Tech Segment: Kismet Drone on OpenWrt Kamikaze Using Madwifi
Last week we detailed how to setup kismet drone running on the older version of OpenWrt called "Whiterussian". This week I think I have it stable enough to detail how this setup will work on Kamikaze using Madwifi with an Atheros chipset. Why? Well, this solves three critical problems we have when running this using a the Broadcom chipset found in the WRT54G:
- We only see traffic in the 2.4GHz band using 802.11b/g
- We can not obtain signal strength information
- Channel hopping must be done with an add-on shell script and not done by the chipset
We solved these problems by using the following setup:
- Asus WL-500G Premium
- EnGenius 300mw Atheros mini-pci card
- OpenWrt Kamikaze, Latest build as of 7/27/07
- Kismet-devel, build 2163 compiled with the above
Once you've gotten the above installed you will need to install the compiled version of kismet that I did yesterday :)
ipkg install http://pauldotcom.com/kismet-drone_2163-1_mipsel.ipk
Now you will need to put your card into monitor mode:
wlanconfig wifi0 create wlandev wifi0 wlanmode monitor
Now, I do hope to integrate this into OpenWrt, as in working on getting the development version of kismet into the official package tree and using the /etc/confg/wireless configuration file to setup monitor mode. Once you've done that, you will need to edit /etc/kismet/kismet_drone.conf:
Startup Kismet Drone and you're off and running! I compiled the development version of kismet client for OS X and it works like a champ, for the most part. I still get an error stating "Arguement list too long", which relates to some problems that Kismet has with madwifi-ng. I did see some fixes for madwifi-ng go into the latest trunk for kamikaze, which I have not had a chance to test out. So, I am hoping that this setup will become more stable. I also need to test 802.11 packet capture as well. I found a command, iwpriv ath0 mode 1, which claims to put the adapater in 802.11a *only* mode. But still have some work to do to make certain I am getting all 802.11a/b/g.
Stories For Discussion
DNS Pinning: What's all the buzz about? - [PaulDotCom] - Many have been talking about DNS pinning, and esp Anti DNS Pinning which circumvents browser protections for script code to access web sites it did not originate from. It will be covered at Black Hat in a few people's talks, see article.
Buffer Overflow Strikes tcpdump - [PaulDotCom] - A message to all users of Backtrack and other CD ISOs, you need to update. If there is no patch available, don't use this software. This appears to be a very easy vulnerability to exploit, "Based on an unfiltered integer overflow in the print-bgp.c file, specially crafted border gateway protocol (BGP) packets may cause a buffer overflow in a snprintf() function". How long has that vulnerability been present? Looks like its not the first time the BGP handling code has been exploited. Yikes...
Bulletproof Hosting? - [PaulDotCom] - Can't Google do something about this? There has to be a way for Google to come up with a SPAM rating, I mean come on, they produce some awesome stuff like Google Maps, but then let silly things like this get through. I'm not saying filter it, but a rating system of some kind or warning would be nice. Then again, false positives would really piss ppl off.
Social Networking Sites Leak Data - [PaulDotCom] - Well duh, if you but your birthday on MySpace! This is stuff that we as security professionals already know, but its part of our duty to inform everyone else. So the next time your sister or friend talks about how they put their cell phone number on myspace, don't let them!
Anti-Botnet Technology? - [PaulDotCom] - The web site claims all sorts of good stuff, but how does it work? Where is the research to back this up? Sometimes I believe products do more to give people a false sense of security than they to do actually protecting people from threats. How does this protect you any better than Spybot, Ad-Aware, and Free-AVG combination?
BIND vulnerabilities, time to upgrade! - [PaulDotCom] BIND vulnerabilities releated to cache poisoning attacks. A good time to talk about recursive queries too!