
Ethical hacking: Wireless hacking with Kismet by Blackhat Pakistan 2023

To continue our ethical hacking series, we now dive deeper into the process of wardriving, wireless hacking, and the roles that the Linux tool Kismet plays in an ethical hacker’s toolkit.

We’ve all heard the importance of securing your wireless network with WPA2 encryption, channel inspection, and a strong, non-default password. But why? What kind of attacks are organizations and individuals actually protecting against?

In short, whether a hacker has a specific target in mind or is looking for any vulnerable device worth attacking, wireless networks are a common vector that can be exploited. In either case, hackers, both black hat and white hat, can use a powerful and highly configurable tool called Kismet to identify potential target wireless networks, capture specific information about those networks for use with other tools, and create a plan for further penetration of the network.

Because wireless networks are designed for convenience and flexibility, hackers are able to turn these benefits for users into potential vulnerabilities for their own use. For example, without prior knowledge of the target network or any user credentials, a penetration tester can “sniff” the network, monitor its packet traffic, identify specific routers, and then use a number of different techniques to gain access to them and achieve their goals.

So how can an ethical hacker use Kismet? Let’s dive right in.

Kismet overview

In short, Kismet is a very powerful wireless sniffing tool shipped with Kali Linux. It is an open-source tool well known to ethical hackers, network security experts and penetration testers. Although it can run on Windows and macOS, most users prefer to run Kismet on Linux because of the greater range of available configurations and drivers. On the radio side, Kismet can capture 802.11a/b/g/n traffic.

Of course, Kismet can also be used for more benign purposes, such as wireless network scanning and even intrusion detection. It is most commonly used for its “RFMON” (radio frequency monitoring) mode. Kismet’s support for RFMON means the user can monitor traffic and identify wireless networks without having to associate with an access point, whereas packet sniffing tools such as Wireshark, NetScout or Aircrack commonly rely on an association. In other words, Kismet is able to display all the packets it captures, not just those belonging to a single access point broadcasting under a single Service Set Identifier (SSID).

In addition to its configurability and broad packet capture capabilities, Kismet’s ability to capture packets without leaving any signs that it is being used makes it a popular ethical hacking tool.

Wireless network identification

A wireless access point (WAP) broadcasting its signal and SSID is easily discovered by any device with a wireless card. On the other hand, some individuals and organizations choose to hide their SSID, or not broadcast it at all, in an effort to be more secure.

In either case, Kismet is able to identify the traffic of a wireless network as packets pass through its antennas, giving hackers the ability to identify potential targets as they move around. This technique is called wardriving, and it is possible because Kismet is limited solely by the ability of the wireless network interface controller (WNIC) to intercept packets, which depends on the range and strength of the WAP’s broadcasts.


Of course, this ability has a downside: the hacker will have to know what they’re looking for and potentially sift through a lot of network traffic to find the information they need.

Kismet and penetration testing

Kismet is also a powerful tool for penetration testers who need to better understand their target and perform wireless LAN discovery. Although it should not be the only tool and technique used, Kismet is able to identify the WAP in use, the SSID and the type of encryption used on the network. With this information, penetration testers can use other open-source tools to gain additional network access and privileges.
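Both the hidden-SSID point above and the list of what Kismet learns passively (the WAP’s BSSID, the SSID and the encryption type) come down to decoding 802.11 beacon frames. The following is an added example, not code from the original post or from the Kismet project: a small Python parser that builds three constructed beacons (WPA2-PSK, hidden-SSID WEP, open) and extracts the same fields a monitor-mode sniffer would, without ever associating. The frame layout and RSN suite codes follow the 802.11 standard; the BSSIDs and SSIDs are made up.

```python
import struct
# Constructed sample beacons (no radiotap header), not captures from the post.
# Layout: 24-byte MAC header, timestamp(8), interval(2), capability(2), then IEs.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
RSN_WPA2_PSK = bytes([48, 18]) + bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0100" "000fac02")  # v1, CCMP, CCMP, PSK
def beacon(bssid, ssid, privacy, ies=b""):
    """Minimal beacon: FC=0x0080 (mgmt/beacon), DA=broadcast, SA=BSSID."""
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = 0x0001 | (0x0010 if privacy else 0)  # ESS bit; Privacy bit = WEP or WPA
    return hdr + struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid + ies

def rsn_summary(rsn):
    """Decode the RSN (WPA2) IE: group cipher, pairwise ciphers, AKM suites."""
    group = CIPHERS.get(rsn[5], "?")               # each suite = OUI(3) + type(1)
    n_pair = struct.unpack_from("<H", rsn, 6)[0]
    pair = [CIPHERS.get(rsn[11 + 4 * i], "?") for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", rsn, off)[0]
    akms = [AKMS.get(rsn[off + 5 + 4 * i], "?") for i in range(n_akm)]
    return "WPA2 %s pairwise=%s group=%s" % ("/".join(akms), "+".join(pair), group)

def parse_beacon(frame):
    """What a passive RFMON sniffer learns from one beacon, without associating."""
    if (frame[0] & 0xFC) != 0x80:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "hidden": False, "security": "OPEN"}
    ies, off = {}, 36
    while off + 2 <= len(frame):                   # walk id/len/value triples
        tid, tlen = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + tlen]
        if len(val) < tlen:
            break                                  # truncated IE: stop, don't crash
        ies.setdefault(tid, []).append(val)
        off += 2 + tlen
    ssid = ies.get(0, [b""])[0]
    if not ssid.strip(b"\x00"):                    # empty or all-null = hidden SSID
        info["hidden"] = True
    else:
        info["ssid"] = ssid.decode("utf-8", "replace")
    if 48 in ies:
        info["security"] = rsn_summary(ies[48][0])
    elif cap & 0x0010:
        info["security"] = "WEP"                   # Privacy set but no RSN IE
    return info
SAMPLES = {"corp": beacon(bytes.fromhex("02000000aa01"), b"CorpNet", True, RSN_WPA2_PSK),
           "hidden_wep": beacon(bytes.fromhex("02000000bb02"), b"", True),
           "guest": beacon(bytes.fromhex("02000000cc03"), b"Guest", False)}
```

Note that the hidden-SSID beacon still reveals the BSSID and the fact that it uses WEP; hiding the SSID only removes the name from beacons, not the network from view.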

To facilitate this, Kismet has built-in reporting and network summary capabilities that a penetration tester or hacker can use to evaluate common trends in network usage, network strength, and WAP configuration. In addition, users can set Kismet to trigger an audio or pop-up alert when a certain condition is met, so that further action – defensive or offensive – can be taken.

Taking the next step

So how do ethical hackers and penetration testers use the data they capture in Kismet? While there is no single way forward, there are three common paths: MAC address spoofing, packet injection, and Wired Equivalent Privacy (WEP) cracking.

The first way is simple. As Kismet operates, it records network traffic and the devices connected to the WAP (including their MAC addresses) as the packets fly through the air. From there, a hacker can change the hardware (MAC) address of their own Wi-Fi adapter to mimic a target network device and wait for the target WAP to re-establish a connection with that device, which under certain conditions connects the hacker to the Wi-Fi network. This MAC address “spoofing” effectively tricks the router into believing that the hacker’s device is legitimate, bypassing any access controls based on MAC address filtering that may be in place.

Another way an ethical hacker can build on Kismet’s functionality is to use it to facilitate packet injection. Packet injection, or packet spoofing, is when a hacker disrupts a network or server connection by first collecting legitimate packet traffic and then either intercepting packets that may contain useful data, such as handshakes or content, or injecting additional traffic for man-in-the-middle, denial-of-service or distributed-denial-of-service attacks.

A third potential Kismet-enabled hacking technique is WEP password cracking. With the information obtained by Kismet (specifically the encryption type, SSID, signal strength, connected devices and WAPs), the hacker can then use other open-source tools such as BackTrack or Reaver. Each of these tools captures network traffic in a similar way to Kismet, but the information gained by Kismet allows a tool like BackTrack to narrow down its collection and potentially gather enough information over time to attempt to crack a WEP password.

Another deployment of Kismet

Finally, Kismet has also been deployed by hackers and information security professionals in other capacities, including as a single drone or a series of drones, as passive sensors, or in coordination with geographic network mapping.

Because of its open-source availability and configurability, Kismet has also been installed as a drone, either alone or in a network of several machines. These drones continuously collect data from WAPs in the area and send it back to a central server for logging and even alerting based on set criteria. This lets network security professionals keep track of their own WAPs, or track the presence of specific devices, WAPs or other packets that a hacker may be interested in.
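The alerting described here, and the alert trigger mentioned under “Kismet and penetration testing”, is what a defender actually wants from a drone feed. The following is an added example, not Kismet’s own code or the post’s: it applies three assumed rules to constructed sighting records (an unknown BSSID advertising a corporate SSID, a known BSSID appearing on the wrong channel as in the MAC-spoofing scenario above, and a watchlisted device being heard), throttling repeat sightings so one rogue does not flood the console. The inventory, MAC addresses and record shape are all made up for the example.

```python
# Constructed sensor records in a simplified shape; they are not Kismet's own
# log format and not data from the original post. Inventory values are assumed.
AUTHORIZED = {"CorpNet": {"02:00:00:00:aa:01", "02:00:00:00:aa:02"}}  # SSID -> BSSIDs
HOME_CHANNELS = {"02:00:00:00:aa:01": 6, "02:00:00:00:aa:02": 36}     # where each AP lives
WATCHLIST = {"02:00:00:00:ee:99"}                                     # device of interest
RECORDS = [
    {"bssid": "02:00:00:00:aa:01", "ssid": "CorpNet", "channel": 6, "dbm": -45},
    {"bssid": "02:00:00:00:aa:02", "ssid": "CorpNet", "channel": 36, "dbm": -60},
    {"bssid": "02:00:00:00:dd:07", "ssid": "CorpNet", "channel": 11, "dbm": -40},
    {"bssid": "02:00:00:00:aa:01", "ssid": "CorpNet", "channel": 1, "dbm": -38},
    {"bssid": "02:00:00:00:ee:99", "ssid": None, "channel": 6, "dbm": -70},
    {"bssid": "02:00:00:00:dd:07", "ssid": "CorpNet", "channel": 11, "dbm": -41},
]

def evaluate(records, authorized=AUTHORIZED, home=HOME_CHANNELS, watch=WATCHLIST):
    """Rules a sensor would apply to each sighting; one alert per (rule, bssid)."""
    alerts, raised = [], set()

    def alert(kind, bssid, detail):
        if (kind, bssid) not in raised:               # throttle repeat sightings
            raised.add((kind, bssid))
            alerts.append((kind, bssid, detail))

    for r in records:
        b, s, ch = r["bssid"], r["ssid"], r["channel"]
        if s in authorized and b not in authorized[s]:
            alert("EVIL_TWIN", b, "unknown BSSID advertising %s on channel %d" % (s, ch))
        elif b in home and ch != home[b]:             # our BSSID, wrong channel: cloned MAC?
            alert("CHANNEL_MISMATCH", b, "expected channel %d, seen on %d" % (home[b], ch))
        if b in watch:
            alert("WATCHLIST_SEEN", b, "watchlisted device heard at %d dBm" % r["dbm"])
    return alerts
```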

Another way ethical hackers and information security professionals can use Kismet is in coordination with the tool’s native mapping capability. Because of the way it captures data, Kismet’s native data format integrates well with mapping applications, especially Kismet’s own GPSMap feature. GPSMap combines Kismet’s WAP and network data with online map data to overlay the captured networks on a map. Additional repositories such as WiGLE can be used to identify further SSIDs and networks of interest, which can be correlated with the user’s own packet capture.

Armed with this information, the hacker can continue their journey, gain a better understanding of their network environment, or use openly available data to find potential vulnerabilities.


Whether your business is penetration testing or ethical hacking, Kismet is an essential tool to understand and have in your toolbox. It enables techniques such as wardriving, GPS mapping, network reporting and alerts, as well as more advanced actions such as packet injection and DoS.

By understanding Kismet and its strengths, any cybersecurity professional can go a long way toward understanding their target, their vulnerabilities, and what a potential attacker might see if they have more dangerous intentions.
