This is the second part in a four (five?) part series on WiFi security and the dangers of not being aware of it. I would recommend reading the first one if you haven’t yet, although it isn’t completely essential to understand this article if you are already familiar with Linux and basic wireless networking. I’ll save you from another long-winded introduction and let’s just jump right in.
Gaining Awareness
In the previous WiFi story we connected to a wireless network on a Linux computer via the command line. Now it’s time to disconnect. Think of it as taking a step back so you can gain a wider perspective on the network. We can do this by putting our network card into monitor mode. Monitor mode is one of those network operating modes we talked about in the previous article. A network card in monitor mode is able to see any 802.11 network traffic flying through the air. To set the adapter to monitor mode we will need to kill any interfering services like we did in the previous post, but this time we’ll use a neat little utility provided to us by the Aircrack-ng suite.
dj@siriusA # sudo airmon-ng check kill
Airmon-ng is one tool in the Aircrack-ng toolkit which provides a way for us to quickly kill any network traffic that might interfere with our network card. We can also use it to put our network card into monitor mode, but for the sake of learning I’d rather do it with native Linux commands. We will come back to Aircrack-ng later. As with the last article, we will use the adapter name ‘alfa’. Change your adapter’s alias to alfa or replace it with the name of your adapter.
dj@siriusA # sudo ip link set alfa down
dj@siriusA # sudo iw alfa interface add mon0 type monitor
dj@siriusA # sudo ip link set alfa up
dj@siriusA # sudo ip link set mon0 up
Now to confirm what we just did.
dj@siriusA # iwconfiglo no wireless extensions.enp0s31f6 no wireless extensions.wlp4s0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:onalfa IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:on
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
We just brought the adapter down, created a virtual interface called mon0 and set it’s operating mode to monitor mode, then brought the main interface back up. Now not only do we have interface called alfa that can be connected to an access point, but also another interface called mon0 that can listen to all wireless network traffic detectable in your vicinity. Fun, right? Not yet? Well let’s keep going.
Taking a closer look
While we’re here, let’s see those MAC addresses we’ve heard so much about in action. When it comes to monitoring the network we will need to use the mon0 interface from now on.
dj@siriusA # sudo tcpdump -ne -i mon0tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
21:15:45.242996 1.0 Mb/s 2437 MHz 11b -79dBm signal antenna 1 BSSID:dc:a6:32:67:7a:df DA:ff:ff:ff:ff:ff:ff SA:dc:a6:32:67:7a:df Beacon (Arcturus) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH: 6, PRIVACY
21:15:45.260561 1.0 Mb/s 2437 MHz 11b -79dBm signal antenna 1 BSSID:68:8f:2e:e9:61:92 DA:ff:ff:ff:ff:ff:ff SA:68:8f:2e:e9:61:92 Beacon (Pretty Fly for a WiFi) [6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 Mbit] ESS CH: 6, PRIVACY
21:15:45.262562 24.0 Mb/s 2437 MHz 11g -77dBm signal antenna 1 RA:c4:ac:59:a4:21:4b Acknowledgment
<snip>
Woah! So what did we just do? The tcpdump utility is a network data packet analyzer that has far more options and versatility then we can (or should) cover in five blog posts. The -e flag tells the tool to print the link-layer header on each line. In other words, it shows the MAC addresses associated with the traffic. If you want to analyze this data in a somewhat friendlier way, try adding a ‘-w output.pcap’ flag to your tcpdump command to write it to a file called output.pcap. From there you can open it up in a program called Wireshark which will help you analyze and break down the packets in a more coherent fashion. Seeing as we have a lot to cover still, I’ll assume you’re the relentless autodidact you deserve to be and let you tinker with that on your own. Before we move on though, do you remember reading about probe packets in the last article? If you want to know what those look like tcpdump has you covered.
dj@siriusA # sudo tcpdump -i mon0 -e -s 256 type mgt subtype probe-resp or subtype probe-req -Xtcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 256 bytes
21:29:41.931800 1.0 Mb/s 2437 MHz 11b -79dBm signal antenna 1 BSSID:Broadcast DA:Broadcast SA:8a:75:a3:53:b2:fe (oui Unknown) Probe Request () [1.0 2.0 5.5 11.0 Mbit]
0x0000: 0000 0104 0204 0b16 3208 0c12 1824 3048 ........2....$0H
0x0010: 606c 0301 012d 1a6e 0103 ff00 0000 0000 `l...-.n........
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 00dd 0700 50f2 0800 0000 ....P.....
