WEBVTT

0
00:00.900 --> 00:09.430
In this lecture we’ll discuss Wireless Modes of Operation.
WiFi or IEEE 802.11 (eight-oh-two-dot-eleven)

1
00:09.540 --> 00:12.990
defines the following modes of operation for wifi cards:

2
00:12.990 --> 00:18.020
AP, infrastructure or master mode!

3
00:18.030 --> 00:26.230
The wireless card creates a network with a specified name (called the SSID) and channel and offers

4
00:26.310 --> 00:33.960
network services on it. Wireless cards in master mode can only communicate with cards that are associated

5
00:33.960 --> 00:35.940
with it in managed mode.

6
00:38.440 --> 00:40.420
These are the names,

7
00:40.420 --> 00:41.920
SSID or service set

8
00:41.920 --> 00:51.290
identifiers, of all networks in range. In managed, aka client, mode wireless cards will join

9
00:51.350 --> 00:58.670
a WiFi network created by an AP and will automatically change their channel to match the channel of that

10
00:58.670 --> 01:06.110
WiFi network. Managed mode cards do not communicate with each other directly and will only communicate

11
01:06.140 --> 01:08.550
with an associated master.

12
01:08.630 --> 01:13.470
Then there is the Ad-hoc mode. In the Ad-hoc mode

13
01:13.490 --> 01:17.470
there is no master, access point or wireless router.

14
01:17.480 --> 01:22.630
Each wireless card communicates directly with its neighbors.

15
01:22.640 --> 01:31.440
Nodes must be in range of each other to communicate and must agree on a network name and channel. And

16
01:31.440 --> 01:41.250
finally the Monitor Mode. Monitor Mode, RFMON or Radio Frequency Monitor mode, allows a wireless

17
01:41.250 --> 01:48.900
card to monitor all traffic received on a wireless channel. Monitor Mode allows packets to be captured

18
01:49.140 --> 01:53.470
without having to first associate with an access point.

19
01:53.640 --> 02:01.740
Do not confuse it with the Promiscuous Mode used for sniffing. A wireless card can be put in promiscuous

20
02:01.740 --> 02:10.450
mode after associating with an AP and will sniff the traffic of the WiFi network to which it is associated.

21
02:11.100 --> 02:19.230
The Monitor Mode works by sniffing the packets in the air without associating or linking with any

22
02:19.230 --> 02:27.540
access point. Monitor mode is not used for normal communication but only for troubleshooting or hacking

23
02:27.600 --> 02:31.200
wireless networks. At this moment

24
02:31.200 --> 02:40.200
the WiFi card of the Windows machine I'm using to record this video is in Managed Mode; it's associated

25
02:40.590 --> 02:48.960
and authenticated to an AP which is also the router of the LAN, this one called CMA.

26
02:51.610 --> 03:00.010
If I start sniffing on this interface it will capture only data packets destined to it; it won't capture

27
03:00.070 --> 03:09.610
other wireless frames like Management or Control Frames, only data frames. I'm starting to capture WiFi

28
03:09.610 --> 03:10.170
traffic.

29
03:14.620 --> 03:22.930
Note that there are many types of packets in WiFi networks, not only data packets, such as beacons,

30
03:23.020 --> 03:31.360
association requests and responses, authentication requests and responses, requests to send and clear to

31
03:31.360 --> 03:33.650
send and many more.

32
03:33.900 --> 03:45.300
Look, we see only data packets; there are no beacon, association or authentication packets captured.

33
03:45.470 --> 03:53.720
In addition, the radio header of the frame is converted to what is called a fake Ethernet header.

34
03:53.750 --> 04:02.890
This is the fake Ethernet header; so in fact we don't see the full layer 2 header of the WiFi packet

35
04:02.980 --> 04:06.100
because many fields have been removed.

36
04:06.100 --> 04:09.660
This is not the real layer 2 header of the frame.

37
04:10.680 --> 04:15.480
Note that I've used the terms packet and frame interchangeably.

38
04:15.480 --> 04:22.310
Normally a frame is an L2 PDU and a packet is a Layer 3 PDU,

39
04:22.320 --> 04:29.280
so when referring to the wireless and Ethernet protocols, which are L2 protocols, the correct

40
04:29.280 --> 04:30.470
term is frame,

41
04:30.570 --> 04:34.100
but I think it is not such a big mistake if we call them packets

42
04:34.140 --> 04:42.360
sometimes. Now let's go ahead and put the wireless interface into monitor mode.

43
04:42.360 --> 04:46.050
Remember that you cannot use Monitor Mode on Windows.

44
04:46.800 --> 04:53.940
I'd recommend that you watch the previous videos where I've explained how to check if the WiFi card supports

45
04:53.940 --> 04:55.840
the Monitor Mode or not.

46
04:57.270 --> 05:05.320
For this lab I'm gonna use Kali Linux. There are several ways to enable Monitor Mode and I'll show

47
05:05.320 --> 05:06.980
you two of them.

48
05:07.090 --> 05:13.360
The first one will use airmon-ng and the second one

49
05:13.390 --> 05:15.880
iwconfig.

