Friday, September 7, 2018

Using the Raspberry Pi to Pen Test Wireless Networks or The Coconut-Pi

Inspired by Hak5's wireless pen testing device, the Pineapple, I decided to pair a Raspberry Pi with a USB WiFi adapter to create a small, portable device for monitoring wireless traffic, analyzing wireless access points, or penetrating wireless networks.  Because the Pineapple was my inspiration, and I used a Pi as the basis, I've decided to whimsically call this device the Coconut-Pi.  Because of the potential for one to use this device for evil, I will place the standard disclaimer here:  I am not advocating the use of this device for anything illegal.  Do not attempt to gain access to any network that you have not been given permission to access.  Do not use this device to spoof any network with the intention of tricking people into logging onto your device.  Despite the fact that I find these disclaimers pointless and ineffective, seriously, prison does not seem like a good place to end up, so please use the following information responsibly.

The idea is fairly basic.  It uses a Raspberry Pi connected to a USB WiFi adapter capable of being put into monitor mode.  The Pi 3B comes with on-board WiFi, but its chip does not support monitor mode with the stock driver and firmware, so the adapter is required.  Specifically, I used an Alfa AWUS036NHA long-range USB WiFi adapter, which uses an Atheros AR9271 chipset and the ath9k_htc driver.  There are probably better WiFi adapters I could have used, but I purchased this adapter years ago, specifically because it could be put into monitor mode, and the driver came preinstalled on Kali Linux.  Conveniently enough, the driver is also included with Raspbian Lite, which is the OS I will be using.  If we want to make this rig portable, we can't forget a rechargeable 5V Li-ion battery pack (a USB power bank) either.  Pick one that can feed the Pi and the adapter together: the Alfa draws noticeably more current than a typical USB dongle, and an undersized supply shows up as the Pi's under-voltage warning and a flaky adapter.

One could ask the question: if this is supposed to be a pen testing rig, why use Raspbian Lite instead of Kali Linux, since Kali has also been ported to the Raspberry Pi?  The answer is simply that, in my opinion, Kali does not run well on the Pi.  It's been a year or two since I tried it, so I can't remember exactly where it fell short, and there may have been improvements since then, but I prefer to stick to Raspbian on the Pi whenever practical.  We will mainly be using Aircrack-ng and tcpdump, both of which are in the Raspbian repositories, and since both Kali and Raspbian are Debian-based, anything else I end up needing down the road can also be installed on Raspbian.

When I first conceived of this project, my intention was to use a Raspberry Pi Zero.  I planned to use the Pi's UART to console into the Pi from a laptop, and then use a male micro-USB OTG to female USB-A adapter to connect the WiFi adapter to the Pi.  This would have worked well, and I still may build that in the future, but since the Pi uses 3.3V TTL levels for serial communication on its UART, I would need either a TTL to RS-232 converter (a MAX232 or similar) or a TTL to USB converter, and I didn't have either lying around in my shop.  I did order a couple of 3.3V TTL to USB converters, but even with Prime 2-day shipping, I didn't have the patience to wait for them to arrive, so I redesigned the project around a Pi model 3B.  With the Pi 3B I can use the Ethernet port and a cross-over Ethernet cable to connect my laptop to the Pi, so no level shifter is required, and the WiFi adapter can plug directly into one of the 3B's USB-A ports.  Bottom line, I ended up using a more expensive Pi but saved some money on adapters, so on cost there is little difference between the designs.

Setting up the Raspberry Pi


There really isn't too much set-up to this project.  I installed Raspbian Lite on an SD card, stuck it in the Pi, and did the basic Pi set-up (changed the password, expanded the file system, enabled SSH, set the locale, timezone and keyboard configuration, etc.).  If you need any instruction on doing basic set-up for the Pi, see my first Raspberry Pi post here.  The Pi will need an internet connection to install from the repository, and since I'll be using the Ethernet port to connect to my laptop, I set the Pi's built-in WiFi to connect to my home network.  Another way to do this would be to change the settings on the laptop to share its internet connection with the Pi, but I chose not to do that.  As I mentioned before, to connect the laptop to the Pi I used a cross-over Ethernet cable, which simply swaps the pair on pins 1 and 2 with the pair on pins 3 and 6.  These days, thanks to auto-MDIX, you can use any old Ethernet cable and get away with it, but I'm stuck in the past, so I made a short cross-over cable for this project.

At this point the laptop and the Pi need to agree on addresses.  You will either need to assign static IP addresses in the same subnet on both, or simply let them fall back to self-assigned link-local addresses.

If the Ethernet ports on both your Pi and your laptop are set to DHCP, then when you connect them directly they will wait for a DHCP server, and when none answers each will assign itself an address from the link-local range 169.254.0.0/16 (IPv4 link-local, what Windows calls APIPA; this is a fallback the host picks for itself, not something DHCP hands out).  You will then need to find the Pi's self-assigned address from the console with ifconfig (or ip addr); if your laptop resolves mDNS names, the Pi's default hostname raspberrypi.local will usually get you there as well.  Because a link-local address is picked at random and can change, static addressing is the more repeatable choice.

If you choose to use static IP addresses, be sure to choose an obscure subnet such as: 172.30.253.0/30 to avoid conflicting with any wifi network you might be auditing.  Using this example, the /30 subnet (or 255.255.255.252) only has two assignable IP addresses, so we'll call the Pi ".2" and the laptop ".1".

To change the IP address on the Pi, find your Ethernet interface name with ifconfig, and edit /etc/dhcpcd.conf to add the following lines (then reboot, or restart the dhcpcd service, so the change takes effect):

# replace enx... with your interface name
interface enx...
static ip_address=172.30.253.2/30


To change the IP on my laptop running Kali Linux I went to Settings>Network>Wired>Add Profile... and created a new profile with the following settings:

Address: 172.30.253.1
Netmask: 255.255.255.252
Leave Gateway and DNS blank

To change the IP on my laptop running Windows 10 go to Control Panel>Network and Internet>Network Connections>Ethernet>Properties>IPv4 Properties and set the following:

IP Address: 172.30.253.1
Subnet mask: 255.255.255.252
Leave everything else blank

Up until this point we have needed a monitor and keyboard to do the initial configuration on the Pi, but now that we can remotely access the Pi using our laptop, we can do everything else via SSH. (Actually it is possible to do all the prior steps headlessly as well, but that is slightly more complicated, and a subject for another post.)

If you're using Linux you can SSH into the Pi using:

ssh -l pi 172.30.253.2
(obviously if you used a different IP address then use that instead)

And in Windows I like to use PuTTY for SSH.  Since I will be using this connection again in the future I made sure to save the Session for future use.

So now we're logged onto the Pi, and the Pi has internet access via its wifi, so let's install aircrack-ng and tcpdump:

sudo apt-get update
sudo apt-get install aircrack-ng tcpdump -y

And that's it.  The Pi is ready for its initial mission.  Plug in the WiFi adapter, watch the lights flash, and run ifconfig to verify the Pi recognizes it; if it doesn't show up, lsusb will tell you whether the Pi sees the USB device at all, and dmesg whether the ath9k_htc driver found it and loaded its firmware.  I'm sure that I will install additional functionality in the future, and scripts will be written to simplify tasks, but for now, we should be good.  To test to make sure everything is working run:

sudo airmon-ng

note the Interface name of your Wifi adapter

sudo airmon-ng check
sudo airmon-ng check kill
sudo airmon-ng start wlx...  # replace wlx... with your interface name noted above

A word of caution about check kill: it stops wpa_supplicant (and whatever else airmon-ng deems interfering, such as NetworkManager or dhcpcd), which takes down the Pi's built-in WiFi uplink.  Finish any apt installs before running it, and keep the console handy the first time in case your SSH session goes with it.

If you are using a new version of Raspbian (Stretch or later), which uses predictable network interface names, airmon-ng will complain that the name is too long.  Linux limits interface names to 15 characters, and wlx followed by a 12-digit MAC address already uses all 15, leaving no room for the mon suffix.  It therefore renames the adapter in the old style, wlan1 in my case (wlan0 being the on-board chip), and the monitor interface becomes wlan1mon.  Quick note, I put the three commands above followed by another airmon-ng into a bash script so I can now put the adapter into monitor mode with one command.
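As an added example (my script, not the author's), here is the one-command version of the procedure above, with the checks I would want before trusting the result. It finds the adapter by driver name in sysfs rather than by interface name, works out what airmon-ng is going to call the monitor interface (the IFNAMSIZ fallback to the lowest free wlanN is an approximation of airmon-ng's own renaming, and matches the wlan1 the post observed), runs the same check kill and start steps, and then confirms with iw that the resulting interface really is in monitor mode. It assumes aircrack-ng and iw are installed and that the adapter binds to ath9k_htc; the COCONUT_DRIVER variable is my addition for other chipsets.

```shell
#!/bin/sh
# coconut-mon.sh: put the USB adapter into monitor mode and verify it.
# Added example for this post, not the author's script. Assumes airmon-ng
# (aircrack-ng) and iw are installed and the adapter uses the ath9k_htc
# driver, as the AR9271-based Alfa AWUS036NHA does.
set -eu

IFNAMSIZ_MAX=15                          # Linux caps interface names at 15 chars
DRIVER="${COCONUT_DRIVER:-ath9k_htc}"    # assumed driver name of the adapter

# Print the first network interface bound to $DRIVER, found via sysfs.
find_adapter() {
    for path in /sys/class/net/*/device/driver; do
        [ -e "$path" ] || continue
        case "$(readlink "$path")" in
            */"$DRIVER") basename "$(dirname "$(dirname "$path")")"; return 0 ;;
        esac
    done
    return 1
}

# Name airmon-ng will give the monitor interface: IFACE + "mon" if that fits
# within IFNAMSIZ, otherwise (approximating what airmon-ng does for long
# predictable names such as wlx001122334455) the lowest free wlanN plus "mon".
# $2 is a whitespace-separated list of interface names already present.
mon_name_for() {
    iface=$1; existing=$2
    if [ $(( ${#iface} + 3 )) -le "$IFNAMSIZ_MAX" ]; then
        echo "${iface}mon"; return 0
    fi
    n=0
    while :; do
        taken=0
        for e in $existing; do
            [ "$e" = "wlan$n" ] && taken=1
        done
        [ "$taken" -eq 0 ] && { echo "wlan${n}mon"; return 0; }
        n=$((n + 1))
    done
}

# Flip $1 into monitor mode (optionally locked to channel $2) and print the
# monitor interface name once iw confirms it is really in monitor mode.
start_monitor() {
    iface=$1; channel=${2:-}
    expect=$(mon_name_for "$iface" "$(ls /sys/class/net)")
    # check kill stops wpa_supplicant and friends: the Pi's own WiFi uplink
    # drops here, so do apt installs before reaching this point.
    airmon-ng check kill
    airmon-ng start "$iface" $channel
    if iw dev "$expect" info 2>/dev/null | grep -q 'type monitor'; then
        echo "$expect"
    else
        echo "expected $expect in monitor mode; run 'iw dev' to see what airmon-ng created" >&2
        return 1
    fi
}

# Usage: sudo ./coconut-mon.sh auto [channel]   or   sudo ./coconut-mon.sh wlx... [channel]
if [ $# -gt 0 ]; then
    case "$1" in
        auto) iface=$(find_adapter) || { echo "no interface bound to $DRIVER" >&2; exit 1; } ;;
        *)    iface=$1 ;;
    esac
    start_monitor "$iface" "${2:-}"
fi
```

Verifying with iw rather than trusting airmon-ng's message matters because a failed rename, or a second adapter, can leave you with a differently named interface than the one you are about to hand to airodump-ng or tcpdump.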

So now that we've got a WiFi interface in monitor mode, what can we do with it?  First let's see what Wifi networks are in range with:

sudo airodump-ng wlan1mon

This gives all sorts of useful information, such as channel, encryption, signal strength and BSSID, which can be used for a number of different tasks such as capturing WPA handshakes or monitoring traffic on a specific network.  Speaking of monitoring traffic, now that we're in monitor mode, we can also use tcpdump to literally pull wireless packets out of the air like so:

sudo tcpdump -i wlan1mon

This information can be written to a pcap file with tcpdump's -w option and fed back to the laptop, or to a desktop, to be analyzed by Wireshark or any script you can dream up.  Any unencrypted traffic will be easy to decipher.  Bear in mind what unencrypted means here: on a WPA2 network the management frames (beacons, probe requests, association and the handshake) are in the clear, but the data frames carry encrypted payloads; it is open networks, and whatever people send over them in plaintext, that are readable as-is.

So that is as far as I'm going to take this post.  I may make another post on using this device in more detail in the future, but for now there is plenty of information out there on using aircrack-ng and tcpdump.  Since we have two WiFi interfaces on this device, one could even do a man-in-the-middle set-up if one was so inclined, but I would like to stress once again that I strongly advise against using this device for any illegal activity.

What do I plan on using this device for?  Its intended purpose is wireless network auditing.  I plan to write a Python script that analyzes the output of airodump-ng.  For example, if the Coconut-Pi detected two networks of sufficient strength operating on the same wireless channel, it could note that on an audit so that the channel could be adjusted.  I'll also admit that sometimes when you are sitting in a hotel room it can be entertaining to watch the wireless traffic just to see what people send through the air unencrypted.  It will make you value a home VPN server even more.
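As an added example (mine, not the author's planned script), here is a first cut of the audit check described above, written against the CSV that airodump-ng writes when run as airodump-ng -w coconut --output-format csv wlan1mon. It parses the access-point table of that file (the rows between the BSSID header and the Station MAC header), drops APs weaker than a chosen dBm threshold, and reports every pair of strong APs whose channels collide. It goes slightly beyond the same-channel case in the text: on 2.4 GHz, channels fewer than five numbers apart overlap, so an AP parked on channel 8 is flagged against neighbours on 6 and 11 as well. The CSV below is constructed for the example, and the -70 dBm threshold and the ESSID names are my assumptions.

```python
"""Flag channel contention between access points in an airodump-ng CSV dump."""
import csv
import sys

# Constructed sample in the layout airodump-ng writes with
#   airodump-ng -w coconut --output-format csv wlan1mon   (-> coconut-01.csv)
# The access-point table comes first, then a blank line, then the station table.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2018-09-07 20:01:00, 2018-09-07 20:09:00,  6,  54, WPA2, CCMP, PSK, -41,  210,  0,   0.  0.  0.  0,   9, CoconutAP,
AA:BB:CC:00:00:02, 2018-09-07 20:01:05, 2018-09-07 20:09:00,  6,  54, WPA2, CCMP, PSK, -58,  180,  0,   0.  0.  0.  0,  11, Neighbor-2G,
AA:BB:CC:00:00:03, 2018-09-07 20:01:10, 2018-09-07 20:09:00,  6,  54, OPN ,  ,  , -86,   20,  0,   0.  0.  0.  0,   7, FarAway,
AA:BB:CC:00:00:04, 2018-09-07 20:01:15, 2018-09-07 20:09:00,  8,  54, WPA2, CCMP, PSK, -55,  150,  0,   0.  0.  0.  0,   5, Cafe1,
AA:BB:CC:00:00:05, 2018-09-07 20:01:20, 2018-09-07 20:09:00, 11,  54, WPA2, CCMP, PSK, -50,  160,  0,   0.  0.  0.  0,   8, Quiet-11,
AA:BB:CC:00:00:06, 2018-09-07 20:01:25, 2018-09-07 20:09:00, 36, 866, WPA2, CCMP, PSK, -47,  200,  0,   0.  0.  0.  0,   8, Five-GHz,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2018-09-07 20:02:00, 2018-09-07 20:08:00, -60,   40, AA:BB:CC:00:00:01,
"""


def parse_access_points(text):
    """Return the AP rows of an airodump-ng CSV as dicts with typed fields.

    Only the first table is read: from the line starting with 'BSSID' up to
    the 'Station MAC' header. Rows whose channel or power is -1 (airodump-ng's
    'not seen yet' marker) are skipped.
    """
    table = []
    for line in text.splitlines():
        if not table and not line.startswith("BSSID"):
            continue
        if line.startswith("Station MAC"):
            break
        if line.strip():
            table.append(line)
    if not table:
        return []
    reader = csv.reader(table, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):
            continue
        rec = dict(zip(header, (f.strip() for f in row)))
        try:
            channel = int(rec["channel"])
            power = int(rec["Power"])
        except ValueError:
            continue
        if channel < 1 or power == -1:
            continue
        aps.append({"bssid": rec["BSSID"], "essid": rec["ESSID"],
                    "channel": channel, "power": power,
                    "privacy": rec["Privacy"]})
    return aps


def channels_overlap(a, b):
    """True when two 20 MHz channels share spectrum.

    2.4 GHz channels are 5 MHz apart and roughly 20 MHz wide, so anything
    closer than five channel numbers overlaps (1, 6 and 11 do not). 5 GHz
    channel numbers step by four per 20 MHz, so only an identical channel collides.
    """
    if a <= 14 and b <= 14:
        return abs(a - b) < 5
    return a == b


def find_contention(aps, min_power_dbm=-70):
    """Pairs of sufficiently strong APs whose channels collide.

    APs weaker than min_power_dbm are treated as too distant to matter.
    Returns (essid_a, essid_b, channel_a, channel_b) tuples ordered by channel.
    """
    strong = sorted((ap for ap in aps if ap["power"] >= min_power_dbm),
                    key=lambda ap: (ap["channel"], ap["bssid"]))
    issues = []
    for i, a in enumerate(strong):
        for b in strong[i + 1:]:
            if channels_overlap(a["channel"], b["channel"]):
                issues.append((a["essid"], b["essid"], a["channel"], b["channel"]))
    return issues


def audit_report(text, min_power_dbm=-70):
    """Human-readable audit lines, one per colliding pair."""
    lines = []
    for a, b, ch_a, ch_b in find_contention(parse_access_points(text), min_power_dbm):
        kind = "same channel" if ch_a == ch_b else "overlapping channels"
        lines.append(f"{kind}: {a!r} (ch {ch_a}) and {b!r} (ch {ch_b})")
    return lines


if __name__ == "__main__":
    # Usage: python3 coconut_audit.py coconut-01.csv   (no argument: built-in sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    print("\n".join(audit_report(source)) or "no channel contention found")
```

On the sample, the weak FarAway network is ignored, the two APs sharing channel 6 are reported as a same-channel collision, and Cafe1 on channel 8 is reported against both its neighbours. Power values are what the adapter saw from where the Coconut-Pi was sitting, so the threshold is a judgement about what counts as a real neighbour, not a property of the networks.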

One last thing I'd like to mention: if one were to use this device to capture a WPA2 handshake with the intention of trying to crack it, whatever you do, don't use the Raspberry Pi for the cracking.  I imagine you might be able to do it faster with pen and paper.  I joke, but seriously, use a different machine for the hashing, unless you are cracking something for future generations to see long after you're deceased.

3 comments:

  1. I have created the same thing, please take a look at: https://github.com/vs4vijay/SwissArmyPi

    1. Nice, you really did put everything on there. Have you tried Metasploit on the Pi? How does it run?

  2. Very informative and useful historical post. I see you have a lot of other cool stuff available at your website, simply bookmarking it to check in spare time. Thanks and keep the good work up.

    Generator Monitoring
