Tuesday, April 9, 2013

Wifi Autoscaning w/ Raspberry Pi and Kali Linux

I love Raspberry Pis. I currently have 2 Model B rev 2s, an original Model B rev 1, and now a Model A. One of the project's that I'm really looking forward to doing is working with the Model A as a battery powered device for wireless penetration testing, and as a mobile tool for reconnaissance. With it's credit-card size and low power requirements, the Raspberry Pi Model A is perfectly suited for the job.

Here's the main components for my layout (you should be able to purchase the major components for less than $120):

  1. A Raspberry Pi Model A complete with Pibow ModelA Case. You can order the set here.
  2. An Alfa Network 802.11b/g/n Long Range Wireless USB Adapter
  3. 2.4GHz 20DBi High Gain WIFI Directional YAGI Antenna
  4. 12000mah External USB Battery Pack
  5. 8GB SD Flash Card recommended, minimum 4GB
  6. You will also need the necessary USB cables, keyboard, and a display for the initial setup. Since these are not part of the final rig, and are custom requirements depending on your lab, I'll assume you can handle them yourself.
Note: The antenna and wireless card are a little over-powered for this setup, but I wanted to see what the rig would do given the most power hungry components I had. Using a mini-usb wireless adapter would be much better if you don't need the long range. In my test runs of this setup I ran the system for 12 hours to see how the battery would hold up, battery showed one bar and was good for another few hours.

Your first step is to install the default Kali Linux Raspberry Pi image to your SD Card. The instructions are available on the Kali Linux Documentation site.

After you have the SD Card loaded with the image, fire up your favorite terminal and run "fdisk" on the device. Create a new partition out of the remaining space on the card. Once that is done, run "mke2fs -t ext4" on the new partition to format it. Now we could have been fancy and grown the Kali Linux partition to use the full device, but I prefer to have a separate partition. This prevents the packet capture files from filling the entire card and possibly causing problems for the Kali Linux installation. Since we are basically running a headless capturing system, we won't know how much data it will sniff off the air until we get it back to our lab.

Now we will need a script to automatically start airmon-ng and airodump-ng on boot. I've written a quick bash script for this, with an easy config file to tailor it for each engagement. Feel free to use these and tailor them to your needs, they have worked for me so far.

/root/autoscan
  • #!/bin/bash
  • #
  • # autoscan - simple auto scanner for kali linux on raspberry pi
  •  
  • source /root/.autoscan.cfg
  •  
  • airmon-ng start ${AIRMON_DEV}
  •  
  • while [ ! -e "/tmp/.autoscan.stop" ]; do
    • airodump-ng -w ${STORAGE} ${AIRODUMP_OPTS} ${AIRMON_MON} > /dev/null 2>&1 &
    • PID=$!
    • sleep ${RUN_TIME}
    • kill ${PID}
    • FS="$(df `dirname ${STORAGE}` | tail -n1 | awk '{print $4}')"
    • test ${FS} -lt ${SAFETY_NET} && touch "/tmp/.autoscan.stop"
  • done
  •  
  • airmon-ng stop ${AIRMON_MON}

The script is pretty basic. We start out importing the config file and starting the wireless card in monitor mode. Then we enter a loop to capture our packets. The script will sleep for a period of time before killing the airodump-ng process. Then before starting the next iteration, the script will verify that there is a safe amount of space on the storage partition. If the partition gets too full, it will trigger the script to end.

Next up is the configuration file.

/root/.autoscan.cfg
  • #!/bin/bash
  • # autoscan config file
  •  
  • # This is your wireless device, probably wlan0 unless you have a
  • # more advanced setup
  • export AIRMON_DEV="wlan0"
  • export AIRMON_MON="mon0"
  •  
  • # Pass these extra parameters to airodump-ng
  • # (see "man airodump-ng" for info)
  • export AIRODUMP_OPTS="-c 6"
  •  
  • # Where to store the packet files, this is the full path plus
  • # the prefix
  • export STORAGE="/root/store/auto"
  •  
  • # Split packet capturing into multiple files.
  • # Every scan will record for this number of seconds before
  • # starting a new scan.
  • export RUN_TIME="900s"
  •  
  • # Do not allow scanning to consume the entire disk.
  • # Do not start another scan if there is less than SAFETY_NET
  • # space left (in k).
  • export SAFETY_NET=100000

A couple notes on the configuration. Make sure you change the "AIRODUMP_OPTS" variable to suit your needs. You may want to add some "-o" output formats if space is an issue.

All that's left is to mount the extra storage, and start the script on boot. For ease of use I'm going to just put both into "/etc/rc.local". I've mounted the storage partition that we created earlier to "/root/store", if you place it somewhere else on the system make sure you update the /root/.autoscan.cfg to point to the correct location.

/etc/rc.local
  • #!/bin/sh -e
  • #
  • # rc.local
  •  
  • mount /dev/mmcblk0p3 /root/store
  • /root/autoscan > /dev/null 2>&1 &
  • exit 0

Now that the SD Card is prepared, it's time to fire up the Raspberry Pi. Once the system is up, log in as "root" with the default password of "toor". Don't forget to change it! Then verify that the script is running and working.

