Kismet
16 March 2011, 11:04
Kismet is a multifunctional utility for 802.11 wireless (Wi-Fi) networks. Most users know it from articles on hacking, where the program is used to detect hidden networks and capture packets. Breaking into someone else's network is bad, and yet Kismet is much more than a skeleton key in an attacker's hands. In the arsenal of an information security engineer it is an excellent tool for observing and analyzing the 802.11 airwaves.

The Kismet project dates back to 2001. Originally released under the GNU GPL and updated regularly for nearly 10 years, the program has managed to grow a community and to enter my top ten network analyzers. Although Kismet is cross-platform, some features are only available on Linux, and the developer states that Linux has the most complete support, so everything described below holds for Kismet running properly under Linux.

Installation


Before installing Kismet, make sure the Wi-Fi card supports monitor mode (RFMON). This mode switches the 802.11 adapter into a monitoring state in which it captures all packets passing through the air. Whether it works depends on the specific hardware: some devices support this mode without problems, some only with a third-party driver, and some do not have this feature at all.

As always, the packages in distribution repositories lag behind recent development, so it is reasonable to download the latest source code and compile the program. The procedure does not differ from the standard one and there are no special system requirements, except that since the user interface is based on Curses, the appropriate library may be needed. Looking ahead, it is worth noting that Kismet also has a separate Qt graphical interface.

The developer offers several security configurations. Since certain actions (e.g. changing the operating mode of the network adapter) require root access, the security setup during installation should be approached responsibly. The program is built on a client-server architecture, so distributing privileges is not difficult, and the documentation details the nuances of this procedure.

Getting Started


If everything was done correctly, start the program by running kismet.



As mentioned earlier, Kismet is built on a client-server architecture, so when the client starts it will ask you either to start a server or to give the address of one. This article assumes that the program is used on a single machine, so you should start a local server.



Depending on the task, we can pass startup parameters to the server, enable or disable logging, and watch the server console directly in the client interface.



Introduction to Kismet


After connecting to the server, scanning begins and Kismet displays information about the networks it finds. By default, networks with the insecure WEP encryption are highlighted in red, networks without encryption in green, and networks with WPA encryption in yellow.



The figures below the list are a visual representation of the data packets passing through the air, like the graphs in other program windows. When you select a network, its line shows additional information: the identifier (BSSID), time of detection, encryption method, number of packets and volume of data transmitted since discovery. An exclamation mark, a dot or a space before the network name represents one of three levels of activity; the T column is the network type (A = Access point) and C is the encryption type (W = WEP, N = none, etc.). Data fields can be removed, and new ones added, through the menu options. On the right are the general observation statistics, where the Filtered value shows the number of packets that matched the created filters. At the bottom is the log; a careful reader may have noticed a problem connecting to the GPSD server there. Kismet can work with a GPS device, capturing its data and providing geographic coordinates.

When you choose a network, a window opens displaying more information:



Through the View menu you can add two more graphical indicators: signal level and the number of packets. The View > Clients command displays the list of clients connected to the selected access point:



Here, in addition to the basic information, an important parameter is added: the client's IP address.

The last Kismet window displays information about the client:



Using the program in practice


Conventionally, the tasks solved by Kismet can be divided into two areas: analytics and protection. In the first case, the accumulated information is handled by third-party applications; in the second, Kismet works as a detector of various types of network attacks. It is better to consider both profiles with specific examples.

Gathering geographical statistics

Not long ago the scandal over Google's collection of information about Wi-Fi access points, and its capture of traffic, died down. Indeed, according to Raphael Leiteritz, a Google brand manager, Street View cars gathered the coordinates of Wi-Fi points and GSM base stations for the sake of developing a navigation service, plus a whole list of other good deeds. Their system worked like this: a Google Street View car used a Maxrad BMMG24005 antenna to receive the 802.11 airwaves and moved along its route, picking up all the data within Wi-Fi range. The data obtained were processed by Kismet, which, connected to a GPS receiver, allowed a high-quality interception station to be built.

Building your own Street View car for so-called wardriving is not as difficult as it seems at first glance. The only additional equipment needed is a GPS receiver, to bind the data to a geographic location.

To start collecting information, the GPS device must be connected and configured to work through the gpsd daemon. Note that Kismet works with the JSON format, and therefore GPS emulators cannot be used for testing, unless you use the gpsfake utility that ships with GPSD, which can replay existing navigator logs. However, GPS setup is beyond the scope of a discussion of Kismet.

Now the server must be started in logging mode to begin gathering information. By default, 5 types of logs are available: the alert report, the geographic XML log, a text list of detected networks, the network XML log, and a packet dump in Pcap format. It was the last one that got Google publicly prosecuted, since in theory this file could contain personal data flying through the air.

If everything was done correctly, the main window will now display information about the current geographic position. Contrary to popular belief, Kismet does not know the coordinates of Wi-Fi points; its geographic data are nothing more than the coordinates of the GPS receiver. Although with a large amount of information it is quite possible to locate a point by direction finding, the program does not set itself that goal; that is a matter for third-party products.



While you are moving, the logs grow rapidly, so you should think about free space.

The program stores its data in a simple, understandable format. For example, the geographic XML log that interests us consists of a set of elements like this:

<gps-point bssid="00:0C:42:2C:DA:C6" source="00:0C:42:2C:DA:C6" time-sec="1280155487" time-usec="724329" lat="47.133453" lon="28.504967" spd="0.000000" heading="0.200000" fix="3" alt="1225.000000" signal_dbm="-61" noise_dbm="0" />

All the attributes are intuitive, and understanding the data will not be difficult for any programmer. How to use this data is up to the developer. You can build a map of Wi-Fi hotspots in your area, or you can develop a direction-finding system. Google had to collect this data for pseudo-GPS navigation, which uses base stations rather than satellites as a reference. By combining data from the various logs you can collect statistics, analyze them, and draw maps and charts; the only limit is imagination. Anyone can build part of Google Street View into their car and do some useful research.
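As an added example (not code from the article or from Kismet itself), a small Python script that parses such a geographic XML log and does the kind of third-party processing just mentioned: it groups the receiver's points by BSSID and estimates where each access point is from the signal-weighted positions at which it was heard. The log sample is constructed around the element quoted above; the <gps-run> wrapper element is assumed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a Kismet geographic XML (gpsxml) log. The first
# gps-point is the one quoted in the article; the <gps-run> wrapper and the
# remaining points are made up for this example.
SAMPLE_GPSXML = """<gps-run>
<gps-point bssid="00:0C:42:2C:DA:C6" source="00:0C:42:2C:DA:C6" time-sec="1280155487" time-usec="724329" lat="47.133453" lon="28.504967" spd="0.000000" heading="0.200000" fix="3" alt="1225.000000" signal_dbm="-61" noise_dbm="0" />
<gps-point bssid="00:0C:42:2C:DA:C6" source="00:0C:42:2C:DA:C6" time-sec="1280155492" time-usec="1000" lat="47.133600" lon="28.505200" spd="4.1" heading="90.0" fix="3" alt="1225.0" signal_dbm="-48" noise_dbm="0" />
<gps-point bssid="00:0C:42:2C:DA:C6" source="00:0C:42:2C:DA:C6" time-sec="1280155497" time-usec="2000" lat="47.133700" lon="28.505500" spd="4.0" heading="90.0" fix="1" alt="1225.0" signal_dbm="-70" noise_dbm="0" />
<gps-point bssid="AA:BB:CC:00:11:22" source="AA:BB:CC:00:11:22" time-sec="1280155497" time-usec="3000" lat="47.133700" lon="28.505500" spd="4.0" heading="90.0" fix="3" alt="1225.0" signal_dbm="-80" noise_dbm="0" />
</gps-run>"""

def parse_gps_points(xml_text):
    """Yield one dict per <gps-point>, with the numeric attributes converted."""
    for p in ET.fromstring(xml_text).iter("gps-point"):
        a = p.attrib
        yield {"bssid": a["bssid"], "lat": float(a["lat"]), "lon": float(a["lon"]),
               "fix": int(a["fix"]), "signal_dbm": int(a["signal_dbm"]),
               "time": int(a["time-sec"]) + int(a["time-usec"]) / 1e6}

def estimate_ap_positions(xml_text, min_fix=2):
    """Per BSSID: usable point count, the strongest reading and where the receiver
    was for it, and a signal-weighted centroid as a crude AP position estimate.
    Kismet only logs receiver coordinates; the estimate is this example's own."""
    by_bssid = defaultdict(list)
    for pt in parse_gps_points(xml_text):
        if pt["fix"] >= min_fix:            # drop points without a 2D/3D GPS fix
            by_bssid[pt["bssid"]].append(pt)
    result = {}
    for bssid, pts in by_bssid.items():
        best = max(pts, key=lambda p: p["signal_dbm"])
        # weight by linear power above a -100 dBm floor so strong readings dominate
        w = [10 ** ((p["signal_dbm"] + 100) / 10) for p in pts]
        result[bssid] = {
            "points": len(pts),
            "best_dbm": best["signal_dbm"],
            "best_at": (best["lat"], best["lon"]),
            "centroid": (round(sum(wi * p["lat"] for wi, p in zip(w, pts)) / sum(w), 6),
                         round(sum(wi * p["lon"] for wi, p in zip(w, pts)) / sum(w), 6)),
        }
    return result

if __name__ == "__main__":
    for bssid, info in estimate_ap_positions(SAMPLE_GPSXML).items():
        print(bssid, info)
```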

Intrusion Detection

Kismet has more serious, though less in-demand, functionality. It is no secret that many businesses use Wi-Fi for internal communication, and the information in such networks is often not intended for the general public. Protecting the wireless airwaves is no less important a measure than any other aimed at maintaining internal security. Kismet can detect a long list of network attacks at the data-link and network level. For this purpose the program has an alerting mechanism, or simply put, alerts.

Alert rules for a specific case are specified in a configuration file. Consider how the intrusion detection works using the APSPOOF rule as an example. This is perhaps one of the simplest methods: it allows us to identify an attack in which the attacker poses as a fake access point.

The configuration of this rule looks like this:

apspoof=Rule1:ssid="Politia",validmacs="70:3A:02:01:CE:AF"

validmacs lists the valid MAC addresses for the access point named «Politia», which must be protected. An attack provoked with the Karma tools is detected by Kismet instantly, as reported in the Alerts window and in the alert log.
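As an added example (not Kismet's own code), a Python sketch of what the rule does: it parses apspoof lines in the format shown above and raises an alert for any beacon that advertises a protected SSID from a BSSID outside validmacs. The second rule and the observed beacons are constructed; only Rule1 comes from the article.

```python
import re

# kismet.conf fragment: the article's rule (typo corrected to "apspoof") plus a
# constructed second rule to show a comma-separated validmacs list.
RULES_CONF = '''
apspoof=Rule1:ssid="Politia",validmacs="70:3A:02:01:CE:AF"
apspoof=Guest:ssid="Guest-WiFi",validmacs="00:11:22:33:44:55,00:11:22:33:44:56"
'''

# Constructed beacon observations (ssid, bssid) as the client would see them.
OBSERVED = [
    ("Politia", "70:3a:02:01:ce:af"),      # legitimate AP, MAC differs only in case
    ("Politia", "00:c0:ca:12:34:56"),      # unknown MAC beaconing the protected SSID
    ("Guest-WiFi", "00:11:22:33:44:56"),   # legitimate
    ("CoffeeShop", "de:ad:be:ef:00:01"),   # not covered by any rule
]

_KV = re.compile(r'(\w+)="([^"]*)"')       # key="value" pairs inside a rule body

def parse_apspoof_rules(conf_text):
    """Return {rule_name: (ssid, {lower-cased valid MACs})} from apspoof= lines."""
    rules = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("apspoof="):
            continue
        # rule name precedes the first colon; MACs (which contain colons) are quoted
        name, _, body = line[len("apspoof="):].partition(":")
        kv = dict(_KV.findall(body))
        macs = {m.strip().lower() for m in kv.get("validmacs", "").split(",") if m.strip()}
        rules[name] = (kv["ssid"], macs)
    return rules

def check_beacons(rules, observed):
    """Return one (rule, ssid, bssid) alert per beacon whose SSID is protected by
    a rule but whose BSSID is not in that rule's validmacs."""
    alerts = []
    for ssid, bssid in observed:
        for name, (rule_ssid, macs) in rules.items():
            if ssid == rule_ssid and bssid.lower() not in macs:
                alerts.append((name, ssid, bssid.lower()))
    return alerts

if __name__ == "__main__":
    for alert in check_beacons(parse_apspoof_rules(RULES_CONF), OBSERVED):
        print("APSPOOF alert:", alert)
```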



Other alert rules are set up in the same way. Using Kismet for wireless network security is no more difficult than capturing packets, and in conjunction with other measures the overall level of security becomes much higher.

From the stories of a former employee of the Intelligence and Security Service of Moldova. In 2005 a company turned to the service asking for help. For almost a year its money transfers had regularly been going to the wrong destination. The internal security service shrugged: the accountants had been checked inside and out, the bank had made no errors, and yet payment orders with altered account numbers kept appearing from somewhere. It all turned out to be more than trivial: some enterprising guys had rented a room on the floor below, sniffed the password to the Wi-Fi network, and from time to time changed the details in the payment orders that an accountant meticulously kept in a shared folder and then sent to the printer in one of the important offices. Over the time they operated, the fraudsters managed to siphon off a fairly large sum of money.

Whether it is true or not is unknown, but this story could easily happen, and it serves to remind information security engineers once again of an important and vulnerable component of modern corporate networks: Wi-Fi wireless data technology.

Conclusions


In fact, one could talk on and on about this small program. The article has not touched on the plug-ins, which greatly expand its possibilities. Not so long ago Kismet moved to a new core, so the number of plug-ins is not large, but among them is a worthy one, DECT Sniffer, which lets Kismet work with telephony networks, and there is also a Bluetooth plugin. But that is a topic for a separate publication. This article will hopefully have done its job: to acquaint Russian-speaking users with one more good networking tool. Perhaps Kismet will help someone the way it once helped me.

In preparing this article I used the Kismet documentation, which gives a very detailed account of working with the program; the interesting letters from Google; materials from wve.org, which catalogues all kinds of attacks on wireless networks; the GPSD project site (very good documentation on GPS in Linux); personal experience; and the stories of friends and veterans of the networking front.

The latest version is always available at https://www.kismetwireless.net/download.shtml

UPD: Moved to the "Information Security" blog.
Added by: w1zard