Difference between revisions of "WiFi Sniffing"
Revision as of 10:22, 17 December 2021
Summary
Sniff Wi-Fi traffic using wireless interfaces that support monitor mode and packet injection (*). WPA/WPA2 supports several authentication types, but aircrack-ng can only crack pre-shared keys, so only networks using PSK can be attacked this way (airodump-ng shows whether a network uses PSK). The pre-shared key is recovered by a plain brute-force attack over a dictionary: the PSK must be contained in the dictionary used, otherwise aircrack-ng cannot determine the key. WPA/WPA2 cracking also needs the initial 4-way handshake, which is exchanged between a client and the AP when the client connects to the network.
Requirements
- Operating system: Kali Linux 64 Bit
- Wireless card: one that can inject packets (see the injection test under (*) below)
Prerequisites
The following information about the hardware used is needed:
- MAC of PC running the attack:
- MAC of a wireless client in the network:
- BSSID:
- ESSID:
- Channel used by AP:
- Wireless interface:
Description
Overview
The following steps are needed to get the password:
1) Enable monitor mode on the wireless interface on the AP channel
2) Run airodump-ng on the AP channel to collect the needed handshake
3) Use aireplay-ng to deauthenticate a wireless client in the network
4) Use aircrack-ng to crack the key using the collected handshake
Step 1 - Enable monitor mode on the wireless interface on the AP channel
To listen to every packet in the air, the wireless card needs to be in monitor mode; a card that is not in monitor mode only receives the packets addressed to itself. By listening to every packet sent, an attacker eventually captures the 4-way handshake that is used to crack WPA/WPA2. Additionally, wireless clients can be deauthenticated, which is explained in a later step.
Open a terminal.
Depending on the driver used by the card, different methods are needed to enable monitor mode. This tutorial only shows the procedure for XXXX; for further information see aircrack-ng's tutorial (https://www.aircrack-ng.org/doku.php?id=cracking_wpa).
Display your wireless interfaces:
iwconfig
Connect the external Wi-Fi adapter to your host computer.
iwconfig
The newly added interface in the list is the external adapter. In my case it was 'wlan1'. In the following steps I refer to the external adapter as 'wlan1'.
Start monitor mode on the external adapter (**):
airmon-ng start wlan1
The previous command creates a new interface called 'wlan1mon'. Verify with:
iwconfig
Display active Wi-Fi networks:
airodump-ng wlan1mon
Remember the channel of the network you want to attack. In my case it was channel 11.
Set your adapter to the appropriate channel:
iwconfig wlan1mon channel 11
Verify the frequency:
iwconfig wlan1mon
iwlist channel
Start capturing data:
airodump-ng --channel 11 -w alfa wlan1mon
Filter URLs from captured traffic:
urlsnarf -p alfa-01.cap
Filter pictures from captured traffic:
driftnet -f alfa-01.cap -a -d Pictures/
Disable monitor mode:
airmon-ng stop wlan1mon
(*) Test if the adapter supports injection:
aireplay-ng -9 wlan1mon
Detailed information about wireless adapters available in ELVIS can be found here.
(**) This command did not work with ALFA NETWORK AWUS036ACH and ALFA NETWORK AWUS036EAC. The following commands are an alternative way to start monitor mode on the adapter:
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
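The capture that airodump-ng writes above (alfa-01.cap) is a pcap of raw 802.11 frames, and a defender reviewing such a capture wants to spot the deauthentication step from the overview, since a burst of deauthentication frames is the most visible trace of this attack. The following Python is an added example, not part of the original tutorial: it parses a classic pcap with link type 105 (or 127, stripping the radiotap header), counts deauthentication and disassociation frames per transmitter and BSSID, and reports pairs at or above a threshold; the capture it runs on is constructed inline with hypothetical MAC addresses.

```python
import struct
from collections import Counter

DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 105, 127
DISASSOC, DEAUTH = 0xA, 0xC  # 802.11 management frame subtypes

def frames_from_pcap(data):
    """Yield raw 802.11 frames from a classic pcap (link type 105, or 127 with radiotap stripped)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == DLT_IEEE802_11_RADIO:  # radiotap header length is little-endian at bytes 2..3
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        elif linktype != DLT_IEEE802_11:
            raise ValueError("unsupported link type %d" % linktype)
        yield frame

def mac(b):
    return ":".join("%02x" % x for x in b)

def deauth_report(pcap_bytes, threshold=5):
    """Count deauth/disassoc frames per (transmitter, BSSID); return pairs at or above threshold."""
    counts = Counter()
    for f in frames_from_pcap(pcap_bytes):
        if len(f) < 24:
            continue
        fc = f[0]
        ftype, subtype = (fc >> 2) & 0x3, fc >> 4
        if ftype == 0 and subtype in (DEAUTH, DISASSOC):
            counts[(mac(f[10:16]), mac(f[16:22]))] += 1  # addr2 = transmitter, addr3 = BSSID
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample capture (hypothetical MACs, not a real recording).
def mgmt_frame(subtype, da, sa, bssid, body):
    return bytes([subtype << 4, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body

def build_pcap(frames, linktype=DLT_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

AP, CLIENT, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"), b"\xff" * 6
SAMPLE = build_pcap([mgmt_frame(0x8, BCAST, AP, AP, b"\x00" * 12)]          # one beacon
                    + [mgmt_frame(DEAUTH, BCAST, AP, AP, b"\x07\x00")] * 8  # deauth burst, reason code 7
                    + [mgmt_frame(DEAUTH, AP, CLIENT, AP, b"\x03\x00")])    # one client leaving normally
```

To run it over a real capture, pass `open("alfa-01.cap", "rb").read()` to `deauth_report` instead of `SAMPLE`.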
Results
Browser | urlsnarf | driftnet
---|---|---
Microsoft Edge (Windows 10 host) | no results reading the pcap file | no results reading the pcap file
Mozilla Firefox (Windows 10 host) | no results reading the pcap file | no results reading the pcap file
Google Chrome (Windows 10 host) | no results reading the pcap file | no results reading the pcap file
Google Chrome (Android host) | no results reading the pcap file | no results reading the pcap file
Samsung Internet (Android host) | URLs captured | images captured
Used Hardware
- Windows 10 host
- Kali Linux host
- Samsung Galaxy A8
- LG Nexus 5X Google Smartphone 32 GB, Android 6.0 Marshmallow, Carbon
- Panda 300 Mbps Wireless N USB Adapter PAU05
- Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter
- Alfa AWUS036EAC AC1200 USB Wireless Adapter