The definitive KisMAC article.
Having lurked in the KisMAC IRC channel for a few years, I have picked up on the ins and outs of the application, with the help of quite a few users including Fishman, BugDave, Alchemy Thunder, Jeroenimo, and others. This article is a guide for users curious about what KisMAC offers, how to use it properly, and maybe even how to contribute. At the time of writing, version 0.2.99 is the most current.
So let's get started. KisMAC is a wireless stumbler, cracker, and PCAP dumper. What this means for the uninitiated is that you can do a multitude of Wi-Fi sniffing right within OS X without having to resort to virtual machines or dual-boot systems. Not only can KisMAC use compatible USB and PCMCIA cards, but all Airport cards are supported for scanning, meaning anyone with a relatively new portable Mac can use this application.
Before I get into some serious lingo I want to forewarn you that KisMAC is not for people who don't like to troubleshoot or search for answers. If something doesn't work you'll have to search for an answer. A kernel panic can result from manipulating your Mac's system files, so make sure you know what you're doing before you break something.
With that out of the way, let's learn two new terms: Active and Passive.
Active mode
- Sends probes
- Allows for standard stumbling
- Pretty much garbage
Passive mode (Monitor mode)
- Ability to see everything within range
- Allows for injection attacks
- De-authentication attacks
You can see that you want Passive mode support if you really want to stir up some packets. All Airport Extreme cards are supported in some form, depending on their chipset. Apple uses one broad name for its wireless card but ships chips from different vendors under it. My MacBook came with an Atheros card, however I upgraded to a Broadcom-based chip which allows for wireless N on 5 GHz. You can read all about the limitations of the Apple Airport Extreme here.
I want to inject and de-authenticate, what card should I buy?
So you've got some money burning a hole in your pocket and you want the ability to use the advanced features of KisMAC. You can spend anywhere from $20-50 depending on your location and preference. In my opinion you have two choices for chipsets, the rt73 and the RTL8187L. You can see which specific cards contain those chipsets here. I have the Hawking HWUG1 and the Asus WL-167G. The Hawking has an external R-SMA connector which allows me to connect an external antenna for even better reception. It is highly recommended.
Setup – KisMAC Preferences
Before you can slap your card in and hit scan you need to open the preferences and select your driver. This is a crucial step that many new users overlook. KisMAC can't figure out what card you have on its own, so you have to do the work and tell it which driver to use. You can easily find out what chipset your device uses by looking at this chart. Here you can see I have the rt73 driver selected.
Some of the settings are hidden behind the drop-down. The screenshot below shows the settings I use. Be sure to check "Keep everything" if you want to import the raw PCAP dumps into your favorite packet analyzer. KisMAC's own save file uses a proprietary format that Aircrack and Wireshark cannot read, so the PCAP dump is the only way to get your captures into those tools.
Attack! I want to harness the power of my card and inject! How do I do it?
First let's start by defining what injection means. A certain type of packet will prompt a computer on the network to respond. It's similar to saying "Hello?" on the phone. If your card supports injection it will send that specific packet out to the network and hopefully the computer will respond. Take this idea and multiply it hundreds of times and you will start to get a huge number of packets. The more packets you have, the easier it is to crack the key. To inject packets simply go to Network –> Reinject Packets. KisMAC will do the rest.
Where do I use injection?
Injection is currently only used for cracking a WEP network. WPA networks require a different type of attack. Here you can see what it looks like to use injection.
How many packets do I need to crack my WEP key?
Assuming you've either been streaming video on your network and capturing packets like crazy, or you've succeeded in injecting packets, you can crack your WEP key with around 200,000 packets. With a longer key you can need as many as a million packets. This is why injection is so important: capturing that many packets passively will take forever. Purchasing a card that can inject is worth your time as opposed to using your built-in Airport Extreme.
I’ve got quite a few packets, now what do I do?
By this time you're getting anxious. You've captured what seems to be a lot of packets and you want to see the key. First double-check that you actually have around 200,000 data packets, and then collect some more. The more the better. Now to crack WEP it's as easy as clicking on Network –> Crack –> Weak Scheduling Attack –> Against 40-bit. If that route doesn't work you can try the other attacks available to you. If you have enough packets then one of these attacks should work. If you can't get any of these to work, triple-check your data packet count, save your KisMAC file, and start looking through the wiki. If you don't find anything there, either post in the KisMAC forums or try the IRC. Please read the readme and FAQs before posting too!
WEP is easy to crack, I want to crack WPA.
So you want to crack WPA, eh? Well, with KisMAC it can be either very easy or impossible. The first limitation is that in order to crack WPA you need to capture a handshake. A handshake is the exchange that happens when a computer connects to a wireless router. You can get this pretty easily by sending a de-authentication attack, kicking the computer off the network so that it rejoins quickly. The second limitation is that with KisMAC you test the handshake against a wordlist file. This is similar in spirit to a rainbow table, except it only contains ASCII words. If the password of the WPA network is in your wordlist file then you are quickly granted access to the network. If the password is not in the file then you are not able to gain access using KisMAC. There are other ways to crack WPA, however they are not built into KisMAC.
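To show why the wordlist test above is an offline operation and why only passphrase length and a non-default SSID protect you, here is an added example (not KisMAC code) of the WPA/WPA2-PSK key derivation the handshake check is built on. The derivation itself is the IEEE 802.11i one (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID); the `seconds_to_exhaust` helper and its policy table are my own construction for illustration, and the guess rate it takes is whatever your own machine measures, not a number from the article.

```python
"""WPA/WPA2-PSK key derivation and what it costs per guess (added example)."""
import hashlib
import time


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is the standard 802.11i derivation; a client computes it once,
    an offline wordlist test computes it once per candidate word.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def measure_guess_rate(samples: int = 40) -> float:
    """Rough single-threaded derivations per second on this machine (constructed benchmark)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"benchmark-{i}", "benchmark-ssid")
    elapsed = time.perf_counter() - start
    return samples / elapsed


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every passphrase of the given charset and length."""
    return (charset_size ** length) / guesses_per_second


def policy_table(guesses_per_second: float) -> dict:
    """Hypothetical passphrase policies and their exhaustive-search time in seconds."""
    policies = {
        "8 lowercase letters": (26, 8),
        "8 mixed-case + digits": (62, 8),
        "12 mixed-case + digits": (62, 12),
        "20 mixed-case + digits": (62, 20),
    }
    return {
        name: seconds_to_exhaust(cs, n, guesses_per_second)
        for name, (cs, n) in policies.items()
    }


if __name__ == "__main__":
    # Same passphrase, different SSID -> different PMK: the SSID is the salt,
    # so a precomputed table only helps against networks sharing that exact SSID.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "linksys").hex())
    rate = measure_guess_rate()
    print(f"~{rate:.0f} derivations/s on this machine")
    for name, secs in policy_table(rate).items():
        print(f"{name:28s} {secs / 86400:.3g} days")
```

The first printed PMK matches the 802.11i test vector for passphrase "password" and SSID "IEEE", which is a quick way to confirm the derivation is right. The table is the defender's takeaway from this section: the 4096 iterations make each guess slow, but a short passphrase is still exhausted quickly, and a passphrase that appears in any wordlist is found regardless of length.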
I have the handshake captured so now what do I do?
First let's make sure you have the actual handshake. In KisMAC this is represented by a red or green icon on the far right of the networks page. You can see in the image below that the handshake for DD-WRT has not been acquired. If that icon glows green you have successfully captured the handshake.
Assuming you have captured the handshake, now go to Network –> Crack –> Wordlist Attack –> Against WPA key. This will open a file dialog for you to select your wordlist file. If the password is found, KisMAC will congratulate you and show you the correct password. I have cracked my WPA password with as few as 6 packets by de-authenticating immediately as I start scanning. Again, you need to have the password in the wordlist file, but it is still fast. Some say this isn't exactly "cracking" WPA but more of testing it against what you already know, but personally with a good wordlist file you can get into normally secured networks, though I don't condone that.
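The de-authentication step described above is also what a defender can watch for: a station being kicked off repeatedly looks nothing like a client leaving on its own. The following is an added example (not part of the article or of KisMAC) of simple flood detection over a monitor-mode capture summarised one frame per line. The log format, the BSSIDs, the window of 2 seconds and the threshold of 10 frames are all my own constructed choices; real captures would be summarised from a PCAP first.

```python
"""Flag BSSIDs that emit bursts of deauth/disassoc frames (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One summarised 802.11 management/data frame per line (constructed format).
LINE_RE = re.compile(r"^(\S+) (\w+) bssid=(\S+) dst=(\S+) reason=(\d+)$")


def build_sample_log() -> str:
    """Constructed sample: 15 broadcast deauths in 1.4 s from one BSSID (a flood),
    a few ordinary data frames, and one normal deauth from another AP (client left)."""
    lines = []
    for i in range(15):
        ts = f"12:00:{i // 10:02d}.{(i % 10) * 100:03d}"
        lines.append(f"{ts} deauth bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff reason=7")
    lines.append("12:00:00.250 data bssid=66:77:88:99:aa:bb dst=aa:bb:cc:dd:ee:01 reason=0")
    lines.append("12:00:00.750 data bssid=66:77:88:99:aa:bb dst=aa:bb:cc:dd:ee:01 reason=0")
    lines.append("12:00:03.000 deauth bssid=66:77:88:99:aa:bb dst=aa:bb:cc:dd:ee:01 reason=3")
    return "\n".join(lines) + "\n"


def parse_frames(log_text: str) -> list:
    """Return (timestamp, subtype, bssid, dst, reason) tuples, skipping malformed lines."""
    frames = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, subtype, bssid, dst, reason = m.groups()
        frames.append((datetime.strptime(ts, "%H:%M:%S.%f"), subtype, bssid, dst, int(reason)))
    return frames


def deauth_flood_sources(frames: list, window_seconds: float = 2.0, threshold: int = 10) -> dict:
    """Map each BSSID whose deauth/disassoc count within any sliding window of
    window_seconds reaches threshold to its peak count in that window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, subtype, bssid, _dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[bssid] = max(peak[bssid], len(q))
    return {b: c for b, c in peak.items() if c >= threshold}


if __name__ == "__main__":
    for bssid, count in deauth_flood_sources(parse_frames(build_sample_log())).items():
        print(f"possible deauth flood from {bssid}: {count} frames in window")
```

The single reason-3 deauth from the second AP is exactly the "client left" case and stays below the threshold, while the spoofed broadcast burst trips it. In practice the sliding window matters more than the threshold: a legitimate AP rebooting can send a handful of deauths, but not dozens per second.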
I think I just want to use KisMAC for good and not evil.
KisMAC can crack networks, yes, but it is also a great stumbler. It supports just about any GPS adapter that works on Macs and can even export to NetStumbler format so you can upload your finds to WiGLE. The map function of KisMAC works pretty well and I've used it to wardrive a few times. The KisMAC WiGLE team is pretty good too! So grab a copy of KisMAC, a power inverter, a few buddies, some sort of GPS device, and stumble some networks. Be sure to join our WiGLE network or hang out in the KisMAC IRC (#kismac on irc.freenode.net). The KisMAC team is currently looking for coders, graphic designers, and just about anything else. If you want to contribute, let us know in the forums or the IRC!
I can’t get this application to work, KisMAC is stupid!
I can’t tell you how many tries it took me to get injection or WPA cracking to work. It took a lot of time reading the wiki, asking questions on the IRC, and being patient. The current build is pretty solid and with some time I’m sure you can get it working. The biggest thing you need to understand is that there are people out there to help you, just be sure to read the FAQ so you don’t start off on the wrong foot.
I hope this article either helps or gets someone interested in KisMAC. I have been working on a better landing page for the application for a little bit and it inspired me to write this article. If you need help you can look for me lurking in the IRC, my handle is post_break.