esp8266 Bruteforce #2 CRAR

Zrzut ekranu 2018-03-27 o 22.40.18

Next day – next step.

So while being at the hotel after hours i finally decided to spend time on coding CRAR instead of watching the German Eurosport. One – i don’t understand a word, two time flies 3x faster during coding – so as i’m pretty much waiting for end of week to depart from here i started coding and testing.

First of all – Victim

So in order to test CRAR properly i had to find a good victim. Quickly downloaded the LAN Scan tool to figure out what’s happening here. The Hotel has a free WiFi connection so there should be also some router here that you can login to manage it. Quick scan revealed a good target for the game.

A

I opened the web page to figure out what am i trying to achieve here and i found what i was looking for. Simple login page using a POST to a PHP script – meaning we can easily craft the data and keep on sending. The web page presents itself as : Tiger IP Connect 5.1

Zrzut ekranu 2018-03-27 o 21.56.28

Googled quickly to figure out what is this – seems like a dedicated software to control/manage access to AP (see here). Doesn’t really mater as long as i can test CRAR on it. So, knowing we have a page to login, let’s see how data is posted to this http server. No fancy investigation was done just a view into the html output from this server.

Zrzut ekranu 2018-03-27 o 21.56.34

I easily found that the form with user/password is POSTing to index.php. Well with all that in hand i was ready to launch the ESP (well took one for a trip, knowing i will be bored as hell after hours hehehe).

Secondly – the configuration

Right, i hooked up my ESP to my Macbook and as the software was done  i started configuring the brute-forcer as per the details taken from the web page form.

B

There are couple updates here since my last post, mainly done for ease of setting up the whole process. Let me guide you through what are these settings.

  1. ESP starts in AP_STA mode, so that i can access it’s own WIFI when craxor is connected to victim AP. Thanks to this i don’t have to connect to victim’s WiFi anymore, i can reconfigure CRAR by connecting to the hotspot it creates.C

Settings are as follows:

  • WiFi – self explanatory, target (victim) AP SSID
  • Password – target (victim) AP Password – in this case, no password, public hotspot
  • Host – the HTTP ip address
  • URL – the URL for the POST
  • Body – the arguments for the POST (taken from the html form definition above), here i assume that the username is admin, why not. It’s just testing, nothing serious 😉
  • Min characters – this is to indicate minimum characters for Wordlist generator
  • Max characters – this is to indicate maximum characters for Wordlist generator
  • Socket Timeout – this is for the socket connect function, so it doesn’t get stuck waiting for socket to timeout, i make it 200ms
  • Charset – this is for the wordlist generator i basically say here that i want to generate 6 characters long including lower case, upper case and numbers.
  • Success Word – hehe bad naming but this is the text that when NOT found means we got this form cracked. Why ‘not’ found ? Well it’s because it’s hard to guess what page displays when login is OK, so it’s better to see if failure text is present every time we check new word from generator. If Failure text is not present, we might be already logged in!

Controls

  • Start – which is to start the bruteforce process
  • Pause – which is to pause the bruteforce
  • Reset – which is to restart the ESP (start from setup())

Status

  • Started flag (1/0)
  • Current Word – that’s basically the word we test against now
  • Total Epochs – number of epochs passed (iterations basically)
  • Epochs / sec – number of iterations per second
  • WiFi Signal – yeah, signal to the AP
  • WiFi Connected – just a flag if we’re connected

Results

Self explanatory 🙂

Page down there are more debug things you might be interested in, so here is the screen

Zrzut ekranu 2018-03-27 o 21.56.57

Basically what we see here is

Sent – what we have sent to the server

Received – what we have received from the server
Based on  received text area  you can deduct why i put “Invalid” in the Success Word field.

If Invalid is found, it means we have probably logged in. As long as this word is present in the response, we know we have provided invalid credentials.

Ok, so i’m leaving this soft running until the last day, we will see what happens, overall it’s just a test of the soft and the overall POC. As resuming the wordlist generation is also implemented, i can easily turn off and on ESP and cracking will continue from the last word saved.

Zrzut ekranu 2018-03-27 o 22.44.18

Will see where we are on Friday with that 😉

 

Peace

 

Advertisements

esp8266 bruteforce #1 CRAR

Zrzut ekranu 2018-03-26 o 20.43.02.png

Synopsis

Warrning – i have not enough photos in this post – basically writing it in a hotel.

