🧪 Kismet

In this lab, we'll take a look at how we:

  • Start the Kismet process

  • Access the Kismet UI

  • Use Kismet to scan for wireless networks and clients

Starting Kismet

  1. To start Kismet, open Terminal in Cockpit, type kismet and press Enter:

  2. Kismet will produce many lines of logging output as it starts up. Don't worry too much about the log messages that scroll up the screen during the start-up process. Once they stop, Kismet is running. Leave it running to complete the labs below.

  3. Kismet launches its own web server process to provide a web UI to view the data that it gathers. Open a new browser tab on your laptop/Mac and navigate to: http://wlanpi-xxx.local:2501 or, if you do not see the login page: http://<wlanpi-ip-address>:2501 (this may work better on Windows)

  4. We need to log in to Kismet to access its UI. As Kismet has its own credentials store, you will need to create a username and password the first time you browse to it. For ease of use, it's probably not a bad idea (for now) to set your Kismet credentials to be the same as your WLAN Pi credentials:

  5. Once you've set the credentials, you'll be taken to the main Kismet UI and will see the following panel pop-up as this is your first login. You can hit "Continue" for now. We do not need to configure any specific settings for this lab.

If you'd like to stop and restart the Kismet process, hit Ctrl-C in the Terminal window where Kismet was started. Type "kismet" again on the command line to restart Kismet.

Wi-Fi Sniffing

Now that we've got access to Kismet, we'll take a look at how we can use it to gather Wi-Fi network data. We need to tell Kismet which network adapter to use in the WLAN Pi to scan for 802.11 activity over the air.

Step 1 - Specify a data source

We need to tell Kismet that we need to enable wlan0 to start scanning nearby Wi-Fi networks and devices:

  1. Click on hamburger menu icon (top left)

  2. Select Data Sources

  3. Expand wlan0

  4. Enable this Source:

  5. You should see a small scrolling bar chart history of packet activity detected by this source. This indicates that Kismet is scanning Wi-Fi channels and gathering data:

  6. Close the pop-up window

Step 2 - Explore the Kismet Device List

Kismet is now switching the WLAN Pi wireless adapter between all Wi-Fi channels and gathering frames on each channel. From this data, it builds a table of access points and wireless clients as it receives 802.11 frames from them.

Note that Kismet now supports the 6 GHz band with an appropriate wireless adapter. Watch out for 6 GHz APs and clients in the Kismet device data.

As it has many channels to hop between, each scan cycle takes several seconds to complete and only a small snapshot of the activity on each channel is captured. However, as it provides an overview of both APs and their clients, you can think of Kismet as a Wi-Fi scanner on steroids.

Let's take a look at the data available in the Kismet UI. Later, we'll look at how we can modify scanning to gather data focused on specific channels or frame types to provide more selective network data.

Have a look through the Kismet device list and see if you can complete each of the following tasks:

  1. Can you find your Wi-Fi devices in the 'Device List'?

  2. What channel is your device connected on?

  3. Click on your Device to view more detail (Tip: look out for the Monitor button - click on it for detailed scanning on that device)

  4. Filter to see only APs (hint: use Search box)

  5. Filter to see only client devices

  6. Check to verify if devices can be seen on all 3 Wi-Fi bands: 2.4 GHz, 5 GHz and 6 GHz

  7. Click on any of the displayed rows to drill down into more detail about that device

  8. Click on the "SSIDs" tab of the device list to see a summary of SSIDs detected. Click on any of the SSIDs to see more detail:

There is no easy way to clear the device list to start over. The quickest way is to go to the terminal window and kill the Kismet process using Ctrl-C. Then, start Kismet again and select the data source via the hamburger widget.
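The filtering and band-coverage tasks above can also be done on an exported device list. The following is an added example for this lab, not Kismet's own code; its records are constructed to mirror the shape of Kismet's devices.json export, and the field names (kismet.device.base.*) and the kHz unit of the frequency field are assumptions about that export.

```python
"""Summarise a Kismet device list by device type and Wi-Fi band.

Added example for this lab, not part of Kismet. Field names and the kHz
frequency unit are assumptions about Kismet's devices.json export.
"""
from collections import Counter

# Constructed sample of what the Device List might hold; MAC addresses are made up.
SAMPLE_DEVICES = [
    {"kismet.device.base.macaddr": "02:00:00:00:00:01", "kismet.device.base.type": "Wi-Fi AP", "kismet.device.base.frequency": 2437000},
    {"kismet.device.base.macaddr": "02:00:00:00:00:02", "kismet.device.base.type": "Wi-Fi Client", "kismet.device.base.frequency": 2437000},
    {"kismet.device.base.macaddr": "02:00:00:00:00:03", "kismet.device.base.type": "Wi-Fi AP", "kismet.device.base.frequency": 5180000},
    {"kismet.device.base.macaddr": "02:00:00:00:00:04", "kismet.device.base.type": "Wi-Fi Client", "kismet.device.base.frequency": 5180000},
    {"kismet.device.base.macaddr": "02:00:00:00:00:05", "kismet.device.base.type": "Wi-Fi AP", "kismet.device.base.frequency": 5975000},
    {"kismet.device.base.macaddr": "02:00:00:00:00:06", "kismet.device.base.type": "Wi-Fi Device", "kismet.device.base.frequency": 2412000},
]

def band_of(freq_khz):
    """Map a centre frequency in kHz to the lab's three bands (or 'other')."""
    mhz = freq_khz / 1000
    if 2400 <= mhz < 2500:
        return "2.4 GHz"
    if 5150 <= mhz < 5925:
        return "5 GHz"
    if 5925 <= mhz <= 7125:
        return "6 GHz"
    return "other"

def filter_devices(devices, dev_type):
    """Same effect as the Device List search box: keep one device type only."""
    return [d for d in devices if d.get("kismet.device.base.type") == dev_type]

def band_summary(devices):
    """Count devices of each type per band, e.g. {'2.4 GHz': Counter({'Wi-Fi AP': 1, ...})}."""
    summary = {}
    for d in devices:
        band = band_of(d.get("kismet.device.base.frequency", 0))
        summary.setdefault(band, Counter())[d.get("kismet.device.base.type", "unknown")] += 1
    return summary

def missing_bands(devices, expected=("2.4 GHz", "5 GHz", "6 GHz")):
    """Lab task 6: which of the three bands have no devices in the list at all."""
    seen = {band_of(d.get("kismet.device.base.frequency", 0)) for d in devices}
    return [b for b in expected if b not in seen]
```

Feed it real data by loading the JSON you export from the Kismet UI into `SAMPLE_DEVICES`'s place; the three functions map directly onto tasks 4, 5 and 6 above.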

Step 3 - Selective Scanning: Channel Selections

By default, Kismet scans all Wi-Fi channels that are available, gathering frame data about all devices heard. As it's hopping across many channels, it gathers a very small amount of frames (and hence data) about each channel. To gather more data about a channel (or channels) in which you are interested, it's possible to limit the channels that Kismet scans. Let's give this a try:

  • Go back to the hamburger selector in the Kismet UI and select "Data Sources"

  • Expand the "wlan0" interface shown in the "Data Sources" list. You will now see all of the channels being scanned by Kismet. Channels being scanned are coloured orange. Click on channels to deselect them and limit the channels that Kismet will scan:

  • Select a subset of channels and close the Data Sources panel. In the devices panel, you should only now see activity on the selected channels.

Step 4 - Selective Scanning Via CLI Options

Although changing scanning options via the Kismet UI is easy, it can be quite cumbersome when de-selecting large numbers of channels. Also, having to repeat the same workflow to select a data source each time Kismet is started may become annoying.

The good news is that we can start Kismet with CLI parameters that pre-select a data source and channels. Also, we may not want to collect all frames heard over the air - we may just be interested in gathering beacons to get a summary of networks heard nearby.

Let's look at a few command line options to pre-configure the behaviour of kismet and speed up our workflows:

  1. Launch Kismet and start capturing using the wlan0 adapter: kismet -c wlan0

  2. Launch Kismet capturing on the 2.4 GHz band only: kismet -c wlan0:name="wlanpi",channels=\"1,6,11\"

  3. Launch Kismet capturing on the 5 GHz band only: kismet -c wlan0:name="wlanpi",channels=\"36,40,48,52,56,60,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165\"

  4. Launch Kismet on the 6 GHz band only: kismet -c wlan0:name="wlanpi",channels=\"5\-W6e,9\-W6e,13\-W6e,17\-W6e,21\-W6e,25\-W6e,29\-W6e,23\-W6e,37\-W6e\" Note: this is not the complete 6 GHz band - feel free to complete the list for all the channels you'd like to scan. Note: the "\" characters are required in the channel lists above because the command is being submitted in a Linux shell; without them the shell strips the quotes and Kismet never sees the quoted list.
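Getting the quoting right is the fiddly part of step 4, so here is an added example (not Kismet's own code) that builds the -c source definition for the lab's 2.4 GHz and 5 GHz channel lists and shows what the shell actually delivers; the 6 GHz list with its W6e suffix is left out, and the source syntax iface:name=<name>,channels="<list>" is Kismet's.

```python
"""Build Kismet -c source definitions without shell-quoting mistakes.

Added example for this lab, not Kismet's own code. The channel lists are the
lab's 2.4 GHz and 5 GHz lists; the syntax iface:name=<name>,channels="<list>"
is Kismet's source-definition format.
"""
import shlex

BAND_CHANNELS = {
    "2.4": ["1", "6", "11"],
    "5": ["36", "40", "48", "52", "56", "60", "100", "104", "108", "112", "116", "120",
          "124", "128", "132", "136", "140", "144", "149", "153", "157", "161", "165"],
}

def source_definition(iface, name, channels):
    """Return e.g. wlan0:name=wlanpi,channels="1,6,11". Kismet splits the
    definition on commas, so a multi-channel list must reach Kismet wrapped
    in double quotes; the quotes are part of the argument, not shell syntax."""
    if any("," in c or '"' in c for c in channels):
        raise ValueError("channel names may not contain commas or quotes")
    chan_list = ",".join(channels)
    return f'{iface}:name={name},channels="{chan_list}"'

def shell_command(iface, name, band):
    """A line safe to paste into bash: shlex.quote single-quotes the whole
    definition so the shell passes the inner double quotes through, the same
    effect as the backslash escapes in step 4 of the lab."""
    return "kismet -c " + shlex.quote(source_definition(iface, name, BAND_CHANNELS[band]))

def argv(iface, name, band):
    """argv for subprocess.run(): no shell is involved, so nothing needs escaping."""
    return ["kismet", "-c", source_definition(iface, name, BAND_CHANNELS[band])]

def shell_delivers(cmdline):
    """What a POSIX shell would hand to kismet for a typed command line:
    shlex.split applies the shell's quote and backslash rules."""
    return shlex.split(cmdline)
```

Run `shell_delivers('kismet -c wlan0:channels="1,6,11"')` to see the unescaped form collapse to `wlan0:channels=1,6,11`, which is why the backslashes (or the single quotes from `shell_command`) matter.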

Check out the references below for more information. You may even consider creating your own custom configuration file to make things even easier! You can also add your own filters to customise the frames captured by Kismet.

Congratulations, you've completed the Kismet lab!
