Automatically Update Pi-hole Daily

Cron is a great sysadmin tool, but it seems like my cronjobs never run because I can’t quite get syntax or permissions right.

Here’s my “how to use cron to (actually) update your Pi-hole daily” guide.

First, run:

sudo crontab -e 

(I know that running ‘pihole -up’ doesn’t require sudo, but cron gets angry without it.)

Add the following line to the cron file:

0 5 * * * /usr/bin/date >> /var/log/pihole_update.log && /usr/local/bin/pihole -up >> /var/log/pihole_update.log 2>&1

This will cause pihole to update every morning at 5:00 am, and log the results to /var/log/pihole_update.log preceded by a timestamp (so you know it’s actually working). (If you prefer updates weekly instead of daily, change 0 5 * * * to 0 5 * * 0 and updates will happen at 5:00 am every Sunday instead.)
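Because the log line is the only evidence that the job actually fired, it is worth having something read it back. The following is an added example, not part of the original post: a small checker that finds the timestamp lines written by /usr/bin/date in the log above and reports when the last update ran and whether it is overdue. The log contents are constructed to look like two daily runs; the timezone token from date is ignored, so the "now" you pass in should be in the same zone as the machine that wrote the log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what /var/log/pihole_update.log looks like after two runs:
# each run starts with the output of /usr/bin/date, followed by whatever pihole -up printed.
SAMPLE_LOG = """\
Mon Feb  7 05:00:01 UTC 2022
  (output of pihole -up for this run)
Tue Feb  8 05:00:02 UTC 2022
  (output of pihole -up for this run)
"""

# Default `date` output: "Tue Feb  8 05:00:02 UTC 2022" (day is space-padded).
DATE_LINE = re.compile(
    r"^[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) \S+ (?P<year>\d{4})$"
)


def parse_date_line(line: str):
    """Return a naive datetime for a `date` stamp line, or None for any other line."""
    m = DATE_LINE.match(line.rstrip())
    if not m:
        return None
    # The zone token is dropped on purpose: strptime's %Z only understands a few names.
    return datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}",
                             "%b %d %Y %H:%M:%S")


def check_update_log(text: str, now: datetime,
                     max_age: timedelta = timedelta(hours=36)) -> dict:
    """Summarise the log: number of runs, timestamp of the latest one, and whether
    the latest run is older than max_age (36 h tolerates a daily job that slips a bit)."""
    runs = [d for d in map(parse_date_line, text.splitlines()) if d is not None]
    if not runs:
        return {"runs": 0, "last_run": None, "stale": True}
    last = max(runs)
    return {"runs": len(runs), "last_run": last, "stale": now - last > max_age}


if __name__ == "__main__":
    # Against the real file: open("/var/log/pihole_update.log").read() and datetime.now()
    print(check_update_log(SAMPLE_LOG, datetime(2022, 2, 9, 4, 0, 0)))
```

If you schedule this checker itself from cron, keep the same habits the post recommends: absolute paths and a redirect of its output somewhere you will look.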

Pi-hole updates, automated.


Decrypting WPA2 Encrypted Wi-Fi Traffic with Wireshark

TL;DR

sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
sudo iw dev wlan1 set channel 6
sudo tcpdump -i wlan1 -w %Y-%m-%d_%H.%M.%S.pcap -G 3600

  1. Capture some handshakes
  2. Open .pcap file in Wireshark
  3. Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys > Edit > New (+)
  4. Select key type: wpa-pwd
  5. Enter the key in the following format: password:ssid
  6. Click OK, then OK again. Wireshark will refresh the display with decrypted traffic. Set the display filter to “ip” to filter out all of the wireless noise.

Intro

Analyzing WPA2 encrypted wireless traffic is more difficult than I thought it would be. After several hours of struggling, I was able to do it. Here’s a condensed version of what I learned.

There are several components that must all work together in order to be successful:

  1. You must have the WPA2 password and SSID
  2. You can only decrypt traffic for devices for which you also captured the four-way handshake, and only the traffic that occurred after that handshake took place
    1. Cool side note: This might even work across pcaps if the files are opened in the right order! For example, if you capture a handshake in cap1.pcap, and more traffic (but no handshake) in cap2.pcap, you can open cap1.pcap first, then File > Open cap2.pcap, and the handshake from cap1.pcap will be used to decrypt traffic in cap2.pcap.

Note: In theory, this should work with WPA and WEP encrypted traffic as well, with only slight modification for WEP.
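To see why all three ingredients are needed, it helps to follow the key derivation Wireshark performs. The code below is an added illustration, not from the original post: it derives the PMK from the password and SSID, derives the per-session PTK from the PMK plus the two MAC addresses and the two nonces that only appear in the captured four-way handshake, and checks an EAPOL-Key MIC the way a decoder would. The password/SSID pair is the published IEEE 802.11i test vector; the MAC addresses, nonces and the message-2 frame skeleton are constructed for the example.

```python
import hashlib
import hmac

# Constructed inputs for this example (nothing here was captured from a real network).
PASSPHRASE = "password"            # IEEE 802.11i PSK test vector, together with SSID "IEEE"
SSID = "IEEE"
AP_MAC = bytes.fromhex("020000000001")   # hypothetical BSSID
STA_MAC = bytes.fromhex("020000000002")  # hypothetical client MAC
ANONCE = bytes(range(32))                # hypothetical AP nonce (handshake message 1)
SNONCE = bytes(range(32, 64))            # hypothetical client nonce (handshake message 2)
MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is all the 'password:ssid' string alone lets Wireshark compute, and it is
    the same for every client on the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 in counter mode, four 20-byte blocks cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    The nonces exist only in the captured handshake, so a pcap without it cannot be
    decrypted even with the right passphrase, and every reconnection yields a new PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[0:16],   # Key Confirmation Key: authenticates EAPOL-Key frames
            "kek": ptk[16:32],  # Key Encryption Key: wraps the group key in message 3
            "tk": ptk[32:48]}   # Temporal Key: the CCMP key that decrypts data frames


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2-PSK EAPOL-Key MIC: HMAC-SHA1 over the whole frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    """Recompute the MIC with the MIC field zeroed and compare in constant time.
    A passing check is the decoder's confirmation that password, SSID and nonces all match."""
    carried = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(kck, zeroed), carried)


def build_sample_message2(kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2: 802.1X header, 77 bytes of key-descriptor fields
    (type, key info, key length, replay counter, SNonce, IV, RSC, ID), MIC, key-data length."""
    header = b"\x02\x03\x00\x5f"  # version 2, type EAPOL-Key, body length 95
    fields = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + bytes(8)
              + SNONCE + bytes(16) + bytes(8) + bytes(8))
    assert len(fields) == 77
    unsigned = header + fields + bytes(16) + b"\x00\x00"
    mic = eapol_mic(kck, unsigned)
    return unsigned[:MIC_OFFSET] + mic + unsigned[MIC_OFFSET + 16:]


def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_sample_message2(ptk["kck"])
    tampered = bytearray(frame)
    tampered[20] ^= 0x01  # flip one bit inside the nonce field
    other_session = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, bytes(32))  # a different SNonce
    return {
        "pmk_hex": pmk.hex(),
        "mic_ok": verify_mic(ptk["kck"], frame),
        "tampered_ok": verify_mic(ptk["kck"], bytes(tampered)),
        "tk_changes_per_handshake": ptk["tk"] != other_session["tk"],
    }


if __name__ == "__main__":
    print(demo())
```

The last field of the result is the practical point of the post: the temporal key changes with every handshake, so frames captured before the handshake (or from a session whose handshake you missed) stay opaque even though the PMK never changed.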

1. Capturing Traffic in Linux

First, let’s capture some traffic (note, you may need to change “wlan1” to “wlan0” or whatever your adapter shows up as. To see a list of all wireless adapters, run “iwconfig”.) You’ll need to know which channel the desired AP is running on.

To discover this on 2.4 GHz networks, use

sudo airodump-ng wlan1

Or for 5 GHz networks, use

sudo airodump-ng -b a wlan1

(Note: not all traffic may be captured on 5 GHz with this method; I’m still working on this.)

(Note 2: If you’re doing this in Kali Linux, be sure to update your distro before proceeding or airodump-ng will likely fail:)

sudo apt update
sudo apt upgrade

Once you know which channel you need to use, run the following commands:

sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up
sudo iw dev wlan1 set channel 6 # (set the correct channel here)
sudo tcpdump -i wlan1 -w %Y-%m-%d_%H.%M.%S.pcap -G 3600

That last command will begin capturing traffic to a file with a filename of the current timestamp and will start a new .pcap file every 3600 seconds (1 hour). Capture as much traffic as you desire, and then press CTRL+C to stop the packet capture.

2. Capturing a Handshake

Be sure to capture a handshake for the device you wish to decrypt traffic for; the handshake will be required to decrypt the traffic for that device. If you can’t manually disconnect and reconnect a device, you can attempt to de-authenticate the device (or all devices) from the network in hopes that they will then reconnect.

To deauth a device, you’ll need to know the BSSID of your AP. To find the BSSID, run:

sudo airodump-ng wlan1

Once your AP has appeared, press CTRL+C to cancel.

Now, you can use the BSSID to deauth a device. To deauth a single device, run:

sudo aireplay-ng --deauth 2 -a [bssid] -c [mac address of device] wlan1

Or, to deauth ALL devices (you should probably be careful with this option), run:

sudo aireplay-ng -0 2 -a [bssid] wlan1

Now that you’ve caught some handshakes, we can start decrypting traffic. NOTE: Only traffic that was captured after the handshake can be decrypted.

3. Decrypting and Analyzing Traffic in Wireshark

To view the decrypted traffic in Wireshark:

  1. Open the pcap file in Wireshark
  2. Go to: Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys > Edit > New (+)
  3. Select key type: wpa-pwd
  4. Enter the key in the following format: password:ssid
  5. Click OK, then OK again. Wireshark will refresh the display with decrypted traffic. Set the display filter to “ip” to filter out all of the wireless noise.

Change Laptop Lid Action on Ubuntu 20.04 LTS

To change what closing the lid of your laptop does in Ubuntu 20.04 LTS:

sudo nano /etc/systemd/logind.conf

Change “HandleLidSwitch=” to one of the following options:

  • ignore: Do nothing
  • poweroff: Power off the computer
  • reboot: Reboot the computer
  • halt: Halt the computer (shut down, but keep power on)
  • kexec: directly boot into a new kernel
  • suspend: Suspend the computer
  • hibernate: Hibernate the computer
  • hybrid-sleep: Put the computer into hybrid-sleep
  • suspend-then-hibernate: Suspend the computer, and then hibernate
  • lock: all running sessions will be screen-locked

Note: If you just want to blank your screen, “lock” is the option you are looking for. (You’ll still have to unlock your screen.)
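On a stock install the line you are looking for is shipped commented out (the file documents its defaults as “#HandleLidSwitch=suspend”), so the edit is really “uncomment and change”. The following is an added helper, not from the original post, that performs that edit idempotently on the file’s text: it replaces a commented or live HandleLidSwitch= line in place, adds the key under [Login] if it is missing, and reads the effective value back. The sample configuration is constructed to resemble the shipped file.

```python
import re

# Constructed snippet resembling the shipped /etc/systemd/logind.conf: defaults are commented out.
DEFAULT_CONF = """\
[Login]
#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
"""


def set_logind_option(conf: str, key: str, value: str, section: str = "Login") -> str:
    """Return conf with key=value set: a '#key=...' default or an existing 'key=...'
    line is rewritten in place; otherwise the key is inserted under [section],
    creating the section header if the file lacks it."""
    lines = conf.splitlines()
    key_re = re.compile(rf"^\s*#?\s*{re.escape(key)}\s*=")  # matches the key only, not prefixes of other keys
    header = f"[{section}]"
    for i, line in enumerate(lines):
        if key_re.match(line):
            lines[i] = f"{key}={value}"
            return "\n".join(lines) + "\n"
    if header not in (l.strip() for l in lines):
        lines.append(header)
    idx = next(i for i, l in enumerate(lines) if l.strip() == header)
    lines.insert(idx + 1, f"{key}={value}")
    return "\n".join(lines) + "\n"


def get_logind_option(conf: str, key: str):
    """Return the uncommented value of key, or None when only a commented default exists."""
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith(f"{key}="):
            return s.split("=", 1)[1].strip()
    return None


if __name__ == "__main__":
    # Against the real file: read /etc/systemd/logind.conf, write the result back as root,
    # then restart systemd-logind as described below.
    new_conf = set_logind_option(DEFAULT_CONF, "HandleLidSwitch", "lock")
    print(new_conf)
    print("effective value:", get_logind_option(new_conf, "HandleLidSwitch"))
```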

When you’re done,

sudo systemctl restart systemd-logind.service

Note that the above line may kill your current GUI session. Try Ctrl+Alt+F3 to get back to your desktop.