Sundays are lazy days, that one was no different – with a cup of coffee and e-cig i was looking around for an idea when i realised i still have my Kali Linux laptop lying around and i can actually try to see if there is anything interesting around (last time i checked it was months ago). I moved last year to new home and pretty much haven’t played with Kali for some time. It was a good exercise to do and i just went for it.

Plugged my laptop into a socket (one of these laptops that do not work on a battery anymore 🙂 ) and sat again on the same couch. Quick scan and i realised there is some week/poor WPA2 / WPS signal broadcasted, isn’t something that i could use as a backup internet, but still was ok-ish to check against WPS (reaver) attack.

I kicked off Reaver and started cracking and went around the WPS weakness even though the signal wasn’t that good. After couple of hours pinning the WiFi router i finally got the key and connected. After adjusting the antenna several times i figured out that the network i have connected was running near my home, the distance was around 30m (garden). Signal was absolutely weak.

Quick scan of the LAN revealed two interesting hosts one of which was a router with some sharing enabled (ftp,http opened).

As usual, the dumb-mode test has been executed and i found there is no admin/admin, admin/password or even anonymous access granted to both the http / ftp. Opening the web page of the router gave pretty much a login screen and that was it.

The quality of the connection wasn’t enough to keep alive for longer than couple of minutes, either it was dropped or i had pings lost, so checking above credentials took me some time and patience.

I figured out at that point that there is absolutely no sense to push on testing it that way and it would be more beneficial if i think of a solution to leave this process automated close to the garden fence and forget about it until something is found.

Let’s get dirty and prepare a plan

What do i want to automate?

I want to get into that http://192.168.0.1 which is serving the HTTP login, forget the FTP for now – i guess when access to HTTP will be granted, we will get access to all services there.

How do i want to automate it?

Brute-force – just go with the most simple approach but keep the process flow inteligent by ensuring that when power is lost, we don’t start from the beginning, that we can get a wordlist or go full hardcore by doing a words generation for fun. Also, i don’t need a process that takes me minutes to setup – the game itself is considered a waste of time, so need myself spending +10minutes on starting laptop, bash scripting and stuff – i need something low level and firing up straight away when switched on.

Deciding on the right hardware

Knowing all of the above i realised that the best solution for my exercise would be a esp8266. I always believed ESP’s are made for more than just turning the light on/off as an IOT device. I see two possible options here

  1. Put the ESP8266 with a power-bank into a Coca Cola bottle (to make it water resistant / rain / snow ). Fantastic idea to drop these kind of things wherever needed, but there’s a big problem here – Battery.Zrzut ekranu 2018-03-26 o 22.02.59Well as this is just a fun project  i don’t mind; i know brute forcing can take ages so i don’t mind to pick it up from time to time and recharge. Software however needs to tackle this properly – as mentioned earlier, once dropped i never get back to it for setting up, only recharging.

    Above require a software to notify about the low battery – but i’ll get to that later on.

    Ps. How cool would it be to have it running for weeks on batteries, in that case you could drop it in some distance place and come back for it in days.

  2. Install the ESP8266 in the garden lamp (already 12Volt enabled) – and keep it running there for ages – seems like the simplest solution without any cons. But, i don’t like it – i like the idea of having an option to drop a cracker somewhere or stick it. Lamps are generally already installed, i doubt i will get a good signal out of them – so this is a NONO – however a possibility.
    Zrzut ekranu 2018-03-26 o 21.29.10

 

So out of these 2, i choose option one and try to ensure it gets ultra small size – don’t want a 2L coca cola bottle lying in my garden whole summer 😉

For that i’ve seen already good projects for IOT gardens – i’ll copy a good solution and post a photo in next update.

So having hardware plan already, i move on to the next step.

Software – bringing life

Let’s start with the assumption that CRAR is not a WiFi cracker, so in order to operate it already needs wifi credentials – but that’s all clear.

