Firmware for pi hack me Access Point Practice Lab


Safely learning security is hard. We all need realistic environments to learn security fundamentals. Over the last 10 years, I supported a program that gave kids access to realistic hacking learning environments. r00tz Asylum was a kids-oriented ethical hacking educational village at DEF CON. We helped kids learn about network enumeration with labs that taught them about scanning & vulnerability discovery. We showed basic vulnerability exploitation by teaching them how to exploit the Shellshock vulnerability. We taught them basic Linux commands to move around systems in order to deface websites. We helped kids learn about election security with contrived SQL injection demos.

Every year, people asked if we could share the labs. But the labs were too complex and the files were too large for easy sharing. Many of the labs were partly run in the cloud.

The labs were not designed to be resilient to a loss of connectivity. They were produced by volunteers, who did what they could in the time they had. But the labs were brittle. This has annoyed me for years.

In retrospect, it’s miraculous that r00tz came out a success. We had hundreds of kids flying to an event where, if the Internet had failed, there was no plan B. Those kids would have been bored. The parents would have been pissed. And I would have been annoyed! It would have been an avoidable catastrophe. Well, it never happened. But it could have!

So I built a lab that doesn’t require connectivity. It has the added benefit of being easy to run without experts present. Here is a firmware image for the Raspberry Pi:

https://firmware.patrickmccanna.net/Firmware/pi_hack_me_ap.img.tar.gz

It configures your Pi to run as a wifi access point. You can use it to practice wifi hacking & learn basic Linux hacking. My daughter described it as kind of a hacking “escape room.” There’s a web page hosted on the Access Point that gives students some tips once they’ve gotten past the first challenge. You should start with three simple goals:

  • Discover the Wifi password.
  • Identify a potential point of entry for getting shell access on the access point.
  • Gain shell access to the Access point.

From there, you can pivot to more advanced topics. You could use this firmware to learn Linux by making changes to the software on the device. You could use it to test IoT devices for security vulnerabilities. You could use it as a local web server and host some pictures. These devices are almost like gaming consoles that can be transformed into new experiences with the right knowledge.

I’m making my way through my security challenges with my daughters. As they ask questions, I’m taking notes and I’ll post them here. But you don’t have to wait for me. The software is all ready to go! I used the same open source software that commercial Access Points use (hostapd & dnsmasq).

With this lab, you can go from simple password breaking and move on to more advanced topics. You can use this lab to get practical experience in Linux, Internet Protocol, Authentication, Network Reconnaissance, Web development, embedded wifi access points and Security Defense.

HOW TO GET STARTED


You need a Raspberry Pi 3 B+ or a Raspberry Pi 4 and an 8 GB or larger SD card.

Start by downloading the Pi Firmware here:

https://firmware.patrickmccanna.net/Firmware/pi_hack_me_ap.img.tar.gz

You can extract it using the command:

tar -xvf pi_hack_me_ap.img.tar.gz

You can then write it to an SD card using the Raspberry Pi Imager (available here: https://www.raspberrypi.com/software/). Imager expects a raw .img (or a plain compressed .img), not a tar archive, which is why you extract first; point Imager at the extracted .img as a custom image and pick the SD card as the target.

Here is a gif that gives you a feel for how to extract the archive & write the firmware. Note that you need administrator privileges on your account to write to the SD card.

Extracting & writing the firmware

Writing takes about 15 minutes depending on the speed of your SD card.

That’s all there is. Plug the SD card into your Pi and power up. You don’t need to plug in a monitor or keyboard. You don’t need to connect it to the Internet. It’s ready to go. Try to find the wifi network you’ve created. Start hacking it.
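If you would rather do the extract-and-write step from a terminal than from Raspberry Pi Imager, the script below does the same job. It is an added example, not part of the original page or the firmware project: it unpacks the tarball, refuses to write to a partition (the image carries its own partition table, so it must go to the whole card), refuses to write to a device that is still mounted, requires root for a real device, and reads the card back afterwards to confirm the write. The device path is an assumption that differs per machine (something like /dev/sdb on Linux or /dev/disk2 on macOS); check it twice, because dd will happily overwrite the wrong disk.

```shell
#!/bin/sh
# flash_pi_image.sh -- command-line alternative to Raspberry Pi Imager:
# unpack the tarball, write the .img to the whole SD card, read it back.
# Usage: sudo ./flash_pi_image.sh pi_hack_me_ap.img.tar.gz /dev/sdX
# (/dev/sdX is an assumption; use whatever your OS assigned to the card)
set -eu

# cksum of the image, and of the first N bytes of the target, N = image size.
image_sum() { cksum < "$1"; }
target_sum() { head -c "$(($(wc -c < "$1")))" "$2" | cksum; }   # $1 image, $2 target

# Returns 0 when the target starts with exactly the image's bytes.
verify_image() { [ "$(image_sum "$1")" = "$(target_sum "$1" "$2")" ]; }

flash_pi_image() {   # $1 tarball, $2 target device (or a regular file, for a dry run)
    tarball=$1 target=$2
    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 1; }
    case "$target" in
        # Partition names on Linux (sdb1, mmcblk0p1) and macOS (disk2s1): refuse.
        /dev/sd[a-z]*[0-9]|/dev/mmcblk[0-9]*p[0-9]*|/dev/disk[0-9]*s[0-9]*)
            echo "refusing to write to partition $target; use the whole device" >&2
            return 1 ;;
    esac
    if [ -b "$target" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "writing to $target needs root" >&2; return 1; }
        # /proc/mounts exists on Linux only; elsewhere this check is skipped.
        if grep -q "^$target" /proc/mounts 2>/dev/null; then
            echo "$target (or a partition on it) is mounted; unmount it first" >&2
            return 1
        fi
    fi
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    image=$(find "$work" -name '*.img' | head -n 1)
    [ -n "$image" ] || { rm -rf "$work"; echo "no .img inside $tarball" >&2; return 1; }
    echo "writing $image to $target" >&2
    dd if="$image" of="$target" bs=1048576
    sync
    if verify_image "$image" "$target"; then
        rc=0; echo "verified: $target matches the image" >&2
    else
        rc=1; echo "MISMATCH: $target does not match the image" >&2
    fi
    rm -rf "$work"
    return $rc
}

if [ $# -eq 2 ]; then flash_pi_image "$1" "$2"; fi
```

Passing a regular file as the target is a harmless dry run that exercises the whole path, which is how you can test the script before pointing it at real hardware.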

Here are your challenges:

  • Challenge 1: What is the Wifi password?
  • Challenge 2: How did you gain remote access to the running access point?
  • Challenge 3: How could you modify the default web application?
  • Challenge 4: What could you do to secure the access point?
  • Challenge 5: What do you need to do to make it a secure, working wifi access point?

If you need more granular challenges, take a look at this post: https://patrickmccanna.net/pi_hack_me_ap-challenges/

Happy hacking! If you get stuck or run into problems, file an issue here:

https://github.com/CaptainMcCrank/Learn_Linux_Networking_And_Hacking/issues

Pi_Hack_Me_AP Challenges

My Access Point firmware is a playground where you can learn by experience. You’ll have the opportunity to try on both offensive security and defensive security.

Gaining experience with offensive techniques is valuable because hacking is perceived as a magical power. If you know a spell and cast it correctly, you can do things that other people can’t. It isn’t magic. It’s logic & taste. If you know where to look, you’ll find spiders in any house. Hackers work the same way. We have an easy time gaining control of systems for four reasons.

  • Software quality standards are poor.
  • Assessing software quality requires reverse engineering experience.
  • Humans assume usability is a proxy for measuring software quality.
  • A defender needs to be right 100% of the time. A hacker only needs to be right once.

There is too much developer education that prioritizes getting a demo working quickly. Implementing AuthN/AuthZ logic that protects sensitive operations is a topic that’s typically reserved for advanced courses that not everyone takes. This means hackers tend to have an easy time discovering predictable implementation mistakes. Knowing how hackers are able to access your system forces you to learn the changes you need to make to secure it.

Gaining experience with defensive techniques is not easy. Assessing logs for evidence of attacks & compromise is pretty abstract unless you have an active attacker. When you run the attacks, you can look at the logs for evidence of attack activity. This also helps you get context on the privacy implications of accessing websites. I want to make sure ambitious kids understand that tampering with websites is easy to detect. I don’t want to see any kids getting into trouble with the law because they didn’t understand how traceable scanning is.
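Here is what "looking at the logs" concretely means on this box. The script below is an added example, not code from the original page or from the firmware image: it runs over constructed sample lines in the formats hostapd (syslog), dnsmasq (with log-dhcp and log-queries) and lighttpd (default access log format) actually write, and shows how a single client's MAC address, DHCP hostname, DNS lookups and every URL it requested line up, and how a burst of requests for paths that do not exist gives away a directory brute-force. The MAC addresses, hostnames, IPs and the scanner's requests are all made up for the example; it also serves the first few Privacy/Security Defense challenges further down.

```shell
#!/bin/sh
# ap_log_triage.sh -- what an access point operator sees in hostapd, dnsmasq and
# lighttpd logs, and how a noisy scan stands out. Every log line below is a
# constructed sample in the format the real daemon writes; none is real traffic.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# hostapd via syslog (logger_syslog=-1, logger_syslog_level=2)
cat > "$WORK/hostapd.log" <<'EOF'
Feb 10 19:03:38 pihackme hostapd: wlan0: STA 12:34:56:78:9a:bc IEEE 802.11: associated (aid 1)
Feb 10 19:03:50 pihackme hostapd: wlan0: STA de:ad:be:ef:00:77 IEEE 802.11: associated (aid 2)
Feb 10 19:03:50 pihackme hostapd: wlan0: STA de:ad:be:ef:00:77 WPA: pairwise key handshake completed (RSN)
EOF

# dnsmasq with log-dhcp and log-queries: leases tie IP to MAC and hostname,
# query lines tie IP to every site the client resolved.
cat > "$WORK/dnsmasq.log" <<'EOF'
Feb 10 19:03:40 pihackme dnsmasq-dhcp[456]: DHCPACK(wlan0) 10.0.0.23 12:34:56:78:9a:bc alices-phone
Feb 10 19:03:52 pihackme dnsmasq-dhcp[456]: DHCPACK(wlan0) 10.0.0.77 de:ad:be:ef:00:77 kali-laptop
Feb 10 19:04:10 pihackme dnsmasq[456]: query[A] bank.example from 10.0.0.23
Feb 10 19:04:11 pihackme dnsmasq[456]: query[A] chat.example from 10.0.0.23
Feb 10 19:04:12 pihackme dnsmasq[456]: query[A] bank.example from 10.0.0.23
EOF

# lighttpd access.log, default format:
# %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
cat > "$WORK/access.log" <<'EOF'
10.0.0.23 pihackme.local - [10/Feb/2022:19:04:20 +0000] "GET / HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
10.0.0.23 pihackme.local - [10/Feb/2022:19:04:21 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:01 +0000] "GET / HTTP/1.1" 200 1324 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:01 +0000] "GET /admin/ HTTP/1.1" 404 345 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:01 +0000] "GET /.git/config HTTP/1.1" 404 345 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:02 +0000] "GET /wp-login.php HTTP/1.1" 404 345 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 345 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:02 +0000] "GET /backup.zip HTTP/1.1" 404 345 "-" "scanner/1.0"
10.0.0.77 pihackme.local - [10/Feb/2022:19:05:03 +0000] "GET /.env HTTP/1.1" 404 345 "-" "scanner/1.0"
EOF

# Time a MAC address associated with the AP (hostapd log). Prints HH:MM:SS.
joined_at() {   # $1 mac, $2 hostapd log
    awk -v mac="$1" '$7 == "STA" && $8 == mac && $11 == "associated" { print $3 }' "$2"
}

# Map an IP back to the MAC and DHCP hostname the client announced (dnsmasq log).
# Prints "MAC HOSTNAME"; the last DHCPACK for that IP wins.
identify_client() {   # $1 ip, $2 dnsmasq log
    awk -v ip="$1" '$6 ~ /^DHCPACK/ && $7 == ip { who = $8 " " $9 }
                    END { if (who) print who }' "$2"
}

# Distinct DNS names a client resolved, i.e. the sites it visited.
queried_names() {   # $1 ip, $2 dnsmasq log
    awk -v ip="$1" '$6 ~ /^query\[/ && $9 == ip { print $7 }' "$2" | sort -u
}

# Clients with at least THRESHOLD 404s: many requests for paths that do not exist
# is the signature of directory brute-forcing. Prints "IP TOTAL NOT_FOUND".
flag_scanners() {   # $1 access log, $2 threshold
    awk -v thr="$2" '
        { total[$1]++ }
        $9 == 404 { notfound[$1]++ }
        END { for (ip in total) if (notfound[ip] >= thr) print ip, total[ip], notfound[ip] }
    ' "$1"
}

# Put it together: name the device behind every flagged address.
report() {
    flag_scanners "$WORK/access.log" 5 | while read -r ip total nf; do
        who=$(identify_client "$ip" "$WORK/dnsmasq.log")
        mac=${who%% *}
        echo "$ip is $who, associated at $(joined_at "$mac" "$WORK/hostapd.log"): $total requests, $nf for missing paths"
    done
}

report
```

Run on the real files on the Pi (/var/log/hostapd.log, /var/log/dnsmasq.log and /var/log/lighttpd/access.log, as listed in the challenges below), the same three joins answer "what does an admin know about you": the hardware address of your device, the name it calls itself, everything it resolved, and everything it fetched.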

Below are the challenges I’ve shared with my daughter. I did quite a bit of hand-holding to get her across the line for hacking the wifi network. My objective is to have her go through these challenges on her own. Ideally, she’ll search the web for context on these questions and start learning how to work these things out on her own. It was self education that got me to this stage of my career. It’s a pattern that I know works, but it seems to be dying in certain subsets of the infosec world. If you decide to run this access point, you can use these challenges as a guide on what to try:

Easy Challenges

  1. What is the Wifi Password?
  2. When you are connected to the network, what are the IP address and hostname of the default gateway? What IP address was assigned to the device you connected with? What is the DNS server’s IP address while you’re connected to the hotspot? (Need a clue? Check out this video: https://www.youtube.com/watch?v=6PZp7LNKHgk)
  3. Are you able to connect to the Internet over the hotspot in its default configuration? How did you determine this? Why does or doesn’t it work?
  4. What possible entry points exist for gaining access to the hotspot? Describe how you tested whether each attack is possible. How can you gain shell access to the device? Do not continue to the next section until you have been able to gain access.

Medium Challenges

  1. How do you change the password on the Access Point?
  2. How do you configure SSHD so that you don’t have to rely on passwords?
  3. What is the operating system version of the device?
  4. What services are listening on the device?
  5. What web server is running on the device?
  6. Describe any web page you found on the device. What was the URL? Were you able to view it?
  7. Where are the logs for the webserver stored?
  8. Where are the files for the webserver stored?
  9. Can you view the web page?

Advanced Challenges

  1. What is HostAPD?
  2. What is an interface?
  3. What interface is HostAPD running on?
  4. What is the IP address on wlan0?
  5. What is the IP address on eth0? Why?
  6. Where are the HostAPD access logs?
  7. What file do you need to edit to change the SSID, Password and wifi security settings?
  8. What is IP forwarding? What is IP masquerading?
  9. What is a “router”?
  10. What are the major steps for turning our Hacking hotspot into a working wifi access point that gives access to the Internet?
  11. What is IP Forwarding? How do we enable it?
  12. How can you change your device into a working access point?
  13. How do you get connectivity working on the Ethernet interface?
  14. How do you do that when plugging it into a network with DHCP?
  15. How do you do that when plugging it into a network with static IP addresses?
  16. How do you turn on ip forwarding in linux?
  17. How do you make it a permanent change?
  18. How do you activate Network Address translation?
  19. How do you vend IP addresses to devices that are attached to your network?
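The advanced challenges above (changing the SSID and passphrase, IP forwarding, NAT, and handing out addresses) are the steps of one procedure: turning the hotspot into a working router. The script below carries that procedure through as an added example. It is not the image's own scripts or configuration; the interface names (wlan0 facing clients, eth0 as the uplink), the 10.0.0.0/24 range, and the config file paths are the Raspberry Pi OS / Debian defaults and are assumptions about where this image keeps its files. The functions only render configuration; apply writes it and needs root on the Pi.

```shell
#!/bin/sh
# make_real_ap.sh -- hostapd on the wireless side, dnsmasq handing out leases,
# IP forwarding, and NAT out of the wired uplink. Added example; interface names
# and config paths are Debian / Raspberry Pi OS defaults (assumptions).
# Usage on the Pi: sudo ./make_real_ap.sh apply MySSID 'my passphrase'
set -eu

AP_IF=${AP_IF:-wlan0}      # wireless side: hostapd, the DHCP range, the gateway address
WAN_IF=${WAN_IF:-eth0}     # wired uplink; dhcpcd takes a DHCP lease on it by default
AP_ADDR=10.0.0.1
AP_CIDR=24
DHCP_RANGE="10.0.0.50,10.0.0.150,12h"

# WPA2-PSK passphrases are 8..63 printable ASCII characters; hostapd refuses to
# start on anything else, so check before writing the file.
valid_passphrase() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ] &&
        printf %s "$1" | LC_ALL=C grep -q '^[ -~]*$'
}

# /etc/hostapd/hostapd.conf: the one file that sets SSID, passphrase and security mode.
render_hostapd_conf() {   # $1 = SSID (1..32 bytes), $2 = passphrase
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || { echo "SSID must be 1-32 chars" >&2; return 1; }
    valid_passphrase "$2" || { echo "passphrase must be 8-63 printable ASCII chars" >&2; return 1; }
    cat <<EOF
interface=$AP_IF
driver=nl80211
ssid=$1
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$2
logger_syslog=-1
logger_syslog_level=2
EOF
}

# dnsmasq vends addresses and tells clients the Pi is both router and DNS server.
render_dnsmasq_conf() {
    cat <<EOF
interface=$AP_IF
bind-interfaces
dhcp-range=$DHCP_RANGE
dhcp-option=option:router,$AP_ADDR
dhcp-option=option:dns-server,$AP_ADDR
log-dhcp
log-queries
EOF
}

# dhcpcd stanza: static address on the AP side, wpa_supplicant kept off it. For a
# static uplink add a stanza for $WAN_IF with static ip_address=, static routers=
# and static domain_name_servers= lines; with DHCP upstream nothing is needed.
render_dhcpcd_conf() {
    cat <<EOF
interface $AP_IF
static ip_address=$AP_ADDR/$AP_CIDR
nohook wpa_supplicant
EOF
}

# Router rules: forward AP -> uplink, allow replies back, and masquerade (NAT) so
# the upstream network only ever sees the Pi's own address.
render_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet router {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "$AP_IF" oifname "$WAN_IF" accept
        iifname "$WAN_IF" oifname "$AP_IF" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# IP forwarding is off by default; this sysctl fragment makes it survive a reboot.
render_sysctl_conf() { echo "net.ipv4.ip_forward=1"; }

apply() {   # $1 = SSID, $2 = passphrase; run as root on the Pi
    render_hostapd_conf "$1" "$2" > /etc/hostapd/hostapd.conf
    render_dnsmasq_conf > /etc/dnsmasq.d/ap.conf
    render_dhcpcd_conf >> /etc/dhcpcd.conf
    render_sysctl_conf > /etc/sysctl.d/99-ip-forward.conf
    render_nft_ruleset > /etc/nftables.conf
    nft -c -f /etc/nftables.conf               # syntax check before loading
    sysctl -w net.ipv4.ip_forward=1            # immediate; the file covers reboots
    ip addr replace "$AP_ADDR/$AP_CIDR" dev "$AP_IF"
    nft -f /etc/nftables.conf
    systemctl enable --now nftables
    systemctl restart hostapd dnsmasq
}

if [ "${1:-}" = "apply" ]; then apply "$2" "$3"; fi
```

The forward chain drops by default, so clients reach the Internet only through the two explicit rules, and nothing from the uplink side can initiate a connection into the wifi segment; that is the difference between a router and a box that merely has forwarding switched on.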

Privacy/Security Defense Challenges

  1. What does an admin know about you while you’re attached to the device?
  2. What do you see when running tail -f /var/log/hostapd.log while a device attaches to the wifi network?
  3. What do you see when running tail -f /var/log/dnsmasq.log while a device attaches to the wifi network?
  4. What do you see when running tail -f /var/log/lighttpd/access.log while a device browses to the web site?
  5. What are the privacy implications for connecting to a wifi network?
  6. What information does an Access Point operator have about you if you attach to that network?
  7. What kind of attacks can an admin execute while you’re attached to the device?
  8. What is packet sniffing? How could it be done?
  9. What is a MITM attack? How could it be done?
  10. What is DNS hijacking? How could it be done?
  11. How can you harden this access point so that no one could reproduce the attacks you used?
  12. How do you install software?
  13. How could you configure SSHD to resist brute force password guesses?
  14. What is Fail2Ban?
  15. What is nftables?
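Challenges 11 through 15 here, together with Medium challenge 2 (SSHD without passwords), are the hardening half of the lab. The script below is an added example of the fixes a practitioner would actually apply, not the image's own scripts: key-only SSH with a small login budget, an nftables input policy that meters new SSH connections per source address, and a fail2ban jail for whatever still gets through. The paths (sshd_config.d, nftables.d, fail2ban jail.d) and the Debian service names are assumptions about this image; the functions only render configuration, and apply refuses to run until a public key is already installed, so you cannot lock yourself out by disabling passwords too early.

```shell
#!/bin/sh
# harden_ap.sh -- key-only SSH, per-source rate limiting of new SSH connections,
# and a fail2ban jail. Added example; paths and service names are Debian /
# Raspberry Pi OS defaults (assumptions). Usage on the Pi: sudo ./harden_ap.sh apply
set -eu

AP_IF=${AP_IF:-wlan0}

# Drop-in for /etc/ssh/sshd_config.d/ (OpenSSH 8.2+ reads that directory). With
# password and keyboard-interactive auth both off, a guessed password is worth nothing.
render_sshd_dropin() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# Input policy: drop by default, serve DHCP/DNS/HTTP only to wifi clients, and meter
# new SSH connections per source so a brute forcer gets 3 a minute, then is logged
# and dropped. Two meters because "ip saddr" matches IPv4 only.
render_nft_input() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        iifname "$AP_IF" udp dport { 53, 67 } accept
        iifname "$AP_IF" tcp dport { 53, 80 } accept
        tcp dport 22 ct state new meter ssh4 { ip saddr limit rate over 3/minute burst 3 packets } log prefix "ssh-ratelimit " drop
        tcp dport 22 ct state new meter ssh6 { ip6 saddr limit rate over 3/minute burst 3 packets } log prefix "ssh-ratelimit " drop
        tcp dport 22 ct state new accept
    }
}
EOF
}

# fail2ban jail: 3 failed logins within 10 minutes bans the address for an hour.
# banaction is set explicitly because the Debian default targets iptables.
render_fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled = true
banaction = nftables-multiport
maxretry = 3
findtime = 10m
bantime = 1h
EOF
}

apply() {   # run as root on the Pi
    # Lockout guard: the user who ran sudo must already have a key installed
    # (and should have logged in with it once) before passwords are turned off.
    keyowner=${SUDO_USER:-$(id -un)}
    keyfile=$(getent passwd "$keyowner" | cut -d: -f6)/.ssh/authorized_keys
    [ -s "$keyfile" ] ||
        { echo "no key in $keyfile; install one and log in with it before disabling passwords" >&2; return 1; }
    render_sshd_dropin > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t                                    # refuse to reload a broken config
    systemctl reload ssh
    render_nft_input | nft -c -f -             # syntax check only
    nft delete table inet filter 2>/dev/null || true
    render_nft_input | nft -f -
    mkdir -p /etc/nftables.d                   # persist: add include "/etc/nftables.d/*.nft"
    render_nft_input > /etc/nftables.d/10-input.nft   # to /etc/nftables.conf
    render_fail2ban_jail > /etc/fail2ban/jail.d/sshd.local
    systemctl restart fail2ban
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

After applying, re-run the attacks from the earlier challenges: the password guess that got you in should now fail at the protocol level (no password method offered), a connection flood should show up as "ssh-ratelimit" entries in the kernel log, and repeated failures should appear as bans in fail2ban-client status sshd.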

Basics of getting around on a Mac

If you are brand new to computing, it’s helpful to set the stage a little bit. Computers are these boxes that do things. You’re probably comfortable opening up a browser and searching youtube, but there’s a lot that goes on in the operating system and it can be easy to get by without learning the lay of the land. I’ve got a few links to get you started.

The basic features you should strive to get a handle on are:

  • Basic keyboard shortcuts
  • How to right click and navigate with a touchpad
  • Launching apps via dock
  • Navigating the file system using finder
  • Learning how to find and launch the installed applications using the finder
  • The terminal

ThisIsE has a nice short tutorial video that gives you a tour of everything on the Mac. It covers important topics like the dock, finder, command shortcuts and configuring the system. It’s only 13 minutes and worth a view if you’re unfamiliar with the Mac:

https://youtu.be/egK5BKEn87c?t=27

Perhaps you don’t like videos and prefer to read. Apple also has a very nice e-book that covers the major features of the MacBook Air. It renders in the Apple Books app, so you can view it on an iPhone, and it has the nice property of being free 😀

https://books.apple.com/us/book/macbook-air-essentials/id1432979717

The Terminal (aka the command line)

Additionally, we’re going to be doing a lot of work in the Terminal, so it is worth familiarizing yourself with this video explaining what the terminal is:

https://www.youtube.com/watch?v=FfT8OfMpARM

UPDATE 2/16/22: This video is a speed run of helpful tips for the Mac Terminal:
https://www.youtube.com/watch?v=qOrlYzqXPa8

Some self test questions:

  1. Do I know how to copy and paste on a Mac from keyboard shortcuts?
  2. Do I know how to delete files from the UI?
  3. Do I know how to view a file?
  4. Do I know how to navigate to the “Documents” directory under my account?
  5. Do I know how to change system settings on a Mac?
  6. Do I know how to add a program to the Dock?
  7. Do I know how to close a program that doesn’t respond?
  8. Do I know how to view a file from the command line?
  9. Do I know how to delete a file from the command line?
  10. Do I know how to view a file’s permissions from the command line?