Saturday, November 17, 2012

Enabling Wireless Interface (NIC Card) to Sniff Traffic

    Unlike wired sniffing, wireless sniffing is not straight forward. In this post we will figure out how to enable wireless interface/NICcard into Promiscuous Mode. In wireless parlance promiscuous mode is called as Monitor mode. For wireless hacking we use aircrack-ng tool suite.

iwconfig or ifconfig must detect your interface. If your interface is not getting detected install proper drivers.

airmon-ng without arguments shows available list of wireless interfaces and drivers loaded.
Below command creates virtual interface mon0 which is used for sniffing traffic.
airmon-ng start wlan0

If we are able to successfully execute above command iwconfig should show below output. mon0 is the virtual interface which is used for sniffing.

Wireless cards can be on only one channel at a time so wireless card cannot sniff on all channels and bands at the same time. To Sniff on specific channel (default)
airodump-ng --channel 1 mon0

To sniff on all channels present in bands b and g, run below command.

airodump-ng --band bg mon0
hops on all channels present in b and g bands else by default hops on 2.4GHz channel only. Output after hopping on all channels is shown in below snapshot.
Running wireshark on interfaces wlan0 and mon0 shows below output. We can see 802.11 in Protocol filed.

For better understanding of Bands, Channels, Sniffing visit
This post is mostly based on above video.

If you are interested in Snort IDS related follow
For l7-proto
For VoIP