[Howto] Kismet and Odroid Wifi Modules


Post by mad_ady »

The website WiGLE (http://wigle.net) has a large database of wireless access points collected via wardriving. The total number of tracked access points is around 120 million, and each entry includes SSID, geographical location, MAC address and encryption type. As you may have noticed, we are living in an interconnected world that relies on WiFi to bring all devices together. That's why you should be paying attention to your personal WiFi setup and make sure you are secure. The following series of articles will be your guide through the world of wireless security: you'll learn the techniques the bad guys are using to penetrate your network in order to better protect yourself, and best of all, everything is done using your precious Odroid! Although Kali Linux is the preferred distro for security analysis, we'll be working on HardKernel's Ubuntu 14.04 (or later).

Before we start we need to make something clear. Breaking into somebody's network without permission is a criminal offence punishable by law in most countries! All these tests have been done under laboratory conditions and with the network owner's consent. If in doubt please consult a lawyer.

Meet Kismet

The first thing every penetration tester does (after acquiring permission, of course) is to gather information about their target. In the context of WiFi networks, this means having a receiver listen to the broadcasts of all the access points around you. There are various tools that let you do this, but the best, in my opinion, is Kismet.

Kismet is a wireless network detector, sniffer, and intrusion detection system for Linux with a text-mode interface. Some of its features include 802.11 sniffing, PCAP logging, a client-server architecture and XML output for integration with other tools.

We will be using Kismet to collect a list of access points around our receiver and see if we can extract useful information from any of them. To install Kismet, simply run the following command on an Ubuntu system:

$ sudo apt-get install kismet

Select "Yes" to install Kismet with setuid root when asked, and type your username to be added to the kismet group. Before you start Kismet, you need to have a monitoring WiFi interface available. To do this, you'll obviously need a WiFi interface.

I first used the Wifi Module 3 (http://www.hardkernel.com/main/products ... 7447734369) from HardKernel for my experiments, which is based on Realtek RTL8188 chipset. It worked, but it didn't provide the best results. I also tried Wifi Module 4 (http://www.hardkernel.com/main/products ... 1630348024), with a Ralink RT5572 chipset, which adds 5GHz capabilities, but also works in 2.4GHz. The last module I tested was Wifi Module 0 (https://www.hardkernel.com/shop/wifi-module-0/) based on Ralink RT5370N, which worked surprisingly well for its size.

Note that while the wireless interface is in monitor mode (similar to Ethernet's promiscuous mode) you will not be able to use the interface for traffic, so if you don't have a wired connection to your Odroid, you'll be cutting yourself off from the network by putting the WiFi in monitor mode.

Monitor mode with aircrack-ng

Before you can start using Kismet, you need to set up a monitoring interface that is attached to your WiFi card. To do this, you will need the airmon-ng utility, which is part of the aircrack-ng package.

$ sudo apt-get install aircrack-ng

To check that your wireless driver supports monitor mode, run the following command (as in figure 1):

$ sudo airmon-ng

Figure 1. Supported hardware

Enabling monitor mode support for Wifi Module 3

If you don't see your device listed, either the hardware or the driver doesn't support monitor mode and you're out of luck. If you have the Odroid WiFi Module 3 and you still don't see it, you need to upgrade your WiFi driver. By default HardKernel's Ubuntu release loads the 8192cu driver, which is the open source variant of the driver and has less functionality (it can only connect as a client). The rtl8192cu driver instead comes from Realtek and adds support for monitor mode and hotspot (AP) mode.

Unfortunately, this is the step where you need to get your hands dirty a bit (or buy Wifi Module 0 or Wifi Module 4, which are supported out of the box). You'll be recompiling the kernel to add the rtl8192cu module from backports. You can follow any kernel compilation guide (either from the Odroid Magazine January 2016 issue, or from here: https://github.com/umiddelb/armhf/wiki/ ... ARM-device). In the kernel configuration you need to set the following options:

  • Set your custom kernel name (e.g. -8192cu): General setup -> Local version (CONFIG_LOCALVERSION)
  • Disable: Networking support -> Wireless -> cfg80211 (CONFIG_CFG80211)
  • Enable built-in: Backport Linux -> cfg80211 wireless extensions compatibility (CONFIG_BACKPORT_CFG80211_WEXT)
  • Enable as module: Backport Linux -> Wireless LAN -> Realtek rtlwifi family of devices (CONFIG_BACKPORT_RTL_CARDS)
  • Enable as module: Backport Linux -> Wireless LAN -> Realtek rtlwifi family of devices -> Realtek RTL8192CU/RTL8188CU (CONFIG_BACKPORT_RTL8192CU)
  • Enable built-in: Backport Linux -> Wireless LAN -> Realtek rtlwifi family of devices -> Debugging output for rtlwifi driver family (CONFIG_BACKPORT_RTLWIFI_DEBUG)

Note that some of the settings above may already be selected for your kernel. That's all right; they differ a bit from device to device. Once the kernel has compiled (correctly), issue the necessary commands to install it (it would be wise to make a backup of your existing kernel and modules, just in case) and reboot your Odroid.

For your convenience, here are the steps needed to compile and install a kernel for Odroid C1 (assuming that you have your build environment set up):

$ git clone --depth 1 --single-branch -b odroidc-3.10.y https://github.com/hardkernel/linux
$ cd linux
$ make odroidc_defconfig
$ make menuconfig
$ make -j 4 uImage dtbs modules
$ sudo cp arch/arm/boot/uImage arch/arm/boot/dts/*.dtb /media/boot
$ sudo make modules_install
$ sudo make firmware_install
$ kver=`make kernelrelease`
$ sudo cp .config /boot/config-${kver}
$ cd /boot
$ sudo update-initramfs -c -k ${kver}
$ sudo mkimage -A arm -O linux -T ramdisk -a 0x0 -e 0x0 -n initrd.img-${kver} -d initrd.img-${kver} uInitrd-${kver}
$ sudo cp uInitrd-${kver} /media/boot/uInitrd

Note that if you use GCC 5.x you will end up with a kernel crash when booting a C1. You will need to add this patch (https://github.com/archlinuxarm/PKGBUIL ... ress.patch), or compile with GCC 4.8. You can ask for support to compile the kernel module on this thread: http://forum.odroid.com/viewtopic.php?f=112&t=18724.

Monitor mode - hands on

Now that your network card (assumed to be wlan0) supports monitor mode, you can create a monitor interface (you won't be able to use your network card in client mode while it's in monitor mode). You can also pass a channel number or a frequency as a second argument to have the radio tune to that channel. You can get a list of available channels and frequencies by running iw phy0 info.

$ sudo airmon-ng start wlan0

Figure 2. Monitor mode enabled

You should see a message that a monitor interface was created and named mon0 (later versions of airmon-ng use a slightly different naming convention: the interface would be called wlan0mon instead). You can now use the monitor interface for interesting things like packet capture (through Wireshark or tcpdump), or use it with Kismet for wireless surveys. If you get errors while enabling monitor mode, stop the processes listed by airmon-ng and try to enable monitor mode again.

If you're feeling adventurous you might get the same results under Android as well. You may need to compile the correct driver for your Android branch kernel and set up aircrack-ng directly on Android. It didn't work for me directly, but more details here: https://github.com/kriswebdev/android_a ... /README.md

The 802.11 protocols use layer 2 datagrams to encapsulate the data that needs to be transmitted. There are three types of frames, distinguished by their purpose:
  • management - handles authentication, association, probes, deauthentication, disassociation and beacons
  • control - facilitates the exchange of data between stations; it includes Acknowledgement, Clear to Send and Request to Send frames
  • data - encapsulates the actual data that the end user transmits and receives
If you do packet captures on an idle wireless network you will likely see a lot of management traffic (beacons, association, etc.) and very little data or control traffic. Data traffic is bursty in nature for web browsing, but you can get an idea of which base stations and which clients are active based on management traffic alone. You can download here a test packet capture that has the three frame types to analyse in Wireshark.

By looking over the packet captures you will notice that control and management traffic is sent unencrypted, while for data frames only the payload is encrypted, according to the network's encryption type (WEP, WPA); the 802.11 header of a data frame is still visible in the clear.

Figure 3. Packet capture of 802.11 management traffic
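To make the three frame types and the "only the data payload is encrypted" point concrete, here is an added Python example (written for this edit; it is not code from the original post or from Kismet). It decodes the frame-control field of raw 802.11 frames, classifies each frame as management, control or data, and reads the Protected Frame bit and the header addresses. The sample frames, MAC addresses and sequence numbers are constructed inline rather than taken from a real capture, and the parser assumes the radiotap header has already been stripped, so the bytes start at the MAC header.

```python
import struct
from collections import Counter

# 802.11 frame-control decoding (added example, not from the original post).
# Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Byte 1: flags; bit 6 (0x40) is the Protected Frame bit.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response",
    (0, 8): "beacon", (0, 10): "disassociation",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 8): "QoS data",
}
PROTECTED_FLAG = 0x40
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    """Render a 6-byte address as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode the frame-control field and, where the header is long enough,
    the addresses of a raw 802.11 MAC frame (no radiotap header)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte frame-control field")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    info = {
        "version": fc0 & 0x03,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "protected": bool(fc1 & PROTECTED_FLAG),
    }
    # Address 1 follows the 2-byte duration field; ACK and CTS carry only it.
    if len(frame) >= 10:
        info["addr1"] = mac_str(frame[4:10])
    # Management and data frames carry three addresses plus a sequence-control
    # field; for management frames address 3 is the BSSID.
    if len(frame) >= 24 and ftype in (0, 2):
        info["addr2"] = mac_str(frame[10:16])
        info["addr3"] = mac_str(frame[16:22])
    return info


def summarize(frames):
    """Count frames per type, how many set the Protected bit, and BSSIDs seen."""
    by_type = Counter()
    protected = Counter()
    bssids = set()
    for raw in frames:
        info = parse_frame(raw)
        by_type[info["type"]] += 1
        if info["protected"]:
            protected[info["type"]] += 1
        if info["type"] == "management" and info.get("addr3", BROADCAST) != BROADCAST:
            bssids.add(info["addr3"])
    return {
        "by_type": dict(by_type),
        "protected_management": protected["management"],
        "protected_data": protected["data"],
        "bssids": sorted(bssids),
    }


# --- constructed sample capture (hypothetical addresses, not real traffic) ---
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6


def build_frame(fc0, fc1, addr1, addr2=None, addr3=None, seq=0):
    """Assemble a minimal MAC header: frame control, duration, addresses, seq."""
    hdr = bytes([fc0, fc1]) + struct.pack("<H", 0) + addr1
    if addr2 is not None:
        hdr += addr2
    if addr3 is not None:
        hdr += addr3 + struct.pack("<H", seq << 4)
    return hdr


SAMPLE_FRAMES = [
    build_frame(0x80, 0x00, BCAST, AP, AP, seq=1),     # beacon, cleartext
    build_frame(0x40, 0x00, BCAST, STA, BCAST, seq=2), # probe request, cleartext
    build_frame(0xC0, 0x00, STA, AP, AP, seq=3),       # deauthentication, cleartext
    build_frame(0xB4, 0x00, AP, STA),                  # RTS (control): RA + TA
    build_frame(0xD4, 0x00, STA),                      # ACK (control): RA only
    build_frame(0x08, 0x41, AP, STA, AP, seq=4),       # data, ToDS + Protected
    build_frame(0x88, 0x01, AP, STA, AP, seq=5),       # QoS data, ToDS, unprotected
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_frame(raw))
    print(summarize(SAMPLE_FRAMES))
```

Over the constructed frames the summary reports three management, two control and two data frames, with only one data frame carrying the Protected bit. Run against frames from a Kismet pcapdump (with the radiotap header removed first, for example by exporting from Wireshark), the same count tells you how much of what your own devices transmit is readable by anyone in range. Management frames stay unprotected unless both sides negotiate 802.11w (Protected Management Frames), which is why deauthentication frames in an ordinary capture show up in the clear.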

Back to Kismet

Now that you have a monitor interface, you can finally start up Kismet:

$ kismet

The first time you run it you will have to answer a few questions, such as whether the colors on your screen are visible and whether you wish to start the Kismet server automatically (you should answer yes). Once the Kismet server starts it will complain that it doesn't have a packet source defined and will ask if you want to add an interface. Reply "Yes". In the next window type "mon0" in the Intf field.

Figure 4. Add the mon0 interface in Kismet

You can now close the log window and you should be collecting access points. Kismet works by "hopping" between all channels and listening for management frames. It will compile a list of access points and clients it can hear and will keep capturing traffic while it is running. If you leave it on for a long time you will eventually pick up a lot of networks (even if you're stationary).

If you keep seeing this error in the log window: "Packet source 'mon0' failed to set channel 1: mac80211_setchannel() could not set channel 1/2412 on interface 'mon0' err -25", you may need to delete the managed network interface (the one you used to create the monitor interface):

$ sudo iw dev wlan0 del

To navigate around the Kismet interface, use ALT+K to bring up the menu. Use the arrow keys, TAB and space to navigate and select items. You might want to show more columns, which you can activate in Kismet -> Preferences -> Client columns and Kismet -> Preferences -> Network Columns. You can also use the Sort menu to change the sorting based on your preference.

The main Kismet window is divided into multiple sections (see figure 5). On top you have the network list (1). If you select a network from the list, Kismet will display below it the list of clients associated to that network (2). If you have a GPS active in your system, Kismet can display speed, altitude and location data as well (3). The next section is a text "graph" showing the ratio of packets versus data (4). And lastly, the bottom section shows log information (errors, probes, etc.) (5). Colors signify encryption type: orange is WPA-PSK, red is WEP and green is an open network.

Figure 5 - Kismet scanning

Collecting data is one thing, but making sense of it is another thing completely :). By default Kismet will generate logs in the current working directory. If you leave it on for too long, you will most likely run out of disk space (one hour of sniffing consumed about 150MB in my area). It's best if you can allocate a separate device (USB disk/network share) to write logs to, to prevent crashes due to low disk space. Also, frequent writes on SD cards are not healthy. The logs collected contain various information:

  • Kismet-yyyymmdd-hh-mm-ss-1.alert - Fingerprints for intrusion detection systems
  • Kismet-yyyymmdd-hh-mm-ss-1.gpsxml - Geographical data associated to the networks
  • Kismet-yyyymmdd-hh-mm-ss-1.nettxt - A summary in text format of all networks and clients seen. Details include SSIDs, packets sent and received and encryption types.
  • Kismet-yyyymmdd-hh-mm-ss-1.netxml - The same information as above in an easier-to-parse XML format
  • Kismet-yyyymmdd-hh-mm-ss-1.pcapdump - All captured packets in pcap format (you can open them with Wireshark)

There are various parser scripts around the Internet that can parse these logs and generate reports or convert them to different formats. For example, Kismet Log Viewer (http://klv.professionallyevil.com/download.php) will generate an HTML summary page from your data.
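To show how the netxml log can be turned into a report without a third-party viewer, here is an added Python example (written for this edit, not from the original post or the Kismet project). It parses a netxml excerpt constructed inline and flags networks that advertise no encryption or WEP, which is the first thing to check against your own access points after a survey. The element names it relies on (wireless-network, SSID, encryption, essid, BSSID, channel, packets/total) follow the classic Kismet netxml layout as assumed here; verify them against a log produced by your own Kismet version before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed Kismet-style netxml excerpt (hypothetical networks, not a real
# log). Element names are assumed from the classic Kismet netxml layout.
SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2011.03.R2" start-time="Thu Jan  1 00:00:00 2016">
  <wireless-network number="1" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">HomeNet</essid>
    </SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <packets><total>1200</total></packets>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WEP</encryption>
      <essid cloaked="false">OldRouter</essid>
    </SSID>
    <BSSID>66:77:88:99:aa:bb</BSSID>
    <channel>1</channel>
    <packets><total>300</total></packets>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>None</encryption>
      <essid cloaked="true"></essid>
    </SSID>
    <BSSID>cc:dd:ee:ff:00:11</BSSID>
    <channel>11</channel>
    <packets><total>45</total></packets>
  </wireless-network>
</detection-run>
"""


def classify(encryption_values):
    """Map the <encryption> strings of a network to WPA / WEP / open / unknown.
    Any WPA variant wins over WEP, which wins over "None"."""
    values = {v.strip() for v in encryption_values if v}
    if any(v.startswith("WPA") for v in values):
        return "WPA"
    if "WEP" in values:
        return "WEP"
    if values == {"None"}:
        return "open"
    return "unknown"


def parse_netxml(xml_text):
    """Return one dict per <wireless-network>, merging all its <SSID> blocks."""
    root = ET.fromstring(xml_text)
    networks = []
    for net in root.findall("wireless-network"):
        enc, essid, cloaked = [], "", False
        for ssid in net.findall("SSID"):
            enc.extend(e.text or "" for e in ssid.findall("encryption"))
            essid_el = ssid.find("essid")
            if essid_el is not None:
                if essid_el.get("cloaked") == "true":
                    cloaked = True
                elif not essid and essid_el.text:
                    essid = essid_el.text.strip()
        networks.append({
            "bssid": (net.findtext("BSSID") or "").strip(),
            "essid": essid or ("<cloaked>" if cloaked else ""),
            "channel": int(net.findtext("channel") or 0),
            "packets": int(net.findtext("packets/total") or 0),
            "encryption": classify(enc),
        })
    return networks


def weak_networks(networks):
    """Networks whose advertised encryption is open or WEP."""
    return [n for n in networks if n["encryption"] in ("open", "WEP")]


if __name__ == "__main__":
    nets = parse_netxml(SAMPLE_NETXML)
    for n in nets:
        print(f'{n["bssid"]}  ch{n["channel"]:>2}  {n["encryption"]:<7} {n["essid"]}')
    print("weak:", [n["bssid"] for n in weak_networks(nets)])
```

For a real log, pass the file's contents (open(path).read()) to parse_netxml. Kismet's own client colours the same three classes in its network list, but a parsed report is easier to diff between two runs, which makes a newly appeared open network on your own premises stand out.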

Although you now might have collected a lot of data, it's not everything you could have collected. This is because Kismet does channel hopping and listens on only one channel at a time. If your plan is to capture specific traffic, you have two options:
  • Tune your monitor interface to the desired channel and stop Kismet from doing channel hopping (Alt+K -> Config Channel… -> mon0 -> Lock -> Channel number)
  • If you have the resources, you could set up to three wireless adapters in monitor mode on non-overlapping channels (e.g. 1, 6 and 11) and have Kismet record data from all monitor interfaces at once

$ sudo airmon-ng start wlan0 1
$ sudo airmon-ng start wlan1 6
$ sudo airmon-ng start wlan2 11

You should now have three monitoring interfaces (mon0, mon1 and mon2). Inside Kismet use Alt+K -> Add source… to add all interfaces and also Alt+K -> Config Channel… to lock each one to its own channel.

Figure 6 - The "I know what you did last summer" setup. The Wifi Module 3 is thicker than the USB port and you require a cable for the third adapter

Kismet is a powerful tool to do passive network reconnaissance. By analysing the data you can learn a lot about your neighbours and their network usage patterns. For instance I recorded a few open or WEP access points around my location. Also I picked up mobile access points from various taxi companies that had cars in the neighbourhood. Strangely enough I'm picking up an open "WirelessNet" SSID both at work and at home that looks like a honeypot. Recorded network traffic can also potentially be decrypted at a later time when you've obtained the network key. However, Kismet's best use for defence is to snoop on your own devices in order to see what kind of data they "leak" about you. We will explore this and more in follow-up articles.
