Linux, BSD, and their handheld versions
Kismet is a free wireless (802.11b) sniffer that includes a powerful set of tools and options. It supports Prism II chipset cards using the drivers provided by the Wlan-NG project. Kismet can capture data from multiple packet sources, and can log in Ethereal-, tcpdump-, and AirSnort-compatible log files, which makes it extremely versatile for data analysis and WEP cracking. In addition, it also provides graphical mapping, and can detect network addressing schemes. This tool is one of the best Linux programs available for wireless data capture.
This is a Linux program, which means installation involves several steps, unless other programs such as Ethereal are already installed. In addition, there might be various idiosyncrasies that occur because of the nature of the operating system and the open source software. You will want to be familiar with how Linux works, and how to troubleshoot errors.
Kismet does have several software prerequisites before it can be correctly installed. The following is a list of these programs and their locations.
The first step of installing Kismet is to ensure that the previously mentioned programs are fully installed. Each requires its own list of requirements (See the Ethereal segment for more information), which means it could take several hours before you have all the preliminary software correctly installed. At this point, you should download the Kismet code and compile it.
Kismet comes as source code. This means you can read the code and tweak it as you desire. It also means you must compile the software before it will run. Before that step, there are several build options built into Kismet that you need to consider. These options are handled by the configure script, which inspects your system and writes the Makefiles used for the compile based on the selected options. Table 9.1 lists these options, which are passed as flags to the script (for example, ./configure --disable-curses ).
Table 9.1. Kismet options
Once Kismet is configured via the ./configure script, run make dep , make , and then make install to compile and install the program. Figures 9.13 and 9.14 illustrate what the make commands look like while they are executing. If there is a problem, this is where you will be able to gather information for troubleshooting: the compiler and linker errors appear here, not at run time. After this step is successfully completed, the program will be ready to set up and run.
Figure 9.13. Running the make command for Kismet installation.
Figure 9.14. Running the make install command for Kismet installation.
Version 2.0 of Kismet has redefined the concept of wireless sniffers. It uses a client/server relationship and allows any number of remote connections to access the sniffer program. In other words, a network admin can have the Kismet sniffer safely tucked away on a network on the other side of a campus and be able to monitor WLAN activity without requiring a visit. On the other hand, a hacker could also install this server program on a computer deep inside his target's network and be able to capture all the wireless data traversing the airwaves. This particular design feature was new to the field of wireless sniffers, which is one of the reasons Kismet earned its place in the all-star list for WLAN monitoring tools.
The client side of Kismet is handled through a text-mode interface built on a library known as ncurses. This is not some type of witchcraft or other evil device, but is ironically more of a blessing for those who choose to or need to use text-based clients. ncurses is actually a library of functions that enable an application to draw windows and panels within the confines of a text-only screen. This means you do not need a standard graphical interface in order to run Kismet or any application that incorporates ncurses. It also means you can run this type of program remotely over an SSH session without the need for a desktop environment like KDE or GNOME.
The only downside to using an ncurses-based program is that you must be familiar with the commands used to operate the features and functions. There is no point-and-click capability in Kismet. The operations segment will cover these commands.
Installing Kismet 2 over previous versions of Kismet can result in some errors. If you have any previous version of Kismet installed, be sure to remove (or rename) the kismet.conf file located in /usr/local/etc/ . If you don't do this, you might get various configuration errors.
To use Kismet, you need to define the parameters for both the server and client when executing the program. This is accomplished by using a command in the format of kismet <server options> -- <client options> . The script launches both the server part of Kismet ( kismet_server ) and the client part ( kismet_curses ).
There are numerous options available to Kismet users. Although most have defaults set in the kismet.conf file, Kismet lets users override those defaults on the command line. Table 9.2 lists the options for your reference. This list can be generated using the kismet --help command.
Table 9.2. Kismet User Options
Once you are ready to use Kismet, you need to put the card into RF monitoring, or sniff, mode (assuming you are using a Prism II card with the wlan-ng drivers). Note that this is not the same as the promiscuous mode of an Ethernet card: in sniff mode the card is no longer associated with any access point and simply passes up every 802.11 frame it hears on the selected channel, from every network in range, whether or not the computer is legitimately connected to any of them. The command below selects a single channel (6 here); to survey other channels you must change the channel argument or let Kismet hop channels. To do this, use the following command:
wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=6
The following describes the various settings that you can configure using the wlanctl-ng commands.
If successful, you will get a message similar to the following. Note the resultcode=success at the end. If this does not appear, your card is most likely not in sniff mode, and Kismet will see no traffic.
message=lnxreq_wlansniff enable=true channel=6 resultcode=success
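The two manual steps above (renaming a stale kismet.conf before installing Kismet 2, and checking the wlanctl-ng reply for resultcode=success before starting the sniffer) are easy to skip and hard to diagnose afterwards. The following script is an added example, not part of Kismet or of this chapter, that performs both checks before launching kismet. It assumes a wlan-ng Prism II card, that the wlanctl-ng reply is read from the command's standard output, and that the old configuration is renamed with a timestamped .old suffix rather than deleted; the failure reply string used in the comments is constructed, not copied from wlan-ng.

```bash
#!/bin/sh
# Added helper for Kismet 2.x setup on a wlan-ng Prism II card.
# Not part of Kismet or of the book; the ".old" suffix and the
# single-channel check are this script's own conventions.

# Rename a kismet.conf left behind by an earlier Kismet version so the
# new version does not read it. Prints the new name; silent if absent.
backup_old_conf() {
    dir="${1:-/usr/local/etc}"
    if [ -f "$dir/kismet.conf" ]; then
        stamp=$(date +%Y%m%d%H%M%S)
        mv "$dir/kismet.conf" "$dir/kismet.conf.$stamp.old" || return 1
        echo "$dir/kismet.conf.$stamp.old"
    fi
    return 0
}

# Accept only 2.4 GHz 802.11b channel numbers (1-14) for wlanctl-ng.
valid_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# Succeed only if the wlanctl-ng reply (passed as $1) carries
# resultcode=success; any other resultcode means the card did not
# enter sniff mode, whatever the command's exit status was.
sniff_result_ok() {
    case "$1" in
        *resultcode=success*) return 0 ;;
        *) return 1 ;;
    esac
}

# Put interface $1 into sniff mode on channel $2 and verify the reply.
# Returns 2 for a bad channel, 3 if wlanctl-ng is missing, 1 if the
# card refused, 0 on success.
enable_sniff() {
    iface="$1"; chan="$2"
    valid_channel "$chan" || { echo "bad channel: $chan" >&2; return 2; }
    command -v wlanctl-ng >/dev/null 2>&1 \
        || { echo "wlanctl-ng not found" >&2; return 3; }
    out=$(wlanctl-ng "$iface" lnxreq_wlansniff enable=true channel="$chan" 2>&1) || :
    echo "$out"
    sniff_result_ok "$out"
}

# Usage: sh kismet_prep.sh wlan0 6
# Renames an old kismet.conf, enables sniff mode, then starts kismet.
if [ "$#" -eq 2 ]; then
    backup_old_conf /usr/local/etc
    enable_sniff "$1" "$2" && kismet
fi
```

Running the script with no arguments only defines the functions, so it can be sourced from a larger build-and-run script; the interface and channel are given on the command line so the same script works for a second card or a different channel without editing.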
Once you get the success result, execute the program using the options at your disposal. Upon execution, you should see a screen similar to Figure 9.15.
Figure 9.15. Kismet 2.0 detecting a local WEP-encrypted WLAN.
By looking at Figure 9.15, you can see Kismet has three main frames, or panels. Each of these panels serves a purpose and presents information about various aspects of the collected data. The following breaks down each panel and its associated fields.
The Networks Panel
These are the fields associated with the Networks panel:
The Info Panel
These are the fields associated with the Info panel:
Although this information alone makes Kismet valuable, the program can do much more. Using overlaid curses panels, Kismet expands on the basic information presented in the default screen (Figures 9.16 and 9.17). It does this through a handful of single-key commands. The following lists the commands you can use when running Kismet, and provides some examples of the type of data that can be viewed:
Figure 9.16. Sample detailed network information.
Figure 9.17. Kismet's many sort options.
As if this much information were not enough, Kismet is also available on selected palmtop computers (iPAQ/ARM and Zaurus/ARM). The only other requirement for this miniaturized version of Kismet is that the device has embedded Linux installed. See Figure 9.20 for an example of Kismet operating on a Sharp Zaurus. This is not the typical method for sniffing wireless networks, because captured data will quickly fill the relatively small amount of storage on such a device. However, it does serve as a useful analysis tool, and foreshadows a new wave of technology to come.
Figure 9.20. Kismet operating on a Sharp Zaurus.
This program is well worth the price (free). The valuable features in this program set a difficult standard for future imitators to match. The only addition that might be useful for WLAN auditing is a built-in cracker. Keep your eyes on this tool as it grows in functionality. In addition, note that this is the only WLAN auditing tool we have mentioned that operates as a client/server. This facilitates enterprise wide auditing, with a central logging location for easier log review.