DEFCON 27 Conference. WiFi Hacking Tool Kraken

Darren Kitchen: Good afternoon. We are on the sidelines of the DEF CON conference at the booth of the hacker group Hak5, and I want to introduce one of my favorite hackers, DarkMatter, with his new project, the WiFi Kraken.


The last time we met, you had a huge backpack with a Cactus topped with a pineapple on your back; in general, those were crazy times!

Translator's Note: Mike placed a real pineapple on his Cactus device, a nod to the WiFi Pineapple, a hacker's device for intercepting wireless communications; see the photos from the Black Hat 2017 conference.

Mike Spicer: Yes, absolutely crazy times! So, this project goes under the hashtag WiFi Kraken and represents a new generation of technology in the field of wireless network monitoring. When I built the WiFi Cactus, I gained a lot of skills and decided to put that knowledge into practice, using it to achieve practical goals in a new project. Today I present to you the Kraken!

Darren Kitchen: And what is this Kraken? What is it for, and what is the purpose of this development?

Mike Spicer: The goal is to be able to capture all the data at once: all 50 WiFi channels in the 2.4-5 GHz range, all at the same time.

Darren Kitchen: Why don't you just use one radio channel to intercept all the data?

Translator's Note: Mike Spicer is the creator of WiFi Cactus, a device for monitoring 50 wireless channels used by mobile devices located within a radius of 100 m. WiFi Cactus was first shown to the public at the Black Hat conference on July 27, 2017. Link to the source: https://blog.adafruit.com/2017/08/02/wificactus-when-you-need-to-know-about-hackers-wearablewednesday/


Mike Spicer: It's problematic enough. Look at the environment we're in right now: there could easily be 200-300 people in this room with a bunch of devices communicating on different channels. If I listen to only one channel, I may miss some important information being transmitted at that moment on another channel. If you try to listen to all channels, you have to spend a lot of time hopping from one channel to another. The Cactus solves this problem by letting you listen to all these channels at the same time.

Darren Kitchen: What problems did the Kraken have to face?

Mike Spicer: One of the biggest problems was the 100 megabit Ethernet port I connected to my device, whose throughput did not suit me. When you have two radios doing 300 megabits with 802.11 radio endpoints, pushing too much data into the system severely limits throughput. So I wanted to widen the receive/transmit channel. In the next version of the Cactus, I migrated from a 100 megabit switch to a gigabit switch, which increased the throughput tenfold.

In the Kraken, I took a completely new approach: I connect directly to the PCI Express bus.

Darren Kitchen: About PCIe: I see here a whole bunch of radio modules with these aluminum corner antennas sticking out of them.

Mike Spicer: Yes, this is an interesting engineering solution based on parts bought on Amazon; I had to suffer through the cable management and spray-paint the antennas black.


The basis is the MediaTek MT 6752 wireless processor adapters for Android devices, and the most interesting part is the use of the Linux kernel driver. That means I can monitor channels, I can inject data, I can do all those cool things that we hackers love to do with wireless cards.

Darren Kitchen: Yes, I see here 11 cards for wireless communication: B, G, A, C.


Mike Spicer: In the 2.4-5 GHz range, 20 and 40.

Darren Kitchen: Minus "twenty" and plus "forty". In this way, different bands and their combinations can be used. This is something we already talked about when we discussed using a single radio scanner that hops across different radio channels. You listen to channel 1 and miss everything happening at that moment on channel 6, listen to channel 2 and miss the rest, and so on. Tell me, how many combinations of frequencies, channels and bands can your device process at the same time?

Mike Spicer: According to the latest calculations, the number of simultaneously monitored channels is 84. It is possible that someone will be able to monitor more channels, but the combinations I use give this number. However, this project lets you listen to only 14 of them, almost as many as the Cactus allows, but a little fewer. I hope I can apply some of the solutions from the Cactus to the Kraken to make it more efficient.

Darren Kitchen: Tell me, what do you use for capture?

Mike Spicer: I use the Kismet software, which is a network detector, packet sniffer and intrusion detection system for 802.11 wireless LANs. It's an amazing all-in-one piece of software that lets me run almost all of my DEF CON projects; it's super stable and has a web user interface. It can scan wireless networks and report what is happening there; for example, right now you see a red line on the monitor screen, which means that client devices are currently performing handshakes. This software processes radio data in real time. One of the problems I managed to solve using this software on this device is real-time data visualization, that is, I see on the monitor what is happening on the wireless network right now.


Darren Kitchen: And you don't have to wear your Cactus backpack to do it. So what exactly is in the Kraken's black box?

Mike Spicer: It's basically a set of USB 3.0 wireless cards, because I'm connecting directly to the PCIe bus.

Darren Kitchen: That is, you are using a real computer with an ATX form-factor motherboard. This is very similar to the 6-card USB 2.0 Alfa rig used many years ago, which used an ATX motherboard with 14 USB ports and needed a USB adapter added to work with PCIe cards. At the same time, there were problems with throughput. What is installed in this device? I see Intel.

