Kismet GPS Hardware Suggestion

gps
dongle
wardriving

(squishy) #1

Hi,

I'm learning about using Kismet nowadays and I would like to know if there's a GPS dongle that would be best to get a good position of the APs that I'm checking. Or is it like any GPS dongle is passable?
thanx

#dongle


(Hardeep Singh) #2

Last time I got into GPS, acc. to my research back then, GlobalSat was one of the best manufacturers of GPS receivers. Not sure if they discontinued. Although others can do the job as well.

Link: https://www.amazon.com/GlobalSat-BU-353-S4-USB-Receiver-Black/dp/B008200LHW/

By the way, do you use a log aggregator system such as Splunk? We can do super cool stuff if we get the AP data with GPS coordinates ingested into Splunk. You can even create LIVE maps and email notifications for certain events!


(squishy) #3

I was thinking of the GlobalSat GPS too, I was just hesitant on purchasing this kind of GPS dongle as I haven't used it before and there might be compatibility issues with Kali, but if u have suggested it then I'll give it a go.
About Splunk, I don't have one implemented but from what you suggest I'm curious about it now. Do u perhaps have some reference on this? Coz I think I would need to buy a license for Splunk which I don't have the money for. Maybe there is a cheaper way of doing this like ELK?


(Hardeep Singh) #4

Oh no need to buy a license brother. It's free for up to 500 MB of data per day, and that's a looooot for our use.

Imagine like 1000 airodumps' worth of data. Having them running 24X7 won't make it reach the limit. So go to Splunk.com and download!!

Even if not, you can ask for a 6-month developer license for free. It gives you a 10GB/day data ingestion limit. Cool enough?

I don't have a single source for all that, I made it up as I went during my splunking. I'd have to write a guide for that. Meanwhile you can install Splunk, go at your own pace and ask here on MA for help and I'll provide solutions :slight_smile:

But first go and install Splunk brother! It's super cool!

I discovered a DDOS attack performed on my website using Splunk from my month-old SSH logs.

My website got more login attempts from China than the total visitors I've ever got on both my sites combined.

For the curious: it was 500,000 SSH login attempts in a 2-day period. And I made a map of it too. All the failed attempts and their origin on a world map.

Would you like to have a screenshot of it?


(squishy) #5

Cool!!! When I have everything set up and ready I will drop another post here :slight_smile:
And about Splunk, I would probably use the Docker system for my implementation https://www.splunk.com/blog/2018/10/24/announcing-splunk-on-docker.html I'm guessing it doesn't change anything…?

And wow, 500k SSH logins, they must have tried so hard brute forcing rootsh3ll. It would be nice to see a pic of that map u have mentioned, for others to see as well :slight_smile:

Thanx a bunch for ur help!!!


(Hardeep Singh) #6

Just a minor change like port forwarding on the Docker container will be required. I can't think of any other such external change right now. Will update you if I discover any.

Yeah, and to my surprise, more than 90% of the attacks originated from China and around 75% originated from a single IP! Now imagine with that information you can do so much more.

Things like:

1. Create an alert and run a script that blocks an IP that has >100 failed attempts.
2. Create a honeypot and let them enter your fake SSH box! :smiling_imp: and collect the commands being run. This will tell us what KIND of information these bots are looking for/designed for.
3. Disable SSH login by password (as I have), enable showing the attempted passwords in your SSH logs and copy their wordlist :smirk:

Every single topic is so much fun when you get to do it! I mean. So. Much. Fun!

Let me get back to my Splunk instance and share the screenshot with you in a while :slight_smile:


(Hardeep Singh) #7

Hi @squishy

The previous month has been relatively easier for my server. This time the majority of the attacks originated from Germany.
All these attempts are failed user attempts.

Below is a world map used to identify and mark the malicious sources, separated by city, within Splunk:

Command I used in the Search Console: sshd "invalid user" NOT port NOT "preauth]" | iplocation InvalidSSHIP | geostats latfield=lat longfield=lon count by City

Now you guess what we can do with this information in our hands?
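As an added illustration (my own code, not anything posted in this thread), here is a Python version of the counting the Splunk search above does, combined with the ">100 failed attempts" alert idea from post #6: it parses sshd "Invalid user" records per source IP and returns the sources over the threshold. The log lines are constructed samples using TEST-NET addresses, and the InvalidSSHIP field extraction is assumed to correspond to the IP the regex captures.

```python
import re
from collections import Counter

# sshd logs a bad username as "Invalid user <name> from <ip>[ port <n>]".
# Only that record is matched (case-sensitive): the later "Failed password for
# invalid user ... port ..." and "Disconnected ... [preauth]" lines for the same
# attempt are skipped, which is what NOT port / NOT "preauth]" does in the Splunk search.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_invalid_users(lines):
    """Yield (username, source_ip) for every sshd 'Invalid user' record."""
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def attempts_by_source(lines):
    """Count attempts per source IP and the usernames tried (the bots' username list)."""
    per_ip, users = Counter(), Counter()
    for user, ip in parse_invalid_users(lines):
        per_ip[ip] += 1
        users[user] += 1
    return per_ip, users


def sources_over_threshold(per_ip, threshold=100):
    """Sources with more than `threshold` failed attempts: candidates for the block alert."""
    return sorted(ip for ip, n in per_ip.items() if n > threshold)


# Constructed sample log (TEST-NET addresses), not a real capture. One attempt
# produces three lines; a single source then fires 120 more attempts.
SAMPLE_LOG = [
    "Jan 10 03:12:01 web sshd[2201]: Invalid user admin from 203.0.113.5",
    "Jan 10 03:12:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jan 10 03:12:03 web sshd[2201]: Disconnected from 203.0.113.5 port 40122 [preauth]",
    "Jan 10 03:12:09 web sshd[2204]: Invalid user oracle from 203.0.113.5 port 40130",
    "Jan 10 03:13:44 web sshd[2210]: Invalid user admin from 198.51.100.7",
    "Jan 10 03:15:02 web sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2",
] + [f"Jan 10 03:20:{i % 60:02d} web sshd[{3000 + i}]: Invalid user test{i} from 203.0.113.5"
     for i in range(120)]

if __name__ == "__main__":
    per_ip, users = attempts_by_source(SAMPLE_LOG)
    print("attempts per source:", dict(per_ip))
    print("most tried usernames:", users.most_common(3))
    print("block candidates (>100):", sources_over_threshold(per_ip))
```

Feeding the per-IP counter to a GeoIP lookup gives the same city-level aggregation the geostats command produces, without needing the Splunk instance.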