Wardriving With The Wifi Pineapple mark V
You can skip this part if you like
If it wasn’t clear to anyone that I make things up as I go, I pretty much don’t know what I’m doing. But I do it anyway because it means that
- I learn something new
- I’m never bored because I’m always
- Challenging myself.
Background
This morning I was looking at gps units because I’m trying to get my Wifi Pineapple to do stuff. In my last post, I mentioned my intent to return the gps unit because I thought it was defective. Thing is, its not defective, per-say. I just don’t know what I’m doing. I think. I’ve seen posts about running the same GPS stick under linux with no issues on the amazon website as well as this post for hooking everything up to the rasberry pi. It seems to be linux compatible for all that I can see.
This trouble occurs after I’ve plugged the gps chip into my computer and gotten everything working from there. I’ll have to write a separate blog post about how to actually get the thing to run.
The problem is that gpsd is being temperamental, which seems to be par for the course. GPSD isn’t outputting any debug information when I use it. Apparently. Because there’s no output when everything is working or debug information to say what is not working. So, I don’t know for sure that gpsd is or is not working.
The solution of course is to use something other then gpsd. Kismet_server does provide a way to directly access a GPS device though. So let’s use that. The problem with that is it also doesn’t seem to output any errors. Which may mean everything is working perfectly. Or not. At least with kismet_server managing the GPS tracking you don’t get an error saying GPSD has been unresponsive for the last 15 minutes and kismet_server needs to reconnect.
Hardware
The core is the wifi pineapple from hak5. Next up is some parts from sparkfun: a usb power cable and a lion battery pack. Alternately I have a usb charger for the cigarette letter that provides much longer lasting power. Then I have a leftover 2gb microSD card that I usually leave in the pineapple. The final part is the gps dongle.
Software
Software side, its still pretty easy. To get kismet_server on the pineapple you’ll need it connected to the wifi somehow. Then you’ll run:
opkg update
opkg install kismet_server
I wouldn’t bother with installing gpsd. It doesn’t seem to work, and its one more layer to go wrong.
You could use kismet_drone but then you have to connect it to a kismet_server. It might be nice if you had an army of drones that you wanted to connect back to a single server so that multiple people could connect to it, but I can’t see any purpose to it in my application.
Conf Files
Here’s my kismet.conf for kismet server.
#http://soliloquyforthefallen.net/blog/2014/04/12/wardriving-with-the-wifi-pineapple-mark-v # Kismet config file # Most of the "static" configs have been moved to here -- the command line # config was getting way too crowded and cryptic. We want functionality, # not continually reading --help! # Version of Kismet config version=2009-newcore # Name of server (Purely for organizational purposes) servername=Kismet_2009 # Prefix of where we log (as used in the logtemplate later) logprefix=/mnt/test/kismet/logs # Do we process the contents of data frames? If this is enabled, data # frames will be truncated to the headers only immediately after frame type # detection. This will disable IP detection, etc, however it is likely # safer (and definitely more polite) if monitoring networks you do not own. # hidedata=true # Do we allow plugins to be used? This will load plugins from the system # and user plugin directiories when set to true (See the README for the default # plugin locations). allowplugins=true # See the README for full information on the new source format # ncsource=interface:options # for example: ncsource=wlan1 # ncsource=wifi0:type=madwifi # ncsource=wlan0:name=intel,hop=false,channel=11 # Comma-separated list of sources to enable. This is only needed if you defined # multiple sources and only want to enable some of them. By default, all defined # sources are enabled. # For example, if sources with name=prismsource and name=ciscosource are defined, # and you only want to enable those two: # enablesources=prismsource,ciscosource # Control which channels we like to spend more time on. By default, the list # of channels is pulled from the driver automatically. By setting preferred channels, # if they are present in the channel list, they'll be set with a timing delay so that # more time is spent on them. Since 1, 6, 11 are the common default channels, it makes # sense to spend more time monitoring them. # For finer control, see further down in the config for the channellist= directives. preferredchannels=1,6,11 # How many channels per second do we hop? (1-10) channelvelocity=3 # By setting the dwell time for channel hopping we override the channelvelocity # setting above and dwell on each channel for the given number of seconds. #channeldwell=10 # Channels are defined as: # channellist=name:ch1,ch2,ch3 # or # channellist=name:range-start-end-width-offset,ch,range,ch,... # # Channels may be a numeric channel or a frequency # # Channels may specify an additional wait period. For common default channels, # an additional wait period can be useful. Wait periods delay for that number # of times per second - so