Raspberry Pi as a Wireless Network Scanner

By Dmitry Kolyvagin

IASP-560

Professor Dr. John Yoon

Table of Contents:

I. Introduction 1) Home Wireless Networks

2) Common Security Issues

3) Typical Attacks

II. Network Scanner 1) Objective

2) Hardware

3) Software

a. Raspbian

b. Kismet

4) Network Configuration

III. Alerts and WIDS 1) Configuration

2) Alerts

IV. Deployment 1) Scanning and Monitoring

2) Testing Alerts

a. Evil Twin

b. Deauth

V. Conclusion

I. Introduction

Home Wireless Networks

In our day and age, most homes have a variety of wireless devices on the network ranging from

laptops and cell phones to smart TVs and IP cameras. Some homes have remote temperature

control sensors installed, smart light bulbs that can be controlled wirelessly and so one. The point

is that the average home in the United States has way too many devices nowadays and all of

them are connected to the network. Below is an image that illustrates an example of a home

network topology and some of the common wireless devices that are connected. On the left, you

can see most general devices like a laptop, phone, printer, and on the right side of the picture,

there are plenty called “Internet of Things” devices.

Common Security Issues

As you can tell from the above image, the most typical configuration for a home network

consists of a modem for the Internet and a Wi-Fi router for devices to connect to it. This makes

the Wi-Fi router constantly exposed to the outside environment and anyone can see the name

(SSID) of the network, what security protocol it is using and the mac address (BSSID) of the

device. Knowing this information, attackers can easily orchestrate a wide range of attacks that

fall into three main categories - denial of service, man in the middle and spoofing attacks.

Additionally, some wireless networks can be using older and outdated encryption protocol

known as Wired Equivalent Privacy (WEP) that has major security flaws and can be cracked in a

matter of minutes. For example, hackers can easily find such vulnerable networks by using a

method called wardriving. In this act of searching, an attacker typically scans wireless networks

from a moving vehicle. Once found, it takes less than 5 minutes to get in the wireless network

using tools like aircrack-ng, besside-ng and fluxion.

Typical Attacks

Furthermore, there are other attacks that hackers can initiate on a wireless network; one of the

most popular is called an evil twin attack. Hackers can replicate the SSID and BSSID of an

access point (AP) and force users to connect to it by kicking everyone from their original

network. The attacker then can use IP forwarding and monitoring tools to analyze the traffic and

pass it along without any indication. In most cases, users never realize that they are connected to

a different network because of this simple spoofing technique. An authentication attack is

another popular one and it is used to deauthenticate clients from their wireless networks in order

to capture the frame exchange when they try to connect back. After capturing the encrypted

authentication frame, attackers can run a dictionary attack offline and brute force the password

with tools like aircrack-ng, John the Riper and Rainbow Crack. These are just some of the most

common attacks that black hats use today when targeting wireless networks, they are very

simplistic in their nature and most intruders use software toolkits that automate all of the

malicious algorithms without having to know or write the code.

II. Network Scanner

Objective

The main objective of this project is to configure a fully operational network scanner capable of

analyzing wireless traffic and be able to provide wireless intrusion detection features in a form of

scripted alerts that will be displayed and logged on the Raspberry Pi. This software package is

also capable of monitoring Bluetooth devices but we are not going to concentrate on that.

Instead, we will monitor the traffic of my Wi-Fi router with SSID named “Chocolate_Candy”

and set up the WIDS (Wireless Intrusion Detection System) to report on it if any suspicious

activities are detected. Finally, upon the implementation of the network scanner, it will be

possible to connect to it from an outside network by using remote desktop connection and check

on the status, alerts and the environment.

Hardware

Let’s start with the easiest – the hardware, all that is going to be required for this to work are

Raspberry Pi with all the accessories, microSDHC and an external wireless adapter capable of

switching to monitor mode. From the hardware side of things, there isn’t much to set up and it’s

pretty straightforward. One important thing to note here is that the in-build wireless card has to

be disabled and we will need to use Ethernet cable to provide connectivity to Raspberry Pi so

that we can remotely access it. Below is a picture of my setup and everything that needs to be

connected to the device.

Software

My initial intent was to use Arch Linux operating system because of its lightweight and low

resource requirements, but after trying to configure it for days and installing all the dependencies

that were needed for Kismet, I decided to switch to a more user-friendly OS that comes ready for

installing the network scanner package.

Raspbian

The quickest and easiest way to install Raspbian OS image on to SD card is to use NOOBS (new

out of the box software). After downloading and extracting NOOBS file contents on to a

formatted SD card (FAT32) we are ready to install the Raspbian Lite OS. By booting up the pi,

with the SD card inside, a NOOBS installation menu will be displayed, after that, we can select

the Raspbian Lite version of the OS and click install on the top left corner of the menu. Below is

an image with the NOOBS menu.

Kismet

After installing the OS, the final step is to install the actual Kismet network scanner package.

