Lecture: When a hacker uses the ELK stack for visualization
Visualizing Wi-Fi traffic is today more or less limited to console windows and reading the various logs produced by the aircrack-ng toolset. There are some commercial tools, but if we want to stay in the open-source area we need to find a better solution. So the ELK stack was used to gather, store, index and visualize the data. As input, a modified version of the airodump tool was used. With this, some amazing dashboards can be created, interesting data can be correlated, and some deep digging into Wi-Fi packets can be done.
When doing penetration tests we often run into a large amount of different data. One of those areas is Wi-Fi networks. When doing Wi-Fi analysis we mostly rely on the aircrack-ng or Kismet toolsets, which means we are generally limited to terminal windows and text output. This kind of data is hard to visualize, and since humans analyze data much more easily when there is a good visual representation, there is room for research in this area.
The ELK stack is a modern solution that can handle large amounts of data and make it easy to search and visualize. The ELK stack is composed of three components. Logstash collects, parses and forwards logs from clients to a central repository. Elasticsearch is a search server based on Lucene; it provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents. Kibana is the visualization package that helps make sense of large volumes of data and easily creates bar charts, line and scatter plots, histograms, pie charts and maps.
Getting data into the ELK stack is another matter. Current tools do not provide any JSON output for the logging component of the ELK stack. We tried different things to get JSON output, but the best solution was to change the source code and recompile the airodump tool. With this we created the right input for Elasticsearch and shipped the data to the central repository for visualization.
Visualizing the gathered data with Kibana can be done quickly and requires no programming skills. With this, interesting dashboards can be created quickly and very good visibility can be achieved.
We could visualize the following data:
• Number of open and protected Wi-Fi networks
• Number of clients connected to different Wi-Fi networks/stations
• Number of clients per station over time
• Clients that broadcast the most beacons over Wi-Fi
• Manufacturer information about clients and stations
• Monitoring a client over time
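As an added example (not the authors' patched airodump, whose source is not on this page), here is one other way to get airodump-ng data into Elasticsearch as JSON: parse the CSV that airodump-ng writes with its --write / --output-format csv options and re-emit it as NDJSON for the _bulk API. The sample CSV and the tiny OUI-to-vendor table are constructed for the example, and the summarize function computes locally the same counts the dashboards above show (open vs. protected networks, clients per station, top beacon sender, vendor breakdown), which is a handy check that the documents carry the fields Kibana will need.

```python
"""Turn airodump-ng CSV output into JSON documents for Elasticsearch.

Added example, not the authors' modified airodump: the CSV that airodump-ng
writes is parsed and re-emitted as NDJSON for the Elasticsearch _bulk API.
The sample CSV and the OUI table below are constructed for this example.
"""
import csv
import json
from collections import Counter

# Constructed sample in airodump-ng's CSV layout: an access-point section,
# then a station section, each with its own header line.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-03-10 20:01:12, 2015-03-10 20:05:43,  6,  54, WPA2, CCMP, PSK, -45,      120,        0,   0.  0.  0.  0,   7, HomeNet, 
66:77:88:99:AA:BB, 2015-03-10 20:01:13, 2015-03-10 20:05:41, 11,  54, OPN,  ,  , -70,       80,        0,   0.  0.  0.  0,   9, CafeGuest, 
CC:DD:EE:FF:00:11, 2015-03-10 20:02:00, 2015-03-10 20:05:30,  1,  54, WEP, WEP, , -80,       10,      512,   0.  0.  0.  0,   6, OldAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:00:00:01, 2015-03-10 20:01:15, 2015-03-10 20:05:40, -60,       35, 00:11:22:33:44:55, HomeNet
AA:AA:AA:00:00:02, 2015-03-10 20:01:20, 2015-03-10 20:05:39, -65,       12, 00:11:22:33:44:55, 
AA:AA:AA:00:00:03, 2015-03-10 20:03:00, 2015-03-10 20:05:10, -72,        7, 66:77:88:99:AA:BB, CafeGuest,HomeNet
AA:AA:AA:00:00:04, 2015-03-10 20:03:05, 2015-03-10 20:05:00, -85,        3, (not associated), HomeNet
"""

# Constructed OUI (first three MAC bytes) -> vendor table; a real deployment
# would load the IEEE OUI list instead. Names here are made up.
OUI_VENDORS = {"00:11:22": "Vendor-A", "66:77:88": "Vendor-B", "AA:AA:AA": "Vendor-C"}


def _iso(ts):
    """'2015-03-10 20:01:12' -> '2015-03-10T20:01:12' so Elasticsearch maps it as a date."""
    return ts.strip().replace(" ", "T")


def _vendor(mac):
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def parse_airodump_csv(text):
    """Parse both sections of an airodump-ng CSV into a list of JSON-ready dicts."""
    docs, section = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
        if fields[0] == "BSSID":
            section = "ap"
            continue
        if fields[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(fields) >= 14:
            docs.append({
                "type": "ap", "bssid": fields[0], "essid": fields[13],
                "first_seen": _iso(fields[1]), "last_seen": _iso(fields[2]),
                "channel": int(fields[3]), "privacy": fields[5],
                "cipher": fields[6], "auth": fields[7],
                "power": int(fields[8]), "beacons": int(fields[9]),
                "open": fields[5] == "OPN", "vendor": _vendor(fields[0]),
            })
        elif section == "station" and len(fields) >= 6:
            bssid = fields[5]
            associated = bssid != "(not associated)"   # airodump marks roaming clients this way
            docs.append({
                "type": "station", "station": fields[0],
                "first_seen": _iso(fields[1]), "last_seen": _iso(fields[2]),
                "power": int(fields[3]), "packets": int(fields[4]),
                "bssid": bssid if associated else None, "associated": associated,
                # probed ESSIDs are comma separated, so they spill past column 7
                "probed": [p for p in fields[6:] if p],
                "vendor": _vendor(fields[0]),
            })
    return docs


def to_bulk_ndjson(docs, index="wifi"):
    """Serialize docs as an Elasticsearch _bulk body: action line + source line per doc."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def summarize(docs):
    """Local versions of the dashboard aggregations, to check the documents carry the right fields."""
    aps = [d for d in docs if d["type"] == "ap"]
    stations = [d for d in docs if d["type"] == "station"]
    return {
        "open_networks": sum(a["open"] for a in aps),
        "protected_networks": sum(not a["open"] for a in aps),
        "clients_per_bssid": dict(Counter(s["bssid"] for s in stations if s["associated"])),
        "unassociated_clients": sum(not s["associated"] for s in stations),
        "top_beacon_bssid": max(aps, key=lambda a: a["beacons"])["bssid"],
        "vendors": dict(Counter(d["vendor"] for d in docs)),
    }


if __name__ == "__main__":
    parsed = parse_airodump_csv(SAMPLE_CSV)
    print(to_bulk_ndjson(parsed), end="")
    print(json.dumps(summarize(parsed), indent=2))
```

The NDJSON printed by the script can be POSTed directly to the Elasticsearch _bulk endpoint (or fed to Logstash with a JSON codec). Keeping "associated" as a separate boolean rather than dropping unassociated clients matters for the dashboards: probe requests from clients that are not connected anywhere are exactly the data the "monitoring a client over time" view relies on.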
Start time: 20:00
- I like trains