Kismet | Detect if You Are Being Hacked with Reaver

Discussion in 'Resources' started by Mr. Penguin, 20 Jul 2012.

  1. Mr. Penguin

    Mr. Penguin Administrator
    Staff Member Admin Moderator VIP

    18 May 2012
    Likes Received:
    Kismet-SVN now detects a WPS brute force attack underway via tools such as Reaver.

    Reaver exploits a weakness in WPS which reduces the potential keyspace to 11,000 PINs, exploitable in a matter of hours. Kismet WPS brute-force detection alerts on an access point which is doing an unusual amount of WPS traffic, specifically by monitoring for the M3 exchange of the WPS handshake. An access point should only perform a WPS exchange with new clients, excessive WPS communications indicate a likely attack.


    The WPS detector is implemented in the newly minted phy-neutral tracking layer of Kismet, which will become the primary tracking code in the next release of Kismet. As such, alerts are available from the client protocol under the standard *ALERT sentence, but will not be attached to the network list in the Kismet UI due to pending changes to code.

    To be most effective, Kismet should be locked onto the channel of the AP being monitored, however depending on the frequency of the attack, a channel-hopping instance should also detect it.

    [Update] When testing, don't forget to enable the WPABRUTE alert in your kismet.conf!

    [Update #2] Also included in Kismet-SVN by popular demand is a basic Ruby client which bridges Kismet alerts to syslog:

    Jan 10 11:15:27 drd1812 kismet: WPSBRUTE server-ts=1326212106 bssid=00:14:21:E6:8F:F8 source=00:14:21:E6:8F:F8 dest=18:3D:A2:4A:65:80 channel=1 IEEE80211 AP 'rootsdkwlan' (00:14:21:E6:8F:F8) sending excessive number of WPS messages which may indicate a WPS brute force attack such as Reaver

    [Update #3] Kismet-SVN now includes the plugin-alertsyslog server plugin, which also logs alerts to syslog, without needing ruby or needing to run a separate client.

    [Update #4] Expanded the timeline for WPS brute detection to 5 minutes to catch more during channel-hop configs. WPS negotiation is so rare that this shouldn't be triggering false positives even with the expanded window.

    Kismet SVN code is available via svn co kismet-devel
    • Like Like x 1
  • About Us

    We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting. Feel free to check out and upload resources.

    You can also find us on: Twitter and Facebook

  • Donate to Us

    Did you find our forums useful? Feel free to donate Bitcoin to us using the form below. Those who donate the equivlent of $10 USD or more will be upgraded to VIP membership. Don't have Bitcoin? Use your credit card to GO VIP here. Don't want to fork out some coin? There are other ways to GO VIP. Bitcoin: 1LMTGSoTyJWXuy2mQkHfgMzD7ez74x1Z8K