To start, we need to put our wireless adapter into monitor mode so that it can capture 802.11 frames, not only traffic addressed to it. Open a terminal and type iwconfig to check that Kali has picked up the wireless adapter and lists it.
Then let’s turn on the wireless adapter by typing in the terminal:
ifconfig wlan1 up
You can check the status of the adapter by typing in
ifconfig wlan1
and checking that the adapter shows the UP, BROADCAST, MULTICAST flags in the output.
Now that we have our adapter powered on, let's put it into monitor mode. To find out which interfaces can be put into monitor mode, type the following command into the terminal:
airmon-ng
Remember when we said that the TP-Link wireless adapter didn't work for us? When we attached it to the laptop and tried to find usable interfaces, it only showed the laptop's internal wi-fi card, and another row with only NULL in it. We looked for answers on the internet and found out that the adapter we bought was the newer version of the adapter, which has the Realtek RTL8188EUS chipset inside it.
From what we could figure out, the Realtek chipset does not support monitor mode and packet sniffing/injection, or would at least require numerous tweaks, extra drivers and skill in the subject to make it work. When we figured that out, we decided that it would be best to just buy the Alfa AWUS036H adapter, since eventually it worked with that one.
Now let’s set the adapter into monitor mode with the following command:
airmon-ng start wlan1
Now, if you type airmon-ng again in the terminal, you can verify in the Interface column that our adapter wlan1 has become wlan1mon. If airmon-ng warns about processes such as NetworkManager or wpa_supplicant that could interfere, airmon-ng check kill stops them; otherwise they may flip the interface back to managed mode while you work.
Another way to check that monitor mode is on is by typing
iwconfig wlan1mon
and looking for Mode:Monitor in the output.
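The steps above, as an added example that is not part of the original post: small shell functions that check the adapter's state by parsing ip link and iwconfig output, plus a helper that runs the real ifconfig/airmon-ng commands and then uses those checks to confirm the result. The sample outputs are constructed; the interface names wlan1 and wlan1mon are assumed from the text.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify each step of putting an
# adapter into monitor mode instead of eyeballing the output.
# Assumes: Kali with ip(8), iwconfig(8) and aircrack-ng installed, interface
# wlan1 becoming wlan1mon as in the post. Sample outputs below are constructed.

# Return 0 if the `ip link show <iface>` output passed as $1 carries the UP flag.
# Flags live inside the first <...> group, e.g. <BROADCAST,MULTICAST,UP,LOWER_UP>.
iface_is_up() {
    printf '%s\n' "$1" | sed -n '1s/.*<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx 'UP'
}

# Print the wireless mode (Managed, Monitor, ...) from iwconfig output passed as $1.
iface_mode() {
    printf '%s\n' "$1" | sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Print the tuned frequency in GHz from iwconfig output passed as $1.
iface_freq() {
    printf '%s\n' "$1" | sed -n 's/.*Frequency:\([0-9.]*\) GHz.*/\1/p' | head -n 1
}

# Live helper (run as root on the real box; not exercised by the sample data):
# bring the adapter up, stop interfering services, start monitor mode, verify.
enable_monitor() {
    local base="${1:-wlan1}" mon="${1:-wlan1}mon"
    ifconfig "$base" up
    iface_is_up "$(ip link show "$base")" || { echo "$base is not UP" >&2; return 1; }
    airmon-ng check kill        # stops NetworkManager/wpa_supplicant (drops your other wifi link)
    airmon-ng start "$base"
    [ "$(iface_mode "$(iwconfig "$mon")")" = "Monitor" ] || { echo "$mon is not in monitor mode" >&2; return 1; }
    echo "$mon is in monitor mode on $(iface_freq "$(iwconfig "$mon")") GHz"
}

# Constructed samples of the two tools' output, used to exercise the parsers.
SAMPLE_IP_UP="3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:c0:ca:aa:bb:cc brd ff:ff:ff:ff:ff:ff"
SAMPLE_IP_DOWN="3: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:c0:ca:aa:bb:cc brd ff:ff:ff:ff:ff:ff"
SAMPLE_IW_MON="wlan1mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off"
SAMPLE_IW_MAN="wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm"
```

Note that airmon-ng check kill stops NetworkManager, so the laptop's own wifi connection goes away; if you need it back afterwards, airmon-ng stop wlan1mon followed by restarting the network service returns the adapter to managed mode.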
So now that our adapter is in monitor mode, it will capture the frames on whatever channel we tell it to observe. Let's start Wireshark from the terminal, or by selecting it from the Kali application menu. Wireshark is a free, open-source packet analyzer; in this exercise we use it to watch the sniffed frames and, later, the frames that aireplay-ng injects (Wireshark itself only captures, it does not inject).
In Wireshark, navigate to the Capture section, choose the wlan1mon interface from the list and click Start to begin capturing frames.
Now Wireshark should be showing all the wireless frames on the adapter's current channel, whether or not they are addressed to us, because the adapter is sniffing them in monitor mode. Click any packet to see its decoded fields in the details pane, or double-click it to open the whole packet in a new window.
You can also apply filters to show only management frames, data frames or control frames. Briefly: data frames carry the actual payload, management frames manage the connection itself (beacons, probe requests and responses, authentication, association and deauthentication), and control frames (ACK, RTS/CTS and so on) help deliver the data and management frames. I will not delve too deep into this subject, but here is a blog post about 802.11 frames and their main functionality.
To filter Wireshark to only show management frames, type into the program's filter box the following expression:
wlan.fc.type == 0
If you want Wireshark to only show control frames, type the following:
wlan.fc.type == 1
If you wish Wireshark to only show data frames, type the following:
wlan.fc.type == 2
You can also make subtype filters to Wireshark. In the picture below we have filtered only to show all beacon frames in all the management frames. This link that I shared before shows a few examples that you can use to filter subtypes in the different frames.
To filter Wireshark to only show beacon frames among all management frames, type in the following expression:
(wlan.fc.type == 0) && (wlan.fc.subtype == 8)
Wireshark also combines the two numbers into one field, so wlan.fc.type_subtype == 0x08 matches the same beacon frames; we will use that form later to exclude beacons.
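Where the numbers in those filters come from, as an added example that is not part of the original post: the first byte of an 802.11 frame's Frame Control field holds the protocol version in bits 0-1, the type in bits 2-3 and the subtype in bits 4-7, and Wireshark's wlan.fc.type_subtype is simply type << 4 | subtype. The functions below decode a Frame Control byte and build the matching display filter, including the BSSID restriction used later on this page. The byte values are constructed test inputs.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decode the 802.11 Frame Control
# byte into the values Wireshark's wlan.fc.type / wlan.fc.subtype /
# wlan.fc.type_subtype filters test, and build display filters from them.

# Print "type=T subtype=S type_subtype=0xTS" for the Frame Control byte in $1.
# Layout (LSB first): bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
fc_decode() {
    local fc=$(( $1 & 0xFF ))
    local type=$(( (fc >> 2) & 0x3 ))
    local subtype=$(( (fc >> 4) & 0xF ))
    printf 'type=%d subtype=%d type_subtype=0x%02X\n' \
        "$type" "$subtype" $(( (type << 4) | subtype ))
}

# Map a type number to the frame class name used in the text.
fc_type_name() {
    case "$1" in
        0) echo management ;;
        1) echo control ;;
        2) echo data ;;
        *) echo reserved ;;
    esac
}

# Build a Wireshark display filter.
#   $1 = type (0 management, 1 control, 2 data)
#   $2 = subtype number, or "" to match every subtype
#   $3 = optional BSSID to restrict the view to one access point
wlan_filter() {
    local f="wlan.fc.type == $1"
    if [ -n "$2" ]; then f="($f) && (wlan.fc.subtype == $2)"; fi
    if [ -n "$3" ]; then f="(wlan.bssid == $3) && ($f)"; fi
    echo "$f"
}

# Filter for everything from one BSSID except its beacons (beacon = 0x08).
wlan_filter_no_beacons() {
    echo "(wlan.bssid == $1) && !(wlan.fc.type_subtype == 0x08)"
}
```

Running fc_decode 0x80 gives the beacon (type 0, subtype 8), 0x40 a probe request (type 0, subtype 4), 0xD4 an ACK (type 1, subtype 13) and 0x88 a QoS data frame (type 2, subtype 8), which is why a capture of an idle network is almost all beacons until something talks.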
Now let's lock our wireless adapter to our access point so that we can inject packets into its network. First we need to find out which channel our router is broadcasting on. To do this we will use airodump-ng, which we will also use later, for example in WEP cracking.
Open up the terminal and type the following command:
airodump-ng --bssid *mac address here* wlan1mon
Run without the --bssid option, airodump-ng lists every network in radio range; with --bssid it shows only our router. Either way, the CH column shows the channel the router is broadcasting on.
To lock our wireless adapter into the correct channel, type in the following command:
iwconfig wlan1mon channel *number here*
You can verify that the command succeeded by typing
iwconfig wlan1mon
and checking the Frequency field in the output: it should show the 2.4 GHz frequency of the chosen channel (for example 2.437 GHz for channel 6). Locking the channel matters because a monitor-mode adapter only hears one channel at a time, and airodump-ng hops between channels unless you pin it with -c.
Now that our wireless adapter is locked to the router's channel, let's lock Wireshark to our router as well by filtering on the router's MAC address (its BSSID):
wlan.bssid == *router's mac address*
You can also combine the MAC address filter with a type or subtype filter. In the picture below, it shows only the data frames in the router's traffic:
(wlan.bssid == *router's mac address*) && (wlan.fc.type == 2)
Now that Wireshark is monitoring our router and our wireless adapter is locked to it, let's start the actual injection. Filter Wireshark to show everything except beacons in our router's network, so the beacons it sends every 100 ms or so do not bury the injected frames:
(wlan.bssid == *router's mac address*) && !(wlan.fc.type_subtype == 0x08)
Now open up the terminal. We will use aireplay-ng, a tool we will also use in the upcoming WEP cracking exercise. Its -9 mode is the injection test: it sends probe requests to the access point and counts the probe responses that come back, which tells us whether the adapter and driver can really inject frames before we rely on them.
Type in the following command to the terminal:
aireplay-ng -9 -e *routers name* -a *routers mac address* wlan1mon
Now if you go back to Wireshark, you can see that a burst of frames has appeared. The probe requests (wlan.fc.type_subtype == 0x04) were generated by aireplay-ng, and the probe responses (0x05) are the router answering the injected frames. In the terminal, aireplay-ng reports "Injection is working!" and a ratio such as 30/30: 100% for the directed probes; anything well below that usually means the adapter is on the wrong channel or the driver cannot inject.
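The channel lookup, channel lock and injection test above, as an added example that is not part of the original post: helper functions that read the router's channel out of an airodump-ng CSV file, convert it to the frequency iwconfig should then report, and judge the aireplay-ng -9 result instead of reading it by eye. The CSV and aireplay-ng output are constructed samples modelled on the tools' formats (airodump-ng written with -w prefix --output-format csv; aireplay-ng -9 as printed to the terminal); the interface name wlan1mon is assumed from the text.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): script the channel lock and the
# injection test. Samples are constructed, modelled on the tools' output.
# Assumes aircrack-ng installed and interface wlan1mon for the live helper.

# Print the channel airodump-ng recorded for BSSID $2 in the CSV text $1
# (access-point section: BSSID, first seen, last seen, channel, ...).
bssid_channel() {
    printf '%s\n' "$1" | awk -F', *' -v b="$2" 'toupper($1) == toupper(b) { print $4; exit }'
}

# 2.4 GHz channel -> centre frequency in MHz (1-13 step 5 MHz from 2412; 14 is 2484).
chan_freq_mhz() {
    case "$1" in
        14) echo 2484 ;;
        *)  echo $(( 2407 + 5 * $1 )) ;;
    esac
}

# Return 0 if aireplay-ng -9 output ($1) says injection works, and print the
# final directed-probe ratio as "sent/answered percent", e.g. "30/30 100".
inject_test_result() {
    printf '%s\n' "$1" | grep -q 'Injection is working!' || return 1
    printf '%s\n' "$1" \
        | sed -n 's/.* \([0-9][0-9]*\)\/\([0-9][0-9]*\): *\([0-9][0-9]*\)%.*/\1\/\2 \3/p' \
        | tail -n 1
}

# Live helper (root, real adapter; not exercised by the sample data):
# capture first with  airodump-ng --bssid <mac> -w scan --output-format csv wlan1mon
# then call  lock_and_test scan-01.csv <mac> <essid>
lock_and_test() {
    local csv_file=$1 bssid=$2 essid=$3 iface=${4:-wlan1mon} chan
    chan=$(bssid_channel "$(cat "$csv_file")" "$bssid")
    [ -n "$chan" ] || { echo "BSSID $bssid not found in $csv_file" >&2; return 1; }
    iwconfig "$iface" channel "$chan"
    echo "locked $iface to channel $chan ($(chan_freq_mhz "$chan") MHz)"
    inject_test_result "$(aireplay-ng -9 -e "$essid" -a "$bssid" "$iface" 2>&1)"
}

# Constructed sample of airodump-ng's CSV access-point section.
SAMPLE_CSV="BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-01-01 12:00:00, 2019-01-01 12:00:30,  6,  54, WEP, WEP, , -40,  120,  0,   0.  0.  0.  0,   5, MyNet,
66:77:88:99:AA:BB, 2019-01-01 12:00:01, 2019-01-01 12:00:29, 11,  54, WPA2, CCMP, PSK, -70,  30,  0,   0.  0.  0.  0,   8, Neighbor,"

# Constructed sample of aireplay-ng -9 output for an adapter that can inject.
SAMPLE_INJECT="12:00:40  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
12:00:40  Trying broadcast probe requests...
12:00:40  Injection is working!
12:00:42  Found 1 AP

12:00:42  Trying directed probe requests...
12:00:42  00:11:22:33:44:55 - channel: 6 - 'MyNet'
12:00:43  Ping (min/avg/max): 1.123ms/4.567ms/9.876ms Power: -40.00
12:00:43  30/30: 100%"

# Constructed sample for an adapter (or channel) where nothing answers.
SAMPLE_INJECT_BAD="12:00:40  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
12:00:40  Trying broadcast probe requests...
12:00:43  No Answer..."
```

The BSSID comparison is case-insensitive because airodump-ng writes MAC addresses in upper case while people tend to type them in lower case, and the lookup stops at the first match so the station section that follows the access-point table in the same CSV is never read.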