Inspiration & Thanks to ButtFuzz for his original work in the BT2final forum:
hxxp://forums.remote-exploit.org/showthread.php?t=7220
EDIT: I realize the title says airodump-ng, but here I'm showing kismet. See Post #2 for airodump-ng tutorial.
I've been a Remote Exploit forum member since Aug. 2007 and thought it about time to actually contribute some learnings.
Updated for the BT4b users out there...
Assumptions:
1. Laptop running BackTrack 4 beta LiveCD, with supported built-in WiFi (external WiFi USB dongles should work, and HD installs of BT4b should work as well).
2. Pharos i500 GPS USB dongle (but others should work). Do not plug it in yet.
3. Clear view of the sky.
4. You already know how to log in as root on the LiveCD (DVD) and issue the 'startx' command.
Setup:
1. Open two Konsoles on the system. I'll refer to them as Konsole #1 and Konsole #2.
2. In Konsole #1, cd to /dev and view the files there:
Code:
root@bt:~# cd /dev
root@bt:/dev# ls -altr
Notice the files, links, etc. there.
Position yourself outdoors, or at least close to a window as GPS data is required for the following steps...
Plug the USB dongle into any available port on the laptop. Perform the 'ls -altr' command again and notice that a few new entries are there. The important point here is that the system recognized the device, and that ttyUSB0 is present. Your mileage may differ here, but it recognized my Pharos i500 as ttyUSB0.
3. Start gpsd in Konsole #1. I've found this command worked quite well:
Code:
root@bt:/dev# gpsd -N -n -D 3 /dev/ttyUSB0
You will notice quite a few messages streaming to the Konsole. This is normal. It will stream more messages once kismet has started pulling the GPS data.
4. In Konsole #2, we need to initialize the WiFi device, create the directory for our saved kismet files, change the kismet.conf file, and start kismet:
Code:
root@bt:~# iwconfig eth1 mode monitor
root@bt:~# cd Desktop
root@bt:~/Desktop# mkdir captures
root@bt:~/Desktop# cd captures
root@bt:~/Desktop/captures# vi /etc/kismet/kismet.conf
5. You need to change the kismet.conf file to reflect the reality of your system. In my case, the WiFi is known as eth1, an Intel 3945-based device. Look for this line and change it appropriately:
Code:
source=iwl3945,eth1,intel
6. Save changes, exit vi.
7. We are ready to start kismet. From Konsole #2, type:
Code:
root@bt:~/Desktop/captures# kismet -g localhost:2947
Here, you are telling kismet to listen to port 2947 for its GPS feed.
Kismet should launch, and the display should reflect correct GPS data along the bottom of the status window.
Back in Konsole #1, notice the stdout streaming has increased greatly. Completely normal.
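An added helper script (not from the original post, and not part of Kismet or gpsd) that automates steps 2 through 7: it picks out the ttyUSB node the dongle creates, rewrites the source= line in kismet.conf, and launches gpsd and kismet with the same flags as above. The driver iwl3945, interface eth1 and config path /etc/kismet/kismet.conf are taken from the post; change them to match your hardware.

```shell
#!/bin/sh
# Helper for the GPS + kismet setup above. Assumed values: driver iwl3945,
# interface eth1, config /etc/kismet/kismet.conf (edit to match your box).

# Print /dev/ttyUSB* entries present in list $2 (after plugging in) but not in $1 (before).
find_new_tty() {
    printf '%s\n' "$2" | grep '^ttyUSB' | while read -r dev; do
        printf '%s\n' "$1" | grep -qx "$dev" || echo "/dev/$dev"
    done
}

# Replace (or append) the capture source line in a kismet.conf file.
# Usage: set_kismet_source <conf> <driver> <iface> <name>
set_kismet_source() {
    conf=$1; line="source=$2,$3,$4"
    if grep -q '^source=' "$conf"; then
        sed -i "s|^source=.*|$line|" "$conf"
    else
        echo "$line" >> "$conf"
    fi
}

# Show the currently configured source line, to confirm the edit took.
get_kismet_source() {
    grep '^source=' "$1"
}

main() {
    before=$(ls /dev)
    echo "Plug in the GPS dongle now, then press Enter"; read -r _
    after=$(ls /dev)
    gps=$(find_new_tty "$before" "$after" | head -n 1)
    [ -n "$gps" ] || { echo "no new ttyUSB device found" >&2; exit 1; }

    set_kismet_source /etc/kismet/kismet.conf iwl3945 eth1 intel
    mkdir -p ~/Desktop/captures && cd ~/Desktop/captures || exit 1
    iwconfig eth1 mode monitor
    gpsd -N -n -D 3 "$gps" &        # same gpsd flags as the post, backgrounded
    gpsd_pid=$!
    kismet -g localhost:2947         # Ctrl-C kismet to close the log files
    kill "$gpsd_pid"                 # stop gpsd once kismet exits
}

# Only the "run" argument starts the interactive part, so the functions can be
# sourced or tested on their own.
case "${1:-}" in run) main ;; esac
```

Run it as `sh gps_kismet.sh run` from a root Konsole, with the dongle unplugged until prompted.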
You are now ready to stumble through your WiFi environment. You are passively listening to WiFi traffic, logging everything to the ~/Desktop/captures directory.
When you are done, simply Ctrl-C kismet and the files will be closed.
Post-production filtering, analysis, Google-mapping, Maltego-ing your data is up to you, and is the subject of possible future How-To's.
Comments, Corrections, Clarifications & Amplifications welcome.
Best Regards.