This project started because I was convinced you could detect whether a device was in your proximity because of all the wireless emissions it gives off. It turns out that's entirely possible, and you can assemble your own Wi-Fi monitoring tool with minimal hardware and, hopefully, this guide.
I'm writing this post to help others with the issues I faced along the way, and to introduce everyone to something I think is pretty cool.
Wi-Fi Monitoring
In this context, Wi-Fi monitoring refers to sniffing 802.11a, 802.11b and 802.11g traffic.
This post does not cover projects that process the captured traffic; it only covers obtaining the traffic itself and sending it to Kismet.
The possibilities for what you can do with the captured traffic are endless. Feel free to share any cool project ideas! Just make sure those projects are ethical and that you have proper permission to capture the data (see the disclaimer).
Brief description of the process
- Build an OpenWrt image with required dependencies
- Build the Kismet-Remote package
- Configure a Kismet server
- Configure the Kismet-Remote to communicate with the Kismet server
You can probably achieve the outcome of this project in a number of different ways. I prefer building my OpenWrt image and packages using the supplied Docker images. I also like keeping the two as separate steps, although using the standard SDK and joining steps 1 and 2 would suffice.
I find that using Docker for build environments is a must; it potentially saved me lots of headaches (and introduced others).
Notes:
- A good chunk of this is well documented. I struggled a bit with the OpenWrt Docker images, but I hope this post provides some clarity.
- By no means are my Docker configurations great, but they get the job done.
- After starting the containers, I access their shells by running:
docker exec -it <container_name> bash
- Wherever BCM2712 is referenced, replace it with the appropriate target for your particular hardware.
Hardware Requirements
- OpenWrt compatible device
- Wi-Fi adapter that supports monitoring mode
My Setup
- Raspberry Pi 5 running OpenWrt-BCM2712 (Router)
- TP-Link-TL-WN725N (Wireless USB Adapter)
- TP-Link-UE300 (USB 3.0 to Gigabit Ethernet Network Adapter)
- TP-Link-EX511 (Access point)
*I have also managed to get this running on a Raspberry Pi 1.
Building the OpenWrt image
Using OpenWrt gives us a solid foundation for this project. This step explains how to build a custom image for your device that contains the prerequisite packages. If you already have OpenWrt running, all you have to do is install the packages required for the aircrack-ng suite, then proceed to building the packages for the Kismet remote.
Required Packages
At the time of writing, I honestly don't know exactly which packages are required. I installed a ton of drivers, most of which are probably unnecessary. I'll list what I assume is required, and I also include the full command I use for my current setup.
- airmon-ng
- aircrack-ng
- drivers for network adapter (Described below)
Related packages for my TL-WN725N (Realtek RTL8188EUS or similar chipsets):
Driver Firmware:
- rtl8188eu-firmware
- rtl8192cu-firmware
Kernel Modules:
- kmod-rtl8192c-common
- kmod-rtl8192cu
- kmod-rtlwifi
- kmod-rtlwifi-usb
- kmod-rtl8xxxu (Alternative driver for some Realtek chipsets)
Utility Tools (if needed):
- wireless-tools (generic wireless tools for configuration)
- iwinfo (provides wireless information)
- iw (command-line wireless configuration utility)
docker-compose.yml
version: '3.8'
services:
  imagebuilder:
    image: openwrt/imagebuilder:bcm27xx-bcm2712-SNAPSHOT
    container_name: openwrt-image-builder
    tty: true
    stdin_open: true
    command: /bin/sh
    restart: "no"   # must be quoted: a bare "no" is parsed as YAML boolean false
    user: root
Shell
The command below is what I'm currently using for my device. Adjust it to your preferences, but let it serve as a template for creating an image with the modules you want.
make image PROFILE="rpi-5" ROOTFS_PARTSIZE=8192 PACKAGES="opkg cypress-firmware-43430-sdio brcmfmac-nvram-43430-sdio kmod-brcmfmac wpad-basic-mbedtls iwinfo base-files bcm27xx-gpu-fw brcmfmac-nvram-43455-sdio busybox ca-bundle cypress-firmware-43455-sdio dnsmasq dropbear e2fsprogs firewall4 fstools iwinfo kmod-brcmfmac kmod-fs-vfat kmod-nft-offload kmod-nls-cp437 kmod-nls-iso8859-1 kmod-sound-arm-bcm2835 kmod-sound-core kmod-usb-hid kmod-usb-net-lan78xx libc libgcc libustream-mbedtls logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only partx-utils ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uci uclient-fetch urandom-seed wpad-basic-mbedtls airmon-ng nano kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 usbutils openvpn-openssl luci-app-openvpn cypress-firmware-43455-sdio brcmfmac-nvram-43455-sdio kmod-brcmfmac wpad-basic-mbedtls kmod-usb-net-lan78xx iwinfo mount-utils rtl8188eu-firmware luci-ssl kmod-rtl8192c-common kmod-rtl8192cu kmod-rtl8xxxu kmod-rtlwifi kmod-rtlwifi-usb rtl8188eu-firmware rtl8192cu-firmware tcpdump aircrack-ng libnl200 libcap protobuf-lite libprotobuf-c lua liblua dockerd docker docker-compose luci-app-dockerman kmod-mii kmod-crypto-sha256 kmod-usb-net-cdc-ether kmod-usb-net-cdc-ncm kmod-usb-net kmod-usb-net-rtl8152 luci-app-sqm luci-app-adblock pciutils ppp-mod-pptp kmod-nf-nathelper-extra luci-proto-ppp"
You should find your build files here:
/builder/bin/targets/bcm27xx/bcm2712
Flashing firmware
I use the -ext4-factory.img.gz and -ext4-sysupgrade.img.gz images.
If you're flashing for the first time, I use the Raspberry Pi Imager to flash the -ext4-factory.img.gz image. For subsequent updates I use the OpenWrt sysupgrade utilities to flash the -ext4-sysupgrade.img.gz image.
Building the Kismet Remote ipk
The Kismet Remote (or drone) used to be available through the opkg package manager. Since it is no longer available there, we need to build it ourselves.
docker-compose.yml
version: '3.8'
services:
  openwrt:
    container_name: openwrt-package-builder
    image: openwrt/sdk:bcm27xx-bcm2712-SNAPSHOT
    # volumes:
    #   - ./bin:/builder/bin   # map the builder output directory to the host
    tty: true
    stdin_open: true   # keep stdin open for interactive use
    user: root         # start the container as root to get the privileges the build needs
Shell
Copy over the build script from this awesome repository:
cd /
git clone https://github.com/kismetwireless/kismet-packages.git
cp -r kismet-packages/openwrt/kismet-openwrt/ /builder/
cd /builder
Create a new file "feeds.conf" to replace the default one. I changed the remotes to the GitHub mirrors because I was having issues with the defaults, then src-linked the Kismet feed to the files we just copied across.
src-git-full base https://github.com/openwrt/openwrt.git
src-git packages https://github.com/openwrt/packages.git
src-git luci https://github.com/openwrt/luci.git
src-git routing https://github.com/openwrt/routing.git
src-git telephony https://github.com/openwrt/telephony.git
src-link kismet /builder/kismet-openwrt
We then update our feeds and 'install' the Kismet remote capture package:
./scripts/feeds update -a -p kismet
./scripts/feeds install -f kismet-capture-linux-wifi
We then build the actual package:
make package/feeds/kismet/kismet-capture-linux-wifi/compile
You may need to add a VERSION line to the package definition in the Makefile:
/builder/package/feeds/kismet/kismet-capture-linux-wifi/Makefile
define Package/kismet-capture-linux-wifi
  VERSION:=1
  SECTION:=net
  CATEGORY:=Network
  TITLE:=Kismet Wi-Fi Capture Support
  URL:=https://www.kismetwireless.net
  DEPENDS:=+libpthread +libpcap +libnl +libcap +protobuf-lite +libprotobuf-c
  SUBMENU:=kismet
endef
I found my ipk here:
/builder/bin/packages/aarch64_cortex-a76/kismet/kismet-capture-linux-wifi_2023-07-R1-r1_aarch64_cortex-a76.ipk
You need to install the base packages on the device as well; they are found under:
/builder/bin/packages/aarch64_cortex-a76/base/*
Configuring Kismet server
Dockerfile:
*Note: I do not claim credit for this particular Dockerfile. If you believe this is your work, reach out and we will deservedly credit it.
FROM debian:bullseye
#Install kismet
RUN sed -i -e "s/ main[[:space:]]*\$/ main contrib non-free/" /etc/apt/sources.list
RUN apt update
RUN apt install -y firmware-ralink firmware-misc-nonfree
RUN apt install -y wget gnupg2 usbutils wireless-tools iproute2 kmod vim
RUN wget https://www.kismetwireless.net/repos/kismet-release.gpg.key
RUN apt-key add kismet-release.gpg.key
RUN echo 'deb https://www.kismetwireless.net/repos/apt/release/bullseye bullseye main' | tee /etc/apt/sources.list.d/kismet.list
RUN apt update && apt install -y kismet gpsd
WORKDIR /Drive/kismet_files
CMD kismet
docker-compose.yml:
version: '3.8'
services:
  kismet:
    build: .
    ports:
      - "0.0.0.0:2501:2501"
      - "0.0.0.0:3501:3501"
    tty: true
    stdin_open: true
    command: /bin/sh
    container_name: kismet-server
Enable remote capture and change the listen address from the loopback interface to 0.0.0.0 so that the remote can reach it from outside the container:
nano /etc/kismet/kismet.conf
remote_capture_enabled=true
remote_capture_listen=0.0.0.0
remote_capture_port=3501
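As an added example (not part of the original post), here is a small POSIX shell script that applies those three settings idempotently, so rerunning it after a Kismet upgrade or a fresh container build never leaves duplicate keys in kismet.conf. The file path, listen address and port are parameters. The post uses 0.0.0.0, which, together with the compose file publishing ports on 0.0.0.0, exposes the capture port on every interface of the Docker host; if the host has an interface on a trusted LAN, binding to that address narrows the exposure. The function names and the 192.168.1.10 address in the demo are my own constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently set the three
# remote-capture keys in a kismet.conf. Function names are my own; the
# config keys are the ones Kismet uses (remote_capture_enabled/listen/port).

# set_kv FILE KEY VALUE : replace an existing "KEY=..." line or append one,
# so running the script twice never produces duplicate keys.
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        # GNU/BusyBox sed -i (both the Debian container and OpenWrt have it)
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY : print the value of KEY (last occurrence wins in this
# helper); empty output means the key is not set.
get_kv() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# configure_remote_capture FILE LISTEN_ADDR PORT
configure_remote_capture() {
    set_kv "$1" remote_capture_enabled true
    set_kv "$1" remote_capture_listen "$2"
    set_kv "$1" remote_capture_port "$3"
}

# Demo on a constructed config file (not a real kismet.conf) when run as:
#   sh configure_remote.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/kismet.conf" <<'EOF'
# constructed sample, not a real kismet.conf
remote_capture_enabled=false
remote_capture_listen=127.0.0.1
EOF
    # 192.168.1.10 is a constructed LAN address for the Docker host
    configure_remote_capture "$tmp/kismet.conf" 192.168.1.10 3501
    cat "$tmp/kismet.conf"
    rm -r "$tmp"
fi
```

Run it once against /etc/kismet/kismet.conf inside the container (for example `configure_remote_capture /etc/kismet/kismet.conf 0.0.0.0 3501` to reproduce the post's settings exactly), then start kismet as usual.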
Configuring the remote
- Start the adapter in monitor mode using airmon-ng (it takes the managed interface, here wlan1, and creates wlan1mon)
- Start the remote capture tool, pointing it at the Kismet server's IP (<device_ip> below) and the remote capture port
airmon-ng start wlan1
kismet_cap_linux_wifi --tcp --connect <device_ip>:3501 --source wlan1mon
Log in to the Kismet server's web interface (port 2501) and HAPPY MONITORING!
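As an added example (again not from the original post), this wrapper script performs the two steps above but checks the result of each before moving on: airmon-ng creates <iface>mon, and the script confirms via `iw dev` that the new interface really is of type monitor before handing it to kismet_cap_linux_wifi, which catches the common case where the kmod for the adapter is missing and no monitor interface appears. The `iw dev` parser is split out so it can be exercised on captured text. Interface name, server address and port are parameters; the addresses in the comments are constructed placeholders and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Put a USB adapter into monitor
# mode, verify it, then start the Kismet remote capture against the server.
# Usage (values are constructed placeholders):
#   sh start_remote.sh wlan1 192.168.1.10 3501

# monitor_iface_from_iw IFACE   (reads `iw dev` output on stdin)
# Prints IFACE if that interface is listed with "type monitor", else nothing.
# `iw dev` prints one "Interface <name>" block per interface with an indented
# "type <mode>" line inside it; awk tracks the current block name.
monitor_iface_from_iw() {
    awk -v want="$1" '
        $1 == "Interface"                               { cur = $2 }
        $1 == "type" && $2 == "monitor" && cur == want  { print cur }
    '
}

# is_monitor IFACE : succeed if the live `iw dev` output shows IFACE in monitor mode
is_monitor() {
    [ -n "$(iw dev 2>/dev/null | monitor_iface_from_iw "$1")" ]
}

# capture_cmd SERVER PORT IFACE : the kismet_cap_linux_wifi invocation from the post
capture_cmd() {
    printf 'kismet_cap_linux_wifi --tcp --connect %s:%s --source %s\n' "$1" "$2" "$3"
}

# start_remote BASE_IFACE SERVER PORT
start_remote() {
    base=$1; server=$2; port=$3
    mon="${base}mon"   # airmon-ng names the monitor interface <base>mon

    # airmon-ng takes the managed interface name, not the "mon" name
    airmon-ng start "$base" >/dev/null || {
        echo "airmon-ng failed on $base" >&2
        return 1
    }

    if ! is_monitor "$mon"; then
        echo "$mon is not in monitor mode; check the kmod/firmware for your adapter" >&2
        return 1
    fi

    echo "starting: $(capture_cmd "$server" "$port" "$mon")" >&2
    kismet_cap_linux_wifi --tcp --connect "$server:$port" --source "$mon"
}

# Only act when called with all three arguments; sourcing the file just
# defines the functions.
if [ $# -eq 3 ]; then
    start_remote "$1" "$2" "$3"
fi
```

Because the capture runs in the foreground, a failed connection to the server shows up immediately in the terminal; for unattended use you would wrap the call in a procd init script rather than this loop-free wrapper.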
Important notes
- If you get "Cannot satisfy the following dependencies for...", you will most likely need to re-pull your images so their dependencies match:
docker-compose down
docker-compose pull
docker-compose up -d
- At the time of writing this blog, the OpenWrt project changed how their images are shipped: "Starting with the branch of OpenWrt 24.10 any snapshot (aka nightly) builds no longer contain the actual binaries but instead a setup.sh script"
Acknowledgements:
Thank you to the incredible developers and contributors behind the tools and resources that made this blog possible. If I’ve used your work and missed proper accreditation, please feel free to reach out—I’d be happy to update and give credit where it’s due.
Disclaimer: This blog is for educational purposes only. Use the tools and techniques discussed here only on networks you own or have explicit permission to monitor. Unauthorized access or monitoring of wireless networks is illegal and may result in severe penalties. Always comply with applicable laws and regulations. The author is not responsible for any misuse of this information.