
Kismet Drone

Kismet

"Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system." (http://www.kismetwireless.net/)

A Kismet drone may be used as a remote wireless sniffer to collect wireless data from one or more remote locations and report it back to a centralized Kismet server, where it can be analyzed.


Linksys WRT54G and other OpenWRT Compatible Devices

This tutorial will explain how to configure a Linksys WRT54G as a Kismet Drone.

You might have several Linksys WRT wireless access points lying around home or the office.  I did.  You will find that these devices work perfectly for monitoring your wireless networks and potential threats.  This should also work for any device that will run the OpenWRT firmware, although I cannot guarantee the same results on any other device.


Disclaimer

This tutorial is not for the faint of heart, novice user, or any n00b.  It is expected that you will have some significant experience with Linux and Kismet in order to complete this tutorial. 

In the process of following this tutorial you could inadvertently permanently brick (break) your device.  I am not responsible for this, or any thing else that happens as a result of you following this tutorial.  

You also take all responsibility for any legal ramifications of the use of wireless sniffing software, or any action you take in connection with this tutorial.  You are responsible for being aware of your local laws concerning the use of this Open Source software and the use of wireless sniffing programs.

THERE IS NO WARRANTY FOR THE INFORMATION ON THIS SITE TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THIS INFORMATION  “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE INFORMATION IS WITH YOU. SHOULD THIS INFORMATION PROVE INCORRECT OR BAD PRACTICE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THIS INFORMATION AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS INFORMATION (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROCESS DESCRIBED TO FUNCTION WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

This Tutorial is Copyrighted under the GPL v3 by supertechguy.com 
http://www.gnu.org/licenses/gpl.html



OpenWRT

To begin you must install the OpenWRT firmware on your WRT54G.  To do so, visit the OpenWRT website (http://openwrt.org/) and select the correct build for your device.  This can be a bit tricky: you will need to reference the supported hardware page to determine the chipset in your device and which build to select.  I would recommend that you start here: http://wiki.openwrt.org/doc/howto/beginner.  If a build with the Linux 2.6 kernel is available for your hardware, you should use it.

Also, I would highly recommend that you reset the device to its factory defaults at the same time or after flashing the firmware.


Kismet Drone

Once you have installed the OpenWRT firmware, be aware that OpenWRT, like many other Open Source Linux operating systems, has a package management system.  To access it you will need to either log in to the web interface or connect via SSH.

To simplify this tutorial we will use SSH to install the Kismet Drone packages on the device.

Use an SSH client to connect to the device.  (For Windows users, PuTTY is an excellent choice: http://www.chiark.greenend.org.uk/~sgtatham/putty/)

Login

Login using the default credentials
        User: root
        Password: admin


BusyBox v1.15.3 (2010-04-06 04:08:20 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03, r20728) --------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------


Changing the password

The very first thing that you should do is change the root password. 

    root@OpenWrt:~# passwd
    Changing password for root
    New password:
    Retype password:
    Password for root changed by root


Package Management

Update available packages

    root@OpenWrt:~# opkg update

Install the Kismet Drone Package

    root@OpenWrt:~# opkg install kismet-drone

Install nano (you'll need a text editing program in the next step)

    root@OpenWrt:~# opkg install nano


Optimize the device

Disable Web Interface, to save memory... (Memory doesn't grow on trees out here)

    root@OpenWrt:~# /etc/init.d/uhttpd disable


Configuration Changes

Edit /etc/config/network

root@OpenWrt:~# nano /etc/config/network

Currently the file should look like this:

#### VLAN configuration 
config switch eth0
option enable   1

config switch_vlan eth0_0
option device   "eth0"
option vlan     0
option ports    "1 2 3 4 5"

config switch_vlan eth0_1
option device   "eth0"
option vlan     1
option ports    "0 5"

#### Loopback configuration
config interface loopback
option ifname "lo"
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0


#### LAN configuration
config interface lan
option type bridge
option ifname "eth0.0"
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0


#### WAN configuration
config interface wan
option ifname "eth0.1"
option proto dhcp

Change the following lines under '#### LAN configuration':

    option ipaddr 192.168.1.1     -> option ipaddr (Device IP Address)
    option netmask 255.255.255.0  -> option netmask (Correct Netmask)

Add the following lines at the bottom of the '#### LAN configuration' section:

    option gateway (Gateway IP Address)
    option dns (IP Address of DNS Server)
    option defaultroute 0
    option peerdns 0


So when you're finished, your configuration in the '#### LAN configuration' section might look something like this:

#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   10.0.0.15 
        option netmask  255.255.255.0
        option gateway  10.0.0.1
        option dns 8.8.8.8
        option defaultroute 0
        option peerdns 0

When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x


Next, edit /etc/config/dhcp:

    root@OpenWrt:~# nano /etc/config/dhcp

The file should look like this:

config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option filterwin2k      '0'  #enable for dial on demand
        option localise_queries 1
        option local    '/lan/'
        option domain   'lan'
        option expandhosts      1
        option nonegcache       0
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/resolv.conf.auto'
        #list server            '/mycompany.local/1.2.3.4'
        #option nonwildcard     1
        #list interface         br-lan
        #list notinterface      lo

config dhcp lan
        option interface        lan
        option start    100
        option limit    150
        option leasetime        12h

config dhcp wan
        option interface        wan
        option ignore   1


You need to delete the following lines under the 'config dhcp lan' section:

    option start    100
    option limit    150
    option leasetime        12h

Then add the following line under the 'config dhcp lan' section:

    option ignore   1

So when you're finished the file should look like this:


config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option filterwin2k      '0'  #enable for dial on demand
        option localise_queries 1
        option local    '/lan/'
        option domain   'lan'
        option expandhosts      1
        option nonegcache       0
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/resolv.conf.auto'
        #list server            '/mycompany.local/1.2.3.4'
        #option nonwildcard     1
        #list interface         br-lan
        #list notinterface      lo

config dhcp lan
        option interface        lan
        option ignore   1

config dhcp wan
        option interface        wan
        option ignore   1

When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x

Apply the Configuration

Next, you need to reboot the device so all your settings can be applied.

root@OpenWrt:~# reboot


Login

After the device reboots you will need to connect it directly into your network and login via SSH.

Once you have logged back into the device you can finish up the kismet drone setup.


More Configuration Changes

Next, Edit /etc/config/wireless

root@OpenWrt:~# nano /etc/config/wireless

Currently the file should look like this:

config wifi-device  radio0
        option type     mac80211
        option channel  5
        option macaddr  (YOUR MAC ADDRESS)
        option hwmode   11g

        # REMOVE THIS LINE TO ENABLE WIFI:
        option disabled 1

config wifi-iface
        option device   radio0
        option network  lan
        option mode     ap
        option ssid     OpenWrt
        option encryption none

You need to change the following lines:

    option disabled 1 -> option disabled 0
    option mode ap    -> option mode monitor

You also should remove the following line:

    option encryption none

So when you are done it should look like this:

config wifi-device  radio0
        option type     mac80211
        option channel  5
        option macaddr  (YOUR MAC ADDRESS)
        option hwmode   11g

        # REMOVE THIS LINE TO ENABLE WIFI:
        option disabled 0

config wifi-iface
        option device   radio0
        option network  lan
        option mode     monitor
        option ssid     OpenWrt

When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x

Next you will need to Edit /etc/kismet/kismet_drone.conf

root@OpenWrt:~# nano /etc/kismet/kismet_drone.conf

We will only need to work with a few lines of the file, but I would highly suggest reading through the entire file and modifying to your needs.

# Kismet drone config file

version=newcore.1

# Name of drone server (informational)
servername=Kismet-Drone

# Drone configuration
# Protocol, interface, and port to listen on
dronelisten=tcp://127.0.0.1:2502
# Hosts allowed to connect, comma separated.  May include netmasks.
# allowedhosts=127.0.0.1,10.10.10.0/255.255.255.0
droneallowedhosts=127.0.0.1
# Maximum number of drone clients
dronemaxclients=10
droneringlen=65535

# Do we have a GPS?
gps=true
# Do we use a locally serial attached GPS, or use a gpsd server?
# (Pick only one)
gpstype=gpsd
# gpstype=serial
# What serial device do we look for the GPS on?
gpsdevice=/dev/rfcomm0
# Host:port that GPSD is running on.  This can be localhost OR remote!
gpshost=localhost:2947
# Do we lock the mode?  This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will
# fix problems with GPS units with broken NMEA that report lock 0
gpsmodelock=false
# Do we try to reconnect if we lose our link to the GPS, or do we just
# let it die and be disabled?
gpsreconnect=true

# See the README for full information on the new source format
# ncsource=interface:options
ncsource=null
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11

# Special per-source options
# sourceopts=[sourcename|*]:opt1,opt2
# sourceopts=*:fuzzycrypt,weakvalidate

# Comma-separated list of sources to enable, if you don't want to enable all
# the sources you defined.
# enablesource=source1,source2

# How many channels per second do we hop?  (1-10)
channelvelocity=5

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
#channeldwell=10

# Users outside the US might want to use this list:
# channellist=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10

# US IEEE 80211a
channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165

# Combo
channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165


# See the README for full information on the new source format

You will need to change the following lines:

    servername=Kismet-Drone          -> servername=My-Kismet-Drone-Name
    dronelisten=tcp://127.0.0.1:2502 -> dronelisten=tcp://(Device IP address):2502
    droneallowedhosts=127.0.0.1      -> droneallowedhosts=(IP Address of Kismet Server)
    gps=true                         -> gps=false

If you used an OpenWRT build with the Linux 2.6 kernel you need to change the following line:

    ncsource=null -> ncsource=wlan0  (This should work for most 2.6 kernels)

If that doesn't work, or if you used an OpenWRT build with the Linux 2.4 kernel, you can try the following ncsource option:

    ncsource=ath0

If you are still running into problems, good luck; I would suggest finding a Linux expert and using Google.

Again, when you are done editing the file, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
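Before starting the drone it is worth checking that the edits above actually took, because the drone hands captured frames to whatever host connects and dronelisten plus droneallowedhosts are its only access control. The following POSIX sh script is an added example, not part of the original tutorial or of Kismet; it reads the key=value lines of a kismet_drone.conf, flags the four settings this page tells you to change, and runs itself against a constructed sample file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check an edited
# kismet_drone.conf before starting the drone. The drone hands captured
# frames to any host that connects, so dronelisten and droneallowedhosts
# are its only access control. Key names follow the newcore file shown above.

# conf_get FILE KEY: print the value of the last uncommented KEY=value line
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# check_drone_conf FILE: print one line per problem, return the problem count
check_drone_conf() {
    f="$1"; problems=0
    case "$(conf_get "$f" dronelisten)" in
        tcp://127.0.0.1:*)
            echo "dronelisten is bound to loopback; the Kismet server cannot reach it"
            problems=$((problems + 1)) ;;
    esac
    case "$(conf_get "$f" droneallowedhosts)" in
        ""|127.0.0.1)
            echo "droneallowedhosts does not name the Kismet server"
            problems=$((problems + 1)) ;;
        *0.0.0.0/0*)
            echo "droneallowedhosts lets any host pull captured frames"
            problems=$((problems + 1)) ;;
    esac
    if [ "$(conf_get "$f" gps)" = "true" ]; then
        echo "gps=true, but this device has no GPS; set gps=false"
        problems=$((problems + 1))
    fi
    case "$(conf_get "$f" ncsource)" in
        ""|null)
            echo "ncsource is null; point it at the monitor interface (e.g. wlan0)"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample: the stock file with only the GPS line changed.
SAMPLE_CONF="${TMPDIR:-/tmp}/kismet_drone.sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
dronelisten=tcp://127.0.0.1:2502
# allowedhosts=127.0.0.1,10.10.10.0/255.255.255.0
droneallowedhosts=127.0.0.1
gps=false
ncsource=null
EOF
check_drone_conf "$SAMPLE_CONF" || echo "$? problem(s) found; fix before starting kismet_drone"
```

Run it on the device as `sh check.sh` after editing, or point check_drone_conf at /etc/kismet/kismet_drone.conf; a zero exit status means all four settings were changed.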

Start the drone

After you have configured the Kismet Drone conf file, you can attempt to start it up by running:

root@OpenWrt:~# kismet_drone

If you have misconfigured anything you will get:

*** KISMET DRONE HAS ENCOUNTERED A FATAL ERROR AND CANNOT CONTINUE.  ***

Otherwise you should see the Kismet Drone process start up with a bunch of messages...

To stop the kismet_drone process press Ctrl-c

Set the drone to start at boot

Now we need to set the drone to start at boot.

Start by creating an init.d script, /etc/init.d/kismet-drone:

root@OpenWrt:~# nano /etc/init.d/kismet-drone

Copy and Paste the following script into that file:

#!/bin/sh /etc/rc.common
# Kismet Drone Startup Script
# Copyright (C) 2007 OpenWrt.org + RenderLab.net

START=70
STOP=15

boot() {
        echo boot
        # commands to run at boot

        # continue with the start() section
        start
}

start() {
        echo start
        # commands to launch application
        kismet_drone
}

stop() {
        echo stop
        # commands to kill application
        killall kismet_drone
}

#END OF FILE: DO NOT COPY PAST THIS POINT

When you are done creating the file, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x

You will need to make the script executable with this command:
    
root@OpenWrt:~# chmod +x /etc/init.d/kismet-drone

Next you need to enable the script to run at boot:

root@OpenWrt:~# /etc/init.d/kismet-drone enable

Apply the Configuration

Once again, we will reboot the device
    
    root@OpenWrt:~# reboot

The drone setup should be complete now.

Kismet Configuration

Installing Kismet is beyond the scope of this tutorial.  To configure Kismet to use a drone you will need to edit the kismet.conf file.

Add a permanent entry to kismet.conf:
    ncsource=drone:host=(IP Address of Drone),port=2502

You can add more ncsource lines as you add more drones to your network.

Start up Kismet... and you should be up and running.

One more tip: you will need a newer version of Kismet to make this work.  (The one in the 10.04 Ubuntu repository is too old.)


Credit where Credit is Due

Sources for tutorial information:
The Renderlab: Kismet Newcore Drone Build Hacking - http://www.renderlab.net/projects/newcore/newcore-drone/drone.html
OpenWRT Website - http://openwrt.org/


