Tools of the trade

Kali provides an excellent platform for the discovery, cataloging, and penetration of wireless networks. In this section, we will look at several tools that can be used to scan and discover wireless networks. This process will be instrumental in later chapters as we use the information gathered here to choose our targets and focus our efforts:

  • Airodump-ng
  • Airgraph-ng
  • hoover
  • Wash
  • Kismet
  • Wireshark

Let's look at each of these tools in more detail and show how they can assist with mapping and discovering wireless networks.

Airodump-ng

Airodump-ng is part of the Aircrack-ng suite, which is used extensively to attack 802.11 wireless networks. Airodump-ng captures raw 802.11 frames from the surrounding wireless medium; it can also collect the weak IVs (Initialization Vectors) used to crack a WEP key. Its output is saved in several formats (pcap, ivs, csv, gps, kismet, netxml, and so on) that can be analyzed once the scan is finished. By default, airodump-ng discovers access points by hopping across every channel in the selected band (the 2.4 GHz band unless you pass --band a or --band abg for 5 GHz). If a channel is set explicitly with the -c option, it locks to that channel and lists every access point transmitting on it, together with the clients communicating with those access points or probing for networks. Captured traffic is written to files whose prefix is given with the -w option; airodump-ng appends a sequence number, so -w dump produces dump-01.cap, dump-01.csv, and so on. Once the scan is finished, the capture can be replayed through airodump-ng with -r to review the results.

Access points that hide their ESSID (their beacons carry an empty SSID field) are still detected, because their data frames reveal the BSSID; the network name itself is learned when a valid client station connects, since probe and association requests carry the ESSID in the clear. Airodump-ng is a passive scanner and does not send any probe request frames to actively discover clients or infrastructure devices. The ability to operate entirely passively, while still discovering hidden networks, makes it more desirable during a penetration test than active tools such as Netstumbler, which announce themselves by transmitting probes.

Follow these steps to conduct a simple scan using airodump-ng:

  1. Bring the wireless card up by running the following command:
    # ifconfig wlan0 up
    
  2. Start Airmon-ng to create a monitor mode interface, as shown here (run airmon-ng check kill first if NetworkManager or wpa_supplicant keeps resetting the card):
    # airmon-ng start wlan0
    
  3. Start Airodump-ng by specifying the newly created monitor mode interface. Older Kali releases name it mon0, as here; Kali 2.0 and later name it wlan0mon, which the later examples in this chapter use:
    # airodump-ng -w dump -c 11 mon0
    
    

The preceding command instructs Airodump-ng to listen on channel 11 and save the output into a file with the name dump.

Airodump-ng

In addition to simply scanning all the traffic on a specific channel from all participating BSSIDs and clients, you can leverage additional flags in airodump-ng to filter and map relationships within the wireless network and enumerate details about the infrastructure serving the wireless clients. For example, you can capture only the traffic to and from a specific AP by passing its MAC address with the --bssid filter option.

The following screenshot lists the available flags that can be utilized with airodump-ng. We will provide some specific combinations that will be helpful during your penetration test.

Airodump-ng

During the scanning phase of your assessment, many of the preceding flags can help you get a picture of the deployed wireless infrastructure, connected clients, and relationships:

#airodump-ng --manufacturer wlan0mon

The preceding command displays the manufacturer of the wireless access points based on the MAC address matched to the IEEE OUI list. This information can be very useful as we delve into identifying specific vulnerabilities and potential weaknesses with the infrastructure itself. This information is covered in more detail in Chapter 3, Exploiting Wireless Devices. The following screenshot shows the itemized BSSIDs and their associated manufacturers:

Airodump-ng

The following command displays only the traffic sent to and from the access point denoted by the MAC address that follows the bssid flag:

#airodump-ng --essid Internet --bssid XX:XX:XX:XX:XX:XX wlan0mon

The ESSID flag, Internet in this case, identifies which network should be watched for the traffic. The output of this command, as shown in the following screenshot, will also show you which clients are associated with this particular access point. This information can be helpful later, when we are targeting specific clients on the wireless network; these are clients that are known to be associated with a particular wireless network.

Airodump-ng

What can go wrong during a scanning activity? Let's take a look:

  • Locking the scan to a fixed channel (-c) that the target AP is not operating on, so it never appears in the output
  • Trying to scan a wireless network without putting the card into monitor mode
  • A client adapter whose chipset or driver does not support monitor mode
  • Trying to scan a network that is on a band the adapter does not cover (for example, 5 GHz with a 2.4 GHz-only card) or that is simply out of range

Adding a location to Airodump-ng with GPS

When conducting a penetration test, especially for a larger organization with many locations, keeping track of where clients and access points were located can be a bit tricky. As mentioned, this phase is typically the first of many during your testing. Knowing when and where a particular device or client was located can be beneficial when revisiting them at a later time. If you have a USB GPS device, adding the geolocation of these can be done automatically using airodump-ng.

Follow these steps:

  1. To begin, ensure that your device is compatible with gpsd, the GPS daemon included with Kali. For this example, GlobalSat BU-353 was used.
  2. Install the gpsd package using apt-get.
    #apt-get install gpsd
    

    The following screenshot shows the output of the apt-get command:

    Adding a location to Airodump-ng with GPS
  3. Initialize and test the GPS device with the following command:
    #gpsd -D 5 -N -n /dev/ttyUSB0
    

    In this example, the following flags were used:

    -D

    The debug level

    -N

    Tells gpsd to not run in the background; instead, it tells gpsd to show the output in the terminal window

    -n

    Do not wait for the client to connect to poll the GPS

    The following output shows the initialization of the GPS device on /dev/ttyUSB0. Give the receiver a clear view of the sky and wait for a fix; cgps -s (from the gpsd-clients package) shows the current position once one is acquired. Once gpsd is reporting positions, the individual tools that we use, such as airodump-ng and Kismet, can leverage it and incorporate the coordinates into their reporting tools.

    Adding a location to Airodump-ng with GPS
  4. Returning to airodump-ng, you can now add the --gpsd flag to your command line. You will see that the GPS location has been successfully added to the status window and will also be included in the dump files:
    #airodump-ng -c 6 --gpsd wlan0mon
    
    Adding a location to Airodump-ng with GPS

Visually displaying relationships with Airgraph-ng

When using airodump-ng's file output capabilities, several different file types will be written to the disk. Each type contains information gathered during the scanning session. The following screenshot shows a sampling of the file types that are collected:

Visually displaying relationships with Airgraph-ng

The .cap file is a packet capture file that can be imported into many packet analyzers, such as Wireshark, discussed later.

The .csv file contains the information displayed on the output screen, including BSSIDs, the number of data packets, and the client information.

We can use the .csv file to visually represent clients and access points using a tool from the aircrack-ng suite called airgraph-ng.

Airgraph-ng was not installed on Kali by default at the time of writing (current aircrack-ng packages bundle it, so check with which airgraph-ng before downloading anything; either way, it needs Graphviz installed to render the image). If it is missing, download it from the aircrack-ng repository using svn, preferably by following these steps:

  1. Download the code from aircrack-ng with the following command (the project has since moved to git, where the script lives under scripts/airgraph-ng in https://github.com/aircrack-ng/aircrack-ng):
    #svn co http://svn.aircrack-ng.org/trunk/scripts/airgraph-ng
    

    You should see the following screen:

    Visually displaying relationships with Airgraph-ng
  2. Add the execution flag to airgraph-ng by changing to the airgraph-ng directory and executing a chmod command:
    #cd airgraph-ng
    #chmod +x airgraph-ng
    
    Visually displaying relationships with Airgraph-ng

Airgraph-ng takes the .csv file created from airodump-ng as the input and outputs a .png file that displays the access points and associated clients. This makes it easy to find out which clients are associated with which access points.

  • If you installed airgraph-ng in the ~/airgraph-ng directory, you can generate this image file with the following command:
    #airgraph-ng -i ../dump-01.csv -o ../dump-01.png -g CAPR
    

    -i

    The input file, .csv, from your capture

    -o

    The output file where the .png file will be created

    -g

    Graph type: you can either choose Client to AP Relationship (CAPR) or Common Probe Graph (CPG)

The following screen capture shows a sample airgraph-ng image created using the CAPR graph type:

Visually displaying relationships with Airgraph-ng

Discovering Client Probes with Hoover

Knowing which wireless networks a client has associated with in the past can help you determine relationships between them and the organizations they work with. You may be able to find an unassociated client probing for an access point it has previously connected to, which gives you, as an attacker, the opportunity to lure that client onto a rogue access point and initiate a man-in-the-middle attack, as discussed in later chapters. Hoover is a script created just for this purpose: it runs tshark on your monitor mode interface and itemizes which unassociated clients are probing for which networks. This script is not included with Kali, but it can easily be obtained by cloning the git repository:

  1. Start by downloading the hoover.py script and the associated readme file:
    #git clone http://github.com/xme/hoover
    

    You should see the following screen:

    Discovering Client Probes with Hoover
  2. Switch to the hoover directory and run the script with the following options:

    --interface

    The capture interface (normally, mon0 or wlan0mon)

    --tshark-path

    Where tshark is installed (on Kali 2.0, this is in /usr/bin/tshark)

    The command is as follows:

    #hoover.py --interface wlan0mon --tshark-path /usr/bin/tshark
    

The output from this tool is represented in the following screen capture. You will be able to see the client MAC initiating the probe and the SSID they are requesting.

Discovering Client Probes with Hoover
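To make these relationships concrete without a screenshot, here is an added example (written for this edit; it is not code from the original text, from the aircrack-ng project, or from hoover) that parses the airodump-ng .csv described in the Airgraph-ng section above and rebuilds in Python the two graphs airgraph-ng draws, Client to AP Relationship (CAPR) and Common Probe Graph (CPG), plus the hoover-style list of clients probing for networks that nobody in range advertises. The CSV text is constructed to match airodump-ng's column layout; the MAC addresses and ESSIDs in it are made up.

```python
"""Parse the .csv that airodump-ng writes (-w prefix gives prefix-01.csv) and
rebuild the two graphs airgraph-ng draws: Client-to-AP Relationship (CAPR) and
Common Probe Graph (CPG).  Also lists probes for networks nobody in range
advertises, which is what hoover surfaces and what an evil-twin attack feeds on."""
from collections import defaultdict

NOT_ASSOCIATED = "(not associated)"   # airodump-ng's marker in the station BSSID column

# Constructed sample in airodump-ng's CSV layout (not a real capture): an AP
# table, a blank line, then a station table.  MACs and names are invented.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-06-01 10:00:00, 2015-06-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      100,        0,   0.  0.  0.  0,   8, Internet, 
66:77:88:99:AA:BB, 2015-06-01 10:00:00, 2015-06-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -62,       80,        0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2015-06-01 10:00:10, 2015-06-01 10:04:50, -45,       20, 00:11:22:33:44:55, 
AA:BB:CC:DD:EE:02, 2015-06-01 10:01:00, 2015-06-01 10:04:00, -70,        5, 66:77:88:99:AA:BB, Internet
AA:BB:CC:DD:EE:03, 2015-06-01 10:02:00, 2015-06-01 10:03:00, -55,        3, (not associated), HomeNet,CorpGuest
"""


def parse_airodump_csv(text):
    """Return ({bssid: ap_info}, [station_info]) from airodump-ng CSV text.
    The file is two comma-separated tables; the station table's last column
    (Probed ESSIDs) is itself comma-separated, so everything past column 6 is
    treated as probe names."""
    aps, stations, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        fields = [f.strip() for f in line.split(",")]
        if section == "ap" and len(fields) >= 15:
            # ESSID is column 13; a name containing commas was split further,
            # so rejoin everything up to the trailing Key column.
            essid = fields[13] if len(fields) == 15 else ",".join(fields[13:-1])
            aps[fields[0]] = {
                "channel": int(fields[3]),
                "privacy": fields[5],
                "cipher": fields[6],
                "power": int(fields[8]),
                "essid": essid,
                # airodump-ng leaves the ESSID empty for a cloaked network
                # until a client's probe/association reveals the name
                "hidden": essid == "",
            }
        elif section == "sta" and len(fields) >= 7:
            stations.append({
                "mac": fields[0],
                "power": int(fields[3]),
                "bssid": fields[5],
                "probes": [p for p in fields[6:] if p],
            })
    return aps, stations


def client_to_ap(stations):
    """CAPR: associated clients grouped under the BSSID they are attached to."""
    graph = defaultdict(list)
    for s in stations:
        if s["bssid"] != NOT_ASSOCIATED:
            graph[s["bssid"]].append(s["mac"])
    return dict(graph)


def common_probes(stations):
    """CPG: probed ESSID -> clients asking for it (associated or not)."""
    graph = defaultdict(list)
    for s in stations:
        for essid in s["probes"]:
            graph[essid].append(s["mac"])
    return dict(graph)


def unanswered_probes(aps, stations):
    """ESSIDs clients are probing for that no AP in range advertises: the
    names an attacker would impersonate with a rogue AP."""
    advertised = {ap["essid"] for ap in aps.values() if ap["essid"]}
    return sorted({p for s in stations for p in s["probes"]} - advertised)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, clients in client_to_ap(stations).items():
        name = aps.get(bssid, {}).get("essid") or "<hidden>"
        print("AP %s (%s): %s" % (bssid, name, ", ".join(clients)))
    for essid, clients in common_probes(stations).items():
        print("probe %-10s <- %s" % (essid, ", ".join(clients)))
    print("unanswered probes:", unanswered_probes(aps, stations))
```

Point it at a real dump-01.csv by reading the file into parse_airodump_csv; the station attached to the hidden AP (66:77:...) while also probing for Internet is the kind of cross-reference airgraph-ng's CPG makes visible, and HomeNet and CorpGuest, which no AP in range advertises, are the names a rogue AP would answer to.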

WPS discovery with Wash

Wi-Fi Protected Setup (WPS) is a function on consumer and SMB wireless devices that allows the simple onboarding of clients: a client looking to associate with an access point can either enter an eight-digit PIN or press a button that puts the device into a pairing mode. The PIN exchange in the original WPS design is vulnerable to an attack that brute-forces the PIN over the air, without requiring physical access to the device (the two halves of the PIN are verified separately and the last digit is a checksum, so only about 11,000 guesses are needed); a correct guess hands over the WPA passphrase. The process of actually exploiting this vulnerability will be discussed later; however, during our discovery phase, it is very helpful to identify which in-range devices have WPS enabled. Wash is an application designed to quickly identify these devices using the monitor mode interface that was created previously.

The following command enables WPS discovery and enumerates each device's BSSID, channel, WPS version, whether WPS is locked, and ESSID:

#wash -i wlan0mon -C

You should see the following output as a result:

WPS discovery with Wash

Note

The –C flag ignores Frame Checksum Errors, cleaning up the app's output.

Kismet

Kismet is a powerful sniffer and intrusion-detection system available as part of the Kali Linux distribution or as a separate download on other Linux-based distributions. It can be used to scan wireless 802.11 networks. Kismet is a passive scanner that listens on a specified band, collects the 802.11 packets, and detects the networks that are active. It can also discover hidden (non-beaconing) networks from their data packets. Kismet has features that are similar to airodump-ng. The two tools are similar in nature, except that Kismet can be used as an intrusion-detection system and operates in a client/server architecture. The decoupled client and server architecture allows a single server to be configured with distributed clients that collect data (scan), while the server provides the reporting interface. Custom signatures can be written to detect wireless intrusions, and Kismet ships with predefined rules for common wireless attacks. The scan output is saved in pcap format (alongside its other log types) in the log directory configured in kismet.conf, which defaults to the directory Kismet is started from. For these reasons, it is more often used by administrators to proactively monitor and test wireless networks than for the point-in-time scanning that airodump-ng performs as part of a penetration test.

To configure Kismet, edit the kismet.conf file, typically located in the /etc/kismet/ directory. Kismet is divided into a client and server process, wherein kismet_server and kismet_client can be run on a single machine or distributed among several machines. When Kismet drones are created on different machines, the Kismet server process treats the drones as one of its packet capture sources. The data accumulated in the central Kismet server process can be exported to a virtual interface where an administrator can enable Snort, or other IDS packages, to monitor the captured traffic. The directives below are for the Kismet release shipped with Kali at the time of writing; Kismet builds from 2017 onward replaced ncsource= with source=, dropped drones, and replaced kismet_client with a web interface, so check kismet.conf's own comments on a newer install.

Here are some kismet.conf tweaks that can be useful during the scanning of a wireless network:

  • ncsource=mon0:channellist=IEEE80211b: This tells Kismet to use the mon0 interface and listen on the 802.11b band
  • ncsource=drone:host=192.168.1.10,port=2502: This tells Kismet to connect to the remote kismet instance on 192.168.1.10 on port 2502
  • filter_tracker=BSSID(AA:BB:CC:DD:EE:FF): This tells Kismet to capture packets to and from this particular wireless router (AP)
  • filter_tracker=BSSID(!AA:BB:CC:DD:EE:FF): This tells Kismet to capture all packets excluding this BSSID

The following screen capture shows the output from the Kismet application and the itemization of the discovered wireless network attributes:

Kismet

Wireshark

Wireshark is a very popular network analyzer tool that's most widely used in the security domain for multiple purposes. Wireshark can be effectively used to perform a scan on wireless networks in order to discover access points. Similar to the other tools we looked at, Wireshark does not create any noise during scanning and passively listens on the interface specified and captures all the traffic. Consistent with the other tools in the chapter, the wireless adapter will need to be put into the monitor mode in order to capture traffic and identify the wireless networks. All the packets from the currently selected channel are captured. We can configure the monitor mode interface to listen on a particular channel and then run Wireshark. Though the focus of this book is Kali Linux, Wireshark itself will run on multiple platforms.

Note

It should be noted, however, that monitor mode cannot be enabled on Windows with the classic WinPcap driver, which does not support monitor mode operations. Its successor, Npcap, adds monitor mode support for some adapters, but the passive-capture workflow in this chapter assumes Linux.

Follow these steps to start sniffing on WLAN using Wireshark:

  1. Start the wireless interface in monitor mode using airmon-ng and lock it to a particular channel, in this case, channel 6 (iwconfig takes the bare keyword channel, not a dashed option; substitute wlan0mon for mon0 on Kali 2.0 and later):
    # ifconfig wlan0 up
    # airmon-ng start wlan0
    # iwconfig mon0 channel 6
    
  2. Start Wireshark in the background and select the monitor mode interface as the capture interface:
    # wireshark &
    
    

Once you've completed scanning, stop the Wireshark capture; the collected frames can then be narrowed down with display filters. The following are some useful filters for extracting the frames of interest (field names are case-sensitive, so wlan must be written in lower case):

Wireshark display filter                                    The frames extracted
wlan.fc.type_subtype == 4 || wlan.fc.type_subtype == 5      Probe request and probe response
wlan.fc.type_subtype == 8                                   Beacon frames
wlan.fc.type_subtype == 11                                  Authentication frames

Wireshark

Wireshark is a very powerful tool and its use in wireless penetration tests is very significant. We will be covering these in much greater detail in the subsequent chapters.
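The filter values in the table above are not arbitrary: Wireshark computes wlan.fc.type_subtype from the first byte of the 802.11 Frame Control field as (type << 4) | subtype, so for management frames (type 0) it is simply the subtype. The following added example (written for this edit; it is not code from the original text or from Wireshark) decodes that field from raw frame bytes, applies the same selection as the filters in the table, and extracts the SSID element from beacon and probe frames, flagging a cloaked AP whose beacons carry an empty SSID. All frames are built by hand inside the block; the addresses and network names are invented.

```python
"""Decode the 802.11 Frame Control field the way Wireshark's
wlan.fc.type_subtype filter does, and pull the SSID out of beacon and probe
frames.  The frames are built by hand below for the example; none are real
captures."""
import struct

MGMT, CTRL, DATA = 0, 1, 2                                     # FC type (bits 2-3 of byte 0)
PROBE_REQ, PROBE_RESP, BEACON, AUTH = 0x04, 0x05, 0x08, 0x0B   # management subtypes
IE_SSID = 0                                                    # tagged-parameter ID of the SSID


def mac(raw):
    return ":".join("%02X" % b for b in raw)


def frame_control(frame):
    """Wireshark's wlan.fc.type_subtype: (type << 4) | subtype.
    FC byte 0, LSB first: version (2 bits), type (2 bits), subtype (4 bits)."""
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    return (ftype << 4) | subtype


def parse_ies(body):
    """Walk the tagged parameters (ID, length, value) that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt(frame):
    """Addresses, SSID and hidden-SSID flag for a management frame; None otherwise."""
    ts = frame_control(frame)
    if ts >> 4 != MGMT:
        return None
    sa, bssid = mac(frame[10:16]), mac(frame[16:22])   # Address 2, Address 3
    body = frame[24:]                                   # after the 24-byte MAC header
    if ts in (BEACON, PROBE_RESP):
        body = body[12:]   # skip timestamp(8), beacon interval(2), capability(2)
    ssid, raw = None, b""
    if ts in (BEACON, PROBE_RESP, PROBE_REQ):
        raw = parse_ies(body).get(IE_SSID, b"")
        ssid = raw.decode("utf-8", "replace")
    # A cloaked AP still beacons, but with a zero-length or all-NUL SSID element
    hidden = ts == BEACON and (raw == b"" or set(raw) == {0})
    return {"type_subtype": ts, "sa": sa, "bssid": bssid, "ssid": ssid, "hidden": hidden}


def apply_filter(frames, type_subtypes):
    """Same selection as 'wlan.fc.type_subtype == a || wlan.fc.type_subtype == b'."""
    return [f for f in frames if frame_control(f) in type_subtypes]


# ---- constructed sample frames (invented addresses, not captured traffic) ----
AP, HIDDEN_AP = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
CLIENT, BCAST = bytes.fromhex("aabbccddee03"), b"\xff" * 6


def build_mgmt(subtype, da, sa, bssid, fixed=b"", ies=()):
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])         # version 0, type 0, no flags
    hdr = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"   # duration, addr1-3, seq ctl
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in ies)


BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU interval, ESS+privacy
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BCAST, AP, AP, BEACON_FIXED, [(IE_SSID, b"Internet"), (1, b"\x82\x84\x8b\x96")]),
    build_mgmt(BEACON, BCAST, HIDDEN_AP, HIDDEN_AP, BEACON_FIXED, [(IE_SSID, b"")]),
    build_mgmt(PROBE_REQ, BCAST, CLIENT, BCAST, b"", [(IE_SSID, b"HomeNet")]),
    build_mgmt(PROBE_RESP, CLIENT, AP, AP, BEACON_FIXED, [(IE_SSID, b"Internet")]),
    build_mgmt(AUTH, AP, CLIENT, AP, struct.pack("<HHH", 0, 1, 0)),   # open system, seq 1, success
    bytes([(DATA << 2), 0x01]) + b"\x00" * 22 + b"payload",           # data frame, ToDS set
]

if __name__ == "__main__":
    for f in apply_filter(SAMPLE_FRAMES, {PROBE_REQ, PROBE_RESP, BEACON, AUTH}):
        print(parse_mgmt(f))
```

To run it against a real capture, hand it the 802.11 frame bytes of each packet (after stripping the radiotap header that monitor mode captures carry); tshark -r dump-01.cap -T fields -e wlan.fc.type_subtype -e wlan.ssid gives the same two values per frame for cross-checking.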
