Newbie Guide

NOTE: If a previous installation of KisMAC has been used, please make sure to delete the following files
if they exist (where '~' is your home folder):

 ~/Library/Preferences/de.binaervarianz.kismac.plist
 ~/Library/Preferences/com.kismac-ng.kismac.plist
 ~/Library/Preferences/org.kismac-ng.kismac.plist

Before you start using KisMAC, it is imperative that you familiarize yourself with the FAQ. This newbie
guide only gives most users a good starting point for operating KisMAC. For a reference of terminology,
visit this page. Also, please visit the hardware list to see whether your capture device is supported and
with what limitations/features.

KisMAC is NOT to be used to illegally connect to any Wi-Fi network, encrypted or otherwise. You MUST
have the network administrator or owner's express permission to test the network with KisMAC or ANY other
auditing tool. Cracking ANY encryption or testing without such permission is highly illegal internationally, and
will neither be condoned nor supported!

How to use KisMAC

1. Read the FAQ again (or for the first time). We cannot stress this enough. It will answer most questions
a new user will have and even some that older users will have.
2. Repeat step one.
3. Most users will need to download the latest binary from the downloads page. If you wish to build
your copy from source, there is an easy-to-follow guide here.
a. Most Leopard users wishing to use their AirPort or AirPort Extreme card will need to use r242
through the latest revision in the trunk. Be aware that these cards have significant restrictions;
see the AirPort page for more details.
b. Most Tiger users wishing to use their AirPort or AirPort Extreme card will need to use r239 in
the trunk. Be aware that these cards have significant restrictions; see the AirPort page for more
details.
c. Users of a USB device with Prism2 chipset should currently use r279 in the trunk for packet
reinjection support.
d. Users of a USB device with Ralink chipset (rt73, rt2570) or Realtek chipset (RTL8187L) should
use the latest revision in the trunk. We have finally merged the USB-Drivers/New-USB-Drivers
branches into the trunk as of r281.
4. Launch KisMAC. You may be prompted to authenticate. KisMAC must run on an account with
administrative access/control. Simply entering the credentials of an administrator is not enough.
KisMAC needs to be run by a member of the "admin" group.
5. Open KisMAC's preference window (COMMAND + COMMA hotkey works). Driver selection is going
to be the most important option and the only preference procedure covered in this tutorial.
a. Select the driver for your capture device's chipset. Again, refer to the hardware list if you do not
know.
b. Check which channels you wish to scan if you do not want to scan on all FCC/IC channels.
c. If you are using a Prism2 card or USB Intersil (with Prism2 chipset), Ralink (rt73 or rt2570
only), or Realtek (RTL8187L only) USB adapter and wish to use the device for injection, check
the "use as primary device" box. Currently, ONLY devices with these chipsets can inject under
KisMAC.
d. If you wish to save the raw packet dumps for later use with KisMAC or another third party
application, select the radio button for what you'd like to save in the PCAP dumps.
6. Exit KisMAC's preference window and click the 'Start Scan' button. There may be a brief pause before
you see the network list begin to populate.
a. If you notice that the signal-to-noise ratio is jumping, that's because channel hopping is enabled.
This is normal. If there is a specific SSID or channel that you would like to scan, select the
desired frequency from the channel list.
b. If you selected the "Apple Airport card, active mode" or "Apple Airport Extreme card, active mode"
driver, you will not collect data from networks. If you wish to collect data from networks using
your AirPort or AirPort Extreme, please use the "Apple Airport card, passive mode" or "Apple
Airport Extreme card, passive mode" driver instead.
7. You may view more information on a network by double-clicking its line in the network list. From this
view, you have the option to run various attacks on the network, including deauthentication,
authorization flood, or packet reinjection into the network to speed up the data collection process.
8. After you've collected enough packets, you may attempt to crack the network.
a. WEP Encryption
i. Weak Scheduling: Generally, UniqueIVs should be ≈ 200,000 to successfully run a Weak
Scheduling attack on 40/64-bit WEP and ≈ 1,000,000 on 104/128-bit WEP.

ii. Bruteforce/Wordlist: At least 8 data packets are required to run Bruteforce (including
Newsham's) and Wordlist attacks. KisMAC expects a simple wordlist: a plain text file
with no formatting which contains all the words and phrases that KisMAC will try for
you. The words/phrases need to be separated by newline or linefeed characters, with
one more after the last word in the list. You may find wordlists that others have created on
this page.

b. WPA/WPA2 Encryption
i. To crack a network encrypted with WPA/WPA2, you will need to capture the 4-way
EAPOL handshake when a valid client successfully connects to the wireless access
point. When you successfully capture a full handshake (a challenge and a response), the
"Ch/Re" gem on the network's line in the main Networks window will switch from red
to green. We also recommend using Growl as there is a notification displayed when
either half of the necessary handshake packets are captured. After you have this (you
only need one; subsequent ones will not make a difference) you can run a Wordlist
against the pcap dump to attempt to find the password.

ii. Wordlist: The ONLY currently known vulnerability of WPA/WPA2 encrypted networks
is brute force. The only cracking method that KisMAC allows on a WPA/WPA2
network is a wordlist attack. Again, KisMAC expects a simple wordlist: a plain text file
with no formatting which contains all the words and phrases that KisMAC will try for
you. The words/phrases need to be separated by newline or linefeed characters, with
one more after the last word in the list. You may find wordlists that others have created on
this page.
9. If KisMAC finds the WEP key, it will be displayed as hex (or hex AND ASCII, if applicable, in
newer builds). When attempting to join the network using a hex key, select the "WEP 40/128-bit hex"
option from the AirPort Wireless Security drop-down and enter the characters without the colons (':').
The OK button is only usable when you've entered the correct quantity of characters (either five or
thirteen bytes, each byte written as two hex characters). WPA/WPA2 passwords will be ASCII and you
will enter them verbatim into the password field when attempting to connect to the network.

10. If the password is not revealed after a cracking attempt or appears to be incorrect, you will either need
to collect more data, or the password may have changed during the packet collection process. Please
repeat the packet collection and cracking process or try another cracking method with the
information collected so far. Please be aware that the definitive source for network key recovery is
Aircrack-ng's cracking engine and suite of tools. While KisMAC does include Aircrack 0.3, it's really
quite old at this point and nowhere near as effective as the current Aircrack-ng suite of tools (currently at 1.0).
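Step 8.b.i says the "Ch/Re" gem turns green once both halves of the EAPOL handshake are in the dump, but it does not say how the halves are told apart. The following is an added example (not KisMAC code) that does that classification from the Key Information bits of EAPOL-Key frames. It assumes the EAPOL payload has already been extracted from the 802.11 data frame (e.g. by a pcap reader); the frames, nonces and RSN IE below are constructed test values with zeroed MICs, and `handshake_status` is a helper name chosen here. The same check is what a defender would run to confirm a handshake was captured during an authorised audit, or to flag unexpected handshakes in monitoring.

```python
import struct

# Layout of an EAPOL-Key frame once the 802.11 and LLC/SNAP headers have been
# stripped: EAPOL version, type, body length, then descriptor type, key
# information, key length, replay counter, nonce, IV, RSC, key ID, MIC and
# key data length, followed by the variable-length key data.
EAPOL_KEY_HDR = struct.Struct(">BBHBHHQ32s16sQQ16sH")
EAPOL_TYPE_KEY = 3
KEY_DESC_RSN, KEY_DESC_WPA = 2, 254          # 254 is the legacy WPA descriptor

# Key Information bits that tell the four handshake messages apart
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def build_eapol_key(key_info, nonce=bytes(32), key_data=b"", descriptor=KEY_DESC_RSN):
    """Construct a minimal EAPOL-Key frame for testing (MIC and IV left zeroed)."""
    body_len = EAPOL_KEY_HDR.size - 4 + len(key_data)   # EAPOL length excludes its own 4-byte header
    return EAPOL_KEY_HDR.pack(2, EAPOL_TYPE_KEY, body_len, descriptor, key_info, 16,
                              1, nonce, bytes(16), 0, 0, bytes(16), len(key_data)) + key_data


def parse_eapol_key(frame):
    """Decode the fields needed for classification; reject anything that is not EAPOL-Key."""
    if len(frame) < EAPOL_KEY_HDR.size:
        raise ValueError("truncated EAPOL frame")
    (_ver, ptype, _length, desc, key_info, _key_len, replay,
     nonce, _iv, _rsc, _kid, _mic, kd_len) = EAPOL_KEY_HDR.unpack_from(frame)
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame")
    if desc not in (KEY_DESC_RSN, KEY_DESC_WPA):
        raise ValueError(f"unknown key descriptor type {desc}")
    key_data = frame[EAPOL_KEY_HDR.size:EAPOL_KEY_HDR.size + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("key data truncated")
    return {"descriptor": desc, "key_info": key_info, "replay": replay,
            "nonce": nonce, "key_data": key_data}


def classify_message(key):
    """Map an EAPOL-Key frame to M1..M4 of the 4-way handshake (or 'group')."""
    ki = key["key_info"]
    if not ki & KI_PAIRWISE:
        return "group"                       # group-key handshake, not the 4-way exchange
    ack, mic, install, secure = (bool(ki & m) for m in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return "M1"                          # AP -> STA, carries the ANonce (the "challenge")
    if ack and mic and install:
        return "M3"                          # AP -> STA, ANonce again plus encrypted GTK
    if not ack and mic:
        # M2 carries the SNonce and the client's RSN IE in the key data.  RSN sets
        # Secure on M4; legacy WPA does not, but its M4 carries no key data at all.
        return "M4" if (secure or not key["key_data"]) else "M2"
    return "unknown"


def handshake_status(frames):
    """Return (messages seen, complete).  A capture counts as a full handshake
    when M2 (the "response") is present together with M1 or M3 (the ANonce)."""
    seen = {classify_message(parse_eapol_key(f)) for f in frames}
    return seen, "M2" in seen and ("M1" in seen or "M3" in seen)


# Constructed sample exchange: nonces and the RSN IE are synthetic test values,
# and the low bits (2) select the HMAC-SHA1/AES descriptor version.
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
M1 = build_eapol_key(KI_PAIRWISE | KI_ACK | 2, ANONCE)
M2 = build_eapol_key(KI_PAIRWISE | KI_MIC | 2, SNONCE, RSN_IE)
M3 = build_eapol_key(KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE | 0x1000 | 2,
                     ANONCE, bytes(24))      # 0x1000 = Encrypted Key Data bit
M4 = build_eapol_key(KI_PAIRWISE | KI_MIC | KI_SECURE | 2)

if __name__ == "__main__":
    for name, frame in (("M1", M1), ("M2", M2), ("M3", M3), ("M4", M4)):
        print(name, "->", classify_message(parse_eapol_key(frame)))
    print("first half only:", handshake_status([M1]))
    print("challenge + response:", handshake_status([M1, M2]))
```

Running the file prints each constructed frame's classification, then shows that a dump holding only M1 is incomplete while M1 plus M2 is enough, which matches the guide's remark that one full handshake suffices and later ones add nothing.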
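Steps 8.a.ii and 8.b.ii describe the wordlist format KisMAC expects, and step 9 describes how a recovered WEP key has to be typed into the AirPort dialog. Both are common sources of "it didn't work" reports, so here is an added example (not part of KisMAC) that prepares both inputs: `normalize_wordlist` rewrites a list to LF-separated, one entry per line, no blanks, trailing newline (and, for WPA, drops entries outside the 8..63-character passphrase range the standard allows), and `wep_key_to_hex` strips the colons and checks that the result is 10 or 26 hex digits. Function names and the sample lists are this example's own.

```python
import string

# Passphrase length limits for WPA/WPA2 pre-shared keys (IEEE 802.11i)
WPA_PSK_MIN, WPA_PSK_MAX = 8, 63


def normalize_wordlist(raw: bytes, wpa: bool = False) -> bytes:
    """Rewrite a wordlist into the form KisMAC expects: plain text, one
    candidate per line separated by newlines, no blank lines, and a newline
    after the final entry.  CRLF/CR line endings and a UTF-8 BOM (typical of
    files saved on other platforms) are normalised away.  With wpa=True,
    entries that can never be a valid WPA passphrase are dropped."""
    text = raw.decode("utf-8", errors="replace").lstrip("\ufeff")
    seen, out = set(), []
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line or line in seen:               # skip blanks and exact duplicates
            continue
        if wpa and not WPA_PSK_MIN <= len(line) <= WPA_PSK_MAX:
            continue
        seen.add(line)
        out.append(line)
    return ("\n".join(out) + "\n").encode("utf-8") if out else b""


def wep_key_to_hex(key: str) -> str:
    """Normalise a WEP key for the AirPort 'WEP 40/128-bit hex' field.
    KisMAC shows hex keys with colons; the field wants the bare digits, 10 or
    26 of them (5 or 13 bytes).  A 5- or 13-character ASCII key is converted."""
    digits = key.replace(":", "")
    if len(digits) in (10, 26) and all(c in string.hexdigits for c in digits):
        return digits.lower()
    if len(key) in (5, 13) and key.isascii():
        return key.encode("ascii").hex()
    raise ValueError(f"{key!r} is not a 40/64-bit or 104/128-bit WEP key")


if __name__ == "__main__":
    # Constructed sample: Windows line endings, a BOM, a blank line and a duplicate.
    messy = b"\xef\xbb\xbfpassword\r\n\r\nletmein\rpassword\n"
    print(normalize_wordlist(messy))
    print(normalize_wordlist(b"short\nlongenough1\n", wpa=True))
    print(wep_key_to_hex("0A:1B:2C:3D:4E"))      # as displayed by KisMAC
    print(wep_key_to_hex("hello"))               # 5-character ASCII key
```

The WPA filter is worth the extra line: a wordlist full of short entries wastes time on candidates the access point could never have accepted as a passphrase.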

How Do You Get Further Help?

1. Please make an effort to find the answer for yourself before asking other members for help. We cannot
stress this enough. Here are some helpful resources:
a. The FAQ
b. Searching our support documents
c. The forums: Use the search function! Many questions have been asked before.
2. If you come to the forums with a question and it's obvious that you've put the time in looking through
our documents, our community will be delighted to help you resolve your issue. Be sure to follow the
rules!
3. You may also try our IRC channel: #KisMAC.

What Hardware Should You Buy?

1. This is a frequently asked question.
2. Our hardware list is a more specific resource.
3. Have a look at what other members of our community use.
4. Check out the driver comparison table to see the functionality of devices in KisMAC based on
driver/chipset.