Introduction: The 802.11 Ninja - Portable 802.11 Hacking Device
Before we begin this tutorial, I have to mention that I haven't even brushed the surface of possibilities that this awesome little piece of hardware offers! Not every implementation of the 802.11 Ninja won't need every single feature, so using creativity and imagination while leveraging what the actual needs are from the hardware is important and fun!
The 802.11 Ninja is a hardware device that can be used stealthily during a penetration test, or even on the dashboard of your vehicle during a wardrive or reconnaissance. It can be used as a Wireless Intrusion Detection System (WIDS), or even as a simple network diagnostic tool. Because the Raspberry Pi OS (Raspbian OS) is Linux based, we have access to the unlimited power that Linux has to offer as well. This includes Perl, Bash and shell scripting, and the Aircrack-ng Suite of 802.11 penetration testing tools. The one featured in the pictures above also has a built-in GPS radio to capture Access Point (AP)/GPS data using the WARCARRIER software that I wrote a while back.
The alternative to this dedicated hardware could be an Android device, as I have also written WARCARRIER for Android as well (unreleased/TBA), but this type of 802.11 scanning (probing) is not as accurate, fast, and reliable as pure RFMON (monitor mode) passive/promiscuous scanning. This is especially true during a penetration test. Also, if doing reconnaissance, it wouldn't be as painful to have a "$35 ARM powered Linux Computer" (O'REILLY) stolen while in operation than a $200 to $800 tablet!
802.11 Protocol Terms
Here I will cover a few 802.11 Protocol terms for those new to the world of WiFi penetration testing. These terms will be used throughout the rest of this documentation.
- AP - Access point - the wireless router
- 802.11 - the protocol used by WiFi for packet management and the transit of data
- MAC Address - media access controller address - unique to each network radio, or adapter.
- ESSID/SSID - extended service set identifier - the broadcast name of the access point, e.g. "Free WiFi" or "Linksys"
- BSSID - Basic service set identifier - the MAC address of the AP
- RFMON - Radio Frequency Monitor Mode - mode for packet sniffing with an 802.11 radio
Aircrack-NG Suite Tools:
- Airodump-NG - 802.11 protocol analyzer - packet sniffing
- Aireplay-NG - packet injection into 802.11 networks
- Airmon-NG - tool for putting the 802.11 adapter/radio into RFMON mode
- Airbase-NG - tool for creating an AP using a simple 802.11 adapter/radio
In this tutorial we will briefly cover the following topics,
- Fitting an ALFA 802.11 adapter and Raspberry Pi (B) into a chassis
- Wiring up LEDs and Buttons for output and input from the GPIO pins on the Raspberry Pi
- Writing scripts that initialize GPIO pins for I/O in Raspbian OS
- Linux (Raspbian OS (Debian for ARM))
- Start up scripts
- How to control LEDs
- How to read button presses
- mass de-authentication for obtaining sensitive WPA protocol packets that can be used to possibly recover the client-target's WPA2 password during a penetration test.
- Airodump-NG for capturing 802.11 packets
This tutorial requires the following hardware (It's what I used anyways, parts can be substituted)
- Advantus Super Stacker Crayon Box (I use the same chassis in my other Instructables.com tutorial on making an Arduino-based Blue Box)
- Raspberry Pi B (I used this kit from RadioShack)
- Momentary push button
Again, not all implementations will be the same, I am sure. Just getting up and running with the a single WiFi card and Airodump-NG is still a fun little project alone!
Step 1: The Chassis
Aligning the Parts
I used the Advantus Super Stacker Crayon Box, which proved very suitable for hosting the wires, GPS and 802.11 Radios, and the Raspberry Pi. It's the most challenging part of this project, but after doing a few others that required plastic carving and drilling, it gets easier and your projects start to look nicer.
Line up the parts in the chassis in a way which will allow heat to escape, access to all important ports (including the HDMI port on the Raspberry Pi for easy access), and allows us to easily expand upon the project by adding wires and solid state components to the GPIO pins. I stacked the Raspberry Pi on top of the ALFA adapter and used a piece of black electrical tape to temporary hold the pieces together. Then, laid the device into the Crayon Box and marked a hole for the ALFA adapters antenna to extend out of through the bottom. After which I made the hole slightly larger near the tip to accommodate for the antenna screw down nut.
Also, there are heat-sinks that will fit into the Crayon Box as well, made just for the Raspberry Pi like these. Also, a simple heat sink typically used for a voltage regulator will do also, if a creative way is found to mount it to the board.
