Building A Red Team WiFi Attack Car
Why drive a normal car when you can drive a red team WiFi attack car? Join security researcher Sebastian Bicchi to build the ultimate wardriving vehicle.
If you regularly handle Red Team WiFi assessments then there is a good chance that you might catch a cold this time of the year. If there is not a handy coffee shop nearby it can be a cold pain in the ass and you will probably need to conduct your assessment from a car which is always uncomfortably obvious unless you have a vehicle with tinted windows or a van so you can work in the back. In this article I will show you how to build your custom Wifi-Hacking/Wardriving car equipment so can conduct your assessments from the confines of your cozy office.
Modus Operandi
You simply park your Red Team Car near the target location and start the appliance. Then you can go home, connect to your VPN, connect to your Raspberry and start hacking from your cozy chair at home. No more cold car sessions. Don't even think about doing this near Fort Meade though, it's cruising for a bruising and the target example below is purely hypothetical and for entertainment purposes.
The Pineapple
The Hak5 Pineapple is a really cool piece of kit which has many fields of application, but unfortunately it lacks a few really important features for our purposes.
Here is what is missing:
- LTE/3G - it basically works, but nevertheless, VPN over LTE (what you want to have) isn't that hassle free. It didn't work reliably or easy when I tried it.
- EAPHammer attacks.
- Moar tools.
- Lots of Memory and Storage.
What we want
So let's rock - what do we want to soup up our war driving rig?
- A flexible kali installation: To install new tools on the fly.
- At least two Wifi cards, better three with a lot of power.
- Storage - a lot of storage; 64GB is good, 2 TB is better.
- GPS so we can go war driving.
- Stable power for at least three days, without killing our car battery
- An out-of-band connection to a dedicated server, LTE/3G with a VPN.
What we need
We will do all of that with a few ingredients:
- A car
- Raspberry Pi (or two); 3B+ is recommended and works well
- Wi-Fi card of choice: Recommended is ALFA AWUS 1900 and/or ALFA AC1200
- SD Card (16 GB is fine, 32 GB is better), USB thumb drive / external drive to store loot data
- USB Hub with external power supply (USB 2.0 is fine, the RBP lacks USB 3)
- Adafruit 5V UBec
- GPS Stick, if you want to wardrive
- LTE Stick, for example HUAWEI E3531
- Cabeling
- Raspberry Pi Case
- Car battery (ask your mechanic - he might have one left for you)
- Dedicated server or OpenVPN server / service
- Some wire, luster terminals, battery clamps, a 5A fuse and holder
- (Optional) Some capacitors to improve to quality of the power supply (prevent Raspberry "low Power" Warning)
You can find a component reference at the bottom, including amazon links.
Target setup
The target setup looks like this (minus the fluke 89 multimeter):
Kali on Raspberry 3B+
I assume you have your RPB 3B+ ready and with a 32 GB SD card. At the time this article was written, the official image didn't work well, so I chose the Re4son Kernel which worked fine for me. You can download it here: https://re4son-kernel.com/re4son-pi-kernel/. Simply dd it onto your SD card, expand the volume after first boot and voila you're done.
LTE & VPN
LTE and VPN is our out-of-band connection. Since LTE connections usually don't offer public, static IPs (at least here in austria) and we don't want to put addiotional load on our Raspberry PI with a VPN server, the RPB is the VPN client.
Installing LTE sticks like the HUAWEI E3531 is suprisingly painless, as Kali knows how to handle it out of the box. After you plugged it in, a new ethernet device will appear. Now here is something you should consider: You will have mutliple network connections, such as:
- The LTE stick, which will by default create a local interface and asssign a DHCP address in 192.168.8.0/24 IP to the Raspberry
- The VPN tun device, which will hold a 10.0.8.0/24 IP address
- (If sucessfull): The hacked target network, which will most likely give you a DHCP IP address in 192.168.0.0/10.0.0.0/172.16.0.0
So you need to take care of the correct routing, otherwise you might run into troubles when you try to connect to target devices inside the hacked Wifi network.
If you don't have a VPN server installed, just use this little script, it did its job very well: https://github.com/angristan/openvpn-install
Power supply
Attention: Secjuice and I are not responsible if you kill yourself, burn your house/car or fail otherwise. If you don't feel like having enough electrical engineering knowledge to do this properly, just don't do it! Car batteries are quite powerful. Due to the low voltage, you definitely will not kill yourself by electrocution, but burning down some equipment, your car or house is quite possible, if you do something stupid. Also polarized capacitors explode quite well if you wire them the wrong way or use the wrong dimension.
If your operation will not exceed 5 h, youmight use the cars on board power supply, but don't forget (especially in winter): The circuit can draw up to 3 Amps (usually it's between 0,5 and 1 A on the 12V side), which in 10 hours can suck 50 - 70 % of your car battery. Depending on the car type, capacity, load, age of the battery and the temperature this might result in a non-starting car:
So, the general cabeling ist very simple:
Basically you will have two 5V UBECs from Adafruit, that will convert down the 12V to 5V, with a max. Output of 3 Amps (I recommend to keep the load below 2 Amps for stability reasons. One output will be used for the raspberry, the other for the USB Hub, to balance the load (don't try to just use them parallel - this isn't a good idea for non-linear switching power ICs!).
The capacitors are optional, I also estimated the capacity of 470uF (and it turns out to be quite good). I soldered the capacitors with a USB A female jack and a socket connector for the Hub Power supply onto an empty circuit board (yes, I know it's ugly af):
The average load for all components running was 0,6 Amps:
With a capacity of 60 Ah, the battery could easily supply the whole appliance for at least 72h or more. Remember, that there are different capacities and also car batteries are not made for low, steady power supply, so don't take the designed capacity for real.
Conclusion
It may be illegal in your country to actually deploy this vehicle, so this article is for hypothetical illustrative purposes only. If though you live in a place where laws against this sort of vehicle do not exist, then you know what to do next!
Component reference
Wifi cards
AC1200
AWUS1900, 50€ https://www.amazon.de/Network-AWUS1900-802-11ac-Ultra-adapter/dp/B01MZD7Z76/ref=sr_1_1?s=computers&ie=UTF8&qid=1547331669&sr=1-1&keywords=AWUS+1900 or the https://www.amazon.de/Alfa-AWUS036ACH-Dual-Adapter-AC1200/dp/B00VEEBOPG/ref=sr_1_1?s=computers&ie=UTF8&qid=1547331743&sr=1-1&keywords=alfa+ac1200
Raspberry PI 3B+
Adafruit UBEC
https://www.adafruit.com/product/1385