50
05:15.920 --> 05:25.220
This is the WiFi interface which is associated with an AP. The first step is to stop the processes that

51
05:25.250 --> 05:30.240
could cause trouble while working with the interface in Monitor Mode.

52
05:32.580 --> 05:40.020
I'm running airmon-ng check to list all possible processes like the network manager that could

53
05:40.020 --> 05:47.950
interfere with the WiFi card. If it says "airmon-ng command not found"

54
05:48.020 --> 05:51.840
that means that you have not installed aircrack-ng,

55
05:51.980 --> 06:00.260
the program which contains airmon-ng. On Kali Linux it's already installed but on Ubuntu, Linux

56
06:00.260 --> 06:09.260
Mint or other Linux distributions you can install it by executing apt install aircrack-ng.

57
06:11.500 --> 06:14.230
This is how you install it on Ubuntu

58
06:14.230 --> 06:15.010
for example.

59
06:17.640 --> 06:22.490
And it found two processes that could cause trouble.

60
06:22.590 --> 06:28.790
Now I'll try to kill them: airmon-ng check kill.

61
06:29.150 --> 06:30.930
It's killing the processes.

62
06:35.970 --> 06:37.290
Let's check it again.

63
06:39.160 --> 06:48.520
No process will interfere with my interface so I'll put it into Monitor Mode: airmon-ng start

64
06:49.000 --> 06:51.500
and the name of the interface.

65
06:51.550 --> 07:02.390
In this example the name of the interface is wlan0. Check the name of your interface before executing

66
07:02.510 --> 07:03.650
this command.

67
07:03.650 --> 07:04.370
You can run

68
07:04.460 --> 07:08.450
ifconfig before killing these processes.

69
07:12.320 --> 07:20.670
The tool has created a new interface called wlan0mon which is in Monitor Mode.

70
07:20.720 --> 07:28.380
This is the interface; it's the old name wlan0 and mon.

71
07:28.470 --> 07:40.260
You can also check it by executing iwconfig; it's like ifconfig but for WiFi cards; and it's in Monitor

72
07:40.260 --> 07:40.620
Mode.

73
07:41.730 --> 07:50.400
Now if we start a packet capture tool like Wireshark or tcpdump we will select that interface to capture

74
07:50.460 --> 07:59.670
packets and it will capture all packets on the shared medium. So tcpdump -i and the name of the

75
07:59.670 --> 08:06.060
interface wlan0mon, and we see all WiFi traffic in range.

76
08:10.790 --> 08:13.510
I am stopping it by pressing Ctrl-C.

77
08:15.050 --> 08:17.690
To return the interface to normal

78
08:17.690 --> 08:23.050
we need to disable Monitor Mode as follows: airmon

79
08:23.110 --> 08:24.660
-ng stop

80
08:24.890 --> 08:26.750
wlan0mon

81
08:29.620 --> 08:40.460
and iwconfig. It's showing that the interface is in Managed Mode and its name is wlan0. Let's see

82
08:40.470 --> 08:44.240
the second method used to put the interface in monitor mode.

83
08:46.490 --> 08:50.720
The first step is to disable the WiFi interface.

84
08:50.720 --> 09:03.250
ifconfig wlan0 down, then I'll use iwconfig like this: iwconfig wlan0 mode monitor

85
09:06.660 --> 09:12.420
and finally I'm enabling the interface: ifconfig wlan0 up

86
09:15.120 --> 09:23.330
Now the interface is running in Monitor Mode. Let's start capturing packets on the interface,

87
09:23.330 --> 09:25.220
this time with Wireshark.

88
09:28.940 --> 09:38.720
And I'm starting to capture packets on the interface in Monitor Mode and we notice how it's capturing

89
09:38.870 --> 09:40.640
all the WiFi traffic.

90
09:40.640 --> 09:50.210
Note that the interface is not authenticated or associated with any AP. It's just capturing all the traffic

91
09:50.300 --> 09:58.060
including management and control packets, not only data packets from all clients and wireless routers

92
09:58.160 --> 10:03.970
in its range; note that the medium, which is the air, is shared,

93
10:04.270 --> 10:10.010
so if a device like a mobile phone is surfing the web on another floor

94
10:10.120 --> 10:19.030
the packets are reaching this point too and are captured. Of course they are encrypted but this is another

95
10:19.030 --> 10:29.130
discussion. I'm stopping the capture. Also notice how it captured beacons and all kinds of WiFi traffic,

96
10:29.190 --> 10:30.740
not only data.

97
10:30.740 --> 10:35.620
And if we are searching for a data packet and take a deeper look,

98
10:35.700 --> 10:37.120
this is a data packet,

99
10:37.290 --> 10:45.120
we also notice the radio header, not the fake Ethernet header like in the example from the beginning

100
10:45.120 --> 10:46.380
of this lecture,

101
10:46.470 --> 10:50.220
when I captured packets with the interface in managed mode.

102
10:53.190 --> 10:54.570
This is the radio header.

103
11:01.690 --> 11:02.950
And the final note:

104
11:03.130 --> 11:08.800
if you need to restart the network manager, use systemctl

105
11:08.830 --> 11:10.780
start NetworkManager.