Kismet-PTW

1.  What is Kismet-PTW
2.  Caveats
3.  Compiling
4.  Installing
5.  Using

1.  What is Kismet-PTW

	Kismet-PTW is a Kismet plugin which performs the Aircrack-NG PTW attack
	against data captured by Kismet.

	The Aircrack-NG PTW attack exploits statistical weaknesses in the way
	WEP keys RC4 with a per-packet IV.  Given the IV and the first keystream
	bytes of enough captured data frames (the keystream is recoverable
	where the plaintext is predictable, as it is for ARP frames), it derives
	the WEP key itself.  Because the PTW attack needs relatively few
	packets (50,000 to 100,000) and is relatively cheap in CPU, it makes
	sense to include this as an automatic feature.

	While Aircrack-NG can use injection to accelerate the rate at which
	packets are generated, increasing the chances of deriving the key, the
	Kismet-PTW version is 100% passive.  Kismet will NOT inject packets or
	actively attack a network, with this plugin it will simply examine the
	data it has already recorded.

	The code for the PTW attack is directly extracted from Aircrack-NG, this
	plugin simply wraps the Aircrack-NG library into a form Kismet can use
	directly.  For complete info about the PTW attack or Aircrack, see the
	Aircrack-NG project at:
		http://www.aircrack-ng.org

2.  Caveats

	Memory Usage
	  Because this plugin needs to store fragments of the packet data, it
	  can dramatically increase the amount of memory Kismet uses.  Memory
	  usage is mitigated with timeout factors; if a network generates no WEP
	  data in 30 minutes, the existing WEP data will be forgotten.

	CPU Usage
	  Similarly, this plugin will raise the CPU requirements of Kismet
	  considerably.  The PTW calculations are run only at intervals, once
	  there have been sufficient new packets (1,000 packets of known types
	  and 5,000 packets of unknown types), but while a calculation is
	  running the load may be considerable.

	Packet Generation
	  Kismet will not spoof packets or cause the network to increase the
	  generation of packets.  This may prevent the attack from working as
	  quickly (or at all), depending on the network traffic generated by a
	  network.

	Usage and Legality
	  Using this against a network that is not your own is a Bad Idea.

	  No support will be given for using this plugin as a means to gain
	  access to a network.

3.  Compiling

	Compiling the Kismet-PTW plugin requires the Kismet source tree to be
	present and already configured (./configure has been run in it).

	By default, Kismet-PTW expects the Kismet source to be in
	/usr/src/kismet; this can be overridden by setting the
	KIS_SRC_DIR environment variable:

		cd plugin-ptw/
		KIS_SRC_DIR=/home/foo/src/kismet make

4.  Installing

	Kismet plugins may be installed system-wide in the plugins directory (by
	default, /usr/local/lib/kismet/) or in the user's home directory
	(~/.kismet/plugins).

	The default installation path can be overridden with the KIS_DEST_DIR
	variable if you have not installed Kismet in the default location and
	wish to install the plugin in the system-wide plugins directory:
		cd plugin-ptw
		KIS_DEST_DIR=/usr make install

	Plugins can be installed in the current user's home directory with:
		cd plugin-ptw
		make userinstall
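	The build and install steps above, wrapped in a small POSIX sh script
	that adds the two checks a practitioner usually wants: that KIS_SRC_DIR
	really points at a configured Kismet tree before make is invoked, and a
	listing of the plugin directory afterwards so a failed install is
	noticed.  This is an added example for this page, not part of the
	plugin's own build system.  It assumes that a configured Kismet tree
	contains a Makefile.inc written by ./configure, and that the system-wide
	plugin directory is $KIS_DEST_DIR/lib/kismet/ (the README only gives the
	default, /usr/local/lib/kismet/); both are assumptions, not facts from
	the README.

```shell
#!/bin/sh
# build-ptw.sh system|user  (run from inside plugin-ptw/)
# Added example wrapper for the README's compile/install procedure; not
# part of Kismet or Kismet-PTW.
set -e

KIS_SRC_DIR="${KIS_SRC_DIR:-/usr/src/kismet}"   # README default
KIS_DEST_DIR="${KIS_DEST_DIR:-/usr/local}"       # README default plugin prefix

# kismet_src_configured DIR -> true if DIR looks like a configured Kismet tree.
# Assumption: ./configure leaves a Makefile.inc that plugin Makefiles include.
kismet_src_configured() {
    [ -d "$1" ] && [ -f "$1/Makefile.inc" ]
}

# plugin_dir system|user -> directory the plugin will be installed into.
# Assumption: the system-wide directory is $KIS_DEST_DIR/lib/kismet/.
plugin_dir() {
    case "$1" in
        system) printf '%s/lib/kismet/\n' "$KIS_DEST_DIR" ;;
        user)   printf '%s/.kismet/plugins/\n' "$HOME" ;;
        *)      return 1 ;;
    esac
}

build_and_install() {
    mode="$1"
    dest="$(plugin_dir "$mode")" || { echo "usage: $0 system|user" >&2; return 1; }
    if ! kismet_src_configured "$KIS_SRC_DIR"; then
        echo "KIS_SRC_DIR=$KIS_SRC_DIR is not a configured Kismet source tree" >&2
        echo "(run ./configure in the Kismet tree first, or set KIS_SRC_DIR)" >&2
        return 1
    fi
    KIS_SRC_DIR="$KIS_SRC_DIR" make                 # README: compile step
    if [ "$mode" = system ]; then
        KIS_DEST_DIR="$KIS_DEST_DIR" make install    # README: system-wide
    else
        make userinstall                             # README: ~/.kismet/plugins
    fi
    echo "installed into $dest:"
    ls -l "$dest"
}

# Only build when invoked with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    build_and_install "$1"
fi
```

	Run it as "sh build-ptw.sh user" (or "system") from inside plugin-ptw/;
	set KIS_SRC_DIR and KIS_DEST_DIR in the environment exactly as the
	README describes and the script passes them through to make.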

5.  Using

	Kismet-PTW is fully automatic.  Once loaded, it will gather IV
	information for any WEP encrypted network detected.  There is no
	client-side plugin: WEP key disclosures are registered as an alert, and
	the key and progress information are shown in the network details.

	While running, Kismet-PTW will put the IV counts into the network as
	WEP-PTW-IV (number of packets whose plaintext, and hence keystream, can
	be guessed, such as ARP packets) and WEP-PTW-UNK (number of packets
	seen without guessable characteristics).

	Each batch of new packets large enough to be worth a run (see the CPU
	Usage caveat above: 1,000 packets of known types and 5,000 packets of
	unknown types) will trigger a PTW cracking attempt on the gathered data.

	If the PTW attack is successful, an IDS alert will be raised, and a
	WEP-PTW field will be added to the network containing the WEP key.

	Network fields can be viewed under Network Details in the Kismet UI and
	will be logged in the nettxt and netxml files.

	Networks which have not generated any data packets in 30 minutes will be
	"forgotten"; that is, their PTW records will be cleared, to prevent
	Kismet from using an unbounded amount of RAM.
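	The collection stage that the Using and Caveats sections describe,
	shown as an added Python example written for this page (it is not
	Kismet-PTW's source and contains no PTW code; the actual cracking
	routine is the Aircrack-NG one the plugin wraps).  It parses WEP data
	frames, pulls out the 3-byte IV, recovers the first 16 keystream bytes
	from frames whose plaintext is predictable (ARP), keeps the WEP-PTW-IV
	and WEP-PTW-UNK counters per BSSID, reports when a cracking pass is due,
	and forgets networks silent for 30 minutes.  The thresholds and timeout
	come from the README; everything else is an assumption: that an ARP
	frame is recognised by its length (68 or 86 bytes), that a broadcast
	destination means an ARP request, that a pass is due once either counter
	of new packets reaches its threshold, and the sample frames, which are
	constructed here with a made-up key.

```python
"""Passive WEP/PTW collector front end.  Added example for this page, not
Kismet-PTW source.  Thresholds and timeout follow the README; the ARP
heuristic, opcode guess, trigger rule and sample data are assumptions."""
import struct
import time
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")          # known LLC/SNAP prefix
ARP_REQ = LLC_SNAP_ARP + bytes.fromhex("0001080006040001")  # ...+ ARP hdr, op=1
ARP_REP = LLC_SNAP_ARP + bytes.fromhex("0001080006040002")  # ...+ ARP hdr, op=2
ARP_FRAME_LENS = (68, 86)   # 24 hdr + 4 IV/keyid + 8 LLC + 28|46 ARP + 4 ICV (assumed)
KNOWN_THRESHOLD, UNKNOWN_THRESHOLD = 1000, 5000   # README, "CPU Usage"
FORGET_AFTER = 30 * 60                            # README, "Memory Usage"
BROADCAST = b"\xff" * 6


def rc4(key, n):
    """Plain RC4 keystream; used only to build the constructed sample frames."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_frame(frame):
    """(bssid, dst, iv, ciphertext-without-ICV) for a WEP data frame, else None."""
    if len(frame) < 24 + 4 + 4:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    if (fc >> 2) & 0x3 != 2 or not fc & 0x4000:    # not a data frame / not protected
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:                          # 4-address WDS frames: skip
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else (a2 if from_ds else a3)
    dst = a3 if to_ds else a1
    return bssid, dst, frame[24:27], frame[28:-4]  # IV; skip keyid byte, drop ICV


def guess_keystream(frame, dst, ciphertext):
    """First 16 keystream bytes if the frame looks like ARP (known plaintext)."""
    if len(frame) not in ARP_FRAME_LENS:
        return None
    clear = ARP_REQ if dst == BROADCAST else ARP_REP   # assumption: bcast => request
    return bytes(c ^ p for c, p in zip(ciphertext[:16], clear))


def build_sample_arp_frame(wep_key, iv, bssid, src, extra=b""):
    """Constructed sample: a WEP-encrypted ARP request (plus `extra` padding)."""
    plain = ARP_REQ + src + bytes([10, 0, 0, 2]) + b"\x00" * 6 + bytes([10, 0, 0, 1]) + extra
    plain += struct.pack("<I", zlib.crc32(plain))   # ICV, encrypted with the rest
    ks = rc4(iv + wep_key, len(plain))              # WEP seeds RC4 with IV || key
    body = bytes(p ^ k for p, k in zip(plain, ks))
    hdr = struct.pack("<HH", 0x4008, 0) + BROADCAST + src + bssid + b"\x00\x00"
    return hdr + iv + b"\x00" + body, ks


class PTWCollector:
    """Per-BSSID state.  feed() returns the (iv, keystream) samples when a PTW
    pass is due (hand them to the Aircrack-NG PTW routine), otherwise None."""

    def __init__(self, now=time.time):
        self.now, self.nets = now, {}

    def feed(self, frame):
        parsed = parse_wep_frame(frame)
        if parsed is None:
            return None
        bssid, dst, iv, ct = parsed
        n = self.nets.setdefault(bssid, {"iv": 0, "unk": 0, "new_iv": 0,
                                         "new_unk": 0, "samples": [], "last": 0.0})
        n["last"] = self.now()
        ks = guess_keystream(frame, dst, ct)
        if ks is None:
            n["unk"] += 1; n["new_unk"] += 1           # WEP-PTW-UNK
        else:
            n["iv"] += 1; n["new_iv"] += 1             # WEP-PTW-IV
            n["samples"].append((iv, ks))
        # Assumed trigger rule: enough *new* packets of either class since last pass.
        if n["new_iv"] >= KNOWN_THRESHOLD or n["new_unk"] >= UNKNOWN_THRESHOLD:
            n["new_iv"] = n["new_unk"] = 0
            return list(n["samples"])
        return None

    def expire(self):
        """Forget networks silent for FORGET_AFTER seconds; returns their BSSIDs."""
        cutoff = self.now() - FORGET_AFTER
        dead = [b for b, n in self.nets.items() if n["last"] < cutoff]
        for b in dead:
            del self.nets[b]
        return dead


if __name__ == "__main__":
    key, bssid, src = bytes.fromhex("0102030405"), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame, ks = build_sample_arp_frame(key, b"\x01\x02\x03", bssid, src)
    _, dst, iv, ct = parse_wep_frame(frame)
    print("IV", iv.hex(), "keystream guess ok:", guess_keystream(frame, dst, ct) == ks[:16])
```

	The point the example makes is why ARP frames are the "known type": the
	eight LLC/SNAP bytes and the first eight ARP bytes are the same in every
	ARP packet, so XORing them with the ciphertext yields the keystream
	prefix for that IV with no key knowledge at all.  Frames of any other
	length still contribute an IV count but no keystream, which is why
	WEP-PTW-UNK grows faster than WEP-PTW-IV on most networks and why a
	network that never sends ARP may never yield a key passively.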
