Hardware – Open-Source NSA Technology (Airborne Wifi)
As you are probably already aware, a certain person decided to smear a large number of highly classified documents over the internet. Part of these documents however included the ‘ANT’ Hardware Catalogue.
ANT is a division of the NSA responsible for developing hardware devices and software for use by the ‘Tailored Access Operations’ division.
The full catalogue is available from multiple sources – Although This gives a good overview of the capabilities of each device.
The one product we’re going to focus on here is called SPARROW-II 
As you can see – this system is used as a mobile wireless network (WLAN) detection point.
As you can see – this system is used as a mobile wireless network (WLAN) detection point.A small computer intended to be used for WLAN collection, including from UAVs. Hardware: IBM Power PC 405GPR processor, 64 MB SDRAM, 16 MB of built-inflash, 4 mini PCI slots, CompactFlash slot, and 802.11 B/G hardware. Running Linux 2.4 and the BLINDDATE software suite. Unit price (2008): $6K. (Wikipedia)
Another thing to note at the very bottom is the price: $6000 If you’re unsure as to why we might be interested in finding out the locations of wireless networks – Wikipedia explains the concept Here. It’s also a very useful way of profiling a companies exposure during a security assessment. Normally wardriving is conducted from a car (hence the driving). But the SPARROW system allows an aircraft or small UAV to map networks, giving a large amount of capability. It also allows discovery of networks in very sparsely populated areas like, say, deserts… So the obvious thing to do now is to try and build an open-source version of this piece of hardware. Let’s break down exactly what it is we want the system to do:
- Sniff WLANs
- Associate WLANs with a location
- Log the locations
- Operate autonomously (and independant of mains power)
Now our budget is considerably lower than that of the NSA… With that in mind, the following components are used to build the system:
- Alpha AWUS036H – Fairly standard USB Wifi adapter for WLAN detection (£20) – amzn.to/1fepQvc
- Raspberry Pi Model B (512Mb RAM)- Cheap, small linux computer that will provide the ‘brains’ for the system (£30)- amzn.to/1ioc4Xi
- 8Gb SD Card – Storage for the Raspberry pi (£5) –amzn.to/1rwDgEy
- Ublox GY-NEO6MV2 GPS Module – The easiest way to map a network to a set of co-ordinates. (£10) – ebay.eu/1lSoOI3
- 12000mAh USB Battery – Provides power in order to keep the system running – (~£25) amzn.to/1fiBLrt
- USB hub – Allows us to use multiple peripherals with the Raspberry pi, and solves power issues (~£10)
So in total, that brings us to a cost of around £100. Of course, that’s assuming you pay full price. Ebay (and similar sites), or an Academic discount can be used to obtain this equipment at much cheaper rates… So how does it all fit together? The diagram below shows how all of the various bits plug into each other:
If you are aiming to try to build this yourself, this tutorial is really good for interfacing the GPS Module to the Raspberry Pi using the UART GPIO pins Here (Google translate works wonders!) For testing purposes, an ethernet cable was used to allow SSH access to the Raspberry pi. When airborne however, this can also be acheived by using another 802.11 Wifi adapter as a downlink, or by using a 3G internet dongle. (In my case, I went for the 802.11 option). This means we can now remotely see the location of the system, using any number of programs that make use of the gpsd daemon (gpsmon is shown below) 
More importantly for wifi-mapping though, we can use the aircrack-ng suite of tools (Homepage Here). This allows us to:
If you are aiming to try to build this yourself, this tutorial is really good for interfacing the GPS Module to the Raspberry Pi using the UART GPIO pins Here (Google translate works wonders!) For testing purposes, an ethernet cable was used to allow SSH access to the Raspberry pi. When airborne however, this can also be acheived by using another 802.11 Wifi adapter as a downlink, or by using a 3G internet dongle. (In my case, I went for the 802.11 option). This means we can now remotely see the location of the system, using any number of programs that make use of the gpsd daemon (gpsmon is shown below) More importantly for wifi-mapping though, we can use the aircrack-ng suite of tools (Homepage Here). This allows us to:- Generate a log of every wireless network we’ve seen, along with it’s gps location.