21:29:41.932641 1.0 Mb/s 2437 MHz 11b -77dBm signal antenna 1 BSSID:Broadcast DA:Broadcast SA:8a:75:a3:53:b2:fe (oui Unknown) Probe Request () [1.0 2.0 5.5 11.0 Mbit]
0x0000: 0000 0104 0204 0b16 3208 0c12 1824 3048 ........2....$0H
0x0010: 606c 0301 012d 1a6e 0103 ff00 0000 0000 `l...-.n........
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 00dd 0700 50f2 0800 0000 ....P.....
What you’re seeing there are packets being sent by mobile stations looking for networks to connect to. The ‘-X’ flag allows us to see the data frames in both hex (the block of numbers and letters on the left) and ASCII (the dots and such on the right). I highly recommend spending some time learning how to use tcpdump more thoroughly.
On the subject of MAC addresses…
We already know that MAC addresses are unique identifiers tied to your hardware, and now you know how trivial it is to see them in transit. What this means is that any party with the appropriate motivation can theoretically observe your actions on a network with impunity and associate it with your specific hardware. Keep in mind that MAC addresses will also be stored in logs on the access point as well. You may be wondering if there’s a way to keep your unique hardware private while operating on a network. Well, there is. Turns out it’s also quite trivial.
dj@siriusA # sudo ip link set alfa down
dj@siriusA # sudo ip link set dev alfa address f4:00:12:ab:cc:0a
dj@siriusA # sudo ip link set alfa up
dj@siriusA # ip link show alfa3: alfa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
link/ether f4:00:12:ab:cc:0a brd ff:ff:ff:ff:ff:ff
That MAC address I chose was completely random; if you want to be more realistic about it you need to know that the first three groups of hexadecimal numbers are specific to the manufacturer of the network card. For example, the prefix 00:03:7F is specific to network cards made by Atheros Communications, Inc. If you’re interested, check out this list of MAC prefixes and their associated vendors. Perhaps you can write yourself a script out of it. If not, there’s always the macchanger utility.
Getting tactical
If you’ve made it this far I applaud you. From now on I’ll be making a point to be a little bit less verbose. It’s time for us to start getting our hands dirty, and if we’re going to get tactical it’s best not to talk so much. Remember Aircrack-ng?
dj@siriusA # sudo airodump-ng mon0 -w output.pcap
That command instructs the adapter to continuously listen to any traffic in the area and then dumps it to standard output. The -w flag dumps the capture data to a file which can be viewed later using something like Wireshark. The output you will see should look something like this.
To protect the innocent I chose to capture on my network only. If you try this yourself you’ll likely see much more traffic. What you’re seeing here is a list of access points and their associated BSSID, SSID, and various other bits of information gleaned from the intercepted packets. Below you will start to see the MAC addresses of stations which are connected to the various access points. You’ll notice that in the top left corner there is a number which keeps changing. This number is the channel number. In wireless networking, the channel corresponds to the specific frequency the card is listening on. All WiFi signals operate within a 2.4 GHz range (or 5 GHz but let’s not talk about that). However, to limit interference there are different frequencies — or channels — within the 2.4 GHz range. Let’s try a little experiment.
dj@siriusA # sudo iwconfig alfa channel 1
dj@siriusA # iwconfig alfa
alfa IEEE 802.11 ESSID:off/any
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off# sudo iwconfig alfa channel 7
# iwconfig alfa
alfa IEEE 802.11 ESSID:off/any
Mode:Managed Frequency:2.442 GHz Access Point: Not-Associated
Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
Take a look at the Frequency field. We’ve just changed the listening frequency from 2.412 to 2.442. If you only want to capture traffic on a certain frequency all you have to do is tell airodump-ng to do that for you.
dj@siriusA # sudo airodump-ng mon0 -c 7 -w output.pcap
To narrow the output even further we can specify just one network to capture traffic on. You just need to grab the BSSID of whichever access point you are trying to eavesdrop on from the above output.
dj@siriusA # sudo airodump-ng mon0 --bssid BC:FE:17:FE:23:D8
Ok. Great. So what do we do with all of this data? For starters we can attempt to get a visual on all this traffic flying through the air.
dj@siriusA # sudo airgraph-ng -i output-01.csv -o graph.png -g CAPR
Aircrack offers us a handy little utility which takes our capture data and creates a visual graphic for us to see the relationships between stations an access points.
dj@siriusA # xdg-open graph.png
As before, I chose a picture which only shows my network. Again, you’d likely see a much bigger picture if you listened to all traffic in the area. The CAPR parameter stands for Client to AP Relationship. This will show you a map of all the access points in the area and any stations that are associated with them. The other option would be CPG which stands for Client to Probe Request. Play around with it to gain a better understanding.
That’s all… for now
But don’t worry, there’s much more to cover. Now that we’ve gone over some basic wireless reconnaissance it’s time to get a little more aggressive. In the next blog post we will get introduced to wireless attacks against access points and ways to prevent them from happening to you!