Kismet
A Kismet drone may be used as a remote wireless sniffer to collect wireless data from a remote location and/or multiple locations and report it back to the centralized Kismet server, where it can be analyzed.
Linksys WRT54G and other OpenWRT Compatible Devices
This tutorial will explain how to configure a Linksys WRT54G as a Kismet Drone.
You might have several Linksys WRT wireless access points lying around home or the office. I did. You will find that these devices work perfectly for monitoring your wireless networks and potential threats. This should also work for any device that will run the OpenWRT firmware, although I cannot guarantee the same results on any other device.
Disclaimer
This tutorial is not for the faint of heart, novice user, or any n00b. It is expected that you will have some significant experience with Linux and Kismet in order to complete this tutorial.
In the process of following this tutorial you could inadvertently and permanently brick (break) your device. I am not responsible for this, or anything else that happens as a result of you following this tutorial.
You also take all responsibility for any legal ramifications of the use of wireless sniffing software, or any action you take in connection with this tutorial. You are responsible for being aware of your local laws concerning the use of this Open Source software and the use of wireless sniffing programs.
THERE IS NO WARRANTY FOR THE INFORMATION ON THIS SITE TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THIS INFORMATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE INFORMATION IS WITH YOU. SHOULD THIS INFORMATION PROVE INCORRECT OR BAD PRACTICE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THIS INFORMATION AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS INFORMATION (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROCESS DESCRIBED TO FUNCTION WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This Tutorial is Copyrighted under the GPL v3 by supertechguy.com http://www.gnu.org/licenses/gpl.html
OpenWRT
To begin, you must install the OpenWRT firmware on your WRT54G. To do so, you will need to visit the OpenWRT website: http://openwrt.org/ and select the correct build for your device. This can be a bit tricky: you will need to reference the supported hardware page to determine the chipset in your device and which build to select. I would recommend that you start here: http://wiki.openwrt.org/doc/howto/beginner. If a build with the Linux 2.6 kernel is available for your hardware, you should use it.
Also, I would highly recommend that you reset the device to its factory defaults at the same time or after flashing the firmware.
Kismet Drone
Once you have installed the OpenWRT firmware, you should be aware that OpenWRT works like many other Open Source Linux operating systems in that it has a package management system. To access it you will need to either log in to the web interface or use SSH.
To simplify this tutorial we will use SSH to install the Kismet Drone packages on the device.
Login
Log in using the default credentials (User: root, Password: admin)
BusyBox v1.15.3 (2010-04-06 04:08:20 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
Backfire (10.03, r20728) --------------------------
* 1/3 shot Kahlua In a shot glass, layer Kahlua
* 1/3 shot Bailey's on the bottom, then Bailey's,
* 1/3 shot Vodka then Vodka.
---------------------------------------------------
The very first thing that you should do is change the root password.
root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
Package Management
Update available packages
root@OpenWrt:~# opkg update
Install the Kismet Drone Package
root@OpenWrt:~# opkg install kismet-drone
Install nano (you'll need a text editing program in the next step)
root@OpenWrt:~# opkg install nano
Optimize the device
Disable the web interface to save memory (memory doesn't grow on trees out here):
root@OpenWrt:~# /etc/init.d/uhttpd disable
Configuration Changes
Edit /etc/config/network
root@OpenWrt:~# nano /etc/config/network
Currently the file should look like this:
option enable 1
config switch_vlan eth0_0
option device "eth0"
option vlan 0
option ports "1 2 3 4 5"
config switch_vlan eth0_1
option device "eth0"
option vlan 1
option ports "0 5"
#### Loopback configuration
config interface loopback
option ifname "lo"
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
option type bridge
option ifname "eth0.0"
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0
option ifname "eth0.1"
option proto dhcp
Change the following lines under '#### LAN configuration'
option ipaddr 192.168.1.1 -> option ipaddr (Device IP Address)
option netmask 255.255.255.0 -> option netmask (Correct Netmask)
Add the following lines at the bottom of the '#### LAN configuration' section:
option gateway (Gateway IP Address)
option dns (IP Address of DNS Server)
option defaultroute 0
option peerdns 0
So when you're finished, your configuration in the '#### LAN configuration' section might look something like this:
option netmask 255.255.255.0
When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
Next, edit /etc/config/dhcp
root@OpenWrt:~# nano /etc/config/dhcp
The file should look like this:
option filterwin2k '0' #enable for dial on demand
option localise_queries 1
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
#list server '/mycompany.local/1.2.3.4'
You need to delete the following lines under the 'config dhcp lan' section
option start 100
option limit 150
option leasetime 12h
Then add the following line under the 'config dhcp lan' section
option ignore 1
So when you're finished the file should look like this:
option filterwin2k '0' #enable for dial on demand
option localise_queries 1
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
#list server '/mycompany.local/1.2.3.4'
When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
Apply the Configuration
Next, you need to reboot the device so all your settings can be applied.
root@OpenWrt:~# reboot
After the device reboots you will need to connect it directly to your network and log in via SSH. Once you have logged back into the device you can finish the Kismet drone setup.
More Configuration Changes
Next, edit /etc/config/wireless
root@OpenWrt:~# nano /etc/config/wireless
Currently the file should look like this:
config wifi-device radio0
option macaddr (YOUR MAC ADDRESS)
# REMOVE THIS LINE TO ENABLE WIFI:
You need to change the following lines:
option disabled 1 -> option disabled 0
option mode ap -> option mode monitor
You also should remove the following line:
option encryption none
So when you are done it should look like this:
config wifi-device radio0
option macaddr (YOUR MAC ADDRESS)
# REMOVE THIS LINE TO ENABLE WIFI:
When you are done, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
Next you will need to edit /etc/kismet/kismet_drone.conf
root@OpenWrt:~# nano /etc/kismet/kismet_drone.conf
We will only need to work with a few lines of the file, but I would highly suggest reading through the entire file and modifying it to your needs.
# Kismet drone config file
# Name of drone server (informational)
# Protocol, interface, and port to listen on
dronelisten=tcp://127.0.0.1:2502
# Hosts allowed to connect, comma separated. May include netmasks.
# allowedhosts=127.0.0.1,10.10.10.0/255.255.255.0
droneallowedhosts=127.0.0.1
# Maximum number of drone clients
# Do we use a locally serial attached GPS, or use a gpsd server?
# What serial device do we look for the GPS on?
# Host:port that GPSD is running on. This can be localhost OR remote!
# Do we lock the mode? This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will
# fix problems with GPS units with broken NMEA that report lock 0
# Do we try to reconnect if we lose our link to the GPS, or do we just
# let it die and be disabled?
# See the README for full information on the new source format
# ncsource=interface:options
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
# Special per-source options
# sourceopts=[sourcename|*]:opt1,opt2
# sourceopts=*:fuzzycrypt,weakvalidate
# Comma-separated list of sources to enable, if you don't want to enable all
# the sources you defined.
# enablesource=source1,source2
# How many channels per second do we hop? (1-10)
# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
# Users outside the US might want to use this list:
# channellist=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10
channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165
channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165
# See the README for full information on the new source format
You will need to change the following lines:
servername=Kismet-Drone -> servername=My-Kismet-Drone-Name
dronelisten=tcp://127.0.0.1:2502 -> dronelisten=tcp://(Device IP address):2502
droneallowedhosts=127.0.0.1 -> droneallowedhosts=(IP Address of Kismet Server)
gps=true -> gps=false
If you used an OpenWRT build with the Linux 2.6 kernel you need to change the following line:
ncsource=null -> ncsource=wlan0 (This should work for most 2.6 kernels)
If that doesn't work, or if you used an OpenWRT build with the Linux 2.4 kernel, you can try the following ncsource option:
If you are still running into problems, good luck; I would suggest finding a Linux expert and using Google.
Again, when you are done editing the file, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
Start the drone
After you have configured the Kismet Drone conf file, you can attempt to start it up by running:
root@OpenWrt:~# kismet_drone
If you have misconfigured anything you will get:
*** KISMET DRONE HAS ENCOUNTERED A FATAL ERROR AND CANNOT CONTINUE. ***
Otherwise you should see the Kismet Drone process start up with a bunch of messages...
To stop the kismet_drone process press Ctrl-c
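Before starting the drone, the edits to kismet_drone.conf described above can be checked from the shell, which catches the fatal-error case without a reboot cycle. This is an added example and not part of the original tutorial; the config path and the Kismet server address are passed in by the caller and are assumptions.

```shell
#!/bin/sh
# check_drone_conf FILE SERVER_IP
# Reports every setting that still has the value the tutorial asks you to
# change and returns 1 if any is wrong. Added example, not from the tutorial;
# FILE and SERVER_IP are supplied by the caller. Netmask-style entries in
# droneallowedhosts (e.g. 10.0.0.0/255.0.0.0) are not parsed by this check.

# Print the value of the last uncommented KEY= line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

check_drone_conf() {
    conf="$1"; server="$2"; rc=0

    # The listener must be on the device's own address, not loopback and
    # not every interface.
    listen=$(conf_value "$conf" dronelisten)
    case "$listen" in
        tcp://127.0.0.1:*) echo "dronelisten is still bound to loopback: $listen"; rc=1 ;;
        tcp://0.0.0.0:*)   echo "dronelisten is bound to every interface: $listen"; rc=1 ;;
        tcp://*:*)         ;;
        *)                 echo "dronelisten is missing or malformed: '$listen'"; rc=1 ;;
    esac

    # The allow list must name the Kismet server that will connect.
    allowed=$(conf_value "$conf" droneallowedhosts)
    case ",$allowed," in
        *",$server,"*) ;;
        *) echo "droneallowedhosts does not include $server: '$allowed'"; rc=1 ;;
    esac

    # The WRT54G has no GPS, so the drone must not wait for one.
    [ "$(conf_value "$conf" gps)" = "false" ] || { echo "gps is not false"; rc=1; }

    # A null source captures nothing; the tutorial uses wlan0 on 2.6 kernels.
    src=$(conf_value "$conf" ncsource)
    case "$src" in
        ""|null) echo "ncsource is unset or null: nothing will be captured"; rc=1 ;;
    esac

    return $rc
}
```

Run it as `check_drone_conf /etc/kismet/kismet_drone.conf <server IP>` on the device; a clean run prints nothing and exits 0.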
Set the drone to start at boot
Now we need to set the drone to start at boot. Start by creating an init.d script, /etc/init.d/kismet-drone:
root@OpenWrt:~# nano /etc/init.d/kismet-drone
Copy and Paste the following script into that file:
# Kismet Drone Startup Script
# Copyright (C) 2007 OpenWrt.org + RenderLab.net
# commands to run at boot
# continue with the start() section
# commands to launch application
# commands to kill application
#END OF FILE: DO NOT COPY PAST THIS POINT
When you are done creating the file, you should save the file by pressing Ctrl-o <enter>
You can then exit by pressing Ctrl-x
You will need to make the script executable with this command:
root@OpenWrt:~# chmod +x /etc/init.d/kismet-drone
Next you need to enable the script to run at boot:
root@OpenWrt:~# /etc/init.d/kismet-drone enable
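An OpenWrt rc.common init script that starts and stops the drone as the steps above describe. This is an added example, not the script from the original tutorial; it assumes the kismet_drone binary installed by the kismet-drone package reads its default config, and the pid file path is my choice.

```shell
#!/bin/sh /etc/rc.common
# Added example of /etc/init.d/kismet-drone for OpenWrt; not the script from
# the original tutorial. The first line hands the script to rc.common, which
# provides the start/stop/enable commands the tutorial uses.
START=99
STOP=10

# Assumption: kismet_drone is on PATH and reads /etc/kismet/kismet_drone.conf
# by default, so it needs no arguments (as when run by hand on this page).
PIDFILE=/var/run/kismet_drone.pid

start() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "kismet_drone already running" >&2
        return 1
    fi
    # Run detached from the console and remember the pid for stop().
    kismet_drone > /dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

stop() {
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
        rm -f "$PIDFILE"
    else
        # Fallback when the pid file is missing (e.g. after a manual start).
        killall kismet_drone 2>/dev/null
    fi
    return 0
}
```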
Apply the Configuration
Once again, we will reboot the device. The drone setup should be complete now.
Kismet Configuration
Installing Kismet is beyond the scope of this tutorial. To configure Kismet to use a drone you will need to edit the kismet.conf file.
Add a permanent entry to kismet.conf:
ncsource=drone:host=(IP Address of Drone),port=2502
You can add more ncsource lines as you add more drones to your network.
Start up Kismet... and you should be up and running.
One more tip: you will need a newer version of Kismet to make this work. (The one in the Ubuntu 10.04 repository is too old.)
Credit where Credit is Due
Sources for tutorial information: