Appearance
Kismet Cheat Sheet
Overview
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. It works with Wi-Fi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTLSDR, and other specialized capture hardware. Kismet can passively detect wireless networks, clients, and their relationships, making it an essential tool for wireless security assessment and monitoring.
⚠️ Warning: Only use Kismet in environments you own or have explicit permission to monitor. Unauthorized wireless monitoring may violate local laws and regulations.
Installation
Ubuntu/Debian Installation
bash
# Add Kismet repository
wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key | sudo apt-key add -
echo 'deb https://www.kismetwireless.net/repos/apt/release/$(lsb_release -cs) $(lsb_release -cs) main' | sudo tee /etc/apt/sources.list.d/kismet.list
# Update package list
sudo apt update
# Install Kismet
sudo apt install kismet
# Add user to kismet group
sudo usermod -aG kismet $USER
# Log out and back in for group changes to take effectManual Compilation
bash
# Install dependencies
sudo apt update
sudo apt install -y build-essential git libmicrohttpd-dev pkg-config \
zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev \
libpcap-dev libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev \
libprotobuf-c-dev protobuf-compiler protobuf-c-compiler \
libsensors4-dev libusb-1.0-0-dev python3 python3-setuptools \
python3-protobuf python3-requests python3-numpy python3-serial \
python3-usb python3-dev python3-websockets librtlsdr0 librtlsdr-dev \
libfftw3-dev libncurses5-dev libpcre3-dev
# Clone Kismet repository
git clone https://www.kismetwireless.net/git/kismet.git
cd kismet
# Configure and compile
./configure
make -j$(nproc)
# Install
sudo make suidinstall
# Add user to kismet group
sudo usermod -aG kismet $USERKali Linux Installation
bash
# Kismet is pre-installed on Kali Linux
kismet --version
# If not installed
sudo apt update
sudo apt install kismet
# Add user to kismet group
sudo usermod -aG kismet $USERDocker Installation
bash
# Pull Kismet Docker image
docker pull kismetwireless/kismet
# Run Kismet in Docker with host networking
docker run -it --rm --net=host \
--privileged \
-v /dev/bus/usb:/dev/bus/usb \
kismetwireless/kismet
# Create persistent volume for logs
docker volume create kismet-logs
# Run with persistent storage
docker run -d --name kismet \
--net=host \
--privileged \
-v kismet-logs:/opt/kismet/logs \
-v /dev/bus/usb:/dev/bus/usb \
kismetwireless/kismetBasic Configuration
Initial Setup
bash
# Create Kismet configuration directory
mkdir -p ~/.kismet
# Generate default configuration
kismet --print-config > ~/.kismet/kismet.conf
# Edit configuration
nano ~/.kismet/kismet.conf
# Key configuration options:
# server=tcp://127.0.0.1:2501
# allowedusers=kismet
# logprefix=/tmp/kismet
# logtypes=kismetdb,pcapngInterface Configuration
bash
# List available interfaces
kismet --list-interfaces
# Check interface capabilities
iw dev
# Put interface in monitor mode manually
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Configure Kismet to use specific interface
echo "source=wlan0" >> ~/.kismet/kismet.conf
# Multiple interfaces
echo "source=wlan0" >> ~/.kismet/kismet.conf
echo "source=wlan1" >> ~/.kismet/kismet.conf
# Interface with specific options
echo "source=wlan0:name=primary,hop=true" >> ~/.kismet/kismet.confUser Management
bash
# Add user to Kismet
sudo kismet_site_config --add-user username
# Set user password
sudo kismet_site_config --set-password username
# List users
sudo kismet_site_config --list-users
# Remove user
sudo kismet_site_config --remove-user username
# Create admin user
sudo kismet_site_config --add-admin admin_userBasic Usage
Starting Kismet
bash
# Start Kismet server
kismet
# Start with specific interface
kismet -c wlan0
# Start with multiple interfaces
kismet -c wlan0,wlan1
# Start in background
kismet --daemonize
# Start with custom config
kismet -f /path/to/custom.conf
