
How to test wireless systems: A step-by-step guide (part 2)

Lee Parkes 20 Jan 2015

In my previous post I went over the high level details of conducting a wireless network survey. In this blog post I’m going to go into a little more detail with a tool called Kismet. There will be other blog posts covering other tools and hardware platforms. But for now, grab your favourite beverage, relax, and enjoy!

Kismet

Kismet is the most prevalent and useful tool for wireless network assessments. I’ve used it for a number of years now, and each new release has introduced new features and greater ease of use. After all, the last thing you want during a test is to be battling with your toolset just to get it to work.

One thing I’m not going to go into detail about here is the different versions of the 802.11 protocol. That’s even more under the proverbial bonnet than I want to go into in this post.

Kismet needs to grab packets from your laptop’s wireless card. In order to do that we need to list which ones we have. I’m going to assume that you’re using an Alfa Network AWUS036H USB wireless adapter. If you’re using something different then adjust accordingly, but on Kali it will be listed as “wlan${X}” where ${X} is a number from 0 upwards. The screenshot below shows the wireless interfaces on my laptop:

Figure 1: Wireless interfaces

In this instance:

  • wlan0 is the built-in interface. Depending on the laptop vendor and model, it may or may not support monitor mode. You can try adding it as a source (see later), but generally using the Alfa card or similar is your best bet.
  • wlan2 is the Alfa Network AWUS036H USB wireless adapter shown below:

Figure 2: Alfa USB network card

As mentioned in the previous blog post, this has the advantage that it can be used with either a native Kali install or with a VM as it can be directly connected to the virtual machine.

There’s an important caveat here: using USB devices will drain your laptop battery. Depending on the type of assessment you’re doing, make sure you have your power adapter with you. If the laptop vendor says the laptop battery will last 7 hours then plan on it being, at most, half that. If you add a GPS USB device into the mix then battery life will reduce even more. This isn’t usually a problem in an office environment, but if you are doing a wireless assessment that requires you to walk around a fairly large campus then you can run out of battery before you finish. That could mean the difference between finding and not finding the juicy targets (Sod’s Law works all too well here).

Monitor Mode

In order for Kismet to gather packets from the air the wireless adapter has to be placed into monitor mode. This is roughly analogous to promiscuous mode for an Ethernet card. What this means is that the card will push all packets it sees to Kismet. The screenshot below shows a new wireless interface, wlan2mon, created by Kismet:

Figure 3: Wlan2 in monitor mode

The Process

This section details how to get Kismet up and running. I’m going to assume that you’re using the Kali Linux distribution, either natively or as a virtual machine. There are too many variations for me to list them all here. That said, you shouldn’t have too many difficulties in getting Kismet running on most Linux distributions. For those of you who are BSD fans (Open, Net, Free), I’m afraid you’re on your own for now. The following screenshots show the process of starting Kismet:

Figure 4: Running as root

Unless you’ve done something different, Kali generally uses the root account for all activities, so Kismet is run as root. Kismet will complain about this, but just accept it and move on. NB: be aware that security software can have vulnerabilities just as much as any other category of software. For example, Wireshark, the ubiquitous network sniffer, has had a few that could give a remote attacker access to the machine that is running it. You have been warned…

Figure 5: Start the Kismet server

We need to start the Kismet server. Although you don’t really see this when running Kismet, it is actually two pieces of software: a client and a server. You can run the Kismet server separately and connect to it with the client. I’ll go into more detail about this, and a scenario where you’d want to do it, in another blog post. However, we generally run the server and client on the same machine, so that’s what we’ll do here.

Figure 6: Kismet server options

Generally, the start-up options for the server are all we need, so just accept them and move on.

Figure 7: Server start up output

Once the server starts, it dumps a load of output to a console screen. Effectively a dmesg for Kismet, it shows what it is doing and which TCP ports it opens up. There is normally one port that it opens, 2501/TCP, which you can connect to with any client such as Telnet, netcat, and so forth. This is the port that the Kismet client connects to. As mentioned above, I’ll go into a bit more detail regarding the separation of client and server, and the roles they play, in a later post.

Figure 8: Do we want sources? Why yes we do!

As there aren’t any wireless adapter sources configured by default, we need to tell Kismet where we want it to grab packets from.

Figure 9: Defining a packet source

As mentioned previously, the packet source for the Alfa card is wlan2 here, but the name will likely differ on other systems. Running iwconfig will tell you what sources you have. You can also have more than one source, which can be useful. Once it is up and running, assuming nothing went wrong, you should see something like the following screen (I’ve obscured some of the details):

Figure 10: Kismet running
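As an added example (not code from the original post), here is a small POSIX shell script that automates the checks the steps above do by eye: which adapter actually supports monitor mode, which wlanX name it has, and whether the Kismet server has opened 2501/TCP. It assumes `iw`, `ss` and sysfs are available, as on Kali; the `iw list` sample embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before starting Kismet.
# Assumes the Kali-style wlanX naming used in the post and that `iw` and `ss` exist.

# Print each phy from `iw list` output (read on stdin) whose driver advertises
# monitor mode. Handles either tabs or spaces before the "* mode" lines.
monitor_capable_phys() {
    awk '
        /^Wiphy /                      { phy = $2; in_modes = 0; next }
        /Supported interface modes:/   { in_modes = 1; next }
        in_modes && /^[[:space:]]*\* / { if ($2 == "monitor") print phy; next }
        in_modes                       { in_modes = 0 }
    '
}

# Map a phy (e.g. phy1) to its wlanX name via sysfs, so you know which source to give Kismet.
phy_to_iface() {
    for d in /sys/class/ieee80211/"$1"/device/net/*; do
        [ -e "$d" ] && basename "$d"
    done
}

# Exit 0 if `ss -ltn` output (read on stdin) shows a listener on TCP port $1;
# the post notes the Kismet server opens 2501/TCP by default.
check_kismet_port() {
    awk -v want=":$1" '$4 ~ (want "$") { found = 1 } END { exit !found }'
}

# Constructed sample of `iw list` output: a built-in card with no monitor mode (phy0)
# and a USB adapter that supports it (phy1).
SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * managed
         * AP
    Band 1:
Wiphy phy1
    Supported interface modes:
         * IBSS
         * managed
         * monitor
    Band 1:'

# Live run only when the tools are present; otherwise fall back to the sample.
if command -v iw >/dev/null 2>&1; then
    iw list | monitor_capable_phys | while read -r phy; do
        echo "$phy ($(phy_to_iface "$phy")) supports monitor mode"
    done
    ss -ltn | check_kismet_port 2501 && echo "Kismet server is listening on 2501/TCP"
else
    printf '%s\n' "$SAMPLE_IW_LIST" | monitor_capable_phys
fi
```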

Kismet is a fantastic tool, and in my humble opinion, is the wireless pen tester’s equivalent of Nmap or Netcat. The next blog post will go into some more detail about using Kismet in a distributed mode and how that can help with ensuring your wireless environment is safe.