Kismet: passively sniffing wireless network traffic

The threat of information leakage via unencrypted wireless networks is quite real and needs to be taken into consideration. Especially if you’re an organization/entity, who handles sensitive information.

Today I’ll be covering a simple demonstration that will have 3 hosts. The three hosts are as follows:

Host A (Attacker)
Host B (Client)
Host C (Server)

Host A will be running kismet, so it will not be connected to the network. The network will only have MAC filtering deployed. Host B and C will be wireless clients on the network, but I will set up netcat loops that will just simply print a string over the network.

Host B will be running this:

while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | nc -w2 hostC 8080; done

Host C will be running this:

while true; do nc -l -s hostCIP -p 8080 -vv; done

Host A which is the attacker, will simply be within close range of the network and will give the kismet log files a name as well by doing:

kismet -t capture-test

Once kismet has started to run, make sure to use ‘L’ to lock onto the channel that the wireless network is on. With this done, wait a few minutes and you should have captured the test string.

To view your captured information, you need to view the contents of the dump files. The dump files are located in/var/log/kismet.

Upon location of the dump file, what worked for me was using egrep to look for the captured string.

egrep 'CAP*' capture-test*.dump 

This may ‘bork’ your terminal, so just use reset. Per contra, you should see the captured text.

This simple demo demonstrates how real of a threat passive wireless sniffing devices are. If you’re curious, I actually used my Nokia N810 as the attacker. 🙂

I’ll have more to come as usual… (I’m back in school so I’m going to have less time to work on ettersploit 🙁 )

Leave a Reply

Your email address will not be published. Required fields are marked *