[ISN] HERT interviews Kismet's author, Mike Kershaw

InfoSec News isn at c4i.org
Fri Aug 20 04:27:27 EDT 2004


By sulla 
August 19, 2004 

Kismet is simply the best war driving tool out there, plus it's free as
in GPL. It runs on Linux, *BSD, Mac OS X and even on your little Linux
PDA. The brain and guts driving its development is Mike Kershaw, alias
Dragorn, who works during the day on IBM mainframes and hacks Kismet code
at night. Mike graciously agreed to a HERT interview to tell us a
little bit more about himself, his view on WiFi security and the
future of Kismet.

What is your background?

I've been running Linux for about 10 years now, and programming since
I was a wee larva on a TI-99a console.

What do you do for living?

My non-wireless alter ego gets paid for doing work with big iron - IBM
mainframes and large numbers of virtual servers.

What were you working on before you started kismet?

Nothing of any great notice -- I've always had a continual slow
trickle of code for various projects, bugfixing other software I use,
etc. Kismet was my first public project that really caught on.

I guess you probably consider yourself a hacker.

Define hacking? My preference is the old-school definition - if you
mean digging into things, figuring out how they work, and having fun
learning, of course!

Tell us about the first time you played with wireless networks and
what motivated you to start coding kismet?

I'd gotten a cheap linksys card and was poking around and found
Airsnort. At the time, the drivers only supported PF_NETLINK sockets
to fetch packets, which meant only one program could capture packets
at a time, and airsnort had no capabilities to dump the packets to a
file - watching the number of packets seen count up isn't much fun if
you can't do anything with them!

Kismet's very beginnings were a set of modifications to airsnort to
display SSIDs and log the data to a dumpfile that ethereal could read.
Once I got a cisco card, I had to rewrite the capture system to
support different drivers, and it just grew from there and became its
own program entirely.

Did you imagine that the security of wifi networks would be so bad?

Definitely not at the beginning! Now I've become entirely jaded
towards security as a whole (or rather, people's complete lack of it)
and not much surprises me when it comes to open wireless networks.
Despite all the press about it, the overall percentage of unencrypted
networks is still at about 80% (*), and companies still make the news
for exposing personal data over insecure networks.

(*) Percentage gathered from the pc running in my car that monitors
all the time

I bought a linksys wrt54g access point 2 weeks ago and by default WPA
encryption isn't enabled and the password was admin. Wifi products are
marketed as reliable and secure. Don't you think they give a false
sense of security?

I think it all depends what environment you're using the network in.
Most home users are, bluntly, boring: The chances of someone spending
the time to crack WPA (or even WEP) just to get to your network
connection is pretty slim, especially when they can just go 10 feet
down the road and find an open one. For most people at home, WPA
should be just fine.

I think the problem really comes in in the small office segment. If
you run a business that handles personal information about customers,
I DEFINITELY wouldn't trust WEP or WPA alone. Unfortunately, the same
group likely to buy consumer hardware like this for a smaller office
is the same group least likely to understand the security
implications. I don't know how this can be solved, other than more
education about security.

What do you think of the WiFi Alliance's effort to fix WEP with WPA?
Will 802.11i finally raise the bar high enough in terms of security?

It's a step forwards, for sure, but it's not going to solve
everything. In fact, work is being done now which exposes holes in the
key distribution used by most vendors - the IEEE spec doesn't specify
that the backend Radius connection has to be encrypted, and once that
is known the entire key exchange can be extracted.

Have you obtained any financing? major sponsor or donation for your

I've gotten continual donations of hardware from users who want better
support for different cards - without that, I don't think Kismet would
work as well as it does with as many different cards. Obviously, I
won't turn down donations of any sort, but I don't spend a lot of time
actively seeking them.

Are you working on a commercial version of Kismet?

Nope, no real plans for a commercial version. I'm a big fan of open
source. Kismet couldn't have gotten to where it is without other open
source projects for me to learn from and draw upon, and I wouldn't
feel right turning it into a commercial product.

On the vendor side, do you think any products could compete with
Kismet? what do you think of Air Defense?

I've got a comment I usually make when asked that: "Anyone who can
afford AirDefense isn't going to even consider an open source

I don't really view myself in direct competition with them, though of
course I hope to keep advancing Kismet until it can be considered
enterprise-quality as well. To some extent, the commercial vendors
will always be a step ahead, since they sign NDAs and get full
information on the chipsets, while the open source side is limited to
the information which is made public.

What's the status of the plugin architecture and api?

Still working on it. Every release brings Kismet a little closer to
supporting plugins, as more and more of the core of the program gets
rewritten and modularized. Soon I'll be replacing large sections of
code and redesigning the core packet handlers to be modular, I've got
about 5000 lines pending completion to merge in now.

Kismet is running as root and it uses pcap and ethereal libs; have you
implemented some kind of privilege separation like in openssh yet?

Actually it's had that for a very long time - it does a combination of
process separation and priv dropping. Current versions of Kismet spin
a separate process and communicate via IPC to perform root operations
like channel control, while the main packet
capture/parsing/logging/etc process drops privs to the specified user
immediately after binding to the interfaces.

It's possible to disable this, but I don't suggest it at all.
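The process split Mike describes above (a root helper that only does channel control, talked to over IPC, and a worker that drops privileges before it parses packets) as an added Python example. This is not Kismet's code: the request names, the length-prefixed JSON framing, the allowed channel range and the "nobody" user are assumptions chosen for the demo, and the actual wireless ioctl is left out.

```python
import json
import os
import pwd
import socket
import struct

# 2.4 GHz channel numbers the helper will accept (assumption for the demo).
ALLOWED_CHANNELS = range(1, 15)
MAX_FRAME = 4096  # refuse oversized frames from the unprivileged side


def handle_request(req):
    """Privileged side: the helper exists for one root-only operation
    (channel changes), so everything else is refused. A compromised worker
    can thus only ask for channel changes, never arbitrary root work."""
    if not isinstance(req, dict):
        return {"ok": False, "err": "malformed"}
    if req.get("cmd") == "channel":
        ch = req.get("n")
        if isinstance(ch, int) and not isinstance(ch, bool) and ch in ALLOWED_CHANNELS:
            # A real helper would issue the wireless ioctl here.
            return {"ok": True, "channel": ch}
        return {"ok": False, "err": "bad channel"}
    return {"ok": False, "err": "unknown cmd"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed
        buf += chunk
    return buf


def send_msg(sock, obj):
    """One frame: 4-byte big-endian length, then a JSON body."""
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)


def recv_msg(sock):
    """None on EOF or oversized length; a non-dict on undecodable JSON."""
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    if n > MAX_FRAME:
        return None
    body = _recv_exact(sock, n)
    if body is None:
        return None
    try:
        return json.loads(body.decode())
    except ValueError:
        return "malformed"  # handle_request refuses non-dicts


def privileged_loop(sock):
    """Runs in the root child: serve requests until the worker closes the socket."""
    while True:
        req = recv_msg(sock)
        if req is None:
            break
        send_msg(sock, handle_request(req))
    sock.close()
    os._exit(0)


class Helper:
    """Worker-side handle to the root helper."""
    def __init__(self, sock, pid):
        self.sock, self.pid = sock, pid

    def request(self, obj):
        send_msg(self.sock, obj)
        return recv_msg(self.sock)

    def close(self):
        self.sock.close()  # EOF makes the helper exit
        os.waitpid(self.pid, 0)


def spawn_helper():
    """Fork the root helper while we still hold root; return the worker's handle."""
    worker_end, helper_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        worker_end.close()
        privileged_loop(helper_end)  # never returns
    helper_end.close()
    return Helper(worker_end, pid)


def drop_privileges(username):
    """Worker side: give up root for good and prove it stuck. Returns the
    effective uid afterwards; 0 means the caller must abort, not capture."""
    if os.geteuid() != 0:
        return os.geteuid()  # never had root, nothing to drop
    pw = pwd.getpwnam(username)
    os.setgroups([])                               # shed supplementary groups first
    os.setresgid(pw.pw_gid, pw.pw_gid, pw.pw_gid)  # real, effective and saved gid
    os.setresuid(pw.pw_uid, pw.pw_uid, pw.pw_uid)  # real, effective and saved uid
    try:
        os.setuid(0)  # must fail now that the saved uid is gone too
    except PermissionError:
        return os.geteuid()
    raise RuntimeError("privilege drop did not stick")


if __name__ == "__main__":
    # Order matters: fork the helper first, open the capture interface
    # (omitted here), then drop root before any packet is parsed.
    helper = spawn_helper()
    print("worker euid:", drop_privileges("nobody"))
    print(helper.request({"cmd": "channel", "n": 6}))
    print(helper.request({"cmd": "exec", "argv": ["sh"]}))
    helper.close()
```

The point of the narrow request vocabulary is that a bug in the packet parser, which runs unprivileged, buys an attacker only what the helper is willing to do; the helper validates every field rather than trusting its sibling process. Clearing the saved uid with setresuid (and checking that setuid(0) now fails) is what makes the drop irreversible rather than a courtesy.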

I know you receive patches from kismet users; I submitted one once :)  
but it seems that kismet is still a one man show.

I'm always happy to get patches and talk to people about changes. At
the moment I don't really have anything set up to allow anyone else
direct access to change the code. Part of it is my own coding style -
I usually have a very clear idea of where I want the code to go and
how I want new features to work, which unfortunately makes it somewhat
exclusive. I'd like to think I'm fairly approachable with new ideas
however, and I try to make the interfaces to interact with Kismet as
open as possible (for example, the client/server protocol and the FIFO
named pipe)

Netstumbler always gets a lot of press even though it is a very
inferior program compared to Kismet; doesn't that piss you off?

I'm sure there's enough media attention to go around. Really,
netstumbler targets a bit of a different audience. It doesn't bother
me much.

What do you think of kismac, bsd airtools, abbadon's airjack?

Kismac is some good code, their name causes a little confusion but
they do a good job of making an OSX-native tool. Airjack is more proof
of concept than really workable.

What computers and equipment do you own? You probably receive a bunch
of hardware donations from users who want you to support specific
network devices.

I've got a sony laptop for most of my development, and I try to get
one of each chipset out there to help with support.

How hard would it be to reverse engineer and implement a RFMON driver
for Airport Extreme and other broadcom chipsets?

Fairly difficult. You'd have to set up a lowlevel debugger in windows
and trace every memory write it does to the pcmcia card, and then try
to interpret them. I haven't even attempted it since I don't run
windows anywhere.

What's on your todo list?

New tcp core, new packet path, plugins, new IDS stuff, general rewrite
and cleanup of a lot of code, and general cleanup and stability fixes.
Always something.

War driving in town using kismet kinda reminds me of the VL glasses
in William Gibson's novel, Virtual Light. These data-glasses overlay
data and plans on top of your vision, the same way you can imagine
wireless networks and IP packets bouncing from building to building.
There are 3d GPS navigation gizmos on the market already; do you have
any long term plan to implement realtime 3d mapping? It would be fun!

I've toyed with the idea; of course, anyone who's interested can write
a GL client to tie into the client/server protocol.

Besides kismet any other projects or ideas?

I'm finishing up the cleanup of the smart-ap code I wrote for hope5 to
try to manage intelligent groups of access points in hostile
environments like hacker conventions.

Your girlfriend or wife isn't jealous you spend a lot of time on

Well, I'm single at the moment. I suppose that answers that question.
