You can skip this part to if you like
But please don’t, its awesome.
Wardriving with Wifi Pineapple Mark V running Kismet: http://t.co/JgOfEWhmXA via @YouTube
— Darren Kitchen (@hak5darren) October 2, 2014
I saw this tweet over 2g on my phone while at work, so I was unable to watch the video. I never thought that my blog would source the inspiration for this video. Let alone a video that would be tweeted by Darren. Wow.
I would like to thank HackedExistence for the nice things he said about my blog. I went and watched a random video from his youtube channel, and again he did a very nice job presenting on the subject at hand.
Updates!
So, wow … let’s talk about updates to the war driving system that I’ve made since I last posted on the subject.
Hardware
I am using the GlobalSat GPS dongle discussed in this post. It works fairly well, but you’ll want to check that it sticks in NMEA mode. To set the dongle to NMEA mode, use SiRF Demo. This does function under Wine on Fedora 20, which how I primarily use it now. If you’re looking to get a gps dongle, you can also look for ones that work with the rasberry pi. There were few comments remarking on the youtube video about how war driving data is more useful if you know where the access points were located and I agree.
Were I to purchase another GPS reciever, Adafruit published a tutorial for GPS on the rasberry pi that I thought would be another interesting approach. They utilize one of their GPS breakout board and a serial ttl convertor cable to interface with the Rasberry Pi. You might even be able to push the GPS data from the breakout board to the pineapple via the onboard serial convertor instead of using a USB breakout.
When I was looking into GPS units, I found that the GPS standards are rather more guides that aren’t often followed. The advantage of the adafruit receiver would be the ability to help format the code into something that is standards compliant.
I’ve found that the little battery from sparkfun lasts about 2 hours, while I’m powering the pineapple and the gps unit. For longer war driving sessions, say to Ohio and back, this does the job, as well as keeping my power hungry cell phone juiced up.
Software
Parsing the GPS data is done by kismet_server. GPSD was falling over itself.
One thing I never could manage to get work correctly was autostarting kismet_server. My thought was that something in the command stack was failing, but not kismet_server. Actually, it was the enviroment starting kismet_server.
In trying to write this post I started researching how to get it to work. Someone else on the hak5 forums had the same problem. Thankfully, that someone else documented the solution. The short explanation is that many of the envirmental variables needed by kismet_server are not loaded at the time that kismet_server starts.
The solution is to use a script that sets up the enviroment for kismet. I’m using harmless’ script, which follows:
#!/bin/sh #/sd/usr/bin/printenv >> /sd/var/log/boot110.log #Setting some environment variables so that kismet can run #These were copied verbatim from the SSH printenv output: export LD_LIBRARY_PATH='/lib:/usr/lib:/sd/lib:/sd/usr/lib' export PATH='/bin:/sbin:/usr/bin:/usr/sbin:/sd/usr/bin:/sd/usr/sbin' #Run kismet (daemonized to suppress unnecessary output): kismet_server --daemonize -f /sd/kismet/kismet.conf pineapple notify 'kismet now running'
I saved it as kismet-server-start in root’s home directory. Remember to chmod +x.
Configuration
HackedExistence’s video shows him setting up the microSD card to be automounted by the pineapple. I myself have also started letting the pineapple auto mount the sd card. This necessitated a change in the configuration file to use /sd/kismet instead of /mnt/test. These changes are also reflected in the kismet config, which I’ve included at the end of the post.
Boot Mode Setup
Because the pineapple is now handling mounting the SD card at boot, I no longer need to use the old boot mode code that included mounting a directory. I also need to update it to use the script in /root. My new boot switch code is this:
ifconfig wlan1 down && iwconfig wlan1 mode monitor && ifconfig wlan1 up && /root/kismet-server-start
At the end of the video, HackedExistence was cating the contents of the files. Here’s my command to print just the access point names from the nettxt file:
cat *.nettxt | grep "SSID : " | sed -e 's/<SSID>//g' | tr -d " t:"" | sed '/Cloaked/'d | sed '/cloaked/'d | sort -d | awk 'a !~ $0; {a=$0}' | sed '/�[0-9][0-9]/d'
Where to from here?
