Home network and Raspberry PiHome network and Raspberry Pi

Daniele AlbrizioDaniele Albriziodaniele@albrizio.itdaniele@albrizio.it

By Evan-Amos - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=56262833

2

What exactly is Raspberry Pi?

● The Raspberry Pi Foundation is a charity founded in 2009 to promote the study of basic computer science in schools, and is responsible for developing a single-board computer called the Raspberry Pi, the UK's best-selling PC of all time.

3

Raspberry Pi 3 2016

● 1.2 GHz 64-bit quad-core ARM Cortex-A53● 500 MHz SDRAM● SoC Broadcom BCM2837● GPU Broadcom VideoCore IV @ 250 MHz (BCM2837: 3D

part of GPU @ 300 MHz, video part of GPU @ 400 Mhz), 1080p30 H.264/MPEG-4 AVC high-profile decoder and encoder

● 1GB SDRAM shared with GPU● 4xUSB 2.0● 15-pin MIPI camera interface (CSI) connector

4

Raspberry Pi 3 2016

● HDMI (rev 1.3), composite video (3.5 mm TRRS jack), MIPI display interface (DSI) for raw LCD panels

● Analog audio via 3.5 mm phone jack; digital via HDMI

● MicroSDHC slot● 10/100 Mbit/s Ethernet

5

Raspberry Pi 3 2016

● 17 x GPIO● 300 mA (1.5 W) average when idle, 1.34 A (6.7

W) maximum under stress ● Powered by 5 V via MicroUSB or GPIO header● Bluetooth 4.1● 802.11n wireless

6

Privacy concerns in a home network

● What are all my devices really doing on my network?

● Are all network flows licit?● What can I do to limit information leakage and

uncontrolled behaviour?

7

Needs

● Insulate my (trusted?) DSL router and main PC from wireless untrusted devices like smart-phones and IoTs (forwarding, NAT, hostapd)

● Traffic Analisys and consciousness (wireshark)● Firewalling (iptables at the moment)● Bonus:

– ADs removal (Pi-hole)

8

9

Shopping list

● Raspberry Pi 3● Heat sinks● Case● SDCard● Usb power supply

10

Base Distro

● Raspbian (base)● Kali (some VA and security testing)

● https://www.offensive-security.com/kali-linux-arm-images/● https://docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-pi

– # dd if=kali-xxxxx-rpi.img of=/dev/sdX bs=512k

– Where sdX is your sdcard device: please be absolutely sure of which is your sdcard device before flashing: data loss danger.

● Insert your SDcard and power on your Raspberry

11

First steps

● Bind the Raspberry IP on your DSL router dhcp (reservation)

● Access via ssh using user:root pass:toor keyboard/monitor-less

● Install hostapd, tcpdump, isc-dhcp-server– sudo apt install hostapd tcpdump isc-dhcp-server

● Install PC authorized key in the raspberry (optional)– ssh-copy-id -i ~/.ssh/id_rsa.pub root@kalihost

12

Disable Network Manager for Wi-Fi interface to avoid conflicts

● service network-manager restart

#/etc/NetworkManager/nm-system-settings.conf[main]plugins=ifupdown,keyfile

[ifupdown]managed=false

[keyfile]unmanaged-devices=mac:8a:70:95:99:99:99

13

Configure NAT and IP address

● for the wireless lan interface

# file /etc/network/interfacesauto wlan0 iface wlan0 inet static address 10.5.5.1 netmask 255.255.255.0 post-up iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

By Yangliy at English Wikibooks - Transferred from en.wikibooks to Commons., Public Domain, https://commons.wikimedia.org/w/index.php?curid=61795881

14

IP Forwarding (like a router)

● In /etc/sysctl.d/99-sysctl.conf– net.ipv4.ip_forward=1

● Reload parameters– sysctl -p /etc/sysctl.conf

● Verify the parameter is “1”– cat /proc/sys/net/ipv4/ip_forward

15

Enable DHCP server on wlan0

● Enable dhcp server upon boot– sudo update-rc.d isc-dhcp-server enable

● Start the dhcp server– sudo isc-dhcp-server start

#/etc/dhcp/dhcpd.confsubnet 10.5.5.0 netmask 255.255.255.0 { range 10.5.5.26 10.5.5.36; option domain-name-servers 10.5.5.1; #option domain-name-servers 8.8.8.8, 8.8.4.4; option domain-name "internal.example.org"; option routers 10.5.5.1; option broadcast-address 10.5.5.255; default-lease-time 600; max-lease-time 7200;}

#/etc/default/isc-dhcp-serverINTERFACESv4="wlan0"

