Wardriving with a Raspberry Pi
War driving, also known as “WiFi sniffing”, is the process of locating WiFi networks and potentially viewing their traffic. You can find more notes on wardriving here on my gitbook.
The setup in my previous post about wardriving works with no problem, but sometimes you want a smaller, more portable device that is easier to carry. In comes the Raspberry Pi!
Raspberry Pi
I’ve found that a Raspberry Pi (I use an RPi 4) running Raspbian Lite is easiest, as it’s very portable, easy to throw into a backpack, and easy to set up with a USB hub if needed. I also recommend a 64GB+ micro SD card so you have enough space; I run a 128GB card and pull my files off the Pi every so often. Besides the Raspberry Pi itself you will need a couple of other things: WiFi adapters and the Kismet software. A GPS adapter and the gpsd software are not REQUIRED, but they make it a lot more fun and let you see where you saw a specific WiFi network.
WiFi Radios
From here we need any WiFi radio we can use, including the built-in one. I have and recommend these adapters:
- Alfa AWUS036ACM <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036ACHM <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036ACH <– Capable of 2.4GHz and 5GHz (This more than likely will require driver installation)
- Panda Wireless PAU09 N600 <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036NEH
- Alfa AWUS036NH
- Panda Wireless PAU05
- TP-Link TL-WN722N
- Ralink USB WiFi RT5370
GPS
If you’re looking for GPS adapters, I also have the following; I primarily use the GlobalSat BU-353-S4.
Flashing
I am using the Raspberry Pi Imager software to flash Raspbian onto my Pi.
Choose your device, OS, and SD card.
We should edit the settings here to connect it to our WiFi so we can SSH into it right away.
Then from here, we save the settings and select yes.
It will inform us that all the current data on the micro SD card will be erased and ask if we want to continue; we say yes.
Once it’s done, you can plug the SD card into the Pi and turn it on. Give it a few minutes to do its thing. If you’re plugging your Pi into a monitor with mouse and keyboard, you’re good to continue. If not, on to a mild pain: finding the IP address of the Pi. Use whatever method you are comfortable with. USUALLY you can log into your router and find the IP addresses of devices on your network, or you can nmap/zenmap scan your network; whatever works for you.
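One way to spot the Pi without reading the router’s client list by hand is to filter your laptop’s neighbour (ARP) table by the Raspberry Pi’s registered MAC prefixes. This is an added example, not part of the original post; it assumes a Linux host with iproute2 (`ip neigh show`), and the sample table at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: pick Raspberry Pi candidates
# out of the Linux neighbour table (`ip neigh show`) by their MAC OUI.
# The sample table at the bottom is constructed for the demo.

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
PI_OUIS="b8:27:eb dc:a6:32 e4:5f:01"

# is_pi_mac MAC -> exit 0 when the first three octets are a Pi OUI.
is_pi_mac() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    prefix=${mac%:*:*:*}            # drop the last three octets
    for oui in $PI_OUIS; do
        [ "$prefix" = "$oui" ] && return 0
    done
    return 1
}

# pi_candidates_from_neigh: read `ip neigh` lines on stdin and print
# "IP MAC" for each resolved entry that carries a Pi OUI.
pi_candidates_from_neigh() {
    while read -r ip _dev _iface rest; do
        case "$rest" in
            lladdr\ *) ;;           # resolved entry: "lladdr <mac> <state>"
            *) continue ;;          # FAILED / INCOMPLETE entries have no MAC
        esac
        set -- $rest
        mac=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        if is_pi_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        fi
    done
}

# find_pi_live: the real thing, run on the laptop after the Pi has booted.
# Neighbour entries only exist after some traffic, so ping the subnet's
# broadcast address first if the table is empty.
find_pi_live() {
    ip neigh show | pi_candidates_from_neigh
}

# Constructed sample of `ip neigh show` output for the demo below.
SAMPLE_NEIGH='192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.42 dev wlan0 lladdr DC:A6:32:12:34:56 REACHABLE
192.168.1.77 dev wlan0 FAILED
192.168.1.90 dev wlan0 lladdr b8:27:eb:aa:bb:cc STALE'

demo_pi_candidates() {
    printf '%s\n' "$SAMPLE_NEIGH" | pi_candidates_from_neigh
}

demo_pi_candidates
```

Run `find_pi_live` on your own LAN; the demo prints the two Pi entries from the constructed table and ignores the router and the unresolved entry. If you left the hostname at the Imager default, `ssh [username]@raspberrypi.local` over mDNS is another way to skip the IP hunt.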
Once you have the IP, you can ssh into the Pi using ssh if you’re on macOS or Linux; on Windows you’ll use the PuTTY software. Use the username you set up in the settings of the Imager software. If you went with the default, the default username is pi and the default password is raspberry.
MacOS/Linux:
ssh [username]@[ip]
Windows:
Once you’re logged in a good idea is to update your system:
sudo apt update && sudo apt upgrade -y
Kismet
As this is an RPi running Raspbian (currently Debian Bookworm), we will follow the instructions for installing on that. Other install instructions from packages can be found here, and installing from source can be found here.
wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key --quiet | gpg --dearmor | sudo tee /usr/share/keyrings/kismet-archive-keyring.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/kismet-archive-keyring.gpg] https://www.kismetwireless.net/repos/apt/release/bookworm bookworm main' | sudo tee /etc/apt/sources.list.d/kismet.list >/dev/null
sudo apt update && sudo apt install -y kismet gpsd gpsd-clients gpsd-tools
When asked if Kismet should be installed with suid-root helpers, select yes by pressing enter.
Add your user to the kismet group with:
sudo usermod -aG kismet your-user-here
Setup
First we need to run kismet to set a default username/password. So run:
kismet
Then go to https://[IP]:2501 to get to the web interface and set the username and password.
After you’ve done that, press CTRL+C to stop Kismet for the moment.
Kismet config
By default, the Kismet config file is /etc/kismet/kismet.conf, but that gets reset every time we update Kismet, so we will put our config in a file called kismet_site.conf in the same directory, /etc/kismet/. To make this easier, we can take the kismet-wardrive mode config and copy it into our kismet_site.conf file with:
sudo cp /etc/kismet/kismet_wardrive.conf /etc/kismet/kismet_site.conf
After plugging in your WiFi radios, GPS, and Bluetooth adapters, you’ll want to point gpsd at the proper device, depending on which GPS adapter you have.
GPS:
After plugging in our GPS adapter, we can run:
dmesg
In here we look for our GPS dongle; it will usually show up as:
- GlobalSat BU-353-S4: /dev/ttyUSB0
- VK-162/VK172: /dev/ttyACM0
With the device plugged in, point gpsd at it:
gpsd /dev/ttyUSB0
OR
gpsd -b /dev/ttyACM0
To verify if it is working properly we can run:
gpsmon
OR
cgps
Now, in our kismet_site.conf, we will add gpsd as a GPS source at the top of the config. Open the file with:
sudo nano /etc/kismet/kismet_site.conf
gps=gpsd:host=localhost,port=2947
WiFi Radios:
Let’s get the radio ‘names’ with:
ip a
With only one radio plugged in, it should be wlan1, as wlan0 is the built-in WiFi. We add that source to our kismet_site.conf alongside our GPS and wardrive config:
source=wlan1
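Putting the GPS and radio steps together, here is an added example script (not from the original post or from the Kismet project) that writes kismet_site.conf from the wardrive template, adds the gps= line and one source= line per radio, and prints the matching gpsd command for whichever dongle is plugged in. It assumes the paths the post uses (/etc/kismet, /dev/ttyUSB0, /dev/ttyACM0); the real run on the Pi needs root.

```shell
#!/bin/sh
# Added example, not from the original post or the Kismet project: build
# /etc/kismet/kismet_site.conf from the wardrive template, add a gpsd GPS
# source and one source= line per WiFi radio, and report which gpsd
# command matches the GPS dongle that is plugged in.

KISMET_DIR=/etc/kismet
WARDRIVE_TEMPLATE="$KISMET_DIR/kismet_wardrive.conf"

# find_gps_device: print the first serial node a USB GPS usually shows up
# as (ttyUSB0 for the BU-353-S4, ttyACM0 for VK-162 style dongles).
find_gps_device() {
    for dev in /dev/ttyUSB0 /dev/ttyACM0; do
        if [ -c "$dev" ]; then printf '%s\n' "$dev"; return 0; fi
    done
    return 1
}

# gpsd_cmd DEV: gpsd invocation for DEV; ACM dongles get -b (read-only
# mode, so gpsd never writes configuration to the device), as in the post.
gpsd_cmd() {
    case "$1" in
        /dev/ttyACM*) printf 'gpsd -b %s\n' "$1" ;;
        *)            printf 'gpsd %s\n' "$1" ;;
    esac
}

# check_iface IFACE -> 0 when the kernel currently has that interface.
check_iface() {
    [ -d "/sys/class/net/$1" ]
}

# write_site_conf OUT TEMPLATE IFACE...: write OUT with the gps= line, one
# source= per IFACE, then the template contents. Any gps=/source= lines
# already in TEMPLATE are dropped so re-running never leaves stale sources.
write_site_conf() {
    out=$1; template=$2; shift 2
    body=''
    if [ -r "$template" ]; then
        body=$(grep -v -E '^(gps|source)=' "$template" || true)
    fi
    {
        printf '# kismet_site.conf written by the added example script\n'
        printf 'gps=gpsd:host=localhost,port=2947\n'
        for iface in "$@"; do
            check_iface "$iface" || printf 'warning: %s is not present right now\n' "$iface" >&2
            printf 'source=%s\n' "$iface"
        done
        if [ -n "$body" ]; then printf '%s\n' "$body"; fi
    } > "$out"
}

# Usage on the Pi:  sudo sh this_script.sh --apply wlan1 [wlan2 ...]
if [ "${1:-}" = "--apply" ]; then
    shift
    write_site_conf "$KISMET_DIR/kismet_site.conf" "$WARDRIVE_TEMPLATE" "$@"
    if dev=$(find_gps_device); then
        printf 'GPS found at %s; start gpsd with: %s\n' "$dev" "$(gpsd_cmd "$dev")"
    else
        echo 'no GPS dongle found on /dev/ttyUSB0 or /dev/ttyACM0; check dmesg' >&2
    fi
fi
```

The warning about a missing interface is deliberate: USB radios sometimes enumerate as a different wlanN after a reboot, so a source line that no longer matches is the first thing to check when Kismet starts with no capture source. Kismet also accepts options after the interface, for example `source=wlan1:name=alfa`, which makes the web UI easier to read with more than one radio.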
Running
From here - we can run kismet with
kismet
It should start and be on its way collecting WiFi. Now, what if we don’t want to tell it to start every time? We want it to auto-launch Kismet when it powers on.
Autostarting Kismet
The README for starting Kismet at launch can be found here on their github.
As I installed Kismet from the package, the service for systemd is already there.
By default, the Kismet systemd service runs Kismet as root; this is NOT best practices but it is the only user consistently available.
It is STRONGLY recommended that you install Kismet as suid-root via `make suidinstall`, and that you run Kismet as a non-privileged user. Kismet will then limit root access to the capture binaries which control individual interfaces.
So let’s set this up to run as our user with:
sudo systemctl edit kismet
Change the user to the ‘kismet’ user or to the user you have set up:
[Service]
User=th4ntis
Group=kismet
StartLimitBurst=0
So with this set up, let’s start the service with:
sudo service kismet start
Set the service to start on boot with:
sudo systemctl enable kismet
Verify the Kismet service is running with:
sudo service kismet status
It’s all set and ready to autostart!
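Since the README above stresses that Kismet should not run as root, a quick check that the override really drops privileges is worth keeping on the Pi. This is an added example, not from the original post or from Kismet; it assumes the drop-in path `systemctl edit kismet` creates and looks up the capture helper binaries by name on PATH. The sample drop-ins in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Kismet: verify that the
# systemd override really drops root, that the user is in the kismet group,
# and that the capture helpers are the suid-root binaries the README expects.
# DROPIN is where `systemctl edit kismet` writes its override (assumption).

DROPIN=/etc/systemd/system/kismet.service.d/override.conf

# service_user FILE: the User= value from the [Service] section of a
# drop-in, last one wins as in systemd; empty string when absent.
service_user() {
    awk -F= '
        /^\[/                 { in_service = ($0 == "[Service]") }
        in_service && NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "User") user = val
        }
        END { print user }
    ' "$1"
}

# runs_unprivileged FILE -> 0 when User= is set and is not root.
runs_unprivileged() {
    u=$(service_user "$1")
    [ -n "$u" ] && [ "$u" != "root" ]
}

# user_in_kismet_group USER -> 0 when USER belongs to the kismet group.
user_in_kismet_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx kismet
}

# helpers_are_suid -> 0 when every installed capture helper is setuid.
helpers_are_suid() {
    found=0
    for name in kismet_cap_linux_wifi kismet_cap_linux_bluetooth; do
        bin=$(command -v "$name" 2>/dev/null) || continue
        found=1
        [ -u "$bin" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# audit_kismet_service: the live check on the Pi; exit status 0 = all good.
audit_kismet_service() {
    ok=0
    if runs_unprivileged "$DROPIN"; then
        u=$(service_user "$DROPIN")
        echo "ok: override runs Kismet as $u"
        user_in_kismet_group "$u" || { echo "WARN: $u is not in the kismet group"; ok=1; }
    else
        echo "WARN: no non-root User= in $DROPIN, Kismet would run as root"; ok=1
    fi
    if helpers_are_suid; then
        echo "ok: capture helpers are suid-root"
    else
        echo "WARN: capture helpers missing or not suid; re-run the package's suid prompt"; ok=1
    fi
    return "$ok"
}

# Usage on the Pi:  sh this_script.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_kismet_service; fi
```

The group check matters because the suid helpers are group-restricted: a User= line that names an account outside the kismet group starts the service unprivileged but leaves it unable to open any radio, which looks like a broken adapter rather than a permissions problem.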
Post Capture
A kismet file and a wiglecsv file will be made. The wiglecsv file is for uploading to Wigle.net; docs can be found here. The docs also note that in wardrive mode logging is greatly reduced and only used for Access Point (AP) collection.
To copy these files off, we run this from our host machine:
scp [user]@[ip]:/home/[user]/[kismet-file] .
This needs to be the exact file name. On Windows we can also use something like WinSCP to copy the files to our machine.
If we had GPS enabled and the location info was captured, we can convert the file into a KML file to be used with Google Earth. More info here.
kismetdb_to_kml --in some-kismet-log-file.kismet --out some-kml-file.kml
We can also convert the file to pcap to be analyzed in Wireshark. Docs can be found here.
kismetdb_to_pcap --in some-kismet-log.kismet --out some-pcap-log.pcapng
Conclusion
Ta-da! You’re even more portable with your wardriving! Just get a powerful enough powerbank to run it on the go, plug it in, put it all in a backpack and you’re off! Enjoy Wardriving and Capturing All The WiFi.