Ethical hacking: wireless hacking with Kismet
To continue our ethical hacking series, we are now going to dive deeper into the process of wardriving, wireless hacking and the roles that the Linux tool Kismet plays in an ethical hacker’s toolbox.
We have all heard that it is important to secure your wireless network with WPA2 encryption, channel control and a strong, non-default password. But why? What sort of attacks are organizations and individuals actually protecting themselves against?
In short, whether a hacker has a target in mind or they are on the lookout for any vulnerable device worth attacking, wireless networks are a common vector to exploit. In either case, hackers — both black- and white-hat hackers — can use a powerful and highly configurable tool called Kismet to identify potential target wireless networks, capture specific information about that network to use with other tools and develop a plan to further penetrate that network.
Because wireless networks are meant for convenience and flexibility, hackers are able to turn these advantages for users into potential vulnerabilities for their own use. For example: Without prior knowledge of a target’s network or user credentials, a penetration tester can “sniff” out a network, watch its packet traffic, identify specific routers and then utilize a variety of different techniques to gain access to them to further their goals.
So just how can an ethical hacker use Kismet? Let’s dive right in.
Overview of Kismet
In short, Kismet is a very powerful wireless sniffing tool that is found in Kali Linux. This is an open-source tool very familiar to ethical hackers, computer network security professionals and penetration testers. While it can run on Windows and macOS, most users prefer to run Kismet on Linux because of a bigger range of configurations and drivers available. Wirelessly, Kismet is able to sniff 802.11a/b/g/n traffic.
Of course, Kismet can be used for more benign purposes, such as for wireless network scanning and even intrusion detection. It is most often used for its “RFMON” or ”radio frequency monitoring” mode. Kismet’s ability to facilitate RFMON means that a user is able to monitor traffic and identify wireless networks without having to associate with an access point, which is common for Wireshark, NetScout or Aircrack packet-sniffing tools. In other words, Kismet is able to display all of the packets it captures and not just those specific to one access point broadcasting under one Service Set Identifier (SSID).
In addition to its configurability and broad packet capture ability, Kismet’s ability to capture packets without leaving any signs that it is in use makes it a popular ethical hacking tool.
Wireless network identification
A wireless access point (WAP) broadcasting its signal and SSID is easy for any device with a wireless card to detect. On the other hand, some individuals and organizations choose to attempt to hide or not broadcast their SSID in an effort to be more secure.
In either case, Kismet is able to identify wireless network traffic as packets are traversing its antennae, giving hackers the ability to identify potential targets as they move. This is a technique called wardriving and is possible because Kismet is limited solely by the ability of the wireless network interface controller (WNIC) to catch packets based on the range and strength of the WAP(s) broadcasting.
Of course, there is a downside to this ability: a hacker will have to know what they are looking for and potentially wade through a lot of network traffic to find the information that they need.
Kismet and penetration testing
Kismet is also a powerful tool for penetration testers that need to better understand their target and perform wireless LAN discovery. Although it should not be the only tool and technique employed, Kismet is able to identify WAPs in use, SSIDs and the type of encryption used on a network. With this information, penetration testers can use additional open-source tools to gain additional access and privileges into the network.
To facilitate this, Kismet has built-in reporting and network summarizing features which a penetration tester or hacker can use to evaluate for common trends in network usage, network strength and WAP configuration. Additionally, users can set Kismet to trigger an audio or pop-up alert if a certain condition is met, so further action — defensive or offensive — can be taken.
Taking the Next Step
So how do ethical hackers and penetration testers make use of the data they have captured in Kismet? While there is no one way to move forward, there are three common paths: MAC address spoofing, packet injection and wireless encryption protection (WEP) cracking.
The first path is simple. As Kismet is operating, it is capturing network traffic and the devices that are connected to the WAP (including their MAC address) as packets are flying through the air. From here, hackers can change their own Wi-Fi router hardware to mimic a target network device and wait for a target WAP to reestablish a connection with that device, effectively connecting the hacker to the Wi-Fi network under certain conditions. This MAC address “spoofing” effectively tricks the router into believing the hacker’s device is legitimate, bypassing any MAC address-based filtering access controls that may be in place.
Another way for an ethical hacker to build off of Kismet’s functionality is to use it to facilitate packet injection. Packet injection, or spoofing packets, is when a hacker interferes with a network or server connection by first collecting legitimate packet traffic and then either intercepting packets that may contain useful data, such as handshakes or content, or by inserting additional traffic for man-in-the-middle, denial-of-service or distributed-denial-of-service attacks.
A third potential Kismet-enabled hacker tool is WEP password cracking. With the information obtained by Kismet (namely the type of encryption, SSID, signal strength, devices connected and WAPs), a hacker can then use other open source tools like BackTrack or Reaver. Each of these tools will capture network traffic in a way similar to Kismet, but the information gained by Kismet will allow a tool like BackTrack to narrow its collection and, over time, potentially collect enough information to attempt to crack the WEP password.
Other Kismet deployments
Finally, Kismet has also been deployed by hackers and information security professionals in other capacities, including as an individual or series of drones, passive sensors or in coordination with geographic network mapping.
Because of its open-source availability and configurability, Kismet has also been installed to serve as a drone, either on its own or within a network of several machines. These drones continuously collect data from WAPs in the area and send it back to a central server for logging and even alerting, based on established criteria. This can allow network security professionals to evaluate the footprint of their WAPs or be used to monitor for the presence of specific devices, WAPs or other packets that a hacker may be interested in.
Another way that ethical hackers and information security professionals can use Kismet is in coordination with the tool’s native mapping capability. As it is capturing data, the Kismet native data format allows it to integrate nicely with mapping applications, especially Kismet’s own GPSMap feature. GPSMap uses its own WAP and network data as well as online repositories to overlay Kismet data onto them. Other repositories, such as WiGLE, can be used to identify other SSIDs and networks of interest, which can be used in coordination with a user’s own packet capture.
Armed with this information, a hacker can continue their wardriving, better understand their network environment or use openly available data to find potential vulnerabilities.
Whether you are in the penetration testing or ethical hacking business, Kismet is a must-have tool to understand and have in your toolbox. It can enable techniques such as wardriving, GPS mapping, network reporting and alerts, and more advanced actions such as packet injection and DOS.
By understanding Kismet and its strengths, any cybersecurity professional can go a long way toward understanding their target, its vulnerabilities and what a potential attacker may see if they have more dangerous intentions.
- An Introduction To The Kismet Packet Sniffer, Linux.com
- Check and Enable Monitor Mode Packet Injection in Kali Linux, Kali4Hacking