Locking Down Your Home WiFi with Kismet and Python

In my years working as a wireless security consultant and pentester, I‘ve seen countless organizations neglect the security of their wireless infrastructure. Misconfigured access points, weak encryption protocols, rogue devices – the list of vulnerabilities goes on. Threat actors are increasingly targeting WiFi as an entry point into corporate networks, making it critical to proactively monitor your airspace for suspicious activity.

But it‘s not just businesses at risk. With the explosion of smart home devices and always-connected mobile gadgets, our home wireless networks are now a juicy target. Unsecured IoT products, unpatched routers, default passwords – all potential cracks just waiting to be exploited.

Fortunately, we have a powerful tool at our disposal for detecting and alerting on wireless threats: Kismet.

Introducing Kismet

Kismet is the industry standard for passive wireless network detection, sniffing, and intrusion detection. It‘s an essential part of any wireless security toolkit, and one I never leave home without.

Key features include:

• Supports 802.11a/b/g/n/ac protocols
• Passive scanning (doesn‘t transmit any packets)
• Detects hidden/cloaked SSIDs
• Intrusion detection for common wireless attacks
• Extensive logging in PCAP, Wireshark, and other formats
• REST API for integration with other tools
• Runs on Linux, MacOS, Windows, and embedded devices

Under the hood, Kismet is a packet capture and analysis engine with built-in channel hopping. It leverages monitor mode NICs to silently collect wireless traffic across multiple channels and frequency ranges. This traffic is then dissected to identify access points, clients, and their associated metadata like SSIDs, BSSIDs, signal strength, and encryption.

Compared to other WiFi scanners like inSSIDer or NetSurveyor, Kismet‘s strength is in its focus on security. It has a robust IDS engine that can detect all sorts of wireless attacks out of the box:

Attack	Description
KARMA attacks	Detects KARMA evil twin access points
WEP/WPA attacks	Detects active WEP or WPA cracking
Deauth floods	Alerts on deauth floods used for offline WPA cracking
Spoofed MACs	Flags devices using spoofed WiFi MAC addresses
Broadcast probe SSIDs	Lists clients probing for common/insecure SSIDs

Let‘s walk through installing and using Kismet to secure our home wireless network.

Setting Up Kismet

While Kismet is available in the package repositories for most Linux distributions, I recommend installing from source to ensure you have the latest features and security fixes.

First, install the build dependencies (example for Ubuntu):

$ sudo apt install build-essential git libmicrohttpd-dev 
libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev
libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev
libprotobuf-c-dev protobuf-compiler protobuf-c-compiler 
libsensors4-dev libusb-1.0-0-dev python3 python3-setuptools
python3-protobuf python3-requests python3-numpy 
python3-serial python3-usb python3-dev python3-websockets

Then clone the Kismet git repo and compile:

$ git clone https://www.kismetwireless.net/git/kismet.git
$ cd kismet
$ ./configure
$ make
$ sudo make suidinstall

The suidinstall target will install the Kismet binaries and set the necessary file capabilities for capturing as a non-root user.

Next, we need to configure a WiFi adapter for monitor mode. Kismet will work with any 802.11 card that supports monitor mode, but I‘ve found the best results with Atheros chipsets.

To see if your card has monitor mode capability:

$ sudo kismet_cap_linux_wifi --check-setup

If supported, enable monitor mode with:

$ sudo kismet_cap_linux_wifi --monitor-enable wlan1

We also need to disable several WiFi features that can interfere with Kismet‘s scanning:

$ sudo iw wlan1 set power_save off
$ sudo iw wlan1 set channel 6 HT20

Let‘s do a quick test run:

$ kismet -c wlan1

If all goes well, you should see Kismet‘s curses-based UI with live device and packet counts. Verify you‘re getting packet capture with:

$ kismet_client -c localhost:2501 -s
INFO: Found 1 data source 
DATA SOURCE: wlan1mon

Looks good! Time to dive into Kismet‘s web-based UI for some data exploration.

Exploring the Kismet WebUI

While the ncurses UI is great for real-time monitoring, Kismet‘s HTML5 web interface is where the real magic happens. It provides a wealth of data visualizations and drill-down tools for analyzing your wireless environment.

By default, the Kismet web server runs on port 2501. Fire up a browser and navigate to http://<kismet_ip>:2501.

The first thing you‘ll notice is the device list. This shows all detected access points, clients, and bridged devices along with key info like signal strength, channel, and encryption. Clicking on a device brings up a detail pane with extended information.

One of my favorite features is the signal graph. It plots signal strength over time so you can visually identify rogue devices, spot interference, and track down "chatty" clients.

The channel graph is handy for verifying Kismet‘s channel hopping coverage and identifying congested channels.

Be sure to explore the "Alerts" tab as well. This is where Kismet surfaces potentially malicious activity like spoofed MAC addresses, denial-of-service attacks, and evil twin SSIDs.

Scripting with the Kismet API

Where Kismet really shines is its REST API. This allows us to programmatically interact with Kismet and integrate it with our other security tools and workflows.

