Sunday 17 May 2009

Using airodump-ng to monitor wireless networks

When checking wireless networks, one of the first things I use is airodump.

Kismet is also a fantastic tool, however I find that airodump is good to find info quickly and you are able to quickly apply filters to narrow down your search easily.
Kismet on the other hand is able to give other information such as IP ranges, hidden ssids (given enough time) and can also function as an IDS, so all depends what you want to do / what you need.

In my case I am using an Asus eeepc with an Atheros wireless interface and am using trusty 'ol Back|Track3 Final on a live-usb.
My test setup is a router with hidden SSID with 128bit WEP encryption.


The atheros chipset has a so-called master interface and virtual access points or VAPs.
What we do is use the master interface (in this case wifi0) to create virtual interfaces.

The first action to take is to check what wireless interfaces are up and to put your wireless card into monitor mode.

Open up a terminal and do the below ;

airmon-ng

airmon-ng start wifi0

Now I have 2 working VAPs,
ath0 & ath1

ath0 is in managed mode
ath1 is in monitor mode

Now our card is in monitor mode (this can be checked by doing an iwconfig).

iwconfig ath1





To start airodump, simply type in the terminal

airodump-ng ath1

airodump will run without any filters showing all networks within range.
Some access points / routers are set to send beacons at a lower speed than normal, with the channels hopping as quickly as they are in standard mode, it can take a while for airodump to find the AP.
We can adjust the channel hopping speed by using the -f command;
To keep the results on the display for longer you can adjust the time limit with the --berlin option.
Now airodump will only change channels every 2000 milliseconds (2 seconds) and keep the results on the display for 600 seconds.

airodump-ng ath1 -f 2000 --berlin 600




If you are looking specifically for an open network or a wep network, you can filter the results using the -t option and to only have clients listed which are connected to networks, apply the -a filter.

airodump-ng ath1 -f 2000 --berlin 600 -t OPN -t WEP -a




(hard to believe people actually still use WEP ! but they do..)

Now to limit the results to the test network, we filter it down to show only the results for my test network using the --bssid command. The other filter options can be removed as we will be limiting the view to a single access point only.
Best to also lock the channel to the channel the test network is using with the -c command.

airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60




To write all packets to a file we add the -w command, this will capture all the dta packets from the access point which can be used (when enough packets have been captured) to crack the WEP key.
airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60 -w test

To save only the captured ivs (which will enable a quicker wep crack, if you have sufficient!) add the --ivs option.
airodump-ng ath1 -a -c 2 --bssid 00:13:D4:09:32:60 -w test --ivs

If you want to have airodump check 3 specific channels only (for instance channels 4, 7 & 11), this can also be specified with the -c command ;
airodump-ng ath1 -c 4,7,11


Video showing the above;

http://blip.tv/file/2123543/
or
http://www.youtube.com/watch?v=AUPw15m-6uM



Information on airodump-ng can be found here.

7 comments:

  1. what about wpa/wpa2 and other forms of encryption?

    ReplyDelete
    Replies
    1. Sure, you can use the following ;
      -t opn == filter Open networks
      -t wep == filter Wep encrypted networks
      -t wpa == filter WPA/WPA2 networks

      Delete
  2. btw 10 * walk through i found it verry useful thank you

    ReplyDelete
  3. First of all Thanks for the post! Quick question:
    How did you get the prompt to come back up once you had airodump running. I'm kinda new to Linux but I got this far but once its running the only way I can stop it is by powering down the machine. Space bar does pause it...

    ReplyDelete
    Replies
    1. In command line you can use Ctrl + C to stop the running process.

      Same goes for MS-DOS as in linux command line.

      Delete
  4. Hi, what i have to do when i wrote: airmon-ng, and I see: don't find description?
    Can u write me step by step how I must install this?

    ReplyDelete

 
Google Analytics Alternative