Kali Linux & over the air promiscuous capture

Based on the following link by Ray:-
https://supportforums.cisco.com/blog/12200881/using-live-linux-distro-get-wireless-packet-capture

I was trying to use Kali Linux on a lab Windows machine, and thought of sharing my observations. Kali has Wireshark, tcpdump, dumpcap and airmon-ng built in, so you can have wireless frames scrolling right in front of you in Wireshark, just as when you sniff a wired adaptor. This way you can make sure you got the right frames at the right time. It is also loaded with tons of other utilities that you never know when you might need.

1. Get your Kali copy:-
http://www.kali.org/downloads/
I normally use the Kali Linux 32-bit ISO, 3.2GB in size.

2. Now use any USB imaging software to make a bootable Linux USB drive (formatted in FAT32 and at least 4GB in capacity), using the ISO image downloaded in the above step:-
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
This is the longest part, ~10 minutes. Once done, remove the USB safely.
3. Change the boot order on the sniffer/subject laptop to boot from USB. Pressing F12 while booting up does it for me. Then you will be presented with the Kali boot-up screen:-
Just go with Live (forensic mode).

4. Installing Java on Kali Linux is not an easy process, so you will not be able to join the WebEx from Kali's default browser Iceweasel. However, making a VNC viewer work with it is pretty easy. Go to Applications > Internet > Desktop Sharing and enable it, so the customer can remote into the Kali client from a Windows client that is connected to the WebEx. Require a password in the Desktop Sharing dialog, since the sniffer sits on the wired network while you work.
Start a terminal session by clicking the fourth icon from the left in the title bar, and find Kali's IP on the wired interface:-
Now you can use the free VNC viewer to remote into Kali, as you know its wired IP:-
https://www.realvnc.com/download/viewer/
5. Create a monitor interface for the wlan interface and set its channel and channel width:-

root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:120086 (117.2 KiB)  TX bytes:5956 (5.8 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//So above there is no mon0, aka monitor interface.//
Use the below command to get a monitor interface.

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
3513    NetworkManager
3610    wpa_supplicant
3922    dhclient

Interface       Chipset         Driver

wlan0           Intel 5300AGN   iwlwifi - [phy0]
                                (monitor mode enabled on mon0)

//As you see, a mon0 was created on wlan0 (Intel 5300 AGN, phy0).//
Now if you do an ifconfig again, you can see the monitor interface.

root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:134272 (131.1 KiB)  TX bytes:6242 (6.0 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

mon0      Link encap:UNSPEC  HWaddr 00-21-6A-8D-48-B0-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1585 errors:0 dropped:1585 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:428563 (418.5 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//iwconfig will show you all the wireless settings. Check that mon0 is in Monitor mode.//

root@kali:~# iwconfig
wlan0     IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

mon0      IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

//With Kali Linux, mon0 is what you need for sniffing. wlan0 can be turned down now.//

root@kali:~# ifconfig wlan0 down

//Find your physical interface name and set its channel width and channel.//

root@kali:~# iw list | grep phy
Wiphy phy0
         * set_wiphy_netns

//So phy0 is the physical interface.//

root@kali:~# iw phy phy0 set channel 36 HT40+

//This is the most important command. I have set it to sniff on channel 36 and channel 44. For a 40 MHz channel whose secondary channel lies below the primary, use HT40-. For 20 MHz, use HT20.//

6. Now you can start Wireshark, tcpdump or dumpcap and start sniffing on the mon0 interface. I would make sure of the following settings if using Wireshark:-
Applications > Internet > Wireshark to start Wireshark.
For longer captures, you can always use a ring buffer ("Use multiple files" in the capture options).
7. Start capturing. After capturing, you can save the file to the underlying disk used by Windows. You can access the underlying Windows filesystem if you mount it like this:-
Once mounted, the Windows file system will be on the desktop for you to save captures. You can later boot into Windows and find the capture stored on disk.
Notes:-

Make sure the adaptor in the Kali laptop is capable of catching all the spatial streams the intended client is using. For example, if you have a 1SS wireless NIC in the Kali laptop, you cannot capture the communication between a 3SS client and a Cisco access point, because the adaptor cannot decode frames sent with more streams than it supports.

The default user in Kali is root and the password is toor.

The following link has always helped me to crack a WPA2-encrypted SSID, if I was able to capture the EAPOL handshake:-
http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/
If you enter the key calculated by the link below into Wireshark, the packets captured after the EAPOL exchange will be decrypted on the fly, provided the EAPOL handshake was captured correctly ->
http://jorisvr.nl/wpapsk.html

NTP syncing of the packet capturing machine (Kali Linux) and the WLC is a must; otherwise the capture timestamps and the controller logs will not line up, and we might be looking at different packets:-

root@kali:~# date
Mon Oct 13 10:54:07 UTC 2014
root@kali:~# hwclock
Mon 13 Oct 2014 10:54:14 AM UTC  -0.547837 seconds
root@kali:~# apt-get install ntpdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  lockfile-progs
The following NEW packages will be installed:
  lockfile-progs ntpdate
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 91.0 kB of archives.
After this operation, 291 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://http.kali.org/kali/ kali/main ntpdate i386 1:4.2.6.p5+dfsg-2 [80.5 kB]
Get:2 http://http.kali.org/kali/ kali/main lockfile-progs i386 0.1.17 [10.5 kB]
Fetched 91.0 kB in 1s (58.6 kB/s)
Selecting previously unselected package ntpdate.
(Reading database ... 318056 files and directories currently installed.)
Unpacking ntpdate (from .../ntpdate_1%3a4.2.6.p5+dfsg-2_i386.deb) ...
Selecting previously unselected package lockfile-progs.
Unpacking lockfile-progs (from .../lockfile-progs_0.1.17_i386.deb) ...
Processing triggers for man-db ...
Setting up ntpdate (1:4.2.6.p5+dfsg-2) ...
Setting up lockfile-progs (0.1.17) ...

root@kali:~# ntpdate us.pool.ntp.org
13 Oct 11:01:28 ntpdate[6984]: no server suitable for synchronization found

//The above failed as my network blocks access to outside NTP servers; below I will use an internal NTP server, which will work.//

root@kali:~# ntpdate 10.88.1.98
13 Oct 11:05:02 ntpdate[6995]: step time server 10.88.1.98 offset 18010.420247 sec
As this is a live USB, any software you install or files you save on the Linux install itself will be deleted once you reboot. That is why, if you want a stable sniffer, you would either create a dual-boot disk where Kali resides permanently in one partition, or create a live persistence disk:-
http://www.youtube.com/watch?v=_Jev5iEUuvo
If you go the persistent way, never remove the USB drive while shutting down, even when the CLI asks you to. At start-up, always use live USB persistence mode. Save the Wireshark captures in the persistence folder created. Persistence is totally optional; else just go with Live (forensic mode) and save the capture files in the Windows file system, which is accessible via Kali Linux as explained above.

There are many other ways of turning the wireless NIC into monitor mode, like:-
http://wireless.kernel.org/en/users/Documentation/iw#Adding_interfaces_with_iw
But as the above has worked reliably for me, I will keep that as a reference.
The step where I disable wlan0 has had no effect on my packet capture, as far as I have seen. Even if I keep it enabled, I get a good pcap. Skipping this step has been OK too. If you hit issues, try toggling it:-
root@kali:~# ifconfig wlan0 down

tcpdump and dumpcap come preinstalled with Kali. You can use them instead of Wireshark for longer captures, if you like.

If you want to make Java work with Kali so that it can join WebEx directly using the Mozilla-based default browser Iceweasel, this link shows you how to download, unzip and install Java and make Iceweasel depend on it:-
https://www.java.com/en/download/help/linux_install.xml

Quick cmd summary:-
airmon-ng start wlan0
iw phy phy0 set channel 36 HT20/HT40+/HT40-
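As an added example (not from the original post), a small POSIX shell script that checks the channel/width pair before building the iw command from the summary above, and builds the dumpcap ring-buffer command for the long captures mentioned in step 6. phy0, mon0 and the output path are assumed names; only 5 GHz channels are covered, and regulatory limits are not checked.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the channel/width
# pair before running "iw phy <phy> set channel <ch> <HT20|HT40+|HT40->", and
# build the dumpcap ring-buffer command for long captures. phy0, mon0 and the
# output path are assumed names. Only 5 GHz channels are handled; regulatory
# limits on which pairs are allowed in your country are not checked.

# Print the 40 MHz extension a 5 GHz primary channel accepts. In every
# 40 MHz pair the lower channel takes HT40+ (secondary above it) and the
# upper channel takes HT40- (secondary below it), e.g. 36 -> HT40+, 40 -> HT40-.
ht40_ext_for_channel() {
    ch=$1
    if { [ "$ch" -ge 36 ] && [ "$ch" -le 64 ]; } || { [ "$ch" -ge 100 ] && [ "$ch" -le 144 ]; }; then
        base=36
    elif [ "$ch" -ge 149 ] && [ "$ch" -le 161 ]; then
        base=149
    else
        echo "channel $ch has no 40 MHz pair" >&2; return 1
    fi
    [ $(( (ch - base) % 4 )) -eq 0 ] || { echo "channel $ch is not a 5 GHz channel" >&2; return 1; }
    if [ $(( (ch - base) / 4 % 2 )) -eq 0 ]; then echo "HT40+"; else echo "HT40-"; fi
}

# Build the iw command, refusing an extension the channel cannot take so
# the radio never ends up parked on the wrong 20 MHz half of the pair.
build_set_channel_cmd() {
    phy=$1; ch=$2; width=$3
    case "$width" in
        HT20) ;;
        HT40+|HT40-)
            ext=$(ht40_ext_for_channel "$ch") || return 1
            [ "$ext" = "$width" ] || { echo "channel $ch needs $ext, not $width" >&2; return 1; }
            ;;
        *) echo "width must be HT20, HT40+ or HT40-" >&2; return 1 ;;
    esac
    echo "iw phy $phy set channel $ch $width"
}

# Ring-buffer capture on the monitor interface: <files> files of <size_kb> kB
# each, the oldest being overwritten, so a long capture never fills the disk.
build_dumpcap_cmd() {
    echo "dumpcap -i $1 -w $2 -b filesize:$3 -b files:$4"
}

# The post's own setting (channel 36, HT40+) plus a 20 x 100 MB ring buffer.
build_set_channel_cmd phy0 36 HT40+
build_dumpcap_cmd mon0 /root/capture.pcapng 102400 20
```

Run the two printed commands as root on the Kali box once mon0 exists; a mismatched pair (for example channel 40 with HT40+) is rejected before iw is ever called.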
Sample setup/diagram->