performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
Best use case
performing-wireless-security-assessment-with-kismet is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
Teams using performing-wireless-security-assessment-with-kismet should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/performing-wireless-security-assessment-with-kismet/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How performing-wireless-security-assessment-with-kismet Compares
| Feature / Agent | performing-wireless-security-assessment-with-kismet | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Freelancers
Browse AI agent skills for freelancers handling client research, proposals, outreach, delivery systems, documentation, and repeatable admin work.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
# Performing Wireless Security Assessment with Kismet
## Overview
Kismet is an open-source wireless network detector, packet sniffer, and wireless intrusion detection system (WIDS) supporting 802.11a/b/g/n/ac/ax. Unlike active scanners, Kismet operates in passive monitor mode, making it undetectable to the networks being assessed. It captures raw 802.11 frames, identifies access points, clients, probe requests, and encryption types without transmitting any packets. This skill covers deploying Kismet for comprehensive wireless security assessments, identifying rogue access points, detecting weak encryption, mapping hidden networks, and analyzing client behavior.
## When to Use
- When conducting security assessments that involve performing wireless security assessment with kismet
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Linux system (Kali Linux, Ubuntu 22.04+) with Kismet 2023+ installed
- Wireless adapter supporting monitor mode (e.g., Alfa AWUS036ACH, TP-Link TL-WN722N v1)
- Written authorization for wireless assessment (legal requirement)
- GPS receiver (optional, for geolocation mapping)
- Target environment wireless network documentation
## Core Concepts
### Kismet Architecture
Kismet uses a client-server architecture:
- **kismet** - Main server process that captures and processes packets
- **kismet_cap_linux_wifi** - Capture source for Linux WiFi interfaces
- **kismet_cap_linux_bluetooth** - Capture source for Bluetooth
- **Web UI** - Browser-based interface at http://localhost:2501
### Wireless Frame Types
| Frame Type | Purpose | Security Relevance |
|------------|---------|-------------------|
| Beacon | AP announces its presence | SSID, encryption, vendor |
| Probe Request | Client searches for networks | Reveals preferred networks |
| Probe Response | AP responds to client probe | Hidden SSID disclosure |
| Authentication | Client authenticates to AP | Auth type identification |
| Deauthentication | Disconnects client from AP | Potential attack indicator |
| Association | Client joins network | Client-AP relationship |
### Encryption Assessment
| Encryption | Status | Risk |
|------------|--------|------|
| Open (No encryption) | Insecure | Critical - all traffic visible |
| WEP | Broken | Critical - crackable in minutes |
| WPA-TKIP | Deprecated | High - known vulnerabilities |
| WPA2-PSK (CCMP) | Acceptable | Medium - depends on passphrase strength |
| WPA2-Enterprise (802.1X) | Recommended | Low - certificate-based |
| WPA3-SAE | Best practice | Low - resistant to offline attacks |
## Workflow
### Step 1: Prepare Wireless Adapter
```bash
# Identify wireless interfaces
iwconfig
# Check adapter capabilities
iw list | grep -A 10 "Supported interface modes"
# Kill processes that may interfere
sudo airmon-ng check kill
# Enable monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Verify monitor mode
iw dev wlan0 info | grep type
```
### Step 2: Configure and Launch Kismet
Edit `/etc/kismet/kismet.conf`:
```ini
# Data sources
source=wlan0:name=WiFi-Monitor,channel_hop=true,channel_hoprate=5/sec
# Logging configuration
log_types=kismet,pcapng
log_prefix=/opt/kismet/logs/assessment
# Enable all 802.11 channels (2.4GHz and 5GHz)
channel_hop_speed=5
channel_list=IEEE80211:1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
# GPS configuration (if available)
gps=gpsd:host=localhost,port=2947
# Alert configuration
alert=ADVCRYPTCHANGE,5/min,1/sec
alert=BSSTIMESTAMP,5/min,1/sec
alert=CRYPTODROP,5/min,1/sec
alert=DISASSOCTRAFFIC,10/min,1/sec
alert=DEAUTHFLOOD,10/min,2/sec
alert=PROBENOMFP,5/min,1/sec
```
Launch Kismet:
```bash
# Start Kismet server
sudo kismet -c wlan0
# Access web interface
# Open browser to http://localhost:2501
# Default credentials: kismet / kismet (change immediately)
```
### Step 3: Conduct Assessment Scans
**Rogue Access Point Detection:**
```bash
# Export device list via Kismet REST API
curl -u kismet:kismet http://localhost:2501/devices/summary/devices.json | \
python3 -m json.tool > all_devices.json
# Filter for access points
curl -u kismet:kismet \
'http://localhost:2501/devices/summary/devices.json' \
-d 'json={"fields":["kismet.device.base.macaddr","kismet.device.base.name","kismet.device.base.type","kismet.device.base.crypt","kismet.device.base.channel","kismet.device.base.manuf","dot11.device/dot11.device.advertised_ssid_map/dot11.advertisedssid.ssid"]}' \
> access_points.json
```
**Client Probe Analysis:**
Probe requests reveal networks that clients have previously connected to, which can indicate:
- Corporate devices connecting to insecure home networks
- Devices searching for known-evil SSIDs (evil twin susceptibility)
- Unauthorized personal devices in corporate space
### Step 4: Analyze Results
Python analysis script for Kismet database:
```python
#!/usr/bin/env python3
"""Analyze Kismet capture database for wireless security findings."""
