From 7753c245d27db98900afc0c16b8af53fffd51392 Mon Sep 17 00:00:00 2001 From: Ruakij Date: Thu, 9 Dec 2021 12:52:28 +0100 Subject: [PATCH] Created first big version of documentation --- README.md | 348 ++++++++++++++++++++++++++++++++++++++++++- docs/img/header0.png | Bin 0 -> 13787 bytes 2 files changed, 346 insertions(+), 2 deletions(-) create mode 100644 docs/img/header0.png diff --git a/README.md b/README.md index fd52817..72f59aa 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,347 @@ -# rfmon-to-influx +rfmon-to-influx +================= -Writing (mostly meta-) data received in Wireless-Monitor-Mode into an InfluxDB. \ No newline at end of file +![](docs/img/header0.png) +*Successful Associations, grouped by AP within 24h* + +
+ +Writing (mostly meta-) data received in Wireless-Monitor-Mode into an InfluxDB. + +
+ +Table of contents +================= + +- [1. Description](#1-description) + - [1.1. What kind of data](#11-what-kind-of-data) + - [1.2. Data-Usage](#12-data-usage) + - [1.3. Tools used](#13-tools-used) +- [2. Usage/Installation](#2-usageinstallation) + - [2.1. Prerequisites](#21-prerequisites) + - [2.2. Running with Docker](#22-running-with-docker) + - [2.3. Environment-Variables](#23-environment-variables) +- [3. Data collected](#3-data-collected) + - [3.1. Data-Types](#31-data-types) + - [3.2. Metric-Overview](#32-metric-overview) + - [3.3. Metric-Details](#33-metric-details) + - [3.4. Tag-Overview](#34-tag-overview) + - [3.5. Tag-Details](#35-tag-details) +- [4. Screenshots](#4-screenshots) +- [5. Potential Issues](#5-potential-issues) + - [5.1. Channel/Frequency](#51-channelfrequency) + - [5.2. Technology](#52-technology) + - [5.3. Data protection](#53-data-protection) + - [5.4. Ethical](#54-ethical) + +
+ +# 1. Description + +This Program listens on an Wifi-Interface in Monitor-Mode (rfmon) and logs most actions made into an influx or influx-like time-database. + +
+ +## 1.1. What kind of data + +**Any** packet sent by a router or station nearby is received and its metadata is collected and categorised. + +The host does **not** have to be part of that network. + +
+ +## 1.2. Data-Usage + +The data can be used to identify problems with the wifi-communication nearby +e.g. +- Wifi-Congestion at certain times of the day +- occurring signal-issues + - e.g. due to broken Microwave-Ovens disrupting communications + - or moving big Objects (e.g. Machines) causing signal-reduction. + +
+ +Aswell as gaining knowledge about installed routers and user interaction with them +e.g. +- in a company environment + - Logging presense and activity of interconnected machines + - Finding other Access-Points not allowed due to potential disruption of Production-Lines + +
+ +Other usages might be threat-detection at Wifi-Level +e.g. +- Deauthentication-Attacks +- Bruteforce-Attempts + +
+ +## 1.3. Tools used + +The program uses `tcpdump` for listening in a subProcess and then extract the metadata when packets arrive. + + +
+ +# 2. Usage/Installation + +## 2.1. Prerequisites + +The Wifi-Interface cannot be used elsewhere at the same time e.g. Network-Manager. +(Packet-capture e.g. tcpdump or Wireshark is ok) + +As of this version, the program does **not** set the interface into monitor mode or changes to channels. + +
+ +### 2.1.1. Interface into Monitor-Mode (rfmon) + +You can change into Monitor-mode beforehand with the packages `net-tools` and `wireless-tools`: +```sh +ifconfig down +iwconfig mode Monitor +ifconfig up +``` + +
+ +### 2.1.2. Set/Change channels + +You can set the channel of the interface (if the interface allows this) with the package `wireless-tools`: +```sh +iw dev set channel +``` + +
+ +## 2.2. Running with Docker + +### 2.2.1. Permissions + +The container must run as **root**, to have permission to listen on the wifi-interface. + +
+ +### 2.2.2. docker run + +Either run with docker directly. + +```sh +docker run + -d + --restart unless-stopped + --network host + -e WIFI_INTERFACE="" + -e INFLUX_URL="http://influxdb:8086/" + -e INFLUX_TOKEN="" + -e INFLUX_ORG="" + -e INFLUX_BUCKET="" + ruakij/rfmon-to-influx:2 +``` + +
+ +### 2.2.3. docker-compose + +Or use the more preferred way with docker-compose. + +`docker-compose.yml` + +```yaml +version: '3' + +services: + rfmon: + container_name: rfmon + image: ruakij/rfmon-to-influx:2 + restart: unless-stopped + network_mode: "host" + environment: + - WIFI_INTERFACE="" + - INFLUX_URL="http://influxdb:8086/" + - INFLUX_TOKEN="" + - INFLUX_ORG="" + - INFLUX_BUCKET="" +``` + +And then pull&start the container: +```sh +docker-compose up -d +``` + +
+ +## 2.3. Environment-Variables + +### 2.3.1. Necessary + +Variable|Description +---|--- +`INFLUX_URL` | Url of influx-server +`INFLUX_TOKEN` | Token with write-access +`INFLUX_ORG` | Organisation and.. +`INFLUX_BUCKET` | Bucket to write into + +
+ +### 2.3.2. Optional + +Variable|Default|Description +---|---|--- +`LOGLEVEL` | INFO | Loglevel +`WIFI_INTERFACE` | wlan0 | Token with write-access +~~`HOSTNAME`~~ | ~~Device's Hostname~~ | ~~Hostname to use as global hostname-tag~~ *(Unused)* + +
+ +# 3. Data collected + +8 Metrics are constructed with 6-10 tags identifying them. + +
+ +## 3.1. Data-Types + +Type|Example|Description +---|---|--- +`String` | Wlan | - +`Number` | 0 | Any normal number, positive and negative +`Boolean` | true | true or false values +`MAC` | 12:34:56:78:9A:BC | Address for L2-networks + +
+ +## 3.2. Metric-Overview +--- +
+ +Name|Type|Description +---|---|--- +rfmon_signal_dbm | `Number` (-95 <> -20) | Signal-Level of every Packet in dBm +rfmon_datarate_bytes | `Number` (1 <> 144) | Data-Rate of every Packet in MBit/s +rfmon_ssid_names | `String` (Length: 0-32) | SSIDs of any Packet containing it +rfmon_authenticationtype_info | `String` | Authentication-Type used by Sender +rfmon_associationsuccess_bools | `Boolean` | Result of an Association +rfmon_disassociationreason_info | `String` | Disconnect-Reason from a ST (not always sent) +rfmon_handshakestage_info | `Number` (1 <> 4) | Stage of a handshake (1 and 3 from ST, 2 and 4 from AP) + +
+ +## 3.3. Metric-Details + +### 3.3.1. rfmon_ssid_names +`String` (Length: 0-32) + +SSIDs from ProbeRequest might be empty (probe for any) or in case of Beacon-Frames could be hidden. + +### 3.3.2. rfmon_authenticationtype_info +`String` {OpenSystem_1, OpenSystem_2, Unknown} + +
+ +## 3.4. Tag-Overview +--- +
+ +Name |Type |Description +---|---|--- +srcmac | `MAC` | Sender's MAC-Address (not present in ClearToSend-Packet) +dstmac | `MAC` | Destination's MAC-Address (not present in RequestToSend-Packet) +bssid | `MAC` | AP's MAC-Address +frequency | `Number` | Frequency the packet was captured on in MHz +packetType | `String` | Type of packet +flags_MoreFragments | `Boolean` | Packet is incomplete +flags_Retry | " | Packet is being retried +flags_PwrMgt | " | Sender will not sleep +flags_MoreData | " | More data in send-buffer to be expected +flags_Protected | " | Packet is protected +flags_Order | " | Packet is strictly ordered + +
+ +## 3.5. Tag-Details + +### 3.5.1. frequency +`Number` (2412 <> 2484) + +The frequency corresponds to following wifi-channels: + +Channel|Frequency +---|--- +1 | 2412 +2 | 2417 +3 | 2422 +4 | 2427 +5 | 2432 +6 | 2437 +7 | 2442 +8 | 2447 +9 | 2452 +10 | 2457 +11 | 2462 +12 | 2467 +13 | 2472 +14 | 2484 + +See [Wikipedia - List of WLAN channels - 2.4GHz](https://en.wikipedia.org/wiki/List_of_WLAN_channels#2.4_GHz_(802.11b/g/n/ax)) for more Information. + +### 3.5.2. packettype +`String` + +Type|Sender|Description +---|---|--- +Beacon | AP | Signal its presence and provide synchronisation for Stations +ProbeRequest | ST | Ask if certain RA/SSID is available +ProbeResponse | AP | Directly respond to Request and Signal own presence +Data | Both | Data-packets +RequestToSend | ST | Ask for transmission-time +ClearToSend | RA | Ack transmission-time +Acknowledgment | Both | Ack Data-Packets +BlockAcknowledgment | Both | Ack alot of Data-Packets at once +NoData | Both | Packet without content, typically used to transmit QoS-States +Authentication | Both | Authentication-process to establish identity and set states +AssociationRequest | ST | Register to AP +AssociationResponse | AP | Respond to registering +Disassociation | ST | Actively unregister e.g. to associate with different AP +Handshake | Both | 4-Way-EAPOL-Handshake to generate encryption-keys between participants +Unknown | - | Unknown packets not identified into above types + +
+ +# 4. Screenshots + +
+ +# 5. Potential Issues + +## 5.1. Channel/Frequency + +The System can only monitor one channel at a time which might not be enough cover, +to combat this, more Interfaces and Systems can be deployed. + +This is not entirely unproblematic, as the system cannot currently prevent packages from being inserted more than once. + +
+ +## 5.2. Technology + +Mismatches between sender and receiver-technologies (e.g. MIMO or HT) can cause packets not being logged at all. +Though this should only be a problem for data-packets. + +
+ +## 5.3. Data protection + +Because the system collects any data, this can be problematic, specially in countries with strong data-protection laws. + +A wifi MAC address is likely to be considered as information of an identifiable natural person, e.g. under GDPR Art.4 (1) and its processing may only be done with prior consent or has to be anonymised. + +
+ +## 5.4. Ethical + +The large-scale collection of data for behavioural or movement analysis, especially without consent of the data subject, is highly controversial. + +Metadata that can be used to track precise activities, such as wifi data, is very powerful and should only be collected and used when necessary. + +If this data falls into the hands of a malicious actor, more precise attacks on the targets could be carried out, such as break-insv, behaviour-based discrimination or more successful phishing. 
diff --git a/docs/img/header0.png b/docs/img/header0.png new file mode 100644 index 0000000000000000000000000000000000000000..90a4b4e77d1addb12ba455e75962ddc1e78690cb GIT binary patch literal 13787
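Review bot: In README section 2.3.2 the `WIFI_INTERFACE` row carries the description "Token with write-access", copied from the `INFLUX_TOKEN` row above it; it should say that this is the name of the monitor-mode interface to capture on. Section 3 announces "8 Metrics" but the table in 3.2 lists seven, and `rfmon_datarate_bytes` is documented in MBit/s, so either the name or the unit is off. The `rfmon_handshakestage_info` row says stages 1 and 3 come from the ST and 2 and 4 from the AP; in the 4-way EAPOL handshake the AP sends messages 1 and 3 and the station sends 2 and 4. Likewise, a set PwrMgt bit announces that the sender is entering power-save, not that it "will not sleep". In 2.2.2 the multi-line `docker run` has no line continuations, so it cannot be pasted as written, and in 2.2.3 list-style entries such as `- INFLUX_URL="http://influxdb:8086/"` pass the double quotes through as part of the value; drop the quotes or use the mapping form. Both examples send `INFLUX_TOKEN` to an `http://` URL, so a sentence recommending TLS when InfluxDB is not on the same host would help, and 2.2.1 should state whether granting only the packet-capture capabilities is enough instead of full root. Section 2.1.2 attributes `iw` to `wireless-tools`, but it ships in the `iw` package, and as shown the commands in 2.1.1 and 2.1.2 name no interface or channel. The tag is spelled `packetType` in 3.4 but `packettype` in the 3.5.2 heading. Typos: "Aswell", "presense", "alot", "break-insv".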