Thread: Alfa AWUS036H not sniffing incoming packets

  1. #1
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    15

    Alfa AWUS036H not sniffing incoming packets

    Topic should be: Alfa AWUS036H not sniffing OUTGOING packets

    I have researched this problem and posted in the newbie area (23 reads over a week, no replies) but cannot find a solution. I apologize if this is a simple problem, but I would really appreciate any suggestions.

    I am running BT4 pf booting from USB. I have been able to get my Atheros-based integrated NIC to sniff without problems by using:

    airmon-ng stop wlan0
    airmon-ng start wlan0
    (bring up Wicd & connect wlan0)

    Then I start Wireshark, interface mon0.

    However, with my Alfa AWUS036H plugged in and selected, everything works the same, except outgoing packets from other wireless clients are not shown in Wireshark. I can see the incoming & outgoing from the local machine, but not other clients. I can also see all incoming packets to all wireless clients.

    I have not attempted to change drivers, as all sources say the AWUS036H should work "out of the box" with BT4. I did "modprobe -r ath9k" to get the Atheros drivers for the internal NIC out of the way and verified that it worked.

    I am doing the following:
    airmon-ng stop wlan0
    airmon-ng start wlan0
    (bring up Wicd & connect wlan0)

    Then I start Wireshark, interface mon0.

    The only thing I'm not sure about is "wext" is selected in Wicd as the WPA supplicant driver (when connecting with either the Alfa or Atheros card). Is that right? I tried selecting "madwifi" instead but it seemed to have no effect either way. Frankly I'm grasping at straws at this point.

    root@bt:~# airmon-ng

    Interface Chipset Driver

    wlan0 RTL8187 rtl8187 - [phy2]
    mon0 RTL8187 rtl8187 - [phy2]

    wlanconfig:

    wlan0 IEEE 802.11bg ESSID:"netgear"
    Mode:Managed Frequency:2.437 GHz Access Point: 00:1F:33:FD:C6:24
    Bit Rate=1 Mb/s Tx-Power=15 dBm
    Retry min limit:7 RTS thr:off Fragment thr=2352 B
    Encryption key:off
    Power Management:off
    Link Quality=72/100 Signal level:-42 dBm
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0

    mon0 IEEE 802.11bg Mode:Monitor Frequency:2.437 GHz Tx-Power=15 dBm
    Retry min limit:7 RTS thr:off Fragment thr=2352 B
    Encryption key:off
    Power Management:off
    Link Quality:0 Signal level:0 Noise level:0
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0

    lshw:

    *-network
    description: Wireless interface
    physical id: 2
    logical name: wlan0
    serial: 00:c0:ca:26:ba:a3
    capabilities: ethernet physical wireless
    configuration: broadcast=yes ip=10.1.10.98 wireless=IEEE 802.11bg

    ifconfig:

    mon0 Link encap:UNSPEC HWaddr 00-C0-CA-26-BA-A3-30-30-00-00-00-00-00-00-00-00
    UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1500 Metric:1
    RX packets:88377 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:32741463 (32.7 MB) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 00:c0:ca:26:ba:a3
    inet addr:10.1.10.98 Bcast:10.1.10.255 Mask:255.255.255.0
    inet6 addr: fe80::2c0:caff:fe26:baa3/64 Scope:Link
    UP BROADCAST RUNNING MTU:1500 Metric:1
    RX packets:17571 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12698 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:21854334 (21.8 MB) TX bytes:1815867 (1.8 MB)

  2. #2
    Senior Member Nick_the_Greek
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181


    Hi TomSawyer,
    Your machine is a client. You cannot sniff traffic from other clients. To sniff traffic from other clients you must be the man in the middle. MITM attacks. You can refer to:
    http://forums.remote-exploit.org/bac...tm-rcrack.html
    and
    http://forums.remote-exploit.org/bac...-sslstrip.html
    and to Google, of course. You need more reading to figure it out.

  3. #3
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    15


    Quote Originally Posted by Nick_the_Greek:
    Hi TomSawyer,
    Your machine is a client. You cannot sniff traffic from other clients. To sniff traffic from other clients you must be the man in the middle. MITM attacks. You can refer to:
    Actually, I am able to sniff other clients effectively (seeing both sides of all html and POP traffic on other wireless clients, for example) using the built-in Atheros card and Wireshark. I can also see all traffic sent TO other clients from the internet with the Alfa USB and Wireshark. I am only missing the packets sent FROM other clients on the Alfa. So I must conclude that your assessment is incorrect.

    I would post a screen shot of Wireshark seeing a POP3 session, but the forum thinks the photobucket URL is spam until I have 15 posts.

    From dmesg:

    wlan0 (rtl8187): not using net_device_ops yet
    phy2: hwaddr 00:c0:ca:26:ba:a2, RTL8187vB (default) V1 + rtl8225z2

  4. #4
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    Quote Originally Posted by TomSawyer:

    I would post a screen shot of Wireshark seeing a POP3 session, but the forum thinks the photobucket URL is spam until I have 15 posts.
    Just post the link but change http to hxxp or something similar.

  5. #5
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    15


    Quote Originally Posted by Lincoln:
    Just post the link but change http to hxxp or something similar.
    hxxp://i692.photobucket.com/albums/vv290/TomSawyer777/snapshot1.jpg

    In this photo, I am NOT 10.1.10.100. .100 is another notebook on the wireless network. This is what it looks like when capturing using the internal Atheros-based NIC. When I try to do the same with the Alfa, I get a similar result, but it only grabs the packets going TO 10.1.10.100, not from it.

  6. #6
    Senior Member Nick_the_Greek
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181


    TomSawyer my fault. Misunderstanding.

  7. #7
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    15


    No worries Nick. I had reached the same conclusion a few weeks ago... That somehow a wireless network (or at least MY router) was "switched" and therefore you had to MITM to sniff it effectively. But thankfully, that's not true. The wireless router is spewing all of its packets into the air that are going to any of the wireless clients, and the clients are doing the same, so there should be nothing (assuming you can decrypt them) to keep you from intercepting all of them.

    So anyway... Anyone have a suggestion for getting this Alfa sniffing outgoing internet traffic not coming from localhost?

  8. #8
    Senior Member Nick_the_Greek
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181


    Maybe this could be useful for you:
    Quote Originally Posted by GregWar:
    This is a simple program I wrote, use it when you're connected to a network if you wanna sniff the packets between two machines.
    http://forums.remote-exploit.org/pro...-sniffing.html

  9. #9
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    15


    I just read this thread:
    hxxp://forums.remote-exploit.org/newbie-area/22432-promiscuous-mode.html

    *rubs his temples* It SEEMS like the "best USB dongle for BT" is not capable of seeing client -> server traffic. If there was a solution to the problem posted in the above thread, then I missed it. But the problem described is EXACTLY the problem I'm having with the Alfa. I see the packets going TO other wireless clients. I cannot see packets going FROM other wireless clients to the internet. However, when I use the internal wireless Atheros-based card, I see ALL packets (to and from all wireless clients) as shown in the picture above.

    I'm sorry but if the Alfa (which was chosen after much research and rave reviews, including from the aircrack-ng guys) can't do what my integrated NIC can... That makes me sad. I feel gipped! (sp?) But seriously, is there a fix? Drivers that can do it? Anyone? Bueller?

    It was a simple fix. User error. What I didn't get is that you do NOT associate with the wireless network you want to sniff. So you bring up the interface with airmon-ng to put it in monitor mode, set it to the channel you want it on, open up Wireshark and select mon0 as the interface (or whichever one is getting swamped with packets in your case). If the network is open, you can see it in Wireshark. If it's WEP, you still can, but have to put the key into Wireshark. If it's WPA, you have to use airdecap-ng on the log file to decrypt it (assuming you have the WPA passphrase).

    So, while it's interesting that my internal wireless interface can see all sides of all traffic from all wireless clients WHILE CONNECTED to the target network ... and that my Alfa can see everything except traffic outgoing to the internet WHILE CONNECTED, it's trivial because there's no need to connect! And they both sniff all traffic flawlessly WITHOUT connecting! (Sorry for the excitement, but I'm at the "I finally get it" stage). Plus it's 100% passive. I think the only time you would want to see all traffic while connected would be in the case of a WPA network and you want to monitor all wireless clients in real-time with Wireshark.

    I thought all of the tutorials said that a wireless card in monitor mode can't associate. I bet a lot of noobs get hung up on this. It seems "natural" to associate to, and become a part of, the network you are trying to sniff. Like promisc mode in a wired NIC. But with a radio-based system, there's no way to keep the packets contained to a single interface. It's all "spewing out into the air" we just have to turn on our radio receiver and tune it to the right channel to listen in. I was way over-complicating things.

    But anyway, technically I never solved the question of why the two cards behave differently when associated and trying to sniff. I just realized it's a trivia question.

    Thank you BackTrack team and Aircrack-ng! You were right, the Alfa is the shiznaya.
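A pre-capture sanity check, added here as an example and not posted by anyone in the thread: it parses iwconfig-style output (the sample below is constructed from the mon0/wlan0 lines earlier in the thread) and confirms the three things post #9 turned out to hinge on: the interface is in Monitor mode, it is not associated with an access point, and it is tuned to the channel you expect. The function names and the 2.4 GHz frequency-to-channel mapping are mine, not from the thread.

```shell
#!/bin/sh
# Added example: verify an interface is ready for a passive capture.
# Lesson from the thread: the capture interface must be in Monitor mode,
# must NOT be associated with the network, and must sit on the right channel.

# freq_to_channel <frequency in GHz, e.g. 2.437> -> 2.4 GHz channel number
# (2412..2472 MHz map to channels 1..13 in 5 MHz steps; 2484 MHz is 14).
freq_to_channel() {
    mhz=$(printf '%s' "$1" | awk '{ printf "%d", $1 * 1000 + 0.5 }')
    if [ "$mhz" -eq 2484 ]; then
        echo 14
    elif [ "$mhz" -ge 2412 ] && [ "$mhz" -le 2472 ]; then
        echo $(( (mhz - 2407) / 5 ))
    else
        echo 0   # not a 2.4 GHz channel; 5 GHz is not handled in this example
    fi
}

# capture_ready <iwconfig output for one interface> <expected channel>
# Exit status 0 when Monitor mode, unassociated and on the expected channel;
# otherwise prints the reason and returns 1.
capture_ready() {
    out=$1; want=$2
    mode=$(printf '%s\n' "$out" | sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1)
    freq=$(printf '%s\n' "$out" | sed -n 's/.*Frequency:\([0-9.]*\) GHz.*/\1/p' | head -n 1)
    chan=$(freq_to_channel "$freq")
    if [ "$mode" != "Monitor" ]; then
        echo "not in monitor mode (Mode:$mode); bring it up with airmon-ng first"
        return 1
    fi
    # A MAC after "Access Point:" means the interface is associated (wlan0 case).
    if printf '%s\n' "$out" | grep -q 'Access Point: [0-9A-Fa-f]\{2\}:'; then
        echo "interface is associated; capture without connecting to the network"
        return 1
    fi
    if [ "$chan" != "$want" ]; then
        echo "tuned to channel $chan, expected $want"
        return 1
    fi
    echo "ok: Monitor mode on channel $chan"
    return 0
}

# Constructed sample, modelled on the mon0 line from the thread (channel 6).
SAMPLE_MON='mon0 IEEE 802.11bg Mode:Monitor Frequency:2.437 GHz Tx-Power=15 dBm'
capture_ready "$SAMPLE_MON" 6
```

On a live system, feed it `"$(iwconfig mon0 2>/dev/null)"` and the channel you passed to airmon-ng.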
