Pineapple Pi

Creating an Automated Open Wi-Fi Traffic Capturing Tool for Under $20

by Br@d

The Intro

I never thought of myself as a hacker, though looking back I have had that mindset from a very early age.  I was always curious about how things worked.  In fact, I recall one time when I was only around six years old taking apart my Alphie II to try and figure out how this little robot knew what paper card I inserted and responded accordingly.

This curiosity lay fairly dormant inside while I was growing up, only to make brief appearances throughout the years.  I can recall a resurgence when I was starting to enter my teen years and discovered computer games.

My friend's parents had just bought him a copy of Doom II which came on a CD!  At this time, my family could not afford such luxuries as a CD-ROM, so with a little trial and error I discovered that I could use PKZIP to split the data from the Doom II CD to approximately eleven 3½" floppies so that I could have my own copy of the game.

Ultimately, I believe that it was this mindset that led me to a career in IT.  I have now been working in the industry for a little over ten years, with my time split almost 50/50 between working in the public sector with small enterprise and most recently as a consultant for a small IT consulting firm.  Over the past few years, my job role has steadily been transforming into a network security-centric role.

When I started focusing my career on defensive security, my curiosity for how things worked was re-ignited.  As I started hearing about the different techniques that the "bad guys" (what the media unfortunately labels hackers as) use to compromise networks, I wanted to know the details of how these attacks worked.  I started watching various security and anti-security podcasts, started to buy copies of 2600 on a regular basis and eventually subscribed.  I kept consuming information on the surface, learning just the basic concepts of how exploits are used.

This cursory knowledge was great for learning what needed to be done in order to better protect the clients of my day job.  But this was still not enough; it was time for me to get my hands dirty and start to learn the ins and outs of the offensive security world.  Having a specific interest in networking, I decided that I was going to start by focusing on wireless security.  Having known about the Wi-Fi Pineapple for many years: wifipineapple.com

I decided a few months ago to purchase one to start learning more and executing proof of concept attacks (on a test lab, of course).  I liked the idea that it had a nice web GUI (and I could postpone learning Linux) and many of the standard wireless testing tools preloaded or available with a mouse click or two.

After playing with my Wi-Fi Pineapple for a few months and learning many new things about how wireless actually works, I came up with a scenario that I wanted to test, but there was no Pineapple module for it.  Since it is well known that using open Wi-Fi is a bad idea, as the traffic to the AP is in the clear and available for anyone with the right tools to capture, I thought it would be great to have a small device that could automatically and discreetly find the most active open Wi-Fi within range and start capturing the traffic.  Proving that this was possible will hopefully aid in the battle of convincing Joe Public that open Wi-Fi is bad, since now you do not have the heads-up of a hooded figure with sunglasses and laptop covered in stickers sitting in the corner of your coffee shop (where I happen to be writing this) reminding you that your information is not safe.

The Disclaimer

OK, before I go any further, I feel obligated to add the expected disclaimer.  This part is very simple: don't be stupid, don't be evil.  This information is presented purely for educational purposes.  This project is designed to reinforce the fact that it is never a good idea to use an open hotspot, especially without protection (some form of VPN), and also to display some of the cool and wonderful things that can be achieved with a SoC (System-on-a-Chip), along with the dangers attached to it.

So, with that said, if you decide to do something stupid with this information and get in trouble, I told you so, and it's not my fault.

The Pi

Right from the start of this project, I knew that the Raspberry Pi would be the base hardware.  Having only the basics of scripting knowledge from administering Windows systems, I wanted to stick with something that was well documented, as I knew this was also going to be a great learning opportunity.  The first step was to pick the type of Pi.  Having read the specs of the built-in wireless of the Pi 3, I knew that it would not support the required software.  This meant that I was going to have to add a USB Wi-Fi adapter, and I did not want to have to script my way around finding which of the two adapters would be the right one, as testing later showed that they often swapped wlan designations.  It did not take long to settle on the Pi Zero, as it was small, did not have its own wireless to cause scripting issues, and was cheap ($5).

The next step was to choose the OS to use.  This was a very easy decision.  Again, looking for something well documented to help a noob out, I went with the latest version of Raspbian Jessie Lite, available at: raspberrypi.org/downloads/raspbian

Since the goal was to create a device that booted and executed a script automatically, there was no need for a GUI, as it would be running headless.  Now, since the Pi Zero only has two USB ports (one for power and one for peripherals), I recommend using a USB hub or Pi HAT to aid with the setup and configuration.

The NIC

Having the base hardware and OS sorted out, it was time to move on to the wireless adapter.  There are all kinds of Wi-Fi USB NICs that will work for this project.  They come in a variety of shapes and sizes, each with their pros and cons.  You can get larger adapters with a higher gain antenna, which will allow you to capture traffic covering a broader distance.  Or you can get smaller ones that are the size of your thumbnail, making them very inconspicuous, but sacrificing the range.

It really does not matter what adapter you choose, but its chipset must support monitor mode.  For help finding an adapter that supports this mode, I recommend checking out this compatibility guide at: aircrack-ng.org/doku.php?id=compatibility_drivers

I decided to use the TP-Link TL-WN722N since it has the right chipset, it is a good balance of size and range, and can be easily found online for $15 or less.

The Battery

Being an IT pro, I have had the opportunity to attend numerous industry conferences over the years.  For a while, portable cell phone charger battery packs were the swag of choice that vendors used to lure you to their booths.  These chargers are usually compact, have a capacity ranging from 2200-3000 mAh, and more often than not have a power-on button, which is a key feature for being able to quickly and discreetly start the traffic capturing process.

So for this project, it just made sense to use one of these "swag juice packs" for my power source, despite the fact that it is total overkill for short term "testing."

The Raspberry Pi Zero is very power efficient.  When running idle without any peripherals, it only draws around 100 mA.  Adding a USB Wi-Fi adapter adds overhead.  However, if you disable the LEDs and power to the mini-HDMI port (since it will be running headless), your idle power is still only around 120 mA!

That means that with one of my free 2600 mAh battery packs, I'd have just over 21 hours of idle time, or somewhere in the vicinity of 15 hours of active use when implementing the power saving tweaks.

The Prerequisites

Now at first boot, the Raspbian OS does not come with everything that you need to hit the ground running.  There are a few prerequisites needed prior to installing and using the aircrack-ng tool suite.  Thankfully, these can be installed with a single command:

$ sudo apt-get -y install libssl-dev libnl-3-dev libnl-genl-3-dev ethtool rfkill

Once the install is complete, you can download the aircrack-ng package to your Pi via:

$ sudo wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz

(I chose to do this in /opt).

This was the latest release at the time of writing - please refer to aircrack-ng.org for future releases.  Once the download is completed, go ahead and unpack it with:

$ tar -zxvf aircrack-ng-1.2-rc4.tar.gz

Next, move into the unpacked directory and compile the source:

$ sudo make

then, when that completes, run the installer:

$ sudo make install

The final step (and the installer will remind you) is to update the OUI database:

$ sudo airodump-ng-oui-update

The final prerequisite (if you are going to use my script "as is") is to create the folder that the survey and captured packets are written to.

First, make sure you are in the root directory (/) and enter:

$ sudo mkdir DaCaps

The Code

#!/bin/bash

# references the interface
wlaninterface=wlan0

# add "mon" to the interface name for use with airmon-ng and airodump-ng
m=mon

i=$wlaninterface$m

# sets the base file name for the wireless survey 
recon=/DaCaps/scouted

# sets the file name for the pcap file to write to
pcapfile=/DaCaps/DaCapFile

# sets the length of time to run the survey for - in seconds
recontime=120s

# sets the length of time to run the packet capture for - in seconds
capturetime=3600s

# general house cleaning to remove previous captures
rm $recon*.csv &> /dev/null
rm $pcapfile*.cap &> /dev/null

# setting wlan0 into monitor mode
airmon-ng check kill &
airmon-ng start $wlaninterface &

# running the wireless survey for the defined amount of time then stops the 
# process
airodump-ng -w $recon --output-format csv $i &> /dev/null &
sleep $recontime
kill $!

# finds the open Wi-Fi network with the most active traffic and gets the 
# channel number
channel=$(grep -a 'OPN' $recon*.csv | sort -nrk11 | tail -1 | awk '{print $6}')

# removes the comma from the output of the previous line
ch=${channel::-1}

# running the packet capture for the defined amount of time then stops the 
# process
airodump-ng --encrypt OPN --output-format pcap --channel $ch -w $pcapfile $i &> /dev/null & 
sleep $capturetime
kill $!

# our work here is done, time to take a nap
shutdown -P now

The Automation

Once the script was created on the Pi (placed in /opt in my case), the next step was to manually run it to confirm that everything ran as expected:

$ sudo /opt/WiFiCap.sh

After a few successful tests, it was time to move on to the final phase of this project: the automation.  Still being fairly new to the world of shell scripting, this turned out to be more of a challenge than I had anticipated.  I scoured the Internet, interacted with various forums, and tried numerous methods of having this script run automatically.  Though I was able to get it to run via the standard methods for startup scripts, it did not actually execute all tasks correctly.

The issue (or what it logically seemed to be) was that the necessary services that aircrack-ng used did not seem to be fully loaded until a user logged in.  I was sure that there was a possible method of successfully running this script prior to logon, but I knew with certainty that it would work when a user was logged in.

After exercising my Google-Fu a little longer, I found that there was an option in the raspi-config:

$ sudo raspi-config

to auto login as the default user on boot: Boot Options -> B1 Desktop/CLI -> B2 Console Autologin

Now that the Raspberry Pi was booting and auto-logging in, I just needed the script to launch without any interaction.

This required using the .bashrc file found in /home/pi to call the script.  From the default login, enter:

$ sudo nano .bashrc

at the bottom, add:

sudo /opt/WiFiCap.sh

Don't forget to make sure the script has full read/write and execute permission:

$ sudo chmod 777 /opt/WiFiCap.sh

That's it.

The next time the Pi boots, it will execute the script from a user run level, find the most active open Wi-Fi, and start capturing those packets.  After the shutdown, you can remove the microSD card and plug it into another system to copy the PCAP file and do with it as you wish (again, don't be evil, don't be stupid).
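One thing worth checking before leaving a setup like the one above in place: the script is run as root through sudo from .bashrc, and chmod 777 makes it writable by every local account, so anyone who can write /opt/WiFiCap.sh gets their own commands run as root on the next login (and a .bashrc hook fires on every interactive shell, not only at boot).  The audit script below is an added example and is not part of the original article or its WiFiCap.sh: it scans a shell startup file for commands invoked through sudo and flags any target that is missing, group-writable, or world-writable.  The helper names (mode_of, check_script, audit_rc, demo) and the throwaway files it creates are my own; it assumes POSIX sh with ls, awk, and mktemp available.

```shell
#!/bin/sh
# Added example, not from the article: audit a shell startup file for
# commands run through sudo and flag target scripts whose permissions let
# other accounts rewrite them. Assumes POSIX sh plus ls(1), awk(1) and
# mktemp(1); every helper name and sample file here is constructed.

# mode_of FILE: prints the symbolic mode column from ls -ld, e.g. -rwxrwxrwx
mode_of() {
    ls -ld -- "$1" | awk '{ print $1 }'
}

# check_script FILE: prints one finding line. Returns 1 if FILE is missing
# or writable by group or others, 0 if only its owner may write it.
check_script() {
    f=$1
    if [ ! -e "$f" ]; then
        printf 'MISSING         %s\n' "$f"
        return 1
    fi
    m=$(mode_of "$f")
    case $m in
        ????????w*)                 # character 9 of the mode is the others-write bit
            printf 'WORLD-WRITABLE  %s (%s)\n' "$f" "$m"; return 1 ;;
        ?????w*)                    # character 6 of the mode is the group-write bit
            printf 'GROUP-WRITABLE  %s (%s)\n' "$f" "$m"; return 1 ;;
    esac
    printf 'ok              %s (%s)\n' "$f" "$m"
    return 0
}

# audit_rc RCFILE: for each non-comment line of RCFILE that contains "sudo",
# take the first argument after it that is not an option (-E, -u, ...) and
# check that path. Returns the number of risky or missing targets found.
audit_rc() {
    rc=$1
    bad=0
    for target in $(awk '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "sudo") {
              j = i + 1
              while (j <= NF && $j ~ /^-/) j++
              if (j <= NF) print $j
          } }' "$rc"); do
        check_script "$target" || bad=$((bad + 1))
    done
    return $bad
}

# demo: rebuilds the article's layout in a throwaway directory (a .bashrc
# that sudo-runs a chmod 777 WiFiCap.sh) beside a 755 script, runs the
# audit and prints the count of findings. Always returns 0.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho "capture script stand-in"\n' > "$d/WiFiCap.sh"
    printf '#!/bin/bash\necho "other script"\n' > "$d/safe.sh"
    chmod 777 "$d/WiFiCap.sh"
    chmod 755 "$d/safe.sh"
    printf '# constructed .bashrc\nsudo %s/WiFiCap.sh\nsudo %s/safe.sh\n' \
        "$d" "$d" > "$d/.bashrc"
    n=0
    audit_rc "$d/.bashrc" || n=$?
    printf 'risky targets: %d\n' "$n"
    rm -rf "$d"
    return 0
}

demo
```

Run it as-is to see the demo, or call audit_rc /home/pi/.bashrc on a real Pi; a return value of 0 means every sudo target is writable only by its owner.  Tightening the article's setup to chown root:root and chmod 755 (or 700) on the script removes the finding without changing how the script runs.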

Code: WiFiCap.sh
