
Tag: kismet

Kismet Drones

This Kismet tutorial provides a basic framework for using Kismet drones.
Kismet is an 802.11 wireless network detector, sniffer, and intrusion
detection system. Kismet will work with any wireless card which
supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g,
and 802.11n traffic (devices and drivers permitting).

Kismet also sports a plugin architecture allowing for additional
non-802.11 protocols to be decoded.

Kismet identifies networks by passively collecting packets and detecting
networks, which allows it to detect (and given time, expose the names
of) hidden networks and the presence of non-beaconing networks via data
traffic.

Kismet Drones are designed to turn Kismet into a distributed IDS system.
Drones support all of the capture methods Kismet normally supports,
including multiple capture devices per drone. Drones capture wireless
data and forward it to a Kismet server over a secondary connection (i.e.,
wired Ethernet). Drones do not do any decoding of packets and have
minimal hardware requirements.

A Kismet server connects to the drones and will provide a single Kismet
UI display, packet dump, and alert generation point. Capture sources on
remote Kismet drones are forwarded to the Kismet server and appear as
independent capture devices which can be configured for channel hopping,
locking, etc.

Using the tun/tap export function, the central Kismet server can export
the packets from all attached drones to a virtual network interface for
use with external IDS/packet capture systems (such as Snort).

To start using drones, either launch the kismet_drone process on a remote
system (editing kismet_drone.conf to control which hosts are allowed to
connect) or turn on drone capabilities in the Kismet server (by enabling
the drone config options in kismet_server.conf). When a kismet_server
instance runs as a drone, local logging works as usual and Kismet clients
can still connect to it. When running kismet_drone, Kismet clients cannot
connect to it directly and it does not log; a kismet_server instance must
be started to provide packet decoding, logging, and Kismet UI
connectivity. Because the drone forwards raw captured frames, the
allowed-hosts setting is the access control for that stream: list only
the server that should receive it.
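The drone and server side of that setup, as an added example that is not part of the Kismet README text above: a small POSIX shell script that writes both config fragments and refuses a drone config that would let any host attach. The option names (ncsource, dronelisten, droneallowedhosts, dronemaxclients and the drone:host=... capture source) and the default drone port 2502 follow the 2009 newcore Kismet release and should be treated as assumptions to check against the sample config your build ships; the interface, addresses and output directory are placeholders.

```shell
#!/bin/sh
# Added example, not the Kismet project's own code: generate the two config
# fragments that attach a kismet_drone to a central kismet_server, then sanity
# check the drone config before deploying it. Option names and the drone port
# 2502 follow the 2009 "newcore" Kismet release (assumption: compare with the
# sample configs shipped with your build).

# write_drone_configs OUTDIR CAPTURE_IFACE DRONE_IP SERVER_IP
write_drone_configs() {
  outdir=$1
  iface=$2
  drone_ip=$3
  server_ip=$4
  mkdir -p "$outdir"

  # Drone side. The drone link carries raw frames and, as far as this example
  # assumes, has no authentication of its own: the bind address and the
  # allowed-hosts list are the only access controls, so bind to the wired
  # management address and admit only the server.
  cat > "$outdir/kismet_drone.conf" <<EOF
version=2009-newcore
servername=Kismet-Drone-$iface
# local capture source; the server controls hopping/locking per source
ncsource=$iface
# listen on the wired address only, never 0.0.0.0
dronelisten=tcp://$drone_ip:2502
# only the central server may attach
droneallowedhosts=$server_ip
dronemaxclients=1
EOF

  # Server side: append to the server's kismet.conf, one ncsource per drone.
  cat > "$outdir/kismet.conf.drone" <<EOF
ncsource=drone:host=$drone_ip,port=2502,name=drone-$iface
EOF
}

# check_drone_conf FILE: returns 0 if the drone config names specific allowed
# hosts and does not bind or allow the wildcard address, 1 otherwise.
check_drone_conf() {
  conf=$1
  grep -Eq '^droneallowedhosts=[0-9]' "$conf" || return 1
  if grep -Eq '^droneallowedhosts=(.*,)?0\.0\.0\.0' "$conf"; then return 1; fi
  if grep -Eq '^dronelisten=tcp://0\.0\.0\.0:' "$conf"; then return 1; fi
  return 0
}

# Demo entry point: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  write_drone_configs "$dir" wlan0 192.168.1.10 192.168.1.2
  cat "$dir/kismet_drone.conf" "$dir/kismet.conf.drone"
  check_drone_conf "$dir/kismet_drone.conf" && echo "drone config OK"
fi
```

Run it with the `demo` argument to print the generated files; point kismet_drone at the generated kismet_drone.conf and append the one-line fragment to the server's kismet.conf. The check deliberately fails closed: a config without an explicit droneallowedhosts is rejected rather than assumed safe.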


Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. The client can also run on Microsoft Windows, although, aside from external drones, only one wireless card is supported there as a packet source.

Kismet 2.7.1 screenshot

Distributed under the GNU General Public License, Kismet is free software.

Kismet is unlike most other wireless network detectors in that it works passively. This means that without sending any loggable packets, it is able to detect the presence of both wireless access points and wireless clients, and associate them with each other.

Kismet also includes basic wireless IDS features such as detecting active wireless sniffing programs including NetStumbler, as well as a number of wireless network attacks.

Kismet has the ability to log all sniffed packets and save them in a tcpdump/Wireshark or AirSnort compatible file format.

To find as many networks as possible, Kismet supports channel hopping. It constantly changes channel in a user-defined, non-sequential order whose default leaves big gaps between consecutive channels (for example 1-6-11-2-7-12-3-8-13-4-9-14-5-10). Because adjacent 2.4 GHz channels overlap, each hop lands on a channel whose traffic was not already overheard from the previous one, so this order captures more packets than stepping through the channels in sequence.

Kismet also supports logging of the geographical coordinates of the network if the input from a GPS receiver is additionally available.

Kismet has three separate parts. A drone can be used to collect packets, and then pass them on to a server for interpretation. A server can either be used in conjunction with a drone, or on its own, interpreting packet data, and extrapolating wireless information, and organizing it. The client communicates with the server and displays the information the server collects.


Wardriving – The Same Old Song and Dance
By D Grady

It seems like it’s been forever since wardriving was used to map out the neighborhood wifi scene. I remember when statistics about mass wireless networks first started to emerge. I remember building antennas out of soup cans and a wire coat hanger. I remember having to build GPS drivers from source so Kismet could include coordinates in its output. I even remember cracking my first WEP network – it took me the better part of a week. It all seems like ancient history now.

If that was forever ago, we must have come up with some new way to secure wireless networks. We must all be running high-end encryption and have everything locked down right from the factory. After all, wireless vendors know what can be done with a laptop and some free wireless utilities. Even non-techies can tell you the dangers of WEP and running default networks. If that’s true – wardriving would probably be a waste of time these days. That’s what I thought about one weekend, so I set out to get a glimpse on the current state of wireless security.

I grabbed my Eee PC, fired up Kismet, hopped in the Jeep, and tore off across the countryside. After an hour of driving through the little beach town I live in, I had collected information on about 900 unique networks. Once I got back to the house, I fired up a shell and got to work analyzing the data. The spread of open, WEP, and WPA encrypted networks surprised me. I didn’t think I would find almost 300 open networks in this little town. Add in the 345 WEP protected networks, and that’s about 70% of total networks either completely open or protected with exceedingly crackable encryption.

Next, I did analysis on the SSIDs (the name of the network). This was also pretty interesting. Almost 10% of all networks had ‘linksys’ as their SSID. If they didn’t change the default SSID, I can imagine they changed little else. A number of the networks had personal names as their SSIDs (identity theft waiting to happen?). A few more had their street addresses as the network name. Some of the apartments and condos even had their apartment number worked in somehow.

Another interesting thing I noticed was wireless used by businesses. Digging through the raw output – I came across a lot of networks with familiar names because they belonged to businesses in town. A large CNC and prototyping shop in town had an open wifi network. A few other smaller businesses had wireless networks with their name on it. I also came across a large amount of hidden networks when I drove through industrial areas – I can only assume that some more prodding would produce more business networks. The biggest shock to me was the local police station running WEP! At least if I ever got arrested I could email someone for bail money.

It appears it’s the same old sad state of wireless security out there. I don’t expect general consumers to fret over the differences between WPA1 and WPA2, or how much overhead AES encryption has – but I expect businesses to know their risk. They should invest in a wireless penetration test or wireless security audit if they intend on rolling out wireless. Hire a professional to assess your physical surroundings for existing wireless networks you may not know about, and then have them help plan out implementation strategies with you. Wireless can be a great way to get some freedom from traditional networks, but all that freedom can come at paralyzing costs. A little planning and research can help slim down attack surfaces, and can help make casual wardriving a thing of the past.
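The census Grady describes above (the open/WEP/WPA split and the default-SSID check), as an added example that is not his script: a POSIX shell script built around awk, which is what "fired up a shell and got to work" usually means in practice. The sample rows are constructed; they use the column names of Kismet's old semicolon-separated .csv network log, and because the real file carries many more columns the parser finds fields by header name rather than by position (assumption: the header line is present, as it is in Kismet-written .csv logs). The list of factory SSIDs is a short starter list, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not Grady's own analysis script: tally a Kismet .csv network
# log the way the post describes. Sample rows are constructed and follow the
# column names of the old semicolon-separated Kismet .csv log (assumption: the
# real file has many more columns, so fields are looked up by header name).

sample_kismet_csv() {
  cat <<'EOF'
Network;NetType;ESSID;BSSID;Info;Channel;Cloaked;Encryption;Decrypted;MaxRate
1;infrastructure;linksys;00:11:22:33:44:01;;6;No;None;No;54.0
2;infrastructure;Smith Family;00:11:22:33:44:02;;11;No;WEP;No;54.0
3;infrastructure;1204 Ocean Ave;00:11:22:33:44:03;;1;No;WEP;No;54.0
4;infrastructure;linksys;00:11:22:33:44:04;;6;No;None;No;11.0
5;infrastructure;;00:11:22:33:44:05;;11;Yes;WPA,TKIP,PSK;No;54.0
6;infrastructure;PD-Dispatch;00:11:22:33:44:06;;1;No;WEP;No;11.0
7;infrastructure;NETGEAR;00:11:22:33:44:07;;6;No;WPA,AES-CCM,PSK;No;54.0
8;infrastructure;default;00:11:22:33:44:08;;11;No;None;No;54.0
EOF
}

# kismet_crypto_summary FILE -> "open=N wep=N wpa=N cloaked=N total=N weak_pct=N"
# WPA is tested first so that a record listing both WPA and WEP flags is not
# counted as WEP; anything advertising neither is open.
kismet_crypto_summary() {
  awk -F';' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $0 == "" { next }
    {
      e = $col["Encryption"]
      if (e ~ /WPA/)      wpa++
      else if (e ~ /WEP/) wep++
      else                open++
      if ($col["Cloaked"] == "Yes") cloaked++
      total++
    }
    END {
      pct = total ? 100 * (open + wep) / total : 0
      printf "open=%d wep=%d wpa=%d cloaked=%d total=%d weak_pct=%d\n",
             open, wep, wpa, cloaked, total, pct
    }' "$1"
}

# kismet_default_ssids FILE -> "SSID count" lines, most common first.
# Factory SSIDs below are a short starter list (assumption), extend as needed.
kismet_default_ssids() {
  awk -F';' '
    BEGIN {
      n = split("linksys default netgear dlink belkin54g", d, " ")
      for (i = 1; i <= n; i++) def[d[i]] = 1
    }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $0 == "" { next }
    { s = $col["ESSID"]; if (tolower(s) in def) cnt[s]++ }
    END { for (s in cnt) printf "%s %d\n", s, cnt[s] }' "$1" | sort -k2,2nr -k1,1
}

# Demo entry point: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  sample_kismet_csv > "$f"
  kismet_crypto_summary "$f"
  kismet_default_ssids "$f"
  rm -f "$f"
fi
```

On the constructed sample the summary line reads open=3 wep=3 wpa=2 cloaked=1 total=8 weak_pct=75, which is the same "open or WEP" percentage Grady computed for his town. Point the two functions at a real Kismet .csv instead of the sample to reproduce the census; cloaked networks show up with an empty ESSID, which is why the hidden-network count is reported separately rather than folded into the SSID list.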

Redspin’s cost effective penetration testing services utilize the latest technology. http://www.redspin.com


Wireless Security: 6 Ways to Stop and Catch Hackers and War Drivers
By Eric Meyer

Wardrivers are in the business of finding wireless access points, documenting them, and uploading their locations to the web. Why would someone do this? For several reasons:

First, they want free internet access. Next, they could just be wardriving as a hobby. Finally, they could be targeting your network for financial gain.
One of the most frequently asked questions is how to stop hackers from trying to hack your wireless LAN, and how to catch them in the act.

Stopping Wardrivers:

1. Use directional antennas: One of the most understated uses of directional antennas is keeping your wireless signal within your area of operation. If you are using an omnidirectional antenna that sends half the signal outside your building, you have a major security problem. While using a directional antenna, also turn down the transmit power to reduce your signal strength if you can.

2. Blend your wireless antennas into your building’s architecture or keep them low profile. This is not expensive; the whole point is not letting your antennas stick out like a sore thumb, so that anyone driving by doesn’t say, “wow, they have a wireless network.” Once again, the best way to stop people from trying to hack your wireless network is to keep it hidden. Bear in mind that hiding the hardware only fools the casual observer: a passive sniffer such as Kismet sees the signal no matter where the antenna is mounted, so this complements the previous item rather than replacing it.

3. Use Kismet to make a cheap wireless intrusion detection system. Take an older desktop computer, install Linux, add a USB or PCI wireless adapter that supports monitor mode, and you have your wardriver detector. Kismet will alert you when wireless clients are probing your network (AirSnort, often mentioned alongside it, is a WEP key-recovery tool rather than an IDS, so rely on Kismet for the alerting). A client running NetStumbler, or one that keeps probing for networks without ever joining one, will be flagged by Kismet, and its wireless adapter’s MAC address will be logged along with the SSIDs it probed for. Most of these will be false hits, but if you notice a pattern of the same MAC address probing networks you could have a hacker problem.

4. Security cameras: No matter how hard you try to keep your signal from bleeding outside your operations area, it will, to a point. Probe your own network as if you were a wardriver. Don’t just use a standard wireless adapter to find out where you can still detect your network; use a highly directional antenna to see how far away you can pick it up. Once you know your weak points, set up some cheap security cameras to monitor those areas.

5. Set up a honeypot: Give the wardriver what they want, a network to hack. Take an access point, connect it to a standalone switch with another junk computer on that switch, name the SSID something important-sounding like “server WLAN”, and name the computer “Database”. Finally, use a weak password or leave the access point without any security. Make sure the standalone switch really is standalone: the honeypot must have no path into your production network. Script kiddies who say they “hack networks” are really only connecting to open wireless LANs with no security. Giving them an important-sounding SSID with a “database” to hack will keep them occupied until you can track them down. There are many free and commercial honeypot programs that simulate networks or servers while really just recording the attacker’s information and the types of attacks.

6. Use a RADIUS server: With WPA-Enterprise (802.1X), wireless clients authenticate to a RADIUS server with a username and password (or a certificate) rather than with a PSK (pre-shared key) that everyone shares. Without a RADIUS server you really don’t know who is on your WLAN; with one you know who accessed it and when. A RADIUS server also lets you create policies for the times your WLAN can be accessed and for other security features the wireless clients must have enabled on their computers.

Now let’s put this all together to catch our hacker. First, during your daily routine of checking the logs on your Kismet IDS server, you notice the same MAC address probing networks but not joining. Next you check your help tickets and notice that in one area of the building clients were having trouble connecting to the wireless network or staying connected.
Flags go up in your head, so you go over to your honeypot server and check it. You notice it was accessed around the same time the Kismet logs showed a client probing the network. The honeypot recorded the MAC address of the wardriver, the operating system, and the computer name.

Next you check your security cameras for that time but don’t really notice anything. So for the next couple of days you keep monitoring your honeypot server and watch the hacker try to crack the WLAN and the database server. Cracking WEP is actually two steps. The first is gathering enough packets for the cracking program to work with; done passively, that can take days or weeks, not five minutes (an attacker who injects traffic to hurry it along is far noisier and easier to spot). Once there are enough packets, a 64-bit WEP key can be recovered in less than five minutes, and a 128-bit key takes longer. WPA, whether TKIP or AES, with a pre-shared key is a different problem: the attacker captures a single handshake and then guesses the passphrase offline, so the time to crack depends on passphrase strength, and a strong passphrase holds for months or longer.

My whole point is that you have some time to catch your hacker, because he will be back many times, assuming that you already have at least the basic security features in place.
Now, once you have all your logs and honeypot data compiled, you should have a good idea how the hacker behaves. Keep the Kismet box, the honeypot and the camera recorder synchronized with NTP, or the timestamps you are about to line up will not match. Check your security cameras and you will probably notice the same car or person in the area around that time. Take that information to your in-house security and tell them to watch for that vehicle or person and call the police.

If you are lucky, security or the police will spot him and apprehend him. Convicting him or her will be tough, but with your compiled logs and video you should have a lot of evidence to help your case.
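The correlation step in the walk-through above (a MAC that keeps tripping Kismet's probe alerts and then shows up on the honeypot AP), as an added example that is not Meyer's: a POSIX shell script over two constructed logs. PROBENOJOIN and NETSTUMBLER are real Kismet alert types, but the line layout used here (date, time, ALERT, type, text) is an assumption, as is the hostapd/dnsmasq-style honeypot log; MAC addresses are normalized to lower case because the two sources disagree on case, which is exactly the kind of mismatch that makes a naive grep miss the match.

```shell
#!/bin/sh
# Added example, not Meyer's: correlate Kismet scanner alerts with the honeypot
# AP's own log. Both logs are constructed samples; the alert names are real
# Kismet alert types, the line layout of both logs is an assumption.

sample_kismet_alerts() {
  cat <<'EOF'
2008-06-02 22:14:03 ALERT PROBENOJOIN Suspicious client 00:16:CF:AA:BB:01 - probing networks but never participating
2008-06-02 22:14:41 ALERT PROBENOJOIN Suspicious client 00:16:CF:AA:BB:01 - probing networks but never participating
2008-06-02 22:15:10 ALERT NETSTUMBLER Netstumbler probe from 00:16:CF:AA:BB:01
2008-06-03 21:58:22 ALERT PROBENOJOIN Suspicious client 00:1B:77:CC:DD:02 - probing networks but never participating
2008-06-03 22:03:05 ALERT PROBENOJOIN Suspicious client 00:16:CF:AA:BB:01 - probing networks but never participating
2008-06-03 22:03:09 INFO New network "1204 Ocean Ave" BSSID 00:11:22:33:44:03
EOF
}

sample_honeypot_log() {
  cat <<'EOF'
2008-06-03 22:07:44 honeypot-ap: STA 00:16:cf:aa:bb:01 associated to SSID server-WLAN
2008-06-03 22:07:45 honeypot-ap: DHCPACK 10.99.0.23 00:16:cf:aa:bb:01 hp-pavilion
2008-06-03 22:41:10 honeypot-ap: STA 00:1e:58:ee:ff:03 associated to SSID server-WLAN
EOF
}

# repeat_probers ALERTLOG MIN -> "mac alerts days" for clients that tripped at
# least MIN scanner alerts. Distinct days matter: a passer-by trips one alert,
# the wardriver who keeps coming back trips them on several evenings.
repeat_probers() {
  awk -v min="$2" '
    $3 == "ALERT" && ($4 == "PROBENOJOIN" || $4 == "NETSTUMBLER") {
      for (i = 5; i <= NF; i++) {
        # a MAC token is 17 chars of hex and colons; timestamps are shorter
        if ($i ~ /^[0-9A-Fa-f:]+$/ && length($i) == 17) {
          m = tolower($i)
          alerts[m]++
          if (!((m, $1) in seen)) { seen[m, $1] = 1; days[m]++ }
        }
      }
    }
    END { for (m in alerts) if (alerts[m] >= min) print m, alerts[m], days[m] }' "$1" | sort
}

# correlate_with_honeypot ALERTLOG HONEYLOG MIN -> the repeat probers that also
# appear in the honeypot AP log, with the number of honeypot log lines they left.
correlate_with_honeypot() {
  repeat_probers "$1" "$3" | while read -r mac alerts days; do
    if grep -iq "$mac" "$2"; then
      hits=$(grep -ic "$mac" "$2")
      printf '%s alerts=%s days=%s honeypot_hits=%s\n' "$mac" "$alerts" "$days" "$hits"
    fi
  done
}

# Demo entry point: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  a=$(mktemp); h=$(mktemp)
  sample_kismet_alerts > "$a"
  sample_honeypot_log > "$h"
  correlate_with_honeypot "$a" "$h" 2
  rm -f "$a" "$h"
fi
```

On the samples, only 00:16:cf:aa:bb:01 clears the threshold (four alerts across two evenings) and it is also the station that associated to the honeypot and took a DHCP lease; the one-off prober on the second evening is filtered out. The threshold is the knob that trades false hits for misses: the post's own advice is to look for a pattern, so start at 2 or 3 and raise it if the area is busy.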

Simple and secure wireless solutions. Join the most popular wireless networking newsletter on the internet at http://www.wirelessninja.com Keep your home and family safe with Ninja certified wireless hidden cameras [http://www.wirelessninja.com/wireless_hidden_cameras.htm]


Wireless Network Security: How to Use Kismet
By Eric Meyer

Kismet is a wireless network detector and sniffer which can give you a vast amount of information about wireless networks. Wireless network security flaws are well documented but often very hard for the common person to understand. I will be showing you how to use Kismet without even having to install Linux or compile Kismet.

First, go to remote-exploit.org, download their Auditor CD image and burn it (if you don’t know how to burn an ISO image, search for it on Google). This version of Linux doesn’t install to or modify your hard drive; it boots from the CD and runs from a RAM disk in memory.

Auditor is not only a great tool for testing wireless network security with kismet but it also has many other computer security tools on it as well.

Client Window

Next, to start Kismet proceed to the Linux version of the start menu, and press Auditor.
Now proceed to the wireless /scanning/kismet tools/kismet.

Once you click on Kismet it will ask you for a default location for the Kismet log files, for analysis later; just pick the desktop or a temp directory.

Now I will show you how to use Kismet. When Kismet initially opens you will see a greenish box with numbers and network names (if any are near you) clicking away; don’t be overwhelmed. (I can’t show you how to use Kismet if you don’t have the correct wireless adapter; get an Orinoco Gold Classic card off eBay.) The Orinoco Gold Classic card will be automatically detected by Auditor Linux.

The Kismet columns show each wireless network’s SSID (name), the type of device (access point, gateway), whether it is encrypted, an IP range and the number of packets. Kismet will also pick up hidden networks with SSID broadcast disabled; NetStumbler will not.

Now press H to bring up the help menu. This gives the nuts and bolts of how to use Kismet. If you tab down to the network you are auditing and press “C”, Kismet will show you all the computers that are using that wireless access point / gateway. This Kismet screen shows each client’s MAC address, the manufacturer of its wireless adapter, its IP address range and its traffic.

Kismet: Help Menu

Now, to get out of that screen, press “Q”. Tab down on the main Kismet screen to another SSID and press “I”. This Kismet window shows detailed information about the wireless network: the type of network (infrastructure / ad hoc), signal strength, channel, encryption type, and much more.

Kismet will also give you sound alerts when new wireless networks are discovered, when security alerts fire, or when suspicious clients are in range. Suspicious clients are active scanners such as NetStumbler users; a purely passive Kismet user sends nothing and cannot be spotted this way. Unlike you, these could be wardrivers looking for vulnerable networks to hack into.

Kismet Alert Page

You can make it much harder for wardrivers to discover your wireless network by performing a proper site survey, which will help limit signal bleed into unneeded areas. Write down the suspicious MAC addresses and keep an eye on your access logs. If the wardrivers are really stupid, just look out your window for cars with weird antennas.

Kismet is more than just a tool to discover wireless networks; it can be used in conjunction with other tools to crack WEP/WPA. Many websites claim that WEP can be cracked in less than five minutes. This is only half the truth, because it can take many hours, days or months to gather enough packets to crack. Good luck and have fun learning the more advanced applications of Kismet.

Keep your wireless network simple and secure. Join the most popular wireless networking newsletter on the internet http://www.wirelessninja.com
