NetStumbler.org Forums

Old 05-26-2002   #1 (permalink)
themastermind1
*n?x stumbler
 
Join Date: May 2002
Posts: 24
kismet vs netstumbler

I have used both Kismet and NetStumbler and was wondering how come NetStumbler is able to detect the names and SSIDs of APs while Kismet usually does not. Also, if you notice the activity lights on the card while the two programs are functioning, it's very different.

Does anyone know how exactly NetStumbler's "probing" method works? Is Kismet different because it's passive?
Old 05-28-2002   #2 (permalink)
jeffrowe
Registered Member
 
Join Date: Apr 2002
Location: Northern Suburbs, Chicago, IL
Posts: 142
Kismet vs NS

I think the main difference is the fact that Kismet is a passive sniffer and NetStumbler is an active searcher...

Kismet only sees the SSID like NetStumbler if it sees a beacon... if you could somehow have your machine send out NS-like beacon requests while sniffing you would probably not have any problems getting the SSIDs all the time...

Kinda like using ARP flooding to get interesting packets for WEP cracking...

Is there a Linux utility that will let you send out beacon requests and etc?
__________________
-Jeffrowe
Old 05-29-2002   #3 (permalink)
JoeTampa
Registered Member
 
Join Date: Apr 2002
Posts: 51
Let's tighten this up a tad:


NetStumbler sends out 802.11 "Probe Request" frames for the SSID "ANY". Normally, any AP will answer with a "Probe Response" frame containing its SSID and capability information (does the AP support WEP, what speeds does it support, etc.).

Kismet simply listens to the "Beacon Frame" that each AP sends out constantly, usually 5-10 per second or so. The SSID is embedded within the frame.

The caveat: Most (all, by now?) APs include a configuration option normally called "Broadcast SSID Disable". This tells the AP to modify its behavior in 2 ways. First, it blanks the SSID in the Beacon Frames. Second, it no longer answers Probe Requests for SSID "ANY". This (in theory) prevents you from associating to the AP unless you know the SSID, which is no longer sent in the Beacon Frames. NetStumbler, therefore, will never know that the AP is even there. Kismet will detect the AP, but report the SSID as "no ssid".

The caveat to the caveat: Whenever a client associates to the AP, he sends a Probe Request with the SSID. The AP responds with a Probe Response with the SSID. Kismet will see this exchange and then "fill in the blank" with the newly discovered SSID.


There is no such thing as a "beacon request" as I hope the above has demonstrated. Further, Kismet is and will be the (much) better tool for stumbling until/unless Marius modifies NetStumbler to work the same way (and I surely hope he does..).

Other differences: Kismet will also discover, if possible, the IP range in use on the network as well as the netmask and default gateway. It will also detect "weak" WEP encrypted packets and save them for later use with AirSnort. It logs Cisco Discovery packets and all of the AP data as described above.


- Joe
Old 05-29-2002   #4 (permalink)
themastermind1
*n?x stumbler
 
Join Date: May 2002
Posts: 24
Ah, thanks. That makes a lot more sense now. A couple of questions though:

Does Kismet even attempt to probe to find out SSIDs?

And how does NetStumbler get the MAC addresses of the APs? Is this information just included in the packets it sniffs out?

Also, do you know if there is a reason that NetStumbler doesn't work with non-Hermes cards? Is it because it is not possible (that doesn't make sense since it works in Linux) or because it just hasn't been programmed in yet?
Old 05-29-2002   #5 (permalink)
themastermind1
*n?x stumbler
 
Join Date: May 2002
Posts: 24
Oh another thing:

Does anyone know the procedure for using an AP to get access to a network in Linux? I have successfully gotten online with APs in Windows, but that's just because it automatically sets up everything.

I was trying to figure out how I could do the same thing in Linux. One of the main problems is that you need to get out of the rfmonitor mode in Linux to be able to transmit and use the card. How does Netstumbler do this?

Aman
Old 05-29-2002   #6 (permalink)
JoeTampa
Registered Member
 
Join Date: Apr 2002
Posts: 51
There is no need for Kismet to probe. You only have two possibilities:

1. Broadcast SSID is enabled, the SSID is present in the Beacon Frames, and thus is immediately known. Done!

2. Broadcast SSID is DISabled, the SSID is not known, and the AP will not respond to a Probe Request with any other SSID but the correct one. Kismet (or any other program) would have to try literally every possible character combination to find the right SSID. In effect, you're guessing a password. Much easier to either wait for a client to associate (passively) or run some software that will spoof a disassociate frame and force the client to re-associate.

- Joe
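Added example, not part of any post in this thread and not Kismet's own code: a passive parser that shows the behaviour described in posts #3 and #6, where a cloaked AP is still seen by its BSSID and its SSID is filled in once a Probe Response goes by. The frames are constructed test data (no radiotap header or FCS), and `build_frame`, `parse_mgmt` and `track` are hypothetical names.

```python
import struct

BEACON, PROBE_RESP = 8, 5      # 802.11 management-frame subtypes
CAP_PRIVACY = 0x0010           # capability bit set when WEP is required

def build_frame(subtype, bssid, ssid, privacy=False):
    """Constructed test frame: 24-byte header + fixed fields + SSID element."""
    hdr = struct.pack("<HH", subtype << 4, 0) + b"\xff" * 6 + bssid * 2 + b"\0\0"
    fixed = struct.pack("<QHH", 0, 100, 1 | (CAP_PRIVACY if privacy else 0))
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

def parse_mgmt(frame):
    """Return (bssid, ssid_bytes, privacy) for a beacon/probe response, else None."""
    if len(frame) < 36:
        return None
    fc = struct.unpack_from("<H", frame)[0]
    if (fc >> 2) & 3 != 0 or (fc >> 4) & 0xF not in (BEACON, PROBE_RESP):
        return None
    cap = struct.unpack_from("<H", frame, 34)[0]
    pos, ssid = 36, b""
    while pos + 2 <= len(frame):               # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:                   # truncated element: stop
            break
        if eid == 0:                           # element ID 0 is the SSID
            ssid = body
            break
        pos += 2 + elen
    return frame[16:22].hex(":"), ssid, bool(cap & CAP_PRIVACY)

def track(frames):
    """Passive listener: BSSID -> {'ssid', 'wep'}; a cloaked SSID stays None."""
    aps = {}
    for bssid, ssid, wep in filter(None, map(parse_mgmt, frames)):
        ap = aps.setdefault(bssid, {"ssid": None, "wep": wep})
        if any(ssid):                          # not empty and not all NUL bytes
            ap["ssid"] = ssid.decode("utf-8", "replace")
    return aps

AP1, AP2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CAPTURE = [                                    # constructed sample traffic
    build_frame(BEACON, AP1, b"openlan"),
    build_frame(BEACON, AP2, b"", privacy=True),         # SSID broadcast disabled
    build_frame(BEACON, AP2, b"\0" * 7, privacy=True),   # NUL-padded variant
    build_frame(PROBE_RESP, AP2, b"private", privacy=True),  # a client joins
]
```
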
Old 05-29-2002   #7 (permalink)
themastermind1
*n?x stumbler
 
Join Date: May 2002
Posts: 24
OOOH. I understand. Thanks a lot.

BTW, have you seen Wellenreiter for Linux? It looks like a NetStumbler clone and seems like it works very well. It has built-in channel changing and a lot of the other features that NetStumbler has, and even allows exporting data in the same format as NetStumbler.

Aman
Old 05-29-2002   #8 (permalink)
JoeTampa
Registered Member
 
Join Date: Apr 2002
Posts: 51
Played with it briefly, but I greatly prefer Kismet.

One nice feature - integration with Festival, a speech synthesis program. Kismet now tells me when it finds an AP, the SSID (if known), and if WEP is in use or not. I don't even have to look!
Old 05-29-2002   #9 (permalink)
Dr3D1zzl3
Mental Penis Fencer
 
Join Date: Apr 2002
Posts: 371
kismet is a pretty bad ass program. i must admit there is also airtraf and wellenwhateverthehellitscalled (i think i'm going to send an email to the author (_MAX_) to see if he will change the name of the proggie to that hehe)

o and not to be a dick, netstumbler doesn't sniff at all

to sum it up for you..

Netstumbler is like that loud annoying kid at the other end of the pool that is screaming MARCO! Waiting for everyone to say polo.

Kismet is like that sneaky little bastard sitting right next to the dork screaming marco. One big difference: the kismet kid cheats and doesn't say anything and is completely passive. They both hear all the polos but the kismet guy has the advantage of cheating and having his eyes open.


hehe Maybe that can go into the FAQ!


Last edited by Dr3D1zzl3 : 06-24-2002 at 07:01 PM.
Old 06-03-2002   #10 (permalink)
unclex
ER - working on Oil Drums
 
Join Date: Apr 2002
Location: MARS
Posts: 127
Kismet rocks - upgrade every day. Thanks Mike
__________________
Have Fun.

http://www.ackers.org.uk

http://forums.netstumbler.com/showthread.php?s=&postid=14030#post14030
Old 06-19-2002   #11 (permalink)
lincomatic
Squaaawk! WiFi! WiFi!
 
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
kismet rocks!

just got back from my first drive w/ kismet. just had the laptop propped in the center of the car. USR2410 card w/ no external antenna. and i STILL found about double the networks i normally find w/ NS on the same route using an orinoco w/ antenna. there are a lot of nets out there w/ beacons turned off. scary thing is there were 2 w/ SSID=POS and WEP off

butt-kicking prog, mon. i'm thinking of writing a log converter to write to NS format.
__________________
~lincomatic
Old 06-19-2002   #12 (permalink)
themastermind1
*n?x stumbler
 
Join Date: May 2002
Posts: 24
nice, just don't use VB or java :0)

c/c++ all the way!
Old 06-19-2002   #13 (permalink)
lincomatic
Squaaawk! WiFi! WiFi!
 
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
Quote:
Originally posted by themastermind1
nice, just don't use VB or java :0)

c/c++ all the way!
ugh...surely u jest...of course i program exclusively in C++
__________________
~lincomatic
Old 06-24-2002   #14 (permalink)
fungus
Banned by the masses
 
Join Date: Apr 2002
Location: So. Calif.
Posts: 177
Kismet vs. Netstumbler streaming video:

http://www2.lpbn.org:8080/ramgen/UNW...rm?usehostname
Old 06-24-2002   #15 (permalink)
lincomatic
Squaaawk! WiFi! WiFi!
 
Join Date: Apr 2002
Location: Tinsel Town
Posts: 1,682
Quote:
Originally posted by fungus
Kismet vs. Netstumbler streaming video:

http://www2.lpbn.org:8080/ramgen/UNW...rm?usehostname
watched that...and it pushed me over the edge to finally get kismet running. thanks, fungus.
__________________
~lincomatic