Danijel Grah

Security Consultant at Viris (SI)

Danijel Grah holds a Bachelor's degree in Computer Science from the University of Ljubljana, Slovenia.
He has been a Security Consultant at Viris for some time and is involved in penetration testing, security reviews, programming, consulting and research. He has a deep understanding of threats, vulnerabilities and trends.

He likes to practice information security in everyday life. Danijel is devoted to his work, open-minded, enjoys new challenges and never stops studying.

ELK stack for Hackers

Visualizing Wi-Fi traffic is today more or less limited to console windows and to analysing the various logs produced by the aircrack-ng toolset. Some commercial tools exist, but anyone who wants to stay in the open source world needs a better solution. The ELK stack (Elasticsearch, Logstash, Kibana) was therefore used to gather, store, index and visualize the data, with a modified version of the airodump tool as the input source. With this setup some amazing dashboards can be created, interesting data can be correlated and Wi-Fi packets can be examined in depth.

During penetration tests we often encounter large amounts of heterogeneous data, and Wi-Fi networks are one such area. Wi-Fi analysis mostly relies on the aircrack-ng or Kismet toolsets, which means we are generally limited to terminal windows and text output. Such data is hard to visualize, and since people analyse data far more easily when it has a good visual representation, there is room for research in this area.
Getting the data into the ELK stack is another matter. The current tools provide no JSON output that the logging component of the ELK stack could consume. We tried several approaches, but the best solution was simply to change the source code and recompile the airodump tool so that it produces input in a form Elasticsearch can ingest.

Visualization of the gathered data in Kibana can be done quickly and requires no programming skills, so interesting dashboards can be built in minutes and very good visibility achieved.
We were able to visualize the following data:
• Number of open and protected Wi-Fi networks
• Number of clients connected to the different Wi-Fi networks/stations
• Number of clients per station over time
• Access points (stations) that broadcast the most beacons
• Manufacturer information about clients and stations (derived from the OUI prefix of the MAC address)
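The abstract covers two steps: getting airodump data into Elasticsearch, and deriving the counts behind the dashboards listed above. The following script is an added example and is not the speaker's patched airodump. It takes a different route to the same input problem: instead of recompiling the tool, it parses the CSV that stock airodump-ng writes with `-w <prefix>` (whose column order is fixed by the tool), emits Elasticsearch bulk NDJSON, and computes the open/protected, clients-per-station, beacon and manufacturer figures. The sample capture and the OUI table are constructed for the demo; the index name `wifi` and the field names are assumptions.

```python
"""Turn airodump-ng's CSV output into Elasticsearch bulk (NDJSON) documents.
Added example (not the speaker's modified airodump): it post-processes the CSV
that stock airodump-ng writes with "-w <prefix>". Sample data is constructed.
"""
import json
from collections import Counter

# Constructed sample in airodump-ng's CSV layout: padded values, an empty
# Key column after the ESSID, and comma-joined probed ESSIDs for clients.
SAMPLE_CSV = (
    "\r\n"
    "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
    "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\r\n"
    "00:11:22:33:44:55, 2015-11-19 10:00:00, 2015-11-19 10:05:00,  6,  54, WPA2,"
    " CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   7, CorpNet, \r\n"
    "66:77:88:99:AA:BB, 2015-11-19 10:00:03, 2015-11-19 10:04:58, 11,  54, OPN ,"
    "     ,    , -62,      380,        0,   0.  0.  0.  0,  10, Free WiFi,, \r\n"
    "\r\n"
    "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, "
    "Probed ESSIDs\r\n"
    "AA:BB:CC:DD:EE:01, 2015-11-19 10:00:10, 2015-11-19 10:04:50, -50,      300,"
    " 00:11:22:33:44:55, CorpNet\r\n"
    "AA:BB:CC:DD:EE:02, 2015-11-19 10:01:00, 2015-11-19 10:04:40, -71,       42,"
    " 00:11:22:33:44:55, \r\n"
    "AA:BB:CC:DD:EE:03, 2015-11-19 10:02:20, 2015-11-19 10:03:05, -80,        9,"
    " (not associated) , Free WiFi,,Home\r\n"
)
# Placeholder OUI table for the demo; load the IEEE OUI list in practice.
OUI_TABLE = {"00:11:22": "ExampleRouterCo", "AA:BB:CC": "ExamplePhoneCo"}
# Fixed columns that precede the free-text tail of each row.
AP_FIELDS = ["bssid", "first_seen", "last_seen", "channel", "speed", "privacy",
             "cipher", "authentication", "power", "beacons", "ivs", "lan_ip",
             "id_length"]
STATION_FIELDS = ["station_mac", "first_seen", "last_seen", "power", "packets", "bssid"]
INT_FIELDS = {"channel", "speed", "power", "beacons", "ivs", "id_length", "packets"}


def _finish(doc, kind):
    """Normalise types so Kibana can aggregate and plot the fields."""
    for k in INT_FIELDS:
        if k in doc:
            doc[k] = int(doc[k]) if doc[k].lstrip("-").isdigit() else None
    for k in ("first_seen", "last_seen"):
        # "2015-11-19 10:00:00" -> ISO 8601, which the default date mapping accepts
        doc[k] = doc[k].replace(" ", "T")
    mac = doc["bssid"] if kind == "ap" else doc["station_mac"]
    doc["vendor"] = OUI_TABLE.get(mac[:8].upper(), "unknown")
    doc["kind"] = kind
    return doc


def _parse_ap(line):
    parts = line.split(",", len(AP_FIELDS))           # tail = "ESSID, Key"
    doc = {k: v.strip() for k, v in zip(AP_FIELDS, parts)}
    tail = parts[len(AP_FIELDS)] if len(parts) > len(AP_FIELDS) else ""
    essid, sep, key = tail.rpartition(",")           # ESSID may itself contain commas
    if not sep:
        essid, key = tail, ""
    doc["essid"], doc["key"] = essid.strip(), key.strip()
    doc["open"] = doc["privacy"] in ("", "OPN")       # "WPA2WPA" etc. count as protected
    return _finish(doc, "ap")


def _parse_station(line):
    parts = line.split(",", len(STATION_FIELDS))      # tail = probed ESSIDs
    doc = {k: v.strip() for k, v in zip(STATION_FIELDS, parts)}
    tail = parts[len(STATION_FIELDS)] if len(parts) > len(STATION_FIELDS) else ""
    # Probes are comma-joined without quoting, so a probed ESSID containing a
    # comma is ambiguous here; the CSV gives no way to tell the two apart.
    doc["probed_essids"] = [p.strip() for p in tail.split(",") if p.strip()]
    return _finish(doc, "station")


def parse_airodump_csv(text):
    """Return (access points, clients) from one airodump-ng CSV dump."""
    aps, stations, section = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
        elif line.startswith("Station MAC,"):
            section = "station"
        elif section == "ap":
            aps.append(_parse_ap(line))
        elif section == "station":
            stations.append(_parse_station(line))
    return aps, stations


def to_bulk_ndjson(docs, index="wifi"):
    """Bulk API body. The MAC is the _id, so re-ingesting the CSV that
    airodump-ng rewrites every few seconds updates rather than duplicates."""
    out = []
    for d in docs:
        doc_id = d["bssid"] if d["kind"] == "ap" else d["station_mac"]
        out.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        out.append(json.dumps(d))
    return "\n".join(out) + "\n"                      # bulk body must end with a newline


def summarize(aps, stations):
    """The counts behind the dashboards listed in the abstract."""
    assoc = Counter(s["bssid"] for s in stations if s["bssid"] != "(not associated)")
    by_beacons = sorted(aps, key=lambda a: a["beacons"] or 0, reverse=True)
    return {
        "open_networks": sum(a["open"] for a in aps),
        "protected_networks": sum(not a["open"] for a in aps),
        "clients_per_bssid": dict(assoc),
        "top_beacon_senders": [a["bssid"] for a in by_beacons],
        "vendors": dict(Counter(d["vendor"] for d in aps + stations)),
    }


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(to_bulk_ndjson(aps + stations), end="")      # pipe to: curl -XPOST <es>/_bulk
    print(json.dumps(summarize(aps, stations), indent=2))
```

Run it against a live `prefix-01.csv` in a loop and POST the output to the `_bulk` endpoint; because each document's `_id` is the device MAC, every pass updates the same documents instead of creating duplicates, and the `first_seen`/`last_seen` fields give Kibana the time axis for the clients-per-station chart.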

Presentation @DefCamp 2015