Pi_Hack_Me_AP Challenges

My Access Point firmware is a playground where you can learn by experience. You’ll have the opportunity to try on both offensive security and defensive security.

Gaining experience with offensive techniques is valuable because hacking is perceived as a magical power. If you know a spell and cast it correctly- you can do things that other people can’t. It isn’t magic. It’s logic & taste. If you know where to look, you’ll find spiders in any house. Hackers work the same way. We have an easy time gaining control of systems for four reasons.

  • Software quality standards are poor.
  • Assessing software quality requires reverse engineering experience
  • Humans assume usability is a proxy for measuring software quality
  • A defender needs to be right 100% of the time. A hacker only needs to be right once.

There are too many instances of dev education that indexes on getting a demo working quickly. Implementing AuthN/AuthZ logic that protects sensitive operations is a topic that’s typically reserved for advanced courses that not everyone takes. This means hackers tend to have an easy time discovering predictable implementation mistakes. Knowing how hackers are able to access your system forces you to learn the changes you need to make to secure it.

Gaining experience with defensive techniques is not easy. Assessing logs for evidence of attacks & compromise is pretty abstract unless you have an active attacker. When you run the attacks, you can look at the logs for evidence of attack activity. This also helps you get context on the privacy implications of accessing websites. I want to make sure ambitious kids understand that tampering with websites is easy to detect. I don’t want to see any kids getting into trouble with the law because they didn’t understand how traceable scanning is.

Below are the challenges I’ve shared with my daughter. I did quite a bit of hand-holding to get her across the line for hacking the wifi network. My objective is to have her go through these challenges on her own. Ideally, she’ll search the web for context on these questions and start learning how to work these things out on her own. It was self education that got me to this stage of my career. It’s a pattern that I know works, but it seems to be dying in certain subsets of the infosec world. If you decide to run this access point, you can use these challenges as a guide on what to try:

Easy Challenges

  1. What is the Wifi Password?
  2. When you are connected to the network, what is default gateway ipaddress and hostname of the default gateway? What is the IP address that was assigned to the device you were attached to? What is the DNS server’s IP address while you’re connected to the hotspot? (Need a clue? check out this video: https://www.youtube.com/watch?v=6PZp7LNKHgk)
  3. Are you able to connect to the Internet over the hotspot in its default configuration? How did you determine this? Why does or doesn’t it work?
  4. What possible entry points exist for gaining access to the Hotspot? Describe you tested to discover if the attack is possible? How can you gain shell access to the device? Do not continue to the next section until you have been able to gain access

Medium Challenges

  1. How do you change the password on the Access Point?
  2. How do you configure SSHD so that you don’t have to rely on passwords?
  3. What is the operating system version of the device?
  4. What services are listening on the device?
  5. What web server is running on the device?
  6. Describe any web page you found on the device. What was the URL? Were you able to view it?
  7. Where are the logs for the webserver stored?
  8. Where are the files for the webserver stored?
  9. Can you view the web page?

Advanced Challenges

  1. What is HostAPD?
  2. What is an interface?
  3. What interface is HostAPD running on?
  4. What is the ipaddress on wlan0?
  5. What is the ipaddress on eth0? Why?
  6. Where are the HostAPD access logs?
  7. What file do you need to edit to change the SSID, Password and wifi security settings?
  8. What is IP forwarding? What is ip Masquerading?
  9. What is a “router”?
  10. What are the major steps for turning our Hacking hotspot into a working wifi access point that gives access to the Internet?
  11. What is IP Forwarding? How do we enable it?
  12. How can you change your device into a working access point?
  13. How do you get connectivity working on the Ethernet Interface?
  14. Plugging it into a network with DHCP
  15. Plugging it into a network with static ip addresses
  16. How do you turn on ip forwarding in linux?
  17. How do you make it a permanent change?
  18. How do you activate Network Address translation?
  19. How do you vend IP addresses to devices that are attached to your network?

Privacy/Security Defense Challenges

  1. What does an admin know about you while you’re attached to the device?
  2. What do you see when running tail –f /var/log/hostapd.log while a device attaches to the wifi network?
  3. What do you see when running tail-f /var/log/dnsmasq.log while a device attaches to the wifi network?
  4. What do you see when running tail –f /var/log/lighttpd/access.log while a device browses to the web site?
  5. What are the privacy implications for connecting to a wifi network?
  6. What information does an Access Point operator have about you if you attach to that network?
  7. What kind of attacks can an admin execute while you’re attached to the device?
  8. What is packet sniffing? How could it be done?
  9. What is a MITM attack? How could it be done?
  10. What is DNS hijacking? How could it be done?
  11. How can you harden this access point so that no one could reproduce the attacks you used?
  12. How do you install software?
  13. How could you configure SSHD to resist brute force password guesses?
  14. What is Fail2Ban
  15. What is nftables?

