Kismet - PowerPoint PPT Presentation

Provided by: bro19

1
Kismet
  • CS653 Network Security
  • By
  • Clark Brown
  • 5 Dec 2006

2
What is Kismet?
  • Kismet is a network detector, packet sniffer, and
    intrusion detection system for 802.11 wireless
    LANs. Kismet will work with any wireless card
    which supports raw monitoring mode, and can sniff
    802.11b, 802.11a and 802.11g traffic. The program
    runs under Linux, FreeBSD, NetBSD, OpenBSD, and
    Mac OS X. The client can also run on Windows,
    although a drone is the only compatible packet
    source.

3
Kismet Screen Shot
4
Kismet Screen Shot
5
Kismet Screen Shot
6
Architecture
  • Kismet has three separate parts.
  • Drone
  • Server
  • Client
  • A drone can be used to collect packets, and then
    pass them on to a server for interpretation. A
    server can either be used in conjunction with a
    drone, or on its own, interpreting packet data,
    and extrapolating wireless information, and
    organizing it. The client communicates with the
    server and displays the information the server
    collects.

7
Features
  • Passive
  • Kismet differs from most other wireless network
    detectors in that it works passively. This means
    that, without sending any traceable packets, it
    is able to detect the presence of both wireless
    access points and wireless clients, and to
    associate them with each other
  • Includes basic wireless intrusion detection
    system features
  • Detects active wireless sniffing programs
    including NetStumbler, as well as a number of
    wireless network attacks

8
More Features
  • Logging
  • Has the ability to log all sniffed packets and
    save them in a Wireshark-, tcpdump- or
    AirSnort-compatible file format
  • Wireshark
  • TCPdump
  • Airsnort
  • Supports optional channel hopping
  • Channel hopping means that it constantly changes
    from channel to channel, not in a repeating
    1-2-3-4-5-6-7-8-9-10-11-12-13-14 sequence but in
    a user-defined sequence with a default value that
    leaves big holes between channels (for example
    1-6-11-2-7-12-3-8-13-4-9-14-5-10). The advantage
    with this method is that it will capture more
    packets because adjacent channels overlap.
  • Or Channel hopping is a term used by British
    citizens making short trips across the English
    Channel. It is most commonly used for trips to
    France, often for the purposes of a booze cruise.
  • Cool feature: Kismet also supports logging of the
    geographical co-ordinates of the network if the
    input from a GPS receiver is additionally
    available
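
The hop-order argument on this slide, worked through as an added example (not part of the original presentation or of Kismet's code). It assumes a simplified overlap model: 22 MHz-wide 802.11b channels with centres 5 MHz apart (channel 14 at 2484 MHz); the function names are hypothetical.

```python
# Added example: simplified model of 2.4 GHz channel overlap (assumed values).
CHANNELS = list(range(1, 15))   # channels 1-14, as listed on the slide
WIDTH_MHZ = 22                  # assumed 802.11b channel width

def centre_mhz(ch):
    """Centre frequency: channels 1-13 are 5 MHz apart, 14 sits at 2484 MHz."""
    return 2484 if ch == 14 else 2407 + 5 * ch

def overlaps(a, b):
    """True if a radio tuned to channel a can pick up energy from channel b."""
    return abs(centre_mhz(a) - centre_mhz(b)) < WIDTH_MHZ

def interleaved(channels, stride=5):
    """Reorder so consecutive hops are `stride` channels apart."""
    return [c for start in range(stride) for c in channels[start::stride]]

def covered_after(sequence, hops):
    """Channels that overlap at least one of the first `hops` channels visited."""
    visited = sequence[:hops]
    return [c for c in CHANNELS if any(overlaps(c, v) for v in visited)]

def hops_to_cover(sequence):
    """Number of hops before every channel overlaps something already visited."""
    for hops in range(1, len(sequence) + 1):
        if len(covered_after(sequence, hops)) == len(CHANNELS):
            return hops
    return None

if __name__ == "__main__":
    for name, seq in (("sequential", CHANNELS), ("interleaved", interleaved(CHANNELS))):
        print(name, "-".join(map(str, seq)))
        print("  covered after 3 hops:", covered_after(seq, 3))
        print("  hops until whole band is covered:", hops_to_cover(seq))
```

Under this model the interleaved order has overlapped every channel after 6 hops, while the sequential order needs 12, which is why a monitoring sensor that hops with gaps sees activity across the band sooner.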

9
AirSnort
10
Features Expanded
  • Kismet has many features useful in different
    situations for monitoring wireless networks
  • Ethereal/Tcpdump compatible data logging
  • Airsnort compatible weak-iv packet logging
  • Network IP range detection
  • Built-in channel hopping and multicard split
    channel hopping
  • Hidden network SSID decloaking (also works in
    the Klingon Empire)
  • Graphical mapping of networks
  • Client/Server architecture allows multiple
    clients to view a single Kismet server
    simultaneously
  • Manufacturer and model identification of access
    points and clients
  • Detection of known default access point
    configurations
  • Runtime decoding of WEP packets for known
    networks
  • Named pipe output for integration with other
    tools, such as a layer3 IDS like Snort
  • Multiplexing of multiple simultaneous capture
    sources on a single Kismet instance
  • Distributed remote drone sniffing
  • XML output
  • Over 20 supported card types

11
Hacker Threats
  • A hacker can use these same tools in the same way
    the security manager can
  • Sniff Packets
  • Open air data detection
  • WEP decryption
  • Channelhopping
  • Determines the physical location of the network
  • Kismet identifies networks by passively
    collecting packets and detecting standard named
    networks, detecting (and given time, decloaking)
    hidden networks, and inferring the presence of
    non-beaconing networks via data traffic.

12
Security Benefits
  • How would a security manager benefit from using
    Kismet?
  • Finding holes in the network
  • Wireshark is a free software protocol analyzer,
    or "packet sniffer" application, used for network
    troubleshooting, analysis, software and protocol
    development, and education. It has all of the
    standard features of a protocol analyzer.
  • Features
  • Data can be captured "from the wire" from a live
    network connection or read from a capture file.
  • Live data can be read from Ethernet, FDDI, PPP,
    Token Ring, IEEE 802.11, Classical IP over ATM,
    and loopback interfaces (at least on some
    platforms; not all of those types are supported
    on all platforms).
  • Captured network data can be browsed via a GUI,
    or via the TTY-mode "tshark" program.
  • Captured files can be programmatically edited or
    converted via command-line switches to the
    "editcap" program.
  • Display filters can also be used to selectively
    highlight and color packet summary information.
  • Data display can be refined using a display
    filter.
  • Hundreds of protocols can be dissected.

13
Security Benefits
  • TCPdump is a common computer network debugging
    tool that runs under the command line. It allows
    the user to intercept and display TCP/IP and
    other packets being transmitted or received over
    a network to which the computer is attached
  • Features
  • Used to debug the network setup itself, by
    determining whether all necessary routing is or
    is not occurring properly, allowing the user to
    further isolate the source of a problem
  • Used to intercept and display the communications of
    another user or computer. Some protocols, such as
    telnet and HTTP, transmit information unencrypted
    over the network. A user with control of a router
    or gateway through which other computers'
    unencrypted traffic passes can use tcpdump to
    view login IDs, passwords, the URLs and content
    of websites being viewed, or any other
    information.

14
Security Benefits
  • AirSnort is a Linux utility (using GTK) for
    decrypting WEP encryption on an 802.11b network.
  • Netstumbler provides a means of detecting
    wireless LANs
  • Detects active wireless sniffing programs as well
    as a number of wireless network attacks

15
Yeah But How Can I Use It?
  • Wardriving: Mobile detection of wireless
    networks, logging and mapping of network
    location, WEP, etc.
  • Site survey: Monitoring and graphing signal
    strength and location.
  • Distributed IDS: Multiple Remote Drone sniffers
    distributed throughout an installation monitored
    by a single server, possibly combined with a
    layer3 IDS like Snort.
  • Rogue AP Detection: Stationary or mobile sniffers
    to enforce site policy against rogue access
    points.
  • Now this is cool: Kismet can write to Festival
    for speaking information about networks. They
    even considered the guy too lazy to read!

16
Where Can I Find Information
  • http://www.kismetwireless.net/documentation.shtml
    is the best source of information I found.
  • 1. What is Kismet
  • 2. Quick Start
  • 3. Feature Overview
  • 4. Typical Uses
  • 5. Upgrading From Previous Versions
  • 6. Suidroot Security
  • 7. Required Libraries Utilities
  • 8. Compiling
  • 9. Configuration
  • 10. Panels Interface
  • 11. Operating Systems
  • 12. Capture Sources
  • 13. Graphical Network Mapping
  • 14. Drone Remotes
  • 15. Intrusion Detection
  • 16. Reporting Bugs
  • 17. Troubleshooting
  • 18. Frequently Asked Questions

17
Conclusion
  • Kismet can be used equally effectively by a
    security manager and a hacker.

18
Sources
  • http://en.wikipedia.org/wiki/Kismet_%28program%29
  • http://en.wikipedia.org/wiki/Wireshark
  • http://en.wikipedia.org/wiki/Tcpdump
  • http://www.kismetwireless.net/
  • http://www.kismetwireless.net/documentation.shtml

19
Questions
  • What is Kismet in its most basic definition?
  • List 2 features of Kismet
  • Is Kismet more advantageous to a hacker or
    security manager? Why?