With a persistent install on USB, first update (when online of course ;) ):
apt-get update
apt-get upgrade
My USB GPS device is a simple generic one, nothing special, and although I can't remember the cost, it was not more than around $50 to $60.
Then a quick edit to the kismet.conf file, which we can do with nano:
nano /pentest/wireless/kismet-newcore/conf/kismet.conf
Just edit it so that the GPS device entry points to /dev/ttyUSB0.
Ctrl + X (to close after amending)
Y (Yes to save)
Enter (to save as same file name)
Then start up gpsd on that device and we're good to go:
gpsd /dev/ttyUSB0
So with Kismet-Newcore and GPS set to work, it was wardriving time!
So, starting up Kismet with the GPS:
In Kismet, go to Windows --> GPS Info:
All is well, now it's just time to hop in the car and drive around a little!
When done, just exit kismet.
Now we can use GISKismet: first import the Kismet netxml data into a GISKismet database file, from which we can then create .kml files to open in either Google Maps or Google Earth.
So, in the directory where the Kismet files are:
giskismet -x kismet_netxml_file.netxml
wireless.dbl will be created; then we can make some .kml files depending on what we want to see.
giskismet -q "select * from wireless" -o output_all.kml
The .kml file will be created in that same directory with all information on all access points seen, and can then be opened with Google Earth.
If, for instance, we only want to show APs with the ESSID "linksys":
giskismet -q "select * from wireless where ESSID='linksys'" -o linksys.kml
Resulting .kml in Google Earth:
Showing only APs without any encryption:
giskismet -q "select * from wireless where Encryption='None'" -o None.kml
Showing only APs with WEP encryption:
giskismet -q "select * from wireless where Encryption='WEP'" -o WEP.kml
You can also filter at import time, so that only networks matching a given channel, ESSID, BSSID or encryption type go into the database.
For instance:
giskismet -x kismet_netxml_file.netxml --channel 1 --encryption None
then
giskismet -q "select * from wireless" -o output.kml
This will give you a .kml file directly containing only the networks on channel 1 without encryption.
Resulting .kml in Google Earth:
The number of networks you see with either no encryption or WEP is really staggering..
Still trying to figure out how best to grep out the SSIDs for entering in my essid list for cracking hidden essids.
Wrote a bit of code that the blog wouldn't even let me post, so it must be rough! Will be reverting on that..
So got some help.. thanks Gitsnik!
Still quite a mouthful, but it gets the job done; am pleased to say that what I had, although ugly, actually worked as well ;)
grep SSID kismet-nettxt-file.nettxt | egrep -v 'BSSID|SSID [0-9]' | sed 's/.*://' | sed 's/"//' | sed 's/"//' | sort -f | uniq > ssid.txt
Still not 100% perfect, but I'm sure I will be able to 'prettify' (omg) it after some further resting, testing and trials.
So after some trial and error, and not a little help from Gitsnik:
grep SSID test.nettxt | egrep -v 'BSSID|SSID [0-9]' | cut -c 18- | sed 's/"//g' | sed 's/ *$//g' | sort -fu > ssid.txt
Seems to be pretty clean so far!
To make things a little easier on stripping out the SSIDs, I made a couple of scripts which I thought I would share for the hell of it:
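As an added example (not the blog's own scripts, and not code from Kismet or GISKismet), here is the pipeline above wrapped in a small POSIX shell script. It keeps the same grep/sed/sort steps, but replaces the column-based cut with a sed that strips everything up to the first colon (so an SSID that itself contains a colon survives), drops empty results, adds the filter for escaped binary bytes that Gitsnik suggests in the comments, and additionally tallies the Encryption lines, which also come up in the comments. The .nettxt sample embedded in it is constructed to mimic the layout of Kismet's text output and is not a real capture; the exact field spacing, the octal \000 escaping of non-printable SSID bytes, and a WPA network carrying several Encryption lines are assumptions about that format, not something verified against a live Kismet build.

```shell
#!/bin/sh
# Added example, not from the original post or from Kismet/GISKismet.
# Builds an SSID inventory and an encryption tally from a Kismet-style
# .nettxt file. The sample data below is constructed (not a real capture)
# and assumes Kismet's text layout: one "SSID : "name"" line per network,
# non-printable SSID bytes escaped as octal (\000), and one
# "Encryption : value" line per cipher/auth flag.

# Write the constructed Kismet-style .nettxt sample to the path in $1.
make_sample() {
  cat > "$1" <<'EOF'
Network 1: BSSID 00:11:22:33:44:55
 Manuf      : Unknown
 BSSID      : 00:11:22:33:44:55
 SSID 1
  Type       : Beacon
  SSID       : "linksys"
  Encryption : None
 Channel    : 6
Network 2: BSSID 66:77:88:99:AA:BB
 Manuf      : Unknown
 BSSID      : 66:77:88:99:AA:BB
 SSID 1
  Type       : Beacon
  SSID       : "Linksys"
  Encryption : WEP
 Channel    : 11
Network 3: BSSID CC:DD:EE:FF:00:11
 BSSID      : CC:DD:EE:FF:00:11
 SSID 1
  Type       : Beacon
  SSID       : "\000\000\000\000\000\000"
  Encryption : WPA+PSK
  Encryption : WPA+AES-CCM
 Channel    : 1
Network 4: BSSID 22:33:44:55:66:77
 BSSID      : 22:33:44:55:66:77
 SSID 1
  Type       : Beacon
  SSID       : "Cafe: Guest   "
  Encryption : WPA+PSK
  Encryption : WPA+TKIP
 Channel    : 6
EOF
}

# Print a deduplicated, case-folded list of SSIDs from the .nettxt in $1.
#  - grep 'SSID'            : keep every line mentioning an SSID
#  - grep -E -v ...         : drop BSSID lines, the "SSID 1" headers and
#                             any SSID holding escaped binary (\000 etc.)
#  - sed 's/^[^:]*: *//'    : strip the field name up to the FIRST colon,
#                             so a colon inside the SSID is preserved
#  - sed 's/"//g; s/ *$//'  : remove quotes and trailing padding
#  - sed '/^$/d'            : drop SSIDs that ended up empty
#  - sort -fu               : case-insensitive sort, one line per SSID
extract_ssids() {
  grep 'SSID' "$1" \
    | grep -E -v 'BSSID|SSID [0-9]|\\[0-9]' \
    | sed 's/^[^:]*: *//; s/"//g; s/ *$//; /^$/d' \
    | sort -fu
}

# Count how many "Encryption : <value>" lines the file in $1 has for the
# exact value in $2 (fixed-string match, so "+" needs no escaping).
count_encryption() {
  grep -F -c -- "Encryption : $2" "$1" || true
}

# Tally every Encryption value seen, most frequent first.
tally_encryption() {
  sed -n 's/^ *Encryption *: *//p' "$1" | sort | uniq -c | sort -rn
}

main() {
  tmp=$(mktemp)
  make_sample "$tmp"
  echo "== SSIDs (deduplicated, case-folded) =="
  extract_ssids "$tmp"
  echo "== Encryption lines per value =="
  tally_encryption "$tmp"
  rm -f "$tmp"
}
main
```

Two things worth knowing when you point this at a real file: sort -fu collapses case variants such as "linksys" and "Linksys" into a single entry, which is what you want for an inventory but loses the exact spelling, and the trailing-space strip will also eat padding that is genuinely part of an SSID. Each Encryption line is counted separately, so a WPA network contributes one line per flag rather than one line per network; count BSSID lines if you want the number of networks.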
SSIDstrip_v0.1
ssidstrip_v0.1 can be downloaded here:
http://www.mediafire.com/file/4xa4m4sbdqv990x/ssidstrip
Or if you like a bit more to look at (and with some more safety built in to avoid accidental overwriting etc.):
SSIDstrip_v0.2
ssidstrip_v0.2 can be downloaded here:
http://www.mediafire.com/file/uojgs7jc6dmmfxa/ssidstrip_v0.2
Links to information on the above:
Official GISKismet Development Home
Official Kismet Homepage
sed 's/"//g'
The g is a global notation so you don't have to add the second identical sed; also you can cut down on your uniq call by adding the -u switch to sort (sort -fu > ssid.txt).
The only thing I think we were discussing is the need to remove some of the binary gunk, maybe with something similar to:
egrep -v '\\[0-9]'
You could even add it to the current egrep - add a new | character then the stuff above, like so:
egrep -v 'BSSID|SSID [0-9]|\\[0-9]'
Thanks for that Gitsnik, going to get it neat and tidy in no time ;)
Nice post and also a very nice picture of some pasta in between the slides Tape lol
Yeah ;)
I have absolutely NO idea what happened there..
bit worrying actually, but doesn't seem like anything compromised..
Hey, great post. Quick question though, are the encryption types separated into none, WEP, WPA-TKIP, WPA-Auto and WPA-AES?
Encryption : None
Encryption : WEP
Encryption : WPA+PSK
Encryption : WPA+TKIP
Encryption : WPA+PSK
Encryption : WPA+TKIP
Encryption : WPA+AES-CCM
Encryption : WPA+PSK
Encryption : WPA+AES-CCM
Those are the five variations under encryption in the Kismet files that I could find. Any help would be great!
Hey Klash,
Well it was a long time ago and haven't done any wardriving to speak of recently so don't have a file to test it on..
However I seem to recall that the only options were:
> None
> WPA
> WEP
However am not sure what parameters GISKismet uses to filter the results
so you will have to do some testing yourself on it.
If I have some time I may do some more testing as was wanting to do some
wardriving to figure out how much of a problem reaver would be in some areas.
If you have any further findings would appreciate it if you post back here as well !
Thanks - TAPE
In the end I separated them using the five encryption types I found. I had used that approach in previously but I just wanted to double check it was right, so hopefully it is! :)
It's for a small bit of research for my masters, ended up with some pretty good results too, mostly thanks to your GISKismet explanation that I remembered from 2009! Results: http://pics.klashed.net/2009-2012.png
I actually ended up publishing a conference paper on the assessment of security and vulnerabilities of home wireless networks, but there are a definite few things I would like to change now I've been doing it longer. :)
Haha, well glad the blog was able to be of help for the studies ;)
Thanks for posting back, I will have to get back on the horse and do
a drive again one of these days to make sure I don't get rusty :)