Kismet tool wiki


















This driver defaults to the name 'rausbX' which exposes a bug in some versions of libpcap and may require the device be renamed. See the 'Troubleshooting' section.

WL (Linux, Intel): Broadcom has released a binary version of their drivers called WL. These drivers are incapable of monitor mode, and cannot be used with Kismet. Kismet will attempt to autodetect them and report this to the user.

Users of Broadcom cards should use the b43 or b43xx in-kernel drivers. The ar driver project is providing mac kernel support for this card, and works with Kismet. It should be disconnected from any network, but wireless must be turned on. The Nokia drivers often return FCS-invalid packets. The Nokia device does not autodetect properly, a driver type of 'nokia', 'nokia', 'nokia', or 'nokiaitt' must be set. Kismet will attempt to use the device, but warn the user that it will probably fail.

For non-hermes chipsets like prism2, use hostap also in the kernel. These drivers are not capable of monitor mode, and will not work with Kismet. Note: The rndis drivers are NOT the same as ndiswrapper. Channel detection and device type autodetection are currently not supported. This is the only device Kismet can capture packets from on Windows. USB devices are, in general, not supported because the drivers lack monitor mode or a method to set the channel.

Supported capture source types

Capture source types are only required in specific situations where Kismet cannot detect the capture source type automatically. Linux Capture Sources: All modern drivers on Linux use the mac driver framework. Kismet will auto-detect any driver using this framework. A generic source type 'mac' can be used for forcing a type, however it is not strictly useful to do so.

Will autodetect the channel ranges.

Default Plugins

Kismet plugins can do almost anything that the native Kismet process can do.

This includes extending the logging capability, adding IDS alerts, defining new capture sources (within some limitations), and adding new features to the Kismet UI. Plugins need access to the Kismet source and configuration information to compile, and should ALWAYS be recompiled when the Kismet version changes (for those using Kismet-SVN development code, this may require rebuilding plugins every time a checkout is done).

Plugins bundled with Kismet and third-party plugins extracted into the Kismet source dir can be built with 'make plugins' and installed with 'make plugins-install' or 'make plugins-userinstall'. When running Kismet without privilege separation (launching as root), plugins run with root privileges. This is not recommended. Server plugins are only loaded when kismet.

The Kismet UI provides mechanisms for loading plugins and specifying plugins to be loaded automatically on startup via the Plugins menu item. Once a Kismet UI plugin is loaded, it cannot be unloaded. To unload a Kismet plugin, go to the Plugins window, configure the plugin to not load on start, and restart Kismet. To configure plugin loading in the UI, select the plugin (the list is automatically generated from plugins installed in the system and user plugin directories) and press enter.

Plugins will be loaded when the plugin window is closed. Kismet server plugins cannot currently be manipulated via the Kismet UI, but loaded plugins will be displayed. If a plugin causes startup problems (most likely because it was compiled for a different Kismet binary), Kismet will exit and explain which plugin caused the crash during startup.

Plugins may also cause instability during runtime; if runtime crashes occur while plugins are loaded, remove them and re-test. Often, recompiling the plugins against the running Kismet source will help resolve these issues. These can be logged to the pcap file when PPI logging is enabled, and to an XML file for processing with Kismap, included with the Kismet source, as well as other third-party tools.

The GPS is controlled with the Kismet server config, kismet. Check the output of "dmesg" after plugging in your device. Kismet cannot know the location of a network, it can only know the location where it saw a signal. By circling the suspected location, you can provide more GPS data for processing the network center point. Kismet keeps running averages of the network location, however this is not incredibly accurate, due to averaging and imprecision in floating point math.

Logging

By default Kismet will log the pcap file, gps log, alerts, and network log in XML and plaintext.

Logs are enabled by name (nettxt, gpsxml, etc) or by class (text, pcap, etc). When enabled by class, Kismet will enable all logs of that class. For example, enabling 'pcap' will turn on pcap logging for plugins which can save packets. The PPI header is a well-documented header supported by Wireshark and other tools, which can contain spectrum data, radio data such as signal and noise levels, and GPS data.

PPI is only available with recent libpcap versions. When it is not available, Kismet will fall back to standard By default, Kismet logs in the directory it is started in unless modified with the "--log-prefix" option. Most users should never need to change the logtemplate, however the option remains available.

Filtering

Kismet supports basic filtering; networks can be excluded from tracking, pcap logging, or general logging, based on BSSID, source, or destination MAC addresses.

Filters, when enabled, are "positive-pass"; anything matched by the filter will be allowed, and all other matches are excluded. Kismet can alert on fingerprints (specific single-packet attacks) and trends (unusual probes, disassociation floods, etc).

Kismet as an IDS is most effective in a stationary (i.e., non-wardriving) setup, and for best results, a non-hopping source should be available on the channels the primary networks are on. Kismet IDS functions CAN be used in mobile or channel-hopping installations (and are turned on by default) but accuracy may suffer.

The throttle option controls how many alerts are allowed total per time unit, while the burst option controls how many alerts are allowed in a row. This may be a normal configuration change though unlikely or it may indicate a spoofed AP which did not correctly clone the original.

This alert is no longer relevant as the Airjack tools have long since been discontinued. APs with fluctuating BSS timestamps could be suffering an "evil twin" spoofing attack, as many tools do not attempt to sync the BSS timestamp at all, and the fine-grained nature of the BSS timestamp field makes it difficult to spoof accurately.
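
The timestamp check described above can be sketched as follows. This is an added example, not Kismet's own implementation: the thresholds, function names, and beacon tuples are assumptions, and the sample capture is constructed. It flags a BSSID only when its timestamp jumps repeatedly, so a single AP reboot does not raise an alert.

```python
from dataclasses import dataclass

TOLERANCE_US = 500_000  # assumed allowance for capture jitter and clock drift
MIN_MISMATCHES = 3      # assumed: one jump is a reboot, repeated jumps are two clocks
CLEAN_RESET = 10        # consistent beacons needed to forget earlier jumps

@dataclass
class BssState:
    rx_us: int           # capture time of the last beacon (microseconds)
    tsf: int             # BSS timestamp carried in that beacon
    mismatches: int = 0
    clean: int = 0
    alerted: bool = False

def check_beacons(beacons):
    """beacons: iterable of (rx_us, bssid, tsf); returns [(rx_us, bssid)] alerts."""
    state, alerts = {}, []
    for rx_us, bssid, tsf in beacons:
        prev = state.get(bssid)
        if prev is None:
            state[bssid] = BssState(rx_us, tsf)
            continue
        # A single transmitter's timestamp advances in step with elapsed time.
        expected = prev.tsf + (rx_us - prev.rx_us)
        if abs(tsf - expected) > TOLERANCE_US:
            prev.mismatches, prev.clean = prev.mismatches + 1, 0
            if prev.mismatches >= MIN_MISMATCHES and not prev.alerted:
                alerts.append((rx_us, bssid))
                prev.alerted = True
        else:
            prev.clean += 1
            if prev.clean >= CLEAN_RESET:
                prev.mismatches = 0
        prev.rx_us, prev.tsf = rx_us, tsf
    return alerts

def sample_beacons():
    """Constructed capture: AP 01 has a second transmitter, AP 02 reboots once."""
    out, step = [], 102_400  # typical beacon interval in microseconds
    for i in range(20):
        t = i * step
        out.append((t, "02:00:00:00:00:01", 9_000_000_000 + t))       # original AP
        out.append((t + 50_000, "02:00:00:00:00:01", 5_000_000 + t))  # unsynced copy
        base = 7_000_000_000 if i < 10 else -10 * step  # timestamp restarts at i == 10
        out.append((t + 70_000, "02:00:00:00:00:02", base + t))
    return out

if __name__ == "__main__":
    for rx_us, bssid in check_beacons(sample_beacons()):
        print(f"{rx_us / 1e6:.3f}s BSS timestamp fluctuating on {bssid}")
```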

By spoofing a legitimate AP on a different channel, an attacker can lure clients to the spoofed access point. An AP changing channel during normal operation may indicate such an attack is in process, however centrally managed networks may automatically change AP channels to less-used areas of the spectrum.

The only situation in which an access point should reduce encryption security is when the AP is reconfigured. This can indicate a spoofed client attempting to incorrectly inject data into a network, or can indicate a client being the victim of a denial-of-service attack.

These values should only change if the client has changed drastically (such as a dual-boot system). Over-sized SSIDs are indicative of an attack attempting to exploit vulnerabilities in several drivers.

This vulnerability is exploited by the Metasploit framework. This vulnerability is documented in the paper by Stefan Viehbock and implemented in his tool and the Reaver attack tool. The server portion responsible for capture, logging, and decoding is controlled by kismet.

Lines beginning with are considered comments and are ignored. Most configuration options are self-explanatory or documented in the config file itself. By default Kismet only listens to the loopback interface on port By default, for security reasons, Kismet will listen only on To listen on any interface, use the IP 0.

Comma-separated list of IP addresses allowed to connect to the Kismet server. IP ranges may be specified with netmasks ie This also affects the amount of RAM potentially used by the Kismet server process, and may need to be lowered on extremely RAM-limited systems. May be reduced on extremely RAM-limited systems. Sound and speech can be generated by the Kismet server, however typically this would be done by the Kismet UI instead.

The OUI file used by Kismet to determine the manufacturer of a device can be shared with other tools (such as Wireshark), so long as they use a compatible format. Navigation between elements of the UI is done with 'tab'. Use of a mouse is supported in much of the Kismet UI, although not all widgets fully support mouse operation. Basic use of the UI with no keyboard should be reasonable, however.

The main Kismet window consists of the network list, GPS information, a summary of the current server statistics and packet source status, and the status panel where errors and announcements are printed.

Additional components of the main window may be turned on with the 'View' menu. Preference changes are for the most part immediate and do not require restarting. Speech is supported on Festival and Flite. Any other text-to-speech program should work as long as it accepts plain text on standard in. The supported events and replacements are:

New network:
1. Network SSID, encoded to the speech encoding setting (spell, nato, plain)
2. Network channel
3.

In the Kismet UI, networks and clients can both have tags added to them.

Tags can be set as permanent: by checking the "Remember note when restarting Kismet" checkbox in the Network and Client Note windows, the note is saved and will be re-applied to networks every time Kismet loads. Client tags are applied to a specific client in a specific network; currently there is no mechanism for adding a note to every instance of the client.

Because autofit mode is so variable, it doesn't make sense to try to allow selecting networks in autofit. To select a network and view details, first sort by another method such as channel, time, etc via the Sort menu, then select a network. Kismet code under development is in the master branch of the git repository. The development of new features happens here. While the development code may be unstable, generally it is quite usable.

To get the latest code prior to another beta release, grab the git master branch:

This package contains the kismet text interface client. The client is the user interface to display the results on your screen.

This package contains the kismet remote sniffing and monitoring drone.


