WiFi Pixie
The WiFi Pixie is designed as an educational tool for penetration testing on a Mac OS X system.
Main functions include:
- Gathering WiFi network information
- Dumping the gathered network information
- Turning off the WiFi
- Changing the WiFi network
There is also a reset button and a debugging mode.
- - - -
The code was written for a Teensy 3.1, with 4 switches, 2 buttons and 2 extra LEDs (in addition to the onboard one).
The hardware used is shown in the main image.
The switches and buttons each have one terminal soldered to a unique pin and the other to ground.
The anode of the LEDs (long wire) is connected to a unique pin and the cathode (short wire) is connected via a resistor to ground (the resistors I used were 330 ohms).
- - - -
To build this device, simply add the components described above to a Teensy 3.1 and download the code provided in the text file on to it.
The subsequent sections will describe the functionality of the device and how it was implemented.
- - - -
Main functions include:
- Gathering WiFi network information
- Dumping the gathered network information
- Turning off the WiFi
- Changing the WiFi network
There is also a reset button and a debugging mode.
- - - -
The code was written for a Teensy 3.1, with 4 switches, 2 buttons and 2 extra LEDs (in addition to the onboard one).
The hardware used is shown in the main image.
The switches and buttons each have one terminal soldered to a unique pin and the other to ground.
The anode of the LEDs (long wire) is connected to a unique pin and the cathode (short wire) is connected via a resistor to ground (the resistors I used were 330 ohms).
- - - -
To build this device, simply add the components described above to a Teensy 3.1 and download the code provided in the text file on to it.
The subsequent sections will describe the functionality of the device and how it was implemented.
- - - -
Downloads
Mode Overview
The Teensy tells the host computer that it's a keyboard and uses this to perform tasks.
- - - -
The first switch selects the mode: Store/Change.
Store mode is designed to firstly retrieve the WiFi network information from the host computer and store it in the non-volatile memory. Then at a later date the information can be retrieved.
Change mode is intended to change the state of the host computers WiFi connection.
- - - -
The second switch selects the operation based on the selected mode.
In store mode the two available operations are gather and dump. Using the gather option will instruct the Teensy to send the host computer commands in order to acquire the WiFi network information and then store it in the non-volatile memory. The dump option will cause the Teensy to create a text file and enter the gathered data into it.
In change mode the two options are off and switch. The off option will simply turn the host devices WiFi card off. Switch will make the Teensy change the access point that the host computer is associated with.
- - - -
The third switch is meant to select the operating system.
Currently, only commands for Mac OS X have been programmed. However, this switch is designed to allow an alternative set of commands to be implemented.
- - - -
The fourth switch turns debug mode on and off.
When instructing the Teensy to send the host computer keystrokes there is always some delay between the keys being sent and the relevant action being completed. For example, entering text into a text file has very little delay associated with it, whereas opening a program will take longer. This delay is also not consistent, so one time it may take less than a second, but another time it may take three seconds, or not open at all. These variations are not perceived by the Teensy and as such the common solution is to use a large delay.
The debug mode allows the programmer to add in break points into the code, which allows the program to be stepped through. Essentially, the Teensy sends the host computer a command then it waits for some input from the user before sending the next command. In this case the input from the user is a press of button two.
So, for example, the Teensy will transmit the command to open a program, once the program has opened the user will push the button and Teensy will send the next command. This avoids the situation where the Teensy sends the second command too early and it's received by the host computer before the program has been opened, which can cause unexpected and unintended results.
Another common occurrence is where a program is opened and gives an unexpected pop up, for example, requesting that a browser be made the default. In this case the user can resolve the message before allowing the Teensy to continue with its operation.
This mode is also useful for debugging programs loaded on to the Teensy...
- - - -
The first button is used to reset the Teensy.
It can be the case that instructions send from the Teensy are not executed correctly, even if debug mode is enabled. In these cases the reset button can be a quick way off simply restarting and running the code again, without having to unplug and replug in the device. This is especially useful in time critical situations.
- - - -
There are three LEDs on the device, red, blue and green.
The red LED is used to indicate that there is some internal processing happening, which is usually either initialisations or writing/reading the EEPROM.
The blue LED signals that some input is required from the user, this is generally the debug mode waiting to execute the next step.
