
Sniffing Wireless Traffic With Backtrack
Introduction
Picking up traffic that is not destined for your MAC address is generally done by putting the network interface in promiscuous mode. On a wired Ethernet interface this works fine. For 802.11 wireless traffic, however, promiscuous mode on an ordinary (managed) interface misses a lot: the driver only hands up data frames of the network you are associated with, already converted to Ethernet framing, so management and control frames (beacons, probe requests, authentication and association exchanges, ACKs) and anything sent on other networks never reach the capture.
In order to see every frame in the air, including frames from networks you are not associated with and from clients that are not associated with any access point or ad-hoc network, you need a chipset and driver that support monitor mode. This guide describes how to enable monitor mode on BackTrack 4 with the Intel Wireless LAN 3945 chipset (iwl3945 driver). It should work for most Linux/WLAN card combinations, provided the kernel supports the card and the chipset and driver support monitor mode.
Enabling Monitor Mode
Fire up Wireshark and try to capture on your wireless network interface (in my case it was called wlan0). You will probably only see your own traffic. Now we use the aircrack-ng package to create a new interface in monitor mode that passes every frame the radio hears on its current channel to Wireshark. The commands below need root privileges (the default on BackTrack).
$ airmon-ng start wlan0
This creates a new interface called mon0 (airmon-ng prints the name it chose). Now start a capture with Wireshark on that interface to see every frame on the current channel, complete with its 802.11 headers: beacons, probe requests, the authentication and association exchanges, and data frames of all networks in range. The promiscuous-mode setting in Wireshark's capture options makes no difference on a monitor interface, which already delivers all frames; leaving it enabled is harmless. Note that data frames of WEP and WPA/WPA2 networks show up with encrypted payloads; Wireshark can decrypt them only if you give it the key (for WPA/WPA2-PSK the passphrase plus a captured four-way handshake of the client in question).
$ airodump-ng mon0
The airodump-ng command provides a real-time overview of all detected base stations (access points) and client devices, including MAC addresses, channel, encryption type, signal strength and more.
Figure: The airodump-ng interface
In the 2.4 GHz band the 802.11 standard defines 14 channels whose centre frequencies are only 5 MHz apart while each channel is about 22 MHz wide, so neighbouring channels overlap (only 1, 6 and 11 are fully separate, and which channels are legal depends on the country). A wireless card can listen on one channel at a time, so while it is tuned to channel 1, traffic on the other channels is not detected. By default airodump-ng therefore hops rapidly across the channels to detect as many devices as possible; it learns which channel each access point uses from the DS Parameter Set element in that access point's beacons and shows it in the CH column. To stay on one channel, for instance to capture a complete exchange, lock it with the -c (channel) option.
Figure: The 802.11 WiFi channels
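To make the two points above concrete (what airodump-ng reads out of a beacon, and which channels overlap), here is an added example, not code from the original post or from the aircrack-ng project. It parses one constructed beacon frame in the radiotap framing that a mac80211 monitor interface such as mon0 delivers, extracts the BSSID, SSID, channel and Privacy bit, and applies the 5 MHz spacing / 22 MHz width rule to find a non-overlapping channel set. The sample frame (BSSID 00:11:22:33:44:55, SSID "ExampleAP", channel 6) is constructed here, not captured.

```python
"""Parse 802.11 beacon frames from a monitor-mode capture and work out
2.4 GHz channel overlap. Added example, not part of the original post."""
import struct

# Monitor-mode captures (ARPHRD_IEEE80211_RADIOTAP) start with a radiotap
# header; its total length is stored in bytes 2-3 (little endian), so real
# captures with more radiotap fields than the sample parse the same way.
def radiotap_length(buf):
    version, _pad, length = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError("not a radiotap frame")
    return length

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_beacon(buf):
    """Return BSSID, SSID, channel and privacy flag of a beacon, or None if
    the frame is not a beacon. This is what airodump-ng shows in its
    BSSID, ESSID, CH and ENC columns."""
    frame = buf[radiotap_length(buf):]
    if len(frame) < 36:              # 24-byte MAC header + 12-byte fixed body
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:   # management frame, subtype beacon
        return None
    bssid = mac_str(frame[16:22])    # Addr3 carries the BSSID in a beacon
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "privacy": bool(capability & 0x0010),  # Privacy bit: WEP/WPA in use
            "interval_tu": interval}
    # Tagged parameters (information elements): 1 byte id, 1 byte length, value
    off = 36
    while off + 2 <= len(frame):
        eid, ln = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + ln]
        if len(val) < ln:            # truncated element: stop, do not misparse
            break
        if eid == 0:                 # SSID
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and ln == 1:   # DS Parameter Set: the channel number
            info["channel"] = val[0]
        off += 2 + ln
    return info

# 2.4 GHz channel plan: centres 5 MHz apart from 2412 MHz, channel 14 at 2484 MHz.
def channel_to_mhz(ch):
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    raise ValueError("not a 2.4 GHz channel")

CHANNEL_WIDTH_MHZ = 22   # 802.11b/g channel width

def channels_overlap(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_to_mhz(a) - channel_to_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_set(channels=range(1, 15)):
    """Greedily pick channels, lowest first, that do not overlap each other."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

# Constructed sample: one beacon as mon0 would deliver it (8-byte radiotap
# header with no fields, then the 802.11 frame, no FCS). Not a real capture.
SAMPLE_BEACON = (
    b"\x00\x00\x08\x00\x00\x00\x00\x00"               # radiotap: v0, len 8, no fields
    + b"\x80\x00"                                    # frame control: mgmt / beacon
    + b"\x00\x00"                                    # duration
    + b"\xff" * 6                                    # Addr1: broadcast
    + b"\x00\x11\x22\x33\x44\x55" * 2                # Addr2 (SA) and Addr3 (BSSID)
    + b"\x10\x00"                                    # sequence control
    + struct.pack("<QHH", 0x1234567890, 100, 0x0411)  # timestamp, 100 TU, ESS+Privacy
    + b"\x00\x09ExampleAP"                           # SSID element
    + b"\x01\x04\x82\x84\x8b\x96"                    # supported rates 1/2/5.5/11 Mbit
    + b"\x03\x01\x06"                                # DS Parameter Set: channel 6
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
    print("non-overlapping 2.4 GHz channels:", non_overlapping_set())
```

A frame captured on wlan0 in managed mode would never reach this parser: the driver drops beacons before they are handed to the capture, which is exactly why the monitor interface is needed. The greedy channel search reproduces the familiar 1/6/11 set (plus 14 where it is permitted).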
Hopping only works when nothing else holds the radio on a fixed channel. mon0 shares the radio with wlan0, and as long as wlan0 is up and associated with a network the driver keeps the radio on that network's channel. If the CH value in the upper left of the airodump-ng screen is not changing, you need to take wlan0 down.
$ ifconfig wlan0 down
This disables the wlan0 network interface, which frees the radio for channel hopping. Use your wired network card if you still want to have internet access. If the channel still does not change, a network manager (NetworkManager or wpa_supplicant) is probably bringing wlan0 back up or scanning with the radio; stop it before capturing.
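The three steps above, wrapped in a script that also checks the outcome, as an added example that is not part of the original post or of aircrack-ng. After running airmon-ng and taking wlan0 down it confirms through sysfs that mon0 really is a monitor-mode interface (the kernel reports link type 803, ARPHRD_IEEE80211_RADIOTAP, for a mac80211 monitor interface, against 1, ARPHRD_ETHER, for a managed one) and that wlan0 is actually down, the two conditions under which channel hopping works. The interface names wlan0 and mon0, the iwl3945/mac80211 driver and the /sys/class/net layout are assumptions.

```python
"""Run the monitor-mode procedure and verify the result. Added example,
not part of the original post; wlan0/mon0 and the sysfs paths are
assumptions for a mac80211 driver such as iwl3945."""
import os
import subprocess
import sys

# Link-layer types from linux/if_arp.h as exposed in /sys/class/net/<iface>/type
ARPHRD_ETHER = 1                  # what a managed wlan0 reports
ARPHRD_IEEE80211 = 801            # raw 802.11 frames, no capture header
ARPHRD_IEEE80211_PRISM = 802      # Prism capture header
ARPHRD_IEEE80211_RADIOTAP = 803   # radiotap header: what mac80211 mon0 reports
MONITOR_LINK_TYPES = {ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
                      ARPHRD_IEEE80211_RADIOTAP}
IFF_UP = 0x1                      # bit 0 of /sys/class/net/<iface>/flags

def is_monitor_link_type(link_type):
    """Only the 801-803 types mean the interface delivers raw 802.11 frames."""
    return link_type in MONITOR_LINK_TYPES

def flags_say_up(flags_text):
    """Parse the hex value of /sys/class/net/<iface>/flags and test IFF_UP."""
    return bool(int(flags_text.strip(), 16) & IFF_UP)

def read_sysfs(iface, attr, sysfs="/sys/class/net"):
    with open(os.path.join(sysfs, iface, attr)) as f:
        return f.read()

def iface_is_monitor(iface, sysfs="/sys/class/net"):
    try:
        return is_monitor_link_type(int(read_sysfs(iface, "type", sysfs)))
    except (OSError, ValueError):
        return False              # missing interface or unreadable attribute

def iface_is_up(iface, sysfs="/sys/class/net"):
    try:
        return flags_say_up(read_sysfs(iface, "flags", sysfs))
    except (OSError, ValueError):
        return False

def build_commands(managed="wlan0", monitor="mon0", channel=None):
    """The three commands of the post, in order. channel=None lets airodump-ng hop."""
    dump = ["airodump-ng"]
    if channel is not None:
        dump += ["-c", str(channel)]   # lock on one channel instead of hopping
    dump.append(monitor)
    return [["airmon-ng", "start", managed],
            ["ifconfig", managed, "down"],
            dump]

def enable_monitor(managed="wlan0", monitor="mon0"):
    """Create the monitor interface, take the managed one down, then verify both."""
    for cmd in build_commands(managed, monitor)[:2]:
        subprocess.check_call(cmd)
    if not iface_is_monitor(monitor):
        raise RuntimeError("%s is not a monitor-mode interface" % monitor)
    if iface_is_up(managed):
        raise RuntimeError("%s is still up; channel hopping will not work" % managed)
    return monitor

if __name__ == "__main__":
    if os.geteuid() != 0:
        sys.exit("run as root")
    mon = enable_monitor()
    ch = int(sys.argv[1]) if len(sys.argv) > 1 else None   # optional channel lock
    subprocess.call(build_commands(monitor=mon, channel=ch)[2])
```

Run it without arguments to get the hopping airodump-ng view, or with a channel number to lock onto that channel. If the "still up" error fires even though ifconfig succeeded, something (typically NetworkManager or wpa_supplicant) re-enabled wlan0 in between and has to be stopped first.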
Hi,
There seems to be quite a lot of information regarding “how to listen to a WiFi signal” out there with the use of, for example, BackTrack 5.
But I have a different challenge. I have a Ubiquity high-gain antenna that feeds me an Ethernet cable right to my computer with many channels and signals on each channel.
The question that I have is how I can use BackTrack to test the security of these signals.
Using BackTrack 5, I need to put the PC Ethernet card in monitoring mode, as well as be able to dump the list of signals and initiate an attack.
Unfortunately I don't seem to find the appropriate BackTrack commands to do this.
Any recommendations?