Hacker tool talk: kismet
1 like1,069 views
This document summarizes a presentation given by Chris Hammond-Thrasher on the wireless security tool Kismet. The presentation covers setting up a wireless security lab, an overview of Kismet including its features and history. It also demonstrates how to install and use Kismet, including passively monitoring wireless networks and cracking WEP keys. The document encourages attendees to use Kismet to audit their own and nearby wireless networks to check for security issues and ways to improve configuration.
Hacker tool talk: kismet
- 1. Hacker tool talk: Kismet “Security through knowledge” Chris Hammond-Thrasher chris.hammond-thrasher <at> ca.fujitsu.com Fujitsu Edmonton Security Lab December 2010 Fujitsu Edmonton Security Lab 1
- 2. Agenda • Why are we here? • Setting up a wireless security lab • About Kismet • Installing Kismet • Kismet demo • What’s next? Fujitsu Edmonton Security Lab 2
- 3. Why are we here? Fujitsu Edmonton Security Lab 3
- 4. Ethics and motives “Every single scam in human history has worked for one key reason; the victim did not recognize it as a scam.” - R. Paul Wilson Fujitsu Edmonton Security Lab 4
- 5. Setting up a wireless security lab Fujitsu Edmonton Security Lab 5
- 6. Wireless security lab reqs • It’s actually pretty easy to setup – Wireless access point (AP) • Recommendation: Almost any will do – Attack/dev box • Wireless card and driver that supports packet injection • On Windows there is only one choice: AirPCAP from CACE (starting at US $200) • PCAP compliant network packet analyzer • Aircrack-ng wireless cracking and audit suite • Recommendation: OS: Backtrack Linux, Packet tool: Wireshark, H/W: ALFA AWUS36H for 802.11b/g (~$40) – Target box • Wireless card and driver compatible with your AP – Logging/monitoring box (Optional) • Wireless card and driver that supports monitor mode Fujitsu Edmonton Security Lab 6
- 7. Choices • If you have a shortage of hardware, you can employ virtualization to cut down on the number of boxes in your lab. However,VMs can only use USB wireless cards. • Booting from a Backtrack DVD or other bootable device is often the best option for the attack/dev box; it has Kismet and drivers for many wireless chipsets. Fujitsu Edmonton Security Lab 7
- 8. Caution • Unless your lab is in a rural area or in a Faraday cage, there will be innocent networks within range of your equipment • You are welcome to attack your own equipment, but attacking others’ networks without permission is potentially illegal Fujitsu Edmonton Security Lab 8
- 9. About Kismet Fujitsu Edmonton Security Lab 9
- 10. History • Kismet is one of the longest running and most successful open source wireless tool projects – dates back to the early 2000s • The Kismet project is lead by Dragorn (aka Mike Kershaw) • It was originally created to fill a void for an affordable full featured wireless scanner • Kismet-newcore is the recently released total rewrite of Kismet • Kismet-newcore is included in the latest Backtrack 4 release Fujitsu Edmonton Security Lab 10
- 11. Features • Kismet is a passive 802.11a/b/g/n network sniffer (assuming you have the right drivers and hardware) • Broad support for wireless chip sets and reliable driver auto- detection • ncurses interface • GPS integration (+ Google Earth KML mapping tool) • Packet capture • Wireless protocol dissection and analysis • Some wireless IDS features • Can be deployed in a distributed architecture with remote sensors (drones) linked to a central console • Extensible plug-in framework (WEP crack and DECT sniffing via plug-ins) • Free (as in beer and speech) Fujitsu Edmonton Security Lab 11
- 12. Kismet vs. others • Kismet passively monitors wireless networks – it never transmits – Cannot be detected – Can see non-beaconing networks if they are in use – Recovers cloaked SSIDs by listening to connection handshakes • Stumblers broadcast probes and listen for responses – Can be detected – Find many networks faster – Cannot find non-beaconing networks – Cannot recover cloaked SSIDs – Cannot packet capture Fujitsu Edmonton Security Lab 12
- 13. Legit uses of Kismet • Site survey planning and measurement – "Do we have enough coverage?“ • Security auditing – "Does the network comply with policy?“ • Penetration Testing and Vulnerability Assessment – "What opportunities are there to exploit the network?“ • Security Monitoring and IDS Analysis – "Is someone attacking my network?" Fujitsu Edmonton Security Lab Props to Josh Wright for this slide. 13
- 14. h4X0r$ • Undetectable eavesdropping – “Do you have unencrypted data on the airwaves?” • Undetectable WEP cracking (with plug-in) – “Do you ‘protect’ your data with the worst encryption protocol ever published by the IEEE?” • Undetectable reconnaissance in advance of another attack – “Do you reveal any vulnerabilities that I can exploit?” Fujitsu Edmonton Security Lab 14
- 15. Installing Kismet Fujitsu Edmonton Security Lab 15
- 16. Choices • Easiest: Get latest Backtrack (BT4R2 right now) http://www.backtrack-linux.org/downloads/ • Linux power user: Use your distro’s package manager to install the latest binary sudo apt-get install kismet • Windows power user (with AirPCAP adaptor): Get the latest win32 installer from the Kismet site http://www.cacetech.com/downloads.html • Developer: Get latest snapshot from svn and compile with gcc svn co https://www.kismetwireless.net/code/svn/trunk kismet cd kismet ./configure --prefix=/opt && make && make install Fujitsu Edmonton Security Lab 16
- 17. Kismet demo Fujitsu Edmonton Security Lab 17
- 18. Kismet demo • Starting it up • Tour through Kismet screens • Eavesdropping on open networks • Cracking WEP keys • Eavesdropping on WEP encrypted networks Fujitsu Edmonton Security Lab 18
- 19. What’s next Fujitsu Edmonton Security Lab 19
- 20. Learn more • Read Josh Wright’s much better intro to Kismet http://www.willhackforsushi.com/presentations/budget-wireless- assessment-newcore.pdf • Read Josh Wright’s book https://www.amazon.ca/Hacking-Exposed-Wireless-Second- Johnny/dp/0071666613/ref=sr_1_8?ie=UTF8&qid=1291838235&sr=8-8 Fujitsu Edmonton Security Lab 20
- 21. Act locally • At home – Turn on WPA2 PSK using a strong password – WEP is bad and “open” is worse – Try using Kismet on your laptop to determine your home network range – note that the range at which you can listen to your network is different from the range at which you can connect to your network – Use Kismet to audit your community league, church, friend’s store, parents’ networks to make sure they are configured securely Fujitsu Edmonton Security Lab 21
- 22. Act locally • At home – Watch your network for high volumes of retransmitted packets – this may indicate interference from nearby networks or other wireless devices – Warwalk your neighborhood to determine the channel with the least interference for your home network – Use Kismet to help diagnose wireless network connectivity issues Fujitsu Edmonton Security Lab 22
- 23. Thank you! Want more presentations like this? Is there a particular tool or hack that you would like to see demoed? Chris Hammond-Thrasher Fujitsu Edmonton Security Lab Email: chris.hammond-thrasher <at> ca.fujitsu.com Twitter: thrashor Fujitsu Edmonton Security Lab 23
- 24. Fujitsu Edmonton Security Lab 24