The green LED simply indicates that the program is complete, which is particularly useful if the user is unable to see the screen of the host computer.
- - - -
- - - -
The first switch selects the mode: Store/Change.
Store mode is designed to firstly retrieve the WiFi network information from the host computer and store it in the non-volatile memory. Then at a later date the information can be retrieved.
Change mode is intended to change the state of the host computers WiFi connection.
- - - -
The second switch selects the operation based on the selected mode.
In store mode the two available operations are gather and dump. Using the gather option will instruct the Teensy to send the host computer commands in order to acquire the WiFi network information and then store it in the non-volatile memory. The dump option will cause the Teensy to create a text file and enter the gathered data into it.
In change mode the two options are off and switch. The off option will simply turn the host devices WiFi card off. Switch will make the Teensy change the access point that the host computer is associated with.
- - - -
The third switch is meant to select the operating system.
Currently, only commands for Mac OS X have been programmed. However, this switch is designed to allow an alternative set of commands to be implemented.
- - - -
The fourth switch turns debug mode on and off.
When instructing the Teensy to send the host computer keystrokes there is always some delay between the keys being sent and the relevant action being completed. For example, entering text into a text file has very little delay associated with it, whereas opening a program will take longer. This delay is also not consistent, so one time it may take less than a second, but another time it may take three seconds, or not open at all. These variations are not perceived by the Teensy and as such the common solution is to use a large delay.
The debug mode allows the programmer to add in break points into the code, which allows the program to be stepped through. Essentially, the Teensy sends the host computer a command then it waits for some input from the user before sending the next command. In this case the input from the user is a press of button two.
So, for example, the Teensy will transmit the command to open a program, once the program has opened the user will push the button and Teensy will send the next command. This avoids the situation where the Teensy sends the second command too early and it's received by the host computer before the program has been opened, which can cause unexpected and unintended results.
Another common occurrence is where a program is opened and gives an unexpected pop up, for example, requesting that a browser be made the default. In this case the user can resolve the message before allowing the Teensy to continue with its operation.
This mode is also useful for debugging programs loaded on to the Teensy...
- - - -
The first button is used to reset the Teensy.
It can be the case that instructions send from the Teensy are not executed correctly, even if debug mode is enabled. In these cases the reset button can be a quick way off simply restarting and running the code again, without having to unplug and replug in the device. This is especially useful in time critical situations.
- - - -
There are three LEDs on the device, red, blue and green.
The red LED is used to indicate that there is some internal processing happening, which is usually either initialisations or writing/reading the EEPROM.
The blue LED signals that some input is required from the user, this is generally the debug mode waiting to execute the next step.
The green LED simply indicates that the program is complete, which is particularly useful if the user is unable to see the screen of the host computer.
- - - -
Feedback
The technique that makes the functions performed by this device possible is the introduction of feedback from the host computer to the Teensy. This is done by taking advantage of being able to use both the keyboard emulator and the serial coms.
- - - -
Essentially to get data out of the host computer the Teensy uses the Terminal application to pipe the required information into a text file.
This file is then opened and the data copied to the clipboard.
Then a virtual terminal called Screen is opened using the serial link to the Teensy.
The data on the clipboard is then copied into Screen, which sends it over the serial connection to the Teensy.
Once the Teensy has received the data, certain information can be extracted or it can be stored in non-volatile memory for future recall.
- - - -
The WiFi instructions sent by the Teensy use the 'networksetup' command in Terminal, which requires the identification of the relevant hardware port in use.
So, the program takes this information and feeds it back to the Teensy such that it can be used in subsequent commands.
- - - -
- - - -
Essentially to get data out of the host computer the Teensy uses the Terminal application to pipe the required information into a text file.
This file is then opened and the data copied to the clipboard.
Then a virtual terminal called Screen is opened using the serial link to the Teensy.
The data on the clipboard is then copied into Screen, which sends it over the serial connection to the Teensy.
Once the Teensy has received the data, certain information can be extracted or it can be stored in non-volatile memory for future recall.
- - - -
The WiFi instructions sent by the Teensy use the 'networksetup' command in Terminal, which requires the identification of the relevant hardware port in use.
So, the program takes this information and feeds it back to the Teensy such that it can be used in subsequent commands.
- - - -