Skip to content

Wardriving

Jump to bottom
André Henrique edited this page Jun 8, 2026 · 2 revisions

Wardriving

GPS-tagged wireless network discovery and mapping. The wardriving modules collect WiFi scan data georeferenced with GPS coordinates and export to multiple formats for analysis and reporting.

Module Reference

Module Description
wardrive/wardrive_logger GPS-tagged WiFi discovery logger with CSV/JSON/KML export
wifi_lab/gps_wardriving_ndjson GPS NMEA -> NDJSON wardriving log
wifi_lab/wardriving_deauth_loop Automated wardriving scan/deauth/capture cycles

wardrive_logger

The primary wardriving module. Combines passive WiFi scanning with GPS NMEA input to produce georeferenced network discovery logs.

Prerequisites

  • Monitor mode WiFi adapter
  • GPS receiver outputting NMEA 0183 (USB, Bluetooth, or serial)
  • Optional: USB GPS (u-blox, GlobalSat, etc.)

Basic Usage

wxf > use generic/wardrive/wardrive_logger
wxf (WardrivingLogger) > show options

Options:
  INTERFACE     wlan0mon    Monitor mode WiFi interface
  GPS_PORT      /dev/ttyACM0  GPS serial port (or tcp:host:port for network GPS)
  GPS_BAUD      4800        GPS serial baud rate
  OUTPUT_DIR    /tmp/wardrive  Output directory for logs
  FORMATS       csv,json,kml  Export formats (csv, json, kml, ndjson)
  CHANNEL_HOP   true        Hop channels (false = fixed channel)
  HOP_INTERVAL  0.1         Channel hop interval in seconds
  FILTER_SEC    none        Filter by security type (WEP, WPA, WPA2, WPA3, OPEN)
  MIN_RSSI      -100        Minimum RSSI to log (dBm)
  SIMULATE      false       Run without GPS (uses simulated coordinates)

wxf (WardrivingLogger) > set INTERFACE wlan0mon
wxf (WardrivingLogger) > set GPS_PORT /dev/ttyACM0
wxf (WardrivingLogger) > set OUTPUT_DIR /wardrive/run_20260608
wxf (WardrivingLogger) > set FORMATS csv,json,kml
wxf (WardrivingLogger) > run

[*] wardrive_logger starting...
[*] WiFi: wlan0mon | Channel hopping: enabled (0.1s/ch)
[*] GPS: /dev/ttyACM0 @ 4800 baud
[*] GPS lock acquired: -23.550500, -46.633300 (satellites: 8, HDOP: 1.2)
[*] Scanning...

[+] BSSID: AA:BB:CC:DD:EE:FF | SSID: HomeWifi     | Ch:6  | Sec:WPA2  | RSSI:-58 | GPS:(-23.5505,-46.6333)
[+] BSSID: 11:22:33:44:55:66 | SSID: OfficeNet    | Ch:11 | Sec:WPA3  | RSSI:-72 | GPS:(-23.5507,-46.6335)
[+] BSSID: AA:11:BB:22:CC:33 | SSID: GuestWifi    | Ch:1  | Sec:WPA2  | RSSI:-81 | GPS:(-23.5510,-46.6340)
[+] BSSID: FF:EE:DD:CC:BB:AA | SSID: Printer_Setup | Ch:6 | Sec:OPEN  | RSSI:-91 | GPS:(-23.5512,-46.6342)

[*] Networks found: 4 | Elapsed: 00:02:15 | Distance: 0.3 km
^C
[*] Stopping...
[+] Unique networks: 4
[+] Exports:
    /wardrive/run_20260608/wardrive_20260608_0815.csv
    /wardrive/run_20260608/wardrive_20260608_0815.json
    /wardrive/run_20260608/wardrive_20260608_0815.kml

Simulate mode (no GPS)

wxf (WardrivingLogger) > set SIMULATE true
wxf (WardrivingLogger) > run

[!] SIMULATE mode: using fixed coordinates -23.5505, -46.6333
[*] WiFi: wlan0mon | Channel hopping: enabled
[+] BSSID: AA:BB:CC:DD:EE:FF | SSID: HomeWifi | Ch:6 | Sec:WPA2 | RSSI:-58 | GPS:(simulated)
...

Output Formats

CSV

bssid,ssid,channel,security,rssi,lat,lon,first_seen,last_seen,manufacturer
AA:BB:CC:DD:EE:FF,HomeWifi,6,WPA2,-58,-23.5505,-46.6333,2026-06-08T08:15:00Z,2026-06-08T08:17:30Z,TP-Link Technologies
11:22:33:44:55:66,OfficeNet,11,WPA3,-72,-23.5507,-46.6335,2026-06-08T08:15:10Z,2026-06-08T08:16:00Z,Cisco Systems

