Wednesday, August 13, 2008

How to Kismet wireless sniffer | your neighbor

Last week I discovered that my neighbor is connecting to my unsecured wireless router and has been using my internet connection. I don't know how long she has been doing it. Anyway, I logged into my router and checked the DHCP client table, and there I saw a hostname and MAC address that were not familiar to me. At first I thought about setting up a WEP key to prevent her from connecting, but realized that wouldn't be fun, and instead decided to sniff her wireless traffic and see what data I could get. After sniffing for a couple of days I sent her a letter with some details of her traffic and suggestions on what to surf on the net, just to see if I could scare her off. Right now my wireless router is still unsecured, but no one is connecting to it, and it's been 3 days. Anyway, this is a quick and dirty how-to on configuring and using Kismet.

By the way, I don't know my neighbor. I know it's a she because I searched for her on Facebook using her login e-mail, which I found in the dumps.

Now on to the Kismet how-to

What you need
- A Linux OS - in this case I use Mepis, as it is already installed on my laptop
- A wireless card that is supported by Kismet (check the Kismet documentation)
- Kismet - an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system
- Ncurses
- Tcpdump - to read the dump files; you can also use Ethereal
- And finally, an intruder on your wireless network

In my case I installed Kismet using apt-get, as I have Mepis installed on my laptop.

Once Kismet is installed, run
$cd /etc/kismet
$vi /etc/kismet/kismet.conf

And edit the following lines in it

Kismet configuration file - kismet.conf
-----------------------------
You need to set the user. In my case I run it as root, as it is not working for me as a regular user.

# User to setid to (should be your normal user)
#suiduser=your_user_here



You need to define your interface. In my case the chip I have is "ipw3945", the interface is "eth1" and I want it named "Kismet". Search the Kismet documentation for the source type of your interface.
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README under the
# CAPTURE SOURCES section.
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
source=ipw3945,eth1,kismet


We don't want channel hopping, since we already know what channel they're connecting to
# Do we channelhop?
channelhop=false


Since we don't want channel hopping, I defined the channel (11) I want to sniff on for the 802.11b network
# Users outside the US might want to use this list:
# defaultchannels=IEEE80211b:1,7,13,2,8,3,14,9,4,10,5,11,6,12
#defaultchannels=IEEE80211b:1,6,11,2,7,3,8,4,9,5,10
defaultchannels=IEEE80211b:11

And for the 802.11g network
# 802.11g uses the same channels as 802.11b...
defaultchannels=IEEE80211g:11
----------------------------

You can also edit the log format, the log limit or the path where you want it to log.

After changing the values in the configuration file, type
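
A small check for the settings edited above, added here as an example (it is not code from the original post or from the Kismet project). It applies only the rules stated in the kismet.conf comments quoted above; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the style of the excerpt above (not a real file);
# the missing initialchannel and the ';' separator are deliberate mistakes.
SAMPLE_CONF = """\
# User to setid to (should be your normal user)
#suiduser=your_user_here
source=ipw3945,eth1,kismet
channelhop=false
defaultchannels=IEEE80211b;11
defaultchannels=IEEE80211g:11
"""

# NAME:ch[,ch...] as in the commented defaultchannels examples in the excerpt
CHANNELS_RE = re.compile(r"^\w+:\d+(,\d+)*$")

def parse_conf(text):
    """Return (key, value) pairs for active lines; comments and blanks are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def lint_conf(text):
    """Return warnings for suiduser, source and defaultchannels entries."""
    pairs = parse_conf(text)
    values = dict(pairs)  # last value wins for single-valued keys
    warnings = []
    if not values.get("suiduser"):
        warnings.append("suiduser: not set, so there is no normal user to setid to")
    no_hop = values.get("channelhop", "").lower() == "false"
    for key, value in pairs:
        if key == "source":
            fields = value.split(",")  # sourcetype,interface,name[,initialchannel]
            if len(fields) not in (3, 4):
                warnings.append(f"source: expected 3 or 4 fields, got {len(fields)}")
            elif no_hop and len(fields) == 3:
                warnings.append(f"source {fields[2]}: channelhop=false but no initialchannel")
        elif key == "defaultchannels" and not CHANNELS_RE.match(value):
            warnings.append(f"defaultchannels: bad syntax {value!r}")
    return warnings

if __name__ == "__main__":
    for warning in lint_conf(SAMPLE_CONF):
        print("WARN", warning)
```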
$kismet

Once Kismet is running, press the letter "s"; it should select the AP it sees. Then press "t" to tag that AP, and press "d" to see dumps on your screen. Press "h" for more help on other commands.

Once you're through sniffing, go to the log files saved under /var/log/kismet
$cd /var/log/kismet

Now, to read your dumps, issue the command
$tcpdump -vvv -XX -p tcp -nr /var/log/kismet/Kismet.date.dump

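Short description of the tcpdump options used above

- -vvv: very verbose output
- -XX: print the headers of each packet and the data of each packet, including its link-level header, in hex and ASCII
- -p: do not put the interface into promiscuous mode; the tcp that follows it is a filter expression that limits the output to TCP packets
- -n: do not resolve IP addresses to names
- -r: read packets from a file


That's it, and enjoy sniffing.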

3 comments:

caesium5 said...

After running kismet, how would you "wake up" networkmanager?

Genius24k said...

You wouldn't need to use networkmanager, Kismet should be able to sniff the network passively

Adam said...

hehe, that's pretty funny about the note for the neighbor. It sounds like something I would do.

I just wanted to inform users that Ubuntu is no longer updating the repos for kismet.

You can download the deb files directly from the kismet website.
