WiFi Harvesting

Installing

Aircrack-ng is a suite of tools for wireless security auditing. It can be used to monitor, test, crack or attack wireless security protocols such as WEP, WPA and WPA2. Aircrack-ng is command-line based and is available for Windows, macOS and other Unix-based operating systems. The suite contains many tools for various purposes, but here we'll only look at some of the important ones that are used most often in wireless security testing.

Aircrack-ng is easy to install. Just run the following commands and they will install all tools available in the Aircrack-ng suite.

sudo apt-get update
sudo apt-get install -y aircrack-ng

Sniff Wi-Fi Activity Without Connecting to a Target Router

Airodump-ng is available in all popular Linux distributions and will work on virtual machines and on Raspberry Pi installations. I'll be using Kali Linux to collect data belonging to a Wi-Fi router that I control.

To list all available network devices, type the following command.

ifconfig

In my case you can see that wlan1 is available to place into monitor mode. To enable monitor mode on a wireless adapter, use the below command.

airmon-ng start wlan1

Now wlan1 is in monitor mode and shows up as wlan1mon. Then, find the target network. To view Wi-Fi networks in the surrounding area, use the below command. I'll be targeting my "Null Byte" router as an example.

airodump-ng wlan1mon

Start Capturing Wi-Fi Data

To start collecting data belonging to a target network, type the below command, replacing the placeholders with the BSSID, network name, channel and save path you're working with.

airodump-ng --bssid TargetMACaddressHere --essid RouterNameHere -c ChannelNumber -w SaveDestination wlan1mon

I'm saving the collected data into my /tmp directory to a file named "homewifi" using the -w argument. Airodump-ng will automatically append a number to the end of the filename, so it'll actually be saved in the /tmp directory as "homewifi-01.cap". Alongside the capture, Airodump-ng also writes a "homewifi-01.csv" summary of the access points and clients it saw; that CSV is the file Airgraph-ng reads later.

As long as the Airodump-ng terminal is running, data will continue to accumulate. The Airodump-ng terminal can run for hours or even days. In my example Airodump-ng session, I let the packet collection run for over 15 minutes. The time elapsed can be identified in the top-left corner of the terminal.

When a satisfactory amount of data has been collected, the Airodump-ng session can be stopped by pressing Ctrl + C. There will now be a "homewifi-01.cap" file (or whatever you named it) in the /tmp directory.

Visualizing the data with Airgraph-ng

We can't read the traffic flowing between devices, but we can watch the relationship between Wi-Fi devices like laptops, smartphones, and IoT products to learn about the network and the people behind them. To understand how a network is connected, we can sniff the Wi-Fi radio traffic in the area to discover which devices are currently connected to an access point, building a list of relationships.

For an attacker, this means the ability to walk through a building and create a map of which access point every printer, security camera, and laptop is connected to. It's also possible to learn the names of networks that nearby Wi-Fi devices have connected to recently, making it easy to create a fake network they will connect to automatically.

For processing the packets we intercept, we'll be using another program installed by default, Airgraph-ng. This program can visualize two types of information useful for a hacker. The first type of graph is a CAPR, or client access point relationship graph. This graph shows a map of every device currently connected to an access point and which network they are currently connected to.

The second kind of chart shows us the names of networks that Wi-Fi devices not currently connected to an access point are calling out for. This can reveal a list of networks we could create to lure nearby devices into connecting.

Airgraph-ng is pretty straightforward, as can be seen by its manual page entry.

NAME
       airgraph-ng - a 802.11 visualization utility

SYNOPSIS
       airgraph-ng [options]

DESCRIPTION
       airgraph-ng graphs the CSV file generated by Airodump-ng. The idea is that we are showing the
       relationships of the clients to the AP's so don't be shocked if you see only one  mapping  as
       you may only have captured one client

OPTIONS
       -h     Shows the help screen.

       -i     Airodump-ng CSV file

       -o     Output png file.

       -g     Choose the Graph Type. Current types are [CAPR (Client to AP Relationship) & CPG (Common probe graph)].

       -a     Print the about.

EXAMPLES
       airgraph-ng -i dump-01.csv -o dump.png -g CAPR

       airgraph-ng -i dump-01.csv -o dump.png -g CPG

Update Your System & Install if Needed

If you're running Kali Linux, you should have everything you need installed. Even so, we'll update first and make sure the Aircrack-ng suite is present. To do so, connect your Kali computer to the internet and run the following commands in a terminal window.

apt update
apt upgrade
apt install aircrack-ng

Generate a Graph of AP Relationships

Now, it's time to generate our first graph from the wireless data we've intercepted. You can think of this data as metadata, telling us which devices were talking to each other, but not what they were saying.

First, we'll start a graph of the client AP relationships. After locating the CSV file we created, run the following command in a terminal window to create a CAPR graph of which device is connected to which access point. Replace "CAPRintercept.png" with the name of the graph you want to create, and '/root/Desktop/homewifi-01.csv' with the path to the CSV file.

airgraph-ng -o CAPRintercept.png -i '/root/Desktop/homewifi-01.csv' -g CAPR

This should generate a graph to explore. Here we can see an example showing the relationship between access points and devices, clearly giving an overview of the local network topology.

Generate a Graph of Probe Frames

Next, let's target devices nearby which are not currently connected to an AP. From these devices, we can learn the names of networks they have been connected to before, allowing us to potentially trick them into connecting to a fake version with the same name.

To get this information, we'll just re-process the data we intercepted into a different kind of graph. There is no need to go back and collect more information, we're just going to visualize it in another way.

Open a terminal window and type the following commands, swapping out "CPGintercept.png" for the name of the file you want to save the graph under, and '/root/Desktop/homewifi-01.csv' again for the location of the CSV file you created earlier from the captured data.

airgraph-ng -o CPGintercept.png -i '/root/Desktop/homewifi-01.csv' -g CPG

Airgraph-ng should generate a new graph showing the networks that nearby devices are calling out for. This also lets you identify network names that several nearby devices would connect to.
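As an added example (not part of Aircrack-ng or of the original guide), this Python script rebuilds from the airodump-ng CSV the two relationships that the CAPR and CPG commands above feed to Airgraph-ng: the client-to-AP mapping and the probed-network list, plus a defender-side check for remembered network names that your own clients are announcing. The CSV contents, MAC addresses and network names are constructed; the column layout follows the airodump-ng CSV format.

```python
# Added example (not Aircrack-ng code): rebuild the CAPR and CPG relationships Airgraph-ng draws from an airodump-ng CSV; the data below is constructed.
from collections import defaultdict

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-01-01 10:00:00, 2019-01-01 10:15:00,  6,  54, WPA2, CCMP, PSK, -40, 100, 0,   0.  0.  0.  0,   9, Null Byte,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:00:00:01, 2019-01-01 10:02:00, 2019-01-01 10:14:00, -55, 12, 00:11:22:33:44:55, Null Byte
AA:AA:AA:00:00:02, 2019-01-01 10:03:00, 2019-01-01 10:13:00, -70,  5, (not associated) , CoffeeShop,Null Byte
AA:AA:AA:00:00:03, 2019-01-01 10:04:00, 2019-01-01 10:12:00, -72,  3, (not associated) , CoffeeShop
"""

def parse(text):
    """Return ({bssid: essid}, [(station_mac, bssid, [probed essids])]) from an airodump-ng CSV."""
    ap_part, sta_part = text.split("Station MAC,", 1)   # AP table first, Station table second
    aps, stations = {}, []
    for line in ap_part.splitlines():
        if line.strip() and not line.startswith("BSSID,"):
            f = [x.strip() for x in line.split(",")]
            aps[f[0]] = f[13]                           # ESSID is the 14th AP column
    for line in sta_part.splitlines()[1:]:              # [0] is the rest of the header
        f = [x.strip() for x in line.split(",", 6)]     # probe list is itself comma-separated
        if len(f) > 6:                                  # skips blank trailing lines
            probes = [p.strip() for p in f[6].split(",") if p.strip()]
            stations.append((f[0], f[5], probes))
    return aps, stations

def capr(text):
    """Client-to-AP relationship graph data: {'ESSID (BSSID)': [client MACs]}."""
    aps, stations = parse(text)
    rel = defaultdict(list)
    for mac, bssid, _ in stations:
        if bssid != "(not associated)":
            rel[f"{aps.get(bssid, '<hidden>')} ({bssid})"].append(mac)
    return dict(rel)

def cpg(text):
    """Common probe graph data: {probed ESSID: [unassociated client MACs]}."""
    probes = defaultdict(list)
    for mac, bssid, probed in parse(text)[1]:
        if bssid == "(not associated)":
            for essid in probed:
                probes[essid].append(mac)
    return dict(probes)

def leaked_names(text):
    """Defender's check: SSIDs probed for that no AP in range advertises (remembered networks leaking)."""
    aps, _ = parse(text)
    return sorted(set(cpg(text)) - set(aps.values()))
```

Run against a real "homewifi-01.csv" by reading the file into `text`; any name returned by leaked_names is a remembered network that a client is broadcasting in its probe requests, which is the list worth pruning from your own devices.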

Interpret the Results

For a hacker or penetration tester, the previous two graphs provide a goldmine of information. In the first, we're able to see which access point every nearby device is connected to, allowing us to isolate or capture clients onto fake MITM networks if we identify a target. Because of this, we can create a fake version of a network a device is currently connected to, kick them off the real network, and cause them to automatically connect to the fake version.

In the second graph, we're able to identify networks we could create that would cause several different devices to connect. These graphs can also reveal devices using MAC address randomization, because a device that changes its MAC address may keep calling out for a network with a unique name as its MAC changes.

Hackers can use this information about the type of hardware present and the way it's connected to come up with a plan of attack against a network. Because this attack is totally passive and requires no interaction with the network, the risk of being caught snooping on this information is almost nonexistent.

I hope you enjoyed this guide to using Airgraph-ng for Wi-Fi signals intelligence!