What is Kismet?
It is very important for specialists in the domain of computer security or particularly information security to know about Kismet and what it can do. Fundamentally, Kismet is a software. It is utilized to detect network traffic, sniff the packets, and also as an intrusion prevention system. It is also important to know that it is an open source security tool.This means that it is a free software, which is a plus.
All platforms which are compliant with Portable Operating System Interface (POSIX) can have Kismet software running on them perfectly. This includes Microsoft Windows, Mac OS X, and BSD. Nevertheless, it works the best on Linux operating systems. This is because monitoring devices for such systems are unencumbered.
Now, it is essential for Kismet to work under the monitoring mode. But why is that? Basically, this aspect is attributed to the fact that any packet which Kismet is capable of hearing could be read and further examined. Yet, when there is no monitor mode capability, there is a certain access point (AP) you are currently associated with from which packets could be sniffed.
Radio Frequency MONitor (RFMON) mode is a critical mode for Kismet in order to be able to use it efficiently to the maximum. A driver supporting RFMON — monitor mode is the first step to use Kismet. Such driver should get configured on the used wireless network interface card (NIC).
What are the configuration models of Kismet?
In fact, there are a plenty of models in which Kismet could be configured. While it is essentially a client-server application, it is allowable to harness it as a standalone application. Moreover, it could operate as a server which supports several clients. Elsewhere, installations of drone Kismet inside the network could make Kismet work as a server. This is where all the captured packets of individual wireless hardware pieces are gathered for analysis and monitoring of the server afterward. The built-in client is used whenever the standalone Kismet is run, although there are several other third-party clients which could work for Kismet as well.
How do Kismet drones work?
Let’s now discuss how Kismet drones are capable of reporting the captured network packets into their own server at the end of the day. Well, this feature is pretty simple since each Kismet drone forwards the captured packets of its own configured wireless card source into one integrated server for all the captured packets. A single log file the combines all of such captured packets in order to execute one unified wireless intrusion alerts for the entire network. Via this way, any LAN having one or two APs can have a wireless intrusion detection system (IDS) represented by Kismet drones.
It is advisable to note that a particular configuration file is required for using each of these components. The rationale beyond this feature is to have a great performance when running Kismet. Such files include Kismet.conf, kismet_ui.conf, and kismet_drone.conf files.
What about the User Interface?
Although there is not anything new or creative about the user interface, it allows a great speed and speed for operating such software. When running Kismet, it first opens the Autofit where all the detected networks are displayed in a list. Some details about each network are displayed as well, but no further details could be viewed other than the ones which are already displayed on the user interface.
So what details are displayed in the first place? Well, there is the decay indicator, network name, network type, WEP status, channel used, packets seen, flags, IP range, and the size of a capture file. All of these details are accessible by the user interface. Nonetheless, there are three cases for the decay indicator:
- A recent activity could be indicated by an exclamation mark (!)
- A less recent activity could be on the other hand indicated through a period (.)
- The non-existence of a recent activity is displayed through a blank, though.
But a good question to ask is: what determines if an activity is actually recent or not? Fundamentally, this is decided by decay variable included inside kismet_ui.conf. Usually, it is around 3 seconds passed and an activity is considered as a recent one.
How can I get help when using Kismet?
It is very vital to seek help when using a software especially if you are pretty new to it. Entering an “h” is the solution to get help from the software; it will pop-up a window from where the Page Up and Page Down could be utilized for navigation through the window. Also, entering “x” simply terminates the window.
How can changing modes have their effect?
The following could be seen all in capital letters at the end of the help window. They include – ALL NETWORK SELECTION, TAGGING, GROUPING, SCROLLING, AND SO ON IS DISABLED IN AUTOFIT MODE. Let’s change this mode and know the Kismet’s reaction regarding such change.
First of all, we need to get the help screen closed. Then, the network list could have its own order changed through entering a simple “s”. The network’s AP’s MAC address could be the means to have the list sorted depending on them in the first place, this can be attained by simply entering “b” now which represents the first letter of the word BSSID, meaning such MAC addresses.
The arrow key of up and down on the keyboard could be relied on for the sake of selecting a specific network. Entering on “i” would yield on getting another window with all the details of this particular AP.
Moreover, Statistics of a channel’s traffic could be shown by entering “a”. In addition, all the MAC addresses interacting with a particular AP could be recognized with a simple “c”. The client list will appear right now. Changing the way in which such addresses are ordered could be done the same way used before as well. For instance, they can be viewed in an order according to the last seen. On the other side, such order could be reversed by a simple “L”.
This aspect, in general, is pretty important to get any AP protected. This is through knowing all the MAC addresses of devices talking to it. In order to view the details of a particular client, we get it highlighted and then selected by a simple “i”. This would show the type of connection in which the client is involved. It also shows the MAC address, and much more information about the client.
Entering an “h” now will display another help window which is more specific than the previously generic one displayed before. Various connection types: From DS, To DS, Intra DS, Established, Sent To, and Unknown is now explained by the help window in this case.
How to get the log files edited?
While a log file gets stored by default inside the directory where Kismet started running, this could be easily manipulated. Inside Kismet.conf, the logtemplate directive could be edited and changed. The created logs will be by default dump, network, CSV, XML, weak, Cisco, and GPS logs. This, however, could be changed through editing the logtypes directive inside kismet.conf as well. The created dump file could be used for analysis by Wireshark and Aircrack-ng if preferred afterward. More information about such security tools could be found on this website as well.
Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/
References
https://www.kismetwireless.net/
https://en.wikipedia.org/wiki/Kismet_(software)
https://www.linux.com/news/introduction-kismet-packet-sniffer
https://www.quora.com/How-do-I-secure-my-wireless-network
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!
In this FREE webinar Joe McCray will cover the fundamentals of the network penetration testing, and how to perform basic penetration testing tasks. This webinar is designed for people with little to no network penetration testing experience.
