Wireless Hacks: 100 Industrial-Strength Tips & Tools (text version)


Rob Flickenger


Hack 31 Detecting Networks with Kismet


Troubleshoot network problems with one of the
most advanced wireless monitoring tools available.


Unlike simple beacon scanners such as
NetStumbler [Hack #21] and
MacStumbler [Hack #22], Kismet
is one of the most advanced diagnostic tools available for wireless
networking. It is a completely passive network scanner, capable of
detecting traffic from APs and wireless clients
alike (including NetStumbler clients). It finds
"closed" networks by
monitoring the traffic sent from their users, and
logs
all raw 802.11 frames in standard pcap format for later use with
specialized diagnostic and analysis tools, as
you'll see in [Hack #39]. If you have a machine with
multiple wireless cards, Kismet even splits the work of network
scanning across all of them, making a scanner capable of
simultaneously tracking all 802.11 traffic in
range. These are just a few of the incredible features of this piece
of free software.

Of course, with all of this power comes a fair amount of complexity.
For starters, you need an 802.11b card capable of entering
RF Monitoring mode.
Some of these cards are Prism-based (such as the Senao/EnGenius,
Linksys, or D-Link cards), some are Lucent/Orinoco/Proxim/Avaya, and
some are Cisco Aironet. Kismet also works with ar5k-based 802.11a
cards. I was able to get Kismet running well on an iBook with an
internal AirPort card (an Orinoco derivative) under Debian. The
following explains what I had to do to make it work.


Installation



Download Kismet from http://www.kismetwireless.net/. Unpack the
source tree and navigate into it. If you want to use
Kismet's dump files with
Ethereal
(highly recommended), you need a copy of the
Ethereal source tree. Configure
Kismet with a line like this:

./configure --with-ethereal=../ethereal-0.9.12/

Of course, substitute the full path to your Ethereal sources. Now you
should be able to build Kismet with a standard:

make; make dep; make install

Depending on your platform and wireless card, you may also need to
install a driver capable of setting up RF Monitor mode. For the
AirPort on my iBook, I used
the precompiled kernel and modules available at http://www.macunix.net:443/ibookl.

Next, create a user that Kismet will assume when it
isn't running as root. You can also use your own UID
if you wish. Kismet needs to run as root initially, but will drop its
privileges to this UID as soon as it begins capturing data.

Now edit /usr/local/etc/kismet.conf to suit your
system. At the very least, set the source= line to
match your hardware. For the iBook, I set it to
source=orinoco,eth1,Airport. The format for this
line is
driver,device,description.
See the comments in the file for supported drivers.

If you want
Kismet
to be able to read the SSID of detected networks aloud, also download
and install the
Festival text-to-speech package. Kismet will play sound effects if
you wish; by default, it expects /usr/bin/play
to be installed (part of the Sox sound utility), but any command-line
audio player will work. All of the audio and other display parameters
are configured in /usr/local/etc/kismet_ui.conf.


Running Kismet




Before you launch Kismet, you need to
put your wireless card into RF monitoring mode. You can do
this easily by running kismet_monitor as root.
Note that once in RF monitoring mode, your card is no longer able to
associate with a wireless network, so you should use Ethernet (or
another wireless card) if you need a network connection.

Now you can start Kismet by simply running kismet
under your normal UID. This should present you with a screen that
looks something like Figure 3-26.


Figure 3-26. Kismet's main screen.



I say that it will look something like this figure, because more
likely than not you will see only one network, if any. This is
because you need to manually tell your card to start hopping between
channels. From another xterm, run
kismet_hopper -p as root. This makes your card skip between
channels in an efficient manner. Naturally, the skip pattern is
completely configurable to your tastes. See man
kismet_hopper
for details.

Once kismet_hopper
is up and running, you should see the main screen spring to life with
all sorts of information. By default, Kismet initially sorts the
network list based on the last time it saw traffic from each network.
This list constantly changes, making it impossible to select one
network for more detailed operations.
Change the sort order by hitting
s at any time, followed by the desired sort order
(for example, to sort on SSID, hit ss). You can
now use the arrow keys to select a particular network for further
inspection. Hit h at any time to see the keystroke
help, and q to close any pop-up window.

Now that a couple of networks are listed, you can get more
information on any one of them by selecting it and hitting
i. Figure 3-27 shows the network
information screen.


Figure 3-27. Detailed network information.



In addition to standard access points, Kismet displays
Ad-Hoc networks, as well as so-called
"closed" networks. If there are no
clients actively using a closed network, it displays the network
information with a name of <no ssid>. Once a
client associates with the closed network, this information is
updated with the proper SSID.

Kismet also tracks a great deal of
information about wireless clients. For example, to see the
associated clients of a particular AP, hit c from
the main screen. This is illustrated in Figure 3-28.


Figure 3-28. View associated clients for a particular wireless network.



Kismet attempts to guess the IP network in use based on the traffic
it sees. It also keeps statistics about how much traffic each client
is generating, making it easy to discover who is hogging all of the
bandwidth.
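Two of the behaviours described above, the <no ssid> placeholder that a closed network keeps until a client's probe exchange reveals its name, and the per-client traffic tally, both come from looking at the raw 802.11 frames that Kismet also writes to its pcap dump. The following is an added example, not Kismet's own code: a small reader for a pcap file of raw 802.11 frames (pcap link type 105) that rebuilds the SSID table and a bytes-per-transmitter count the same way. The AP and client MAC addresses, the SSIDs, and the frames themselves are constructed here for the demonstration.

```python
"""Constructed example: parse a pcap of raw 802.11 frames (link type 105, the
format Kismet logs) and rebuild the network table as the text describes.
Not Kismet code; all frames below are built in this file for illustration."""
import struct

LINKTYPE_IEEE802_11 = 105          # pcap link type for raw 802.11 frames
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8

# --- constructed test data (hypothetical addresses) ------------------------
AP_HIDDEN = bytes.fromhex("001122334455")   # a "closed" AP: beacons with empty SSID
AP_OPEN = bytes.fromhex("00aabbccddee")     # an ordinary beaconing AP
CLIENT = bytes.fromhex("0201aabbcc01")      # a client that knows the closed SSID


def mgmt_frame(subtype, transmitter, bssid, ssid, fixed_fields=True):
    """Build a management frame. Beacons and probe responses carry 12 bytes of
    fixed fields (timestamp, beacon interval, capabilities) before the IEs;
    probe requests start their IEs right after the 24-byte header."""
    fc = bytes([subtype << 4, 0])                       # frame control: type 0 = management
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + transmitter + bssid + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, 0x0401) if fixed_fields else b""
    return hdr + body + bytes([0, len(ssid)]) + ssid    # IE tag 0 = SSID


def data_frame(transmitter, bssid, payload_len):
    """Build a To-DS data frame (addr1 = BSSID, addr2 = transmitter)."""
    fc = bytes([0x08, 0x01])                            # type 2 = data, To-DS set
    return fc + b"\x00\x00" + bssid + transmitter + bssid + b"\x00\x00" + b"A" * payload_len


def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file with link type 105."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    mgmt_frame(SUBTYPE_BEACON, AP_HIDDEN, AP_HIDDEN, b""),                       # closed network
    mgmt_frame(SUBTYPE_BEACON, AP_OPEN, AP_OPEN, b"coffeeshop"),
    mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, AP_HIDDEN, b"secretnet", fixed_fields=False),
    mgmt_frame(SUBTYPE_PROBE_RESP, AP_HIDDEN, AP_HIDDEN, b"secretnet"),          # reveals name
    data_frame(CLIENT, AP_HIDDEN, 200),
])


# --- the reader ------------------------------------------------------------
def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def pcap_frames(data):
    """Yield each captured frame; handles both byte orders via the magic number."""
    magic = struct.unpack_from("<I", data)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data)[6]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"expected raw 802.11 capture, got link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ies(body):
    """Split a tag/length/value information-element list into a dict."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def analyze(pcap_bytes):
    """Return the SSID table, the SSIDs clients probed for, and bytes per transmitter."""
    networks, probes, bytes_by_tx = {}, {}, {}
    for frame in pcap_frames(pcap_bytes):
        if len(frame) < 24:
            continue
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        tx, bssid = mac(frame[10:16]), mac(frame[16:22])     # addr2 is always the transmitter
        bytes_by_tx[tx] = bytes_by_tx.get(tx, 0) + len(frame)
        if ftype != 0:
            continue
        if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            ssid = parse_ies(frame[36:]).get(0, b"")
            if ssid.strip(b"\x00"):                          # empty or all-NUL SSID = closed
                networks[bssid] = ssid.decode("utf-8", "replace")
            else:
                networks.setdefault(bssid, "<no ssid>")       # keep a name learned earlier
        elif subtype == SUBTYPE_PROBE_REQ:
            ssid = parse_ies(frame[24:]).get(0, b"")
            if ssid:
                probes.setdefault(tx, set()).add(ssid.decode("utf-8", "replace"))
    return {"networks": networks, "client_probes": probes, "bytes_by_tx": bytes_by_tx}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PCAP).items():
        print(key, value)
```

Run against a real Kismet dump by replacing SAMPLE_PCAP with the file's bytes; the reader raises on any link type other than 105, which is the check that catches a capture taken from a card that was not actually in monitor mode.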


If you
find that you are missing packets while
monitoring a particular wireless network, this is probably because
you are still scanning for networks. To focus on a specific channel,
kill kismet_hopper and set your channel
manually. In Linux, this is accomplished with a command such as:

# iwpriv eth1 monitor 2 6

eth1 is set to monitor mode, and the last number
specifies the channel. The above example would set the card to
monitor channel six. When tuned to one channel, this allows Kismet to
capture much more data as it doesn't have to divide
its time between multiple channels. Consult the documentation if you
would like to add more radio cards to completely cover the entire
available spectrum.


Cleaning Up


When you are finished using Kismet, hit
Q (that's a capital Q) to quit,
and then run kismet_unmonitor as root. This takes
your wireless card back out of monitor mode, but does not reset its
original network parameters. Either eject the card and reinsert it,
or configure your SSID and other settings manually to start using
wireless as you normally would.

These are just a few of the insanely useful features that Kismet has
to offer. On top of everything else, Kismet saves all recorded frames
to standard pcap format, so you can use tools like Ethereal or
AirSnort to pore over your captured data for later analysis. It can
be daunting to get Kismet running at first, but it is worth the
effort when serious network analysis is called for.


See Also


Tons of information on RF Monitoring drivers (http://airsnort.shmoo.com/)

AirSnort on the iBook (http://www.macunix.net:443/ibookl)

Passive RF Monitoring on the iBook (http://www.swieskowski.net/code/wifi.php)