One thing I've noticed in testing, the wlan0 interface didn't always come up, and the airmon-ng command would fail. Fortunately the wireless card activity light gives me a clue to this happening, so it's not a big deal. Restarting the Raspberry Pi fixes it.

13 comments:

  1. Nice work!

    i am actually thinking about simillar stuff, maybe an army of wifi drones, scanning different locations and connect via reverse shell to c&c server once a AP is cracked ;-)
    unfortunatly raspberrys are to expensive for an "just for fun" army, so i am thinking of arduinos or beagle boards to forward sniffed traffic to one base station via Zigbee, which will then launch attacks against WEP...

    i love this thought, but to be honest, i will never make it come true ;-)

    ReplyDelete
  2. Great.

    Im struggling to install wifi on my Kali.

    this is the one i have http://www.flipkart.com/edup-ep-n8531-usb-adapter/p/itmdhxb4xujzjsfz?pid=USBDHXB3FHEMNHE7

    Can u Help me ??

    ReplyDelete
    Replies
    1. I don't have any experience with that card. I've been working on wireless since 802.11b was released, and I remember how difficult it was to get wireless pcmcia cards working. I now don't buy any card that is not confirmed to work by either the application, or the distribution I'm using.

      It looks like that card is a ralink rt5370. Not sure aircrack has support for that or not. If I were you, I'd check Aircrack-ng's compatibility list before purchasing a card. I've had very good experience with Atheros based cards.

      If you want to get this card working, I found this site that might help:
      Thomas Rieder's Blog : Monitor Mode RT5370

      Delete
  3. Nice rig man. Glad I found your post. I've this same idea floating around in my head for a while. Just waiting on my yagi :/

    My mobile p0wning project:

    Raspi w/pwnpi
    8 dbi yagi for range
    Alfa awus036h (poss. 2 to bridge repeat signals)
    3 axis gimbal with servos for yagi mount
    RC rover mobile platform and all required peripherals
    Possibly wrt54g board w/ ddwrt instead of 2nd alfa...depends on power
    A few 10000 + mAh batteries
    Usb hub, maybe 3g dongle for control @ crazy ranges

    Pipe the .cap through ssh to my gpu setup and crack w/ oclhashcat or pyrit

    My neighbors are going to hate me :)


    ReplyDelete
    Replies
    1. I've often thought of going to a pawn shop and picking up a cheap RC vehicle, and seeing if I can tie one of the controls into the GPIO and use that to start/stop the scanner. Maybe something with a headlight or horn button.

      Good luck on your project.

      Delete
  4. Hi, i've installed kali linux on my raspberry PI but my Alfa AWUS036NHR isn't know by kali :( could you tell me how to install it ? thx in advance for your help

    ReplyDelete
    Replies
    1. Looks like the HNR version isn't supported out of the box. Alfa has instructions here: http://www.alfa.com.tw/press_c_show.php?sn=5

      Hope that helps

      Delete
  5. Hi, have you experienced problems with powering the USB WiFi adapter because of the 100mA limit per USB port on the RPi? And if not, could you supply the exact model of the WiFi adapter.

    ReplyDelete
    Replies
    1. I haven't had any issues with them. Though I've only used wireless on the Model A. I use wired for all the Model Bs. The Model B requires 2-3 times the power to operate due to the built in NIC, not sure if that affects anything though.

      I've used two cards with the RPi. The Alfa adapter in the picture, model number AWUS036NH. The other is a generic "Black Knight 802.11b/g/n Ultra High Power USB Adapter" which uses the rt2800usb driver, sorry there's no model number on that one. On the other end my usual AP is a built up Alix.2D13 kit from www.netgate.com running pfSense. It's got a better card than most market APs, and dual 9db antennas, so the cards might not be needing much power for broadcasting to the AP. You might want to check your AP as well.

      If all you're doing is scanning or capturing though, power shouldn't be an issue as you're receiving only.

      I have had power problems with other USB devices, but I fixed those by swapping out the under-powered USB charger I was running on. Since I've switched to only power sources that rate for 1A (1000mA) or higher, I haven't had any issues.

      Delete
  6. What is the yagi antenna mounted on? I see it is a tripod of sorts but i cannot find something like it.

    ReplyDelete
    Replies
    1. It's mounted to a 5.25" to 3.5" bay bracket and then that is mounted to a Vktech Portable Folding Tripod. It's nice and portable, but a bit tipsy. I'd recommend getting a bit bigger tripod for some more stability.

      Delete
    2. So no drilling required as i saw some pole drilled into it. Also what's the exact brand/model of the antenna since I cant find something like it easily.

      Delete
    3. It's just a cheap antenna, made in china, so I can't read most of the info on it. Just google for "wifi 24dbi yagi antenna" you should find quite a few of them. The mounting on the antenna is usually a U-bolt to mount it to a pole, but it's just bolted to a plate on the antenna, so you just have to unscrew the bolts and you're good, then you can attach it to anything.

      Delete