I would like to give a short introduction to my good friend Ted. Look, no last name here, Ted, Ted, just some random dude who hangs out here and on our Discord. And I said, man, I really want to re-implement this thing that dragorn wrote for old Kismet in new Kismet, but um, I suck at programming. So do you think maybe you could, like, anybody want to help? And he's like, oh, yeah, sure, I want to do that. And then he wrote the whole bloody thing and sent it to me, and I'm like, hey, cool, this works great, let's use this. So not only is he giving a talk about that and some other fun stuff that he's done, we're using his tool that he wrote, because I begged for somebody, anybody, to write it, for our gear talk, to talk about how we select gear. So, um, yeah, Kismet is an amazing tool and it's got an amazing REST interface, and you can apparently spend a few hours and make several really neat things. So listen to Ted, no last name here.

Hi, hey, I'm Ted. I started doing wireless capture the flag with these guys about a year ago at BSides DC, and I kind of have been addicted ever since. So, yeah, I'm Ted. This is my talk.
This is my first time at DEF CON, be gentle. But it's not a TED talk. If you don't already know what Kismet is and you're in this room, you should Google it. Kismet is good. Kismet happens to have a REST API. I think technically it's a REST-like API, but whatever, it has an interface that you can use over HTTP to get lots of really cool information out of it. The reason I wanted to give this talk was because I like integrating things and making tools, and this is a really powerful way to do that for Wi-Fi and other types of stuff that Kismet does, so I figured people here might be into it.

Like I said, it's an HTTP interface. You make requests to it, so you can ask it for its status about the host system, you can ask for a status about specific devices, and it gives you back lots and lots of JSON, which you can then parse and do fun things with. My favorite feature of the REST API is actually that you can get pcap over HTTP. I'll talk about that later, but extremely powerful integration opportunities there. And it's also, for an open-source project, extremely well documented. The guy that writes Kismet, dragorn, obviously put a lot of time into documenting this REST API, which makes it a lot easier to use.

Like Zero Chaos said, kind of my introduction to the Kismet REST API was the program Shootout that he wrote, that needed to be refactored because Kismet changed significantly a couple years ago. And I kind of just wanted to learn new things and help this group out, because like I said, I'm addicted to WCTF. So I'm actually taking time away from it to tell you this.

Right, so this was kind of a funny story. So I'm the C++ programmer, and so when this idea, when the Shootout needed to be refactored, it was written in Ruby, and you know, nobody programs in Ruby. So I wanted to rewrite it in C++ and make a Kismet plugin, because that was kind of the old school way of doing it. So I went in dragorn's Discord and talked to him, and it was like, you know, what's the best way to do this? And he was like, don't write a plugin, just use the REST API, everything you need is right there. I kept trying to write a plugin though, because I don't know, I don't know why. So I wasted a lot of time. Realized writing Kismet plugins is hard. There are good reasons to do that if you're adding a new phy or, I don't know, you want to add something to the packet chain or whatever. For everything else, use the REST API. So it's kind of a lesson learned: trust dragorn, use simple APIs when possible. Anyway, they end up working. This is what Shootout looks like.
I'm not going to go too much into what Shootout does and what it looks like, but I am going to talk about how it works, because it's very relevant to the talk. I think the Village people are going to go into how to use it and what it does later. So basically, Shootout, you give it a list of data sources for Kismet, and using the REST API it grabs packet counters for all of them and kind of compares them. So when you first start up, obviously it's got to connect. It's got to make sure that the interfaces that you told it to look for are actually there, and if they're not... well, if they're there but they're not enabled, it will enable them for you. And then it just goes into a loop forever and ever and grabs the device JSON and looks at the packet counters and compares the received packet count for each device. So it tunes them all to the same channels. So the idea is, given some initial offset, they should all be seeing the same number of packets. So it gives you a super non-scientific rough idea of monitor mode performance for Wi-Fi cards.

Anyway, the way you make all that stuff happen is using the REST API endpoints. So they have kind of a general format where, you know, it's some URI, right? So you're actually going like HTTP and then usually localhost:2501, and then some topic. I just kind of made that word up there, like either system or devices or something else. Criteria, I also kind of made that up and shoved that in there. Like, some of the topics have filters, so you can filter by a key or by MAC address. We'll talk about that more later. And then a serialization. So the primary serialization you're going to use, if you're interested in this, is probably JSON. There's also EK JSON, which I have no idea what that is. It's some big data thing, I don't do that. And then there's pretty JSON, which, you know, makes the JSON have newlines in it.

So some examples. I mentioned the system status. There's actually a ton of data in there, like if you run it on a laptop. It gives you like your battery life, it gives you CPU temperature. For this crazy laptop, it actually tells me the temperature of my internal Wi-Fi card. It's cool. The device status, basically there's two ways to look at that: you can see it by key or by MAC. Again, we'll get into it later, but you know, you give Kismet via this URI a MAC address and it gives you back all the JSON. Data source status is actually how we do Shootout. So that's polling for each... each data source has its own big JSON object, and you get that back each time you access this URI. Location is something that I haven't messed with too much, but I'm really interested in. So you may already know that Kismet can take data from gpsd, can take NMEA 0183 data over the network or something like that. If you don't have one of those fancy things, you can also tell Kismet where it is by sending a command to that location endpoint, which is sort of neat. So if you were running Kismet in some place where you don't have normal GPS, or you have some fancy GPS that doesn't do that stuff, you could still do this integration entirely using the REST API without having to write crazy fancy code. And then, like I said, my favorite thing, getting pcap.

The device JSON is like 400 lines or something. If you shove it in Sublime and like pretty JSON it, it's a lot of data. So there's a lot of detail in there. The thing that I'm usually looking at is received signal strength. He just calls it last signal, I think. But there's tons of stuff in there. There's round robin databases for signal strength and packet counts and all kinds of stuff.

So here's an example. I'm gonna move this a little bit. So this is one of the tools that I kind of whipped up just to show what the REST API can do. So I'm running Kismet, and you guys, you ever see one of these? This is an ESP8266.
It's like an IoT microcontroller. It's basically an Arduino with Wi-Fi. This one happens to be serving up an access point called WCTF underscore King of the Hill, which may have significance to those people. Interestingly, there were so many people connected to this fake King of the Hill that it was crashing. So hopefully it's not crashed right now. Anyway, the KR RSSI tool uses the Kismet REST API based on this MAC. So I'm feeding it... wow, that's small. You have to trust me. I'm giving it a MAC address, and then basically it's just showing you this shitty little bar of received signal strength. So if I go over here or cover this up or something, you should see the signal strength go down, and if I get closer to my little TP-Link fancy card, it's turning red, which is, you know, more signal. So that's how that works. Really simple tool. It's just polling the REST API at one hertz using that device endpoint.

Another slightly more sophisticated version of the RSSI tool does the same thing, but instead of using... so that last tool used a scalar field in the REST API. So it's just telling you this is instantaneously the last signal strength that I saw for the MAC address you just gave me. There's also a round robin database in there that gives you 60 seconds' worth of that data, obviously with one second interval. So I made a tool to use that instead, and it gives you this pretty little graph. And you probably can't read it, but on the screen it's showing you the big vector. These programs are written in Python, and there's a cool JSON library for Python. It basically turns raw JSON into Python dictionaries, which is super convenient. So I'm just dumping out that dictionary there to show you the received signal strength, and then I'm feeding that to pyplot, which is, you know, doing fancy things. So again, it's kind of harder to see. Oh, yeah, okay. It's not harder to see. The signal got stronger when I made it close. So anyway, that's KR RSSI and RSSI 2.

So those use the REST API to look at signal strength, but there's more. So in addition to just kind of passively polling for stuff, you can send commands to Kismet over the same API. Again, it's all in JSON. So two examples up here. You can add a data source. Remember how I was talking about Shootout? Like, it would be a pain if I wanted to test, say, 30 Wi-Fi cards, and for each one of those I had to test I needed to go into the web UI and like click on that source to enable it. Like, that'd get annoying. So Shootout adds them all for you. So basically this add data source, or this add_source.cmd endpoint, takes an interface Kismet knows about and turns it into a data source. And then the set channel endpoint similarly, you know, sets a channel. You can also set hopping and hop rate and other things like that. Like I said before, it's really well documented. Google it.

Here's an example that actually kind of solves a practical problem. So actually, I'll show you this first. Have any of you, hopefully you're using Kismet, have any of you seen this issue where, like, you go into the web GUI and you click lock and then you click on a channel, and it doesn't actually do that? It lights up for a second and then goes back to whatever channel it was on. Super annoying. So to overcome that, I used the REST API to make a little program, KR tune, that lets me change to a different channel. So right now I'm gonna change... T2UH is my little Wi-Fi adapter up here. I'm gonna change to channel six. Cool, done. I'm gonna go back to one, because that's where my fake King of the Hill is. Anyway, that's really convenient if you're having that issue, and it's also exactly how Shootout works. If those would be beneficial to you all, they're on my GitHub.
It's there. If you don't feel like, I don't know, typing that out or something, just come ask me.

So dragorn put a lot of work into this. A feature like this, like, you would only add something like this if you were really thinking hard about how somebody would use this API. Field selection lets you limit the amount of JSON you get back. So I said before, and I kind of showed a little snippet of it, the JSON you get back from the Kismet REST API, like for a device, is like 400 lines. Serializing anything via some text-based mechanism like XML or JSON is hugely inefficient in terms of bandwidth. So field selection lets you tell Kismet, I want the device JSON, but I really only care about this one field. And you can do that by using a command, just like the command I showed you before, or you can actually just tack some stuff onto the URL to filter it. So when you use command-based selection, basically you just make a command, it looks like this, that has a fields property, and you shove all the fields that you want into an array, and boom, that's it. Kismet gives you back what you want. When you do it via URI, that's probably really hard for you to read, but you can trust me that after device.json there's a bunch of fields tacked on to the end. So they do the same thing. They're just slightly different.

Right, pcap. So the sort of powerful thing you can do with the REST API is this all_packets.pcapng. That is every packet that Kismet is seeing, no matter how many sources you have. So you're gonna get lots of packets, like if you're over there, you know, with 30 Wi-Fi cards and stuff. You can limit that to one data source, which I don't know why you'd do that, but you can do it. And the really powerful thing is you can limit it by device. So I can tell Kismet, no matter how many devices I have, no matter how many data sources I have, I can tell it, I want the pcap, but only from this thing. Which is incredibly powerful when you're playing that game and there's people with, you know, fake challenges, and there's just tons of Wi-Fi. Like, if you were to open up that all packets over there, it probably would crash Wireshark, there's too much. So anyway, before I get to that, I'll show you what that looks like. So hopefully this works. Instead of using Python, I'm just using curl right from the command line. This is kind of a one-liner. I'm logging into Kismet, I'm telling it I want devices by key. You can get that key from the web user interface, you can copy-paste it. And then slash pcap, then slash the key again for some reason, dot pcapng. And you can pipe that to Wireshark and tell it to read from standard input. And then magic happens. This is just the traffic from this little device right here, even though there's lots and lots of traffic. I keep pointing over there because that's where the game is happening, and those guys are doing all kinds of crazy things making more traffic. But Kismet filtered this for me, which is really cool. Especially if you're, you know, looking for that needle in a haystack, you're looking for one emitter in a sea of other emitters. This is a really powerful integration tool.

No, I don't want to say that. I don't care. Okay.

There are some advanced endpoints that honestly I haven't looked at that much, but I wanted to mention because they seem really cool to me. Views is kind of like a database view thing. I haven't used it, so I don't know how it works, but you can combine different sets of data and filter them by defining these views. Points of interest sounds kind of cool to me. There's a way you can send a command to that endpoint and tell it, right now at this moment in time, something super interesting to me happened.
So Kismet is logging all this stuff to an SQLite database, so you can go back in time after, you know, for post-event analysis, or if you're up late in the hotel room trying to get more flags, you can go back and look and see, you know, hey, what time did that thing that doesn't happen that often happen? And then Kismet DB. I mentioned pcap. I don't have a demo for this, unfortunately, but another really powerful thing with the Kismet REST API and pcap is you can go back in time. So the curl kind of one-liner piping to Wireshark that I showed you is real-time data ingest for all sources for the filter selection that I picked. You can go back and you can tell Kismet, I want all the pcap between this date timestamp and this other date timestamp, which I also think is really cool.

Again, like I said in the beginning, the reason I think this is interesting is because there's a lot of bad APIs out there. There's tons of bad code. There's tons of poorly documented code. This is not those things. It's really good. And I think there's lots of opportunity to make new tools and to integrate Kismet with, you know, whatever kind of system you can dream up that cares about Wi-Fi. So that's it. That's my talk. Hope you guys get something out of that. Kismet, it's cool. Please use it. Thanks.
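As an added example, not Ted's tools and not Kismet's own code: a Python sketch of the polling pattern the talk describes, building a host:2501/topic/criteria.serialization URI, sending a field-selection command with a fields array, reading last signal out of the device JSON, and drawing the RSSI bar. The field path, the by-key URIs, the "json" form-field convention and the basic-auth login are assumptions about Kismet's API and should be checked against its documentation; SAMPLE_DEVICE is a constructed reply.

```python
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

KISMET = "http://localhost:2501"       # default host:port from the talk
AUTH = ("kismet", "CHANGEME")          # placeholder httpd login, set in Kismet's config
LAST_SIGNAL = "kismet.device.base.signal/kismet.common.signal.last_signal"  # assumed field path
SAMPLE_DEVICE = {"kismet.device.base.signal": {"kismet.common.signal.last_signal": -57}}  # constructed

def endpoint(*parts, serialization="json"):
    """URI of the shape the talk describes: host:2501/<topic>/<criteria>.<serialization>."""
    return f"{KISMET}/{'/'.join(parts)}.{serialization}"

def pcap_url(key):
    """Per-device pcap-ng stream from the curl demo: devices/by-key/KEY/pcap/KEY.pcapng."""
    return f"{KISMET}/devices/by-key/{key}/pcap/{key}.pcapng"

def field_command(*fields):
    """Field-selection command: JSON with a 'fields' array, sent in a 'json' form field (assumed)."""
    return urllib.parse.urlencode({"json": json.dumps({"fields": list(fields)})}).encode()

def dig(obj, path):
    """Read a slash-separated field path, whether the reply is nested or keyed by the full path."""
    if path in obj:
        return obj[path]
    for part in path.split("/"):
        obj = obj[part]
    return obj

def rssi_bar(dbm, width=40, floor=-90, ceiling=-30):
    """The 'little bar' from the demo: clamp dBm into [floor, ceiling] and scale to width."""
    frac = (min(max(dbm, floor), ceiling) - floor) / (ceiling - floor)
    filled = round(frac * width)
    return "#" * filled + "." * (width - filled)

def fetch_device(key, *fields):
    """POST a field-selection command to the by-key device endpoint and parse the reply."""
    req = urllib.request.Request(endpoint("devices", "by-key", key, "device"), data=field_command(*fields))
    req.add_header("Authorization", "Basic " + base64.b64encode(":".join(AUTH).encode()).decode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

if __name__ == "__main__":
    key = sys.argv[1]                  # device key copied from the Kismet web UI
    while True:                        # poll at 1 Hz, like the KR RSSI tool
        dbm = dig(fetch_device(key, LAST_SIGNAL), LAST_SIGNAL)
        print(f"{dbm:5d} dBm {rssi_bar(dbm)}", flush=True)
        time.sleep(1)
```

Run it as `python kr_rssi_example.py <device-key>` against a live Kismet; the helpers can be exercised offline with SAMPLE_DEVICE.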