Improbinator – My first ESPduino project

I committed my first ESPduino project to GitHub the other day: ESPduino – Improbinator.

ESPduino – Improbinator – Flood of faked 802.11 Probe Request Frames

Background: I live in a town with about 20 wifi probes mounted on walls in the city centre, which collect 802.11 Probe Request frames to measure and map visitor flows through the city. That kicked off the idea that I could dilute and skew the measurements by flooding the devices with a controlled stream of nearly real-looking but obviously faked probe request frames.

OUI data: collected during war-walking sessions around town and in other cities and countries, for both client and router OUIs.

It’s an open project; you can send pull requests or fork it.

Idea dump: Arduino ESP8266 – WIFI Beacon Attacker

Update 2016-11-12: I wrote a piece about ESPduino – Improbinator, where many of these ideas were implemented; there is also a GitHub repo at Improbinator where you can find the code.

I accidentally bought an Arduino UNO R3 on the cheap and had no project to use it in, so I toyed around with different ideas and this one hit me while taking my son for a walk.

This assumes a few things:

  • the ESP8266 has a way to generate (custom) beacon frames
  • 1+N ESP8266 boards can be connected to an Arduino UNO

Use an Arduino + ESP8266 + SD card shield to emit lots of beacon frames and keep iterating them for a set period of time, to imitate or mimic real phones moving around in an area. MAC addresses are randomised from a table of 24-bit OUI prefixes of popular makes/brands, with the remaining 24 bits random.
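The frames the project ends up sending are plain 802.11 management frames, so here is an added example (my own C, not code from the Improbinator repo, and it does not touch the ESP8266 SDK) that builds a probe request into a byte buffer with a station address drawn from an OUI table, and parses it back the way a probe collector would. The OUI prefixes are constructed placeholders rather than real vendor assignments, the xorshift PRNG is only there to make the output reproducible, and the actual transmit call on the ESP8266 is deliberately left out. It also keeps the check a practitioner wants: the two low bits of the first octet stay clear, so the fake address reads as a unicast, globally administered one rather than a locally administered (randomised-looking) one that a collector might discard.

```c
/* Added example: raw 802.11 Probe Request builder/parser.
 * Not code from the Improbinator repo; no ESP8266 SDK calls. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 128

/* Constructed placeholder OUI prefixes (assumption: the real table is
 * loaded from the SD card). They are NOT real vendor assignments. */
static const uint8_t OUI_TABLE[][3] = {
    {0x00, 0x11, 0x22}, {0x00, 0x33, 0x44}, {0x04, 0x55, 0x66}, {0x08, 0x77, 0x88},
};
#define OUI_COUNT (sizeof OUI_TABLE / sizeof OUI_TABLE[0])

/* Tiny xorshift32 PRNG, seeded deterministically so output is reproducible. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t xorshift32(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* bit0 = I/G (multicast), bit1 = U/L (locally administered); both must be 0
 * for the address to pass as a real vendor-assigned station. */
int mac_looks_vendor_assigned(const uint8_t mac[6]) { return (mac[0] & 0x03) == 0; }

/* Pick a table OUI and randomise the 24 NIC-specific bits. */
void random_mac(uint8_t mac[6]) {
    uint32_t r = xorshift32();
    memcpy(mac, OUI_TABLE[r % OUI_COUNT], 3);
    uint32_t nic = xorshift32() & 0xFFFFFFu;
    mac[3] = (uint8_t)(nic >> 16); mac[4] = (uint8_t)(nic >> 8); mac[5] = (uint8_t)nic;
}

/* Build: FC | Duration | DA | SA | BSSID | SeqCtrl | SSID IE | Supported Rates IE.
 * Returns frame length, or 0 if the SSID is too long or the buffer too small. */
size_t build_probe_request(uint8_t *out, size_t out_len, const uint8_t sa[6],
                           uint16_t seq, const char *ssid) {
    /* 1, 2, 5.5, 11, 6, 9, 12, 18 Mbit/s in 500 kbit/s units */
    static const uint8_t rates[] = {0x02, 0x04, 0x0B, 0x16, 0x0C, 0x12, 0x18, 0x24};
    size_t ssid_len = ssid ? strlen(ssid) : 0;
    if (ssid_len > 32) return 0;
    size_t need = 24 + 2 + ssid_len + 2 + sizeof rates;
    if (out_len < need) return 0;
    uint8_t *p = out;
    *p++ = 0x40; *p++ = 0x00;             /* frame control: mgmt, subtype 4 = probe req */
    *p++ = 0x00; *p++ = 0x00;             /* duration */
    memset(p, 0xFF, 6); p += 6;           /* DA: broadcast */
    memcpy(p, sa, 6);   p += 6;           /* SA: our fake station */
    memset(p, 0xFF, 6); p += 6;           /* BSSID: broadcast (wildcard) */
    *p++ = (uint8_t)((seq << 4) & 0xFF);  /* seq ctrl, little-endian; fragment = 0 */
    *p++ = (uint8_t)(seq >> 4);
    *p++ = 0x00; *p++ = (uint8_t)ssid_len; memcpy(p, ssid, ssid_len); p += ssid_len;
    *p++ = 0x01; *p++ = (uint8_t)sizeof rates; memcpy(p, rates, sizeof rates); p += sizeof rates;
    return (size_t)(p - out);
}

/* Parse like a probe collector: returns 1 for a well-formed probe request
 * (filling SA and SSID), 0 for anything else or a truncated element list. */
int parse_probe_request(const uint8_t *f, size_t len, uint8_t sa_out[6], char ssid_out[33]) {
    if (len < 24 || f[0] != 0x40) return 0;
    memcpy(sa_out, f + 10, 6);
    ssid_out[0] = '\0';
    size_t i = 24;
    while (i + 2 <= len) {
        uint8_t tag = f[i], tlen = f[i + 1];
        if (i + 2 + tlen > len) return 0;         /* element runs past the frame */
        if (tag == 0 && tlen <= 32) { memcpy(ssid_out, f + i + 2, tlen); ssid_out[tlen] = '\0'; }
        i += 2 + (size_t)tlen;
    }
    return 1;
}

int main(void) {
    uint8_t buf[FRAME_MAX], mac[6];
    for (uint16_t seq = 0; seq < 3; seq++) {      /* three fake stations, one frame each */
        random_mac(mac);
        size_t n = build_probe_request(buf, sizeof buf, mac, seq, "");
        printf("%02x:%02x:%02x:%02x:%02x:%02x %zu bytes vendor-looking=%d\n",
               mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], n, mac_looks_vendor_assigned(mac));
    }
    return 0;
}
```

An empty SSID gives the wildcard probe most phones send while scanning; a named SSID mimics a device looking for a known network, which is what makes a stream of these look like real hand-sets passing through.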

As my brain seems to work a bit differently, I tend to strive for edge cases, to over-optimise and extend beyond limits. I don’t even know whether it’s possible with this hardware combination to attach a second or even a third ESP8266 board to an Arduino UNO R3, or whether two or three shields can be driven through software/electronics.

With one, two or three ESP8266s, I imagine having as many buffers with lists of pre-generated MAC addresses to run through while broadcasting beacons; the depth of the lists is TBD. OUI prefixes would be stored on the SD card, and I already have the data, both from the OUI prefix list and from data collected during the last 5+ years of war-walking.

If outfits like Libelium are making devices for identifying customers in stores/gallerias/malls that can even identify the type of smartphone, we could throw some dirt into their machinery, since we could generate beacons with MAC addresses for devices based on statistics from the collected data. No harm would be done, as the addresses are generated and only “visible” in a small physical “bubble” for a limited time; even if a generated MAC address happened to clash with a real MAC address in the same area, there would be no long-term effects.

The build would be cased in acrylic, either a stock box with modifications for the shield(s) or completely custom. Power banks of 10000mAh (or more) @ 5V would run it off-grid/in a backpack.

Inspiration:
Pry-fi by Chainfire on XDA-Developers.

Thought: A WPS-owner-upper with Tweets and Google Maps

I’ve been playing with this thought for a while; I do not have the skill set or the Raspberry Pi necessary to actually put it into play. Yet.

With a smallish board of Raspberry Pi (I or II+) size, together with a (few) high-powered USB WiFi dongle(s) and some coding, the Blackjack attack could be used. With only 18 packets over the air, you could essentially get the WPA/WPA2 password for each WPS-enabled device you stumble across, within seconds, and there are a lot of them out there since most broadband router manufacturers think WPS is the shit (it also reduces the pressure on their support).

What would be needed?

  • Raspberry Pi or similar.
  • High-powered WiFi USB-dongles
  • Battery-pack to run devices off-grid, like in a backpack.
  • Aircrack-ng, Reaver and a few other packages
  • 3G/LTE USB-dongle for internet access

Anyone with a little time and effort could pull this off: the equipment is cheap and available, the software is free and the desire to hack is endless.

1600 wifi

I was out at a test, and the route there was a bit outside my usual routes; whenever I move outside my routes I make a habit of starting a wifi scan to find and log access points. The normal count sits around 7400; now it got bumped up to 9000-ish. That is the number in my list for the last 6 weeks’ walks; beyond that I have around 1 million rows of data.

What do I do with the data? Collect it, parse it and identify the hardware, because I can. With large enough datasets I can identify manufacturer and model.

Nerdy? Yep!

Colubris MAP 625 / HP MSM422

Yep, I won an auction for some fun hardware: an access point with a lot of fun features, list price 4500–6000 SEK depending on where you look. I got it at a bargain price, but without a power supply.

So now I’m hunting for one. The slightly messy part is that it requires 48V DC, 0.25A (max 12W), and that is not entirely easy to find, partly because it is considered “professional equipment”, which means you find nothing listed with VAT included; besides, the thing (the power brick) weighs almost 7 kg. Which makes me think of the alternative, PoE, Power over Ethernet, which can deliver the right voltage and more power than necessary, and lets me hang the box on up to 100 metres of Cat5/6 cable at worst. So I have found a couple of PoE injectors in a suitable price range, around 200 SEK.

What am I going to do with it? Hack it, of course!

Or hack the people around me… since it is a MIMO AP, it can appear as many devices simultaneously, and together with a slightly hacked/adjusted RADIUS server I can collect some fun info. Only for learning purposes, of course; when I get tired of that it will be used as a block-wide AP for my private WiFi network.

Or something like that. Maybe. We’ll see.