a configuration hopping 10 times per second with a # channel of 6:3 would delay 3/10ths of a second on channel 6. # # Channel lists may have up to 256 channels and ranges (combined). For power # users scanning more than 256 channels with a single card, ranges must be used. # # Ranges are meant for "power users" who wish to define a very large number of # channels. A range may specify channels or frequencies, and will automatically # sort themselves to cover channels in a non-overlapping fashion. An example # range for the normal 802.11b/g spectrum would be: # # range-1-11-3-1 # # which indicates starting at 1, ending at 11, a channel width of 3 channels, # incrementing by one. A frequency based definition would be: # # range-2412-2462-22-5 # # since 11g channels are 22 mhz wide and 5 mhz apart. # # Ranges have the flaw that they cannot be shared between sources in a non-overlapping # way, so multiple sources using the same range may hop in lockstep with each other # and duplicate the coverage. # # channellist=demo:1:3,6:3,11:3,range-5000-6000-20-10 # Default channel lists # These channel lists MUST BE PRESENT for Kismet to work properly. While it is # possible to change these, it is not recommended. These are used when the supported # channel list can not be found for the source; to force using these instead of # the detected supported channels, override with channellist= in the source defintion # # IN GENERAL, if you think you want to modify these, what you REALLY want to do is # copy them and use channellist= in the packet source. channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10 channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165 channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165 # Client/server listen config listen=tcp://0.0.0.0:2501 # People allowed to connect, comma seperated IP addresses or network/mask # blocks. Netmasks can be expressed as dotted quad (/255.255.255.0) or as # numbers (/24) allowedhosts=172.16.42.0/24 # Maximum number of concurrent GUI's maxclients=5 # Maximum backlog before we start throwing out or killing clients. The # bigger this number, the more memory and the more power it will use. maxbacklog=5000 # Server + Drone config options. To have a Kismet server export live packets # as if it were a drone, uncomment these. # dronelisten=tcp://127.0.0.1:3501 # droneallowedhosts=127.0.0.1 # dronemaxclients=5 # droneringlen=65535 # OUI file, expected format 00:11:22manufname # IEEE OUI file used to look up manufacturer info. We default to the # wireshark one since most people have that. ouifile=/etc/manuf ouifile=/usr/share/wireshark/wireshark/manuf ouifile=/usr/share/wireshark/manuf # Do we have a GPS? gps=true # Do we use a locally serial attached GPS, or use a gpsd server? # (Pick only one) #gpstype=gpsd gpstype=serial # What serial device do we look for the GPS on? gpsdevice=/dev/ttyUSB0 # Host:port that GPSD is running on. This can be localhost OR remote! #gpshost=localhost:2947 # Do we lock the mode? This overrides coordinates of lock "0", which will # generate some bad information until you get a GPS lock, but it will # fix problems with GPS units with broken NMEA that report lock 0 gpsmodelock=false # Do we try to reconnect if we lose our link to the GPS, or do we just # let it die and be disabled? gpsreconnect=true # Do we export packets over tun/tap virtual interfaces? tuntap_export=false # What virtual interface do we use tuntap_device=kistap0 # Packet filtering options: # filter_tracker - Packets filtered from the tracker are not processed or # recorded in any way. # filter_export - Controls what packets influence the exported CSV, network, # xml, gps, etc files. # All filtering options take arguments containing the type of address and # addresses to be filtered. Valid address types are 'ANY', 'BSSID', # 'SOURCE', and 'DEST'. Filtering can be inverted by the use of '!' before # the address. For example, # filter_tracker=ANY(!"00:00:DE:AD:BE:EF") # has the same effect as the previous mac_filter config file option. # filter_tracker=... # filter_dump=... # filter_export=... # filter_netclient=... # Alerts to be reported and the throttling rates. # alert=name,throttle/unit,burst # The throttle/unit describes the number of alerts of this type that are # sent per time unit. Valid time units are second, minute, hour, and day. # Burst describes the number of alerts sent before throttling takes place. # For example: # alert=FOO,10/min,5 # Would allow 5 alerts through before throttling is enabled, and will then # limit the number of alerts to 10 per minute. # A throttle rate of 0 disables throttling of the alert. # See the README for a list of alert types. alert=ADHOCCONFLICT,5/min,1/sec alert=AIRJACKSSID,5/min,1/sec alert=APSPOOF,10/min,1/sec alert=BCASTDISCON,5/min,2/sec alert=BSSTIMESTAMP,5/min,1/sec alert=CHANCHANGE,5/min,1/sec alert=CRYPTODROP,5/min,1/sec alert=DISASSOCTRAFFIC,10/min,1/sec alert=DEAUTHFLOOD,5/min,2/sec alert=DEAUTHCODEINVALID,5/min,1/sec alert=DISCONCODEINVALID,5/min,1/sec alert=DHCPNAMECHANGE,5/min,1/sec alert=DHCPOSCHANGE,5/min,1/sec alert=DHCPCLIENTID,5/min,1/sec alert=DHCPCONFLICT,10/min,1/sec alert=NETSTUMBLER,5/min,1/sec alert=LUCENTTEST,5/min,1/sec alert=LONGSSID,5/min,1/sec alert=MSFBCOMSSID,5/min,1/sec alert=MSFDLINKRATE,5/min,1/sec alert=MSFNETGEARBEACON,5/min,1/sec alert=NULLPROBERESP,5/min,1/sec #alert=PROBENOJOIN,5/min,1/sec # Controls behavior of the APSPOOF alert. SSID may be a literal match (ssid=) or # a regex (ssidregex=) if PCRE was available when kismet was built. The allowed # MAC list must be comma-separated and enclosed in quotes if there are multiple # MAC addresses allowed. MAC address masks are allowed. apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55 apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,aa:bb:cc:dd:ee:ff" # Known WEP keys to decrypt, bssid,hexkey. This is only for networks where # the keys are already known, and it may impact throughput on slower hardware. # Multiple wepkey lines may be used for multiple BSSIDs. # wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900 # Is transmission of the keys to the client allowed? This may be a security # risk for some. If you disable this, you will not be able to query keys from # a client. allowkeytransmit=true # How often (in seconds) do we write all our data files (0 to disable) writeinterval=300 # Do we use sound? # Not to be confused with GUI sound parameter, this controls wether or not the # server itself will play sound. Primarily for headless or automated systems. enablesound=false # Path to sound player soundbin=play sound=newnet,true sound=newcryptnet,true sound=packet,true sound=gpslock,true sound=gpslost,true sound=alert,true # Does the server have speech? (Again, not to be confused with the GUI's speech) enablespeech=false # Binary used for speech (if not in path, full path must be specified) speechbin=flite # Specify raw or festival; Flite (and anything else that doesn't need formatting # around the string to speak) is 'raw', festival requires the string be wrapped in # SayText("...") speechtype=raw # How do we speak? Valid options: # speech Normal speech # nato NATO spellings (alpha, bravo, charlie) # spell Spell the letters out (aye, bee, sea) speechencoding=nato speech=new,"New network detected s.s.i.d. %1 channel %2" speech=alert,"Alert %1" speech=gpslost,"G.P.S. signal lost" speech=gpslock,"G.P.S. signal O.K." # How many alerts do we backlog for new clients? Only change this if you have # a -very- low memory system and need those extra bytes, or if you have a high # memory system and a huge number of alert conditions. alertbacklog=50 # File types to log, comma seperated. Built-in log file types: # alert Text file of alerts # gpsxml XML per-packet GPS log # nettxt Networks in text format # netxml Networks in XML format # pcapdump tcpdump/wireshark compatible pcap log file # string All strings seen (increases CPU load) logtypes=pcapdump,gpsxml,netxml,nettxt,alert # Format of the pcap dump (PPI or 80211) pcapdumpformat=ppi # pcapdumpformat=80211 # Default log title logdefault=Kismet # logtemplate - Filename logging template. # This is, at first glance, really nasty and ugly, but you'll hardly ever # have to touch it so don't complain too much. # # %p is replaced by the logging prefix + '/' # %n is replaced by the logging instance name # %d is replaced by the starting date as Mon-DD-YYYY # %D is replaced by the current date as YYYYMMDD # %t is replaced by the starting time as HH-MM-SS # %i is replaced by the increment log in the case of multiple logs # %l is replaced by the log type (pcapdump, strings, etc) # %h is replaced by the home directory logtemplate=%p%n-%D-%t-%i.%l # Where state info, etc, is stored. You shouldnt ever need to change this. # This is a directory. configdir=%h/.kismet/
A few highlights on that conf file!
If you’ve copy pasted my config, then you don’t need to worry about this stuff. Still, you should read it over.
-
To be able to connect to a kismet server remotely, there are **two** lines that you need to edit to allow remote connections. They are:
listen=tcp://0.0.0.0:2501
allowedhosts=172.16.42.0/24Most websites are covering the old kismet conf file so they won’t mention that. You need to change the listen line to tcp://0.0.0.0:2501 so it will answer all connections. Set the allowed hosts to 172.16.42.0/24 so that at least people have to be connected to your router to do anything.
-
You’ll also need to edit your config to make kismet server aware that is needs to manage your gps device.
gpstype=serial
# What serial device do we look for the GPS on?
gpsdevice=/dev/ttyUSB0 - This expects to log in /mnt/test/kismet/logs. If you don’t have that directory set up, kismet_server will fail to start. Silently.
Dip Switches
One of the features of the Pineapple Mark V is the boot mode switches. I have a wardrive mode, and my command string is this:
ifconfig wlan1 down && iwconfig wlan1 mode monitor && ifconfig wlan1 up && mount /dev/sda1 /mnt/test && kismet_server -f /mnt/test/kismet/kismet.conf 2>&1 >> /mnt/test/kismet/errors.log
You’ll need to ssh into the pineapple and mkdir the /mnt/test directory first.
You could, if battery life was a true concern and you didn’t want to do any monitoring whatsover via a wireless interface add in an ifconfig wlan0 down
but eh.
In Conclusion
Does this home rolled crazy ass solution work? Mostly. I’ve done some successful testing with it locally. I know it usually streams GPS data. But I don’t know that I trust it on large scale yet. On the other hand, there’s a trip to DC608 coming up at the end of the month. Its a two hour trip to Madison. And I have half a month to finish testing everything.
Its madness, it really is.