
WIR-101 Lab 11 — Wireless Wardriving and Findings Report


Prerequisites: Week 11 lecture; Kismet installed; GPS receiver available (or coordinates from instructor); authorized survey area defined
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Survey area: approved campus/building perimeter only (instructor defines exact boundary before lab starts)
  • Passive monitoring only -- no injection, deauthentication, or association
  • No attempt to connect to any discovered network
  • Kismet log files are for lab use only; not to be shared or published (privacy of captured device information)

Objective

Conduct a passive wireless reconnaissance survey of an approved area using Kismet. Export the results. Produce a professional 4-page findings report with at least three scored findings, a remediation summary table, and CVSS v3.1 scores.


Part A — Kismet Setup and Survey (30 min)

Pre-survey checks

# Verify monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0
iwconfig wlan0mon | grep Mode

# Verify GPS daemon (if using GPS receiver)
sudo gpsd /dev/ttyUSB0 -F /var/run/gpsd.sock
cgps -s  # confirm GPS fix before moving

If no GPS hardware: use instructor-provided coordinates for the survey area, or set a static location in Kismet.

Launch Kismet

sudo kismet -c wlan0mon \
    --log-prefix /tmp/lab11_survey \
    --log-types kismet,pcapng,kml,csv

The web interface is at http://localhost:2501. There are no default credentials: on first launch the web UI prompts you to set a username and password, which the REST API also uses.

Conduct the survey

Walk or drive the approved boundary for 20-25 minutes with Kismet running. Kismet channel-hops automatically across 2.4 GHz and 5 GHz (if your NIC supports 5 GHz monitor mode).

Monitor the Kismet web UI for device count. A typical office building perimeter walk detects 50-200 unique APs.

Stop Kismet and verify logs

# Stop Kismet with Ctrl+C in the terminal where it is running
ls -lh /tmp/lab11_survey*

You should have files: .kismet, .pcapng, .kml, .csv.


Part B — Data Export and Analysis (20 min)

Export from Kismet SQLite database

# kismet_analysis.py
import json
import sqlite3

db_path = '/tmp/lab11_survey.kismet'
conn = sqlite3.connect(db_path)

# Pull every Wi-Fi AP from the kismetdb 'devices' table. Per-device detail
# (SSID, channel, encryption) is stored in the 'device' column as a JSON
# blob, so it is parsed in Python rather than with json_extract() in SQL.
query = """
SELECT
    devmac,
    first_time,
    last_time,
    strongest_signal,
    device
FROM devices
WHERE type = 'Wi-Fi AP'
ORDER BY strongest_signal DESC
"""

rows = []
for devmac, first_time, last_time, signal, blob in conn.execute(query):
    if not blob:
        continue
    dev = json.loads(blob)
    # Field names vary by Kismet version; .get() keeps the script running
    # when one is missing (see the web API fallback below).
    rows.append((
        devmac,
        dev.get('kismet.device.base.commonname', ''),
        dev.get('kismet.device.base.channel', ''),
        dev.get('kismet.device.base.crypt', ''),   # e.g. 'WPA2-PSK / AES-CCM'
        signal,
        first_time,
        last_time,
    ))
conn.close()

print(f"Total APs found: {len(rows)}")
for row in rows[:10]:
    print(row)

Fallback: if the JSON field extraction fails (Kismet schema varies by version), use the Kismet web API at http://localhost:2501/devices/views/all/devices.json to export the full device list; authenticate with the username and password you set on first launch.

Build the AP inventory table

Create a spreadsheet or markdown table with columns:

| BSSID | SSID | Channel | Encryption | MFP | Signal (dBm) | Vendor (OUI) | First Seen |

For each AP, do an OUI lookup to identify the vendor:

# Simple OUI lookup against a local copy of the IEEE registry (oui.txt from
# standards-oui.ieee.org/oui/oui.txt; lines look like "00-1A-2B   (hex)  Vendor")
import re

