Natively, Wi-Fi is not a very secure network, so a number of technologies exist to protect the data travelling over it, such as WPA, WPA-PSK, EAP, etc. However, even with all these protections in place, a single access point in your office that is not configured and secured properly can leave your entire Wi-Fi network vulnerable. So the best option is to keep a constant watch on your Wi-Fi network and create thresholds and alarms so that you can take proactive fault-management measures. For this there is a lot of good software available for both Windows and Linux. In this article we will see how to use one such tool for each of the Win and Lin platforms.
For the Lin guys: Kismet
Kismet, the de facto Wi-Fi monitoring and IDS software for Linux, has all the features you need to monitor your network traffic and set alarms for detecting intrusion attempts. Installing it is not difficult, but configuring it is, with the complexity depending on the type of card you are using. The software supports most cards, but you have to labor a bit to get them working. For instance, if you are using the Orinoco driver for your card then you have to download a patch from
http://airsnort.shmoo.com/orinocoinfo.html
and install it. Or, if you have a Prism 1/2.5/3 chipset-based card (which is what we had), you first have to install the HostAP driver (for installing HostAP drivers see
https://www.pcquest.com/content/linux/2004/104040603.asp)
and only then will you be able to run Kismet. This is because the standard drivers for these chipsets do not support monitor mode (rfmon), so Kismet does not work on them natively. You can get a list of compatible chipsets and their drivers in the README file shipped with the Kismet tar ball.
Installing and configuring Kismet
Download the latest Kismet source tar ball from http://kismetwireless.net/download.html
and then unpack and install it like this.
#tar -zxvf kismet-2005-01-R1.tar.gz
#cd kismet-2005-01-R1
#./configure
#make dep
#make
#make install
Now create a user called Kismet like this.
#adduser kismet
And set a password to it like this.
#passwd kismet
Before starting Kismet you have to do some tinkering with a file called kismet.conf in /usr/local/etc. Open the file in your favorite editor and scroll to the line that says 'suiduser=Your_user_here', and replace Your_user_here with the user you have just created (kismet). Now go to the line that says 'source=none,none,addme' and change it so that it looks something like this.
source=wlan0,hostap,1
Here, the first field is the wireless device name, the second is the driver it uses and the third is the channel on which Kismet will start capturing data. Now scroll to the section where all the alerts are listed and uncomment those alerts that you want to receive. That completes the configuration; save and close the file. Now the only thing you have to do to run Kismet is to go to the /home/kismet folder and run the command kismet. This starts a curses-based interface that shows all the available access points and Wi-Fi networks. To get alerts in real time, press the 'w' key and a new window will pop up with all the real-time alerts. For more details about the interface, press the 'h' key and it will show the complete help file.
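The two kismet.conf edits described above can be scripted and verified rather than done by hand. The following is an added example and not part of the article or of Kismet itself; it assumes the path to kismet.conf is passed in (the article's copy lives in /usr/local/etc/kismet.conf) and that the values contain no '/' or '&' characters.

```shell
#!/bin/sh
# Added example (not from the article or the Kismet project): apply the
# suiduser= and source= edits to a kismet.conf and read them back.
# Assumption: the file path is given as the first argument.

# kismet_setting FILE KEY: print the value of the first "KEY=value" line.
# Commented-out lines (#source=...) are ignored because of the ^ anchor.
kismet_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# configure_kismet_conf FILE USER IFACE DRIVER CHANNEL
# Rewrites the suiduser= and source= lines in place. Kismet drops its
# privileges to suiduser, so root is refused; the channel must be numeric.
configure_kismet_conf() {
    file=$1 user=$2 iface=$3 driver=$4 chan=$5
    if [ "$user" = root ]; then
        echo "suiduser must be an unprivileged account, not root" >&2
        return 1
    fi
    case "$chan" in
        ''|*[!0-9]*) echo "channel must be numeric, got '$chan'" >&2; return 1 ;;
    esac
    # sed -i is not portable; write to a temp file and move it into place.
    tmp="$file.tmp.$$"
    sed -e "s/^suiduser=.*/suiduser=$user/" \
        -e "s/^source=.*/source=$iface,$driver,$chan/" "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# Demonstration on a constructed copy of the two stock lines from the article.
demo=$(mktemp) || exit 1
printf 'suiduser=Your_user_here\nsource=none,none,addme\n' > "$demo"
configure_kismet_conf "$demo" kismet wlan0 hostap 1
echo "suiduser -> $(kismet_setting "$demo" suiduser)"   # kismet
echo "source   -> $(kismet_setting "$demo" source)"     # wlan0,hostap,1
rm -f "$demo"
```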
You don't like the Kismet interface?
The default interface of Kismet is not very pleasing to the eye. It is also not easy to use, as it is completely terminal (curses) based. You have two options if you want to do something about this. First, you can take the log files generated by Kismet (logs in several formats are created in the /home/kismet directory by default) and open them in the Ethereal network capture utility for analysis.
Alert Name      | Alert On
NETSTUMBLER     | NetStumbler
DEAUTHFLOOD     | Deauthenticate/Disassociate flood
LUCENTTEST      | Lucent link test
WELLENREITER    | Wellenreiter SSID brute-force attempt
CHANCHANGE      | Previously detected AP changing to a new channel
BCASTDISCON     | Broadcast disconnect/deauthenticate
AIRJACKSSID     | SSID of 'airjack'
PROBENOJOIN     | Clients probing for networks, being accepted by that network, and continuing to probe for networks
DISASSOCTRAFFIC | Traffic from a source within 10 seconds of a disassociation
NOPROBERESP     | Probe response packet with 0-length SSID tagged parameter
BSSTIMESTAMP    | Invalid BSS timestamps indicative of an access point being spoofed
The other option is to use a graphical client for Kismet called gkismet. You can download it from gkismet.sf.net. The installation is just like any other tar ball: run 'make' and 'make install' after uncompressing it and you are done. When the software starts it will ask you for the address of the Kismet server. Type localhost and hit Enter. (Mind that Kismet must be running on the same machine at that time.)