Kismet + Metasploit?

[bobbyb1980]

Hello all. I've been experimenting a lot lately on my home network. I've found for pentesting msf3 works great but it lacks one thing - nmap often isn't adequate for network scanning in a timely fashion (or resource friendly!). Often times I scan the network with nmap, but it seems like just about everybody can hide from the basic nmap scan (I know I can do more thorough scans but they are very time consuming). So what I do is use Kismet to match IP's and MAC addresses and map out the network.

I was wondering if it is somehow possible to save kismet's output (regarding MAC's & IP's) in .xml or .nbe format and then I would be able to use "db_import kismet.xml" to msfconsole can see the network more clearly?

I am able to find the IP's on the network, but I am having problems getting Metasploit to see them. For some reason my version of metasploit doesn't support "db_add_entry" feature so everything must be imported. I'll often find a single ip (via kismet), use nmap to do a quick scan (nmap -sP target -oA target or similar) then I'll upload the .xml file that nmap gives me, but when I issue "hosts" in msf I can't see my target.

I am running msf3 (full version), BT5, MySQL and the mysql driver in msfconsole (tried postgresql but I got a lot of different errors and find that MySQL is more stable).

Any ideas?

[Infiltrator]

msf > load db_mysql 

Is this how you are loading the mysql database command? Also make sure your metasploit has the latest updates.

http://en.wikibooks.org/wiki/Metasploit/UsingMetasploit

Edited September 22, 2011 by Infiltrator

[bobbyb1980]

After exhausting all other previous options I tried using Armitage and I was able to manually add hosts and do successful nmap scans. I don't know what Armitage does differently than plain old msfconsole, but it works. It's also worth saying metasploit seems to be very particular in the files that it imports (ie it will import nmap scans but only -oX ones and not say -oA scans) and I think this has something to do with my problems.

I am having one other problem. I know it's probably due to my n00bn3ss, but on one network in particular (Cisco) I can't map the thing! I've tried doing Nmap quick scans, ping scans, and it finds nothing. I've also tried using Kismet to get ip's, and I don't know why but Kismet gives me a bad IP's (I'll try to ping them and they're down). I've also tried using arp-scan and that will only reveal the IP/MAC of my machine and the router.

Do certain AP's broadcast bogus ARP information to try to confuse people who are mapping the network? On this network I seem to only be able to communicate with the router and no one else. I attached 4 other machines to the network so I know they are there and they all stay hidden very well. Whats going on?!

[Infiltrator]

If this is not your network, I can certainly say that whoever is the network administrator of it, he must have have tighten the security pretty darn good. Cisco switches in particular, comes with a security feature that prevents arp poisoning from taking place. So in this circumstance you won't be able to arp spoof the network.

How are you connected to the network via wireless or wired connection?

Also have you checked Kismet documentation for more details?

http://www.kismetwireless.net/documentation.shtml

Edited September 24, 2011 by Infiltrator

[bobbyb1980]

The security is quite high, finally I was able to get Nmap to map it after trying a particular string (have it written down can't remember).

It seems that Cisco routers either broadcast or have some mechanism that responds to arp requests with bogus information. Clients cannot communicate with each other using a regular ping (I read that could have something to do with a switch). It would seem that the router is trying to stop arp cache poison attacks (pretty cool way of doing it).

[Infiltrator]

The security is quite high, finally I was able to get Nmap to map it after trying a particular string (have it written down can't remember).

It seems that Cisco routers either broadcast or have some mechanism that responds to arp requests with bogus information. Clients cannot communicate with each other using a regular ping (I read that could have something to do with a switch). It would seem that the router is trying to stop arp cache poison attacks (pretty cool way of doing it).

If you are on wireless network there is a security feature called "AP Isolation", which basically isolates yourself from any other wireless client. So in this case you won't be able to see any wireless client but yourself and the router.

Edited September 24, 2011 by Infiltrator

[bobbyb1980]

Thanks for explaining that to me Infiltrator, I've read about AP isolation but never realized that's what this is (duh).

Maybe I'm wrong, but it seems like AP Isolation relies on MAC addresses and ARP caches (the client knows the router's MAC, therefore it knows who to trust and who not to trust). So in theory, I should be able to fire up airodump or kismet, find out the mac addy of the router, then set my MAC as the router's MAC and, in theory, all clients on the network would then trust me. The rules SEEM to be set at the MAC addy layer, so if I set my MAC addy to that of my router, the victim would then have my MAC in their arp cache and therefore be allowed to trust me and we would be able to ping each other (regardless of the fact that I'd have a different IP than than the router)? It's on my list of things to do : )

I want to see how deep the wormhole goes but I don't think it has a bottom :P

[Infiltrator]

AP Isolation does rely on Mac address, and in order to work the router maintains a table containing all the MAC addresses of all devices it knows. However by changing your MAC address to the router's MAC address, it won't make any difference it will more than likely cause the router to drop all the packets, since it won't know to which device to send it to because of the duplicated MAC addresses.

But its an interesting theory and worth testing it out to really find out.