Thursday, May 4, 2023

There Goes The Neighborhood: Building a Basic Wardriving rig

 

Image Source: https://ssoih.com

In this post I am going to show you how to make a basic wardriving rig for collecting signal intelligence for the 802.11 protocol.

For this project, let's get the basics of setting the rig up. Below is a list of the hardware and software I used to build it out. This is not the only way to do it, just what I had available.

Hardware Used:
  • WiFi Adapter - Alfa Network model AWUS036NH
  • Power Supply - EasyACC power bank
  • Board - Raspberry Pi 4 Model B, 64-bit (I am using the model with 8 GB of RAM)
  • Antenna - Alfa Network 9 dBi SMA omni-directional high-gain WiFi antenna
  • Micro SD - high-speed class 10 microSD card and an SD adapter for it
  • SD card USB - MemoryMarket USB card reader (if your computer does not have an SD slot)
  • Case - CanaKit Raspberry Pi 4 case
  • GPS Module - BU-353S4
  • Cables - USB-C to USB-C and micro HDMI to HDMI

Software Used:
  • Kali Linux Pi Image - kali-linux-2021.2-rpi4-nexmon-64
  • Etcher SD image flasher - BalenaEtcher

Flashing The Kali Image

Downloading and flashing the Kali image to the microSD card is nice and easy with Etcher. Before you flash, compare the image's SHA256 checksum with the value published on the Kali download page; a corrupted or tampered download is the one thing Etcher cannot catch for you. Then fire up Etcher.
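The checksum comparison, as an added example (not code from the original post): Kali publishes a SHA256SUMS file next to each image, with lines of the form "<sha256>  <filename>", plus a detached SHA256SUMS.gpg signature. The function below looks the image up in that list and compares it against sha256sum, distinguishing "matches", "mismatch" and "not listed" so a typo in the filename is not mistaken for a good checksum. The signature check assumes you have already imported the Kali archive signing key as described on the download page; the test data is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA256SUMS list before flashing it.
# Not part of the original post. Run as: sh verify_image.sh SHA256SUMS <image file>

# verify_image SUMS_FILE IMAGE_PATH
#   returns 0 = checksum matches, 1 = mismatch, 2 = image not listed, 3 = image unreadable
verify_image() {
    sums=$1
    image=$2
    name=$(basename "$image")
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 3; }
    # Some lists prefix binary-mode entries with '*' (e.g. "<hash>  *file.img.xz"); strip it.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_sums_signature SUMS_FILE: check the detached signature SUMS_FILE.gpg.
# Assumes the Kali archive signing key is already in your keyring; otherwise gpg reports
# "No public key" and this returns non-zero, which is the correct (untrusted) answer.
verify_sums_signature() {
    sums=$1
    [ -f "$sums.gpg" ] || { echo "no $sums.gpg found, cannot verify the list itself" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --verify "$sums.gpg" "$sums"
}

if [ $# -eq 2 ]; then
    verify_sums_signature "$1" || echo "warning: checksum list is not signature-verified" >&2
    verify_image "$1" "$2"
fi
```

A checksum only proves the bytes match the list you downloaded; the signature check is what ties that list to Kali, so do not skip it on a machine you care about.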


After firing up Etcher, select your Kali image, select your microSD card as the destination and hit flash. This can take around 20 minutes, so it is time to grab some coffee.

When Etcher has finished flashing, eject the card and pop it in your Pi 4. It is now time to connect our cables and configure the OS.

Plug the micro HDMI cable into your Pi and connect it to your monitor (VNC or SSH work as an alternative if you prefer), then power the Pi from the power bank with the USB-C cable.

Once the Kali image has booted we are greeted with a login screen. The default creds are kali:kali.

So, there you have it. The OS is up and running on our Pi. The next step is configuring the microSD card and the OS.

Resizing the microSD card

When the OS is flashed to the microSD card only two partitions are created, BOOT and ROOTFS; the rest of the card is left as unallocated space. This is a problem: it leaves very little room for us, and once the root filesystem fills up you end up in a login-screen loop.

To fix this we will use GParted, a partition editor. Open a terminal in Kali and type "gparted". You will be prompted for the default password "kali" (we will fix the default creds next).

Once GParted is up, select the ext4 partition (ROOTFS), open the "Partition" menu and choose "Resize/Move". This opens a new window; drag the size bar all the way to the right.

You should now see "Free space following (MiB)" showing a value of 0. Click "Resize/Move", then the green check mark icon to apply the changes. I have included a screenshot below to better demonstrate the steps.



Configuring and updating the OS

Now that we have the basics taken care of we need to update, configure, and secure our Kali OS.

First things first, let's update that password. In the terminal type "passwd" and supply a new password of your choice. It would also be wise to change the hostname (it lives in /etc/hostname, with a matching entry in /etc/hosts), so the rig does not announce itself under the image's default name.

Kali images ship with a pre-generated set of SSH host keys, and the same private keys are in every copy of the image. Anyone who has downloaded the image can therefore impersonate our Pi to an SSH client (a man-in-the-middle position) or quietly reuse our SSH access, so the keys need replacing before we trust SSH on this box. We will keep the default keys around in a separate directory in case we need them for some reason; sshd only reads the key files at its configured paths, so moved keys are harmless there.

In your terminal, cd into /etc/ssh. Create a new directory called default_keys and move all the default host key files (the ssh_host_* files) into it.



With the old keys out of the way, generate a new set with "sudo dpkg-reconfigure openssh-server". This only creates host keys that are missing, which is exactly why moving the old ones first matters: run it against the original files and nothing changes. Restart the SSH service afterwards so it loads the new keys, and expect a host-key-changed warning on any client that already connected to the default keys. That's it: we have replaced our SSH keys, updated the password, and opened up space on the microSD card. We are finally ready to update the OS.
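The key rotation above as one script, added here as an example rather than taken from the original post. The backup step takes the directory as a parameter only so it can be exercised on a scratch directory; on the Pi it operates on /etc/ssh and is run with --apply as root. The regeneration and fingerprint steps need openssh-server installed and are not exercised by the scratch run.

```shell
#!/bin/sh
# Added example: rotate the SSH host keys shipped in the image. Not part of the original post.
# Both "dpkg-reconfigure openssh-server" and "ssh-keygen -A" only create host keys that are
# MISSING, so the shipped keys have to be moved out of /etc/ssh first or nothing is replaced.
# Run as: sudo sh rotate_host_keys.sh --apply

# backup_default_keys SSH_DIR: move every ssh_host_* file out of SSH_DIR into SSH_DIR/default_keys
# and print how many files were moved (0 means there was nothing to rotate).
backup_default_keys() {
    dir=${1:-/etc/ssh}
    mkdir -p "$dir/default_keys"
    chmod 700 "$dir/default_keys"        # old private keys stay root-only
    n=0
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] || continue           # glob matched nothing
        mv "$f" "$dir/default_keys/"
        n=$((n + 1))
    done
    echo "$n"
}

# regenerate_host_keys: recreate the (now missing) host keys and restart sshd so it loads them.
regenerate_host_keys() {
    dpkg-reconfigure openssh-server       # equivalent: ssh-keygen -A
    systemctl restart ssh
}

# show_fingerprints SSH_DIR: print the new fingerprints. Note these down now; when you SSH in
# from another machine later, this is what you compare against.
show_fingerprints() {
    dir=${1:-/etc/ssh}
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] && ssh-keygen -lf "$pub"
    done
}

if [ "${1:-}" = "--apply" ]; then
    moved=$(backup_default_keys /etc/ssh)
    echo "moved $moved default key file(s) into /etc/ssh/default_keys"
    regenerate_host_keys
    show_fingerprints /etc/ssh
fi
```

Sourcing the file without --apply defines the functions only, so nothing is touched by accident.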

Now update the OS with the following command in the terminal: "sudo apt-get update -y && sudo apt-get upgrade -y". Kali's own docs recommend "sudo apt update && sudo apt full-upgrade -y" instead, since on a rolling distro upgrades regularly need packages removed or replaced, which plain upgrade will hold back. Either way, make sure the Pi is connected to the internet via WiFi or Ethernet first.



Configuring Kismet

Kismet is a wireless framework used to detect devices, sniff traffic, wardrive, or act as a wireless intrusion detection system. You can get more information on Kismet at https://www.kismetwireless.net/.

We are using a GPS receiver with our rig, so before running Kismet we first need to set up the GPS and the Alfa adapter. Let's start with the Kismet config so it reads positions from the GPS.

We need to find which device node the GPS receiver shows up as on the Pi. There are several ways to do this; for simplicity we will use dmesg. Run dmesg and pipe the output to grep to list the serial devices the kernel has attached.

We will run this command twice, once without the GPS plugged in and once with it plugged in.



Same command, now with the GPS receiver plugged in:



As we can see, the GPS receiver is attached at usb 1-1.1 as ttyUSB0. Serial devices live under /dev on GNU/Linux, so the device node is /dev/ttyUSB0. That path is what gpsd needs, not Kismet: Kismet does not talk to the receiver directly but reads positions from gpsd over a local TCP port, so in kismet.conf we only have to enable the gpsd source.

Using your editor of choice, open /etc/kismet/kismet.conf with sudo privileges (here I am using vim). Locate the following line and uncomment it: "gps=gpsd:host=localhost,port=2947". Kismet also reads /etc/kismet/kismet_site.conf, where local overrides survive package upgrades; putting the line there instead works just as well.




Save and close kismet.conf. We now need to set up the GPS receiver on the OS, which means something that can interface with it. gpsd is a simple solution for our needs: by definition an "interface daemon for GPS receivers", according to its man page.

Installing gpsd is a simple task. Type "sudo apt install gpsd gpsd-clients -y" into the terminal (gpsd-clients provides cgps, used below) and we are good to go. After installing gpsd we just need to tell the daemon where the device is: "sudo gpsd -n /dev/ttyUSB0". The -n flag makes gpsd start reading the receiver immediately instead of waiting for a client to connect. One caveat: on Debian-based systems the packaged gpsd is started by systemd socket activation and may already be holding port 2947, in which case the manually started instance fails to bind; either stop the service first or, better, put the device in DEVICES="/dev/ttyUSB0" in /etc/default/gpsd and restart the service so it comes up on every boot.


You can check that your GPS receiver is working by typing "cgps" in the terminal.

It can take a few minutes for the receiver to acquire satellites and get a fix (a cold start, or sitting indoors, takes longer). Once it does, cgps shows your position and whether the fix is 2D or 3D. All that is left now is to set up our Alfa adapter, so let's get to it.
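The persistent version of the gpsd and Kismet configuration, plus a scriptable fix check for when the rig is running headless and there is no screen for cgps. This is an added example, not the post's own setup: it assumes the receiver is on /dev/ttyUSB0 and gpsd-clients (for gpspipe) is installed. The ROOT parameter exists only so the file writing can be exercised on a scratch directory; on the Pi it is / and needs sudo. The gpsd JSON sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: persistent gpsd/Kismet GPS config and a headless "do we have a fix?" check.
# Not part of the original post.

# write_gps_config ROOT DEVICE
#   ROOT/etc/default/gpsd         -> the gpsd service opens DEVICE at boot (-n: read without a client)
#   ROOT/etc/kismet/kismet_site.conf -> Kismet takes positions from the local gpsd; the site file
#                                       is the documented place for overrides that survive upgrades
write_gps_config() {
    root=${1:-}
    dev=${2:-/dev/ttyUSB0}
    mkdir -p "$root/etc/default" "$root/etc/kismet"
    cat > "$root/etc/default/gpsd" <<EOF
START_DAEMON="true"
USBAUTO="true"
DEVICES="$dev"
GPSD_OPTIONS="-n"
EOF
    cat > "$root/etc/kismet/kismet_site.conf" <<EOF
# local override: read GPS positions from gpsd on this host
gps=gpsd:host=localhost,port=2947
EOF
}

# gps_fix_mode: read gpsd JSON on stdin (e.g. "gpspipe -w -n 20 | gps_fix_mode") and print the
# mode of the last TPV report: 0 or 1 = no fix yet, 2 = 2D fix, 3 = 3D fix. Prints 0 when no TPV
# report was seen at all, which is what you get while the receiver is still searching.
gps_fix_mode() {
    mode=$(grep '"class":"TPV"' | sed -n 's/.*"mode":\([0-9]\).*/\1/p' | tail -n 1)
    echo "${mode:-0}"
}

# Constructed sample of gpspipe -w output (not a real capture): the first TPV has no fix,
# the last one is a 3D fix, so the check should report 3.
SAMPLE_GPSD_JSON='{"class":"VERSION","release":"3.22","proto_major":3,"proto_minor":14}
{"class":"DEVICES","devices":[{"class":"DEVICE","path":"/dev/ttyUSB0","driver":"NMEA0183"}]}
{"class":"TPV","device":"/dev/ttyUSB0","mode":1}
{"class":"TPV","device":"/dev/ttyUSB0","mode":3,"time":"2023-05-04T15:04:05.000Z","lat":38.0,"lon":-97.0}'

# sample_fix_mode: run the check over the constructed sample
sample_fix_mode() {
    printf '%s\n' "$SAMPLE_GPSD_JSON" | gps_fix_mode
}

echo "fix mode from sample: $(sample_fix_mode)"
```

On the Pi, after write_gps_config / /dev/ttyUSB0 as root, restart gpsd and run "gpspipe -w -n 20 | gps_fix_mode"; anything below 2 means wait (or move outside) before you start driving, since Kismet will happily log every network it sees with no coordinates attached.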

Configuring the Alfa WiFi adapter

Before we plug the dongle in we are going to run a few commands. As with the GPS receiver, we need to find out which interface name the WiFi adapter gets. We will use the "iwconfig" and "ip" commands to map this out and wrap up our build.

Typing "iwconfig" in the terminal lists all the wireless interfaces. It is the wireless counterpart of ifconfig; ifconfig is not available on every distro, but "ip" (ip link, ip addr) does the same job.

Let's use iwconfig to find the available wireless interfaces with no dongle plugged in, then use the "ip" command to show additional information on the interface.



Now that we have a baseline of which interfaces exist, let's plug in the WiFi adapter and run the same commands.

Comparing the results, our WiFi adapter is the interface labeled "wlan1", since it did not exist before. To use the adapter for sniffing we need to switch it to "monitor" mode, and airmon-ng from the aircrack-ng tool suite handles that. You can learn more about aircrack-ng at aircrack-ng.org.
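The before/after comparison done by eye above (dmesg for the GPS, iwconfig for the adapter) as a small script, added here as an example rather than taken from the post. It extracts the interesting names from each snapshot and prints whatever is new, so it also copes with a rig that already has several ttyUSB devices or wireless interfaces. The dmesg and iwconfig samples are constructed to look like the real output; they are not captures from the Pi.

```shell
#!/bin/sh
# Added example: find the device node or interface a freshly plugged-in USB device received by
# diffing "before" and "after" snapshots. Not part of the original post.
# On the Pi:  dmesg | tty_devices > /tmp/tty.before ; <plug in GPS> ;
#             dmesg | tty_devices > /tmp/tty.after ; new_entries /tmp/tty.before /tmp/tty.after

# new_entries BEFORE_FILE AFTER_FILE: print lines present in AFTER but not in BEFORE
new_entries() {
    if [ -s "$1" ]; then
        sort -u "$2" | grep -vxF -f "$1" || true   # grep exits 1 when nothing is new
    else
        sort -u "$2"                               # empty baseline: everything is new
    fi
}

# tty_devices: read dmesg text on stdin, print each ttyUSB*/ttyACM* node the kernel attached
tty_devices() {
    grep -oE 'tty(USB|ACM)[0-9]+' | sort -u
}

# wireless_ifaces: read iwconfig output on stdin, print interfaces that have wireless extensions
# (names start in column 1; continuation lines are indented; wired devices say "no wireless extensions")
wireless_ifaces() {
    awk 'NF && $0 !~ /^[ \t]/ && $0 !~ /no wireless extensions/ { print $1 }'
}

# find_new_devices EXTRACTOR BEFORE_TEXT AFTER_TEXT: apply EXTRACTOR to both snapshots, diff them
find_new_devices() {
    extract=$1
    b=$(mktemp)
    a=$(mktemp)
    printf '%s\n' "$2" | "$extract" > "$b"
    printf '%s\n' "$3" | "$extract" > "$a"
    new_entries "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed samples (not real captures) so the script runs without hardware.
DMESG_BEFORE='[    3.012345] usb 1-1.2: new high-speed USB device number 3 using xhci_hcd
[    3.210000] usb 1-1.2: Product: 802.11 n WLAN'
DMESG_AFTER="$DMESG_BEFORE
[  812.440000] usb 1-1.1: new full-speed USB device number 4 using xhci_hcd
[  812.600000] usb 1-1.1: pl2303 converter now attached to ttyUSB0"

IWCONFIG_BEFORE='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:"homenet"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55'
IWCONFIG_AFTER="$IWCONFIG_BEFORE

wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm"

new_gps_device() { find_new_devices tty_devices     "$DMESG_BEFORE"    "$DMESG_AFTER";    }
new_wifi_iface() { find_new_devices wireless_ifaces "$IWCONFIG_BEFORE" "$IWCONFIG_AFTER"; }

echo "GPS receiver appeared as: /dev/$(new_gps_device)"
echo "WiFi adapter appeared as: $(new_wifi_iface)"
```

Interface numbering is not stable across reboots or USB ports, so rerun the comparison whenever the rig is reassembled rather than hard-coding wlan1.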

Before running airmon-ng we first need to kill the processes that will interfere with monitor mode (NetworkManager, wpa_supplicant and friends): "sudo airmon-ng check kill". Be aware this takes the Pi's own WiFi connection down too, so do it after the updates are done and you no longer need the Pi online.

We can now put the WiFi adapter into monitor mode with "sudo airmon-ng start wlan1". Once the adapter is in monitor mode a new interface named "wlan1mon" appears, which you can see by running iwconfig again.



Lets Wardrive

That is it. Now all we have to do is run Kismet with our selected WiFi adapter: "kismet -c wlan1mon". (Kismet can also take the managed interface, "-c wlan1", and create a monitor interface itself; either way works.) The Kismet log with all your wardriving wonders, a .kismet SQLite database named after the start time, is written to the directory you start Kismet from, so start it somewhere with room to grow.

If you would like to output your data to CSV, pcap, KML or WiGLE format, check out the kismetdb_to_* commands (kismetdb_to_wiglecsv, kismetdb_to_pcap, kismetdb_to_kml and kismetdb_to_json).

Unplug your monitor, strap your supplies together and hop on that board, go for a walk, or take a drive. Remember kids, don't let your dongle dangle in the dirt. Enjoy!