# Start with specific log location
kismet --log-prefix /var/log/kismet/Web Interface
bash
# Access web interface (default)
firefox http://localhost:2501
# Custom port configuration
echo "httpd_port=8080" >> ~/.kismet/kismet.conf
# Enable HTTPS
echo "httpd_ssl=true" >> ~/.kismet/kismet.conf
echo "httpd_ssl_cert=/path/to/cert.pem" >> ~/.kismet/kismet.conf
echo "httpd_ssl_key=/path/to/key.pem" >> ~/.kismet/kismet.conf
# Allow remote access (security risk)
echo "httpd_bind_address=0.0.0.0" >> ~/.kismet/kismet.confCommand Line Interface
bash
# Connect to Kismet server
kismet_client
# Connect to remote server
kismet_client --server 192.168.1.100:2501
# Non-interactive mode
kismet_client --autostart --user username --password password
# Export data
kismet_client --export-xml networks.xml
kismet_client --export-csv devices.csvAdvanced Monitoring
Channel Hopping
bash
# Configure channel hopping
echo "channel_hop=true" >> ~/.kismet/kismet.conf
echo "channel_hop_speed=5" >> ~/.kismet/kismet.conf
# Specific channels only
echo "channel_hop_channels=1,6,11" >> ~/.kismet/kismet.conf
# 5GHz channels
echo "channel_hop_channels=36,40,44,48,149,153,157,161" >> ~/.kismet/kismet.conf
# Disable channel hopping for specific interface
echo "source=wlan0:hop=false,channel=6" >> ~/.kismet/kismet.confGPS Integration
bash
# Configure GPS
echo "gps=gpsd:host=localhost,port=2947" >> ~/.kismet/kismet.conf
# Start gpsd
sudo gpsd /dev/ttyUSB0 -F /var/run/gpsd.sock
# Test GPS connection
gpsmon
# Configure GPS logging
echo "gps_log=true" >> ~/.kismet/kismet.confBluetooth Monitoring
bash
# Enable Bluetooth capture
echo "source=hci0:type=linuxbluetooth" >> ~/.kismet/kismet.conf
# Multiple Bluetooth interfaces
echo "source=hci0:type=linuxbluetooth,name=bt0" >> ~/.kismet/kismet.conf
echo "source=hci1:type=linuxbluetooth,name=bt1" >> ~/.kismet/kismet.conf
# Configure Bluetooth scanning
echo "bluetooth_scan_interval=30" >> ~/.kismet/kismet.confSDR Integration
bash
# RTL-SDR configuration
echo "source=rtlsdr-0:type=rtlsdr" >> ~/.kismet/kismet.conf
# HackRF configuration
echo "source=hackrf:type=hackrf" >> ~/.kismet/kismet.conf
# Configure frequency ranges
echo "source=rtlsdr-0:frequency=433920000" >> ~/.kismet/kismet.conf
# Multiple SDR devices
echo "source=rtlsdr-0:type=rtlsdr,name=rtl0" >> ~/.kismet/kismet.conf
echo "source=rtlsdr-1:type=rtlsdr,name=rtl1" >> ~/.kismet/kismet.confData Analysis
Log File Analysis
bash
# List log files
ls -la ~/.kismet/logs/
# Analyze Kismet database
kismet_log_to_kml --in kismet.kismet --out networks.kml
# Extract specific data
kismet_log_devices --in kismet.kismet --out devices.csv
# Convert to other formats
kismet_log_to_pcap --in kismet.kismet --out capture.pcap
# Filter by time
kismet_log_devices --in kismet.kismet --start-time "2023-01-01 00:00:00" --end-time "2023-01-01 23:59:59"Database Queries
bash
# Connect to Kismet database
sqlite3 ~/.kismet/logs/Kismet-*.kismet
# Common queries
.tables
# List all devices
SELECT devmac, devtype, firsttime, lasttime FROM devices;
# List access points
SELECT devmac, device FROM devices WHERE devtype = 'Wi-Fi AP';
# List clients
SELECT devmac, device FROM devices WHERE devtype = 'Wi-Fi Client';
# Show encryption types
SELECT devmac, device, crypt FROM devices WHERE devtype = 'Wi-Fi AP';
# Find WPS enabled networks
SELECT devmac, device FROM devices WHERE device LIKE '%WPS%';
# Exit database
.quitREST API Usage
bash
# Get system status
curl http://localhost:2501/system/status.json
# Get device list
curl http://localhost:2501/devices/views/all/devices.json
# Get specific device
curl http://localhost:2501/devices/by-key/DEVICE_KEY/device.json
# Get alerts
curl http://localhost:2501/alerts/definitions.json
# Get channels
curl http://localhost:2501/channels/channels.json
# Authentication required for some endpoints
curl -u username:password http://localhost:2501/devices/views/all/devices.jsonAutomation Scripts
Automated Monitoring Script
bash
#!/bin/bash
