Thursday, July 14, 2016

Passively monitoring devices with a Snoopy Raspberry Pi drone

I was recently distracted from a Blog project I had recently begun working on (Bypassing just about any paywall or firewall - coming soon) after reading a comment in /r/netsec. I thought monitoring rouge devices around my home and getting alerts was a really cool idea. So I began working with the skeleton python code /u/gindc had used for his alert system. After a few google searches I found myself down a rabbit hold of custom scripts on Github built (far better than I could) for this very purpose. I settled on trying something built by Sensepost called Snoopy-NG.
Snoopy-NG was packed full of features, plus it plugged into Maltego so you would get pretty bubble relation charts based on the relation of the device. The idea behind it was to see what beacon probes the devices around your drone were beaconing out and see if there was a correlation with other devices. For instance if two people had the same Starbucks network stored in their phone, Snoopy would see the relation and correlate that both had been to the same place. On top of that it had other more malicious features, like creating a rouge AP and utilizing Karma to pull in devices. There are other features, but I haven't had time to play around with them.
Since the Snoopy-NG project seems to have been abandon in early 2015, a lot of things had to be modified or removed, as I am not good enough to fix, so I took the easier route of just not using those features (MITM framework integration).

I had ordered two Raspberry Pi 3's in an unnecessary splurge and had not really put them to use yet, so I decided to use one as my drone. I also had two Alfa AWUS051NH wireless cards and two high gain antennas that had been collecting dust and decided to re-purpose them as my Raspberry Pi drone's antenna (I was sad to learn that the built in wifi on the Pi 3 does not support packet injection, Ea. no monitor mode). I then stood up an Ubuntu server on my cloud provider (LOVE CloudAtCost - super cheap! And you can part your servers out and build multiple on the fly! Just wait until they have an 80/90% off special) as my C2 data server.
I did a "git clone" on the server and was able to run the with little to no dependency issues. On the Pi I had far more issues - I initially was using the Kali image built for the Pi, but after multiple problems, I assumed it was because of dependencies that couldn't be satisfied with the Kali arm image and went back to the Ubuntu Mate image built for the Pi; but experienced the same issues. So in hindsight I would have kept the Kali image instead of using the Ubuntu Mate image, but since it was now working on Mate, I decided to roll with it and pull any extra dependencies I needed. I then did a git pull on the Pi:

Some notes on the Pi install of Snoopy-NG -
1. You will need to remove ~/snoopy-ng/includes/ (I was getting a python six import error: "importerror: cannot import name range six.moves", and after some research I found that because the built for Snoopy was deprecated and thus did not play well anymore with python six - so I removed it)
2. Because of the removal, you will need to nano ~/snoopy-ng/plugins/ and comment "from includes.mitm import *
3. Before you run, edit it and comment out a line towards the end: pip install and add these two lines under it:
dpkg -i python-libpcap_0.6.4-1_armhf.deb

Once the install has completed without error, its pretty simple from here on out. On the server side run:
# snoopy_auth --create [DroneName]
# snoopy -v -m server
And once that is up and running, on the drone run:
# snoopy -v -m wifi:mon0=True -s http://:9001/ -d [name of drone from server] -l [location-can be anything] -k [keyWithoutBrackets]

You should see data being transmitted to the Snoopy sever:

And here is a screenshot of both of them in action:

* I highly recommend using screen to run all of these - that way you can close out your terminals and return to the screen session later by running "screen -RD". You can exit your screen session by pressing CTRL + a + d (hold control then press "a" then while still holding CTRL letting up on "a" press "d")

Back to the server (not if you go with cloud at cost, they do not install a GUI - you will need to install one to run Maltego) - I fired up Maltego and imported the Snoopy-NG .mtz conf file:

1. In Maltego, click the odd looking spaceship button in the upper left corner next to save - Go to import - click on import configuration - scroll to and click next on: /snoopy-ng/transforms/snoopy_entities.mtz
2. After the import - scroll to the machines tab and click "Run Machine" - then scroll to and select one of the two snoopy options

* Some more notes: I noticed that the drone was seeing quite a bit but Maltego was not displaying them, so I edited some of the machine properties:

1. Click on "Manage Machine" highlight (do this for both Snoopy machines) one of the two snoopy machines and click on the three dots - comment out using // anything that says "delete()" and for any field that contains a number, add 30 (or more)
2. I am not at all familiar with Maltego, I have no idea what the purpose of the delete() entries were for, as I wanted to see as many devices as possible - I am hoping a Maltego expert can chime in. I was just poking around with the configs.

This should produce a pretty graph of all the devices around you!

Now you can see all the devices in your area, what networks they connect to, what networks their phones are beaconing out, and if any of those devices have been on the same networks! I never did create the alerts for new devices because of this snoopy rabbit hole I went down, but I figured I would share this information with the community in hopes of revitalizing this project. Perhaps I will jump back on that alert system later and update this blog...

So how do you prevent being seen? You really cant. There are some steps you can take to somewhat prevent being seen, such as disabling auto connect to wifi on your phone so that its constantly not looking for saved networks (I don't even do this out of laziness). You can set your router to not beacon out the SSID - Note: In doing this you will have to manually enter your network in the device you are trying to connect to it. And in hiding your SSID, your network can still be seen, but only when a device is trying to connect to it and only if you are monitoring with a wifi card in monitor mode. So it is very unlikely people will find it.


  1. Good to Read, Flight Network - Social Media App for Travelers is strongly benefit you when you are a traveling on a business trip, and wish to speak with your fellow colleagues or business associates in real-time during a flight. Never Travel Solo...