Sunday, July 21, 2013

YAGI USB adapter review

I am still alive.  I have been working on projects at work and home. I will be posting an update to Education 2013. But I just wanted to make a quick post about a wireless adapter, USB-Yagi Plug and Play directional WiFi Antenna 802.11n 2200mW. It is a great wifi adapter to use for a penetration test. It has a higher range of your average wireless adapter and better sensititvity too. I took it for a spin for some war-driving to test how much it would capture.  Oh, I also grabbed a Garmin 18x USB GPS to record the location info.  It was pretty cool. I think I need something better to keep it still in the car since it comes with a tripod bottom which is good for a table but not a moving vehicle. Of course, I was lucky enough to have my wife drive so I could concentrate on the laptop and wifi. Perfect wingman, wingperson.  Anyway, so what I wanted to do is use kismet and wash, while I was at it with the garmin 18x.








Ok, so I connected the Yagi and Garmin to the laptop. The Yagi(rt2800USB) is detected instantly as wlan2 on Kali. However, in order for the Garmin to be detected, I had to load the drivers for Garmin. I just used the command, modprobe garmin_gps. It seemed to work.  I used the command dmesg:

[96273.677562] usbserial: USB Serial support registered for Garmin GPS usb/tty
[96273.677605] garmin_gps 5-6.4:1.0: Garmin GPS usb/tty converter detected
[96273.678093] usb 5-6.4: Garmin GPS usb/tty converter now attached to ttyUSB0
[96273.678118] usbcore: registered new interface driver garmin_gps
[96273.678123] garmin_gps: garmin gps driver v0.31

Ok, so that is done.  Once I loaded the garmin gps module, it looked like gpsd, was able to run. Kismet uses the daemon gpsd also. Then, I went to the kismet config file located at /etc/kismet/kismet.conf. I checked the GPS settings. In addition, I wanted to check the wifi source information. I changed the ncsource to "wlan2" since that is the adapter interface once you connect the Yagi. Also, you can check your local ports to make sure port 2947 is open (netstat -antp | grep 2947). That is the port gpsd uses.


# Do we have a GPS?
gps=true
# Do we use a locally serial attached GPS, or use a gpsd server, or
# use a fixed virtual gps?
# (Pick only one)
gpstype=gpsd
# Host:port that GPSD is running on.  This can be localhost OR remote!
gpshost=localhost:2947

# See the README for full information on the new source format
# ncsource=interface:options
# for example:
ncsource=wlan2
# ncsource=wlan0:type=ath9k
# ncsource=wlan0:name=intel,hop=false,channel=11

Lastly, you start kismet by running the "kismet" command. We were about to hit the road but I wanted to start wash. That is a program from the reaver suite. It will help detect wireless access points that have wps enabled. The reason I wanted to try this is that when I ran the command (wash -i mon0) with the Yagi adapter, I would get an repeated message:

[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

Other people apparently had this message so they recommend that you run (wash -i mon0 -C). However, when I would run this command, it would not give me anything after that.  I started to wonder if there was something wrong with either reaver or the Yagi adapter. Well, I figured why not try the adapter on the road.  When you use kismet, you have to change your wash command to (wash -i wlan2mon -C). Kismet puts the wifi adaptor to monitoring mode like airmon-ng does. Now, we were off. We were not three blocks from the starting point before the wash command gave results. I guess everything was working before, but I was just not in a close enough range of a vulnerable adapter. We drove around for about 2 hours. It was pretty cool to see so many access points show up on kismet and wash. It was a little depressing to see so many WEP set access points also.  2013... Anyway, surprised to see that my laptop still had battery life, I went on to install Google Earth on Kali. I went to the link (http://www.google.com/earth/download/ge/agree.html) to download the deb file. I installed the deb but it came back with errors. However, when I went to /opt/google/earth/free, it seemed like all the files made it. I ran google-earth and it loaded. Now, kismet created 5 files from the little road trip. However, to import the files to Google Earth, you have to run:

giskismet -x Kismet-20130719-19-59-50-1.netxml
giskismet -q "select * from wireless" -o trip.kml

I just opened the "trip" file inside Google Earth. All of the wireless access points were loaded and displayed. It is also color coded by encryption strength. It has information on the hosts that are connected to the access point at the time of the capture.  That was pretty cool. Now, the interesting thing is that I could match the wash results to the BSSID and SSID names. I know that wash does not have the GPS functionality yet but it would be pretty cool to add it.




That brought up two things I would love to try to do. One, try to port the GPS functionality airmon-ng has to wash.  The author(s) of reaver said that it could be done. However, I have very little experience programming g with C++.  However, you have to start somewhere even tho it would probably be added by someone else before I could even come close to pulling it off. I will still give it a shot. I started by looking at the source code for airodump-ng which is in the file "airodump-ng.c". It has to be a million lines of code in there. Then, I looked at the source code for wash in "wpsmon.c". There are also corresponding header files with constants and libraries. Maybe SecurityTube will be creating a C++ class in the future...

Secondly, I would like to setup the FreeRadius-WPE man-in-the-middle attack. There is a great video from SchmooCon 2008 by Josh Wright and Brad Antoniewicz. I wanted to test it on WPA2 Enterprise wireless environment with the help of the Yagi. I am guessing with a greater range, you are less likely to get caught on a wireless pentest or security assessment. Start the recon work with kismet/wash and then, use the aircrack-ng/freeradius-wpe suites for exploitation.

Well, that is some of the wireless stuff I have been looking at lately. The wireless Yagi adapter is great. I love the fact that is not too big, not too small and is very effective. It increases the number of airodump-ng results that you receive. Kali loads the drivers automatically and it is easy to use. If you are looking for some war-driving fun, please pick it up.    


Credit, I didn't re-invent the wheel:

https://savannah.nongnu.org/projects/gpsd
http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Geolocate_kismet_Data
http://www.question-defense.com/2011/02/18/creating-wireless-recon-maps-with-google-earth-kismet-gpsd-and-backtrack

FreeRADIUS-WPE
http://www.willhackforsushi.com/?page_id=37

SchmooCon 2008
https://www.youtube.com/watch?v=EUcEcqJj24s

http://www.slideshare.net/NEOISF/attacking-and-securing-wpa-enterpris