Remote capture using WLAN Pi on macOS

Following the small script WLANPiShark (https://github.com/wifinigel/WLANPiShark) created by @wifinigel (you can read his blog post for the details), I wanted to do the same from a macOS client.

To do this, we need passwordless SSH access to the WLAN Pi (key-based authentication) and a user that can run the required sudo commands without being asked for a password.

Set passwordless access to the WLAN Pi

To enable SSH access without a password, public-key authentication must be enabled on the WLAN Pi and the sudo password prompt must be disabled for the user. In my example, no sudo command requires a password; it can be restricted to only the commands you need (a quick search for the sudoers NOPASSWD syntax will show you how). Keep in mind that whoever holds the private key then has root on the WLAN Pi, so protect the key file (or give it a passphrase and load it into ssh-agent).

On the WLAN Pi

  1. set up SSH key authentication on the WLAN Pi (run these commands as root, or prefix them with sudo)
    1. modify /etc/ssh/sshd_config to allow key authentication (the file is /etc/ssh/sshd_config, not /etc/sshd.conf)
      1. add or uncomment PubkeyAuthentication yes (it is already the default on a stock OpenSSH install)
      2. if AuthenticationMethods is set, it must contain publickey
      3. RSAAuthentication only applied to the obsolete SSH protocol 1 and is ignored by current OpenSSH, so there is no need to add it
    2. restart the SSH daemon
      1. systemctl restart ssh (the unit is called ssh on Debian-based images, sshd on some others)
  2. create a new user (you can use your own username)
    1. adduser username
  3. add the new user to the sudo group
    1. usermod -aG sudo username
  4. allow the new user to run sudo without a password
    1. sudo visudo
      1. add the following line at the end of the file
        1. username ALL=(ALL:ALL) NOPASSWD:ALL
        2. Note this is where you can restrict which commands can be run without a password; ALL means the key holder gets unrestricted root on the WLAN Pi

On your macOS device

  1. generate an SSH key pair
    1. run the command ssh-keygen -t rsa (ssh-keygen -t ed25519 also works with current OpenSSH and gives a much shorter key)
  2. copy the public key to the WLAN Pi
    1. ssh-copy-id -i ~/.ssh/id_rsa.pub username@wlanpiipaddress
  3. test the connection
    1. ssh username@wlanpiipaddress
      1. No password should be required
  4. test sudo access without a password
    1. type the command sudo su -
      1. the prompt should change to #
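The NOPASSWD:ALL line above hands the key holder unrestricted root. As an added example (not from the original post or from WLANPiShark), the shell functions below generate a sudoers drop-in limited to the commands the capture actually uses, and a separate function validates it with visudo -cf before you rely on it. The binary paths in CAPTURE_CMDS are assumptions for a Debian-based WLAN Pi image; check each one with command -v on your unit and adjust. Note that passwordless sudo on tcpdump is still root-equivalent (tcpdump's -z option runs a post-rotate command as root), so this restriction limits accidents, not a hostile key holder; protect the private key accordingly.

```shell
#!/bin/sh
# Least-privilege sudoers rule for the WLAN Pi capture user.
# Added example; the paths below are ASSUMPTIONS for a Debian-based WLAN Pi
# image. Verify each with "command -v <tool>" on the WLAN Pi before use.
CAPTURE_CMDS="/usr/bin/pkill, /usr/sbin/airmon-ng, /sbin/ifconfig, /sbin/iw, /usr/sbin/tcpdump"

# Print the sudoers content for USER (argument 1). Only the aliased commands
# run as root without a password; anything else still prompts.
wlanpi_sudoers_rule() {
    user=$1
    printf '# Allow %s to run the remote-capture commands as root without a password\n' "$user"
    printf 'Cmnd_Alias WLANPI_CAPTURE = %s\n' "$CAPTURE_CMDS"
    printf '%s ALL=(root) NOPASSWD: WLANPI_CAPTURE\n' "$user"
}

# Write the rule for USER (argument 1) to FILE (argument 2) with the mode
# sudo expects for drop-ins. Returns non-zero if the file cannot be written.
write_sudoers_dropin() {
    user=$1
    file=$2
    wlanpi_sudoers_rule "$user" > "$file" || return 1
    chmod 0440 "$file"
}

# Syntax-check FILE with visudo. Run this on the WLAN Pi as root after
# writing the drop-in and before trusting it; a bad sudoers file can lock
# you out of sudo entirely.
check_sudoers_dropin() {
    visudo -cf "$1"
}

# Usage on the WLAN Pi (as root):
#   write_sudoers_dropin username /etc/sudoers.d/wlanpi-capture
#   check_sudoers_dropin /etc/sudoers.d/wlanpi-capture
# Preview the rule first with:
#   wlanpi_sudoers_rule username
```

With this drop-in in place, the NOPASSWD:ALL line from visudo can be removed; the ssh commands in the capture section run unchanged because sudo still finds a matching passwordless rule for each of them.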

Capturing the data

This assumes the Wi-Fi adapter is named wlan0 and that IPWLANPI is the WLAN Pi's address as user@address (or a ~/.ssh/config alias) for the user created above. Each command is run over SSH; sudo -S tells sudo to read a password from standard input, which never happens here because of the NOPASSWD rule, so the commands never block on a prompt.

  • Kill any tcpdump process still running on the WLAN Pi
    ssh IPWLANPI "sudo -S pkill -x tcpdump"
    • -x matches the process name exactly; pkill -f tcpdump would also match the command line of the sudo pkill command itself
  • Kill the processes that interfere with monitor mode (NetworkManager, wpa_supplicant)
    ssh IPWLANPI "sudo -S airmon-ng check kill"
  • make sure that wlan0 is up
    ssh IPWLANPI "sudo -S ifconfig wlan0 up"
  • set wlan0 in monitor mode
    ssh IPWLANPI "sudo -S iw wlan0 set monitor none"
    • on drivers that refuse to change the interface type while it is up (iw reports "Device or resource busy"), run ifconfig wlan0 down first, set monitor mode, then bring it up again
  • set the capture channel
    ssh IPWLANPI "sudo -S iw wlan0 set channel CHANNEL CHANNEL_WIDTH"
    • where CHANNEL_WIDTH is HT20, HT40- or HT40+; iw rejects a width with no valid secondary channel (HT40- on channel 1, for example)
  • start the capture and pipe it into Wireshark
    ssh IPWLANPI "sudo -S tcpdump -n -i wlan0 -U -s 0 -w -" | wireshark -k -i -
    • -U flushes each packet as soon as it is captured and -w - sends the pcap stream to stdout; wireshark -k -i - starts capturing immediately from stdin

Wireshark will launch and display the packets streamed from the WLAN Pi. The process is still manual; it can be put into a bash script that takes the WLAN Pi address, interface, channel and channel width as parameters.

Here is a small bash script that automates the process:

#!/bin/bash
# wlanpishark.sh - stream an 802.11 capture from a WLAN Pi into Wireshark on macOS

function usage () {
  echo "wlanpishark.sh [user@IP address] [interface] [ch number] { 20 | 40+ | 40- }"
  echo "wlanpishark.sh -h"
}

IPWLANPI=$1
INTERFACE=$2
CHANNEL=$3
WIDTH=${4:-20}          # default to a 20 MHz channel when no width is given

if [ -z "$IPWLANPI" ] || [ "$IPWLANPI" = "-h" ]; then
    usage
    exit 1
fi

if [ -z "$INTERFACE" ] || [ -z "$CHANNEL" ]; then
    echo "Missing interface or channel number"
    usage
    exit 1
fi

# Map the short width argument to the keyword iw expects
case "$WIDTH" in
    20)  CHANNEL_WIDTH="HT20" ;;
    40+) CHANNEL_WIDTH="HT40+" ;;
    40-) CHANNEL_WIDTH="HT40-" ;;
    *)
        echo
        echo "Invalid channel width selection: $WIDTH"
        usage
        exit 1
        ;;
esac

# Run a command on the WLAN Pi. BatchMode makes ssh fail instead of hanging
# on a password prompt if key authentication is not working.
remote () {
    ssh -o BatchMode=yes "$IPWLANPI" "$@"
}

echo "Kill all tcpdump sessions"
# -x matches the process name exactly, so pkill does not also hit its own sudo parent
remote "sudo -S pkill -x tcpdump"
remote "sudo -S airmon-ng check kill" >/dev/null
echo "Bring interface $INTERFACE UP"
remote "sudo -S ifconfig $INTERFACE up" >/dev/null
echo "Set interface in monitor mode"
remote "sudo -S iw $INTERFACE set monitor none" >/dev/null
echo "Set channel to $CHANNEL and channel width to $CHANNEL_WIDTH"
remote "sudo -S iw $INTERFACE set channel $CHANNEL $CHANNEL_WIDTH" >/dev/null
# Stream the pcap over ssh straight into a freshly started Wireshark
remote "sudo -S tcpdump -nUi $INTERFACE -s0 -w -" | wireshark -k -i -
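The script hands the channel and width straight to iw, which rejects combinations that have no secondary channel (HT40- on channel 1, HT40+ on channel 40) only after the interface has already been reconfigured. As an added example, not part of the original post or of WLANPiShark, the shell functions below check the pair locally before any ssh call and print the iw arguments. The channel plan they encode (2.4 GHz channels 1-14 with HT40+ valid on 1-9 and HT40- on 5-13; 5 GHz channels 36-64, 100-144 and 149-165, with the lower channel of each 40 MHz pair using HT40+ and the upper one HT40-, and 165 as 20 MHz only) is a simplification that ignores regulatory domain and DFS restrictions, so treat it as a sanity check rather than as authoritative.

```shell
#!/bin/sh
# Validate a (channel, width) pair and print the matching "iw ... set channel"
# arguments. Added example, not from WLANPiShark. The channel plan below is a
# SIMPLIFICATION: it ignores regulatory domain and DFS restrictions.

# Return 0 if CH is a 20 MHz channel number this check knows about.
is_known_channel() {
    ch=$1
    case "$ch" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a number
    esac
    if [ "$ch" -ge 1 ] && [ "$ch" -le 14 ]; then return 0; fi                                  # 2.4 GHz
    if [ "$ch" -ge 36 ] && [ "$ch" -le 64 ] && [ $(( ($ch - 36) % 4 )) -eq 0 ]; then return 0; fi    # UNII-1/2
    if [ "$ch" -ge 100 ] && [ "$ch" -le 144 ] && [ $(( ($ch - 100) % 4 )) -eq 0 ]; then return 0; fi # UNII-2e
    if [ "$ch" -ge 149 ] && [ "$ch" -le 165 ] && [ $(( ($ch - 149) % 4 )) -eq 0 ]; then return 0; fi # UNII-3
    return 1
}

# Return 0 if WIDTH (20, 40+ or 40-) has a valid secondary channel for CH.
width_fits_channel() {
    ch=$1
    width=$2
    case "$width" in
        20) return 0 ;;
        40+|40-) ;;
        *) return 1 ;;
    esac
    if [ "$ch" -le 14 ]; then
        # 2.4 GHz: secondary is ch+4 (HT40+) or ch-4 (HT40-); 14 is 20 MHz only
        [ "$ch" -le 13 ] || return 1
        if [ "$width" = "40+" ]; then
            [ "$ch" -le 9 ] && return 0
        else
            [ "$ch" -ge 5 ] && return 0
        fi
        return 1
    fi
    # 5 GHz: 165 has no partner; otherwise the lower channel of each 40 MHz
    # pair (36, 44, ..., 149, 157) takes HT40+ and the upper one HT40-
    [ "$ch" -ne 165 ] || return 1
    if [ $(( (($ch - 36) / 4) % 2 )) -eq 0 ]; then
        [ "$width" = "40+" ] && return 0
    else
        [ "$width" = "40-" ] && return 0
    fi
    return 1
}

# Print "set channel CH HTxx" for iw, or an error on stderr with status 1.
iw_channel_args() {
    ch=$1
    width=${2:-20}
    if ! is_known_channel "$ch"; then
        echo "unknown channel: $ch" >&2
        return 1
    fi
    if ! width_fits_channel "$ch" "$width"; then
        echo "width $width is not valid on channel $ch" >&2
        return 1
    fi
    printf 'set channel %s HT%s\n' "$ch" "$width"
}

# Usage inside the capture script, in place of the fixed CHANNEL_WIDTH mapping
# (variable names assumed from that script):
#   ARGS=$(iw_channel_args "$CHANNEL" "$4") || exit 1
#   ssh "$IPWLANPI" "sudo -S iw $INTERFACE $ARGS"
```

Running the check before the pkill and airmon-ng steps means a typo in the channel argument fails fast on the Mac instead of leaving the WLAN Pi with its network services killed and the adapter in monitor mode on the wrong channel.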

Special thanks to Nigel for the inspiration.
