
kismet vs netstumbler

PostPosted: Sun May 26, 2002 7:17 pm
by themastermind1
I have used both Kismet and NetStumbler and was wondering how come NetStumbler is able to detect the names and SSIDs of APs while Kismet usually does not. Also, if you notice the activity lights on the card while the two softwares are functioning, it's very different.

Does anyone know how exactly NetStumbler's "probing" method works? Is Kismet different because it's passive?

Kismet vs NS

PostPosted: Tue May 28, 2002 12:36 pm
by jeffrowe
I think the main difference is the fact that Kismet is a passive sniffer and NetStumbler is an active searcher...

Kismet only sees the SSID like NetStumbler if it sees a beacon... if you could somehow have your machine send out NS-like beacon requests while sniffing you would probably not have any problems getting the SSIDs all the time...

Kinda like using ARP flooding to get interesting packets for WEP cracking...

Is there a Linux utility that will let you send out beacon requests, etc.?

PostPosted: Wed May 29, 2002 6:09 pm
by JoeTampa
Let's tighten this up a tad:


NetStumbler sends out 802.11 "Probe Request" frames for the SSID "ANY". Normally, any AP will answer with a "Probe Response" frame containing its SSID and capability information (does the AP support WEP, what speeds does it support, etc.).

Kismet simply listens to the "Beacon Frame" that each AP sends out constantly, usually 5-10 per second or so. The SSID is embedded within the frame.

The caveat: Most (all, by now?) APs include a configuration option normally called "Broadcast SSID Disable". This tells the AP to modify its behavior in 2 ways. First, it blanks the SSID in the Beacon Frames. Second, it no longer answers Probe Requests for SSID "ANY". This (in theory) prevents you from associating to the AP unless you know the SSID, which is no longer sent in the Beacon Frames. NetStumbler, therefore, will never know that the AP is even there. Kismet will detect the AP, but report the SSID as "no ssid".

The caveat to the caveat: Whenever a client associates to the AP, he sends a Probe Request with the SSID. The AP responds with a Probe Response with the SSID. Kismet will see this exchange and then "fill in the blank" with the newly discovered SSID.


There is no such thing as a "beacon request" as I hope the above has demonstrated. Further, Kismet is and will be the (much) better tool for stumbling until/unless Marius modifies NetStumbler to work the same way (and I surely hope he does..).

Other differences: Kismet will also discover, if possible, the IP range in use on the network as well as the netmask and default gateway. It will also detect "weak" WEP encrypted packets and save them for later use with AirSnort. It logs Cisco Discovery packets and all of the AP data as described above.


- Joe

PostPosted: Wed May 29, 2002 6:15 pm
by themastermind1
Ah, thanks. That makes a lot more sense now. A couple of questions though:

Does Kismet even attempt to probe to find out SSIDs?

and how does Netstumbler get the MAC addresses of the APs? Is this information just included in the packets it sniffs out?

Also, do you know if there is a reason that Netstumbler doesn't work with non-hermes cards? Is it because it is not possible (that doesn't make sense since it works in linux) or because it just hasn't been programmed in yet.

PostPosted: Wed May 29, 2002 6:16 pm
by themastermind1
Oh another thing:

Does anyone know the procedure for using an AP to get access to a network in Linux? I have successfully gotten online with APs in Windows, but that's just because it automatically sets up everything.

I was trying to figure out how I could do the same thing in Linux. One of the main problems is that you need to get out of the rfmonitor mode in Linux to be able to transmit and use the card. How does Netstumbler do this?

Aman

PostPosted: Wed May 29, 2002 6:19 pm
by JoeTampa
There is no need for Kismet to probe. You only have two possibilities:

1. Broadcast SSID is enabled, the SSID is present in the Beacon Frames, and thus is immediately known. Done!

2. Broadcast SSID is DISabled, the SSID is not known, and the AP will not respond to a Probe Request with any other SSID but the correct one. Kismet (or any other program) would have to try literally every possible character combination to find the right SSID.. In effect, you're guessing a password. Much easier to either wait for a client to associate (passively) or run some software that will spoof a disassociate frame and force the client to re-associate.

- Joe
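As an added illustration of Joe's two explanations above (beacons versus the probe request/response exchange, and how a passive sniffer "fills in the blank" for a hidden SSID once a client probes the AP), here is a small Python parser that is not code from Kismet or NetStumbler. The management-frame layout, subtype values and the Privacy (WEP) capability bit come from the 802.11 standard; the BSSIDs, client MAC and SSID are constructed sample values.

```python
import struct

BEACON, PROBE_REQ, PROBE_RESP = 0x8, 0x4, 0x5   # 802.11 management subtypes
BROADCAST = b"\xff" * 6
PRIVACY_BIT = 0x0010                            # capability field: WEP in use

def mgmt_frame(subtype, addr1, addr2, addr3, ssid, privacy=False):
    """Build a constructed management frame: 24-byte header, fixed fields, SSID IE."""
    fc = bytes([subtype << 4, 0])               # type 0 = management, flags 0
    hdr = fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = b""
    if subtype != PROBE_REQ:                    # beacons/probe responses carry fixed fields
        body += struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)
    return hdr + body + bytes([0, len(ssid)]) + ssid   # IE id 0 = SSID

def parse_mgmt(frame):
    """Return (subtype, transmitter, bssid, ssid, privacy) or None if not management."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        return None
    subtype = fc0 >> 4
    addr2, bssid = frame[10:16], frame[16:22]
    off, privacy = 24, False
    if subtype in (BEACON, PROBE_RESP):         # timestamp(8) interval(2) capability(2)
        privacy = bool(struct.unpack_from("<H", frame, off + 10)[0] & PRIVACY_BIT)
        off += 12
    ssid = None
    while off + 2 <= len(frame):                # walk the information elements
        eid, elen = frame[off], frame[off + 1]
        if eid == 0:
            ssid = frame[off + 2:off + 2 + elen].decode("utf-8", "replace")
        off += 2 + elen
    return subtype, addr2, bssid, ssid, privacy

def track(frames):
    """Passive AP inventory keyed by BSSID; a hidden SSID is learned from any
    directed probe request or probe response naming that BSSID."""
    aps = {}
    for f in frames:
        p = parse_mgmt(f)
        if p is None:
            continue
        subtype, _, bssid, ssid, privacy = p
        if bssid == BROADCAST:                  # wildcard "ANY" probe: no AP to attribute
            continue
        ap = aps.setdefault(bssid, {"ssid": "<no ssid>", "wep": None})
        if subtype in (BEACON, PROBE_RESP):
            ap["wep"] = privacy
        if ssid:                                # blank SSID in a beacon leaves the entry hidden
            ap["ssid"] = ssid
    return aps

# Constructed sample capture: hidden-SSID beacon, then a client's directed probe exchange.
AP, CLIENT = b"\x00\x11\x22\x33\x44\x55", b"\xaa\xbb\xcc\xdd\xee\x01"
CAPTURE = [mgmt_frame(BEACON, BROADCAST, AP, AP, b"", privacy=True),
           mgmt_frame(PROBE_REQ, AP, CLIENT, AP, b"corpnet"),
           mgmt_frame(PROBE_RESP, CLIENT, AP, AP, b"corpnet", privacy=True)]
```

Feeding only the first frame yields the AP with "<no ssid>" (Kismet's view of a hidden AP); the whole capture resolves it to "corpnet" with WEP on, while a wildcard probe for "ANY" creates no entry at all.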

PostPosted: Wed May 29, 2002 6:37 pm
by themastermind1
OOOH. I understand. Thanks a lot.

BTW, have you seen Wellenreiter for Linux? It looks like a NetStumbler clone and seems like it works very well. It has built-in channel changing and a lot of the other features that NetStumbler has, and even allows exporting data in the same format as NetStumbler.

Aman

PostPosted: Wed May 29, 2002 6:41 pm
by JoeTampa
Played with it briefly, but I greatly prefer Kismet.

One nice feature - integration with Festival, a speech synthesis program. Kismet now tells me when it finds an AP, the SSID (if known), and if WEP is in use or not. I don't even have to look!

PostPosted: Wed May 29, 2002 6:51 pm
by Dr3D1zzl3
Kismet is a pretty bad ass program. I must admit there is also airtraf and wellenwhateverthehellitscalled (I think I'm going to send an email to the author (_MAX_) to see if he will change the name of the proggie to that hehe)

Oh, and not to be a dick, NetStumbler doesn't sniff at all.

to sum it up for you..

Netstumbler is like that loud annoying kid at the other end of the pool that is screaming MARCO! Waiting for everyone to say polo.

Kismet is like that sneaky little bastard sitting right next to the dork screaming marco. One big difference: the Kismet kid cheats and doesn't say anything and is completely passive. They both hear all the polos but the Kismet guy has the advantage of cheating and having his eyes open.


hehe Maybe that can go into the FAQ!

;)

PostPosted: Mon Jun 03, 2002 4:45 am
by unclex
Kismet rocks - upgrade every day. Thanks Mike;)

kismet rocks!

PostPosted: Wed Jun 19, 2002 5:21 pm
by lincomatic
just got back from my first drive w/ kismet. just had the laptop propped in the center of the car. USR2410 card w/ no external antenna. and i STILL found about double the networks i normally find w/ NS on the same route using an orinoco w/ antenna. there are a lot of nets out there w/ beacons turned off. scary thing is there were 2 w/ SSID=POS and WEP off :eek:

butt-kicking prog, mon. i'm thinking of writing a log converter to write to NS format.

PostPosted: Wed Jun 19, 2002 9:45 pm
by themastermind1
nice, just don't use VB or Java :0)

c/c++ all the way!

PostPosted: Wed Jun 19, 2002 9:47 pm
by lincomatic
Originally posted by themastermind1
nice, just don't use VB or Java :0)

c/c++ all the way!


ugh...surely u jest...of course i program exclusively in C++ ;)

PostPosted: Mon Jun 24, 2002 12:15 am
by fungus

PostPosted: Mon Jun 24, 2002 7:32 am
by lincomatic
Originally posted by fungus
Kismet vs. Netstumbler streaming video:

http://www2.lpbn.org:8080/ramgen/UNWIRED061302h.rm?usehostname


watched that...and it pushed me over the edge to finally get kismet running. thanks, fungus. :)