try using an ARPspoofer/poisoner (google it)
I'm using BT4 with a Realtek 8187 chipset USB wireless dongle.
Using Kismet in channel (H)opping mode, it sees plenty of APs on several channels.
I then find MY home router on the list and (L)ock Kismet onto that channel. Then I fire up Wireshark.
I see enough packets to convince me that Monitor mode is working successfully. Lots of BROADCAST packets with the SSID, some ARP traffic (Who Has x.x.x.x? Tell x.x.x.x), etc.
The problem is - I'm not seeing ANY HTTP traffic! I know it exists on the network. To be sure, I even turned on the Wifi mode of my Touch Pro "smart" phone, verified that I was indeed connected to MY router (and therefore on the correct channel), and surfed a bunch of websites. Not a single HTTP packet, DNS packet, anything showed up in Wireshark. Just lots of "Broadcast" packets.
BTW The phone was right next to the monitoring computer (less than 2 feet), and the router was over 20 feet away, so range / signal strength shouldn't have been an issue.
I closed Kismet and Wireshark kept capturing (wlan0) on the same channel. In console I typed in "iwconfig wlan0" and it showed that the interface was on the channel. I typed "iwconfig -i wlan0 channel 6 mode monitor" (or whatever exact command would accomplish that - I'm new and always look directly at the help for the verbiage but don't always remember it exactly) and got no error messages.
I must be missing a setting on the network card? The reason I'm thinking this is that this reminds me of Packet Radio from my Ham Radio days. (Packet radio = wireless modems back before the internet).
My packet radio wireless modem could be set to "monitor" mode with decreasing levels of verbosity. For example, on a scale of 1 to 6, it might be:
1. All traffic
3. Traffic broadcast by a BBS
6. Only traffic which is intended for you
each level showing less and less data. Make sense? It's as if my card is "set" to only receive certain types of data?
By the way - NO capture filters in Wireshark. No display filters either. I can post a quick packet dump file if necessary, the output to any commands, etc. I'm willing to do my part to find the answer.
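A quick way to check a monitor-mode capture like the one described above is to count 802.11 frame types instead of scanning Wireshark by eye: if only management (beacon) and control (ACK) frames show up, the interface is not delivering data frames at all, and if data frames do show up but all carry the Protected Frame bit, the payload is WEP/WPA ciphertext and Wireshark cannot show HTTP until it is given the key. The following is an added example, not code from this thread; the radiotap header, MAC addresses and sample frames are all constructed in the script so it runs offline.

```python
import struct
from collections import Counter

# Minimal radiotap header (version 0, 8 bytes, no optional fields) so the
# sample frames look like what a Linux monitor-mode interface hands Wireshark.
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def dot11(fc0, fc1, *addrs, body=b""):
    """Build radiotap + 802.11 frame (constructed test input, not a real capture)."""
    hdr = bytes([fc0, fc1]) + b"\x00\x00"            # frame control, duration
    hdr += b"".join(mac_bytes(a) for a in addrs)      # addr1..addr3 (control: addr1 only)
    if (fc0 >> 2) & 0x3 != 1:                         # control frames have no seq-ctrl
        hdr += b"\x00\x00"
    return RADIOTAP + hdr + body

TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
SUBTYPES = {
    0: {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
        8: "beacon", 11: "auth", 12: "deauth"},
    1: {11: "rts", 12: "cts", 13: "ack"},
    2: {0: "data", 4: "null", 8: "qos-data", 12: "qos-null"},
}

def classify(frame):
    """Return (type, subtype, protected_flag) for one radiotap + 802.11 frame."""
    version, _pad, rt_len, _present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or len(frame) < rt_len + 2:
        raise ValueError("bad radiotap header")
    fc0, fc1 = frame[rt_len], frame[rt_len + 1]
    ftype = (fc0 >> 2) & 0x3                 # bits 2-3 of the first FC byte
    subtype = fc0 >> 4                       # bits 4-7
    protected = bool(fc1 & 0x40)             # Protected Frame bit: WEP/WPA payload
    name = TYPES.get(ftype, "reserved")
    subname = SUBTYPES.get(ftype, {}).get(subtype, f"subtype-{subtype}")
    return name, subname, protected

def summarize(frames):
    """Count frames per type/subtype and track how many data frames are encrypted."""
    counts = Counter()
    for f in frames:
        ftype, sub, prot = classify(f)
        counts[f"{ftype}/{sub}"] += 1
        if sub in ("data", "qos-data"):      # null frames carry no payload, skip them
            counts["data-total"] += 1
            if prot:
                counts["data-protected"] += 1
    return counts

def diagnose(counts):
    if counts["data-total"] == 0:
        # Only beacons/ACKs: wrong channel, or another process still owns the interface.
        return "no-data-frames"
    if counts["data-protected"] == counts["data-total"]:
        # Payload is WEP/WPA ciphertext; Wireshark needs the key before it can show HTTP.
        return "encrypted-data"
    return "plaintext-data"

# Constructed addresses and frames (not from any real network).
BSSID = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SSID_IE = b"\x00" * 12 + b"\x00\x04home"   # timestamp/interval/capability, then SSID element "home"

SAMPLE = [
    dot11(0x80, 0x00, BCAST, BSSID, BSSID, body=SSID_IE),                        # beacon
    dot11(0x80, 0x00, BCAST, BSSID, BSSID, body=SSID_IE),                        # beacon
    dot11(0xD4, 0x00, CLIENT),                                                   # ACK
    dot11(0x08, 0x41, BSSID, CLIENT, "00:11:22:33:44:99", body=b"\x00" * 24),   # protected data, ToDS
    dot11(0x88, 0x41, BSSID, CLIENT, "00:11:22:33:44:99", body=b"\x00" * 26),   # protected QoS data, ToDS
]

if __name__ == "__main__":
    c = summarize(SAMPLE)
    for key in sorted(c):
        print(f"{key:16} {c[key]}")
    print("diagnosis:", diagnose(c))
```

On a real capture you would feed `classify` each packet's raw bytes (for example from a pcap reader); the diagnosis strings map onto the three situations a practitioner most often hits when "monitor mode shows nothing".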
I must have had 2 instances of Kismet running or something. I didn't see it in ps, and didn't scour through all of ps -augx.
But anyhow. Working fine as intended now after a reboot.
Writing this from within BT4 now, which means my next post will be in the "Working Hardware section!"
There's no need for monitor mode.
Just put the interface into managed mode
then connect to your network:
    iwconfig wlan0 mode managed
now you have 2 options:
arpspoof may be easier to use, since it's only meant for ARP poisoning (ettercap has other functions, Google it if you want).
example:
    root@bt:~# arpspoof
    Version: 2.4
    Usage: arpspoof [-i interface] [-t target] host
In the target you type the IP of the victim (the PC you want to sniff data from), and in the host you write the IP of your gateway. That will tell the victim that you are the gateway, so all the data will be redirected to you.
    root@bt:~# arpspoof -i wlan0 -t 192.168.1.23 192.168.1.1
Now open a new shell, arpspoof again but now change the IPs like this:
target -> gateway
host -> victim
so that the gateway thinks we are the "victim"
Don't worry about the victim's connectivity, arpspoof will redirect all the data it receives to the right IP address.
Now you can open Wireshark and see all that data flowing like water.
Hope it helps
And sorry for my English...
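The two-way arpspoof setup described in this post leaves a clear trace on the wire, which is how tools in the arpwatch family catch it: one IP (the gateway's) suddenly answered by a second MAC, and one MAC claiming both the gateway's and a client's IP. The script below is an added example written for this thread, not a tool from it; it parses raw Ethernet/ARP frames and raises those two alerts over a constructed sequence of frames, so it runs offline and sends nothing.

```python
import struct
import ipaddress
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet + ARP frame (constructed test input, not a capture)."""
    dst = BROADCAST if oper == 1 else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + b"\x08\x06"          # EtherType 0x0806 = ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)          # Ethernet/IPv4, 6/4 byte addrs
           + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
           + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return sender/target fields of an ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,                                  # 1 = request, 2 = reply
        "sha": mac_str(frame[22:28]),
        "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]),
        "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }

class ArpWatch:
    """Tracks IP->MAC claims and alerts on the two signatures of ARP poisoning."""

    def __init__(self, trusted):
        self.ip_to_mac = dict(trusted)           # pinned entries are never overwritten
        self.mac_to_ips = defaultdict(set)
        for ip_, mac in trusted.items():
            self.mac_to_ips[mac].add(ip_)

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        ip_, mac = p["spa"], p["sha"]            # both requests and replies assert sender mapping
        known = self.ip_to_mac.get(ip_)
        if known is None:
            self.ip_to_mac[ip_] = mac            # first sighting: learn it
        elif known != mac:
            alerts.append(f"ip-mac-change {ip_}: {known} -> {mac}")
        self.mac_to_ips[mac].add(ip_)
        # A host with several addresses also trips this; pin such hosts in `trusted`.
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"mac-claims-multiple {mac}: {sorted(self.mac_to_ips[mac])}")
        return alerts

def scan(frames, trusted):
    """Run every frame through one ArpWatch and return all alerts in order."""
    watch = ArpWatch(trusted)
    out = []
    for f in frames:
        out.extend(watch.feed(f))
    return out

# Constructed addresses (not from any real network).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.23", "aa:bb:cc:dd:ee:01"
OTHER_MAC = "de:ad:be:ef:00:02"                  # the host running arpspoof in this scenario

TRUSTED = {GATEWAY_IP: GATEWAY_MAC}              # the one mapping a defender should pin

SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # normal request
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),          # normal reply
    build_arp(2, OTHER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),            # "I am the gateway", sent to victim
    build_arp(2, OTHER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),           # "I am the victim", sent to gateway
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES, TRUSTED):
        print(alert)
```

The first two frames are ordinary ARP and produce nothing; the third and fourth reproduce the two arpspoof invocations from the post and yield three alerts. Pinning the gateway's MAC is the important design choice: a purely learning table would quietly accept the first spoofed reply if it arrived before the real one.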
No problem. Your English is very good! :-)
I will try all of that next time I'm logged in.
What you described is basic APR, which I appreciate. And I'm curious to see if arpspoof works better than other programs I've tried in the past.
However, Monitor mode is important to me. Maybe it's my radio background using scanners. But it also doesn't involve you associating with the router. You know, "The quieter you become, the more you are able to hear." I'm sure you've heard that before. :-)
yeah, you're right. About monitor mode, I've seen a tutorial on how to do it. I know that to do this you have to use airodump-ng to capture packets and airdecap-ng to decrypt data, using the WEP/WPA key, I think...
ok, I found the link: hxxp://forums.remote-exploit.org/newbie-area/7393-packet-sniffing-my-network.html
Hope it helps