Episode: 86 Title: HPR0086: Kismet Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0086/hpr0086.mp3 Transcribed: 2025-10-07 11:18:51 ---

Well, hi and welcome to Finnex's Student Hackers Guide to Linux. My name's Aaron Finne, but you guys can call me Finnex. So the aim of this segment is to take you through a Linux-based package that can be used to test your network or system security. I'm an ethical hacking student at a university in Scotland and an avid Linux fan, and it's my pleasure to welcome you to a number of packages that run on Linux-based operating systems. The package I would like to talk to you about today is a wireless network scanner and sniffer called Kismet, and how Kismet can be used to scan for wireless networks and devices. The aim of today's Student Hackers Guide to Linux is to use Kismet coupled with a GPS device and Google Earth for war driving. There is a how-to guide to support this segment. It's going to be made available on both the Linux Basement website and www.thelinuxsociety.org.uk. I do suggest getting hold of this first, definitely before you start any installation or configuration. I may refer to it from time to time, but both this segment and the how-to guide are for educational uses. You've got to remember guys, education is our biggest weapon in the war against insecurity, so use this guide with responsibility. I suppose I should start off by telling you a little bit about war driving. War driving is the act of searching for wireless networks by a person in a moving vehicle using a Wi-Fi enabled computer such as a laptop or PDA. It's sort of similar to using a radio scanner or the amateur radio practice of DXing. There is a point that I would like to make clear. Certainly within the UK it's not illegal to do war driving; however, I can't say the same for your part of the world.
In this war driving guide we never actually connect to any of the networks that you discover, and I think, quite clearly, morally I tend to agree with that. It's certainly not legal to connect to someone else's network without their permission in the UK, and I would imagine in most parts of the world it's pretty much the same there too. If it's not your network and you haven't been invited, then you don't have any place on it. I don't condone it. If you do it and get yourself into trouble, I'm not going to have any sympathy for you. Sorry for the kind of government health warning, but I wanted to make it clear that I don't want you to use this guide for breaking the law. Well guys, the idea behind this guide is that we run Kismet and the GPS device, and then with that setup we can go and detect secured and unsecured wireless networks and plot their position anywhere on the planet. Then you can either hop into your car, jump on a bike or have a walk with this setup around an area, and those results are stored into a database, which we'll later use to plot your findings. We get those findings and we're going to insert them into Google Earth. It goes without saying that a laptop is required for war driving; however you could use a PDA, but for the sake of this tutorial we're going to use a laptop. It also goes without saying, guys, while you're driving, keep your eyes on the road, not on the laptop screen. We're not going to be responsible for anyone having any accidents. Even if you don't have a laptop and you're not going to go and do a war drive, I seriously suggest installing Kismet. It's a fantastic tool for checking your wireless network, making sure that the devices that are connected to your wireless network are known to you. Also, if you have a lot of Wi-Fi problems, it's worth running Kismet to see if you have a conflict with other wireless networks in your area. Moving on to the main topic of this guide: so what is Kismet?
Well, apart from it being an Indian word meaning fate or luck, it also happens to be a wireless scanning tool. Kismet describes itself as an 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode and can sniff out 802.11b, 802.11a and 802.11g traffic. Well, simply put, what this means is that Kismet's a tool for manipulating the function of your wireless card, and it puts it into what's known as promiscuous mode. This is also sometimes described as raw monitoring mode, or rfmon. I suppose the next thing I should really talk about is active and passive scanning. One of the really cool things about Kismet, and it's really known for this, is that it's a passive scanner. Now, I really can't talk about passive scanning without touching on active scanning, and one of the most well-known active scanners that I can think of is NetStumbler. NetStumbler works by broadcasting requests for any access point to respond to it. This is known as an ANY request. Now, the "any" part of that request is spelled in capitals. Basically what happens is the AP responds to this ANY request, telling the enquirer the name of the network that's responded, and thus by doing this it maps that the AP's there. Now, a countermeasure to this would be to tell your AP not to respond to ANY requests, only to respond to requests with its network's name. This is known as a cloaked or hidden wireless network. However, Kismet doesn't work like this, and this is where the power of Kismet really lies. Kismet turns your card into what could best be described as a listening post: a great big ear that's listening out for everything. Then it takes that information, dissects it, and from there it finds the results. By doing this it's able to decode hidden APs and also detect other wireless devices such as other wireless cards. Wireless devices send out a constant beacon when they're active.
Kismet will see this and then report that it's found a device probing for a network or an AP. It takes that packet that's been sent out, looks inside that packet, and from there it can find out a lot of information about that device, such as the MAC address of the device or if it's connected to a network. The MAC address is needed in a probe or a connection so that any device that receives that probe can respond back. Try to think of this as like the IMEI number of a mobile phone handset, an absolute address. You can change your SIM card, you can change the carrier, but you're not going to change the IMEI of the handset. If a mobile phone operator wanted to send an update, rather than picking out a single mobile phone telephone number to send it to, they would send it to the handset; they would send it to its IMEI fingerprint, its absolute physical address. As with a MAC address, this number should never be changed; it's a physical identifier for that device. However, there are a few packages that can be used to spoof MAC addresses. Well, with Kismet you can run a test and see what wireless networks are open or closed in your office infrastructure. Like all defensive tools, this can be used by a hacker for illicit purposes. With Kismet you can sit outside a wireless network, never connect to it, and then intercept and sniff all the MAC addresses that connect to that wireless network. If the only security that you employ on your wireless network is MAC address filtering, then you bypass that ring of security. MAC address filtering is when an AP allows a connection to the network depending on the MAC address of the device that's requesting that connection. Most common home wireless routers have this facility, and a number of organisations use MAC address filtering as well.
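As an added example (not code from the episode), here is a small Python script that does the defensive check Finnex mentions earlier: compare the client MAC addresses Kismet shows you against the devices you know about, and flag any address with the locally-administered bit set, which means it was assigned by software rather than burned into the card. The allow-list and the observed MACs below are constructed sample data.

```python
"""Check Kismet-observed client MAC addresses against an allow-list.

Added example, not code from the episode. Kismet reports the MAC of every
client it sees probing for or associated with a network; this compares
those with the devices you know. ALLOWED and OBSERVED are constructed data.
"""
import re

ALLOWED = {
    "00:1B:77:12:34:56",   # constructed: my laptop
    "001b-77-ab-cd-ef",    # constructed: my phone, written in another format
}

# Constructed sample of what Kismet might list as clients on your network.
OBSERVED = [
    "00:1B:77:12:34:56",
    "00:1b:77:ab:cd:ef",
    "02:1B:77:99:99:99",   # locally-administered bit set
    "00:0C:29:AA:BB:CC",
]


def normalize_mac(mac):
    """Return the MAC as six uppercase colon-separated octets, or raise."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Burned-in addresses have this bit clear; an address with it set was
    chosen by software, which is worth a second look if you only expect
    factory MACs on your network.
    """
    first_octet = int(normalize_mac(mac)[0:2], 16)
    return bool(first_octet & 0x02)


def unknown_clients(observed, allowed):
    """Return (mac, reason) for every observed MAC not on the allow-list."""
    allowed_set = {normalize_mac(m) for m in allowed}
    findings = []
    for mac in observed:
        canon = normalize_mac(mac)
        if canon in allowed_set:
            continue
        reason = "locally-administered" if is_locally_administered(canon) else "unknown"
        findings.append((canon, reason))
    return findings


if __name__ == "__main__":
    for mac, reason in unknown_clients(OBSERVED, ALLOWED):
        print("%s  %s" % (mac, reason))
```

Normalising both lists first matters because Kismet, router admin pages and your own notes rarely agree on upper case or separators, and a naive string comparison would report every device as unknown.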
There are some requirements for your wireless card to use Kismet, but the reason it's more of a Linux tool than a Windows tool is more to do with the way that the Windows OS interacts with this hardware via its wireless drivers. If you use NDISwrapper to get your wireless card to work, then unfortunately Kismet's not going to run for you. But most wireless cards in laptops seem to be supported. I can tell you from personal experience that the IPW, or Intel PRO/Wireless, cards are supported. What to do? Go to www.kismetwireless.net and look for the documentation section to see if your card is supported. Another package that I want to touch on here is a program called GPSdrive. GPSdrive is a navigation system that uses data from GPS devices and plots it on a map. I'm not going to go into much detail about GPS. GPS stands for Global Positioning System, and it's a technology whose purpose is to pinpoint your position in the world. It uses a number of satellites to plot an X and a Y placement. GPSdrive works pretty much hand-in-hand with Kismet and is incredibly easy for Kismet to use. Now, for the purpose of this guide I'm going to use Ubuntu 7.10 and a pretty standard laptop. The good news is that installing Kismet with Ubuntu is pretty easy and can be done simply by opening up a command line terminal and using the following command, sudo aptitude install kismet, or by searching in the Synaptic package manager. Kismet is a very popular package indeed, and I imagine most package managers and most distributions will have a copy of it in their repositories. However, the source code is available; it can be downloaded from www.kismetwireless.net and compiled from source. But for ease of use I've used the pre-compiled binary that's available in the Ubuntu repositories. Kismet is also available in the standard Debian repositories as well for anyone that's using a Debian system; the guide should be pretty much similar.
There's a little bit of configuration that needs to be done with Kismet; however, it's pretty simple and it's only going to take a couple of minutes. Once Kismet's installed you need to edit the kismet.conf file, which in Ubuntu and in Debian can be found in the /etc/kismet folder. Now we need to find the wireless capture source which is going to support your wireless card and Kismet. If you haven't already done so, go and visit www.kismetwireless.net/documentation.shtml and scroll down to section 12. There is a package that I think is installed by default on Ubuntu, but it isn't actually on Debian, called lshw, and it's just to list hardware. The good news is that it's available in the Debian repositories and in the Fedora ones as well; if it's not, just have a quick look around for it. The reason I say this is you might know what the driver for your wireless card is. If that's the case then this package isn't such an important part and you can skip this step, but there are a lot of people whose hardware is supported out of the box by Linux, and maybe you don't know what your wireless card is or what the driver is. You can download this package. We run this program and what that does is list the hardware for your wireless devices. You do this by issuing the following command: sudo lshw -C network. We want this to list all the network devices and the drivers that are being used by them. So in my case I issued sudo lshw -C network, and from there I found that my wireless card was using the ipw3945 driver. I then visited the documentation part of the Kismet website, scrolled down to section 12, and found that ipw3945 was supported. Now in my case there were a couple of choices, but I just went for the choice that was similar to my driver name. The next step would be to go and configure the kismet.conf file.
I've used gedit to work on the kismet.conf file, but like I say, you can use any text editor that you feel comfortable with. So in a terminal I put in the following command: sudo gedit /etc/kismet/kismet.conf. That would have been sudo gedit /etc/kismet/kismet.conf. And then I located the part of the file that said suiduser=your_user_here and replaced it with my username. Do not put the root username in here. Kismet starts with super user privileges and then drops back into normal user privileges. So in my case I changed it so it read suiduser=aaron. Then we need to set the capture source. I looked for the line that reads source=none,none,addme. Now the layout of this line is source=interface,capture source, and you can ignore the addme part. So now I edited the file with the interface. I put in eth1, but this may be different in your case. If you wish you can run ifconfig; this will tell you what your wireless device is. The source for me was ipw3945, and I left the addme bit. So my line read source=eth1,ipw3945,addme. Then I looked for the part of the config file that says "Do we have a GPS?" and then looked for the line that says gps=false. We need to change this to read gps=true, then save and exit the file. To test the configuration of Kismet, issue the following command into the terminal: sudo kismet. Now, I warn you that if you are connected to your network via wireless, you're going to first need to disconnect. You can do this with the network manager; it's pretty easy, you can right-click on it and deselect wireless. Either that, or you could issue sudo ifconfig <whatever your device is> down. Now step two would be to install GPSdrive. It's a pretty popular package and it's available in both the standard Ubuntu and Debian repositories.
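The three kismet.conf edits above (suiduser, the source line, gps) are easy to get subtly wrong in an editor, so here, as an added example that is not code from the episode or from Kismet, is a Python script that applies them by text substitution and refuses to run with root as the suiduser. SAMPLE_CONF is a constructed fragment shaped like the stock kismet.conf; the order of the fields in the source line follows the comment in that sample (source=sourcetype,interface,name), which is how the stock file documents it, so check the comment in your own kismet.conf. The values aaron, eth1 and ipw3945 are the ones from the episode and will differ on your machine.

```python
"""Apply the kismet.conf edits from the episode to a config text.

Added example, not code from the episode or from Kismet. SAMPLE_CONF is a
constructed fragment resembling the default kismet.conf on Ubuntu 7.10.
"""
import re
import sys

SAMPLE_CONF = """\
# Constructed fragment resembling the default kismet.conf
# User to setid to (should be your normal user)
suiduser=your_user_here
# Sources are defined as: source=sourcetype,interface,name
source=none,none,addme
# Do we have a GPS?
gps=false
gpshost=localhost:2947
"""


def set_option(text, key, value):
    """Replace the single `key=...` line with `key=value`.

    Refuses to guess if the key is missing or appears more than once, so a
    typo in the key or a duplicated line shows up instead of silently
    leaving the old value in place.
    """
    pattern = re.compile(r"^%s=.*$" % re.escape(key), re.MULTILINE)
    new_text, count = pattern.subn("%s=%s" % (key, value), text)
    if count != 1:
        raise ValueError("expected exactly one '%s=' line, found %d" % (key, count))
    return new_text


def get_option(text, key):
    """Return the value of `key=...`, or None if the line is absent."""
    match = re.search(r"^%s=(.*)$" % re.escape(key), text, re.MULTILINE)
    return match.group(1) if match else None


def configure_kismet(text, user, interface, capture_source):
    """Return the config text with suiduser, source and gps set.

    Kismet starts as root and drops to suiduser, so that account must not
    be root; this check enforces the warning from the episode.
    """
    if user == "root":
        raise ValueError("suiduser must be an unprivileged user, not root")
    text = set_option(text, "suiduser", user)
    # Field order as documented by the comment in the sample file; the
    # trailing "addme" name is kept, as the episode says to leave it alone.
    text = set_option(text, "source", "%s,%s,addme" % (capture_source, interface))
    text = set_option(text, "gps", "true")
    return text


def main(argv):
    """Usage: python kismet_conf.py USER INTERFACE CAPTURE_SOURCE [PATH]

    Without PATH the edited sample config is printed; with PATH (for
    instance /etc/kismet/kismet.conf) that file is rewritten in place.
    """
    if len(argv) < 4:
        print(main.__doc__)
        return 2
    user, interface, source = argv[1:4]
    if len(argv) > 4:
        path = argv[4]
        with open(path) as f:
            text = f.read()
        with open(path, "w") as f:
            f.write(configure_kismet(text, user, interface, source))
    else:
        print(configure_kismet(SAMPLE_CONF, user, interface, source))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the real file needs sudo, just like the gedit command in the episode; back the file up first, since the script rewrites it in place.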
However, if you're using a different distribution then check your package manager or download the source code and compile it from source. The web address for GPSdrive is www.gpsdrive.de. To install GPSdrive, issue the following command into the terminal: sudo aptitude install gpsdrive. Once that's done we need to configure GPSdrive to work with the GPS device. I've used a Bluetooth GPS device; I wouldn't suggest using something like that, not unless it's the only thing that you have to hand, which was the case here. It adds another layer of technology between you and your system and the desired results that you want. I'll quickly run through how I got the Bluetooth dongle to communicate with GPSdrive, but like I say, it's not what I would recommend. If you have a device that plugs directly into your system, this is what I'd go for. If this device works for you then great; if not, the best thing for you to do is have a quick Google about and find out how to make your GPS device work. I installed a couple of Bluetooth packages which are in the standard Ubuntu repository. I don't know about other distributions; you'll have to have a search about. sudo aptitude install bluez-pin bluez-utils. Once they were installed I then needed to edit the Bluetooth hcid.conf file, which I did by issuing the following command into a terminal: sudo gedit /etc/bluetooth/hcid.conf. When that file opened I replaced it with a config file. I'm going to make that config file available within the how-to guide. I then went and restarted the Bluetooth daemon by issuing the following command into a terminal: sudo /etc/init.d/bluetooth restart. When this is done I used the Bluetooth dongle to scan for Bluetooth devices in its area by issuing the following command into the terminal: hcitool scan. This listed Bluetooth enabled devices that were in range.
So I got a result back like 00:11:67:80:58:01 BT-GPS, which was the MAC address of the Bluetooth enabled GPS device. I then took this MAC address of the GPS device to make a serial connection between the Bluetooth dongle and the GPS device. I took the MAC address of the device and I used the package called sdptool. I issued the following command into the terminal: sdptool browse 00:11:67:80:58:01, and in the results I got back I found the channel that I was looking for. In my case it was channel 1. I then needed to make a file called rfcomm.conf, that's rfcomm.conf, in the /etc/bluetooth folder, by issuing the following command. I have made a sample copy of that config file which will also be available in the how-to guide. Anyway, the command was sudo gedit /etc/bluetooth/rfcomm.conf, and I added the contents of the file that I've made available in the how-to guide. So the next thing to do is start the GPS device and issue the following command into the terminal: rfcomm connect 4. If for some reason you get an error message like "Can't create RFCOMM TTY: Address already in use", then issue the following command into a terminal, sudo rfcomm release 4, and repeat the rfcomm connect 4 command again. Once this has been done you need to run gpsd, which is a daemon for GPS devices. It should have been installed by default anyway when you installed GPSdrive, but if it isn't, it's installed by the following command: sudo aptitude install gpsd. Once this is done you need to tell gpsd where it can find the GPS device. This is done by issuing the following command into a terminal: sudo gpsd /dev/rfcomm4. Once this is done you can check the GPS device to see that it's working properly by issuing the following command into a terminal: xgps. The next thing we want to do is set up a MySQL database to store the results from GPSdrive. After you've done that then we're nearly ready. Once your war drive is done, then we can extract the data and plot it against Google Earth.
So firstly we need to install MySQL. I've done this by installing it through the Ubuntu repository. You'll want to check your distribution's documentation on how to install MySQL. I'm installing MySQL client version 5 and server version 5, although I don't think it makes much of a difference; for the purpose of this how-to guide I've gone for those packages. There's also a Python interface to MySQL that you also need; we're going to install it in this command as well. sudo aptitude install mysql-client-5.0 mysql-server-5.0 python-mysqldb, that was python-mysqldb. Once this has been done you'll need to connect to the MySQL server and configure a database for the wireless results to go into. During the installation of the MySQL server you should have been asked for a root password. If you did set one up, you'll need to pass the -p option in the following command; if you haven't, then just ignore that part. The command is mysql -u root -p < /usr/share/gpsdrive/create.sql, that's c-r-e-a-t-e.sql. Then you need to load GPSdrive up and tick the box on the left hand side that says "Use SQL". Now make sure that GPSdrive is using the GPS device that you've set up. You can do that by going in and clicking the preferences box, selecting the settings tab, and just confirming that GPSdrive is looking at the correct GPS device location. In my case that was /dev/rfcomm4, but it might be a /dev/ttyUSB device. You can close GPSdrive down. Now if you load it up again, what you'll notice at the bottom of the page is the latitude and the longitude of your position; that's just right above the status bar at the bottom of the screen. That's kind of all the hard work done. Now if you load GPSdrive up again, what you will notice is that on the map any access points that you detected in Kismet will show up on the GPSdrive map.
So that's your rig set up, and now what you need to do is basically go and get some data. So like I said before, hop into the car, have a drive about and go and find some access points. Once you get back and you're ready to do the next part, what we have to do is extract the data from the SQL database and then convert that data so that Google Earth can read it. So one of the things that will probably be a good idea to do now would be to install Google Earth. Now this is, to be honest, quite simple; just go to the website earth.google.com/download-earth.html or check to see if your package manager has it. Mine does, but that's because I had the Google Ubuntu/Debian repository set up already in there. But once you have installed Google Earth, then you can look at extracting the data from the MySQL database into a .kml format, which is the format that Google Earth supports. There is a script that I use to do this, and to be honest with you that would be my suggestion. Later on, if you wanted to get more data, you could look at that script and see how much data you're pulling out. But you would also probably have to look at constructing a little bit more of a complicated database for GPSdrive and Kismet yourself to download data into. But anyway, I mean, that's for you to have a look at later on if this interests you, and then you can go deeper into it. So the script that I'm going to use is a script that's called gpsdrive2googleearth.py. You can go and download a copy of it from www.thelinuxsociety.org.uk/content/copy-of-gpsdrive2googleearth.py. I'll read that address again: that's thelinuxsociety.org.uk/content/copy-of-gpsdrive2googleearth.py. What to do is just cut and paste that page's content and then copy that into a new file. Load the new file up by issuing the following command: sudo gedit gpsdrive2googleearth.py.
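To show what the conversion step actually involves, here is an added Python example that is not the script the episode links to: it takes access-point rows of the kind GPSdrive stores and writes them out as KML placemarks that Google Earth can open. ROWS is constructed sample data; the table and column names in the commented query and the WLAN / WLAN-WEP type labels are assumptions about GPSdrive's schema, not something the episode states, so check them against your own database before pointing the script at it.

```python
"""Turn access-point positions into a KML file for Google Earth.

Added example standing in for the conversion the episode's script does;
this is not that script. ROWS is constructed sample data, and the schema
hinted at in the comment (table "waypoints", columns name/lat/lon/type)
is an assumption about GPSdrive, as are the WLAN / WLAN-WEP type labels.
"""
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed rows: (name, latitude, longitude, type). With a real database
# you would fetch them with python-mysqldb, roughly:
#   cur.execute("SELECT name, lat, lon, type FROM waypoints")  # assumed schema
#   rows = cur.fetchall()
ROWS = [
    ("HomeNet", 55.9533, -3.1883, "WLAN-WEP"),
    ("CoffeeShop", 55.9520, -3.1900, "WLAN"),
    ("<no ssid>", 55.9540, -3.1870, "WLAN-WEP"),  # cloaked network placeholder
]


def is_open(ap_type):
    """Assumed convention: encrypted APs are tagged WLAN-WEP, open ones WLAN."""
    return ap_type.upper() == "WLAN"


def summarise(rows):
    """Count open and encrypted access points in the rows."""
    counts = {"open": 0, "encrypted": 0}
    for _name, _lat, _lon, ap_type in rows:
        counts["open" if is_open(ap_type) else "encrypted"] += 1
    return counts


def build_kml(rows):
    """Return a KML document (as a string) with one Placemark per row."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "Wireless networks found with Kismet"
    for name, lat, lon, ap_type in rows:
        pm = ET.SubElement(doc, "Placemark")
        # ElementTree escapes < > & in the text for us, which matters for
        # SSIDs like "<no ssid>" that would otherwise break the XML.
        ET.SubElement(pm, "name").text = name
        ET.SubElement(pm, "description").text = "open" if is_open(ap_type) else "encrypted"
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude, not lat,lon.
        ET.SubElement(point, "coordinates").text = "%.6f,%.6f,0" % (lon, lat)
    return ET.tostring(kml, encoding="unicode")


def placemarks(kml_text):
    """Parse KML text back into [(name, lon, lat)] so the output can be checked."""
    root = ET.fromstring(kml_text)
    found = []
    for pm in root.iter("{%s}Placemark" % KML_NS):
        name = pm.find("{%s}name" % KML_NS).text
        coords = pm.find("{%s}Point/{%s}coordinates" % (KML_NS, KML_NS)).text
        lon, lat, _alt = coords.split(",")
        found.append((name, float(lon), float(lat)))
    return found


def write_kml(rows, path):
    """Write the KML for `rows` to `path` (the episode's script produces ap.kml)."""
    with open(path, "w") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n')
        f.write(build_kml(rows))


if __name__ == "__main__":
    print(summarise(ROWS))
    write_kml(ROWS, "ap.kml")
```

Two details trip people up when they hand-roll this: KML wants longitude before latitude, and SSIDs are attacker- or neighbour-controlled strings, so they must be XML-escaped rather than pasted into the file, which is why the example builds the document with ElementTree instead of string concatenation.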
Copy the contents of that web page into that file, save it, and then what we need to do is make it executable. So sudo chmod +x gpsdrive2googleearth.py. Then the next thing to do is move it to where the database is stored. Now if you're unsure of where the database is stored, it's normally stored in /var/lib/mysql, certainly it is on Ubuntu and Debian. However, what you could do is run the updatedb command, which would be sudo updatedb, and then locate geoinfo, which is the name of the database. So what I did then was move the gpsdrive2googleearth.py file to where the database was stored by doing sudo mv gpsdrive2googleearth.py /var/lib/mysql. Once that file has been transferred, then we have to run the script. I did that by issuing sudo python gpsdrive2googleearth.py. Once that's been done you should see a file left called ap.kml; that's the file that we need for Google Earth to plot our results onto. So sudo mv ap.kml /home/user/Desktop. Replace the user obviously with your name, so in my case it was /home/aaron/Desktop. Once there we need to load up Google Earth, and then from there we can open the ap.kml file and see where you went on your war drive, and the results are plotted. Well guys, that brings us to the end of Finnex's Student Hackers Guide to Linux for this week. I'm going to close by saying a couple of things. Now I have said that this guide is for educational purposes only, and it's not meant for you to go around and map where you can get free internet access. I'm very serious when I say education is the biggest weapon I have in the war against insecurity, by showing people how easy it is for us to go and find this information out, and we're not even interacting with a wireless network, we're just listening to it.
We can show people that you need to think about wireless security; it is an important thing. You could have people stealing bandwidth from you. You could have a hacker sit outside a wireless network and hack someone else from your IP address. So like I say, just use the guide with responsibility. They're very interesting results, but remember not to break the law with it. I'd like to thank you guys for bearing with me. This is the first time that I've done anything like this. If I'm umming and ahhing a lot and I stumble a bit, please forgive me. I would just like to say: remember, you wouldn't leave the front door to your house wide open, so please don't leave the front door to your network wide open. This has been Aaron Finne, Finnex's Student Hackers Guide to Linux. HPR is sponsored by caro.net, so head on over to C-A-R-O dot N-E-T for all of us in the