3.1 Survey, Select & Attack
The SkyNET drone's initial task is to survey local wireless networks in the area of interest. Information about the composition of local networks is gathered: BSSID, SSID, encryption type, channel, and the MAC address(es) of associated clients. Capturing handshakes and data across all channels at this point is not feasible, as our monitoring wireless card has to rapidly cycle through channels to gather the access point and client association information efficiently. An attacker should structure channel selection based upon the wireless network composition of each individual channel. This could be done through weighted metrics, including the composition of encryption types, the number of clients per network, and signal strength, allowing for more effective use of flight time. As open networks require no data collection or cracking to connect, these are the easiest targets. It should be noted that wireless hotspots, although often open networks, may not provide loyal clients and may be ineffective for exploitation. Once SkyNET has determined the wireless network(s) to attack, it must crack the encryption of the various wireless networks it wishes to access.
3.1.1 Wired Equivalent Privacy (WEP)
WEP requires clients and access points to share up to four secret symmetric keys for communications. Most installations just use a single key, called the root key. Using the improved PTW attack in Aircrack-ng, we can obtain a 95% success rate of cracking the key with between approximately 40,000 and 50,000 packets, depending on whether the Initialization Vector is generated randomly or in counter mode, respectively. To put this into perspective, a common viral YouTube video which is 228 seconds long generates 30,208 packets at 320p (the default setting). With packet injection, gathering the necessary amount of data takes a matter of minutes.
3.1.2 Wi-Fi Protected Access (WPA)
SkyNET infiltrates WPA and WPA2 encrypted networks by attacking the Pairwise Master Key (PMK). If a Pre-Shared Key (PSK) is used, then PSK = PMK. The PSK is 8 to 63 characters. This is the solution provided to home networks and small enterprises that lack authentication servers. It is generated using a known algorithm: PSK = PMK = PBKDF2(password, SSID, SSID length, 4096, 256), where PBKDF2 is a method specified in RSA's Public Key Cryptography Standard #5, 4096 is the number of hashes, and 256 bits is the output length. The number of hashes required makes brute forcing computationally intensive and not suitable to be done on the drone.
The Pairwise Temporal Key each client session uses is derived from the PMK using the 4-way handshake. To attack the PMK, the attacker needs to capture the 4-way handshake messages. An attacker, the drone, can actively force a 4-way handshake to occur by deauthenticating an associated client, forcing the client to re-associate with the access point.
As the drone has limited computational power, cracking keys in wireless networks efficiently is not feasible. To compensate, the drone utilizes a 3G mobile data link to off-load computation to an Amazon Elastic Compute Cloud (EC2) GPU Cluster instance running Aircrack-ng and Pyrit. The full Aircrack-ng suite is available on the drone for packet capture and attacks requiring injection.
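The PSK derivation written above, and the cost argument that follows from it, can be checked directly. The following Python is an added illustration and is not code from the paper or from the Aircrack-ng or Pyrit projects. It assumes the detail that the page leaves implicit but IEEE 802.11i fixes: the PBKDF2 pseudo-random function is HMAC-SHA1, the salt is the SSID, and the output is 32 bytes. The function names (derive_pmk, seconds_per_candidate) and the "candidateNNNNNNNN" passphrases are constructed for the example; the "password"/"IEEE" pair is the standard's own published test vector.

```python
import hashlib
import time

# IEEE 802.11i defines the WPA/WPA2-Personal PSK as
#   PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32 bytes),
# i.e. the PBKDF2(password, SSID, SSID length, 4096, 256) written in the text.
WPA_ITERATIONS = 4096
PMK_LEN_BYTES = 32      # 256-bit output


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK (= PMK) for a WPA-Personal network.

    The salt is the SSID, so one passphrase yields a different PMK on every
    network name: a precomputed table is only valid for a single SSID, which
    is one reason a unique SSID is worth more than a default one.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),   # 802.11i limits the passphrase to printable ASCII
        ssid.encode("utf-8"),
        WPA_ITERATIONS,
        dklen=PMK_LEN_BYTES,
    )


def seconds_per_candidate(ssid: str, candidates: int = 200) -> float:
    """Time the derivation over constructed candidate passphrases.

    Every guess checked against a captured handshake costs at least one full
    PBKDF2 run (4096 iterations over two SHA-1-sized output blocks), which is
    the work the paper moves off the drone to a GPU instance.
    """
    start = time.perf_counter()
    for i in range(candidates):
        derive_pmk(f"candidate{i:08d}", ssid)   # constructed, not real passphrases
    return (time.perf_counter() - start) / candidates


if __name__ == "__main__":
    # Test vector from IEEE Std 802.11i-2004 Annex H.4: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    cost = seconds_per_candidate("IEEE")
    print(f"~{cost * 1e6:.0f} us per candidate on this CPU "
          f"({1 / cost:,.0f} candidates/s, single-threaded)")
```

Running the block prints the PMK for the Annex H.4 vector and a per-candidate timing; dividing the size of a candidate passphrase space by that rate gives the single-core guessing time that motivates the 3G off-load, and shows the defender which lever (passphrase entropy, not SSID secrecy) actually changes the cost.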
3.2 Attack & Enlist
Once the drone has access to a compromised network, its second task is to attack hosts, preferring non-mobile hosts. The botmaster can deploy an array of attack scripts or frameworks. In our example we suggest using the open source Metasploit framework, scripted to run. Once a host is compromised, the drone exchanges identification information, configures a callback mechanism, and secures the host as it is now a potential asset to SkyNET. A better outline of this exchange is described in the next section.
4 SkyNET Command and Control
In this section we describe an example protocol for controlling SkyNET. This protocol demonstrates a process of converting a compromised host into a bot controller (Enlist), and a process for commanding bot controllers. Controllers will receive command data delivered by a SkyNET drone, from the botmaster. In this example we demonstrate how the drone can be used as a secure and trusted channel (phase 1), and as an untrusted information relay (phase 2). Figure 2 shows these two phases for one bot controller (host/controller), separated by a star. The star represents a second flight of the SkyNET drone. We refer to this example protocol as a control protocol, but it also delivers botnet commands to bot controllers. An encryption or decryption key used between parties
for communication from
for communication from
. We callthe botmaster
, a host or controller
and the drone