Noted security researcher Mike “dragorn” Kershaw, developer of the gold standard in WiFi scanners, Kismet, has recently released a tool for Android that enables raw 802.11 frame captures in WiFi monitor mode.
Putting a WiFi device into monitor mode allows it to capture all sorts of interesting data about the wireless network that would otherwise be invisible. Monitor mode captures are extremely useful for network diagnostics and penetration testing, and getting that ability on Android devices should open up a lot of very interesting possibilities.
The new tool, simply called “Android PCAP Capture“, does things a little differently than you might expect. For starters, it doesn’t use root or require a custom ROM to work, which is rather unusual for an advanced tool like this. Kershaw is generally against requiring root access in Android applications, as he feels the current way it’s handled is simply not secure enough considering how much damage a root-enabled application can do:
Giving android apps root terrifies me – it places 100% trust in the developer to not be malicious, and the market to have not presented you with a cloned project that IS malicious, and in the developers systems to make sure no-one can ever push an update using their keys that becomes malicious… it’s bad news all around.
Kershaw has a point about the way root access is currently being handled, and despite some efforts to change what we consider the norm, you certainly run a risk every time you allow root access for an application.
But anyone who has worked with WiFi under standard GNU/Linux knows that doing anything advanced with the hardware requires root access. So how did Kershaw manage to put the hardware into Monitor mode without requiring root access or a custom kernel?
Controlling the built-in WiFi hardware under Android would have certainly required root access, and more than likely modifications to the ROM itself. That assumes that your particular device’s WiFi hardware even had support for Monitor mode in its driver to begin with, which isn’t guaranteed.
So for PCAP Capture, Kershaw decided not to support the internal WiFi hardware at all, and instead only support devices using the RTL8187 chipset connected over USB. By implementing the RTL8187’s driver in userspace, the application doesn’t require root, it only needs to be running on an Android device which supports USB host mode.
USB host mode on Android is something of a mixed bag, unfortunately. While technically anything running Android Honeycomb or better should support USB host, hardware variations between manufacturers means that your particular Android device may or may not support USB host even if it has a new enough build of Android.
Generally speaking, Nexus devices such as the Galaxy Nexus or Nexus 7 should work, but devices from other manufacturers will need to be tested on a case-by-case basis.
To perform our capture test with PCAP Capture, we’ll be using the Nexus 7 tablet and the RTL8187 based Alfa AWUS036H WiFi adapter.
Both these pieces of hardware are exceptionally popular in their respective communities; the Nexus 7 being one of the best selling and best supported Android tablets ever released, and the AWUS036H being a common choice for advanced WiFi work under Linux.
While some will certainly bemoan PCAP Capture’s requirement for an RTL8187 WiFi adapter and USB host capable Android device, you can’t really claim either of those requirements are that hard to accommodate.
We’ll also need a USB On-The-Go (OTG) adapter cable, which lets you connect a standard USB device to the Micro-USB port found on most Android tablets and smartphones (such as the Nexus line). These can be had for as little as $1 USD on sites like Amazon.com or eBay.