Pwnie Express and Splunk: Realtime Wireless & Bluetooth Visibility

As part of a recent collaboration between Pwnie Express and Splunk, Inc., we put together a simple “Pwnie-Splunk” dashboard showing a real-time stream of all wireless and Bluetooth devices detected by a Pwn Plug R2 on the RSA show floor.

To accomplish this, we cobbled together a few parsers for Airodump-NG and Bluelog output, which we then forwarded to the Splunk demo server via syslog.

The Bluelog parser is fairly simple. First, we launch Bluelog in daemon mode, recording Bluetooth device names and device types and logging all detected devices to a local log file on the Pwn Plug R2:

# Start bluelog and write output to local logfile
bluelog -nfdo /var/log/pwnix/bluelog-devices

Next, we forward a real-time tail of this log to the Splunk server:

# Forward newly detected Bluetooth devices to Splunk server
tail -f /var/log/pwnix/bluelog-devices | logger -u /tmp/ignored -d -P 514 -t bluelog -n "${splunk_server}" &

Ok, that was fairly painless. Parsing Airodump-NG output, on the other hand, was a bit of a challenge. Airodump-NG does export to CSV. However, the resulting CSV contains binary blobs, MS-DOS newline characters, and two separate sections (each with its own header row) for wireless APs versus wireless clients, and the CSV file is entirely overwritten every 5 seconds while Airodump-NG is running. Also, Airodump-NG has no native support for backgrounding or daemonizing itself.

We thus first launch Airodump in a detached screen session:

# Launch a detached airodump session that logs output in CSV format
screen -d -m -S AirodumpSession airodump-ng --output-format=csv --write=/var/log/pwnix/airodump "${monitor_interface}"

Next, because Airodump overwrites the CSV every 5 seconds, we need to establish a way to track “already known” devices to avoid duplicate log entries for devices already discovered by the running Airodump session. To accomplish this, we first log the initial list of client devices and APs detected by Airodump:

# Create initial list of client devices and forward to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' \
  | awk -vRS='\nStation MAC' 'NR==2 {print}' | egrep -v "First time seen|^$" \
  | awk -F"," '{print$1","$6","$7,$8,$9,$10,$11,$12,$13,$14,$15,$16}' \
  | tee "${local_logpath}"/airodump-known-clients \
  | logger -u /tmp/ignored -d -P 514 -t wificlient -n "${splunk_server}"

# Create initial list of APs and forward to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' \
  | awk -vRS='\nStation MAC' 'NR==1 {print}' | egrep -v "^BSSID|^$" \
  | awk -F"," '{print$1","$14","$6}' \
  | tee "${local_logpath}"/airodump-known-APs \
  | logger -u /tmp/ignored -d -P 514 -t wifiap -n "${splunk_server}"

The “tr” commands strip out the MS-DOS newlines and binary blobs (everything outside tab, newline and printable ASCII). The first “awk” command then splits the CSV at the “Station MAC” header so that record 1 is the AP section and record 2 is the client section (a multi-character record separator like this needs an awk that supports it, such as GNU awk), “egrep -v” discards the remaining header row and blank lines, and the second “awk” command organizes the output into the desired format for our syslog entries: BSSID, ESSID and privacy mode for APs; station MAC, associated BSSID and probed ESSIDs for clients. The “tee” command writes the initial list of known APs/clients to a local file, and “logger” then forwards that same list to the Splunk server.

We now want to keep an eye on the Airodump CSV file and forward any newly detected APs/clients to Splunk. This is accomplished with the following while loop:

while true
do

# Extract wireless clients from airodump CSV file, append newly detected clients to airodump-known-clients, and forward newly detected clients to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' \
  | awk -vRS='\nStation MAC' 'NR==2 {print}' | egrep -v "First time seen|^$" \
  | awk -F"," '{print$1","$6","$7,$8,$9,$10,$11,$12,$13,$14,$15,$16}' \
  | grep -vxf "${local_logpath}"/airodump-known-clients \
  | tee -a "${local_logpath}"/airodump-known-clients \
  | logger -u /tmp/ignored -d -P 514 -t wificlient -n "${splunk_server}"

# Extract wireless APs from airodump CSV file, append newly detected APs to airodump-known-APs, and forward newly detected APs to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' \
  | awk -vRS='\nStation MAC' 'NR==1 {print}' | egrep -v "^BSSID|^$" \
  | awk -F"," '{print$1","$14","$6}' \
  | grep -vxf "${local_logpath}"/airodump-known-APs \
  | tee -a "${local_logpath}"/airodump-known-APs \
  | logger -u /tmp/ignored -d -P 514 -t wifiap -n "${splunk_server}"

# Repeat every few seconds
sleep 3
done

The “tr” and “awk” commands serve the same purpose as when we created the initial list of APs/clients above. The added “grep -vxf” command de-duplicates the results by excluding any “already known” AP/client devices (whole-line matches against the known list) from the output, “tee -a” then appends only the newly detected devices to that list, and “logger” forwards the same new entries to the Splunk server.
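The same parse-and-deduplicate procedure rebuilt as portable shell functions, as an added example that is not code from the original post: a plain awk state machine replaces the GNU-awk-only multi-character record separator, fields are trimmed, and the known-list check still uses grep -vx with tee -a. The sample CSV, the function names and the output formats are constructed for this example.

```shell
# Added example (not the post's own code): the airodump CSV pipeline as portable sh functions.

# Constructed sample airodump-ng CSV: CRLF endings, both sections and a
# stray non-printable byte inside an ESSID. Written to the path in $1.
write_sample_csv() {
    {
        printf '\r\nBSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\r\n'
        printf '00:11:22:33:44:55, 2014-02-25 10:00:00, 2014-02-25 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  100,  0,   0.  0.  0.  0,   8, BoothNet, \r\n'
        printf 'AA:BB:CC:DD:EE:FF, 2014-02-25 10:01:00, 2014-02-25 10:05:00, 11,  54, OPN,  ,  , -70,  20,  0,   0.  0.  0.  0,   9, Free\001Wifi, \r\n'
        printf '\r\nStation MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs\r\n'
        printf '12:34:56:78:9A:BC, 2014-02-25 10:02:00, 2014-02-25 10:05:00, -55,  30, 00:11:22:33:44:55, BoothNet,HomeWifi\r\n'
        printf 'DE:AD:BE:EF:00:01, 2014-02-25 10:03:00, 2014-02-25 10:05:00, -80,   5, (not associated), \r\n\r\n'
    } > "$1"
}

# Drop CRs and non-printable bytes, then print the rows of one section
# (1 = access points, 2 = clients) without its header or blank lines.
airodump_section() {
    tr -d '\r' < "$1" | tr -cd '\11\12\15\40-\176' | awk -v want="$2" '
        BEGIN { sec = 0 }
        /^BSSID, /       { sec = 1; next }
        /^Station MAC, / { sec = 2; next }
        sec == want && NF > 0 { print }'
}

# AP rows as "BSSID,ESSID,Privacy" (same fields as the post; ESSIDs that
# contain a comma are not handled, as in the original pipeline).
airodump_aps() {
    airodump_section "$1" 1 | awk -F',' '{
        for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
        print $1 "," $14 "," $6 }'
}
# Client rows as "StationMAC,BSSID,probed ESSIDs joined by spaces".
airodump_clients() {
    airodump_section "$1" 2 | awk -F',' '{
        for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
        probes = ""
        for (i = 7; i <= NF; i++) probes = probes (i > 7 ? " " : "") $i
        print $1 "," $6 "," probes }'
}

# Read candidate rows on stdin, print only those not yet in known file $1 and append them to it.
forward_new() {
    touch "$1"
    grep -vxF -f "$1" > "$1.new" || true   # exit status 1 just means no new rows
    tee -a "$1" < "$1.new"                  # append to known list and print
    rm -f "$1.new"
}
```

Pipe the output of forward_new into logger exactly as the post does; on the second pass over an unchanged CSV it prints nothing, so no duplicate syslog entries are sent.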

Pwnie-Splunk Dashboard Screenshot

Running this demo live at both the Splunk and Pwnie booths made one thing quite clear: It’s 2014, and most security conference attendees still do not disable the Wifi or Bluetooth functions of their mobile devices while on the conference floor. Within 10 minutes of launching the demo, over 1000 mobile devices appeared on our Pwnie-Splunk dashboard.

Yikes.
