airodump-ng Lab

Transcript

In this lab I want to talk about airodump-ng. I generally run this lab after I run the airmon-ng setup, which you want to see in a previous lab. But airodump-ng is a great program to run from the command line. It is basically set up to start dumping traffic and get a summary of what is actually going on, depending on how you actually want to set it up. So we are going to do an airodump-ng and set it up as a listener, but first you have got to type it correctly. It is airodump-ng -h and that will bring you to the help file, and you are going to want to read this information through at least once, especially if you are not familiar with it. So basically the command is relatively simple. It is just airodump-ng, any sort of options, and the interface or interfaces that you want to monitor simultaneously. I generally only run this on one interface at a time, but it can support multiple interfaces. Otherwise, let us cover the options. You have got --ivs to dump the initialization vectors. You can set it up to work with the GPS server. You can do --write or -w; these are effectively the same thing. This allows you to dump to a file. You can record only the beacon information from access point to access point. You can update at a particular time, for example every three seconds, flashed to your screen, and you update. You can show acknowledgements; this prints the acknowledgements and their retries and some basic statistics. I generally stay away from that, especially at first. You have got -h, which is not help but hides known stations. This is helpful because once you find the station that you want to target, you really want to filter out all of the other stations that you are not interested in. You have got -f here; this is the time between channel hopping.

You have got --berlin; this is the time before removing an access point or client from the screen when no more packets are received. In other words, if you don't hear from it for so long, let us clear it out from what we are looking at. -r, for read, basically reads from a file. -x is active scanning simulation in milliseconds. --manufacturer sets the manufacturer. --output-format sets the output format, and I do typically use this because this is actually helpful for documentation. So the formats that are supported are packet capture (pcap), initialization vectors (ivs), comma separated values (csv), GPS, Kismet and NetXML. --ignore-negative-one removes the message that says fixed channel -1, etc. Otherwise you have some basic filtering options and how you can sort this, if you want to sort by encryption or netmask or basic service set identifier, etc., etc. So it is relatively easy to use once you understand some basics about wireless sniffing and pen testing, which we will get to. Okay, so basically to set this up I am just going to run a capture for the initialization vectors, and I am going to do this on my wireless interface. It is airodump-ng, capture the ivs or whatever option you want, and the interface that you want to capture with. So once I do that, then you get to see the different items and how they come in. So at first it may look a little goofy in terms of refreshing and things like that, but it is not that bad; it really isn't. So a couple of things here: you have your basic service set identifiers. You are always interested in these because these are basically the MAC addresses of the access points, and remember that these are a six-byte field. So this is your manufacturer; this is unique per person. So I am looking for 001F90; that tells me common manufacturers that are in play. This is helpful when you are looking at a group of access points. Next I have got the power, which is the signal level.

I have got the actual beacons; this is the number of announcements or packets sent by each access point. I have got data, or the pound sign data (#Data). This is the number of captured packets, for example unique initialization vector count and things like that. So you can see I have got a couple of higher initialization vector players on the network. I have got pound sign S (#/s); this is the number of data packets per second, measured over the last ten seconds, so in this case not a lot of traffic on the network. I have got the channel which it is on, so almost everybody here around me is going to be on channel 1. I have got MB; this is the maximum supported by the access point. So in this case I am basically at 54. The dot after 54 indicates that short preamble is actually supported. I would not worry about that for now, but it does mean something later when we get into the advanced stuff. You have got ENC for the encryption algorithm that it thinks that it can enumerate. So here is an open access point, here is WPA, here is WPA2, etc. Then the actual cipher: these ciphers could include anything like CCMP, WRAP, TKIP, WEP, WEP40, WEP104, which, keep in mind, subtracts the 24-bit initialization vector, because normally we would call those 64 and 128, but it subtracts the 24-bit initialization vector, so it is 40 and 104 accordingly; and/or TKIP is an option here for the cipher type. Then the authentication protocol that is supported. So in this case you can see all of them are set up as pre-shared keys; that is huge all in itself, because what I can enumerate here is whether they are basically relaying the authentication to some sort of RADIUS or TACACS client, or is this basically just a pre-shared key. Since these are all pre-shared keys, then I have got a couple of choices of how to attack this type of network. 1. Go find the pre-shared key; it is written in the conference rooms, on the boards, offices, cubicles, trash cans, on the actual bottom of the devices,

if I can get access to the actual devices and things like that. And then of course the extended service identifier; this is the so-called SSID, for lack of better words. Then you have also the station itself down here. So the station is the MAC address of each associated station or stations actually connected to the actual access point. I have also got Lost; this is the number of data packets lost over the last ten seconds. The number of packets, the number of frames, the number of probes, all of which can be useful depending on the attack that you are actually using. So if you notice here, if I scroll to the top, you have got channel six, elapsed one minute; that allows a status update at the top here, and basically goes into the core of what you are finding, which looks very, very similar to what you would see if you were to go to your wireless network adapter cards, and then basically a summary of the basic service set identifiers, the station, the power, rate, lost, frames and the probes. So when you are done, you can just go ahead and select Control-C and that will stop it. And again, capturing initialization vectors, that was extremely, extremely easy to do. It was basically airodump-ng --ivs wlan0. But let us say I want something different. Say I am not interested in the initialization vectors and I want the actual beacons. You just change --ivs to --beacons here and it will go through, and you will see all the beaconing access points, and basically it will simply count the number of beacons here. Right here, so in this case I have got the NSA van outside; this looks like it is sending a lot of beacons out at the moment. So that is it, very simple programs to use. Hope you enjoyed the video and I will see you in the next wireless pen testing lab. Thank you for watching, my name is Leo Dregier, and don't forget to check us out, if you haven't already by now, on Facebook, LinkedIn, YouTube and Twitter.

This lab demonstrates airodump-ng, a great utility for dumping captured wireless traffic to a defined location for further analysis. You'll learn the proper launch syntax, interface selection and other output options, including selecting specific criteria for your monitoring session.
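As an added example (not code from the lab or from the aircrack-ng project): a small Python audit script that parses the tables airodump-ng writes with --output-format csv, summarises the authentication types the lab inspects (PSK versus managed/802.1X) and flags open or WEP access points together with the manufacturer OUI bytes of the BSSID, the captured IV count and the number of associated stations, which is the inventory a defender builds from such a capture. The column headers follow airodump-ng's CSV layout; the sample rows, addresses and counters are constructed.

```python
import csv
import re
from collections import Counter

# Constructed sample in the column layout airodump-ng writes with --output-format csv:
# AP table, blank line, station table. Addresses, times and counters are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1F:90:AA:BB:01, 2024-01-01 10:00:00, 2024-01-01 10:01:00,  1,  54, WPA2, CCMP, PSK, -40,  120,   0,   0.  0.  0.  0,  6, Office,
00:1F:90:AA:BB:02, 2024-01-01 10:00:00, 2024-01-01 10:01:00,  6,  54, WEP , WEP ,    , -55,   80, 340,   0.  0.  0.  0,  8, Printers,
00:1F:90:AA:BB:03, 2024-01-01 10:00:00, 2024-01-01 10:01:00,  1,  54, OPN ,     ,    , -70,   30,   0,   0.  0.  0.  0,  5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2024-01-01 10:00:05, 2024-01-01 10:01:00, -50, 25, 00:1F:90:AA:BB:01, Office
AA:BB:CC:00:00:02, 2024-01-01 10:00:07, 2024-01-01 10:01:00, -60, 12, 00:1F:90:AA:BB:02, Printers,Office
"""

def parse_airodump_csv(text):
    """Return (aps, stations): lists of dicts keyed by the stripped header names."""
    aps, stations = [], []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):  # tables are blank-line separated
        rows = list(csv.reader(block.splitlines(), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        for row in rows[1:]:
            cells = [c.strip() for c in row]
            if len(cells) > len(header):  # the probed-ESSID list is itself comma-separated
                cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
            (aps if header[0] == "BSSID" else stations).append(dict(zip(header, cells)))
    return aps, stations

def auth_summary(aps):
    """Count APs per authentication type (PSK vs MGT/802.1X), the check the lab walks through."""
    return Counter(ap["Authentication"] or "none" for ap in aps)

def weak_encryption_findings(aps, stations):
    """Flag open or WEP APs with their OUI (manufacturer bytes of the BSSID), IV and client counts."""
    clients = Counter(s["BSSID"] for s in stations)
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].upper()
        if privacy in ("OPN", "WEP"):
            findings.append({"essid": ap["ESSID"], "bssid": ap["BSSID"], "oui": ap["BSSID"][:8],
                             "privacy": privacy, "channel": int(ap["channel"]),
                             "ivs": int(ap["# IV"]), "clients": clients[ap["BSSID"]]})
    return findings

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("authentication types:", dict(auth_summary(aps)))
    print(*weak_encryption_findings(aps, stations), sep="\n")
```

Point the parser at the real `<prefix>-01.csv` file a capture with `-w <prefix> --output-format csv` produces to get the same summary for your own site survey.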