Carving Holes and Mounting
For carving out large sections, hold the component in the chassis and mark with a Sharpie marker exactly where the hole should go. Then, use a Dremel Drill tool and make holes periodically around the outline. After making a few, use a little pressure and follow the entire outline from hole to hole carving out the plastic entirely. It should be very easy if a enough preliminary holes are made.
The only bolt required went directly though the mounting holes of the Raspberry Pi and the ALFA adaper. A small gold washer was used after carving out some support rails in the bottom of the case as seen in the pictures above. Between the ALFA adapter and the Raspberry Pi, I used the rubber bumper self adhesive pads listed in the Requirements List. This lets some heat flow between the boards up out of the case and prevents circuits or surface mounted components from touching. They also work really well to support components and even for feet on the bottom of the chassis to help support it if it's standing.
If the holes in the chassis are carved slightly smaller than the size of the component which will extend out of the chassis, it should help to support the component as the part is pushed into the hole. For example in the images above, the GPS radio and antenna are one single piece. The antenna (square piece) sticks up out of the chassis and the hole for it in the chassis is slightly smaller than the antenna. This actually supports the antenna completely without any need for additional support.
Also, as seen in the images above, I have removed the large yellow component video output jack from the Pi. I did this using a pair of wire cutters and just cut the three prongs leading to the motherboard.
The wires are all looped and held together using small black zip ties. This frees up room around the device and helps to hold them in place. For this tutorial we will be hooking the wires from,
- pin 7 to the positive side of the LED
- ground to the (longer) negative side of the LED
- pin 8 to one side of the momentary push button
- 3.3 (3V3) pin to the other side of the momentary push button switch
Then we need a 10K ohm resistor from the side of the push button that is connected to the pin (8), to the negative (grounded) pin of the LED. A schematic can be viewed in the images above. This is a very simple schematic and we can learn more about it from the Introduction Manual (O'REILLY) that comes with the Raspberry Pi kit.
The BU-353 GPS radio is a simple USB GPS radio which can be seen in the images above. It is the square USB component. The device comes in a large circular black plastic housing, which can be removed. Also, the USB cable leading from the device can also be trimmed and spliced to be much smaller. Placing this antenna topside is probably in our best interest as it receives signals from above. So depending on the orientation chosen for our project, we should always keep that into account.
Once this is all together, we can boot into the device and start installing the software and start-up scripts.
Step 2: Raspbian OS Start-up Scripts
Start Up Scripts
Linux start-up scripts can be placed into the /etc/rc.local file. Note:When calling any programs from scripts, you MUST include the entire path to the program, for instance, instead of having a line such as,
echo "starting up the scripts"
We can find echo's path by issuing a,
mine showed up as "/bin/echo", so then I call it as
/bin/echo "starting up the scripts"
This should save us a lot of frustrating troubleshooting when working with the device and getting it set up for our own needs. This is especially true for the /etc/rc.local file that we will be using.
This will ensure that they are ran with "root" privileges. We need these privileges for working with networking hardware, stopping processes, and more. First we write a script that will stop all of Raspbian OS's network utilities and it looks like so,
#!/bin/bash killall -9 wpa_cli killall -9 wpa_supplicant killall -9 ifplugd
save this to a file named ninja_kill in the /usr/local/sbin directory. Then, make it executable by issuing a
chmod +x /usr/local/sbin/ninja_kill
Now, all we need to do is put a line like so,
into the /etc/rc.local file before the "exit 0" line. This will ensure that network utilities will be stopped before starting Airodump-NG from the Aircrack-NG Suite.
Step 3: WARCARRIER Software
The WARCARRIER software I wrote can be downloaded at the Google Code page here. It is a reconnaissance tool that gathers GPS, WiFi, Bluetooth Spectrum, Bluetooth devices, and more. It can create Google maps, plot way-points, and much more. It requires a few dependencies, from Perl that can be installed by using the following commands,
apt-get install cpanminus libbluetooth-dev python-dev
cpanm -i Net::Bluetooth
cpanm -i Curses::UI
cpanm -i JSON::XS
We can start WARCARRIER from a remote connection using a second WiFi radio in Master mode (if using the Raspberry Pi B+ with extra USB ports), or we can start it, or just Airodump-NG from the /etc/rc.local file. We need to first put the device into RFMON mode for monitoring packets with Airodump-NG or injecting packets with Aireplay-NG. We can do this in the /etc/rc.local file with the following line (placed after the call to ninja_kill).
airmon-ng start wlan0
This should create the VAP labelled "mon0" To call WARCARRIER, we need to pass the "-d mon0" argument and the "-f filename" argument for the monitoring device and the log file name respectively.
