A DIY Hardware Packet Sniffer
Affordable Penetration Testing for the Individual
Veronica Swanson: University of California, Irvine
“CyberSecurity for the Next Generation”
North American Round, New York
Why DIY?
System security is important, and penetration testing can be essential to ascertaining and improving the level of security of your system.
But what about the cost? Large-scale penetration tests from security firms can be costly, and even commercial penetration testing devices can be expensive for the individual.
Creating your own device is less expensive and offers potential for customization.
The Hardware Packet Sniffer
The HPS was designed to be a simple, small, concealable, DIY packet sniffer.
Simply plug the HPS into an open Ethernet port and it will receive packets of data being sent on the network and transmit them to a given MAC and IP address.
It’s Cheap! Other penetration testing devices can be much more expensive. Total development costs came to $43.99.
The Hardware
Atmel ATMEGA328P
• Functions as the host controller
• Interfaces with the Ethernet controller via SPI
mikroETH Board
• Microchip ENC28J60 Ethernet Controller
• Interfaces with a network using an Ethernet cable
• Sends and receives packets based on programmed MAC and IP addresses
ENC28J60 Ethernet Controller
By setting the Ethernet controller in promiscuous mode, the HPS can capture and store packets of data from the network that it is plugged into regardless of what MAC address the packets were intended for.
Once configured for full-duplex mode, the Ethernet controller can simultaneously receive and transmit acquired data over Ethernet.
By programming a destination MAC and IP address into the Ethernet controller, the HPS can then send the data it collects to a specified device.
Ethernet Memory Organization
The memory in the Ethernet controller is static RAM and is organized into three sections:
• Control Registers - provide access to the on-chip Ethernet controller logic through the SPI interface. Separated into four banks of memory containing three types of registers:
  • ETH Registers
  • MAC (Medium Access Control) Registers
  • MII (Media Independent Interface) Registers
• Ethernet Buffers - an eight-Kbyte memory split into a receive buffer and a transmit buffer, where the data received and the data to be transmitted are stored.
• Physical Registers - used for configuration and control of the physical device. Can only be accessed through MII registers.
The Atmega328p Microcontroller
The microcontroller is the host controller used to program and operate the Ethernet controller over SPI.
Before the Atmega328p can be used as the host controller, the device needs to be configured for Master SPI mode.
• This is simply done by setting the directions of the SPI pins appropriately as shown.

| Pin Name | Pin Number | SPI Master Direction |
|---|---|---|
| MOSI (Master Out Slave In) | PB3 | Output |
| MISO (Master In Slave Out) | PB4 | Input |
| SCK (Serial Clock) | PB5 | Output |
| SS (Slave Select) | PB2 | Output |
SPI Interface
SPI is a data transfer protocol which allows a Master device to communicate with peripheral Slave devices.
• Data is shifted in bytes from the Master to the Slave, and from the Slave to the Master one bit at a time.
The Ethernet controller is designed to respond to a set of seven SPI instructions.
• Each instruction is 1 byte long, followed by 1 byte of data if applicable. The first 3 bits contain an opcode, and the following 5 bits are an argument.
SPI Ethernet Controller Instructions

| Instruction Name | Opcode | Argument | Data |
|---|---|---|---|
| Read Control Register | 0 0 0 | a a a a a | n/a |
| Read Buffer Memory | 0 0 1 | 1 1 0 1 0 | n/a |
| Write Control Register | 0 1 0 | a a a a a | d d d d d d d d |
| Write Buffer Memory | 0 1 1 | 1 1 0 1 0 | d d d d d d d d |
| Bit Field Set | 1 0 0 | a a a a a | d d d d d d d d |
| Bit Field Clear | 1 0 1 | a a a a a | d d d d d d d d |
| System Command (Soft Reset) | 1 1 1 | 1 1 1 1 1 | n/a |
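
An added example, not code from the original slides: the instruction table above expressed as C, packing the 3-bit opcode and 5-bit argument into the instruction byte and rejecting combinations the table does not list. The function names are this example's own, and the register address 0x18 and data value 0x03 in main() are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcodes: the top 3 bits of the instruction byte, from the table above. */
enum { OP_RCR = 0, OP_RBM = 1, OP_WCR = 2, OP_WBM = 3,
       OP_BFS = 4, OP_BFC = 5, OP_SC = 7 };
#define ARG_BUFFER 0x1Au  /* fixed argument 1 1 0 1 0 (buffer memory access) */
#define ARG_RESET  0x1Fu  /* fixed argument 1 1 1 1 1 (soft reset)           */

/* 1 if a data byte follows, 0 if not, -1 if the pair is not in the table. */
int spi_has_data(unsigned opcode, unsigned arg)
{
    if (arg > 0x1Fu) return -1;
    switch (opcode) {
    case OP_RCR: return 0;
    case OP_RBM: return arg == ARG_BUFFER ? 0 : -1;
    case OP_WCR: case OP_BFS: case OP_BFC: return 1;
    case OP_WBM: return arg == ARG_BUFFER ? 1 : -1;
    case OP_SC:  return arg == ARG_RESET ? 0 : -1;
    default:     return -1;          /* opcode 1 1 0 is not in the table */
    }
}

/* Builds the frame the master shifts out; returns its length, 0 on error. */
size_t spi_frame(unsigned opcode, unsigned arg, uint8_t data, uint8_t out[2])
{
    int has_data = spi_has_data(opcode, arg);
    if (has_data < 0) return 0;
    out[0] = (uint8_t)((opcode << 5) | arg);
    if (has_data) out[1] = data;
    return (size_t)(1 + has_data);
}

/* Splits an instruction byte into opcode and argument; -1 if not in table. */
int spi_parse(uint8_t insn, unsigned *opcode, unsigned *arg)
{
    *opcode = insn >> 5;
    *arg = insn & 0x1Fu;
    return spi_has_data(*opcode, *arg) < 0 ? -1 : 0;
}

int main(void)
{
    uint8_t f[2] = {0, 0};
    /* Constructed sample: write 0x03 to control register address 0x18. */
    size_t n = spi_frame(OP_WCR, 0x18, 0x03, f);
    printf("WCR frame: %02X %02X (%zu bytes)\n", f[0], f[1], n);
    return 0;
}
```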
The Software
The software is composed of three layers:
• Sniffing Application - appropriately executes the receive and transmit functions.
• Ethernet Firmware - configures the Ethernet controller and provides the receive and transmit functions.
• SPI Instructions - code initializing the Atmega328p to operate in master mode for SPI, and the SPI Ethernet controller instructions.
[Diagram labels: Sniffing Application, Ethernet Firmware, SPI Instructions]
Handling the Acquired Data
Once the HPS is in place and switched on, it will begin transmitting data to the designated destination MAC and IP address.
To view and capture the data, a network protocol analyzer, such as Wireshark, must be used.
• Implementing capture filters for source IP or MAC address can isolate the target packets.
Sample Wireshark Capture
Building the Board
The device is wired according to the displayed circuit diagram.
It is critical that the master and slave pins be wired correctly for the SPI protocols to function properly.
Building the Board

| Part | Price |
|---|---|
| mikroETH Board | $24.00 |
| AA 1.5V Battery | $0.40 |
| Bodhilabs AA Battery Holder with 3.3V Regulator | $10.95 |
| ATMEGA328P-PU Microcontroller | $2.24 |
| Perf Board | $3.52 |
| Short Ethernet Cable | $1.85 |
| 328P Socket | $0.17 |
| Slide Switch | $0.86 |
| Total Price | $43.99 |
Summary
The HPS is a simple, do-it-yourself packet sniffer for penetration testing.
The device is easy to fabricate.
It is less expensive than other penetration testing devices offered on the market.
Thank You
Veronica Swanson: University of California, Irvine
“CyberSecurity for the Next Generation”
North American Round, New York 15th – 17th November, 2012