
shuts down network?

Open meiguoren opened this issue 6 years ago • 6 comments

I've installed everything, but now when I turn on the RPi it doesn't allow devices on my home network to connect to the internet. Is this a situation where the Pi is overloaded? It's started locking up when I turn it on and try to even move the mouse around.

meiguoren avatar Jun 30 '18 21:06 meiguoren

If you installed everything, including Elasticsearch and Kibana on the Pi, it's a good idea to turn off the graphical interface, as the Raspberry Pi does not have enough RAM to run the entire SweetSecurity suite plus a graphical interface all on its own.

I also ran into the same issue as you. What I did was flush the iptables rules. SweetSecurity wipes all previous rules and applies its own set of rules, which I find completely kill access to the Internet.

booth-f avatar Jul 04 '18 14:07 booth-f

I have the same problem. I think it's nothing about the Pi's hardware.

The reason is that the so-called "SweetSecurity" client service actually calls the 'nmap' tool to scan your whole LAN.

Look at line 33 in SweetSecurity/sweetSecurity/client/spoof.py:

victimMac=convertMAC(row[3])
packet = Ether()/ARP(op="who-has",hwdst=dfgwMAC,pdst=dfgw,psrc=row[2])
sendp(packet)
packet = Ether()/ARP(op="who-has",hwdst=victimMac,pdst=row[2],psrc=dfgw)
sendp(packet)

I guess when you boot up your Pi, the 'sweetsecurity' service makes your Pi pretend to be your LAN's gateway.

When you use Wireshark to sniff the packets, you will find many packets like:

who has 192.168.1.2 tell ....
.
.
who has 192.168.1.255 tell...

Dude, I think it's like an ARP spoofing attack...

I think we can improve this. Maybe it's really not a good design?

Currently you can simply disable this service on your Pi, so your Pi will stop scanning and showing new devices in your LAN:

sudo systemctl disable sweetsecurity

and restart your Pi.

Or

you can just ignore this, but every time you start up your Pi, your home LAN will be down for about 3-5 minutes... When the scanning is done, disable other devices' network cards and re-enable them...

cloudstrifeedge avatar Aug 10 '18 02:08 cloudstrifeedge
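
An added example, not part of this thread or of SweetSecurity's code: a passive check for the symptom the comment above describes, where ARP packets carry the gateway's or a device's IP together with the sensor's MAC. It parses raw ARP frames and reports any IP whose sender MAC changes; the frames, addresses and function names are constructed for the illustration.

```python
import struct

def build_arp(sha, spa, tha, tpa, op=1):
    """Build a raw Ethernet+ARP frame; used only to construct the sample below."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sha, tha))
    sip, tip = (bytes(map(int, a.split("."))) for a in (spa, tpa))
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return tmac + smac + b"\x08\x06" + header + smac + sip + tmac + tip

def parse_arp(frame):
    """Return (sender_mac, sender_ip) of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22])[:4] != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip

def find_conflicts(frames):
    """List (ip, first_seen_mac, new_mac) whenever an IP is claimed by a second MAC."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or truncated
        sender_mac, sender_ip = parsed
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((sender_ip, known, sender_mac))
    return alerts

# Constructed sample traffic (all addresses are made up for this example).
GW, LAPTOP, SENSOR = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:99"
SAMPLE = [
    build_arp(GW, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.20"),      # real gateway
    build_arp(LAPTOP, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),  # real laptop
    build_arp(SENSOR, "192.168.1.20", GW, "192.168.1.1"),      # psrc=row[2] pattern
    build_arp(SENSOR, "192.168.1.1", LAPTOP, "192.168.1.20"),  # psrc=dfgw pattern
    b"\x00" * 10,                                              # truncated frame, ignored
]

if __name__ == "__main__":
    for ip, old, new in find_conflicts(SAMPLE):
        print(f"ARP conflict: {ip} was {old}, now claimed by {new}")
```
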

I didn't have issues with my home LAN being down. However, I set up the Pi as a sensor only and it is sending all the data back to a separate ELK server.

rndrev avatar Aug 10 '18 05:08 rndrev

Both my router and PCs don't have an ARP policy or firewall, so my PC and Mac will disconnect from the NAS server every time I start up the Pi...

cloudstrifeedge avatar Aug 10 '18 05:08 cloudstrifeedge

Looks like the network being down only occurs when the Pi starts to scan your LAN. After the scanning, all devices will be back to normal. It may take about 3-5 minutes. You can shut down your router's ARP policy and PC's ARP firewall, then reboot your Pi to give it a try. @rndrev

Plus: I use my Pi as a sniffer through the eth0 network card. I don't use port mirroring due to the layout of my home network.

cloudstrifeedge avatar Aug 10 '18 05:08 cloudstrifeedge

I set up my Pi 3 B+ as a sensor, having a mirrored port on eth0 and normal network access on wlan0.

Ouch!

Disabling the sweetsecurity service put things straight in the end.

Perhaps setup.py should ask whether you

a) have a span/mirror port configured and want the sensor in passive mode
b) already have the sensor device as gateway and just need the iptables config
c) have none of the above and also need/want spoofing.

royolsen avatar May 15 '19 22:05 royolsen