Now the logic behind it should be ultra simple:

  1. Start
  2. Load config (contains last word from which to resume and other settings)
  3. Check if WiFi connected
  4. If not, reconnect, goto 3
  5. If yes, connect to the specific IP address (tcp)
    1. if not connected goto 6
    2. if connected
      1. send a prepared url as an HTTP packet
      2. check for the response
        1. if response contains “SPECIFIC_WORD/CONTENT” – cracking completed
        2. if response does not contain “SPECIFIC_WORD/CONTENT” – not cracked
      3. generate next word (wordlist generator)
      4. Save Config
  6. Serve HTTP web page so we can access this esp and check for stats
  7. Send out notification (via pushover) when Cracking completed / Battery level low

Voilla, that’s it.
This logic ensures that when this nitty device gets plugged in – it loads up the latest word  and resumes from it. That we have a wifi reconnection tackled and that we are serving a Web server – at any time we can control the device with a simple web server, and that we finally get a notification when things are done / about to be off (battery)

As usual i started coding

Zrzut ekranu 2018-03-26 o 20.22.33

This is a screen shot of an esp running a brute force against a Raspberry PI PHP crafted page to see if all works fine – looking at this already, i spot a place for a more distributed approach to this cracking, but it’s not a rocket science so i leave it up to you:)

Next step is to move it really to a production environment, meaning i will be sharing more shots of the victim’s router, hardware and some code snippets – where finally i will drop it in the garden and we will all start the timers. We will see if CRAX0R makes anything out of it 😉 If not, it’s still a great fun!

Stay tuned.

IoT – The WiFi Probe REQ an RTLS. Tracking WiFi Devices for a penny.

zrzut-ekranu-2016-09-14-o-08-35-27

Every WiFi enabled device that you have (laptop, phone, tablet, kindle, watch, … ) is sending a PROBE REQuest packets in background to figure out if there are any known AP’s.
It’s done transparently, wether you are in a shopping center, outside in a park, or in the mountains – it’s a continuous process.
If an AP is found the device automatically associates to let you stay online ASAP. This is built in the 802.11 protocol. (More)

Knowing that every single device is broadcasting a Probe packet i figured out that it might be interesting to place couple of ESP8266 around with sniffer mode enabled to listen to these Probe Requests and forward them to a central server for analysis. The idea behind that is to be able to track every device between zones (places where ESP8266 are located) and guess what, i had couple of hours free to code and try it out.

I placed couple of nodes in different places within the city and enabled sniffer mode that looks for 0x40 802.11 type packets (PROBE REQUEST). When a packet is received it is sent out to a central server where packets are stored and presented later on on a web page.


This time i used ESP8266 on a ‘Witty’ chip – it’s a cool 2cmx2cm sized board that has a single button, rgb led built in and obviously an USB power. Pretty cheap, you can get tons of them for almost ‘no money’.

Every single ESP8266 device in this system that listens for packets is called ZONE, so if you place 4 of them in different locations – you have 4 zones. I have placed 2 of them for tests, one in the Garage and one outside in the area where i live. This is to figure out if i can determine wether people (and at what time) travel between garage and main area, how often and at what time. Time for a start, ESP’s placed, kick started – analysis time.

zrzut-ekranu-2016-09-14-o-08-51-13

The above graph shows number of packets for every hour in last 24hours, there’s a quite number of packets received as you can see, big-data time 😉

As i have two zones, let’s see how active they are – meaning, when was the last packet received at which zone – this helps me out to determine the Per-zone activity and eventual down-times of the zone nodes.

zrzut-ekranu-2016-09-14-o-08-52-49

You can clearly see that both zones received their last packets 2/3 seconds ago – so somebody was hanging around there with a device sending probe requests, good! Let’s move on, let’s find out what is the packet per zone distribution.

zrzut-ekranu-2016-09-14-o-08-54-28

Sensible, the MAIN zone that is outside in the main area of my home is definitely more active, garage makes only 6.7% of all the packets received. Let’s find out what happened in GARAGE in last 24 hours.

zrzut-ekranu-2016-09-14-o-08-55-52

Ahh more graphs, more stats – fantastic. GARAGE Zone received 62 Probe packets in last 24hrs, the peak was around 7 am (where people started to jump into their cars to drive to work).  In total there are 17 UNIQUE devices found, so potentially we can assume there were 17 persons in the zone. Need more info…

zrzut-ekranu-2016-09-14-o-08-57-28

Brilliant, i can see which device was the most ‘popular’ one, meaning was having the biggest ratio of PROBEs sent across the 24hrs time and in total. Beside i can see live packets coming in from the ESP. Let’s look at this B0:79 – looks like the most popular one, a single click on the device and we’re entering a Device tracker sub-page where..

