Wi-Fi

Try kismet for detecting hidden 802.11 wireless networks

Kismet is an open source tool similar to netstumbler, and it's particularly good for discovering hidden wireless networks that might be adversely affecting your network.

Kismet is an open source tool for discovering wireless networks. It can be used to troubleshoot a wireless network and detect network intrusions. It is a similar tool to netstumbler (which is used in the Windows world) but it does have some differences. One area in which kismet is superior is the ability to detect hidden 802.11 wireless networks.

The significant difference between kismet and netstumbler is how kismet detects an 802.11 network. Kismet passively listens for beacon transmissions from wireless access points; this is in contrast to netstumbler, which actively sends out broadcast probe requests for any Service Set Identifier (SSID). The advantage of listening rather than broadcasting is that kismet is able to detect networks that do not advertise an SSID.

Kismet uses channel hopping to enable detection of wireless networks. This means that it will listen on one channel, then hop to another channel and listen, then to another and so on. Channel hopping is a simple algorithm that hops from channel to channel in a pre-determined pattern. Kismet can detect a client's response to a beacon frame and uses this to associate the client with a wireless access point.

There are a variety of configurations that kismet can use. This post does not go into the different ways it can be run or configured (though a future post may well do so). Running sudo kismet will start a session. Usually this will auto detect the network card used and make changes to the /etc/kismet/kismet.conf file.

Running kismet gives the following screen on start up.

Figure A

To obtain a list of commands, simply type h. In this example, I have used s to sort the SSIDs based on channel number (channel number is denoted by the column "Ch" in Figure B).

Figure B


A point to note on the channels used: Some wireless routers now come with an auto channel select feature. That is, the router will check which channels are available and will select an unused channel. Otherwise, you have to manually select a channel. Ideally, you want the channel to be far removed frequency-wise from other channels that are in use. Adjacent channels overlap, and this can degrade the Signal to Noise Ratio (SNR), which in turn can reduce throughput. Spacing the channels out can alleviate this. As can be seen in Figure B, channels 1, 6 and 11 are in use. This is a reasonable spacing.

One of the great features of kismet is its log files. The log files are stored in the directory /var/log/kismet. Here is a list of the log files produced from a run of kismet.

-rw-r--r-- 1 root root       0 2011-11-30 22:43 Kismet-Nov-30-2011-1.cisco
-rw-r--r-- 1 root root    1229 2011-11-30 22:43 Kismet-Nov-30-2011-1.csv
-rw-r--r-- 1 root root  403891 2011-11-30 22:43 Kismet-Nov-30-2011-1.dump
-rw-r--r-- 1 root root    1653 2011-11-30 22:43 Kismet-Nov-30-2011-1.network
-rw-r--r-- 1 root root   18681 2011-11-30 22:43 Kismet-Nov-30-2011-1.xml

We confine ourselves to looking at three of the five files listed. The files with the .dump suffix are readable by applications such as wireshark (as shown in Figure C) or tcpdump.

Figure C

The files with the .csv suffix can be read by LibreOffice (as shown in Figure D).

Figure D


The .network files are simple text files that can be viewed using your favourite text editor. Below is a sample of a .network file.

Network 1: "BigPond639C78" BSSID: "00:24:17:D7:2F:99"
    Type       : infrastructure
    Carrier    : 802.11b
    Info       : "None"
    Channel    : 06
    Encryption : "WEP TKIP WPA PSK AES-CCM "
    Maxrate    : 54.0
    LLC        : 108
    Data       : 8
    Crypt      : 8
    Weak       : 0
    Dupe IV    : 0
    Total      : 116
    First      : "Wed Nov 30 22:32:55 2011"
    Last       : "Wed Nov 30 22:43:26 2011"
    Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
    Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
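As an added example (not code from the original post or from the Kismet project), the following Python script parses a .network file in the layout shown above and applies the channel-spacing rule from the discussion of Figure B. The sample records, the treatment of an empty SSID as a non-broadcast network, and the five-channel spacing threshold are assumptions of the example, not something the post states.

```python
"""Parse a Kismet .network log and check 2.4 GHz channel spacing.

Added example; it is not code from the original post or from the Kismet
project. The record layout follows the .network sample shown in the post
(a 'Network N: "SSID" BSSID: "..."' header followed by indented 'Key : value'
lines). The sample input below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format the post shows. Network 2 has an empty
# SSID, which is assumed here to be how a non-broadcast SSID is recorded.
SAMPLE_NETWORK_LOG = '''Network 1: "BigPond639C78" BSSID: "00:24:17:D7:2F:99"
    Type       : infrastructure
    Carrier    : 802.11b
    Info       : "None"
    Channel    : 06
    Encryption : "WEP TKIP WPA PSK AES-CCM "
    Maxrate    : 54.0
    Total      : 116
    First      : "Wed Nov 30 22:32:55 2011"
    Last       : "Wed Nov 30 22:43:26 2011"
    Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000

Network 2: "" BSSID: "00:11:22:33:44:55"
    Type       : infrastructure
    Carrier    : 802.11g
    Channel    : 07
    Encryption : "WEP "
    Total      : 40

Network 3: "ExampleNet" BSSID: "66:77:88:99:AA:BB"
    Type       : infrastructure
    Carrier    : 802.11g
    Channel    : 11
    Encryption : "WPA PSK AES-CCM "
    Total      : 12
'''

HEADER_RE = re.compile(r'^Network (\d+): "(.*)" BSSID: "([0-9A-Fa-f:]+)"$')
FIELD_RE = re.compile(r'^\s+([A-Za-z ]+?)\s*:\s*(.*)$')

# 2.4 GHz channels are 5 MHz apart and an 802.11b/g signal is roughly 22 MHz
# wide, so two channels fewer than 5 apart overlap (hence the 1/6/11 layout).
MIN_CHANNEL_SPACING = 5


def parse_network_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per network: 'ssid', 'bssid' and the indented fields."""
    networks: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"ssid": header.group(2), "bssid": header.group(3).upper()}
            networks.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            # Kismet quotes string values; strip the quotes and padding.
            current[field.group(1)] = field.group(2).strip().strip('"').strip()
    return networks


def channels_in_use(networks: List[Dict[str, str]]) -> List[int]:
    """Distinct channels seen, as integers, ascending."""
    return sorted({int(n["Channel"]) for n in networks if n.get("Channel")})


def channel_conflicts(networks: List[Dict[str, str]]) -> List[Tuple[int, int]]:
    """Pairs of in-use channels that are too close to avoid overlap."""
    chans = channels_in_use(networks)
    return [(a, b) for i, a in enumerate(chans) for b in chans[i + 1:]
            if b - a < MIN_CHANNEL_SPACING]


def hidden_networks(networks: List[Dict[str, str]]) -> List[str]:
    """BSSIDs recorded with an empty SSID (non-broadcast SSID, by assumption)."""
    return [n["bssid"] for n in networks if n["ssid"] == ""]


def wep_only_networks(networks: List[Dict[str, str]]) -> List[str]:
    """BSSIDs whose Encryption field lists WEP and no WPA variant."""
    out = []
    for n in networks:
        tokens = n.get("Encryption", "").split()
        if "WEP" in tokens and not any(t.startswith("WPA") for t in tokens):
            out.append(n["bssid"])
    return out


if __name__ == "__main__":
    nets = parse_network_log(SAMPLE_NETWORK_LOG)
    for n in nets:
        print(f'{n["bssid"]} ch {n.get("Channel")} ssid={n["ssid"]!r} enc={n.get("Encryption")!r}')
    print("channels in use:", channels_in_use(nets))
    print("overlapping channel pairs:", channel_conflicts(nets))
    print("hidden SSIDs:", hidden_networks(nets))
    print("WEP-only:", wep_only_networks(nets))
```

Run it against a real file by replacing SAMPLE_NETWORK_LOG with the contents of /var/log/kismet/<run>.network. On the constructed sample it reports channels 6, 7 and 11 in use, flags the pairs (6, 7) and (7, 11) as overlapping, and lists the second BSSID as both non-broadcast and WEP-only; the 1/6/11 layout seen in Figure B would produce no overlapping pairs.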

Kismet is a handy tool for troubleshooting 802.11 networks. You can use it to find out whether other networks are adversely affecting your network. Because it detects hidden wireless networks, you can use it to work out which channels to use (and which ones to avoid).

About

Scott Reeves has worked for Hewlett Packard on HP-UX servers and SANs, and has worked in similar areas in the past at IBM. Currently he works as an independent IT consultant, specializing in Wi-Fi networks and SANs.

4 comments
BALTHOR

I have the new AT&T 2Wire wireless DSL box. And in my laptop I have to select linksys or it doesn't work. Even with my AT&T password 2Wire doesn't work. Make certain that all of your network and wireless drivers are installed. If you can't reboot just pop the CD out until your computer starts again. The wireless stuff is on the bottom right by the clock.

Neon Samurai

I spent just this very morning on this topic. Not broadcasting the SSID (i.e. "hidden SSID") actually decreases the network security and usability. Obscurity is not security and provides no operational or protective benefit.

- 99% of wifi scanners, from the minimalist "what wifi are in range" to the industrial strength scan and crack gear, will display the SSID. I'm a little shocked that netstumbler hasn't matured to include this function actually, as I thought it did this already.
- Broadcast SSID was never, ever, meant to be a security mechanism and in fact the wifi standard requires SSID broadcast.
- Not broadcasting your SSID can cause connectivity issues, notably where Win7 disconnects and then, instead of re-connecting to the network, re-connects to a third party easier network.
- Not broadcasting your SSID can also cause further channel congestion, as new wifi users blindly assume that a channel is empty just because the Windows "connect to wifi" list doesn't display how many wifi routers are actually trying to use the channel.
- Not broadcasting your SSID also causes information leakage, since your wifi devices now wander around town with you calling out to the router by announcing your SSID. From the pentesting or malicious folks in the crowds; thank you.

If you have a wifi router, please get over this myth if you haven't. Broadcast your SSID and instead rely on actual security mechanisms: WPA2 encryption and a strong random string for a password. If you still choose to not broadcast your SSID, at least realize that your decision provides absolutely no network protection and does not actually hide your network in any way. If you have some other reason for not broadcasting your SSID, all the power to you.

johannlemmer

The reason why many WISPs hide the SSID on their backbone links is to stop competing WISPs from targeting their backbone and bombarding it with a stream of data from a stronger station, causing it to fall over or weakening the services rendered through it.

Neon Samurai

Does that really work? The SSID is included visibly in the traffic frames. Anyone capable of setting up an access point to overpower the signal and hijack client connections is going to also be perfectly capable of popping the SSID out of the frames being sprayed through the air. If it's a competing ISP stealing customer connections then you're dealing with a legal issue ultimately. It would be no different than someone sitting beside the local coffee shop running a rogue access point to MITM the customers.