# Automated Kismet monitoring with alerting
KISMET_CONFIG="$HOME/.kismet/kismet.conf"
LOG_DIR="$HOME/kismet_monitoring"
ALERT_EMAIL="security@company.com"
SCAN_DURATION=3600 # 1 hour
INTERFACE="wlan0"
mkdir -p "$LOG_DIR"
# Function to send alert
send_alert() {
local message="$1"
local log_file="$2"
echo "$message" | mail -s "Kismet Alert" -A "$log_file" "$ALERT_EMAIL" 2>/dev/null || \
echo "Alert: $message (email failed)"
}
# Function to analyze results
analyze_results() {
local kismet_db="$1"
local timestamp="$2"
echo "[+] Analyzing results from $kismet_db"
# Count devices by type
ap_count=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP';")
client_count=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi Client';")
# Find open networks
open_networks=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' AND crypt = 'None';")
# Find WPS networks
wps_networks=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' AND device LIKE '%WPS%';")
# Generate report
report_file="$LOG_DIR/report_$timestamp.txt"
cat > "$report_file" << EOF
Kismet Monitoring Report - $(date)
=====================================
Scan Duration: $SCAN_DURATION seconds
Interface: $INTERFACE
Summary:
- Access Points: $ap_count
- Clients: $client_count
- Open Networks: $open_networks
- WPS Enabled: $wps_networks
EOF
# Add detailed findings
if [ "$open_networks" -gt 0 ]; then
echo "Open Networks Found:" >> "$report_file"
sqlite3 "$kismet_db" "SELECT devmac, device FROM devices WHERE devtype = 'Wi-Fi AP' AND crypt = 'None';" >> "$report_file"
echo "" >> "$report_file"
fi
if [ "$wps_networks" -gt 0 ]; then
echo "WPS Enabled Networks:" >> "$report_file"
sqlite3 "$kismet_db" "SELECT devmac, device FROM devices WHERE devtype = 'Wi-Fi AP' AND device LIKE '%WPS%';" >> "$report_file"
echo "" >> "$report_file"
fi
# Send alerts for concerning findings
if [ "$open_networks" -gt 5 ]; then
send_alert "High number of open networks detected: $open_networks" "$report_file"
fi
if [ "$wps_networks" -gt 10 ]; then
send_alert "High number of WPS-enabled networks detected: $wps_networks" "$report_file"
fi
echo "[+] Report generated: $report_file"
}
# Main monitoring function
run_monitoring() {
local timestamp=$(date +%Y%m%d_%H%M%S)
local log_prefix="$LOG_DIR/kismet_$timestamp"
echo "[+] Starting Kismet monitoring session: $timestamp"
# Configure Kismet for this session
cat > "/tmp/kismet_monitor.conf" << EOF
source=$INTERFACE
logprefix=$log_prefix
logtypes=kismetdb,pcapng
server=tcp://127.0.0.1:2501
allowedusers=kismet
channel_hop=true
channel_hop_speed=5
gps=false
EOF
# Start Kismet
kismet -f "/tmp/kismet_monitor.conf" --daemonize --silent
if [ $? -eq 0 ]; then
echo "[+] Kismet started successfully"
# Wait for scan duration
echo "[+] Scanning for $SCAN_DURATION seconds..."
sleep "$SCAN_DURATION"
# Stop Kismet
pkill kismet
sleep 5
# Analyze results
kismet_db="${log_prefix}.kismet"
if [ -f "$kismet_db" ]; then
analyze_results "$kismet_db" "$timestamp"
else
echo "[-] Kismet database not found: $kismet_db"
fi
else
echo "[-] Failed to start Kismet"
return 1
fi
# Cleanup
rm -f "/tmp/kismet_monitor.conf"
}
# Check if interface exists and is available
if ! ip link show "$INTERFACE" > /dev/null 2>&1; then
echo "[-] Interface $INTERFACE not found"
exit 1
fi
# Put interface in monitor mode
echo "[+] Setting $INTERFACE to monitor mode"
sudo ip link set "$INTERFACE" down
sudo iw dev "$INTERFACE" set type monitor
sudo ip link set "$INTERFACE" up
if [ $? -eq 0 ]; then
echo "[+] Interface configured successfully"
run_monitoring
else
echo "[-] Failed to configure interface"
exit 1
fi
echo "[+] Monitoring session completed"Wardriving Script
bash
#!/bin/bash
# Automated wardriving with GPS logging
GPS_DEVICE="/dev/ttyUSB0"
INTERFACE="wlan0"
OUTPUT_DIR="wardriving_$(date +%Y%m%d)"
SCAN_TIME=7200 # 2 hours
mkdir -p "$OUTPUT_DIR"
# Function to setup GPS
setup_gps() {
echo "[+] Setting up GPS"
# Start gpsd
sudo gpsd "$GPS_DEVICE" -F /var/run/gpsd.sock
# Wait for GPS fix
echo "[+] Waiting for GPS fix..."
