Grant using airodump-ng on the big screen.

While conducting an air assault on a wireless network, my weapon of choice is the Aircrack-ng suite. The suite contains around 18 tools depending on the version, but I will only mention a few here (Airmon-ng, Airodump-ng, Aireplay-ng, and most famously Aircrack-ng). I used a separate application named Crunch to create a brute-force dictionary.

Airmon-ng (Enable Monitor Mode)

Before you can crack anything, you must listen to who is talking across the air, and before that your adapter must be switched into monitor mode. You will more than likely need to buy a USB wifi adapter capable of monitor mode. I have a few with Atheros chipsets; for this demo I used one by a company named ALFA, model number AWUS036NH.

Type airmon-ng to see which wifi interfaces are available to use. You may have to run airmon-ng check kill first, to stop other processes (NetworkManager, wpa_supplicant and friends) from using the adapter. Then type airmon-ng start wlan1, provided of course that wlan1 is the correct interface. If this works, running airmon-ng again will show that wlan1 is now wlan1mon (because it is monitoring).

Airodump-ng (Listen for Targets)

Type airodump-ng wlan1mon to monitor the air traffic. If everything is working correctly, you will see the screen split into two sections (see the screenshot above). The TOP section lists the access points, with these fields:

BSSID = MAC address of the access point. In the client section, a BSSID of "(not associated)" means that the client is not associated with any AP; in this unassociated state it is searching for an AP to connect with.

PWR = Signal level reported by the card. Its meaning depends on the driver, but the higher the signal, the closer you are to the AP or the station. If the BSSID PWR is -1, the driver does not support signal level reporting. If PWR is -1 for only a few stations, those entries come from packets the AP sent to the client while the client's own transmissions are out of range of your card, meaning you are hearing only one half of the conversation. If all clients show PWR as -1, the driver does not support signal level reporting.

Beacons = Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far away.

#Data = Number of captured data packets (for WEP, the unique IV count), including data broadcast packets.

#/s = Number of data packets per second, measured over the last 10 seconds.

CH = Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even when airodump-ng is not hopping, because of radio interference.

MB = Maximum speed supported by the AP. The dot after the speed (after 54 in the screenshot) indicates that short preamble is supported; an "e" following the speed value means the network has QoS enabled.

ENC = Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data yet to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.

CIPHER = The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0; the standard states that the index can be 0-3 for 40-bit keys and should be 0 for 104-bit keys.

AUTH = The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).

ESSID = Shows the wireless network name, the so-called "SSID", which can be empty if SSID hiding is activated. In that case airodump-ng will try to recover the SSID from probe responses and association requests. See the section on hidden ESSIDs for more information.

The BOTTOM section lists the clients, with these fields:

STATION = MAC address of each associated station, or of stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".

Rate = This gets a little tricky because there are two numbers here. Look at the first two columns, BSSID (on the left) and STATION (just to the right of it). The Rate value looks like 0e- 1e, 0 - 1, or 36 - 24, etc. The two numbers are the transmit rates of each side: 36 - 24 means the BSSID (the AP) is transmitting at 36 Mbit/s and the STATION at 24 Mbit/s. The "e" suffix has the same meaning as in the MB column (QoS enabled on that side).

Lost = The number of data packets lost over the last 10 seconds, worked out from gaps in the 802.11 sequence numbers. See the note below for a more detailed explanation.

Probe = The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.

Once you pick a target, note the Channel (CH) and BSSID values. You will need them to feed the next steps. Pay attention here, because skipping this step will cost you time and effort.
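As an added example (my own code, not part of the original post or of the Aircrack-ng project), here is a small POSIX shell script that covers the two steps above: put the adapter into monitor mode, then pull the BSSID and channel of the chosen target, the access points that hide their SSID, and the clients talking to the target out of the CSV that airodump-ng writes when you run it with `-w prefix --output-format csv`. The CSV column layout is the one airodump-ng produces (AP rows with the ESSID in column 14, then a "Station MAC" section with the associated BSSID in column 6); the rows in SAMPLE_CSV are constructed for this example, not a real capture, and `enable_monitor` assumes `airmon-ng` and `iw` are installed and that you are root.

```shell
#!/bin/sh
# Added example: monitor-mode setup plus parsing of airodump-ng's CSV output.
# Not from the original post. SAMPLE_CSV below is constructed test data.

# Put IFACE into monitor mode as the post describes (airmon-ng check kill,
# then airmon-ng start) and print the name of the resulting monitor interface,
# read back from "iw dev" rather than guessed from the "mon" suffix.
# Needs root and a real adapter, so it is shown here but not exercised.
enable_monitor() {
    iface=${1:?usage: enable_monitor wlan1}
    airmon-ng check kill >/dev/null        # stop NetworkManager/wpa_supplicant
    airmon-ng start "$iface" >/dev/null
    iw dev | awk '$1 == "Interface" { name = $2 }
                  $1 == "type" && $2 == "monitor" { print name }'
}

# Constructed airodump-ng style CSV: three APs (one WPA2, one open, one WEP
# with a hidden ESSID) and three clients, one of them not associated.
SAMPLE_CSV=$(cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2019-05-01 10:00:00, 2019-05-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,   0,   0.  0.  0.  0,  7, HomeNet,
AA:BB:CC:DD:EE:02, 2019-05-01 10:00:00, 2019-05-01 10:05:00, 11,  54, OPN,  ,  , -70,   60,   0,   0.  0.  0.  0,  5, Guest,
AA:BB:CC:DD:EE:03, 2019-05-01 10:00:00, 2019-05-01 10:05:00,  1,  54, WEP, WEP, SKA, -80,   30, 112,   0.  0.  0.  0,  0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2019-05-01 10:00:00, 2019-05-01 10:05:00, -50,  230, AA:BB:CC:DD:EE:01, HomeNet
11:22:33:44:55:77, 2019-05-01 10:01:00, 2019-05-01 10:05:00,  -1,   12, AA:BB:CC:DD:EE:01,
11:22:33:44:55:88, 2019-05-01 10:02:00, 2019-05-01 10:05:00, -60,    8, (not associated), HomeNet,CoffeeShop
EOF
)

# Shared awk prologue: airodump-ng pads every CSV field with blanks, so trim.
AWK_TRIM='function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }'

# pick_target CSV_TEXT ESSID -> "BSSID CHANNEL PRIVACY" for the AP section row
# whose ESSID matches exactly; these are the values the next steps need.
pick_target() {
    printf '%s\n' "$1" | awk -F',' -v want="$2" "$AWK_TRIM"'
        /^Station MAC/ { exit }                         # end of the AP section
        NF >= 14 && $1 !~ /^BSSID/ && trim($14) == want {
            print trim($1), trim($4), trim($6)
        }'
}

# hidden_aps CSV_TEXT -> "BSSID CHANNEL PRIVACY" for APs whose ESSID is empty
# (SSID hiding); airodump-ng may fill the name in later from probe responses.
hidden_aps() {
    printf '%s\n' "$1" | awk -F',' "$AWK_TRIM"'
        /^Station MAC/ { exit }
        NF >= 14 && $1 !~ /^BSSID/ && trim($14) == "" {
            print trim($1), trim($4), trim($6)
        }'
}

# clients_of CSV_TEXT BSSID -> one station MAC per line from the client
# section; "(not associated)" clients never match, which is what you want
# when the next step needs a station that is actually talking to the AP.
clients_of() {
    printf '%s\n' "$1" | awk -F',' -v ap="$2" "$AWK_TRIM"'
        /^Station MAC/ { in_clients = 1; next }
        in_clients && NF >= 6 && trim($6) == ap { print trim($1) }'
}
```

Usage: `airodump-ng -w scan --output-format csv wlan1mon`, let it run for a while, then `pick_target "$(cat scan-01.csv)" HomeNet` prints `AA:BB:CC:DD:EE:01 6 WPA2`, which is exactly the `--bssid` and `--channel` (and the expected encryption) you feed the focused capture in the next step. A client shown by `clients_of` with PWR -1 is, as explained above, one whose own frames you are not hearing, so it is a poor choice for anything that needs the station's traffic.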