Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.
NST has been configured to work with Kismet. For 802.11b monitoring I have been using the "Microsoft MN-510 USB" wireless adapter. Many other 802.11 wireless adapters are supported (Ex: Orinoco and aironet).
In addition to 802.11 wireless monitoring, Kismet also includes tools and integration for producing graphical maps depicting 802.11 wireless network topologies. A NST probe running the "gpsd" daemon (found in the section called “GPSD”) coupled with an attached Chapter 12, Global Positioning System (GPS) receiver can be integrated with Kismet to produce these wireless network topologies. This ensemble of hardware/software collectively forms the necessary equipment to perform wireless 'War Driving'.
I will now demonstrate how to use Kismet with NST. An example 'War Driving' exercise will be shown.
The diagram shown in Figure 3.1, “Kismet - NST 802.11b Wireless Network Monitoring Configuration” is our NST configuration for this Kismet demonstration.
First we need to start our GPS daemon "gpsd" with an attached GPS receiver. I use a Magellan Meridian Color GPS receiver. One needs to enabled the NMEA V2.1 GSA data stream (i.e. found in the Setup/NMEA menu) to feed the GPS daemon (gpsd). Remember to first flush/reset your connecting serial device on the NST probe with the reset_serial script before running the "gpsd" daemon.:
[root@probe root]#
/usr/local/bin/reset_serial /dev/ttyS0 > /dev/null 2>&1
[root@probe root]#
/usr/local/bin/gpsd -p /dev/ttyS0
To verify that the NMEA data stream is being received by the "gpsd" daemon, one can connect to the daemon with the "NetCat" - (nc) TCP/IP network utility as shown in Figure 12.1, “NetCat - (nc) TCP/IP Network Utility Interrogating the GPSD Daemon”
Next we will setup the kismet "setup_kismet" script found in the "/usr/local/kismet-RELEASE" directory (where "RELEASE" is the Kismet release used in the NST distribution, Ex: 2004.04.R1, the directory location would be: "/usr/local/kismet-2004.04.R1") is the primary means to run the kismet server on a NST probe system.
Output information is shown for running the kismet setup script (setup_kismet):
[root@probe root]#
/usr/local/kismet-2004.04.R1/setup_kismet
============================================================
= Creating a 65536KB RAM disk at mount point: /mnt/ram4... =
============================================================
*** Zeroing out RAM device: /dev/ram4
/bin/dd if=/dev/zero of=/dev/ram4 bs=1k count=65536
65536+0 records in
65536+0 records out
*** Create a 65536KB Linux ext2 file system on RAM device: /dev/ram4
/sbin/mke2fs -vm 0 /dev/ram4 65536
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
16384 inodes, 65536 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
8 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
*** Mounting RAM disk device: /dev/ram4 at mount point: /mnt/ram4
*** Show all current mounts...
/bin/df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/ram 63461 32781 30680 52% /
none 127024 0 127024 0% /dev/shm
/dev/cdrom 482112 482112 0 100% /mnt/cdrom
/dev/ram5 31729 22209 9520 70% /mnt/ram5
/dev/ram4 63461 13 63448 1% /mnt/ram4
*** Moving Kismet's runtime script to: /mnt/ram4/kismet ...
*** Kismet's runtime script in: /mnt/ram4/kismet ...
total 4
drwxr-xr-x 2 root root 1024 Apr 23 13:59 .
drwxr-xr-x 4 root root 1024 Apr 23 13:59 ..
-rwxr-xr-x 1 root root 1032 Oct 16 2003 run_kismet_server
*** Edit the Kismet configuration file: "/etc/kismet/kismet.conf"
for your appropriate wireless network adapter settings.
Other Kismet configuration parameters may also need to be
changed for your environment (Ex: GPS or sound usage).
*** Use the "run_kismet_server" script to start up the
Kismet Server with NST. The "kismet_client" can then be
used to start monitoring wireless network traffic. Also
"gkismet" can be used within the X or VNC environment as
a GTK GUI frontend to the Kismet wireless sniffer.
