Wireless Reconnaissance

1. Monitor Mode

We are surrounded by packets everywhere, packets that we are not able to perceive, packets that contain information about the environment in which we move.

These packets can be captured with network cards that accept monitor mode. Monitor mode is nothing more than a mode by which we can listen to and capture all packets traveling through the air. Best of all, we can not only capture them, but also manipulate them.

- Connect WiFi adapter that accepts monitor mode

To make sure it's connected, add it to the allowed USB devices in VirtualBox or VMware and type:

lsusb

Then to get more details about that device:

lsusb -D /dev/bus/usb/{bus_number}/{device_number}

To check network card:

ifconfig

iwconfig

- Starting Monitor Mode

When we are in monitor mode, we lose internet connectivity: this mode does not support an internet connection. We will see below how to disable it so that everything goes back to normal.

To start Monitor Mode:

airmon-ng start wlan0

Then we need to kill conflicting processes (which are in charge of giving us connectivity and keeping us connected to a network):

pkill dhclient && pkill wpa_supplicant

or

airmon-ng check kill

To check that we are in Monitor Mode, the interface name should have changed from wlan0 to wlan0mon; we can verify this with ifconfig or iwconfig.

Now we are able to capture all packets traveling around us.

- Disable Monitor Mode and bring connectivity back

airmon-ng stop wlan0mon && service NetworkManager restart

or

/etc/init.d/networking restart

2. Analysis of the environment

Now that we are in monitor mode, to capture all the packets around us:

airodump-ng wlan0mon

- Output Interpretation

  • Upper part:

    • BSSID --> Verify the MAC address of the access point

    • PWR --> The closer it's to 0, the closer we are to the AP

    • CH --> Channel where the AP is located, each AP is positioned on a different channel

    • ENC, CIPHER and AUTH --> Check what type of AP we are dealing with

    • ESSID --> Name of the AP

    • DATA -->

  • Lower part (This section corresponds to the clients section):

    • Here we can check the station MAC and the BSSID it's associated with, so we can check which network it belongs to and then we know that the network has an associated client.

    • Sometimes we may capture stations that are not associated with any access point, which in this case is indicated with 'not associated' in the BSSID field. It is through the Frames field of the stations that we can see what kind of activity the client has on that AP (Access Point). If the Frames increase considerably over short time intervals, the station is active at the time of capture.

3. Filter modes

To attack a specific AP we need to apply filter modes:

airodump-ng -c {channel} --essid {victim_essid} wlan0mon

airodump-ng -c {channel} --bssid {victim_bssid} wlan0mon

airodump-ng -c {channel} --bssid {victim_bssid} --essid {victim_essid} wlan0mon

4. Exporting evidence

The -w option exports all monitored traffic to a file (a .cap capture plus a .csv summary, both prefixed with {File_name}), so that it can be analyzed later on.

airodump-ng -c {channel} -w {File_name} --essid {victim_essid} wlan0mon

airodump-ng -c {channel} -w {File_name} --bssid {victim_bssid} wlan0mon

airodump-ng -c {channel} -w {File_name} --bssid {victim_bssid} --essid {victim_essid} wlan0mon
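The CSV that airodump-ng writes next to the .cap file ({File_name}-01.csv) has the same two sections as the live screen, so the export can be reviewed offline. The shell functions below are an added example, not part of the original notes or of aircrack-ng: they list each AP with its channel, Privacy column and number of associated clients, flag open or WEP networks, and count stations that were seen probing without being associated. The CSV content is constructed; all MACs and ESSIDs are made up.

```shell
#!/bin/sh
# Constructed sample of the CSV that "airodump-ng -w {File_name}" writes next to the
# .cap file ({File_name}-01.csv). All MACs and ESSIDs are made up for this example.
SAMPLE_CSV="$(mktemp)"
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,  0.  0.  0.  0,  7, Lab-Net, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN,  , , -70,  30,  0,  0.  0.  0.  0,  10, Guest Open, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP,  WEP, , -60,  45,  5,  0.  0.  0.  0,  6, Legacy, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  300, 00:11:22:33:44:55, 
AA:AA:AA:AA:AA:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -55,  120, 00:11:22:33:44:55, Lab-Net
AA:AA:AA:AA:AA:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -80,   10, (not associated), Guest Open,Lab-Net
EOF

# One tab-separated line per access point: BSSID CH PRIVACY CLIENTS ESSID.
# The two CSV sections are told apart by their header lines; fields are split
# on ", *" because airodump-ng pads its columns with spaces after the comma.
ap_summary() {
  awk -F', *' '
    /^BSSID/   { section = "ap"; next }
    /^Station/ { section = "st"; next }
    NF < 6     { next }
    section == "ap" { seen[$1] = 1; ch[$1] = $4; enc[$1] = $6; essid[$1] = $14 }
    section == "st" && $6 != "(not associated)" { clients[$6]++ }
    END {
      for (b in seen)
        printf "%s\t%s\t%s\t%d\t%s\n", b, ch[b], enc[b], clients[b] + 0, essid[b]
    }' "$1" | sort
}

# BSSIDs whose Privacy column is OPN or WEP: the networks a site survey flags first.
weak_aps() {
  ap_summary "$1" | awk -F'\t' '$3 == "OPN" || $3 == "WEP" { print $1 }'
}

# Number of stations seen probing without being associated with any AP.
unassociated_count() {
  awk -F', *' '/^Station/ { s = 1; next }
               s && $6 == "(not associated)" { n++ }
               END { print n + 0 }' "$1"
}

trap 'rm -f "$SAMPLE_CSV"' EXIT
ap_summary "$SAMPLE_CSV"
printf 'weak APs: %s\n' "$(weak_aps "$SAMPLE_CSV" | tr '\n' ' ')"
printf 'unassociated stations: %s\n' "$(unassociated_count "$SAMPLE_CSV")"
```

Point the functions at a real {File_name}-01.csv instead of SAMPLE_CSV to review an actual capture; the Privacy column is treated as a single token.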