- Listen to every wireless client (phone/laptop/fridge) that is on, and map it
- Break into insecure wireless networks
If you want to learn how to use those tools, there are far better explanations than I can give out in the wider internet. airodump-ng is below, with the local networks shown. 
And then, a map of all of the WLAN networks on a street in Bristol: 
I would like to show a specific example however: What a lot of people don’t realise is that their iPhone/Blackberry/Android/whatever phone has WiFi on by default. When a wireless client (aka Phone) is on, it is constantly asking everyone within range if they are one of a list of networks it ‘remembers’. Why does this matter? It’s trivial to create a rogue access point that pretends to be every network that anyone asks for. The wireless client will then connect to it, no questions asked, and allow it to inject malicious content into browsing sessions, sniff passwords, etc. For an example of this attack scenario, see Here. On a (slightly) less malicious level, knowing where a phone has been is useful intelligence data. It also allows us to potentially locate homes and work locations of targets. airodump-ng can show probe requests (from the aircrack-ng suite), but it’s not very good at only showing them. Instead, the command:
And then, a map of all of the WLAN networks on a street in Bristol: I would like to show a specific example however: What a lot of people don’t realise is that their iPhone/Blackberry/Android/whatever phone has WiFi on by default. When a wireless client (aka Phone) is on, it is constantly asking everyone within range if they are one of a list of networks it ‘remembers’. Why does this matter? It’s trivial to create a rogue access point that pretends to be every network that anyone asks for. The wireless client will then connect to it, no questions asked, and allow it to inject malicious content into browsing sessions, sniff passwords, etc. For an example of this attack scenario, see Here. On a (slightly) less malicious level, knowing where a phone has been is useful intelligence data. It also allows us to potentially locate homes and work locations of targets. airodump-ng can show probe requests (from the aircrack-ng suite), but it’s not very good at only showing them. Instead, the command:tcpdump -i mon0 ‘(type mgt subtype probe-req)’ -e
Will give us the requested network names, and the MAC address of the sending device. With a small amount of python magic (available at the bottom of the post), we can get a nicer display of all of the network names associated with each client, and the manufacturer of the device.
So now all we need to to is go and attach this to an aircraft 
So in summary, we’ve increased the amount of RAM, storage and computational power over the SPARROW-II system, whilst using a budget 60 times smaller. However, the resulting system is considerably heavier than the SPARROW-II. Currently, it weighs in at around 500g, which is quite a lot for a UAV system. However, about a third of this weight is plastic case, which could be removed and replaced with styrofoam padding. If I ever get my small UAV working again, I’ll be sure to give it a test-flight!
So in summary, we’ve increased the amount of RAM, storage and computational power over the SPARROW-II system, whilst using a budget 60 times smaller. However, the resulting system is considerably heavier than the SPARROW-II. Currently, it weighs in at around 500g, which is quite a lot for a UAV system. However, about a third of this weight is plastic case, which could be removed and replaced with styrofoam padding. If I ever get my small UAV working again, I’ll be sure to give it a test-flight!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
| #!/usr/bin/python# Generates list of WLAN Clients in area, along with their requested networks## Parses piped stdin of 'tcpdump -i mon0 '(type mgt subtype probe-req)' -e'## Joe Greenwood# Hyperion Bristol 2014import osfrom netaddr import *import timeimport sysdef update_probelist(probes): data = sys.stdin.read(1024) print data f = data.split("\n") for line in f: try: wlan = line.split("Probe Request")[1].split(")")[0].replace("(","").lstrip(" ") client = line[line.index("SA")+3:line.index("SA")+20] #print client, wlan client = EUI(client.replace(":","-").upper()) oui = client.oui client_org = oui.registration().org client = str(client)+" "+client_org try: if wlan not in probes[client] and wlan!=" ": probes[client].append(wlan) except: probes[client] = [wlan] except: passprobes = {}while 1: update_probelist(probes) print("\n"*30) for i in probes: print(i) print(probes[i]) |