timeout=60
while [ $timeout -gt 0 ]; do
if gpsmon -n 1 | grep -q "3D"; then
echo "[+] GPS fix acquired"
return 0
fi
sleep 5
timeout=$((timeout - 5))
done
echo "[-] GPS fix not acquired, continuing without GPS"
return 1
}
# Function to create KML from results
create_kml() {
local kismet_db="$1"
local kml_file="$2"
echo "[+] Creating KML file: $kml_file"
python3 << EOF
import sqlite3
import xml.etree.ElementTree as ET
from xml.dom import minidom
# Connect to Kismet database
conn = sqlite3.connect('$kismet_db')
cursor = conn.cursor()
# Create KML structure
kml = ET.Element('kml', xmlns='http://www.opengis.net/kml/2.2')
document = ET.SubElement(kml, 'Document')
ET.SubElement(document, 'name').text = 'Kismet Wardriving Results'
# Query for devices with GPS coordinates
cursor.execute('''
SELECT devmac, device, crypt, min_lat, min_lon, max_lat, max_lon
FROM devices
WHERE devtype = 'Wi-Fi AP' AND min_lat != 0 AND min_lon != 0
''')
for row in cursor.fetchall():
devmac, device, crypt, min_lat, min_lon, max_lat, max_lon = row
# Create placemark
placemark = ET.SubElement(document, 'Placemark')
ET.SubElement(placemark, 'name').text = device or devmac
# Description
description = f"MAC: {devmac}\\nEncryption: {crypt}"
ET.SubElement(placemark, 'description').text = description
# Style based on encryption
style = ET.SubElement(placemark, 'Style')
icon_style = ET.SubElement(style, 'IconStyle')
icon = ET.SubElement(icon_style, 'Icon')
if crypt == 'None':
ET.SubElement(icon, 'href').text = 'http://maps.google.com/mapfiles/kml/paddle/red-circle.png'
elif 'WEP' in crypt:
ET.SubElement(icon, 'href').text = 'http://maps.google.com/mapfiles/kml/paddle/ylw-circle.png'
else:
ET.SubElement(icon, 'href').text = 'http://maps.google.com/mapfiles/kml/paddle/grn-circle.png'
# Point coordinates (use average of min/max)
avg_lat = (min_lat + max_lat) / 2
avg_lon = (min_lon + max_lon) / 2
point = ET.SubElement(placemark, 'Point')
ET.SubElement(point, 'coordinates').text = f"{avg_lon},{avg_lat},0"
# Write KML file
rough_string = ET.tostring(kml, 'unicode')
reparsed = minidom.parseString(rough_string)
with open('$kml_file', 'w') as f:
f.write(reparsed.toprettyxml(indent=" "))
conn.close()
print(f"KML file created: $kml_file")
EOF
}
# Function to generate statistics
generate_stats() {
local kismet_db="$1"
local stats_file="$2"
echo "[+] Generating statistics: $stats_file"
cat > "$stats_file" << EOF
Wardriving Statistics - $(date)
===============================
EOF
# Basic counts
echo "Device Counts:" >> "$stats_file"
sqlite3 "$kismet_db" "SELECT devtype, COUNT(*) FROM devices GROUP BY devtype;" | \
sed 's/|/ : /' >> "$stats_file"
echo "" >> "$stats_file"
# Encryption breakdown
echo "Encryption Types:" >> "$stats_file"
sqlite3 "$kismet_db" "SELECT crypt, COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' GROUP BY crypt;" | \
