Raspberry (or other SBC) wardriving setup
> Introduction
This section covers the use of airodump-ng running on a headless Raspberry Pi Zero W (or other SBC) to provide a lightweight way to scan for WIFI networks while on the go (aka wardriving).
I assume you're familiar with setting up a Raspberry Pi / Raspbian and know some command line, the nano editor, ... If not, you should be able to easily fill in the blanks by DuckDuckGoing or StartPaging.
> Hardware
Raspberry Pi Zero W
External battery to power the RPi
Android phone
TP-Link TL-WN722N (v1, with the Atheros AR9271 chipset; later hardware revisions use a Realtek chipset that needs an out-of-tree driver for monitor mode) or another monitor mode capable card
> Pre-requisites
Refer to
these instructions for basic configuration.
> Configuration
Software install
Follow instructions on
how to install Aircrack-ng (from source or via the package manager).
WIFI cards configuration
The idea is to have the RPi internal WIFI card (wlan0) connect to the Android hotspot for remote control via SSH, and the external card (wlan1) put in monitor mode.
To make sure the external card is not picked up as wlan0 and doesn't get an IP address via DHCP, we'll create two udev rules that pin the internal card to wlan0 and the external card to wlan1, and tell dhcpcd to leave wlan1 alone.
This may work without udev rules, but the kernel numbers the cards in the order it probes them, so without the rules the names can swap from one boot to the next and SSH would end up on the wrong interface. Note that udev can only rename a card to a name no other card currently holds; if the rename fails because the kernel already handed wlan0 to the external card, pick names the kernel never assigns on its own (for instance wlan_int and wlan_ext) and use those everywhere below.
First check the WIFI cards' MAC addresses by running the following command with the external card plugged in.
ifconfig
Check the line starting with "ether" under each wlanX (normally wlan0 and wlan1).
The one starting with "ether b8:27:eb" is the Raspberry Pi's built-in WIFI card (wlan0) and the other is the external card (e.g. e8:de:27:xx:xx:xx for a TL-WN722N). Write both down in lowercase: udev compares ATTR{address} as a plain string against the value the kernel reports, which is lowercase, so an uppercase MAC in a rule never matches.
Then create two udev rules, one for each WIFI card.
sudo nano /etc/udev/rules.d/10-network-wlan0.rules
Then set the rule content (replacing the MAC address with one from the internal WIFI card), save and exit.
# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="b8:27:eb:xx:xx:xx", NAME="wlan0"
Do the same for the external WIFI card
sudo nano /etc/udev/rules.d/10-network-wlan1.rules
Then set the rule content (replacing the MAC address with the one from the external WIFI card), save and exit.
# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="e8:de:27:xx:xx:xx", NAME="wlan1"
Next edit the /etc/dhcpcd.conf file
sudo nano /etc/dhcpcd.conf
And add this line at the end of the file to tell dhcpcd not to configure wlan1, then save and exit.
denyinterfaces wlan1
Next, edit the /etc/network/interfaces file
sudo nano /etc/network/interfaces
And set the following content
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
allow-hotplug wlan1
iface wlan1 inet manual
Next, reboot the RPi and check with ifconfig that wlan0 picked up an IP address (line starting with inet) while wlan1 didn't.
Also check that each card's MAC address matches the one in its udev rule.
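The post-reboot check above is easy to get wrong by eye (two long hex strings, two files), so here is an added shell example, not part of the original page, that generates both rules from the MAC addresses and then verifies the live interface names against them. The MAC addresses, interface names and the ip -o link show output in it are constructed sample data, not taken from a real Pi.

```shell
#!/bin/sh
# Added example (not part of the original page): generate the two udev rules
# from the MAC addresses found with ifconfig, and after the reboot verify that
# the live interface names really match the rules. The MACs and the
# `ip -o link show` output below are constructed sample data.

# Normalise a MAC to lowercase and check its shape. udev compares
# ATTR{address} literally against the kernel's lowercase value, so a rule
# written with uppercase hex digits never matches and the card keeps its
# kernel-assigned name.
normalize_mac() {
    h='[0-9a-f][0-9a-f]'
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# Print the udev rule that pins the interface with MAC $1 to the name $2.
udev_rule_for() {
    mac=$(normalize_mac "$1") || { echo "udev_rule_for: bad MAC '$1'" >&2; return 1; }
    printf '# Identify device by MAC address\n'
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$2"
}

# Read `ip -o link show` output on stdin and print the interface that owns
# MAC $1. The link type is matched loosely because a card in monitor mode
# shows up as link/ieee802.11/radiotap rather than link/ether.
iface_for_mac() {
    mac=$(normalize_mac "$1") || return 1
    awk -v mac="$mac" '$0 ~ ("link/[^ ]+ " mac " ") { sub(/:$/, "", $2); print $2; exit }'
}

# Compare every rule in file $1 with the live interfaces read on stdin.
# Prints one line per rule and returns 1 if any name is held by another card.
check_udev_rules() {
    live=$(cat)
    rc=0
    while read -r name mac; do
        [ -n "$name" ] || continue
        owner=$(printf '%s\n' "$live" | iface_for_mac "$mac")
        if [ "$owner" = "$name" ]; then
            echo "$name OK ($mac)"
        else
            echo "$name MISMATCH: rule says $mac, live owner is '${owner:-none}'"
            rc=1
        fi
    done <<EOF
$(sed -n 's/.*ATTR{address}=="\([^"]*\)".*NAME="\([^"]*\)".*/\2 \1/p' "$1")
EOF
    return $rc
}

# Constructed sample of `ip -o link show` on a Pi after the reboot.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DORMANT group default qlen 1000\    link/ether b8:27:eb:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether e8:de:27:ab:cd:ef brd ff:ff:ff:ff:ff:ff'

# Demo: write both rules to a temporary file and check them against the sample.
demo() {
    rules=$(mktemp)
    udev_rule_for "B8:27:EB:12:34:56" wlan0 > "$rules"
    udev_rule_for "e8:de:27:ab:cd:ef" wlan1 >> "$rules"
    cat "$rules"
    printf '%s\n' "$SAMPLE_IP_LINK" | check_udev_rules "$rules"
    rm -f "$rules"
}
demo
```

On the Pi, source the file and feed it the real data instead of the sample: concatenate the two rule files (cat /etc/udev/rules.d/10-network-wlan*.rules > /tmp/rules.txt) and run ip -o link show | check_udev_rules /tmp/rules.txt. A MISMATCH line means the rule's MAC is currently owned by a different interface name (or none), which is exactly the name-swap or rename-failure case described above.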
Manual startup of airodump-ng
Put the wlan1 card in monitor mode
sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode monitor
sudo ifconfig wlan1 up
Start monitoring, saving results every 10 s to a CSV file prefixed scan (airodump-ng numbers it scan-01.csv). --berlin 30 drops access points not seen for 30 seconds from the display, --uptime shows each AP's uptime taken from its beacon timestamps, and --manufacturer adds the vendor derived from the MAC's OUI.
sudo airodump-ng wlan1 -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer
Press Ctrl+C to exit airodump-ng.
Startup script
The following startup script can be used to put the wlan1 card in monitor mode (if it isn't already), start airodump-ng and save the results as CSV to scan-01.csv.
Once you exit airodump-ng (Ctrl+C), you'll be asked if you want to back up the scan and the backup script will be called (see the next paragraph).
It takes an optional WIFI adapter name (e.g. wlan0) as an argument; by default (if none is provided) it uses wlan1, which matches our configuration.
To use it, copy paste the content in a file named (for instance) start_scan.sh
#!/bin/bash
# Put the card in monitor mode if needed, run airodump-ng, then offer a backup.
if [[ $# -eq 0 ]]
then
    card="wlan1"
else
    card="$1"
fi
# Get the script's path and cd to it (backup.sh and the scan files live here)
dir="$(dirname "$(readlink -f "$0")")"
cd "$dir" || exit 1
# Set the card in monitor mode (iwconfig reports "Mode:Monitor" once it is)
echo "Checking $card is in monitor mode"
if ! iwconfig "$card" 2>/dev/null | grep -q "Mode:Monitor"
then
    echo "Setting $card to monitor mode"
    if ! sudo ifconfig "$card" down
    then
        echo "Problem when shutting down $card"
        exit 1
    fi
    if ! sudo iwconfig "$card" mode monitor
    then
        echo "Problem when putting $card in monitor mode"
        exit 1
    fi
    if ! sudo ifconfig "$card" up
    then
        echo "Problem when starting up $card"
        exit 1
    fi
fi
# Remove previous scan files (airodump-ng numbers its output files, so this
# keeps the new result at scan-01.csv, which backup.sh expects)
if ls scan*.csv > /dev/null 2>&1
then
    echo "Removing previous scan files"
    rm -f scan*.csv
fi
# Start scanner
sudo airodump-ng "$card" -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer
# Ask to back up the current scan once airodump-ng exits
./backup.sh
Make it executable
chmod +x start_scan.sh
To run it
./start_scan.sh
Backup script
This script asks you for a short description (used in the backup's filename) and a longer one, then copies the last airodump-ng scan to the backup directory for later analysis.
The timestamp and both descriptions are appended to a text file (info.txt) under the backup directory.
To use this script, copy paste the content in a file named backup.sh
#!/bin/bash
# Copy the last airodump-ng scan to ./backup with a timestamp and description.
# Get the script's path and cd to it
dir="$(dirname "$(readlink -f "$0")")"
cd "$dir" || exit 1
backup_scan() {
    echo "Airodump-ng scan backup"
    read -r -p "Type a short description [ENTER]: " short_desc
    read -r -p "Type a long description [ENTER]: " long_desc
    # The short description becomes part of a filename and a field in
    # info.txt: restrict it to safe characters (no "/", ";" or control chars)
    short_desc=$(printf '%s' "$short_desc" | tr -c 'A-Za-z0-9._ ' '_')
    date=$(date +%Y-%m-%d_%H%M%S)
    # Make sure the backup folder exists
    mkdir -p "$dir/backup"
    # Copy file to the backup directory
    target="$dir/backup/$date - $short_desc.csv"
    cp "$dir/$scan_results" "$target" || { echo "Copy failed"; exit 1; }
    echo "File copied to $target"
    echo "$date;$short_desc;$long_desc" >> "$dir/backup/info.txt"
}
# File to back up
scan_results=scan-01.csv
# Check it exists
if [ -f "$dir/$scan_results" ]
then
    while true
    do
        read -r -p "Do you wish to back up this scan? [Y/N] " yn
        case $yn in
            [Yy]* ) backup_scan; break;;
            [Nn]* ) exit;;
            * ) echo "Please answer Yes or No.";;
        esac
    done
else
    echo "No scan to backup (no such file: $dir/$scan_results)"
fi
Make it executable
chmod +x backup.sh
To run it when not using start_scan.sh
./backup.sh
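The scans kept by backup.sh are meant for later analysis, so here is an added shell example, not part of the original page, that pulls the access point table out of an airodump-ng CSV and summarises what the ride found: counts by encryption type, hidden SSIDs, and a list of the open networks. The CSV content embedded in it is constructed sample data laid out the way airodump-ng writes its CSV (AP table, blank line, station table, CRLF line endings), not a real capture; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): pull the AP table out of an
# airodump-ng CSV (the scan-01.csv files that backup.sh keeps) and summarise
# what was seen. The CSV content below is constructed sample data in the
# layout airodump-ng writes; it is not a real capture.

# Emit one "bssid|channel|privacy|essid" line per access point. The file uses
# CRLF line endings; the AP table runs from the "BSSID, First time seen" header
# to the first blank line, after which the station table follows.
airodump_aps() {
    tr -d '\r' < "$1" | awk -F',' '
        /^BSSID, First time seen/ { in_aps = 1; next }
        in_aps && NF < 15         { exit }
        in_aps {
            # airodump-ng does not quote fields, so an ESSID containing a comma
            # spills into extra fields; Key is always last, so glue 14..NF-1 back.
            essid = $14
            for (i = 15; i < NF; i++) essid = essid "," $i
            gsub(/^ +| +$/, "", essid)
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            print $1 "|" $4 "|" $6 "|" essid
        }'
}

# One-line count of APs by encryption type plus hidden-SSID networks.
scan_summary() {
    airodump_aps "$1" | awk -F'|' '
        { total++ }
        $3 ~ /OPN/ { open++ }
        $3 ~ /WEP/ { wep++ }
        $3 ~ /WPA/ { wpa++ }
        $4 == ""   { hidden++ }
        END { printf "aps=%d open=%d wep=%d wpa=%d hidden=%d\n", total, open, wep, wpa, hidden }'
}

# List the open networks (BSSID, channel, ESSID).
open_networks() {
    airodump_aps "$1" | awk -F'|' '$3 ~ /OPN/ { print $1 " ch" $2 " " ($4 == "" ? "<hidden>" : $4) }'
}

# Constructed sample in airodump-ng CSV layout (four APs, one station).
SAMPLE_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2020-05-01 10:00:01, 2020-05-01 10:04:59,  6,  54, WPA2, CCMP, PSK, -60,      120,        0,   0.  0.  0.  0,   8, HomeNet1,
66:77:88:99:AA:BB, 2020-05-01 10:00:03, 2020-05-01 10:04:58,  1,  54, OPN,  ,   , -71,       40,        0,   0.  0.  0.  0,  10, Cafe Guest,
CC:DD:EE:FF:00:11, 2020-05-01 10:01:10, 2020-05-01 10:04:50, 11,  54, WEP, WEP, OPN, -80,       12,       30,   0.  0.  0.  0,  11, Old,Printer,
22:33:44:55:66:77, 2020-05-01 10:02:00, 2020-05-01 10:04:55,  6,  54, WPA2 WPA, CCMP TKIP, PSK, -65,       30,        0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2020-05-01 10:00:05, 2020-05-01 10:04:00, -55,       20, 00:11:22:33:44:55, HomeNet1
'

# Demo on the sample; on the Pi run the same functions on a backed-up file.
demo() {
    csv=$(mktemp)
    printf '%s\n' "$SAMPLE_CSV" > "$csv"
    scan_summary "$csv"
    open_networks "$csv"
    rm -f "$csv"
}
demo
```

On the sample the summary is aps=4 open=1 wep=1 wpa=2 hidden=1 and the single open network is the cafe on channel 1. On the Pi, source the file and point the functions at a backed-up scan (e.g. scan_summary "backup/2020-05-01_100500 - ride.csv"); the ESSID gluing matters in practice because airodump-ng writes the CSV without quoting, so one network named with a comma would otherwise shift every field after it.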