Basics of getting around on a Mac

If you are brand new to computing, it’s helpful to set the stage a little bit. Computers are these boxes that do things. You’re probably comfortable opening up a browser and searching youtube, but there’s a lot that goes on in the operating system and it can be easy to get by without learning the lay of the land. I’ve got a few links to get you started.

The basic features you should strive to get a handle on are:

  • Basic keyboard shortcuts
  • How to right click and navigate with a touchpad
  • Launching apps via dock
  • Navigating the file system using finder
  • Learning how to find and launch the installed applications using the finder
  • The terminal

ThisIsE has a nice short tutorial video that gives you a tour of everything on the Mac. It covers important topics like the dock, finder, command shortcuts and configuring the system. It’s only 13 minutes and worth a view if you’re unfamiliar with the Mac:

https://youtu.be/egK5BKEn87c?t=27

Perhaps you don’t like videos and prefer to read. Apple also has a very nice e-book that covers the major features of the macbook air. This renders in the apple books app- so you can view it on an iphone and it has the nice property of being free 😀

https://books.apple.com/us/book/macbook-air-essentials/id1432979717

The Terminal (aka the command line)

Additionally, we’re going to be doing a lot of work in the Terminal, so it is worth familiarizing yourself with this video explaining what the terminal is:

https://www.youtube.com/watch?v=FfT8OfMpARM

UPDATE 2/16/22: This video is a speed run of helpful tips for the Mac Terminal:
https://www.youtube.com/watch?v=qOrlYzqXPa8

Some self test questions:

  1. Do I know how to copy and paste on a mac from keyboard shortcuts?
  2. Do I know how to delete files from the UI?
  3. Do I know how to view a file?
  4. Do I know how to navigate to the “Documents” directory under my account?
  5. Do I know how to change system settings on a mac?
  6. Do I know how to add a program to the Dock?
  7. Do I know how to close a program that doesn’t respond?
  8. Do I know how to view a file from the command line?
  9. Do I know how to to delete a file from the Command Line?
  10. Do I know how to view a file’s permissions from the command line?

Password Strength

A password’s “strength” comes from three elements of the password:

  1. The length of a password.  We measure the length as the number of characters password. “password” is 8 characters long. A longer password is more difficult to discover through brute force methods. This is because there is a larger set of elements to test.
  2. The range of characters allowed in the password.   A large set of possible characters makes brute force discovery of passwords more difficult. This is because there is a larger set of characters to test in for each possible password element.
  3. The cracking speed of a brute force generator.  Attackers can use brute forcing tools that will try to grind through all possible passwords. This relates to the speed of the cracker, such as 1,000,000 tries per second.

There is a simple formula to discover the number of possible password passwords on a system. You only need to know the set of possible characters & the length of the password.  

Let us assume the password length is 8 characters. Let us also assume that there are no restrictions on reusing characters within the password.  

We will calculate the number of possible Permutations With Repetition.

Let’s refer to the password as an “array.”  An array is a data structure that is a collection of elements.  If a password is 8 characters long, we’re saying that the password is an array that can have 8 elements in it.  Each element gets it’s own character.  We can visualize a password array using the password “PASSWORD”

PASSWORD
An example all uppercase 8 character password array

P is the first element. A is the second element. S is the third element and so on.

Let us assume only upper case letters are allowed in the password. The possible range of characters for the first element is: [A,B,C, … X,Y,Z].  So this gives us a 26 possible values that could be included in the password.

Unfortunately, passwords often include lower case letters. We need to add the range of lowercase characters in set.  If the password is only Upper and Lower case values, that means we have 26+26= 52 possible values.  

password
PASSWORD
An all lowercase and an all uppercase 8 character password array

Passwords often have include Numbers.  Since each element only has one character, this means that the set of possible values are between 0 and 9.  The total number of possible values is 10, so we must increase our potential set of possible values to 26+26+10= 62 possible values.  

When looking at our 8 character password, we’ll just include the ordered list of numbers from 0 to 7 in our example.  Note that it could be any order of numbers included.

password
PASSWORD
01234567
An all lowercase and an all uppercase 8 character password array, followed by an example password consisting of only numbers.

Finally, passwords often include special characters & punctuation.  There are 33 characters & special punctuation marks on the standard US keyboard.  

password
PASSWORD
01234567
!@#$%^&*
An all lowercase and an all uppercase 8 character password array, followed by an example password consisting of only numbers and an example password of only special characters.

In our visualization, we included the 4 arbitrary password examples. PASSWORD and some 8 character passwords consisting of only numbers & letters.  In all likelihood, none of these examples are going to be correct.  It’s likely to be an ugly combination of something like “72%aoPs4”.

Our total possible values has become 26+26+10+33=95 possible values.  This means in our 8 character password, each element could have one of 95 possible values.

