KISMET

ABSTRACT

In this paper we explore Kismet, the wireless and mobile penetration testing tool.

Kismet

Kismet is “a wireless network detector, sniffer, and intrusion detection system” (OpenManiak, 2010). It can be used for detecting wireless devices as well as wireless networks, and it is also frequently used in wardriving with the aid of a GPS receiver and sometimes a Raspberry Pi (Null Byte, 2017). As a GIS professional, I wanted to see if I could map the networks that I discover. In order to do that I first needed to get Kismet working and configure the GPS adapter to work with it.

Getting Kismet working

Kismet comes pre-installed in Kali Linux so there is technically no reason to install it. I wanted to ensure that I didn’t start with any mysterious configuration issues, so I ran apt-get update and then apt-get install kismet. When I first ran the kismet command via the terminal, I got a warning that Kismet is running as root. Most tutorials recommend ignoring this message and continuing, at least at the beginning, so I clicked OK and continued.

The Kismet server starts and connects to the network adapter. The next message we get is that “No packet sources have been defined.”

We want to enter the packet source, but first we need to find out what to type. Most tutorials recommend typing wlan0 and this works fine, but I wanted to step through the process of discovering which network adapter I should enter. To identify the adapter I typed iwconfig at the command prompt.

In the screenshot above we can see that wlan0 and wlan1 are available, but I want to see which is associated with my GPS receiver. To accomplish this, I typed lsusb, then dmesg | grep tty. It seems that the GPS receiver is at /dev/ttyUSB0, so I enabled it using the gpsd package, which I had already installed. To enable the GPS receiver I typed gpsd /dev/ttyUSB0.

Finally, to confirm that the GPS is enabled and configured to run with Kismet, I then ran cgps. We get the following output. (It actually took a couple of hours of configuring gpsd to get a successful output from the cgps command.)

With the GPS receiver enabled and configured, I restarted Kismet and entered wlan1, which is the GPS receiver.

(Note: We can skip this step if we set the source when we run Kismet at the command line:

kismet -c ttyUSB0,wlan1,gps)

Commands

I have already noted some of the commands I used to get Kismet and the wireless adapter running and configured, but we can also use commands to control Kismet once we get it started. After reading several tutorials, however, including the main Kismet tutorial, I concluded that although commands can be run, the commands are really just run-time modifications to the config file (OpenManiak, 2010). I found that it was better to take the time to properly configure Kismet by editing the kismet.config file as the post below suggests.

Figure 1: (chili555, 2009)

I accessed the kismet file like this:

Running Kismet

Once Kismet was running, I could begin to learn something about the wireless networks and devices around me.

If we highlight and select one of the discovered networks, we can get more information, such as the BSSID (Broadcast ID), and how the device is encrypted (below).

Log Files

The log files are a great way to view the data that we’ve collected and then analyze it.

If we change directories to /var/log/kismet and type cat <file.gpsxml>, we can read the content of the Kismet logs. Since I was using the GPS receiver, I got the BSSID as well as the GPS information in the output. An SSID is the name of a network, and the BSSID, or Broadcast SSID, is the AP MAC address (Juniper Networks, 2015). Kismet records the BSSID (Lipsvitch, 2017). With the BSSID there are ways that we can get the IP address and go deeper with our penetration test.

I also uploaded the .gpsxml file to Wigle.net, which created a .kml file that I could download and open in Google Earth.

In Google Earth, discovered networks showed up but somehow I did not have the BSSID, even though the log file contained the BSSID (above). Perhaps this is because Google Earth was looking for the SSID and Kismet recorded the BSSID. I have a suspicion that if I changed the name of the field to SSID, it might display in Google Earth. I’ll have to try that approach in the future.
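Added example (not part of the original paper): a Python script that reads a .gpsxml survey log and writes KML with the BSSID as each placemark's name, so the identifier is visible in Google Earth. It assumes the legacy Kismet gpsxml layout (gps-point elements with bssid, lat, lon, fix and signal_dbm attributes) and runs on a constructed sample; the function names are illustrative, and placing each network at its strongest-signal sample is a simple heuristic.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample. Assumed layout: legacy Kismet .gpsxml <gps-point> elements.
SAMPLE_GPSXML = """<gps-run gps-version="5">
  <gps-point bssid="GP:SD:TR:AC:KL:OG" lat="40.0000" lon="-75.0000" fix="3" signal_dbm="0"/>
  <gps-point bssid="00:11:22:33:44:55" lat="40.0001" lon="-75.0001" fix="3" signal_dbm="-80"/>
  <gps-point bssid="00:11:22:33:44:55" lat="40.0005" lon="-75.0004" fix="3" signal_dbm="-52"/>
  <gps-point bssid="66:77:88:99:AA:BB" lat="40.0010" lon="-75.0010" fix="0" signal_dbm="-40"/>
  <gps-point bssid="66:77:88:99:AA:BB" lat="40.0012" lon="-75.0011" fix="2" signal_dbm="-67"/>
</gps-run>"""

TRACK_BSSID = "GP:SD:TR:AC:KL:OG"  # pseudo-entry for the GPS track, not a network


def strongest_fix_per_bssid(xml_text):
    """Return {bssid: (lat, lon, signal_dbm)} from each BSSID's strongest sample."""
    best = {}
    for pt in ET.fromstring(xml_text).iter("gps-point"):
        bssid = pt.get("bssid", "")
        try:
            fix = int(pt.get("fix", "0"))
            lat, lon = float(pt.get("lat")), float(pt.get("lon"))
            sig = int(pt.get("signal_dbm", "-999"))
        except (TypeError, ValueError):
            continue  # malformed point: skip it rather than map a bad coordinate
        if bssid == TRACK_BSSID or fix < 2:
            continue  # drop the track log and samples recorded without a GPS fix
        if bssid not in best or sig > best[bssid][2]:
            best[bssid] = (lat, lon, sig)
    return best


def to_kml(points):
    """Build a KML document whose placemark names are the BSSIDs."""
    marks = "".join(
        "<Placemark><name>%s</name><description>%d dBm</description>"
        "<Point><coordinates>%f,%f</coordinates></Point></Placemark>"
        % (escape(bssid), sig, lon, lat)  # KML order is longitude,latitude
        for bssid, (lat, lon, sig) in sorted(points.items())
    )
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2">'
            "<Document>%s</Document></kml>" % marks)


if __name__ == "__main__":
    print(to_kml(strongest_fix_per_bssid(SAMPLE_GPSXML)))
```

For a real log, pass the file's contents to strongest_fix_per_bssid and save the returned KML string to a .kml file.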

What I learned

I was able to identify many wireless networks and devices around me and this was an empowering experience. I was pleased that I was able to get GPS data for the networks and devices I discovered, but was somewhat disappointed that I could not yet visualize it in Google Earth. I look forward to learning more about Kismet and network discovery.

Works Cited

chili555. (2009, February 12). Configuring Kismet. Retrieved from Ubuntu Forums: https://ubuntuforums.org/archive/index.php/t-1067390.html

Juniper Networks. (2015, February 12). Understanding the Network Terms SSID, BSSID, and ESSID. Retrieved from Juniper Networks: https://www.juniper.net/documentation/en_US/junos-space-apps/network-director2.0/topics/concept/wireless-ssid-bssid-essid.html

Lipsvitch, D. (2017, June 3). Knowing Only a BSSID, Can an Address Be Found for It? Retrieved from Null Byte: https://null-byte.wonderhowto.com/forum/knowing-only-bssid-can-address-be-found-for-it-0177884/

Null Byte. (2017, June 21). Wardrive with the Kali Raspberry Pi to Map Wi-Fi Devices. Retrieved from Null Byte: https://null-byte.wonderhowto.com/how-to/wardrive-with-kali-raspberry-pi-map-wi-fi-devices-0176558/

OpenManiak. (2010, December 7). Kismet. Retrieved from openmaniak.com: https://openmaniak.com/kismet_platform.php
