Module 15: Kismet Essentials
Installation
Installing Kismet:
kali@kali:~$ sudo apt install kismet
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
kismet-capture-common kismet-capture-linux-bluetooth kismet-capture-linux-wifi kismet-capture-nrf-51822 kismet-capture-nrf-mousejack
kismet-capture-nxp-kw41z kismet-capture-ti-cc-2531 kismet-capture-ti-cc-2540 kismet-core kismet-logtools libmicrohttpd12 libprotobuf22
python3-kismetcapturefreaklabszigbee python3-kismetcapturertl433 python3-kismetcapturertladsb python3-kismetcapturertlamr python3-protobuf
Suggested packages:
gpsd kismet-doc kismet-plugins festival
The following NEW packages will be installed:
kismet kismet-capture-common kismet-capture-linux-bluetooth kismet-capture-linux-wifi kismet-capture-nrf-51822 kismet-capture-nrf-mousejack
kismet-capture-nxp-kw41z kismet-capture-ti-cc-2531 kismet-capture-ti-cc-2540 kismet-core kismet-logtools libmicrohttpd12 libprotobuf22
python3-kismetcapturefreaklabszigbee python3-kismetcapturertl433 python3-kismetcapturertladsb python3-kismetcapturertlamr python3-protobuf
0 upgraded, 18 newly installed, 0 to remove and 112 not upgraded.
Need to get 0 B/6,237 kB of archives.
After this operation, 29.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Preconfiguring packages ...
...
Setting up kismet (2020.04.R3-0kali1) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2020.3.2) ...
Processing triggers for libc-bin (2.30-8) ...
Configuration Files
Config files can be found in /etc/kismet/.
kali@kali:~$ ls -al /etc/kismet/
drwxr-xr-x 2 root root 4096 Sep 17 13:34 .
drwxr-xr-x 164 root root 12288 Sep 17 13:23 ..
-rw-r--r-- 1 root root 4033 Sep 14 07:53 kismet_80211.conf
-rw-r--r-- 1 root root 3723 Sep 14 07:53 kismet_alerts.conf
-rw-r--r-- 1 root root 7768 Sep 14 07:53 kismet.conf
-rw-r--r-- 1 root root 3486 Sep 14 07:53 kismet_filter.conf
-rw-r--r-- 1 root root 2717 May 15 03:21 kismet_httpd.conf
-rw-r--r-- 1 root root 5106 May 15 03:21 kismet_logging.conf
-rw-r--r-- 1 root root 4977 Sep 14 07:53 kismet_memory.conf
-rw-r--r-- 1 root root 4737 May 15 03:21 kismet_uav.conf
Output Files
Kismet can write log files in three formats: kismet, PcapPpi, and PcapNg. The kismet format is the default and stores all the gathered data in a SQLite database. PcapPpi is a legacy Pcap format, while PcapNg is the modern one.
We can override settings in multiple files by creating a kismet_site.conf file in /etc/kismet/.
Converting PcapNg to Pcap:
kali@kali:~$ tshark -F pcap -r "${pcapng_file}" -w "${pcap_file}"
Creating an override to store data in a new directory and create log files in kismet and PcapNg formats:
log_prefix=/var/log/kismet/
log_types=kismet,pcapng
Data Sources
Data sources include Wi-Fi, Bluetooth, Software Defined Radio (SDR), and nRF signals.
Starting Kismet
Running Kismet with the ncurses interface disabled:
kali@kali:/etc/kismet$ cd ~
kali@kali:~$ sudo kismet -c wlan0 --no-ncurses
INFO: Including sub-config file: /etc/kismet/kismet_httpd.conf
INFO: Including sub-config file: /etc/kismet/kismet_memory.conf
INFO: Including sub-config file: /etc/kismet/kismet_alerts.conf
INFO: Including sub-config file: /etc/kismet/kismet_80211.conf
INFO: Including sub-config file: /etc/kismet/kismet_logging.conf
INFO: Including sub-config file: /etc/kismet/kismet_filter.conf
INFO: Including sub-config file: /etc/kismet/kismet_uav.conf
INFO: More than one override file included; Kismet will process them in the order they were defined.
INFO: Loading config override file '/etc/kismet/kismet_package.conf'
INFO: Optional sub-config file not present: /etc/kismet/kismet_package.conf
INFO: Loading config override file '/etc/kismet/kismet_site.conf'
INFO: Loading optional sub-config file: /etc/kismet/kismet_site.conf
...
KISMET - Point your browser to http://localhost:2501 (or the address of this system) for the Kismet UI
INFO: Starting Kismet web server...
INFO: Started http server on 0.0.0.0:2501
...
INFO: Found type 'linuxwifi' for 'wlan0'
INFO: wlan0 telling NetworkManager not to control interface 'wlan0': you may need to re-initialize this interface later or tell NetworkManager to control it again via 'nmcli'
INFO: wlan0 bringing down parent interface 'wlan0'
INFO: Data source 'wlan0' launched successfully
INFO: Detected new 802.11 Wi-Fi access point 5B:5C:79:0B:A8:F2
INFO: 802.11 Wi-Fi device 5B:5C:79:0B:A8:F2 advertising SSID 'Galain'
INFO: Detected new 802.11 Wi-Fi access point D5:89:1D:35:20:62
INFO: 802.11 Wi-Fi device D5:89:1D:35:20:62 advertising SSID 'Liosan'
INFO: Detected new 802.11 Wi-Fi device AC:D5:64:3B:A7:BB
INFO: Detected new 802.11 Wi-Fi access point 67:CB:81:07:A7:57
INFO: 802.11 Wi-Fi device 67:CB:81:07:A7:57 advertising SSID 'Emurlahn'
^C
*** KISMET IS SHUTTING DOWN ***
Shutting down plugins...
...
Kismet exiting.
kali@kali:~$
Listing the Kismet log directory:
kali@kali:~$ ls -al /var/log/kismet/
total 76
drwxr-xr-x 2 root root 4096 Sep 17 12:26 .
drwxr-xr-x 19 root root 4096 Sep 17 11:49 ..
-rw-r--r-- 1 root root 61440 Sep 17 11:38 Kismet-20200917-15-38-41-1.kismet
-rw-r--r-- 1 root root 744 Sep 17 11:38 Kismet-20200917-15-38-41-1.pcapng
Running Kismet on channels 4, 5, and 6:
kali@kali:~$ sudo kismet -c wlan0:channels="4,5,6"
...
INFO: Data sources passed on the command line (via -c source), ignoring
source= definitions in the Kismet config file.
INFO: Probing interface 'wlan0' to find datasource type
...
INFO: Found type 'linuxwifi' for 'wlan0:channels="4,5,6"'
...
INFO: Data source 'wlan0:channels="4,5,6"' launched successfully
INFO: Detected new 802.11 Wi-Fi device AC:D5:64:3B:A7:BB
^C
*** KISMET IS SHUTTING DOWN ***
Shutting down plugins...
...
Kismet exiting.
Starting Kismet as a daemon:
kali@kali:~$ sudo kismet --daemonize
Silencing output and entering daemon mode...
INFO: Including sub-config file: /etc/kismet/kismet_httpd.conf
INFO: Including sub-config file: /etc/kismet/kismet_memory.conf
INFO: Including sub-config file: /etc/kismet/kismet_alerts.conf
INFO: Including sub-config file: /etc/kismet/kismet_80211.conf
INFO: Including sub-config file: /etc/kismet/kismet_logging.conf
INFO: Including sub-config file: /etc/kismet/kismet_filter.conf
INFO: Including sub-config file: /etc/kismet/kismet_uav.conf
INFO: More than one override file included; Kismet will process them in the order they were defined.
INFO: Loading config override file '/etc/kismet/kismet_package.conf'
INFO: Optional sub-config file not present: /etc/kismet/kismet_package.conf
INFO: Loading config override file '/etc/kismet/kismet_site.conf'
INFO: Loading optional sub-config file: /etc/kismet/kismet_site.conf
INFO: Setting server UUID 00000000-0000-0000-0000-4B49534D4554
INFO: Serving static content from '/usr/share/kismet/httpd/'
INFO: Serving static userdir content from '/root/.kismet/httpd/'
INFO: Loading saved HTTP sessions
INFO: Opened OUI file '/usr/share/kismet/kismet_manuf.txt
INFO: Indexing manufacturer db
Web Interface
The web interface is available on localhost:2501 by default.
The OUI database can be found at /usr/share/kismet/kismet_manuf.txt.
Securing the Web Interface
Restricting access by changing the web server from listening on all interfaces to only the loopback address:
log_prefix=/var/log/kismet/
log_types=kismet,pcapng
httpd_bind_address=127.0.0.1
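An added example (not from the original notes or the Kismet project): a check that reads Kismet startup output in the forms shown on this page, flags listeners bound beyond loopback and the root-user alert, and confirms that an override file pins httpd_bind_address to a loopback address. The function names and the sample text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: startup lines in the forms shown on this page.
SAMPLE_LOG = """\
INFO: Launching remote capture server on 127.0.0.1:3501
ALERT: rootuser Kismet is running as root; this is less secure. If you
INFO: Started http server on 0.0.0.0:2501
INFO: Started http server on port 2501
"""
# Constructed sample: the kismet_site.conf override from this page.
SAMPLE_SITE_CONF = """\
log_prefix=/var/log/kismet/
log_types=kismet,pcapng
httpd_bind_address=127.0.0.1
"""
LISTENER = re.compile(
    r"(Started http server|Launching remote capture server) on "
    r"(?:port (?P<port_only>\d+)|(?P<addr>[0-9A-Fa-f.:]+):(?P<port>\d+))$")

def is_loopback(addr):
    """True only for a literal loopback IP; names and bad input count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_startup(log_text):
    """Return findings for listeners and privilege alerts in startup output."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = LISTENER.search(line)
        if m and m.group("addr") is None:
            findings.append(f"port {m.group('port_only')}: bind address not logged")
        elif m and not is_loopback(m.group("addr")):
            findings.append(f"{m.group('addr')}:{m.group('port')} listens beyond loopback")
        elif line.startswith("ALERT: rootuser"):
            findings.append("Kismet is running as root")
    return findings

def web_ui_restricted(conf_text):
    """True if the override sets httpd_bind_address and every value is loopback."""
    values = [line.partition("=")[2].strip() for line in conf_text.splitlines()
              if line.partition("=")[0].strip() == "httpd_bind_address"]
    return bool(values) and all(is_loopback(v) for v in values)
```

When the log line carries only a port, the bind address has to be confirmed on the host itself, since the output alone does not show it.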
Remote Capture
To enable remote capture, we need to set up an SSH tunnel to the server or configure the remote instance of Kismet to listen on a specific network interface. Starting a Kismet server without a data source on Kali:
kali@kali:~$ sudo kismet
...
INFO: Launching remote capture server on 127.0.0.1:3501
INFO: No data sources defined; Kismet will not capture anything until a
source is added.
INFO: Opened kismetdb log file '/var/log//Kismet-20200917-15-18-55-1.kismet'
INFO: Saving packets to the Kismet database log.
INFO: Opened pcapng log file '/var/log/kismet//Kismet-20200917-15-18-55-1.pcapng'
ALERT: rootuser Kismet is running as root; this is less secure. If you
are running Kismet at boot via systemd, make sure to use `systemctl
edit kismet.service` to change the user. For more information, see
the Kismet README for setting up Kismet with minimal privileges.
INFO: Starting Kismet web server...
INFO: Started http server on port 2501
Establishing an SSH tunnel with port 8000 forwarded:
kali@kaliremote:~$ ssh kali@192.168.62.192 -L 8000:localhost:3501
kali@192.168.62.192's password:
Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-6kali1 (2019-07-22) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep 16 10:21:11 2020 from 192.168.62.219
kali@kali:~$
Starting a remote capture:
kali@kaliremote:~$ sudo kismet_cap_linux_wifi --connect 127.0.0.1:8000 --source=wlan0
INFO - Connected to '127.0.0.1:8000'...
INFO - 127.0.0.1:8000 starting capture...
Log Files
Command line switches related to logging:
-T, --log-types <types> Override activated log types
-p, --log-prefix <prefix> Directory to store log files
-n, --no-logging Disable logging entirely
Using sqlite3 to interact with the database:
kali@kali:~$ sudo sqlite3 /var/log/kismet/Kismet-20200917-18-45-34-1.kismet
SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
sqlite> .tables
KISMET data devices packets
alerts datasources messages snapshots
Let's quickly review each table.
The KISMET table contains the database version and which version of Kismet created the log file.
The alerts table contains any alerts or WIDS issues.
The data table contains records that are not packet related, such as SDR data.
The datasources table contains information about the data sources used to capture data.
The devices table contains information about the devices Kismet was able to identify.
The messages table contains informational messages, such as those displayed in the console or web application.
The packets table contains the raw packets captured by Kismet. The table can contain multiple DLTs.
The snapshots table contains time-based information.
Schema for the devices table:
sqlite> .schema devices
CREATE TABLE devices (first_time INT, last_time INT, devkey TEXT, phyname TEXT, devmac TEXT, strongest_signal INT, min_lat REAL, min_lon REAL, max_lat REAL, max_lon REAL, avg_lat REAL, avg_lon REAL, bytes_data INT, type TEXT, device BLOB, UNIQUE(phyname, devmac) ON CONFLICT REPLACE);
Let's review the columns.
The first_time and last_time columns contain the first and last time Kismet saw a device, respectively.
The devkey column contains a unique identifier for each device.
The phyname column contains the physical layer for the device.
The devmac column contains a device's MAC address.
The strongest_signal column contains the strongest recorded signal for the device.
The min_lat, max_lat, and avg_lat columns contain the minimum, maximum, and average latitude values for the device.
The min_lon, max_lon, and avg_lon columns contain the minimum, maximum, and average longitude values.
The bytes_data column contains the number of bytes of data seen for the device.
The type column contains a human-readable value for the physical layer device type.
Finally, the device column contains a JSON version of the device record, which can be quite lengthy.
Getting MAC addresses from the devices table:
sqlite> .headers on
sqlite> select type, devmac from devices;
type|devmac
Wi-Fi AP|67:CB:81:07:A7:57
Wi-Fi Device|E0:46:9A:29:49:F9
Wi-Fi Client|64:B0:A6:D9:73:52
Wi-Fi Device|AC:D5:64:3B:A7:BB
Wi-Fi AP|5B:5C:79:0B:A8:F2
Wi-Fi AP|D5:89:1D:35:20:62
Wi-Fi Client|00:0F:13:F6:A7:A6
sqlite one-liner:
kali@kali:~$ sudo sqlite3 /var/log/kismet/Kismet-20200917-18-45-34-1.kismet "select type, devmac from devices;"
Wi-Fi AP|67:CB:81:07:A7:57
Wi-Fi Device|E0:46:9A:29:49:F9
Wi-Fi Client|64:B0:A6:D9:73:52
Wi-Fi Device|AC:D5:64:3B:A7:BB
Wi-Fi AP|5B:5C:79:0B:A8:F2
Wi-Fi AP|D5:89:1D:35:20:62
Wi-Fi Client|00:0F:13:F6:A7:A6
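An added example (not from the original notes or the Kismet project): the devices table queried from Python to build a per-type summary and to list access points that are not on a site allowlist, with first_time and last_time converted to UTC. It uses the schema printed above on an in-memory database; the rows, the 'IEEE802.11' phyname value, the function names and the allowlist are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Schema as printed by ".schema devices" on this page.
SCHEMA = """CREATE TABLE devices (first_time INT, last_time INT, devkey TEXT,
  phyname TEXT, devmac TEXT, strongest_signal INT, min_lat REAL, min_lon REAL,
  max_lat REAL, max_lon REAL, avg_lat REAL, avg_lon REAL, bytes_data INT,
  type TEXT, device BLOB, UNIQUE(phyname, devmac) ON CONFLICT REPLACE)"""

# Constructed rows: MACs and types are from this page; times, signal levels
# and byte counts are invented for the example.
ROWS = [
    (1600368334, 1600368900, "67:CB:81:07:A7:57", -48, 5120, "Wi-Fi AP"),
    (1600368340, 1600368350, "E0:46:9A:29:49:F9", -77, 0, "Wi-Fi Device"),
    (1600368341, 1600368890, "5B:5C:79:0B:A8:F2", -61, 2048, "Wi-Fi AP"),
    (1600368350, 1600368880, "D5:89:1D:35:20:62", -83, 300, "Wi-Fi AP"),
    (1600368360, 1600368700, "64:B0:A6:D9:73:52", -55, 900, "Wi-Fi Client"),
]

def build_sample_db():
    """In-memory stand-in for a .kismet log. For a real file, open read-only:
    sqlite3.connect("file:/path/to/log.kismet?mode=ro", uri=True)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO devices (first_time, last_time, devmac, strongest_signal,"
        " bytes_data, type, phyname) VALUES (?, ?, ?, ?, ?, ?, 'IEEE802.11')", ROWS)
    return conn

def utc(ts):
    """first_time and last_time are Unix epoch seconds."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

def unknown_aps(conn, known_macs):
    """Access points in the log whose MAC is not on the site's allowlist."""
    known = {m.upper() for m in known_macs}
    rows = conn.execute(
        "SELECT devmac, first_time, last_time, strongest_signal FROM devices"
        " WHERE type = 'Wi-Fi AP' ORDER BY strongest_signal DESC")
    return [{"mac": mac, "first_seen": utc(first), "last_seen": utc(last),
             "signal": sig}
            for mac, first, last, sig in rows if mac.upper() not in known]

def counts_by_type(conn):
    """Device counts per type, a summary form of the query on this page."""
    return dict(conn.execute("SELECT type, COUNT(*) FROM devices GROUP BY type"))
```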
Reading Log Files
Processing a PcapNg file with Kismet:
kali@kali:~$ sudo kismet -c Documents/Network_Join_Nokia_Mobile.pcap:realtime=true
...
INFO: Pcapfile 'Documents/Network_Join_Nokia_Mobile.pcap' will replay in
realtime
INFO: Data source 'Documents/Network_Join_Nokia_Mobile.pcap:realtime=true'
launched successfully
INFO: Detected new 802.11 Wi-Fi access point 00:01:E3:41:BD:6E
INFO: 802.11 Wi-Fi device 00:01:E3:41:BD:6E advertising SSID 'martinet3'
INFO: Detected new 802.11 Wi-Fi device 00:01:E3:42:9E:2B
INFO: Detected new 802.11 Wi-Fi device 00:15:00:34:18:52
INFO: Detected new 802.11 Wi-Fi device 00:16:BC:3D:AA:57
ALERT: noclientmfp IEEE80211 network BSSID 00:01:E3:41:BD:6E client
00:16:BC:3D:AA:57 does not support management frame protection
(MFP) which may ease client disassocation or deauthentication
^C
*** KISMET IS SHUTTING DOWN ***
Shutting down plugins...
...
Exporting Data
Pcap
Checking datasources in a kismet file:
kali@kali:~$ kismetdb_to_pcap --in Kismet-20200917-18-45-34-1.kismet --list-datasources
Datasource #0 (5FE308BD-0000-0000-0000-26C65C9CEA7A wlan0 wlan0) 104 packets
DLT 127: IEEE802_11_RADIO 802.11 plus radiotap header
Converting a kismet file to a PcapNg file:
kali@kali:~$ kismetdb_to_pcap --in Kismet-20200917-18-45-34-1.kismet --out sample.pcapng --verbose
* Preparing input database 'Kismet-20200917-18-45-34-1.kismet'...
* Found KismetDB version 6
* Collecting info about datasources...
* Opening pcapng file sample.pcapng
kali@kali:~$
JSON
Using kismetdb_dump_devices to create a .json file:
kali@kali:~$ kismetdb_dump_devices --in /var/log/kismet/Kismet-20200917-17-45-17-1.kismet --out sample.json --skip-clean --verbose
* Preparing input database '/var/log/kismet/Kismet-20200917-17-45-17-1.kismet'...
* Found KismetDB version 6 6 devices
* 17% Processed 1 devices of 6
* 34% Processed 2 devices of 6
* 51% Processed 3 devices of 6
* 67% Processed 4 devices of 6
* 84% Processed 5 devices of 6
* 101% Processed 6 devices of 6
* Processed 6 devices
* Done!