GSoC 2018 – Easily Expandable WIDS – First Update

In this blog post I’d like to present the recent changes made in Eewids, why they were done and what comes next. For an introduction to Eewids see here.

In general, the work of the last weeks aimed mainly at ease of use and at testing the main concept: having an easily expandable framework at hand. To that end a RogueAP detection was added, and visualization based on InfluxData tools and Grafana was included. Both steps were much easier to achieve because of the architecture of Eewids.

Starting Eewids easily

For anyone interested in trying Eewids it would have been a big hassle to compile Kismet (the git development version) themselves. As Eewids is based entirely on Docker containers, most of the components do not need to be installed at all, and that matters: nobody wants to compile, start and administer all of Kismet, the Eewids parser, RabbitMQ, InfluxDB, Telegraf, Grafana and finally the plugins added to Eewids (like the RogueAP detection, see below). While all these components are shipped as Docker containers and can be started with a single ‘docker-compose up’, the Wi-Fi card had, until now, to be accessed directly. That required a recent version of Kismet’s remote capture, which is not yet packaged by any major Linux distribution.

Luckily Kismet’s developer found a solution to this problem and documented it. We adapted it to the needs of Eewids and now have a setup in which Eewids can be started on a local machine needing nothing more than a compatible Wi-Fi card, docker and docker-compose. Please see the getting-started.md of Eewids for more information and try it yourself! 😉

Renaming fields of captured data

To make the data captured by Eewids as accessible as possible for developers, many of the field names stored in the message broker RabbitMQ were renamed to closely follow Wireshark’s “Display Filter Reference” (e.g. wlan.ssid, wlan.bssid). See here.

Hearing Map for RogueAP detection

The simple RogueAP detection which existed before has been extended with a hearing map. The whitelist now contains not only valid ESSID:BSSID pairs, but also which remote capture is able to see which AP. Thus an attacker cannot reuse a valid ESSID:BSSID pair of an AP located in a different building to cover an EvilTwin attack: the pair would be heard by a capture that is not expected to see it. See here for more information.
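The hearing-map check described above, written out as an added example (this is not Eewids’ own code). Beacons arrive as dicts in the Wireshark-style field naming Eewids uses (wlan.ssid, wlan.bssid); the "capture" key naming the remote capture that heard the frame, the alert kinds and the sample whitelist are assumptions made for this example. It distinguishes the classic EvilTwin (known ESSID, unknown BSSID) from the case the hearing map was added for: a valid pair heard by a capture in the wrong building.

```python
"""Hearing-map check for beacon frames (added example, not Eewids code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Alert:
    kind: str      # "unknown_bssid" (classic EvilTwin) or "out_of_place" (valid pair, wrong capture)
    ssid: str
    bssid: str
    capture: str


class HearingMap:
    """Whitelist of ESSID:BSSID pairs plus the remote captures expected to hear each AP."""

    def __init__(self) -> None:
        # ssid -> bssid -> set of captures that legitimately hear this AP
        self._aps: Dict[str, Dict[str, FrozenSet[str]]] = {}

    def add(self, ssid: str, bssid: str, captures: Iterable[str]) -> None:
        self._aps.setdefault(ssid, {})[bssid.lower()] = frozenset(captures)

    def check(self, beacon: dict) -> Optional[Alert]:
        """Return an Alert for a suspicious beacon, or None if it matches the hearing map."""
        ssid = beacon.get("wlan.ssid", "")
        bssid = beacon.get("wlan.bssid", "").lower()
        capture = beacon.get("capture", "")  # assumed field: which remote capture heard it
        known = self._aps.get(ssid)
        if known is None:
            return None  # not one of our ESSIDs: this detector only guards the whitelist
        captures = known.get(bssid)
        if captures is None:
            return Alert("unknown_bssid", ssid, bssid, capture)
        if capture not in captures:
            # Valid pair, but heard where the real AP is out of range: a cloned AP
            return Alert("out_of_place", ssid, bssid, capture)
        return None


def detect(hearing_map: HearingMap, beacons: Iterable[dict]) -> List[Alert]:
    """Run the check over a stream of beacon messages and collect the alerts."""
    return [a for a in (hearing_map.check(b) for b in beacons) if a is not None]


def build_sample_map() -> HearingMap:
    """Constructed whitelist: one ESSID served by two APs in two buildings."""
    hm = HearingMap()
    hm.add("corp-wifi", "00:11:22:33:44:55", {"cap-building-a"})
    hm.add("corp-wifi", "00:11:22:33:44:66", {"cap-building-b"})
    return hm


# Constructed sample beacons, in the order a consumer would receive them.
SAMPLE_BEACONS = [
    {"wlan.ssid": "corp-wifi", "wlan.bssid": "00:11:22:33:44:55", "capture": "cap-building-a"},  # legitimate
    {"wlan.ssid": "corp-wifi", "wlan.bssid": "00:11:22:33:44:55", "capture": "cap-building-b"},  # cloned pair, wrong building
    {"wlan.ssid": "corp-wifi", "wlan.bssid": "de:ad:be:ef:00:01", "capture": "cap-building-a"},  # unknown BSSID
    {"wlan.ssid": "guest-cafe", "wlan.bssid": "aa:bb:cc:dd:ee:ff", "capture": "cap-building-a"},  # not whitelisted, ignored
]


if __name__ == "__main__":
    for alert in detect(build_sample_map(), SAMPLE_BEACONS):
        print(alert)
```

In a deployment the whitelist would be loaded from configuration and `check` would be called from the broker consumer callback; deduplicating repeated alerts for the same BSSID is left to the alerting layer.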

Add a visualization tool: Grafana

We develop Eewids to make it easy to add new functions. To test this claim, and to actually extend the functionality with a way to analyze and visualize what is happening around us, we added Grafana. It connects easily to different data sources (InfluxDB, Elastic etc.) and lets you create graphs, lists and so on. As a starting point we added InfluxDB to store the captured data, Telegraf to get the data out of RabbitMQ and into InfluxDB, and Grafana to read the data from InfluxDB.

What would have been a hassle to set up on a local machine was quite easy with docker and the data set Eewids already provides in RabbitMQ. It took us only a few hours to work out how to use this software, and even that time was not spent on Eewids itself but on our missing basic understanding of Telegraf, InfluxDB and Grafana. That is to say, anyone who already knows these tools could have added them to Eewids with little effort. And this is the objective of Eewids.

We consider this a successful proof of concept. We used InfluxDB as Grafana’s backend because we expect upcoming additions to depend on or use InfluxDB. Likewise we can imagine a quick, straightforward integration of Elastic and its related tools, and we would be glad to see that added in the future as well. 🙂

What comes next?

Now that a visualization tool (Grafana) is in place, it makes sense to feed it more information, to visualize alerts, and so on. Furthermore, we would like to improve the “backend” features for developers, which means creating templates that make it easy to start using Eewids data and to add detection methods. Let’s see how it works out!

GSoC 2018 – Easily Expandable WIDS – Introduction

Hello,

I am Alex and this summer I want to create a framework for an easily expandable wireless intrusion detection system. The objective is a working environment which can be extended with microservices that detect attacks on Wi-Fi networks, and which fits rather large organizations instead of only small private setups.

Everything is happening on GitHub, and this introduction is therefore based on the README, which I wrote with this blog post in mind.

Background

Existing WIDS Tools

Analyzing 0x90/wifi-arsenal, especially in search of wireless intrusion detection systems (WIDS), I realized that there is no complete ready-to-go solution yet, at least as far as free and open source software (FOSS) is concerned. For me a WIDS should serve the following needs:

  • detection of most of the known Wi-Fi attacks
  • scalability and thus being able to work within big organizations
  • simple expandability (there are always more attacks to come ;-))

Although there is indeed software on GitHub which can be used to detect Wi-Fi attacks, these tools are usually specialized on a few attacks and/or are hobby projects which would not fit into larger environments. Please have a look at the defence-related Wi-Fi tools on the wifi-arsenal list.

One exception should be mentioned: Kismet. It is probably the most famous and complete FOSS Wi-Fi solution and very popular. Still, it does not seem to fulfill the above requirements completely, and being a full-featured WIDS is probably not Kismet’s objective either. Instead it has many features for pentesting Wi-Fi networks and other interesting things.

Why Not Just Extend Existing Programs?

One solution would be to simply add the needed functionality to Kismet. That is definitely a good idea and I encourage everyone to improve the code of Kismet. Some of the needs mentioned above can be solved more generally with a microservice approach, though, and this is exactly what EEWIDS tries to achieve. By creating a containerized framework, EEWIDS enables

  • scalability
  • working easily in setups of bigger organizations
  • the possibility to add functionality easily (see below)

Main Idea of EEWIDS

Simple layout sketch of EEWIDS

Basis Kismet

EEWIDS uses Kismet as its basis. Thus it builds on Kismet’s advantages and adds functionality using container techniques. As Kismet is under heavy development right now, EEWIDS uses the git version of Kismet, which is completely different from the last release from 2016. The Kismet remote capture (which replaces the former Kismet drone) is the only piece of software which cannot be containerized: it has to run on the machine which contains a Wi-Fi card capable of monitoring traffic. As Kismet is very popular, the Kismet remote capture already runs on many different machines and platforms, e.g. on OpenWrt. Therefore it is better to use Kismet as the basis for capturing data instead of building a system of our own.

The Kismet remote capture sends the data to a Kismet server instance running in a container. By using the Kismet server we are informed about every attack Kismet itself detects, and thus we can reuse the work already done there. EEWIDS attaches to the Kismet server to:

  • pull the pcap-ng data stream which contains all data captured
  • pull all alerts raised by Kismet server itself

Message Broker RabbitMQ

Both kinds of information are parsed and then submitted to a message broker. The message broker is the central point of EEWIDS. By using RabbitMQ, one of the most popular systems of its kind, it is easy to subscribe to exactly the information needed. This is supposed to be the big advantage for developers: instead of capturing and parsing Wi-Fi packets itself, a detection method only needs to subscribe to the needed information and receives it directly from the message broker. Furthermore, the developer can use any programming language or system suited to the kind of detection, without having to bother with C++ or other things that may be necessary for Kismet plugins.

Analyzing and Visualization

The actual analysis is done in services dedicated to this task. E.g. instead of parsing packets, looking for Beacons and analyzing them afterwards, a service simply subscribes to all Beacon frames; all other frames are of no interest to it. The service does not need to parse the Beacon frames, it just accesses the json-formatted information it got from the message broker, e.g. data[‘wlan.ssid’] or data[‘wlan.bssid’]. This can be done independently of the programming language, as most languages already have modules for json and are able to access RabbitMQ. This setup should work for every language which has a client listed on the RabbitMQ website.
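To show what the parsing step in front of the broker has to do so that a service can just read data[‘wlan.ssid’], here is an added example (not EEWIDS’ parser) that turns a raw 802.11 beacon frame into a json message keyed by Wireshark display-filter names. The exact set of fields emitted, the omission of the radiotap header, and the constructed sample frame are assumptions of this example; the field names themselves (wlan.fc.type_subtype, wlan.bssid, wlan.ssid, wlan.ds.current_channel, wlan.fixed.beacon, wlan.fixed.capabilities.privacy) are Wireshark’s. Malformed tagged parameters are rejected rather than half-parsed, since a WIDS must not let an attacker-controlled length byte silently truncate what it reports.

```python
"""Parse a raw 802.11 beacon into a Wireshark-style json message (added example, not EEWIDS code)."""
import json
import struct

BEACON_TYPE_SUBTYPE = 0x0008  # value of wlan.fc.type_subtype for beacon frames
MGMT_HEADER_LEN = 24          # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12         # timestamp (8), beacon interval (2), capabilities (2)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def type_subtype(frame: bytes) -> int:
    """Combine the frame-control type and subtype bits the way wlan.fc.type_subtype does."""
    fc, = struct.unpack_from("<H", frame, 0)
    return (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)


def is_beacon(frame: bytes) -> bool:
    return len(frame) >= 2 and type_subtype(frame) == BEACON_TYPE_SUBTYPE


def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon frame (without radiotap header); raises ValueError on anything else."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if not is_beacon(frame):
        raise ValueError(f"not a beacon: wlan.fc.type_subtype=0x{type_subtype(frame):04x}")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    timestamp, interval, caps = struct.unpack_from("<QHH", frame, MGMT_HEADER_LEN)
    msg = {
        "wlan.fc.type_subtype": BEACON_TYPE_SUBTYPE,
        "wlan.da": _mac(frame[4:10]),
        "wlan.sa": _mac(frame[10:16]),
        "wlan.bssid": _mac(frame[16:22]),
        "wlan.seq": seq_ctrl >> 4,            # upper 12 bits; the low 4 are the fragment number
        "wlan.fixed.timestamp": timestamp,
        "wlan.fixed.beacon": interval,        # beacon interval in time units
        "wlan.fixed.capabilities": caps,
        "wlan.fixed.capabilities.privacy": bool(caps & 0x0010),
    }
    # Tagged parameters follow as (tag, length, value) triples until the frame ends.
    off = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")  # malformed: do not trust the rest
        if tag == 0:
            msg["wlan.ssid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:
            msg["wlan.ds.current_channel"] = value[0]
        off += 2 + length
    return msg


def to_broker_message(frame: bytes) -> str:
    """Serialize the parsed frame as the json string a detection service would receive."""
    return json.dumps(parse_beacon(frame), sort_keys=True)


def build_beacon(ssid: str, bssid: str, channel: int, privacy: bool = True) -> bytes:
    """Constructed sample beacon for testing; not a real capture."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    caps = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, optionally the privacy bit
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0x1230)
    fixed = struct.pack("<QHH", 123456789, 100, caps)
    ssid_raw = ssid.encode()
    tags = bytes([0, len(ssid_raw)]) + ssid_raw + bytes([1, 1, 0x82]) + bytes([3, 1, channel])
    return header + fixed + tags


if __name__ == "__main__":
    print(to_broker_message(build_beacon("corp-wifi", "00:11:22:33:44:55", 6)))
```

A consumer on the broker side then only needs json.loads and the field names; it never touches frame bytes, which is the division of labour the paragraph above describes.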

Another advantage is the freedom to choose the visualization/analysis software. It is easily possible to include either influxdata’s TICK stack or the elastic stack, both open source analysis suites which also come with anomaly detection methods. These stacks and other software already have interfaces to access RabbitMQ and to read json-formatted data, so extracting the collected information as needed is easy.

This should make it easy to extend EEWIDS in various ways. Let’s see what can happen.

Focus

Usability from a developer’s perspective depends on the availability of logged frame information actually stored in RabbitMQ and on the existence of easily adaptable templates. Furthermore, deploying the system has to be as easy and straightforward as possible. That’s why I’d like to focus on three things:

  • the parsing of Kismet’s pcap-ng files should be as complete as feasible
  • there should be templates for some major programming languages describing the usage
  • the deployment should work straightforwardly

Freifunk brochure “Freie Funknetze in der Praxis” (Free Wireless Networks in Practice) by Medienanstalt Berlin-Brandenburg

The Medienanstalt Berlin-Brandenburg (mabb) has published a brochure “WLAN für alle – Freie Funknetze in der Praxis” (Wi-Fi for Everyone: Free Wireless Networks in Practice). From the press release: Current mabb publication provides comprehensive information on the topic of “Freifunk”.

It explains in detail what “Freifunk” is and which opportunities and risks are associated with this network. With the publication, mabb wants to support the Freifunk community in raising public awareness of Freifunk. Too few citizens and institutions yet know about the possibilities of this network, and those who do know it have concerns and reservations about using it or offering it themselves. Questions like “Is the Freifunk network secure?”, “Am I committing a crime if I open my router to others?” or “Am I liable for other people’s illegal downloads?” are asked again and again. The mabb publication picks up these questions and gives practical explanations and usage advice for users and providers.

The brochure can be downloaded as a PDF or ordered in print. Its contents are available under a free Creative Commons license.

 

Rathaus Berlin-Neukölln is on the air with Freifunk!

From now on, visitors and residents around the Neukölln town hall can get free Internet access via the Berlin Freifunk network, without time limits and free of charge.

The routers installed in the town hall tower are connected via directional antennas to the existing Berlin Freifunk network. They thus provide not only a connection to the Internet but also allow users to offer and use services internal to Freifunk. [1]

After a unanimous, positive response from the Committee for Administration and Equal Opportunities, the Neukölln district assembly (Bezirksverordnetenversammlung) voted on 24.04.2013 for the installation of Freifunk routers on the town hall building [2]. The motion in the committee went back to an initiative of the Pirate Party.

The district provides the location and the electricity for the Freifunk hardware. The costs for construction work and routers were covered by a grant from the Medienanstalt Berlin-Brandenburg (mabb) [3]. Installation and maintenance of the network equipment is done on a volunteer basis by members of the Berlin Freifunk community.

One of the 14 installed antennas links to the Kreuzberg town hall about 3.8 km away, where routers had already been installed in October 2013. Both sites are part of the so-called BerlinBackBone (BBB), a Wi-Fi based city-wide mesh network over the roofs of Berlin which, thanks to financial support by mabb, is currently being intensively modernized and expanded by the Freifunk community. Besides the two town halls it already includes several churches and university buildings.

Via these relay stations the local neighbourhood networks (mesh clouds) of the Freifunk participants are connected to each other and to the Internet. This makes it possible to communicate wirelessly across larger distances within the city without relying on the networks of commercial providers.

Internet uplinks within the network are both shared by private individuals [4] and provided via the Förderverein Netzwerke e.V. and other partners. IN-Berlin e.V. in particular, and recently also the Berlin Commercial Internet eXchange (BCIX) e.V., actively help out with know-how and bandwidth.

Because of the many positive experiences, most recently in the Kreuzberg and Neukölln town halls, the Berlin Freifunk community is looking forward to further installations on and in other public and private buildings. Besides further locations, Freifunk Berlin is also looking for supporters who want to help realize a free city-wide network! More information can be found on the website http://freifunk.berlin.

[1] http://wiki.freifunk.net/Berlin:Standorte:Bezirksamt_Kreuzberg

[2] http://www.berlin.de/ba-neukoelln/bvv-online/vo020.asp?VOLFDNR=3790&options=4

[3] http://www.mabb.de/information/wlan/public-wifi.html

[4] https://digitalegesellschaft.de/portfolio-items/storerhaftung-beseitigen/#gesetz

Freifunk Wireless Community Weekend 2014 at c-base Berlin, May 30 – June 1

Community mesh networkers from around the world are meeting in May 2014 at the c-base in Berlin.

There are pre-meetings on May 28 and 29; the “official program” starts on the 30th and lasts until June 1st. The final version of the agenda will be created by the attendees on site. If you add your idea or wish to our wiki upfront, we can schedule your talk or workshop. Hack sessions take place over the whole weekend.

This year we focus on topics like crypto, IPv6 and new services, but as always also on the latest firmware, new installation setups and, last but not least, legal and political updates plus public relations. Following tradition we will have a barbecue in the evening hours at the Spree beach, and there is no entry fee. For more information and to take part, please click here: Wireless_Community_Weekend_2014

When

  • 30 May till 1 June 2014 at c-base Berlin

Where

Inside locations

  • main hall
  • c-base beachpark

Freifunk field report: Networks over Berlin

The Freifunk field report “Rooftop Bombing mit Netzwerkknoten in Berlin” (Rooftop Bombing with Network Nodes in Berlin) by Boris Niehaus in the magazine vice.com gives an impression of building free networks over the roofs of Berlin.

Freifunk Berlin

“We enter the building and meet the head of the town hall’s IT department in the foyer, with whom we ride up to the 10th floor and climb through a hatch onto the roof. The wind hits me in the face, and Mr Zachler from the town hall IT protects himself from the rain with a plastic bag, fastened with cable ties. The FREIFUNKERS jump around the roof quite routinely, laying cables and aligning a total of 14 antennas. These build radio links of up to 5 kilometres to other big nodes, such as the Zoofenster in Charlottenburg or the Arkaden in Neukölln.”

“…a self-managed network has many advantages. It provides an independent infrastructure that keeps working even when our Internet fails because of a storm, or when the network is simply switched off, as in totalitarian regimes. You can connect with your neighbourhood, set up community radios, play network games. A few Internet connections can moreover supply a whole district. Not bad for socially disadvantaged areas, especially since Hartz IV households still get no money from the authorities for an Internet connection of their own.”
http://www.vice.com/de/read/rooftop-bombing-mit-netzwerkknoten-in-berlin

Freifunk connects! Meet us at the Wireless Community Weekend, May 10-12, 2013 in Berlin

Philipp Seefeldt has published the animated film Freifunk verbindet! (Freifunk connects!) on Vimeo. The idea came from Sven Heinze and Juergen Neumann. Silke Meyer helped with the text, Anne Helm did the voice-over, and the music was written by Thomas Deittert. You are welcome to embed the video on your website. It is released under a free Creative Commons license (BY-SA).

If you want to learn more about Freifunk and Freifunk participants from Germany and other countries, come to the Wireless Community Weekend at c-base in Berlin from May 10 to 12. Informal meetings already take place on May 8 and 9.

When

  • May 10-12, 2013

Where

More info

More info in the wiki here: http://wiki.freifunk.net/Wireless_Community_Weekend_2013

Freifunk Wi-Fi in and on the Rathaus Kreuzberg: free Internet access despite Störerhaftung

Visitors to the citizens’ office in the Kreuzberg town hall now have free Internet access, without charge or time limits, via a newly installed Freifunk Wi-Fi. Besides an access point in the waiting room on the third floor, three Wi-Fi routers were installed on the roof of the eleven-storey building. Thanks to directional antennas these routers have a range of up to ten kilometres and connect to the Freifunk network that already exists over the roofs of Berlin and to the Internet uplinks attached to it.

In spring the district assembly decided to start a Wi-Fi pilot project, which was then realized by Freifunk members around André Gaul together with citizen deputy Andreas Pittrich. The project was supported by Dietmar Zachler of the town hall IT and district councillor Hans Panhoff. All devices were installed by Freifunk; the district office provides the locations and the electricity for the devices.

The Internet uplinks are provided by citizens within the Freifunk network. However, sharing an Internet connection without further measures carries a legal risk because of the Störerhaftung (secondary liability for disturbance) still in force in Germany: one can be held liable for forwarding third-party Internet traffic. To circumvent the Störerhaftung, Freifunk routes the traffic encrypted through a VPN via Sweden, so that it leaves the VPN exit there rather than the private uplink in Germany, which also demonstrates the absurdity of the Störerhaftung. The same technique is used by the Freifunk Freedom Fighter Box, which has been distributed free of charge since June 2012 to provide free Wi-Fi in public places and to protest against the Störerhaftung.

Freifunk supports the draft law of the Digitale Gesellschaft which puts citizens and businesses offering Internet access via Wi-Fi on an equal legal footing with commercial Internet providers as far as liability is concerned. Based on the thoroughly positive experience in the Kreuzberg town hall, Freifunk hopes to carry out further installations on and in other public buildings soon.

[via Juergen Neumann]

Links

Documentation: wiki.freifunk.net/Berlin:Standorte:Bezirksamt_Kreuzberg

Removing the Störerhaftung, draft law by DigiGes: digitalegesellschaft.de/portfolio-items/storerhaftung-beseitigen/

Freifunk Freedom Fighter Box: freifunkstattangst.de/2012/06/14/aktion-gegen-storerhaftung-anonym-im-wlan-an-offentlichen-platzen-mit-freifunk/

BVV resolution: www.berlin.de/ba-friedrichshain-kreuzberg/bvv-online/vo020.asp?VOLFDNR=4948&options=4

Node Database and Map Server Yaffmap: Yet Another Freifunk Map

yaffmap is a project by Dennis Bartsch from Freifunk Berlin, which he started with a friend. It got its name because at the beginning of the project there were many map servers in Berlin, so it started as yet another approach to a Freifunk map.
 
yaffmap – screenshot
 
The intention was to make a server that not only produces points and lines (nodes and their links) but gathers all information that might help to understand why a link is as bad as it is. This includes gathering wireless scan results, the effective rate chosen/calculated by the wireless driver to a specific neighbour, and so on. Furthermore it had to be independent of the routing protocol and its daemons (but needs them to gather useful info) and of the IP version (or even no IP version for RPs like batman), and had to be able to upload and store data from multiple routing protocols on the same node. In order to sample so much information we went the route of scripting an agent for the map server which runs on the nodes, gathering the information and uploading it through a JSON interface to the server. For link-state protocols like OLSR we even implemented the upload of the global topology to the server, which gave us some headaches. From the beginning the need for decentralized operation was stressed, so replication between the servers was implemented and any community which wants to can have its own map data server. Moreover they clearly wanted the data collection/storage to be independent of the frontend presented to the map user. In Berlin, every time a new map came along and an old one was gone we saw huge amounts of data simply disappear. So the server only provides a SOAP interface for UIs and other services to use to get map data. The representation of a node in the database is best seen in a graphic. Dennis uploaded it to imageshack, see [1]. A little bit of documentation is found under [2], but it wasn’t thoroughly updated after we left the concept stage.
 
We got to the point where the agent (a bunch of shell/AWK) for the nodes runs on OpenWrt (best with madwifi and ath9k/ath5k) with olsrd (other routing daemons simply need scripts for data gathering; the agent is kept modular), uploads a lot of useful information to the server (or to another one if the first does not respond; multiple can be configured) using JSON, where it gets stored correctly in an SQL database, replicated to other servers and provided through a SOAP interface. The agent is even already provided as a package in the respective PBerg Freifunk firmware. There also exists a ‘proof-of-concept’ implementation for a map frontend, see [3]. The code is hosted on github, see [4]. Because the frontend development got stuck, the frontend SOAP interface is neither very sophisticated nor much tested, and neither is the frontend itself.
 
The result is a database which can answer more complex questions for the mesh engineer or software developer. Maybe you want to know the average effective rate on all 11n interfaces or all 5 GHz interfaces? Or you might be interested in the average ETX on different channels in a certain geographic area. Or you want to compare how different routing daemons evaluate the quality of a certain link. Maybe you even want to draw a noise map. Or wouldn’t it be interesting to see the correlation between the effective rate of a wifi link and the metrics the routing daemons derive from it? Because the node data includes a ‘misc’ field through which any kind of node id or statistics can be stored/sent, this can even be integrated into existing community portals.
 
 

Freifunk at the Linuxtag

Just after the Wireless Community Weekend 2012 at the c-base, the next event is approaching. From Wednesday, May 23 to Saturday, May 26, 2012 the freifunk community participates in the Linuxtag Berlin. Space for community members is available, as is the opportunity to present your own projects. Depending on the level of participation of the community we can showcase freifunk projects on a shared booth or get our own booth. Please add your name to the list of potential participants in the wiki and note how long and in what way you would like to contribute to this event.

When

  • Date: 23 – 26 May 2012
  • Opening hours for visitors: Wednesday – Friday 09:30 – 18:00, Saturday 09:30 – 17:00
  • Conferences: daily 10:00 – 18:00

Where

  • Messe Berlin
  • Berlin Fairgrounds Hall 7 (Messedamm 22, 14055 Berlin, Germany)
  • Venue: Hall 7 (S-Bahn station Messe Süd)

Locations

  • Shared Booth

Links

http://wiki.freifunk.net/Linuxtag_2012