The idea is fairly basic. It uses a Raspberry Pi connected to a USB WiFi Adapter capable of being put into monitor mode. The Pi 3B comes with on-board WiFi, but the chip on the Pi does not support monitor mode, so the adapter is required. Specifically, I used an Alfa AWUS036NHA long range USB Wifi Adapter, which utilizes an Atheros AR9271 chipset. There are probably better WiFi adapters I could have used, but I purchased this adapter years ago, specifically because it could be put into monitor mode, and the driver came preinstalled on Kali Linux. Conveniently enough, the driver is also included with Raspbian Lite, which is the OS I will be using. If we want to make this rig portable, we can't forget the 5V rechargeable Li-ion battery as well.
When I first conceived of this project, my intention was to use a Raspberry Pi Zero. I planned to use the Pi's UART to console into the Pi from a laptop, and then use a male micro USB OTG to female USB-A adapter to connect the WiFi adapter to the Pi. This would have worked well, and I still may build that in the future, but since the Pi uses 3.3V TTL for serial communication on its UART, I would need either a TTL to RS-232 converter (MAX232) or a TTL to USB converter, and I didn't have either lying around in my shop. I did order a couple of 3.3V TTL to USB converters, but even with Prime 2-day shipping, I didn't have the patience to wait for them to arrive, so I redesigned the project using a Pi model 3B. With the Pi 3B I can use the Ethernet port and a cross-over Ethernet cable to connect my laptop to the Pi, so no level shifter is required, and the WiFi adapter can plug directly into one of the 3B's female USB-A ports. Bottom line, I ended up using a more expensive Pi, but saved some money on adapters, so based on cost there is little difference between the designs.
Setting up the Raspberry Pi
There really isn't too much set-up to this project. I installed Raspbian Lite on an SD card, stuck it in the Pi, and did the basic Pi set-up (changed password, expanded the file system, enabled SSH, changed locale, timezone, and keyboard configuration, etc.). If you need any instruction on doing basic set-up for the Pi, see my first Raspberry Pi post here. The Pi will need an internet connection to do installation from the repository, and I'll be using the Ethernet port to connect to my laptop, so I set the Pi's built-in wifi to connect to my home network. Another way to do this would be to change the settings on the laptop to allow the Pi to share the laptop's internet connections, but I chose not to do that. As I mentioned before, to connect the laptop to the Pi I used a cross-over Ethernet cable, which simply swaps pins 1&2 with 3&6. These days, thanks to auto-MDIX, you can use any old Ethernet cable and get away with it, but I'm stuck in the past, so I made a short cross-over cable for this project.
At this point, you will either need to assign static IP addresses in the same subnet on both your laptop and your Pi, or simply allow them to assign themselves their own link-local addresses via DHCP.
If the Ethernet ports on both your Pi and your laptop are set to DHCP, when you connect them directly they will soon realize that there is no DHCP server to give them an address. Once they become aware of this, they will assign themselves IP addresses from the link-local address space of 169.254.0.0/16. You will then need to find the Pi's self-assigned address by using the command: ifconfig.
If you choose to use static IP addresses, be sure to choose an obscure subnet such as: 172.30.253.0/30 to avoid conflicting with any wifi network you might be auditing. Using this example, the /30 subnet (or 255.255.255.252) only has two assignable IP addresses, so we'll call the Pi ".2" and the laptop ".1".
To change the IP address on the Pi, find your Ethernet interface name with ifconfig, and edit /etc/dhcpcd.conf to add the following lines:
interface enx... # replace enx... with your interface name
static ip_address=172.30.253.2/30
To change the IP on my laptop running Kali Linux I went to Settings>Network>Wired>Add Profile... and created a new profile with the following settings:
Address: 172.30.253.1
Netmask: 255.255.255.252
Leave Gateway and DNS blank
To change the IP on my laptop running Windows 10 go to Control Panel>Network and Internet>Network Connections>Ethernet>Properties>IPv4 Properties and set the following:
IP Address: 172.30.253.1
Subnet mask: 255.255.255.252
Leave everything else blank
Up until this point we have needed a monitor and keyboard to do the initial configuration on the Pi, but now that we can remotely access the Pi using our laptop, we can do everything else via SSH. (Actually it is possible to do all the prior steps headlessly as well, but that is slightly more complicated, and a subject for another post.)
If you're using Linux you can SSH into the Pi using:
ssh -l pi 172.30.253.2
(obviously if you used a different IP address then use that instead)
And in Windows I like to use PuTTY for SSH. Since I will be using this connection again in the future, I made sure to save the session for future use.
So now we're logged onto the Pi, and the Pi has internet access via its wifi, so let's install aircrack-ng and tcpdump:
sudo apt-get update
sudo apt-get install aircrack-ng tcpdump -y
And that's it. The Pi is ready for its initial mission. Plug in the Wifi adapter, watch the lights flash, and run ifconfig to verify the Pi recognizes it. I'm sure that I will install additional functionality in the future, and scripts will be written to simplify tasks, but for now, we should be good. To test to make sure everything is working run:
sudo airmon-ng
note the Interface name of your Wifi adapter
sudo airmon-ng check
sudo airmon-ng check kill
sudo airmon-ng start wlx... # replace wlx... with your interface name noted above
If you are using a new version of Raspbian (Stretch or later) which uses predictable network interface names, after the command above you will receive a message that the name is too long, and it will be renamed using the old style, which in this case is wlan1 (or more specifically wlan1mon now that it's been put in monitor mode.) Quick note, I put the three commands above followed by another airmon-ng into a bash script so I can now put the adapter into monitor mode with one command.
So now that we've got a WiFi interface in monitor mode, what can we do with it? First let's see what Wifi networks are in range with:
sudo airodump-ng wlan1mon
This gives all sorts of useful information, such as channel, encryption, and BSSID, which can be used for a number of different useful tasks such as capturing encrypted handshakes or monitoring traffic on a specific network. Speaking of monitoring traffic, now that we're in monitor mode, we can also use tcpdump to literally pull wireless packets out of the air like so:
sudo tcpdump -i wlan1mon
This information can be fed back to the laptop, or to a desktop, to be analyzed by Wireshark or any script you can dream up. Any unencrypted traffic will be easy to decipher.
So that is as far as I'm going to take this post. I may make another post on using this device in more detail in the future, but for now there is plenty of information out there on using aircrack-ng and tcpdump. Since we have two WiFi interfaces on this device, one could even do a man-in-the-middle set-up if one was so inclined, but I would like to stress once again that I strongly advise against using this device for any illegal activity.
What do I plan on using this device for? Its intended purpose is wireless network auditing. I plan to write a Python script that analyzes the output of airodump-ng. For example, if the Coconut-Pi detected two networks of sufficient strength operating on the same wireless channel, it could note that on an audit so that the channels could be adjusted. I'll also admit that sometimes when you are sitting in a hotel room it can be entertaining to watch the wireless traffic just to see what people send through the air unencrypted. It will make you value a home VPN server even more.
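As an added example (not the author's script), here is one way that audit script could start. It parses the CSV file airodump-ng writes when run with -w <prefix> (the <prefix>-01.csv file), flags channels shared by two or more strong networks, and lists networks advertising no encryption. The sample CSV is constructed and the -70 dBm "strong enough to matter" threshold is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv: an access-point
# table, a blank line, then a station table. Real files use CRLF and start with a blank line.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-01-01 10:00:00, 2019-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -42,  120,    0,   0.  0.  0.  0,   8, HomeNet1,
AA:BB:CC:00:00:02, 2019-01-01 10:00:00, 2019-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -55,   98,    0,   0.  0.  0.  0,   8, HomeNet2,
AA:BB:CC:00:00:03, 2019-01-01 10:00:00, 2019-01-01 10:05:00,  6,  54, OPN ,     ,    , -85,   10,    0,   0.  0.  0.  0,   7, FarAway,
AA:BB:CC:00:00:04, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,  200,    0,   0.  0.  0.  0,   9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def parse_access_points(csv_text):
    """Return the access-point table as a list of dicts with typed channel and power."""
    text = csv_text.replace("\r\n", "\n").strip()
    ap_table = text.split("\n\n", 1)[0]          # everything before the station table
    reader = csv.DictReader(io.StringIO(ap_table), skipinitialspace=True)
    aps = []
    for row in reader:
        row = {k.strip(): (v or "").strip() for k, v in row.items() if k}
        aps.append({"bssid": row["BSSID"], "essid": row["ESSID"],
                    "channel": int(row["channel"]), "privacy": row["Privacy"],
                    "power": int(row["Power"])})
    return aps

def channel_contention(aps, min_power_dbm=-70):
    """Map channel -> ESSIDs for channels where two or more networks are at or above
    the (assumed) dBm threshold. airodump-ng reports -1 when power is unknown."""
    by_channel = defaultdict(list)
    for ap in aps:
        if ap["power"] != -1 and ap["power"] >= min_power_dbm:
            by_channel[ap["channel"]].append(ap["essid"])
    return {ch: sorted(n) for ch, n in by_channel.items() if len(n) >= 2}

def open_networks(aps):
    """ESSIDs whose Privacy column is OPN: anything sent on them is readable in the air."""
    return sorted(ap["essid"] for ap in aps if ap["privacy"] == "OPN")

def audit_findings(csv_text):
    """One line per finding, ready to paste into an audit note."""
    aps = parse_access_points(csv_text)
    found = [f"channel {ch} shared by {len(n)} strong networks: {', '.join(n)}"
             for ch, n in sorted(channel_contention(aps).items())]
    found += [f"open network: {e}" for e in open_networks(aps)]
    return found
```

Run it against a real capture with audit_findings(open("coconut-01.csv").read()); the threshold can be lowered to also flag weaker neighbours.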
One last thing I'd like to mention is that if one were to use this device to capture a WPA2 handshake with the intention of trying to crack it, whatever you do, don't use the Raspberry Pi for hashing. I imagine you might be able to do it faster with pen and paper. I joke, but seriously, use a different machine for hashing, unless you are cracking something for future generations to see long after you're deceased.
I have created the same thing. Please take a look at: https://github.com/vs4vijay/SwissArmyPi
Nice, you really did put everything on there. Have you tried Metasploit on the Pi? How does it run?
Very informative and useful historical post. I see you have a lot of other cool stuff available at your website, simply bookmarking it to check in spare time. Thanks and keep the good work up.