Changing several characteristics of the wireless card Basic tools Toretrievealistofinterfaces(eventheinactiveones)ifconfig–a
Typically,wirelessinterfacesarerepresentedaswlanXXIfthewirelessinterfaceisontheDOWNstate(disabled),thenweshouldenableitbeforedoinganythingmeaningfulwithitifconfig<interface>upToseethecharacteristicsofthewirelessextensionsoftheinterfacesonoursystemiwconfig
Inthecaseofourexampletheonlywirelessinterfaceisthewlan1Changing the channel Tochangethechannelofthecardiwconfig<interface>channel<channelnumber>Afterdoingso,ifyouruntheiwconfigcommandagainyouwillnoticethatthecardissetto2.412GHzwhichcorrespondstothefrequencyofthefirstchannel.
Changing the transmission power Theregionofthedeviceisanimportantsettingwhichindirectlydictatesthestrengthofthesignalinwhichthecardtransmits.Differentcountrieshavedifferentlegislationsregardingthemaximumstrengthofthesignalofawirelesscard.Forpentestingpurposesitistothebestbenefittohaveacardsettothemaximumsupportingpower.Togetthecurrentregioniwregget
Tochangetheregionthus,thetransmissionpowerofthecardifconfig<interface>downiwregset<regioncode>ifconfig<interface>upiwregget
Acomprehensivelistofregioncodescanberetrievedhere:https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 Changing the operation mode Typically,wirelesscardsaresettomanagedmode,sotheycanfunctionasclientstoinfrastructurebasednetworks.Monitormodeallowscardstoreadalltrafficincludingpacketsthatoriginatefromnon-associatednetworks.Tosetthecardinmonitormodeonecanrelyonthetoolairmon-ngoftheaircracksuiteairmon-ngstart<interface>Changing the mac address ItispossibletochangetheMACaddressoftheNICcardIfconfig<interface>downmacchanger–m<newmacaddress><interface>Ifconfig<interface>up
Analyzing Traffic Whenawirelesscardissetinmonitormodeitcapturesallpacketsfromtheairinterface.Itispossiblewiththerighttoolstoview,analyzeandstorethesepackets.The airodump-ng tool ToviewalistofalltheAPsintheareaandtheSTAsconnectedtoeachoneairodump-ng<interfaceinmonitormode>
Note:bydefault,airodump-ngforcesthecardtohopamongchannels.Keepinmindthattoachievethis,thecardspendsonlyaportionoftimeoneachchannel.However,whenlisteningtoachannelallpacketstransmittedtotherestofthechannelswillevadethemonitoring.Torestrainthemonitoringtoaspecificchannelairodump-ng<interfaceinmonitormode>-c<numberofdesiredchannel>ThisisusuallydonewhentheattackerhaslocatedthevictimAPorSTAandwishestocaptureasmanypacketsaspossibleforfurtheranalysis.Airodumphasthecapabilityofsavingallpacketsonthedisk.airodump-ng<interfaceinmonitormode>-c<numberofdesiredchannel>-w<nameoffile>Notethatairodump-ngsavespacketsonlyrelevanttoWEPkeycrackingorpentesting.Therefore,thecreatedfilewillnotcontainallthepacketsinthechannel.Formoreinformationonthecapabilitiesofairodump-ngtoolvisit:http://www.aircrack-ng.org/doku.php?id=airodump-ngThe Wireshark tool
ItispossibletoassociateWireshark’soutputwithawirelessnetworkinterfacethus,gaininginsighttothepacketsofthelivecapture.Moreover,onecanapplydifferentkindsoffiltersregardingvariousfieldsofthepackets(e.g.theirtypeandsubtype).Thiscanbedonebyinsertingthemnemonicandthedesiredvalueinthefilterinputfield.Alternatively,filteringcanbeachievedbylocatingapacketwithadesiredattributeandsettingitasanexamplefilter.Moreover,itispossibletocombinemultiplefiltersbyapplyingthestandardCoperators(e.g.,==,!=,>,<=,!,&&,||etc.).Someofthemostimportantfiltersforwirelesscapturecanberetrievedfromhere:https://www.wireshark.org/docs/dfref/w/wlan.htmlhttps://www.wireshark.org/docs/dfref/w/wlan_mgt.htmlThesubtypecodesof802.11framescanberetrievedhere:https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-tracesThetrafficcapturedwithWiresharkcanbesavedasabinaryfile(pcap)oranotherfiletypeincludingtextualformats(e.g.,CSV).Thisisusefulforprocessingwithconventionaltoolsandmethods.TodothatinWiresharkonesimplycanchooseFile->ExportPacketDissections->as“CSV”.
Availability Attacks Itispossibletoreducetheavailabilityofawirelessnetworkorcausedenial-of-service(DoS)againstspecificclientsbyforgingandtransmittingspecificmanagement(inmostcases)frames.Thissteamsfromthefactthatin802.11networksmanagementframesaretransmittedunencrypted.Deauthentication attack Thisattackisbasedonthetransmissionofdeauthenticationframes.ItisconsideredtheeasiestandmosteffectivewayofcreatingaDoSattackagainstallorspecificclientsofthenetwork.Theaircracksuitehastoolsthatautomatethisprocess.TounleashadeauthenticationattackagainstallclientsconnectedtoaspecificAP,firstonehastoknowtheMACaddressofthevictimAP.Thiscanbeeasilydoneviaairodump-ngorwireshark.Then,byusingthe-0(or--deauth)optionoftheaireplay-ngtoolonecancauseafloodofdeauthenticationframestobetransmitted.aireplay-ng--ignore-negative-one-0<packetstobesent>-a<APMACAddress><interfaceinmonitormode>
Noticethatyoucaninsert0insteadofapredefinednumberofpacketsandtheprocesswillcarryonindefinitely.Anothertoolthatcanunleashadeautheticationattackismdk3.Actually,thespecifictoolfollowsadeadliermethodology(butatthesametimemoreobvioustointrusiondetectionsystems)forthisattack.Toexecuteadeauthenticationattackwithmdk3
mdk3<interface>d
