Sunday, February 1, 2009

Kismac vs Aircrack

I've been fooling around with wireless hacking for a few years and have always found aircrack to be an awesome tool. In the past, I've used a Linux laptop with either Gentoo, Ubuntu, or Backtrack. This has always worked well for me because I only had a couple of Cardbus wifi adapters, and up until now, I never had a laptop without PCMCIA slots. A couple of years ago, I got my Macbook and decided to see what its capabilities were from a wifi hacking perspective. What I found, however, was not so exciting.

From what I could tell, there was no way to do packet injection with the built-in wifi. Kismac could at least put the card into monitor mode under OS X 10.4, but once OS X 10.5 came out, that stopped working as well. Combine that with the fact that the original developer of Kismac had to abandon the project due to new laws being passed in Germany, and that left Kismac in a somewhat sorry state.

Recently, though, I finally got around to buying a USB wifi adapter. This meant that I could finally try out Kismac properly, since it can actually do packet injection with a variety of USB adapters. So, for the first time in two years, I grabbed the latest version of Kismac, fired it up, picked a network (one I'm allowed to crack, of course), and attempted to do some packet injection. This network had a small amount of client data, so I figured I'd catch an ARP packet and be able to replay it back into the network. Shortly after starting packet injection, Kismac completely crashed. I tried another two or three times on the same network with the same results. Looking at the console log, I saw that it failed an assertion in the inject function of the WLAN driver: `[net mode] == managed`. I noticed that for some reason, the network was flopping back and forth between "tunnel" and "managed". I guess that explains the crash...

Alright, I'll pick a different network. The next best one from a signal strength perspective doesn't have much client data on it, but what the hey, we'll try it anyhow. I figure if I start some injection, then perform a deauth attack, we may be able to get something. I try it out, but then... hey, I can't do the deauth while injecting, what's the deal? I can do the deauth and then inject, but I can't switch over quickly enough to capture the handshake and any ARP requests by the time I click inject. Hmm... I give up, I can't work with it. I mean, the UI is great and all, and it's nice that you can monitor clients and have it make noises when they're active, but it just doesn't work the way I want it to.

As a comparison, I could have fired up Backtrack in VMware Fusion, hooked the USB wifi adapter up to the VM, and tried using aircrack. I know without a doubt that I could have cracked that same network, with little to no client data, without any problems. Simply start up airmon, try a chopchop or fragmentation attack until you get enough keystream, forge an ARP packet with packetforge, then begin replaying that ARP packet into the network. The greatest part is, you can monitor, replay ARP packets, and perform deauth and fakeauth attacks ALL AT THE SAME TIME! I've done this before to get a 64-bit key in a matter of 2 or 3 minutes, and a 128-bit key would only take 5-10 minutes in these situations.

Bottom line is that Kismac looks nice, and probably works well in simple circumstances. My guess is that it might be the perfect set of training wheels for the beginning wifi hacker, but it isn't practical if you want to be serious about it.

Oh well, at least I tried it :)


  1. Thank you for this!
    I will stick to aircrack for my WEP hacking and not try to get KisMAC working on Ubuntu.

  2. The Backtrack live CD enables me to do packet injection with the built-in Airport card; i.e., Macbooks can do packet injection, just not in Mac OS.