kismet vs netstumbler

Postby themastermind1 » Sun May 26, 2002 7:17 pm

I have used both Kismet and NetStumbler and was wondering how come NetStumbler is able to detect the names and SSIDs of APs while Kismet usually does not. Also, if you notice the activity lights on the card while the two programs are running, it's very different.

Does anyone know how exactly NetStumbler's "probing" method works? Is Kismet different because it's passive?
themastermind1
 
Posts: 24
Joined: Sun May 26, 2002 7:13 pm

Kismet vs NS

Postby jeffrowe » Tue May 28, 2002 12:36 pm

I think the main difference is the fact that Kismet is a passive sniffer and NetStumbler is an active searcher...

Kismet only sees the SSID like NetStumbler if it sees a beacon... if you could somehow have your machine send out NS-like beacon requests while sniffing you would probably not have any problems getting the SSIDs all the time...

Kinda like using ARP flooding to get interesting packets for WEP cracking...

Is there a Linux utility that will let you send out beacon requests and etc?
-Jeffrowe
jeffrowe
Mini Stumbler
 
Posts: 142
Joined: Sat Apr 13, 2002 6:17 am
Location: Northern Suburbs, Chicago, IL

Postby JoeTampa » Wed May 29, 2002 6:09 pm

Let's tighten this up a tad:

NetStumbler sends out 802.11 "Probe Request" frames for the SSID "ANY". Normally, any AP will answer with a "Probe Response" frame containing its SSID and capability information (does the AP support WEP, what speeds does it support, etc.).

Kismet simply listens to the "Beacon Frame" that each AP sends out constantly, usually 5-10 per second or so. The SSID is embedded within the frame.

The caveat: Most (all, by now?) APs include a configuration option normally called "Broadcast SSID Disable". This tells the AP to modify its behavior in 2 ways. First, it blanks the SSID in the Beacon Frames. Second, it no longer answers Probe Requests for SSID "ANY". This (in theory) prevents you from associating to the AP unless you know the SSID, which is no longer sent in the Beacon Frames. NetStumbler, therefore, will never know that the AP is even there. Kismet will detect the AP, but report the SSID as "no ssid".

The caveat to the caveat: Whenever a client associates to the AP, he sends a Probe Request with the SSID. The AP responds with a Probe Response with the SSID. Kismet will see this exchange and then "fill in the blank" with the newly discovered SSID.

There is no such thing as a "beacon request", as I hope the above has demonstrated. Further, Kismet is and will be the (much) better tool for stumbling until/unless Marius modifies NetStumbler to work the same way (and I surely hope he does..).

Other differences: Kismet will also discover, if possible, the IP range in use on the network as well as the netmask and default gateway. It will also detect "weak" WEP encrypted packets and save them for later use with AirSnort. It logs Cisco Discovery packets and all of the AP data as described above.

- Joe
JoeTampa
Mini Stumbler
 
Posts: 51
Joined: Sat Apr 13, 2002 10:11 pm

Postby themastermind1 » Wed May 29, 2002 6:15 pm

Ah, thanks. That makes a lot more sense now. A couple of questions though:

Does Kismet even attempt to probe to find out SSIDs?

and how does Netstumbler get the MAC addresses of the APs? Is this information just included in the packets it sniffs out?

Also, do you know if there is a reason that NetStumbler doesn't work with non-Hermes cards? Is it because it is not possible (that doesn't make sense since it works in Linux) or because it just hasn't been programmed in yet?
themastermind1
 
Posts: 24
Joined: Sun May 26, 2002 7:13 pm

Postby themastermind1 » Wed May 29, 2002 6:16 pm

Oh another thing:

Does anyone know the procedure for using an AP to get access to a network in Linux? I have successfully gotten online with APs in Windows, but that's just because it automatically sets up everything.

I was trying to figure out how I could do the same thing in Linux. One of the main problems is that you need to get out of the rfmonitor mode in Linux to be able to transmit and use the card. How does Netstumbler do this?

Aman
themastermind1
 
Posts: 24
Joined: Sun May 26, 2002 7:13 pm

Postby JoeTampa » Wed May 29, 2002 6:19 pm

There is no need for Kismet to probe. You only have two possibilities:

1. Broadcast SSID is enabled, the SSID is present in the Beacon Frames, and thus is immediately known. Done!

2. Broadcast SSID is DISabled, the SSID is not known, and the AP will not respond to a Probe Request with any other SSID but the correct one. Kismet (or any other program) would have to try literally every possible character combination to find the right SSID. In effect, you're guessing a password. Much easier to either wait for a client to associate (passively) or run some software that will spoof a disassociate frame and force the client to re-associate.

- Joe
JoeTampa
Mini Stumbler
 
Posts: 51
Joined: Sat Apr 13, 2002 10:11 pm
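To make Joe's two explanations concrete (beacons vs. probe responses, the blanked SSID under "Broadcast SSID Disable", and the passive "fill in the blank" from a later probe exchange), here is an added example that is not from the thread or from Kismet's code: a minimal parser for 802.11 management frames plus Kismet-style bookkeeping, run over constructed frames rather than a real capture. The frame layout (24-byte header, fixed fields, then tag/length/value information elements) is the standard's; the BSSID, SSID and helper names are made up for the demo.

```python
import struct

# 802.11 management subtypes and the capability bit the thread calls "WEP"
BEACON, PROBE_REQ, PROBE_RESP = 8, 4, 5
CAP_PRIVACY = 0x0010

def build_mgmt_frame(subtype, bssid, ssid, privacy=False):
    """Build a minimal management frame (constructed sample, not a capture)."""
    fc = struct.pack("<H", subtype << 4)               # type 0 = management
    # header: frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b""
    if subtype in (BEACON, PROBE_RESP):                  # fixed fields first
        body += struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    return hdr + body + bytes([0, len(ssid)]) + ssid     # SSID IE, tag 0

def parse_mgmt_frame(frame):
    """Return subtype, BSSID (addr3), SSID (None when blanked) and privacy flag."""
    subtype = (frame[0] >> 4) & 0xF
    bssid = frame[16:22].hex(":")
    off, privacy, ssid = 24, None, None
    if subtype in (BEACON, PROBE_RESP):
        _, _, caps = struct.unpack_from("<QHH", frame, off)  # timestamp, interval, capability
        off, privacy = off + 12, bool(caps & CAP_PRIVACY)
    while off + 2 <= len(frame):                         # walk the information elements
        tag, ln = frame[off], frame[off + 1]
        if tag == 0:
            # "Broadcast SSID Disable" shows up as a zero-length SSID element
            ssid = frame[off + 2:off + 2 + ln].decode(errors="replace") or None
        off += 2 + ln
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid, "wep": privacy}

class PassiveTracker:
    """Kismet-style bookkeeping: note every AP from its beacons, fill in the SSID later."""
    def __init__(self):
        self.aps = {}

    def observe(self, frame):
        info = parse_mgmt_frame(frame)
        if info["subtype"] == PROBE_REQ:
            return None  # a client's probe is not tied to an AP; the AP's response is
        ap = self.aps.setdefault(info["bssid"], {"ssid": None, "wep": None})
        ap["wep"] = info["wep"]
        if info["ssid"]:
            ap["ssid"] = info["ssid"]   # broadcast beacon, or a probe response to a client
        return ap
```

Feed it a beacon with a blank SSID and the entry shows up as "no ssid" with the WEP bit still readable; a later probe response from the same BSSID fills the name in, which is exactly the passive path Joe describes.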

Postby themastermind1 » Wed May 29, 2002 6:37 pm

OOOH. I understand. Thanks a lot.

BTW, have you seen Wellenreiter for Linux? It looks like a NetStumbler clone and seems like it works very well. It has built-in channel changing and a lot of the other features that NetStumbler has, and even allows exporting data in the same format as NetStumbler.

Aman
themastermind1
 
Posts: 24
Joined: Sun May 26, 2002 7:13 pm

Postby JoeTampa » Wed May 29, 2002 6:41 pm

Played with it briefly, but I greatly prefer Kismet.

One nice feature - integration with Festival, a speech synthesis program. Kismet now tells me when it finds an AP, the SSID (if known), and if WEP is in use or not. I don't even have to look!
JoeTampa
Mini Stumbler
 
Posts: 51
Joined: Sat Apr 13, 2002 10:11 pm

Postby Dr3D1zzl3 » Wed May 29, 2002 6:51 pm

Kismet is a pretty bad ass program. I must admit there is also AirTraf and wellenwhateverthehellitscalled (I think I'm going to send an email to the author (_MAX_) to see if he will change the name of the proggie to that hehe)

o and not to be a dick, NetStumbler doesn't sniff at all

to sum it up for you..

Netstumbler is like that loud annoying kid at the other end of the pool that is screaming MARCO! Waiting for everyone to say polo.

Kismet is like that sneaky little bastard sitting right next to the dork screaming marco. One big difference: the Kismet kid cheats and doesn't say anything and is completely passive. They both hear all the polos but the Kismet guy has the advantage of cheating and having his eyes open.


hehe Maybe that can go into the FAQ!

;)
Dr3D1zzl3
 
Posts: 371
Joined: Thu Apr 18, 2002 1:12 pm

Postby unclex » Mon Jun 03, 2002 4:45 am

Kismet rocks - upgrade every day. Thanks Mike;)
unclex
 
Posts: 127
Joined: Sat Apr 13, 2002 12:55 am
Location: MARS

kismet rocks!

Postby lincomatic » Wed Jun 19, 2002 5:21 pm

just got back from my first drive w/ Kismet. just had the laptop propped in the center of the car. USR2410 card w/ no external antenna. and I STILL found about double the networks I normally find w/ NS on the same route using an Orinoco w/ antenna. there are a lot of nets out there w/ beacons turned off. scary thing is there were 2 w/ SSID=POS and WEP off :eek:

butt-kicking prog, mon. i'm thinking of writing a log converter to write to NS format.
~lincomatic
lincomatic
Mini Stumbler
 
Posts: 1682
Joined: Tue Apr 16, 2002 12:53 am
Location: Tinsel Town

Postby themastermind1 » Wed Jun 19, 2002 9:45 pm

nice, just don't use VB or Java :0)

c/c++ all the way!
themastermind1
 
Posts: 24
Joined: Sun May 26, 2002 7:13 pm

Postby lincomatic » Wed Jun 19, 2002 9:47 pm

Originally posted by themastermind1
nice, just don't use VB or Java :0)

c/c++ all the way!


ugh...surely u jest...of course i program exclusively in C++ ;)
~lincomatic
lincomatic
Mini Stumbler
 
Posts: 1682
Joined: Tue Apr 16, 2002 12:53 am
Location: Tinsel Town

Postby fungus » Mon Jun 24, 2002 12:15 am

Work: http://www.wlanparts.com BLOG: http://www.unwiredadventures.com Fun: http://www.socalwug.org
fungus
Mini Stumbler
 
Posts: 177
Joined: Wed Apr 17, 2002 2:09 pm
Location: So. Calif.

Postby lincomatic » Mon Jun 24, 2002 7:32 am

Originally posted by fungus
Kismet vs. Netstumbler streaming video:

http://www2.lpbn.org:8080/ramgen/UNWIRED061302h.rm?usehostname


watched that...and it pushed me over the edge to finally get kismet running. thanks, fungus. :)
~lincomatic
lincomatic
Mini Stumbler
 
Posts: 1682
Joined: Tue Apr 16, 2002 12:53 am
Location: Tinsel Town
