airoscapy:
• Passive AP Scanner
• http://www.thesprawl.org/projects/airoscapy/
• Association Frame Randomizer
• Mike Albano’s client capabilities
• https://github.com/mike-albano/frame-randomizer
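As an added example (not code from the deck, Airoscapy or Scapy), a stdlib-only parser for the raw 802.11 beacon frames a passive AP scanner reads from a monitor interface: it pulls out BSSID, SSID, channel and security indicators, and rejects a beacon whose information-element lengths overrun the frame. The sample frames are constructed by build_beacon, not captured.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN = 0, 1, 3, 48
MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame ctrl, duration, addr1, addr2, addr3, seq ctrl
FIXED = struct.Struct("<QHH")           # timestamp, beacon interval (TU), capability info

@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]
    interval_tu: int
    privacy: bool          # capability "privacy" bit: some encryption in use
    rsn: bool              # RSN IE present (WPA2/WPA3)
    ies: Dict[int, List[bytes]]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_beacon(frame: bytes) -> Beacon:
    """Parse a raw 802.11 beacon (no radiotap header); ValueError on malformed input."""
    if len(frame) < MGMT_HDR.size + FIXED.size:
        raise ValueError("frame too short")
    fc, _dur, _da, _sa, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0x0C) != 0x00 or (fc & 0xF0) != 0x80:   # type mgmt (0), subtype beacon (8)
        raise ValueError("not a beacon frame")
    _ts, interval, cap = FIXED.unpack_from(frame, MGMT_HDR.size)
    off = MGMT_HDR.size + FIXED.size
    ies: Dict[int, List[bytes]] = {}
    while off + 2 <= len(frame):                     # walk tag/length/value elements
        tag, ln = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + ln]
        if len(body) != ln:
            raise ValueError("IE length overruns frame")  # truncated or oversized beacon
        ies.setdefault(tag, []).append(body)
        off += 2 + ln
    ssid_raw = ies.get(IE_SSID, [b""])[0]
    ssid = ssid_raw.decode("utf-8", "replace") if ssid_raw else "<hidden>"
    chan = ies[IE_DS_PARAM][0][0] if IE_DS_PARAM in ies else None
    return Beacon(mac(bssid), ssid, chan, interval, bool(cap & 0x0010), IE_RSN in ies, ies)

def build_beacon(bssid: bytes, ssid: bytes, channel: int, rsn: bool = True) -> bytes:
    """Constructed sample beacon for offline testing (not a real capture)."""
    hdr = MGMT_HDR.pack(0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = FIXED.pack(0, 100, 0x0411 if rsn else 0x0401)  # ESS + short slot, privacy if RSN
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])    # basic rates 1/2/5.5/11 Mbps
    ies += bytes([IE_DS_PARAM, 1, channel])
    if rsn:  # RSN IE: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
        body = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
        ies += bytes([IE_RSN, len(body)]) + body
    return hdr + fixed + ies
```

Feeding parse_beacon the payload of each sniffed management frame (after stripping the radiotap header) gives the same per-BSSID inventory Airoscapy builds, with malformed beacons surfaced as exceptions instead of silently skewing the statistics.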
Kismet - As you wish…
• Great for packet capture, logging and mining of data
• Client server architecture (kismet drone)
• Works offline (saves logs for later)
Kismet
Spectools – Ubertooth and Wispy
• Spectrum analyzer for Ubertooth and Metageek WiSpy hardware
• Runs on Linux
• Multiple remote viewing options
• Plugin to Kismet
Aircrack-NG not just for cracking wireless
• Suite of tools, not a single tool:
• Airmon-ng – wireless promiscuous mode
• Airgraph-ng – Creates AP to client relationships
• Airdrop-ng – Deauthentication of targeted users
• Aireplay-ng – Frame injection for multiple attacks
• Airodump-ng – Packet capturing of raw frames
• And more
http://www.aircrack-ng.org/
Wireshark and TCPDump
• CLI: TSHARK
• Automated rollover: DUMPCAP
• TCPdump has several options that make remote work easier.
#Set Channel First
iw dev <devname> set freq <freq> [HT20|HT40+|HT40-]
#Start packet capture with a duration of 3600 seconds and a file maximum of 64MB on mon0
sudo dumpcap -a duration:3600 -b filesize:65536 -w /home/jsnyder/test.pcap -i mon0
http://booktrib.com/2014/12/the-princess-bride-what-the-cia-could-have-learned-about-torture-from-william-goldman/
Thank you
https://www.pinterest.com/hennesseandrews/the-princess-bride/