In this article, we will cover the concept of capturing or sniffing network traffic on a Wi-Fi/wireless network using free tools on Kali Linux. In order to successfully capture traffic on a wireless network, we will need to have a wireless network adapter that can be placed into monitor mode. Most wireless adapters can only support managed mode which does not allow us to monitor traffic on a wireless network.
To check the status of our wireless adapter, we will use the iwconfig command in the terminal. The output of iwconfig shows whether our wireless adapter is currently in managed mode or monitor mode.
The command that we will use to put our wireless adapter into monitor mode is airmon-ng. We can see what options are available to us when using this command:
sudo airmon-ng --help
The options available include start, stop, and check. Now we will start monitor mode on our adapter (here wlan0) by running the command below:
sudo airmon-ng start wlan0
To check the status of our wireless adapter, we will run iwconfig again:
iwconfig
As we can see from the output, the wireless adapter has changed to monitor mode and its name has also changed to wlan0mon. It is worth noting that while in monitor mode, our device will not have internet connectivity.
Next, we will introduce a new command that we can use to view information on the various wireless networks that are within our range. The command is airodump-ng. We will run the command and input the new name for our wireless adapter from above:
sudo airodump-ng wlan0mon
The output displays a list of networks with their associated information, such as the MAC address of the wireless router (the BSSID), the channel number, the type of encryption and authentication being used, and the name of the wireless network (the ESSID). To stop the airodump-ng tool, we press CTRL+C. With this information, we can focus our capture on a single network by specifying the MAC address (BSSID) of its wireless router. In our case, we will focus on our own router, whose wireless network has a BSSID of 54:AF:97:62:74:9C.
We will use the command below to gather much more information about our target network. The captured packets will be written to files whose names begin with the prefix wificapture1:
sudo airodump-ng --channel 2 --bssid 54:AF:97:62:74:9C --write wificapture1 wlan0mon
Once we run the command, we will start to see MAC address information for the different stations (end-user devices) that are communicating on that Wi-Fi network. We stop the command by pressing CTRL+C. We can then view the files that were generated by our command. To list them, we will use this command:
ls -l
As we can see, there are five files whose names begin with the prefix we specified in our command, in our case wificapture1. When it comes to viewing network capture files, specifically the one whose name ends with .cap, there is a popular and useful tool that allows us to view and analyze the captured traffic: Wireshark. We can open it from the terminal or by searching for it in the GUI. In the terminal, we simply type wireshark to open the tool.
With Wireshark open, we click File > Open, select the file that ends with .cap, and click Open (or double-click the file).
The resulting window will display various packets that were being sent by different devices on the wireless network. We can drill down into the different packets to analyze more details associated with the communication.
For every packet in the list, we are able to see information such as the source MAC address, the destination MAC address, and the frame type. We can filter the packets on this information to narrow down our analysis. It is worth pointing out that if the wireless network uses some form of protection or encryption, the 802.11 headers (addresses, BSSID, frame type) are still visible, but it will be hard to decipher the data contents of the packets.
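As an added example that is not part of the original article, the following Python script does on a constructed sample what the Wireshark steps above do by hand: it reads a raw 802.11 .cap file, decodes each frame's type, source, destination and BSSID, filters by BSSID the way airodump-ng --bssid does, and reports whether the Protected Frame bit is set, which is why the payload of a protected network's data frames cannot be read as-is. It assumes the capture uses link type 105 (raw 802.11 without a radiotap header); every MAC address except the article's 54:AF:97:62:74:9C is constructed.

```python
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames without a radiotap header (assumed for the .cap file)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):   # decode one 802.11 MAC header: type/subtype, DA/SA/BSSID, Protected bit
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc & 0x0100), bool(fc & 0x0200), bool(fc & 0x4000)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 1:   # control frames (ACK, RTS, ...) carry only a receiver and sometimes a transmitter
        return {"type": "control", "subtype": subtype, "dst": mac(a1),
                "src": mac(a2) if len(frame) >= 16 else None, "bssid": None, "protected": False}
    if to_ds and from_ds:       # WDS/mesh: four addresses, no single BSSID
        dst, src, bssid = a1, a2, None
    elif to_ds:                 # station -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds:               # AP -> station
        dst, bssid, src = a1, a2, a3
    else:                       # management frames and ad hoc data
        dst, src, bssid = a1, a2, a3
    return {"type": ("management", "control", "data", "extension")[ftype], "subtype": subtype,
            "src": mac(src), "dst": mac(dst), "bssid": mac(bssid) if bssid else None, "protected": protected}

def read_pcap(data):   # classic libpcap file in either byte order; yields the raw frames
    end = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    assert struct.unpack_from(end + "I", data, 20)[0] == LINKTYPE_IEEE802_11, "expected linktype 105"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(end + "IIII", data, off)[2]   # captured length of this record
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def summarize(data, bssid=None):   # optional BSSID filter, like airodump-ng --bssid
    rows = [parse_frame(f) for f in read_pcap(data)]
    return [r for r in rows if r["bssid"] == bssid.lower()] if bssid else rows

def build_sample_cap():   # constructed capture (not real traffic): 2 beacons, 2 protected data frames, 1 ACK
    ap, ap2, sta, bc = (bytes.fromhex(h) for h in ("54af9762749c", "001122334455", "aabbccddeeff", "ff" * 6))
    frames = [b"\x80\x00\x00\x00" + bc + ap + ap + b"\x00" * 14,                   # beacon, our router
              b"\x80\x00\x00\x00" + bc + ap2 + ap2 + b"\x00" * 14,                 # beacon, neighbour
              b"\x08\x41\x00\x00" + ap + sta + bc + b"\x00\x00" + b"\x11" * 16,    # To-DS, protected
              b"\x08\x42\x00\x00" + sta + ap + ap + b"\x00\x00" + b"\x22" * 16,    # From-DS, protected
              b"\xd4\x00\x00\x00" + sta]                                            # ACK to the station
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

To run it against a real airodump-ng file, pass the bytes of wificapture1-01.cap to summarize() instead of build_sample_cap(); a capture saved with a radiotap header will trip the link-type check rather than decode garbage.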