Raspberry (or other SBC) wardriving setup


> Introduction

This section covers the use of airodump-ng, running on a headless Raspberry Pi Zero W (or other SBC), to provide a lightweight way to scan for WIFI networks while on the go (aka wardriving).

I assume you're familiar with setting up a Raspberry Pi / Raspbian and know some command line, nano editor, ... If not, you should be able to easily fill the blanks by DuckDuckGoing or StartPaging.

> Hardware

Raspberry Pi Zero W
External battery to power the RPi
Android phone
TP-Link TL-WN722N (or other compatible Monitoring mode capable card)

> Pre-requisites

Refer to these instructions for basic configuration.

> Configuration

Software install

Follow the instructions on how to install Aircrack-ng (from source or via the package manager).

WIFI cards configuration

The idea is to have the RPi's internal WIFI card (wlan0) connect to the Android hotspot, for remote control via SSH, while the external card (wlan1) is put in monitor mode.
To make sure the external card is not picked up as wlan0 and doesn't get an IP address via DHCP, we'll create two udev rules to pin the cards to wlan0 and wlan1, and deny DHCP on wlan1.
This may work without udev rules, but it's better to make sure the interface names don't get swapped.

First check the WIFI cards' MAC addresses by running the following command with the external card plugged in.

ifconfig
Check the lines which start with "ether" under each wlanX (normally wlan0 and wlan1).
The one matching "ether b8:27:eb" is the Raspberry's internal WIFI card (wlan0) and the other is the external card (e.g. e8:de:27:xx:xx:xx for a TL-WN722N).

Write that down and create two udev rules, one for each WIFI card

sudo nano /etc/udev/rules.d/10-network-wlan0.rules
Then set the rule content (replacing the MAC address with the one from the internal WIFI card), save and exit.

# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="b8:27:eb:xx:xx:xx", NAME="wlan0"
Do the same for the external WIFI card

sudo nano /etc/udev/rules.d/10-network-wlan1.rules
Then set the rule content (replacing the MAC address with the one from the external WIFI card), save and exit.

# Identify device by MAC address
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="e8:de:27:xx:xx:xx", NAME="wlan1"
Next edit the /etc/dhcpcd.conf file

sudo nano /etc/dhcpcd.conf
And add this line at the end of the file to disable DHCP on wlan1, save and exit.

denyinterfaces wlan1
Next, edit the /etc/network/interfaces file

sudo nano /etc/network/interfaces
And set the following content

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
Next, restart the RPi and check via the ifconfig command that wlan0 picked up an IP address (line starting with inet) while wlan1 didn't.
Also check that the MAC addresses match what's in the 2 udev rules.
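
A script to verify this after the reboot, as an added example that is not part of the original page: it parses the two udev rule files above, compares the MAC address pinned in each with the one the kernel reports under /sys/class/net, and checks that wlan1 has not picked up an IPv4 address. The rule file paths and interface names follow the page; the /sys/class/net path, the ip command and the SYSFS_NET override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: post-reboot sanity check for the
# udev and dhcpcd configuration above. It reads the MAC address pinned in each
# udev rule, compares it with the address the kernel reports in /sys/class/net,
# and checks that wlan1 has not picked up an IPv4 address. The rule file names
# and interface names follow the page; the use of /sys/class/net and the "ip"
# command is an assumption about the OS.

# Directory holding one sub-directory per interface (overridable for testing).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# MAC address from a rule such as
#   SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="b8:27:eb:xx:xx:xx", NAME="wlan0"
# printed in lower case; prints nothing if the file has no ATTR{address}.
rule_mac() {
    sed -n 's/.*ATTR{address}=="\([^"]*\)".*/\1/p' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Interface name from the NAME="..." assignment of a rule file.
rule_name() {
    sed -n 's/.*NAME="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# MAC address the kernel reports for an interface; empty if it does not exist.
iface_mac() {
    cat "$SYSFS_NET/$1/address" 2>/dev/null | tr 'A-F' 'a-f'
}

# Succeeds (returns 0) if the interface currently has an IPv4 address.
iface_has_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# Compare one rule file with the live interface it names. Returns 0 on match.
check_rule() {
    rule="$1"
    if [ ! -r "$rule" ]
    then
        echo "$rule: not found or not readable"
        return 1
    fi
    name="$(rule_name "$rule")"
    mac="$(rule_mac "$rule")"
    if [ -z "$name" ] || [ -z "$mac" ]
    then
        echo "$rule: could not parse NAME or ATTR{address}"
        return 1
    fi
    actual="$(iface_mac "$name")"
    if [ "$mac" != "$actual" ]
    then
        echo "$name: rule pins $mac but the kernel reports '${actual:-no such interface}'"
        return 1
    fi
    echo "$name: OK ($mac)"
}

# Run all checks; returns 1 if any of them fails.
main() {
    status=0
    for rule in /etc/udev/rules.d/10-network-wlan0.rules \
                /etc/udev/rules.d/10-network-wlan1.rules
    do
        check_rule "$rule" || status=1
    done
    # The monitor card must not have been configured by dhcpcd.
    if iface_has_ipv4 wlan1
    then
        echo "wlan1: has an IPv4 address; check 'denyinterfaces wlan1' in /etc/dhcpcd.conf"
        status=1
    else
        echo "wlan1: no IPv4 address (expected)"
    fi
    return "$status"
}

main
```

Save it as check_wlan_setup.sh, make it executable and run it after each reboot; a non-zero exit status means one of the three checks failed and the message says which. Comparing against /sys/class/net rather than eyeballing ifconfig output catches the case where the rule file has a typo in the MAC address and udev silently left the kernel's default naming in place.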

Manual startup of airodump-ng

Put the wlan1 card in monitor mode

sudo ifconfig wlan1 down
sudo iwconfig wlan1 mode monitor
sudo ifconfig wlan1 up
Start monitoring (saving results every 10 s to a CSV file prefixed with scan)

sudo airodump-ng wlan1 -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer
Press Ctrl+C to exit airodump-ng

Startup script

The following startup script can be used to put the wlan1 card in monitor mode (if it isn't already), start airodump-ng and save the results as CSV to scan-01.csv.
Once you exit airodump-ng (Ctrl+C), you'll be asked if you want to back up the scan and the backup script will be called (see the next paragraph).
It can take a WIFI adapter name (e.g. wlan0) as an argument; by default (if none is provided), it will use wlan1 (which is our configuration).
To use it, copy and paste the content into a file named (for instance) start_scan.sh

#!/bin/bash

# Wireless card to use: first argument, or wlan1 by default
if [[ $# -eq 0 ]]
then
    card="wlan1"
else
    card="$1"
fi

# Get the script's path and cd to it
dir="$(dirname "$(readlink -f "$0")")"
cd "$dir" || exit 1

# Set the card in monitor mode (iwconfig reports "Mode:Monitor" once it is;
# the PROMISC flag in ifconfig is not a reliable indicator)
echo "Checking $card is in monitor mode"
if ! iwconfig "$card" 2>/dev/null | grep -q "Mode:Monitor"
then
    echo "Setting $card to monitor mode"
    if ! sudo ifconfig "$card" down
    then
        echo "Problem when shutting down $card"
        exit 1
    fi
    if ! sudo iwconfig "$card" mode monitor
    then
        echo "Problem when putting $card in monitor mode"
        exit 1
    fi
    if ! sudo ifconfig "$card" up
    then
        echo "Problem when starting up $card"
        exit 1
    fi
fi

# Remove previous scan files so airodump-ng writes scan-01.csv again
if ls scan*.csv > /dev/null 2>&1
then
    echo "Removing previous scan files"
    rm -f scan*.csv
fi

# Start scanner (CSV refreshed every 10 s, runs until Ctrl+C)
sudo airodump-ng "$card" -w scan --write-interval 10 --uptime --berlin 30 -o csv --manufacturer

# Ask to backup the current scan once airodump-ng exits
./backup.sh
Make it executable

chmod +x start_scan.sh
To run it

./start_scan.sh

Backup script

This script will ask you for a short description (used in the backup's filename) and a longer description, then back up the last airodump-ng scan to the backup directory for later analysis.
The filenames and descriptions are stored in a text file (info.txt) under the backup directory.
To use this script, copy and paste the content into a file named backup.sh

#!/bin/bash

# Get the script's path and cd to it
dir="$(dirname "$(readlink -f "$0")")"
cd "$dir" || exit 1

# File to backup (written by airodump-ng via start_scan.sh)
scan_results="scan-01.csv"

backup_scan() {
    echo "Airodump-ng scan backup"

    echo -n "Type a short description [ENTER]: "
    read -r short_desc

    echo -n "Type a long description [ENTER]: "
    read -r long_desc

    date="$(date +%Y-%m-%d_%H%M%S)"

    # Check the backup folder exists, if not create it
    if [ ! -d "$dir/backup" ]
    then
        mkdir "$dir/backup"
    fi

    # Copy the scan to the backup directory, named after the date and short description
    cp "$dir/$scan_results" "$dir/backup/$date - $short_desc.csv"
    echo "File copied to $dir/backup/$date - $short_desc.csv"

    # Record date and descriptions so the backup can be found again later
    echo "$date;$short_desc;$long_desc" >> "$dir/backup/info.txt"
}

# Check the scan file exists before offering to back it up
if [ -f "$dir/$scan_results" ]
then
    while true
    do
        read -r -p "Do you wish to backup this scan? [Y/N] " yn
        case $yn in
            [Yy]* ) backup_scan; break;;
            [Nn]* ) exit;;
            * ) echo "Please answer Yes or No.";;
        esac
    done
else
    echo "No scan to backup (no such file: $dir/$scan_results)"
fi
Make it executable

chmod +x backup.sh
To run it when not using start_scan.sh

./backup.sh
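
The files backed up by backup.sh are plain airodump-ng CSV files. The following script, added here as an example and not part of the original page, reads one and summarises what you would look at first when reviewing a scan: how many access points use each privacy setting, which ones are open, and how many client stations were seen. The column positions (Privacy in column 6, channel in column 4, ESSID in column 14, station section after the "Station MAC," header) are taken from airodump-ng's CSV layout and are an assumption of this example; the sample data written by write_sample_scan is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: a small reader for the CSV that
# airodump-ng writes (scan-01.csv, or the dated copies in backup/). The column
# layout assumed here is airodump-ng's: an access-point section whose header
# starts with "BSSID," and has Privacy in column 6, channel in column 4 and
# ESSID in column 14, then a blank line, then a station section whose header
# starts with "Station MAC,". Lines end in CR LF, hence the tr -d '\r'.
# The sample data at the bottom is constructed for this example.

# Count access points per Privacy value (OPN, WEP, WPA, WPA2, ...), one
# "<privacy> <count>" line each, sorted by name.
summarize_privacy() {
    tr -d '\r' < "$1" | awk -F',' '
        /^BSSID,/       { in_ap = 1; next }    # AP section header
        /^Station MAC,/ { in_ap = 0 }          # station section starts here
        in_ap && NF >= 14 {
            p = $6; gsub(/^ +| +$/, "", p)     # trim the Privacy column
            if (p != "") count[p]++
        }
        END { for (p in count) print p, count[p] }' | LC_ALL=C sort
}

# List access points that broadcast without encryption, as "BSSID channel ESSID".
# airodump-ng does not quote fields, so an ESSID containing a comma would be
# cut at that comma here; the Privacy column comes before it and is unaffected.
open_networks() {
    tr -d '\r' < "$1" | awk -F',' '
        /^BSSID,/       { in_ap = 1; next }
        /^Station MAC,/ { in_ap = 0 }
        in_ap && NF >= 14 {
            p = $6; gsub(/^ +| +$/, "", p)
            if (p == "OPN") {
                b = $1; c = $4; e = $14
                gsub(/^ +| +$/, "", b); gsub(/^ +| +$/, "", c); gsub(/^ +| +$/, "", e)
                print b, c, e
            }
        }'
}

# Number of client stations in the station section.
count_stations() {
    tr -d '\r' < "$1" | awk -F',' '
        /^Station MAC,/ { in_sta = 1; next }
        in_sta && NF >= 6 { n++ }
        END { print n + 0 }'
}

# Write a constructed scan file (same layout and CR LF line endings as
# airodump-ng) to the given path, for trying the functions without a card.
write_sample_scan() {
    awk '{ printf "%s\r\n", $0 }' > "$1" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-03-10 10:00:01, 2019-03-10 10:05:12,  6,  54, WPA2, CCMP, PSK, -60,  120,  0,   0.  0.  0.  0,  8, HomeNet1,
66:77:88:99:AA:BB, 2019-03-10 10:00:03, 2019-03-10 10:04:58, 11,  54, OPN, , , -72,   40,  0,   0.  0.  0.  0, 10, CoffeeWiFi,
CC:DD:EE:FF:00:11, 2019-03-10 10:01:10, 2019-03-10 10:05:00,  1,  54, WEP, WEP, , -80,   10,  3,   0.  0.  0.  0,  9, OldRouter,
22:33:44:55:66:77, 2019-03-10 10:02:00, 2019-03-10 10:05:10,  6,  54, WPA2, CCMP, PSK, -65,   90,  0,   0.  0.  0.  0,  6, Office,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2019-03-10 10:00:05, 2019-03-10 10:05:11, -70,  15, 00:11:22:33:44:55, HomeNet1
DE:AD:BE:EF:00:02, 2019-03-10 10:01:00, 2019-03-10 10:04:40, -75,   3, (not associated), CoffeeWiFi
EOF
}

# Summarise the file given as first argument (default scan-01.csv); fall back
# to the constructed sample when that file is missing.
scan="${1:-scan-01.csv}"
if [ ! -f "$scan" ]
then
    echo "$scan not found, using the constructed sample instead"
    scan="$(mktemp)"
    write_sample_scan "$scan"
fi
echo "Access points by privacy setting:"
summarize_privacy "$scan"
echo "Open (unencrypted) access points (BSSID channel ESSID):"
open_networks "$scan"
echo "Client stations seen: $(count_stations "$scan")"
```

Run it as ./summarize_scan.sh backup/"<date> - <short description>.csv" on a backed-up scan, or with no argument on the scan-01.csv in the current directory; without either it prints the summary of the constructed sample so the output format can be seen. The awk filters key on the section headers rather than on line numbers because airodump-ng rewrites the whole file at every --write-interval and the number of rows changes from one write to the next.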