sed 's/|/ : /' >> "$stats_file"
echo "" >> "$stats_file"
# Channel usage
echo "Channel Usage:" >> "$stats_file"
sqlite3 "$kismet_db" "SELECT channel, COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' GROUP BY channel ORDER BY channel;" | \
sed 's/|/ : /' >> "$stats_file"
echo "" >> "$stats_file"
# Vendor breakdown (top 10)
echo "Top 10 Vendors:" >> "$stats_file"
sqlite3 "$kismet_db" "SELECT manuf, COUNT(*) as count FROM devices WHERE devtype = 'Wi-Fi AP' GROUP BY manuf ORDER BY count DESC LIMIT 10;" | \
sed 's/|/ : /' >> "$stats_file"
echo "" >> "$stats_file"
# Security concerns
echo "Security Concerns:" >> "$stats_file"
open_count=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' AND crypt = 'None';")
wep_count=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' AND crypt LIKE '%WEP%';")
wps_count=$(sqlite3 "$kismet_db" "SELECT COUNT(*) FROM devices WHERE devtype = 'Wi-Fi AP' AND device LIKE '%WPS%';")
echo "Open Networks: $open_count" >> "$stats_file"
echo "WEP Networks: $wep_count" >> "$stats_file"
echo "WPS Enabled: $wps_count" >> "$stats_file"
}
# Main wardriving function
run_wardriving() {
local timestamp=$(date +%Y%m%d_%H%M%S)
local log_prefix="$OUTPUT_DIR/wardriving_$timestamp"
echo "[+] Starting wardriving session: $timestamp"
# Setup GPS
gps_available=false
if setup_gps; then
gps_available=true
fi
# Configure Kismet
cat > "/tmp/kismet_wardriving.conf" << EOF
source=$INTERFACE
logprefix=$log_prefix
logtypes=kismetdb,pcapng,gpsxml
server=tcp://127.0.0.1:2501
allowedusers=kismet
channel_hop=true
channel_hop_speed=3
EOF
if [ "$gps_available" = true ]; then
echo "gps=gpsd:host=localhost,port=2947" >> "/tmp/kismet_wardriving.conf"
echo "gps_log=true" >> "/tmp/kismet_wardriving.conf"
fi
# Start Kismet
kismet -f "/tmp/kismet_wardriving.conf" --daemonize --silent
if [ $? -eq 0 ]; then
echo "[+] Kismet started successfully"
echo "[+] Wardriving for $SCAN_TIME seconds..."
echo "[+] Press Ctrl+C to stop early"
# Wait for scan time or user interrupt
sleep "$SCAN_TIME" &
wait $!
# Stop Kismet
echo "[+] Stopping Kismet..."
pkill kismet
sleep 5
# Process results
kismet_db="${log_prefix}.kismet"
if [ -f "$kismet_db" ]; then
echo "[+] Processing results..."
# Generate KML
create_kml "$kismet_db" "${log_prefix}.kml"
# Generate statistics
generate_stats "$kismet_db" "${log_prefix}_stats.txt"
# Convert to other formats
kismet_log_to_pcap --in "$kismet_db" --out "${log_prefix}.pcap"
echo "[+] Results processed successfully"
echo "[+] Files created:"
ls -la "${log_prefix}"*
else
echo "[-] Kismet database not found: $kismet_db"
fi
else
echo "[-] Failed to start Kismet"
return 1
fi
# Cleanup
rm -f "/tmp/kismet_wardriving.conf"
# Stop GPS daemon
if [ "$gps_available" = true ]; then
sudo pkill gpsd
fi
}
# Check prerequisites
if ! command -v kismet &> /dev/null; then
echo "[-] Kismet not found. Please install Kismet first."