Mike Spicer: Yes, this uses a 5th generation Intel i1 processor, nothing expensive; I took what I had. I have a spare motherboard with me, so if something breaks, I'll just replace it, so I'm ready to troubleshoot. I used the cheapest readily available off-the-shelf parts for the Kraken. This is not a Pelican case; I used what I call the Condition 150. This case is rock solid and $700 cheaper than the Pelican. This whole device cost me less than $XNUMX.

Darren Kitchen: And for 700 bucks you made a great wireless sniffer that can do a lot more than a single radio. How did you go about solving the bandwidth problem after moving away from the Pineapple?

Mike Spicer: Now we have two USB 3.0 ports, and I'll say something about the motherboard. If you look here, you can see a single USB root hub on one bus, so everything goes through a single 5 gigabit USB port. This is very convenient, because it's like having 250 devices connected to one bus, but it's not cool at all in terms of throughput. So I found these 7-port PCIe USB cards with a bandwidth of 5 gigabits each and combined them into one common channel with a large bandwidth, about 10 gigabits per second over the PCIe bus.


The next bottleneck is the SSD, used over 6 Gbit/s SATA, so I averaged 500 megabytes per second, or 4 gigabits.

Darren Kitchen: And you also talked about the title of your talk.

Mike Spicer: I called it "I Know What You Did Last Summer: 3 Years of Monitoring DEF CON Wireless Networks."

Darren Kitchen: And what kind of traffic, what data did you monitor at the last three DEF CON conferences?

Mike Spicer: The most interesting thing I found was an API leak. In total there were two such cases; one leak came from the Norwegian company met.no, the developer of the WeatherAPI weather forecasting application, and concerned the time of sunrise and sunset. This app sent an HTTP request in which the main parameters leaked were latitude and longitude, so it's completely harmless.

Darren Kitchen: I.e., anyone with the phone's unique MAC address could have intercepted that request...

Mike Spicer: Yes, and enter their own data to change the time of sunrise.

Darren Kitchen: Oops!

Mike Spicer: Exactly right, oops... I found another similar weather.com app that does the same thing; it's a ZTE desktop widget, and when I found it, it just blew my mind.

Darren Kitchen: Well, yes, they have a clear approach: why worry about HTTP, it's just weather data, no private information...

Mike Spicer: Yes, but the fact is that during installation most of these applications ask you to allow access to your location information, and you grant it, being sure that your personal data will be safe. In fact, HTTP leaks can completely undermine your trust in such APIs.


Darren Kitchen: You must have seen a whole bunch of unique devices here!

Mike Spicer: Yes, there are a lot of devices on the wireless network! During the previous DEF CON, Kismet crashed the server because it was processing data from a crazy number of devices that were on the WiFi network at the same time. The number of devices registered on the network reached 40! I have never bothered to count the total number of unique devices I have captured, because it is like looking down an endless rabbit hole.

Darren Kitchen: Well, yes, you are still at DEF CON! Here MDK3 and MDK4 get launched, a bunch of MAC addresses pop up, etc.

Mike Spicer: Yes, when people start running their ESP32 microcontrollers at the same time, all hell breaks loose.

Darren Kitchen: Is there any information about the Kraken on GitHub or on your blog?

Mike Spicer: Yes, I posted the code, because when I did some analysis of the captured data, Wireshark couldn't handle it: when you have a 2, 3, 5 GB file and want to look at an HTTP request, you have to wait 30 minutes. I'm a lone guy who just does traffic analysis, and I don't have a team to do it for me, so I have to do my job as efficiently as possible. I looked at several tools and talked to commercial developers, but their products did not meet my needs. True, there was one exception: the NetworkMiner program developed by Netresec. Three years ago, the developer gave me a free copy of this software, I sent him my comments, they updated the software, and now the program works perfectly, processing not all network packets but only those transmitted wirelessly.

It automatically splits traffic into parts and shows DNS, HTTP, and files of any type that can be reassembled. It is a computer forensics tool capable of digging deep into applications.

This program works fine with large files, but I still only ran custom query sets in it, and I still needed to find out all the SSIDs used on the DEF CON wireless network. So I wrote my own tool called Pcapinator, which I'll be presenting on Friday during my talk. I also posted it on my page at github.com/mspicer, so you can check whether it works.


Darren Kitchen: Collaborative discussion and testing of our products is a great thing, one of the key features of our community.

Mike Spicer: Yeah, I love it when people tell me "what do you think about this or that?" Just like with the Kraken, my idea was just to stick all these antennas in here, turn on the system, put it somewhere in a corner for 6 hours until the battery runs out, and catch all the local WiFi traffic.

Darren Kitchen: Well, it's great to meet you, and you guys come to Hak5 to see what Mike has done for all of us!


Source: habr.com