Some common API use cases:

• Enriching existing wireless asset inventory
• Populating a CMDB with rogue device findings
• Generating real-time alerts on suspicious activity
• Initiating packet capture on interesting traffic
• Triangulating device locations with multiple sensors

There‘s a variety of ways to work with the API in Python. Let‘s start by using the requests library to retrieve the list of currently active alerts:

import requests

url = ‘http://localhost:2501/alerts/last-time/300/alerts.json‘

r = requests.get(url)

print(r.json())

This will return any alerts triggered within the last 300 seconds as a JSON object. We could then parse this data, filter on severity or type, and kick off a response action like notifying the security team.

For more advanced use cases, Kismet supports a WebSocket-based real-time event stream. This allows us to subscribe to specific event types and receive push notifications.

Here‘s an example of monitoring the event stream for SSID changes:

import websockets
import asyncio
import json

async def event_mon():
    uri = ‘ws://kismet:2501/eventbus/events.ws‘
    async with websockets.connect(uri) as websocket:

        # Subscribe to SSID events
        sub_req = {
            "SUBSCRIBE": [
                "SSID_CHANGED"
            ]
        }
        await websocket.send(json.dumps(sub_req))

        while True:
            evt = await websocket.recv()
            print(f"New event: {evt}")

asyncio.get_event_loop().run_until_complete(event_mon())

This opens a WebSocket connection and subscribes to the SSID_CHANGED event. Anytime an access point changes its SSID, we‘ll receive a notification in real-time.

Some other interesting event types to monitor:

• NEW_DEVICE – Newly detected access point or client
• ALERT – Newly generated alert
• MESSAGE – Kismet server messages and warnings
• DOT11_PROBE_REQ – Client probe request packets
• TRACKINFO – GPS coordinates of Kismet server

With the event stream, some Python chops, and a little creativity the sky‘s the limit for Kismet integrations. At one gig, I used Kismet‘s event stream to trigger a packet capture anytime a new SSID was detected. I then ran that PCAP through a behavioral analysis engine to identify potential command-and-control traffic. Automated wireless threat hunting!

Visualizing Kismet Data

While Kismet has some nice visualizations baked in, we can use Python to generate our own custom views. The plotting library Matplotlib is great for this.

As an example, let‘s plot the most common SSIDs seen by Kismet over a 24 hour window:

import requests
import matplotlib.pyplot as plt  

url = ‘http://localhost:2501/aggregated/ssids/rrd.json‘

resp = requests.get(url)

ssid_data = resp.json()

ssids = []
counts = []

for ssid, data in ssid_data.items():
    ssids.append(ssid)
    counts.append(data[‘kismet.common.rrd.last_time‘][‘kismet.common.rrd.aggregator.max‘])

plt.figure(figsize=(12,8))
plt.bar(ssids, counts)   
plt.xticks(rotation=45, ha=‘right‘)
plt.xlabel(‘SSID‘)
plt.ylabel(‘Count‘)
plt.title(‘Most Common SSIDs‘)

plt.tight_layout()
plt.show()

This code pulls the aggregated SSID data from Kismet, extracts the relevant bits, and generates a nice bar chart with Matplotlib.

We could also plot the most active wireless clients, access point encryption breakdowns, or even the signal strength distribution across channels.

The Kismet REST API combined with Python visualization libraries really lets you slice and dice the data any way you want. Perfect for building custom wireless dashboards or even a DIY wireless IDS.

Defending Your WiFi in Depth

Hopefully by now you‘re convinced of Kismet‘s potential as a wireless monitoring powerhouse. Combined with some Python know-how, it can be an incredibly effective tool for identifying threats and anomalies on your home network.

But don‘t stop there! Defense in depth is key when it comes to WiFi security. Here are some other best practices to consider:

• Use WPA3 encryption with a strong passphrase
• Enable MAC filtering on your access points
• Disable WPS and UPnP on all devices
• Segregate IoT devices on a separate VLAN
• Configure client isolation where possible
• Use strong, unique passwords for all admin interfaces
• Perform regular RF site surveys to detect rogue devices
• Keep all firmware and software up-to-date

I also can‘t stress enough the importance of security monitoring at scale. While Kismet is great for local monitoring, you‘ll want a SIEM or other log aggregation tool for centralizing wireless events across multiple locations. At one job, I used Kismet‘s log files to feed a Splunk instance and built correlation searches to detect multi-site attacks. Invaluable for incident response and forensics.

Wireless Security in the 5G Era

It‘s an exciting time for wireless security as we enter the 5G era. With increased speeds and lower latency, 5G will no doubt revolutionize industries and spawn new categories of connected devices. But with that comes a larger attack surface and new threats to defend against.

I believe open source tools like Kismet will play an increasingly important role in 5G and IoT security. We‘ll need flexible, extensible monitoring platforms to deal with the volume and variety of devices. And as 5G enables more mission-critical use cases, the ability to rapidly detect and respond to threats will be paramount.

So whether you‘re a home networking enthusiast, professional security researcher, or somewhere in between – give Kismet a spin. Combine it with a little Python magic and you‘ll have a powerful wireless monitoring setup to keep your airwaves clean. Stay vigilant friends!