WARCARRIER will scan using a null-probe for surrounding devices if a USB Bluetooth dongle is plugged into the Pi. This is a noisy scan that could make some WIDS throw flags. WARCARRIER also will scan the Bluetooth spectrum for any noise using the Ubertooth One as listed in the Hardware Requirements in the Introduction. This requires Dragorn's Spectools to read the data from as mentioned in the WARCARRIER Bluetooth Wiki page I created here. If you haven't read any of Dragorn's work, I'd suggest to if you are into 802.11 penetration testing as it is brilliant. This allows the snapshots of WARCARRIER to contain local Bluetooth devices, the spectrum, WiFi APs, and the GPS location of all in one single snapshot.
Step 4: Aircrack-NG Suite
The Aircrack-NG Suite is a suite of tools specifically crafted for hacking 802.11 networks and network hardware. They were first developed by Christophe Devine back in 2004. It includes tools for packet injection/network manipulation, packet sniffing, cracking WEP/WPA keys, managing WiFi adapters, constructing encrypted packets, creating tunnels, creating an access point, and much more.
If you'd like to create an 802.11 Ninja without WARCARRIER you can always simply start-up Airodump-NG to start capturing 802.11 packets as well, but we still need a device in monitor (RFMON) mode. I would still recommend using the ninja_kill script shown above to stop all processes that will ruin the scan by interfering with the 802.11 radio.
First we need to install the Aircrack-NG Suite onto the Pi by compiling it's source code like so,
mkdir -p /appdev/ac ** cd /appdev/ac
apt-get install libpcap-dev
tar -zxvf aircrack-ng-1.2-beta1.tar.gz
make && make install
Then, use Airmon-ng to start the VAP "mon0" and begin Airodump-NG with a file name. I would recommend using the current date/time This can be done very easily in Perl. as we see in the script below.
#!/usr/bin/perl -w use strict;
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
my $filename = ($year+1900)."-".$mon."-".$mday."-".$hour.":".$min.":".$sec."-80211_ninja_scan";
system("airodump-ng --channel 7 --bssid 00:11:22:33:44:55 --write $filename");
This will start Airodump-NG to scan on channel 7 (2.442GHz) and create a new file name each time it starts. This way, if placed into the /etc/rc.local file to start automatically, we can easily find where our scans are by date. To use Aireplay-NG for mass-deauthentication, we can use Perl and check for listed "client stations" from the Airodump-NG CSV output. For each station, we can push those (just the MAC address) into a list and then for each element of the list, we can do,
aireplay-ng -0 3 -a <bssid> -e <essid> -c $element_from_array_mac_address mon0</essid></bssid>
which will use "mon0" as the device and deauthenticate the client three times in hopes of capturing a WPA2 handshake to use while attempting to crack the WPA2 passphrase.
Step 5: GPS Software
In the images above, I used a cheap, $35 USD, BU-353 Prolific GPS radio. It came in a black circular housing which I was able to remove easily using a simple screwdriver and a pair of needle nosed pliers. The pliers where used to remove the rubber which is melted over the USB wires as they enter the housing.
For the GPS to work properly with WARCARRIER, it needs to be in National Marine Electronics Association (NMEA) mode. This can be accomplished in two ways, that I have tested. Install the GPSD Linux daemon for reading the GPS radio - version 3.2 using the following commands,
mkdir /appdev/ && cd /appdev
tar vxzf gpsd-3.2.tar.gz
apt-get install chrpath python-gps scons
mkdir /usr/lib2/ && cp lib* /usr/lib2/
scons && scons install
this will get the GPS daemon, GPSD, installed. The GPS device should show up and a file descriptor for it should be generated when plugged into the Raspbian Pi, as /dev/ttyUSB0. Next, we need to install a few more utilities that will be very useful for creating our own scripts.
apt-get install gpsd-clients
This will install gpspipe, which a utility that will access the output from GPSD in NMEA mode for WARCARRIER to use. We can set the GPS into NMEA mode by issuing the following command,
gpsctl -n /dev/ttyUSB0
Now, let's move on to GPIO programming for lighting the LED and listening for a button press.
Step 6: GPIO Pins on the Raspberry Pi
General Purpose Input Output (GPIO) pins are great for adding LEDs, push buttons and more. In this step, we will learn how to light an LED and read a momentary push button from the Raspbian OS. In the image above, the LED on the side of the case will light up only while the device is successfully scanning. The push button will stop scanning (if it's running) and restart the scan.
