I will just detail the steps to get this working and what to do with the data once you have collected it.  I am using BackTrack 4 r2 within a Virtual Machine and an Alfa AWUS036H set at 30db.  You can skip step 2 if you are not using a virtual machine.

1. UPDATE BACKTRACK!!!

• root@bt:~# apt-get update && apt-get dist-upgrade
  • Let this complete, it may take upwards on 2-5 minutes depending on if its a fresh install.

2.  Plug in your Alfa, connect it to the VM and restart networking

• Connect the Alfa USB to the VM by performing the steps below. Additionally you can use the icon row at the bottom of VMware workstation to connect the device.  With Fusion, simply click Virtual Machine // USB // Connect Realtek [Model]

• Once the adapter is attached to the VM, restart networking… just to have a clean attachment.
  • root@bt:~# /etc/init.d/networking stop
  • root@bt:~# /etc/init.d/networking start
• Check that the adapter has been detected and is functioning  by checking iwconfig
  • root@bt:~# iwconfig
    • Determine what interface is associated with your Alfa (Realtek RTL8187) chipset.
    • root@bt:~# airmon-ng
    • In my example we are going to use: wlan0 (zero)

3.  Update Kismet

• Grab the latest version from  http://www.kismetwireless.net/download.shtml and install it. Be sure to review ALL documentation here.
  • root@bt:~# wget https://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz  (or whatever the latest version is)
  • root@bt:~# tar xvfz kismet-2011-03-R2.tar.gz
  • root@bt:~# cd kismet-2011-03-R2
  • root@bt:~/kismet-2011-03-R2# ./configure
  • root@bt:~/kismet-2011-03-R2# make install (this may take upwards of 5 – 10 minutes)

4. Start Kismet

• Be sure to read the kismet help file for all available switches. I am purposely NOT using -c to specify an interface.
  • root@bt:~# kismet
  • Note: If you are not going to use GPS, edit your kismet.conf file and tell it you are not going to.
    • root@bt:~# vi /usr/local/etc/kismet.conf
    • Edit the line: Do we have a GPS? to say “gps=false”
  • Helpful navigation tips. [TAB] moves selection. [`] Brings up menu items,  arrow and enter keys allow interaction between items.

Select your interface preference . I chose [ Yes]

• After choosing interface options, you will be ‘reminded’ that kismet is running as root.  Be sure to determine the risk before answering.

• Choose if you would like to start the kismet server.  Kismet runs in a client/server configuration. More details here. Note, once you start the server, a number of files will be generated and placed on your desktop. (Assuming you started kismet within that directory)  Do not delete these files, they are the logs of the captures.

• Select [ YES ] to add an interface for raw capture.

• Enter the interface you are going to use (from step 2) and enter any options or name and select [ Add ]



• An error about dhclient looking at the adapter you have chosen will appear if you have not stopped the service.  To stop it specifically for your wireless adapter, just look at the open files and kill the dhclient service attached to wlan0.
  • root@bt:~# lsof | grep wlan0
  • root@bt:~# kill -9 [PSID]

• To view the traffic Kismet is seeing, you will need to close the console. (Don’t worry, you can get it back if you need)

• The Kismet menu system can be engaged by pressing the [`]or [~] and then use the arrow keys to navigate.

• To interact with the visible networks, head over to the sort menu and select your sorting preference.  I chose [ type ] for this example. You can select the network you want more details about by navigating to it and pressing enter.

5. Reviewing Captures

Now Kismet has been capturing data, how can we look at it?

• You should have 5 files (depending on your switches and options you may end up with more or less.

1. 1. Kismet-[ date/time].netxml
   2. Kismet-[date/time].gpsxml
   3. Kismet-[date/time].alert
   4. Kismet-[date/time].nettxt
   5. Kismet-[date/time].pcapdump

• To view the .netxml file in excel, simply rename and drop the [net].

• Then simply import the .xml file into excel.
• In excel 2010, I was only able to open the data in read only mode.



• To view uptime in days,  for the AP’s.  Josh Wright has provided a nice formula we can use.
• Apply: =U[cell]/(1000000 * (60 * 60 * 24)) to the “/bsstimestamp column.
  • Example: =U70/(1000000*(60*60*24))
  • Row 76 becomes 77, where row 77 contains the time in Days in the last column.

Wrap up

There are many ways to view and capture data with Kismet, using xplico plus the .pcap could prove useful.  I have only scratched the surface of what is possible.  The purpose of this post wasn’t to include every possible combination, but to get you up and running quickly using kismet and reviewing the data just as fast.
Twitter

A couple of test gadgets; iPod touch (Gen2), G1, iPod Shuffle seemed to work just fine.  The tin does get hot, and there is a buzzing and hissing noise that emits from the tin.  Perfectly Normal.
From the F.A.Q

“How many charges/hours of use can I get out of a MintyBoost?”

I would suggest this for anyone needing a quick burst of juice on the go.   This is also a nice beginners soldiering project.

As always, comment with questions or contact me via twitter.

ax0n

This document will reference his article A.LOT. I suggest you stop reading this (for now), and head directly to his article to familiarize yourself with it.

I am simply going to focus on OSX (Snow Leopard – 10.6). I wanted this to be available on my MacBook at the drop of a hat.

“So, uh…other than that, what’s the point of this ‘article’ ?” . Hmmm… great question. I better get started before you leave.