The question I had that made me set all this up was, “How many android phones are openly accessible from the road?” I’m not any closer to answer that question. Honestly, I have not thought about it much since I set this system up. I’ve had other things accepted onto my plate that had a higher priority then this. However, the little time I’m thought about it, I’ve had a few different ideas:
- Using the first three digits of the mac address.
- Some kind of filter based on location.
- How long the access point remains active (if I pass a car I should only see it for a few seconds)?
- The other thing that I’ve thought about is that if I take two passes through an areas, then subtract the ones that are there twice.
So, how about you folks? Any ideas? Leave them in the comment below, please!
Full Configuration File
http://soliloquyforthefallen.net/blog/?p=678 # Kismet config file # Most of the "static" configs have been moved to here -- the command line # config was getting way too crowded and cryptic. We want functionality, # not continually reading --help! # Version of Kismet config version=2009-newcore # Name of server (Purely for organizational purposes) servername=Kismet_2009 # Prefix of where we log (as used in the logtemplate later) logprefix=/sd/kismet/logs # Do we process the contents of data frames? If this is enabled, data # frames will be truncated to the headers only immediately after frame type # detection. This will disable IP detection, etc, however it is likely # safer (and definitely more polite) if monitoring networks you do not own. # hidedata=true # Do we allow plugins to be used? This will load plugins from the system # and user plugin directiories when set to true (See the README for the default # plugin locations). allowplugins=true # See the README for full information on the new source format # ncsource=interface:options # for example: ncsource=wlan1 # ncsource=wifi0:type=madwifi # ncsource=wlan0:name=intel,hop=false,channel=11 # Comma-separated list of sources to enable. This is only needed if you defined # multiple sources and only want to enable some of them. By default, all defined # sources are enabled. # For example, if sources with name=prismsource and name=ciscosource are defined, # and you only want to enable those two: # enablesources=prismsource,ciscosource # Control which channels we like to spend more time on. By default, the list # of channels is pulled from the driver automatically. By setting preferred channels, # if they are present in the channel list, they'll be set with a timing delay so that # more time is spent on them. Since 1, 6, 11 are the common default channels, it makes # sense to spend more time monitoring them. # For finer control, see further down in the config for the channellist= directives. preferredchannels=1,6,11 # How many channels per second do we hop? (1-10) channelvelocity=3 # By setting the dwell time for channel hopping we override the channelvelocity # setting above and dwell on each channel for the given number of seconds. #channeldwell=10 # Channels are defined as: # channellist=name:ch1,ch2,ch3 # or # channellist=name:range-start-end-width-offset,ch,range,ch,... # # Channels may be a numeric channel or a frequency # # Channels may specify an additional wait period. For common default channels, # an additional wait period can be useful. Wait periods delay for that number # of times per second - so a configuration hopping 10 times per second with a # channel of 6:3 would delay 3/10ths of a second on channel 6. # # Channel lists may have up to 256 channels and ranges (combined). For power # users scanning more than 256 channels with a single card, ranges must be used. # # Ranges are meant for "power users" who wish to define a very large number of # channels. A range may specify channels or frequencies, and will automatically # sort themselves to cover channels in a non-overlapping fashion. An example # range for the normal 802.11b/g spectrum would be: # # range-1-11-3-1 # # which indicates starting at 1, ending at 11, a channel width of 3 channels, # incrementing