Open source software security

Wireless Hacking with Kismet

The proliferation of wireless networks is sometimes scary when you consider how insecure most wireless configurations are. With a little work and some technical know-how, you can easily break into most wireless networks or simply monitor the wireless traffic flowing all around you. The good news is that setting up a wireless monitor takes a bit of persistence and isn't very feasible for the average computer user.

The easiest way to begin monitoring wireless network traffic is with kismet. Kismet is most easily installed on Linux, but be warned, it isn't all that easy. To begin you need to download Kismet from http://www.kismetwireless.net. You'll need to be sure you have gcc and make installed in order to compile the sources. On Mandriva you can install these using:

sudo urpmi gcc

and

sudo urpmi make

You'll also need tar and gzip to open up the sources. Once you've downloaded the latest version (for instance kismet-2006-04-R1.tar.gz) you need to inflate the archive. Uncompress it using:

gunzip kismet-2006-04-R1.tar.gz

Then untar the archive using:

tar -xvf kismet-2006-04-R1.tar

This will create a new directory containing the Kismet sources. Next you'll have to configure and compile the source. Use the following sequence of commands, from inside that directory, to do this:

./configure
make
make install

Be sure to note any errors. You may need to resolve some extra dependencies to get kismet up and running. Once kismet is installed it is vital to configure it. To do this edit /usr/local/etc/kismet.conf. The important item to modify is the line:

source=any,any,addme

You need to change this line so that it specifies the capture source type for your wireless card and the network interface it appears as. For instance:

source=BCM43XX,eth1,bcm43xx

is a perfectly valid entry. I found that the exact device type isn't all that important, as long as your wireless device can be placed in monitor mode (meaning it captures every 802.11 frame it hears, not just the frames addressed to it).

You'll also want to change the suiduser line to a valid user. Once these two options are set you can run kismet as root. Be sure to run kismet from a fresh directory unless you've changed the logging options, since kismet writes its logs to the directory it is started from.
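Because a shipped kismet.conf still contains the placeholder source line and an unset suiduser, it is easy to start Kismet with one of them untouched. The script below is an added example, not part of the article or of the Kismet project: it parses the two settings the article says must be edited and reports anything still at its placeholder value. The two config excerpts are constructed for the demonstration and the user name alice is made up; the source entry in the edited excerpt is the one the article gives.

```python
# Added example (not Kismet's own code): preflight check for the two
# kismet.conf settings the article says must be edited before running.
import pwd

# Constructed excerpt of a kismet.conf as shipped, placeholders in place.
SHIPPED_CONF = """\
# constructed kismet.conf excerpt (not a real file)
suiduser=your_user_here
source=any,any,addme
"""

# Constructed excerpt after editing; 'alice' is a made-up account name.
EDITED_CONF = """\
# constructed kismet.conf excerpt after editing
suiduser=alice
source=BCM43XX,eth1,bcm43xx
"""


def parse_conf(text):
    """Map each key to the list of values given for it; comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_conf(text, known_users):
    """Return a list of problems; an empty list means both settings look usable.

    known_users stands in for the accounts present on the machine; pass
    local_users() for the real set.
    """
    conf = parse_conf(text)
    problems = []

    sources = conf.get("source", [])
    if not sources:
        problems.append("no source= line found")
    for src in sources:
        fields = [f.strip() for f in src.split(",")]
        if len(fields) != 3:
            problems.append(f"source '{src}': expected type,interface,name")
        elif "any" in fields[:2] or fields[2] == "addme":
            problems.append(f"source '{src}': placeholder values not replaced")

    users = conf.get("suiduser", [])
    if not users:
        problems.append("no suiduser= line found")
    for user in users:
        if user not in known_users:
            problems.append(f"suiduser '{user}' is not a local account")
        elif user == "root":
            # suiduser exists so Kismet can drop root after opening the
            # interface; naming root here defeats that purpose.
            problems.append("suiduser should be an unprivileged account, not root")
    return problems


def local_users():
    """Accounts on this machine, read from the password database."""
    return {entry.pw_name for entry in pwd.getpwall()}


if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED_CONF), ("edited", EDITED_CONF)):
        print(label, check_conf(text, {"alice", "root"}) or "OK")
```

To check a real file, read /usr/local/etc/kismet.conf into a string and call check_conf(text, local_users()).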

Once you have kismet up and running press the space bar to get rid of the initial help screen. You can view the help options at any time by pressing the 'h' key. You can also quit kismet any time by pressing Shift+q (or capital Q).

Once you've got kismet up and running you quickly realize how powerful it is. Kismet will sniff *any* wireless traffic floating by your interface. This includes traffic from any passing wireless devices. Wireless ESSIDs (including hidden ones), device names, MAC addresses, IP addresses, access point locations, and much more are easily capturable.

Kismet logs all this information in a series of logfiles that are a bit unwieldy to sift through on your own. Using another tool like wireshark (ethereal) is advisable. Wireshark can load up the kismet dump files and provides a handy GUI, search capability and packet analysis tools. Using the two in conjunction you can easily sort through large volumes of wireless traffic.

Using kismet you can also monitor wireless networks to gather encrypted packets to do WEP cracking. The logs can also be useful to monitor IP addresses and MAC addresses of devices connected to various networks. This information can be used to hand craft IP addresses or spoof MAC addresses in order to join networks with MAC filters or those that lack DHCP services.

Fortunately WEP cracking takes a long time to accomplish. The challenge isn't necessarily breaking the encryption but logging enough packets in order to carry out an attack. If a network is idle, meaning there aren't any clients communicating over it, it can take an extremely long time to capture encrypted packets. The baseline recommendation is that WEP cracking use half a million packets and without much traffic this is nearly impossible to gather. Even on an active network gathering this many packets could take hours if not days. WEP cracking is quite easy once enough packets have been gathered though, so the only hurdle is time to monitor the network.
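The per-network log Kismet writes is the natural input for the opposite exercise: auditing the networks you are responsible for and flagging the ones that the traffic-collection described above would expose, namely open and WEP networks, plus hidden ESSIDs that Kismet reveals anyway. The script below is an added example, not part of the article or of Kismet. The semicolon-separated sample is constructed for the demonstration and its column layout is assumed, not Kismet's real .csv format; map the real header names onto these before using it on actual logs.

```python
# Added example (not Kismet's own code): audit a Kismet-style per-network
# log and flag networks whose protection the article shows to be weak.
import csv
import io

# Constructed sample. The column order is assumed for this example and is
# not Kismet's on-disk .csv layout; BSSIDs and names are made up.
SAMPLE_LOG = """\
BSSID;ESSID;Channel;Cloaked;Encryption;Packets
00:11:22:33:44:55;CoffeeShop;6;No;None;1532
00:11:22:33:44:66;OfficeNet;11;No;WEP;48211
00:11:22:33:44:77;;1;Yes;WEP;120
00:11:22:33:44:88;HomeLAN;6;No;WPA;9900
00:11:22:33:44:99;Guest;36;No;WPA2;77
"""

# Encryption values that leave traffic readable or recoverable from captures.
WEAK = {
    "None": "open network: all traffic is readable by anyone in range",
    "WEP": "WEP: key recoverable from enough captured packets; migrate to WPA2",
}


def load_networks(text):
    """Parse the log into one dict per network with typed Packets/Cloaked."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    nets = []
    for row in reader:
        row["Packets"] = int(row["Packets"])
        row["Cloaked"] = row["Cloaked"].strip().lower() == "yes"
        nets.append(row)
    return nets


def audit(nets):
    """Return (bssid, name, reason) tuples for every network needing attention."""
    findings = []
    for n in nets:
        name = n["ESSID"] or "<hidden>"
        if n["Encryption"] in WEAK:
            findings.append((n["BSSID"], name, WEAK[n["Encryption"]]))
        if n["Cloaked"]:
            findings.append((n["BSSID"], name,
                             "hidden ESSID: Kismet still records it, so this is not a control"))
    return findings


def summary(nets):
    """Count networks per encryption type, e.g. for a quick status report."""
    counts = {}
    for n in nets:
        counts[n["Encryption"]] = counts.get(n["Encryption"], 0) + 1
    return counts


if __name__ == "__main__":
    networks = load_networks(SAMPLE_LOG)
    print("by encryption:", summary(networks))
    for bssid, name, reason in audit(networks):
        print(f"{bssid} {name:<12} {reason}")
```

On a real capture the WEP and open entries are the ones to migrate first; the Packets column is kept so the report also shows which of them are actually carrying traffic.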