supertechguy.com

## Kismet

"Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system." (http://www.kismetwireless.net/)

A Kismet drone may be used as a remote wireless sniffer to collect wireless data from a remote location and/or multiple locations and report it back to the centralized Kismet server, where it can be analyzed.

## Linksys WRT54G and other OpenWRT Compatible Devices

This tutorial will explain how to configure a Linksys WRT54G as a Kismet Drone. You might have several Linksys WRT wireless access points lying around home or the office. I did. You will find that these devices work perfectly for monitoring your wireless networks and potential threats. This should also work for any device that will run the OpenWRT firmware, although I cannot guarantee the same results on any device.

## Disclaimer

This tutorial is not for the faint of heart, novice user, or any n00b. It is expected that you will have some significant experience with Linux and Kismet in order to complete this tutorial. In the process of following this tutorial you could inadvertently and permanently brick (break) your device. I am not responsible for this, or anything else that happens as a result of you following this tutorial. You also take all responsibility for any legal ramifications of the use of wireless sniffing software, or any action you take in connection with this tutorial. You are responsible for being aware of your local laws concerning the use of this Open Source software and the use of wireless sniffing programs.

THERE IS NO WARRANTY FOR THE INFORMATION ON THIS SITE TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE INFORMATION IS WITH YOU.
SHOULD THIS INFORMATION PROVE INCORRECT OR BAD PRACTICE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THIS INFORMATION AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS INFORMATION (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROCESS DESCRIBED TO FUNCTION WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

This Tutorial is Copyrighted under the GPL v3 by supertechguy.com: http://www.gnu.org/licenses/gpl.html

## OpenWRT

To begin you must install the OpenWRT firmware on your WRT54G. To do so, you will need to visit the OpenWRT website, http://openwrt.org/, and select the correct build for your device. This can be just a bit tricky to do: you will need to reference the supported hardware page to determine the chipset in your device, and which build to select. I would recommend that you start here: http://wiki.openwrt.org/doc/howto/beginner. If a build with the Linux 2.6 kernel is available for your hardware, you should use it. Also, I would highly recommend that you reset the device to its factory defaults at the same time as or after flashing the firmware.

## Kismet Drone

Once you have installed the OpenWRT firmware, you should be aware that OpenWRT works like many other Open Source Linux operating systems in that it has a package management system. To access it you will need to either log in to the Web interface or use SSH. To simplify this tutorial we will use SSH to install the Kismet Drone packages on the device. Use an SSH client to connect to the device.
(For you Windows users out there, PuTTY is an excellent choice for this: http://www.chiark.greenend.org.uk/~sgtatham/putty/)

### Login

Log in using the default credentials:

- User: root
- Password: admin

```
BusyBox v1.15.3 (2010-04-06 04:08:20 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03, r20728) --------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
```

### Changing the password

The very first thing that you should do is change the root password.

```
root@OpenWrt:~# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
```

### Package Management

Update available packages:

```
root@OpenWrt:~# opkg update
```

Install the Kismet Drone package:

```
root@OpenWrt:~# opkg install kismet-drone
```

Install nano (you'll need a text editing program in the next step):

```
root@OpenWrt:~# opkg install nano
```

### Optimize the device

Disable the Web Interface, to save memory...
(Memory doesn't grow on trees out here.)

```
root@OpenWrt:~# /etc/init.d/uhttpd disable
```

## Configuration Changes

Edit /etc/config/network:

```
root@OpenWrt:~# nano /etc/config/network
```

Currently the file should look like this:

```
#### VLAN configuration
config switch eth0
	option enable 1

config switch_vlan eth0_0
	option device "eth0"
	option vlan 0
	option ports "1 2 3 4 5"

config switch_vlan eth0_1
	option device "eth0"
	option vlan 1
	option ports "0 5"

#### Loopback configuration
config interface loopback
	option ifname "lo"
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

#### LAN configuration
config interface lan
	option type bridge
	option ifname "eth0.0"
	option proto static
	option ipaddr 192.168.1.1
	option netmask 255.255.255.0

#### WAN configuration
config interface wan
	option ifname "eth0.1"
	option proto dhcp
```

Change the following lines under '#### LAN configuration':

```
option ipaddr 192.168.1.1     -> option ipaddr (Device IP Address)
option netmask 255.255.255.0  -> option netmask (Correct Netmask)
```

Add the following lines at the bottom of the '#### LAN configuration' section:

```
option gateway (Gateway IP Address)
option dns (IP Address of DNS Server)
option defaultroute 0
option peerdns 0
```

So when you're finished, your configuration in the '#### LAN configuration' section might look something like this:

```
#### LAN configuration
config interface lan
	option type bridge
	option ifname "eth0.0"
	option proto static
	option ipaddr 10.0.0.15
	option netmask 255.255.255.0
	option gateway 10.0.0.1
	option dns 8.8.8.8
	option defaultroute 0
	option peerdns 0
```

When you are done, you should save the file by pressing Ctrl-o. You can then exit by pressing Ctrl-x.

Next, edit /etc/config/dhcp:

```
root@OpenWrt:~# nano /etc/config/dhcp
```

The file should look like this:

```
config dnsmasq
	option domainneeded 1
	option boguspriv 1
	option filterwin2k '0'  #enable for dial on demand
	option localise_queries 1
	option local '/lan/'
	option domain 'lan'
	option expandhosts 1
	option nonegcache 0
	option authoritative 1
	option readethers 1
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	#list server '/mycompany.local/1.2.3.4'
	#option nonwildcard 1
	#list interface br-lan
	#list notinterface lo

config dhcp lan
	option interface lan
	option start 100
	option limit 150
	option leasetime 12h

config dhcp wan
	option interface wan
	option ignore 1
```

You need to delete the following lines under the 'config dhcp lan' section:

```
option start 100
option limit 150
option leasetime 12h
```

Then add the following line under the 'config dhcp lan' section, so the drone does not hand out DHCP leases on the network it is plugged into:

```
option ignore 1
```

So when you're finished the file should look like this:

```
config dnsmasq
	option domainneeded 1
	option boguspriv 1
	option filterwin2k '0'  #enable for dial on demand
	option localise_queries 1
	option local '/lan/'
	option domain 'lan'
	option expandhosts 1
	option nonegcache 0
	option authoritative 1
	option readethers 1
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	#list server '/mycompany.local/1.2.3.4'
	#option nonwildcard 1
	#list interface br-lan
	#list notinterface lo

config dhcp lan
	option interface lan
	option ignore 1

config dhcp wan
	option interface wan
	option ignore 1
```

When you are done, you should save the file by pressing Ctrl-o. You can then exit by pressing Ctrl-x.

## Apply the Configuration

Next, you need to reboot the device so all your settings can be applied.

```
root@OpenWrt:~# reboot
```

## Login

After the device reboots you will need to connect it directly into your network and log in via SSH. Once you have logged back into the device you can finish up the Kismet drone setup.

```
BusyBox v1.15.3 (2010-04-06 04:08:20 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
```
## More Configuration Changes

Next, edit /etc/config/wireless:

```
root@OpenWrt:~# nano /etc/config/wireless
```

Currently the file should look like this:

```
config wifi-device radio0
	option type mac80211
	option channel 5
	option macaddr (YOUR MAC ADDRESS)
	option hwmode 11g
	# REMOVE THIS LINE TO ENABLE WIFI:
	option disabled 1

config wifi-iface
	option device radio0
	option network lan
	option mode ap
	option ssid OpenWrt
	option encryption none
```

You need to change the following lines, so the radio comes up in monitor mode instead of as an access point:

```
option disabled 1  -> option disabled 0
option mode ap     -> option mode monitor
```

You also should remove the following line:

```
option encryption none
```

So when you are done it should look like this:

```
config wifi-device radio0
	option type mac80211
	option channel 5
	option macaddr (YOUR MAC ADDRESS)
	option hwmode 11g
	# REMOVE THIS LINE TO ENABLE WIFI:
	option disabled 0

config wifi-iface
	option device radio0
	option network lan
	option mode monitor
	option ssid OpenWrt
```

When you are done, you should save the file by pressing Ctrl-o. You can then exit by pressing Ctrl-x.

Next you will need to edit /etc/kismet/kismet_drone.conf:

```
root@OpenWrt:~# nano /etc/kismet/kismet_drone.conf
```

We will only need to work with a few lines of the file, but I would highly suggest reading through the entire file and modifying it to your needs.

```
# Kismet drone config file
version=newcore.1

# Name of drone server (informational)
servername=Kismet-Drone

# Drone configuration
# Protocol, interface, and port to listen on
dronelisten=tcp://127.0.0.1:2502

# Hosts allowed to connect, comma separated.  May include netmasks.
# allowedhosts=127.0.0.1,10.10.10.0/255.255.255.0
droneallowedhosts=127.0.0.1

# Maximum number of drone clients
dronemaxclients=10

droneringlen=65535

# Do we have a GPS?
gps=true

# Do we use a locally serial attached GPS, or use a gpsd server?
# (Pick only one)
gpstype=gpsd
# gpstype=serial

# What serial device do we look for the GPS on?
gpsdevice=/dev/rfcomm0

# Host:port that GPSD is running on.  This can be localhost OR remote!
gpshost=localhost:2947

# Do we lock the mode?  This overrides coordinates of lock "0", which will
# generate some bad information until you get a GPS lock, but it will
# fix problems with GPS units with broken NMEA that report lock 0
gpsmodelock=false

# Do we try to reconnect if we lose our link to the GPS, or do we just
# let it die and be disabled?
gpsreconnect=true

# See the README for full information on the new source format
# ncsource=interface:options
ncsource=null
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11

# Special per-source options
# sourceopts=[sourcename|*]:opt1,opt2
# sourceopts=*:fuzzycrypt,weakvalidate

# Comma-separated list of sources to enable, if you don't want to enable all
# the sources you defined.
# enablesource=source1,source2

# How many channels per second do we hop?  (1-10)
channelvelocity=5

# By setting the dwell time for channel hopping we override the channelvelocity
# setting above and dwell on each channel for the given number of seconds.
#channeldwell=10

# Users outside the US might want to use this list:
# channellist=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10

# US IEEE 80211a
channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165

# Combo
channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165

# See the README for full information on the new source format
```

You will need to change the following lines:

```
servername=Kismet-Drone           -> servername=My-Kismet-Drone-Name
dronelisten=tcp://127.0.0.1:2502  -> dronelisten=tcp://(Device IP address):2502
droneallowedhosts=127.0.0.1       -> droneallowedhosts=(IP Address of Kismet Server)
gps=true                          -> gps=false
```

If you used an OpenWRT build with the Linux 2.6 kernel you need to change the following line:

```
ncsource=null -> ncsource=wlan0
```

(This should work for most 2.6 kernels.) If that doesn't work, or if you used an OpenWRT build with the Linux 2.4 kernel, you can try the following ncsource option:

```
ncsource=ath0
```

If you are still running into problems, good luck; I would suggest finding a Linux expert and using Google.

Again, when you are done editing the file, you should save it by pressing Ctrl-o. You can then exit by pressing Ctrl-x.

## Start the drone

After you have configured the Kismet Drone conf file, you can attempt to start it up by running:

```
root@OpenWrt:~# kismet_drone
```

If you have misconfigured anything you will get:

```
*** KISMET DRONE HAS ENCOUNTERED A FATAL ERROR AND CANNOT CONTINUE. ***
```

Otherwise you should see the Kismet Drone process start up with a bunch of messages... To stop the kismet_drone process press Ctrl-c.

## Set the drone to start at boot

Now we need to set the server to start at boot.
Start by creating an init.d script, /etc/init.d/kismet-drone:

```
root@OpenWrt:~# nano /etc/init.d/kismet-drone
```

Copy and paste the following script into that file:

```
#!/bin/sh /etc/rc.common
# Kismet Drone Startup Script
# Copyright (C) 2007 OpenWrt.org + RenderLab.net

START=70
STOP=15

boot() {
	echo boot
	# commands to run at boot
	# continue with the start() section
	start
}

start() {
	echo start
	# commands to launch application
	kismet_drone
}

stop() {
	echo stop
	# commands to kill application
	killall kismet_drone
}
#END OF FILE: DO NOT COPY PAST THIS POINT
```

When you are done creating the file, you should save it by pressing Ctrl-o. You can then exit by pressing Ctrl-x.

You will need to make the script executable with this command:

```
root@OpenWrt:~# chmod +x /etc/init.d/kismet-drone
```

Next you need to enable the script to run at boot:

```
root@OpenWrt:~# /etc/init.d/kismet-drone enable
```

## Apply the Configuration

Once again, we will reboot the device:

```
root@OpenWrt:~# reboot
```

The drone should be completed now.

## Kismet Configuration

Installing Kismet is beyond the scope of this tutorial. To configure Kismet to use a drone you will need to edit the kismet.conf file. Add a permanent entry to kismet.conf:

```
ncsource=drone:host=(IP Address of Drone),port=2502
```

You can add more ncsource lines as you add more drones to your network. Start up Kismet... and you should be up and running.

One more TIP: you will need a newer version of Kismet to make this work. (The one in the 10.04 Ubuntu repository is too old.)

## Credit where Credit is Due

Sources for tutorial information:

- The Renderlab: Kismet Newcore Drone Build Hacking - http://www.renderlab.net/projects/newcore/newcore-drone/drone.html
- OpenWRT Website - http://openwrt.org/
- Kismet Website - http://www.kismetwireless.net/
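Before leaving a drone built this way running unattended, it is worth checking the files edited above the way a reviewer would: the dhcp and wireless edits are what stop the box from acting as a DHCP server and an open "OpenWrt" access point on the network it is plugged into, and droneallowedhosts is the only access control the drone configuration offers for connections to TCP port 2502. The script below is an added example, not part of this tutorial or of Kismet/OpenWRT; it takes the paths of /etc/config/network, /etc/config/dhcp, /etc/config/wireless and kismet_drone.conf, and the demo at the end runs it on constructed samples (10.0.0.5 is an assumed Kismet server address).

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the edited drone config files
# before deployment. Pass the real paths on the device, or copies of them.

# uci_opt FILE SECTION OPTION -> value of OPTION in the first UCI section whose
# type ("wifi-iface") or name ("lan") equals SECTION; surrounding quotes removed.
uci_opt() {
    awk -v sec="$2" -v opt="$3" -v sq="'" '
        $1 == "config" { insec = ($2 == sec || $3 == sec) }
        insec && $1 == "option" && $2 == opt {
            v = $3; gsub("[\"" sq "]", "", v); print v; exit
        }' "$1"
}

# kv KEY FILE -> value of the first uncommented KEY=value line in kismet_drone.conf.
kv() { sed -n "s/^$1=//p" "$2" | head -n 1; }

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_drone NETWORK DHCP WIRELESS DRONE_CONF -> prints findings, returns their count.
audit_drone() {
    fails=0
    [ "$(uci_opt "$1" lan proto)" = "static" ] || fail "lan is not a static address"
    [ "$(uci_opt "$2" lan ignore)" = "1" ] || fail "dhcp lan section still hands out leases"
    [ "$(uci_opt "$3" radio0 disabled)" = "0" ] || fail "radio0 is still disabled"
    [ "$(uci_opt "$3" wifi-iface mode)" = "monitor" ] || fail "wifi-iface is not in monitor mode"
    case "$(kv dronelisten "$4")" in
        ""|*127.0.0.1*) fail "dronelisten is loopback-only; the Kismet server cannot connect" ;;
    esac
    case "$(kv droneallowedhosts "$4")" in
        ""|127.0.0.1|0.0.0.0/*|*,0.0.0.0/*) fail "droneallowedhosts must name the Kismet server only" ;;
    esac
    [ "$(kv gps "$4")" = "false" ] || fail "gps is still true on a drone without a GPS"
    [ "$(kv ncsource "$4")" != "null" ] || fail "ncsource is still null; no capture interface set"
    return "$fails"
}

# Demo on constructed samples mirroring the tutorial's finished files.
# 10.0.0.15 is the drone address from the tutorial; 10.0.0.5 is an assumed server address.
d=$(mktemp -d)
printf 'config interface lan\n\toption proto static\n\toption ipaddr 10.0.0.15\n' > "$d/network"
printf 'config dhcp lan\n\toption interface lan\n\toption ignore 1\n' > "$d/dhcp"
printf 'config wifi-device radio0\n\toption disabled 0\nconfig wifi-iface\n\toption mode monitor\n' > "$d/wireless"
printf 'dronelisten=tcp://10.0.0.15:2502\ndroneallowedhosts=10.0.0.5\ngps=false\nncsource=wlan0\n' > "$d/kismet_drone.conf"
if audit_drone "$d/network" "$d/dhcp" "$d/wireless" "$d/kismet_drone.conf"; then echo "OK: drone configs pass"; fi
rm -rf "$d"
```

Run it on the drone before the final reboot, or copy the four files off and run it anywhere sh and awk are available; a non-zero exit status is the number of findings.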