by one. A frequency based definition would be: # # range-2412-2462-22-5 # # since 11g channels are 22 mhz wide and 5 mhz apart. # # Ranges have the flaw that they cannot be shared between sources in a non-overlapping # way, so multiple sources using the same range may hop in lockstep with each other # and duplicate the coverage. # # channellist=demo:1:3,6:3,11:3,range-5000-6000-20-10 # Default channel lists # These channel lists MUST BE PRESENT for Kismet to work properly. While it is # possible to change these, it is not recommended. These are used when the supported # channel list can not be found for the source; to force using these instead of # the detected supported channels, override with channellist= in the source defintion # # IN GENERAL, if you think you want to modify these, what you REALLY want to do is # copy them and use channellist= in the packet source. channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10 channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165 channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165 # Client/server listen config listen=tcp://0.0.0.0:2501 # People allowed to connect, comma seperated IP addresses or network/mask # blocks. Netmasks can be expressed as dotted quad (/255.255.255.0) or as # numbers (/24) allowedhosts=172.16.42.0/24 # Maximum number of concurrent GUI's maxclients=5 # Maximum backlog before we start throwing out or killing clients. The # bigger this number, the more memory and the more power it will use. maxbacklog=5000 # Server + Drone config options. To have a Kismet server export live packets # as if it were a drone, uncomment these. # dronelisten=tcp://127.0.0.1:3501 # droneallowedhosts=127.0.0.1 # dronemaxclients=5 # droneringlen=65535 # OUI file, expected format 00:11:22manufname # IEEE OUI file used to look up manufacturer info. We default to the # wireshark one since most people have that. ouifile=/etc/manuf ouifile=/usr/share/wireshark/wireshark/manuf ouifile=/usr/share/wireshark/manuf # Do we have a GPS? gps=true # Do we use a locally serial attached GPS, or use a gpsd server? # (Pick only one) #gpstype=gpsd gpstype=serial # What serial device do we look for the GPS on? gpsdevice=/dev/ttyUSB0 # Host:port that GPSD is running on. This can be localhost OR remote! #gpshost=localhost:2947 # Do we lock the mode? This overrides coordinates of lock "0", which will # generate some bad information until you get a GPS lock, but it will # fix problems with GPS units with broken NMEA that report lock 0 gpsmodelock=false # Do we try to reconnect if we lose our link to the GPS, or do we just # let it die and be disabled? gpsreconnect=true # Do we export packets over tun/tap virtual interfaces? tuntap_export=false # What virtual interface do we use tuntap_device=kistap0 # Packet filtering options: # filter_tracker - Packets filtered from the tracker are not processed or # recorded in any way. # filter_export - Controls what packets influence the exported CSV, network, # xml, gps, etc files. # All filtering options take arguments containing the type of address and # addresses to be filtered. Valid address types are 'ANY', 'BSSID', # 'SOURCE', and 'DEST'. Filtering can be inverted by the use of '!' before # the address. For example, # filter_tracker=ANY(!"00:00:DE:AD:BE:EF") # has the same effect as the previous mac_filter config file option. # filter_tracker=... # filter_dump=... # filter_export=... # filter_netclient=... # Alerts to be reported and the throttling rates. # alert=name,throttle/unit,burst # The throttle/unit describes the number of alerts of this type that are # sent per time unit. Valid time units are second, minute, hour, and day. # Burst describes the number of alerts sent before throttling takes place. # For example: # alert=FOO,10/min,5 # Would allow 5 alerts through before throttling is enabled, and will then # limit the number of alerts to 10 per minute. # A throttle rate of 0 disables throttling of the alert. # See the README for a list of alert types. alert=ADHOCCONFLICT,5/min,1/sec alert=AIRJACKSSID,5/min,1/sec alert=APSPOOF,10/min,1/sec alert=BCASTDISCON,5/min,2/sec alert=BSSTIMESTAMP,5/min,1/sec alert=CHANCHANGE,5/min,1/sec alert=CRYPTODROP,5/min,1/sec alert=DISASSOCTRAFFIC,10/min,1/sec alert=DEAUTHFLOOD,5/min,2/sec alert=DEAUTHCODEINVALID,5/min,1/sec alert=DISCONCODEINVALID,5/min,1/sec alert=DHCPNAMECHANGE,5/min,1/sec alert=DHCPOSCHANGE,5/min,1/sec alert=DHCPCLIENTID,5/min,1/sec alert=DHCPCONFLICT,10/min,1/sec alert=NETSTUMBLER,5/min,1/sec alert=LUCENTTEST,5/min,1/sec alert=LONGSSID,5/min,1/sec alert=MSFBCOMSSID,5/min,1/sec alert=MSFDLINKRATE,5/min,1/sec alert=MSFNETGEARBEACON,5/min,1/sec alert=NULLPROBERESP,5/min,1/sec #alert=PROBENOJOIN,5/min,1/sec # Controls behavior of the APSPOOF alert. SSID may be a literal match (ssid=) or # a regex (ssidregex=) if PCRE was available when kismet was built. The allowed # MAC list must be comma-separated and enclosed in quotes if there are multiple # MAC addresses allowed. MAC address masks are allowed. apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55 apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,aa:bb:cc:dd:ee:ff" # Known WEP keys to decrypt, bssid,hexkey. This is only for networks where # the keys are already known, and it may impact throughput on slower hardware. # Multiple wepkey lines may be used for multiple BSSIDs. # wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900 # Is transmission of the keys to the client allowed? This may be a security # risk for some. If you disable this, you will not be able to query keys from # a client. allowkeytransmit=true # How often (in seconds) do we write all our data files (0 to disable) writeinterval=300 # Do we use sound? # Not to be confused with GUI sound parameter, this controls wether or not the # server itself will play sound. Primarily for headless or automated systems. enablesound=false # Path to sound player soundbin=play sound=newnet,true sound=newcryptnet,true sound=packet,true sound=gpslock,true sound=gpslost,true sound=alert,true # Does the server have speech? (Again, not to be confused with the GUI's speech) enablespeech=false # Binary used for speech (if not in path, full path must be specified) speechbin=flite # Specify raw or festival; Flite (and anything else that doesn't need formatting # around the string to speak) is 'raw', festival requires the string be wrapped in # SayText("...") speechtype=raw # How do we speak? Valid options: # speech Normal speech # nato NATO spellings (alpha, bravo, charlie) # spell Spell the letters out (aye, bee, sea) speechencoding=nato speech=new,"New network detected s.s.i.d. %1 channel %2" speech=alert,"Alert %1" speech=gpslost,"G.P.S. signal lost" speech=gpslock,"G.P.S. signal O.K." # How many alerts do we backlog for new clients? Only change this if you have # a -very- low memory system and need those extra bytes, or if you have a high # memory system and a huge number of alert conditions. alertbacklog=50 # File types to log, comma seperated. Built-in log file types: # alert Text file of alerts # gpsxml XML per-packet GPS log # nettxt Networks in text format # netxml Networks in XML format # pcapdump tcpdump/wireshark compatible pcap log file # string All strings seen (increases CPU load) logtypes=pcapdump,gpsxml,netxml,nettxt,alert # Format of the pcap dump (PPI or 80211) pcapdumpformat=ppi # pcapdumpformat=80211 # Default log title logdefault=Kismet # logtemplate - Filename logging template. # This is, at first glance, really nasty and ugly, but you'll hardly ever # have to touch it so don't complain too much. # # %p is replaced by the logging prefix + '/' # %n is replaced by the logging instance name # %d is replaced by the starting date as Mon-DD-YYYY # %D is replaced by the current date as YYYYMMDD # %t is replaced by the starting time as HH-MM-SS # %i is replaced by the increment log in the case of multiple logs # %l is replaced by the log type (pcapdump, strings, etc) # %h is replaced by the home directory logtemplate=%p%n-%D-%t-%i.%l # Where state info, etc, is stored. You shouldnt ever need to change this. # This is a directory. configdir=%h/.kismet/