Raspberry (or other SBC) wardriving setup
> Introduction
This section covers the use of airodump-ng, running on a headless Raspberry Pi Zero W (or other SBC) to provide a lightweight way to scan for WIFI signal while on the go (aka wardriving).I assume you're familiar with setting up a Raspberry Pi / Raspbian and know some command line, nano editor, ... If not, you should be able to easily fill the blanks by DuckDuckGoing or StartPaging.
> Hardware
Raspberry Pi Zero WExternal battery to power the RPi
Android phone
TP-Link TL-WN722N (or other compatible Monitoring mode capable card)
> Pre-requisites
Refer to these instrucions for basic configuration.> Configuration
Software install
Follow instructions on how to install Aircrack-ng (from source or via packet manager).WIFI cards configuration
The idea is to have the RPi internal WIFI card (wlan0) connecting to an the Android hotspost for remote control via SSH and the external card (wlan1) be put in monitoring mode.To make sure the external card is not picked up as wlan0 and doesn't get an IP address via DHCP, we'll create two udev rules to force it to wlan 0 and wlan1 and deny DHCP on wlan1.
This may work without udev rules but it's better to make sure things don't mess up.
First check the WIFI cards' MAC addresses by running the following command with the external card plugged in.
ifconfig
The one matching "ether b8:27:eb" is the Raspberry WIFI cards' (wlan0) and the other theM external card (ie: e8:de:27:xx:xx:xx for a TL-WN-722N).
Write that down and create two udev rules, one for each WIFI card
sudo nano /etc/udev/rules.d/10-network-wlan0.rules
# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="b8:27:eb:xx:xx:xx", NAME="wlan0"
sudo nano /etc/udev/rules.d/10-network-wlan1.rules
# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="e8:de:27:xx:xx:xx", NAME="wlan1"
sudo nano /etc/dhcpd.conf
denyinterfaces wlan1
sudo nano /etc/network/interfaces
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
allow-hotplug wlan1
iface wlan1 inet manual Also check that the MAC addresses match what's in the 2 udev rules.
Manual startup of airodump-ng
Put the wlan1 card in monitor mode
sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode monitor
sudo ifconfig wlan1 up
sudo airodump-ng wlan1 -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer Startup script
The following startup script can be used to put the wlan1 card im monitoring mode (if not already), start airodump-ng, save the results as CSV to scan-01.csv.Once you exit airodump-ng (Crtl+c), you'll be asked if you want to backup the scan and the backup script will be called (see the next paragraph).
It can take a wifi adapter name (ie: wlan0) as an argument but by default (if none provided), it will use wlan1 (which if our configuration).
To use it, copy paste the content in a file named (for instance) start_scan.sh
#!/bin/bash
if [[ $# -eq 0 ]]
then
card="wlan1"
else
card=$1
fi
# Get the script's path and cd to it
dir="$(dirname "$(readlink -f "$0")")"
cd $dir
# Set the card in monitor mode
echo "Checking $card is on monitor mode"
ifconfig | grep "$card" -A 1 | grep "PROMISC"
if [ $? -ne 0 ]
then
echo "Setting $card to monitor mode"
sudo ifconfig $card down
if [ $? -ne 0 ]
then
echo "Problem when shutting down $card"
exit 1
fi
sudo iwconfig $card mode monitor
if [ $? -ne 0 ]
then
echo "Problem when putting $card in monitor mode"
exit 1
fi
sudo ifconfig $card up
if [ $? -ne 0 ]
then
echo "Problem when starting up $card"
exit 1
fi
fi
# Remove previous scan files
ls scan*.csv > /dev/null 2>&1
if [ $? -eq 0 ]
then
echo "Removing previous scan files"
rm -rf scan*.csv
fi
# Start scanner
sudo airodump-ng $card -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer
# Ask to backup the current scan once airodump-ng exits
./backup.sh
chmod +x start_scan.sh
./start_scan.sh
Backup script
This script will ask your for a filename and a file description and then backup the last airodump-ng scan to the backup directory for later analysis.The filenames and descriptions are stored in a text file (info.txt) under the backup directory.
To use this script, copy paste the content in a file named backup.sh
#!/bin/bash
# Get the script's path and cd to it
dir="$(dirname "$(readlink -f "$0")")"
cd $dir
backup_scan() {
echo "Airodump-ng scan backup"
echo -n "Type a short description [ENTER]: "
read short_desc
echo -n "Type a long description [ENTER]: "
read long_desc
date=`date +%Y-%m-%d_%H%M%S`
# Check the backup folder exists, if not create it
if [ ! -d "$dir/backup" ]
then
mkdir "$dir/backup"
fi
# Copy file to the backup directory
cp "$dir/$scan_results" "$dir/backup/$date - $short_desc.csv"
echo "File copied to $dir/backup/$date - $short_desc.csv"
echo "$date;$short_desc;$long_desc" >> "$dir/backup/info.txt"
}
#File to backup
scan_results=scan-01.csv
# Check it exists
ls "$scan_results" > /dev/null 2>&1
if [ $? -eq 0 ]
then
while true
do
read -p "Do you wish to backup this scan? [Y/N] " yn
case $yn in
[Yy]* ) backup_scan; break;;
[Nn]* ) exit;;
* ) echo "Please answer Yes or No.";;
esac
done
else
echo "No scan to backup (no such file: $dir/$scan_results)"
fi
chmod +x backup.sh
./backup.sh