Wireless Network Sniffing

Wireless Network Sniffing or Packet Sniffing can be done using a tool called airodump-ng which is a part of Aircrack-ng and comes preinstalled in Kali Linux. Airodump-ng is a packet sniffer used to capture all the packets within the range of the wireless adapter.


How to scan nearby wireless networks:

  • In Terminal, type:
    • Syntax: airodump-ng <ne twork_adapter>
    • Example:  airodump-ng wlan0
  • This will start scanning all the nearby wireless access points and displays all the details about them.
  • Description of every field:
Field Description
BSSID MAC address of the access point. 
PWR Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal-level reporting. If the PWR is -1 for a limited number of stations then this is for a packet that came from the AP to the client but the client transmissions are out of range for your card. Meaning you are hearing only 1/2 of the communication. If all clients have PWR as -1 then the driver doesn't support signal-level reporting.
RXQ Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.
Beacons A number of announcement packets were sent by the AP. Each access point has about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
# Data The number of captured data packets (if WEP, unique IV count), including data broadcast packets.
#/s The number of data packets per second measure over the last 10 seconds.
CH Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference or overlapping channels.
MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and up to 54 are 802.11g. Anything higher is 802.11n or 802.11ac. The dot (after 54 above) indicates a short preamble is supported. Displays “e” following the MB speed value if the network has QoS enabled.
ENC Encryption algorithm in use. OPN = no encryption,“WEP?” = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA, WPA2 or WPA3 if TKIP or CCMP is present (WPA3 with TKIP allows WPA or WPA2 association, pure WPA3 only allows CCMP). OWE is for Opportunistic Wireless Encryption, aka Enhanced Open.
CIPHER The cipher was detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA, and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40 bits and should be 0 for 104 bits.
AUTH The authentication protocol was used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
ESSID Shows the wireless network name. The so-called “SSID”, can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests. See this section for more information concerning hidden ESSIDs.
STATION MAC address of each associated station or station searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of “(not associated)”.
Rate The station's receive rate is followed by the transmit rate. Displays “e” following each rate if the network has QoS enabled.
Lost The number of data packets lost over the last 10 seconds is based on the sequence number. See the note below for a more detailed explanation.
Packets The number of data packets sent by the client.
Notes Additional information about the client, such as captured EAPOL or PMKID.
Probes The ESSIDs were probed by the client. These are the networks the client is trying to connect to if it is not currently connected.

How to scan a specific network:

  • In the terminal, type:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 wlan0
  • This process will start scanning a particular network.  To get the MAC address and Channel Number of a particular network use the above-defined method to scan all the networks and get the MAC and CH of a particular network.
  • Additionally, if you want to write the data of scanning to a file. Add one option:
    • Syntax: airodump-ng --bssid <mac> --channel <ch_number> --write <file_name> <network_adapter>
    • Example: airodump-ng --bssid e2:33:44:55:66:77 --channel 2 --write test wlan0
  • This will write all the data to a file in your current directory which can be further used to extract passwords and important data.

Video Tutorial

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

    No comments:

    Post a Comment