Hack 28. Scan Passively with KisMAC

Glean detailed network information with KisMAC, a passive scanner for Mac OS X.

KisMAC (http://www.binaervarianz.de/projekte/programmieren/KisMAC) is a Mac OS X tool that shares part of its name with the popular monitoring tool Kismet [Hack #29]. This is a much more advanced network discovery and monitoring tool than either MacStumbler or iStumbler [Hack #27]. It requires Mac OS X 10.3 or above.

As covered in previous hacks, active scanners work by sending out probe requests to all available access points. Since these scanners rely on responses to active probing, it is possible for network administrators to detect the presence of tools such as MacStumbler and iStumbler, or any other tool that makes use of active network probes.

KisMAC is a passive network scanner. Rather than send out active probe requests, it instructs the wireless card to tune to a channel, listen for a short time, then tune to the next channel, listen for a while, and so on. In this way, it is possible not only to detect networks without announcing your presence, but also to find networks that don't respond to probe requests, namely closed networks (access points configured not to broadcast their SSID in beacons). A passive scanner still sees those beacons, and it can learn the hidden SSID when a client associates or when the access point answers a client's directed probe. But that's not all. Passive monitors have access to every frame that the radio can hear while tuned to a particular channel. This means that you can detect not only access points, but also the wireless clients of those access points, simply by reading the source and destination addresses of the data frames passing between them.

Newer Macs with Airport Extreme cards are a problem for KisMAC. The Airport Extreme is an 802.11g radio based on a chipset from Broadcom. Broadcom does not publish details on their chipsets, so it is impossible for open source projects to write supporting drivers. This is a bigger problem than just network monitors for Mac OS X. It affects anyone wanting to run Linux or BSD on laptops with Broadcom-based wireless hardware.

For older Macs with 802.11b AirPort cards, there is better news. The standard AirPort driver doesn't provide the facility for passive monitoring, but KisMAC uses the open source Viha AirPort driver (http://www.dopesquad.net/security). It swaps the Viha driver for your existing AirPort driver when the program starts and automatically reinstalls the standard driver on exit. To accomplish this driver switcheroo, you have to provide your administrative password when you start KisMAC.

While KisMAC is running, your regular wireless connection is unavailable.

KisMAC also supplies an alternate driver called MacJack for Orinoco/Avaya/Proxim cards, as well as Prism II-based wireless cards. Prism II-based USB dongles are particularly handy for passive scanning on a new Mac laptop. Support for Atheros and PrismGT 802.11a/b/g cards, as well as Cisco 802.11b equipment, is new to the latest R64 release of KisMAC for Mac OS X 10.4.

To use any of the non-Apple wireless hardware, you'll have to add support for the specific type of card in the KisMAC Preferences pane. Click on the Driver icon to bring up the screen shown in Figure 2-24. Select the type of card you need and click Add. You can set a number of options for each card, but for the purposes of this hack, just accept the defaults.

Once you've set any other options, close the Preferences pane and click Start Scan. If you have any of the cards loaded that require alternate drivers, you'll again be asked for your administrative password to load the required driver.

KisMAC's main screen provides much of the same information as MacStumbler or iStumbler: SSID, signal strength, and so on. Double-clicking any available network shows a wealth of new information, as shown in Figure 2-25.

Figure 2-24. Adding a network card type

One interesting side effect of passive scanning is that channel detection isn't 100 percent reliable. Since 802.11b channels overlap (each is 22 MHz wide, but the channel centers are only 5 MHz apart), a radio tuned to channel 6 will also hear beacons from access points on channels 5 and 7. A scanner that records the channel it happened to be tuned to when a beacon arrived can therefore be off by one from time to time. The DS Parameter Set element inside the beacon carries the access point's own channel number and is the reliable source when a tool parses it.

Now, let's go back to the Options page. As shown in Figure 2-26, KisMAC allows you to specify which channels you would like to scan on. This can help if you are trying to find access points that are using the same channel as your own.

KisMAC has a slew of nifty features, including GPS support with user-defined maps, raw frame injection (for Prism II and Orinoco cards), and even a real-time relative traffic graph (Figure 2-27). If it detects a WEP network, it can use a number of advanced techniques to try to recover the WEP key from captured traffic. And yes, it can read discovered ESSIDs aloud using Apple Text-to-Speech.

Figure 2-25. Detailed network information

Perhaps the most powerful feature of all is KisMAC's ability to log raw 802.11 frames to a standard pcap dump. Check the Keep Everything or the Data Only option in the Driver tab of KisMAC Preferences to save a dump file that can be read by tools such as Ethereal [Hack #31]. The dump contains bare 802.11 frames (management, control, and data), so anything that understands the 802.11 link type can reconstruct the same access point and client inventory that KisMAC shows on screen.
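To make the passive-scanning points concrete (detecting closed networks and clients from beacons and data frames, reading the channel from the DS Parameter Set rather than from the radio's tuning, and the raw-802.11 pcap format the dump uses), here is an added example that is not part of the original hack and not KisMAC's own code. It builds a handful of constructed frames (the MAC addresses and SSIDs are made up), writes them to a pcap file with link type 105 (LINKTYPE_IEEE802_11, raw frames with no radiotap header), reads the file back, and produces the kind of inventory a passive scanner keeps:

```python
"""Constructed 802.11 frames -> raw-802.11 pcap -> passive AP/client inventory.
Added example; the addresses, SSIDs and file name are assumptions, not data from the page."""
import os
import struct
import tempfile

LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames, no radiotap/prism header


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def ie(tag, payload):
    """One information element: tag, length, value."""
    return bytes([tag, len(payload)]) + payload


def mgmt_header(subtype, addr1, addr2, addr3, seq=0):
    fc = (0 << 2) | (subtype << 4)  # frame control byte 0: type 0 = management
    return struct.pack("<BBH6s6s6sH", fc, 0, 0, addr1, addr2, addr3, seq << 4)


def beacon(bssid, ssid, channel, probe_response=False, dst=None):
    """Beacon (subtype 8) or directed probe response (subtype 5) with SSID and DS Parameter Set."""
    subtype = 5 if probe_response else 8
    addr1 = dst if dst else mac("ff:ff:ff:ff:ff:ff")
    body = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, beacon interval (TUs), capabilities (ESS)
    body += ie(0, ssid) + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])) + ie(3, bytes([channel]))
    return mgmt_header(subtype, addr1, bssid, bssid) + body


def data_to_ds(client, bssid, dst):
    """Data frame from a client toward the AP: ToDS=1 so addr1=BSSID, addr2=SA, addr3=DA."""
    fc = 2 << 2  # type 2 = data, subtype 0
    return struct.pack("<BBH6s6s6sH", fc, 0x01, 0, bssid, client, dst, 0) + b"\x00" * 16


def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1_000_000 + i, 0, len(fr), len(fr)) + fr)


def read_pcap(path):
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
            raise ValueError("not a little-endian raw-802.11 pcap")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            _, _, incl, _ = struct.unpack("<IIII", hdr)
            yield f.read(incl)


def parse_ies(body):
    ies = {}
    while len(body) >= 2:
        tag, ln = body[0], body[1]
        ies[tag] = body[2:2 + ln]
        body = body[2 + ln:]
    return ies


def inventory(frames):
    """Return ({bssid: {ssid, channel, hidden}}, {client: bssid}) from raw 802.11 frames."""
    aps, clients = {}, {}
    for fr in frames:
        ftype, subtype = (fr[0] >> 2) & 3, fr[0] >> 4
        to_ds, from_ds = fr[1] & 1, (fr[1] >> 1) & 1
        a1, a2, a3 = fr[4:10], fr[10:16], fr[16:22]
        if ftype == 0 and subtype in (8, 5):  # beacon or probe response
            ies = parse_ies(fr[24 + 12:])  # skip MAC header and the 12 fixed bytes
            ap = aps.setdefault(fmt_mac(a3), {"ssid": None, "channel": None, "hidden": False})
            ssid = ies.get(0, b"")
            if ssid.strip(b"\x00"):
                ap["ssid"] = ssid.decode("utf-8", "replace")
            elif subtype == 8:
                ap["hidden"] = True  # closed network: the beacon carries an empty SSID
            if 3 in ies:
                ap["channel"] = ies[3][0]  # the AP's own channel, not the one the radio was tuned to
        elif ftype == 2:  # data frame: the addresses tell us who is a client of which BSSID
            if to_ds and not from_ds:
                clients[fmt_mac(a2)] = fmt_mac(a1)
            elif from_ds and not to_ds and not (a1[0] & 1):  # skip multicast destinations
                clients[fmt_mac(a1)] = fmt_mac(a2)
            elif not to_ds and not from_ds:
                clients[fmt_mac(a2)] = fmt_mac(a3)
    return aps, clients


def demo():
    ap1, ap2 = mac("00:0d:93:aa:bb:cc"), mac("00:0f:66:11:22:33")
    laptop = mac("00:03:93:de:ad:01")
    frames = [
        beacon(ap1, b"coffeeshop", 6),
        beacon(ap2, b"", 11),  # closed network: SSID not broadcast
        data_to_ds(laptop, ap1, ap1),  # a client talking to ap1
        beacon(ap2, b"private", 11, probe_response=True, dst=laptop),  # AP answers a directed probe
    ]
    path = os.path.join(tempfile.mkdtemp(), "passive_demo.pcap")
    write_pcap(path, frames)
    return inventory(list(read_pcap(path)))


if __name__ == "__main__":
    aps, clients = demo()
    for bssid, info in aps.items():
        print(bssid, info)
    print("clients:", clients)
```

Note that the hidden network's name is filled in only because the capture also contains the access point's probe response to a client; a beacon alone would leave it marked hidden with no SSID. The same inventory logic works on a real KisMAC dump once the frames are read with a pcap library, since the dump uses this link type.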

KisMAC is probably the most advanced wireless network monitor available for Mac OS X, although it is still quite beta. Keep iStumbler handy, because it is more stable and can operate without mucking about with replacement drivers. If you are simply looking for available networks, KisMAC is probably overkill. Sometimes you need as much detail as you can get to troubleshoot difficult network problems, and when you do, KisMAC is the right tool for the job.