The entire installation is going to take over an hour and will require changing network

configuration files. The first step is to download the latest Kismet package (Kismet 2019-09-

R1); you can do it by using git repository or downloading it directly from Kismet website. Once

downloaded, navigate to Kismet directory and type “./configure”. Wait till the code gets

configured for the compilation and type “make”. This process will take over an hour and after

that, we will need to install the package and configure user groups. By typing “sudo make

suidinstall” we will install Kismet and “sudo usermod -aG kismet pi” we will add pi user the

Kismet group. After this we are done, just need to restart the device, check user groups to make

sure Kismet was added by typing “groups” command.

Network Configuration

Finally, to make everything work we will need to set the external wireless adapter into monitor

mode. First, we will check which physical interface it belongs to by typing “iw dev”. After, we

will add another interface called mon1 that will be set in monitor mode with the command “sudo

iw phy phy1 interface add mon1 type monitor” and turn it on with the command “ifconfig mon1

up”. I have tried to make these settings permanent by adding these commands to network

interfaces configuration file but somehow it wasn`t working so I ended up making a tiny script

that will have to run every time before turning Kismet on. That is it; now that we configured the

wireless adapter we can run Kismet and start monitoring traffic.

III. Alerts and WIDS

Configuration

Now that we have set up the Raspbian OS, installed Kismet software package and configured the

wireless adapter, all we need to do is to activate apspoof by adding “Chocolate_Candy” SSID

and BSSID to be monitored. In order to do that, we will have to edit a configuration file called

“kismet_alerts.conf”. Below is a picture of the alerts configuration file for the local user, all of

the alerts are enabled and access point spoofing detection is set up for “Chocolate Candy”.

Alerts

Kismet is most effective as a WIDS in a stationary mode so having it constantly in one location

increases its accuracy and coverage. There are a number of fingerprint alerts that can be triggered

at any time once a known-hostile specific behavior is detected. We will take a look at some of

the most common ones as an example. The first one – “apspoof”, looks at given SSID along with

all the accepted mac addresses if it detects a beacon or probe response for that SSID and that

device`s BSSID is not on the list, the alarm is raised. Another important alarm is “deauthflood”,

it detects spoofing of deauthenticate packets that typically are used to disconnect clients from a

network. There are plenty more Kismet signature alerts and their description can be found on the

official page of the software.

IV. Deployment

Scanning and Monitoring

After completing all of the above-mentioned steps and procedures, finally, we are ready to test

the network scanner. We will start by opening a terminal and typing “kismet” command, this will

run the network scanner. All we need to do now is to open a web browser and navigate to

“localhost: 2501”. After leaving the scanner running for about half a day, I have discovered

many network-enabled devices such as Wi-Fi routers that would broadcast on different channels,

cellphones, Smart TVs and others. Below are a couple of images of the Kismet scanning and

monitoring wireless activities in my apartment building. The first image has messages displayed

on the bottom alerting about events and the second image shows a graph of which frequencies

most devices transmit.

Testing Alerts

For the final part of the project, we will test the WIDS features of the Kismet package. I will use

a Wi-Fi Pineapple Nano device from Hack 5 connected to a machine running Kali Linux to test

the alerting system of the software package installed on Raspberry Pi.

We will test two attacks on my home`s access point “Chocolate_Candy”. The first one will be

evil twin and second one is deauth attacks. The goal here is to have both of these attacks detected

by Kismet scanner and logged in alerts.

Evil Twin

The evil twin attack is pretty easy to implement with pineapple, all we need to do is scan for

networks around, select a target and add it to SSID pool. The pineapple has everything

automated and by clicking couple of buttons you can broadcast as any SSID from the list. In our

case, I have selected “Chocolate_Candy” and started broadcasting with its SSID. Right away,

Kismet picked it up and displayed a message alerting that “Unauthorized device is broadcasting

with the SSID ‘Chocolate Candy’ “. Below are two images that show the pineapple interface and

alert that Kismet displayed after the attack has been initiated.

Deauth

For the second and final attack simulation, we will disconnect my laptop that is connected to

“Chocolate_Candy” access point by sending deauthentication frames from Wi-Fi Pineapple

Nano. Once deauthentication packets are transmitted, our network scanner will pick it up and

display alert notification. For this denial of service attack, we will use pineapple again because of

how easy it is implemented, all we have to do is scan networks around, select one and click one

button to deauthenticate all clients. After targeting my own router and doing so, my MacBook

lost network connection immediately letting me know that the attack worked. Below you can see

Kismet detecting this attack and displaying notifications.

V. Conclusion

Our homes now have many devices connected to the Internet, most of them are wireless, ranging

from baby monitors to Wi-Fi enabled refrigerators, therefore; it becomes very important to make

sure that proper securities are implemented. Hackers can target anyone for various reasons and

no network is too small to be at risk of a cyberattack. Thus, having some additional securities

deployed on a network can only benefit its users and promote a safer environment. During this

project, we looked at some of the security concerns related to Wi-Fi along with common attacks

that hackers deploy. Additionally, we implemented a network scanner (Raspberry Pi) and tested

its intrusion detection features by simulating some of the most common attacks such as evil twin

and denial of service proving that it can easily detect and notify users about malicious wireless

activities around their networks. I have wanted to try Kismet for some time now and this project

provided me the opportunity to do so, I learned some new things and look forward to improving

this set up in the near feature.