Wi-Fi scanner and analyzer for Mac
In this lab, we'll install the Intuitibits WiFi Explorer Pro 3 application on your Mac. We'll configure it to use the WLAN Pi M4 as an external sensor. This allows us to leverage the 6 GHz capabilities of the WLAN Pi, which may be missing from the current capabilities of your Mac.
The WLAN Pi, as an external sensor, also provides opportunities to perform scanning of networks that may be in remote locations. Using a VPN connection between the laptop and WLAN Pi makes it possible to use the scanning capabilities to assist with remote troubleshooting tasks.
To complete this lab, you'll need the following items:
A Mac laptop (with administrative privileges to install software)
A WLAN Pi M4
If you don't already own WiFi Explorer Pro 3, please visit the following web page and download and install the trial version. This trial license is good for 7 days.
You will need WiFi Explorer Pro 3 to complete this lab. Intuitibits also publishes a different app called WiFi Explorer; that version does not support the remote sensor capabilities required for this lab.
Once WiFi Explorer Pro 3 is installed, please take a few moments to ensure the application launches correctly and familiarize yourself with the user interface. If you have used any Wi-Fi scanning package before, you should figure out this UI pretty quickly.
By default, WiFi Explorer Pro 3 uses the internal adapter of your Mac to scan for networks when first launched. Within a few seconds, you should see a summary of Wi-Fi networks detected by the laptop adapter as it scans all Wi-Fi channels. Although this is excellent information, we want to investigate how to use the WLAN Pi as an external sensor in this lab.
To use the WLAN Pi as a remote sensor, there must be IP connectivity between your Mac and the WLAN Pi.
In this lab, your Mac will be connected to the lab Wi-Fi, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have their network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target sensor address.
The WLAN Pi M4 does not support OTG connectivity. Therefore, it is not possible to establish a connection with a WLAN Pi M4 remote sensor over a USB Type-C connection.
Once you're happy navigating your way around the user interface, please review the instructions below to set up your WLAN Pi M4 as a remote sensor. This allows you to scan the 2.4 GHz, 5 GHz, and 6 GHz (🤓) bands using the wireless adapter inside the WLAN Pi.
Please ensure you note the channels being used by our lab networks while completing this lab. This information will be helpful later in our wireless frame capture lab.
Some information below is taken from the following article, which may be useful for future reference.
To add the WLAN Pi as a remote sensor to WiFi Explorer Pro 3, use these configuration steps:
Go to WiFi Explorer Pro 3 > Settings or Preferences (depending on your macOS version) and select the Sensors tab:
Hit the "+" button at the bottom left of the panel and enter the IP address of the WLAN Pi as prompted by the new pop-up. The WLAN Pi address may be found on the front panel of the WLAN Pi:
The new sensor will appear in the sensor list, and you may replace the phrase "New Sensor" with your own chosen name (e.g., WLAN Pi M4):
You may select and edit the Address, Interface Name and Port fields.
If your WLAN Pi and Mac are on the same Layer 2 segment, WiFi Explorer Pro 3 may automatically detect and display your WLAN Pi M4 in the Sensors list. In the graphic above, the sensors "wlanpi-c4d" and "wlanpi-275" were automatically discovered. This is denoted by the "network symbol" in the lower-right corner of the sensor icon.
If you have issues using the WLAN Pi as a sensor (e.g., no scanning data is shown), you can use the sensor "Diagnostics" feature to verify sensor connectivity. It also checks that the WLAN Pi has the correct software packages and an appropriate wireless adapter to enable remote sensor functionality.
If the diagnostics output shows errors, depending on the failure, you may need to:
Fix any network connectivity issues
Contact the WLAN Pi team for guidance
Contact Intuitibits Support
The sensor diagnostics feature can be accessed via the 3-dots button in the Sensors pane of the Preferences window (shown below):
Now that the WLAN Pi has been added as a sensor, we can use it to scan for the Wi-Fi networks. To select your WLAN Pi M4 as the scanning data source, click the mode button on the top bar of WiFi Explorer Pro 3:
The mode selector will appear. It will include previously configured WLAN Pi sensors. Select your freshly added sensor, and scanning via the sensor will begin:
The first time the sensor is used, you will be prompted to enter a username and password. Enter your username and password for the WLAN Pi, and then scanning will commence.
Note that each scan takes several seconds to complete. You will also note that SSIDs on the 6 GHz band may take a few scans before they finally appear; please be patient.
Make sure that you can see SSIDs on all 3 Wi-Fi bands.
Note down the lab SSIDs, channels and channel widths for later reference in our capture labs.
Ensure that you can see the 6 GHz band SSIDs in your results: you should see the lab 6 GHz networks displayed. The screen dump below shows how to display SSIDs on the 6 GHz band:
Which 6 GHz channels are the lab APs using?
Are they Preferred Scanning Channels (PSCs)?
You can use the WLAN Pi CLI tool called wifichannel to check:
wifichannel 53
Congratulations, you've completed the Wi-Fi scanning lab with your Mac.
A wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
In this lab, we'll be exploring the open source Kismet project.
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. It is not a tool set developed by the WLAN Pi dev team, but it does come pre-installed as part of the WLAN Pi software image, as it provides valuable features for Wireless engineers.
First, let's take a look at exactly what Kismet is… and then we can follow up with lab exercises.
To complete this lab, you'll need the following items:
Computing device with a browser (generic tablet, iPad, Windows laptop or Mac)
WLAN Pi
Note that Kismet is already installed on the WLAN Pi OS, so there is no requirement to install any additional packages.
To use Kismet on the WLAN Pi, there must be IP connectivity between your computing device and the WLAN Pi.
Your computing device will be connected to the lab Wi-Fi network, and your WLAN Pi will be connected to one of the lab PoE switch ports.
Once both devices have a network connection, you can use the IP address displayed on the front panel of your WLAN Pi as the target address for your browser session.
Kismet is a monitoring tool for wireless. Initially supporting only 802.11 Wi-Fi, with the proper hardware, Kismet can now capture Bluetooth advertisements, BTLE, nRF-based wireless mice and keyboards, weather stations, wireless thermometers, switches, smoke detectors, 802.15.4 / Zigbee, ADSB airplane transponders, AMR wireless power, water meters, gas meters, and more.
Kismet operates almost entirely passively, with a few exceptions (such as Bluetooth scanning mode) noted in the documentation for those capture types.
Kismet is not an attack tool (generally) – to test your Wi-Fi security, check out tools like Aircrack-ng (preinstalled for you already, btw!) or the Wi-Fi Pineapple.
Kismet is largely focused on collecting, collating, and sorting wireless data. The logs generated by Kismet can be fed into other tools (the pcap, handshakes, and other data) like hashcat, aircrack, and more.
Kismet is fundamentally different from Wireshark. Kismet primarily focuses on representing devices: access points, clients, bridged wired devices, sensors, Bluetooth entities, and so on, while Wireshark focuses on displaying packet capture traces and enabling you to go deep into specific packet details.
Kismet and Wireshark work best when used together.
Kismet collects packets and logs them to standard formats (pcap and pcapng) or to the kismetdb format, which can be converted directly to pcap and pcapng; it also collects location, changes over time, etc.
Wireshark can open the pcap logs and give extensive, detailed information about specific packets. Each tool is designed for a different job, but they operate well together.
Kismet source and more info:
Wi-Fi channels in Kismet define both the basic channel number, and extra channel attributes such as 802.11n 40 MHz channels, 802.11ac 80 MHz and 160 MHz channels, and non-standard half and quarter rate channels at 10 MHz and 5 MHz.
Kismet will auto-detect the supported channels on most Wi-Fi cards. Monitoring on HT40, VHT80, and VHT160 requires support from your card.
Channels can be defined by channel number or frequency.
| Channel syntax | Meaning |
| --- | --- |
| xx | Basic 20 MHz channel, such as 6 or 153 |
| xxxx | Basic 20 MHz frequency, such as 2412 |
| xxHT20 | 20 MHz HT20 channel, such as 6HT20 |
| xxxxHT20 | 20 MHz HT20 frequency, such as 2412HT20 |
| xxHT40+ | 40 MHz 802.11n channel with upper secondary channel, such as 6HT40+ |
| xxHT40- | 40 MHz 802.11n channel with lower secondary channel, such as 6HT40- |
| xxVHT80 | 80 MHz 802.11ac channel, such as 116VHT80 |
| xxVHT160 | 160 MHz 802.11ac channel, such as 36VHT160 |
| xxW10 | 10 MHz half-channel, a non-standard channel type supported on some Atheros devices. It cannot be automatically detected; you must manually add it to the channel list for a source. |
| xxW5 | 5 MHz quarter-channel, a non-standard channel type supported on some Atheros devices. It cannot be automatically detected; you must manually add it to the channel list for a source. |
It is very likely that your data source will be "Linux Wi-Fi" when capturing with Kismet.
The Linux Wi-Fi data source handles capturing from Wi-Fi interfaces using the two most recent Linux standards: The new netlink/mac80211 standard present since approximately 2007, and the legacy ioctl-based IW extensions system present since approximately 2002.
Wi-Fi packet capture is accomplished via “monitor mode”, a special mode where the card is told to report all packets seen, and to report them at the 802.11 link layer instead of emulating an Ethernet device.
The Linux Wi-Fi source will auto-detect supported interfaces by querying the network interface list and checking for wireless configuration APIs. It can be manually specified with type=linuxwifi.
That's right, WiFi Explorer Pro for Windows!
In this lab, we will use WiFi Explorer Pro for Windows and configure it to use the WLAN Pi M4 as an external sensor. This allows us to leverage the 6 GHz capabilities of the WLAN Pi, which may be missing from your current computer.
The WLAN Pi, as an external sensor, also provides opportunities to perform scanning of networks that may be in remote locations. Using a VPN connection between the laptop and WLAN Pi makes it possible to use the scanning capabilities to assist with remote troubleshooting tasks.
To complete this lab, you'll need the following items:
A Windows laptop with administrative privileges to install software
A WLAN Pi M4
Let's start by installing WiFi Explorer Pro for Windows:
Download WiFi Explorer Pro from the Intuitibits website.
Launch the installer and follow the instructions.
If you didn't uncheck "Launch when ready", the app will open and a 7-day free trial will start immediately.
The main window of the app now opens. Let's left-click the Signal column once to ensure WiFi Explorer Pro displays the access points with the strongest Received Signal Strength Indicator (RSSI) at the top of the scan results.
Once WiFi Explorer Pro is installed, please take a few moments to ensure the application launches correctly and familiarise yourself with the user interface. If you've used Wi-Fi scanning apps before, we are confident you will feel at home within WiFi Explorer Pro for Windows.
By default, WiFi Explorer Pro uses the internal adapter of your laptop to scan for networks when first launched. Within a few seconds, you should see a summary of Wi-Fi networks detected by the laptop adapter as it scans all Wi-Fi channels. Although this is excellent information, we want to investigate how to use the WLAN Pi as an external sensor in this lab.
To use the WLAN Pi as a remote sensor, there must be IP connectivity between the laptop and the WLAN Pi.
We'll connect using the lab's wireless and wired network connections in this lab. Your laptop will be connected to the lab wireless network, and your WLAN Pi M4 will be connected to one of the lab PoE switch ports.
Once both devices have their network connection, you can use the IP address shown on the front panel of your WLAN Pi as the target sensor address.
Once you're happy with finding your way around the user interface, please review the instructions below to set up your WLAN Pi M4 as a remote sensor for WiFi Explorer Pro. This will allow you to scan the 2.4 GHz, 5 GHz and 6 GHz (🤓) bands using the wireless adapter of the WLAN Pi.
Please ensure you note the channels being used by our lab networks while completing this lab. This information will be useful later in our wireless frame capture lab.
Open the Manage Remote Sensors dialog by clicking the dropdown arrow (v) and then clicking Manage Remote Sensors...
Under the Sensors tab, click the + button.
Enter the IP address of the eth0 interface of your WLAN Pi. The display and buttons are your friend: the big white IP address on the home screen of your WLAN Pi should be the right address. You can always verify it by opening the on-screen Menu > Network > Interfaces.
Assign a new name of your choice to the new sensor. This is useful when you have multiple remote sensors deployed.
Before we go, let's click the '3 dots in a circle' icon and Run Diagnostics.
In the authentication prompt, enter the username wlanpi and the new WLAN Pi password you created in the Getting Started section.
A few seconds later, the diagnostics results should appear on the screen. WiFi Explorer Pro connects to the WLAN Pi via SSH and checks whether all required packages are installed, whether the Wi-Fi adapter is ready, and so on. Note a new feature: WiFi Explorer Pro now uses a new scanning tool on remote sensors called scandump. Thanks to this, it no longer switches the Wi-Fi adapter to monitor mode; instead, it uses the 802.11 netlink API. This is faster and also allows adapters that don't support monitor mode to perform scanning. The WLAN Pi ships with scandump preinstalled. Without scandump, WiFi Explorer Pro has to switch the Wi-Fi adapter to monitor mode and cycle between channels to scan them, so monitor mode support is mandatory in that case.
WiFi Explorer Pro is now ready to scan using WLAN Pi's Wi-Fi adapter, even remotely via VPN.
Select the remote sensor from the dropdown menu.
Remote (yes, we appreciate that the M4 technically sits in front of you at the moment) scan results will now start appearing in your app.
Let's add a new column, Channel Utilization, to the current view. Right-click anywhere on an existing column name (for example, near Annotations) and select Channel Utilization.
The new column appears, and we see the QBSS information broadcast by the APs in their beacons. Note that you might also need to enable this feature on your controller or AP.
We now select the 6 GHz filter in the top bar. There we go: there is an AP using 6 GHz primary channel 37.
What 6 GHz channel is your 6 GHz AP using? Is it a Preferred Scanning Channel (PSC)? You can use the WLAN Pi terminal tool called wifichannel for that:
wifichannel <channel>
wifichannel 37
WiFi Explorer Pro also highlights PSC channels in red/orange. So you could tell that channel 37 is one of those channels by looking at the bottom part of the spectrum view.
Congratulations, you've completed the Wi-Fi scanning lab for Windows.
In this lab, we'll look at software applications that can use the WLAN Pi as an external Wi-Fi sensor for network scanning:
Kismet
Windows: WiFi Explorer Pro for the very first time!
macOS: WiFi Explorer Pro 3
WiFi Explorer Pro enables scanning of the 2.4 GHz, 5 GHz, and 6 GHz bands. The results from this lab will assist us in understanding the RF environment, which will be helpful when we get to the frame capture lab.
WiFi Explorer Pro initiates an SSH session to the WLAN Pi, continually switching its wireless interface to each Wi-Fi channel. Beacon frames are captured using a utility on the WLAN Pi, such as tcpdump, to build a list of Wi-Fi networks. The beacon data is processed by the scanning app to create a detailed channel audit of the 802.11 networks that the WLAN Pi can hear.
The WLAN Pi can be geographically remote from the host running the Wi-Fi scanner. Remote network connectivity may be provided between the scanner application and the WLAN Pi sensor using some type of VPN access, such as Tailscale or ZeroTier.
In this lab, we'll take a look at how we:
Start the Kismet process
Access the Kismet UI
Use Kismet to scan for wireless networks and clients
Before we can do anything with Kismet on the WLAN Pi, it is necessary to manually start the process.
Using the Web UI, hover over KISMET in the menu bar.
From the dropdown, you should be able to see whether Kismet is running or not.
Select "START".
Once the Kismet process is running, you should see a new option within the dropdown menu.
Select Launch Kismet.
We need to log in to Kismet to access its UI. The Kismet service has its own separate credential store, so you will need to create a username and password the first time you browse to it. For ease of use, it's not a bad idea (for now) to set your Kismet credentials to be the same as your WLAN Pi credentials:
Once you've set the credentials, you'll be taken to the main Kismet UI and will see the following panel pop up, as this is your first login. You can hit "Continue" for now; we do not need to configure any specific settings for this lab.
It is also possible to start/stop the Kismet service via FPMS.
Now that we've got access to Kismet, we'll take a look at how we can use it to gather Wi-Fi network data.
By default, when you start Kismet from FPMS, it is already configured with wlan0 as a data source. It's probably already collecting data too.
If you are using a WLAN Pi with multiple wireless interfaces, you can specify an alternative or additional data source by following the steps below:
Click on hamburger menu icon (top left)
Select Data Sources
Expand the desired wireless interface
Click on "Enable Source"
You should see a small scrolling bar chart history of packet activity detected by this source. This indicates that Kismet is scanning Wi-Fi channels and gathering data:
Close the pop-up window
By default, Kismet will cycle through all the Wi-Fi channels, gathering frames on each channel. From this data, it builds a table of access points and wireless clients as it receives 802.11 frames from them.
Note that Kismet now supports the 6 GHz band with an appropriate wireless adapter. Watch out for 6 GHz APs and clients in the Kismet device data.
As it has many channels to hop between, each scan cycle takes several seconds to complete, and only a small snapshot of the activity on each channel is captured. Bear in mind that Kismet provides an overview of both APs and their clients; you can think of Kismet as a Wi-Fi scanner on steroids.
Let's take a look at the data available in the Kismet UI. Later, we'll look at how we can configure the scanning behavior to gather data focused on specific channels or frame types.
Have a look through the Kismet device list and see if you can complete each of the following tasks:
Can you find your Wi-Fi devices in the "Device List"?
What channel is your device connected on?
Click on your Device to view more detail (Tip: look out for the Monitor button – click on it for detailed scanning on that device)
Filter to see only APs (hint: use Search box)
Filter to see only client devices
Check to verify if devices can be seen on all 3 Wi-Fi bands: 2.4 GHz, 5 GHz and 6 GHz
Click on any of the displayed rows to drill down into more detail about that device
Click on the "SSIDs" tab of the device list to see a summary of SSIDs detected. Click on any of the SSIDs to see more detail:
There is no easy way to clear the device list to start over. The quickest way is to go back to the Web UI or FPMS and restart Kismet.
By default, Kismet scans all Wi-Fi channels that are available, gathering frame data about all devices heard. As it's hopping across many channels, it only gathers a few frames (and hence little data) about each channel. To gather more data about a specific channel (or channels) in which you are interested, we can reduce the number of channels that Kismet scans.
Go back to the hamburger selector in the Kismet UI and select "Data Sources"
Expand the "wlan0" interface shown in the "Data Sources" list. You will now see all the channels being scanned by Kismet. Channels being scanned are orange colored. Click on channels to deselect them and limit the channels that Kismet will scan:
Select a subset of channels and close the Data Sources panel. In the devices panel, you should only now see activity on the selected channels.
Although changing scanning options via the Kismet UI is "easy", it is cumbersome when deselecting numerous channels, and repeating this workflow each time Kismet is restarted is inefficient.
The good news is that we can start Kismet from the command line and use parameters that pre-select a data source and channel selection.
Kismet can be launched as a "service" (via the Web UI or FPMS), or it can be launched from the command line with additional parameters ("arguments").
STOP the Kismet service by navigating back to the WLAN Pi Web UI, hovering over KISMET and selecting STOP.
To initiate Kismet from the command line, head over to the Terminal in Cockpit, type kismet, then press Enter.
This will launch Kismet in the "default" configuration state, identical to launching Kismet via Web UI or FPMS.
Kismet will produce many lines of logging output as it starts up. Do not stress about these log messages that scroll up the screen during the start-up process. Once they stop, Kismet is up and running.
To stop the Terminal session instance of Kismet you have initiated, use the keyboard combination Control + C.
Kill the Terminal session instance of Kismet:
Ctrl + C
Let's look at a few command line options to pre-configure Kismet and speed up our config:
Launch Kismet and configure wlan0 as the data source:
Launch Kismet and rename the data source:
Now is an opportune moment to revisit the Kismet Web UI. If you kept the original tab open, you can refresh it, or re-launch it via the WLAN Pi Web UI menu bar. Navigate to Data Sources and see if your data source appears with the specified name.
Launch Kismet, capturing on the 2.4 GHz band only:
Launch Kismet, capturing on the 5 GHz band only:
Launch Kismet on the 6 GHz band only:
This is not the complete 6 GHz band – feel free to complete the list for all the channels you would like to scan.
The "\" characters are required in the channel list above because the command is being submitted in a Linux shell.
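As an added example (not part of the lab or of the Kismet project), the following POSIX shell script assembles the band-specific launch commands described above, so a chosen channel subset survives a Kismet restart without being re-clicked in the UI; it also answers the PSC questions from the scanning labs (channels 37 and 53). It assumes Kismet's documented source syntax `interface:name=<label>,channels="<list>"` with the comma-separated channel list quoted, the `-c` capture-source option, and the regular 2.4 GHz, 5 GHz and 6 GHz PSC channel numbers; the `lab24`/`lab5`/`lab6` source names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the lab or the Kismet project: build Kismet source
# definitions for the WLAN Pi's wlan0 with a pre-selected channel list, so the
# channel subset does not have to be re-clicked in the UI after every restart.
#
# Assumed Kismet source syntax (per the Kismet datasource docs):
#   <interface>:name=<label>,channels="<c1>,<c2>,..."
# Kismet separates source options with commas, so the channel list must be
# quoted inside the definition; the shell then needs those quotes escaped.

# 6 GHz Preferred Scanning Channels: every 16th 20 MHz channel number from 5
# to 229 (5, 21, 37, 53, ...). APs normally put their primary channel on a PSC.
psc_channels() {
    ch=5
    out=""
    while [ "$ch" -le 229 ]; do
        out="${out}${out:+,}${ch}"
        ch=$((ch + 16))
    done
    printf '%s' "$out"
}

# Answer the lab question "is this 6 GHz channel a PSC?" (exit 0 = yes).
is_psc() {
    [ "$1" -ge 5 ] && [ "$1" -le 229 ] && [ $(( ($1 - 5) % 16 )) -eq 0 ]
}

# One Kismet source definition: interface, name label, comma-separated channels.
kismet_source() {
    printf '%s:name=%s,channels="%s"' "$1" "$2" "$3"
}

# The full kismet command line for one band, as it should be typed into the
# Cockpit terminal. The double quotes are escaped with backslashes so the
# shell passes them through to Kismet instead of consuming them.
kismet_cmd() {
    case $1 in
        2.4) label=lab24; chans="1,2,3,4,5,6,7,8,9,10,11,12,13" ;;
        5)   label=lab5
             chans="36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165" ;;
        6)   label=lab6; chans=$(psc_channels) ;;
        *)   echo "usage: kismet_cmd 2.4|5|6" >&2; return 1 ;;
    esac
    printf 'kismet -c %s\n' "$(kismet_source wlan0 "$label" "$chans" | sed 's/"/\\"/g')"
}

# Print the three launch commands when the script is run directly.
for band in 2.4 5 6; do kismet_cmd "$band"; done
```

Paste the printed line for the band you want into the Cockpit terminal; the 6 GHz list covers only the PSCs, so extend `chans` if you need the non-PSC channels as well.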
Going wardriving? Consider installing GPSd (sudo apt install gpsd) for offline time sync and geotagging in Kismet.
Congratulations, you have completed the Kismet lab!
Refer to the references below for more information. You may even consider creating your own custom configuration file to make things even easier! You may add filters of your own to further customize the frames captured by Kismet.