Monday, October 30, 2017

SANS 504, Splunk .conf2017 and the White Rabbit

While attending SANS 504 in Mesa, AZ in October, we had rogue access point hunting activity where the instructor had someone hide an access point in the hotel and we had to go out and find it.

It was a lot of fun, but I thought there could be a better way to do this.  One of the drawbacks to the approach was that a standard wireless access point needs to be attached to power.  This meant that, in all likelihood, we just had to walk around where the area was strongest and look at all the power receptacles.

Additionally, because the AP was quite large, there were limited choices for hiding spots.

I like a challenge, and I thought "what do I think would make a fun and challenging rogue access point activity?"

1) the AP needs to be small and capable of hiding anywhere
2) the AP needs to be battery powered
3) the AP should require you to interrogate it over the network to get the prize
4) the prize should only be unlocked by some physical interaction with the AP

My first attempt was to use a WeMos D1 mini, a nifty little ESP8266 board that I had lying around:


I decided to call it the "White Rabbit", hereafter to be referred to simply as "the rabbit".

This worked! I had the code configured the rabbit to present itself as an AP.   A user could connect to the rabbit, and once connected it would hand out an IP via DHCP.  The rabbit itself would pick a random IP address on the subnet, so the user would then have to nmap scan the network for other hosts to find the rabbit.

Once the rabbit is found, there is a service running on it (on a random TCP port) requiring the user to use nmap to scan the rabbit to find the port for the service.

Once the TCP port is found, a user can connect to the port, and the rabbit will spit out instructions.  By default it will say the prize is not yet activated.

The user has to locate the rabbit, and push the button.  After the button is pushed, the rabbit opens another service on a random UDP port, connecting to the port will now tell the user how to get the prize, via UDP connection to another random port.

When data is sent to that random UDP port, it will respond with the "phrase that pays" and then close the service on the UDP port and put the rabbit back in the deactivated state for others to find.

This was great!  But I still needed a tidy enclosure and battery.

Then it hit me.  In September I was at Splunk .conf2017 in Washington D.C..  They had an area called the "Science Sandbox".  This was, to me at least, the coolest part of the vendor area.  There was a guy there from Splunk that had 3d printed fidget spinners with built in wifi enabled microcontrollers.  The intention being that you could spin the spinners and they would report the number of spins to a splunk server in the cloud.  I was given one of these spiffy spinners, which happens to be based on the Huzzah feather board from Adafruit (buy one here)  This board shares the same basic architecture as the WeMos D1 mini I had used in my prototype.  So I got to hacking it.  As luck would have it, the code was pretty much drop-in compatible with the fidget spinner, and in fact the sensor on the spinner used the same port on the ESP8266 that my button on my prototype did.

Now I have a portable, small, battery powered rabbit that I can hide anywhere and requires physical manipulation to unlock the prize.

Works great and I just need to now find a collection of fellow nerds that want to do a hunt to try it out :).

-G
Posted by at No comments:

Friday, October 12, 2012

Motion Sensing Fog Machine Trigger

For halloween I always use a fog machine on my porch, however it's a pain to have to turn it on at just the right time. I decided to make a motion sensing trigger.

I started by taking apart the control box that came with the fog machine.  On the outside it looks like this:

It has a light that comes on when the fog machine is heated up, as well as a switch that turns on the pump for the fog.

The connector for the fog machine looks like this:
It's a typical IEC320C13 connector

The inside is pretty straightforward, the white and green wires attach to the light, and the green (really red, but it is connected to the green) and black connect to the switch 


I measured the voltage at the switch and the light when they were activated and found that they were mains AC 120v in both cases.

The basic design I came up with was to use a microcontroller, powered somehow off the power at the light, that way when the fog machine was ready it would turn the microcontroller on and it could control the fog machine using a relay attached to the green and black wires.

Since I didn't want to destroy my stock fog machine controller, I bought an extension cord from amazon (http://www.amazon.com/gp/product/B000067RRX).  After cutting the extension cord open I found that the black and white wires were swapped with respect to the pins on the IEC connector compared to the stock controller.

I found an old 5v cell phone charger adapter, and soldered the black and green lines to it, this would power the microcontroller when the fog machine was sending the signal that the heater in the fog machine was ready.

The green and white lines were then wired into the relay. I used a relay board from SparkFun (https://www.sparkfun.com/products/10733) that was donated by a friend.  I know the SparkFun site says to not use this board, but I decided I'd go for it anyway ;)


For a controller, I used an Atmel attiny85 I had lying around. The program was simple. I added a capacitor for power conditioning and an LED to indicate when the controller was in the "armed" state, ready to trigger fog at the next motion detected.  This controller is connected to the relay board on the right in the picture below.


Attached to the attiny85 is a Parallax PIR sensor that I bought at Fry's electronics in Plano, TX last thanksgiving, why the heck aren't there Fry's electronics stores in Utah?

Here's the finished assembly, this will all be stuffed in a fairly small project enclosure box.



In the end it works perfectly, the program is written to activate the fog for 5 seconds when it detects motion, then wait until it hasn't seen motion for 10 seconds before re-arming, and then triggering again on the next motion detected, etc.  Here is a demo of it in operation, you can see the LED light up when the controller is armed.  You can also see the project box that will be the controller's final home.


Here's the code for the attiny85:
#include <avr/io.h>
#include <avr/interrupt.h>
#include <util/delay.h>

#ifndef F_CPU
    #define F_CPU 16000000UL
#endif

//Hardware definitions

#define LED1  PB1
#define FOG   PB0
#define LED2  PB2
#define OUTPUT_LEDS    ((1 << LED1) | (1 << LED2) | (1 << FOG))

#define MOTION  PB4
#define INPUT_LEDS (1<<MOTION)
//DEADPERIOD * DELAY = delay in MS the motion sensor has to be quiet before rearming
#define DEADPERIOD 100
#define DELAY 100
//Time in seconds to activate the fog
#define FOGTIME 5

volatile unsigned char armed = 0;
volatile unsigned char tripped = 1;
volatile int count = 0;

unsigned char readPin(int pin) {
 unsigned char i = PINB;
 i>>=pin;
 return i&1;
}

void writePin(int pin, unsigned char value) {
 if (value > 0) {
  PORTB |= (1<<pin);
 } else {
  PORTB &= ~(1<<pin);
 }
}

void fog() {
 writePin(FOG,1);
 _delay_ms(1000*FOGTIME);
 writePin(FOG,0);
}

void setup() {
 DDRB = OUTPUT_LEDS;
 PORTB &= ~OUTPUT_LEDS;
 while(readPin(MOTION)==1){}
}

void loop() {
 writePin(LED1,armed);

 if (armed && readPin(MOTION)) {
     fog();
     tripped = 1;
     armed = 0;
     count = DEADPERIOD;
   } else if (tripped && (count > 0)) {
  if (readPin(MOTION)) { // repeat trigger, reset count
       count = DEADPERIOD;
  }
  count--;
 } else if ((tripped) && (count == 0)) {
      armed = 1;
      tripped = 0;
 }
 _delay_ms(DELAY);
}


int main(void){
 setup();
 
 for (;;) {
 loop();
 }

 return 0;
}



Posted by at 16 comments:
Subscribe to: Posts (Atom)