Raspberry Pi as a Wireless Network Scanner
By Dmitry Kolyvagin
IASP-560
Professor Dr. John Yoon
Table of Contents:
I. Introduction
   1) Home Wireless Networks
   2) Common Security Issues
   3) Typical Attacks
II. Network Scanner
   1) Objective
   2) Hardware
   3) Software
      a. Raspbian
      b. Kismet
   4) Network Configuration
III. Alerts and WIDS
   1) Configuration
   2) Alerts
IV. Deployment
   1) Scanning and Monitoring
   2) Testing Alerts
      a. Evil Twin
      b. Deauth
V. Conclusion
I. Introduction
Home Wireless Networks
Most homes today have a variety of wireless devices on the network, ranging from laptops and
cell phones to smart TVs and IP cameras. Some homes have remote temperature sensors, smart
light bulbs that are controlled wirelessly, and so on. The point is that the average home in the
United States now has a large number of devices, and all of them share the same network. Below
is an image that illustrates an example of a home network topology and some of the common
wireless devices connected to it. On the left you can see the general-purpose devices such as a
laptop, phone and printer; on the right side of the picture there are a number of "Internet of
Things" devices.
Common Security Issues
As you can tell from the above image, the most typical configuration for a home network
consists of a modem for the Internet connection and a Wi-Fi router for devices to connect to it.
The router's radio is therefore always exposed to the outside environment: anyone within range
can see the name (SSID) of the network, the security protocol it advertises in its beacons, and
the MAC address (BSSID) of the device, all without ever joining the network. Knowing this
information, attackers can orchestrate a wide range of attacks that fall into three main
categories: denial of service, man-in-the-middle and spoofing attacks.
Additionally, some wireless networks still use the outdated encryption protocol known as Wired
Equivalent Privacy (WEP), which has major cryptographic flaws and can be cracked in a matter
of minutes. Attackers find such vulnerable networks by wardriving: scanning for wireless
networks from a moving vehicle. Once a WEP network is found, getting in takes less than five
minutes with tools from the aircrack-ng suite such as aircrack-ng and besside-ng (fluxion, which
is often mentioned alongside them, is an evil-twin toolkit aimed at WPA networks rather than a
WEP cracker).
Typical Attacks
Furthermore, there are other attacks that hackers can launch against a wireless network; one of
the most popular is the evil twin attack. The attacker clones the SSID (and often the BSSID) of
an access point (AP) and forces users onto the clone by kicking everyone off their original
network. The attacker then uses IP forwarding and monitoring tools to analyze the traffic and
pass it along, so the victim sees no indication that anything is wrong. In most cases users never
realize that they are connected to a different network, because of this simple spoofing technique.
A deauthentication attack is another popular one: it is used to deauthenticate clients from their
wireless network in order to capture the frame exchange (the WPA/WPA2 four-way handshake)
when they reconnect. After capturing the handshake, which carries a message integrity check
derived from the passphrase, attackers can run a dictionary or brute-force attack against the
password offline with tools like aircrack-ng, John the Ripper and RainbowCrack. These are just
some of the most common attacks that black hats use today against wireless networks; they are
very simple in nature, and most intruders use software toolkits that automate the whole
procedure without having to understand or write any code.
II. Network Scanner
Objective
The main objective of this project is to configure a fully operational network scanner that is
capable of analyzing wireless traffic and that provides wireless intrusion detection in the form of
scripted alerts displayed and logged on the Raspberry Pi. The software package chosen for this,
Kismet, is also capable of monitoring Bluetooth devices, but we are not going to concentrate on
that. Instead, we will monitor the traffic of my Wi-Fi router, whose SSID is "Chocolate_Candy",
and set up the WIDS (Wireless Intrusion Detection System) to report on it if any suspicious
activity is detected. Finally, once the network scanner is implemented, it will be possible to
connect to it from an outside network over a remote desktop connection and check on its status,
alerts and the surrounding environment.
Hardware
Let's start with the easiest part, the hardware. All that is required for this to work is a
Raspberry Pi with its accessories, a microSDHC card and an external wireless adapter capable of
switching to monitor mode. From the hardware side there isn't much to set up and it is pretty
straightforward. One important thing to note is that the built-in wireless card has to be disabled,
and we will use an Ethernet cable to provide connectivity to the Raspberry Pi so that we can
access it remotely while the external adapter is dedicated to capturing. Below is a picture of my
setup and everything that needs to be connected to the device.
Software
My initial intent was to use the Arch Linux operating system because of its light weight and low
resource requirements, but after trying to configure it for days and installing all the dependencies
that were needed for Kismet, I decided to switch to a more user-friendly OS that comes ready for
installing the network scanner package.
Raspbian
The quickest and easiest way to install the Raspbian OS image onto the SD card is to use
NOOBS (New Out Of the Box Software). After downloading and extracting the NOOBS archive
onto a FAT32-formatted SD card, we are ready to install Raspbian Lite. Booting the Pi with the
SD card inserted brings up the NOOBS installation menu; there we select the Raspbian Lite
version of the OS and click Install in the top left corner of the menu. Below is an image of the
NOOBS menu.
Kismet
After installing the OS, the final step is to install the Kismet network scanner package itself.
The entire installation takes over an hour and will also require changes to the network
configuration. The first step is to download the latest Kismet release (Kismet 2019-09-R1),
either by cloning the git repository or downloading it directly from the Kismet website, and to
install the build dependencies listed in its README. Once downloaded, navigate to the Kismet
directory and run "./configure". Wait for the build to be configured and then run "make"; on a
Raspberry Pi the compile alone takes over an hour. After that we need to install the package and
set up the user group: "sudo make suidinstall" installs Kismet with a setuid capture helper, so
that Kismet itself can run unprivileged, and "sudo usermod -aG kismet pi" adds the pi user to the
kismet group that is allowed to use it. The new group membership only takes effect on a fresh
login, so restart the device (or log out and back in) and check with the "groups" command that
kismet now appears.
Network Configuration
Finally, to make everything work we need to put the external wireless adapter into monitor
mode. First, we check which physical radio (phy) the adapter belongs to with "iw dev". Then we
add a second virtual interface, mon1, on that phy in monitor mode with the command "sudo iw
phy phy1 interface add mon1 type monitor" (phy1 here is the external adapter; the on-board
radio is normally phy0), and bring it up with "sudo ifconfig mon1 up". I have tried to make
these settings permanent by adding these commands to the network interfaces configuration file
but somehow it wasn't working, so I ended up making a tiny script that has to run every time
before turning Kismet on. That is it; now that the wireless adapter is configured we can run
Kismet and start monitoring traffic.
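The following is an added example of the kind of helper the text describes, not the write-up's own script: it parses the output of `iw dev` to find which phy the external adapter is on, then runs the same `iw` command as above (with `ip link` in place of `ifconfig`). The sample `iw dev` output, the interface names wlan0/wlan1 and the MAC addresses in it are constructed for illustration. Note that Kismet's Linux Wi-Fi datasource can also create the monitor interface itself when pointed at the managed interface (`kismet -c wlan1`); this script is for the case where, as in the text, you want to control the interface by hand.

```python
"""Put the external Wi-Fi adapter into monitor mode before starting Kismet.

Added example (not the write-up's script). Requires root when actually run.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `iw dev` output: the Pi's on-board radio (phy0/wlan0)
# and the external USB adapter (phy1/wlan1). Used only to show the parser's input.
SAMPLE_IW_DEV = """\
phy#1
\tInterface wlan1
\t\tifindex 4
\t\twdev 0x100000001
\t\taddr 00:c0:ca:00:00:02
\t\ttype managed
phy#0
\tInterface wlan0
\t\tifindex 3
\t\twdev 0x1
\t\taddr b8:27:eb:00:00:01
\t\ttype managed
"""


def parse_iw_dev(text: str) -> Dict[str, str]:
    """Map each interface name to its phy, e.g. {'wlan1': 'phy1', 'wlan0': 'phy0'}.

    `iw dev` prints a 'phy#N' header followed by the interfaces on that radio,
    so we remember the current phy and attach every 'Interface' line to it.
    """
    mapping: Dict[str, str] = {}
    phy = None
    for line in text.splitlines():
        m = re.match(r"phy#(\d+)", line)
        if m:
            phy = "phy" + m.group(1)
            continue
        m = re.match(r"\s*Interface\s+(\S+)", line)
        if m and phy is not None:
            mapping[m.group(1)] = phy
    return mapping


def monitor_commands(phy: str, mon: str = "mon1") -> List[List[str]]:
    """The command sequence from the text: add a monitor vif on the phy, bring it up."""
    return [
        ["iw", "phy", phy, "interface", "add", mon, "type", "monitor"],
        ["ip", "link", "set", mon, "up"],  # equivalent of `ifconfig mon1 up`
    ]


def enable_monitor(iface: str, mon: str = "mon1") -> str:
    """Resolve iface -> phy with the real `iw dev`, create the monitor vif and return the phy."""
    out = subprocess.run(["iw", "dev"], check=True, capture_output=True, text=True).stdout
    phy = parse_iw_dev(out).get(iface)
    if phy is None:
        raise SystemExit(f"{iface}: not found in `iw dev` output")
    for cmd in monitor_commands(phy, mon):
        subprocess.run(cmd, check=True)
    return phy


if __name__ == "__main__":
    # usage: sudo python3 monitor_up.py wlan1   (then start kismet with -c mon1)
    print(enable_monitor(sys.argv[1] if len(sys.argv) > 1 else "wlan1"))
```

Because the monitor interface disappears on reboot, the script is meant to be run (as root) each time before Kismet, exactly as the text describes for the author's own script.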
III. Alerts and WIDS
Configuration
Now that we have set up Raspbian, installed the Kismet package and configured the wireless
adapter, all we need to do is activate the apspoof alert by adding the "Chocolate_Candy" SSID
and its BSSID to the list of monitored networks. To do that we edit the configuration file
"kismet_alerts.conf". Below is a picture of the alerts configuration file for the local user: all of
the alerts are enabled and access point spoofing detection is set up for "Chocolate_Candy".
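As an added illustration of what that configuration looks like in text form (this is not a copy of the author's file; the BSSID d4:6e:0e:00:00:01 is a placeholder for the router's real MAC address), the relevant lines of kismet_alerts.conf are the rate limits for the two alerts used later and one or more apspoof definitions:

```conf
# kismet_alerts.conf (excerpt, added example)
#
# Rate limits per alert: alert=<NAME>,<max alerts per unit>,<burst>
alert=APSPOOF,10/min,1/sec
alert=DEAUTHFLOOD,5/min,2/sec

# APSPOOF rule: an SSID plus the BSSIDs allowed to advertise it. Any beacon or
# probe response for this SSID from another BSSID raises the alert.
apspoof=Home:ssid="Chocolate_Candy",validmacs="d4:6e:0e:00:00:01"

# Regex variant (needs Kismet built with PCRE support): also catches case changes
# and look-alike names an evil twin might use, e.g. "chocolate candy".
apspoof=HomeRegex:ssidregex="(?i:chocolate.?candy)",validmacs="d4:6e:0e:00:00:01"
```

The validmacs list can hold several comma-separated addresses if the home network has more than one access point; a single missing address is the most common cause of false APSPOOF alerts against your own equipment.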
Alerts
Kismet is most effective as a WIDS when stationary, so keeping it constantly in one location
increases its accuracy and coverage. There are a number of fingerprint alerts that can be
triggered at any time once a known-hostile behavior is detected; we will look at two of the most
common ones as examples. The first, "apspoof", takes a given SSID along with the list of
accepted MAC addresses; if it sees a beacon or probe response for that SSID and the sending
device's BSSID is not on the list, the alarm is raised. Another important alarm is "deauthflood",
which detects a burst of spoofed deauthentication (and disassociation) frames of the kind used to
knock clients off a network. There are many more Kismet signature alerts, and their descriptions
can be found on the official page of the software.
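To make the two rules concrete, here is an added toy re-implementation of their logic run over constructed frame records; it is not Kismet's code, and the threshold of more than ten deauthentication frames from one BSSID within one second is this example's own choice rather than Kismet's internal value. The frame records, the home BSSID d4:6e:0e:00:00:01 and the rogue BSSID 00:c0:ca:00:00:02 are all made up for the example.

```python
"""Toy WIDS: the APSPOOF and DEAUTHFLOOD checks over 802.11 management frames.

Added example, not Kismet code. Frames are plain records as a sniffer in
monitor mode would deliver them after parsing.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Frame:
    ts: float          # capture time in seconds
    subtype: str       # "beacon", "probe_resp" or "deauth"
    bssid: str         # BSSID / transmitter address
    ssid: str = ""     # SSID carried by a beacon or probe response


class ApSpoofRule:
    """APSPOOF: a beacon or probe response advertises a protected SSID from a
    BSSID that is not in the valid-MAC list (mirrors the apspoof config line)."""

    def __init__(self, name: str, ssid: str, validmacs: Iterable[str]):
        self.name = name
        self.ssid = ssid
        self.validmacs: Set[str] = {m.lower() for m in validmacs}

    def check(self, frame: Frame) -> Optional[str]:
        if frame.subtype not in ("beacon", "probe_resp") or frame.ssid != self.ssid:
            return None
        if frame.bssid.lower() in self.validmacs:
            return None
        return (f"APSPOOF {self.name}: unauthorized device {frame.bssid.lower()} "
                f"is advertising SSID '{self.ssid}'")


class DeauthFloodRule:
    """DEAUTHFLOOD: more than `threshold` deauth frames from one BSSID inside a
    sliding `window` of seconds. Reported once per burst, not once per frame."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self._recent: Dict[str, Deque[float]] = {}
        self._last_alert: Dict[str, float] = {}

    def check(self, frame: Frame) -> Optional[str]:
        if frame.subtype != "deauth":
            return None
        bssid = frame.bssid.lower()
        q = self._recent.setdefault(bssid, deque())
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:   # forget frames outside the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self._last_alert.get(bssid)
        if last is not None and frame.ts - last < self.window:
            return None                               # this burst was already reported
        self._last_alert[bssid] = frame.ts
        return f"DEAUTHFLOOD: {len(q)} deauth frames from {bssid} in {self.window:g}s"


def run_wids(frames: Iterable[Frame], rules) -> List[str]:
    """Feed frames in time order through every rule and collect the alert strings."""
    alerts: List[str] = []
    for frame in sorted(frames, key=lambda f: f.ts):
        for rule in rules:
            msg = rule.check(frame)
            if msg:
                alerts.append(msg)
    return alerts


HOME_AP = "d4:6e:0e:00:00:01"   # assumed BSSID of Chocolate_Candy
ROGUE = "00:c0:ca:00:00:02"     # assumed BSSID of the evil twin (constructed)


def sample_frames() -> List[Frame]:
    """Constructed capture: normal beacons, a neighbour, an evil twin, a deauth flood."""
    frames = [Frame(float(i), "beacon", HOME_AP, "Chocolate_Candy") for i in range(5)]
    frames.append(Frame(2.5, "probe_resp", HOME_AP, "Chocolate_Candy"))
    frames.append(Frame(3.2, "beacon", "66:77:88:99:aa:bb", "Neighbor_Wifi"))
    frames.append(Frame(4.1, "beacon", ROGUE, "Chocolate_Candy"))   # evil twin beacon
    frames.append(Frame(4.3, "deauth", HOME_AP))                    # one legitimate deauth
    frames += [Frame(5.0 + i * 0.05, "deauth", ROGUE) for i in range(15)]  # the flood
    return frames


def default_rules():
    return [ApSpoofRule("Home", "Chocolate_Candy", [HOME_AP]), DeauthFloodRule()]


if __name__ == "__main__":
    for alert in run_wids(sample_frames(), default_rules()):
        print(alert)
```

Running it prints one APSPOOF alert for the rogue beacon and one DEAUTHFLOOD alert when the eleventh deauth frame arrives inside the window; the single deauth from the real access point and the neighbour's beacon produce nothing, which is the behaviour you want from the rules before trusting them on a busy apartment-building channel.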
IV. Deployment
Scanning and Monitoring
After completing all of the above steps, we are finally ready to test the network scanner. We
start by opening a terminal and typing "kismet"; this runs the scanner. All we need to do now is
open a web browser and navigate to "http://localhost:2501". After leaving the scanner running
for about half a day, I had discovered many network-enabled devices such as Wi-Fi routers
broadcasting on different channels, cell phones, smart TVs and others. Below are a couple of
images of Kismet scanning and monitoring wireless activity in my apartment building. The first
image has messages at the bottom alerting about events, and the second shows a graph of the
frequencies on which most devices transmit.
Testing Alerts
For the final part of the project we will test the WIDS features of Kismet. I will use a Wi-Fi
Pineapple Nano from Hak5, connected to a machine running Kali Linux, to exercise the alerting
of the Kismet installation on the Raspberry Pi.
We will test two attacks against my home access point "Chocolate_Candy": the first is an evil
twin and the second a deauth attack. The goal is to have both attacks detected by the Kismet
scanner and logged as alerts.
Evil Twin
The evil twin attack is easy to carry out with the Pineapple: all we need to do is scan for
networks around us, select a target and add it to the SSID pool. The Pineapple automates
everything, and with a couple of clicks you can broadcast as any SSID on the list. In our case I
selected "Chocolate_Candy" and started broadcasting with its SSID. Right away, Kismet picked
it up and displayed a message alerting that "Unauthorized device is broadcasting with the SSID
'Chocolate Candy'". Below are two images showing the Pineapple interface and the alert Kismet
displayed after the attack was initiated.
Deauth
For the second and final attack simulation we will disconnect my laptop, which is connected to
the "Chocolate_Candy" access point, by sending deauthentication frames from the Wi-Fi
Pineapple Nano. Once the deauthentication frames are transmitted, our network scanner should
pick them up and display an alert. For this denial of service attack we again use the Pineapple
because of how easily it does it: all we have to do is scan the networks around us, select one and
click a single button to deauthenticate all of its clients. After targeting my own router this way,
my MacBook lost its network connection immediately, letting me know that the attack worked.
Below you can see Kismet detecting this attack and displaying notifications.
V. Conclusion
Our homes now have many devices connected to the Internet, most of them wireless, ranging
from baby monitors to Wi-Fi enabled refrigerators; it therefore becomes very important to make
sure that proper protections are in place. Hackers can target anyone for various reasons, and no
network is too small to be at risk of a cyberattack. Thus, having some additional defenses
deployed on a network can only benefit its users and promote a safer environment. During this
project we looked at some of the security concerns related to Wi-Fi along with common attacks
that hackers deploy. Additionally, we implemented a network scanner on a Raspberry Pi and
tested its intrusion detection features by simulating some of the most common attacks, an evil
twin and a deauthentication denial of service, showing that it can easily detect and notify users
about malicious wireless activity around their networks. I have wanted to try Kismet for some
time now and this project gave me the opportunity to do so; I learned some new things and look
forward to improving this setup in the near future.