One of the complaints you will often hear about Macs is that "there's no program to do X on a Mac." Fortunately for wireless scanners, this is not the case. OS X is home to a very advanced passive scanner that has support for monitor mode on quite a few cards. There are also easy-to-use active stumblers, suitable if you are only mildly interested in the networks around you.
The passive scanner for Macs is named Kismac. Kismac has been in development for many years by Michael Rossberg (aka Mick). Despite the similarity in names, Kismac doesn't share any code with the popular UNIX scanner Kismet. Recently, maintenance of Kismac has shifted hands to Geoffrey Kruse and globo. They have been doing a very good job of keeping Kismac up to date.
Popularity: 6 | Simplicity: 6 | Impact: 5 | Risk Rating: 6
Kismac is first and foremost a passive scanner. Naturally, it includes support for GPS and the ability to put wireless cards into monitor mode. It also has the capability to store its data in a variety of formats. It can even export to the NetStumbler .ns1 format.
Kismac also includes a variety of other features that aren't strictly related to its role as a scanner. In particular, it has support for various attacks against networks. Though these features will be mentioned briefly in this section, they won't be covered in detail until Chapter 6. Kismac also has active drivers for the Airport/Airport Extreme cards. While these can be used in a pinch, you should really try to use a passive driver with Kismac to get the most functionality from it.
Shown here is Kismac's main window. Most of the columns should be self-explanatory. Note the four buttons at the bottom of the window. These provide easy access to Kismac's four main windows: Networks, Traffic, Maps, and Details.
Before you can scan for networks, you will have to tell Kismac which driver you want to use. Naturally, this depends on what sort of card you have. You can set this under the Driver option in the main Kismac Preferences window. You can also set other parameters, such as channels to scan, hopping frequency, and whether or not to save packets to a file. As shown here, Kismac is configured to scan all legal U.S. channels (1–11) using an Atheros driver. Kismac will not save any packets since No Dumping has been selected.
Kismac's Traffic window is shown next. It shows the amount of data currently moving across the network. It can be configured to display the number of packets, bytes, or signal strength of the nearby networks. In the window shown here, Kismac only has a few networks in range, all of which are fairly idle.
Kismac has support for GPS. If you are using GPS on a Mac, the safest thing to do is to get a Keyspan serial-to-USB converter and a cheap GPS receiver with a serial port out. This way you are sure to have high-quality drivers for your GPS device.
Kismac generates a list of all the available serial ports on your Mac. When you go into the GPS Configuration dialog, you should see the port listed in a drop-down box. If you have selected the correct device, then when you click the Maps window, you will probably see a window telling you your location.
Kismac has support for mapping built in. In order to avoid having to install costly mapping software, it supports importing maps from servers and files. By importing maps from files, you can get whatever sort of custom map you want. Importing maps from a file requires that you help Kismac scale it. The easiest way to get a map into Kismac is from a server.
To import a map from a server, go to File | Import | Map from Server. Some servers already come with scaling data, so you won't need to do anything else. These servers currently include Map24 and Expedia. If you choose another server, you will probably need to help Kismac scale the map, which can be error prone and distracting. Once you have imported a map, you should see a display similar to the following inside Kismac.
Unfortunately, Kismac's mapping code is a little buggy. Occasionally, if you try using one of the advanced built-in mapping features (such as generating a signal strength display), it will crash. Also, importing maps can be cumbersome. One possible solution is to export your data to an .ns1 file, load it into NetStumbler, export it from there into the NetStumbler summary format, and finally load it up into StumbVerter.
Another good way to view map data is inside Google Earth. There is a plug-in available at earth.kismac.de that allows you to render the results of your war drive inside Google's popular visualization tool.
There are two types of data you can save with Kismac: packet captures and scanning data. When you save data from your scan, you can load it into Kismac later, allowing for mapping and exporting data after the fact. It will also let you find the location of that interesting network you saw last week but can't quite remember where. Kismac can save data in its own native format, which ends in .kismac. It can also export data to other formats, the most useful probably being NetStumbler .ns1 files. By exporting to .ns1 files you can use all the third-party tools that work with NetStumbler on data gathered by Kismac.
The other sort of data Kismac lets you save is packets. This is one of the biggest advantages of using a passive scanner: you can save all the data that you gather and analyze it later. One possible use for these packet files is scanning through them and looking for plaintext usernames and passwords (you'd be surprised how many unencrypted POP3 servers are still out there). Another use for these files is cracking the wireless networks themselves. Most attacks against WEP and WPA require that you gather some (and quite possibly a lot) of packets from the target network. Details of these attacks are covered in Chapter 6.
To get Kismac to save packets for you, just select the desired radio button on the Driver Configuration screen. If you are unsure what you are interested in, it never hurts to save everything. Kismac saves packets in the standard open-source pcap file format. If you would like to examine one of these files, the best tool for the job is Wireshark. Wireshark can be installed fairly easily on OS X using Fink.
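Because Kismac writes standard pcap files, you can process a saved capture without Wireshark at all. The following is an added example (not Kismac's code or anything from the book) that walks a classic pcap file containing raw 802.11 frames (link type 105, no radiotap header), picks out beacon frames, and builds an access-point inventory: BSSID, SSID, channel, and whether the privacy bit is set. This is the kind of audit a defender runs over a wardrive capture to spot open networks and hidden ("closed") SSIDs. The sample pcap is constructed inline so the script runs offline; the BSSIDs and SSID in it are made up. The helper names (`iter_pcap_records`, `parse_beacon`, `inventory`) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

LINKTYPE_IEEE802_11 = 105   # pcap link type for raw 802.11 frames without a radiotap header
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic (non-pcapng) pcap magic, little-endian writer
CAP_PRIVACY = 0x0010        # capability-info bit: BSS requires WEP/WPA (the "privacy" flag)


@dataclass
class Beacon:
    bssid: str
    ssid: str               # "" for a hidden/closed network (zero-length SSID element)
    channel: Optional[int]  # from the DS Parameter Set element, if present
    privacy: bool


def iter_pcap_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (link_type, frame_bytes) for each record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic read from a big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    *_, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Return a Beacon for a management/beacon frame, or None for anything else."""
    if len(frame) < 36:                      # 24-byte MAC header + 12 bytes of fixed fields
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype != 8:           # type 0 = management, subtype 8 = beacon
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 is the BSSID in a beacon
    capability = struct.unpack("<H", frame[34:36])[0]   # after 8-byte timestamp + 2-byte interval
    ssid, channel = "", None
    off = 36
    while off + 2 <= len(frame):             # tagged parameters: id, length, value
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if tag == 0:                         # SSID element; hidden networks send it empty or NUL-filled
            ssid = body.decode("utf-8", "replace").rstrip("\x00")
        elif tag == 3 and length == 1:       # DS Parameter Set carries the channel number
            channel = body[0]
        off += 2 + length
    return Beacon(bssid, ssid, channel, bool(capability & CAP_PRIVACY))


def inventory(pcap: bytes) -> List[Beacon]:
    """One entry per BSSID seen beaconing in the capture, in first-seen order."""
    seen = {}
    for link_type, frame in iter_pcap_records(pcap):
        if link_type != LINKTYPE_IEEE802_11:
            continue
        b = parse_beacon(frame)
        if b is not None and b.bssid not in seen:
            seen[b.bssid] = b
    return list(seen.values())


# --- constructed sample capture (not a real wardrive) -------------------------
def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    cap = (CAP_PRIVACY if privacy else 0) | 0x0001              # ESS bit is always set by an AP
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)                    # timestamp, interval, capability
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return hdr + fixed + tags


def build_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_beacon(bytes.fromhex("00112233aabb"), b"CoffeeShop", 6, False),   # open network
    build_beacon(bytes.fromhex("00112233ccdd"), b"", 11, True),             # hidden SSID, encrypted
    build_beacon(bytes.fromhex("00112233aabb"), b"CoffeeShop", 6, False),   # repeat beacon, deduplicated
    b"\x08\x00" + b"\x00" * 40,                                             # a data frame, skipped
])

if __name__ == "__main__":
    for net in inventory(SAMPLE_PCAP):
        label = "OPEN" if not net.privacy else "encrypted"
        name = net.ssid or "<hidden>"
        print(f"{net.bssid}  ch {net.channel:<2}  {label:<9}  {name}")
```

Point the script at a real Kismac dump by replacing `SAMPLE_PCAP` with the file's bytes. If the capture includes the 4-byte FCS after each frame, the tag loop may read those trailing bytes as one bogus element; the length-bounded slicing keeps that harmless, but a production version would strip the FCS when the driver reports it.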
Finally, Kismac has support for performing various attacks. Currently, these attacks include Tim Newsham's 21-bit attack, various modes of brute-forcing, and RC4 scheduling attacks (aka statistical attacks or weak IV attacks). While Kismac's drop-down menu of attacks is very convenient, you will generally be better off using a dedicated tool to perform these sorts of attacks.
Other features worth mentioning include the ability to inject packets and to decrypt WEP-encrypted pcap files. Currently, Kismac is the only tool capable of injecting packets on OS X. To inject packets with Kismac, you will need a prism2 card and a little luck. One common solution is to buy a D-link dwl-122 USB-based prism2 card for injection purposes. Injecting packets is covered in detail in Chapter 6.
Popularity: 3 | Simplicity: 6 | Impact: 1 | Risk Rating: 3
MacStumbler is an easy-to-use active scanner on OS X. It has fewer features than NetStumbler (the other active scanner covered in this book) and only works with Apple's integrated Airport or Airport Extreme cards. MacStumbler hasn't been updated in a long time (since 2003) and the lack of maintenance is starting to show. For example, MacStumbler has support for GPS integration, but has a hard-coded list of serial ports where you can look for your device (see Figure 5-12). The latest KeySpan USB-to-serial converters create a device that MacStumbler does not know about, and there appears to be no way to tell MacStumbler to look elsewhere.
MacStumbler also won't report any closed networks (whereas NetStumbler might be able to depending on your drivers). In general, if you are serious about finding wireless networks using your Apple hardware, use Kismac or Kismet. If you are just curious or don't want to be bothered with using a tool that has to load special drivers, give MacStumbler a try.
Popularity: 3 | Simplicity: 6 | Impact: 1 | Risk Rating: 3
iStumbler is another active scanner that runs on OS X. iStumbler lacks GPS support and is pretty obviously not a serious wardriving tool. It's designed for people who are casually looking for nearby networks. It does have some interesting features, including Bluetooth and Bonjour support. iStumbler is more of a tool for finding nearby "things" than finding nearby wireless networks.
iStumbler does have some pretty innovative user interfaces, however. One optional component is a dashboard widget that will show you the names of nearby networks and the channels they are on.
Kismet can, in fact, be run on OS X. Most people who use Macs prefer Kismac for a few reasons, however. One obvious reason is that most Mac users are, unfortunately, averse to command-line or text-mode programs. The other is that currently (and this may change very shortly), Kismet has very limited driver support on OS X.
The only card on OS X that Kismet currently knows how to interface with is the old Airport (not Airport Extreme) card. Kismet does this via the open-source Viha driver that can put the Airport card into monitor mode.
The ability to put the Airport Extreme card into monitor mode is a recent occurrence. Though Kismet doesn't yet have support for this, it probably will sometime in the near future.