Note: I’m assuming you have met all of the hardware requirements in the h-i-r.net article.

Step 1: Flashing the Fon

Enable redboot! I used this guide. The problem however, is that once I had established the ssh connection to the Fon, I was unable to wget the files. Additionally, I was unable to ping anything external. I’m sure I was doing something wrong, and there is a simple fix (comment if there is). So what should I do now? I mean, stuck at the second step in the instructions? Fail. To correct the issue, Grab the files referenced in the instructions from here and here and while your at it grab this (you’ll need all of these files), launch a tftp server, unpack the files and place them in the tftp server directory. Then start server. (be sure to make note of the IP address ). I placed the files in a root dir called “tftp” this makes it a little easier when typing the path.

Enabling Redboot

Now that we have the files living in the tftp server dir, Launch a terminal, connect to the Fon via ssh and issue the following commands using the following syntax to grab the files (wget http://[ip.add.re.ss]/[dir]/[filename]):

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma 
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
root@OpenWrt:~# reboot

After the Fon comes back online, ssh back in and follow the remaining steps in the instructions to enable redboot.

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/out.hex
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# reboot

Once you get to the section “now your ready to flash”, you can stop. Those instructions follow a path we aren’t going to.

Installing the Jasager Firmware

Head over to digininja’s site and follow the instructions here “for firmware users”. I skipped the redboot.pl installation, as we already have redboot enabled and working. Download jasegar, unpack it and place it in your tftp dir. (if you didn’t do it earlier) The ONLY tricky part during the flash process is to be SURE you copy and paste the commands or triple check your typing. I mistakenly forgot to load vmlinux.bin.17.  It didn’t brick the Fon, but I was scared to reboot it.

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
 
< Wait for a while > note: This took about 2 minutes
 
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs
 
< Wait for a long while > note: This took almost 15 minutes. Don’t panic. It’s working.
 
... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
 
RedBoot> fconfig
Run script at boot: true
Boot script: 
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (My default was 10)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
 
^]
telnet> Connection closed.
root@desktop ~ # 

Sweet!

The hard part is over. So what happens if you make a mistake in fconfig like
me? Type fconfig -n it will list all of the nicknames of the fields you can
change. The shell doesn’t know what delete is, and there are all sorts of redboot keyboard-fu you can use to control input. I found it easier to type at the reboot> fconfig field_name [input]. So for
example, if you accidentally entered 192.168.1.11 for the IP address. You could fix just that line by typing: fconfig boot_my_ip 192.168.1.1

Let the Fon reboot, make sure you can ping 192.168.1.1 after all the lights
look good, then open your browser and hit http://192.168.1.1:1471 .

The jasager interface *should* open. If it does not after a few minutes… try the following.

1. Make sure you are loading and executing vmlinux.bin.17 in fconfig
2. Reboot the Fon
3. Double and triple check fconfig.

If all else fails, repeat the process. I ended up flashing almost 10 times
due for various reasons, ranging from mistakes I made in the network config, to
the Fon not playing nice with DHCP. If you need to reflash, redboot is only
available for a few seconds while the fon device is booting. I hope your
SMB, 3-1 infinite guy timing is still there. Here is what I had to do to hit
the timing properly.

1. Remove power from Fon
2. Launch a terminal and start pinging 192.168.1.254
3. Launch another terminal and PREP a telnet session to 192.168.1.254 9000
4. The first reply you receive from ping, press enter on your telnet session
5. If it fails. Repeat process until you get it.

Now, head back to

part 1 of the h-i-r instructions and follow along starting with “tinker
time”

Step 2: Install the pWn

This is the easy part. Below are simply notes regarding the process.

Metasploit and Karma

This is the part where I point you back to h-i-r.net’s part 2 for the complete setup of this step. I was able to drop in the framework to my tools directory with no additional steps required. However, you may want to update ruby if you desire. Then Download karma.rc, put it in the root directory with the framework and we are in the home stretch to put this all together.

Head to part 2 of the h-i-r instructions. Follow from “Time to tweak stuff”. You will need to edit karma.rc before you run it.

Hamster and Ferret

Last files we need to grab are hamster and ferret.

I was having some trouble getting hamster and ferret to compile, even after installing xcode. Luckily, the binaries are compiled for us already . Download them and place them in a directory you will remember.

You will need to set your browsers proxy to 127.0.0.1:1234 to view the Hamster interface. Be sure you add an exception for your NIC’s ip address, so you can monitor Jasager as well.

You can now head back to ax0n’s work and button up the rest of the project.

Starting the entire process

Here are the steps I use when booting this rig.

1. Power on the Fon and connect it to your PC with an Ethernet cable.
2. Make sure Jasager is online and Karma is active. I opted to control its state, instead of automatically starting it.
3. Open a terminal and Launch Metasploit and Karma with> sudo ~./msfconsole -r karma.rc
4. Open another terminal and launch hamster with> sudo ~./hamster
5. Enable your proxy. Or use quickproxy for firefox to quickly enable.
6. Open the Jasager (192.168.1.1:1471) and hamster (127.0.0.1:1234) interfaces
7. Gratz ur l33+

Conclusion

While this guide wasn’t meant to be as comprehensive as the article it was based on. I hope you will find a quick reference for installing this on your Mac Box.

All the files referenced, I have zipped up and stashed them here. Comment with questions or hit me up via twitter