Jump to content

The Monkeys Back! The Interceptor Lives Again!


telot

Recommended Posts

The Interceptor has long been kind of a dead project. It makes sense too. The fon+, the hardware Robin Wood originally wrote his interceptor code for is way past EOL, hard to find, and under-featured given the current landscape of embedded/SOC offerings. By borrowing some of irongeek's raspberry pi recipes, and adding in some pi-point, I was able to get very similar functionality out of my raspberry pi. Heres how.

Hardware:

Raspberry Pi Model B

32GB SD Card

Belkin 4 port powered USB hub

Alfa wifi card (NHA, from the hakshop)

USB Ethernet adapter (also from the hakshop)

OS:

Latest image of rasbian

Software: All can be apt-get installed

bridge-utils

tcpdump

hostapd

fkill

hostapd

zd1211-firmware

hostap-utils

iw

dnsmasq

Edit /etc/network/interfaces to look like this:

auto lo
iface lo inet loopback
iface eth0 inet dhcp
iface wlan0 inet static
address 192.168.0.1
netmask 255.255.255.0

Edit /etc/dnsmasq.conf

# Never forward plain names (without a dot or domain part)
domain-needed

# Only listen for DHCP on wlan0
interface=wlan0

# Create a dhcp range on your /24 wlan0 network with 12 hour lease time
dhcp-range=192.168.0.5,192.168.0.254,255.255.255.0,12h

Edit /etc/hostapd/hostapd.conf (notice it is wpa with the preshared key at /etc/hostapd-psk - the ssid is also hidden)

interface=wlan0
driver=nl80211
ssid=monkey
channel=1
auth_algs=1
wpa=1
wpa_psk_file=/etc/hostapd-psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
ignore_broadcast_ssid=1

Next Create/edit /etc/hostapd-psk

00:00:00:00:00:00 YourSuperLongAndSecurePasswd

We're all set! Below you'll see my script for the intercepting portion of the monkey. Feel free to put it in /etc/rc.local to make it run on boot up.

#!/bin/bash
#Change settings below to match network
eth_ip="192.168.1.199"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig mybridge promisc up
ifconfig mybridge $eth_ip netmask $eth_netmask broadcast $eth_broadcast
tcpdump -i eth1 -w /root/cap.pcap &

And here is my script for the wifi access point portion of the monkey, again you can put it in rc.local

# turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# enable NAT
iptables -t nat -A POSTROUTING -j MASQUERADE

# start the access point
hostapd -B /etc/hostapd/hostapd.conf

Now you're passing along all wired traffic to and from your wired victim, all whilst capturing every packet that goes by. You can then surreptitiously nab the pcap via the hidden wifi AP.

What it doesn't do:

Unlike the interceptor, it doesn't clone the traffic and pipe it over wifi and/or vpn. It merely captures the traffic and stores it for later retrieval. This was necessary with the original fon+, because there was no usb port, and only a dozen or so MB of storage. Now with USB and storage cheaper than ever, you can store days/weeks/months of captures if you want.

Things to add:

-Cronjob that will only turn on the wifi at certain times such as after business hours. That way no employee who happens to be chilling with airodump-ng running notices anything odd.

-Cronjob that changes the wifi card from master mode to managed and connects to a wifi access point as a client to securely send the cap files. In doing so you could also send an email/upload a status file.

-Add Jasegar functionality to the wifi AP (this ones the biggy)

-Add the all important sslstrip functionality (something I've tried but can't get to work - if theres interest, I'll happily share my findings)

-Add in Moriarty's awesome new UWUI

So thats it! I've been testing this for the last several hours and it works great. Hope you guys find this interesting enough to give it a try yourself and post your experience here.

Long live the interceptor monkey!

telot

Edited by telot
Link to comment
Share on other sites

Mr-Protocol: For sure. I'm still waiting with bated breath for Seb to release a new firmware with interceptor support (its been talked about since the mark4 came out, but I'm still hopeful).

inTheDMZ: I got Karma going as well on a previous project with the pi - digininja's guide was pretty easy to follow. I decided to go with the NHA for my pi-karma as well as this interceptor version. The card is just robust and awesome and wireless-N. I've left Karma off this build so far, because I ran out of time, and I'm not sure its a feature that everyone would want with a device like this. Karma is something that a good (or even semi-good) sysadmin would notice over time, and bringing attention to your wireless/wired network tap is probably not a good idea. Regardless, I'll still build it in so the option is there for people.

Cheers

telot

Link to comment
Share on other sites

Mr-Protocol: For sure. I'm still waiting with bated breath for Seb to release a new firmware with interceptor support (its been talked about since the mark4 came out, but I'm still hopeful).

inTheDMZ: I got Karma going as well on a previous project with the pi - digininja's guide was pretty easy to follow. I decided to go with the NHA for my pi-karma as well as this interceptor version. The card is just robust and awesome and wireless-N. I've left Karma off this build so far, because I ran out of time, and I'm not sure its a feature that everyone would want with a device like this. Karma is something that a good (or even semi-good) sysadmin would notice over time, and bringing attention to your wireless/wired network tap is probably not a good idea. Regardless, I'll still build it in so the option is there for people.

Cheers

telot

Everyone has been extremely busy as of late. I've even hardly had a chance to talk with Seb.

Link to comment
Share on other sites

Nice work. The only thing I'd say is different is that when I built the original I decided not to store any data on the device as it is a small portable device and could easily be stolen with the client data on it, that is why I set up the VPN and sent data off site.

Seb asked me about writing an interceptor module for the Pineapple and it is on my list.

Link to comment
Share on other sites

Seb asked me about writing an interceptor module for the Pineapple and it is on my list.

Swoot - I know I speak for many in saying that we're real excited to have that additional functionality in our pineapples. Thanks digininja!

telot

Edited by telot
Link to comment
Share on other sites

  • 4 weeks later...

Would you mind posting details or a how-to demonjester? I'm very interested to see how others are going about it. Thanks!

telot

Link to comment
Share on other sites

Would you mind posting details or a how-to demonjester? I'm very interested to see how others are going about it. Thanks!

telot

Atm the moment the one downside will be that it receives a router ip address so when it gets hooked up it will be listed as "whatever" "192.168.x.x" (for example) I am gonna see if I can have it to where it won't receive a ip address, and try to make the traffice go straight through.

ANYWAYS it was rather simple, get a usb to ethernet adapter I have a belkin brand (for testing purposes).

You will need to download some packages

Make sure you have these packages installed.

kmod-usb-core

kmod-usb-net

kmod-usb2

kmod-ohci OR uhci

These are the basic requirements. Now plug in your usb ethernet adapter into the 703n, type ifconfig -a and see if it shows up, if it does awesome (slim chance it will) if not, then type dmesg look for anything saying usb (should also have what chipset the usb ethernet adapter is using) near the bottom of the dmesg, when I did this I found out my usb ethernet adapter had asix chipset (Yours may vary) so I went to download.openwrt.org and looked up packages for my firmware (mine was attitude adjustment yours may also vary) I searched for anything related to asix, and found this package

kmod-usb-net-asix

You will most likely have small amount of room left just to install tcpdump to capture packets (chances are you will need to do the internal usb hub mod or just find cheap self powering hub to use a flash drive to save your packet captures.)

I pretty much bridged eth0,eth1,wlan0 together, and made the SSID hidden. That was about it.

Sorry to thread jack, I will make my own thread if needed.

Edited by demonjester
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...