Ghost in the Wireless: An introduction to Airspace Analysis with Kismet
BHIS · 2024-08-15 · via Black Hills Information Security, Inc.

This is the first installment in a series of blogs relating to practical analysis of wireless communications: what they are, how they work, and how they can be attacked. In this post, we are going to walk through setting up the Kismet tool and performing basic analysis of 802.11x traffic. 

Background 

This section provides background on wireless communications and the electromagnetic spectrum. If you simply want instructions on setting up Kismet, skip to the “Setup” section. 

Rather than sending messages as electrical signals over wires, WIFI, Bluetooth, and other recent technologies use waves of various frequencies to transmit information. Digital data is converted into an analogue waveform, which is then projected onto a carrier wave using some modulation technique (e.g., amplitude modulation or frequency modulation). The antenna takes this modulated signal and transmits it out through the airspace.

The WIFI signals we’re talking about today transmit waves in the 2.4GHz and 5.8GHz ranges (“5G” operates at a frequency of 5.8GHz). The image below shows approximately where 2.4 GHz WIFI falls on the electromagnetic spectrum.

A Diagram Showing the Electromagnetic Spectrum 

The above may be a bit misleading as cellphones and 2.4G wireless, as well as microwave ovens, have some overlap; however, it gets the general idea across. 5G wireless would fall just on the right of microwaves and before infrared remote controls. 

The next section provides a detailed walkthrough on setting up an adapter and software to view these signals. Then we will move on to interpreting and analyzing the data. 

Equipment Setup 

We can see many interesting things while monitoring our surrounding airspace, including nearby devices, our neighbors’ SSIDs, and, if we’re lucky, maybe even some 4-way handshakes. You can follow along from the comfort of your own home, or wherever you’d like, provided you are able to acquire the following items.

You will need: 

  • 1 Machine running Kali Linux (virtual machine is fine) 
  • 1 USB WIFI adapter capable of running in monitor mode 
  • 1 nerdy friend with a sense of adventure (optional) 

Our setup consists of an ARM-64 Kali instance running in VMware and a USB-C connected ALFA AWUS036ACH WIFI adapter.

ALFA AWUS036ACH 

Once you have your Kali machine up and running, you will need to install drivers for the wireless adapter. If you are using the same wireless adapter mentioned above, the following commands should be sufficient. 

sudo apt install dkms
git clone https://github.com/aircrack-ng/rtl8812au
cd rtl8812au
sudo make dkms_install
# if you get an error about missing kernel headers, install them
sudo apt install linux-headers-6.6.9-arm64  # your version may differ; the error tells you which version is requested
sudo make dkms_install  # again, after the headers are installed
# fallback if the DKMS install still fails: build and install the module directly
make clean  # run if the previous command fails
make
sudo make install


Your machine should now be able to communicate with your wireless adapter. To verify, we can use the utility iwconfig. This utility is used to view and modify parameters of wireless interfaces. In the screenshot below, we only see two interfaces: the loopback, and eth0. This is because we forgot to plug in the adapter. 

iwconfig Output When No Wireless Devices Present 

To connect the USB adapter to the virtual machine, go to Virtual Machine -> USB & Bluetooth -> Connect Realtek 802.11 NIC as shown in the screenshot below. 

Now, we can run iwconfig again, and we see that Kali recognizes a new wireless interface, wlan0. 

iwconfig Output with Wireless Device Attached 

In the screenshot above it can also be seen that the interface is being managed by NetworkManager, a popular network management service which comes pre-installed and will typically take over your WIFI adapter by default. To snoop the airwaves, we need to put the wireless card in Monitor mode. This can be done by issuing the following commands: 

(Note that you will need to change the interface name if yours is not wlan0)

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

To verify that we successfully put the device in monitor mode, we can simply run iwconfig one more time. 

iwconfig showing interface in monitor mode 

Finally, we are ready to run Kismet and start exploring. If it is not installed on your machine, you can either download it from the GitHub repo or run sudo apt install kismet. You can verify the install by running which kismet or kismet --version.

(Optional step) Logging data in PCAP-NG format 

Kismet will save all captured traffic to a Kismet log file. There are various file types available but, by default, it will only write the Kismet log. This is fine and can be converted to a PCAP later. However, if you’d like Kismet to also capture a PCAP file while it’s running, edit the config file as shown below.

We are going to edit the default configuration file and add PCAP-NG logging. If you installed Kismet via the apt repository, this will be in the location: /etc/kismet/kismet_logging.conf

Kismet Log File and Relevant Field 
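The relevant line, shown here as an added illustration rather than the page’s own screenshot; it assumes the stock kismet_logging.conf, whose log_types setting defaults to the kismet log only:

```ini
# /etc/kismet/kismet_logging.conf
# default: only the kismet (sqlite) log is written
log_types=kismet

# to also write a pcapng capture alongside it, change the line to:
log_types=kismet,pcapng
```

Keep only one log_types line in the file; Kismet creates both files under the directory given with -p when it starts.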

You can also convert Kismet logs to PCAP-NG files after they’ve been captured using the following command. 

kismetdb_to_pcap --in some-kismet-log.kismet --out some-pcap-log.pcapng

Airspace Analysis 

It is finally time to launch Kismet. We will be running it with the following command. 

kismet -c wlan0 -p ~/log_directory -t output_file

This tells Kismet we want to use wlan0 as our data source. If you leave this part out, the program will start, but you will not see any traffic in the interface. In theory, one should be able to select the data source from the web interface, however, this has not always been reliable. The -p flag tells Kismet which directory to write the log files to, and the -t determines what the output file will be titled.  

If you still aren’t seeing traffic, try unplugging the adapter and plugging it back in again.  

If this is your first time logging in, you will be prompted for credentials. Don’t forget these! 

Kismet Credential Prompt

If you do forget your credentials, they can be found in ~/.kismet/kismet_httpd.conf, where ~ is the home directory of the user who installed Kismet.

Data Sources 

As soon as you launch the Web UI, you should see the data start flooding in. Before we look at the data, let’s have a quick look at how the data collection is actually working.  Access the Data Sources tab by expanding the hamburger menu on the top right of the interface.  

Kismet Menu 

This next screen shows us which network interface is being used, as well as some basic hardware information. The “Channel Options” listed underneath show how our wireless adapter is ingesting data from the airspace.   

To a noob like myself, the “channels” label showing all channels highlighted may make it appear as though we are monitoring the entire airspace at once. With current hardware, this is a physical impossibility. Only a single channel can be monitored at any given time. The second highlight in the screenshot below shows that the channel speed is set to 5 channels per second. This means Kismet is listening on a single channel for 1/5 of a second, moving to the next one, and so on. This results in a very useful but incomplete analysis of the spectrum. With this configuration, Kismet is very likely to see new devices, but less likely to capture data such as complete 4-way handshakes since so little time is spent on each channel. 

Data Source Options in Kismet Interface 

You can restrict hopping to the channels you’re interested in by selecting only those. For example, if you are only interested in the 2.4GHz range (WIFI, Bluetooth, baby monitors, etc.), you can select channels 1 through 11 and Kismet will hop between these channels only.

Reconnaissance 

On the default page, we are looking at a summary of all devices picked up by Kismet. In my case, I am primarily surrounded by WIFI access points, which can be seen in the screenshot below. The AP names and BSSIDs are redacted, as these pieces of information combined with OSINT tools such as WIGLE1 could likely be used to pinpoint my exact physical location. (OSINT is pretty scary) 

Kismet Interface

In the next post, when we talk about attacks, data such as the encryption type and number of clients will be discussed in depth. Here, we will only discuss the two columns highlighted above, each of which can give us some interesting information about the device.

The signal strength column indicates how close the device is to us. The number represents the power level received by our wireless adapter. This is useful for tracking down unknown devices, since, as we bring our receiver closer to the unknown device, the signal strength should get stronger. This nerd rendition of Marco Polo is not infrequently employed on client sites.

In the same way, if our receiver is not moving, and the signal strength of a device is constantly changing, we can infer that the device is in motion, such as a cellphone or other wireless hotspot. 

But how far away are the devices exactly? Signal strength is measured in dBm (decibels relative to one milliwatt) and typically ranges from 0dBm to -100dBm. The closer the value is to 0, the closer you are to the transmitting device. In practice, however, the maximum achievable signal strength is about -30dBm, and -90dBm is approaching the noise floor: though you may pick up the signal, it is unlikely you would be able to interact with the network in any meaningful way.

Signal Strength Visualization 

The channel tells us which frequency the device is operating on. Some devices may show up twice. For example, a WIFI router that transmits both 2.4 and 5G signals will show up twice, because our receiver picks them up as two different signals. 

Clicking on one of the devices can bring up more information about the device as shown in the screenshot below. 

Device Information for Home WIFI AP

The BSSID for a device is typically the same as the MAC address, hence why both are redacted in the screenshots. The MAC address is what Kismet uses to determine the manufacturer of a device. The first 4-6 digits in the MAC address can typically be used to identify the device vendor. One list of known prefixes can be found on GitHub2.
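As an added example (not BHIS’s or Kismet’s code), the following Python pulls together the three device fields walked through above: it maps a channel number to its frequency and band, buckets signal strength using the -30 dBm ceiling and -90 dBm noise floor, looks up the vendor from the MAC’s OUI prefix, and infers that a device is moving when its RSSI swings while our receiver stays put. The observations, BSSIDs, OUI table and the -67 dBm / 5 dB split points are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample (time_s, BSSID, channel, signal_dBm), the columns Kismet's
# device list shows. BSSIDs and vendor names are made up for this example.
OBSERVATIONS = [
    (0, "AA:BB:CC:10:20:30", 6, -41), (5, "AA:BB:CC:10:20:30", 6, -42),
    (0, "AA:BB:CC:10:20:31", 149, -53), (5, "AA:BB:CC:10:20:31", 149, -54),
    (0, "DE:AD:BE:EF:00:01", 1, -75), (5, "DE:AD:BE:EF:00:01", 1, -60),
    (10, "DE:AD:BE:EF:00:01", 1, -48),  # signal climbing: the device is moving
    (0, "00:11:22:33:44:55", 11, -89), (5, "00:11:22:33:44:55", 11, -92),
]
OUI_TABLE = {"AABBCC": "ExampleRouterCo", "DEADBE": "ExamplePhoneCo"}  # constructed


def channel_to_mhz(channel):
    """802.11 channel number -> (centre frequency in MHz, band label)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel, "2.4GHz"
    if 32 <= channel <= 177:
        return 5000 + 5 * channel, "5GHz"
    raise ValueError(f"unsupported channel {channel}")


def describe_signal(dbm):
    """Bucket a reading using the article's -30 dBm ceiling and -90 dBm noise floor."""
    if dbm >= -30:
        return "transmitter is right next to you"
    if dbm <= -90:
        return "at the noise floor: seen, but not usable"
    return "strong" if dbm > -67 else "weak"  # -67 dBm split point is an assumption


def vendor_for(bssid):
    """First three bytes of the MAC (the OUI) identify the vendor, if listed."""
    return OUI_TABLE.get(bssid.replace(":", "")[:6].upper(), "unknown")


def infer_motion(readings, jitter_db=5.0):
    """With a fixed receiver, large RSSI swings suggest the device itself moves."""
    return len(readings) > 1 and pstdev(readings) > jitter_db


def summarize(observations=OBSERVATIONS):
    """Per-BSSID report with the fields the article walks through."""
    by_bssid = defaultdict(list)
    for _, bssid, channel, dbm in sorted(observations):
        by_bssid[bssid].append((channel, dbm))
    report = {}
    for bssid, rows in by_bssid.items():
        mhz, band = channel_to_mhz(rows[0][0])
        signals = [dbm for _, dbm in rows]
        report[bssid] = {"vendor": vendor_for(bssid), "mhz": mhz, "band": band,
                         "strongest": max(signals), "moving": infer_motion(signals),
                         "note": describe_signal(max(signals))}
    return report
```

Run summarize() over your own exported readings to get the same per-device view; the dual-band router appears as two BSSIDs, exactly as described above.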

Recap 

You should now have a solid foundation to jump into more advanced wireless analysis.  We discussed the electromagnetic spectrum, installed Kismet, and captured wireless signals in real-time. Additionally, we demonstrated how this information can be used to identify and locate wireless devices. In future installments, we will cover how to correlate devices, identify rogue access points, and launch some active attacks against PSK networks.  


  1. https://www.wigle.net/