Closed waldoj closed 5 years ago
WiGLE has wardriving FAQs that seem pretty helpful. Best to adhere to these.
Huh, that FAQ is pretty old and ungood in some key respects.
It looks like I'd need a USB GPS with antenna ($25), a USB WiFi receiver with an external antenna port ($15), and a magnetic, roof-mounted antenna. The prices are all over the place on those antennas, so I think I'm gonna have to learn more about those before I have a grasp of how much needs to be spent on that.
Apparently some GPS receivers output proprietary, binary files — you don't want that.
Looks like a good, cheap starter antenna is the Alfa APA-M04. A 2-pack is $20. They're not magnetic roof-mounts — they need to be rigged up on the interior of the car, one pointing left, one pointing right. Each one of those can be connected to a separate USB WiFi adapter, with Kismet monitoring both of them. I suspect this $15 WiFi adapter would work — just use a pair of USB cable extenders to allow them to be mounted properly.
I should be able to do some initial testing without even acquiring this $50 worth of hardware — just start with the laptop and see what good it does.
Oh, wait, that won't work — gotta have GPS. OK, so try with just that one thing.
I ordered this GPS receiver. Looks like the chipset is broadly supported. It's got a 5-foot cable, and it's waterproof.
Oh, good — Kismet is Dockerized.
Well, that didn't go well. Sure, it's Dockerized, but it doesn't build (I opened a PR with a fix), and requires a Linux-only shell script to bind the wifi interface to the container. But even beyond that, the thing doesn't work — theoretically, two ports are opened (2501 and 3501), but neither responded.
Here's the output:
```
$ docker run kismet-git
INFO: Including sub-config file: /usr/local/etc/kismet_httpd.conf
INFO: Including sub-config file: /usr/local/etc/kismet_memory.conf
INFO: Including sub-config file: /usr/local/etc/kismet_alerts.conf
INFO: Including sub-config file: /usr/local/etc/kismet_80211.conf
INFO: Including sub-config file: /usr/local/etc/kismet_storage.conf
INFO: Including sub-config file: /usr/local/etc/kismet_logging.conf
INFO: Including sub-config file: /usr/local/etc/kismet_uav.conf
INFO: Loading config override file '/usr/local/etc/kismet_site.conf'
INFO: Loading optional sub-config file: /usr/local/etc/kismet_site.conf
INFO: Local config and cache directory '/root/.kismet/' does not exist;
creating it.
ERROR: Error reading config file '/root/.kismet//kismet_server_id.conf': 2
INFO: Generated server UUID 840C6ADA-599A-11E9-8B4E-4B49534D4554 and
storing in /root/.kismet//kismet_server_id.conf
INFO: Setting server UUID 840C6ADA-599A-11E9-8B4E-4B49534D4554
INFO: Kismet will only listen to HTTP requests on 2501:
INFO: Serving static content from '/usr/local/share/kismet/httpd/'
INFO: Serving static userdir content from '/root/.kismet/httpd/'
INFO: Opened OUI file '/usr/local/share/kismet/kismet_manuf.txt
INFO: Indexing manufacturer db
INFO: Completed indexing manufacturer db, 26102 lines 523 indexes
INFO: Saving devices to the Kismet database log every 30 seconds.
INFO: Registering support for DLT_PPI packet header decoding
INFO: Registering support for DLT_RADIOTAP packet header decoding
INFO: PHY802.11 will not process Wi-Fi 'phy' and 'control' frames; these
typically are the most susceptible to corruption resulting in false
devices. This can be re-enabled with dot11_process_phy=true
INFO: Allowing Kismet clients to view WEP keys
ERROR: Error reading config file '/root/.kismet//ssid_map.conf': 2
INFO: Registered PHY handler 'IEEE802.11' as ID 0
INFO: Registered PHY handler 'RTL433' as ID 1
INFO: Registered PHY handler 'Z-Wave' as ID 2
INFO: Registered PHY handler 'Bluetooth' as ID 3
INFO: Registered PHY handler 'UAV' as ID 4
INFO: Registered PHY handler 'NrfMousejack' as ID 5
INFO: Registered PHY handler 'RTLAMR' as ID 6
INFO: Registered PHY handler 'RTLADSB' as ID 7
INFO: Could not open system plugin directory (/usr/local/lib/kismet/),
skipping: No such file or directory
INFO: Did not find a user plugin directory (/root/.kismet//plugins/),
skipping: No such file or directory
INFO: GPS track will be logged to the Kismet logfile
LOCAL: This is the first time Kismet has been run as this user. You will
need to set an administrator password before you can use many
features of Kismet. Visit http://localhost:2501/ to configure the
password, or consult the Kismet documentation to set a password
manually.
INFO: Enabling channel hopping by default on sources which support channel
control.
INFO: Setting default channel hop rate to 5/sec
INFO: Enabling channel list splitting on sources which share the same list
of channels
INFO: Enabling channel list shuffling to optimize overlaps
INFO: Sources will be re-opened if they encounter an error
INFO: Saving datasources to the Kismet database log every 30 seconds.
INFO: Launching remote capture server on 127.0.0.1:3501
INFO: No data sources defined; Kismet will not capture anything until a
source is added.
INFO: Opened kismetdb log file './/Kismet-20190408-01-06-18-1.kismet'
INFO: Saving packets to the Kismet database log.
ALERT: rootuser Kismet is running as root; this is less secure. If you
are running Kismet at boot via systemd, make sure to use `systemctl
edit kismet.service` to change the user. For more information, see
the Kismet README for setting up Kismet with minimal privileges.
INFO: Starting Kismet web server...
INFO: Started http server on port 2501
```
At this point, KisMac2 is probably my only decent option. It's crashy, janky abandonware, for which I'm just running the final nightly before the project was abandoned, but it reads GPS data just fine, exports in a couple of acceptable formats, and seems to work OK. I'll take it out for a test drive.
OK, so I just did a ~20-minute test drive using the external GPS attached to an otherwise-stock MacBook Pro. I picked up 92 base stations, of which 40 were CenturyLink. I did a manual comparison of the data I observed to what's on wigle.net (per #7), and most of the data points were new. So that's great. (I mean, that's also terrible — it would have been better if there was very little new data, because then no wardriving would be required.)
But KisMac2 is just terrible. I did, indeed, get data out of it, which I exported as a Netstumbler file. That's tab-delimited, so it was trivial to get useful data out of it. But I also saved the data in KisMac format, which KisMac then couldn't open again. KisMac crashed while exporting data in another format. Driving around, I feel like it's going to die at any moment, but exporting data is incompatible with driving safely.
I have a Raspberry Pi 2 lying around — looks like I should set that up and use it.
WiFi probably correlates pretty strongly with broadband. (I very much doubt that there are many WiFi base stations in use in households that don't have broadband.) Sure, some of those homes will use satellite internet, but clustering results may help. Driving around and network names, and MAC addresses will further improve the quality of that data — there are probably MAC ranges that can be associated with e.g. Comcast routers, and network names are probably often set to the ISP-provided names (e.g., `CenturyLink1234`).
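The tally described in the thread (unique base stations, and how many carry an ISP-provided default name) can be reproduced from a tab-delimited export. This is an added example, not code from the original thread or the project. The column layout (latitude, longitude, `( SSID )`, type, `( BSSID )`, then time and signal columns) is an assumption about the NetStumbler-style export, and the sample rows and MAC addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample rows; assumed layout is tab-separated:
# lat, lon, ( SSID ), type, ( BSSID ), then time/signal columns.
SAMPLE = "\n".join([
    "# $Format: wi-scan summary with extensions",
    "N 38.0301\tW 78.4801\t( CenturyLink1234 )\tBSS\t( 02:00:00:00:00:01 )\t01:06:18 (GMT)",
    "N 38.0302\tW 78.4802\t( CenturyLink1234 )\tBSS\t( 02:00:00:00:00:01 )\t01:06:20 (GMT)",
    "N 38.0310\tW 78.4815\t( HomeNet )\tBSS\t( 02:00:00:00:00:02 )\t01:07:02 (GMT)",
    "N 38.0322\tW 78.4830\t( CenturyLink5678 )\tBSS\t( 02:00:00:00:00:03 )\t01:08:11 (GMT)",
    "truncated row without enough columns",
])

# Only the CenturyLink naming form comes from the thread; add other ISPs'
# default-name patterns only after verifying them against real observations.
ISP_SSID_PATTERNS = {"CenturyLink": re.compile(r"^CenturyLink\d+$")}

def signed_coord(field):
    """'W 78.4801' -> -78.4801; raises ValueError on anything else."""
    hemi, value = field.split()
    if hemi not in ("N", "S", "E", "W"):
        raise ValueError(field)
    return -float(value) if hemi in ("S", "W") else float(value)

def unwrap(field):
    """Remove the '( ... )' wrapper without eating parentheses in the SSID."""
    s = field.strip()
    return s[1:-1].strip() if s.startswith("(") and s.endswith(")") else s

def parse_wiscan(text):
    """Yield one record per row, skipping comments and malformed lines."""
    for line in text.splitlines():
        cols = line.split("\t")
        if line.startswith("#") or len(cols) < 5:
            continue
        try:
            lat, lon = signed_coord(cols[0]), signed_coord(cols[1])
        except ValueError:
            continue
        yield {"lat": lat, "lon": lon, "ssid": unwrap(cols[2]),
               "bssid": unwrap(cols[4]).lower()}

def classify(ssid):
    """Return the ISP whose default-name pattern matches, else None."""
    return next((isp for isp, rx in ISP_SSID_PATTERNS.items() if rx.match(ssid)), None)

def summarize(text):
    """Count unique base stations (by BSSID) and how many match each ISP."""
    seen = {}
    for rec in parse_wiscan(text):
        seen.setdefault(rec["bssid"], rec)   # first sighting wins
    isps = Counter(filter(None, (classify(r["ssid"]) for r in seen.values())))
    return len(seen), isps
```

Deduplicating on BSSID matters because the same base station is logged repeatedly while driving past it; counting raw rows would inflate both totals.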