No discussion on wireless attacks is adequate without the Aircrack-ng suite. Though the name implies it's just a password cracker, it's actually a fully featured wireless attack suite.  In our example, we're going to take a look at the wireless sniffer with the airodump-ng wlan0 command.

This is the exact same task, but this tool is able to organize the wireless environment and the identities of all participating devices. An especially useful column is Data, which tells us how many observed packets contain network data. This is handy because as we saw when watching the raw environment, there are a lot of packets that are for wireless management. It's easy enough to sort packets in Wireshark, but now we're getting a tidy list of networks, the MAC addresses of the clients and access points (BSSIDs), and an idea of how busy they are.

The ENC column tells us what encryption method – if any – is in use for the listed network. OPN means there is no encryption. This is unusual these days, but in this example the open network is a guest network. It's been left open on purpose to allow easy access, but clients will be dropped into a captive portal environment after associating. You'll recall from the first chapter that we worked to intercept authentication to the captive portal from the network layer by attacking the data-link layer. But in this case, we're sitting in radio range and the packets aren't encrypted. We should be able to intercept anything that isn't protected with some tunneling method (for instance, HTTPS) by merely listening – no injection required, and with zero detectable footprint. So how do we leverage the information here to sift through the wilderness captured in monitor mode? Let's target the guest network by filtering on the access point's MAC address (the BSSID): 40:16:7E:59:A7:A1. 

As you know, the 2.4 GHz band for 802.11 communication is split into channels. Airodump-ng will hop these channels by default – jump from one channel to the next, rapidly, listening for data on whatever channel it's on at the moment. As you can imagine, if a juicy packet is being transmitted on channel 1 while Airodump-ng is listening on channel 4, you'll miss it. So when you know your target, you need to tell Airodump-ng to focus. In our example, the open network is on channel 11. We use --channel to specify our listening frequency, and we use --bssid to filter out our target access point by MAC address. We'll use --output-format to specify a .pcap file (any packet analyzer can work with this output format):

# airodump-ng -w test_capture --output-format pcap --bssid 40:16:7e:59:a7:a1 --channel 11 wlan0

While we watch the metadata on our screen, our test file is being written. We can let this run as long as we like; then, we hit Ctrl + C and import to Wireshark:

Without sending any data whatsoever, we've already discovered a legit IP address (10.108.108.108), and we know that a web service is running there (SSDP NOTIFY for HTTP service). We have a decent start on our reconnaissance phase for this particular network, and we haven't even sent any packets.