exit 1
fi
if ! ip link show "$INTERFACE" > /dev/null 2>&1; then
echo "[-] Interface $INTERFACE not found"
exit 1
fi
# Setup interface
echo "[+] Setting up interface $INTERFACE"
sudo ip link set "$INTERFACE" down
sudo iw dev "$INTERFACE" set type monitor
sudo ip link set "$INTERFACE" up
if [ $? -eq 0 ]; then
echo "[+] Interface configured successfully"
run_wardriving
else
echo "[-] Failed to configure interface"
exit 1
fi
echo "[+] Wardriving session completed"
echo "[+] Results saved in: $OUTPUT_DIR"Rogue AP Detection Script
bash
#!/bin/bash
# Detect rogue access points using Kismet
KNOWN_APS_FILE="known_aps.txt"
INTERFACE="wlan0"
SCAN_TIME=300 # 5 minutes
ALERT_EMAIL="security@company.com"
# Function to create known APs file if it doesn't exist
create_known_aps() {
if [ ! -f "$KNOWN_APS_FILE" ]; then
echo "Creating known APs file: $KNOWN_APS_FILE"
cat > "$KNOWN_APS_FILE" << 'EOF'
# Known legitimate access points
# Format: MAC_ADDRESS|SSID|LOCATION
00:11:22:33:44:55|CompanyWiFi|Building A
AA:BB:CC:DD:EE:FF|GuestNetwork|Reception
# Add your known APs here
EOF
echo "Please edit $KNOWN_APS_FILE with your known access points"
exit 1
fi
}
# Function to detect rogue APs
detect_rogue_aps() {
local kismet_db="$1"
local timestamp="$2"
echo "[+] Detecting rogue access points"
# Create temporary files
local detected_aps="/tmp/detected_aps_$timestamp.txt"
local rogue_aps="/tmp/rogue_aps_$timestamp.txt"
local report_file="rogue_ap_report_$timestamp.txt"
# Extract detected APs
sqlite3 "$kismet_db" "SELECT devmac, device FROM devices WHERE devtype = 'Wi-Fi AP';" > "$detected_aps"
# Compare with known APs
> "$rogue_aps" # Clear file
while IFS='|' read -r detected_mac detected_ssid; do
# Skip empty lines
[ -z "$detected_mac" ] && continue
# Check if this AP is in known list
found=false
while IFS='|' read -r known_mac known_ssid known_location; do
# Skip comments and empty lines
[[ "$known_mac" =~ ^#.*$ || -z "$known_mac" ]] && continue
if [ "$detected_mac" = "$known_mac" ]; then
found=true
break
fi
done < "$KNOWN_APS_FILE"
# If not found in known list, it's potentially rogue
if [ "$found" = false ]; then
echo "$detected_mac|$detected_ssid" >> "$rogue_aps"
fi
done < "$detected_aps"
# Generate report
cat > "$report_file" << EOF
Rogue Access Point Detection Report
Generated: $(date)
Scan Duration: $SCAN_TIME seconds
EOF
rogue_count=$(wc -l < "$rogue_aps" 2>/dev/null || echo "0")
if [ "$rogue_count" -gt 0 ]; then
echo "⚠️ ROGUE ACCESS POINTS DETECTED: $rogue_count" >> "$report_file"
echo "================================================" >> "$report_file"
echo "" >> "$report_file"
while IFS='|' read -r mac ssid; do
echo "MAC: $mac" >> "$report_file"
echo "SSID: $ssid" >> "$report_file"
# Get additional details from database
details=$(sqlite3 "$kismet_db" "SELECT crypt, channel, manuf FROM devices WHERE devmac = '$mac';")
if [ -n "$details" ]; then
echo "Details: $details" >> "$report_file"
fi
echo "---" >> "$report_file"
done < "$rogue_aps"
# Send alert
echo "Rogue access points detected: $rogue_count" | \
mail -s "SECURITY ALERT: Rogue APs Detected" -A "$report_file" "$ALERT_EMAIL" 2>/dev/null || \
echo "Alert: $rogue_count rogue APs detected (email failed)"
else
echo "✅ No rogue access points detected" >> "$report_file"
fi
echo "[+] Report generated: $report_file"
# Cleanup
rm -f "$detected_aps" "$rogue_aps"
}
# Function to run rogue AP scan
run_rogue_scan() {
local timestamp=$(date +%Y%m%d_%H%M%S)
local log_prefix="/tmp/rogue_scan_$timestamp"
echo "[+] Starting rogue AP detection scan"
# Configure Kismet
cat > "/tmp/kismet_rogue.conf" << EOF
source=$INTERFACE
logprefix=$log_prefix
logtypes=kismetdb
server=tcp://127.0.0.1:2501
allowedusers=kismet
channel_hop=true
channel_hop_speed=5
EOF
# Start Kismet
kismet -f "/tmp/kismet_rogue.conf" --daemonize --silent
if [ $? -eq 0 ]; then
echo "[+] Scanning for $SCAN_TIME seconds..."
