Today I started messing around with the Kismet protocol and quickly became excited as I discovered there are a ton of really cool field options in each protocol. These field options can be used to query live data being fed into Kismet. For example, if you want to see the BSSIDs of each AP being fed into Kismet and have it list the BSSID, the type of AP, channel, first time seen, manuf, signal_dbm and noise_dbm, you could do something like the following to pull this information out.
*KISMET: 0.0.0 1251257823 Kismet_2009 pcapdump,netxml,nettxt,gpsxml,alert 0
*PROTOCOLS: KISMET,ERROR,ACK,PROTOCOLS,CAPABILITY,TERMINATE,TIME,PACKET,STATUS,PLUGIN,SOURCE,ALERT,WEPKEY,STRING,GPS,BSSID,SSID,CLIENT,BSSIDSRC,CLISRC,NETTAG,CLITAG,REMOVE,CHANNEL,INFO,BATTERY
*TIME: 1251257883
!1234 enable bssid bssid,type,channel,firsttime,manuf,signal_dbm,noise_dbm
*TIME: 1251257884
*BSSID: 00:12:17:10:88:6C 0 6 1251257828 Unknown 0 0
*BSSID: 00:14:BF:F6:D1:6E 0 6 1251257824 Unknown 0 0
*BSSID: 00:18:01:E1:A6:B8 0 6 1251257824 Unknown 0 0
*BSSID: 00:22:5F:16:53:99 2 0 1251257830 Unknown 0 0
*BSSID: 00:22:68:F5:7B:AD 2 0 1251257870 Unknown 0 0
*BSSID: 00:23:DF:F1:0C:E7 2 0 1251258268 Unknown 0 0
*BSSID: 00:18:01:E1:16:24 0 1 1251257823 Unknown 0 0
*BSSID: 00:18:01:E7:B0:F6 0 11 1251257844 Unknown 0 0
*BSSID: 00:18:01:F1:E6:FD 0 1 1251257823 Unknown 0 0
*BSSID: 00:18:01:F6:95:E8 0 1 1251257823 Unknown 0 0
*BSSID: 00:18:01:E8:7F:D5 0 6 1251257824 Unknown 0 0
*BSSID: 00:18:01:F1:A0:A3 0 1 1251257824 Unknown 0 0
So it lists the BSSID, then the type detected, channel, time, manufacturer, then signal and noise. I believe the types are 0=Infrastructure AP, 1=Ad-Hoc, 2=Client Probe. The time is in POSIX time, which can be easily converted in multiple different ways. I am running this on my MacBook and Kismet is listing all the manufacturers as Unknown because I haven't told it where it can find Wireshark's OUI manuf list. I am also going to assume my signal and noise levels are 0 0 because the Mac wireless drivers suck.
Talking to the Kismet protocol directly lets you query the data in real time, so you can awk, grep, save or do whatever you want with it as it arrives.
I will post some more examples of pulling data out of Kismet soon, but in the meantime here are the capability options (the fields you can ask for) in each protocol that the Kismet server advertises.
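To show what that looks like in practice, here is a small Python client and parser for the exchange above. This is an added example and not code from the original post or from the Kismet project: it builds the same `!<id> enable bssid <fields>` request, splits the `*BSSID:` sentences the server sends back, decodes the type code using the interpretation given in the post, and converts `firsttime` from POSIX seconds. The sample input is copied from the session captured above so the parser runs offline; the server port 2501 is Kismet's default and is assumed here, and the handling of `\x01`-wrapped values (the way the server delimits fields that contain spaces, such as an SSID) is not exercised by the captured lines, since none of them contain such a field.

```python
import datetime
import socket

# Kismet's default server port (assumed here; it is set in kismet.conf).
KISMET_PORT = 2501

# Type codes as the post above reads them (0 = AP, 1 = Ad-Hoc, 2 = client probe).
BSSID_TYPES = {0: "Infrastructure AP", 1: "Ad-Hoc", 2: "Client Probe"}

# The fields requested in the post; the server emits them in exactly this order.
BSSID_FIELDS = ["bssid", "type", "channel", "firsttime",
                "manuf", "signal_dbm", "noise_dbm"]

# Sample input: lines copied from the captured session above, so the parser
# can be exercised without a running Kismet server.
SAMPLE = (
    "*KISMET: 0.0.0 1251257823 Kismet_2009 pcapdump,netxml,nettxt,gpsxml,alert 0\n"
    "*TIME: 1251257883\n"
    "*BSSID: 00:12:17:10:88:6C 0 6 1251257828 Unknown 0 0\n"
    "*BSSID: 00:22:5F:16:53:99 2 0 1251257830 Unknown 0 0\n"
    "*BSSID: 00:18:01:E7:B0:F6 0 11 1251257844 Unknown 0 0\n"
)


def enable_command(cmdid, protocol, fields):
    """Client request in the form used in the post: '!<id> enable <proto> <f1,f2,...>'."""
    return "!%d enable %s %s\n" % (cmdid, protocol, ",".join(fields))


def split_fields(payload):
    """Split a sentence payload on spaces. Values that themselves contain spaces
    (ssid, manuf, alert text) are wrapped in \\x01 bytes by the server, so a
    wrapped value is kept as one field even when it is empty."""
    fields, buf, quoted, started = [], [], False, False
    for ch in payload:
        if ch == "\x01":
            quoted, started = not quoted, True
        elif ch == " " and not quoted:
            if started:
                fields.append("".join(buf))
            buf, started = [], False
        else:
            buf.append(ch)
            started = True
    if started:
        fields.append("".join(buf))
    return fields


def parse_line(line):
    """Return (protocol, fields) for a '*PROTO: payload' line, None for anything else."""
    line = line.rstrip("\r\n")
    if not line.startswith("*") or ": " not in line:
        return None
    proto, payload = line[1:].split(": ", 1)
    return proto, split_fields(payload)


def parse_bssid(fields):
    """Turn the raw BSSID field list (in BSSID_FIELDS order) into a dict of typed values."""
    if len(fields) != len(BSSID_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(BSSID_FIELDS), len(fields)))
    rec = dict(zip(BSSID_FIELDS, fields))
    rec["type"] = int(rec["type"])
    rec["type_name"] = BSSID_TYPES.get(rec["type"], "unknown(%d)" % rec["type"])
    rec["channel"] = int(rec["channel"])
    # firsttime is POSIX seconds; keep it timezone-aware so later conversion is explicit.
    rec["firsttime"] = datetime.datetime.fromtimestamp(int(rec["firsttime"]),
                                                       datetime.timezone.utc)
    rec["signal_dbm"] = int(rec["signal_dbm"])
    rec["noise_dbm"] = int(rec["noise_dbm"])
    return rec


def parse_stream(text):
    """Parse server output and return the BSSID records, ignoring other sentences."""
    records = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "BSSID":
            records.append(parse_bssid(parsed[1]))
    return records


def live_query(host="localhost", port=KISMET_PORT, cmdid=1234, max_records=10):
    """Connect to a running kismet_server, enable the BSSID sentence with the
    fields above and return the first max_records networks reported."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(enable_command(cmdid, "bssid", BSSID_FIELDS).encode())
        records = []
        for raw in sock.makefile("r", encoding="utf-8", errors="replace"):
            parsed = parse_line(raw)
            if parsed and parsed[0] == "BSSID":
                records.append(parse_bssid(parsed[1]))
                if len(records) >= max_records:
                    break
        return records


if __name__ == "__main__":
    # Offline run over the captured sample; swap in live_query() against a real server.
    for r in parse_stream(SAMPLE):
        print("%s %-17s ch%-2d %s %s" % (r["bssid"], r["type_name"], r["channel"],
                                         r["firsttime"].isoformat(), r["manuf"]))
```

Running the script as-is prints the three sample networks with their decoded type and a UTC timestamp; `live_query()` does the same against a running `kismet_server`, and because it reads the socket line by line you can keep it open and stream records into whatever awk or grep pipeline you like.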
*CAPABILITY: ERROR cmdid,text
*CAPABILITY: ACK cmdid,text
*CAPABILITY: PROTOCOLS protocols
*CAPABILITY: CAPABILITY capabilities
*CAPABILITY: TERMINATE text
*CAPABILITY: TIME timesec
*CAPABILITY: PACKET type,subtype,timesec,encrypted,weak,beaconrate,sourcemac,destmac,bssid,ssid,prototype,sourceip,destip,sourceport,destport,nbtype,nbsource,sourcename
*CAPABILITY: STATUS text,flags
*CAPABILITY: PLUGIN filename,name,version,description,unloadable,root
*CAPABILITY: SOURCE interface,type,username,channel,uuid,packets,hop,velocity,dwell,hop_time_sec,hop_time_usec,channellist,error,warning
*CAPABILITY: ALERT sec,usec,header,bssid,source,dest,other,channel,text
*CAPABILITY: WEPKEY origin,bssid,key,encrypted,failed
*CAPABILITY: STRING bssid,source,dest,string
*CAPABILITY: GPS lat,lon,alt,spd,heading,fix,satinfo,hdop,vdop
*CAPABILITY: BSSID bssid,type,llcpackets,datapackets,cryptpackets,manuf,channel,firsttime,lasttime,atype,rangeip,netmaskip,gatewayip,gpsfixed,minlat,minlon,minalt,minspd,maxlat,maxlon,maxalt,maxspd,signal_dbm,noise_dbm,minsignal_dbm,minnoise_dbm,maxsignal_dbm,maxnoise_dbm,signal_rssi,noise_rssi,minsignal_rssi,minnoise_rssi,maxsignal_rssi,maxnoise_rssi,bestlat,bestlon,bestalt,agglat,agglon,aggalt,aggpoints,datasize,turbocellnid,turbocellmode,turbocellsat,carrierset,maxseenrate,encodingset,decrypted,dupeivpackets,bsstimestamp,cdpdevice,cdpport,fragments,retries,newpackets,freqmhz
*CAPABILITY: SSID mac,checksum,type,ssid,beaconinfo,cryptset,cloaked,firsttime,lasttime,maxrate,beaconrate,packets,beacons,dot11d
*CAPABILITY: CLIENT bssid,mac,type,firsttime,lasttime,manuf,llcpackets,datapackets,cryptpackets,gpsfixed,minlat,minlon,minalt,minspd,maxlat,maxlon,maxalt,maxspd,agglat,agglon,aggalt,aggpoints,signal_dbm,noise_dbm,minsignal_dbm,minnoise_dbm,maxsignal_dbm,maxnoise_dbm,signal_rssi,noise_rssi,minsignal_rssi,minnoise_rssi,maxsignal_rssi,maxnoise_rssi,bestlat,bestlon,bestalt,atype,ip,gatewayip,datasize,maxseenrate,encodingset,carrierset,decrypted,channel,fragments,retries,newpackets,freqmhz,cdpdevice,cdpport,dot11d,dhcphost,dhcpvendor
*CAPABILITY: BSSIDSRC bssid,uuid,lasttime,numpackets
*CAPABILITY: CLISRC bssid,mac,uuid,lasttime,numpackets
*CAPABILITY: NETTAG bssid,tag,value
*CAPABILITY: CLITAG bssid,mac,tag,value
*CAPABILITY: REMOVE bssid
*CAPABILITY: CHANNEL channel,time_on,packets,packetsdelta,usecused,bytes,bytesdelta,networks,maxsignal_dbm,maxsignal_rssi,maxnoise_dbm,maxnoise_rssi,activenetworks
*CAPABILITY: INFO networks,packets,crypt,noise,dropped,rate,filtered,clients,llcpackets,datapackets,numsources,numerrorsources
*CAPABILITY: BATTERY percentage,charging,ac,remaining