Kismet Lab

[toggle_content title="Transcript"] Hi, Leo Dregier here. I want to talk about some of the wireless pen testing tools, and one of the first tools that you are going to want to run is basically a packet sniffer, a wireless scanner called Kismet. Kismet is a great little scanner; I like to think of it as a kind of police scanner for wireless networks. So what we are going to do is walk through the setup and basically just do some basic wireless sniffing. The first thing we are going to do in our Kali operating system is go over to Kali, go over to Wireless Tools, and then start Kismet from the menu. You can of course just type kismet from the bash prompt and that would be just fine. So Kismet says "Kismet is running as root. Kismet was started as root; this is not recommended and can be dangerous," only because basically it gets a higher priority to the system. If you are just poking and prodding around, it is absolutely fine, so you could say "do not show the warning again" or just go ahead and select OK. Then: automatically start the Kismet server? Launch the Kismet server and connect to it automatically; if you use a Kismet server started elsewhere, choose no. In this case I don't have another instance of it running, so I am going to go ahead and select yes. Startup options, if I want anything: set logging to on, the log title is "Kismet", show the console, and then go ahead and click start, and you should start seeing some basic information and/or error messages pop up on the screen. You can see one of the error messages that I am getting towards the bottom here: couldn't connect to the GPS server, will reconnect in five seconds, and then ten seconds and fifteen seconds, and it will continue doing this. But it did accept the connection from Kismet; Kismet started with no packet sources defined. No sources were defined, or all defined sources have encountered unrecoverable errors. Kismet will not be able to capture any data until a capture interface is added.
Would you like to do this? This is a relatively easy message to get around, because we just simply have to add our interfaces. So go ahead and select yes. In this case the interface is going to be wlan0, the name of it, wireless LAN 0, and any sort of options you could add. Otherwise just go ahead and select them, and it says Kismet... You can read these messages here; they go by relatively quickly, but I am already starting to see traffic because of all these "detected, detected, detected", plus I am seeing the MAC addresses of the interfaces plus the actual SSID names of the interfaces that are coming in. The one that we are going to be working with is Cybrary, which you can see right there towards the top. So close the console window, that is going to be fine, and then you can see, if I make this a little bit bigger, that basically I have my console detecting information now. Just this in itself is huge, because it tells me a lot of things. One, I have my wireless card connected. The wireless card that I am using right now, which you can see in the VM setup, is the Atheros UB91C interface wireless card, which is a great card to use. You can basically set up a wireless pen testing kit for right around a hundred dollars, and that would probably get you a decent card, maybe a GPS receiver, and if you are lucky maybe a Bluetooth sniffer or Bluetooth antenna. So we are going to go here, and you can see the Cybrary interface here if I scroll down. It is going to bounce around a little bit, but if I just read Cybrary, you can see that it is on channel one. It is receiving packets; I have some size and some traffic on it, and there are a couple of things running on channel one. Others are running on channels six and eleven, so those are definitely the high-traffic channels at the moment. Then basically it is just going through this, and you can click on this menu up here. There is your server console; I can do a D for disconnect or C to connect.
I can add a source, I can configure a channel, configure plugins, and you can basically just kind of go through this if you wanted to. So if I wanted to add a plugin I could select the plugin, and it is basically: you scroll down with your up and down arrows and hit enter here. So, preferences: if I wanted to set up some preferences, I could set up colors or GPS or columns or servers or hoardings, or start and stop the server. Also I can sort. Right now it is set to auto sort, but I can sort by type, channel, what is encrypted versus not. So I just do E; this will basically set it up to sort by encryption, and that will stop it from bouncing around a little bit. So that is a good idea, the sort; otherwise, if you just click on the sort menu here at the top, you will be able to see the networks in play here. So, like, S for sort or K for Kismet or V for view and W for windows. So I like to do a Ctrl+Alt, and that will give me that menu, and S for sort, or hit enter, etc., etc. So you can scroll through that; you can do first seen, last seen, sort by the SSID or BSSID, and then you can just basically either type the letter here that you want, and that will automatically do it for you if you are into keyboard shortcuts, or you can actually just scroll through and actually select it if you want. So now I have got it sorted by SSID. Another cool part about what Kismet does is that it actually shows you which people have their SSID set to "do not broadcast", and I like that, because what are they trying to hide at that point? But we are going to scroll here and look at Cybrary, which is the access point that I currently have set up. You can see the BSSID 001F9028614, and it is basically set up to encrypt the traffic. So I can go ahead and hit enter there, and I can kind of scroll through here and get a basic overview of how that access point is set up.
So I have your SSID, Cybrary; your BSSID again, 001F, and we will just call it 001F for short, and it is definitely very helpful to go ahead and write that down, because whenever you are doing any sort of attack you are going to need to reference these BSSIDs, especially if you start getting into spoofing access points and things like that. The manufacturer is ActionTe, which is Actiontec, which is basically the default Verizon access point that we have had for some time now. I just started it, so its first seen is accurate. It is an access point set up as managed infrastructure. It is running on channel one; it shows me the frequencies that it is running on and what packets it has seen per frequency and what percentage of the traffic. So it is running on frequency 24, 12 and 17 the most, because that is where about 70% of the traffic is actually coming in on. The SSID is Cybrary, so not only does it say the name at the top but also the SSID at the bottom. The beacon: beacons are types of traffic; this is basically an advertisement from one access point to another access point. The 802.11d country I am set in is the United States; the encryption level is set; 10% of the traffic has been weak. Also I have my signal, noise, what encryption it thinks it is set as. So it is picking it up as set up as WEP, which is correct, and the interface which it is seen on, wireless LAN zero, and so that will give you a basic overview of basically how this is set up. So I accidentally shut down the server, so let me start it back up again, and you notice it is okay to do that. Sometimes you go in and out of this little scanner time after time after time. In a second it should pop up, or you can actually tell it to start the server. So Kismet, start server; started; give it a second to run. Okay, now that the server is back and running, we can go ahead and basically look at the different types of traffic here.
So you can set for specific networks if you want: an Alt+N will bring up the network menu. We are not going to need that right now, so we are going to close out of that. Also you could do an Alt+V, and that will show you the view menu as well. So if you want to mess with that, you certainly could. Now that Kismet is up and running and I have it sorted to Cybrary, you get all of the basic details that you need here right in this menu, and you get to specifically see some of the traffic and the pattern, and I have got it sorted to Cybrary. Otherwise, some of the other things that you guys can do in here is go through the sort menus, the view menus, if you want to look at the GPS data, battery information, status; these are all different things that you can add, specifically like client list and things like that per interface. So you can see that I have got a couple of clients connected to the Cybrary interface as well, and that is helpful because that tells you one corresponds to the number of packets that the access point is actually seeing. You would expect a large number of clients to produce a lot more traffic, so that would make sense as well. Otherwise you kind of poke around; it is all based on keyboard shortcuts. Like I said, it is used as a police scanner of sorts. If you just want to read the information messages right here, you can kind of see what is happening between the clients and server and things like that. If you do decide to use this with a particular GPS client, that will be really, really helpful for plotting the networks out. I currently don't have the GPS set up at this time, but I could easily do that as well; I would just have to plug it in and then have Kismet basically read the GPS data as well. Then you can go out and you start war driving or war walking or war chalking, which is your symbols, and you can go ahead and do all the classic stuff right here.
Otherwise it is basically just poking and prodding around and getting an idea of how this works. The Kismet menu is really, really simple: plugins, preferences, disconnect and connect, start the server, stop the server, sort by type, channel, whether it is encrypted or not, basic service set identifier, the number of packets, and what you actually want, like the client list. Sometimes it is easier to take off that client list just because it cleans up your interface a little bit. So like I said, a basic program to use. I love it as a basic sniffer, a quick sanity check for who is out there, and then you can have some fun with it. Then you start getting into some of the advanced details: you want to start seeing the client list for that particular interface; you can start pulling the MAC addresses of the clients connected to it. And then finally you just shut down the server; Ctrl+C will shut it down. It will say "Kismet client is...". So that is the basic setup of a little wireless scanner like Kismet. There are other ones that are certainly more popular, but this gives you all the critical information that you need, so that if you want to start doing airmon or something like this, you get the basic service set identifier and things like that, because the next step would be to take the things that you learn from Kismet and then start learning how to do some of that aircrack-ng suite. So for example airmon-ng is certainly going to be one of the next things that you are going to do. So I just did an airmon-ng -h, and you can see that airmon-ng: start, stop, check; the interface; and then the channel. So just to give you an idea: airmon-ng start, sniffing the traffic, use your interface, wlan0, and we were set to channel one, channel or frequency. Now, some of the mandatory stuff is going to be in the greater-than and less-than brackets, so start, stop, check, that is mandatory, and then the interface is mandatory, and then the channel or frequency is optional, but if you know it
you don't add it in... Okay. So here is "airmon found processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill some of them." So in this case the NetworkManager, the WPA client and dhclient; these are all potentially interfering with this, which is similar to doing an airmon-ng check. So in some of the old conventions you could do a check kill, and so that would actually... it is very, very helpful, because anything that has the potential for interfering with this, it will actually kill the processes that are interfering. So you can do that right from within this, as opposed to doing something like a kill or pkill or something like that, where you actually have to type all of this stuff in. Basically, if you put kill at the end of your statement, that will certainly speed things up, and then we will just go and turn it on again. And now we get something completely different: airmon started for the wireless interface, channel one. So we have got wlan0, monitor interface with my arrows, and monitor mode enabled on my monitor one, and then we also get our monitor channel. So basically we are set to monitor mode at this point. I have just done very, very basic stuff here. I set up Kismet as a scanner, I looked around, I have got some basic information that I need, and then I can go ahead and spin that off and run that into some other labs like airmon and things like that, and we will cover those in subsequent videos and things like that. I just want to get the basics for Kismet set up first, so that I can start sniffing out basic service set identifiers, and it will be helpful to have a pen and paper handy so that you can jot down SSIDs and clients and MAC addresses and extended service set identifiers or some things like that. So that is an overview of Kismet. Thanks for watching; my name is Leo Dregier and I will see you in the next video.
[/toggle_content] The last lab of the Wireless module series focuses on Kismet scanning. Kismet is a "police scanner"-like tool for wireless networks. In the Kismet lab, you'll learn proper setup and other basic wireless network sniffing tasks. You'll see a demonstration of how it works in real time and learn which options are available to select for the type of monitoring and analysis you want to perform in your penetration testing routine.
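The lab's advice is to sort Kismet's network list by encryption, watch which channels carry the traffic, note APs that do not broadcast their SSID, and write down BSSIDs and client counts. The following is an added example, not code from the Cybrary lab or from the Kismet project: it takes a constructed list of networks in the shape of Kismet's view (the records and all BSSIDs are made up here, not real Kismet output) and produces that pen-and-paper inventory, ranking the weakest protection first the way the "e" sort does.

```python
# Added example (not from the Cybrary lab or the Kismet project): a small
# survey reviewer for the kind of network list Kismet shows. Input records are
# constructed here; they are not real Kismet log output or a real site survey.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Network:
    ssid: str        # "" when the AP does not broadcast its SSID
    bssid: str
    channel: int
    encryption: str  # "Open", "WEP", "WPA" or "WPA2"
    clients: int


# Constructed sample survey in the spirit of the lab's view: one WEP lab AP on
# channel 1 plus neighbours on 6 and 11. Every BSSID below is made up.
SURVEY = [
    Network("Cybrary", "00:1F:90:28:61:4A", 1, "WEP", 2),
    Network("", "00:11:22:33:44:55", 1, "WPA2", 0),
    Network("Guest", "66:77:88:99:AA:BB", 6, "Open", 5),
    Network("Office", "CC:DD:EE:FF:00:11", 11, "WPA2", 3),
    Network("Legacy", "22:33:44:55:66:77", 6, "WPA", 1),
]

# Strongest to weakest; used to rank networks so weak ones stand out.
ENC_RANK = {"WPA2": 0, "WPA": 1, "WEP": 2, "Open": 3}


def sort_by_encryption(nets):
    """Like Kismet's 'e' sort: weakest protection first, then by SSID."""
    return sorted(nets, key=lambda n: (-ENC_RANK[n.encryption], n.ssid))


def channel_summary(nets):
    """Networks per channel, as the lab eyeballs channels 1, 6 and 11."""
    return dict(Counter(n.channel for n in nets))


def findings(nets):
    """What a reviewer should jot down: WEP/open APs and hidden SSIDs."""
    notes = []
    for n in nets:
        if n.encryption in ("WEP", "Open"):
            notes.append(f"{n.bssid} ({n.ssid or '<hidden>'}): "
                         f"{n.encryption} on ch {n.channel}, {n.clients} clients")
        if not n.ssid:
            notes.append(f"{n.bssid}: SSID not broadcast on ch {n.channel}")
    return notes
```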