The Renderlab: WRT54G Kismet Drone How-To V0.3.3


By RenderMan (render AT renderlab DOT net)



OpenWRT Firmware

Assume the following for this How-To:
Laptop/Workstation IP address: 192.168.0.30
Router IP address: 192.168.0.252
Router is a WRT54G V1.0, V1.1, V2.0, or V3.0
Hacked Firmware is OpenWRT Whiterussian RC4.

Yes, there is a Kismet-2005-08-R1 ipkg available, but this guide is meant as a manual install method should the Ipkg become outdated or not work.

Step One:

1.1 Obtain a Linksys WRT54G Router. Revision shouldn't matter; I will note any differences necessary for different revisions.

WRT54GS w/Speedboost is supposed to work as well. I don't have one so you're on your own. Let me know if it does and any changes necessary and I will add them to this guide.

1.2 Configure the router's address, DNS and gateway (so that the router can talk to the rest of the world and we can load packages later). This can be done after OpenWRT is loaded, but we might as well use the Linksys GUI here anyway to make life easier.

Step Two:

2.1 Download the OpenWRT "Whiterussian" RC4 release from the Whiterussian folder on the OpenWRT site. The Whiterussian RC4 firmware worked well for me, so you're on your own if you use a different one. Success stories are welcome though.

The file you want to use is named "openwrt-wrt54g-squashfs.bin" (if you're using a WRT54GS, obviously pick the GS firmware).

2.2 Connect to the web control panel on the router (presuming you have not removed the Linksys firmware yet or are using another with a web util). Using the Upgrade Firmware button under Administration -> Upgrade Firmware, violate your warranty by loading the "openwrt-wrt54g-squashfs.bin" file.

Note: It is very advisable to set the BOOT_WAIT parameter on your router *BEFORE* you flash. In case you turn your router into a brick, this gives you a few seconds to try and upload a fresh firmware on powerup. If not, it gets ugly. The OpenWRT User's Guide has instructions for doing this on the default Linksys firmware, or you can load a Sveasoft firmware (or any other firmware) that has the BOOT_WAIT parameter as an option on the web control panel. At any rate, make sure you turn this on, it will save you much headache!

2.2.1 It's recommended by OpenWRT and myself that you use tftp to load firmwares, just so you can be sure you can do it should your router become a brick. If you have access to a *nix system on the same network as the router, just run the following:

tftp 192.168.0.252
tftp> binary
tftp> rexmt 1
tftp> trace
Packet tracing on.
tftp> put openwrt-wrt54g-squashfs.bin

Then power cycle the router. The tftp program should upload the new firmware (provided the BOOT_WAIT parameter was set, and your timing was right on the power cycle).

2.3 Telnet to 192.168.0.252 and you *should* get a prompt and the nice little banner for the OpenWRT firmware.

Step Three

3.1 Read the OpenWRT User's Guide, specifically the section on using 'ipkg' to load extra software. There is a kismet drone ipkg, which at the time of writing is current, but it doesn't get updated very quickly so it may become outdated. You can use the ipkg, but these instructions are for a manual install should the ipkg not work for whatever reason.

Provided the router has all the settings for talking to the outside world set (from step 1.2), you should just be able to run:

ipkg update
ipkg list

If the router complains about not finding hosts, double check you set up DNS and a gateway. You may need to set a default gateway with: route add default gw <gateway IP> (the gateway you configured in step 1.2) and your name server with: echo 'nameserver XX.XX.XX.XX' >/etc/resolv.conf, where XX.XX.XX.XX is the IP of your DNS server.

3.2 From the router (provided you have enough space on it), using wget, download the kismet_drone binaries from the kismetwireless.net site to the /tmp dir:

cd /tmp
wget http://www.kismetwireless.net/code/kismet-2005-08-R1-wrt54.tar.gz

Untar/gzip the package:

tar -zxvf kismet-2005-08-R1-wrt54.tar.gz

If you are using a v1.0 or v1.1 router, edit the source line in the /tmp/kismet-2005-08-R1-wrt54/conf/kismet_drone.conf file to use 'eth2':
source=wrt54g,eth2,wrt54g

If you're using a v2.0, make sure it's 'eth1':
source=wrt54g,eth1,wrt54g

If you are using a v3.0 router, change it to:
source=wrt54g,eth1:prism0,wrt54g

Some users with Whiterussian RC3 & RC4 have reported that the above values don't work all the time. If you try the above and it doesn't work, double check your settings and try the following:
source=wrt54g,prism0,wrt54g

You may also need to change your 'allowed hosts' line in the kismet_drone.conf file to something like:

allowedhosts=127.0.0.1,192.168.0.0/24

Where you can change the 192.168.0.0 to whatever network segment you're using.

Copy /tmp/kismet-2005-08-R1-wrt54/kismet_drone into /usr/bin/kismet_drone and /tmp/kismet-2005-08-R1-wrt54/kismet_drone.conf into /etc/kismet_drone.conf. Don't worry about the kismet_server in the package, we'll cover that in another guide later.

OpenWRT uses the squashfs file system so added files and changes are retained through power cycles. This means that your drone files are not erased on reboot. You can also store scripts for running all the commands to start up the drone on the router, or just have it start up the drone on boot!
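As an added example (editor's code, not part of the original guide or the Kismet package): a small sh script that picks the source= line for the revisions listed above, patches kismet_drone.conf in place, and checks whether a given workstation address is actually covered by an allowedhosts list, in either the prefix form used in the conf or the dotted-netmask form the drone echoes back at startup. The function names and the conf path in the usage comment are assumptions.

```shell
#!/bin/sh
# Editor's example (not from the guide or Kismet): pick the source= line, patch the
# conf, and check a workstation address against allowedhosts before starting the drone.
# drone_source <revision> -> prints the source= line for that WRT54G revision (step 3.2)
drone_source() {
    case "$1" in
        v1.0|v1.1) echo "source=wrt54g,eth2,wrt54g" ;;
        v2.0)      echo "source=wrt54g,eth1,wrt54g" ;;
        v3.0)      echo "source=wrt54g,eth1:prism0,wrt54g" ;;
        fallback)  echo "source=wrt54g,prism0,wrt54g" ;;   # RC3/RC4 workaround
        *)         echo "unknown WRT54G revision: $1" >&2; return 1 ;;
    esac
}
# patch_conf <conf file> <revision> <allowedhosts value>: rewrite only those two lines
patch_conf() {
    src=$(drone_source "$2") || return 1
    sed -e "s#^source=.*#$src#" -e "s#^allowedhosts=.*#allowedhosts=$3#" "$1" \
        > "$1.new" && mv "$1.new" "$1"
}
# ip_to_int <dotted quad> -> prints the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# ip_in_net <ip> <network/prefix | network/dotted mask> -> 0 if ip lies inside.
# The drone reports the dotted form ("Allowing connections from 192.168.0.0/255.255.0.0").
ip_in_net() {
    net=${2%/*}; mask=${2#*/}
    case "$mask" in
        *.*) mask=$(ip_to_int "$mask") ;;
        *)   mask=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF )) ;;
    esac
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}
# drone_allows <ip> <allowedhosts value> -> 0 if any comma separated entry admits it
drone_allows() {
    for entry in $(printf '%s' "$2" | tr , ' '); do
        case "$entry" in
            */*) ip_in_net "$1" "$entry" && return 0 ;;   # network entry
            *)   [ "$1" = "$entry" ] && return 0 ;;       # single host entry
        esac
    done
    return 1
}
# On the router (paths from step 3.2), before copying the conf to /etc:
# patch_conf /tmp/kismet-2005-08-R1-wrt54/conf/kismet_drone.conf v2.0 127.0.0.1,192.168.0.0/24
# drone_allows 192.168.0.30 127.0.0.1,192.168.0.0/24 && echo "workstation will be accepted"
```

Running the allowedhosts check against your workstation address before you copy the conf saves a round of "why won't the server connect" later.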

Step Four:

4.1 If you run the kismet_drone binary now, it will fail in 2 ways. It cannot find the kismet_drone.conf file and it cannot find the 'wl' command (Broadcom binary driver for the wireless chipset) to enter monitor mode. The 'wl' command is easy to install with ipkg. Just type:

ipkg update
ipkg install wl

I've mirrored the driver locally just in case it goes down; if the above doesn't work try:
ipkg install http://www.renderlab.net/projects/wrt54g/wl_3.90.37-1_mipsel.ipk

keeping in mind that the ipkg wl driver will probably be newer than what I have mirrored.

The other error (the missing conf file) is also easy to deal with and is covered in Step Six, in the commands used to run the drone.

Step Five:

5.1 Setup the Kismet.conf file on your laptop/workstation to use 'source=kismet_drone,192.168.0.252:3501,drone'. You can run other sources at the same time (wi-fi cards, other drones) on separate source= lines.

The source line breaks down like this:

kismet_drone indicates this is a remote drone source, as opposed to a local card source.

192.168.0.252:3501 is the TCP/IP address and port that the drone is running on. You can change the IP address to whatever you set your router up as. You shouldn't need to change the port.

drone is just an arbitrary description that is shown in the bottom right corner of the kismet window in the sources list. You can change this to whatever you want for organizational purposes.

Step Six:

6.1 Running the drone is much like the Sveasoft section: just telnet into the router in another window or terminal and run the following commands:

wl ap 0 - Put the router in client mode (just to be sure, we don't want anyone associating while we drive by)
wl disassoc - Let's make sure it's not associated with anything that could screw up our detection
wl passive 1 - Throws the router scan engine into passive mode, prevents any transmission and slipping into murky legal areas.
wl promisc 1 - Why not put it in promisc mode too?
chmod -R 777 /usr/bin/kismet* - Make sure the drone binaries are executable
/usr/bin/./kismet_drone -f /etc/kismet_drone.conf - Run the drone, specifying where the config file is

The binaries we installed were compiled to look for the conf file in /tmp/etc/. We're just telling it at run time where to look instead (I like keeping all configs together).

You should then see something like :

Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Disabling channel splitting.
Source 0 (wrt54g): Enabling monitor mode for wrt54g source interface eth2
channel 6...
Source 0 (wrt54g): Opening wrt54g source interface eth2...
Kismet Drone 3.1.0 (Kismet)
Listening on port 3501 (protocol 8).
Allowing connections from 192.168.0.0/255.255.0.0

If not, double check your steps.

The last line is the most important to see. It means that the drone will now accept connections from servers on the 192.168.0.0/24 network, where our workstation is hopefully set.

You should then be able to fire up Kismet and, if everything lines up, you'll see 'accepted streamer connection from ' in the router telnet session, and Kismet will show a 'drone' with channel '--' in the bottom right corner as a source (this doesn't mean it's not scanning channels, it's just a limitation of the server in knowing which channel the drone is on). If it's also your only source and you detect networks, you'll know it's working.

There is a known 'limitation' with the WRT54G(S) in that it doesn't hop channels very well, or really at all; it has a habit of locking itself to a channel when it finds a network (or networks). When you get out of range it goes back to scanning all channels, which doesn't help us if we're trying to scan all channels all the time. It also does not report signal strength. It's a known kismet problem and not something with the drone (stop emailing me!).

However the 'wl' driver has a utility to scan all channels, so we do some voodoo to keep the wrt scanning:

#!/bin/sh
X=1
while [ $X -eq 1 ]
do
   sleep 1
   wl scan
done

Enter the above (with indents) into a file on the WRT54G and run it (ignore any error output complaining about eth1). This loops through the 'wl scan' function to constantly reset the router to scan all channels. You'll probably want to change the 'wl scan' line to:

wl scan > /dev/null 2>&1 &

and run the script with a '&' at the end, to send output to /dev/null and to put it into the background so you can start the kismet_drone as well from the same command line.

You may also want to issue a 'wl passive' command before you do this, or else the router will start an active scan, generating packets. Not something you usually want to do.

Scripts:

Using vi on the router I just added a script called 'rundrone.sh' in the root directory with the following:
wl ap 0
wl disassoc
wl passive 1
wl promisc 1
chmod 777 /usr/bin/kismet*
/usr/bin/./kismet_drone -f /etc/kismet_drone.conf

and made it executable. Now I just have to telnet in and run one command to start the drone.

The channel hopping script 'scanme.sh' (run as sh scanme.sh & to put it into the background):

#!/bin/sh
X=1
while [ $X -eq 1 ]
do
  sleep 1
  wl scan > /dev/null 2>&1 &
done

If you want to get really fancy, you can turn your WRT54G into a kismet_drone appliance by having the kismet_drone start up on boot as a service!

To do this, use vi to create the file /etc/init.d/S60kismet_drone on the router with the following:

#! /bin/sh
echo "Setting radio for kismet_drone"
mkdir /var/log
/sbin/ifconfig eth1 up
/usr/sbin/wl ap 0
/usr/sbin/wl disassoc
/usr/sbin/wl passive 1
/usr/sbin/wl promisc 1
/usr/sbin/wl monitor 1
echo "Running kismet_drone"
/usr/bin/./kismet_drone -f /etc/kismet_drone.conf > /dev/null 2>&1 &
sleep 3
echo "kismet_drone now running"

You can just download this file from the Renderlab site, or use wget with:

wget http://www.renderlab.net/projects/wrt54g/S60kismet_drone

Either way, just put the file in the /etc/init.d/ directory and make it executable with:

chmod 777 /etc/init.d/S60kismet_drone

The router will start the drone on startup. We also need the channel hopping script to work on startup as well. Add the following to /etc/init.d/S70wl_scan :

#!/bin/sh
X=1
while [ $X -eq 1 ]
do
  sleep 1
  wl scan > /dev/null 2>&1 &
done

You can just download this file from the Renderlab site, or use wget with:

wget http://www.renderlab.net/projects/wrt54g/S70wl_scan

Either way, just put the file in the /etc/init.d/ directory and make it executable with:

chmod 777 /etc/init.d/S70wl_scan

The router will begin channel hopping just after the drone starts.


Joshua Wright of SANS.org came up with an alternate channel hopping script that allows for a little finer control of which channels are monitored. Just place this in your /etc/init.d/S70JW_scan file instead of the above script, and tweak to your heart's content:

#!/bin/sh
while : ; do
 wl channel 1 ; sleep 1
 wl channel 6 ; sleep 1
 wl channel 11 ; sleep 1
 wl channel 2 ; sleep 1
 wl channel 7 ; sleep 1
 wl channel 3 ; sleep 1
 wl channel 8 ; sleep 1
 wl channel 4 ; sleep 1
 wl channel 9 ; sleep 1
 wl channel 5 ; sleep 1
 wl channel 10 ; sleep 1
done

You can just download this file from the Renderlab site, or use wget with:

wget http://www.renderlab.net/projects/wrt54g/S70JW_scan

Either way, just put the file in the /etc/init.d/ directory and make it executable with:

chmod 777 /etc/init.d/S70JW_scan


This Guide also available at:
The Church of Wifi
Personalwireless.org