16

Enable Wi-Fi Access Point

● Insert DAEMON_CONF="/etc/hostapd/hostapd.conf" in /etc/default/hostapd

● Modify and customize hostapd.conf (see next slide)● Enable startup on boot

– sudo update-rc.d hostapd enable

● Start the access point– sudo service hostapd start

17

/etc

/hos

tapd

/hos

tapd

.con

f interface=wlan0driver=nl80211ssid=traphw_mode=g

ieee80211n=1wmm_enabled=1# Low priority / AC_BK = backgroundwmm_ac_bk_cwmin=4wmm_ac_bk_cwmax=10[…]

macaddr_acl=0ignore_broadcast_ssid=0wpa=1wpa_passphrase=lamiapassphrasesegretawpa_key_mgmt=WPA-PSKwpa_pairwise=TKIP CCMPrsn_pairwise=CCMPieee80211w=n#ap_isolate=1

channel=6acs_num_scans=5acs_chan_bias=1:0.8 6:0.8 11:0.8chanlist=1 6 11

By Maripo GODA - Own work, CC BY-SA 3.0,https://commons.wikimedia.org/w/index.php?curid=18774788

18

Traffic dump and sniff

● Use the following script to remotely dump (on your PC) traffic from your raspberry and show it in your local wireshark– Your raspberry being 192.168.1.5 and your pc being

192.168.1.10#!/bin/shssh root@192.168.1.5 tcpdump -U -s0 \'not\(\(host 192.168.1.5 and port 22\)or\(host 192.168.1.10 and port 22\)\)' \-i wlan0 -w - | wireshark -k -i -

19

Wireshark

● Industry standard sniffer● Provides highlighting, correlation, decoding,

filtering, etc..● Multiplatform (linux, windows, mac)● Provides statistics and flow analysis

20

I need you

● Connectivity hungry apps as soon as a smartphone connects:

21

Connectivity Check without SSL

● GET /generate_204 HTTP/1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Host: connectivitycheck.gstatic.com

Connection: Keep-Alive

Accept-Encoding: gzip

● HTTP/1.1 204 No Content

Content-Length: 0

Date: Fri, 27 Oct 2017 18:48:06 GMT

22

YeeLight strange pattern

● I tought I bought a LAN controlled light● A WAN one I got

23

Who the hell is this one?

● $ geoiplookup 52.221.85.229– GeoIP Country Edition: SG, Singapore

● $ host 52.221.85.229– 229.85.221.52.in-addr.arpa domain name pointer

ec2-52-221-85-229.ap-southeast-1.compute.amazonaws.com.

24

Further findings

● Telegram uses non TLS encryption on tcp port 80

● Whatsapp sometimes uses google dns 8.8.8.8 to reach its servers

25

Ads and Privacy

● Profiling– Cookies

– Referrals

– Javascripts

– Biometrics (fingerprinting of mouse movements orkeyboard typing)

By Nicolasbuenaventura - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=32181778

26

Bonus track: Pi-Hole

● Advertising blackholing● On-the-access-point● Web interface● Extensive statistics● Customizable lists, white and black ones● Disable button

27

Install Pi-hole

● Download and install Pi-hole– curl -sSL https://install.pi-hole.net | bash

● Customize /etc/pihole/setupVars.conf for using wlan0 addresses– PIHOLE_INTERFACE=wlan0– IPV4_ADDRESS=10.5.5.1/24

● Change Pi-hole web interface management password– pihole -a -p somepasswordhere

● You can also remove the password by not passing an argument– pihole -a -p

● Head your browser at http://192.168.1.5/admin

28

29

30

31

32

33

34

35

36

37

38

Spare space for fun

● Security Webcam using motion● Plenty of GPIO space

39

What we learned to improve our privacy consciousness

● What is Raspberry● How to install Kali Linux on Raspberry Pi 3● Setup a wireless router using NAT and DHCP● Sniff and read realtime traffic pattern● AD’s suppression● ...

40

Quest'opera è stata rilasciata con licenza Creative Commons Attribuzione - Non commerciale - Condividi allo stesso modo 3.0 Italia. Per leggere una copia della licenza visita il sito web http://creativecommons.org/licenses/by-nc-sa/3.0/it/ o spedisci una lettera a Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. Alcune immagini hanno licenze d’uso differenti e sono indicate sulle immagini stesse.

Daniele Albriziodaniele@albrizio.it

Questions?Questions?

41

Further readings

● Yeelight hardware and software reverse engineered – https://hackernoon.com/inside-the-bulb-adventures-in-reverse-engineering-smart-bulb-firmware-1b81ce2694a6

– https://github.com/OpenMiHome/mihome-binary-protocol