JSON

[
  {
    "bssid": "AA:BB:CC:DD:EE:FF",
    "ssid": "HomeWifi",
    "channel": 6,
    "security": "WPA2-PSK",
    "rssi": -58,
    "lat": -23.5505,
    "lon": -46.6333,
    "first_seen": "2026-06-08T08:15:00Z",
    "last_seen": "2026-06-08T08:17:30Z",
    "manufacturer": "TP-Link Technologies"
  }
]

KML (Google Earth / Maps)

The KML export creates a Google Earth compatible file with:

  • One placemark per network
  • Color-coded by security type (red=OPEN, orange=WEP, yellow=WPA, green=WPA2, blue=WPA3)
  • Popup with BSSID, SSID, RSSI, channel, and security

gps_wardriving_ndjson

Lightweight NDJSON (newline-delimited JSON) logger for high-volume wardriving. Each line is a self-contained JSON record for streaming analysis with tools like jq.

wxf > use generic/wifi_lab/gps_wardriving_ndjson
wxf (GPSWardrivingNDJSON) > set INTERFACE wlan0mon
wxf (GPSWardrivingNDJSON) > set GPS_HOST localhost
wxf (GPSWardrivingNDJSON) > set GPS_PORT 2947
wxf (GPSWardrivingNDJSON) > set OUTPUT_FILE /tmp/wardrive.ndjson
wxf (GPSWardrivingNDJSON) > run

[*] Logging to /tmp/wardrive.ndjson
[*] GPS: gpsd at localhost:2947
{"ts":"2026-06-08T08:15:00Z","bssid":"AA:BB:CC:DD:EE:FF","ssid":"HomeWifi","ch":6,"sec":"WPA2","rssi":-58,"lat":-23.5505,"lon":-46.6333}
{"ts":"2026-06-08T08:15:01Z","bssid":"11:22:33:44:55:66","ssid":"OfficeNet","ch":11,"sec":"WPA3","rssi":-72,"lat":-23.5507,"lon":-46.6335}

Filter with jq:

# Show only open networks
cat wardrive.ndjson | jq 'select(.sec == "OPEN")'

# Count by security type
cat wardrive.ndjson | jq -r .sec | sort | uniq -c

# Extract coordinates for mapping
cat wardrive.ndjson | jq '[.bssid, .ssid, .lat, .lon] | @csv'

Automated Wardriving with Capture

The wardriving_deauth_loop module combines wardriving discovery with opportunistic handshake capture. When a target network passes the scoring threshold (configurable RSSI, WPA2 target), it sends deauth and attempts PMKID/handshake capture.

wxf > use generic/wifi_lab/wardriving_deauth_loop
wxf (WardrivingDeauthLoop) > set INTERFACE wlan0mon
wxf (WardrivingDeauthLoop) > set GPS_PORT /dev/ttyACM0
wxf (WardrivingDeauthLoop) > set MIN_RSSI -70
wxf (WardrivingDeauthLoop) > set TARGET_SECURITY WPA2
wxf (WardrivingDeauthLoop) > set CAPTURE_DIR /captures
wxf (WardrivingDeauthLoop) > set SIMULATE true
wxf (WardrivingDeauthLoop) > run

[*] Wardriving with adaptive capture: RSSI >= -70, target=WPA2
[+] AA:BB:CC:DD:EE:FF (HomeWifi) RSSI=-58 score=HIGH -> [SIMULATE] would attempt PMKID+deauth
[+] 11:22:33:44:55:66 (OfficeNet) security=WPA3 -> skip (WPA3 not target)
[*] Networks discovered: 4 | Capture attempts: 1 (simulated)

GPS Setup

gpsd (recommended)

sudo apt install gpsd gpsd-clients
sudo gpsd /dev/ttyACM0 -F /var/run/gpsd.sock

# Test
cgps -s
# Verify lock before wardriving

Direct serial (no gpsd)

Set GPS_PORT to the serial device (e.g. /dev/ttyACM0) and GPS_BAUD to match your GPS module (most use 4800 or 9600).

Network GPS (NMEA over TCP)

wxf (WardrivingLogger) > set GPS_PORT tcp:192.168.1.200:4352

Integration with Evidence Vault

For documented engagements, combine wardriving with Evidence Vault to maintain chain of custody:

wxf > use generic/evidence_vault/evidence_vault
wxf (EvidenceVault) > set SESSION_ID wardrive_client_2026_06
wxf (EvidenceVault) > set OPERATOR analyst.name
wxf (EvidenceVault) > run init

# After wardrive_logger completes:
wxf (EvidenceVault) > run capture \
    --type wardrive_log \
    --file /wardrive/run_20260608/wardrive_20260608_0815.json \
    --note "External perimeter scan, northwest block"
[+] Evidence #0001 recorded

Related pages: Evidence & Forensics | WIDS | Wi-Fi Attacks

Author: Andre Henrique (@mrhenrike) | Uniao Geek

WirelessXPL-Forge v1.8.0

Home-pt-BR | Home

Português (pt-BR)

Primeiros Passos

Ataques Wireless

Drones e UAV

Protocolos Especializados

Ferramentas de Pentest

Hardware

Clone this wiki locally