Featured - The Ultimate Wifi Stealing Setup | Squat the Planet

Featured The Ultimate Wifi Stealing Setup

autumn

Lurker
Joined
Jan 14, 2014
Messages
670
Reaction score
1,123
Location
Slab City
With my departure date from Nowhere, Appalachia rapidly approaching, I decided it would be a good idea to make sure I can always have internet access in my RV. I will cover the system setup from start to finish. I'm assuming that you have basic technical competence here, including basic Linux competence.

What it does


You are sitting in your RV/van/whatever. You have a local wifi network named 'Jupiter.' When you connect to it, you almost always have access to the internet. Under the hood, a microcontroller is continuously searching for and connecting to any open access points within range of your extremely powerful antenna, then bridging that connection through it's own AP. It can connect to any open AP within 200-2,750 ft depending on the terrain.

There is a network drive on the local wifi network that always has the latest episodes of TV shows, movies, games, and whatever else you want. Under the hood, the media server is leveraging it's constant connection to torrent whatever you need.

Important notes:
  • This setup has a total power of 60dBm, which is roughly 225x more powerful than ALFA RV repeater bundles
  • This is completely illegal. The setup FAR exceeds FCC regulations for maximum ERP (36dBm), almost 100 times over. But who gives a shit?
  • The amplifier will flood the licensed spectrum @ 1.7ghz. If you park near a runway you will interfere with aircraft navigation systems. So don't do that.
  • Power consumption should be no more than 17.5W AC. If your inverter has 90% efficiency this is 19.25W DC. I'll save you the math, if you're running it 24/7 this is 462Wh per day.
What you need

Raspberry Pi

You need a Raspberry Pi. It's essentially a teeny tiny computer that is usually used for robotics. I recommend this kit for getting started easily.

You will need an SD card to go with it, I got this one. If you don't have an SD slot on your computer, you will also need a USB->SD adapter.

If you're on Windows, you will need an extra HDMI cable, display, and keyboard laying around to configure the Pi's wifi connection before you can SSH into the Pi over WLAN. If you're on Linux, you can do this by editing the root partition directly (reason being the filesystem is ext4, which linux can read and Windows can't)

Note to those who would buy a cheap chinese SD card:
Everyone likes to save money. I've been a techno-nerd for a very long time, please just believe me when I say that you should not buy a cheapo $5 Chinese SD card. It will fail in a couple of weeks at best, if it was even a real SD card when you got it - and if it was, it's probably 1GB instead of 32.


Antenna

There are two types of antennas: directional and omnidirectional. An omnidirectional antenna is what you are already using with all of your electronics. It can pickup RF from a 360* radius on it's vertical plane. These are not ideal for this application, but they are easier to use as they don't require aiming the antenna.

Nerd info:
Something interesting to note here: in practice, a directional antenna functions as a wide-beam attenuator, narrow-beam antenna. As you step up the dBi of the directional antenna, the precision required for aiming the antenna increases (how much varies based on design.) In terms of real-world application, the inverse is true for omnidirectional antennas: they become less accurate; the higher you go, the tighter the vertical plane. When you get a bigass omnidirectional antenna, it is wholly possible that you will have poor signal reception due to a difference of less than 20ft in elevation at a distance of 100ft. For this reason omni antennas are not good for long-distance applications.

Simply:
An omnidirectional antenna will be much more expensive and significantly hurt your range and ability to connect to wifi networks based on geography. I don't recommend it. However, it will make this setup fully automated as-is, with no antenna-aiming required.

I would recommend two directional antennas
If you absolutely must because you're a total lazy-ass (read: like me), I would get this omnidirectional antenna: 12dBi TP-Link Omni Antenna - $40 - It's worth noting that their 15dBi model is only $10 more, but is known to have significant QC issues compared to the 12dBi antenna. The 15dBi one is not worth $50.

Warning: You will get fucked if you buy a cheap antenna from China. Antennas are very sensitive and require good QC. Chinese products have no/very little QC which is part of why they're so cheap.