import sqlite3
import json
import sys
from collections import defaultdict
def analyze_kismet_db(db_path: str):
"""Analyze Kismet SQLite database for security issues."""
conn = sqlite3.connect(db_path)
cursor = conn.cursor()
findings = []
# Query all devices
cursor.execute("""
SELECT devmac, type, device
FROM devices
""")
devices = cursor.fetchall()
ap_count = 0
client_count = 0
open_networks = []
wep_networks = []
wpa_tkip_networks = []
hidden_networks = []
all_aps = []
for mac, dev_type, device_json in devices:
try:
device = json.loads(device_json)
except json.JSONDecodeError:
continue
base = device.get('kismet.device.base.type', '')
if 'Wi-Fi AP' in base or 'Wi-Fi Device' in base:
ap_count += 1
ssid_map = device.get('dot11.device', {}).get(
'dot11.device.advertised_ssid_map', []
)
crypt = device.get('kismet.device.base.crypt', '')
name = device.get('kismet.device.base.name', 'Unknown')
channel = device.get('kismet.device.base.channel', '')
manuf = device.get('kismet.device.base.manuf', 'Unknown')
ap_info = {
'mac': mac,
'ssid': name,
'encryption': crypt,
'channel': channel,
'manufacturer': manuf,
}
all_aps.append(ap_info)
if 'None' in crypt or crypt == '':
open_networks.append(ap_info)
elif 'WEP' in crypt:
wep_networks.append(ap_info)
elif 'WPA+TKIP' in crypt and 'AES' not in crypt:
wpa_tkip_networks.append(ap_info)
for ssid_entry in ssid_map:
if isinstance(ssid_entry, dict):
ssid = ssid_entry.get('dot11.advertisedssid.ssid', '')
if ssid == '' or ssid is None:
hidden_networks.append(ap_info)
elif 'Wi-Fi Client' in base:
client_count += 1
# Generate findings
print(f"\n{'='*70}")
print("WIRELESS SECURITY ASSESSMENT REPORT")
print(f"{'='*70}")
print(f"\nTotal Access Points Detected: {ap_count}")
print(f"Total Clients Detected: {client_count}")
if open_networks:
print(f"\n[CRITICAL] Open Networks (No Encryption): {len(open_networks)}")
for net in open_networks:
print(f" - SSID: {net['ssid']}, MAC: {net['mac']}, "
f"Channel: {net['channel']}, Vendor: {net['manufacturer']}")
if wep_networks:
print(f"\n[CRITICAL] WEP-Encrypted Networks: {len(wep_networks)}")
for net in wep_networks:
print(f" - SSID: {net['ssid']}, MAC: {net['mac']}, "
f"Channel: {net['channel']}")
if wpa_tkip_networks:
print(f"\n[HIGH] WPA-TKIP Networks (Deprecated): {len(wpa_tkip_networks)}")
for net in wpa_tkip_networks:
print(f" - SSID: {net['ssid']}, MAC: {net['mac']}, "
f"Channel: {net['channel']}")
if hidden_networks:
print(f"\n[MEDIUM] Hidden SSIDs Detected: {len(hidden_networks)}")
for net in hidden_networks:
print(f" - MAC: {net['mac']}, Channel: {net['channel']}, "
f"Vendor: {net['manufacturer']}")
# Channel utilization analysis
channel_usage = defaultdict(int)
for ap in all_aps:
ch = ap.get('channel', 'Unknown')
channel_usage[ch] += 1
print(f"\n[INFO] Channel Utilization:")
for ch, count in sorted(channel_usage.items()):
print(f" Channel {ch}: {count} APs")
conn.close()
if __name__ == '__main__':
db_path = sys.argv[1] if len(sys.argv) > 1 else 'Kismet-*.kismet'
analyze_kismet_db(db_path)
```
### Step 5: Detect Rogue Access Points
Compare discovered APs against authorized inventory:
```python
#!/usr/bin/env python3
"""Detect rogue access points by comparing against authorized AP list."""
