A year ago…
Almost one year ago, we investigated how to enable monitor mode WiFi sniffing using Windows 10 Pro and a network adapter that only allows promiscous mode. We read that the NetGear WiFi A6210 was able to do that, however, we found some limitations in our experimients. You can find all the details here.
If you follow our blog, you may already know that we created this new section, “Cyber-security hacks”, and showed you how we installed Kali Linux in a VMWare virtual machine hosted by a Windows 10 Pro OS. You can check that out here.
Kali Linux is a really cool tool for people who love cybersecurity. Therefore, still being really interested in finding a way to capture 802.11 with a Windows 10 Pro PC, we were really amazed when we got it to work with our Kali VM!
If you already have your Kali Linux VM, and can get this network adapter (about $20), you are ready to follow our tutorial and get this working too!
Step 1: Set up the network adapter in Kali VM
Plugin your USB network adapter and make sure you unselect the Network Adapter option that uses your PC network adapter. Then, connect the USB one so the Kali VM will use it.
Step 2: Enable monitor mode in Kali
Check your wireless interfaces with the command “iwconfig” and you’ll see wlan0 is in Managed mode rather than Monitor mode.
Now, if you followed our tutorial to install Kali, your VM already has this amazing tool called “wifite” that enables your wlan0 interface in monitor mode:
and it also searchs for APs and clients vulnerable to crack 🙂
However, if you quit it (by doing Ctrl+C), the wlan0 will come back to Managed mode:
So if you want to sniff 802.11 using monitor mode (at the same time you audit the wireless devices around you), you just need to select some (or all if you want to sniff for longer) targets so the wifite tool will keep your wlan0 in monitor mode:
Then, open a new console and type:
airodump-ng -w capture.pcap wlan0mon
Step 3: Check your captures
With this process, you have two types of pcaps. Have a look at the ones you captured using the second console (airodump):
We used our phone as an AP (sharing the WiFi) and checked that the packets were captured:
Then, you have the packets captured by Wifite. They have the name of the vulnerable target:
You can also see that Wifite is able to capture security protocols such as EAPOL when doing the handshaking:
Therefore, the used (cracked) WPA Key Data is visible as well:
Step 4: directly sniffing in monitor mode
If you just want to go straight away into the monitor mode sniffing (without checking if the devices around can be cracked), you can simply enable your wireless adapter interface as such:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
As you can see in the picture above, now it says “Mode: Monitor”. Then, you can just type:
airodump-ng -w capture.pcap wlan0mon
and start capturing packets in monitor mode. I turned on my mobile phone just after typing the sniffing command in order to see the association transaction:
In the picture above, you can see there are also “Probe Responses” sent by my router to somebody else’s station.
Also, I could check the entire “conversation” between my phone and my router, including authentication information, as my phone has my router WiFi saved:
What I wrote in the previous filter is my phone’s wireless MAC address.
You can also do the inverse: filter with your router MAC address and check which devices are connected to your network.
With this tutorial not only have you found a way to sniff packets on monitor mode (802.11 packets) but also, you are able to audit the wireless devices around and see which ones have a low security level.
We hope you liked this tutorial and if you have any question/feedback/comment, make sure you write it below or just drop us an email.
Next steps? We are investigating how to enable monitor mode on Raspberry Pi 3 😉