sleep "$SCAN_TIME"
# Stop Kismet
pkill kismet
sleep 3
# Analyze results
kismet_db="${log_prefix}.kismet"
if [ -f "$kismet_db" ]; then
detect_rogue_aps "$kismet_db" "$timestamp"
else
echo "[-] Kismet database not found"
fi
else
echo "[-] Failed to start Kismet"
return 1
fi
# Cleanup
rm -f "/tmp/kismet_rogue.conf"
rm -f "${log_prefix}"*
}
# Main execution
create_known_aps
# Check interface
if ! ip link show "$INTERFACE" > /dev/null 2>&1; then
echo "[-] Interface $INTERFACE not found"
exit 1
fi
# Setup interface
echo "[+] Setting up interface $INTERFACE"
sudo ip link set "$INTERFACE" down
sudo iw dev "$INTERFACE" set type monitor
sudo ip link set "$INTERFACE" up
if [ $? -eq 0 ]; then
run_rogue_scan
else
echo "[-] Failed to configure interface"
exit 1
fi
echo "[+] Rogue AP detection completed"Integration with Other Tools
Wireshark Integration
bash
# Convert Kismet logs to pcap for Wireshark
kismet_log_to_pcap --in kismet.kismet --out capture.pcap
# Open in Wireshark
wireshark capture.pcap
# Filter specific traffic in Wireshark
# wlan.fc.type_subtype == 0x08 # Beacon frames
# wlan.fc.type_subtype == 0x04 # Probe requests
# wlan.fc.type_subtype == 0x05 # Probe responsesAircrack-ng Integration
bash
# Extract handshakes from Kismet capture
aircrack-ng -J handshakes capture.pcap
# Use with hashcat
hashcat -m 2500 handshakes.hccapx wordlist.txt
# Convert Kismet pcap for aircrack-ng
aircrack-ng capture.pcapNmap Integration
bash
# Extract IP addresses from Kismet for network scanning
sqlite3 kismet.kismet "SELECT DISTINCT ip FROM devices WHERE ip != '';" | \
while read ip; do
nmap -sS "$ip"
doneTroubleshooting
Common Issues
Interface Problems
bash
# Check interface status
ip link show
# Reset interface
sudo ip link set wlan0 down
sudo ip link set wlan0 up
# Check for conflicting processes
sudo lsof /dev/wlan0
sudo fuser -k /dev/wlan0
# Restart network manager
sudo systemctl restart NetworkManager
# Check kernel modules
lsmod | grep 80211Permission Issues
bash
# Check user groups
groups $USER
# Add user to kismet group
sudo usermod -aG kismet $USER
# Fix file permissions
sudo chown -R kismet:kismet /var/log/kismet/
sudo chmod -R 755 /var/log/kismet/
# Check capabilities
getcap /usr/bin/kismet_cap_linux_wifiGPS Issues
bash
# Check GPS device
ls -la /dev/ttyUSB*
ls -la /dev/ttyACM*
# Test GPS manually
sudo gpsd /dev/ttyUSB0 -F /var/run/gpsd.sock
gpsmon
# Check gpsd status
sudo systemctl status gpsd
# Restart gpsd
sudo systemctl restart gpsdDatabase Issues
bash
# Check database integrity
sqlite3 kismet.kismet "PRAGMA integrity_check;"
# Repair database
sqlite3 kismet.kismet ".recover" | sqlite3 kismet_recovered.kismet
# Check database schema
sqlite3 kismet.kismet ".schema"
# Vacuum database
sqlite3 kismet.kismet "VACUUM;"Performance Optimization
bash
# Reduce logging
echo "logtypes=kismetdb" >> ~/.kismet/kismet.conf
# Optimize channel hopping
echo "channel_hop_speed=10" >> ~/.kismet/kismet.conf
# Limit data sources
echo "source=wlan0:hop=true,channel=1,6,11" >> ~/.kismet/kismet.conf
# Increase buffer sizes
echo "packet_buffer_size=65536" >> ~/.kismet/kismet.confResources
- Official Kismet Documentation
- Kismet GitHub Repository
- Kismet REST API Documentation
- Wireless Security Testing
- 802.11 Wireless Networks
- Wardriving Best Practices
- Wireless Intrusion Detection
This cheat sheet provides a comprehensive reference for using Kismet for wireless network detection and monitoring. Always ensure you have proper authorization before using this tool in any environment.