Wardriving Adventures - Using Kismet to find WiFi Devices

Over the past several decades homes, offices, and schools have deployed wireless access points with little regard for the security of those devices.  The Internet of Things trend continues upward, with more and more wireless devices being brought into the home.  The convenience of wireless Internet access has taken priority over the insecurity it introduces.  The ever-growing number of wireless devices in public places has given rise to a new form of entertainment for wireless hobbyists.  This hobby is known as wardriving.  

Wardriving sounds particularly dangerous or aggressive, but the term actually comes from the 1983 hacker movie WarGames starring Matthew Broderick.  In the movie Broderick's character dials every phone number in a block, in sequence, searching for open modems (a practice that came to be called wardialing).  In a similar fashion, wardriving is the act of driving around in a car looking for every wireless access point and client that is actively broadcasting.  Wardrivers assemble hardware and software in their vehicles, navigate roads and highways, and either plot their results on the Internet or use the data in personal projects.  

Is wardriving illegal?  Scanning for wireless networks is something ordinary technology users do many times a day.  Every time you scan for networks with your laptop or your phone you are performing essentially the same function that wardriving consists of.  Passively listening for broadcasting networks is legal in most places, although the details vary by jurisdiction, so check your local law.  The line is crossed when you actively attack a network, associate to a device, or capture and decode other people's traffic without prior permission from the owner.  

So why do we need to wardrive or map the wireless frequencies being broadcast?  Overall, mapping and wardriving are meant for research and site surveys.  Graduate students and professors can use the large collection of data for open research.  Aggregation sites such as Wigle, which will be covered in more depth later in this post, use the information to educate the public about the dangers of weak wireless security.  There may be more sinister reasons for mapping out weakly secured or open wireless devices in your area, but those will not be covered here.

Do I have your interest yet?  Do you want to start wardriving as well?  The good news is that the entry cost can be very reasonable, and there is a large community of drivers willing to help.  For my particular setup I am using a larger rig than most.  I will be using my 2016 MacBook running a Kali rolling release virtual machine and the beta version of Kismet.  I will get to the setup of Kismet shortly, but first I will briefly describe the wireless cards that were used.  For the screenshot shown below I used a combination of the Alfa AWUS052NH and the Alfa AC1200.  Each of these wireless cards can scan both the 2.4GHz and 5GHz bands.  To accommodate the extra USB plugs I used a simple 4-port USB hub that did not require any extra power.  However, I am investigating larger, powered USB hubs that can be wired into the car's power for additional wireless cards; high-power USB radios can draw more current than an unpowered hub supplies, which shows up as cards resetting in the middle of a capture.  Finally, wireless captures would be of little use without a way to tie the SSIDs back to a geographical location.  For this I chose one of the devices most often mentioned in wardriving guides, the GlobalSat BU-353-S4 USB GPS receiver, which works perfectly for this application.  This is what my setup looks like running in the vehicle.  

After taking the picture shown above I moved the GPS receiver into the upper corner of my vehicle's window to help it get and keep a fix.  Your results may vary depending on where you place the wireless cards and the GPS receiver.  

Multiple cards are not required for wardriving, but to understand why I chose to run three wireless cards we first need a quick look at how wireless access points operate.  Without getting too far into the weeds: the Federal Communications Commission, more commonly known as the FCC, is an independent agency of the United States government that regulates interstate communications by radio, television, wire, satellite, and cable.  In general the FCC only allows licensed users to transmit on a given frequency, so that it can monitor and regulate transmissions.  With the popularity of home wireless devices, however, portions of the spectrum were set aside as unlicensed bands in which anyone may operate as long as they stay within the permitted frequencies and power levels.  You have more than likely heard of the frequencies involved: in the United States Wi-Fi devices operate in the 2.4GHz and 5GHz bands.  Each band is divided into a number of channels.  The screenshot below of the 2.4GHz band gives a graphical representation of how the channels overlap; the channel centres are only 5MHz apart while each channel is about 20MHz wide, which is why only channels 1, 6, and 11 can be used side by side without interfering.  

When you set up your home wireless access point you might manually select which channel to broadcast on, or you could let the device select automatically based on how busy each channel is.  Your wireless clients, such as a smartphone or laptop, then look for the access point and associate on that particular channel.  The same concept must be considered when wardriving.  A wireless card can only listen on one channel at a time, so wireless scanning tools employ a method known as channel hopping.  Channel hopping is much like it sounds: the card changes channel, either sequentially or at random, listens for a set amount of time, then moves on to the next channel.  Kismet's default is five hops per second, i.e. roughly 200ms on each channel.  In the United States there are about three dozen 20MHz channels across the two bands (11 in 2.4GHz and roughly 25 in 5GHz), and more once 40MHz and 80MHz widths are added to the hop list, so a single card is parked on any given channel only a small fraction of the time: with 36 channels and a 200ms dwell it returns to the same channel only every seven seconds or so, which at highway speed is a couple of hundred metres of road, easily enough to drive past an access point without ever hearing a beacon from it.  By adding more cards we can split the channel list between them, so every channel is revisited proportionally more often and more traffic is captured.
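To put numbers on this, here is an added example of my own (not code from the original post or from the Kismet project) that models a drive past a single beaconing access point and estimates how often a rig with one, two, or three hopping cards actually hears it. The channel list, the 60m audible radius, the 200ms dwell (Kismet's default hop rate) and the round-robin split of channels between cards (what Kismet's `split_source_hopping` setting does) are all assumptions stated in the code; signal strength, wider channels and client probe traffic are ignored, so real-world rates will be lower than the model's.

```python
"""Monte Carlo estimate of how often a channel-hopping wardriving rig hears an AP.

Added illustration, not Kismet code.  Simplifying assumptions:
  * The AP is audible while the car is within RANGE_M metres of it, so the
    listening window lasts 2 * RANGE_M / speed seconds.
  * The AP sits on one 20 MHz channel and beacons every BEACON_S seconds
    (the 802.11 default of 100 time units = 102.4 ms).
  * Each card dwells DWELL_S seconds per channel, then hops to the next
    channel in its list.  With several cards the full channel list is split
    round-robin between them, as Kismet's split_source_hopping does.
  * The AP counts as found if any beacon is sent while some card is parked
    on the AP's channel.
"""
import random

BEACON_S = 0.1024
# Assumed US 20 MHz channel list: 1-11 in 2.4 GHz plus the 5 GHz U-NII channels.
US_CHANNELS = list(range(1, 12)) + [
    36, 40, 44, 48, 52, 56, 60, 64,
    100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144,
    149, 153, 157, 161, 165,
]


def split_channels(channels, n_cards):
    """Divide the channel list round-robin across n_cards hopping cards."""
    return [channels[i::n_cards] for i in range(n_cards)]


def card_channel_at(t, hop_list, dwell_s, phase_s):
    """Channel a card is tuned to at time t, given its hop list and start offset."""
    slot = int((t + phase_s) // dwell_s)
    return hop_list[slot % len(hop_list)]


def ap_heard(ap_channel, window_s, card_lists, dwell_s, phases, beacon_phase_s):
    """True if at least one beacon in the window lands while a card is on ap_channel."""
    t = beacon_phase_s
    while t < window_s:
        for hop_list, phase in zip(card_lists, phases):
            if card_channel_at(t, hop_list, dwell_s, phase) == ap_channel:
                return True
        t += BEACON_S
    return False


def detection_rate(n_cards, channels, dwell_s, speed_mps, range_m,
                   trials=2000, seed=1):
    """Fraction of random drive-bys in which the AP is heard at least once."""
    rng = random.Random(seed)
    card_lists = split_channels(channels, n_cards)
    window_s = 2.0 * range_m / speed_mps
    hits = 0
    for _ in range(trials):
        ap_channel = rng.choice(channels)
        # Random position in the hop cycle for each card, random beacon timing.
        phases = [rng.uniform(0.0, dwell_s * len(hl)) for hl in card_lists]
        beacon_phase = rng.uniform(0.0, BEACON_S)
        if ap_heard(ap_channel, window_s, card_lists, dwell_s, phases, beacon_phase):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    DWELL_S = 0.2      # Kismet's default of 5 channels per second
    RANGE_M = 60.0     # assumed audible radius of a home AP from the road
    for speed_mps in (13.4, 24.0):   # roughly 30 mph and 55 mph
        for n in (1, 2, 3):
            rate = detection_rate(n, US_CHANNELS, DWELL_S, speed_mps, RANGE_M)
            print(f"{speed_mps:5.1f} m/s, {n} card(s): {rate:.0%} of APs heard")
```

Under these assumptions one card already hears every AP at residential speed, because the 9s listening window is longer than the 7.2s it takes to cycle through 36 channels; at 55mph the window shrinks to 5s and a single card misses roughly three in ten access points, while two or three cards, each covering a shorter list, hear all of them. Shrink `RANGE_M` or add the 40MHz and 80MHz channel variants to the list and the gap between one card and several widens further.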

Kismet is a wireless network detector, sniffer, and intrusion detection system.  It works with Wi-Fi (IEEE 802.11) cards, Bluetooth adapters for scanning discoverable BT and BTLE devices, RTL-SDR radios for detecting wireless sensors, thermometers, and switches, and a growing collection of other capture hardware.  I chose the new Kismet beta because of how easy it makes configuring new wireless devices on the go.  The screenshot below shows the beta's simple web UI.  

Kismet has a data sources menu, shown in the screenshot below, that lets you add capture sources by pointing and clicking.  Clicking Enable Source immediately starts pulling in results.

The screenshot below shows the current configuration of the wlan0 interface.  As you can see the device is running and hopping over all available channels.  What makes Kismet great is that when you add multiple sources of the same type it automatically divides the channel list between them (split source hopping) instead of having every card hop over the same channels, which ultimately gives us a much larger collection field.

The screenshot provides a heads-up display of the configuration currently running.  The icon on the far left is the GPS indicator; when a successful connection to the GPS USB device is obtained the icon turns green.  

As mentioned above, Wigle is an aggregation of location and other information about wireless networks world-wide.  Wigle accepts several different data formats for upload into its dataset, one of which is the .kismet file generated during our wireless capture.  Bear in mind that by default a .kismet log contains the raw captured packets as well as the SSIDs and coordinates, so review what you are sharing before uploading.  To conclude this post I have included the badge that Wigle provides showing each user's personal stats.

In future blog posts I hope to share more interesting results and wireless device finds.  Until then, keep on hacking!