Input: Listening for a push button event let's write a small script that runs when the Raspberry Pi boots up that constantly listens for a button press on GPIO 8. Again, we will simply put this script into /etc/rc.local First, we need to initialize the GPIO pin for input as,
echo 8 > /sys/class/gpio/export
then we set it for input, as
echo in > /sys/class/gpio/gpio8/direction
Now if we check the value of
when the button is pressed, we should get the value of "1" and when the button is not pressed, we should get the value of "0" - simple binary. Now let's write a script that does something simple, like reboot the Pi.
while [ 1 ]; do
if [ "$(cat /sys/class/gpio/gpio8/value)" -eq "1" ]; then reboot; fi
This script will loop forever and continue checking the value of the GPIO pin 8 for a key press. If found, it will reboot the Pi. This can be applied in many situations and we can be creative in doing so!
Output: Lighting an LED Let's write a script which turns on and off an LED using the GPIO pin 7. This is a lot easier than writing a script to listen or a button press. Basically, we initialize the GPIO pin as "out" in the direction file after exporting, then echo a 1 into the value file to turn the LED on, or 0 to turn the LED off.
echo 7 > /sys/class/gpio/export
echo in > /sys/class/gpio/gpio7/direction
Now to turn ON the LED, we do,
echo 1 > /sys/class/gpio/gpio8/value
to turn it back OFF the LED we do,
echo 0 > /sys/class/gpio/gpio8/value
This can prove very useful for status lights. For instance, the Blue LED light on the side of the 802.11 Ninja in the pictures above stays lit while Airodump-NG is running. This is done by writing the same while [ ] Bash loop as above for the push button, but checks the process list command "ps aux" for the string "airodump-ng" I have tested it by unplugging the WiFi adapter from the Pi during the scan and the LED went off as expected.
Step 7: Battery and Portability
The battery can be a simple USB/POWER bank. I got mine from a store called Five Below for only $5 USD. It powers the device rather well for an extended amount of time while it secretly scans the area for wireless data from the client target during a penetration test.
Solar Powered Pis
There are some great Instructables.com tutorials already on how to power a Raspberry Pi with a single Solar Panel, and I will link to them here. Having the ability to harness the power of daylight during a physical penetration test is incredibly useful.
Remember that when wardriving, we can use the USB ports, or 12V cigarette lighter to USB adapter, to power the Pi perfectly fine. Anytime we are in an automobile, we should consider this option for powering the Pi first.
If, however, we are lucky enough to find a remote power box, or wall jacks in the client target's vicinity or an area without monitoring cameras during a penetration test, we can always make use of the simple wall power outlet to USB adapters, as they seem to be getting smaller and smaller as they are manufactured.
The antenna that we choose is vital sometimes. Since WARCARRIER takes a general snapshot of the surrounding area and associates all Access Points (APs) with GPS coordinates received by the NMEA data from the BU-353 device - the smaller the antenna here the better to have more accurate results. Also, during a wardrive, it is best to use a non directional dipole antenna, as it's aperture is shaped like a large donut which will capture all APs within a small range.
I would use a directional antenna for direction WiFi connections to the 802.11 Ninja, or for active penetration testing e.g. packet injection. For directional antennas, I'd suggest a panel antenna. I hear folks all the time argue about how they love yagi antennas, as seen in the image above (the one with all the prongs), but I have let to see one outdo a panel antenna in any scenario.
Step 8: Further Reading and More Documentation for Ideas
- Homepage for project (working)http://80211.ninja/
- /etc/rc.local Linux File - https://www.netbsd.org/docs/guide/en/chap-rc.html
- RFMON 802.11 Monitor Mode - http://en.wikipedia.org/wiki/Monitor_mode
- Using the ALFA adapter for an AP in "master mode" - http://exploit.co.il/hacking/set-fake-access-point-backtrack5/
- CWSP (certified wireless security professional) - http://www.cwnp.com/certifications/cwsp
- Connect802 - http://www.connect802.com/
- RAIDING the Wireless Empire - Novel I wrote about a WiFi hacker who uses a tool similar to the 802.11 Ninja.
- Penetration Testing with Perl - Book I wrote on penetration testing with Perl which teaches the readers how to construct their own 802.11 protocol analyzer and WPA2 cracking tools. Also, shows exactly how the authentication process works with screenshots.
- WeakNet Labs - my weblog about hacking / phreaking / 802.11 security
- WEAKERTH4N Linux - 802.11 hacking themed free Linux distribution I made. I discuss a lot of development logs and give support to those in need via email as well.
Just as via my weblog, I will give technical support when I can for this project or any WeakNet Labs project I offer. Feel free to shoot me an email (located on the weblog) for support if needed. I apologize if there are any errors in the code pastes, as I have done most of this tutorial from memory. I you find any error, I will gladly fix it and give you credit.
I did include links, however, a lot of practice and learning can be done by simply starting up your own project and getting your hands dirty! ;)
"When we are done hacking the planet, we will hack the sky"