-Sony Vaio laptop running Back|Track 4 Final w/ Intel Pro4965agn wireless card
Machine to be monitored:
-Acer 5741 running Windows 7 connected to 802.11g wireless network w/ WPA2 authentication
Monitor Mode vs. Promiscuous Mode
There seems to be some confusion about the difference between monitor mode and promiscuous mode, with people often thinking the two are just different names for the same thing. Monitor mode is a mode that wireless cards can be placed in whereby the card captures every 802.11 frame it can hear in the air, regardless of where the traffic comes from or where it is going, and without being associated with any access point.
Promiscuous mode allows your wireless (or wired) card to sniff all traffic on the network it is attached to, regardless of whether that traffic is addressed to it. Thus, wireless promiscuous mode requires you to be associated with an access point to work. Under normal circumstances, promiscuous mode will sniff all traffic that is within the same collision domain. If you are dealing with a normal wireless network, all computers connected to an access point are within the same collision domain. This is because most wireless networks act like a non-switched Ethernet LAN, the difference being that they use CSMA/CA instead of CSMA/CD.
The authentication and encryption used on the wireless network also have to be taken into consideration when monitoring. I will be using monitor mode to sniff traffic on a WPA2 encrypted network.
Setting up Monitor Mode
Log in to Back|Track 4, open a terminal window, and bring up wlan0:
root@bt:~# ifconfig wlan0 up
Place the wireless card into monitor mode with airmon-ng (creating a virtual monitoring interface called mon0):
root@bt:~# airmon-ng start wlan0
Begin monitoring the traffic going to and from your wireless access point:
root@bt:~# airodump-ng mon0 --bssid [AP:MAC:address:goes:in:here] --channel [AP channel number]
Setting up Wireshark
Back|Track Menu-->Internet-->Wireshark
Once Wireshark opens up, press the Capture Interfaces button located directly under the File menu in the upper left corner. It is also located in the menu bar under
Capture-->Interfaces
You should see your mon0 interface listed among the other interfaces available for capturing traffic.
Select the "Options" button for interface mon0. Next, you should see an options window open up for interface mon0. Press the "Capture Filter" button in the window.
A second window will open with Capture Filter settings. The first filter available should be "Ethernet Address" followed by a MAC address. Select this filter and change the MAC address in the two boxes at the bottom of the screen (labeled "Filter name" and "Filter string") to the MAC address of your wireless access point. This will filter down traffic to just your wireless access point.
Click "OK" to close the Capture Filter window and then click "Start" in the remaining window. You are now monitoring traffic flowing over your wireless network. However, the traffic is encrypted...
Wireshark has built-in on-the-fly decryption capabilities as long as you properly set up the encryption key. In order to decrypt WPA2 traffic you'll first go to the Wireshark Preferences located in the menu bar under
Edit-->Preferences
Expand the "Protocols" field on the left by clicking the arrow beside it. Next, scroll down until you find the "IEEE 802.11" protocol and highlight it. Make sure the "Enable decryption" box is checked and then enter the WPA2 key in the field labeled "Key #1" (or the next available key field).
The format for entering WPA and WPA2 keys is the same and there are examples located just above the key fields. In my case, I use a text password so my format was "wpa-pwd:mypass:mySSID" minus the quotes.
Once you have entered the key in the proper format, click OK. Wireshark is now ready to decrypt traffic on-the-fly.
Kicking Clients off the Network
Now that Wireshark is set up to capture and decrypt traffic on your network, you can start kicking clients off.
In order for Wireshark to decrypt WPA and WPA2 traffic, it must capture an Extensible Authentication Protocol over LAN (EAPOL, defined in 802.1X) handshake. This EAPOL handshake is the four-way handshake used by WPA and WPA2 to set up the keys used to encrypt traffic between the client and the AP; until it has seen one, Wireshark only has the key derived from your passphrase and SSID, not the per-session keys that actually protect the data frames.
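To show why the "wpa-pwd:mypass:mySSID" entry needs the SSID as well as the passphrase, and why decryption still waits for the four-way handshake, here is an added Python example that is not part of the original post and not Wireshark's own code. It performs the two key-derivation steps from IEEE 802.11i: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and the PTK is expanded from the PMK together with the AP and client MAC addresses and the ANonce/SNonce exchanged in handshake messages 1 and 2. The passphrase/SSID pair "password"/"IEEE" is the published test vector from the standard; the MAC addresses and nonces are constructed sample values, and the function names are my own.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK for WPA/WPA2-Personal): PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    This is what a sniffer computes from a passphrase + SSID entry; it is static per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    for counter = 0, 1, ... until nbytes of output are available."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion",
                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    48 bytes for CCMP (KCK 16 | KEK 16 | TK 16); TKIP would use 64.
    The nonces only exist once a handshake has been captured, which is why the
    sniffer cannot decrypt data frames before seeing one."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """Split a CCMP PTK into its three parts; TK is the key that decrypts data frames."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample values (not from a real capture).
AP_MAC = bytes.fromhex("00117f000001")
STA_MAC = bytes.fromhex("0013ce000002")
ANONCE = bytes(range(32))               # 32-byte nonce from handshake message 1
SNONCE = bytes(range(32, 64))           # 32-byte nonce from handshake message 2


def demo() -> dict:
    """Run the derivation end to end and return the hex-encoded keys."""
    pmk = derive_pmk("password", "IEEE")           # standard test vector
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    parts = split_ptk(ptk)
    return {"PMK": pmk.hex(), **{k: v.hex() for k, v in parts.items()}}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The PMK is the same for every client and every session, which is why a single passphrase entry in Wireshark is enough; the PTK changes with every association because the nonces do, so a capture that misses the handshake cannot be decrypted even with the right passphrase.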
To capture this handshake you can use aireplay-ng to force a client (or all clients) on your wireless network to reassociate:
root@bt:~# aireplay-ng -0 1 -a [AP:MAC:address:goes:in:here] mon0
This command sends a deauthentication broadcast to all clients associated with the AP, causing them to reassociate, which allows Wireshark to capture the EAPOL four-way handshake.
Once this is done, Wireshark immediately begins decrypting packets and allows you to see everything that is going on in your wireless network.
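The deauthentication broadcast that aireplay-ng sends above is also exactly what a wireless IDS watches for: a burst of deauthentication or disassociation management frames from one transmitter, usually addressed to the broadcast address, is a classic indicator. As an added example that is not part of the original post, the Python below decodes the fixed 802.11 management header (frame control, the three addresses, and the reason code carried by deauth/disassoc bodies) of a few constructed frames and flags any transmitter that sends more such frames than a threshold. The frames, MAC addresses, threshold and function names are constructed sample values of my own; on a real network you would feed it raw frames read from the mon0 capture. One caveat: on a network with 802.11w management frame protection enabled, clients discard unauthenticated deauthentication frames, so this kind of burst does not knock them off.

```python
import struct
from collections import Counter

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frame(frame: bytes) -> dict:
    """Decode frame control and the three addresses of a raw 802.11 frame (no radiotap header).
    Frame control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
    A reason code follows the 24-byte header only in disassoc/deauth frames."""
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "addr1": frame[4:10].hex(":"),   # receiver / destination
        "addr2": frame[10:16].hex(":"),  # transmitter / source
        "addr3": frame[16:22].hex(":"),  # BSSID for management frames
        "reason": None,
    }
    if ftype == 0 and subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_burst(frames, threshold: int = 3) -> list:
    """Count deauth/disassoc frames per transmitter and return one alert per
    transmitter that reaches the threshold, noting how many were broadcast."""
    counts = Counter()
    broadcast = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            counts[f["addr2"]] += 1
            if f["addr1"] == BROADCAST:
                broadcast[f["addr2"]] += 1
    return [
        {"transmitter": ta, "count": n, "broadcast": broadcast[ta]}
        for ta, n in counts.items()
        if n >= threshold
    ]


# --- constructed sample frames standing in for a mon0 capture (not real traffic) ---
def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Minimal management frame: frame control, duration, DA, SA, BSSID, seq ctrl, body."""
    fc = bytes([subtype << 4, 0x00])   # type 0 (management), version 0
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


AP = bytes.fromhex("00117f000001")     # constructed AP MAC
STA = bytes.fromhex("0013ce000002")    # constructed client MAC
BCAST = b"\xff" * 6

SAMPLE_FRAMES = (
    [mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP)]
    # five broadcast deauths carrying the transmitter's BSSID, reason 7
    + [mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP, struct.pack("<H", 7)) for _ in range(5)]
    # one client leaving normally: unicast to the AP, reason 3 (station is leaving)
    + [mgmt_frame(SUBTYPE_DEAUTH, AP, STA, AP, struct.pack("<H", 3))]
)

if __name__ == "__main__":
    for alert in detect_deauth_burst(SAMPLE_FRAMES):
        print(f"deauth burst from {alert['transmitter']}: "
              f"{alert['count']} frames, {alert['broadcast']} to broadcast")
```

On a live capture the counter would be kept per sliding time window rather than over the whole list; the single client that sends one unicast deauth on its way out stays below the threshold, which is the behaviour you want from the alert.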
How to Decrypt 802.11
Real 802.11 Security Online Book