Category: Wifi Pineapple

War Driving on the Wifi Pineapple: Part 2

You can skip this part if you like

But please don’t, it’s awesome.

I saw this tweet over 2G on my phone while at work, so I was unable to watch the video. I never thought that my blog would be the inspiration for this video, let alone a video that would be tweeted by Darren. Wow.

I would like to thank HackedExistence for the nice things he said about my blog. I went and watched a random video from his YouTube channel, and again he did a very nice job presenting on the subject at hand.

Updates!

So, wow … let’s talk about the updates I’ve made to the war driving system since I last posted on the subject.

Hardware

I am using the GlobalSat GPS dongle discussed in this post. It works fairly well, but you’ll want to check that it sticks in NMEA mode. To set the dongle to NMEA mode, use SiRF Demo. It does run under Wine on Fedora 20, which is how I primarily use it now. If you’re looking to get a GPS dongle, you can also look for ones that work with the Raspberry Pi. There were a few comments on the YouTube video remarking that war driving data is more useful if you know where the access points were located, and I agree.

Were I to purchase another GPS receiver, Adafruit published a tutorial for GPS on the Raspberry Pi that I thought would be another interesting approach. They use one of their GPS breakout boards and a serial TTL converter cable to interface with the Raspberry Pi. You might even be able to push the GPS data from the breakout board to the pineapple via the onboard serial converter instead of using a USB breakout.

When I was looking into GPS units, I found that the GPS standards are more like guidelines that aren’t often followed. The advantage of the Adafruit receiver would be the ability to shape its output into something that is standards compliant.

I’ve found that the little battery from Sparkfun lasts about 2 hours while I’m powering the pineapple and the GPS unit. For longer war driving sessions, say to Ohio and back, this does the job, as well as keeping my power hungry cell phone juiced up.

Software

Parsing the GPS data is done by kismet_server; GPSD was falling over itself.

One thing I never could manage to get working correctly was autostarting kismet_server. My thought was that something in the command stack was failing, but not kismet_server. Actually, it was the environment kismet_server was started in.

While trying to write this post I started researching how to get it to work. Someone else on the Hak5 forums had the same problem. Thankfully, that someone else documented the solution. The short explanation is that many of the environment variables needed by kismet_server are not loaded at the time that kismet_server starts.

The solution is to use a script that sets up the environment for kismet. I’m using harmless’ script, which follows:

	#!/bin/sh
	#/sd/usr/bin/printenv >> /sd/var/log/boot110.log

	#Setting some environment variables so that kismet can run
	#These were copied verbatim from the SSH printenv output:
	export LD_LIBRARY_PATH='/lib:/usr/lib:/sd/lib:/sd/usr/lib'
	export PATH='/bin:/sbin:/usr/bin:/usr/sbin:/sd/usr/bin:/sd/usr/sbin'

	#Run kismet (daemonized to suppress unnecessary output):
	kismet_server --daemonize -f /sd/kismet/kismet.conf
	pineapple notify 'kismet now running'

I saved it as kismet-server-start in root’s home directory. Remember to chmod +x it.

Configuration

HackedExistence’s video shows him setting up the microSD card to be automounted by the pineapple. I have also started letting the pineapple auto mount the SD card. This necessitated a change in the configuration file to use /sd/kismet instead of /mnt/test. These changes are also reflected in the kismet config, which I’ve included at the end of the post.

Boot Mode Setup

Because the pineapple now handles mounting the SD card at boot, I no longer need the old boot mode code that mounted the directory itself. I also needed to update it to use the script in /root. My new boot switch code is this:

	ifconfig wlan1 down && iwconfig wlan1 mode monitor && ifconfig wlan1 up && /root/kismet-server-start

At the end of the video, HackedExistence was cat’ing the contents of the files. Here’s my command to print just the access point names from the nettxt files (the tr argument deletes spaces, tabs, colons and double quotes; the last sed drops anything with two digits in a row):

	cat *.nettxt | grep "SSID       : " | sed -e 's/SSID//' | tr -d " \t:\"" | sed '/Cloaked/d' | sed '/cloaked/d' | sort -d | awk 'a !~ $0; {a=$0}' | sed '/[0-9][0-9]/d'

Where to from here?

The question I had that made me set all this up was, “How many android phones are openly accessible from the road?” I’m not any closer to answering that question. Honestly, I have not thought about it much since I set this system up. I’ve had other things accepted onto my plate that had a higher priority than this. However, in the little time I have thought about it, I’ve had a few different ideas:

  1. Using the first three octets of the MAC address (the vendor OUI).
  2. Some kind of filter based on location.
  3. How long the access point remains active (if I pass a car I should only see it for a few seconds).
  4. The other thing that I’ve thought about is that if I take two passes through an area, I can then subtract the ones that are there both times.
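The SSID one-liner above and ideas 1, 3 and 4 are easier to get right in a small parser than in sed. The following is an added example and not the author’s code: it assumes the newcore nettxt layout (a `Network N: BSSID` header followed by `First`/`Last`, `SSID` and `Encryption` lines), constructs two small passes down the same road, and implements the OUI lookup, the brief-sighting filter and the two-pass subtraction, plus a WPA/WEP/Open tally in the same three buckets the stats on this page use.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs in the layout of a Kismet newcore .nettxt file (assumed
# from the fields the page's grep relies on). Two passes down the same road:
# HomeNet is a fixed AP seen both times, the other two show up in one pass only.
PASS1 = """\
Network 1: BSSID 00:11:22:33:44:55
 First      : Sun Apr 13 12:00:01 2014
 Last       : Sun Apr 13 12:01:30 2014
   SSID 1
    SSID       : "HomeNet"
    Encryption : WPA+PSK
    Encryption : WPA+AES-CCM

Network 2: BSSID AA:BB:CC:00:00:01
 First      : Sun Apr 13 12:00:03 2014
 Last       : Sun Apr 13 12:00:05 2014
   SSID 1
    SSID       : "AndroidAP"
    Encryption : None
"""
PASS2 = """\
Network 1: BSSID 00:11:22:33:44:55
 First      : Sun Apr 13 12:30:01 2014
 Last       : Sun Apr 13 12:31:00 2014
    SSID       : "HomeNet"
    Encryption : WPA+PSK

Network 2: BSSID 00:11:22:66:77:88
 First      : Sun Apr 13 12:30:02 2014
 Last       : Sun Apr 13 12:31:30 2014
    SSID       : "linksys"
    Encryption : WEP
"""
# Constructed OUI table in the prefix/name layout the config's ouifile comment
# describes; the prefixes and vendor names are placeholders, not real vendor data.
MANUF = "00:11:22\tVendorA\nAA:BB:CC\tVendorB\n"
TIMEFMT = "%a %b %d %H:%M:%S %Y"   # ctime-style timestamps as Kismet writes them

def parse_nettxt(text):
    """Split a .nettxt dump into one dict per 'Network N:' block."""
    nets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Network \d+: BSSID ([0-9A-Fa-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1).upper(), "ssid": None, "enc": set(),
                   "first": None, "last": None}
            nets.append(cur)
            continue
        if cur is None:
            continue
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue                      # e.g. the "SSID 1" sub-header has no colon
        key, val = key.strip(), val.strip()
        if key == "SSID":
            cur["ssid"] = val.strip('"')
        elif key == "Encryption":
            cur["enc"].add(val)
        elif key in ("First", "Last") and cur[key.lower()] is None:
            # network-level timestamps come first; per-SSID copies are ignored
            cur[key.lower()] = datetime.strptime(val, TIMEFMT)
    return nets

def classify(net):
    """Bucket a network into the three categories the stats on this page use."""
    if any(e.startswith("WPA") for e in net["enc"]):
        return "WPA"
    if "WEP" in net["enc"]:
        return "WEP"
    return "Open"

def tally(nets):
    return dict(Counter(classify(n) for n in nets))

def load_manuf(text):
    """Parse 'prefix<whitespace>name' lines into an OUI -> vendor map."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"([0-9A-Fa-f:]{8})\s+(\S+)", line)
        if m:
            table[m.group(1).upper()] = m.group(2)
    return table

def vendor(net, table):
    """Idea 1: the first three octets of the BSSID are the vendor OUI."""
    return table.get(net["bssid"][:8], "Unknown")

def transient(nets, max_seconds=10):
    """Idea 3: networks in range only briefly (a passing car or a phone)."""
    return [n["bssid"] for n in nets
            if (n["last"] - n["first"]).total_seconds() <= max_seconds]

def seen_once(pass_a, pass_b):
    """Idea 4: drop what both passes saw; the remainder was not a fixed AP."""
    a, b = {n["bssid"] for n in pass_a}, {n["bssid"] for n in pass_b}
    return sorted(a ^ b)
```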

So, how about you folks? Any ideas? Leave them in the comments below, please!

Full Configuration File

http://soliloquyforthefallen.net/blog/?p=678
	# Kismet config file
	# Most of the "static" configs have been moved to here -- the command line
	# config was getting way too crowded and cryptic.  We want functionality,
	# not continually reading --help!

	# Version of Kismet config
	version=2009-newcore

	# Name of server (Purely for organizational purposes)
	servername=Kismet_2009

	# Prefix of where we log (as used in the logtemplate later)
	logprefix=/sd/kismet/logs

	# Do we process the contents of data frames?  If this is enabled, data
	# frames will be truncated to the headers only immediately after frame type
	# detection.  This will disable IP detection, etc, however it is likely
	# safer (and definitely more polite) if monitoring networks you do not own.
	# hidedata=true

	# Do we allow plugins to be used?  This will load plugins from the system
	# and user plugin directories when set to true (See the README for the default
	# plugin locations).
	allowplugins=true

	# See the README for full information on the new source format
	# ncsource=interface:options
	# for example:
	ncsource=wlan1
	# ncsource=wifi0:type=madwifi
	# ncsource=wlan0:name=intel,hop=false,channel=11

	# Comma-separated list of sources to enable.  This is only needed if you defined
	# multiple sources and only want to enable some of them.  By default, all defined
	# sources are enabled.
	# For example, if sources with name=prismsource and name=ciscosource are defined,
	# and you only want to enable those two:
	# enablesources=prismsource,ciscosource

	# Control which channels we like to spend more time on.  By default, the list
	# of channels is pulled from the driver automatically.  By setting preferred channels,
	# if they are present in the channel list, they'll be set with a timing delay so that
	# more time is spent on them.  Since 1, 6, 11 are the common default channels, it makes
	# sense to spend more time monitoring them.
	# For finer control, see further down in the config for the channellist= directives.
	preferredchannels=1,6,11

	# How many channels per second do we hop?  (1-10)
	channelvelocity=3

	# By setting the dwell time for channel hopping we override the channelvelocity
	# setting above and dwell on each channel for the given number of seconds.
	#channeldwell=10

	# Channels are defined as:
	# channellist=name:ch1,ch2,ch3
	# or
	# channellist=name:range-start-end-width-offset,ch,range,ch,...
	#
	# Channels may be a numeric channel or a frequency
	#
	# Channels may specify an additional wait period.  For common default channels,
	# an additional wait period can be useful.  Wait periods delay for that number
	# of times per second - so a configuration hopping 10 times per second with a
	# channel of 6:3 would delay 3/10ths of a second on channel 6.
	#
	# Channel lists may have up to 256 channels and ranges (combined).  For power
	# users scanning more than 256 channels with a single card, ranges must be used.
	#
	# Ranges are meant for "power users" who wish to define a very large number of
	# channels.  A range may specify channels or frequencies, and will automatically
	# sort themselves to cover channels in a non-overlapping fashion.  An example
	# range for the normal 802.11b/g spectrum would be:
	#
	# range-1-11-3-1
	#
	# which indicates starting at 1, ending at 11, a channel width of 3 channels,
	# incrementing by one.  A frequency based definition would be:
	#
	# range-2412-2462-22-5
	#
	# since 11g channels are 22 mhz wide and 5 mhz apart.
	#
	# Ranges have the flaw that they cannot be shared between sources in a non-overlapping
	# way, so multiple sources using the same range may hop in lockstep with each other
	# and duplicate the coverage.
	#
	# channellist=demo:1:3,6:3,11:3,range-5000-6000-20-10

	# Default channel lists
	# These channel lists MUST BE PRESENT for Kismet to work properly.  While it is
	# possible to change these, it is not recommended.  These are used when the supported
	# channel list can not be found for the source; to force using these instead of
	# the detected supported channels, override with channellist= in the source definition
	#
	# IN GENERAL, if you think you want to modify these, what you REALLY want to do is
	# copy them and use channellist= in the packet source.
	channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10
	channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165
	channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165

	# Client/server listen config
	listen=tcp://0.0.0.0:2501
	# People allowed to connect, comma separated IP addresses or network/mask
	# blocks.  Netmasks can be expressed as dotted quad (/255.255.255.0) or as
	# numbers (/24)
	allowedhosts=172.16.42.0/24

	# Maximum number of concurrent GUI's
	maxclients=5
	# Maximum backlog before we start throwing out or killing clients.  The
	# bigger this number, the more memory and the more power it will use.
	maxbacklog=5000

	# Server + Drone config options.  To have a Kismet server export live packets
	# as if it were a drone, uncomment these.
	# dronelisten=tcp://127.0.0.1:3501
	# droneallowedhosts=127.0.0.1
	# dronemaxclients=5
	# droneringlen=65535

	# OUI file, expected format 00:11:22manufname
	# IEEE OUI file used to look up manufacturer info.  We default to the
	# wireshark one since most people have that.
	ouifile=/etc/manuf
	ouifile=/usr/share/wireshark/wireshark/manuf
	ouifile=/usr/share/wireshark/manuf

	# Do we have a GPS?
	gps=true
	# Do we use a locally serial attached GPS, or use a gpsd server?
	# (Pick only one)
	#gpstype=gpsd
	gpstype=serial
	# What serial device do we look for the GPS on?
	gpsdevice=/dev/ttyUSB0
	# Host:port that GPSD is running on.  This can be localhost OR remote!
	#gpshost=localhost:2947
	# Do we lock the mode?  This overrides coordinates of lock "0", which will
	# generate some bad information until you get a GPS lock, but it will
	# fix problems with GPS units with broken NMEA that report lock 0
	gpsmodelock=false
	# Do we try to reconnect if we lose our link to the GPS, or do we just
	# let it die and be disabled?
	gpsreconnect=true

	# Do we export packets over tun/tap virtual interfaces?
	tuntap_export=false
	# What virtual interface do we use
	tuntap_device=kistap0

	# Packet filtering options:
	# filter_tracker - Packets filtered from the tracker are not processed or
	#                  recorded in any way.
	# filter_export  - Controls what packets influence the exported CSV, network,
	#                  xml, gps, etc files.
	# All filtering options take arguments containing the type of address and
	# addresses to be filtered.  Valid address types are 'ANY', 'BSSID',
	# 'SOURCE', and 'DEST'.  Filtering can be inverted by the use of '!' before
	# the address.  For example,
	# filter_tracker=ANY(!"00:00:DE:AD:BE:EF")
	# has the same effect as the previous mac_filter config file option.
	# filter_tracker=...
	# filter_dump=...
	# filter_export=...
	# filter_netclient=...

	# Alerts to be reported and the throttling rates.
	# alert=name,throttle/unit,burst
	# The throttle/unit describes the number of alerts of this type that are
	# sent per time unit.  Valid time units are second, minute, hour, and day.
	# Burst describes the number of alerts sent before throttling takes place.
	# For example:
	# alert=FOO,10/min,5
	# Would allow 5 alerts through before throttling is enabled, and will then
	# limit the number of alerts to 10 per minute.
	# A throttle rate of 0 disables throttling of the alert.
	# See the README for a list of alert types.
	alert=ADHOCCONFLICT,5/min,1/sec
	alert=AIRJACKSSID,5/min,1/sec
	alert=APSPOOF,10/min,1/sec
	alert=BCASTDISCON,5/min,2/sec
	alert=BSSTIMESTAMP,5/min,1/sec
	alert=CHANCHANGE,5/min,1/sec
	alert=CRYPTODROP,5/min,1/sec
	alert=DISASSOCTRAFFIC,10/min,1/sec
	alert=DEAUTHFLOOD,5/min,2/sec
	alert=DEAUTHCODEINVALID,5/min,1/sec
	alert=DISCONCODEINVALID,5/min,1/sec
	alert=DHCPNAMECHANGE,5/min,1/sec
	alert=DHCPOSCHANGE,5/min,1/sec
	alert=DHCPCLIENTID,5/min,1/sec
	alert=DHCPCONFLICT,10/min,1/sec
	alert=NETSTUMBLER,5/min,1/sec
	alert=LUCENTTEST,5/min,1/sec
	alert=LONGSSID,5/min,1/sec
	alert=MSFBCOMSSID,5/min,1/sec
	alert=MSFDLINKRATE,5/min,1/sec
	alert=MSFNETGEARBEACON,5/min,1/sec
	alert=NULLPROBERESP,5/min,1/sec
	#alert=PROBENOJOIN,5/min,1/sec

	# Controls behavior of the APSPOOF alert.  SSID may be a literal match (ssid=) or
	# a regex (ssidregex=) if PCRE was available when kismet was built.  The allowed
	# MAC list must be comma-separated and enclosed in quotes if there are multiple
	# MAC addresses allowed.  MAC address masks are allowed.
	apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55
	apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,aa:bb:cc:dd:ee:ff"

	# Known WEP keys to decrypt, bssid,hexkey.  This is only for networks where
	# the keys are already known, and it may impact throughput on slower hardware.
	# Multiple wepkey lines may be used for multiple BSSIDs.
	# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900

	# Is transmission of the keys to the client allowed?  This may be a security
	# risk for some.  If you disable this, you will not be able to query keys from
	# a client.
	allowkeytransmit=true

	# How often (in seconds) do we write all our data files (0 to disable)
	writeinterval=300

	# Do we use sound?
	# Not to be confused with GUI sound parameter, this controls whether or not the
	# server itself will play sound.  Primarily for headless or automated systems.
	enablesound=false
	# Path to sound player
	soundbin=play

	sound=newnet,true
	sound=newcryptnet,true
	sound=packet,true
	sound=gpslock,true
	sound=gpslost,true
	sound=alert,true

	# Does the server have speech? (Again, not to be confused with the GUI's speech)
	enablespeech=false
	# Binary used for speech (if not in path, full path must be specified)
	speechbin=flite
	# Specify raw or festival; Flite (and anything else that doesn't need formatting
	# around the string to speak) is 'raw', festival requires the string be wrapped in
	# SayText("...")
	speechtype=raw

	# How do we speak?  Valid options:
	# speech    Normal speech
	# nato      NATO spellings (alpha, bravo, charlie)
	# spell     Spell the letters out (aye, bee, sea)
	speechencoding=nato

	speech=new,"New network detected s.s.i.d. %1 channel %2"
	speech=alert,"Alert %1"
	speech=gpslost,"G.P.S. signal lost"
	speech=gpslock,"G.P.S. signal O.K."

	# How many alerts do we backlog for new clients?  Only change this if you have
	# a -very- low memory system and need those extra bytes, or if you have a high
	# memory system and a huge number of alert conditions.
	alertbacklog=50

	# File types to log, comma separated.  Built-in log file types:
	# alert				Text file of alerts
	# gpsxml			XML per-packet GPS log
	# nettxt			Networks in text format
	# netxml			Networks in XML format
	# pcapdump			tcpdump/wireshark compatible pcap log file
	# string			All strings seen (increases CPU load)
	logtypes=pcapdump,gpsxml,netxml,nettxt,alert

	# Format of the pcap dump (PPI or 80211)
	pcapdumpformat=ppi
	# pcapdumpformat=80211

	# Default log title
	logdefault=Kismet

	# logtemplate - Filename logging template.
	# This is, at first glance, really nasty and ugly, but you'll hardly ever
	# have to touch it so don't complain too much.
	#
	# %p is replaced by the logging prefix + '/'
	# %n is replaced by the logging instance name
	# %d is replaced by the starting date as Mon-DD-YYYY
	# %D is replaced by the current date as YYYYMMDD
	# %t is replaced by the starting time as HH-MM-SS
	# %i is replaced by the increment log in the case of multiple logs
	# %l is replaced by the log type (pcapdump, strings, etc)
	# %h is replaced by the home directory

	logtemplate=%p%n-%D-%t-%i.%l

	# Where state info, etc, is stored.  You shouldn't ever need to change this.
	# This is a directory.
	configdir=%h/.kismet/

War Driving on the Wifi Pineapple: Geotagging Access Points

In my second to last post I was talking about the GlobalSat ND-100S USB GPS Dongle. I said it didn’t work. Then in my last post, I said maybe it did.

It worked.

I won’t give everything away, because it draws pretty much a big arrow to where I live, but some interesting stats:

  • WPA Protected networks: 1,497
  • WEP Protected Networks: 108
  • Open Networks: 1,193

So, some interesting tidbits and a large mass of data … now I just have to figure out what statistics to generate from the information (and how).


War Driving on the Wifi Pineapple: Post One!

Wardriving With The Wifi Pineapple mark V

You can skip this part if you like

If it wasn’t clear to anyone that I make things up as I go: I pretty much don’t know what I’m doing. But I do it anyway, because it means that

  1. I learn something new
  2. I’m never bored because I’m always
  3. Challenging myself.

Background

This morning I was looking at GPS units because I’m trying to get my Wifi Pineapple to do stuff. In my last post, I mentioned my intent to return the GPS unit because I thought it was defective. Thing is, it’s not defective, per se. I just don’t know what I’m doing. I think. I’ve seen posts on the Amazon website about running the same GPS stick under Linux with no issues, as well as this post on hooking everything up to the Raspberry Pi. It seems to be Linux compatible for all that I can see.

This trouble occurs after I’ve plugged the GPS chip into my computer and gotten everything working from there. I’ll have to write a separate blog post about how to actually get the thing to run.

The problem is that gpsd is being temperamental, which seems to be par for the course. GPSD isn’t outputting any debug information when I use it. Apparently. There’s no output when everything is working, and no debug information to say what is not working. So, I don’t know for sure whether gpsd is or is not working.

The solution, of course, is to use something other than gpsd. kismet_server does provide a way to directly access a GPS device, so let’s use that. The problem with that is it also doesn’t seem to output any errors, which may mean everything is working perfectly. Or not. At least with kismet_server managing the GPS tracking you don’t get an error saying GPSD has been unresponsive for the last 15 minutes and kismet_server needs to reconnect.

Hardware

The core is the Wifi Pineapple from Hak5. Next up are some parts from Sparkfun: a USB power cable and a Li-ion battery pack. Alternately I have a USB charger for the cigarette lighter that provides much longer lasting power. Then I have a leftover 2GB microSD card that I usually leave in the pineapple. The final part is the GPS dongle.

Software

Software side, it’s still pretty easy. To get kismet_server on the pineapple you’ll need it connected to the wifi somehow. Then you’ll run:

	opkg update
	opkg install kismet_server

I wouldn’t bother with installing gpsd. It doesn’t seem to work, and it’s one more layer to go wrong.

You could use kismet_drone but then you have to connect it to a kismet_server. It might be nice if you had an army of drones that you wanted to connect back to a single server so that multiple people could connect to it, but I can’t see any purpose to it in my application.

Conf Files

Here’s my kismet.conf for kismet_server.

			#http://soliloquyforthefallen.net/blog/2014/04/12/wardriving-with-the-wifi-pineapple-mark-v
			# Kismet config file
			# Most of the "static" configs have been moved to here -- the command line
			# config was getting way too crowded and cryptic.  We want functionality,
			# not continually reading --help!

			# Version of Kismet config
			version=2009-newcore

			# Name of server (Purely for organizational purposes)
			servername=Kismet_2009

			# Prefix of where we log (as used in the logtemplate later)
			logprefix=/mnt/test/kismet/logs

			# Do we process the contents of data frames?  If this is enabled, data
			# frames will be truncated to the headers only immediately after frame type
			# detection.  This will disable IP detection, etc, however it is likely
			# safer (and definitely more polite) if monitoring networks you do not own.
			# hidedata=true

			# Do we allow plugins to be used?  This will load plugins from the system
			# and user plugin directories when set to true (See the README for the default
			# plugin locations).
			allowplugins=true

			# See the README for full information on the new source format
			# ncsource=interface:options
			# for example:
			ncsource=wlan1
			# ncsource=wifi0:type=madwifi
			# ncsource=wlan0:name=intel,hop=false,channel=11

			# Comma-separated list of sources to enable.  This is only needed if you defined
			# multiple sources and only want to enable some of them.  By default, all defined
			# sources are enabled.
			# For example, if sources with name=prismsource and name=ciscosource are defined,
			# and you only want to enable those two:
			# enablesources=prismsource,ciscosource

			# Control which channels we like to spend more time on.  By default, the list
			# of channels is pulled from the driver automatically.  By setting preferred channels,
			# if they are present in the channel list, they'll be set with a timing delay so that
			# more time is spent on them.  Since 1, 6, 11 are the common default channels, it makes
			# sense to spend more time monitoring them.
			# For finer control, see further down in the config for the channellist= directives.
			preferredchannels=1,6,11

			# How many channels per second do we hop?  (1-10)
			channelvelocity=3

			# By setting the dwell time for channel hopping we override the channelvelocity
			# setting above and dwell on each channel for the given number of seconds.
			#channeldwell=10

			# Channels are defined as:
			# channellist=name:ch1,ch2,ch3
			# or
			# channellist=name:range-start-end-width-offset,ch,range,ch,...
			#
			# Channels may be a numeric channel or a frequency
			#
			# Channels may specify an additional wait period.  For common default channels,
			# an additional wait period can be useful.  Wait periods delay for that number
			# of times per second - so a configuration hopping 10 times per second with a
			# channel of 6:3 would delay 3/10ths of a second on channel 6.
			#
			# Channel lists may have up to 256 channels and ranges (combined).  For power
			# users scanning more than 256 channels with a single card, ranges must be used.
			#
			# Ranges are meant for "power users" who wish to define a very large number of
			# channels.  A range may specify channels or frequencies, and will automatically
			# sort themselves to cover channels in a non-overlapping fashion.  An example
			# range for the normal 802.11b/g spectrum would be:
			#
			# range-1-11-3-1
			#
			# which indicates starting at 1, ending at 11, a channel width of 3 channels,
			# incrementing by one.  A frequency based definition would be:
			#
			# range-2412-2462-22-5
			#
			# since 11g channels are 22 mhz wide and 5 mhz apart.
			#
			# Ranges have the flaw that they cannot be shared between sources in a non-overlapping
			# way, so multiple sources using the same range may hop in lockstep with each other
			# and duplicate the coverage.
			#
			# channellist=demo:1:3,6:3,11:3,range-5000-6000-20-10

			# Default channel lists
			# These channel lists MUST BE PRESENT for Kismet to work properly.  While it is
			# possible to change these, it is not recommended.  These are used when the supported
			# channel list can not be found for the source; to force using these instead of
			# the detected supported channels, override with channellist= in the source definition
			#
			# IN GENERAL, if you think you want to modify these, what you REALLY want to do is
			# copy them and use channellist= in the packet source.
			channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10
			channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165
			channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165

			# Client/server listen config
			listen=tcp://0.0.0.0:2501
			# People allowed to connect, comma separated IP addresses or network/mask
			# blocks.  Netmasks can be expressed as dotted quad (/255.255.255.0) or as
			# numbers (/24)
			allowedhosts=172.16.42.0/24

			# Maximum number of concurrent GUI's
			maxclients=5
			# Maximum backlog before we start throwing out or killing clients.  The
			# bigger this number, the more memory and the more power it will use.
			maxbacklog=5000

			# Server + Drone config options.  To have a Kismet server export live packets
			# as if it were a drone, uncomment these.
			# dronelisten=tcp://127.0.0.1:3501
			# droneallowedhosts=127.0.0.1
			# dronemaxclients=5
			# droneringlen=65535

			# OUI file, expected format 00:11:22manufname
			# IEEE OUI file used to look up manufacturer info.  We default to the
			# wireshark one since most people have that.
			ouifile=/etc/manuf
			ouifile=/usr/share/wireshark/wireshark/manuf
			ouifile=/usr/share/wireshark/manuf

			# Do we have a GPS?
			gps=true
			# Do we use a locally serial attached GPS, or use a gpsd server?
			# (Pick only one)
			#gpstype=gpsd
			gpstype=serial
			# What serial device do we look for the GPS on?
			gpsdevice=/dev/ttyUSB0
			# Host:port that GPSD is running on.  This can be localhost OR remote!
			#gpshost=localhost:2947
			# Do we lock the mode?  This overrides coordinates of lock "0", which will
			# generate some bad information until you get a GPS lock, but it will
			# fix problems with GPS units with broken NMEA that report lock 0
			gpsmodelock=false
			# Do we try to reconnect if we lose our link to the GPS, or do we just
			# let it die and be disabled?
			gpsreconnect=true

			# Do we export packets over tun/tap virtual interfaces?
			tuntap_export=false
			# What virtual interface do we use
			tuntap_device=kistap0

			# Packet filtering options:
			# filter_tracker - Packets filtered from the tracker are not processed or
			#                  recorded in any way.
			# filter_export  - Controls what packets influence the exported CSV, network,
			#                  xml, gps, etc files.
			# All filtering options take arguments containing the type of address and
			# addresses to be filtered.  Valid address types are 'ANY', 'BSSID',
			# 'SOURCE', and 'DEST'.  Filtering can be inverted by the use of '!' before
			# the address.  For example,
			# filter_tracker=ANY(!"00:00:DE:AD:BE:EF")
			# has the same effect as the previous mac_filter config file option.
			# filter_tracker=...
			# filter_dump=...
			# filter_export=...
			# filter_netclient=...

			# Alerts to be reported and the throttling rates.
			# alert=name,throttle/unit,burst
			# The throttle/unit describes the number of alerts of this type that are
			# sent per time unit.  Valid time units are second, minute, hour, and day.
			# Burst describes the number of alerts sent before throttling takes place.
			# For example:
			# alert=FOO,10/min,5
			# Would allow 5 alerts through before throttling is enabled, and will then
			# limit the number of alerts to 10 per minute.
			# A throttle rate of 0 disables throttling of the alert.
			# See the README for a list of alert types.
			alert=ADHOCCONFLICT,5/min,1/sec
			alert=AIRJACKSSID,5/min,1/sec
			alert=APSPOOF,10/min,1/sec
			alert=BCASTDISCON,5/min,2/sec
			alert=BSSTIMESTAMP,5/min,1/sec
			alert=CHANCHANGE,5/min,1/sec
			alert=CRYPTODROP,5/min,1/sec
			alert=DISASSOCTRAFFIC,10/min,1/sec
			alert=DEAUTHFLOOD,5/min,2/sec
			alert=DEAUTHCODEINVALID,5/min,1/sec
			alert=DISCONCODEINVALID,5/min,1/sec
			alert=DHCPNAMECHANGE,5/min,1/sec
			alert=DHCPOSCHANGE,5/min,1/sec
			alert=DHCPCLIENTID,5/min,1/sec
			alert=DHCPCONFLICT,10/min,1/sec
			alert=NETSTUMBLER,5/min,1/sec
			alert=LUCENTTEST,5/min,1/sec
			alert=LONGSSID,5/min,1/sec
			alert=MSFBCOMSSID,5/min,1/sec
			alert=MSFDLINKRATE,5/min,1/sec
			alert=MSFNETGEARBEACON,5/min,1/sec
			alert=NULLPROBERESP,5/min,1/sec
			#alert=PROBENOJOIN,5/min,1/sec

			# Controls behavior of the APSPOOF alert.  SSID may be a literal match (ssid=) or
			# a regex (ssidregex=) if PCRE was available when kismet was built.  The allowed
			# MAC list must be comma-separated and enclosed in quotes if there are multiple
			# MAC addresses allowed.  MAC address masks are allowed.
			apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55
			apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,aa:bb:cc:dd:ee:ff"

			# Known WEP keys to decrypt, bssid,hexkey.  This is only for networks where
			# the keys are already known, and it may impact throughput on slower hardware.
			# Multiple wepkey lines may be used for multiple BSSIDs.
			# wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900

			# Is transmission of the keys to the client allowed?  This may be a security
			# risk for some.  If you disable this, you will not be able to query keys from
			# a client.
			allowkeytransmit=true

			# How often (in seconds) do we write all our data files (0 to disable)
			writeinterval=300

			# Do we use sound?
			# Not to be confused with GUI sound parameter, this controls whether or not the
			# server itself will play sound.  Primarily for headless or automated systems.
			enablesound=false
			# Path to sound player
			soundbin=play

			sound=newnet,true
			sound=newcryptnet,true
			sound=packet,true
			sound=gpslock,true
			sound=gpslost,true
			sound=alert,true

			# Does the server have speech? (Again, not to be confused with the GUI's speech)
			enablespeech=false
			# Binary used for speech (if not in path, full path must be specified)
			speechbin=flite
			# Specify raw or festival; Flite (and anything else that doesn't need formatting
			# around the string to speak) is 'raw', festival requires the string be wrapped in
			# SayText("...")
			speechtype=raw

			# How do we speak?  Valid options:
			# speech    Normal speech
			# nato      NATO spellings (alpha, bravo, charlie)
			# spell     Spell the letters out (aye, bee, sea)
			speechencoding=nato

			speech=new,"New network detected s.s.i.d. %1 channel %2"
			speech=alert,"Alert %1"
			speech=gpslost,"G.P.S. signal lost"
			speech=gpslock,"G.P.S. signal O.K."

			# How many alerts do we backlog for new clients?  Only change this if you have
			# a -very- low memory system and need those extra bytes, or if you have a high
			# memory system and a huge number of alert conditions.
			alertbacklog=50

			# File types to log, comma separated.  Built-in log file types:
			# alert				Text file of alerts
			# gpsxml			XML per-packet GPS log
			# nettxt			Networks in text format
			# netxml			Networks in XML format
			# pcapdump			tcpdump/wireshark compatible pcap log file
			# string			All strings seen (increases CPU load)
			logtypes=pcapdump,gpsxml,netxml,nettxt,alert

			# Format of the pcap dump (PPI or 80211)
			pcapdumpformat=ppi
			# pcapdumpformat=80211

			# Default log title
			logdefault=Kismet

			# logtemplate - Filename logging template.
			# This is, at first glance, really nasty and ugly, but you'll hardly ever
			# have to touch it so don't complain too much.
			#
			# %p is replaced by the logging prefix + '/'
			# %n is replaced by the logging instance name
			# %d is replaced by the starting date as Mon-DD-YYYY
			# %D is replaced by the current date as YYYYMMDD
			# %t is replaced by the starting time as HH-MM-SS
			# %i is replaced by the increment log in the case of multiple logs
			# %l is replaced by the log type (pcapdump, strings, etc)
			# %h is replaced by the home directory

			logtemplate=%p%n-%D-%t-%i.%l

			# Where state info, etc, is stored.  You shouldnt ever need to change this.
			# This is a directory.
			configdir=%h/.kismet/
		

A few highlights on that conf file!

If you’ve copy pasted my config, then you don’t need to worry about this stuff. Still, you should read it over.

  • To be able to connect to a kismet server remotely, there are **two** lines that you need to edit to allow remote connections. They are:

    listen=tcp://0.0.0.0:2501
    allowedhosts=172.16.42.0/24

    Most websites cover the old kismet conf file, so they won’t mention that. You need to change the listen line to tcp://0.0.0.0:2501 so it will answer connections on every interface, not just localhost. Set the allowed hosts to 172.16.42.0/24 so that at least people have to be connected to your router to do anything; the listen line opens the door, and allowedhosts is the only thing narrowing who can walk through it.

  • You’ll also need to edit your config to make kismet_server aware that it needs to manage your gps device:

    gpstype=serial
    # What serial device do we look for the GPS on?
    gpsdevice=/dev/ttyUSB0

  • This expects to log in /mnt/test/kismet/logs. If you don’t have that directory set up, kismet_server will fail to start. Silently.

Dip Switches

One of the features of the Pineapple Mark V is the boot mode switches. I have a wardrive mode, and my command string is this:

    ifconfig wlan1 down && iwconfig wlan1 mode monitor && ifconfig wlan1 up && mount /dev/sda1 /mnt/test && kismet_server -f /mnt/test/kismet/kismet.conf >> /mnt/test/kismet/errors.log 2>&1

(The redirection has to be `>> file 2>&1` in that order; written as `2>&1 >> file`, stderr is pointed at the old stdout before the file is opened, so errors never reach errors.log.)

You’ll need to ssh into the pineapple and mkdir the /mnt/test directory first.

You could, if battery life was a true concern and you didn’t want to do any monitoring whatsoever via a wireless interface, add in an ifconfig wlan0 down, but eh.
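As an added example (not from the original post), here is a preflight version of that boot-mode command: it checks the kismet.conf lines and the log directory that the post says fail silently, then starts kismet_server with stderr actually landing in the log. Paths assume the post’s /mnt/test layout; the function names are mine.

```shell
#!/bin/sh
# Preflight for the wardrive boot mode (added example, not the post's own script).
# Assumes the post's layout: /dev/sda1 mounted on /mnt/test, config and logs under /mnt/test/kismet.

# Print the value of a key=value line from a kismet.conf, skipping commented-out lines.
conf_get() {                      # conf_get <conffile> <key>
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Validate the remote-access and GPS lines the post says must be edited.
# Prints a reason and returns 1 on the first problem found.
check_conf() {                    # check_conf <conffile>
    conf=$1
    listen=$(conf_get "$conf" listen)
    hosts=$(conf_get "$conf" allowedhosts)
    gpsdev=$(conf_get "$conf" gpsdevice)
    case "$listen" in
        tcp://0.0.0.0:*) ;;       # answers on all interfaces, as the post requires
        *) echo "listen is '$listen', expected tcp://0.0.0.0:<port>"; return 1 ;;
    esac
    # Listening on 0.0.0.0 is only acceptable because allowedhosts narrows who may talk.
    case "$hosts" in
        ""|0.0.0.0/0) echo "allowedhosts is empty or world-open: '$hosts'"; return 1 ;;
    esac
    [ -n "$gpsdev" ] || { echo "gpsdevice not set (post uses /dev/ttyUSB0)"; return 1; }
    return 0
}

# The log directory must exist and be writable, or kismet_server dies without a word.
check_logdir() {                  # check_logdir <dir>
    [ -d "$1" ] && [ -w "$1" ]
}

# The full boot-mode sequence, with the redirection order fixed so stderr is logged.
wardrive() {
    mount /dev/sda1 /mnt/test || { echo "mount failed"; return 1; }
    check_conf /mnt/test/kismet/kismet.conf || return 1
    check_logdir /mnt/test/kismet/logs || { echo "missing log dir"; return 1; }
    ifconfig wlan1 down && iwconfig wlan1 mode monitor && ifconfig wlan1 up || return 1
    kismet_server -f /mnt/test/kismet/kismet.conf >> /mnt/test/kismet/errors.log 2>&1
}
```

Put `wardrive` as the last line of the script and point the dip-switch command at the script; a failed check leaves a reason in the boot output instead of a silent non-start.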

In Conclusion

Does this home rolled crazy ass solution work? Mostly. I’ve done some successful testing with it locally. I know it usually streams GPS data. But I don’t know that I trust it on a large scale yet. On the other hand, there’s a trip to DC608 coming up at the end of the month. It’s a two-hour trip to Madison. And I have half a month to finish testing everything.

It’s madness, it really is.


War Driving on the Wifi Pineapple: GlobalSat ND-100S USB GPS Dongle

It’s been a long time since I’ve posted here.  I was busy.  Now I’m not.  Don’t ask.

I recently ordered a GlobalSat ND-100S USB GPS Dongle from Amazon.  I’m returning it because it failed me on a recent war drive.  It appears to be unwilling to talk to Linux in a usable format on a consistent basis.  I had to shift it into GWS 3.0 & 3.1 via an extra piece of software.  And it did start flashing on my trip, indicating a GPS lock.

My hardware/software setup was to use the Hak5 Pineapple MarkV and set one radio into monitor mode.  Then I would use GPSD to feed back GPS coordinates from the ND-100S.  GPSD would give me a semi-constant message:

    ERROR: No update from GPSD in 15 seconds or more, attempting to reconnect

So I decided to let Kismet handle talking to the GPS chip.  A quick check at home showed that Kismet recognized that it needed to manage the GPS dongle, and would in fact use it.

However, I couldn’t get it to actually locate anything for me.  I’ve read various reviews stating that it did work with Kismet, however in my case I couldn’t get it to behave.  I confess that this may be due to my inexperience with GPS dongles, a bad software configuration, or many other things.  With GPSD not returning error messages and Kismet seeming to be fine, frankly I’m flying in the dark.  There’s not much to be gathered from the internet on the error message.

So, back it goes to amazon and I’ll have to find a different GPS dongle to use.


Karma On The Fon: Serial Interface Mod

Does that plug belong there? Or not? I hope it looks like it does.


This is a 2 piece addition to the fonera so that you can more easily access the serial interface of the device. I’ve found that it makes talking to the fonera via serial so much more stable versus connecting with the cables onto the board.

I’m a big fan of sparkfun. I’ve always been treated well, shipping is fair, and they are more than willing to lend a hand with your problems. I source what I can from them. They have a device similar to the FTDIfriend from adafruit – but I have not used it so I can’t recommend it to you.

Note that in my experience sometimes the fonera is willing to boot with a serial cable connected, and other times it is not. This precludes just mounting the FTDIfriend inside of the fonera (plus it’s quite hard to convince everything to fit). Using a jack system like this allows you to plug into the system just after powering on, so you don’t have to worry about whether or not the fonera is happy today.

  1. The same adafruit usb to serial converter I advised earlier.
  2. A 3.5 mm panel mount stereo audio jack
  3. a 3.5 mm stereo audio plug
  4. shrink wrap
  5. Soldering iron
  6. Optional: The Heaterizer XL 3000. The instructions are the best part, and it works better than a lighter.
  7. Drill, drill bit the size of the 3.5 mm audio jack. (What? you don’t have a caliper?)

Installing the Fonera Side

  1. I drilled my hole between the ethernet jack and the antenna port.
  2. Install the stereo audio jack, taking care to make sure that you don’t let the metal of the jack contact any of the components or contacts in the circuit board. Do not glue the jack or anything like that, just finger tighten it.
  3. Cull 3 wires from the connector that came with ftdifriend.
  4. On one end of all three wires, bend the contacts so that just after the bit that a header pin fits into.
  5. Fit them onto the appropriate header pins on the fonera motherboard and loop them over to the audio jack and cut them to length.  Reference this page by digininja for the fonera pinout.  Be conservative – you are going to use the bits that you cut off again for the serial converter adaptor so you will need these.
  6. Shrink wrap the female header pin receptacles so that if they wiggle they can’t bump and mess with data transmission. You could possibly just solder them on, but I didn’t like that idea at the time.
  7. Remove the audio plug, remember how I said finger tight?
  8. Strip and solder the other ends of the cables to the audio jack.
  9. Reinstall the audio jack.  This time go ahead and tighten it up with a pair of pliers.  I didn’t strip the threads but other sparkfun customers have reported that these have a tendency to strip if you put much torque on it.  Be wary.

This is where you connect the female header pins to.  Note the shrink wrap to keep them from shorting each other out.


See how the wires run up to the audio jack?


The Serial converter side

  1. Remove the female headers from their pins on the fonera.  Use a continuity tester to figure out which pin on the audio jack goes to the Tx, Rx, and Ground wires.
  2. Flip the Tx and Rx pin connections.  Solder the three leads that you saved to the audio plug.
  3. Plug the other end into the respective female header pins so that you can connect it to the ftdi friend.

The Serial Converter Side

The End

Connect everything back up, double checking your connections are right. Then button up the case. I use GTKTerm on linux. Go ahead and fire that up (maybe as root). Boot up the fonera, plug in the ftdifriend to both the fonera and the computer. Soothe your fonera. You’re finished.


Karma On The Fon: Self Powered Jasager

Or, how to make a battery pack for your fonera.

You’ll need a multimeter, a 2.5mm by 5.5mm barrel plug (available on Amazon or better yet Radio Shack) and a 4 AA (or AAA, they supply the same voltage level) battery holder. I also used some velcro so that the battery pack would be able to attach to the top of the fonera.

The outside of the barrel plug is negative and the inside is positive. Double check yours with the multimeter.

I also swapped the antenna for the bigger one from my other router.

Now, I can turn it on and leave it in my backpack to be even less suspicious 😀


Karma On the Fon: Again.

I recently managed to find a job. Not a great job, but a job. I had some money that I decided to purchase a fon with. Of course, the purpose was not simply to gain another router: the purpose was to make a jasager device. The Jasager is custom firmware for the fonera by Robin Wood, aka digininja.

Background

So, when a computer boots (if it has a wireless network card) it will send out probe request broadcasts looking for networks it knows. The idea behind the jasager firmware is that after installing you now have a device that will answer, “yup, that’s me!” anytime it receives those probe requests. If someone is looking for their home network at a coffee shop, they shouldn’t find it. The jasager is kind enough to say, yup, connect to me anyway.

Why?

Because after a client connects to your router, it’s YOUR client on YOUR network. Think of the fun.

Order a Serial Cable

Seriously

Or, why it took me five weekends to get this thing to work

It’s taken me about 5 weeks to finally get jasager actually installed on the damn router. Partially because I had 0.7.1 r2. The tough cookie firmware. The first week I tried setting up a local version of Kolofonium. Didn’t work. I even tried the hosted one. It still didn’t work.

So I ordered what I had hoped would be the correct cable from ebay. For reference, a TXDATA1046 is not the cable you’re looking for. It was dead. I received a replacement. That was when I found out it was the incorrect cable.

I finally ordered an FTDI Friend from lady ada. I didn’t get it that weekend, so I didn’t work on my fon. As a statement, no I am not receiving funds for endorsing this product. I just think it does the job well and has the most flexibility I have seen of the various USB serial products available. You’ll also want this cable because you only need the three pins (GND, TX, & RX).

Some people have tricks and what not that they use. I’m just saying that, by the time you try those tricks and they (possibly) fail, you will still need the serial cable. If you brick your fon, you will need a serial cable. If you get a UK fon from ebay, you will have to have a serial cable. Just buy one. Update: Also, if you forget your password or screw up one of the network configuration files, you can fix it without reflashing the fonera.

The week after that I managed to get openwrt flashed. I skipped the week after that (I think). Tonight I installed the firmware package from the jasager website. I just followed the guide that digininja posted. So really, the hardest part in the whole process was figuring out how to talk to the little bastard.

Get the serial cable.