Kali Linux to sniff over the air traffic

Kali Linux & over the air promiscuous capture

Based on the following link:-

https://supportforums.cisco.com/blog/12200881/using-live-linux-distro-get-wireless-packet-capture

I was trying to use kali linux on a lab windows machine, and thought of sharing my observations. Kali has inbuilt wireshark, tcpdump, dumpcap and airmon-ng support, so you can have wireless frames scrolling right in front of you in wireshark, just as when you sniff a wired adaptor. This way you can make sure you got the right frames at the right time. It is also loaded with tons of other utilities; you never know when you might need one.

  1. Get your Kali copy:-

    http://www.kali.org/downloads/

    I normally use the kali linux 32 bit ISO, 3.2GB in size.

  2. Now use any USB imaging software to make a bootable linux USB drive (formatted in FAT32 & at least 4GB in capacity), using the ISO image downloaded in the above step.

    http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

    This is the longest part, ~10 minutes. Once done, remove the USB safely.

  3. Change the boot order on the sniffer/subject laptop to boot from USB. Pressing F12 while booting up does it for me.

    Then you will be presented with the kali boot up screen:-

    Just go with Live (forensic mode).

  4. Installing java on kali linux is not an easy process, so you will not be able to get it joined to the webex via kali's default browser, iceweasel.

    However, making VNC viewer work with it is pretty easy. Go to applications>internet>Desktop sharing, so the customer can remote into the client from a windows client which is connected to the webex.

    Start a terminal session by clicking on the fourth icon from the left in the title bar, and find Kali's IP on the wired interface:-

    Now you can use the free VNC viewer to remote into kali, as you know its wired IP:-

    https://www.realvnc.com/download/viewer/

  5. Create a monitor interface for wlan interface and set its channel & channel width:-

    root@kali:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
              inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
              inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
              inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:910 errors:0 dropped:0 overruns:0 frame:0
              TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:120086 (117.2 KiB)  TX bytes:5956 (5.8 KiB)
              Interrupt:20 Memory:fc200000-fc220000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:16 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

    wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    //So above there is no mon0, i.e. no monitor interface yet.
    //Use the below command to get a monitor interface.

    root@kali:~# airmon-ng start wlan0
    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID    Name
    3513    NetworkManager
    3610    wpa_supplicant
    3922    dhclient

    Interface    Chipset        Driver
    wlan0        Intel 5300AGN    iwlwifi - [phy0]
                    (monitor mode enabled on mon0)

    //As you see, a mon0 was created on wlan0 (Intel 5300 AGN, phy0).
    //Now if you do an ifconfig again, you can see the monitor interface.

    root@kali:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
              inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
              inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
              inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1015 errors:0 dropped:0 overruns:0 frame:0
              TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:134272 (131.1 KiB)  TX bytes:6242 (6.0 KiB)
              Interrupt:20 Memory:fc200000-fc220000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:16 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

    mon0      Link encap:UNSPEC  HWaddr 00-21-6A-8D-48-B0-00-00-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1585 errors:0 dropped:1585 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:428563 (418.5 KiB)  TX bytes:0 (0.0 B)

    wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    //iwconfig will show you all the wireless settings. Check that mon0 is in monitor mode.

    root@kali:~# iwconfig
    wlan0     IEEE 802.11abgn  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm
              Retry  short limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off

    lo        no wireless extensions.

    mon0      IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm
              Retry  short limit:7   RTS thr:off   Fragment thr:off
              Power Management:off

    eth0      no wireless extensions.

    //With kali linux, mon0 is what you need for sniffing. wlan0 can be turned down now.

    root@kali:~# ifconfig wlan0 down

    //Find your physical interface name and set its channel width & channel.

    root@kali:~# iw list | grep phy
    Wiphy phy0
             * set_wiphy_netns

    //So phy0 is the physical interface.

    root@kali:~# iw phy phy0 set channel 36 HT40+

    //This is the most important command. I have set it to sniff on channel 36 and channel 44. For a secondary channel below the primary, use HT40-. For a 20 MHz channel, use HT20.
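The script below is an added example, not code from the original post: it wraps the airmon-ng and iw steps of this section so that each result is checked rather than assumed. It reads the monitor interface name out of airmon-ng's output, confirms from iwconfig that the interface really reports Mode:Monitor, and validates the channel/width pair before building the iw command. The interface names, the phy name and the channel values are assumptions; the three helper functions only process text, so they can be exercised on saved output without root or a wireless NIC.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names, phy name and
# channel/width values are assumptions; adjust them for your adapter.

# Extract the monitor interface name that airmon-ng reports, e.g. "mon0" from
# "(monitor mode enabled on mon0)". Prints nothing if no such line is present.
monitor_iface_from_airmon() {
    printf '%s\n' "$1" | sed -n 's/.*(monitor mode enabled on \([^)]*\)).*/\1/p' | head -n 1
}

# Given iwconfig output and an interface name, return 0 if that interface's
# block contains Mode:Monitor, 1 otherwise. iwconfig prints one block per
# interface; a block starts with the interface name in column 0 and its
# remaining lines are indented.
is_monitor_mode() {
    iwconfig_out=$1
    iface=$2
    printf '%s\n' "$iwconfig_out" | awk -v want="$iface" '
        /^[^[:space:]]/ { cur = $1 }                 # a new interface block begins
        cur == want && /Mode:Monitor/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Build the "iw phy <phy> set channel <n> <width>" command. Width must be
# HT20, HT40+ (secondary 20 MHz channel above the primary) or HT40- (below).
# Returns 1 and prints nothing on a non-numeric channel or unknown width.
channel_cmd() {
    phy=$1; chan=$2; width=$3
    case $chan in ''|*[!0-9]*) return 1 ;; esac
    case $width in HT20|HT40+|HT40-) ;; *) return 1 ;; esac
    printf 'iw phy %s set channel %s %s\n' "$phy" "$chan" "$width"
}

# Real run (needs root and a wireless NIC):  sh monitor_setup.sh --apply wlan0 36 HT40+
# Without --apply the file only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    wlan=${2:-wlan0}; chan=${3:-36}; width=${4:-HT20}
    out=$(airmon-ng start "$wlan")
    mon=$(monitor_iface_from_airmon "$out")
    [ -n "$mon" ] || { echo "airmon-ng did not report a monitor interface" >&2; exit 1; }
    is_monitor_mode "$(iwconfig 2>/dev/null)" "$mon" || { echo "$mon is not in monitor mode" >&2; exit 1; }
    # "iw dev <iface> info" prints a "wiphy N" line; phyN is the physical interface.
    phy=$(iw dev "$mon" info | awk '/^[[:space:]]*wiphy/ { print "phy" $2 }')
    cmd=$(channel_cmd "$phy" "$chan" "$width") || { echo "bad channel/width: $chan $width" >&2; exit 1; }
    $cmd
    echo "ready to capture on $mon after: $cmd"
fi
```

A capture on the wrong channel or width silently misses the client's frames while still looking like a healthy capture, which is why the channel and width are validated before the command is run rather than checked afterwards in wireshark.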

  6. Now you can start wireshark, tcpdump or dumpcap and sniff on the mon0 interface. If using wireshark, I would make sure of the following settings:-

    Applications->Internet->wireshark to start wireshark

    For longer captures, you can always use a ring buffer ("Use multiple files" in the capture options).

  • Start capturing. After capturing, you can save the file to the underlying disk used by windows. You can access the underlying windows filesystem if you mount it like this:-

    Once mounted, the windows file system will be on the desktop for you to save captures to. You can later boot into windows and find the capture stored on disk.
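The following is an added example, not code from the original post, covering the two points above and the later note on using dumpcap for long captures: it mounts the laptop's Windows partition from the live session and runs a dumpcap ring buffer into it, so a multi-hour capture neither fills the disk nor disappears with the live system on reboot. The device path, mount point, file names and ring-buffer sizes are assumptions; Live (forensic mode) deliberately leaves internal disks unmounted, so the mount is an explicit step.

```shell
#!/bin/sh
# Added example (not from the original post). Mount point, file names and
# ring-buffer sizes are assumptions; the NTFS partition is discovered at run time.

# Pick the first NTFS partition from "lsblk -rno NAME,FSTYPE" output (one
# "name fstype" pair per line, raw format without tree characters).
# Prints /dev/<name>, or nothing if no NTFS partition is listed.
first_ntfs_dev() {
    printf '%s\n' "$1" | awk '$2 == "ntfs" { print "/dev/" $1; exit }'
}

# Mount command for that partition, read-write through ntfs-3g.
mount_cmd() {
    printf 'mount -t ntfs-3g %s %s\n' "$1" "$2"
}

# dumpcap ring buffer: switch files every size_kb kilobytes and keep at most
# n_files files, overwriting the oldest. Returns 1 if a size is not an integer.
dumpcap_ring_cmd() {
    iface=$1; outfile=$2; size_kb=$3; n_files=$4
    for v in "$size_kb" "$n_files"; do
        case $v in ''|*[!0-9]*) return 1 ;; esac
    done
    printf 'dumpcap -i %s -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$size_kb" "$n_files" "$outfile"
}

# Upper bound, in kB, on what the ring buffer can occupy on the volume.
ring_space_kb() {
    echo $(( $1 * $2 ))
}

# Execute a command, or only print it when DRY=1 so the plan can be reviewed.
run() {
    if [ "${DRY:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Real run (needs root):  sh capture_to_windows.sh --apply mon0
# Review first:           sh capture_to_windows.sh --apply mon0 dry
if [ "${1:-}" = "--apply" ]; then
    iface=${2:-mon0}
    [ "${3:-}" = dry ] && DRY=1
    mnt=/mnt/windows; size_kb=102400; n_files=20          # 20 files x 100 MB
    dev=$(first_ntfs_dev "$(lsblk -rno NAME,FSTYPE)")
    [ -n "$dev" ] || { echo "no NTFS partition found" >&2; exit 1; }
    run mkdir -p "$mnt"
    run $(mount_cmd "$dev" "$mnt")
    run mkdir -p "$mnt/captures"
    need=$(ring_space_kb "$size_kb" "$n_files")
    free=$(df -Pk "$mnt" | awk 'NR == 2 { print $4 }')   # available kB on the volume
    [ "$free" -gt "$need" ] || { echo "only ${free} kB free, ring buffer needs ${need} kB" >&2; exit 1; }
    run $(dumpcap_ring_cmd "$iface" "$mnt/captures/otac.pcapng" "$size_kb" "$n_files")
fi
```

The free-space check runs before dumpcap starts because a ring buffer that cannot write its next file stops the capture at exactly the moment the buffer was supposed to protect.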

Notes:-

  • Make sure the adaptor in the kali laptop is capable of catching all the spatial streams the intended client is using. For example, if you have a 1SS wireless NIC in the kali laptop, then you can not capture the communication between a 3SS client and a Cisco access point.
  • The default user in kali is root and the password is toor.
  • The following link has always helped me decrypt the traffic of a WPA2 encrypted ssid, if I was able to capture the eapol handshake:-

    http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/

    If you enter the key calculated by the link below into wireshark, the packets captured after the eapol handshake will be decrypted on the fly, provided the eapol handshake was captured completely:-

    http://jorisvr.nl/wpapsk.html

  • NTP syncing of the packet capturing machine (kali linux) and the WLC is a must, else when comparing timestamps we might be looking at different packets:-

    root@kali:~# date
    Mon Oct 13 10:54:07 UTC 2014

    root@kali:~# hwclock
    Mon 13 Oct 2014 10:54:14 AM UTC  -0.547837 seconds

    root@kali:~# apt-get install ntpdate
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      lockfile-progs
    The following NEW packages will be installed:
      lockfile-progs ntpdate
    0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
    Need to get 91.0 kB of archives.
    After this operation, 291 kB of additional disk space will be used.
    Do you want to continue [Y/n]? Y
    Get:1 http://http.kali.org/kali/ kali/main ntpdate i386 1:4.2.6.p5+dfsg-2 [80.5 kB]
    Get:2 http://http.kali.org/kali/ kali/main lockfile-progs i386 0.1.17 [10.5 kB]
    Fetched 91.0 kB in 1s (58.6 kB/s)
    Selecting previously unselected package ntpdate.
    (Reading database ... 318056 files and directories currently installed.)
    Unpacking ntpdate (from .../ntpdate_1%3a4.2.6.p5+dfsg-2_i386.deb) ...
    Selecting previously unselected package lockfile-progs.
    Unpacking lockfile-progs (from .../lockfile-progs_0.1.17_i386.deb) ...
    Processing triggers for man-db ...
    Setting up ntpdate (1:4.2.6.p5+dfsg-2) ...
    Setting up lockfile-progs (0.1.17) ...

    root@kali:~# ntpdate us.pool.ntp.org
    13 Oct 11:01:28 ntpdate[6984]: no server suitable for synchronization found

    //The above failed as my network blocks access to outside ntp servers; below I use an internal ntp server, which works.

    root@kali:~# ntpdate 10.88.1.98
    13 Oct 11:05:02 ntpdate[6995]: step time server 10.88.1.98 offset 18010.420247 sec
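As an added example (not from the original post), the script below turns the check above into something that can be run before every capture: it queries the NTP server without touching the clock (ntpdate -q), pulls the offset out of ntpdate's summary line, and fails if the capture laptop is further from the server than an allowed tolerance. It assumes the WLC is synced to the same NTP server; the server address, the one-second default tolerance and the sample ntpdate lines used in the comments are assumptions or constructed from the output above.

```shell
#!/bin/sh
# Added example (not from the original post). Server address and tolerance
# are assumptions; pass them on the command line.

# Pull the offset in seconds out of an ntpdate summary line such as
#   13 Oct 11:05:02 ntpdate[6995]: step time server 10.88.1.98 offset 18010.420247 sec
# (constructed from the session above). Prints nothing when ntpdate instead
# reported "no server suitable for synchronization found".
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9.]*\) sec.*/\1/p' | head -n 1
}

# Return 0 if |offset| <= max_sec, 1 if it exceeds that or the offset is missing.
# The comparison is done in awk because sh arithmetic is integer-only.
offset_within() {
    off=$1; max=$2
    [ -n "$off" ] || return 1
    awk -v o="$off" -v m="$max" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# Usage:  sh clock_check.sh --check <ntp-server> [max-sec]
# -q queries only and never steps the clock, so it is safe to run mid-capture;
# a clock that is stepped while dumpcap is writing produces non-monotonic timestamps.
if [ "${1:-}" = "--check" ]; then
    server=${2:?usage: --check <ntp-server> [max-sec]}
    max=${3:-1}
    out=$(ntpdate -q "$server" 2>&1)
    off=$(ntpdate_offset "$out")
    if offset_within "$off" "$max"; then
        echo "clock within ${max}s of $server (offset ${off}s)"
    else
        echo "clock is off by ${off:-unknown}s from $server; sync with: ntpdate $server" >&2
        exit 1
    fi
fi
```

The 18010-second offset in the session above is five hours, which is enough to make a capture and a WLC debug describe entirely different client sessions; running the check before the capture starts is cheaper than discovering that afterwards.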

  • As this is a live usb, any software you install or files you save on the linux install itself will be deleted once you reboot. That is the reason, if you want a stable sniffer, you would either create a dual boot disk, where kali resides permanently in one partition, OR create a live persistence disk:-

    http://www.youtube.com/watch?v=_Jev5iEUuvo

    If you go the persistent way, never remove the USB drive while shutting down, even though the CLI asks you to.

    When starting up, always use live USB persistence mode. Save the wireshark captures in the persistence folder created. Persistence is totally optional.

    Else just go with Live (forensic mode) & save the capture files in the windows file system, which is accessible via kali linux, as explained above.

  • There are many other ways of turning the wireless NIC into monitor mode, like:-

    http://wireless.kernel.org/en/users/Documentation/iw#Adding_interfaces_with_iw

    But as the above has worked reliably for me, I will keep that as a reference.

  • The step where I disable wlan0 has had no effect on my packet capture, as far as I have seen. Even if I keep it enabled, I get a good pcap. Skipping this step has been ok too. If you have issues, try toggling it.

    root@kali:~# ifconfig wlan0 down

  • tcpdump and dumpcap come preinstalled with kali. You can use them instead of wireshark for longer captures, if you like.

  • Quick cmd summary:-

    airmon-ng start wlan0
    iw phy phy0 set channel 36 HT20/HT40+/HT40-

    Sample setup/diagram->