zrzut-ekranu-2016-09-14-o-08-58-54

I can figure out that it is a Motorola device (based on MAC OUI) and

zrzut-ekranu-2016-09-14-o-08-59-04

This Motorola sent 32 packets in last 24hrs, it was seen only in one zone (GARAGE) and it was most active today at 07:00 AM. Great, let’s go deeper…

zrzut-ekranu-2016-09-14-o-09-01-03

Above is a confirmation of the fact that Motorola was seen only in Garage (wasn’t captured by MAIN zone) – live packets on the right hand side. But let’s see the whole history of this device shall we?

zrzut-ekranu-2016-09-14-o-09-02-31

You can clearly look at each of the devices found and track it’s activitiy. What’s even more i can see the RSSI value – that tells me the distance of the device to the zone node.
This Motorola was first found today at 02:52 AM, interesting. The RSSI tells me it was probably on the opposite side of the garage (which is quite big) – meaning far away from the node! Knowing the Garage i can immediately figure out where this person was moving.

Let’s go back and pick up different device.

zrzut-ekranu-2016-09-14-o-09-17-25

zrzut-ekranu-2016-09-14-o-09-17-48

This one is more interesting, somebody was seen in both zones with this device, i wonder at what distance and time.

zrzut-ekranu-2016-09-14-o-09-18-50

First seen at 7:54 today, wen to a garage (7:55) and was pretty close to the NODE at 7:56. Then the signal is getting weaker (jumped into the car probably) as minute later the signal was lost.

As you can see a simple system that costs $3.20 for each node can be turned into a quite sensible real time location service. Knowing that a deployment of 100 of nodes is still low cost – you can imagine how this can help out in business stats, emergency tracking, and advertisement targetting systems (tv screens knowing the profiles  (vendor) of candidates per week/month/season can push targeted ads). There is a big space for project like this to go live and for sale. It’s nothing new – but it’s definitely the most affordable one you can get ($3.20 for a node!).

zrzut-ekranu-2016-09-14-o-09-23-25

zrzut-ekranu-2016-09-14-o-09-23-44

In terms of the project – i keep it live, costs almost nothing so i’ll be adding nodes just for fun 😉

Update. I recalculate RSSI to Meters (distance), it makes more sense now.

zrzut-ekranu-2016-09-14-o-12-05-40

 

Spooky and PS_POLL incident

Just placed a new Spooky at my apartment on the balcony.
Btw, every time a blue internal led blinks – it means Spooky has parsed a packet.

And guess what next?

spoku

Just got a notification after couple of hours running of a PS_POLL traveling from unknown to unknown.

Zrzut ekranu 2016-08-04 o 20.22.17

A PS_POLL frame indicates (in shortcut) that some device went sleep and checks at some point wether there is any packet queued on the AP to be received.

To assist stations with power saving, Access Points (APs) are designed to buffer frames for a station when that station is in power save mode and to transmit them later to the station when the AP knows the station will listen. When a station is in power save mode, it turns off its transmitter and receiver to preserve energy. It takes less power for a station to turn its receiver on to listen to frames than to turn it its transmitter on to transmit frames. For this reason, it’s more power-efficient for an AP to inform a station if it has buffered frames present on the AP than to have the station poll the AP querying if frames are present.

…if its sees that the AP has buffered frames for it, it must send a Power Save Poll (PS-Poll) control frame to retrieve each buffered frame on the AP

So far so good, but i don’t recognize source and destination here.
First let’s find out if there is any packet flying over WiFi with these MAC addresses.

root@kali:~# airodump-ng wlan0mon

Comes back with
Zrzut ekranu 2016-08-04 o 20.47.07

It doesn’t ring a bell, this is not my AP, Spooky is monitoring for A4:2B:8C:18:59:BA.
So it looks like a station (18:E2:C2:21:BE:68) is sending PS_POLL to AP(DC:53:7C:99:E8:97) and has my BSSID(A4:2B:8C:18:59:BA)..

Let’s find out if i can sniff 18:E2 in the air…

Zrzut ekranu 2016-08-04 o 21.08.40

And this station is certainly associated with the strange AP.

