4) Beginning the audit


So is your home network set up? I’m going to assume it is. If this is the case, you’re all ready to start auditing your network. You will need to know your ESSID to make sure you don’t accidentally target someone else’s network. Your ESSID is the name of your network – common examples in the UK would be BeBox, SKY1021, 2WIRE231, Livebox-2117, BTHomeHub-323C – but with different numbers. In other countries other default names will be more common due to differing internet service providers. You may also have given your access point/wireless router a different name of your own choosing (btw, putting a space in the name causes problems for casual snoopers who have default builds of aircrack, and for you if you’re trying to audit your network using aircrack).

If your network card is installed correctly and you have just started up, you shouldn’t have any issues at this stage. Just make sure your network card is started up (‘ifconfig ath0 up’) and try airodump. If your network interface card is called something other than ath0, replace ath0 with the correct name in the above (you should have noted down this name earlier).

Change to the Aircrack directory: e.g. if you uncompressed/installed aircrack2.4.1 in the home directory of the user ‘user’ type ‘cd /home/user/aircrack2.4.1/’

Type ‘./airodump ath0 out 0 1’ (assuming your airodump is called just ‘airodump’ – otherwise replace with ‘airodump-ng’ or whatever else you might have in there – type ‘ls’ to see a list of the files in there).

If all goes well, airodump will start and you will see a list of networks, that looks something like the below (note that I have shamelessly taken the below from http://www.grape-info.com – I’d love to plug that site here as I expect it’s a good site, but I haven’t actually had a chance to read any of the articles properly so I can’t say for sure).

BSSID              PWR  Beacons  # Data  CH  MB  ENC   ESSID
00:0D:0B:98:96:7F   48        2       0  11  54  WEP?  4B18E8C83ABD
00:A0:B0:40:5C:84   87       13      16   1  54  WEP   HOGE

BSSID              STATION            PWR  Packets  ESSID
00:A0:B0:40:5C:84  00:04:23:52:80:41   86       16  HOGE

What does this mean? The top half lists the access points, one of which should be your home network. The bottom half lists the MAC addresses of connected clients (if any) under the ‘station’ column, and the BSSIDs and ESSIDs of the access points to which they are connected under the respective column headers.


It is helpful to note the different types of encryption technology at this stage. WEP (stands for ‘Wired Equivalent Protocol’) is what we will focus on, as this is the original wireless security standard, and the one in which the majority of wireless security issues lie. If your home network says ‘WEP?’ you should wait until a packet is sent between the server and the client, at which point Airodump should identify it as WEP or WPA. If it is WEP, proceed as per the below. If it is WPA, skip ahead to the WPA section.

It is helpful to have another connected client (as we have in the above case) so that we can test out the security of the access point without having to resort to undignified meddling (aka packet injection – note that if we’re running WPA we will have to use packet injection to even begin to do anything interesting, but we’ll get onto that in the WPA section). If we do have another client to connect to our access point, we will make this client download a few large files (just go download a couple of Linux ISOs from somewhere) to generate encrypted network traffic.

As soon as you do this, you will notice that the ‘# Data’ counter will start increasing rapidly. This indicates our ‘rogue’ client, the Linux laptop, is capturing encrypted traffic that is being transferred between our ‘valid’ client (the other connected client, in the above case station ‘00:04:23:52:80:41’) and the access point (in our case ‘00:A0:B0:40:5C:84’ aka ‘HOGE’). This encrypted traffic, or at least the relevant portions of it, will be captured to a text file stored in the same directory as airodump, and will start with ‘out’ because that’s the argument we gave airodump when we ran it (e.g. ‘out-01.ivs’).

However, one of the other arguments we started airodump with, namely the zero, indicates the channel to listen on. Zero indicates scanning mode, whereby the ‘rogue’ airodump client will scan across the channels so that it gets a snapshot of what is going on in each channel. However, airodump will miss some packets in this mode. We should change to listen only on the channel we are monitoring, i.e. the channel on which our access point is operating (channel 1 in this case). Therefore we need to do a ctrl-c to kill airodump, then re-run it by changing the zero for a one, i.e. by typing ‘airodump ath0 out 1 1’. Now, after we leave it running for a short while, we’ll get something like this:

BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
00:A0:B0:40:5C:84   86     1101   36609   1  54  WEP  HOGE

BSSID              STATION            PWR  Packets  ESSID
00:A0:B0:40:5C:84  00:04:23:52:80:41   80    34110  HOGE

So we’re seeing broadly the same thing, but we have captured many more packets, and we don’t see any stations/clients from other channels (we will see other stations/clients on this channel, but that’s ok as we’re no longer missing traffic from our channel).
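To make the two airodump tables above less error-prone to read by eye, here is a small parser (an added example, not code from the original post or from aircrack) that picks out only the access point matching your own ESSID, reports its encryption, channel and connected stations, and builds the channel-locked re-run command described above. It assumes the interface is ath0 and that the listing is pasted in as text; the sample listing is constructed from the HOGE example on the page.

```python
# Constructed sample input: the channel-locked listing quoted on the page.
SAMPLE = """BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
00:A0:B0:40:5C:84   86     1101   36609   1  54  WEP  HOGE

BSSID              STATION            PWR  Packets  ESSID
00:A0:B0:40:5C:84  00:04:23:52:80:41   80    34110  HOGE
"""

def parse_airodump(text):
    """Return {bssid: info} from an airodump screen dump (both tables)."""
    aps, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("BSSID"):
            # The header line tells us which of the two tables follows.
            section = "sta" if "STATION" in line else "ap"
        elif section == "ap" and line:
            # Seven fixed columns, then the ESSID, the one field that may itself
            # contain spaces (the post warns about these), so split at most 7 times.
            p = line.split(None, 7)
            if len(p) >= 7:
                aps[p[0]] = {"bssid": p[0], "data": int(p[3]), "channel": int(p[4]),
                             "enc": p[6], "essid": p[7] if len(p) > 7 else "",
                             "stations": []}
        elif section == "sta" and line:
            p = line.split(None, 4)   # BSSID, STATION, PWR, Packets, ESSID
            if len(p) >= 2 and p[0] in aps:
                aps[p[0]]["stations"].append(p[1])
    return aps

def audit_own_network(text, my_essid):
    """Report on the one AP whose ESSID is ours and ignore every other network."""
    mine = [ap for ap in parse_airodump(text).values() if ap["essid"] == my_essid]
    if len(mine) != 1:
        return {"status": "essid not found or ambiguous", "matches": len(mine)}
    ap = mine[0]
    if ap["enc"].endswith("?"):
        status = "encryption not yet identified: wait for data frames"
    elif ap["enc"] == "WEP":
        status = "WEP in use (insecure)"
    else:
        status = ap["enc"] + " in use"
    return {"status": status, "bssid": ap["bssid"], "channel": ap["channel"],
            "data_frames": ap["data"], "clients": ap["stations"],
            # the channel-locked re-run the post describes; ath0 is assumed
            "locked_capture_cmd": f"./airodump ath0 out {ap['channel']} 1"}

if __name__ == "__main__":
    print(audit_own_network(SAMPLE, "HOGE"))
```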
