Driftnet on WEPed wireless networks HOWTO by Robert Timko on 18/08/03

Download

I am assuming that both Kismet (version 3.0.1) and the driftnet source downloaded above are both working properly.

First off, the version of Driftnet above is slightly modified to work on wireless, and also utilizes pcap_open_offline to read from and replay dump files. This is great if are on an open wireless network, such as a hotel, or Starbucks. However, there is one problem: WEP. How do you run Driftnet on a WEPed wireless network?

Well, until I learn to code and hack-up a WEP decoding engine into driftnet, I'll use Kismet (www.kismetwireless.net) because it's the coolest and most advanced application ever invented for anything wireless!

It's rather easy. Because Kismet supports writing data frames to a FIFO named pipe AND has a built-in WEP decoder, you can simply point the data to a file, and have Driftnet read from that, instead of an interface!

First, edit your kismet.conf file to enable WEP decoding and named pipe output:
# Known WEP keys to decrypt, bssid,hexkey. This is only for networks where
# the keys are already known, and it may impact throughput on slower hardware.
# Multiple wepkey lines may be used for multiple BSSIDs.
wepkey=00:DE:AD:C0:DE:00,FEEDFACEDEADBEEF01020304050607080900 - obviously may vary based on network
.....
.....
# Do we mangle packets if we can decrypt them or if they're fuzzy-detected
mangledatalog=true - have to make sure this is on

.....
..... # Do we write data packets to a FIFO for an external data-IDS (such as Snort)? - or driftnet hehe
# See the docs before enabling this.
fifo=/tmp/kismet_dump


Then, simply use the -f switch, which is included in the modified Driftnet compiled source, linked above to read from a file:
[root@box driftnet_wireless]# ./driftnet -f /tmp/kismet_dump

You can also use the -v option for more verbose output.

As an alternative, if you are not looking for a 'real-time' solution, you can use Kismet normally, with WEP decryption enabled, and just use the -f switch in Driftnet on an archived Kismet dumpfile(Make sure you aren't channel hopping or you will miss packets!). The only problem with this is that pictures fly by quite fast as I haven't added a delay switch :P. (yet)
I also like to use urlsnarf that comes with dsniff (http://naughty.monkey.org/~dugsong/dsniff/) to see what websites are being visited as well.

Please email me with any ideas or bugfixes as I my coding ability is not as good as I would like!

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.