Wireless Networks can leak a treasure trove of information. In this tutorial we will use Snoopy to find various Wireless Access Points and Access points a device is probing for this can help us determine the name to call our malicious SSID for a evil twin network. When a device is probing for Wireless Access Points it will connect to the one with the most power by default allowing an attacker to make a Fake Access Point and alter the Wireless Tx Power of a device to establish a connection between the Fake Access Point and a device. This means that all traffic that is send over the device can then be intercepted and read by the attacker.
Linux Operating System
Snoopy v2.0 – modular digital terrestrial tracking framework
Wireless Interface with monitor mode capability.
Server only Required if you want to send data to a local or remote server. (Optional)
In this tutorial we will be working with a software called Snoopy.
What is Snoopy ?. Snoopy is a distributed, sensor, data collection, interception, analysis, and visualization framework. It is written in a modular format, allowing for the collection of arbitrary data from various sources via Python plug-ins. Each Snoopy instance can run multiple plug-ins simultaneously. A plug-in collects data, which is queried by the main Snoopy process and is written to a local database. Snoopy can sync data between clients (drones) and a server, and clients (drones) can also pull replicas of data from a server. Each Snoopy instance can run plug-ins appropriate for its position in the greater picture. Here’s a diagram to depict one possible setup.
You can check out the snoopy project at the following url (Credits Sensepost). https://github.com/sensepost/snoopy-ng
First we need to install Snoopy we found it quite a challenge to install due to changes in the Linux distribution. We got multiple errors during the install process so we put a little install script with the necessary fixes together to help you along the way.
Open up a new terminal and paste the follow commands.
apt-get update && apt-get upgrade apt-get install python-libpcap apt-get install gcc make autoconf git python-pip python-dev build-essential libffi-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev python-dev tcpdump libpcap-dev vim postgresql libpq-devpip install --upgrade pip pip install --upgrade virtualenv git clone https://github.com/sensepost/snoopy-ng.git virtualenv ./snoopy-ng/venv source ./snoopy-ng/venv/bin/activate cd ~/snoopy-ng/ sed -i 's/.*from gps import.*/from gps3 import gps3/' ./plugins/gpsd.py sed -i 's/from libmproxy/from mitmproxy/' ./includes/mitm.py pip install BeautifulSoup Pillow cryptography epeg-cffi gps3 httplib2 mitmproxy netifaces netlib psutil pyOpenSSL pyasn1 pyinotify python-dateutil requests scapy sqlalchemy psycopg2 cd ~/snoopy-ng/ && git clone https://github.com/JPaulMora/Pyrit.git apt-get remove python-scapy sudo pip install ./setup/scapy-latest-snoopy_patch.tar.gz cd Pyrit/ python setup.py clean python setup.py build python setup.py install systemctl stop postgresql.service systemctl disable postgresql.service systemctl stop exim4.service systemctl disable exim4.service git clone http://www.tablix.org/~avian/git/publicsuffix.git cd publicsuffix python setup.py install
Our script will remove a python file called mitm.py from the installation directory. During the installation due to a error in the mitm.py addon. will need to now edit mitmproxy.py open up mitmproxy.py.
Open up mitmproxy.py in nano and comment the line “from includes.mitm import *.
Once snoopy has installed successfully open up a command terminal and set up a new drone user and a new server (this step is optional we will not be using any of the drone modules in this tutorial only the Wifi modules.
Data can be synchronized to a remote machine by supplying the –server (-s) option. The remote machine should be running the server plugin (–plugin server). A key should be generated for a drone name before hand. The below illustrates this.
root@server:~# snoopy_auth --create myDrone01 --verbose
[+] Creating new Snoopy server sync account
[+] Key for 'myDrone01' is 'GWWVF'
[+] Use this value in client mode to sync data to a remote server.
root@kali:~# snoopy --plugin server
[+] Running webserver on '0.0.0.0:9001'
[+] Plugin server caught data for 2 tables.
root@client:~# snoopy --plugin example:x=1 --drone myDrone --key GWWVF --server http://<server_ip>:9001/ --verbose
[+] Starting Snoopy with plugins: example
[+] Plugin example created new random number: 21
[+] Snoopy successfully sunc 2 elements over 2 tables.
Once Snoopy Client & Server are running on the drone run:
# snoopy -v -m wifi:wlan1=True -s http://
Followed by the addon modules you will be using.
The data being collected will them be transferred to the sever. Your server must have GUI compatibility in order to run Maltego we will be using Snoopy Locally and Viewing the data tables locally.
Lab Set Up:
Alfa Networks AWUS036H USB Wireless Interface.
Snoopy is capable of monitoring and analyzing lots of different types of technology such as Wireless, Blue-tooth 3G for this tutorial we will be using it for the purpose of finding out what Wireless Access points that Wireless Clients are looking for.
In this guide we will be using Snoopy for the sole purpose of monitor Wifi clients in order to revel Wireless Access Points that the Device is probing for.
Why do we need to know what Wireless Access Points a Wireless Client is probing for ?.
With data costs being costly users will often users connect to a Open Wireless Network. users will very rarely forget Wireless Access Points from there devices. This makes is very easy for a attacker to intercept the traffic by mimicking a fake Wireless Access Point know as a Evil Twin access point.
The Access point will have the same SSID as the Wireless Access point the user has previously connected to.
The next time the client probes for the Fake SSID all the traffic will be sent and received through the attackers fake network.
First we need to set up Wireless Interface into monitor mode.
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
Now that our Wireless Interface is in monitor mode we can start sniffing Wifi traffic in Snoopy cd into your installation directory and using the following command to start Snoopy this commands tell snoopy that we want to use the Wifi modules and specifies our card that in monitor mode change wlan1 to your Wireless interface’s name.
python snoopy.py -vv -m wifi:wlan1=True
Snoopy will gather the data to a Database .db file within the installation directory to open up to view information in our database we will be SQLite Manager.
Now we have SQLite Manager Firefox addon installed open it from toolbar.
Locate Snoopy Database and open it up you can find Snoopy Database in the installation directory for Snoopy-ng.
In the screenshot below this is our Database saved by Snoopy under table “wifi_client_ssids” you will be able to view Wireless Access Points that the client device is probing for.