
I guess that this is a dumb question, but I really thought for a long time that the wireless sniffing attack consists of listening to all the packets that go over the air, but apparently it isn't that, because no matter how I try, I can only see my traffic with Wireshark (even in promiscuous mode).

So what is the wireless sniffing attack, how is it done, and what is the damage that it can do?

PS: I've tried Wireshark both on Ubuntu 15.10 (with Linux version > 4) and on Windows 7.

Sidahmed
  • Are you running Wireshark in Windows? Promiscuous mode does not work very well in Windows. – AstroDan Feb 29 '16 at 21:12
  • I am running Wireshark in Ubuntu 15.10, I should have mentioned that in my question. – Sidahmed Feb 29 '16 at 21:14
  • Are you trying to listen to other people's network traffic remotely? – Mark Buffalo Feb 29 '16 at 21:22
  • Describe your network infrastructure. Is it ad-hoc/IBSS? BSS? or ESS? Does your access point use WEP, WPA or WPA-2 (aka IEEE 802.11i)? In case of .11i with AES cipher you may be able to sniff data but not decrypt it. – user996142 Feb 29 '16 at 21:25
  • One more question: what is your network card and driver? Driver should support the "mac80211 framework" to enable promisc. mode in Linux. In Windows, however, almost no drivers support it (except special cards). Check this link: https://wiki.wireshark.org/CaptureSetup/WLAN#Linux – user996142 Feb 29 '16 at 21:30
  • @MarkBuffalo Not really. I have a project where I have to find a way to detect the sniffing, and before I detect it, I must at least try it, but don't worry, I'm only trying it on my machines. – Sidahmed Feb 29 '16 at 21:39
  • @user996142 I'm trying to do the test on a simple network with one AP, so I guess it is a BSS. For the encryption, I tried both on APs using WPA and WPA-2. And here is the network card that I've tried with: 'Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)'. Please tell me, have you tried sniffing with your own hand, and could you see other machines' traffic (without using ARP spoofing)? – Sidahmed Feb 29 '16 at 21:46
  • On Linux, provide output of `airmon-ng start wlan0`. Do you have `monitor mode enabled on mon0`? You should be able to see foreign traffic, but not actually read data. – user996142 Feb 29 '16 at 21:49
  • You probably need *monitor mode*, not *promisc. mode*: see http://security.stackexchange.com/questions/80500/promiscuous-vs-monitor-mode-in-802-11?rq=1 – user996142 Feb 29 '16 at 21:52

2 Answers

So what is the wireless sniffing attack

It is capturing packets (recording some traffic) that traverse your wireless network, without you knowing about it.

how is it done

You need a network card that supports monitor mode, an OS and version that properly supports delivering traffic captured in monitor mode, and drivers that properly support it. Linux is your best bet here.

In this mode, your wireless card will receive packets without having to be associated to an AP. It will capture all traffic it hears on a given Wi-Fi channel. Other STAs or APs won't know this is happening.

This is different from promiscuous mode: a wireless NIC has to be associated before promiscuous mode will work. Monitor mode has no such requirement.

what is the damage that it can do

  • Collect valid MAC addresses to bypass SSID hiding.

  • Passively and undetectably collect data needed to break WEP/WPA (not WPA2) encryption.

  • Receive all data transmitted/received on open networks/networks without encryption, with the ability to read any plaintext information.

LawrenceC
  • Thanks Bro, I did try with the promiscuous mode when I am connected to the AP, but even in that mode, it only shows my packets, what is the problem here? – Sidahmed Feb 29 '16 at 22:29
  • The problem here is that you're using *promiscuous* mode, not *monitor* mode. As has been pointed out in other answers and comments, they're not the same mode, and, on a Wi-Fi network, you need *monitor* mode to capture other hosts' traffic. Monitor mode is available on Ubuntu, but not Windows, in Wireshark, but, currently, [it's complicated on Linux](https://wiki.wireshark.org/CaptureSetup/WLAN#Linux). – Feb 29 '16 at 23:37
  • AP may be in isolation mode and not letting you see other STA traffic. – LawrenceC Feb 29 '16 at 23:41

So let's say you've got a normal Wi-Fi network with WPA2 encryption.

First you need to ensure your card is in monitor mode and listening on the channel the AP is transmitting on.

Now you are going to capture all the packets. But they won't make sense, since they are encrypted. But then you will of course say, "I've got the key." Well, you do, but the key is only used to encrypt the 4-way handshake, which occurs when a client associates with the AP; after that, the client and the AP encrypt the traffic with what is stated in the 4-way handshake.

So what you need to do is to capture the 4-way handshake. This can be done easily with Wireshark. But you need to wait for somebody to connect to the AP so that you can capture this 4-way handshake.

This would take a long time. Good thing there is this awesome toolkit made by mistrx called aircrack-ng, which allows you to mess around with Wi-Fi and even deauthenticate somebody who is authenticated, making the handshake occur again.

What you do is this: `aireplay-ng -0 1 -a [mac of ap] -c [mac to deauth] (name of wifi card)`

You should have Wireshark running already for this.

You should then, or even before, go to (in Wireshark) Edit -> Preferences -> Protocols -> IEEE 802.11 and add your keys. If you have any difficulty, you could follow this:

https://wiki.wireshark.org/HowToDecrypt802.11

Stay safe
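From the detection side the asker mentioned: passive monitor-mode capture leaves no trace, but the deauthentication burst and the forced re-handshake that this answer describes are visible on the air. The following parser is an added example, not code from either answer; it assumes frames are raw 802.11 (radiotap header already stripped, as when exporting from Wireshark), and the MAC addresses and sample frames are constructed for the test.

```python
# Added example, not from either answer: classify raw 802.11 frames so a defender can
# spot the visible part of the technique above, a deauth burst followed by a fresh handshake.
import struct
from collections import Counter

AP, STA = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")  # constructed MACs
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header, ethertype 0x888e
HS_MSG = {(1, 0, 0): 1, (0, 1, 0): 2, (1, 1, 1): 3, (0, 1, 1): 4}  # (Ack, MIC, Secure) -> msg

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def handshake_msg(key_info):  # Ack = bit 7, MIC = bit 8, Secure = bit 9 of Key Information
    return HS_MSG.get((key_info >> 7 & 1, key_info >> 8 & 1, key_info >> 9 & 1))

def parse_frame(frame):
    """Return (kind, src, dst, extra) for one 802.11 frame without a radiotap header."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    src, dst = mac(frame[10:16]), mac(frame[4:10])  # addr2 = transmitter, addr1 = receiver
    if ftype == 0 and subtype == 12:                 # management frame, deauthentication
        return ("deauth", src, dst, struct.unpack("<H", frame[24:26])[0])  # reason code
    if ftype == 2:                                   # data frame; QoS subtypes add 2 bytes
        body = frame[26:] if subtype & 0x8 else frame[24:]
        if body.startswith(LLC_SNAP_EAPOL):
            # Key Information follows LLC/SNAP (8), EAPOL header (4) and descriptor type (1)
            return ("eapol", src, dst, handshake_msg(struct.unpack(">H", body[13:15])[0]))
    return ("other", src, dst, None)

def analyze(frames, deauth_threshold=3):
    """Transmitters sending >= threshold deauths, plus handshake messages in capture order."""
    deauths, handshake = Counter(), []
    for kind, src, dst, extra in map(parse_frame, frames):
        if kind == "deauth":
            deauths[src] += 1
        elif kind == "eapol" and extra:
            handshake.append((extra, src, dst))
    return {"deauth_sources": sorted(s for s, n in deauths.items() if n >= deauth_threshold),
            "handshake": handshake}

# Builders for constructed test frames only (FC, duration, addr1, addr2, addr3, seq, body).
def build_deauth(src, dst, reason=7):
    return b"\xc0\x00\x00\x00" + dst + src + src + b"\x00\x00" + struct.pack("<H", reason)

def build_eapol(src, dst, key_info):  # plain data frame carrying an EAPOL-Key, descriptor 2
    hdr = b"\x08\x00\x00\x00" + dst + src + src + b"\x00\x00"
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f\x02" + struct.pack(">H", key_info)

# Constructed sample: five deauths with the AP's address, then messages 1-4 of a new handshake.
SAMPLE = [build_deauth(AP, STA) for _ in range(5)] + [
    build_eapol(AP, STA, 0x008a), build_eapol(STA, AP, 0x010a),
    build_eapol(AP, STA, 0x13ca), build_eapol(STA, AP, 0x030a)]
```

A source that exceeds the deauth threshold right before a complete message 1-4 sequence is the pattern worth alerting on; an AP legitimately deauthenticating a single client does not usually repeat it several times within a second.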