2.4ghz Amplifier

You will need a 2.4ghz amplifier. This is where the licensed spectrum flooding comes from. It's a cheap-ass made in china amplifier - it says that it's FCC approved but it is absolutely not. However, it does actually amplify it's transmission circuit to 36dBm (4 watts) which is all that we need it to do:

2.4Ghz 4W 802.11 Signal Extender

Wifi Card


You will need an extra wifi card.

Note: If you have anything other than the Raspberry Pi 3 which I linked above (Zero, 2, model A, whatever) you will need TWO wifi cards, one of which must support AP mode. That's because we're using the Pi 3's onboard wifi chipset for the access point.

Go ahead and pickup the ALFA 036H - $32 - this is what I have and it works for our purposes. You might be able to get something that's decent cheaper, just make sure that it supports monitor mode

Optional


I am going to update this later when I have my system fully setup. For those who are interested, I will be using a DC stepper motor and an L298N motor controller to rotate the directional antenna. It will be controlled by the software that finds the wifi networks. This will elevate the entire system to complete automation w/ the directional antenna. I will do a full write-up when I'm done with that.

Setting everything up


Antenna, amplifier, pi, cards

Plug your ALFA into one of the Raspberry Pi's USB ports. Unscrew the antenna that comes on the ALFA (if it's screwed on), and screw on the connecting cable from the amplifier. Pay special attention to the stickers on the bottom of the amplifier which say "to router" - that's the side you want to screw it into. The Raspberry Pi is your "router". Screw your antenna into the opposite side of the amplifier.

So it should go like this: Pi->Alfa->Amplifier->Antenna

The amplifier comes with a 110V plug because it requires it's own power source.

Plug your SD card into your computer. Using Etcher if you're on Windows or `dd` if you're on Linux, flash the latest Raspbian Lite image to the SD card. On the boot partition (/boot), create an empty file named 'ssh' with no file extension.


If you're on Linux, you can skip all of this and configure the image directly then SSH into the pi over wifi by adding the appropriate information to /etc/network/interfaces & /etc/wpa_supplicant/wpa_supplicant.conf

After you've flashed the sd card, put it in the Pi. Plug your monitor and keyboard into the Pi. Plug the amplifier in. Plug your Raspberry Pi in. When the Raspberry Pi boots up, you should be greeted by a CLI login prompt, familiar to any linux user. Enter the username 'pi', and the password 'raspberry'.

First, change the 'pi' user's password with:

passwd

Then, run:
sudo raspi-config

Change your keyboard layout etc from GB to US.

First changes that need to be made:

If you are on a passworded network: using nano, edit the /etc/wpa_supplicant/wpa_supplicant.conf file, and add the following to the bottom:
network={
ssid="YOUR-WIFI-SSID-HERE"
psk="YOUR-WIFI-PASSWORD-HERE"
}
Then type:

sudo wpa_supplicant -i wlan1 -c /etc/wpa_supplicant/wpa_supplicant.conf

If you are on an open wifi network, instead simply type:

sudo killall wpa_supplicant
sudo iwconfig wlan1 essid YOUR-WIFI-SSID


Now you can SSH into the Pi on your local wifi network. For Windows, use PuTTY. You can find the Pi's IP either through your router's DHCP table or by using nmap and finding the MAC address that matches the vendor "Raspberry Pi Foundation"

Automatic Setup
Here is a script I threw together that should setup everything automatically. After you setup your wifi connection, it will setup everything except Deluge. If you want to go that route, enter the following commands:

sudo wget pastebin.com/raw/dYj93CsV -O /root/setup.sh
cd /root && chmod +x setup.sh && sudo ./setup.sh


If that causes you any issues, move onto the manual setup. Otherwise, skip down to Deluge

Manual Setup

You need to install a few packages:

sudo apt-get install hostapd hostapd-utils dnsmasq rfkill python-pip

Then we're going to configure hostapd. By default, it starts via init.d, which is not functional. To begin with, we must remove it from rc.d, and delete the if-pre-up.d symlink:

sudo update-rc.d hostapd remove && sudo rm /etc/if-pre-up.d/hostapd

Next, we're going to go to our /etc/network/interfaces file and make the the following modifications. Delete everything in the file and replace it with this:

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet static
post-up sudo sh ~/wlan0-downup.sh > /var/log/wlan0-downup
post-up sudo hostapd -f /var/log/hostapd -B /etc/hostapd/hostapd.conf
post-up sudo service dnsmasq restart
address 192.168.42.1
netmask 255.255.255.0

auto wlan1
allow-hotplug wlan1
iface wlan1 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Next, do the following:

touch ~/wlan0-downup.sh
echo "sudo ifconfig wlan0 down" >> ~/wlan0-downup.sh
echo "sudo ifconfig wlan0 up" >> ~/wlan0-downup.sh


I'm not really sure why but for hostapd to work correctly the interface needs to be brought down and back up before hostapd is started. This is triggered by post-up in our interfaces file, then it will start hostapd.

In /etc/default/hostapd find the line:
DAEMON_CONF=

and replace it with:

DAEMON_CONF="/etc/hostapd/hostapd.conf"


/etc/hostapd/hostapd.conf should contain only the following:
interface=wlan0
ssid=Jupiter
channel=1

Add the following to the very bottom of /etc/dnsmasq.conf:

interface=wlan0
bind-interfaces
domain-needed
bogus-priv
dhcp-range=192.168.42.5,192.168.42.254,255.255.255.0,12h
dhcp-option=252,"\n"

Add the following to the very bottom of /etc/dhcpcd.conf:

denyinterfaces wlan0

We need this so that dnsmasq and dhcpcd don't fight with each other.

Last commands:
sudo iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
sudo iptables -A FORWARD -i wlan1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o wlan1 -j ACCEPT

This will properly forward all traffic between wlan0 and wlan1. Important for captive portal hotspots. Save this config with:

iptables save

Now run:

sudo reboot

And when the raspberry pi comes back up, you should see a new wifi hotspot - Jupiter. Connect to it, and ssh into it from your computer. The local IP of the Pi will be 192.168.42.1. It should already be connected to your local wifi network via the wlan1 interface, eg. you should have internet access already when you connect to the Pi's AP on your computer.

That's all there is to it. You've fully setup everything on the hardware side of things. Now onto the software.

Setting up my software

Run the following commands:

sudo pip install wifi
sudo pip install wireless
mkdir ~/jupiter && cd ~/jupiter
wget http://paste.debian.net/download/929417/ -O jupiter.py
wget http://paste.debian.net/download/929416/ -O jupiter.sh
chmod +x jupiter.py && chmod +x jupiter.sh
sudo echo "* * * * * root /home/pi/jupiter/jupiter.sh > /dev/null" >> /etc/crontab


That's it! All done. Your Pi will now start regularly (every minute) checking your current connection, signal strength, and availably nearby APs.

Setting up the media server

You must be connected to the Pi's wifi network. SSH into the Pi and we'll be good to go.


Run the following command:

sudo apt-get install samba

When it finishes, you have to setup a username/password for it:

sudo smbpasswd -a pi

It will prompt you to enter the password (quirk of linux security: it will not display stars or anything at all, but the password is being entered)

Now we need to create our storage folder with the appropriate permissions:

sudo mkdir /samba
sudo chown pi /samba
sudo chown :pi /samba


Note: If you have an external HDD/SDD you would like to use for additional storage, you can mount it to /samba and make that alteration permanent by adding the mount to /etc/fstab - if anyone needs clarification let me know

Now we have to edit the samba.conf file:

sudo nano /etc/samba/smb.conf

Go all the way to the bottom and add:

[data]
path=/samba
valid users=pi
read only=no
browseable=yes

Now that we've got it all setup, we must restart the service:

sudo service smbd restart

In windows, we can automatically locate the network share by enabling network discovery:
View attachment 36690

After you give it a moment, you can open your file explorer and navigate to the 'Network' tab, where you will find '<HOSTNAME>' (mine is bandit, the default is Raspberry):
View attachment 36691

Note: If you would like to change your pi's hostname, just run raspi-config again and find the option for setting the hostname, then reboot the pi with `sudo reboot`

