Using airodump-ng to tap the air

Let's investigate by using another utility from the aircrack suite, airodump-ng, as follows:

Running the airodump-ng wlan0mon command starts sniffing the wireless networks around us while continually hopping across channels. This gives us a list of the numerous wireless networks available in the vicinity. The list in the upper half of the screen shows the wireless access points, each with a BSSID (the MAC address of the access point), an ESSID (the name of the network), and many other details. The bottom half of the screenshot lists the stations, that is, the endpoint devices.

We can also see that the preceding list contains CH, which is the channel number on which the access point is operating. The channels are nothing but frequencies, with channel 1 being 2,412 MHz and channel 14 being 2,484 MHz. The channels are separated by a 5 MHz gap, which means that if channel 1 is 2,412 MHz, then channel 2 is 2,417 MHz, channel 3 is 2,422 MHz, and so on.

Additionally, we have a PWR field that denotes the signal power. A lower power value means that the access point is farther from our wireless interface. We can see that the wireless network VIP3R has a PWR of -51, which means that it is quite near to us, while the access point dlink-DAD9_EXT is very far from us, with the lowest power. The power value is very important when physically locating a device in a building or on a floor.

Moreover, we can see the type of encryption used, the cipher, the authentication type, and much more in the preceding list. In the lower pane, we can see the devices that are connected to the listed Wi-Fi access points.

Let's capture all the details from a single wireless network, VIP3R, by using the following command:

airodump-ng wlan0mon --bssid 78:44:76:E7:B0:58 -c 11 -w viper

In the preceding command, we used the --bssid switch to filter the packets originating only from the 78:44:76:E7:B0:58 (VIP3R) access point, while capturing only on channel 11 by using the -c 11 switch. We have also chosen to write all the output to files prefixed with viper by using the -w switch. The preceding command yields the following details:

By running the command, we obtain the details listed in the preceding screenshot. We can see three stations connected to the access point and, along with that, a WPA handshake as well. A WPA handshake means that someone tried to authenticate with the wireless network. If the number of stations increases after a WPA handshake, the authentication was typically successful; if there is no increase, it was not. Again, stations can be located through the PWR signal as well. Generally, attackers capture this WPA handshake through two different means:

  • Listening when someone tries to authenticate
  • Intentionally forcing away stations connected to the access point and allowing them to reconnect

Attackers will brute-force the handshake to find the network password and gain access to the network. We saw that we captured the handshake using airodump-ng. As soon as we stop capturing, airodump-ng writes the capture file along with some other files, as shown through the ls -la command in the following screenshot:

Let's open the capture (.cap) file in Wireshark by issuing the wireshark viper-01.cap & command and selecting WLAN Traffic from the Wireless menu:

We are shown the statistics of the wireless traffic, as in the preceding screenshot. Note that airodump-ng captures frames from other networks as well. Let's apply a filter on the MAC address of our wireless access point, as follows:

Well, we can see that using wlan.addr followed by the MAC address/BSSID of the access point filters all the packets for the access point (AP) of interest. We can see that one of the clients, with a MAC address starting with 2c:33:61:xx:xx:xx, is an Apple device. Additionally, the MAC addresses of all the stations can be resolved to their vendor using the Resolved Addresses option in Wireshark, as shown in the following screenshot:

Wireshark does not give us precise statistics on how many stations our AP is talking to. Let's use tshark -r viper-01.cap -2 -R wlan.da==78:44:76:e7:b0:54 -T fields -e wlan.sa | sort | uniq to help us out, as follows:

The tshark tool reads the file given by the -r switch and applies the two-pass read filter wlan.da==78:44:76:e7:b0:54 (-2 -R) to keep only frames destined for the AP, while printing only the wlan.sa source address field using the -T fields and -e wlan.sa switches. We then sort the output and print the unique entries by using the sort and uniq Linux commands, which leaves one line per station that sent frames to the AP.
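As an added example that is not from the book or the aircrack suite: a Python script that parses the CSV file airodump-ng writes next to the .cap when run with -w (its column layout is assumed here, and the sample rows are constructed), converts channel numbers to frequencies as described earlier, and counts the stations seen per BSSID, which is the same figure the tshark | sort | uniq pipeline above produces from the .cap file.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of the .csv sidecar that airodump-ng -w
# writes (layout assumed; MAC addresses and timings are made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
78:44:76:E7:B0:58, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -51, 120, 0, 0.0.0.0, 5, VIP3R,
AA:BB:CC:00:11:22, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -84, 12, 0, 0.0.0.0, 14, dlink-DAD9_EXT,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
2C:33:61:AA:BB:01, 2019-01-01 10:00:10, 2019-01-01 10:05:00, -60, 40, 78:44:76:E7:B0:58, VIP3R
D8:9E:F3:AA:BB:02, 2019-01-01 10:00:20, 2019-01-01 10:05:00, -70, 10, 78:44:76:E7:B0:58,
00:11:22:AA:BB:03, 2019-01-01 10:00:30, 2019-01-01 10:05:00, -75, 3, (not associated), VIP3R
"""


def channel_to_mhz(channel: int) -> int:
    """2.4 GHz band: 5 MHz spacing from 2412 MHz, except channel 14 at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def _rows(text: str):
    # airodump-ng pads every field with a space, so strip keys and values.
    return [{k.strip(): v.strip() for k, v in row.items() if k}
            for row in csv.DictReader(io.StringIO(text))]


def parse_airodump_csv(text: str):
    """Split the file into its access-point table and its station table."""
    head, _, tail = text.partition("\nStation MAC")
    return _rows(head), _rows("Station MAC" + tail)


def stations_per_ap(aps, stations):
    """Associated stations per ESSID; probing-only clients are not counted."""
    counts = Counter(s["BSSID"] for s in stations if s["BSSID"] != "(not associated)")
    return {ap["ESSID"]: counts.get(ap["BSSID"], 0) for ap in aps}


def aps_by_proximity(aps):
    """(ESSID, PWR, MHz) tuples, strongest signal (likely nearest AP) first."""
    return [(ap["ESSID"], int(ap["Power"]), channel_to_mhz(int(ap["channel"])))
            for ap in sorted(aps, key=lambda a: -int(a["Power"]))]
```

Replace SAMPLE_CSV with the contents of viper-01.csv to run it against a real session.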

If the preceding command produces Lua errors, disable Lua by editing line 29 of the /usr/share/Wireshark/init.lua file and setting disable_lua=true.

We can check the found MAC addresses at https://macvendors.com/, as follows:

Additionally, since MAC Vendors provides an API, we can always develop a Python script to do the MAC checking for us. You can look at one of the scripts at https://macvendors.co/api/python.