Monday, 18 February 2019

RPI & WiFi probes



HARDWARE:
- RPI3 B+
- HDMI cable for connection to monitor during initial setup
- USB keyboard for initial setup
- USB mouse for initial setup
- 16GB MicroSD card and adapter for Kali image installation
- Wireless dongle

INSTALLATION & PREPARATION FOR A HEADLESS (NO KEYBOARD/NO MONITOR) SETUP
1. Download the Kali image for the Raspberry Pi
https://www.offensive-security.com/kali-linux-arm-images/
https://images.offensive-security.com/arm-images/kali-linux-2018.4-rpi3-nexmon.img.xz
Validate the hash of the downloaded image before flashing it.

2. Flash the Kali image onto the MicroSD card using a tool such as Etcher
https://www.balena.io/etcher/

3. Edit the default password
- Log in with the default root:toor username/password.
- In console enter 'passwd'
- Enter your new password and confirm by entering a second time.

4. Regenerate the SSH host keys
All ARM images are pre-configured with the same keys, so it is imperative to regenerate the SSH host keys.
update-rc.d -f ssh remove
update-rc.d -f ssh defaults
cd /etc/ssh/
mkdir insecure_old
mv ssh_host_* insecure_old
dpkg-reconfigure openssh-server
service ssh restart

5. Enable autologin, as the unit will run headless and will be plugged in and out a bit.
- Edit file (uncomment 2 lines) /etc/lightdm/lightdm.conf
autologin-user=root
autologin-user-timeout=0


- Edit file (comment out a line) /etc/pam.d/lightdm-autologin
#auth required pam_succeed_if.so user != root quiet_success


6. Reboot to test that everything works; the device should boot straight into the desktop.


!NB 
I did try updating/upgrading the system and it fubarred the system, requiring a full reinstall.
So for this project no other tools or upgrades were installed.


Now that the RPI is set up, all that remains is to plug in the WiFi dongle and put a few scripts on the RPI to assist in logging and viewing WiFi probes.

Before setting up the scripts, I first prepared a working directory;
mkdir /root/probemon

and then downloaded an oui.txt file to the RPI so that vendor information can be shown for the MAC addresses when available. You can download either the sanitized version or the original version; both work.
wget https://linuxnet.ca/ieee/oui.txt -O /root/probemon/oui.txt



The idea runs off 3 scripts; 
1) probemon.sh
The main script: it monitors for WiFi probes, moves the working file to a backup once it reaches a certain size, and logs restarts of the script.

#!/usr/bin/bash
DIR="/root/probemon/"                   # Directory for the working file and logs
PROBELOG=probemon.txt             # Working file logging WiFi probes
STARTLOG=monlog.txt                  # File logging script start times and backup creation
#
#
# Identify which interface is network connected and which is free for placing in monitor mode
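for i in $(/usr/sbin/ifconfig | grep wlan | sed 's/:.*$//g'); do
        INET=$(/usr/sbin/ifconfig "$i" | grep inet)
        # Take the first wlan interface without an IP address and stop looking
        if [ "$INET" == "" ] ; then IFACE=$i ; break ; fi
done
# Nothing to do without a free wireless interface
if [ -z "$IFACE" ] ; then echo "no free wlan interface" >> "$DIR$STARTLOG" ; exit 1 ; fi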
#
#
DATE=$(date +%F_%T)                             # Current date in human readable format
SIZE=$(stat -c %s "$DIR$PROBELOG" 2> /dev/null || echo 0) # Working file size (0 if it does not exist yet)
BKUP="$DATE"_"$PROBELOG"                # Dated backup filename
#
# Check size of working file, if over 2MB move to backup file.
if (($SIZE > 2000000)) ; then
        mv "$DIR$PROBELOG" "$DIR$BKUP"
        # Create entry of backup file created in log.
        echo "moved log $PROBELOG to $BKUP" >> "$DIR$STARTLOG"
fi
#
/usr/sbin/ifconfig $IFACE down
/usr/sbin/iwconfig $IFACE mode monitor
/usr/sbin/ifconfig $IFACE up
#
#
echo -ne "started with $IFACE -- " >> "$DIR$STARTLOG" && date +%F_%T >> "$DIR$STARTLOG"
#
tshark -i $IFACE -n -l -f "subtype probereq" -T fields -e frame.time_epoch -e wlan.sa -e radiotap.dbm_antsignal -e wlan.ssid -E quote=d 2> /dev/null >> "$DIR$PROBELOG"

2) moncheck.sh
A very basic script, which I saved to /etc/cron.hourly/ and which is called by a cron job every minute, to check whether probemon.sh is running and, if not, restart it.
#!/usr/bin/bash
#
RUNNING=$(ps -aux | grep probemon.sh | grep -v grep)
#
if [ "$RUNNING" == "" ] ; then
        /usr/bin/bash /root/scripts/probemon.sh
fi
Make sure the script is executable;
chmod 755 /etc/cron.hourly/moncheck.sh

and then make a crontab entry;
crontab -e
*/1 * * * * /etc/cron.hourly/moncheck.sh

3) liveparse.sh
A script that parses the information piped to it: it makes the date human readable, looks up vendor information, and can filter with a whitelist, a blacklist or no filter.
The whitelist and blacklist are text files containing one MAC address per line.
#!/bin/bash
#liveparse.sh                                            #Script to pipe info into.
HOMEDIR="/root/probemon/"               #specify home directory
OUI="$HOMEDIR"oui.txt
WHITE="$HOMEDIR"whitelist.txt
BLACK="$HOMEDIR"blacklist.txt
BLACKLIST=false
WHITELIST=false
SIMPLE=false
#
#
if [ ! -f "$HOMEDIR"oui.txt ] ; then
        OUI=$(locate oui.txt | head -n 1)       #Find a file with oui information
fi
#
f_blacklist() {
# read -r and quoted "$line": the SSID is untrusted input and must not be glob-expanded
while read -r line ; do
        MAC=$(echo "$line" | cut -d \" -f 4)
        # Skip lines without a MAC; an empty pattern would match every blacklist entry
        if [ -z "$MAC" ] ; then continue ; fi
        BLACKLISTED=$(grep -iF -- "$MAC" "$BLACK")
        if [ ! "$BLACKLISTED" == "" ] ; then
                MACB16=$(echo "$MAC" | sed 's/://g' | cut -c 1-6)
                MACOUI=$(grep -i "$MACB16" "$OUI" | sed -e 's/^.*(base 16)//' -e 's/[ \t]*//')
                if [[ "$MACOUI" == "" ]] ; then
                        MACOUI="No Info"
                fi
                DT=$(echo "$line" | awk '{print $1}' | sed 's/"//g')
                DATE=$(date -d @"$DT" +%F_%T)
                PWR=$(echo "$line" | cut -d \" -f 6)
                SSID=$(echo "$line" | cut -d \" -f 8)
                printf '%-22s %-20s %-8s %-15s %-10s\n' "$DATE" "$MAC" "$PWR" "$SSID" "$MACOUI"
        fi
done
}
#
f_whitelist() {
# read -r and quoted "$line": the SSID is untrusted input and must not be glob-expanded
while read -r line ; do
        MAC=$(echo "$line" | cut -d \" -f 4)
        # Skip lines without a MAC; an empty pattern would match every whitelist entry
        if [ -z "$MAC" ] ; then continue ; fi
        WHITELISTED=$(grep -iF -- "$MAC" "$WHITE")
        if [ "$WHITELISTED" == "" ] ; then
                MACB16=$(echo "$MAC" | sed 's/://g' | cut -c 1-6)
                MACOUI=$(grep -i "$MACB16" "$OUI" | sed -e 's/^.*(base 16)//' -e 's/[ \t]*//')
                if [[ "$MACOUI" == "" ]] ; then
                        MACOUI="No Info"
                fi
                PWR=$(echo "$line" | cut -d \" -f 6)
                SSID=$(echo "$line" | cut -d \" -f 8)
                DT=$(echo "$line" | awk '{print $1}' | sed 's/"//g')
                DATE=$(date -d @"$DT" +%F_%T)
                printf '%-22s %-20s %-8s %-15s %-10s\n' "$DATE" "$MAC" "$PWR" "$SSID" "$MACOUI"
        fi
done
}
#
f_simple() {
# read -r and quoted "$line": the SSID is untrusted input and must not be glob-expanded
while read -r line ; do
        DT=$(echo "$line" | awk '{print $1}' | sed 's/"//g')
        DATE=$(date -d @"$DT" +%F_%T)
        MAC=$(echo "$line" | cut -d \" -f 4)
        MACB16=$(echo "$MAC" | sed 's/://g' | cut -c 1-6)
        MACOUI=$(grep -i "$MACB16" "$OUI" | sed -e 's/^.*(base 16)//' -e 's/[ \t]*//')
        if [[ "$MACOUI" == "" ]] ; then
                MACOUI="No Info"
        fi
        PWR=$(echo "$line" | cut -d \" -f 6)
        SSID=$(echo "$line" | cut -d \" -f 8)
        printf '%-22s %-20s %-8s %-15s %-10s\n' "$DATE" "$MAC" "$PWR" "$SSID" "$MACOUI"
done
}
#
#                                               OPTION FUNCTIONS
########################################################################
while getopts ":bsw" opt; do
  case $opt in
        b) BLACKLIST=true ;;
        s) SIMPLE=true ;;
        w) WHITELIST=true ;;
  esac
done
#
if [ $# -eq 0 ] ; then
        f_simple
elif [ $SIMPLE == true ] ; then
        f_simple
elif [ $BLACKLIST == true ] ; then
        f_blacklist
elif [ $WHITELIST == true ] ; then
        f_whitelist
fi
#


Some one-liners as examples;

View the logfile as it is written, without a whitelist filter.
tail -f probemon/probemon.txt | bash scripts/liveparse.sh
with whitelist filter;
tail -f probemon/probemon.txt | bash scripts/liveparse.sh -w

Check when certain MAC addresses were in the vicinity;
grep -i "<MAC address>" logfile.txt | bash scripts/liveparse.sh

Concatenating all log files into one large file and then doing some grepping can reveal interesting information.

For instance, to see whether someone may have accidentally entered a password into the SSID field of a device, you could sort all the SSIDs and see whether any of them look like they may actually be a password;
cut -d \" -f 8 logfile.txt | sort -u

On finding a likely candidate, you can then grep the file for the MAC address and see what other SSIDs are associated with that MAC address.
Chances are the possible password will be for one of the SSIDs also being broadcasted.
Sites like wigle.net will even show you locations of SSIDs.

See which SSIDs are being broadcasted by which MAC addresses.
This will quickly show if a portable appliance is broadcasting multiple SSIDs.
Note that some portable appliances now broadcast random MAC addresses.
cut -d \" -f 4,8 --output-delimiter=$'\t' logfile.txt | sort -u
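
A sturdier version of the MAC/SSID listing above, as an added example that is not part of the original post. It reads the log format written by the tshark command in probemon.sh, splits on the TAB between fields so a quote inside an SSID cannot shift columns, and marks randomised (locally administered) source addresses. The function names probe_summary and sample_log and the sample log lines are constructed for illustration.

```shell
# Added example (not from the original post). Sample data below is constructed.
# usage: probe_summary /root/probemon/probemon.txt
# Output: MAC <TAB> random|global <TAB> number of distinct SSIDs probed for

probe_summary() {
    awk -F'\t' '
    # Strip the surrounding quotes that tshark -E quote=d adds to each field
    function unq(s) { sub(/^"/, "", s); sub(/"$/, "", s); return s }
    NF >= 4 {
        mac  = tolower(unq($2))
        ssid = unq($4)
        # Skip damaged lines instead of guessing at their columns
        if (length(mac) != 17 || mac ~ /[^0-9a-f:]/) next
        # The SSID is untrusted input: neutralise control bytes before display
        gsub(/[\001-\037\177]/, "?", ssid)
        if (ssid == "") next            # wildcard probe, no network name
        if (!seen[mac, ssid]++) count[mac]++
    }
    END {
        for (m in count) {
            # Second hex digit 2, 6, a or e: locally administered unicast
            # address, which is how randomised MACs are marked
            kind = (substr(m, 2, 1) ~ /[26ae]/) ? "random" : "global"
            printf "%s\t%s\t%d\n", m, kind, count[m]
        }
    }' "$1" | sort
}

# Constructed sample log in the probemon.txt format (epoch, MAC, dBm, SSID)
sample_log() {
    printf '"%s"\t"%s"\t"%s"\t"%s"\n' \
        1550475000.1 00:11:22:33:44:55 -61 HomeNet \
        1550475001.2 00:11:22:33:44:55 -60 CoffeeShop \
        1550475002.3 00:11:22:33:44:55 -62 HomeNet \
        1550475003.4 da:a1:19:00:00:01 -70 'Air"port' \
        1550475004.5 da:a1:19:00:00:02 -71 ''
}
```

A device reported as "global" with a high SSID count is disclosing its saved network list under its real hardware address, which is the setting worth correcting on your own equipment.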


Although this is all old as dirt, it's still interesting.
The accidental password entry was what really surprised me as it appears to be more common than I would have imagined.






 