OUI_LINE = re.compile(r'^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)$')

def load_oui_db(path='oui.txt'):
    db = {}
    with open(path, encoding='utf-8', errors='replace') as f:
        for line in f:
            m = OUI_LINE.match(line.strip())
            if m:
                db[''.join(m.group(1, 2, 3))] = m.group(4).strip()
    return db

def lookup_oui(mac, db):
    oui = mac.replace(':', '').replace('-', '')[:6].upper()  # e.g. '001A2B'
    # Online alternative: requests.get(f"https://api.macvendors.com/{oui}").text
    return db.get(oui, 'unknown')

oui_db = load_oui_db()
for bssid, ssid, *rest in rows:
    vendor = lookup_oui(bssid, oui_db)
    print(f"{bssid} ({vendor}): {ssid}")

Part C — Findings Report (30 min)

Write a 4-page findings report following the capstone report format. The report must contain at least three findings from your survey.

Required structure

Cover Page

  • "Wireless Reconnaissance Survey -- [Survey Area Name]"
  • Date, your name, course identifier

Executive Summary (half page)

  • 3-5 bullets summarizing the highest-risk findings
  • Overall risk rating for the surveyed environment

Scope (2-3 sentences)

  • Survey area, time window, tools used

Methodology (half page)

  • Passive scanning approach; Kismet configuration; no active attacks performed

Findings (2-3 pages)

At minimum three findings; follow the template:

Finding 1: [Title]
Severity: [Critical/High/Medium/Low/Informational]
CVSS v3.1: [score] | [vector string]
Affected Asset: [SSID/BSSID or "multiple"]
Description: ...
Evidence: [data from Kismet output]
Remediation: [specific and actionable]

Candidate finding categories from your survey data:

  • Open (unencrypted) APs: Critical
  • WEP or WPA-TKIP APs: Critical
  • WPA2-PSK without MFP: Medium/High (depends on passphrase strength assessment)
  • WPA2-PSK with MFP: Low/Informational (still vulnerable to a dictionary attack if the passphrase is weak)
  • Hidden SSID (probe-only): Informational (security through obscurity; not a defense)
  • Client probe requests for off-network SSIDs: Low (information leakage)
  • High AP density on same channel (co-channel interference): Informational

Remediation Summary Table

| Finding | Severity | Remediation | Effort |
| ... | ... | ... | Low/Med/High |

Part D — CVSS Scoring Exercise (10 min)

Pick two of your findings. For each, write out the full CVSS v3.1 vector string and compute the base score manually using the CVSS v3.1 formula (or the NVD calculator at nvd.nist.gov/vuln-metrics/cvss/v3-calculator -- linked from course portal).

Show your work:

  • AV: value and justification
  • AC: value and justification
  • PR: value and justification
  • UI: value and justification
  • S: value and justification
  • C/I/A: values and justifications
  • Final vector string and base score

Write-up Questions

  1. Your survey detected 15 APs in the approved area. One of them has an SSID you do not recognize -- it is not in the organization's authorized AP inventory. The OUI maps to TP-Link. What are the three most likely explanations for this AP's presence, and what is your recommended next step for each?
  2. A survey of the same area at 2 PM on a weekday vs. 2 AM on a Saturday would likely show different results. What specific differences would you expect, and why does the time of survey matter for a wireless risk assessment?
  3. Kismet's WIDS alerting system triggers an alert when it observes the same SSID broadcasting from two different BSSIDs. What attack does this alert detect? Write the specific alert condition logic in pseudo-code.
  4. You found that 8 out of 15 APs are using WPA2-PSK without MFP (Management Frame Protection). The client asks: "Do I need to upgrade all these APs?" Write a risk-prioritized recommendation: which APs are highest priority to address first, and what is the minimum viable remediation path for each group?

Cleanup

sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager
sudo killall gpsd 2>/dev/null

Delete Kismet log files from /tmp after submission (they may contain personally identifying device MAC addresses):

rm /tmp/lab11_survey.*

Submission

Zip into lab11_YOURNAME.zip:

  • lab11_ap_inventory.md (AP table from Part B)
  • lab11_findings_report.pdf or lab11_findings_report.md (Part C report)
  • lab11_cvss_scoring.md (Part D)
  • kismet_analysis.py
  • writeup.md

Do NOT submit the raw Kismet .kismet database or .pcapng capture file. These may contain privacy-sensitive device information. Submit only the analysis outputs.