telot Posted January 3, 2013 (edited)

The Interceptor has long been kind of a dead project. It makes sense too. The Fon+, the hardware Robin Wood originally wrote his Interceptor code for, is way past EOL, hard to find, and under-featured given the current landscape of embedded/SoC offerings. By borrowing some of irongeek's Raspberry Pi recipes, and adding in some pi-point, I was able to get very similar functionality out of my Raspberry Pi. Here's how.

Hardware:
Raspberry Pi Model B
32GB SD card
Belkin 4 port powered USB hub
Alfa wifi card (NHA, from the hakshop)
USB Ethernet adapter (also from the hakshop)

OS: latest image of Raspbian

Software (all can be apt-get installed):
bridge-utils
tcpdump
hostapd
fkill
zd1211-firmware
hostap-utils
iw
dnsmasq

Edit /etc/network/interfaces to look like this:

auto lo
iface lo inet loopback

iface eth0 inet dhcp

iface wlan0 inet static
address 192.168.0.1
netmask 255.255.255.0

Edit /etc/dnsmasq.conf:

# Never forward plain names (without a dot or domain part)
domain-needed
# Only listen for DHCP on wlan0
interface=wlan0
# Create a dhcp range on your /24 wlan0 network with 12 hour lease time
dhcp-range=192.168.0.5,192.168.0.254,255.255.255.0,12h

Edit /etc/hostapd/hostapd.conf (notice it is WPA with the preshared key at /etc/hostapd-psk; the SSID is also hidden):

interface=wlan0
driver=nl80211
ssid=monkey
channel=1
auth_algs=1
wpa=1
wpa_psk_file=/etc/hostapd-psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
ignore_broadcast_ssid=1

Next, create/edit /etc/hostapd-psk:

00:00:00:00:00:00 YourSuperLongAndSecurePasswd

We're all set! Below you'll see my script for the intercepting portion of the monkey. Feel free to put it in /etc/rc.local to make it run on boot up.

#!/bin/bash
# Change settings below to match network
eth_ip="192.168.1.199"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

# Bridge the two wired interfaces so frames pass straight through
brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1

# Bring the bridge members up with no address of their own, in promiscuous mode
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig mybridge promisc up

# The bridge itself gets the LAN address configured above
ifconfig mybridge "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"

# Write everything seen on eth1 to a pcap file, in the background
tcpdump -i eth1 -w /root/cap.pcap &

And here is my script for the wifi access point portion of the monkey; again, you can put it in rc.local:

# turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable NAT
iptables -t nat -A POSTROUTING -j MASQUERADE
# start the access point
hostapd -B /etc/hostapd/hostapd.conf

Now you're passing along all wired traffic to and from your wired victim, all whilst capturing every packet that goes by. You can then surreptitiously nab the pcap via the hidden wifi AP.

What it doesn't do: unlike the Interceptor, it doesn't clone the traffic and pipe it over wifi and/or VPN. It merely captures the traffic and stores it for later retrieval. This was necessary with the original Fon+, because there was no USB port, and only a dozen or so MB of storage. Now with USB and storage cheaper than ever, you can store days/weeks/months of captures if you want.

Things to add:
- Cronjob that will only turn on the wifi at certain times, such as after business hours. That way no employee who happens to be chilling with airodump-ng running notices anything odd.
- Cronjob that changes the wifi card from master mode to managed and connects to a wifi access point as a client to securely send the cap files. In doing so you could also send an email/upload a status file.
- Add Jasager functionality to the wifi AP (this one's the biggy).
- Add the all-important sslstrip functionality (something I've tried but can't get to work; if there's interest, I'll happily share my findings).
- Add in Moriarty's awesome new UWUI.

So that's it! I've been testing this for the last several hours and it works great.
Hope you guys find this interesting enough to give it a try yourself and post your experience here. Long live the interceptor monkey!

telot

Edited January 3, 2013 by telot
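The hostapd.conf above sets ignore_broadcast_ssid=1, so the AP beacons with an empty or NUL-padded SSID rather than not beaconing at all. As an added example (not from this post), here is a defender-side check that parses the text output of `iw dev wlan0 scan` and flags every BSS that hides its SSID, which is how a wireless survey would surface a device like this; the scan text is constructed sample data and the field layout assumed is iw's textual scan output.

```python
# Added example (not from the thread): flag hidden-SSID access points in
# `iw dev wlan0 scan` output. SAMPLE_SCAN is constructed, not a real capture.
import re

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tcapability: ESS Privacy (0x0411)
\tSSID: CorpWiFi
\tDS Parameter set: channel 6
BSS 66:77:88:99:aa:bb(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: 
\tDS Parameter set: channel 1
BSS cc:dd:ee:ff:00:11(on wlan0)
\tcapability: ESS (0x0401)
\tSSID: \\x00\\x00\\x00\\x00
\tDS Parameter set: channel 11
"""


def parse_scan(text):
    """Split `iw` scan output into one dict per BSS block."""
    bsses, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:  # new BSS block; the indented lines that follow belong to it
            cur = {"bssid": m.group(1), "ssid": None, "channel": None,
                   "privacy": False}
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()  # iw escapes non-printables as \xNN
        elif s.startswith("DS Parameter set: channel"):
            cur["channel"] = int(s.rsplit(None, 1)[1])
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s  # WEP/WPA/WPA2 in use
    return bsses


def is_hidden(ssid):
    """Hidden APs beacon a zero-length SSID or one padded with NUL bytes."""
    return not ssid or not ssid.replace("\\x00", "")


def find_hidden(text=SAMPLE_SCAN):
    """Return (bssid, channel, privacy) for every BSS that hides its SSID."""
    return [(b["bssid"], b["channel"], b["privacy"])
            for b in parse_scan(text) if is_hidden(b["ssid"])]
```

Feed it the real output of `iw dev wlan0 scan` and compare the flagged BSSIDs against your inventory of sanctioned APs; an unknown hidden BSS on an office channel is worth walking down.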
Mr-Protocol Posted January 3, 2013

In theory, it can be done with the Mark IV as well.
inTheDMZ Posted January 3, 2013

I have hostapd-karma running on the Pi; just follow digininja's guide. I used a TP-Link TL-WN812N. You will need a powered hub, otherwise the adaptor is underpowered and hostapd will conk out!
telot Posted January 3, 2013 (Author)

Mr-Protocol: For sure. I'm still waiting with bated breath for Seb to release a new firmware with Interceptor support (it's been talked about since the Mark IV came out, but I'm still hopeful).

inTheDMZ: I got Karma going as well on a previous project with the Pi; digininja's guide was pretty easy to follow. I decided to go with the NHA for my pi-karma as well as this Interceptor version. The card is just robust and awesome and wireless-N. I've left Karma off this build so far, because I ran out of time, and I'm not sure it's a feature that everyone would want with a device like this. Karma is something that a good (or even semi-good) sysadmin would notice over time, and bringing attention to your wireless/wired network tap is probably not a good idea. Regardless, I'll still build it in so the option is there for people.

Cheers
telot
inTheDMZ Posted January 3, 2013

That's a good point. What about some Kismet monitoring to see what wireless activities are going on?
Mr-Protocol Posted January 3, 2013

> Mr-Protocol: For sure. I'm still waiting with bated breath for Seb to release a new firmware with Interceptor support (it's been talked about since the Mark IV came out, but I'm still hopeful).
> inTheDMZ: I got Karma going as well on a previous project with the Pi; digininja's guide was pretty easy to follow. I decided to go with the NHA for my pi-karma as well as this Interceptor version. The card is just robust and awesome and wireless-N. I've left Karma off this build so far, because I ran out of time, and I'm not sure it's a feature that everyone would want with a device like this. Karma is something that a good (or even semi-good) sysadmin would notice over time, and bringing attention to your wireless/wired network tap is probably not a good idea. Regardless, I'll still build it in so the option is there for people.
> Cheers
> telot

Everyone has been extremely busy as of late. I've even hardly had a chance to talk with Seb.
lester Posted January 4, 2013

Can someone point me to digininja's guide referenced in this thread? Thanks.
digininja Posted January 4, 2013

Nice work. The only thing I'd say is different is that when I built the original I decided not to store any data on the device, as it is a small portable device and could easily be stolen with the client data on it; that is why I set up the VPN and sent data off site.

Seb asked me about writing an Interceptor module for the Pineapple and it is on my list.
telot Posted January 4, 2013 (Author, edited)

> Seb asked me about writing an Interceptor module for the Pineapple and it is on my list.

Swoot! I know I speak for many in saying that we're really excited to have that additional functionality in our Pineapples. Thanks digininja!

telot

Edited January 4, 2013 by telot
digininja Posted January 4, 2013

I'm trying not to promise much, as I've very little time, but I'll see what I can do.
Mr-Protocol Posted January 4, 2013

> I'm trying not to promise much, as I've very little time, but I'll see what I can do.

Isn't it mostly just port forwarding traffic to the "internet" interface and a VPN tun/tap interface?
digininja Posted January 4, 2013

Yeah, that's it, but you would have to make sure that you set it up so that you don't lose your connection when you start it and that it rolls things back correctly.
Mr-Protocol Posted January 4, 2013

> Yeah, that's it, but you would have to make sure that you set it up so that you don't lose your connection when you start it and that it rolls things back correctly.

Yeah, I figured so. I had quite a bit of fun getting my VPN tunnel/proxy online for when I travel.
demonjester Posted February 2, 2013

I did something like this with the TP-Link 703N + USB Ethernet adapter a couple of weeks ago. It is good to see this up and running again.
telot Posted February 4, 2013 (Author)

Would you mind posting details or a how-to, demonjester? I'm very interested to see how others are going about it. Thanks!

telot
demonjester Posted February 4, 2013 (edited)

> Would you mind posting details or a how-to, demonjester? I'm very interested to see how others are going about it. Thanks!
> telot

At the moment the one downside will be that it receives a router IP address, so when it gets hooked up it will be listed as "whatever" "192.168.x.x" (for example). I am gonna see if I can have it to where it won't receive an IP address, and try to make the traffic go straight through.

Anyway, it was rather simple. Get a USB to Ethernet adapter; I have a Belkin brand (for testing purposes). You will need to download some packages. Make sure you have these packages installed:

kmod-usb-core
kmod-usb-net
kmod-usb2
kmod-ohci OR uhci

These are the basic requirements. Now plug your USB Ethernet adapter into the 703N, type ifconfig -a and see if it shows up. If it does, awesome (slim chance it will); if not, then type dmesg and look for anything saying usb near the bottom of the dmesg (it should also have what chipset the USB Ethernet adapter is using). When I did this I found out my USB Ethernet adapter had an ASIX chipset (yours may vary), so I went to download.openwrt.org and looked up packages for my firmware (mine was Attitude Adjustment; yours may also vary). I searched for anything related to asix, and found this package: kmod-usb-net-asix

You will most likely have a small amount of room left just to install tcpdump to capture packets (chances are you will need to do the internal USB hub mod or just find a cheap self-powered hub to use a flash drive to save your packet captures). I pretty much bridged eth0, eth1 and wlan0 together, and made the SSID hidden. That was about it. Sorry to thread jack; I will make my own thread if needed.

Edited February 4, 2013 by demonjester