Monday 7 September 2009

Network mapping with Kismet-newcore + giskismet

I finally decided to make a persistent install of BT4 Pre-Final on a USB stick, to get Kismet running as it should without having to upgrade it again every time..
With the persistent install on USB done, update (when online of course ;) )

apt-get update
apt-get upgrade

My USB GPS device is a simple generic one, nothing special, and although I can't remember the cost
it was not more than around $50 to $60.

Then a quick edit to the kismet.conf file, which we can do with nano;

nano /pentest/wireless/kismet-newcore/conf/kismet.conf

Just edit the GPS section so that the device points correctly at ttyUSB0. In the newcore kismet.conf that is the gps=true, gpstype= and gpshost=/gpsdevice= lines; with gpsd started as below, gpstype=gpsd and gpshost=localhost:2947 is what Kismet talks to, while gpstype=serial with gpsdevice=/dev/ttyUSB0 has Kismet read the receiver itself, so pick one. Check first with dmesg | grep ttyUSB that the receiver really came up as ttyUSB0; the number changes when another USB-serial device is plugged in.

Ctrl + X (to close after amending)
Y (Yes to save)
Enter (to save as same file name)

Then start up gpsd and we're good to go.

gpsd /dev/ttyUSB0

So with Kismet-newcore and the GPS set up and working, it was wardriving time!

So starting up Kismet with the GPS;

In Kismet, go to Windows --> GPS Info

All is well, now it's just time to hop in the car and drive around a little!
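A scripted version of that sanity check, added here and not part of the original post, for use before starting Kismet: it reads NMEA from gpsd, verifies each sentence's checksum and looks at the $GPGGA fix-quality field, so you know whether 0,0 coordinates in a log mean a receiver without a lock or a broken gpsd link. It assumes gpsd is already running on /dev/ttyUSB0 as above and that gpsd's gpspipe client is installed for the --live mode; the two sentences embedded in it are constructed test data, not captures from the author's receiver, and the file name gpscheck.sh is made up.

```shell
#!/bin/sh
# Added example (not from the original post): verify, without opening Kismet,
# that gpsd is handing out checksum-valid NMEA that actually carries a fix.
# Assumptions: gpsd is running (gpsd /dev/ttyUSB0) and gpspipe is installed
# for --live; the sentences below are constructed test data.

# Constructed sample sentences (checksums computed for exactly these bytes).
SAMPLE_FIX='$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47'
SAMPLE_NOFIX='$GPGGA,123519,,,,,0,00,,,M,,M,,*6B'

nmea_checksum_ok() {
  # $1: one NMEA sentence. The checksum is the XOR of every byte between
  # '$' and '*', written as two hex digits after the '*'.
  local s body want sum n
  s=$1
  case "$s" in \$*\**) ;; *) return 1 ;; esac
  body=${s#\$}; body=${body%%\**}
  want=${s##*\*}; want=${want%%[[:space:]]*}
  sum=0
  for n in $(printf '%s' "$body" | od -A n -t u1); do
    sum=$((sum ^ n))
  done
  [ "$(printf '%02X' "$sum")" = "$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')" ]
}

gga_fix_quality() {
  # Print the fix-quality field of a $GPGGA/$GNGGA sentence
  # (0 = no fix, 1 = GPS fix, 2 = DGPS); return 1 for any other sentence.
  (
    set -f            # the trailing '*hh' must not be glob-expanded
    IFS=','
    set -- $1
    case "$1" in '$GPGGA'|'$GNGGA') ;; *) exit 1 ;; esac
    printf '%s\n' "${7:-0}"
  )
}

check_gps_fix() {
  # Read NMEA lines on stdin; succeed as soon as one checksum-valid GGA
  # sentence reports a fix. A receiver that is connected but still cold
  # emits GGA with quality 0, which shows up as lock 0 in Kismet.
  local line q
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    nmea_checksum_ok "$line" || continue
    q=$(gga_fix_quality "$line") || continue
    [ "$q" -gt 0 ] 2>/dev/null && return 0
  done
  return 1
}

gps_fix_live() {
  # Pull $1 packets from the running gpsd (default 20) and test them.
  gpspipe -r -n "${1:-20}" | check_gps_fix
}

if [ "${1:-}" = "--live" ]; then
  if gps_fix_live 20; then
    echo "gpsd is serving checksum-valid sentences with a fix; safe to start Kismet"
  else
    echo "no valid fix from gpsd yet" >&2
    exit 1
  fi
else
  # Offline demonstration on the constructed sentences above.
  printf '%s\n' "$SAMPLE_NOFIX" "$SAMPLE_FIX" | check_gps_fix && echo "demo: fix sentence accepted"
fi
```

Run it as sh gpscheck.sh --live after starting gpsd; without arguments it only runs the offline demo on the constructed sentences. A sentence with a bad checksum is dropped rather than trusted, which is also what you want from a flaky USB-serial link.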

When done, just exit kismet.

Now we can use GISKismet; first we insert all the information into a GISKismet database file, from which we can then create .kml files to load into either Google Maps or Google Earth.

So in the directory where the kismet files are;

giskismet -x kismet_netxml_file.netxml

A wireless.dbl file (an SQLite database) will be created, and from that we can make some .kml files depending on what we want to see.

giskismet -q "select * from wireless" -o output_all.kml

The .kml file will be created in that same directory, with all the information on all the access points seen, and can then be opened with Google Earth.

If, for instance, you only want to show APs with the ESSID "linksys";
giskismet -q "select * from wireless where ESSID='linksys'" -o linksys.kml

Resulting .kml in Google Earth;

Showing only APs without any encryption;
giskismet -q "select * from wireless where Encryption='None'" -o None.kml

Showing only APs with WEP encryption;
giskismet -q "select * from wireless where Encryption='WEP'" -o WEP.kml

You can also filter what goes into the database at import time, on channel, ESSID, BSSID or encryption.

For instance;
giskismet -x kismet_netxml_file.netxml --channel 1 --encryption None

then
giskismet -q "select * from wireless" -o output.kml

This gives you a .kml directly that only shows networks on channel 1 without encryption. Because the filter is applied at import, only those networks get added to wireless.dbl; to get back to the full set, import the .netxml again without filters into a clean directory.
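Since the -q argument is raw SQL, and an SSID is text chosen by whoever runs the access point, an ESSID containing a single quote (O'Reilly) breaks the per-ESSID query above or, worse, changes what it selects. The wrapper below is an added example, not GISKismet's own code and not from the original post: it quotes the ESSID safely before splicing it into the query, refuses to overwrite an existing .kml, and writes one .kml per Encryption label actually present in the database instead of guessing the labels. It assumes giskismet is on the PATH as on BT4, that the current directory holds the wireless.dbl that giskismet -x built, and that the sqlite3 command-line tool is available (wireless.dbl is an SQLite file); the script name giskismet_batch.sh used below is made up.

```shell
#!/bin/sh
# Added example, not part of the original post or of GISKismet: a wrapper
# around the giskismet -q/-o calls that (1) quotes an ESSID safely,
# (2) never clobbers an existing .kml and (3) emits one .kml per
# Encryption label stored in wireless.dbl.
# Assumptions: giskismet and sqlite3 on PATH, wireless.dbl in the current dir.
set -u

sql_quote() {
  # Turn $1 into an SQLite string literal, doubling embedded single quotes.
  # SSIDs are attacker-chosen text; a name like O'Reilly pasted in verbatim
  # would break the query or rewrite it.
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

essid_query() {
  # The post's per-ESSID query, with the ESSID quoted safely.
  printf '%s' "select * from wireless where ESSID=$(sql_quote "$1")"
}

encryption_query() {
  printf '%s' "select * from wireless where Encryption=$(sql_quote "$1")"
}

kml_from_query() {
  # $1: SQL, $2: output .kml (never overwritten).
  [ -f wireless.dbl ] || { echo "no wireless.dbl here; run giskismet -x <file>.netxml first" >&2; return 1; }
  [ -e "$2" ] && { echo "refusing to overwrite existing $2" >&2; return 1; }
  giskismet -q "$1" -o "$2"
}

kml_per_encryption() {
  # Enumerate the labels giskismet really stored (None, WEP, the WPA
  # variants ...) rather than guessing them, then one file per label.
  sqlite3 wireless.dbl 'select distinct Encryption from wireless' |
  while IFS= read -r enc; do
    [ -n "$enc" ] || continue
    out="enc_$(printf '%s' "$enc" | tr -c 'A-Za-z0-9_' '_').kml"
    kml_from_query "$(encryption_query "$enc")" "$out" || true
  done
}

case "${1:-}" in
  --essid)          kml_from_query "$(essid_query "$2")" "${3:-essid.kml}" ;;
  --per-encryption) kml_per_encryption ;;
  *) echo "usage: $0 --essid <name> [out.kml] | --per-encryption" >&2 ;;
esac
```

Typical use from the directory holding wireless.dbl: sh giskismet_batch.sh --essid "Bob's Wifi" bobs.kml, or sh giskismet_batch.sh --per-encryption to get the None/WEP/WPA files in one go. The same sqlite3 call is also the quickest way to see which Encryption strings giskismet stored for the WPA networks before writing queries against them.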

Resulting .kml in Google Earth;

The number of networks you see with either no encryption or WEP is really staggering..

Still trying to figure out how best to grep out the SSIDs for entering into my ESSID list for cracking hidden ESSIDs.
Wrote a bit of code that the blog wouldn't even let me post, so it must be rough! Will be reverting on that..

So I got some help.. thanks Gitsnik!

Still quite a mouthful, but it gets the job done; I am pleased to say that what I had, although ugly, actually worked as well ;)


grep SSID kismet-nettxt-file.nettxt | egrep -v 'BSSID|SSID [0-9]' | sed 's/.*://' | sed 's/"//' | sed 's/"//' | sort -f | uniq > ssid.txt

Still not 100% perfect, but I'm sure I will be able to 'prettify' (omg) it after some further resting, testing and trials.


So after some trial and error, and not a little help from Gitsnik;

grep SSID test.nettxt | egrep -v 'BSSID|SSID [0-9]' | cut -c 18- | sed 's/"//g' | sed 's/ *$//g' | sort -fu > ssid.txt

Seems to be pretty clean so far!
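The version below is an added example, not the original post's one-liners or its SSIDstrip scripts. It keys on the "SSID :" label instead of a fixed column (the cut -c 18- above silently truncates names if Kismet's padding changes), drops cloaked and octal-escaped binary names, and also tallies networks per Encryption label, joining the several "Encryption :" lines a WPA network carries into one label, which is the question raised in the comments further down. The sample file embedded in it is constructed in the newcore nettxt style and is an assumption about the layout, not a capture; real files may pad fields differently, which is exactly why the script matches on labels. The file name nettxt_ssids.sh in the usage line is made up.

```shell
#!/bin/sh
# Added example (not the post's SSIDstrip scripts): extract SSIDs from a
# Kismet-newcore .nettxt by matching on the "SSID :" label, and count
# networks per combined Encryption label.
# Assumption: the constructed sample below reflects the nettxt layout
# (a "Network N: BSSID ..." header, an indented "SSID N" block with an
# "SSID : \"...\"" line and one or more "Encryption :" lines).

SAMPLE_NETTXT=$(cat <<'EOF'
Network 1: BSSID 00:11:22:33:44:55
 Manuf      : Unknown
 Type       : infrastructure
 BSSID      : 00:11:22:33:44:55
 SSID 1
  Type       : Beacon
  SSID       : "linksys"
  Encryption : None
 Channel    : 6
Network 2: BSSID 00:AA:BB:CC:DD:EE
 Type       : infrastructure
 BSSID      : 00:AA:BB:CC:DD:EE
 SSID 1
  Type       : Beacon
  SSID       : "Home Net   "
  Encryption : WPA+PSK
  Encryption : WPA+TKIP
 Channel    : 1
Network 3: BSSID 00:DE:AD:BE:EF:00
 Type       : infrastructure
 BSSID      : 00:DE:AD:BE:EF:00
 SSID 1
  Type       : Beacon
  SSID       : "\000\000\000\000\000"
  Encryption : WEP
 Channel    : 11
Network 4: BSSID 00:11:22:33:44:66
 Type       : infrastructure
 BSSID      : 00:11:22:33:44:66
 SSID 1
  Type       : Beacon
  SSID       : "LINKSYS"
  Encryption : None
 Channel    : 6
EOF
)

ssid_from_nettxt() {
  # $1: path to a .nettxt, or - for stdin. Prints each distinct SSID once.
  awk '
    /^[ \t]*SSID[ \t]*:[ \t]*"/ {
      s = $0
      sub(/^[ \t]*SSID[ \t]*:[ \t]*"/, "", s)   # label and opening quote
      sub(/"[ \t]*$/, "", s)                    # closing quote and anything after it
      sub(/[ \t]+$/, "", s)                     # padding left inside the quotes
      if (s == "") next                         # cloaked / zero-length SSID
      if (s ~ /\\[0-9]/) next                   # octal-escaped binary bytes, not a usable name
      if (!(s in seen)) { seen[s] = 1; print s }   # exact, case-sensitive dedup
    }
  ' "$1"
}

encryption_summary() {
  # $1: path or -. Prints "<count><TAB><label>", joining the several
  # "Encryption :" lines of one network into a single label so that
  # WPA+PSK/WPA+TKIP and WPA+PSK/WPA+AES-CCM networks stay distinguishable.
  awk '
    function flush(   label) {
      if (bssid != "") {
        label = (enc == "") ? "(no Encryption line)" : enc
        count[label]++
      }
      bssid = ""; enc = ""
    }
    /^Network [0-9]+:/ { flush(); bssid = $NF }
    /^[ \t]*Encryption[ \t]*:/ {
      v = $0
      sub(/^[ \t]*Encryption[ \t]*:[ \t]*/, "", v)
      sub(/[ \t]+$/, "", v)
      enc = (enc == "") ? v : enc "," v
    }
    END { flush(); for (l in count) printf "%d\t%s\n", count[l], l }
  ' "$1" | sort
}

if [ $# -ge 1 ]; then
  ssid_from_nettxt "$1"
  encryption_summary "$1"
else
  # No file given: demonstrate on the constructed sample.
  printf '%s\n' "$SAMPLE_NETTXT" | ssid_from_nettxt -
  printf '%s\n' "$SAMPLE_NETTXT" | encryption_summary -
fi
```

Run it as sh nettxt_ssids.sh Kismet-xxxx.nettxt > ssid.txt (the summary goes to the same stream, so split the two calls if you want a bare list). One deliberate difference from sort -fu: the dedup is case-sensitive. SSIDs are case-sensitive, so "linksys" and "LINKSYS" are two different names, and a probe list for uncovering hidden ESSIDs needs both.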

To make stripping out the SSIDs a little easier, I made a couple of scripts which I thought
I would share for the hell of it;

SSIDstrip_v0.1

ssidstrip_v0.1 can be downloaded here;
http://www.mediafire.com/file/4xa4m4sbdqv990x/ssidstrip


Or if you like a bit more to look at (and with some more safety built in, to avoid accidental overwriting etc.);
SSIDstrip_v0.2

ssidstrip_v0.2 can be downloaded here ;
http://www.mediafire.com/file/uojgs7jc6dmmfxa/ssidstrip_v0.2

Links to information on the above;

Official GISKismet Development Home

Official Kismet Homepage

8 comments:

  1. sed 's/"//g'

    The g is a global notation so you don't have to add the second identical sed, also you can cut down on your uniq call by adding the -u switch to sort (sort -fu > ssid.txt)

    The only thing I think we were discussing is the need to remove some of the binary gunk, maybe with something similar to:

    egrep -v '\\[0-9]'

    You could even add it to the current egrep - add a new | character then the stuff above, like so:

    egrep -v 'BSSID|SSID [0-9]|\\[0-9]'

  2. Thanks for that Gitsnik, going to get it neat and tidy in no time ;)

  3. Nice post, and also a very nice picture of some pasta in between the slides, Tape lol

  4. Yeah ;)
    I have absolutely NO idea what happened there..

    Bit worrying actually, but it doesn't seem like anything was compromised..

  5. Hey, great post. Quick question though, are the encryption types separated into none, WEP, WPA-TKIP, WPA-Auto and WPA-AES?

    Encryption : None

    Encryption : WEP

    Encryption : WPA+PSK
    Encryption : WPA+TKIP

    Encryption : WPA+PSK
    Encryption : WPA+TKIP
    Encryption : WPA+AES-CCM

    Encryption : WPA+PSK
    Encryption : WPA+AES-CCM

    Those are the five variations under encryption in the Kismet files that I could find. Any help would be great!

    Replies
    1. Hey Klash,

      Well, it was a long time ago and I haven't done any wardriving to speak of recently, so I don't have a file to test it on..
      However, I seem to recall that the only options were;
      > None
      > WPA
      > WEP

      However, I am not sure what parameters GISKismet uses to filter the results,
      so you will have to do some testing yourself on it.

      If I have some time I may do some more testing as was wanting to do some
      wardriving to figure out how much of a problem reaver would be in some areas.

      If you have any further findings would appreciate it if you post back here as well !

      Thanks - TAPE

    2. In the end I separated them using the five encryption types I found. I had used that approach previously, but I just wanted to double check it was right, so hopefully it is! :)

      It's for a small bit of research for my masters, ended up with some pretty good results too, mostly thanks to your GISKismet explanation that I remembered from 2009! Results: http://pics.klashed.net/2009-2012.png

      I actually ended up publishing a conference paper on the assessment of security and vulnerabilities of home wireless networks, but there are a definite few things I would like to change now I've been doing it longer. :)

    3. Haha, well glad the blog was able to be of help for the studies ;)

      Thanks for posting back, I will have to get back on the horse and do
      a drive again one of these days to make sure I don't get rusty :)
