Wireless Reconnaissance
1. Monitor Mode
We are surrounded by packets everywhere, packets that we are not able to perceive, packets that contain information about the environment in which we move.
These packets can be captured with network cards that accept monitor mode. Monitor mode is nothing more than a mode by which we can listen to and capture all packets traveling through the air. Best of all, we can not only capture them, but also manipulate them.
- Connect a WiFi adapter that supports monitor mode
To make sure it is connected, add it to the allowed USB devices in VirtualBox or VMware and type:
lsusb
Then to get more details about that device:
lsusb -D /dev/bus/usb/{bus_number}/{device_number}
To check the network card:
ifconfig
iwconfig
- Starting Monitor Mode
When we are in monitor mode, we lose internet connectivity: this mode does not support a normal network connection. Below we will see how to disable this mode so that everything goes back to normal.
To start Monitor Mode:
airmon-ng start wlan0
Then we need to kill conflicting processes (the ones in charge of giving us connectivity and keeping us connected to a network):
pkill dhclient && pkill wpa_supplicant
or
airmon-ng check kill
To check that we are in Monitor Mode: the interface name should change from wlan0 to wlan0mon, which we can verify with ifconfig or iwconfig.
Now we are able to capture all packets traveling around us.
- Disable Monitor Mode and bring connectivity back
airmon-ng stop wlan0mon && service NetworkManager restart
or
/etc/init.d/networking restart
2. Analysis of the environment
Now that we are in monitor mode, to capture all the packets around us:
airodump-ng wlan0mon
- Output Interpretation
Upper part:
BSSID --> MAC address of the access point
PWR --> Signal power; the closer it is to 0, the closer we are to the AP
CH --> Channel where the AP is located; each AP is positioned on a different channel
ENC, CIPHER and AUTH --> Tell us what type of AP (encryption, cipher and authentication) we are dealing with
ESSID --> Name of the AP
DATA -->
Lower part (this section corresponds to the clients, also called stations):
Here we can see each client's MAC and the BSSID it is associated with, so we know which network it belongs to and that the network has an associated client.
Sometimes we may capture stations that are not associated with any access point; in this case the BSSID field shows 'not associated'. It is through the Frames field of the stations that we can see what kind of activity the client has on that AP (Access Point). If the Frames count increases considerably over short time intervals, the station is active at the time of capture.
3. Filter modes
To attack a specific AP we need to apply filter modes:
airodump-ng -c {channel} --essid {victim_essid} wlan0mon
airodump-ng -c {channel} --bssid {victim_bssid} wlan0mon
airodump-ng -c {channel} --bssid {victim_bssid} --essid {victim_essid} wlan0mon
4. Exporting evidences
To export all monitored traffic to a file so that it can be analyzed later on, add -w with the output file prefix:
airodump-ng -c {channel} -w {File_name} --essid {victim_essid} wlan0mon
airodump-ng -c {channel} -w {File_name} --bssid {victim_bssid} wlan0mon
airodump-ng -c {channel} -w {File_name} --bssid {victim_bssid} --essid {victim_essid} wlan0mon
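The "Output Interpretation" notes in section 2 describe what airodump-ng shows live; the -w option above writes the same access point and station tables to a file named {File_name}-01.csv for later analysis. The following is an added example, not code from the original page or from the aircrack-ng project, that parses that CSV, resolves each client to the network it is associated with (the "Lower part" reading), lists the 'not associated' stations, and flags stations whose frame count grew between two captures (the "Frames increase" signal). The CSV text embedded here is constructed for the example; the column layout follows the header lines airodump-ng writes, and ESSIDs containing commas are not handled.

```python
"""Read the CSV that airodump-ng writes with -w <prefix> (the <prefix>-01.csv file)."""
import csv
import io
from dataclasses import dataclass


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # ENC column in the live view (OPN, WEP, WPA, WPA2, ...)
    cipher: str    # CIPHER column
    auth: str      # AUTH column
    power: int     # PWR column
    essid: str


@dataclass
class Station:
    mac: str
    power: int
    packets: int   # Frames column in the live view
    bssid: str     # "(not associated)" when the client is not joined to any AP
    probed: list   # ESSIDs the client has probed for


def parse_airodump_csv(text):
    """Return (aps, stations). The file holds two comma-separated tables separated by a blank line."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not c.strip() for c in row):
            continue
        if row[0] == "BSSID":          # header of the access point table
            section = "ap"
            continue
        if row[0] == "Station MAC":    # header of the client table
            section = "station"
            continue
        if section == "ap" and len(row) >= 14:
            aps.append(AccessPoint(row[0], int(row[3].strip()), row[5].strip(),
                                   row[6].strip(), row[7].strip(),
                                   int(row[8].strip()), row[13].strip()))
        elif section == "station" and len(row) >= 6:
            probed = [p.strip() for p in row[6:] if p.strip()]
            stations.append(Station(row[0], int(row[3].strip()), int(row[4].strip()),
                                    row[5].strip(), probed))
    return aps, stations


def associate(aps, stations):
    """Map each station MAC to the ESSID of the AP it is joined to (None if not associated)."""
    by_bssid = {ap.bssid: ap for ap in aps}
    return {s.mac: (by_bssid[s.bssid].essid if s.bssid in by_bssid else None) for s in stations}


def unassociated_stations(stations):
    """Stations airodump-ng reports as not joined to any access point."""
    return [s for s in stations if s.bssid == "(not associated)"]


def active_stations(earlier, later, min_delta=10):
    """MACs whose frame count rose by at least min_delta between two captures."""
    before = {s.mac: s.packets for s in earlier}
    return [s.mac for s in later if s.packets - before.get(s.mac, 0) >= min_delta]


# Constructed sample in the layout of a {File_name}-01.csv file (not a real capture).
SNAPSHOT_1 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,      120,        0,   0.0.0.0,  14, ConstructedNet, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN ,     ,    , -70,       40,        0,   0.0.0.0,  10, OpenCoffee, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -60,       48, 00:11:22:33:44:55, ConstructedNet
AA:AA:AA:AA:AA:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -80,        3, (not associated), HomeNet,Guest
AA:AA:AA:AA:AA:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -65,       10, 66:77:88:99:AA:BB, 
"""

# Constructed station table from a later capture of the same area.
SNAPSHOT_2 = """\
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2024-01-01 10:00:00, 2024-01-01 10:10:00, -58,      131, 00:11:22:33:44:55, ConstructedNet
AA:AA:AA:AA:AA:02, 2024-01-01 10:01:00, 2024-01-01 10:10:00, -80,        5, (not associated), HomeNet,Guest
AA:AA:AA:AA:AA:03, 2024-01-01 10:02:00, 2024-01-01 10:10:00, -65,       10, 66:77:88:99:AA:BB, 
"""

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SNAPSHOT_1)
    for ap in aps:
        print(f"AP {ap.bssid} ch={ap.channel} {ap.privacy}/{ap.cipher}/{ap.auth} {ap.essid!r}")
    for mac, essid in associate(aps, stations).items():
        print(f"station {mac} -> {essid}")
    print("not associated:", [s.mac for s in unassociated_stations(stations)])
    _, later = parse_airodump_csv(SNAPSHOT_2)
    print("active between captures:", active_stations(stations, later))
```

Running the script on a real {File_name}-01.csv only requires replacing the embedded text with the file contents; the same functions then give an inventory of the access points and clients seen, which is the information the upper and lower parts of the live view present.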