In linux the network share will be found via smb://192.168.42.1/samba

Setting up Deluge

Now we need to setup the torrent client. This will allow us to automatically download new episodes of TV shows to our network share. Begin by installing deluge's daemon and web UI:


sudo apt-get install deluged deluge-web deluge-console


Now we will temporarily start the daemon so that it creates all of the config files. Run:

deluged

Then:

killall deluged

Now we need to add a username/password to the deluged client. This won't be used necessarily but it's good to have on hand in case you ever decide to use the straight GUI version instead of the Web UI. Replace the italics:

echo "USERNAME:PASSWORD:10" >> ~/.config/deluge/auth

Copy this to a new file, /etc/default/deluge-daemon:
DELUGED_USER="debian-deluged"
RUN_AT_STARTUP="YES"

Then, run these commands:

sudo update-rc.d deluged remove
wget pastebin.com/raw/gE7aBM8n -O /etc/init.d/deluge-daemon
sudo chmod 755 /etc/init.d/deluge-daemon


Now run the following commands:

sudo update-rc.d deluge-daemon defaults
sudo invoke-rc.d deluge-daemon start


You can verify that deluged has started by typing:

ps -ef | grep deluged

You should see something very close to this (the first one is the important one, the second is just our currently running grep command):

debian-+ 1182 1 17 04:55 ? 00:00:01 /usr/bin/python /usr/bin/deluge -d
pi 1200 943 0 04:55 pts/0 00:00:00 grep --color=auto deluged

If you're on Windows, open a command prompt as administrator. Hit your Windows key, type 'cmd', right click on 'Command Prompt' and select 'Run as Administrator'

Now type the following in your Windows command prompt. Change "torrent.bandit" to whatever you want - this is the address that will be redirecting you to your torrent client (ie. "http://torrent.bandit" instead of "http://192.168.42.1:8112"):

echo "127.21.21.3 torrent.bandit" >> C:\windows\system32\drivers\etc\hosts
netsh int ipv4 install
netsh int ipv6 install
netsh interface portproxy add v4tov4 listenport=80 listenaddress=127.21.21.3 connectport=8112 connectaddress=192.168.42.1


Restart your Windows computer. When you open a browser and type "torrent.bandit" in the address bar, it should redirect you to your Deluge Web UI:

View attachment 36692

You will be prompted for a password, enter 'deluge'. You will be prompted to change your password. Select yes. Enter your new password twice in the settings window, then hit the 'change' button beneath it.

If your browser is annoying you about SSL, we can fix that quickly. Let's create a self signed certificate. Run the following command:

openssl req -x509 -newkey rsa:2048 -keyout ~/.config/deluge/ssl/deluge.key.pem -out ~/.config/deluge/ssl/deluge.cert.pem

You will be prompted to enter a bunch of crap. Type anything twice for the password, then keep hitting enter until it's done:

View attachment 36693

If you refresh your deluge page, you will now find that the SSL annoyance has gone away.

Todo: RSS feeds in Deluge. I'm struggling to get FlexGet working properly.
 
Last edited by a moderator:

Matt Derrick

Retired Wanderer
Staff member
Joined
Aug 4, 2006
Messages
10,542
Reaction score
13,815
Location
Portland, OR
Website
youtube.com
epic man, i've always wanted to get a setup like this going. once you finish out the article, i think this would make a great featured thread!
 
  • Like
Reactions: Cornelius Vango

autumn

Lurker
Joined
Jan 14, 2014
Messages
670
Reaction score
1,123
Location
Slab City
epic man, i've always wanted to get a setup like this going. once you finish out the article, i think this would make a great featured thread!

Aw thanks buddy :) It's all done for now. Just need to get RSS feeds working w/ FlexGet.

Next thing to add is gaining access to passworded networks. Cracking WPA2 is an expensive pain in the ass, so instead, if the python program is unable to find an open network, and a passworded one is in range, it will DoS them off their own network, force them to connect to a mirrored AP (our wlan1), then serve them a page asking for their wifi password, under the guise of a router problem or something.
 
