CowPi: Capturing Open Wi-Fi with a raspberry Pi

Below is an article that I wrote and had published in the 2017 summer issue of 2600: The Hacker Quarterly.  Since the article was submitted I have changed the name of this project from “Pineapple Pi – creating an automated open wifi traffic capturing tool for under $20” to the more catchy “CowPi: Capturing Open Wi-Fi with a Raspberry Pi”. I have also pared down the components used to allow the CowPi to be concealed in a small pocket notebook (see image at the end of the post).

The Intro

I never thought of myself as a hacker, though looking back I have had that mindset from a very early age.  I was always curious about how things work. In fact, I recall a time when I was only around 6 years old taking apart my Alphie II (https://en.wikipedia.org/wiki/Alphie) to try and figure out how this little robot knew what paper card I inserted and responded accordingly.

This curiosity lay fairly dormant inside while growing up, only to make brief appearances over the years.  I easily recall a resurgence when I was starting to enter my teen years and discovered computer games.  My friend’s parents had just bought him a copy of Doom II, which came on a CD! At this time my family could not afford such luxuries as a CD-ROM, so with a little trial and error I discovered that I could use pkzip/pkunzip to split the data from the Doom II CD across approximately eleven 3½-inch floppies so that I could have my own copy of the game.

Ultimately I believe that it was this mindset that led me to a career in I.T.  I have now been working in the industry for a little over 10 years, with my time split almost 50/50 between working in public sector small enterprise and, most recently, as a consultant for a small IT consulting firm. Over the past few years my job role has steadily transformed into a network security centric role.

When I started focusing my career on defensive security my curiosity for how things work was reignited.  As I started hearing about the different techniques that the “bad guys” (or what the media unfortunately labels as hackers) use to compromise networks, I wanted to know the details of how these attacks worked. I started watching various security and anti-security podcasts and started buying copies of 2600 on a regular basis, to which I am now subscribed. I kept consuming information on the surface, learning just the basic concepts of how exploits are used.

This cursory knowledge was great for helping me know what needed to be done so that I could better protect the clients of my day job.  But this was still not enough; it was time for me to get my hands dirty and start to learn the ins and outs of the offensive security world. Having a specific interest in networking, I decided that I was going to start by focusing on wireless security.  Having known of the WiFi Pineapple for many years (https://www.wifipineapple.com), I decided a few months ago to purchase one to start learning more and executing proof of concept attacks (on a test lab of course).  I liked the idea that it had a nice web GUI (and I could postpone learning Linux) and many of the standard wireless testing tools preloaded or available with a mouse click or two.

After playing with my WiFi Pineapple for a few months and learning many new things about how wireless actually works, I had a scenario that I wanted to test, but there was no Pineapple module for it.  Since it is well known that using an open WiFi is a bad idea, as the traffic to the AP is in the clear and available for anyone with the right tools to capture, I thought it would be great to have a small device that could automatically and discreetly find the most active open WiFi within range and start capturing the traffic.  Proving that this was possible will hopefully aid the battle of convincing Joe Public that open WiFi is bad, since now you do not have the heads up of a hooded figure with sunglasses and a laptop covered in stickers sitting in the corner of your coffee shop (where I happen to be writing this) to remind you that your information is not safe.

The Disclaimer

Ok, before I go any further I feel obligated to add the expected disclaimer. This part is very simple: don’t be stupid, don’t be evil. This information is presented purely for educational purposes. This project is designed to reinforce the fact that it is never a good idea to use an open hotspot, especially without protection (some form of VPN), and to display some of the cool and wonderful things that can be achieved with a SoC (system on a chip), along with the dangers.

So with that said, if you decide to do something stupid with this information and get in trouble... I told you so, and it’s not my fault.

The Pi

Right from the start of this project I knew that the Raspberry Pi would be the base hardware.  Having only the basics of scripting from administering Windows systems, I wanted to stick with something that was well documented, as I knew this was also a great learning opportunity.  The first step was to select the type of Pi. Having read the specs of the built-in wireless of the Pi 3, I knew that it would not support the required software. This meant that I was going to have to add a USB WiFi adapter, and I did not want to have to script my way around finding which of the two adapters would be the right one, as testing later showed that they often swapped WLAN designations. It did not take long to settle on the Pi Zero as it was small, did not have its own wireless to cause scripting issues, and it was cheap ($5).

The next step was to choose the OS to use. This was a very easy decision.  Again looking for something well documented to help a noob out, I went with the latest version of Raspbian Jessie Lite, available here: https://www.raspberrypi.org/downloads/raspbian/.  Since the goal was to create a device that booted and executed a script automatically, there was no need for a GUI as it would be running headless. Now since the Pi Zero only has two USB ports (one for power and one for peripherals), I recommend using a USB hub or Pi hat to aid with the setup and configuration.

The NIC

Having the base hardware and OS sorted out, it was time to move on to finding the right wireless adapter. There are all kinds of WiFi USB NICs that will work for this project. They come in a variety of shapes and sizes, each with their pros and cons. You can get larger adapters with a higher gain antenna, which will allow you to capture traffic covering a broader distance, or smaller ones that are the size of your thumbnail, making them very inconspicuous but at the sacrifice of range.

It really does not matter what adapter you choose, other than its chipset must support monitor mode. For help finding an adapter that supports this mode, I recommend checking out this compatibility guide: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers

I decided to use the TP-Link TL-WN722N since it has the right chipset, it is a good balance of size and range, and it can be easily found online for $15 or less.

The Battery

Being an IT pro, I have had the opportunity to attend numerous industry conferences over the years. For a while, portable cell phone charger battery packs were the swag of choice that vendors used to lure you to their booths. These chargers are usually compact, have a capacity ranging from 2200-3000 mAh and more often than not have a power-on button, which is a key feature for being able to quickly and discreetly start the traffic capturing process.

So for this project it just made sense to use one of these “swag juice packs” for my power source, despite the fact that it is total overkill for short-term “testing”.

The Raspberry Pi Zero is very power efficient. When running idle without any peripherals it only draws around 100 mA.  Adding a USB WiFi adapter adds overhead. However, if you disable the LEDs and the power to the mini HDMI port (since it will be running headless), your idle power is still only around 120 mA!

That means that with one of my free 2600 mAh battery packs I’d have just over 21 hours of idle time, or somewhere in the vicinity of 15 hours of active use when implementing the power saving tweaks.

The Prerequisites

Now at first boot, the Raspbian OS does not come with everything that you need to hit the ground running. There are a few prerequisites needed prior to installing and using the aircrack-ng tool suite. Thankfully these can be installed with a single command: “sudo apt-get -y install libssl-dev libnl-3-dev libnl-genl-3-dev ethtool rfkill”. Once the install is complete you can download the aircrack-ng package to your Pi via “sudo wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz” (I chose to do this in /opt). This was the latest release at the time of writing; please refer to aircrack-ng.org for future releases.  Once the download is complete, go ahead and unpack it with “tar -zxvf aircrack-ng-1.2-rc4.tar.gz”. Next move into the unpacked directory and compile the suite with “sudo make”, then when complete run the installer with “sudo make install”.  The final step (and the installer will remind you of this) is to update the OUI database with “sudo airodump-ng-oui-update”. The last prerequisite (if you are going to use my script “as is”) is to create the folder in the root directory that the survey and captured packets are written to. First make sure you are in the root folder, then enter “sudo mkdir DaCaps”.

The Code

#!/bin/bash

# references the interface
wlaninterface=wlan0

# add "mon" to the interface name for use with airmon-ng and airodump-ng
m=mon
i=$wlaninterface$m

# sets the base file name for the wireless survey
recon=/DaCaps/scouted

# sets the file name for the pcap file to write to
pcapfile=/DaCaps/DaCapFile

# sets the length of time to run the survey for - in seconds
recontime=120s

# sets the length of time to run the packet capture for - in seconds
capturetime=3600s

# general house cleaning to remove previous captures
rm $recon*.csv &> /dev/null
rm $pcapfile*.cap &> /dev/null

# setting wlan0 into monitor mode (run in the foreground so the monitor
# interface exists before the survey starts)
airmon-ng check kill
airmon-ng start $wlaninterface

# running the wireless survey for the defined amount of time, then stopping the process
airodump-ng -w $recon --output-format csv $i &> /dev/null &
sleep $recontime
kill $!

# finds the open WiFi network with the most active traffic and gets the channel number
channel=$(grep -a 'OPN' $recon*.csv | sort -nrk11 | tail -1 | awk '{print $6}')

# removes the trailing comma from the output of the previous line
ch=${channel::-1}

# running the packet capture for the defined amount of time, then stopping the process
airodump-ng --encrypt OPN --output-format pcap --channel $ch -w $pcapfile $i &> /dev/null &
sleep $capturetime
kill $!

# our work here is done, time to take a nap
shutdown -P now

The Automation

Once the script was created on the Pi (placed in /opt in my case), the next step was to manually run it to confirm that everything ran as expected: “sudo /opt/WiFiCap.sh”.   After a few successful tests it was time to move on to the final phase of this project... the automation.  Still being fairly new to the Linux and scripting world, this turned out to be more of a challenge than I had anticipated.  I scoured the internet, interacted with various forums, and tried numerous methods to have this script run automatically. Though I was able to get it to run via the standard methods for startup scripts, it did not actually execute all tasks correctly.

The issue (or what it logically seemed to be) was that the necessary services that aircrack-ng uses did not seem to be fully loaded until a user logged in.  I am sure that there is a method to successfully run this script prior to login, but I knew with certainty that it would work while a user was logged in.

After exercising my Google-Fu a little longer, I found that there was an option in the raspi-config (sudo raspi-config) to auto login as the default user on boot (Boot Options -> B1 Desktop/CLI -> B2 Console Autologin).

Now that the Raspberry Pi was booting and auto logging in, I just needed the script to launch without any interaction.  This required using the “.bashrc” file found in /home/pi to call upon the script. From the default login enter “sudo nano .bashrc” and at the bottom of the file add “sudo /opt/WiFiCap.sh”. Don’t forget to make sure the script has full read/write and execute permission: “sudo chmod 777 /opt/WiFiCap.sh”.
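A caveat on the chmod 777 step: a script that .bashrc runs through sudo on every boot is then writable by every local account on the Pi, so anyone with a shell could swap in their own commands and have them run as root. As an added example (not part of the original article; the function names are my own), a small POSIX shell check that refuses group- or world-writable scripts and sets an owner-only-writable mode instead:

```shell
# Added example: audit a script before letting .bashrc invoke it with sudo.
# audit_sudo_script and harden_sudo_script are names assumed here.
audit_sudo_script() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  # Portable permission read: in "ls -ld" output, character 6 is the group
  # write bit and character 9 is the world write bit.
  mode=$(ls -ld "$f" | cut -c1-10)
  gw=$(printf '%s' "$mode" | cut -c6)
  ow=$(printf '%s' "$mode" | cut -c9)
  rc=0
  [ "$gw" = "w" ] && { echo "group-writable: $f ($mode)"; rc=1; }
  [ "$ow" = "w" ] && { echo "world-writable: $f ($mode)"; rc=1; }
  return $rc
}

# 0755 still lets root (via sudo) execute the script, but only the owner
# can change what it does. Re-run the audit to confirm the new mode.
harden_sudo_script() {
  chmod 0755 "$1" && audit_sudo_script "$1"
}
```

Run "audit_sudo_script /opt/WiFiCap.sh" (or any path you pass) from the Pi and fix a failing result with "harden_sudo_script" before adding the sudo line to .bashrc.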

That’s it. The next time the Pi boots it will execute the script from a user run level, find the most active open WiFi and start capturing those packets. After the shutdown you can remove the Micro SD card and plug it into another system to copy the pcap file off and do with it as you wish (again, don’t be evil, don’t be stupid).