Kismet Lab
Last updated
In this lab, we'll take a look at how we:
Start the Kismet process
Access the Kismet UI
Use Kismet to scan for wireless networks and clients
Before we can do anything with Kismet on the WLAN Pi, it is necessary to manually start the process.
Using the Web UI, hover over KISMET in the menu bar.
From the dropdown, you should be able to see whether Kismet is running or not.
Select "START".
Once the Kismet process is running, you should see a new option within the dropdown menu.
Select "Launch Kismet".
We need to log in to Kismet to access its UI. The Kismet service has its own separate credential store, so you will need to create a username and password the first time you browse to it. For ease of use, it's not a bad idea (for now) to set your Kismet credentials to be the same as your WLAN Pi credentials.
Once you've set the credentials, you'll be taken to the main Kismet UI and will see the following panel pop up, as this is your first login. You can hit "Continue" for now; we do not need to configure any specific settings for this lab.
It is also possible to start / stop the Kismet service via FPMS.
Now that we've got access to Kismet, we'll take a look at how we can use it to gather Wi-Fi network data.
By default, when you start Kismet from FPMS, it is already configured with wlan0 as a data source. It's probably already collecting data too.
If you are using a WLAN Pi with multiple wireless interfaces, you can specify an alternative or additional data sources by following the steps below:
Click on hamburger menu icon (top left)
Select Data Sources
Expand the desired wireless interface
Click on "Enable Source"
You should see a small scrolling bar chart history of packet activity detected by this source. This indicates that Kismet is scanning Wi-Fi channels and gathering data:
Close the pop-up window
By default, Kismet will cycle through all the Wi-Fi channels, gathering frames on each channel. From this data it builds a table of access points and wireless clients as it receives 802.11 frames from them.
Note that Kismet now supports the 6 GHz band with an appropriate wireless adapter. Watch out for 6 GHz APs and clients in the Kismet device data.
As it has many channels to hop between, each scan cycle takes several seconds to complete, and only a small snapshot of the activity on each channel is captured. Bear in mind that Kismet provides an overview of both APs and their clients; you can think of Kismet as a Wi-Fi scanner on steroids.
Let's take a look at the data available in the Kismet UI. Later, we'll look at how we can configure the scanning behavior to gather data focused on specific channels or frame types.
Have a look through the Kismet device list and see if you can complete each of the following tasks:
Can you find your Wi-Fi devices in the "Device List"?
What channel is your device connected on?
Click on your device to view more detail (Tip: look out for the Monitor button; click on it for detailed scanning on that device)
Filter to see only APs (hint: use Search box)
Filter to see only client devices
Check to verify if devices can be seen on all 3 Wi-Fi bands: 2.4 GHz, 5 GHz and 6 GHz
Click on any of the displayed rows to drill down into more detail about that device
Click on the "SSIDs" tab of the device list to see a summary of SSIDs detected. Click on any of the SSIDs to see more detail:
There is no easy way to clear the device list to start over. The quickest way is to go back to the Web UI or FPMS and restart Kismet.
By default, Kismet scans all Wi-Fi channels that are available, gathering frame data about all devices heard. As it's hopping across many channels, it only gathers a few frames (and hence little data) on each channel. To gather more data about a specific channel (or channels) in which you are interested, we can reduce the number of channels that Kismet scans.
Go back to the hamburger selector in the Kismet UI and select "Data Sources"
Expand the "wlan0" interface shown in the "Data Sources" list. You will now see all the channels being scanned by Kismet. Channels being scanned are orange colored. Click on channels to deselect them and limit the channels that Kismet will scan:
Select a subset of channels and close the Data Sources panel. In the devices panel, you should now only see activity on the selected channels.
Although changing scanning options via the Kismet UI is "easy", it is cumbersome when deselecting numerous channels, and repeating this workflow each time Kismet is restarted is inefficient.
The good news is that we can start Kismet from the command line and use parameters that pre-select a data source and channel selection.
Kismet can be launched as a "service" (via Web UI / FPMS), or it can be launched from the command line with additional parameters ("arguments").
STOP the Kismet service by navigating back to the WLAN Pi WebUI, hovering over KISMET and selecting STOP.
To initiate Kismet from the command line, head over to the Terminal in Cockpit, type kismet, then press enter:
This will launch Kismet in the "default" configuration state, identical to launching Kismet via Web UI or FPMS.
Kismet will produce many lines of logging output as it starts up. Do not stress about these log messages that scroll up the screen during the start-up process. Once they stop, Kismet is up and running.
To stop the Terminal session instance of Kismet you have initiated, use the keyboard combo "control + c":
Ctrl + C
Let's look at a few command line options to pre-configure Kismet and speed up our config:
Launch Kismet and configure wlan0 as the data source:
Launch Kismet and rename the data source:
Now is an opportune moment to re-visit the Kismet WebUI. If you kept the original tab open, you can refresh it! Or re-launch it via the WLAN Pi WebUI menu bar. Navigate to Data Sources and see if your data source appears with the specified name.
Launch Kismet, capturing on the 2.4 GHz band only:
Launch Kismet, capturing on the 5 GHz band only:
Launch Kismet on the 6 GHz band only:
This is not the complete 6 GHz band; feel free to complete the list with all the channels you would like to scan.
The "\" characters are required in the channel list above because the command is being submitted in a Linux shell.
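The following script is an added example, not part of the original lab or of the Kismet project: it builds the Kismet "-c" source definition (interface:option=value,option=value, with the documented "name=" and "channels=" options) for a chosen band, so that the data source, its name and its channel list are all pre-selected at launch instead of being clicked off one by one in the Data Sources panel. The channel lists are constructed here (which channels are legal varies by regulatory domain), the interface and source names are assumptions, and the 6 GHz list is deliberately left for the reader to fill in, as the lab itself does.

```shell
#!/bin/sh
# Added example (not the WLAN Pi lab's or Kismet's own code).
# Builds a "kismet -c ..." command line with a named data source restricted
# to one band, so Kismet starts scanning only the channels we care about.

# Constructed channel lists for each band (regulatory availability varies;
# trim to what your adapter and country allow). Unknown band -> return 1.
band_channels() {
    case "$1" in
        2.4) printf '%s' "1,2,3,4,5,6,7,8,9,10,11,12,13" ;;
        5)   printf '%s' "36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165" ;;
        *)   return 1 ;;
    esac
}

# Build the source definition Kismet expects: iface:name=...,channels="..."
# The quotes around the channel list keep its commas from being read as
# option separators by Kismet's source parser.
kismet_source_arg() {
    iface="$1"; name="$2"; band="$3"
    chans=$(band_channels "$band") || return 1
    printf '%s:name=%s,channels="%s"' "$iface" "$name" "$chans"
}

# Render a copy-pasteable command line. Because the definition is typed into
# a Linux shell, the inner quotes must be escaped as \" so the shell passes
# them through to Kismet; this is why the lab's examples contain "\".
kismet_cmdline() {
    arg=$(kismet_source_arg "$@") || return 1
    printf 'kismet -c %s' "$(printf '%s' "$arg" | sed 's/"/\\"/g')"
}

# Usage (assumed interface wlan0 and source name "lab24"):
#   kismet_cmdline wlan0 lab24 2.4
# Run the definition directly (quotes reach Kismet intact, no escaping needed):
#   kismet -c "$(kismet_source_arg wlan0 lab24 2.4)"
```

Passing the result of kismet_source_arg as a single quoted shell argument avoids the escaping problem entirely; the escaped form from kismet_cmdline is only needed when you type or paste the command by hand.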
Going wardriving? Consider installing GPSd with sudo apt install gpsd for offline time sync and geotagging in Kismet.
Congratulations, you have completed the Kismet lab!
Refer to the references below for more information. You may even consider creating your own custom configuration file to make things even easier! You may add filters of your own to further customize the frames captured by Kismet.