IOActive / laf

This project intends to provide a series of tools to craft, parse, send, analyze and crack a set of LoRaWAN packets in order to audit or pentest the security of a LoraWAN infrastructure.
BSD 3-Clause "New" or "Revised" License

UdpProxy not capturing any packets #12

Closed. caueb closed this issue 3 years ago.

caueb commented 3 years ago

Hi, I'm trying to capture and parse the packets passing through my gateway using the UdpProxy; however, it is not capturing any packets: no Join-Request, nothing.

I followed the installation instructions provided in the repository and was trying to replicate the video demonstration on Matias Sequeira's YouTube channel.

My environment: Raspberry Pi 3 B + RAK2245 LoRa module (I'm running the gateway using the vendor's firmware on port 1700).

cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian

My steps: Followed the installation instructions on Github.

Tried the following, from /laf/tools:

python3 UdpProxy.py --port 1700 --dst-ip 127.0.0.1 --dst-port 1701

tcpdump shows traffic on wlan0 port 1700 but not on localhost.

Maybe I'm missing something?
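Added example, not code from this thread or from the laf project: a minimal stand-in for the proxy in plain Python. It binds the port that the gateway's packet forwarder is configured to send to, relays every datagram to the real network server and the replies back to the gateway, and prints the cleartext fields of every Semtech PUSH_DATA / PULL_RESP frame it relays, so a Join-Request (DevEUI, JoinEUI, DevNonce) is visible without any keys. It only sees traffic if it runs on the host the packet forwarder's server address points at; the forwarder never sends to the gateway's own loopback, which is what the wlan0-versus-localhost tcpdump result above reflects. The command-line arguments, the gateway EUI, DevEUI, JoinEUI, DevNonce and MIC in the sample frame are all made up, and the sample PUSH_DATA is constructed inside the block rather than captured.

```python
import base64
import json
import socket
import struct
import sys

# Semtech UDP packet-forwarder identifiers (protocol v2, byte 3 of each datagram).
IDENTIFIERS = {0x00: "PUSH_DATA", 0x01: "PUSH_ACK", 0x02: "PULL_DATA",
               0x03: "PULL_RESP", 0x04: "PULL_ACK", 0x05: "TX_ACK"}
# LoRaWAN MHDR MType values (bits 7..5 of the first PHYPayload byte).
MTYPES = ["Join-Request", "Join-Accept", "Unconfirmed Data Up", "Unconfirmed Data Down",
          "Confirmed Data Up", "Confirmed Data Down", "RFU", "Proprietary"]


def summarize_phypayload(phy: bytes) -> dict:
    """Decode the cleartext fields of a LoRaWAN PHYPayload; none of them needs a key."""
    if len(phy) < 5:
        raise ValueError("PHYPayload too short")
    mtype = phy[0] >> 5
    out = {"mtype": MTYPES[mtype], "major": phy[0] & 0x03, "mic": phy[-4:].hex()}
    if mtype == 0:
        # Join-Request: MHDR | JoinEUI(8) | DevEUI(8) | DevNonce(2) | MIC(4) = 23 bytes.
        if len(phy) != 23:
            raise ValueError("Join-Request must be 23 bytes")
        # EUIs and DevNonce are little-endian on the air; show them big-endian as on labels.
        out["join_eui"] = phy[1:9][::-1].hex().upper()
        out["dev_eui"] = phy[9:17][::-1].hex().upper()
        out["dev_nonce"] = struct.unpack("<H", phy[17:19])[0]
    elif mtype in (2, 3, 4, 5):
        # Data: MHDR | DevAddr(4) | FCtrl | FCnt(2) | FOpts(0..15) | [FPort | FRMPayload] | MIC(4).
        if len(phy) < 12:
            raise ValueError("data message too short")
        fctrl = phy[5]
        out["dev_addr"] = phy[1:5][::-1].hex().upper()
        out["adr"] = bool(fctrl & 0x80)
        out["fcnt"] = struct.unpack("<H", phy[6:8])[0]
        body = phy[8 + (fctrl & 0x0F):-4]  # skip FOpts, strip MIC
        out["fport"] = body[0] if body else None
        out["frm_payload_len"] = max(len(body) - 1, 0)  # payload stays encrypted without the session keys
    return out


def parse_semtech_frame(datagram: bytes) -> dict:
    """Split a packet-forwarder datagram into its header and any PHYPayloads it carries."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a Semtech header")
    ident = datagram[3]
    frame = {"version": datagram[0], "token": datagram[1:3].hex(),
             "identifier": IDENTIFIERS.get(ident, f"UNKNOWN_{ident:#04x}"), "packets": []}
    if ident in (0x00, 0x02, 0x05):  # PUSH_DATA, PULL_DATA, TX_ACK carry the gateway EUI
        frame["gateway_eui"] = datagram[4:12].hex().upper()
        body = datagram[12:]
    else:
        body = datagram[4:]
    if ident in (0x00, 0x03, 0x05) and body:  # only these may carry a JSON object
        obj = json.loads(body.decode("utf-8"))
        for pkt in obj.get("rxpk", []) + ([obj["txpk"]] if "txpk" in obj else []):
            phy = base64.b64decode(pkt["data"])
            frame["packets"].append({"freq": pkt.get("freq"), "datr": pkt.get("datr"),
                                     **summarize_phypayload(phy)})
    return frame


def run_proxy(listen_port: int, dst_host: str, dst_port: int) -> None:
    """Relay gateway <-> network server unchanged and print a summary of every datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    upstream = (socket.gethostbyname(dst_host), dst_port)
    gateway = None  # learned from the first datagram that is not from the server
    while True:
        data, src = sock.recvfrom(65535)
        if src == upstream:
            if gateway is None:
                continue  # no gateway to forward downstream traffic to yet
            sock.sendto(data, gateway)
            direction = "down"
        else:
            gateway = src
            sock.sendto(data, upstream)
            direction = "up"
        try:
            print(direction, json.dumps(parse_semtech_frame(data)))
        except (ValueError, KeyError, UnicodeDecodeError) as exc:  # json/base64 errors are ValueErrors
            print(direction, "unparsed:", exc, data[:16].hex())


def build_sample_push_data() -> bytes:
    """Constructed sample: one PUSH_DATA carrying a Join-Request (all values made up, not captured)."""
    phy = (b"\x00" + bytes.fromhex("70B3D57ED0000001")[::-1] + bytes.fromhex("0004A30B001C2D3E")[::-1]
           + struct.pack("<H", 0x1A2B) + bytes.fromhex("DEADBEEF"))  # MIC is a placeholder, no AppKey here
    rxpk = {"rxpk": [{"tmst": 123456, "chan": 0, "rfch": 0, "freq": 868.1, "stat": 1, "modu": "LORA",
                      "datr": "SF7BW125", "codr": "4/5", "rssi": -45, "lsnr": 7.5, "size": len(phy),
                      "data": base64.b64encode(phy).decode()}]}
    return bytes([0x02, 0x12, 0x34, 0x00]) + bytes.fromhex("B827EBFFFE123456") + json.dumps(rxpk).encode()


if __name__ == "__main__":
    if len(sys.argv) == 4:  # e.g. python3 proxy.py 1700 eu1.cloud.thethings.network 1700
        run_proxy(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]))
    else:
        print(json.dumps(parse_semtech_frame(build_sample_push_data()), indent=2))
```

Point the gateway's packet forwarder at the host running this script and give the script the real network server as destination; the single socket means the server sees the proxy's port as the gateway and its PUSH_ACK / PULL_ACK / PULL_RESP replies are relayed back, so the gateway keeps operating normally while you watch the traffic.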

matiassequeira commented 3 years ago

Hi,

I assume you're trying to run the proxy on the gateway (the downside of this is that you wouldn't be able to compile the Golang library and thus not parse the packets). I recommend using it on 64-bit Linux. A few things to double-check:

I've just pushed some fixes and updated the master branch. Let me know how it goes, and/or tell me a little bit more about your setup: where are you running the proxy, where's your network server, etc.

caueb commented 3 years ago

Yes, I was trying to run LAF from the gateway (Raspberry Pi). Sorry, my bad, I thought it was the way to go. After changing the gateway configuration to send data to my host computer instead of the server (TTN), and cloning the repository again, it is working perfectly! Thank you so much! I really appreciate the quick and precise reply. Issue solved, I will close the thread.

matiassequeira commented 3 years ago

@caueb just wondering, are you trying to use the defensive part of the framework? If so, you might want to check this open-source project that initially derived from this framework: https://github.com/Argeniss-Software/rolaguard. It's a management platform aimed at "Operations, Cybersecurity & Compliance" of LoRaWAN networks.

Otherwise, I would love to hear what use you intend to give it!

caueb commented 3 years ago

Hi @matiassequeira, I'm doing a final project for my master's in cybersecurity investigating LoRaWAN vulnerabilities. We assembled a testbed to test different settings. The testbed is composed of:

1 gateway = RPi3 + Dragino LoRa HAT (single channel)
1 gateway = RPi4 + RAK2245 (8 channels)
1 end-device = Arduino Uno + Dragino LoRa Shield
1 SDR RTL2832U to sniff packets using GNU Radio
1 HackRF One to sniff packets using GNU Radio and test a jamming attack

The initial goal was to test attacks on LoRaWAN v1.1 using the SDR. So far I could only run the end-device with the LoRaWAN v1.0.3 specification, ABP and OTAA; it seems that there is a limitation of the hardware and libraries available for it. It would be great to check this open-source project for the defensive side; however, since the project ends in 1 or 2 more weeks I think there is not much time. We were focusing on the offensive side, but if we have more time I will definitely give it a go. Thanks for the suggestion!

matiassequeira commented 3 years ago

That's cool! How far have you gotten with the SDR? We have a pending project which is to create a full SDR library that could sniff / inject packets using an SDR. We have pretty deep LoRaWAN knowledge, but didn't have too much time to delve into the SDR world, so if you feel comfortable building SDR libraries let me know and we can figure something out!

On Tue., Oct. 27, 2020 at 03:47, Caue Borella (notifications@github.com) wrote:

caueb commented 3 years ago

I'm still doing some tests with the SDRs. Using GNU Radio and gr-lora it was possible to capture and decode uplink messages and Join-Requests on 8 channels simultaneously with the HackRF. I was also able to decrypt the messages using a similar technique to the one you presented in the conferences. There is still so much to test but not much time now. Regarding your project, I would be very happy to get involved. Although my background is not in coding and programming, I'm starting to build a lot of knowledge in LoRaWAN and maybe I could contribute somehow.