Packet sniffing and injection

To start things off, firstly we need to change our wireless adapter to go into monitor mode, so that it can start to detect packets. Go into terminal and type iwconfig to check that the wireless adapter is picked up by Kali and is shown on the terminal.


Then let’s turn on the wireless adapter by typing in the terminal:

ifconfig wlan1 up


You can check the status of the adapter by typing in

ifconfig wlan1

and checking that the adapter has the UP, BROADCAST, MULTICAST field in the terminal


Now that we have our adapter powered on, let’s put it into monitor mode. To find out what interfaces we can turn into monitor mode, type the following command into the terminal:


Remember when we said that the TP-Link wireless adapter didn’t work for us? When we attached it to the laptop and tried to find usable interfaces, it only showed the laptops internal wi-fi card, and another row with only NULL in it. We looked for answers in the internet, and found out that the adapter we bought was the newer version of the adapter, that had Realtek RTL8188EUS chipset inside it.

From what we could figure out, the Realtek chipset does not support monitor mode and packet sniffing/injection, or would need at least require numerous tweaks and drivers installed and skill in the subject to make it work. When we figured out that, we decided that it would be best to just buy the Alpha AWUS036H adapter, since eventually it worked with that one.


Now let’s set the adapter into monitor mode with the following command:

airmon-ng start wlan1


Now once you type airmon-ng again in the terminal, you can verify in the Interface section, that our adapter wlan1 is now set into wlan1mon.


Another way to check that the monitor mode turned on is by typing

ifconfig wlan1mon


So now that we have our adapter turned into monitor mode, it will be able to detect packets in the network that we specify it to observe. Let’s start Wireshark with the terminal, or by selecting it from the Kali application menu. Wireshark is a free, open-source based packet analyzer, that we will use in this exercise to sniff and inject packets.


In Wireshark, navigate into the Capture section and choose the wlan1mon adapter from the list of options, and click on Start to begin capturing data packets.

Screenshot from 2018-04-06 15-45-1910Screenshot from 2018-04-06 15-45-19

Now Wireshark should be showing all the wireless packets that are being broadcasted, and your wireless adapter is sniffing them. You can also click on any packet to show the entire packet in a new window.

Screenshot from 2018-04-06 15-45-33Screenshot from 2018-04-06 15-46-19

You can also apply filters to show only management frames, data frames or control frames. For what I understood from searching online, data frames are the basic frames that contain data, management frames are mostly used in the authentication of packets, and control frames help deliver the data and management frames. Again I will not delve too deep into this subject, but here is a blog post about 802.11 frames, and their main functionality.

To filter Wireshark to only show management frames, type into the programs text box the following command:


Screenshot from 2018-04-06 15-48-10

If you want Wireshark to only show control frames, type the following command:


Screenshot from 2018-04-06 15-48-21

If you wish Wireshark to only show data packets, type in the following command:


Screenshot from 2018-04-06 15-48-29

You can also make subtype filters to Wireshark. In the picture below we have filtered only to show all beacon frames in all the management frames. This link that I shared before shows a few examples that you can use to filter subtypes in the different frames.

To filter Wireshark to only show beacon frames in all management frames, type in the following command:

(wlan.fc.type ==0) && (wlan.fc.subtype==8)

Screenshot from 2018-04-06 15-49-43

Now let’s lock our wireless adapter to our access point, so that we can inject packets into the network. Firstly we need to find out what channel our wireless router is broadcasting on. To do this we will use airodump command, which will come later in use also – in WEP cracking for example.

Open up the terminal and type the following command:

airodump-ng --bssid *mac address here* wlan1mon

Screenshot from 2018-04-06 16-01-22

After typing in the following command, airodump will show all networks in the radio frequency range. From the CH column, you can see the channel that the router is broadcasting on.

To lock our wireless adapter into the correct channel, type in the following command:

iwconfig wlan1mon channel *number here*

You can verify that the command succeeded by typing

iwconfig wlan1mon

and checking the output – it should show the frequenncy range of 2.4 GHz that we will be using.

Screenshot from 2018-04-06 16-02-04

Now that our wireless adapter is locked into the router, let’s lock Wireshark into our router also by filtering with our router’s mac address.

Screenshot from 2018-04-06 16-04-04

You can also add subtype filters in the mac address filter. In the picture below, it only shows data packets in the routers traffic.

Screenshot from 2018-04-06 16-11-46

Now that Wireshark is monitoring our router, and our wireless adapter is locked into it, let’s start the actual injection. Filter Wireshark to show only non-beacon packets in our routers network:

(wlan.bssid == *routers mac address*) && !(wlan.fc.type_subtype==0x08)

Screenshot from 2018-04-06 16-24-03

Now open up the terminal. We will use aireplay to re-send numerous packets to the access point, which is a tool that we will also use in the upcoming WEP cracking exercise.

Type in the following command to the terminal:

aireplay-ng -9 -e *routers name* -a *routers mac address* wlan1mon

Screenshot from 2018-04-06 16-17-24

Now if you go to Wireshark again, you can see that there have been a lot of packets sent. Aireplay has generated some of them, and the others are the routers response to the injected packets.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s