
Kismac: The Ultimate WiFi Stumbler

How to Crack WEP / WPA Step by Step
KisMAC for Dummies &
Step by Step KisMAC Tutorial
KisMAC Tutorials for dummies, beginners & advanced users 

Update of update: a brand new improved video in HD, with very entertaining music, is available at the end of this post. It should cover KisMAC 101 and walk you through WEP and WPA cracking.

For the curious, advanced users and KisMAC geniuses, we have the following articles available:

Best WiFi Card for KisMAC (about 20x more powerful than Airport or Hawking)

Troubleshooting KisMAC
KisMAC Q&A
Cracking WPA with KisMAC
KisMAC Resources
KisMAC Deep Digging, Advanced Features
How To Install Aircrack On Mac



Before you post a question, PLEASE be sure to read the 3 following posts:
KisMAC + KisMAC Troubleshooting + KisMAC Q&A

Once you are sure that the answer to your question cannot be found, please post your question in the Q&A article: CLICK HERE.

ALL QUESTIONS WITHOUT the KisMAC version and full OS version will be ignored. Please include the model and FCC number of the network adapter (the USB thingy) if applicable. And YES, the FCC number is on it! And NO, it's not the MAC address.


Cracking WEP with Injection
Cracking WEP without Injection (Airport, Airport Extreme)
Cracking WPA
KisMAC Troubleshooting Guide

KisMAC Resources: Dictionary files, password lists, etc.


KisMAC is a free WiFi network discovery tool with a large array of powerful features: detection, authentication, injection, GPS, and the ability to crack WPA and WEP keys.
KisMAC is really powerful and leaves Windows-based NetStumbler in the dust, by a large margin.

KisMAC is not for absolute beginners, and the first step with KisMAC is to read the FAQ. The second step is to read the FAQ again.


Just a little legal warning:
- It is illegal to download, possess, and/or use KisMAC in Germany, Austria, Switzerland and Liechtenstein (StGB § 202c)*
- It is illegal, in most countries, including the USA, to crack or attempt to crack, penetrate, listen to, intercept, or “inject” any WiFi network other than yours, or networks for which the unequivocal permission of the rightful owner was not given to you.
- KisMAC is a tool that should be used for the sole purpose of checking, verifying and auditing your own network.

Now that I have warned you :-) you can enjoy it!


Cracking WEP with Re-Injection

Whatever you do, if you have an injection device (WiFi card or USB adapter), DO NOT install the drivers of the card / USB adapter.
DO NOT INSTALL DRIVERS FROM THE CD PROVIDED WITH THE DEVICE unless you have read this post.

How to Crack WEP Step by Step

This tutorial is solely for you to audit your own network. I take no responsibility whatsoever, implied or not.
If you NEED access, just ask your neighbor politely and either share the cost or discuss it with him. A six-pack can be used as lubricant.

Cracking with an Injection Device

(Hawking HWUG1 shown here, RT73 chipset. DO NOT BUY THAT ONE.)

Read the review and comparison before buying; the best card is here:

Best WiFi Card for KisMAC (about 20x more powerful than Airport or Hawking)

The most successful method by far, with one little issue: you will NEED a re-injection device, either a USB WiFi adapter or a WiFi card.

But here comes the trick:
- You cannot use just any WiFi card: you must use specific ones.
The list of “approved” hardware is here: http://trac.kismac-ng.org/wiki/HardwareList
As of today, you can NOT inject packets with your Airport / Airport Extreme Apple card alone.

Step 1
Download KisMAC from a trusted source such as: http://trac.kismac-ng.org/wiki/Downloads
Install KisMAC
Plug in your injection device. Whatever you do, DO NOT install the drivers of the card / USB adapter, or you may dearly regret it.
Start KisMAC

Step 2
On the tab KisMAC >>> Preferences >>> Drivers
Select your injection device, i.e.: “USB RT73 device”
If you have a doubt about what to choose, check the “approved” hardware list.

Click on “Add”
Check the box “Use as primary device”
Select “All Channels”. Correction: select only 1-11 if you are in the USA, 1-13 if you are in Europe, 1-14 if you are in Japan.
In some cases, Ch 12-14 can pick up interference from other home devices: stay within 1-11!
Check the box “Keep everything”
Close the dialog box

Step 3
On the main screen, select “Start Scan”
KisMAC is now listening to the accessible networks.
Look for a network with a WEP key (column “ENC”), a good signal as well as traffic (see Packets and Data)
OR
Enter “WEP” in the search box (top right) and select “encryption” to filter the results

If the column ENC is “NO”, the network is OPEN: no need to crack anything.
Once you have selected a network, look for the CHANNEL of the network, i.e. 1, 2, etc.
Go back to Preferences >>>> Drivers
Select only the channel of the selected network, i.e. 1

Step 4
Let KisMAC work for 5 minutes collecting data.
On the “NETWORK” tab, select “Reinject Packets”
KisMAC will now try to reinject packets to speed up the process.
Keep an eye on the “Unique IVs” number; once it has reached at least 130,000 (200,000 is recommended) you may start considering cracking.

Step 5
Once you have collected enough, on the NETWORK tab, select “Crack” >>> “Weak Scheduling Attack” >>> “Against Both”
KisMAC will now try to crack the key…
Reminder: the more unique IVs you have collected, the greater the chances of cracking the key.
I have experienced cracks as fast as 10 sec with 200,000 unique IVs (on a 64-bit key) and sometimes 30 minutes with only 110,000.

If you know for sure that the key is either 40-bit or 104-bit, then select the appropriate one. If you are not sure, select “Both”.
40-bit is a 64-bit key (40-bit key + 24-bit IV)
104-bit is a 128-bit key (104-bit key + 24-bit IV)


If you have followed the steps, you should see something like this appear :-)))
Remove the semicolon, and there you have it; or take a look at the main screen under Key or ASCII Key.

How to crack WEP / WPA with Airport Extreme, Passive mode
WITHOUT Injection Device (Airport, Airport Extreme Alone)


WEP attack


Step 1
Read the FAQ: http://trac.kismac-ng.org/wiki/FAQ
Step 2
Read the “Newbie Guide”: http://trac.kismac-ng.org/wiki/NewbieGuide
Step 3
Download KisMAC from a trusted source such as: http://trac.kismac-ng.org/wiki/Downloads
Last build is 0.3.3

Install KisMAC
Start KisMAC

Step 4 (without an injection device)
On the tab KisMAC >>> Preferences >>> Drivers
Select your card (capture devices), i.e.: Airport Extreme Card, Passive Mode
Click on “Add”
Select channels 1-11
Close the dialog box, and select “Start Scan” in the main window
A dialog box opens and loads the card. Your admin password may be required.

Step 5
KisMAC is now listening to the accessible networks.
Look for a network with a WEP key (column “ENC”), a good signal as well as traffic (see Packets and Data)
If the column ENC is “NO”, the network is OPEN: no need to crack anything.
Once you have selected a network, look for the CHANNEL of the network, i.e. 1, 2, etc.
Go back to Preferences >>>> Drivers
Select only the channel of the selected network, i.e. Channel 1

Step 6
Be patient: open a beer, pour yourself a nice glass of wine or have a nice cup of coffee.
Without an injection device, you will need to collect a minimum of 130,000 unique IVs before you can start cracking a 40/64-bit WEP key.
Recommended:
200,000 unique IVs for a weak scheduling attack on a 40/64-bit WEP key
1,000,000 unique IVs for a weak scheduling attack on a 104/128-bit WEP key
It may take a long time (depending on network traffic and whether you re-inject or not).

Those are recommendations. Weak Scheduling is basically a statistical attack: the greater the number of IVs collected, the greater the chances.
Are you in a hurry? Capture with KisMAC, crack with Aircrack-ng.
You can have a successful recovery with as few as 21,000 IVs.

Step 7
Once the packets are collected, go to the tab “Network” >>> Crack and select the method.
For a start, I would suggest: “Crack” >>> “Weak Scheduling Attack” >>> “Against Both”
Once started, you’ll have to wait between 5 and 20 minutes, depending on your machine, for KisMAC to try all the keys.
The more packets you have collected, the better your chances of cracking the key: the WEP attack is statistical, hence ....

WPA Crack / Attack

>>>>> Packet RE-Injection DOES NOT WORK on a WPA attack <<<<<<
>>> I said RE-Injection and not “Injection”

In order to crack a WPA key, you'll need the handshakes, a serious dictionary file or fileS and a LOT of CPU time. Hours and probably days of it. (Read the “I am bored” part at the end.)

You first need to capture the 4-way EAPOL handshakes (the connection between the computer and the network). When captured, you'll see the Ch/Re red dot turn green. You are ready to try...

To speed up the process of capturing the 4-way EAPOL handshakes, you can try a deauthentication attack: it will force the network to shut down and restart, hence speeding up the process.
Go to Network >>> Deauthenticate
Some networks may recognize the attack and change channel.

Once the Ch/Re is ready, go to the tab “Network” >> Crack >> WPA
It will then ask you for the dictionary file; select the file you want to use, and start...

Nota Bene:
KisMAC will try every word (from the list provided) to attempt to crack the key, hence it may take a lot of time.... If you have a slow machine, be really patient.
I have a not-so-bad machine, and I run about 170 words per second. You can leave a comment with your config and speed for me to compare.
Mine: MacBook Pro 2.5GHz Intel Core 2 Duo + 4GB DDR2 SDRAM: about 170 words/sec

As for the dictionary files, you can find links on the KisMAC website or take a look at the “RESOURCES” post.

Note on dictionary files:
Wordlist = dictionary file
- The words are tested “as is” and not in combination.
Example: the password is “I love Kismac”
If your dictionary contains the words “I” + “love” + “Kismac” it will NOT work; your wordlist must contain the exact (verbatim) “I love Kismac” as a word to successfully attempt to crack.
The files must be in text format (.txt) and contain an empty line at the end.

KisMAC Troubleshooting Guide, KisMAC Issues, KisMAC Resources are in the NEXT post....
KisMAC for Windows, ditto... next post



WPA: Wordlist links and file downloads are here


KisMAC Resources

KisMAC Resources, Wordlists, Dictionary files

Is there a KisMAC tutorial?
Yes, a video tutorial and a written one, plus a troubleshooting one and a debugger in progress. It's here: http://tinyurl.com/nxdcsd

What injection device should I use?

Definitely this one:
Best WiFi Card for KisMAC (about 20x more powerful than Airport or Hawking)

This card is a winner, hands down!
Mentioning a Hawking or an Edimax as “competition” is a pure act of charity.

Otherwise, the list of “approved” hardware is here: http://trac.kismac-ng.org/wiki/HardwareList
I have tried the Edimax EW-7318 USg, Hawking HWUG1 & HWUG1A (about $40).
I am not really impressed by the sensitivity of the Hawking “as is”, nor by the Edimax.
After a few tests, and compared to the one mentioned above in “best card”, I would not consider buying them again.

Can you find listings or maps of available networks?
- Yes you can; check the Wigle webpage: http://wigle.net

How to uninstall drivers? Plist?
Your best shot at uninstalling a plist is to use the free app called “App Cleaner”.
You'll find the link, directions, etc. on the blog (left-hand side).
If you have installed the drivers provided on a CD for a specific chipset, you will need:
admin rights, the use of Terminal, and you'll need to unload the driver before removing it. Unloading the driver only works for one session: when you reboot, the driver will be loaded again.

How to select a single channel?
Take a look at “Step B”, the picture shows “all channels selected”.
You just have to click on “none” and then check the single channel wanted.
You can also directly use the tab “Channel”.

I am a Super Geek, is there something more powerful than KisMAC?
Aircrack-ng (reserved for advanced users)
How to install Aircrack on a Mac: http://easymactips.blogspot.com/2010/10/how-to-install-aircrack-on-mac.html
Wireshark is also a powerful one, but not so friendly for the beginner.

Password Lists

One of the best is here:
http://easymactips.blogspot.com/2009/11/support-donate.html

Worst password lists: please don't use them ..... ;-) they are often the first checked ....
http://aloah.free.fr/mactips/Wordlists.html
http://trac.kismac-ng.org/wiki/wordlists

List of Dictionary files or Wordlist / Wordlists
Sometimes called wordkey or word key (as per the results of your queries via Google Analytics)
For WPA attacks:
http://aloah.free.fr/mactips/Wordlists.html
http://trac.kismac-ng.org/wiki/wordlists
or you can compile your own.
I may suggest you skip passwords of 1, 2, 3 & 4 characters; very few people use 3-character passwords... A brute-force attack will not take a long time on 3 characters....
WPA:
Minimum 8 characters, so you can skip all passwords of less than 8 characters.

Note on dictionary files:
The words are tested “as is” and not in combination.
Example: the password is “I love Kismac”
If your dictionary contains the words “I” + “love” + “Kismac” it will NOT work; your dictionary must contain the exact “I love Kismac” as a word to successfully attempt to crack.

The only way to end with a successful attack is to use a dictionary containing the (exact) word(s).
Pure brute-force attacks do NOT work with KisMAC (trying every single combination starting at “a”, then “aa”, “aaa”, etc.). You need to provide KisMAC with a dictionary file, format TXT, with an empty line at the end.

Password hints
A dictionary attack uses a list of existing words. Often those lists are all lowercase or mixed, in English, and use “common” words.
The more complex your password is, the greater the chance that it will take a mind-boggling and inhuman amount of CPU time to try all the possible combinations (millions of years).
If you use KisMAC on a WPA attack, the only way to end with a successful attack is to use a dictionary containing the (exact) word.
Brute-force attacks do NOT work with KisMAC.
As a possible target of a WPA attack, “I” use stupid-strength passwords on full ASCII.
I do not use English words, or any common language, and I use lots of $igns and numbers.
So, how patient is the attacker?

Mnemonic tips
Instead of your “123456” dummy password you can use a HARD TO GUESS word and add numbers to it PLUS a second set of numbers typed while holding the “Shift” key.
Example: the maiden name of your mom is Kismac, her birthday is 07 12 1962
You get “07121962Kismac)&_!@_!(^@”
You now have a 20-character password that you can easily retain.
As KisMAC does not use pure brute force to crack WPA, you are pretty safe with a password like this. Finding such a word in a dictionary would be... surprising.
Be aware that you can find lists of names, towns, zip codes, etc. So, using “Smith” or “Boston” is not really foolproof.

Even in the improbable case of a very, very tenacious “auditor”, a 20-character full ASCII password (255 possible characters) is up to 255^20 possibilities.
How big is 255^20?
Well, that's: 1,351,461,283,755,590,000,000,000,000,000,000,000,000,000,000,000
It's already stupid strong. Unless you are the NSA, it's probably out of your reach:

Update on Oct 6, 2009.
You may have heard of the Yahoo! password heist*.
*(Dec 2009: Forget the Yahoo! heist, a bunch of highly educated monkeys running a website have left their entire database of passwords in clear plain text. The result is 32,000,000 passwords and logins stolen. More on that later....)

10,000 passwords and emails listed on the web, plus another 30,000 accounts of Gmail and Comcast compromised.
According to serious sources, the list was a possible snippet of 250,000 emails and passwords for resale.
Email? Not a big deal, huh? Who cares? They just need to go to your online banking and reset the password. They will get the message. You won't....
I could not access the list in time, but the excellent Reusable Security blog did.
Here is his (Matt Weir) analysis about what you use:

So on to the analysis:
  • Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords
  • Average Password Length: 8.7 characters long
  • Percentage that contained an UPPERCASE letter: 7.2%
  • Percentage that contained a special, (aka !@#$), character: 5.2%
  • Percentage that contained a digit: 51.7%
  • Percentage that only contained lowercase letters: 43.3%
  • Percentage that only contained digits: 17.6%
  • Percentage the started with a digit, (aka '1password'): 25.0%
  • Percentage that ended with a digit, (aka 'password1'): 44.1%
  • Percentage that started with a special character: 0.5%
  • Percentage that ended with a special character: 2.2%
  • Percentage that started with an uppercase letter: 6.1%
Overall letter frequency analysis:
aeoi1r0ln2st9mc83765u4dbpghyvfkjAzEIOxRLwSNq.MTC_DB-UP*G@H/ZYF+VJK,\$&X!Q=W?'#")(%^][}< {`>
First character, letter frequency analysis:
a1mbc2sp0lterdjfgn3hi6k759vo48yAwMzBSCuqPLExJRTFDGNV*HOZYKI\W@/-+(.$U&?Q^[,#
Last character, letter frequency analysis:
aos01326e57849nrilydzmtuAhbO.gck*SxpfE@+LvjNRw_-I?/$q!ZX)YKH"UPMDCB#GF'&%}T,]\VJ(
As a repeat, the previous is from Matt Weir, from Reusable Security
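As an added example (not part of Matt Weir's analysis or of the original post), the following Python recomputes the same audit metrics over a constructed password sample, so a defender can run the identical breakdown on passwords from their own systems; the sample passwords and the definition of "special" as ASCII punctuation are assumptions.

```python
# Added example, not from the original post or Matt Weir's write-up:
# recompute the audit metrics quoted above over a constructed password
# sample, so the same breakdown can be run on a list from your own systems.
from collections import Counter
import string

SPECIALS = set(string.punctuation)      # "special" = !@#$ and friends (assumption)

# Constructed sample, not real leaked data.
SAMPLE = [
    "123456", "password1", "Summer2009", "abcdef", "1password",
    "qwerty", "letmein!", "987654321", "dragon", "Mustang99",
]


def password_stats(passwords):
    """The percentages listed above, keyed by name; blank passwords are excluded."""
    pw = [p for p in passwords if p]
    if not pw:
        return {}
    n = len(pw)

    def pct(pred):
        return round(100.0 * sum(1 for p in pw if pred(p)) / n, 1)

    return {
        "total": n,
        "avg_length": round(sum(len(p) for p in pw) / n, 1),
        "has_upper": pct(lambda p: any(c.isupper() for c in p)),
        "has_special": pct(lambda p: any(c in SPECIALS for c in p)),
        "has_digit": pct(lambda p: any(c.isdigit() for c in p)),
        "only_lower": pct(lambda p: p.isalpha() and p.islower()),
        "only_digits": pct(lambda p: p.isdigit()),
        "starts_digit": pct(lambda p: p[0].isdigit()),
        "ends_digit": pct(lambda p: p[-1].isdigit()),
        "starts_special": pct(lambda p: p[0] in SPECIALS),
        "ends_special": pct(lambda p: p[-1] in SPECIALS),
        "starts_upper": pct(lambda p: p[0].isupper()),
    }


def char_frequency(passwords, position=None):
    """Characters from most to least frequent, like the three frequency strings above.
    position=None counts every character, 0 only first characters, -1 only last ones."""
    counter = Counter()
    for p in passwords:
        if p:
            counter.update(p if position is None else p[position])
    return "".join(c for c, _ in counter.most_common())


if __name__ == "__main__":
    for name, value in password_stats(SAMPLE).items():
        print(f"{name:>15}: {value}")
    print("overall:", char_frequency(SAMPLE))
    print("first:  ", char_frequency(SAMPLE, 0))
    print("last:   ", char_frequency(SAMPLE, -1))
```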

So, it tells me that there are still a large number of people using passwords vulnerable to dictionary attacks.
Furthermore:
40% of users are using the same password for everything.
92.7% did not use an UPPERCASE letter
94.8% did not use a special character
and the best: only contained digits: 17.6%
Average length 8.7 >> rounded to 9 characters
For the 18% (of dummies) that only use digits:
Digits only = 10 possibilities per character. 9 characters long = 10^9 = 1,000,000,000 possible combinations
Realistic number of tests before cracking: 50% (10^4.5)
Time to crack: 0.015 hour = joke
For those 18%, read this carefully:
“Neil O'Neil, a digital forensics investigator at secure payments firm The Logic Group, found that ‘123456’ cropped up on the list 64 times. There were 18 uses of the second most popular password, ‘123456789’.”
Big surprise!!! Just like the ones mentioned in the 500 most used passwords. Can you guess what #3 and #4 were? Probably 1234567 and 12345678.
The 500 most used passwords list is 4 or 5 years old, but it seems like it was brand new.
#1 to #10: 123456, password, 12345678, 1234, pussy, 12345, dragon, qwerty, 696969, mustang

So, if I had to create a password list, guess what...

First on the list would be 8 or 9 characters long, all digits, then all lowercase, then adding a digit or 2 first, then adding a digit or 2 last.
That list should cover about 80% of all passwords.
That would be a big list of 7,518,774,324,736 possibilities, but it would cover 80% of the general public. Not bad.
So, GET A REAL PASSWORD!

Because it's raining and I am bored:
Let's assume a cluster of 10,000 MacBook Pros, dual core etc., working all together for you (distributed):
A MacBook Pro under intensive use draws 263 Watts and generates 894 BTU/h of heat
Cracking possibilities: up to 10,000,000 passwords/second/computer
If you do the math, you'll realize that cracking a 20-character full ASCII password by brute force will cost you up to 40 million dollars worth of electricity, create enough BTU to generate a heat wave the size of Texas and take you hundreds of thousands of years.
You could hit the jackpot and find the password within minutes, but generally it will take 50% of the maximum possible time to break a password.
This is the reason why keyloggers, phishing and clickjacking were invented. That's where, in my opinion, the real danger is...
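As an added illustration of the "how patient is the attacker" reasoning and the cluster scenario above (example code, not from the original post), this Python estimator turns a password style into an expected guessing time and electricity bill. It takes the post's own figures (about 170 words/s for KisMAC's dictionary attack, 10,000,000 guesses/s per machine on a 10,000-machine cluster, 263 W per MacBook Pro) as assumptions, along with the alphabet sizes and the "half the keyspace on average" rule of thumb.

```python
# Added example, not from the original post: rough "how long does this
# password survive" estimates for the password styles discussed above.
# Rates and wattage are the post's own figures, used here as assumptions.

KISMAC_RATE = 170              # words/s for KisMAC's WPA dictionary attack (post)
MACHINE_RATE = 10_000_000      # brute-force guesses/s per computer (post's scenario)
CLUSTER_MACHINES = 10_000      # machines in the post's hypothetical cluster
CLUSTER_RATE = MACHINE_RATE * CLUSTER_MACHINES
MACBOOK_WATTS = 263            # power draw per machine under load (post)

DIGITS = 10                    # alphabet sizes (assumptions)
LOWERCASE = 26
PRINTABLE_ASCII = 95           # space through '~'


def keyspace(alphabet_size, length):
    """All candidates for a password of exactly `length` symbols."""
    return alphabet_size ** length


def expected_guesses(space):
    """Rule of thumb from the post: on average the key is found after half the space."""
    return space // 2


def seconds_to_crack(space, guesses_per_second):
    """Expected time at the aggregate guessing rate `guesses_per_second`."""
    return expected_guesses(space) / guesses_per_second


def kwh_to_crack(space, guesses_per_second, machines, watts_per_machine):
    """Electricity for the expected search: machines x watts x hours, in kWh."""
    hours = seconds_to_crack(space, guesses_per_second) / 3600
    return machines * watts_per_machine * hours / 1000


def describe(seconds):
    """Human-readable duration for the printouts below."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 86400 * 365.25:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (86400 * 365.25):.3g} years"


if __name__ == "__main__":
    # The post's "dummies" case: 9 digits, attacked with a list of every 9-digit number.
    nine_digits = keyspace(DIGITS, 9)
    print("9 digits at KisMAC speed:", describe(seconds_to_crack(nine_digits, KISMAC_RATE)))
    print("9 digits on the cluster: ", describe(seconds_to_crack(nine_digits, CLUSTER_RATE)))
    # Shortest WPA passphrase, lowercase only, at KisMAC speed.
    print("8 lowercase at KisMAC:   ", describe(seconds_to_crack(keyspace(LOWERCASE, 8), KISMAC_RATE)))
    # The post's 20-character printable-ASCII passphrase against the whole cluster.
    strong = keyspace(PRINTABLE_ASCII, 20)
    print("20 printable on cluster: ", describe(seconds_to_crack(strong, CLUSTER_RATE)))
    print("   ... consuming about", f"{kwh_to_crack(strong, CLUSTER_RATE, CLUSTER_MACHINES, MACBOOK_WATTS):.3g} kWh")
```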

KisMAC for Windows
I am not aware of a Windows version of KisMAC (KisDOWS???); nevertheless, you can Google NetStumbler, Aircrack, Airsnort, etc.
To the best of my knowledge, NetStumbler does not have cracking capabilities, nor the capability to uncloak hidden networks or deauthenticate networks.
If you want serious power, you'll need to forget about Windows (breaking news, huh?) and move on to Linux with Aircrack-ng.
If you download a (working) version of KisMAC for Windows, please let me know.
If you download one, especially from a torrent, I suggest you be VERY careful and scan the file left, right, up and down for viruses or malware. (hint)