This service provides the ability to visualize traffic using the protocols 802.11 b/g/n, partially supported 802.11ac/ah protocols. The service consists of 2 parts: collection and processing services and results visualization services. Parts are installed and working almost independently of each other.
It is possible to process information from .pcapng files collected by third-party utilities, such as tcpdump, wireshark or airodump-ng, as well as the ability to read directly from a network interface that is set to monitor mode.
-
Install python3 (
apt install python3 python3-pipon Ubuntu) -
Install scapy and requests libraries (
pip install scapy requests). TODO uselibpoco and libtinsand rewrite service on C++ to get more efficiency.
-
cd Collector
python3 collection_service.py [-h] [-i INTERFACE] [-f [FILE [FILE ...]]]
[-H HOST] [-c [CHANNEL [CHANNEL ...]]] [-v]
[-t TIMEOUT] [--iterations ITERATIONS] -u
USERNAME [-W WORKERS] -w WORKSPACE
optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --interface INTERFACE
interface to listen, mode must be set to monitor
manually
-f [FILE [FILE ...]], --file [FILE [FILE ...]]
path to input pcap or space separated list of pcaps to
parse and visualize
-H HOST, --host HOST host to send results, localhost is default, port may
be specified
-c [CHANNEL [CHANNEL ...]], --channel [CHANNEL [CHANNEL ...]]
channel or space separated list of channels to listen,
if not specified, current channel of interface will be
used
-v, --verbose show additional info in stdout
-t TIMEOUT, --timeout TIMEOUT
time to parse one channel
--iterations ITERATIONS
iterations over scanning channels, -1 means infinity
-u USERNAME, --username USERNAME
username to use in visualisation server
-W WORKERS, --workers WORKERS
num workers to process traffic, 1 is default
-w WORKSPACE, --workspace WORKSPACE
name of workspace to place results
-
python3 collection_service.py --host localhost:8080 --workers 4 -u admin --workspace test -f ~/dump/dump-01.capRead pcap file"~/dump/dump-01.cap"process them using 4 threads and send results to workspacetestin visualization service at localhost:8080. Login in visualization server isadminIf workspace exists, data will be added to them, else workspace will be created. User must have permissions to collect result via checking flagis_collectorin server admin panel -
python3 collection_service.py -H http://my_localhost -W 4 -u admin --workspace test --interface wlan0 --channel 1 2 3 4 --iterations 4 --timeout 2Scan channels 1, 2, 3, 4 via interfacewlan0and send result to visualisation server. Each channel is scanned for 2 seconds, the channels are replaced 4 times in a cycle. 4 threads will be created to process traffic. Root permissions may be required. Mode must be set to monitor manually(sudo iwconfig wlan0 mode Monitor). Visualization service will display results in real-time with ~5sec delay. -
python3 collection_service.py -H http://localhost:8080 -W 4 -u admin --workspace test --interface wlan0 --channel 1 2 3 4 --iterations -1 --timeout 2 -f ~/scripts/*Scan channels 1, 2, 3, 4 via interfacewlan0and send result to visualisation server. Each channel is scanned for 2 seconds, the channels are replaced infinitely in a cycle. At the same time process all files located in the~/scripts/directory. 4 threads will be created to process traffic. Root permissions may be required. Mode must be set to monitor manually(sudo iwconfig wlan0 mode Monitor). Visualization service will display results in real-time with ~5sec delay.
This service consists from two docker containers: api and database.
Api is web server written in python3 via flask framework and deployed under gunicorn.
Database is specially configured postgres database. Instructions how to connect your SQL database to service is below.
-
docker >= 18.0.0. The instructions are different for different operating systems and it is better to use the official documentation -
make(apt install makeon Ubuntu) -
docker-composesupporting your docker version. Instruction.
-
Set default admin password in file
docker-compose.ymlvia set environment variableADMIN_PASSWORDin api container. If environment isn't set, random secure password will be created and written into logs. -
Unset variable
LIMITED_DATABASE_URIif you want to block ability to execute sql from all users. Else you are able to configure./Docker/db_init.sqlto set or unset permissions for userdot11viewerin databasedot11monitor.
-
make buildordocker-compose build -
make upordocker-compose up, moreover you may run service as daemon viamake up-daemonordocker-compose up -d -
Connect to localhost to see result. User
adminwill be created, and password written into logs. It's strongly recommended to change this password via admin panel from web interface.
-
After start service will show you login and registration page. Here you should login as existing user (admin for example) or create new user.
-
Then you are coming to main page of app.
Here you can see main informaion about current session and permission of user.
User id- id of your user, it may be useful to communicate with admistrators to request permissionsUser login- username used to login, may be changed by adminsPermissions- your permissions, contact with users having administration privileges to change them.
-
After granting sufficient privilegies you will be see button in head of page
-
Monitor page
This page shows informaion from all collector over all time. In top of window you may change current workspace (testis now selected). Discovered wifi access point are represented as yellow circles and clients as blue. Blue edges means discoveres facts of data transmission between clients and it's width conected with amount of captered data. This page update graph in real time. If many collectors captured one packed of data information about intesivity of data transfers may be incorrect. But with of edges gives us main understanding about access points usage. Access points are connected with yellow dotted edge if they working as one infrestructure. -
Admin page
Access to this page grants you full permissions over server.
- You may edit all users information. To change some data edit values of some fields and press
Edit and savein line that you want to save. Fieldpassword hashrepresents pbkdf2 hashes like database, because it isn't secure to store password as plain text. But you can clear hash from field, enter new user password and save it. Hash will be computed and stored automatically. If you enter as password somithing likepbkdf2:.*, this value will be used as hash. it means, that new user passwords mustn't start with string "pbkdf2:" - You are able to see full collected database in other tabs of this page:
"Access points", "Clients", "Data transfers", "Authorisations" - In tab
"Authorisations"are stored best capturedEAPOL4-stage handshake result and number of tries from user to achieve that. Stage=2 and large Tries means troubles with authorisation or bruteforce attack to access points. Stage=4 and large Tries may indicate deauth attacks to clients. (Google: "dot 11 deauth attack", "wifi deauth")
- SQL Editor page
This page allow users to write custom sql requests to database. You are in read only mode, can't see private schames but have access to schemas pg_catalog, pg_tables and pg_tables. Moreover, users are able to execute functions (but not create them or use filesystem functions). It means, than malicious users CAN produce troubles like via high-load requests, for example. You shouldn't grant sql permission to users you do not grant.