Kismet Wireless

Kismet Forums

 

Posted by: dragorn
Subject: IDS testing
Date: 14:27:58 13/08/2009

> Attempting to test functionality of Kismet IDS. Have netstumbler but have been unable to generate an alert.

Netstumbler very, very, very rarely (and with newer versions, never) generates the packets which are identifiable as netstumbler.

> Looking for suggestions or testing technique to force an alert in Kismet. Also have metasploit. Reviewed prior forum posts but most were pre-2006 with not much detail.

Perform an attack, or get pcap files of an attack and replay them with the pcap source.

> Would like to build some type of event or batch process that will send alert event to monitoring system.
>
> Is the kismet::client module the way to go to grab alerts? Or should I look at parsing the .alert file?

I don't think kismet::client has been maintained in years; however, yes, talking to the network socket is definitely the way to go. There was an example blog posting a month or two ago about using netcat and awk to link into the network protocol and generate a JSON file. The protocol is very, very simple.

> What would be the approach to query the server? Issue !0 CAPABILITY ALERT then catch the response? Or would alert info be in the status message as written in the kismetaclient.pl example?

Capability lists the fields. Enable whatever ones you want in whatever order, and you'll get them. I don't know what kismetaclient.pl does, code wasn't written by me and isn't, as far as I know, maintained. Probably won't work with any modern version of kismet, however the basic network protocol parsers are probably still useful.

-m
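
An added example, not part of the original post and not Kismet project code: a minimal Python client for the socket approach described above, which enables the ALERT sentence with a chosen field list and parses each `*ALERT:` line into a dictionary for a monitoring system. The field names, the `\x01` wrapping of values that contain spaces, and port 2501 are assumptions about the legacy Kismet client protocol; confirm the field names against the server's own `CAPABILITY ALERT` reply. The sample line in the comments is constructed.

```python
import socket

# Assumed ALERT field names; verify with "!0 CAPABILITY ALERT" on your server.
FIELDS = ["sec", "usec", "header", "bssid", "text"]

def enable_command(cmd_id, protocol, fields):
    """Build the ENABLE request; the server then emits fields in this order."""
    return "!%d ENABLE %s %s\n" % (cmd_id, protocol, ",".join(fields))

def split_values(payload):
    """Split space-separated values; \\x01...\\x01 wraps values with spaces."""
    values, i, n = [], 0, len(payload)
    while i < n:
        if payload[i] == " ":
            i += 1
            continue
        delim = "\x01" if payload[i] == "\x01" else " "
        start = i + 1 if delim == "\x01" else i
        end = payload.find(delim, start)
        if end == -1:
            end = n
        values.append(payload[start:end])
        i = end + 1
    return values

def parse_alert(line, fields=FIELDS):
    """Return a dict for an *ALERT: sentence, or None for anything else."""
    prefix = "*ALERT: "
    line = line.rstrip("\r\n")
    if not line.startswith(prefix):
        return None
    values = split_values(line[len(prefix):])
    if len(values) != len(fields):
        return None  # field list mismatch: drop the line rather than guess
    return dict(zip(fields, values))

def watch(host="127.0.0.1", port=2501):
    """Yield parsed alerts from a running server (host and port are assumed)."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(enable_command(1, "ALERT", FIELDS).encode("ascii"))
        for raw in sock.makefile("r", encoding="latin-1", newline="\n"):
            alert = parse_alert(raw)
            if alert is not None:
                yield alert

# Constructed sample line, as the server would send it after the ENABLE above:
#   *ALERT: 1250173678 120000 NETSTUMBLER 00:11:22:33:44:55 \x01sample text\x01
```

Each dictionary yielded by `watch()` can be forwarded to the monitoring system; lines for other sentences, or lines whose value count does not match the enabled field list, are skipped.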