Last edited:

autumn

Lurker
Joined
Jan 14, 2014
Messages
670
Reaction score
1,123
Location
Slab City
i am interested to see this working. I looked up the antenna and found this video.

so this will be on the roof of your toyota?


That just depends on how much money I'm left with when I'm done with the engine. I might have to go with a cheaper antenna. The problem is that with the parabola, I would need two stepper motors - one at about 2.5Nm of torque, the other at 8Nm. It has to be really slow for scanning, but it does need to eventually decide which network to be on; a 180* turn on the horizontal axis with cheaper/shitty motors at 0.2nm / 0.1cm/s2 would take a while... too long for my impatient ass. And a stepper motor with >=8Nm of torque is really expensive, probably over $100.

Meanwhile, the yagi needs a modest 1.2Nm of torque. The stepper for that would probably be about $30 instead. I could go without a dual-axis design there, since the yagi has 35* on it's vertical plane.
 

Matt Derrick

Retired Wanderer
Staff member
Joined
Aug 4, 2006
Messages
10,542
Reaction score
13,815
Location
Portland, OR
Website
youtube.com
on a side note, i'm currently testing two different kinds of wifi extenders that fit in your pocket. i'll probably make up a video about those later, they're pretty interesting, but i need to do more testing since i'm having trouble with both of them (but that might just be related to the crappy internet here).
 
  • Like
Reactions: scntfc and autumn

autumn

Lurker
Joined
Jan 14, 2014
Messages
670
Reaction score
1,123
Location
Slab City
on a side note, i'm currently testing two different kinds of wifi extenders that fit in your pocket. i'll probably make up a video about those later, they're pretty interesting, but i need to do more testing since i'm having trouble with both of them (but that might just be related to the crappy internet here).

Cool man. What models and do you know what the EIRP is on those?
 

Matt Derrick

Retired Wanderer
Staff member
Joined
Aug 4, 2006
Messages
10,542
Reaction score
13,815
Location
Portland, OR
Website
youtube.com
no idea what an EIRP is.

i got the alfa external usb wifi with omni and directional antennas. was kinda having a bitch of a time with it until i figured out the router needed to be moved to a different channel.

the other is a mini travel router the hootoo travelmate elite. just a little box that plugs into the wall and it can either plug into ethernet and share it wirelessly or act as a bridge to another wireless point.
 

nicho

New member
Joined
May 3, 2017
Messages
3
Reaction score
5
Location
Marquette, MI
This is pretty neat. So it is a Raspberry Pi with a huge antenna that connects to open points within ~2700 ft? ..Out of curiosity, how often are you able to succeed in finding open access points in this range?

Your evil twin attack is cool. The thing is you have to take different approaches for different types of routers. .Have you looked into Reaver? If you have all your ducks in a row this does the trick:

reaver -i (interface) -c (channel) -b (BSSID) -vv -L -N -S --no-nacks --win7 -d 30 -x 60

People say pixiedust brings lots of success. Really depends on the router. The idea of a van with a giant antenna that is attacking access points is mindboggling to me. It could work.

I have been interested in the subject as well, because my local internet provider generates passwords with a simple algorithm.. like "rustyskates411" or "largepotato878". Conventional math says cracking a password like that character-by-character would take millions of years. However it seems there are ways to reduce that time significantly.
 
Last edited:
  • Useful
Reactions: Phinigma

autumn

Lurker
Joined
Jan 14, 2014
Messages
670
Reaction score
1,123
Location
Slab City
no idea what an EIRP is.

i got the alfa external usb wifi with omni and directional antennas. was kinda having a bitch of a time with it until i figured out the router needed to be moved to a different channel.

the other is a mini travel router the hootoo travelmate elite. just a little box that plugs into the wall and it can either plug into ethernet and share it wirelessly or act as a bridge to another wireless point.

EIRP is cool! It means equivalent isotropically radiated power... a fancy way of saying, power of the antenna and txpower added together, minus cable loss. That alfa, for example- 1 watt txpower (30dBm) + 5dBi omni antenna + 2.15dBi (reference dipole) = 37.15dBi EIRP. The only difference between ERP and EIRP is directivity.. boring dipole stuff.