We calculate the potential set of values as n^k, where n is the set of possible values and k is the length of the the password (also referred to as the number of elements) .  This means there are 95^8 possible values, which translates to 6,634,204,312,890,625 possible passwords.  So about 6.6 quadrillion passwords.  This is a big number.  

Let’s assume you could create one password per second. It would take you about 210 million years to exhaust the potential set of passwords. Luckily, computers can help us test far more than one password per second.  But it still would take time to get through the entire set of passwords.  Cracking a password by trying every possible combination will take a lot of time. Is there a better strategy?

Some Cool Things

LEARN HTTP:

This is the best crash course I’ve seen for learning http at a deep and practical linux practioner level. I love that they are demoing how to pipe linux commands together to construct these requests and demonstrate how to make different classes of requests. If you are passionate about networking, this is an amazing read:

https://fasterthanli.me/articles/the-http-crash-course-nobody-asked-for

Accelerate Ansible Playbook Development

This is a Proof of Concept demo that is showing an application of a concept akin to Github’s copilot with Ansible. I spend a lot of time building ansible playbooks to do a thing. I’ve been thinking about how to tag & document useful playbooks. This demo is something I’ve been striving to create- but IBM has demo’d it faster:

https://research.ibm.com/blog/ai-for-code-project-wisdom-red-hat

Ansible: Saving Time by Locally Caching material

The BuilderHotspot can be used to save time building Single Board Computing firmware images where firmware components are installed using apt-get.

Downloading & compiling drivers can be painfully slow. I recently built a recipe for running a phony wifi network that spoofs common wifi SSIDs like “NETGEAR”. The solution relies on the AWUS036AH wifi adapter. These drivers aren’t available via apt- so I I need to download, configure, compile & install drivers. These activities add about 30 minutes to a firmware build- it would be advantageous to find some ways to speed this up.

We can reduce some time by:

  • Saving the driver files locally on the builder hotspot
  • pre-compiling them for target machines
  • syncing them to the target
  • then running make install on the target system.

I don’t want to package the drivers in the main recipe I publish- the drivers may be inappropriate for the target system- so I need a solution that will work for people generally.

I solved this problem by using some ansible conditionals.

I precompiled the rtl8812au drivers and stuck them in the Pi’ account’s home directory on the BuilderHotspot.

The logic of this playbook is:

If I have a rtl8812au in the home directory (discovered by stat’ing the location), register a variable called rtl8812au_config.

If the variable is defined, then I can use the synchronize step.

If the variable is not defined (because the directory was not identified), then we’ll go ahead and do a git clone- and in later steps, compile and install the drivers.

   - name: Check for /home/pi/rtl8812au
     delegate_to: localhost
     stat:
       path: /home/pi/rtl8812au
     register: rtl8812au_config 
     tags:          
     - dual_nic
     - catcher
     - awus03ach_wifi

   - name: Synchronization of files for rtl8812 wifi 
     synchronize: 
       src: "/home/pi/rtl8812au"
       dest: /tmp/
     when: rtl8812au_config is defined
     tags:          
     - dual_nic
     - catcher
     - awus03ach_wifi

   - name: Clone of rtl8812au drivers
     ansible.builtin.git:
       repo: https://github.com/aircrack-ng/rtl812au.git/
       dest: /tmp
       single_branch: yes
       version: master
     when: rtl8812au_config is undefined
     tags:          
     - dual_nic
     - catcher
     - awus03ach_wifi 

Configure dhcpcd to ignore wlan0


If you futz with multiple nics on a raspberry pi, at some point you will have to deal with disabling dhcp on a specific NIC. Here is some quick guidance on what to do:

Configure dhcpcd to ignore wlan0

dhcpcd is the linux dhcp client. dnsmasq is commonly used as a dhcp server. If you are doing something with both on the same client, you might have weird conditions where you are trying to set a static ip on the interface that is vending dhcp addresses. You’ll want to disable that interface from listening to the dhcp server.

Check /etc/network/interfaces; this should be empty except for an include from /etc/network/interfaces.d (which is in turn empty).

Edit /etc/dhcpcd.conf:

denyinterfaces wlan0

sudo systemctl restart dhcpcd.

BuilderHotspot //todos

Publish a repository of example recipes that includes:

  • Marathon Wifi trap
  • The Easiest Raspberry Pi Web Server
  • Photo Sharing Solution
  • Pcap on demand
  • Recipe with universally valuable defaults for catching gotchas
  • Unit Tests for validating a recipe

Update Default Recipe to address unnecessarily large journal logs (https://askubuntu.com/questions/1238214/big-var-log-journal)

edit /etc/systemd/journald.conf to Activate the SystemMaxUse= option there, e.g. as SystemMaxUse=100M to only use 100 MB.