In this lab we'll install the Access Agility "WiFi Scanner" application onto your Windows machine. We'll configure it to use the WLAN Pi M4 as an external sensor. This allows us to leverage the 6 GHz capabilities of the WLAN Pi, which may be missing from our laptop.
Using the WLAN Pi as an external sensor also provides opportunities to perform scanning of networks that may be in remote locations. By using a VPN connection between the laptop and WLAN Pi, it's possible to use the scanning capabilities to assist with remote troubleshooting tasks.
To complete this lab, you'll need the following items:
A Windows laptop (with administrative privileges to install software)
A WLAN Pi M4
Let's start by obtaining "WiFi Scanner for Windows". Please visit the following web page and download and install a 7-day trial copy of "WiFi Scanner for Windows" onto your laptop:
Once WiFi Scanner is installed, take a few moments to make sure the application launches correctly and familiarise yourself with its user interface. If you've used Wi-Fi scanning packages before, you'll find it quite intuitive to use.
By default, WiFi Scanner uses the internal adapter of your laptop to scan for networks when first launched. Within a few seconds, you should see a summary of Wi-Fi networks detected by the laptop adapter as it scans all Wi-Fi channels. Although this is great information, in this lab we want to investigate how to use the WLAN Pi as an external sensor with WiFi Scanner.
To use the WLAN Pi as a remote sensor, there must be IP connectivity between the WiFi Scanner laptop and the WLAN Pi.
In this lab, we'll connect using the lab's wireless and wired network connections. Your laptop will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have their network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target sensor address.
Once you're happy with finding your way around WiFi Scanner's UI, please review the instructions provided below to set up your WLAN Pi M4 as a remote sensor. This will allow you to scan the 2.4 GHz, 5 GHz and 6 GHz (🤓) bands using the wireless adapter of the WLAN Pi.
Please ensure you note the channels being used by our lab networks while completing this lab. This information will be useful later in our wireless frame capture lab.
The instructions provided below are borrowed directly from the WiFi Scanner web site, which can be found using the following link:
1) Configure WiFi Scanner Integration
We'll start by configuring a remote sensor and test connectivity to the sensor. Please use the following steps in the WiFi Scanner UI:
WiFi Scanner > Preferences > WiFi Scanner Preferences pop-up :
In the WiFi Scanner Preferences pop-up select:
Remote WiFi Scanner tab
Click the "+" button in the "SSH Devices" drop-down. This will clear the form fields to allow entry of the WLAN Pi connection details
Enter configuration data as shown below (customised for your environment). Field details:
Device Name: any name you choose to identify your WLAN Pi in the sensor list
Server Host: the IP address of the WLAN Pi. This address must be reachable from your laptop for scanning to be completed
Port: the WLAN Pi SSH server runs on port 22 by default. This may be changed in environments where non-standard SSH ports are used
Interface: this must be wlan0 for the WLAN Pi
Username: the username used to log in to the WLAN Pi (usually "wlanpi")
Password: the password you set for that account on your WLAN Pi. Note that WiFi Scanner keeps these credentials to open its SSH sessions, and "wlanpi" is the device's admin account, so make sure the default password has been changed, and for a sensor in a remote location reach the WLAN Pi over a VPN rather than exposing its SSH port directly
Note that you may also use the "+" button next to the sensor selector in the top right of the UI to add a new sensor (shown below):
Once the sensor connection settings have been entered (or updated), hit the Save/Update button.
2) Test Configuration
Let's verify that WiFi Scanner has a network connection to the WLAN Pi before initiating a scan.
Click the "Test Configuration" button to confirm settings and availability of all commands needed for this setup. Be patient as this process can take several seconds to complete.
Note any issues with the test configuration results. If you have followed all instructions and the setup is not working, please let one of the session instructors know so that they can investigate. If you hit issues later with the application (e.g. when out in the field), use the copy/paste icon to copy the test log data and send it to support@accessagility.com for guidance on potential issues.
3) Use WLAN Pi As Scanning Interface
Now we finally get to scan for networks!
Select the sensor that we just added using the source selector as shown below:
Windows WiFi Scanner will connect to the WLAN Pi device over SSH, run tcpdump for the configured wireless interface (wlan0) and send results to WiFi Scanner for display. WiFi Scanner will cycle through all supported channels every 100ms and repeat until scanning is paused/stopped.
Make sure that you can see SSIDs on all 3 Wi-Fi bands. Make a note of the lab SSIDs, channels and channel widths for later reference in our capture labs. Ensure you can see the 6 GHz band SSIDs in your results: you should see the test lab 6 GHz networks displayed after a few scan cycles. The screen dump below highlights the sensor selection and the 6 GHz areas of interest (your lab will show more SSIDs than are shown below):
What 6 GHz channel is the AP using? Is it a Preferred Scanning Channel (PSC)? PSCs are every fourth 20 MHz channel in the 6 GHz band (5, 21, 37, 53, ...), the channels a 6 GHz client probes by default.
You can check a channel with the WLAN Pi CLI tool wifichannel, for example: wifichannel 37
Congratulations, you've completed the Wi-Fi scanning lab for Windows.
In this lab, we'll take a look at how we:
Start the Kismet process
Access the Kismet UI
Use Kismet to scan for wireless networks and clients
To start Kismet, simply head over to Terminal in Cockpit, type kismet and press Enter:
Kismet will produce many lines of logging output as it starts up. Don't worry too much about the log messages that scroll up the screen during the start-up process. Once they stop, Kismet is running. Leave it running to complete the labs below.
Kismet launches its own web server process to provide a web UI to view the data that it gathers. Open a new browser tab on your laptop/Mac and navigate to:
http://wlanpi-xxx.local:2501
or, if you do not see the login page:
http://<wlanpi-ip-address>:2501
(this may work better on Windows)
We need to log in to Kismet to access its UI. As Kismet has its own credential store, you will need to create a username and password the first time you browse to it. Setting the Kismet credentials to be the same as your WLAN Pi credentials is convenient for the lab, but bear in mind that the Kismet UI is served over plain HTTP on port 2501, so a password reused from the WLAN Pi's SSH login travels in the clear across the lab network; a distinct password is the safer choice.
Once you've set the credentials, you'll be taken to the main Kismet UI and will see the following panel pop up as this is your first login. You can hit "Continue" for now. We do not need to configure any specific settings for this lab.
If you'd like to stop and restart the Kismet process, hit Ctrl-C in the Terminal window where Kismet was started. Type "kismet" again on the command line to restart Kismet.
Now that we've got access to Kismet, we'll take a look at how we can use it to gather Wi-Fi network data. We need to tell Kismet which network adapter to use in the WLAN Pi to scan for 802.11 activity over the air.
We need to tell Kismet to enable wlan0 to start scanning nearby Wi-Fi networks and devices:
Click on hamburger menu icon (top left)
Select Data Sources
Expand wlan0
Enable this Source:
You should see a small scrolling bar chart history of packet activity detected by this source. This indicates that Kismet is scanning Wi-Fi channels and gathering data:
Close the pop-up window
Kismet is now switching the WLAN Pi wireless adapter between all Wi-Fi channels and gathering frames on each channel. From this data, it builds a table of access points and wireless clients as it receives 802.11 frames from them.
Note that Kismet now supports the 6 GHz band with an appropriate wireless adapter. Watch out for 6 GHz APs and clients in the Kismet device data.
As it has many channels to hop between, each scan cycle takes several seconds to complete and only a small snapshot of the activity on each channel is captured. However, as it provides an overview of both APs and their clients, you can think of Kismet as a Wi-Fi scanner on steroids.
Let's take a look at the data available in the Kismet UI. Later, we'll look at how we can modify scanning to gather data focused on specific channels or frame types to provide more selective network data.
Have a look through the Kismet device list and see if you can complete each of the following tasks:
Can you find your Wi-Fi devices in the 'Device List'
What channel is your device is connected on?
Click on your Device to view more detail (Tip: look out for the Monitor button - click on it for detailed scanning on that device)
Filter to see only APs (hint: use Search box)
Filter to see only client devices
Check to verify if devices can be seen on all 3 Wi-Fi bands: 2.4 GHz, 5 GHz and 6 GHz
Click on any of the displayed rows to drill down into more detail about that device
Click on the "SSIDs" tab of the device list to see a summary of SSIDs detected. Click on any of the SSIDs to see more detail:
There is no easy way to clear the device list to start over. The quickest way is to go the terminal window and kill the Kismet process using Ctrl-C. Then, start Kismet again and select the data source via the hamburger widget.
By default, Kismet scans all Wi-Fi channels that are available, gathering frame data about all devices heard. As it's hopping across many channels, it gathers a very small amount of frames (and hence data) about each channel. To gather more data about a channel (or channels) in which you are interested, it's possible to limit the channels that Kismet scans. Let's give this a try:
Go back to the hamburger selector in the Kismet UI and select "Data Sources"
Expand the "wlan0" interface shown in the "Data Sources" list. You will now see all of the channels being scanned by Kismet. Channels being scanned are coloured orange. Click on channels to deselect them and limit the channels that Kismet will scan:
Select a subset of channels and close the Data Sources panel. In the devices panel, you should only now see activity on the selected channels.
Although changing scanning options via the Kismet UI is easy, it can be quite cumbersome when de-selecting large numbers of channels. Also, having to repeat the same workflow to select a data source each time Kismet is started may become annoying.
The good news is that we can start Kismet with CLI parameters that pre-select a data source and channels. Also, we may not want to collect all frames heard over the air - we may just be interested in gathering beacons to get a summary of networks heard nearby.
Let's look at a few command line options to pre-configure the behaviour of kismet and speed up our workflows:
Launch Kismet and start capturing using the wlan0 adapter:
kismet -c wlan0

Launch Kismet capturing on the 2.4 GHz band only:
kismet -c wlan0:name="wlanpi",channels=\"1,6,11\"

Launch Kismet capturing on the 5 GHz band only:
kismet -c wlan0:name="wlanpi",channels=\"36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165\"

Launch Kismet on the 6 GHz band only:
kismet -c wlan0:name="wlanpi",channels=\"5-W6e,9-W6e,13-W6e,17-W6e,21-W6e,25-W6e,29-W6e,33-W6e,37-W6e\"
Note: this is not the complete 6 GHz band (its 20 MHz channels run 1, 5, 9 ... 233) - feel free to complete the list for all the channels you'd like to scan.
Note: the \" escapes are required because the command is typed into a Linux shell. Kismet separates the options of a source definition with commas, so a channel list must reach Kismet wrapped in its own double quotes; unescaped quotes would be removed by the shell before Kismet sees them. Wrapping the whole source definition in single quotes works equally well.
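The channel lists above are easy to get wrong by hand, and the full 6 GHz list is long. The following script is an added example (not part of the lab, the WLAN Pi image or Kismet itself): it generates the complete 6 GHz 20 MHz channel list, flags the Preferred Scanning Channels asked about in the scanner labs, and builds a shell-safe kismet -c argument with the quoting Kismet needs. It assumes the 6 GHz channel suffix form shown in the lab (e.g. 5-W6e); check that form against the channel names Kismet itself lists under Data Sources for wlan0 before relying on it.

```python
"""Build Kismet data-source arguments for the WLAN Pi and answer the PSC question.

Added example for the lab; not code from Kismet or the WLAN Pi project.
"""
import shlex

# 6 GHz 20 MHz channels are numbered 1, 5, 9 ... 233 (channel = 4k + 1).
SIX_GHZ_FIRST, SIX_GHZ_LAST = 1, 233
# Channel lists used by the lab for the other two bands.
TWO_GHZ_CHANNELS = [1, 6, 11]
FIVE_GHZ_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116,
                     120, 124, 128, 132, 136, 140, 144, 149, 153, 157, 161, 165]
# Suffix Kismet attaches to 6 GHz channel names, as written in the lab
# (assumption: verify against the Data Sources panel on your Kismet build).
SIX_GHZ_SUFFIX = "-W6e"


def six_ghz_channels():
    """All 59 20 MHz channels of the 6 GHz band."""
    return list(range(SIX_GHZ_FIRST, SIX_GHZ_LAST + 1, 4))


def is_psc(channel):
    """Preferred Scanning Channels are every fourth 20 MHz channel: 5, 21, 37 ... 229,
    i.e. channel = 16k + 5 (the primary-20 position of each 80 MHz channel)."""
    return channel in six_ghz_channels() and (channel - 5) % 16 == 0


def psc_channels():
    return [c for c in six_ghz_channels() if is_psc(c)]


def six_ghz_freq_mhz(channel):
    """Centre frequency of a 6 GHz channel: 5950 MHz base + 5 MHz per channel unit."""
    if channel not in six_ghz_channels():
        raise ValueError(f"{channel} is not a 6 GHz 20 MHz channel")
    return 5950 + 5 * channel


def kismet_source(iface, name, channels, suffix=""):
    """The source definition Kismet must receive. Options are comma-separated,
    so the (comma-separated) channel list is wrapped in its own double quotes."""
    chan_list = ",".join(f"{c}{suffix}" for c in channels)
    return f'{iface}:name={name},channels="{chan_list}"'


def kismet_command(iface, name, channels, suffix=""):
    """Shell-safe command line: shlex.quote wraps the definition in single quotes,
    so the inner double quotes survive the shell (equivalent to the lab's \" escapes)."""
    return "kismet -c " + shlex.quote(kismet_source(iface, name, channels, suffix))


if __name__ == "__main__":
    print("PSC channels:", psc_channels())
    print("Channel 37 is a PSC:", is_psc(37), "at", six_ghz_freq_mhz(37), "MHz")
    print(kismet_command("wlan0", "wlanpi", TWO_GHZ_CHANNELS))
    print(kismet_command("wlan0", "wlanpi", FIVE_GHZ_CHANNELS))
    print(kismet_command("wlan0", "wlanpi", six_ghz_channels(), SIX_GHZ_SUFFIX))
    print(kismet_command("wlan0", "wlanpi", psc_channels(), SIX_GHZ_SUFFIX))
```

The last command line restricts Kismet to the 15 PSCs only, which is a quick way to find 6 GHz APs before widening the hop list, since a 6 GHz AP advertising on a non-PSC channel still has to be discoverable from a PSC by the clients.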
Check out the references below for more information. You may even consider creating your own custom configuration file to make things even easier! You can also add your own filters to customise the frames captured by Kismet.
Congratulations, you've completed the Kismet lab!
In this lab we'll look at a couple of software applications that are able to use the WLAN Pi as an external Wi-Fi sensor for network scanning. Both allow scanning of the 2.4 GHz, 5 GHz and 6 GHz bands.
The results of this lab will allow us to better understand our lab RF environment, which will be useful when we get to the frame capture lab later.
The two 'external' applications we'll be using are:
Windows: WiFi Scanner
macOS: WiFi Explorer Pro 3
Both applications operate in a similar manner to gather Wi-Fi network data across all 3 Wi-Fi bands.
Both applications initiate an SSH session to the WLAN Pi, continually switching its wireless NIC to each Wi-Fi channel in turn. Beacon frames are captured using a utility on the WLAN Pi, such as "tcpdump", to build a list of Wi-Fi networks. The beacon data is processed by the scanning app to create a detailed channel audit of the 802.11 networks that can be heard by the WLAN Pi.
As the volume of data gathered via the WLAN Pi sensor is relatively low, the WLAN Pi can (if required) be geographically remote from the platform running the Wi-Fi scanner. Remote network connectivity may be provided between the scanner application and the WLAN Pi sensor using some type of VPN access such as Tailscale.
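To make the sensor mechanism concrete, the script below is an added illustration (not code from WiFi Scanner, WiFi Explorer Pro or the WLAN Pi project) of the scanner-side step: it parses beacon lines in the text format tcpdump prints for 802.11 management frames with radiotap headers (what you get from tcpdump -nei wlan0 'type mgt subtype beacon' with wlan0 in monitor mode) and builds a per-BSSID channel audit. The sample lines are constructed for the example, not a real capture, and the BSSIDs and SSIDs in them are made up.

```python
"""Turn tcpdump beacon lines from a WLAN Pi sensor into a per-BSSID channel audit.

Added example; the scanner applications' own processing is not published.
"""
import re

# Constructed sample (not a real capture), tcpdump -nei wlan0 'type mgt subtype beacon' format.
# Line 2 is the channel-1 AP heard again while the sensor sat on channel 2 (2417 MHz);
# line 4 is a 6 GHz beacon carrying no DS Parameter Set, so no "CH:" field is printed.
SAMPLE_LINES = """\
12:00:01.100000 1.0 Mb/s 2412 MHz 11b -41dBm signal BSSID:02:11:22:33:44:01 DA:Broadcast SA:02:11:22:33:44:01 Beacon (LabNet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
12:00:01.250000 1.0 Mb/s 2417 MHz 11b -55dBm signal BSSID:02:11:22:33:44:01 DA:Broadcast SA:02:11:22:33:44:01 Beacon (LabNet) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 1, PRIVACY
12:00:01.400000 6.0 Mb/s 5180 MHz 11a -52dBm signal BSSID:02:11:22:33:44:02 DA:Broadcast SA:02:11:22:33:44:02 Beacon (LabNet) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] ESS CH: 36, PRIVACY
12:00:01.550000 6.0 Mb/s 6135 MHz 11a -60dBm signal BSSID:02:11:22:33:44:03 DA:Broadcast SA:02:11:22:33:44:03 Beacon (LabNet-6E) [6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0 Mbit] ESS, PRIVACY
12:00:01.700000 1.0 Mb/s 2437 MHz 11b -70dBm signal BSSID:02:11:22:33:44:04 DA:Broadcast SA:02:11:22:33:44:04 Beacon (Guest) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6
""".splitlines()

BEACON_RE = re.compile(
    r"(?P<freq>\d{4}) MHz .*?(?P<signal>-?\d+)dBm signal .*?"
    r"BSSID:(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?"
    r"Beacon \((?P<ssid>.*?)\) \[.*?\](?P<tail>.*)$"
)


def freq_to_channel(freq_mhz):
    """Map the radiotap channel frequency (the channel the sensor was on) to a channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5955 <= freq_mhz <= 7115:
        return (freq_mhz - 5950) // 5
    if 5180 <= freq_mhz <= 5885:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"unexpected frequency {freq_mhz} MHz")


def band(freq_mhz):
    if freq_mhz < 5000:
        return "2.4 GHz"
    return "6 GHz" if freq_mhz >= 5955 else "5 GHz"


def parse_beacon(line):
    """Return the fields of one beacon line, or None if the line is not a beacon."""
    m = BEACON_RE.search(line)
    if not m:
        return None
    freq = int(m["freq"])
    # The DS Parameter Set ("CH: n") is the AP's own channel; on 2.4 GHz a beacon is
    # often heard on an adjacent channel, so prefer it and fall back to the frequency.
    ds = re.search(r"CH: (\d+)", m["tail"])
    return {
        "bssid": m["bssid"], "ssid": m["ssid"], "band": band(freq),
        "heard_on": freq_to_channel(freq),
        "channel": int(ds.group(1)) if ds else freq_to_channel(freq),
        "signal_dbm": int(m["signal"]), "privacy": "PRIVACY" in m["tail"],
    }


def audit(lines):
    """Aggregate beacon lines into one entry per BSSID."""
    table = {}
    for line in lines:
        b = parse_beacon(line)
        if b is None:
            continue
        e = table.setdefault(b["bssid"], {
            "ssid": b["ssid"], "band": b["band"], "channel": b["channel"],
            "heard_on": set(), "best_signal_dbm": b["signal_dbm"],
            "beacons": 0, "privacy": b["privacy"]})
        e["heard_on"].add(b["heard_on"])
        e["best_signal_dbm"] = max(e["best_signal_dbm"], b["signal_dbm"])
        e["beacons"] += 1
    return table


def band_summary(table):
    """Count of BSSIDs per band, the quick check that all three bands are visible."""
    counts = {}
    for e in table.values():
        counts[e["band"]] = counts.get(e["band"], 0) + 1
    return counts


if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    for bssid, e in sorted(result.items(), key=lambda kv: (kv[1]["band"], kv[1]["channel"])):
        print(f'{bssid}  {e["band"]:8}  ch {e["channel"]:>3}  {e["best_signal_dbm"]:>4} dBm  '
              f'{e["ssid"]!r}  {"WPA/WEP" if e["privacy"] else "open"}')
    print(band_summary(result))
```

Feeding a real capture through this is a useful cross-check when a scanner app shows nothing on 6 GHz: if tcpdump on the WLAN Pi itself shows 6 GHz beacons but the app does not, the problem is on the app or SSH side rather than the adapter.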
Please choose the Wi-Fi scanning lab that you are in the mood for:
A wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework
In this lab, we'll be exploring the Open Source Kismet project. Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. It's not a toolset that has been developed by the WLAN Pi dev team, but is installed as part of the WLAN Pi software image as it provides such a useful set of features for Wireless engineers.
We'll first take a look at exactly what Kismet is, and we'll follow this with lab exercises so that you can become familiar with this excellent toolset.
To complete this lab, you'll need the following items:
A Windows laptop or Mac with a browser
A WLAN Pi M4
Note that Kismet is already installed on the WLAN Pi M4, so there is no requirement to install any additional packages
To use Kismet on the WLAN Pi, there must be IP connectivity between your laptop or Mac and the WLAN Pi.
In this lab, we'll connect using the lab's wireless and wired network connections. Your laptop/Mac will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have a network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target address for your browser session.
Kismet is a monitoring tool for wireless. Originally supporting only 802.11 Wi-Fi, with the right hardware Kismet can now capture Bluetooth advertisements, BTLE, nRF-based wireless mice and keyboards, weather stations, wireless thermometers, switches, smoke detectors, 802.15.4 / Zigbee, ADSB airplane transponders, AMR wireless power, water meters, gas meters, and more.
Kismet operates almost entirely passively, with a few exceptions (such as Bluetooth scanning mode) noted in the documentation for those capture types.
Kismet is not an attack tool (generally) - to test your Wi-Fi security check out tools like Aircrack-NG or the Wi-Fi Pineapple.
Kismet is largely focused on collecting, collating, and sorting wireless data. The logs generated by Kismet can be fed into other tools (the pcap, handshakes, and other data) like hashcat, aircrack, and more.
Kismet is different from Wireshark. Kismet primarily focuses on representing devices - access points, clients, bridged wired devices, sensors, Bluetooth entities, and so on, while Wireshark focuses on displaying a deep dive of specific packets and all the content.
Kismet and Wireshark work best when used together. Kismet collects packets and logs them to standard formats (pcap and pcapng) or the kismetdb format which can be converted directly to pcap and pcapng, and collects location, changes over time, etc. Wireshark can open the pcap logs and give extensive detailed information about specific packets. Each tool is designed for a different job, but operate well together.
Source and more info: https://www.kismetwireless.net/docs/readme/intro/
Wi-Fi channels in Kismet define both the basic channel number, and extra channel attributes such as 802.11n 40 MHz channels, 802.11ac 80 MHz and 160 MHz channels, and non-standard half and quarter rate channels at 10 MHz and 5 MHz.
Kismet will auto-detect the supported channels on most Wi-Fi cards. Monitoring on HT40, VHT80, and VHT160 requires support from your card.
Channels can be defined by number or by frequency.
xx          Basic 20 MHz channel, such as 6 or 153
xxxx        Basic 20 MHz frequency, such as 2412
xxHT20      20 MHz HT20 channel, such as 6HT20
xxxxHT20    20 MHz HT20 frequency, such as 2412HT20
xxHT40+     40 MHz 802.11n with upper secondary channel, such as 6HT40+
xxHT40-     40 MHz 802.11n with lower secondary channel, such as 6HT40-
xxVHT80     80 MHz 802.11ac channel, such as 116VHT80
xxVHT160    160 MHz 802.11ac channel, such as 36VHT160
xxW10       10 MHz half-channel, a non-standard channel type supported on some Atheros devices. This cannot be automatically detected; you must manually add it to the channel list for a source.
xxW5        5 MHz quarter-channel, a non-standard channel type supported on some Atheros devices. This cannot be automatically detected; you must manually add it to the channel list for a source.
Most likely this will be the main data source most people use when capturing with Kismet.
The Linux Wi-Fi data source handles capturing from Wi-Fi interfaces using the two most recent Linux standards: The new netlink/mac80211 standard present since approximately 2007, and the legacy ioctl-based IW extensions system present since approximately 2002.
Packet capture on Wi-Fi is accomplished via “Monitor mode”, a special mode where the card is told to report all packets seen, and to report them at the 802.11 link layer instead of emulating an Ethernet device.
The Linux Wi-Fi source will auto-detect supported interfaces by querying the network interface list and checking for wireless configuration APIs. It can be manually specified with type=linuxwifi
In this lab we'll install the Intuitibits "WiFi Explorer Pro 3" application onto your Mac. We'll configure it to use the WLAN Pi M4 as an external sensor. This allows us to leverage the 6 GHz capabilities of the WLAN Pi, which may be missing from the current capabilities of your Mac.
Using the WLAN Pi as an external sensor also provides opportunities to perform scanning of networks that may be in remote locations. By using a VPN connection between the laptop and WLAN Pi, it's possible to use the scanning capabilities to assist with remote troubleshooting tasks.
To complete this lab, you'll need the following items:
A macOS laptop (with administrative privileges to install software)
A WLAN Pi M4
For this lab please visit the following web page and download and install a trial copy of "WiFi Explorer Pro 3" onto your Mac if you don't already have a copy:
Note that if you don't already have WiFi Explorer Pro 3 installed, you can download and install it and take advantage of the 7-day trial license that it provides.
You will need "WiFi Explorer Pro 3" to complete this lab. Intuitibits also provide a product called simply "WiFi Explorer": this product does not support the remote sensor capabilities required for this lab.
Once WiFi Explorer Pro 3 is installed, take a few moments to make sure the application launches correctly and familiarise yourself with its user interface. If you've used Wi-Fi scanning packages before, you'll find it quite intuitive to use.
By default, WiFi Explorer Pro 3 uses the internal adapter of your Mac to scan for networks when first launched. Within a few seconds, you should see a summary of Wi-Fi networks detected by the laptop adapter as it scans all Wi-Fi channels. Although this is great information, in this lab we want to investigate how to use the WLAN Pi as an external sensor.
To use the WLAN Pi as a remote sensor, there must be an IP connection between WiFi Explorer Pro 3 and the WLAN Pi.
In this lab, we'll connect using the lab's wireless and wired network connections. Your Mac will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have their network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target sensor address.
The WLAN Pi M4 does not support USB OTG networking, so that is not an option for connecting to the sensor; use the wired or wireless lab network connection instead.
Once you're happy with finding your way around the UI, please review the instructions provided below to set up your WLAN Pi M4 as a remote sensor for WiFi Explorer Pro 3. This will allow you to scan the 2.4 GHz, 5 GHz and 6 GHz (🤓) bands using the wireless adapter of the WLAN Pi.
Please ensure you note the channels being used by our lab networks while completing this lab. This information will be useful later in our wireless frame capture lab.
Some of the information below is taken from the following article, which may be useful for future reference: https://www.intuitibits.com/2019/09/24/wlanpi-as-a-sensor/
To add the WLAN Pi as a remote sensor to WiFi Explorer Pro, use these configuration steps:
Open the WiFi Explorer Pro preferences UI option : WiFi Explorer Pro 3 > Preferences
Select the Sensors tab:
Hit the "+" button at the bottom left of the panel and enter the IP address of the WLAN Pi as prompted by the new pop-up. The WLAN Pi address may be found on the front panel of the WLAN Pi:
The new sensor will appear in the sensor list and you may overtype the phrase "New Sensor" with your own chosen name (e.g. WLAN Pi M4):
Note that you may also select and edit the Address, Interface name and Port fields by clicking on them if any configuration updates are required.
Note that if your WLAN Pi and Mac are on the same layer 2 segment, WiFi Explorer Pro may automatically detect your WLAN Pi M4 and add it to the sensor list. In the graphic shown above, the sensor "wlanpi-f9e" was added via this method while I was getting the screen grabs for this lab.
If you are having issues using the WLAN Pi as a sensor (e.g. no scanning data is shown), you can use the sensor "Diagnostics" feature to verify sensor connectivity. It also checks that the WLAN Pi has all of the correct software packages and an appropriate wireless adapter to allow WiFi Explorer Pro 3 to run correctly.
If the diagnostics output shows failures, depending on the failure, you may need to:
Fix any network connectivity issues
Contact the WLAN Pi team for guidance
Contact Intuitibits support
The sensor diagnostics feature can be accessed via the 3-dots button in the Sensors pane of the Preferences window (shown below):
Now that the WLAN Pi has been added as a sensor, we can use it to scan for the Wi-Fi networks that it can hear. To use it as a sensor, hit the mode button on the top bar of the WiFi Explorer Pro 3 UI:
The mode selector will appear. It will include the previously configured WLAN Pi sensor. Select the sensor and scanning via the sensor will begin:
The first time the sensor is used, you will be prompted to enter a username and password. Enter your username and password for the WLAN Pi and then scanning will commence.
Note that each scan takes several seconds to complete. You will also notice that the SSIDs on the 6 GHz band may take a few scans before they finally appear, so be patient.
Make sure that you can see SSIDs on all 3 Wi-Fi bands. Make a note of the lab SSIDs, channels and channel widths for later reference in our capture labs. Ensure that you can see the 6 GHz band SSIDs in your results: you should see the test lab 6 GHz networks displayed. The screen dump below shows how to display SSIDs on the 6 GHz band (your lab will show more SSIDs than are shown below):
What 6 GHz channel is the AP using? Is it a Preferred Scanning Channel (PSC)? PSCs are every fourth 20 MHz channel in the 6 GHz band (5, 21, 37, 53, ...), the channels a 6 GHz client probes by default.
You can check a channel with the WLAN Pi CLI tool wifichannel, for example: wifichannel 37
Congratulations, you've completed the Wi-Fi scanning lab with your Mac.