---- To run the Kismet Server... ----
# cd /mnt/ram4/kismet
# vi /etc/kismet/kismet.conf
# ./run_kismet_server
A 64MByte RAM disk and directory structure at mount point: "/mnt/ram4" was created when the kismet setup script was run. This RAM disk will be used as the kismet data storage repository for all output associated with a kismet session.
Edit the kismet configuration file" "/etc/kismet/kismet.conf" to change parameters such as: "capture sources, GPS connectivity, and audio characteristics". After this, enter the kismet NST directory and run the script (run_kismet_server) to start-up the kismet server. A user named: "kismet" will be created and own the kismet server process. The following depiction is the results from starting the script:
[root@probe root]#
cd /mnt/ram4/kismet
[root@probe kismet]#
./run_kismet_server
*** Initialize the USB Wireless Adapter...
Starting WLAN Devices: [ OK ]
*** Adding user: "kismet"...
*** Starting up the Kismet Server...
[root@probe kismet]# Will drop privs to kismet (1001) gid 1001
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (prism2source): Enabling monitor mode for wlanng source interface wlan0 channel 6...
Source 0 (prism2source): Opening wlanng source interface wlan0...
Spawned channelc control process 1793
Dropped privs to kismet (1001) gid 1001
Allowing clients to fetch WEP keys.
configdir '/home/kismet/.kismet/' does not exist, making it.
SSID cloak file did not exist, it will be created.
IP track file did not exist, it will be created.
Logging networks to Kismet-Apr-23-2004-1.network
Logging networks in CSV format to Kismet-Apr-23-2004-1.csv
Logging networks in XML format to Kismet-Apr-23-2004-1.xml
Logging cryptographically weak packets to Kismet-Apr-23-2004-1.weak
Logging cisco product information to Kismet-Apr-23-2004-1.cisco
Logging gps coordinates to Kismet-Apr-23-2004-1.gps
Logging data to Kismet-Apr-23-2004-1.dump
Writing data files to disk every 300 seconds.
Mangling encrypted and fuzzy data packets.
Tracking probe responses and associating probe networks.
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf
Dump file format: wiretap (ethereal libwiretap) dump
Crypt file format: airsnort (weak packet) dump
Kismet 2004.04.R1 (Kismet)
Logging data networks CSV XML weak cisco gps
Listening on port 2501.
Allowing connections from 127.0.0.1/255.255.255.255
Registering builtin client/server protocols...
Registering requested alerts...
Registering builtin timer events...
Gathering packets...
Fri Apr 23 21:31:04 2004 Found new network "shop" bssid 00:06:25:B3:9D:BF WEP Y Ch 6 @ 54.00 mbit
Fri Apr 23 21:31:10 2004 Found new network "midget" bssid 00:06:25:E8:B9:CC WEP Y Ch 3 @ 54.00 mbit
[root@probe kismet]#
A few evenings back, I took a trip in my truck with the NST apparatus described above and did some War Driving. I spent about 1/2 hour driving in the vicinity of my residence and detected about 111 wireless networks. A subset of the wireless network power strength topology and the actual path I followed is show in Figure 3.2, “Kismet - Wireless Network Power Distribution Topology and Track Map”
To produce the topology map shown above, the following "gpsmap" command was executed:
[root@probe kismet]#
gpsmap -o kismetwardriving -tkrp -q0 ./Kismet-Apr-23-2004-1.gps
My biggest concern and advice to the owners of these networks is to at least enable WEP (Wired Equivalent Privacy - 802.11's optional encryption standard) wireless security at their AP (Access Point). Ease of use and strong security are at opposite ends of the spectrum. Most of the networks I detected had wireless security disabled. This is a bad situation for all. Education, security vulnerablities, and implementation of wireless networking for the non-technical person needs to occur. Typically default setting on the consumer grade wireless network equipment have wireless security disabled and the SSID (Service Set Identification) in broadcast mode. Wireless equipment manufacturers make the experience of using wireless networking easy right out of the box. This does come with a price and a bad side effect: Provides an "Identity Theft" environment for the wireless hacker.