
Finux's Kismet GPSDrive Google Earth Howto Guide
====== Kismet GPSDrive Google Earth Howto Guide ======
Technical Ability = Medium - Configuration of .conf files using a text editor, ability to run commands as a root user. Use of either package manager or compiling software from source code.
Packages to be installed:
Kismet, gpsd, GPSDrive, MySQL server and client, MySQL Python interface
I suppose that first of all I should start by talking about two separate subjects, firstly what war driving is. Well, Wikipedia says:
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA. It is similar to using a radio scanner, or to the amateur radio practice of DXing.(http://en.wikipedia.org/wiki/Wardriving)
There is a point that I would like to make clear: in the UK I know that this isn't an illegal action, however I can't say the same for you in your part of the world. In wardriving you do not connect to the networks that you discover, and ethically and morally I tend to agree. It is certainly not legal to connect to someone else's network without their permission in the UK, and I would imagine in most parts of the world it is the same. If it's not your network and you haven't been invited then you have no place on it. I don't condone it; if you do it and get into trouble then I have no sympathy for you. Sorry for the government health warning, but I wanted to make it clear that I don't want you to use this guide for breaking the law.
The idea with this guide is that we run kismet with a GPS device, and with this setup we can locate secured and unsecured wireless devices. Then you either get in your car or on your bike, or have a walk with your setup around an area; the results are stored in a database, which we will later use to plot your route and your results on Google Earth. It goes without saying that a laptop or a PDA is required for war driving, but for this tutorial we'll use a laptop. It also goes without saying that if you're driving, keep your eyes on the road and not on the laptop screen. Even if you don't have a laptop and you're not going to do a war drive, I would still heavily suggest setting up kismet. It's a fantastic tool for checking out your wireless network and making sure that the devices connected to it are known to you. Also, if you're having wireless problems it is worth running kismet to see if you're having conflicts with other wireless networks in your area.
Moving on to the main topic of this guide: Kismet. So what is kismet? Well, apart from kismet being an Indian word that means fate or luck, it is also a wireless scanning tool. Kismet describes itself as an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
Put simply, what this means is that kismet is a tool that manipulates the function of your wireless card and puts it into what is known as promiscuous mode. This is also known as raw monitoring mode or rfmon.
I suppose the next thing I should really talk about is active and passive scanning. One of the really cool things about kismet is that it is what's known as a passive scanner.
The best known active scanner is Netstumbler. Netstumbler works by broadcasting a request for any access points; this request is known as an ANY request. The access point, or AP, responds to the ANY request and by doing so the AP is mapped. Now, a countermeasure to this would be to tell your AP not to respond to ANY requests; this is known as a cloaked, or hidden, wireless network. However, kismet doesn't work like this, and it is in this that the true power of Kismet lies.
Kismet makes your card into what could be described as a listening post, one big ear that listens to everything, then it dissects the information it hears, and from there it gets its.
By doing this it is able to de-cloak hidden APs, and also detect other wireless devices, such as another wireless card.
Wireless devices send out a constant beacon when active; kismet will see this and then report that it has found a device probing for a network or an AP.
It takes the packet that is being sent out and looks inside it, where it can find a lot of information about the device that the probe came from, like what it is connected to, and the MAC address of the device. The MAC address is needed in a probe or a connection so that any device that receives the probe can respond. Try to think of this as the IMEI number that mobile phones have, an absolute address: you can change your SIM card and your carrier, but the IMEI of the handset will always stay the same, and if your mobile phone operator wanted to send an update, rather than sending it to the handset they would send it to the IMEI fingerprint of the mobile handset. As with a MAC address, this number should never be changed; it is the physical identity of that device. However, there are a fair few packages that can be used to spoof or change your MAC address.
When devices are connected to an AP they carry the ESSID, or wireless network name, in any packets they send. Even if you don't think you're sending a lot of traffic, your wireless device is always sending out a beacon to the AP; it's best to imagine that as "hello, I'm still here and you can still find me at this number, cheers".
This is why Kismet describes itself as a sniffer and a scanner: if an AP will give Kismet its SSID then it will report this, and if it doesn't then it will attempt to de-cloak the device. As an ethical hacking student I hold this tool in high regard.
Imagine that you were the system admin of a company's network, and employee Joe Bloggs gets a new laptop, or a PDA, or a telephone. Your company's protocol about introducing foreign devices on the network is pretty strict, but he still wants to use the wireless capabilities of his device. He buys a cheap wireless router and plugs it into the network, producing an AP outwith your control. Now granted this is highly unlikely, as there are steps that you could take to make sure this wouldn't happen, but also imagine that you have by mistake employed a person whose intent is to gain access to your network, and who plugs in a wireless router so he can gain access to the network when he's not on the company clock. The point of this is: imagine someone introduces a wireless hole into your network, for whatever reason.
With kismet you could run a test and see what wireless networks are open or closed in your office infrastructure. Like all defensive tools this can be used by a hacker for illicit purposes: with Kismet you could sit outside a wireless network, never connect to it, and then intercept or sniff all of the MAC addresses that are connected to that network. If the only security on the wireless network is MAC address filtering then you have bypassed that ring of security.
MAC address filtering is when the AP allows a connection to the network depending on the MAC address of the device that's requesting it. Most common home wireless routers have this facility, and a number of organisations use MAC address filtering as one link in a chain of security procedures.
There are some requirements for your wireless card to use kismet, but the reason it's more of a Linux tool than a Windows tool is to do with the way the Windows OS interacts with the hardware via drivers. If you use NDISwrapper to drive your wireless card, then you'll not be able to run kismet. Most wireless cards in laptops seem to be supported, and I can tell you from personal experience that the IPW, or Intel Pro Wireless, cards work. To check if your wireless card works, visit the kismet web site and view the documentation section, http://www.kismetwireless.net/
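To make the passive-listening and de-cloaking discussion above concrete, and the rogue-AP scenario from the office example, here is a small added example (my own code, not Kismet's): it parses the fields of 802.11 beacon and probe-response frames that a listener in rfmon mode sees, merges them per BSSID so that a probe response fills in the SSID a cloaked beacon withholds, reads the capability privacy bit (the basis of Kismet's WEP/open reporting), and finally compares what was heard against an inventory of APs you administer. The frames and the inventory are constructed inline for the example; the helper `make_sample_frame` only builds test input for the parser.

```python
import struct

# Added example (not Kismet's code): a minimal parser for 802.11 beacon and
# probe-response management frames, a per-BSSID merge that de-cloaks hidden
# SSIDs from probe responses, and a check against an inventory of known APs.
# All frames and the inventory below are constructed for this example.

MGMT_TYPE = 0
BEACON = 8
PROBE_RESP = 5
TAG_SSID, TAG_DS_PARAMS, TAG_RSN = 0, 3, 48
CAP_PRIVACY = 0x0010          # capability bit: encryption required on this BSS


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tags(data):
    """Walk the tagged parameters (id, length, value); stop at a truncated tag."""
    tags = {}
    i = 0
    while i + 2 <= len(data):
        tag_id, tag_len = data[i], data[i + 1]
        value = data[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:
            break                       # truncated frame: ignore the rest
        tags.setdefault(tag_id, value)  # first occurrence wins
        i += 2 + tag_len
    return tags


def parse_mgmt_frame(frame):
    """Return what a passive listener learns from one beacon/probe response, else None."""
    if len(frame) < 36:                 # 24-byte header + 12 bytes of fixed fields
        return None
    fc = frame[0]
    subtype = (fc >> 4) & 0xF
    if (fc >> 2) & 0x3 != MGMT_TYPE or subtype not in (BEACON, PROBE_RESP):
        return None
    bssid = frame[16:22]                # addr3 of a management frame
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    tags = parse_tags(frame[36:])
    ssid_raw = tags.get(TAG_SSID, b"")
    hidden = len(ssid_raw) == 0 or all(b == 0 for b in ssid_raw)  # cloaked AP
    ds = tags.get(TAG_DS_PARAMS)
    return {
        "kind": "beacon" if subtype == BEACON else "probe-response",
        "bssid": mac_str(bssid),
        "ssid": None if hidden else ssid_raw.decode("utf-8", "replace"),
        "hidden_ssid": hidden,
        "privacy": bool(cap & CAP_PRIVACY),  # WEP, or WPA/WPA2 when an RSN/WPA tag is present
        "rsn": TAG_RSN in tags,
        "channel": ds[0] if ds else None,
    }


def summarise(frames):
    """Merge observations per BSSID; a probe response fills in a cloaked SSID."""
    nets = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None:
            continue
        entry = nets.setdefault(info["bssid"], {"ssid": None, "cloaked": False,
                                                "privacy": info["privacy"],
                                                "rsn": info["rsn"], "channel": None})
        if info["kind"] == "beacon" and info["hidden_ssid"]:
            entry["cloaked"] = True
        elif not info["hidden_ssid"] and entry["ssid"] is None:
            entry["ssid"] = info["ssid"]
        if info["channel"] is not None:
            entry["channel"] = info["channel"]
    return nets


def unknown_aps(nets, inventory):
    """BSSIDs heard that are not in the inventory of APs you administer."""
    return sorted(b for b in nets if b not in inventory)


def make_sample_frame(subtype, bssid, ssid, privacy, channel):
    """Build a constructed management frame as parser input (test data only)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)     # ESS bit plus optional privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)           # timestamp, beacon interval, capability
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 1, 0x82]) + bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tags


OFFICE = bytes.fromhex("001122334455")   # constructed BSSIDs
CAFE = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    make_sample_frame(BEACON, OFFICE, b"OfficeNet", True, 6),
    make_sample_frame(BEACON, CAFE, b"", False, 11),            # cloaked: empty SSID
    make_sample_frame(PROBE_RESP, CAFE, b"HiddenCafe", False, 11),
]
KNOWN_APS = {"00:11:22:33:44:55"}        # constructed inventory for the office scenario

if __name__ == "__main__":
    nets = summarise(SAMPLE_FRAMES)
    for bssid, net in nets.items():
        print(bssid, net)
    print("not in inventory:", unknown_aps(nets, KNOWN_APS))
```

Run as-is it reports the office AP as known and encrypted, and the cafe AP as cloaked, open, and not in the inventory, with its SSID recovered from the probe response. The privacy bit alone says only that encryption is required; telling WEP from WPA/WPA2 needs the RSN (tag 48) or vendor WPA tag, which is why the example records whether an RSN tag was present.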
Another package that I want to touch on here is a program called GPSDrive. GPSDrive is a navigation system that uses data from a GPS device and plots it on to a map. I'm not going to go into much detail about GPS, but I'll give a quick and dirty guide to it.
GPS stands for Global Positioning System, and the technology's purpose is to pinpoint your position in the world. It uses a number of satellites to plot X and Y placements on the world, thus giving you your location.
GPSDrive works pretty much hand in hand with Kismet, and it is incredibly easy to set up kismet to use it.
For the purpose of this guide I'm going to use Ubuntu 7.10, a pretty standard laptop, Kismet version 2007.10.R1 and GPSDrive version 2.09.
The good news is that installing Kismet on Ubuntu is pretty easy and can be done simply by opening up a command line terminal and using the following command
sudo aptitude install kismet
Kismet is a very popular package indeed and I imagine that most package managers would have it in their repositories. However, the source code is also available from www.kismetwireless.net and can be compiled from source. For ease I have used the pre-compiled binary available for Ubuntu; Kismet is also available in the standard Debian repositories as well.
There is a small bit of configuration that needs to be done with Kismet, however it's pretty simple and only takes a couple of minutes. Once kismet is installed you need to edit the kismet.conf file, which in Ubuntu and Debian can be located in
/etc/kismet
Now first we need to find out what the capture source is for your wireless card. If you haven't already done so, go to www.kismetwireless.net/documentation.shtml and scroll down to section 12.
There is a package, installed by default on Ubuntu but not on Debian, called lshw, whose job is to list hardware. The good news is that it's available in the Debian repositories, so a quick aptitude install lshw will get it for Debian users; if you're using another distribution then search your package manager for it. Once you have it installed you can issue the following command in your terminal
sudo lshw -C network
This will list all your network devices and the drivers that they use. Find out what driver your wireless card is using, then match that against the documentation site to find out which your capture source is. So in my case I issued
sudo lshw -C network
From here I found that my wireless card was using the ipw3945 driver. I checked the web site www.kismetwireless.net/documentation.shtml, went to section 12 and looked for ipw3945; it was there. There were a few choices, however I went for the one that best matched my driver name. If you're unsure, Google about for a little while for support for your card on kismet and I'm sure you'll find the right config help for you.
The next step is to configure the kismet.conf file. I have used gedit to work with kismet.conf, but you can use any text editor you feel happy with. In a terminal put the following command
sudo gedit /etc/kismet/kismet.conf
and locate the part of the file that says
suiduser=your_user_here
and replace your_user_here with your username; do not put root in here. Kismet starts with super user privileges and then drops back to normal user privileges. So in my case I changed it so it read suiduser=arron.
Then we need to set the capture source. I looked for the line that reads source=none,none,addme. Now, the layout of this line is source=interface,capture source, and ignore this bit. So when I edited the file, for the interface I put eth1, but this may be different in your case; it's whatever ifconfig tells you is your wireless device. The source for me was ipw3945, and I left the addme bit, so my line reads like this
source=eth1,ipw3945,addme
Then look for the part that says "Do we have a GPS?" and the line that says gps=false. We will need to change that to true, so my line reads gps=true. Save the file and exit.
To test that Kismet is working, run it by issuing the following command
sudo kismet
Now I warn you that if you are connected to your network via wireless, you will first need to disconnect. Because your card is in raw monitoring mode it cannot be connected to a network at the same time. In Ubuntu 7.10 the network manager can sometimes manage this without having to disconnect wireless networking, however the chances are you'll need to do it. So be warned: if you're connected to your wireless network and you're doing something that needs the connection, wait until you're finished and then run kismet.
Step two is to install GPSDrive. It's a pretty popular package and is available in both the standard Ubuntu and Debian repositories; however, if you're using a different distribution to these, then check your package manager, or download the source code and compile it. The web address for GPSDrive is www.gpsdrive.de. To install GPSDrive issue the following command into your terminal
sudo aptitude install gpsdrive
Once that's done we now need to configure GPSDrive to work with your GPS device. I have used a Bluetooth GPS device. I would not suggest using one, but that's what I had available to me at the time; the reason I say I wouldn't suggest it is that it adds another layer of technology between your system and the desired outcome. I'll quickly run through how I got a Bluetooth dongle to communicate with the GPS device, but like I say, it's not what I would recommend, and if you have a device that plugs into the system directly then that is by far, in my opinion, the better option. If this doesn't work for you then Google about and find out how to make your GPS device work for you. I installed a few Bluetooth utilities that were available for Ubuntu; I couldn't tell you how to get them installed on other distributions, and I'm afraid you'll need to do your own research for this bit if you're not running Ubuntu.
sudo aptitude install bluez-pin bluez-utils
Once they were installed I then needed to edit the Bluetooth hcid.conf file by issuing the following command into a terminal
sudo gedit /etc/bluetooth/hcid.conf
// copy of text to replace
#
# HCI daemon configuration file.
#
# HCId options
options {
# Automatically initialize new devices
autoinit yes;
# Security Manager mode
# none - Security manager disabled
# auto - Use local PIN for incoming connections
# user - Always ask user for a PIN
#
security user;
# Pairing mode
# none - Pairing disabled
# multi - Allow pairing with already paired devices
# once - Pair once and deny successive attempts
pairing multi;
# PIN helper
pin_helper /usr/bin/bluepin;
# D-Bus PIN helper
#dbus_pin_helper;
}
# Default settings for HCI devices
device {
# Local device name
# %d - device id
# %h - host name
name "Laptop";
# Local device class
class 0x3e0100;
# Default packet type
#pkt_type DH1,DM1,HV1;
# Inquiry and Page scan
iscan enable; pscan enable;
# Default link mode
# none - no specific policy
# accept - always accept incoming connections
# master - become master on incoming connections,
# deny role switch on outgoing connections
lm accept;
# Default link policy
# none - no specific policy
# rswitch - allow role switch
# hold - allow hold mode
# sniff - allow sniff mode
# park - allow park mode
lp rswitch,hold,sniff,park;
# Authentication and Encryption (Security Mode 3)
#auth enable;
#encrypt enable;
}
// end of text to replace
I restarted the Bluetooth daemon by issuing the following command into a terminal
sudo /etc/init.d/bluetooth restart
When this was done I used the Bluetooth dongle to scan for other Bluetooth devices in its area by issuing the following command
hcitool scan
This listed the Bluetooth enabled devices within range. I got a result back like this: 00:11:67:80:5A:01 BT-GPS, which was the MAC address of the Bluetooth enabled GPS device.
I then took the MAC address of the GPS device, as I wanted to make a serial connection between the Bluetooth device and my system, and used a package called sdptool. I issued the following command into a terminal
sdptool browse 00:11:67:80:5A:01
In the results I got back I found that the channel I was looking for was channel 1. I then needed to make a file called rfcomm.conf in the /etc/bluetooth folder by issuing the following command. I have made a sample copy of the config file, which will also be available with the howto guide, called rfcomm.conf
sudo gedit /etc/bluetooth/rfcomm.conf
and I added the following
// beginning of rfcomm.conf file
rfcomm4 {
    # bind the device to /dev/rfcomm4 when the Bluetooth service starts
    bind yes;
    # Bluetooth address of the GPS receiver, as reported by hcitool scan
    device <GPS MAC ADDRESS>;
    # RFCOMM channel found with sdptool browse
    channel 1;
    comment "Serial Port";
}
// end of rfcomm.conf file
To start using the GPS device, issue the following command into a terminal
rfcomm connect 4
If for some reason you get an error message like this: "Can't create RFCOMM TTY: Address already in use"
then issue the following command into the terminal
sudo rfcomm release 4
and then repeat the rfcomm connect 4 command.
Once this is done you need to run gpsd, which is a daemon for GPS devices. It should have been installed by default when you installed GPSDrive, but if not, install it by issuing the following command into a terminal
sudo aptitude install gpsd
Once this package is installed you need to tell gpsd where your GPS device is and start it. So in my case it was (side note: gpsd needs to be run with root privileges)
sudo gpsd /dev/rfcomm4
Once this is done you can check that your GPS device is working by issuing the following command into the terminal
xgps
The next thing we want to do is set up a MySQL database to store the combined outputs from Kismet and GPSDrive. After you've done the war drive, we'll extract the data and plot it in Google Earth. So firstly we need to install MySQL. I've done this by installing through the Ubuntu repositories, however check your distribution's documentation on installing MySQL. I've installed MySQL client version 5 and server version 5; I don't think the exact version will make much of a difference. There is also a Python interface to MySQL package that we will need later for extracting the data.
sudo aptitude install mysql-client-5.0 mysql-server-5.0 python-mysqldb
Once this is done you will need to connect to your MySQL server and create the database that the wireless results will go into. During the install of MySQL server you should have been asked to set up a password. If you did so then you will need the -p option; if you did not, then leave this part out
mysql -u root -p < /usr/share/gpsdrive/create.sql
Then you need to load GPSDrive up and tick the box on the left hand side that says USE SQL. Now make sure that GPSDrive is using your GPS device: click on the Preferences box, select Settings 2, and just confirm that GPSDrive is looking at the correct GPS device location. In my case this would be /dev/rfcomm4, but it could be /dev/ttyUSB0. Close GPSDrive.
Now if you load Kismet up again, what you will notice is a bar with the latitude and longitude of your position just above the status part at the bottom of the screen. Well, this is the hard work done now. Load GPSDrive up again. You're ready to go out and do your war drive; like I say, if you're driving then please just put your setup on the back seat or something so you're concentrating on the road. You may just want to put your rig in a backpack and go for a walk.
Once you've done your war drive, the next thing to do is to extract the data that you have been putting into the SQL database and convert it into a format that Google Earth can understand. This can be a little tricky, I must admit, but there are a lot of scripts out there that make it easier.
So one of the first things that I would advise is installing Google Earth for Linux from this web address http://earth.google.com/download-earth.html, or you could check to see if your package manager has it in there; I do because I have the Google Ubuntu/Debian repositories set up.
Once you have installed Google Earth you can look at extracting the data from the MySQL database into a .kml file. So firstly we need to create the script
gedit gpsdrivetoGoogleEarth.py
Copy and paste the text below into this file
// begin script
import MySQLdb

# Connection details for the geoinfo database created by GPSDrive's create.sql
DB = "geoinfo"
LOGIN = "root"
PASSWORD = "<insert db password>"


def hl():
    print "=" * 80


cnx = MySQLdb.connect(db=DB, user=LOGIN, passwd=PASSWORD)
cursor = cnx.cursor()
cursor.execute("SELECT * from waypoints order by name")
results = cursor.fetchall()

hl()
print "Total APS:%s" % len(results)
hl()

# Write one KML placemark per waypoint row
f = open('ap.kml', 'w')
f.write('<?xml version="1.0" encoding="UTF-8"?>\n')
f.write('<kml xmlns="http://earth.google.com/kml/2.0">\n')
f.write('<Folder>\n')
f.write('<name>BrestWireless</name>\n')
f.write('<visibility>1</visibility>\n')

for line in results:
    # Column positions follow the waypoints table from GPSDrive's create.sql
    name = line[0]
    wep = line[1]
    lat = line[3]
    lon = line[4]
    mac = line[7]
    print "%s (%s): %s %s" % (name, mac, lat, lon)
    f.write('\n')
    f.write(' <Placemark>\n')
    f.write(' <name>%s</name>\n' % name)
    #f.write(' <description><![CDATA[ MAC:%s ]]></description>\n' % mac)
    f.write(' <description></description>\n')
    f.write(' <View>\n')
    f.write(' <longitude>%s</longitude>\n' % lon)
    f.write(' <latitude>%s</latitude>\n' % lat)
    f.write(' </View>\n')
    f.write(' <visibility>1</visibility>\n')
    f.write(' <styleUrl>root://styleMaps#default?iconId=0x307</styleUrl>\n')
    # Different icon for encrypted (WEP) and open networks
    if wep == 'WLAN-WEP':
        f.write(' <Style><icon>http://www.brest-wireless.net/gmap/node_interest.png</icon></Style>\n')
    else:
        f.write(' <Style><icon>http://www.brest-wireless.net/gmap/node_online.png</icon></Style>\n')
    f.write(' <Point><coordinates>%s,%s,45</coordinates></Point>\n' % (lon, lat))
    f.write(' </Placemark>\n')

f.write('</Folder>\n')
f.write('</kml>')
f.close()
cnx.close()
hl()
// end script
Once you have made your gpsdrivetoGoogleEarth.py file, you will need to make it executable and copy it to the location of your database.
So the first thing to do is
sudo chmod +x gpsdrivetoGoogleEarth.py
then mv it to where the database is stored. If you're unsure then run updatedb and locate geoinfo (updatedb will of course need to be run as root), but it should be stored in /var/lib/mysql/
sudo mv gpsdrivetoGoogleEarth.py /var/lib/mysql/
Once the file has been transferred, run the script
sudo python gpsdrivetoGoogleEarth.py
Once this has been done you should be left with a .kml file called ap.kml. From here you can move it somewhere more convenient; I chose just to move it to my desktop using the following command, but you might want to move it somewhere else
sudo mv ap.kml /home/arron/Desktop
Once there, load up Google Earth, open ap.kml and see where you've gone on your war drive.
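One thing worth noticing about the export script is that SSIDs are written straight into the XML: anybody can name their access point with characters like <, & or ]]>, and a single such name corrupts the whole ap.kml file (or plants elements of their choosing in it). As an added example, not the page's script, here is a Python 3 version of the same export that builds the KML with an XML library so all text is escaped on output, and that skips rows with no usable GPS fix. It takes rows as dicts with the keys name, type, lat, lon and mac (assumed names; map the columns of your waypoints table onto them in the SELECT), and the sample rows are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not the page's script: KML export for Google Earth that escapes
# attacker-controlled SSID text via ElementTree and skips rows without a fix.
# Row keys (name, type, lat, lon, mac) are assumed names; sample rows are constructed.

KML_NS = "http://www.opengis.net/kml/2.2"
ICONS = {   # the same two icons the page's script uses
    "encrypted": "http://www.brest-wireless.net/gmap/node_interest.png",
    "open": "http://www.brest-wireless.net/gmap/node_online.png",
}


def _el(parent, tag, text=None):
    """Create a namespaced child element; ElementTree escapes text on output."""
    child = ET.SubElement(parent, "{%s}%s" % (KML_NS, tag))
    if text is not None:
        child.text = str(text)
    return child


def valid_fix(lat, lon):
    """True only for numeric coordinates inside the valid lat/lon ranges."""
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return False
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def build_kml(rows, folder_name="Wardrive"):
    """Return (kml_bytes, rows_skipped) for the given waypoint rows."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element("{%s}kml" % KML_NS)
    doc = _el(kml, "Document")
    _el(doc, "name", folder_name)
    for style_id, href in ICONS.items():          # shared styles, referenced by id
        style = _el(doc, "Style")
        style.set("id", style_id)
        _el(_el(_el(style, "IconStyle"), "Icon"), "href", href)
    folder = _el(doc, "Folder")
    _el(folder, "name", folder_name)
    skipped = 0
    for row in rows:
        if not valid_fix(row.get("lat"), row.get("lon")):
            skipped += 1                           # no fix: nothing to plot
            continue
        pm = _el(folder, "Placemark")
        _el(pm, "name", row.get("name") or "(hidden)")   # escaped, never raw
        _el(pm, "description", "MAC: %s" % row.get("mac", "unknown"))
        _el(pm, "styleUrl", "#encrypted" if row.get("type") == "WLAN-WEP" else "#open")
        _el(_el(pm, "Point"), "coordinates",
            "%s,%s,0" % (float(row["lon"]), float(row["lat"])))   # KML order: lon,lat,alt
    return ET.tostring(kml, encoding="utf-8", xml_declaration=True), skipped


def placemark_names(kml_bytes):
    """Parse a KML document back and list its placemark names (round-trip check)."""
    root = ET.fromstring(kml_bytes)
    return [pm.findtext("{%s}name" % KML_NS) for pm in root.iter("{%s}Placemark" % KML_NS)]


SAMPLE_ROWS = [   # constructed rows in the shape a DictCursor over waypoints would give
    {"name": "OfficeNet", "type": "WLAN-WEP", "lat": 56.4620, "lon": -2.9707, "mac": "00:11:22:33:44:55"},
    {"name": "<evil>&co", "type": "WLAN", "lat": 56.4631, "lon": -2.9689, "mac": "66:77:88:99:aa:bb"},
    {"name": "NoFix", "type": "WLAN", "lat": None, "lon": None, "mac": "de:ad:be:ef:00:01"},
]


def write_kml(path, rows):
    """Write the KML file and return how many rows were skipped."""
    data, skipped = build_kml(rows)
    with open(path, "wb") as fh:
        fh.write(data)
    return skipped


if __name__ == "__main__":
    print("rows skipped:", write_kml("ap.kml", SAMPLE_ROWS))
```

To use it against the real database, fetch the rows with a dictionary cursor and pass them to write_kml instead of SAMPLE_ROWS; the row with the hostile SSID comes out as `&lt;evil&gt;&amp;co` inside its name element, so Google Earth shows the name as typed and the file stays well-formed.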
Now, as I have said, this is for educational purposes, and is not meant for you to go around and map where you can get free Internet access. Education is the biggest weapon we have in security: it shows people how easy it is for someone to map a whole network, and that this information could be used to steal their network bandwidth and hack their network.
Remember, you wouldn't leave the front door to your house wide open; don't leave access to your network the same.
For further reading, here are a number of URLs I came across while working on this howto guide
http://www.howtoforge.com/wardriving_garmin_kismet_gpsdrive_ubuntu
http://www.byteme.org.uk/howtos/kismet-sql-google-maps.html
http://www.wi-fiplanet.com/tutorials/article.php/3595531
http://www.i-hacked.com/content/view/99/42/
http://pykismetearth.googlepages.com/
http://www.niquille.com/kismet-earth/
http://docs.google.com/View?docid=ddbzssqk_7gt69rw
http://www.parknation.com/gmap/
Finux
You can find me, in a number of ways. You can drop me a twitter @f1nux, you can find a lot of my stuff and other members of the Abertay Linux Society stuff at http://www.thelinuxsociety.org.uk or you can find me on irc.freenode.net #linuxbasement
All work was conducted whilst Studying Ethical Hacking & Countermeasures at The University of Abertay Dundee, Dundee, Scotland, United Kingdom, DD1 1HG - http://www.abertay.ac.uk/

A correction
Hey Great article. I just had to make one change to get it to work on my Ubuntu 7.10 Dell notebook, also with the ipw3945 wireless. When editing the kismet.conf file, I had to reverse the driver and interface from what you had and also add something to the 3rd field before it would work.
So your "source=eth1,ipw3945,addme" becomes "source=ipw3945,eth1,eth1". The eth1 at the end can apparently be whatever you want to call it, but has to be something. I just stuck with the interface name.
Also, I did not have to use sudo to run gpsd, but I did have to manually start it BEFORE kismet or GpsDrive, This is very important, especially if you have been using GpsDrive without Kismet because it will automatically start gpsd for you if it is not going, but THIS WILL NOT WORK for his set up. Gpsd, HAS to be running and your GPS has to be plugged in and getting a good signal before you start gpsd. Then you can "sudo kismet" and then run GpsDrive.
Thanks again for the great info.
Thanks but I use ipw3945
Cheers dude,
I've set up kismet hundreds of times over different systems with different wifi cards and I have never needed to do that with the addme like hay, but mental note made and if it does come up then I know. But the correction about the eth1 and ipw3945 being the wrong way round was a good spot; my bad and my mistake, sorry everyone, and cheers for picking it up.
Glad you like the guide; how did you get on with your war drive?
Finux http://www.thelinuxsociety.org.uk
Nice, thanks for the heads
Nice, thanks for the heads up odinseye!
pls help me
I need help. Can anyone tell me whether kismet works with rt73 drivers? I have an Asus USB card, I configured kismet but it gives me this error
Server options: none
Client options: none
Starting server...
Waiting for server to start before starting UI...
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
FATAL: Unknown capture source type 'rt73' in source 'rt73,wlan0,wlan0'
[1] + Done(1) ${BIN}/kismet_server --silent ${server}
sorry for my bad English