As part of a recent collaboration between Pwnie Express and Splunk, Inc., we put together a simple “Pwnie-Splunk” dashboard showing a real-time stream of all wireless and Bluetooth devices detected by a Pwn Plug R2 on the RSA show floor.
To accomplish this, we cobbled together a few parsers for Airodump-NG and Bluelog output, which we then forwarded to the Splunk demo server via syslog.
The Bluelog parser is fairly simple. First, we launch Bluelog in daemon mode, recording Bluetooth device names and device types and logging all detected devices to a local log file on the Pwn Plug R2:
Next, we forward a real-time tail of this log to the Splunk server:
Ok, that was fairly painless. Parsing Airodump-NG output, on the other hand, was a bit of a challenge. Airodump-NG does export to CSV. However, the resulting CSV contains binary blobs, MS-DOS newline characters, two separate sections (each with its own header row) for wireless APs versus wireless clients, and the CSV file is entirely overwritten every 5 seconds while Airodump-NG is running. Also, Airodump-NG has no native support for backgrounding or daemonizing itself.
We thus first launch Airodump in a detached screen session:
Next, because Airodump overwrites the CSV every 5 seconds, we need to establish a way to track “already known” devices to avoid duplicate log entries for devices already discovered by the running Airodump session. To accomplish this, we first log the initial list of client devices and APs detected by Airodump:
The “tr” commands strip out the MS-DOS newlines and binary blobs. The first “awk” command then splits the wireless AP/client sections into a simple comma-separated list of each device type, then the second “awk” command organizes the output into the desired format for our syslog entries. The “tee” command writes the initial list of known APs/clients to a local file, and “logger” then forwards that same list to the Splunk server.
We now want to keep an eye on the Airodump CSV file and forward any newly detected APs/clients to Splunk. This is accomplished with the following while loop:
The “tr” and “awk” commands serve the same purpose as when we created the initial list of APs/clients above. With the addition of the “egrep” command, however, we can de-duplicate our results by excluding any “already known” AP/client devices from our output and then appending any newly detected devices to the original list.
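As an added example (not the post's own commands, which are not reproduced here), the following POSIX shell script implements both the initial-list pass and the de-duplicating loop described above; it assumes airodump-ng's CSV column layout (ESSID in column 14 of the AP section, associated BSSID in column 6 of the client section) and uses a constructed sample CSV rather than a live capture:

```shell
#!/bin/sh
# Added example, not the original post's code: turn an airodump-ng CSV into
# one syslog-style line per device and report only devices not yet seen.
# The sample CSV is constructed to mimic airodump-ng's layout (two sections,
# each with its own header row, CRLF line endings, a stray binary byte);
# column positions are assumed from airodump-ng's CSV export.

# Print one line per AP ("type=AP bssid=... essid=...") and per client
# ("type=CLIENT mac=... bssid=...") found in the CSV file given as $1.
parse_airodump() {
    # tr strips the MS-DOS CRs and any non-printable bytes; awk switches
    # section when it sees either header row and skips blank lines.
    tr -d '\r' < "$1" | tr -cd '[:print:]\n' | awk -F', *' '
        /^BSSID,/       { section = "ap";     next }
        /^Station MAC,/ { section = "client"; next }
        NF < 2          { next }
        section == "ap"     { printf "type=AP bssid=%s essid=%s\n", $1, $14 }
        section == "client" { printf "type=CLIENT mac=%s bssid=%s\n", $1, $6 }
    '
}

# Emit only devices absent from the known-devices file $2, and append them
# to it, so repeated runs over the rewritten CSV never re-log a device.
new_devices() {
    touch "$2"
    parse_airodump "$1" | grep -v -x -F -f "$2" | tee -a "$2"
}

# Poll the CSV the way the post's while loop does, forwarding via logger.
watch_airodump() {
    while sleep 5; do new_devices "$1" "$2" | logger -t airodump; done
}

# Constructed sample in airodump-ng's CSV layout, written to the file $1.
write_sample_csv() {
    printf '%s\r\n' \
        '' \
        'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key' \
        '00:11:22:33:44:55, 2014-02-24 10:00:00, 2014-02-24 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  100,  0,  0.  0.  0.  0,  9, Booth-Net, ' \
        "66:77:88:99:AA:BB, 2014-02-24 10:01:00, 2014-02-24 10:05:00, 11,  54, OPN, , , -62,   40,  0,  0.  0.  0.  0,  8, $(printf 'Guest\001Net'), " \
        '' \
        'Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs' \
        'AA:BB:CC:DD:EE:FF, 2014-02-24 10:00:01, 2014-02-24 10:05:00, -50,  20, 00:11:22:33:44:55, Booth-Net' \
        > "$1"
}
```

The `-x -F` flags make the known-device exclusion an exact, literal whole-line match, which avoids the partial-match and regex-metacharacter pitfalls of a bare egrep pattern file.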
Running this demo live at both the Splunk and Pwnie booths made one thing quite clear: it’s 2014, and most security conference attendees still do not disable the Wi-Fi or Bluetooth functions of their mobile devices while on the conference floor. Within 10 minutes of launching the demo, over 1000 mobile devices appeared on our Pwnie-Splunk dashboard.
Yikes.