Hack 66. Scan for Wireless Networks
Detect which networks are available in your area.
Wireless networks are rapidly gaining use in homes, businesses, schools, and other places. You can often access these networks for your personal use. As an example, if you are visiting a conference and a number of different wireless networks are available, you need to be able to distinguish one network from another and log on. To discover which networks are available to you, you need to use a network scanner.
Another reason to scan a network is to determine how wide-reaching and secure the network is. If you are running a wireless network that is not encrypted, a house down the street might be able to connect and gain free access to your LAN. In some cases, you might want to have an open network (some people leave their wireless networks open to create free Internet hotspots), but in other cases, this might be expressly what you don't want.
Although anyone can connect to a wireless network easily enough, scanning for networks is a different ballgame. First of all, you need to put your network card into a special mode called monitor mode that can scan for networks, and then you need to be able to control the card to determine when a network has been detected. You can achieve all of this with a suitable wireless card and a tool called Kismet (http://www.kismetwireless.net).
Although every wireless card allows you to connect to a network, not all cards support monitor mode. If you are unsure whether your card supports this mode, some sensible Google searching is likely to indicate if your hardware supports it. When you have determined monitor mode is available, you need to find which driver the card uses. If you are already using the card in Linux, you can probably see which driver is loaded by using this command:
Take a look at the list of drivers supported by Kismet at http://www.kismetwireless.net/documentation.shtml and see if your driver is included in the list. The cards listed in the Kismet documentation are known to work, but drivers, patches, and third-party support might be available for your card elsewhere. Many of the members of the Kismet mailing lists and IRC channels have experience in a range of different cards, and they can help you determine if your card is supported. If your card isn't fully supported by Kismet, you need to peruse the mailing lists (available at http://www.kismetwireless.net/forum.php) and IRC channel (#kismet on irc.freenode.net) to see what level of support is available for your hardware.
8.13.1. Patching the Driver to Enable Monitor Mode
Though some wireless cards do support the use of monitor mode, the default Linux drivers aren't coded to support it. Many of these drivers have patches that can be applied to the kernel driver source code to enable monitor mode support. To use these patches, make sure the patch is suitable for the version of the driver included in the kernel. To find out the version of your driver, look in the Documentation directory inside the kernel source code and look through the files in the networking directory. You can also do a search to see which files contain the word wireless:
foo@bar:~$ grep -rli wireless networking/
When you are ready to patch the kernel device driver, download your driver patch to a directory on your hard disk. You can test that the patch will apply cleanly without actually patching the code by running the following command from inside your kernel source tree (usually /usr/src/linux-<version>):
foo@bar:~# patch -p1 --dry-run < /path/to/patches/patch.diff
If you don't get any FAIL errors when you run this command, you are ready to patch the file with this command:
foo@bar:~# patch -p1 < /path/to/patches/patch.diff
Now recompile the kernel to build the driver. Then ensure that you are loading the updated driver. This might require a reboot or manually removing the old module from memory and inserting the new one. You can do this with the rmmod and insmod commands:
foo@bar:~$ rmmod orinoco foo~bar:~$ insmod orinoco
8.13.2. Running Kismet
Kismet is a special tool that can scan for wireless networks and indicate which ones are available for you to connect to. Kismet is packaged for many Linux distributions and the source code is available at http://www.kismetwireless.net. Detailed instructions on how to install and set up Kismet are included with the software, so I won't cover that here. The documentation will require you to make some adjustments to your /etc/kismet.conf file, which controls Kismet's configuration. When you are reading the documentation, you should pay particular attention to the suiduser and PID parts, as these could cause problems with Kismet running.
To start Kismet, run the command-line program:
When the program starts, you see an interface that displays a list of networks Kismet has detected. Each network is color-coded to indicate if it is open (red) or encrypted (green). If you have configured speech=true in /etc/kismet.conf and you have the festival speech synthesis software available on your system, Kismet speaks to you and tells you when it detects a network.
Inside the Kismet interface, you can press h to display a help list, which tells you the commands for accessing the application's features. Once you have some sniffed networks displayed in the main window, you need to turn off the default Autofit mode so that you can get more information about the different networks. You can display information in Kismet in a variety of different ways, and you can't use all functions in all modes. To turn off the mode, press the s key, and select another way to sort the networks. Now you can select a network with the arrow keys.
If you press the i key with a network selected, you can find out general information about it. The r key gives you a detailed ASCII graph with the current packet rateuseful for determining how much traffic is available. Another useful mode is the statistics view (a key), which indicates channel usage and the total number of servers and networks.
You also can use Kismet in conjunction with a GPS unit to plot wireless networks on a map [Hack #67] .
8.13.3. Dumpster-Diving the Kismet Way
At this point in your use of Kismet, you have looked at the main methods of scanning for networks. Although the information inside the Kismet interface is useful, you also can use Kismet's other tools to find out even more information about the traffic on the network. The most common method of doing this is by capturing the raw data sent across the wireless network and then using some tools to crack open and sift through the captured information.
When you run Kismet, the raw data it collects is stored in your home directory in a series of *.dump files. These files contain data stored as pcap information (a common network packet format). You can use packet analysis tools to open these dumps and identify patterns in their contents. A number of packet analysis tools are available for Linux, but one of the most popular is Ethereal (http://www.ethereal.com). You can use Ethereal to open these dump files and look for plain-text data, as well as to capture live data. If you use Ethereal to capture live data while your network card is in monitor mode, you will see the low-level frame information about the wireless network, and this can be useful when diagnosing problems with wireless software.
Another useful function of Ethereal is for strengthening network security. If you run Ethereal while connected to a network, the packet data from normal communications is logged, and you can use it to see if plain-text passwords or other sensitive data is being transferred over the stream. A useful feature in Ethereal is the ability to follow a TCP stream conversation, and determine how data is sent back and forth between the client and the server. With this information, you can perform an autopsy on how the traffic is formed and how secure it is.