Zrzut ekranu 2016-08-04 o 21.09.10

A quick MAC Vendor check returns
Zrzut ekranu 2016-08-04 o 21.09.58

So most probably this is a phone.
Still i don’t understand why is it trying to push PS_POLL to my BSSID ?

Let’s mark this as “Investigation in progress”.

ESP8266 – WIDS – “Spooky”

Okay this is both #ESP8266 and #Security.

When i first got my hands on the ESP8266 i was curious how much can be done with the chip in terms of security. Knowing that the chip can go ‘monitor’ mode it was clear to me that first thing i’ll code would be the Wireless Intrusion Detection thing running on a 5v low power chip. At that time i ordered something what is called #NODEMCU and the fun started.

IMG_2941

The chip itself is capable of running a callback on ever packet it receives with a function:

static void ICACHE_FLASH_ATTR handle_pkt(uint8_t* buf, uint16_t len)

There is actually an official “Sniffer” PDF document by Espressif, google it for more details.

So the way Spooky works is simple. It captures packets within BSSID that is your local home Access Point. When a packet is received, it scans through 802.11 to find the source and destination. If Source or Destination is not listed on the ‘trusted mac’s’ list then it adds this traffic to a list that is then sent out to your Gmail account every hour.

So long story short, Spooky monitors for a non-trusted traffic (that has to be defined by user) and reports it when found via E-Mail, see below for example.

A Spooky generated e-mail notifying of unknown traffic (this is an unknown device authenticating on my AP)

 

 

And a simple configuration page with trusted devices added

 

static void ICACHE_FLASH_ATTR handle_pkt(uint8_t* buf, uint16_t len)

So how is this all programmed?
Firstly all is coded in C with Arduino IDE – it’s just great we can code chips with C. It was my first adventure with chip programming and i was very happy i didn’t have to lear myself some ASM or other script-kiddie language around.

The code itself is very easy, ESP8266 has a file system (SPIFF) so the configuration is loaded/stored directly from that file. I could easily skip writing/reading from EEPROM thanks to this.

All these Web server things are built in and available as ready to use classes so i will not go into details with that.

The Sniffer Callback function has to be very quickly executed or WatchDog will restart the chip, so there is no room and space and time for a lot of work to do. Knowing that i am only doing quick 802.11 inspection to find out RSSI, BSSID, Source, Destination and packet type in accordance to the below 802.11 header

802dot11_frame

First i find out the packet type by defining them as below:
Zrzut ekranu 2016-08-04 o 10.58.11

Then i filter out all Beacon and Probe request type of frames as they fly around and Spooky will identify them as unknown traffic. So i’m looking only after DATA and MANAGEMENT type frames that are Directed towards user selected Access Point BSSID. This is how i get only the interesting packets out of the chaos around.

Next i read out Source / Destination by looking into ToDS FromDS fields – these are swapped around in regards to the frame type, so be careful how you read them. An example below:

Zrzut ekranu 2016-08-04 o 10.57.11

Then we get the RSSI of the packet, this is easily taken from ESPRESSIF RxControl header within 802.11.

At this moment Spooky knows:
– What is the Packet type
– What BSSID is packet traveling within
– What source is this packet coming from
– What destination is this packet going to
– RSSI

Now having all above and list of trusted MAC addresses, it is easy for Spooky to identify wether a traffic directed within a defined BSSID is trusted or non trusted.
Anything coming from/to a MAC address that is not on the trusted list and having BSSID as defined by user is considered untrusted – and Spooky will email you the details.
All the rest is trusted so Spooky will ignore the traffic.

So the idea of using Spooky is quite simple:
Whenever you get an untrusted traffic notification from Spooky – you either block the MAC address on your Router (if you can’t identify it) or add it to Spooky Trusted MAC’s list (if you know the MAC).

Thanks to this you keep your AP safe and you are notified of unknown events. The word Notified is important because you don’t have to check your AP logs (who does it anyway?)  for intruders and you can respond to events immediately. And yes i know routers can be configured to block untrusted MACs, but i never used that option.

Spooky went into release and some of the users even made a small TicTac version of it.

 

I expect to make some 3d printed cube for spooky in free time. If you are interested in the code i will be posting it shortly.