Domain: kismetwireless.net
Stories and comments across the archive that link to kismetwireless.net.
Comments · 72
-
This was revealed many places a while back
This was revealed many places a while back. Dragorn of Kismet covered it back in 2010:
http://blog.kismetwireless.net/2010/08/google-wifi-android-and-too-much-data.html
-
Re:Yeah, but $54 for a USB Wifi?
I am curious, does this mean better Kismet support? Can we now do wardriving without $300 adapters or do spectrum analysis to pick the best frequency to run our wireless on to not interfere with the neighbors?
-
Re:Bullshit premise is bullshit.
Google grabbed _intentionally_. Someone thought it was a good idea to do this and wrote the code to achieve it.
I had heard they used Kismet. I know for a fact that it logs unencrypted packets by default: "By default Kismet will log the pcap file, gps log, alerts, and network log in XML and plaintext." (section 10).
Next, Google did not cooperate. That's part of what the fine is for. They were supposed to delete everything and didn't.
Is this true? It seems odd that they'd do that, given that they're the ones who decided to mention anything in the first place and said they'd delete it from the start. Guess they learned their lesson about talking.
-
Re:Marius Milner's Software Downloads
NetStumbler for Windows and MiniStumbler for Windows CE downloads are at:
NetStumbler.com
I've been told that the software that actually did the sniffing wasn't NetStumbler, but rather it was Kismet. I don't know the original source of who knows this firsthand though, so I can't verify this. However if this is true it's interesting, because it would mean A) Google was likely using a non-Windows system to do the wireless packet sniffing, B) the author of NetStumbler was using another sniffing utility to do the work rather than his own tool, which would be an interesting irony.
-
Re:So many accidents...
This is the code. Google didn't write it, from what I understand, they just used it in the default configuration.
-
Tools for OS X and Linux
-
Re:Better not use WEP either.
And considering the tools are easily found by any member of Slashdot http://www.kismetwireless.net/
-
Re:Google is full of it
The difference here is that they actually intercepted data by mistake. If you use Kismet (probably the best wireless sniffing tool for Linux), you can set it to not save data packets, only beacon packets (which really have all the data that Google needs), but by default, it saves everything, including any data packets it sees (encrypted or unencrypted).
Which packets you want depends on what you're doing. If you're trying to break WEP, you only care about encrypted data packets; if you're just doing innocent wardriving, you only want the beacons.
-
Re:Are these available in the states?
There are several tools you can use to get the SSID from a "Non broadcasting" device.
Linux:
http://www.kismetwireless.net/,
Airjack,
Many others...
Windows:
AirMagnet
AirSnort
I just listed the most common for the particular OS. I do know they can be compiled onto other systems.
If you take a minute to step away from your knee jerk reaction to correcting people and think about it, you would realize* that at some point it has to broadcast the SSID or no one could ever maintain a connection.
http://tech.blorge.com/Structure:%20/2008/04/21/wi-fi-mythbuster-do-not-hide-your-ssid/
So it is trivial to get an SSID from one that is hidden.
* Against all evidence. I'm assuming you're not actually an idiot
-
Re:Doesn't netstumbler already do this?
or for linux, kismet
-
Holy hyperbole, Batman!
Not only that, but ethernet data traffic can be read by someone else on the network, and wi-fi traffic can be monitored by someone even without wires.
In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.
-
It's a security tool, dummy
Thanks Michael for your support of free speech. I'm really pleased to hear you think it's "fine".
Why don't people seem to get that making these programs obscure does not make you safer? I for one want to monitor my wireless network to see if it is vulnerable to such "cracking" (goddammit, "cracking" is removing copy protection and has been for two decades!!) tools.
They tried to shut down nmap in the same way (it first appeared in Phrack, btw), but I think most people will agree it's an absolutely essential tool for securing your network and checking for open ports, etc.
Making these types of programs illegal (isn't this just a macafied kismet?) is absolutely crazy and will result in more, not fewer security breaches.
-
Re:mono?
There is already a separate Linux app that has most of the functionality of the Windows app. I suggest using that version (available from http://www.kismetwireless.net/wispy.shtml) instead of trying to get the Windows app running under Mono. The reason for this is that the USB library used by the Windows app probably will not work under Mono.
-
Wi-Spy not a spectrum analyser
My wireless card software can already show me the signal-to-noise levels on all the channels so I fail to see what else that thing can do in addition. And if you insist on seeing a quite useless image of the 'spectrum' then there is free software for that out there already such as Kismet.
The comparison on their website is just silly. You can rent a basic spectrum analyser for a couple of hundred dollars for the day, plug in a directional antenna to your test port and pinpoint your problem, as well as use the tracking generator and a reflection bridge to test all your wireless equipment, transceivers, cables, antennas, adapters/connectors etc. for attenuation, SWR, passband etc. Having installed a load of wireless stuff just as a hobby I find that thing quite useless.
-
Re:Timing is everything...
-
Re:Timing is everything...
does it run with Linux?
Yes.
-
Network sonification
I was recently involved in a similar installation at the Slade Centre for Electronic Media in London. The technical side was pretty simple: kismet to intercept packets, tcpdump to parse the output and a bit of Perl to trigger FluidSynth sounds based on the source, destination and packet type. We also detected Bluetooth devices using a USB dongle and GSM activity using a wideband AM receiver designed for paranoid hippies.
The hardest part was choosing the right sounds to represent each type of packet. It's interesting that the Ball State artists chose bells, because we also used deep tubular bells for WiFi beacons and high glockenspiel notes for data packets - you can hear what it sounded like here (20MB mp3).
-
Re:ndiswrapper
This is likely why no one is reverse-engineering them anymore, no point.
Unless you want to do some snooping or personal intrusion detection with kismet.
Last I knew linuxant and ndiswrapper didn't support the hooks that were needed by kismet. I was a happy Linuxant customer before needing this functionality.
Now I'm a happy customer of both madwifi on my laptop and prism54 on my desktop.
-
Re:My current rants
This should help you out:
1. File associations
Edit your /etc/mailcap or /etc/mime.types file!
2. Multimedia
Xine is easy to compile and install: to get the extra codec support you need to install the mplayer libraries, instructions are here. Regarding audio I'm not sure what your problem is, I can play more than 1 movie in xine at a time receiving sound from all of them - getting a noise from IM shouldn't be a problem.
3. Corporate groupware
You could use Open Exchange as the server and Evolution 2 as the mail client - haven't tried them myself but have heard good things.
4. Firefox
I haven't come across any major sites that only allow IE recently (excluding MS itself of course). I'm not going to get in to the discussion of web standards and FF vs IE here - that's been covered thousands of times before.
5. Wifi
Kismet will scan for AP's (and even try and get the wep codes if you're that way inclined). Unfortunately you will need to use ifconfig yourself to connect to the ap though. Also drivers for wireless are really easy in linux thanks to ndiswrapper.
6. Fonts (minor)
If you miss the windows Arial font why not install it in Linux??
Haydn.
-
Re:None of which will matter
Fortunately, MAC filtering and turning off the SSID makes it LESS likely that someone is going to set up outside their house and use their connection
It doesn't make it less likely that someone will go out of their way to use it, because those people have things like Kismet on hand. It only prevents the people who have naïve Windows XP boxen from accidentally connecting.
-
Then you aren't too technically inclined?
Why not? I'm a technically inclined 20 something who would have used this, had I known about it.
Why would the Government need to advertise this if you are so technically inclined? Sounds like to me you would just open your notebook and see an AP that you were able to connect. Didn't you notice it pop up in yellow or red in Kismet? Come on! You're a technically inclined 20 something! You don't need the man to tell you about a free Wifi AP!
-
Netstumbler?
How long until Netstumbler? A really long time, since it is closed source and a Windows application.
Kismet? Definitely! I would love to see that. Kismet on a DS would rock.
-
Incorrect link
Kismet is at www.kismetwireless.net not .org as the poster linked to.
-
Kismet
Kismet can be found at http://www.kismetwireless.net/ not at kismetwireless.ORG as the article says.
-
Kismet and Wardriving
Kismet is an excellent wardriving tool for Linux, which will even run on your PDA.
For those of us interested in maps of what wardrivers have found in your neighborhood, check out WiFiMaps.com.
-
Uhm dude... that's not a sniffer...
A quick rtfa tells me that this isn't a sniffer at all, it's just a perl script that parses the plain-text output from someone else's sniffer. Sorry, no donut. NEXT!
What's up with tcpdump and friends, snort, kismet, bsd-airtools and ethereal anyway?
-
Re:Simple hardware solution
-
Re:time
Ever go sniffing in places that are... well, less than suitable to carry around a laptop (or conceal one while sniffing)?
Oh yes. I just keep the laptop running while inside its nice leather carrying case. I use Kismet and it will tell me the SSID, MAC address, and GPS coordinates so I can find it again later.
-
No mention of public wardriving websites?
No mention of WiFiMaps.com for drawing Wardriving data onto a map? I would figure that even mentioning Netstumbler, Kismet, and talking about maps and stuff would give at least a mention -- sheesh! Guess I'll have to wait for O'Reilly's Mapping Hacks book to come out.
-
doh - almost forgot.
Doh - I forgot to mention: Apple doesn't talk it up much, but a few standard PCMCIA wireless cards work just dandy with OS X. The makers of Kismac, a wireless stumbler for Mac OS (Kismac? Kismet? Get it?), maintain a list of 3rd party cards which work with their software.
-
It's the KEYBRD and LINUX that mks it so flexible!
[ tons of tips and ideas what's possible with a Z follow ]
The 5500 and others are more like little Linux laptops than PDAs. While I am far from a typical PDA user, the absolutely INCREDIBLE stuff I can do with just a 5500 and a wireless card continues to astound me today. To be fair, I never bought a Zaurus with the intention of ever doing typical PDA like stuff, but just wanted an easy familiar environment to hack in.
Years ago I had a USR P1000 (The Palm 1000, before Palm bought it from US Robotics), and while it was a great PDA (for the day), it was underpowered for what I wanted and most importantly LACKED A KEYBOARD, which makes all the difference in the world. One day I worked an ENTIRE day with only my P1000, a ssh client and a (9600 baud) serial link to my cell phone to see just how doable it was. As a unix admin doing security work the P1000 did have SOME uses (serial console to Sun boxes, ssh client for accessing mail via Mutt, etc) but the end result was a less than productive day overall. Trying to edit files on unix boxes with vi using Graffiti was quite painful and I vowed I'd never buy another PDA until it had at least a minimal keyboard to work with.
Fast forward to my (now several years old) 5500. Shortly after getting it I wiped the original Sharp rom and replaced it with the actively developed OpenZaurus distribution, and was very happy with the results.
I have a very portable linux box with wireless, nearly all the software I was using on Solaris and Linux, as well as the pretty Qtopia apps and a half-way decent environment. I've been able to get nice tools like nmap, p0f (Passive OS Fingerprinter), Kismet, and other excellent unix based tools working with minimal effort on the Z under OpenZaurus (and to a lesser extent the Sharp ROM). Under OZ I can compile and run MANY common exploit tools like the awesome Metasploit framework, which require perl, and to a lesser extent Python. Both are no big deal to get going on the Z, especially since the Z is binary compatible with the IPAQ based Familiar distribution, and usually just needs the odd library to get an app working. That's all fine for text based apps, but since OZ (using Opie, at least) is QT and not X based, a variety of GUI based apps don't easily run. There ARE solutions to getting X based apps to run with minimal fuss, including the original x11zaurus package, and more recently the excellent X/QT package, as well as simply running one of the versions of the vncserver for Zaurus which of course allows you to display X not only on your Z, but also on any other VNC compatible device (such as your cell phone, Linux, Windows, etc).
More recently the GPE environment and project has become available, and offers an attractive alternative to Opie, but with X11 compatibility built in.
For me, I joined the Debian religion ~5-6 years ago after experimenting to see what all the fuss on /. was all about. It didn't take long before I was the typical Debian crack addict apt-getting any application I wanted to check out on a whim. After living in Ottawa for years I was very well aware of the Corel (and later Rebel.com (who themselves were called Hardware Canada previously, and were a unix reseller) Netwinder, which was a cool little ARM based PC, which unfortunately suffered under the idiocy of Corel's managem
-
Re:Disable your WiFI SSID Broadcast...
OK. Time for Wireless security 101.
Just because you aren't broadcasting your SSID doesn't make you less vulnerable by any means, at least to the windows newbie who relies on netstumbler.
I'll try to explain this in non-technical terms. Netstumbler simply tells your wireless card to send out broadcast SSID's, basically saying to everyone, "hello? if anybody can hear me - i'm looking for access points to talk to". If you have SSID broadcasting enabled on your access point, it will respond and say, "hello, i'm an access point with the SSID of linksys". If you have SSID broadcasting disabled, the access point will ignore the request.
There is a diagnostic mode that is part of the 802.11 specification that allows your wireless card to virtually become a scanner (like a police scanner). Thanks to proprietary drivers, you won't be able to get this to work on Windows, (although there is some pretty cool commercial software that includes drivers that will do this, but you will pay a lot for it).
However, under Linux, there's a vast number of cards supported that allow you to put your wireless card into monitor mode.
OK, so what can you do with monitor mode?
If you aren't broadcasting your SSID, this means that in order for a wireless client to connect, they have to know your SSID.
In this scenario, your wireless card will say "hey, cloaked access point linksys, if you're there, i want to talk to you". Then, your SSID-cloaked access point will respond and set up a connection.
If you are running in monitor mode on your wireless card, you can observe this conversation between the wireless client and access point taking place, thus exposing the cloaked SSID. Once you know the SSID, you can connect. Keep in mind that wireless connections can and will drop, and it can take as little as a few seconds of observation to decloak the SSID.
Kismet is excellent software that takes advantage of this (on operating systems such as Linux that have drivers that can tell the wireless card to go into monitor mode). This is one of the many things that makes Kismet far superior to Netstumbler. Monitor mode is also how WEP is possible to crack, by observing the physical layer traffic flowing over the network.
Guess what -- your friendly university network admin probably will use kismet or a similar tool in monitor mode to survey wireless networks.
-
unwelcome visitors
-
GNER trains in the UK
The Great North Eastern Railway that runs high speed trains between London and Edinburgh has WiFi on its trains for first and second class passengers. It uses a combination of GSM mobile relays and a satellite uplink to provide internet connectivity for passengers.
I ran kismet on a recent train journey and spotted the obvious APs called "train" on channels 1 and 6. A few passengers had left their Centrinos in ad hoc mode and I also picked up quite a few APs as the train slowed for stations.
The interesting reason for this post is that they have handheld machines with WiFi to sell tickets and to take payment at the till at the bar... for credit card authorisation.... arg.
I travel regularly on the train and the internet access doesn't always work. The train staff don't have a clue about the technology or how to make it work. The APs are poorly configured and I guess are hard to manage because they are always on the move!
rd
-
Re:Just how do you setup WEP anyway?
WEP is completely insecure, and can be broken really easily, it's really not worth it. I think making sure you are not broadcasting your ID, and setting up MAC address filtering, is the way to go.
You're right that WEP is insecure, but relying on your alternative recommendations is even worse. Kismet on Linux can sniff out cloaked SSIDs and MAC addresses of any devices on the network as long as the wireless network in question is actively transmitting packets at the same time that Kismet is being used. I have personally verified this functionality firsthand while running Kismet against my own wireless network.
Why does this work? Because the SSID and the MAC address of the destination device are included in plaintext in every wireless data packet (with or without WEP). SSID cloaking doesn't hide SSIDs within the data packets, it only prevents the router from broadcasting the stream of non-data packets announcing its SSID that it would otherwise broadcast. Therefore SSID cloaking is really only effective if you are not transmitting any data, or if your attacker is using an inferior sniffing platform that doesn't have raw access to the SSID in the data packets.
MAC address filtering is ineffective for the same reason -- every data packet is required by the specification to include the destination MAC address, so as long as you are transmitting data, your MAC addresses (all of them, not just the AP's MAC address) are exposed. Once an attacker gets your MAC addresses it is a simple matter to spoof them.
Your recommendation to use higher level layers of security is a very good one, because there is simply no way at the present time to secure wireless networks even to a level that is comparable to what we normally expect out of a wired network.
-
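The mechanics argued in the two comments above (a client giving away a cloaked SSID in its probe and association exchange, and addresses being readable in every frame whether or not WEP is on), together with the earlier point about logging only beacons rather than data packets, written out as a small 802.11 header parser run over a constructed capture. This is an added example in Python, not Kismet's code; the three MAC addresses, the name "linksys" and the frames themselves are made up for the illustration. What the parser shows is that the Protected Frame bit only covers the frame body, so Addr1 to Addr3 are readable in every data frame, while the SSID itself travels in the probe response and association request, which is where a passive listener picks up a name the beacon leaves out.

```python
"""Added example (Python, not Kismet's code): parse raw 802.11 headers from a constructed
capture to show what a passive monitor-mode listener reads in the clear."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Management subtypes carrying an SSID element -> size of the fixed fields before the IEs
SSID_FRAMES = {0: 4,    # association request: capability(2) + listen interval(2)
               4: 0,    # probe request: IEs only
               5: 12,   # probe response: timestamp(8) + interval(2) + capability(2)
               8: 12}   # beacon: same fixed fields as probe response

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class Frame:
    ftype: str            # "mgmt", "ctrl", "data" or "ext"
    subtype: int
    addr1: str
    addr2: str
    addr3: str            # BSSID in management frames
    to_ds: bool
    from_ds: bool
    protected: bool       # Frame Control "Protected Frame" bit: body is WEP/WPA encrypted
    ssid: Optional[str]   # None if absent, empty or NUL-padded (what a cloaked AP sends)

def parse_ies(body: bytes) -> Dict[int, bytes]:
    ies, i = {}, 0
    while i + 2 <= len(body):           # TLV: id(1) length(1) value(length)
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_frame(raw: bytes) -> Frame:
    fc0, fc1 = raw[0], raw[1]
    ftype = ("mgmt", "ctrl", "data", "ext")[(fc0 >> 2) & 0x3]
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    # Addresses follow Frame Control(2) + Duration(2); they are never encrypted.
    # (Short control frames such as ACK/CTS carry only Addr1; the other slices come back empty.)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    header_len = 24 + (6 if (to_ds and from_ds) else 0)   # Addr4 only in WDS data frames
    ssid = None
    if ftype == "mgmt" and subtype in SSID_FRAMES:
        value = parse_ies(raw[header_len + SSID_FRAMES[subtype]:]).get(0, b"")
        if any(value):                    # zero-length or all-NUL SSID = cloaked
            ssid = value.decode("utf-8", "replace")
    return Frame(ftype, subtype, mac_str(a1), mac_str(a2), mac_str(a3), to_ds, from_ds, protected, ssid)

# --- constructed sample frames (made-up MACs; duration/sequence/timestamps zeroed) ---
def ssid_ie(name: bytes) -> bytes:
    return bytes([0, len(name)]) + name

def mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, ies: bytes) -> bytes:
    fc = bytes([subtype << 4, 0x00])                          # type 0 = management
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + b"\x00" * SSID_FRAMES[subtype] + ies

def data_to_ap(sa: bytes, da: bytes, bssid: bytes, protected: bool, body: bytes) -> bytes:
    """Station-to-AP data frame (ToDS=1): Addr1=BSSID, Addr2=SA, Addr3=DA."""
    fc = bytes([2 << 2, 0x01 | (0x40 if protected else 0)])  # type 2 = data
    return fc + b"\x00\x00" + bssid + sa + da + b"\x00\x00" + body

AP, STA, GW = bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("00166faabbcc"), bytes.fromhex("005056010203")
BCAST = b"\xff" * 6
SAMPLE_FRAMES: List[bytes] = [
    mgmt(8, BCAST, AP, AP, ssid_ie(b"")),                  # beacon from a cloaked AP
    mgmt(4, BCAST, STA, BCAST, ssid_ie(b"linksys")),       # client probes for the name it knows
    mgmt(5, STA, AP, AP, ssid_ie(b"linksys")),             # AP answers, naming itself
    mgmt(0, AP, STA, AP, ssid_ie(b"linksys")),             # association request repeats it
    data_to_ap(STA, GW, AP, True, b"\x11\x22\x33\x00" + b"\xde\xad\xbe\xef" * 4),  # WEP IV+keyid, ciphertext
]

def decloak(frames: List[bytes]) -> Dict[str, str]:
    """BSSIDs whose beacons hide the SSID, mapped to the name leaked by other mgmt frames."""
    parsed = [parse_frame(f) for f in frames]
    cloaked = {f.addr3 for f in parsed if f.ftype == "mgmt" and f.subtype == 8 and f.ssid is None}
    return {f.addr3: f.ssid for f in parsed if f.ftype == "mgmt" and f.ssid and f.addr3 in cloaked}

def station_macs(frames: List[bytes]) -> Set[str]:
    """Client addresses read from the plaintext header, protected frames included."""
    stations: Set[str] = set()
    for f in map(parse_frame, frames):
        if f.ftype == "data":
            stations.add(f.addr2 if f.to_ds else f.addr1)
        elif f.ftype == "mgmt" and f.subtype == 0:          # association request: Addr2 = client
            stations.add(f.addr2)
    return stations

def keep_for_log(raw: bytes) -> bool:
    """Beacon-only wardriving policy: keep management frames, drop every data frame."""
    return parse_frame(raw).ftype == "mgmt"

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_frame(raw))
    print("decloaked:", decloak(SAMPLE_FRAMES), "stations:", station_macs(SAMPLE_FRAMES))
    print("kept for log:", sum(map(keep_for_log, SAMPLE_FRAMES)), "of", len(SAMPLE_FRAMES))
```

Running the file prints each parsed frame, the decloaked BSSID-to-SSID map, the client MAC (the address a MAC-filter bypass would spoof with a tool like macchanger), and how many of the five frames a management-only logging policy keeps. keep_for_log stands in for a logger that drops data frames; Kismet's own log configuration is not reproduced here.
-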
The Zaurus is really geeks dream.
The Zaurus is a tiny linux box. A powerful, tiny linux box. The first thing you should do when you get a Z is wipe the OS and instead install the excellent OpenZaurus (OZ). OZ is better than the original Linux install in nearly every respect. Don't think of your Z as a PDA, it's more like a tiny laptop. Some of the things I do with mine:
email: I recently compiled Mutt with a IMAP header cache patch. One of the most powerful email clients in the palm of my hand :-)
wireless sniffing: As you know, Kismet rules the land of wireless sniffers. Pop a wireless card in your Z (or get a 6000 :-) and your neighbours will never be safe again :-)
mp3/ogg playing: Using either Opie-Player2 or the excellent tkcplayer. Unfortunately, I can't use the tkcplayer on the very latest version of OpenZaurus, not because it won't run (it DOES almost start up when using "runcompat") but because it then tells me it can't run on this platform-- which it CAN, otherwise it wouldn't be able to tell me that :-) TKC are you listening? Remove the check please :-)
Video playing: using a port of the best linux movie player mplayer. I've encoded a bunch of movies down to ~200MB with great results. You can pop a couple of these on a 512MB card for those long flights :-)
Coding: Of course, I've got gcc and perl loaded on the puppy. Hell, without perl I wouldn't be able to run Chaosreader, makes those long hotel stays much more interesting :-)
Exploit testing :-) Since perl and gcc work fine, I really haven't run into any common exploits I can't compile or run properly.
A couple of hints and tricks:
1) If you want to extend your battery life while doing things like mp3 playing or wardriving, grab something like Qoverclock and use it to UNDERCLOCK your Z. Turn down (or off) the display as well. Poke at it a bit and realize you can easily make a shell script to do without the GUI.
2) To maximize your space on root, ram, sd and cf, the single best thing to use is UCLX which works just like UPX. UCLX/UPX are executable file compressors-- you compress your executable and when you run it it decompresses (to ram) on the fly. The compression it uses is AT LEAST as good as gzip (or better) and the decompression is very fast. When using slower media like SD (or even CF) you'll find that executables will run FASTER compressed than they would uncompressed-- the CPU can decompress a much smaller exe faster than the much larger uncompressed exe could be loaded from media and run.
3) When choosing a root/ram disk size for OpenZaurus, it's a good idea to pick a small root with a much larger ram disk. If (when) you need more ram, you can simply make some ramdisk swap files.
4) While you can run gcc right on the Z, it's also nice to use a cross compiler on your (much faster) desktop and then just cp the binary over. If you're too lazy to do cross compiles (or don't want to set up a ton of additional packages like ncurses, etc), you can also just ssh into the IPAQ development cluster and compile your code there. Typically it will run without issue-- sometimes you may want/need to statically link your programs or just grab the libraries from the ipaq and throw 'em on your Z. I haven't found a single thing yet I couldn't get to run.
5) Assuming you grab the required libraries, you can run basically all of the sw in th
-
Re:WEP (in)security assumptions
with kismet, you will be able to see the valid mac addresses being used on the network, without being connected to it. from their homepage:
"Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic."
then use something like macchanger, and you're in!
-
Re:Motorcycle use
-
Re:Release notes (in case the server goes bye bye)
Yes, but did they fix the bug where NetStumbler sends packets out? I find this unacceptable in a wireless monitoring tool, and that's why I'm using kismet. Well, that and the fact that I would never sully my laptop with the required Windows operating system.
-
Kismet detects NetStumbler
"stumbling" or "wardriving" or "airboxing*" or whatever you want to call it isn't cool if you broadcast so-called "jackass packets" all the while, and NetStumbler does.
Cool kids use stealthy silent scanning tools like Kismet and the like. Kismet actually does detect NetStumbler users scanning, even.
(*airboxing is a special term for people who dislike Pete Shipley (supposed inventor of network scanning, and also stupid terms like "wardriving").)
-
Re:New chipsets supported
-
Kismet
Kismet also recently announced a new version: Kismet-2004-04-R1.
-
Re:overlap?
Maybe I'm missing what you're getting at, but the 802.11b definitions for channels aren't used by anything else, but the spectrums that they cover are still unregulated... which means that anything can use it.
Now if you're saying that you can't see those with a 802.11 aware device then yeah, but if I made some device that just broadcast randomness on the 2.4-2.5ghz range then that would interfere with all of those channels. It's also interesting to note that these ranges differ depending on the country. Japan's different than US/Canada.
The full ranges are in the kismet documentation if I remember correctly.
But the overlap is because the upper frequency for channel 1 is 2.423 while the lowest end for channel 6 is 2.426. 5 ranges from 2.421 to 2.443. Still, the FCC doesn't have any say over what those channel mappings are; meaning that a cordless phone could easily interfere with those channels (and does).
-
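The channel arithmetic in the comment above, carried through as an added example in Python (not from the page): centre frequencies from the 802.11 2.4 GHz channel plan, a 22 MHz channel mask assumed for 802.11b DSSS, an overlap test between any two channels, and a greedy pick of non-overlapping channels per regulatory domain. The per-domain channel lists (1-11 for the US, 1-13 for Europe, 1-14 for Japan) are assumptions stated in the code, not taken from the page.

```python
"""Added example (Python, not from the page): 2.4 GHz channel spans and overlap,
using the 802.11 channel plan and an assumed 22 MHz DSSS (802.11b) channel mask."""
from typing import List, Tuple

WIDTH_MHZ = 22   # assumed 802.11b DSSS occupied bandwidth (802.11g OFDM is narrower, 20 MHz)
# Channels each regulatory domain allows; assumed from the commonly published plans.
DOMAINS = {"US": range(1, 12), "EU": range(1, 14), "JP": range(1, 15)}

def center_mhz(ch: int) -> int:
    """Channels 1..13 sit 5 MHz apart starting at 2412 MHz; channel 14 (Japan, 802.11b only) is 2484 MHz."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"no 2.4 GHz channel {ch}")

def span_mhz(ch: int, width: int = WIDTH_MHZ) -> Tuple[int, int]:
    """Lower and upper edge of the channel mask, in MHz."""
    c = center_mhz(ch)
    return c - width // 2, c + width // 2

def overlaps(a: int, b: int, width: int = WIDTH_MHZ) -> bool:
    lo_a, hi_a = span_mhz(a, width)
    lo_b, hi_b = span_mhz(b, width)
    return lo_a < hi_b and lo_b < hi_a      # masks that merely touch are treated as clear

def non_overlapping(domain: str, width: int = WIDTH_MHZ) -> List[int]:
    """Greedy pick, lowest channel first, of channels that overlap none of the earlier picks."""
    chosen: List[int] = []
    for ch in DOMAINS[domain]:
        if not any(overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen

if __name__ == "__main__":
    for ch in (1, 5, 6):
        print(ch, span_mhz(ch))
    for d in DOMAINS:
        print(d, non_overlapping(d))
```

The spans for channels 1, 5 and 6 come out at 2401-2423, 2421-2443 and 2426-2448 MHz, matching the figures in the comment, and the greedy pick gives the familiar 1/6/11 set for the US and European lists and adds 14 for Japan.
-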
I have used LAS...
... and I liked it. So did a coworker, who then stole it. There's irony in there somewhere...
Some other good Security LiveCD distros are Knoppix STD and P.H.L.A.K. But I mainly use Knoppix (which also has kismet and nmap), and when I want speed, SLAX is very good.
-
Re:tcpdump, ethereal, etherpeek
EtherPeek can sniff on any ethernet interface, in fact on the Mac it uses libpcap
...at least on OS X - unless it uses raw BPF (if the EtherPeek executable is Mach-O, what does "otool -L" say about it?). The older non-OS X versions presumably didn't use libpcap or BPF.
AiroPeek for wireless sniffing (support for a number of cards)
...because they had to supply their own drivers, thanks to the lack of any standard mechanism in Windows by which drivers for 802.11 cards can supply 802.11 packets to NDIS and offer standard NDIS OIDs to request monitor mode and the like. Ethernet doesn't have that problem, so EtherPeek on Windows can just connect to Ethernet drivers through NDIS (just as WinPcap does).
...or even a distributed RFGrabber device for sniffing.
That's based on the old WSP100 device from Network Chemistry. BTW, those devices probably use Network Chemistry's Tazmen Sniffer Protocol, so other applications that handle that protocol, such as Kismet, should also work with them.
-
kismet
with the proliferation of wifi, I am surprised no one has mentioned kismet yet. It allows for live capture of 802.11a/b/g traffic which can then be analyzed by ethereal. Also passively watches the network for programs like netstumbler and alerts you to their presence.
dowski
-
Re:Oblig Jokes
Dunno how fast software like kismet works, but riding on a train could be a great way to scan long stretches for hotspots. On the other hand, the delayed-email systems like we're seeing in third-world countries could probably benefit from having "carriers" mounted on trains.
Also, has anyone taken to wartraveling with handhelds? It's probably a heck of a lot more convenient than lugging around a laptop.
-
Re:Hacker potential
If you simply wanted to sniff somebody, your idea holds little weight. Use a conventional sniffer like Kismet instead. The crux of effective sniffing is, after all, being passive.
However, if you wanted to pose as a different wifi network, no telling what combination of packet filtering, transparent proxies, and web servers would yield.
-
Kismet
If you use Linux on your laptop, kismet will interface with GPS devices, and do signal power interpolation to find signal sources. It will also mark everything on a user-supplied map. Good Luck.
-
Vehicle-mounted ACCESS POINT?...
I've been toying with a related idea - but instead of setting up a 'client' system, I was considering trying to set up a portable "access point" and internal "network" in a vehicle.
I find it odd that even today nobody blinks if someone says they're building a LAN and doesn't mention internet access, but if someone says "wifi" it's automatically assumed it's only for The Internet(tm)...
I'm thinking of taking a "scrounged" ancient laptop, Prism 2/2.5/3-based 802.11b card, hostap (is there a hostap-type linux driver for prism GT chipsets yet?), and a trimmed down linux distro running dhcp, dns, and web servers (maybe even Samba) to provide 'local network only' connections to passers by as I travel, just as an experiment. Maybe even some sort of 'chat' facility. (Mainly just because I'm curious how many people would notice, how many people would immediately disconnect when they got the "this doesn't provide internet access" page, and how many would browse the [legally] free downloads, "sign" the guestbook, and so on...)
On the other hand, I'd also like to figure out how to interface with Kismet so as to "pause" it when a potentially-open network is detected and have a script check to see if it's REALLY open (a lot of "open" networks seem to still restrict by MAC address, or aren't running DHCP servers, or otherwise are not designed to be connected to by just anyone) and perhaps "burst" a quick email send/receive as I drive by before having Kismet resume scanning...