Kismac

Kismac is first and foremost a passive scanner. Naturally, it includes support for GPS and the ability to put wireless cards into monitor mode. It also has the capability to store its data in a variety of formats. It can even export to the NetStumbler .ns1 format.

Kismac also includes a variety of other features that aren't strictly related to its role as a scanner. In particular, it has support for various attacks against networks. Though these features will be mentioned briefly in this section, they won't be covered in detail until Chapter 6. Kismac also has active drivers for the Airport/Airport Extreme cards. While these can be used in a pinch, you should really try to use a passive driver with Kismac to get the most functionality from it.

Will It Work With…?

Two of the most frequently asked questions about Kismac are "Will it work with my built-in Airport Extreme card?" and "Does it run on the new Intel-based Macs?" The short answers are yes and maybe.

The chipset used in all PowerPC-based Macs with Airport Extreme cards (802.11g) was from Broadcom. If you recall from Chapter 4, Broadcom chips are about the most useless cards when it comes to war driving. Despite this, the convenience factor for using the built-in card was too high, and many people yearned for a driver that supported monitor mode. Finally, Mick managed to reverse engineer a passive driver for the Broadcom-based Airport Extreme card, and everyone was very happy.

Not too long after this breakthrough, Apple announced that they were moving to Intel-based chips. Along with this move came a transition to Atheros chipsets in the new Intel-based Macs. While having an Atheros chipset built in is definitely a good thing, the porting of Kismac to Intel is significantly more difficult than the average OS X application due to Kismac's tight integration with custom drivers.

Development work is currently in progress on a native Intel version of Kismac. By the time you read this, it may already be 100 percent functional or still in transition. Also, keep in mind that the passive Airport Extreme driver was first included in the r74 release of Kismac. If you don't see it for some reason, make sure you have a recent version. The passive Airport Extreme driver is also somewhat experimental, though the worst thing it ever made me do was reboot to use my Airport card in normal mode.

Kismac's Main Window

Shown here is Kismac's main window. Most of the columns should be self-explanatory. Note the four buttons at the bottom of the window. These provide easy access to Kismac's four main windows: Networks, Traffic, Maps, and Details.

Before you can scan for networks, you will have to tell Kismac which driver you want to use. Naturally, this depends on what sort of card you have. You can set this under the Driver option in the main Kismac Preferences window. You can also set other parameters, such as channels to scan, hopping frequency, and whether or not to save packets to a file. As shown here, Kismac is configured to scan all legal U.S. channels (1–11) using an Atheros driver. Kismac will not save any packets since No Dumping has been selected.

Traffic Window

Kismac's Traffic window is shown next. It shows the amount of data currently moving across the network. It can be configured to display the number of packets, bytes, or signal strength of the nearby networks. In the window shown here, Kismac only has a few networks in range, all of which are fairly idle.

GPS Mapping and Kismac

Kismac has support for GPS. If you are using GPS on a Mac, the safest thing to do is to get a Keyspan serial-to-USB converter and a cheap GPS receiver with a serial port out. This way you are sure to have high quality drivers for your GPS device.

Kismac generates a list of all the available serial ports on your Mac. When you go into the GPS Configuration dialog, you should see the port listed in a drop-down box. If you have selected the correct device, then when you click the Maps window, you will probably see a window telling you your location.

Kismac has support for mapping built in. In order to avoid having to install costly mapping software, it supports importing maps from servers and files. By importing maps from files, you can get whatever sort of custom map you want. Importing maps from a file requires that you help Kismac scale it. The easiest way to get a map into Kismac is from a server.

To import a map from a server, go to File | Import | Map from Server. Some servers already come with scaling data, so you won't need to do anything else. These servers currently include Map24 and Expedia. If you choose another server, you will probably need to help Kismac scale the map, which can be error prone and distracting. Once you have imported a map, you should see a display similar to the following inside Kismac.

Unfortunately, Kismac's mapping code is a little buggy. Occasionally, if you try using one of the advanced built-in mapping features (such as generating a signal strength display), it will crash. Also, importing maps can be cumbersome. One possible solution is to export your data to an .ns1 file, load it into NetStumbler, export it from there into the NetStumbler summary format, and finally load it up into StumbVerter.

Another good way to view map data is inside Google Earth. There is a plug-in available at earth.kismac.de that allows you to render the results of your war drive inside Google's popular visualization tool.

Saving Data and Capturing Packets

There are two types of data you can save with Kismac: packet captures and scanning data. When you save data from your scan, you can load it into Kismac later, allowing for mapping and exporting data after the fact. It will also let you find the location of that interesting network you saw last week, but are having trouble remembering its location. Kismac can save data in its own native format, which ends in .kismac. It can also export data to other formats, the most useful probably being NetStumbler .ns1 files. By exporting to .ns1 files you can use all the third-party tools that work with NetStumbler on data gathered by Kismac.

The other sort of data Kismac lets you save is packets. This is one of the biggest advantages of using a passive scanner-you can save all the data that you gather and analyze it later. One possible use for these packet files includes scanning through them and looking for plaintext username and passwords (you'd be surprised how many unencrypted POP3 servers are still out there). Another use for these files is cracking the wireless network themselves. Most attacks against WEP and WPA require that you gather some (and quite possibly a lot) of packets from the target network. Details of these attacks are covered in Chapter 6.

To get Kismac to save packets for you, just select the desired radio box from the Driver Configuration screen. If you are unsure what you are interested in, it never hurts to save everything. Kismac saves packets in the standard open-source pcap file format. If you would like to examine one of these files, the best tool for the job is Wireshark. Wireshark can be installed fairly easily on OS X using fink.

Finally, Kismac has support for performing various attacks. Currently, these attacks include Tim Newsham's 21-bit attack, various modes of brute-forcing, and RC4 scheduling attacks (aka statistical attacks or weak IV attacks). While Kismac's drop-down menu of attacks is very convenient, you will generally be better off using a dedicated tool to perform these sorts of attacks.

Other features worth mentioning include the ability to inject packets and to decrypt WEP-encrypted pcap files. Currently, Kismac is the only tool capable of injecting packets on OS X. To inject packets with Kismac, you will need a prism2 card and a little luck. One common solution is to buy a D-link dwl-122 USB-based prism2 card for injection purposes. Injecting packets is covered in detail in Chapter 6.