import json
import sys
def load_authorized_aps(filepath: str) -> set:
"""Load authorized AP MAC addresses from file."""
authorized = set()
with open(filepath, 'r') as f:
for line in f:
mac = line.strip().lower()
if mac and not mac.startswith('#'):
authorized.add(mac)
return authorized
def detect_rogues(kismet_json: str, authorized_file: str):
"""Compare discovered APs against authorized list."""
authorized = load_authorized_aps(authorized_file)
with open(kismet_json, 'r') as f:
devices = json.load(f)
rogues = []
for device in devices:
mac = device.get('kismet.device.base.macaddr', '').lower()
dev_type = device.get('kismet.device.base.type', '')
if 'AP' in dev_type and mac not in authorized:
rogues.append({
'mac': mac,
'ssid': device.get('kismet.device.base.name', 'Unknown'),
'encryption': device.get('kismet.device.base.crypt', ''),
'channel': device.get('kismet.device.base.channel', ''),
'manufacturer': device.get('kismet.device.base.manuf', ''),
'signal': device.get('kismet.device.base.signal', {}).get(
'kismet.common.signal.last_signal', 0),
})
if rogues:
print(f"\n[ALERT] {len(rogues)} ROGUE ACCESS POINTS DETECTED\n")
for rogue in rogues:
print(f" MAC: {rogue['mac']}")
print(f" SSID: {rogue['ssid']}")
print(f" Encryption: {rogue['encryption']}")
print(f" Channel: {rogue['channel']}")
print(f" Vendor: {rogue['manufacturer']}")
print(f" Signal: {rogue['signal']} dBm")
print()
else:
print("No rogue access points detected.")
if __name__ == '__main__':
if len(sys.argv) < 3:
print("Usage: python detect_rogues.py <kismet_devices.json> <authorized_aps.txt>")
sys.exit(1)
detect_rogues(sys.argv[1], sys.argv[2])
```
## Assessment Checklist
- [ ] All authorized APs identified and verified
- [ ] Rogue/unauthorized APs identified and located
- [ ] Encryption types documented for all SSIDs
- [ ] Hidden SSIDs discovered and documented
- [ ] Client probe requests analyzed for sensitive patterns
- [ ] Evil twin susceptibility assessed
- [ ] WPS status checked on all APs
- [ ] Signal coverage boundaries mapped
- [ ] Guest network isolation verified
- [ ] Management interfaces not exposed on wireless
## Best Practices
- **Written Authorization** - Always obtain signed authorization before performing wireless assessments
- **Passive Only** - Use Kismet in passive mode; do not transmit deauth frames or probe requests
- **Comprehensive Channel Coverage** - Scan both 2.4GHz and 5GHz bands including DFS channels
- **Multiple Locations** - Perform captures from multiple physical locations for complete coverage
- **Time Duration** - Capture for at least 30-60 minutes to observe intermittent devices
- **GPS Mapping** - Use GPS to create heat maps for signal boundary analysis
- **Baseline Comparison** - Maintain an authorized AP inventory and compare against each assessment
## References
- [Kismet Documentation](https://www.kismetwireless.net/docs/)
- [CISA Kismet Resources](https://www.cisa.gov/resources-tools/services/kismet)
- [NIST SP 800-153 - Wireless Network Security](https://csrc.nist.gov/publications/detail/sp/800-153/final)
- [Wi-Fi Alliance WPA3 Specification](https://www.wi-fi.org/discover-wi-fi/security)Related Skills
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.
testing-websocket-api-security
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
testing-jwt-token-security
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
testing-api-security-with-owasp-top-10
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
performing-yara-rule-development-for-detection
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-windows-artifact-analysis-with-eric-zimmerman-tools
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
performing-wifi-password-cracking-with-aircrack
Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
performing-web-cache-poisoning-attack
Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.