MY NOTES ON WIFI PACKET CAPTURING
###################################
lsusb
lspci
apt-get update
apt-get upgrade
apt-get install tcpdump
apt-get install libpcap-dev
apt-get install build-essential libssl-dev
iwconfig
ifconfig wlan0 down
iwconfig wlan0 mode Monitor
iwconfig wlan0 mode Managed/Auto
ifconfig wlan0 up
apt-get install wireshark
wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta2.tar.gz
tar xvf aircrack-ng-1.2-beta2.tar.gz
cd aircrack-ng-1.2-beta2
rfkill list
rfkill unblock wlan0
rfkill unblock all
make
cd scripts/
make
chmod +x airmon-ng
./airmon-ng start wlan0
wireshark &
LISTEN TO mon0
OR:
wireshark
control-z
bg 1
OR:
%1 &
OR:
tcpdump -i mon0 -w captures.cap
WPA packet explained:
http://www.aircrack-ng.org/doku.php?id=wpa_capture
LINKS:
http://sandilands.info/sgordon/capturing-wireless-lan-with-ubuntu-tcpdump-kismet
https://sickbits.net/extracting-ssids-from-pcaps-multiple-methods/
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Power_Management_Guide/RFKill.html
http://wireless.kernel.org/en/users/Documentation/rfkill
http://wiki.wireshark.org/CaptureSetup/WLAN
http://www.aircrack-ng.org/
http://www.aircrack-ng.org/doku.php?id=airmon-ng
TUTORIALS LINK: http://www.aircrack-ng.org/doku.php?id=tutorial
Airmon-ng – Usage Examples – Typical Uses
###########################################
To start wlan0 in monitor mode: airmon-ng start wlan0
To start wlan0 in monitor mode on channel 8: airmon-ng start wlan0 8
To stop wlan0: airmon-ng stop wlan0
To check the status: airmon-ng
WHAT EACH aircrack-ng SOFTWARE DOES
####################################
* airbase-ng: Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.
* aircrack-ng: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.
* airdecap-ng: With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can also be used to strip the wireless headers from an unencrypted wireless capture.
* airdecloak-ng: Airdecloak-ng is a tool that removes WEP cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake WEP frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out the chaff.
* airdriver-ng: Airdriver-ng is a script that provides status information about the wireless drivers on your system plus the ability to load and unload the drivers. Additionally, airdriver-ng allows you to install and uninstall drivers complete with the patches required for monitor and injection modes.
* airdrop-ng: airdrop-ng is a program used for targeted, rule-based deauthentication of users. It can target based on MAC address or type of hardware (by using an OUI lookup, i.e. “APPLE” devices), or completely deauthenticate ALL users. lorcon and pylorcon are used in the transmission of the deauth packets.
* aireplay-ng: The primary function is to generate traffic for later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it’s possible to create arbitrary frames.
* airgraph-ng: makes graphs. Two graph types are available:
  CAPR: Client to AP Relationship. This shows all the clients attached to a particular AP.
  CPG: Common Probe Graph. This shows all SSIDs probed for by clients.
* airmon-ng: This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interface status.
* airodump-ng: Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points. Additionally, airodump-ng writes out several files containing the details of all access points and clients seen.
* airolib-ng: Airolib-ng is an aircrack-ng suite tool designed to store and manage essid and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 database as the storage mechanism which is available on most platforms.
* airserv-ng: Airserv-ng is a wireless card server which allows multiple wireless application programs to independently use a wireless card via a client-server TCP network connection. All operating system and wireless card driver specific code is incorporated into the server. This eliminates the need for each wireless application to contain the complex wireless card and driver logic. It also supports multiple operating systems.
When the server is started, it listens on a specific IP and TCP port number for client connections. The wireless application then communicates with the server via this IP address and port. When using the aircrack-ng suite functions, you specify <server IP address>:<port number> instead of the network interface, for example 127.0.0.1:666.
This allows for a number of interesting possibilities:
– By eliminating the wireless card/driver complexity, software developers can concentrate on the application functionality. This will lead to a larger set of applications being available. It also dramatically reduces the maintenance effort.
– Remote sensors are now easy to implement. Only a wireless card and airserv-ng are required to be running on the remote sensor. This means that small embedded systems can easily be created.
– You can mix and match operating systems. Each piece can run on a different operating system. The server and each of the applications can potentially run under a different operating system.
– Some wireless cards do not allow multiple applications to access them at once. This constraint is now eliminated with the client-server approach.
– By using TCP networking, the client and server can literally be in different parts of the world. As long as you have network connectivity, then it will work.
* airtun-ng: Airtun-ng is a virtual tunnel interface creator. There are two basic functions:
  Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes.
  Inject arbitrary traffic into a network.
* besside-ng: Besside-ng is a tool like Wesside-ng but it also supports WPA encryption. It will automatically crack all the WEP networks in range and log the WPA handshakes. Captured WPA handshakes can be uploaded to the online cracking service at Darkircop.org (Besside-ng Companion) to attempt to get the password; the service also provides useful statistics, based on user-submitted capture files, about the feasibility of WPA cracking.
* easside-ng: Easside-ng is an auto-magic tool which allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then set up a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention.
* packetforge-ng: The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.
* tkiptun-ng: This tool is able to inject a few frames into a WPA TKIP network with QoS.
* wesside-ng: Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention.
Capturing Wireless LAN Packets on Ubuntu with tcpdump and Kismet
#################################################################
Submitted by Steve on Wed, 29/12/2010 – 10:15am
Capturing packets on a wireless LAN interface can be fun because you can see what other nearby laptops and access points are sending. By inspecting individual wireless LAN frames, you can see the detailed operation of the wireless LAN medium access control. I first tried capturing wireless LAN packets in 2002. Then, as it is now, the major difficulty was having drivers for your wireless card that support capturing (i.e. monitor or promiscuous mode). Then I used Cisco Aironet 350 PCMCIA cards, RedHat Linux and Ethereal (now called Wireshark). Nowadays many more cards are supported, but most features of capturing are usually only possible under Unix-like operating systems (it’s hard/impossible in Windows).
Here are some instructions for using my Samsung NC10 Ubuntu laptop to capture wireless LAN packets. First using the basic commands of iwconfig and tcpdump, and then the dedicated software Kismet. Of course capturing other people’s traffic may be illegal/unethical in some situations; don’t do it if you are not sure. Update (22 Mar 2012): Also I have a screencast below showing the steps on a Lenovo laptop. Either read on or watch the 16 minute video.
Capture Wireless LAN Packets with tcpdump
#############################################
First make sure NetworkManager is not automatically connecting or turning interfaces on/off. Right-click on the network icon in Gnome and de-select Enable Networking (i.e. so networking is disabled).
Turn the wireless LAN interface off (on my computer the OS labels the interface wlan0):
$ sudo ifconfig wlan0 down
Now use iwconfig to put the interface into monitor mode, check the interface status and then turn the interface on again:
$ sudo iwconfig wlan0 mode monitor
$ iwconfig wlan0
wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
$ sudo ifconfig wlan0 up
Update (29 Aug 2013): To set the channel to monitor you should select it before you enter monitor mode. That is, while the interface is in managed mode (e.g. connected to an AP), set the channel, e.g.:
$ sudo iwconfig wlan0 chan 6
Packet capture software can now be used, and the wireless LAN card will capture all packets it can receive, even if they are not directed to your laptop. Here I use tcpdump:
$ sudo tcpdump -i wlan0 -n
tcpdump will print out a single line on standard output for each packet received. Update (22 Mar 2012): the -n option prevents DNS lookups (e.g. to convert an IP address to a name) – without this option it is possible that tcpdump will not capture all packets as it will be too slow performing the DNS lookups. To stop the capture press Ctrl-C. Note that by default in Ubuntu 12.04 and later tcpdump captures 65535 Bytes – effectively the entire packet. If you want to capture only a selection of the packet (e.g. the first 64 Bytes to save storage space when capturing over a long period of time) and save to a file try:
$ sudo tcpdump -i wlan0 -n -s 64 -w file.cap
The file file.cap can now be opened in Wireshark for easier viewing.
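As an added example (not part of these notes or of Steve's post), here is a standard-library Python parser that reads a file.cap written by tcpdump in monitor mode and lists the beaconing access points with their channel and whether the privacy bit is set, which is a quick way to spot open or hidden networks in a capture without opening Wireshark. It assumes the file uses pcap link type 127 (radiotap, the usual Linux monitor-mode type) or 105 (raw 802.11), and it builds a constructed two-beacon sample so it runs offline; the sample reuses the BSSID and ESSID that appear later in this section's iwconfig output, and the second AP is an invented hidden, open network.

```python
import struct

def _parse_beacon(frame):  # -> {bssid, ssid, channel, privacy} for a beacon frame, else None
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:   # Frame Control: type 0 (mgmt), subtype 8 (beacon)
        return None
    cap, = struct.unpack_from("<H", frame, 34)        # 24-byte MAC header + 8 timestamp + 2 interval
    ap = {"bssid": frame[16:22].hex(":"), "ssid": "<hidden>",   # addr3 of a management frame = BSSID
          "channel": None, "privacy": bool(cap & 0x0010)}       # capability bit 4 = privacy (encryption on)
    pos = 36                                          # tagged information elements follow the fixed fields
    while pos + 2 <= len(frame):
        tag, ln = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + ln]
        if len(val) < ln:
            break                                     # IE cut off by a short snaplen (e.g. tcpdump -s 64)
        if tag == 0 and any(val):                     # SSID element; empty or all-zero means hidden SSID
            ap["ssid"] = val.decode("utf-8", "replace")
        elif tag == 3 and ln == 1:                    # DS Parameter Set carries the channel number
            ap["channel"] = val[0]
        pos += 2 + ln
    return ap

def beacons_from_pcap(data):  # -> one dict per distinct BSSID that sent a beacon
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond-resolution pcap file")
    seen, pos = {}, 24                                # 24-byte pcap global header
    while pos + 16 <= len(data):
        caplen, = struct.unpack_from("<I", data, pos + 8)   # record header: ts_sec, ts_usec, incl_len, orig_len
        pkt = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if linktype == 127:                           # radiotap header: version, pad, length (LE), present
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
        elif linktype != 105:                         # 105 = raw 802.11 frames without radiotap
            raise ValueError(f"not an 802.11 capture (link type {linktype})")
        ap = _parse_beacon(pkt)
        if ap and ap["bssid"] not in seen:
            seen[ap["bssid"]] = ap
    return list(seen.values())

def build_sample_pcap():
    # Constructed two-beacon radiotap capture so the parser can be exercised offline; not a real capture.
    def beacon(bssid, ssid, chan, cap):
        pkt = (struct.pack("<BBHI", 0, 0, 8, 0)                                  # minimal 8-byte radiotap
               + b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00"    # FC, duration, DA, SA, BSSID, seq
               + struct.pack("<QHH", 0, 100, cap)                                # timestamp, interval, capability
               + bytes([0, len(ssid)]) + ssid + bytes([3, 1, chan]))             # SSID IE, DS Parameter IE
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)          # pcap global header, linktype 127
            + beacon(bytes.fromhex("002369123456"), b"MyWirelessNet", 11, 0x0411)
            + beacon(bytes.fromhex("020000000001"), b"", 6, 0x0401))            # hidden SSID, privacy bit clear
```

Note that with a 64-byte snaplen the radiotap header plus the fixed beacon fields usually exhaust the captured bytes before the SSID element, so the parser reports such APs as hidden; capture with the default snaplen when you want the AP list.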
In monitor mode your wireless interface only receives packets; it cannot transmit (i.e. you have no normal network access via wireless).
To return your wireless card to normal (managed) mode run:
$ sudo ifconfig wlan0 down
$ sudo iwconfig wlan0 mode managed
$ sudo ifconfig wlan0 up
$ iwconfig wlan0
wlan0 IEEE 802.11bg ESSID:"MyWirelessNet"
Mode:Managed Frequency:2.462 GHz Access Point: 00:23:69:12:34:56
Bit Rate=1 Mb/s Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
Link Quality=68/70 Signal level=-42 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
The wireless card is now associated with an access point again.
Monitor Wireless LAN with Kismet
################################
Another way to monitor wireless LAN activities is to use a dedicated application like Kismet (on Windows similar software includes Netstumbler and Inssider). Kismet puts your wireless card into monitor mode and then provides a basic view of the different APs nearby (as identified by the captured packets).
To install and configure on Ubuntu:
$ sudo apt-get install kismet
$ cd /etc/kismet
$ sudo nano kismet.conf
You must edit the kismet.conf file to configure. Two things must be set (others are optional). First the SUID user should be set to your username:
suiduser=sgordon
And the source needs to be set to identify your wireless LAN interface (wlan0 on my computer), as well as the driver and card (ath5k is the driver for my Atheros based wireless card on my Samsung laptop). Steps for setting up Kismet on a Lenovo Ideapad V470 are described here.
#source=none,none,addme
source=ath5k,wlan0,atheros
After saving kismet.conf, start Kismet:
$ sudo kismet
If all is well, after a few seconds the Kismet interface will start showing you a list of APs. Press h for help and start exploring. To quit press Q. Make sure when Kismet exits it puts your wireless LAN interface back into managed mode. Check with iwconfig, and if not, do so yourself with the above commands.