
Raspberry Pi, Kismet, and PCI 11.1

BSides Delaware · 2015 · 19:29 · 421 views · Published 2015-11
Style: Talk
About this talk
BSides Delaware 2015 Speaker: Bob Hewitt Talk: Raspberry Pi, Kismet, and PCI 11.1
Transcript [en]

So, Bob Hewitt. Today we're going to talk about PCI compliance using Raspberry Pi and Kismet. Anybody using Raspberry Pis at all? Awesome. Kismet? Nice. Alright. Anybody doing this already? Run the demo.

Alright, PCI, Payment Card Industry. Everybody doing PCI, or anybody not doing PCI? So if you're doing credit cards, you have to do PCI. It doesn't matter if you just pass it off to a payment gateway, it's still hitting your site, still hitting your network, you have to put it out there. So anybody who takes a card, it's hard to pass it to you. A new version came out in April 2015, so there are little changes here and there, so you want to keep up on it if you're getting started with it. You want to make sure you use the latest version, the current version. And just because you're PCI compliant, it doesn't mean you're secure. That's a big misconception.

You know, a lot of times management will say, but we're PCI compliant. How could this happen? Why do you need more money? We're already PCI compliant. And what it comes down to is PCI is a starting point. Use it as your baseline to just start your program, and go from there. And you'll be able to know about it in a moment. So PCI 11.1, basically it states that you're supposed to detect and document all your authorized and unauthorized wireless access points on a quarterly basis. So right there, just as I said, quarterly basis, that really does nothing for you. Somebody could be out there for 90 days and you wouldn't know it. If you are an employee in a company that does this

on a quarterly basis, you know you can just watch for the guy to come around with the antenna and pull that rogue access point out that day. You turn it back on the next day and you're good for another three months. So what kind of threats, so before we even get into this, before we just want to get in there to check the box for PCI, what are we really trying to accomplish? What are our threats? What kind of threats do we see with this? Anything? Yeah, just in terms of wireless or PCI? Rogue access. So it's when you have a wireless bridge from an uncontrolled space into a controlled space. Yeah. And it's ultimately all the bad things that you

then have. Yeah. So our threats.

That's our most likely threat. When we look from a risk perspective, it's a user. And they don't necessarily have to be a bad user or a malicious user. A lot of times they have good intentions. They want to be more productive. They want to help their coworkers out. So one of them might have a router sitting around at the house because they've got a new one. And they'll bring it in and plug it into an open network jack, which shouldn't be open. We should have everything disabled that's not active. We should do MAC filtering. Maybe they found something helpful. Maybe they found that you can plug into the back of the VoIP phone and get internet in some cases. Depends on your phone. So that's, you

know, they just want to help. They want to go sit at the picnic table. They want to go to the conference room. We let them roam around when they're at home, so why not out there? They're more productive. Streaming on personal devices, so how many times, I can't tell you how many times people have come up to me and said, can I have the Wi-Fi password? And I say, why? I want to stream music on my phone, I'm using all my data on my plan. So this is the way to circumvent that, because the company's bad. And bypassing monitoring and other controls. So if you're doing any type of endpoint protection, somebody can bring in their own laptop, and they're going to bypass all of those

with their own device, because they're no longer on your endpoint. The other one, evil twin SSIDs. That's where you can sit outside somebody's place, put up an SSID that's very similar to what their company would be. So it would be company, employee, open Wi-Fi. And your employees will jump on it. You can't really fault them. If you walk around here, you'll see a bunch of them already that are fired up. They look legitimate. Nobody questions them. People just connect to them. So it just seems safe because your company name has got to be efficient. So somebody could sit out there, and then from there, maybe do a reverse shell, maybe capture your traffic, maybe just start proxying you and do a man in the middle, whatever the case

may be. So it's a nice avenue. And then a drop box. This is very legitimate Houston's 30s. But this is $25. It's a MiniPwner. You can check it out online. But $25. So if you can get into a building and drop this behind somebody's VoIP phone, or drop it onto an open jack under the desk where it's going to be out of sight. It runs on battery. Once you plug it in, it's going to bridge the network, like you said, and you can sit outside, and the tens of thousands of dollars you put into firewalls are just bypassed by $25 and a cable.

Alright, so looking at this, my objective was no longer just to make a list of all the authorized and unauthorized access points. We want to do that. We want to identify the access points. We want to prevent users from connecting to unauthorized access points. So the evil twins. And detect wireless access points or other devices as they're introduced into the network. So we want to do more than just, this is an opportunity to do more than just the wireless access point. If something is just plugged into the network, if somebody plugged one of these in, we want to know about it. Or even a laptop or another computer or whatever the case could be. Criteria? It's performed on a continuous basis, not 90 days,

so they're here and gone. Or you'll never see them; there's no block, there's no event, walking around with the antenna, there's nothing except for that moment. Unless you can coordinate with all your attackers. If anybody's figured that one out, let me know. Low cost, and easy to deploy, and you want it to be scalable. All

right, so Raspberry Pi. It's been around for some time, a few years now, and they're getting better and better with them. A lot of people seem to be using them for various projects, all good, right? We're using the Raspberry Pi 2 Model B. Second generation, came out in February. It's a nice little device. Anybody who hasn't seen one yet? It's just one of these. There's not a lot to it. So you keep hearing that they're low cost. The problem we run into is

you hear $25, $35, and what do they really cost? Probably about, well, we pay $70. By the time you buy the case, the power adapter, the SD card, the Wi-Fi adapter and all that. So we just started buying the CanaKit kits, I don't know what everybody else is using, but $70 on Amazon, you get everything you need to start. And for everything that I'm going to show you now, we have step-by-step instructions online, you can get the link at the end, because it's a nice thing. If you haven't used Linux yet, or you haven't, you know, in my case, I used to use Unix and dabbled in Linux, like, once a year I would

get to go in and do something with it. But Unix was 20 years ago. So it was nice to get back in and start doing this stuff. So if you're new to this or you haven't touched it in a while, it's a nice project to get into, especially step by step, all the instructions are there. All

right, so it's using Raspbian, as I said. And we used it with Wheezy, and then Jessie just came out in September as we were building these out. So we tried our instructions on both of them. Both worked fine. All right, so when you're doing this, you want to select your location. You want to look at your building, map it out. A typical wireless range is about 150 feet. So basically you want them to overlap with each other. And what I did was create drones. We have one unit that we plug into a monitor in our NOC and it sits there and runs. And then all the drones

are headless and they talk back to the main host. So we just drop them into closets, there's no monitor, there's no keyboard, nothing to it, just this and an ethernet cable going into it. Also, if you can, you want to split subnets, and we'll see when we talk about Nmap why you want to do that. Alright, so Kismet users?

Okay, so Kismet, open source tool. It's an 802.11

layer two wireless network detector. The advantage of Kismet over other tools is that if someone's not broadcasting an SSID, it's going to be detected, because it's actually capturing the traffic. It's not just looking at it, it's capturing it and processing it that way. So you can put an access point out there and not put an SSID out there, or not broadcast it, but Kismet will detect it and you'll have the MAC address. And then when someone does the handshake, when someone tries to authenticate to it, whoever is managing that, it'll go ahead and get the SSID at that point. So you'll get it eventually. But at least you'll know something's out there, you just can't track it yet. So on the host configuration,

it's really just a text file you're going to go in and modify, and you're going to set your sources to use it from We're going to disable GPS because there's no need to. I don't know if we're saving any processing power or anything by not looking for it, but we're just trying to cut out any noise or anything in your logs. And if you're war driving or you have some type of mobile thing you're trying to protect, it might work for you. And we're going to log to the netxml. So there are a lot of logging options. We trimmed out some of the logging, cut back on the logging, only because

these are, you know, we said they're powerful, they're nice, they're awesome, but they don't have a lot of space, so we don't want to fill them up with the logs. All right, drone configuration, same thing, a text file, you're going to go in and modify it and set your drone list and your allowed hosts. We set it for the subnet, so you can put your host on as long as it's on the subnet, but you can go down to the IP address if you want to. And the same thing, the same little GBA.

So that's Kismet. Up and running. Powerpoint. Killing.

Alright, so that's Kismet. I can't see it here now.

Again, you see a lot of, you see the SSID, you see BSides guests, BSides staff. Everybody's probably comfortable with connecting to BSides guests, right? But you don't know if it's me or Justin or anybody else, correct? You're just assuming it's a legitimate source. So once you have it up and running, as you select them, you can go in and get further details on them. And it'll show you the channel, it'll show you the signal strength. So this is minus 93. You're going to have to learn what's good in your environment. Typically anything less than 100, you probably want to get out the antenna and the tablet and start walking around. I don't know if anybody's used Vistumbler. That was fairly

easy. Get that and one of these antennas. Make sure you get the panel on and walk around. It'll take you right to it just by looking at the signal, you can narrow it down pretty quickly. And then you'll be able to determine if it's inside or if it's outside of your building.

So from there, we're going to go into that XML file. There are many plugins, there are many analyzers, many parsers, and everybody's going to have their own flavor, what they like to do. We don't have enough coming through, so we just drop it into, we open it in Excel, and just open it as a read-only XML file. Hide every column except for those two, and it'll give you a list of the MAC address and the SSID. So from there, you go around, you check, and if that looks like it's within our vicinity, in our buildings, we'll use the iStumbler and go out and try to track it down. Once we confirm that it's clean, that it's not in

our area. If you're in a Windows environment, you can block the SSID with GPO. So that stops the, you know, the evil twin. And then on Kismet, we'll go through it. Just at the end of the config file on the host, put the MAC address into the filter and it won't display anywhere on here. You know, so basically in our NOC, anytime we walk by, if there's something showing, we want to take a look at it. Nmap. Anybody using Nmap? So you should know everything on your network. Yes. Oh, okay. Just saying you need to know that. So Nmap, it's basically going to list out, find a lot of services, you know, addresses, MAC addresses. It's a good way to

pull all that information. So everybody has this already, right? We all have it down to the last

If not, this is a good way to get back into it. So you're going to do some simple Nmap scans. And the way we're doing this, so I created a known list, a known list with MAC addresses, IP addresses, and I parsed that out. So Nmap branded scan, we parsed out those components, the results, and then it does a, it's a cron job that runs every minute to go ahead and do another scan. It takes the results from that scan and compares them against the results in the known list. We plug this in before I forget.

Anything different, I'm just going to go ahead and report on. I'll just give you a little bit. So you can have it dump to a text file. We have it go to NXLog. NXLog sends it up to our

a secure way to do this where we can do it centrally and maybe write to the chair or something like that. But we'll get something going with that.

Alright, so these are the commands. Establish the node IP and map SD. And what we're doing, we're looking for ports 21, 22, 23, 80, and 443. So you have FTP, SSH, Telnet, port 80 and port 443, HTTP and HTTPS, only because we want to be able to Those are the things you're typically going to see on a wireless access point. They're going to have some method to SSH to it, they're going to have some method to, you know, a web interface to manage it. So it's not 100%, but this will probably cover the 99.99. All

right, and then the same thing with the MAC address. When you do the MAC address, you have to run it as sudo. The reason why I said you have to keep it on different subnets is because when Nmap is scanning for MAC addresses, it won't jump. It won't jump your routers. It's going to stay within your subnet. So you need one on every subnet. And even if you can't get a Raspberry Pi on every subnet, you can run Nmap on your own. So if you have any server, workstation, whatever you have available to you on that subnet, that will work. And then again, we drop the results into

step-by-step instructions on doing this, that's the URL. Looking for ideas, other things to do. Because we come across a lot of these things where, you know, a lot of this is with small and medium businesses or the academic world or somewhere where you just don't have the enterprise budget and the enterprise staff. You know, there are companies we work with and their security teams are bigger than our entire staff. And, you know, so there are ways around this and a lot of my

looking for any ideas if anybody has anything out there and you're struggling with challenges. You know, you always see the big dollar things. Something simple like disabling USB. You don't have to go out and buy the $10,000 endpoint solution. You can do it through Windows with a GPO setting. It's just a little bit of work and typing. If you do that, you can fix a lot of problems. So, you know, if you're out there, you haven't
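The host-side processing the talk describes (pull MAC and SSID out of Kismet's netxml, drop BSSIDs already on the known list, flag hidden APs, evil-twin SSIDs and strong signals, then diff an Nmap scan's MACs against the same known list on every cron run) as one script, written as an added example for this page. It is not the speaker's script and does not reproduce his step-by-step instructions. It assumes the element names of Kismet's legacy .netxml output (wireless-network, SSID/essid, BSSID, channel, snr-info/max_signal_dbm), Nmap's -oX XML, a known-list text format of one MAC per line, and a -70 dBm "probably inside the building" threshold; the sample capture, scan and known list are all constructed.

```python
"""Rogue-AP / unknown-host check over Kismet netxml and Nmap XML output.
Added example, not the speaker's scripts. Assumes Kismet's legacy .netxml
layout and Nmap -oX output. Every sample input below is constructed."""
import re
import xml.etree.ElementTree as ET

KISMET_NETXML = """<detection-run>
<wireless-network number="1" type="infrastructure"><SSID><essid cloaked="false">Corp-Staff</essid></SSID>
<BSSID>00:11:22:33:44:55</BSSID><channel>6</channel><snr-info><max_signal_dbm>-55</max_signal_dbm></snr-info></wireless-network>
<wireless-network number="2" type="infrastructure"><SSID><essid cloaked="true"></essid></SSID>
<BSSID>66:77:88:99:AA:BB</BSSID><channel>11</channel><snr-info><max_signal_dbm>-62</max_signal_dbm></snr-info></wireless-network>
<wireless-network number="3" type="infrastructure"><SSID><essid cloaked="false">Corp Staff</essid></SSID>
<BSSID>CC:DD:EE:FF:00:11</BSSID><channel>1</channel><snr-info><max_signal_dbm>-88</max_signal_dbm></snr-info></wireless-network>
<wireless-network number="4" type="probe"><SSID><essid cloaked="false">HomeNet</essid></SSID>
<BSSID>DE:AD:BE:EF:00:01</BSSID></wireless-network>
</detection-run>"""
NMAP_XML = """<nmaprun args="nmap -sS -p 21,22,23,80,443 -oX - 10.10.5.0/24">
<host><status state="up"/><address addr="10.10.5.20" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/><ports>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.10.5.77" addrtype="ipv4"/>
<address addr="66:77:88:99:AA:BB" addrtype="mac"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="10.10.5.99" addrtype="ipv4"/></host>
</nmaprun>"""
KNOWN_LIST = """# constructed authorized list: MAC, then a label
00:11:22:33:44:55  corp-ap-1
aa:bb:cc:dd:ee:ff  print-server"""
OUR_SSIDS = ("Corp-Staff", "Corp-Guest")  # assumed legitimate SSIDs

def load_known_list(text):
    """One MAC per line, optional label after it; '#' starts a comment."""
    rows = [l.split("#", 1)[0].split(None, 1) for l in text.splitlines()]
    return {r[0].upper(): (r[1].strip() if len(r) > 1 else "") for r in rows if r}

def parse_kismet_netxml(text):
    """One dict per access point; client probe-request entries are skipped."""
    aps = []
    for net in ET.fromstring(text).findall("wireless-network"):
        if net.get("type") == "probe":
            continue
        essid, dbm = net.find("SSID/essid"), net.findtext("snr-info/max_signal_dbm")
        aps.append({"bssid": (net.findtext("BSSID") or "").upper(),
                    "essid": (essid.text or "") if essid is not None else "",
                    "cloaked": essid is not None and essid.get("cloaked") == "true",
                    "channel": net.findtext("channel"),
                    "max_dbm": int(dbm) if dbm else None})
    return aps

def _norm(ssid):  # "Corp Staff", "corp-staff" and "CorpStaff" collapse to one key
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def find_rogue_aps(aps, known, our_ssids, inside_dbm=-70):
    """BSSIDs missing from the known list, with reasons; inside_dbm is an assumed threshold."""
    ours, findings = {_norm(s) for s in our_ssids}, []
    for ap in aps:
        if ap["bssid"] in known:
            continue
        why = ["not on known list"]
        if ap["cloaked"]:
            why.append("hidden SSID")
        elif _norm(ap["essid"]) in ours:
            why.append("evil twin of our SSID")
        if ap["max_dbm"] is not None and ap["max_dbm"] >= inside_dbm:
            why.append("strong signal, probably inside")
        findings.append(dict(ap, reasons=why))
    return findings

def parse_nmap_xml(text):
    """Up hosts only: ip, MAC (None unless scanned as root on the same subnet), open ports."""
    hosts = []
    for h in ET.fromstring(text).findall("host"):
        if h.find("status") is None or h.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        ports = sorted(int(p.get("portid")) for p in h.findall("ports/port")
                       if p.find("state") is not None and p.find("state").get("state") == "open")
        hosts.append({"ip": addrs.get("ipv4"), "open_ports": ports,
                      "mac": (addrs.get("mac") or "").upper() or None})
    return hosts

def find_unknown_hosts(hosts, known):
    """Unknown MAC, or no MAC at all (nmap only learns MACs as root on the local subnet)."""
    return [dict(h, reason="no MAC seen" if h["mac"] is None else "MAC not on known list")
            for h in hosts if h["mac"] is None or h["mac"] not in known]

def run_check(kismet_xml=KISMET_NETXML, nmap_xml=NMAP_XML, known_text=KNOWN_LIST,
              our_ssids=OUR_SSIDS):
    """One line per finding, ready to append to a text file or ship through NXLog."""
    known = load_known_list(known_text)
    out = ["ROGUE_AP bssid=%s ssid=%r ch=%s dbm=%s why=%s" % (a["bssid"], a["essid"],
           a["channel"], a["max_dbm"], "; ".join(a["reasons"]))
           for a in find_rogue_aps(parse_kismet_netxml(kismet_xml), known, our_ssids)]
    out += ["UNKNOWN_HOST ip=%s mac=%s ports=%s why=%s" % (h["ip"], h["mac"],
            h["open_ports"], h["reason"])
            for h in find_unknown_hosts(parse_nmap_xml(nmap_xml), known)]
    return out

if __name__ == "__main__":
    print("\n".join(run_check()))
```

Run from cron with the real `-oX` file and the host's current netxml in place of the constructed strings; a BSSID you have walked down and confirmed goes on the known list (the same MAC you would put into the Kismet filter), and the evil-twin match is deliberately loose, so "Corp Staff" on an unknown BSSID is flagged even though it is not byte-for-byte your SSID.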