WiFi Sniffing
Summary
Sniff Wi-Fi traffic using a wireless interface that supports monitor mode and packet injection (*). WPA/WPA2 supports several authentication methods, but aircrack-ng can only crack pre-shared keys, so only networks that use PSK authentication can be attacked this way (airodump-ng shows whether a network uses PSK in its AUTH column). The pre-shared key is recovered with a plain brute-force attack over a dictionary: the PSK must be contained in the wordlist used for the attack. If it is not in the list, aircrack-ng cannot determine the key. Cracking WPA/WPA2 also requires the initial 4-way handshake, which is exchanged between a client and the AP when the client connects to the network.
Requirements
- Operating system: Kali Linux 64 Bit
- Wireless card: one that can inject packets (injection test: see (*) below)
Prerequisites
The following information about the hardware used is needed:
- MAC of PC running the attack:
- MAC of a wireless client in the network:
- BSSID:
- ESSID:
- Channel used by AP:
- Wireless interface:
Description
Overview
The following steps are needed to get the password:
1) Put the wireless interface into monitor mode on the AP channel
2) Use airodump-ng on the AP channel to collect the needed handshake
3) Use aireplay-ng to deauthenticate a wireless client in the network
4) Use aircrack-ng to crack the key using the collected handshake
Step 1 - Use monitor mode on the wireless interface using the AP channel
To listen to every packet in the air, the wireless card needs to be in monitor mode. A card that is not in monitor mode only receives packets addressed to itself. While listening to every packet sent, an attacker eventually captures the 4-way handshake used to crack WPA/WPA2. Additionally, wireless clients can be deauthenticated, as explained in a later step.
Depending on the driver used by the card, different methods need to be used to enable monitor mode. This tutorial only shows the procedure for the madwifi-ng driver; for further information, see aircrack-ng's tutorial.
Open a terminal and type:
airmon-ng
to determine the driver your card is using. The output for a wireless card with an Atheros chipset looks like this:
PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
The next step is to switch to monitor mode. Syntax: airmon-ng start <interface> <channel used by AP>. Because we don't know the channel used by the AP yet, we start monitor mode without specifying a channel:
airmon-ng start wlan0
Output:
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    605 NetworkManager
   2948 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0mon        ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
                (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)
Now we can check whether the interface is in monitor mode using iwconfig:
iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

tun0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
As we can see, the interface has been renamed from wlan0 to wlan0mon and is in monitor mode. With airodump-ng <interface> we can monitor all APs within reach.
airodump-ng wlan0mon
The output lists all APs with information such as ESSID, BSSID, PWR, beacons, channel, encryption, cipher and the authentication method used.
 CH  4 ][ Elapsed: 1 min ][ 2021-12-17 10:40

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 68:02:B8:1F:A1:3A  -50       46       31    0  11  130   WPA2 CCMP   PSK  WLAN18250073
Important for the further attack are the BSSID (68:02:B8:1F:A1:3A) and the channel used (11).
Step 2 - Use airodump-ng on the AP channel to collect the needed handshake
Now that we have the BSSID and channel of the AP, we can start capturing the 4-way handshake with the command airodump-ng -c <channel> --bssid <bssid> -w <filename> <interface>:
airodump-ng -c 11 --bssid 68:02:B8:1F:A1:3A -w CapturedData wlan0mon
Output:
(output still to be added)
Now the tool collects every packet from this AP. It can take quite a while until a 4-way handshake takes place; Step 3 helps to speed things up.
Step 3 - Use aireplay-ng to deauthenticate a wireless client in the network
A faster way to capture the 4-way handshake is to manually connect an additional client to the wireless network: when the new client connects, the AP starts the 4-way handshake. Because this is impractical, an attacker can instead deauthenticate clients already connected to the Wi-Fi network so that they reconnect and the 4-way handshake is repeated. The BSSID and the MAC address of the device to deauthenticate are needed to conduct the attack.
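The two things Steps 2 and 3 depend on, a captured 4-way handshake and the deauthentication frames used to provoke it, are also exactly what a defender watches for on the air. The following script is an added example written for this page; it is not code from the original tutorial or from the aircrack-ng project. It parses raw 802.11 frames in the radiotap framing that airodump-ng writes to its .cap files, counts deauthentication/disassociation frames per transmitter to flag a deauth flood, and tracks which of the four EAPOL-Key messages have been seen per client, which is what any tool has to verify before it can report a complete handshake. The sample frames, the client address 02:00:00:00:00:01, the flood threshold of five frames and the WPA2 flag convention used to tell message 2 from message 4 are assumptions of this example; only the BSSID 68:02:B8:1F:A1:3A comes from the page.

```python
import struct
from collections import Counter, defaultdict

MGMT, DATA = 0, 2              # 802.11 frame types
DEAUTH, DISASSOC = 12, 10      # management subtypes that drop a client from the network
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E = EAPOL
KI_ACK, KI_MIC, KI_SECURE = 0x0080, 0x0100, 0x0200  # EAPOL-Key "Key Information" flags


def parse_frame(pkt):
    """Split one radiotap-framed 802.11 packet (the layout airodump-ng writes to its .cap
    file) into (type, subtype, receiver, transmitter, bssid, body); None if too short."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 4 else len(pkt)  # radiotap length, LE
    dot11 = pkt[rt_len:]
    if len(dot11) < 24:
        return None
    fc0, fc1 = dot11[0], dot11[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = (":".join(f"{b:02X}" for b in dot11[i:i + 6]) for i in (4, 10, 16))
    hdr, bssid = 24, a3                          # management frames: Addr3 is the BSSID
    if ftype == DATA:
        ds = fc1 & 0x03                          # To-DS / From-DS bits decide which field holds the BSSID
        bssid = {0x00: a3, 0x01: a1, 0x02: a2}.get(ds, a2)
        if ds == 0x03:                           # four-address (WDS) frame
            hdr += 6
        if subtype & 0x08:                       # QoS data frame carries 2 extra header bytes
            hdr += 2
    return ftype, subtype, a1, a2, bssid, dot11[hdr:]


def handshake_message(body):
    """Classify an EAPOL-Key payload as 4-way handshake message 1..4 from its Key Information
    flags (WPA2/RSN convention: M4 sets Secure, M2 does not); None if not an EAPOL-Key frame."""
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 15 or body[9] != 3:  # EAPOL type 3 = Key
        return None
    key_info = struct.unpack_from(">H", body, 13)[0]   # after LLC/SNAP, version, type, length, desc. type
    ack, mic, secure = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_SECURE
    if ack and mic:
        return 3
    if ack:
        return 1
    if mic:
        return 4 if secure else 2
    return None


def analyze(frames, deauth_threshold=5):
    """Summarise a capture: deauth/disassoc frames per transmitter, transmitters at or above
    the flood threshold, and the handshake messages seen per (BSSID, client) pair."""
    deauths = Counter()
    handshakes = defaultdict(set)
    for pkt in frames:
        parsed = parse_frame(pkt)
        if parsed is None:
            continue
        ftype, subtype, receiver, transmitter, bssid, body = parsed
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            deauths[transmitter] += 1
        elif ftype == DATA:
            msg = handshake_message(body)
            if msg is not None:
                # M1/M3 travel AP -> client (client = receiver); M2/M4 client -> AP (client = transmitter)
                client = receiver if msg in (1, 3) else transmitter
                handshakes[(bssid, client)].add(msg)
    return {
        "deauth_counts": dict(deauths),
        "deauth_flood_from": sorted(s for s, n in deauths.items() if n >= deauth_threshold),
        "handshakes": {k: sorted(v) for k, v in handshakes.items()},
        "complete_handshakes": sorted(k for k, v in handshakes.items() if v == {1, 2, 3, 4}),
    }


# ---- constructed sample capture (test fixture, not recorded traffic) ------------------
AP = "68:02:B8:1F:A1:3A"       # BSSID from the tutorial's airodump-ng output
STA = "02:00:00:00:00:01"      # constructed client address
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)   # minimal 8-byte radiotap header with no fields

def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def _mgmt(subtype, dst, src, bssid, body):
    fc = bytes([subtype << 4 | MGMT << 2, 0])
    return RADIOTAP + fc + b"\x00\x00" + b"".join(map(_mac_bytes, (dst, src, bssid))) + b"\x00\x00" + body

def _eapol(key_info, ap_to_sta):
    fc = bytes([DATA << 2, 0x02 if ap_to_sta else 0x01])          # From-DS for AP->STA, To-DS for STA->AP
    addrs = (STA, AP, AP) if ap_to_sta else (AP, STA, AP)          # Addr1..Addr3 as the DS bits require
    key_desc = b"\x02" + struct.pack(">H", key_info) + bytes(90)   # descriptor type 2 (RSN), rest zeroed
    eapol = b"\x02\x03" + struct.pack(">H", len(key_desc)) + key_desc
    return RADIOTAP + fc + b"\x00\x00" + b"".join(map(_mac_bytes, addrs)) + b"\x00\x00" + LLC_SNAP_EAPOL + eapol

SAMPLE_CAPTURE = (
    [_mgmt(DEAUTH, STA, AP, AP, b"\x07\x00")] * 6             # burst of deauths carrying the AP's address
    + [_mgmt(DISASSOC, AP, STA, AP, b"\x08\x00")]             # one disassociation from a client leaving
    + [_eapol(0x008A, True), _eapol(0x010A, False),           # M1 (ACK), M2 (MIC)
       _eapol(0x13CA, True), _eapol(0x030A, False)]           # M3 (Install|ACK|MIC|Secure), M4 (MIC|Secure)
)

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```

On the sample capture this reports six deauthentication frames with the AP's address as transmitter (flagged as a flood), one benign disassociation from the client, and a complete handshake for the (BSSID, client) pair. That pattern, a burst of deauthentications followed by a fresh handshake from a client that was already connected, is what Step 3 looks like from the network side; wireless intrusion detection systems alert on it, and networks that require 802.11w Protected Management Frames blunt it, because clients discard unprotected deauthentication frames. To run the script on a real file, read the per-packet payloads of the .cap with a pcap library and pass them to analyze().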
Display your wireless interfaces:
iwconfig
Connect the external Wi-Fi adapter to your host computer.
iwconfig
The newly added interface in the list is the external adapter. In my case it was 'wlan1'. In the following steps I refer to the external adapter as 'wlan1'.
Start monitor mode on the external adapter (**):
airmon-ng start wlan1
The previous command creates a new interface called 'wlan1mon'. Verify with:
iwconfig
Display active Wi-Fi networks:
airodump-ng wlan1mon
Remember the channel of the network you want to attack. In my case it was channel 11.
Set your adapter to the appropriate channel:
iwconfig wlan1mon channel 11
Verify the frequency:
iwconfig wlan1mon
iwlist channel
Start capturing data:
airodump-ng --channel 11 -w alfa wlan1mon
Filter URLs from captured traffic:
urlsnarf -p alfa-01.cap
Filter pictures from captured traffic:
driftnet -f alfa-01.cap -a -d Pictures/
Disable monitor mode:
airmon-ng stop wlan1mon
(*) Test if the adapter supports injection:
aireplay-ng -9 wlan1mon
Detailed information about wireless adapters available in ELVIS can be found here.
(**) This command did not work with ALFA NETWORK AWUS036ACH and ALFA NETWORK AWUS036EAC. The following commands are an alternative way to start monitor mode on the adapter:
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
Results
| Browser | urlsnarf | driftnet |
|---|---|---|
| Microsoft Edge (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Mozilla Firefox (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Google Chrome (Windows 10 host) | no results reading the pcap file | no results reading the pcap file |
| Google Chrome (Android host) | no results reading the pcap file | no results reading the pcap file |
| Samsung Internet (Android host) | URLs captured | images captured |
Used Hardware
- Windows 10 host
- Kali Linux host
- Samsung Galaxy A8
- LG Nexus 5X Google Smartphone 32 GB, Android 6.0 Marshmallow, Carbon
- Panda 300 Mbps Wireless N USB Adapter PAU05
- Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter
- Alfa AWUS036EAC AC1200 USB Wireless Adapter