NPR Blog Series: Part 1 – The Drop Box

Note: Per our agreement with NPR, Pwnie Express is not disclosing any data collected during the research experiment with Steve Henn, but focusing its comments on providing education on the techniques used.

As part of a collaboration between NPR, Ars Technica, and Pwnie Express, I spent the last few months on what can only be described as “way too much fun to be called work”. When Sean Gallagher (Ars Technica editor and long-time Pwnie fan) approached me asking if I’d be interested in legally “spying” on an NPR journalist, I gleefully accepted the challenge. The willing target would be NPR tech correspondent Steve Henn, in support of a Morning Edition series about the state of Internet privacy a year after the Snowden/NSA revelations.

Once the proper legal authorizations were in place, we decided the Pwn Plug R2 would serve as the ideal “drop box” to stream Steve’s laptop and iPhone traffic from his home office to my analysis server in Vermont. The Pwn Plug R2 was deployed as a secondary wireless AP on Steve’s home network as shown:

[Figure: NPR-deployment (network diagram of the Pwn Plug R2 as a secondary AP on the home network)]

To turn the Pwn Plug R2 into a normal (“non-evil”) wireless AP, I first installed the hostapd package:

# aptitude update
# aptitude install hostapd

I then configured /etc/hostapd/hostapd.conf as shown:

interface=wlan0
driver=nl80211
ssid=pwnie
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=WouldntYouLikeToKnow
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
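The config above still accepts WPA1 clients (wpa=3) with TKIP as their pairwise cipher, which is the first thing a reviewer would flag. The following linter is an added example, not code from the post or from Pwnie Express: it parses a hostapd.conf, reports the settings worth tightening, and returns the number of findings. The two sample files it writes are constructed for the demonstration (page.conf mirrors the settings above, hardened.conf is the WPA2/CCMP-only variant); the file names and the 16-character passphrase floor are this example's choices.

```shell
#!/bin/sh
# Lint a hostapd.conf for settings that weaken the AP; return value = number of findings.
conf_get() {                  # conf_get FILE KEY: value of KEY (last occurrence wins)
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

lint_hostapd_conf() {
  f=$1 n=0
  wpa=$(conf_get "$f" wpa)
  case "$wpa" in
    2)   ;;                                      # WPA2/RSN only
    1|3) echo "wpa=$wpa: WPA1 clients accepted, set wpa=2"; n=$((n+1)) ;;
    *)   echo "wpa='$wpa': no WPA protection configured"; n=$((n+1)) ;;
  esac
  rsn=$(conf_get "$f" rsn_pairwise)
  [ -n "$rsn" ] || rsn=$(conf_get "$f" wpa_pairwise)   # hostapd falls back to wpa_pairwise
  case "$rsn" in
    *TKIP*) echo "rsn_pairwise=$rsn: TKIP offered to WPA2 clients, use CCMP"; n=$((n+1)) ;;
  esac
  pass=$(conf_get "$f" wpa_passphrase)
  if [ -n "$pass" ] && [ "${#pass}" -lt 16 ]; then
    echo "wpa_passphrase: ${#pass} chars, short PSKs fall to offline guessing"; n=$((n+1))
  fi
  [ "$(conf_get "$f" auth_algs)" = 1 ] || { echo "auth_algs must be 1 (Open System)"; n=$((n+1)); }
  return "$n"
}

write_sample_confs() {        # write_sample_confs DIR: constructed configs, not the page's files
  cat > "$1/page.conf" <<'EOF'
auth_algs=1
wpa=3
wpa_passphrase=WouldntYouLikeToKnow
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
  cat > "$1/hardened.conf" <<'EOF'
auth_algs=1
wpa=2
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PSK
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
}
d=$(mktemp -d); write_sample_confs "$d"
for c in page hardened; do
  echo "== $c.conf"; lint_hostapd_conf "$d/$c.conf" || echo "   $? finding(s)"
done
```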

To ensure the hostapd service started up automatically at boot time, I created the following init script:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          pwnix_ap
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Pwnie Express normal (non-evil) AP service
### END INIT INFO
# processname: pwnix_ap

NAME=pwnix_ap
DESC="Pwnix AP Service"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
AP_INTERFACE=wlan0
INTERNET_INTERFACE=eth0

case "$1" in
  start)
    echo "[+] Starting $NAME..."
    echo "[+] Using AP interface: $AP_INTERFACE"
    echo "[+] Using Internet interface: $INTERNET_INTERFACE"
    # Clean slate
    ifconfig $AP_INTERFACE down
    killall hostapd > /dev/null 2>&1
    killall dhcpd > /dev/null 2>&1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    sleep 1
    #################
    # Start AP      #
    #################
    # Configure AP interface
    ifconfig $AP_INTERFACE up 10.99.99.1 netmask 255.255.255.0
    sleep 5
    # Start dhcpd server on AP interface
    # (redirections go before the trailing & so they apply to dhcpd)
    dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid $AP_INTERFACE > /dev/null 2>&1 &
    # Enable NAT
    iptables --table nat --append POSTROUTING --out-interface $INTERNET_INTERFACE -j MASQUERADE
    iptables --append FORWARD --in-interface $AP_INTERFACE -j ACCEPT
    # Enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Start hostapd
    hostapd -B /etc/hostapd/hostapd.conf > /dev/null 2>&1
    # indicate to the user that passive recon is on
    touch "$PIDFILE"
    echo "[+] $NAME started."
    exit 0
    ;;
  status)
    echo "[+] Checking $NAME..."
    if [ -f "$PIDFILE" ]; then
      echo "[+] $NAME is running."
      exit 0
    else
      echo "[-] $NAME not running."
      exit 1
    fi
    ;;
  stop)
    echo "[+] Stopping $NAME"
    ifconfig $AP_INTERFACE down
    killall hostapd > /dev/null 2>&1
    killall dhcpd > /dev/null 2>&1
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 0 > /proc/sys/net/ipv4/ip_forward
    rm -f "$PIDFILE"
    echo "[+] $NAME stopped."
    exit 0
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {status|start|stop|restart}"
    exit 1
    ;;
esac

After saving this script to /etc/init.d/pwnix_ap, I made it executable and set it to autostart:

# chmod +x /etc/init.d/pwnix_ap
# update-rc.d pwnix_ap defaults
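One weakness of the init script above is that `status` only tests for the marker file created by `touch $PIDFILE`, so it keeps reporting "running" after hostapd or dhcpd has died. The status check below is an added example, not part of the post or of the Pwnie Express scripts: it reads each daemon's own pidfile and probes the process with `kill -0`. It assumes hostapd is started with its `-P` pidfile option and dhcpd with `-pf` as on the page, both pointing into a shared directory (default /var/run); the demonstration at the end uses a constructed pid directory so it runs without the real daemons.

```shell
#!/bin/sh
# Report AP status from the daemons' own pidfiles rather than a touch-file marker.
# Assumes: hostapd -P "$PIDDIR/hostapd.pid" and dhcpd -pf "$PIDDIR/dhcpd.pid".

pid_alive() {               # pid_alive PIDFILE: succeed only if the file names a live process
  [ -r "$1" ] || return 1
  pid=$(tr -dc '0-9' < "$1")          # tolerate a trailing newline or junk
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

ap_status() {               # ap_status [PIDDIR]: one line per daemon, 0 only if all are alive
  dir=${1:-/var/run} rc=0
  for svc in hostapd dhcpd; do
    if pid_alive "$dir/$svc.pid"; then
      echo "[+] $svc running (pid $(tr -dc '0-9' < "$dir/$svc.pid"))"
    else
      echo "[-] $svc not running"
      rc=1
    fi
  done
  return $rc
}

# Demonstration against a constructed pid directory (no real daemons involved).
demo=$(mktemp -d)
sleep 30 & echo $! > "$demo/hostapd.pid"      # a live process stands in for hostapd
echo 999999999 > "$demo/dhcpd.pid"            # stale pidfile: this dhcpd has exited
ap_status "$demo"                             # reports hostapd up, dhcpd down
kill "$(cat "$demo/hostapd.pid")" 2>/dev/null
```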

Persistent remote access to the Pwn Plug R2 was a cinch using the “Reverse Shells” feature. Once connected to the plug via SSH, I started a full-packet capture using tcpdump:

# tcpdump -vUnni wlan0 -w "$(date "+%h.%d.%Y-%H%M").cap"

I then used a variety of open-source analysis tools to parse and inspect the web traffic generated by the normal day-to-day use of our mobile device and PCs/laptops. Stay tuned for “Part 2: A Week in the Life” to see what I found!

Dave.
