Newbie Guide

NOTE: If a previous installation of KisMAC has been used, please make sure to delete the following files if they exist:

  • ~/Library/Preferences/de.binaervarianz.kismac.plist (where '~' is your home folder)
  • ~/Library/Preferences/com.kismac-ng.kismac.plist (where '~' is your home folder)
  • ~/Library/Preferences/org.kismac-ng.kismac.plist (where '~' is your home folder)

Before you start using KisMAC, it is imperative that you familiarize yourself with the FAQ. This newbie guide only gives most users a good starting point for operating KisMAC. For a reference of terminology, visit this page. Also, please check the hardware list to see whether your capture device is supported and with what limitations/features.

KisMAC is NOT to be used to illegally connect to any Wi-Fi network, encrypted or otherwise. You MUST have the network administrator or owner's express permission to test the network with KisMAC or ANY other auditing tool. Cracking ANY encryption or testing without such permission is highly illegal internationally, and will neither be condoned nor supported!

How to use KisMAC

  1. Read the FAQ again (or for the first time). We cannot stress this enough. It will answer most questions a new user will have and even some that older users will have.
  2. Repeat step one.
  3. Most users will need to download the latest binary found at the downloads page. If you wish to build your copy from source, there is an easy-to-follow guide here.
    1. Most Leopard users wishing to use their AirPort or AirPort Extreme card will need to use r242 through the latest revision in the trunk. Be aware that these cards have significant restrictions; see the AirPort page for more details.
    2. Most Tiger users wishing to use their AirPort or AirPort Extreme card will need to use r239 in the trunk. Be aware that these cards have significant restrictions; see the AirPort page for more details.
    3. Users of a USB device with Prism2 chipset should currently use r279 in the trunk for packet reinjection support.
    4. Users of a USB device with Ralink chipset (rt73, rt2570) or Realtek chipset (RTL8187L) should use the latest revision in the trunk. We have finally merged the USB-Drivers/New?-USB-Drivers branches into the trunk as of r281.
  4. Launch KisMAC. You may be prompted to authenticate. KisMAC must run from an account with administrative access. Entering an administrator's credentials at the prompt is not enough: the account that launches KisMAC must itself be a member of the "admin" group.
  5. Open KisMAC's preference window (COMMAND + COMMA hotkey works). Driver selection is going to be the most important option and the only preference procedure covered in this tutorial.
    1. Select the driver for your capture device's chipset. Again, refer to the hardware list if you do not know.
    2. Check which channels you wish to scan if you do not want to scan on all FCC/IC channels.
    3. If you are using a Prism2 card or USB Intersil (with Prism2 chipset), Ralink (rt73 or rt2570 only), or Realtek (RTL8187L only) USB adapter and wish to use the device for injection, check the "use as primary device" box. Currently, ONLY devices with these chipsets can inject under KisMAC.
    4. If you wish to save the raw packet dumps for later use with KisMAC or another third party application, select the radio button for what you'd like to save in the PCAP dumps.
  6. Exit KisMAC's preference window and click the 'Start Scan' button. There may be a brief pause before you see the network list begin to populate.
    1. If you notice that the signal-to-noise ratio is jumping, that is because channel hopping is enabled. This is normal. If there is a specific SSID or channel that you would like to scan, select the desired channel from the channel list; KisMAC then stays on that frequency instead of hopping.
    2. If you selected the Apple Airport or Airport Extreme card, active mode driver, you will not collect data from networks. If you wish to collect data from networks using your AirPort or AirPort Extreme, please use the Apple Airport card, passive mode or Apple Airport Extreme card, passive mode driver instead.
  7. You may view more information on a network by double clicking its line in the network list. From this view, you have the option to run various attacks on the network including deauthentication, authorization flood, or reinject packets into the network to speed up the data collection process.
  8. After you've collected enough packets, you may attempt to crack the network.
    1. WEP Encryption
      1. Weak Scheduling: Generally, UniqueIVs should be ≈ 200,000 to successfully run a Weak Scheduling attack on 40/64-bit WEP and ≈ 1,000,000 on 104/128-bit WEP.
      2. Bruteforce/Wordlist: At least 8 data packets are required to run Bruteforce (including Newsham's) and Wordlist attacks. KisMAC expects a simple wordlist: a plain text file with no formatting which contains all the words and phrases that KisMAC will try for you. Each word/phrase must be terminated by a newline (linefeed) character, including the last one in the list. You may find wordlists that others have created on this page.
    2. WPA/WPA2 Encryption
      1. To crack a network encrypted with WPA/WPA2, you need to capture the 4-way EAPOL handshake that is exchanged when a valid client successfully connects to the access point. When you have captured a full handshake (a challenge and a response), the "Ch/Re" gem on the network's line in the main Networks window switches from red to green. We also recommend installing Growl, as KisMAC posts a notification when either half of the handshake is captured. Once you have one handshake (subsequent ones make no difference), you can run a wordlist against the pcap dump to attempt to recover the passphrase.
      2. Wordlist: Against WPA/WPA2 with a pre-shared key there is no shortcut comparable to WEP's weak IVs: the attack is offline guessing of the passphrase from the captured handshake, which is why the passphrase's strength is what matters. The only cracking method KisMAC offers for WPA/WPA2 is a wordlist attack. Again, KisMAC expects a simple wordlist: a plain text file with no formatting which contains all the words and phrases that KisMAC will try for you. Each word/phrase must be terminated by a newline (linefeed) character, including the last one in the list. You may find wordlists that others have created on this page.
  9. If KisMAC finds the WEP key, it is displayed as hex (or hex AND ASCII, if applicable, in newer builds). To join the network with a hex key, select "WEP 40/128-bit hex" from the AirPort Wireless Security drop-down and enter the hex digits without the colons (':'). The OK button only becomes usable once you have entered the correct number of characters: a 40-bit key is 5 bytes (10 hex digits) and a 104-bit key is 13 bytes (26 hex digits). WPA/WPA2 passphrases are ASCII; enter them verbatim into the password field when connecting to the network.
  10. If no password is revealed after a cracking attempt, or the result appears to be incorrect, you either need to collect more data, or the key may have changed while you were collecting packets. Repeat the capture and cracking process, or try another cracking method on the data already collected. Be aware that the definitive tool for network key recovery is Aircrack-ng's cracking engine and suite of tools. KisMAC does include Aircrack 0.3, but it is quite old at this point and nowhere near as effective as the current Aircrack-ng suite (currently at 1.0).
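The wordlist format described in steps 8.1.2 and 8.2.2 is strict (one entry per line, linefeed after every entry, no formatting), and lists downloaded from elsewhere often arrive with CRLF endings, a byte-order mark, duplicates and a missing final newline. The script below is an added example, not KisMAC's own code: it normalizes a list into the form KisMAC reads and, for WPA/WPA2, drops entries that can never be a valid PSK passphrase (fewer than 8 or more than 63 printable ASCII characters), since every such entry costs a full PBKDF2 run for nothing. The sample wordlist inside it is constructed for illustration.

```python
"""Normalize a candidate wordlist into the plain newline-separated form KisMAC
expects and drop entries that cannot be a WPA/WPA2 passphrase. Added example,
not KisMAC code; the sample wordlist below is made up."""

WPA_MIN, WPA_MAX = 8, 63   # 802.11i: a PSK passphrase is 8 to 63 printable ASCII chars

# Constructed input with the usual defects: a UTF-8 BOM, CRLF line endings,
# a blank line, a duplicate, a 7-char entry, a 64-char entry, no final newline.
RAW_WORDLIST = (
    "\ufeffpassword\r\n"
    + "letmein\n"
    + "password\n"
    + "   \n"
    + "correct horse battery staple\r\n"
    + "x" * 64 + "\n"
    + "Sommer2008"
)


def normalize_wordlist(text):
    """Unique, non-blank candidates in original order, with BOM and CR/LF removed."""
    seen, words = set(), []
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        word = line.lstrip("\ufeff")
        if not word.strip() or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def is_wpa_candidate(word):
    """A passphrase outside 8..63 printable ASCII characters is never a valid
    WPA/WPA2-PSK passphrase, so trying it only burns PBKDF2 time."""
    return WPA_MIN <= len(word) <= WPA_MAX and all(32 <= ord(c) <= 126 for c in word)


def kismac_wordlist_bytes(words):
    """One candidate per line, LF-terminated, including after the last one."""
    return "".join(w + "\n" for w in words).encode("ascii", "replace")


def write_wordlist(text, path, wpa_only=False):
    """Normalize `text` and write it to `path`; returns the number of words written."""
    words = normalize_wordlist(text)
    if wpa_only:
        words = [w for w in words if is_wpa_candidate(w)]
    with open(path, "wb") as f:
        f.write(kismac_wordlist_bytes(words))
    return len(words)


if __name__ == "__main__":
    import tempfile
    out = tempfile.mktemp(suffix=".txt")
    print(write_wordlist(RAW_WORDLIST, out, wpa_only=True), "words written to", out)
```

Run it with `wpa_only=False` when preparing a list for the WEP wordlist attack, where the length restriction does not apply.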
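Step 8.2.1 says a WPA/WPA2 attack needs a full handshake in the saved pcap dump, and the Ch/Re gem is the only indication KisMAC gives. The following script is an added example (not KisMAC code) of how to check a dump yourself: it reads a classic pcap of raw 802.11 frames (link type 105, as a monitor-mode capture without radiotap headers), identifies EAPOL-Key messages from their Key Information bits, and reports per BSSID/client pair whether a crackable pair was captured, that is message 1 plus message 2 with matching replay counters, or message 2 plus message 3 with the counter incremented. The access point, client addresses and frames it processes are constructed inside the script; the detector functions work on a real dump of that link type.

```python
"""Detect captured WPA/WPA2 4-way handshakes in a pcap of raw 802.11 frames
(link type 105, no radiotap header). Added example, not KisMAC code; the
BSSID, client addresses and frames below are constructed."""
import struct

DLT_IEEE802_11 = 105
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")          # LLC/SNAP + ethertype 0x888e
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x08, 0x40, 0x80, 0x100, 0x200


def classify_key_info(key_info):
    """Map the EAPOL-Key 'Key Information' bits to message number 1..4.
    M2 and M4 both carry a MIC without ACK; the Secure bit separates them
    (aircrack-ng additionally checks the key-data length, skipped here)."""
    ack, mic, secure = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_SECURE
    if ack and mic:
        return 3
    if ack:
        return 1
    if mic:
        return 4 if secure else 2
    return None


def parse_frame(frame):
    """Return (bssid, client, msg_no, replay_counter) for an EAPOL-Key data
    frame, or None for any other frame."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0x08:        # type must be Data
        return None
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    addr1, addr2 = frame[4:10], frame[10:16]
    if from_ds and not to_ds:                                # AP -> client
        bssid, client = addr2, addr1
    elif to_ds and not from_ds:                              # client -> AP
        bssid, client = addr1, addr2
    else:
        return None                                          # IBSS/WDS: ignore
    body = frame[24 + (2 if frame[0] & 0x80 else 0):]       # QoS Data adds 2 bytes
    if len(body) < 12 + 95 or not body.startswith(LLC_SNAP_EAPOL) or body[9] != 3:
        return None                                          # not EAPOL-Key (type 3)
    key_info, _, replay = struct.unpack(">HHQ", body[13:25]) # after LLC(8)+EAPOL(4)+desc(1)
    msg = classify_key_info(key_info)
    return None if msg is None else (bssid.hex(":"), client.hex(":"), msg, replay)


def parse_pcap(data):
    """Yield the frames of a classic (non-pcapng) pcap file of link type 105."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack(e + "I", data[20:24])[0] != DLT_IEEE802_11:
        raise ValueError("expected DLT_IEEE802_11 (105); strip radiotap first")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl


def find_handshakes(pcap):
    """Per (bssid, client): messages seen, and whether a crackable pair exists:
    M1+M2 with equal replay counters, or M2+M3 with M3's counter one higher."""
    seen = {}
    for frame in parse_pcap(pcap):
        rec = parse_frame(frame)
        if rec:
            bssid, client, msg, replay = rec
            seen.setdefault((bssid, client), set()).add((msg, replay))
    return {pair: {"messages": sorted({m for m, _ in msgs}),
                   "complete": any((1, r) in msgs or (3, r + 1) in msgs
                                   for m, r in msgs if m == 2)}
            for pair, msgs in seen.items()}


# --- constructed sample capture (not a real network) -------------------------
def eapol_key_frame(bssid, client, from_ap, key_info, replay, nonce=b"\x00" * 32):
    """Minimal 802.11 Data frame carrying an RSN EAPOL-Key message (MIC and
    key data zeroed; only the fields the detector reads are meaningful)."""
    flags = 0x02 if from_ap else 0x01                        # FromDS / ToDS
    a1, a2 = (client, bssid) if from_ap else (bssid, client)
    key = b"\x02" + struct.pack(">HHQ", key_info, 16, replay) + nonce + b"\x00" * 50
    body = LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(key)) + key
    return bytes([0x08, flags, 0, 0]) + a1 + a2 + bssid + b"\x00\x00" + body


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


AP, STA1, STA2 = (bytes.fromhex(h) for h in ("00c0ca1b2c3d", "001b630a0b0c", "0017f2010203"))
SAMPLE_PCAP = build_pcap([
    eapol_key_frame(AP, STA1, True, KI_PAIRWISE | KI_ACK, 1),                  # M1 (ANonce)
    eapol_key_frame(AP, STA1, False, KI_PAIRWISE | KI_MIC, 1, b"\x11" * 32),  # M2 (SNonce+MIC)
    eapol_key_frame(AP, STA2, True, KI_PAIRWISE | KI_ACK, 7),                  # M1 only: useless
    eapol_key_frame(AP, STA1, True, KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE, 2),
])

if __name__ == "__main__":
    for (bssid, client), info in find_handshakes(SAMPLE_PCAP).items():
        print(bssid, client, info)
```

A lone message 1, as for the second client above, is what a half-green Growl notification corresponds to: the AP's ANonce alone gives you nothing to verify a passphrase guess against, so keep capturing (or deauthenticate the client so it reconnects) until a matching message 2 arrives.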
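Step 9's rule about key length trips people up because KisMAC prints the key as colon-separated bytes while the AirPort dialog counts hex digits. The helper below is an added example, not KisMAC code: it strips the colons, rejects anything that is not exactly 5 or 13 bytes (10 or 26 hex digits), and shows the ASCII form when every byte is printable, which is the case where KisMAC's newer builds display both. The keys in it are made-up values for illustration.

```python
"""Convert the WEP key KisMAC displays (colon-separated hex bytes) into what the
AirPort "WEP 40/128-bit hex" dialog wants, and show the ASCII form when every
key byte is printable. Added example, not KisMAC code; the sample keys are made up."""
import binascii

WEP_KEY_SIZES = {5: "40/64-bit", 13: "104/128-bit"}   # key bytes -> key name


def airport_wep_key(kismac_key):
    """kismac_key looks like '0a:1b:2c:3d:4e'. Returns the hex string to type
    into the AirPort dialog (10 or 26 hex digits), the key size, and the ASCII
    rendering if the key is also a valid ASCII key, else None."""
    hexdigits = kismac_key.replace(":", "").replace(" ", "").lower()
    try:
        raw = binascii.unhexlify(hexdigits)
    except binascii.Error as exc:
        raise ValueError(f"not a hex key: {kismac_key!r}") from exc
    if len(raw) not in WEP_KEY_SIZES:
        raise ValueError(f"WEP keys are 5 or 13 bytes; got {len(raw)}")
    printable = all(32 <= b < 127 for b in raw)
    return {"hex": hexdigits, "size": WEP_KEY_SIZES[len(raw)],
            "ascii": raw.decode("ascii") if printable else None}


if __name__ == "__main__":
    print(airport_wep_key("68:65:6c:6c:6f"))                              # constructed 40-bit key
    print(airport_wep_key("0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6"))      # constructed 104-bit key
```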

How Do You Get Further Help?

  1. Please make an effort to find the answer for yourself before asking other members for help. We cannot stress this enough. Here are some helpful resources:
    1. The FAQ
    2. Searching our support documents
    3. The forums: Use the search function! Many questions have been asked before.
  2. If you come to the forums with a question and it's obvious that you've put the time in looking through our documents, our community will be delighted to help you resolve your issue. Be sure to follow the rules!
  3. You may also try our IRC channel: #KisMAC.

What Hardware Should You Buy?

  1. This is a frequently asked question.
  2. Our hardware list is a more specific resource.
  3. Have a look at what other members of our community use.
  4. Check out the driver comparison table to see the functionality of devices in KisMAC based on driver/chipset.