That's a good adapter, I'm a big fan of the 036H. It has the RTL8187L chipset, which is the only chipset that realtek ever made that's actually on par with the best. Also, you can run that thing at 2 watts without overheating issues. Or at least I never had any.

Odd that the hootoo doesn't have technical specs anywhere. I would be interested to know how it performs once you've gotten a chance to test it out a little more

This is pretty neat. So it is a Raspberry Pi with a huge antenna that connects to open points within ~2700 ft? ..Out of curiosity, how often are you able to succeed in finding open access points in this range?

Your evil twin attack is cool. The thing is you have to take different approaches for different types of routers. .Have you looked into Reaver? If you have all your ducks in a row this does the trick:

reaver -i (interface) -c (channel) -b (BSSID) -vv -L -N -S --no-nacks --win7 -d 30 -x 60

People say pixiedust brings lots of success. Really depends on the router. The idea of a van with a giant antenna that is attacking access points is mindboggling to me. It could work.

I have been interested in the subject as well, because my local internet provider generates passwords with a simple algorithm.. like "rustyskates411" or "largepotato878". Conventional math says cracking a password like that character-by-character would take millions of years. However it seems there are ways to reduce that time significantly.

Reduce the time significantly, sure. It just depends.. if it's all lowercase "adjective+noun+3#s" It could be brought down to a week with a generated dictionary containing common words. Or maybe a day, assuming the noun/verb combos are very common words. Those 3 digits kill you because you then need 1,000 additional combinations of each adjective/noun combo. If you have a preshared key you can try about 3000 keys per second so you can only do about 3 adjective/noun combinations per second.

Reaver is for WPS (one 4 digit pin, one 3 digit pin), which isn't all that common in my experience.
 
Last edited:

wickedwench

Member
Joined
Jan 19, 2016
Messages
22
Reaction score
36
Location
Albuquerque, United States
Website
www.fireandsliceproductions.com
Very nice! For those who care, I might mention that at that power there are potential long-term health concerns about the placement of the antenna. You might want to place it as far from people in the vehicle as you can to mitigate that (again, if you care much...not everyone does). It will also build up heat, so take that into account as far as where you place it--wifi is microwave (as I'm sure the OP knows...saying it for anyone who might not). If I were in cities more often, I might have tried your set up on my own rig. As is, I'm usually far enough out that I have to rely on Verizon :(
 
  • Like
Reactions: DikembeMuhobo

meatcomputer

Well-known member
Joined
Dec 21, 2015
Messages
61
Reaction score
77
Location
Western mass
Website
bit.ly
I'm about to move into the top story of a 4 story factory space which has line of sight with the downtown area of the town. I was thinking on running an antennae to pickup wifi from the town and get free internet. I started planning something similar to what you wrote and then I found this! no more planning needed. Thanks so much zim.

Edit: Also, you mentioned you were going to try and make the directional antennae rotate using a dc stepper motor and a motor controller. I think that thats over kill and it might be cheaper/more simple to use a geared down dc motor connected to a relay. Making it much simpler/cheaper and I think accomplishing exactly what you want.
 
Last edited:
P

Popsicle

Guest
Umm umm umm umm wow . You have sparked my ( who did you work for ) part of my brain . Pm me are you a cable dog , commo ? Wow this person just engaged some serious knowledge
 

Jerrell

Well-known member
Joined
Aug 27, 2017
Messages
349
Reaction score
676
Location
AZ / CA
Umm umm umm umm wow . You have sparked my ( who did you work for ) part of my brain . Pm me are you a cable dog , commo ? Wow this person just engaged some serious knowledge

I was a comms guy in the military and know a fraction of this shit.
 

About us

  • Squat the Planet is the world's largest social network for misfit travelers. Join our community of do-it-yourself nomads and learn how to explore the world by any means necessary.

    More Info

Help us pay the bills!

Total amount
$10.00
Goal
$100.00

Latest Library Uploads