WEBVTT

0
00:01.370 --> 00:09.290
In this video I'll show you how to use airodump-ng, a tool that’s included in the aircrack-ng package and

1
00:09.650 --> 00:17.690
is used for capturing IEEE 802.11 frames. It’s a reconnaissance tool also used to capture

2
00:17.690 --> 00:25.600
the WPA2 4-way handshake that’s needed to crack the WiFi password. All commands should

3
00:25.600 --> 00:27.130
be executed as root.

4
00:31.970 --> 00:33.110
In Kali Linux

5
00:33.140 --> 00:42.560
the tool is already available, but on other distributions you can install it by executing apt install

6
00:42.710 --> 00:52.950
aircrack-ng. Aircrack-ng is the package that contains airodump-ng, so: apt install aircrack-ng.

7
00:57.940 --> 01:04.300
To see a summary of its options execute airodump-ng --help.

8
01:09.010 --> 01:16.000
Every access point in range sends out about 10 so-called beacon frames per second.

9
01:16.060 --> 01:23.800
These small frames contain a lot of information about the WiFi networks and their clients, like the

10
01:23.800 --> 01:33.400
network name or ESSID, the encryption used, the channel the AP operates on, and many more.

11
01:33.400 --> 01:42.550
So in fact airodump-ng performs passive reconnaissance. It listens for beacons and displays the information

12
01:42.550 --> 01:51.120
continuously on the screen. Airodump-ng is used at the beginning of an attack to look out for potential

13
01:51.120 --> 01:51.830
targets.

14
01:52.690 --> 02:00.410
Prior to looking for WiFi networks and clients, you must put your WiFi card into Monitor Mode. Monitor

15
02:00.410 --> 02:07.370
Mode is a special mode that allows your WiFi adapter to listen to every wireless packet in range.

16
02:07.670 --> 02:10.760
Let's put the adapter into Monitor Mode.

17
02:10.760 --> 02:18.770
I've explained all these commands in the last lecture, so I'm going to just execute them fast: airmon

18
02:18.860 --> 02:19.880
-ng check

19
02:24.150 --> 02:26.790
airmon-ng check kill

20
02:33.690 --> 02:39.390
and airmon-ng start wlan0, the name of the interface.

21
02:42.850 --> 02:50.650
If your interface has another name, use that name; you can check the name by executing ifconfig. In

22
02:50.650 --> 02:52.570
my case it is wlan0.

23
03:00.800 --> 03:12.320
It has created another interface and appended “mon” to it; so wlan0 has become wlan0mon, and to

24
03:12.320 --> 03:22.060
confirm it is in Monitor Mode I've executed "iwconfig" and we see the mode; and we start airodump-ng

25
03:22.060 --> 03:32.120
on the wlan0mon WiFi card: airodump-ng -i
and the name of the interface.

26
03:37.370 --> 03:40.880
I'll change the theme to a darker one to see it better.

27
03:45.530 --> 03:53.300
Okay, all the visible access points are listed in the upper part of the screen and the clients are listed

28
03:53.480 --> 03:55.900
in the lower part of the screen.

29
03:56.300 --> 04:04.550
You cannot see the lower part of the screen because there are so many APs. Airodump-ng hops from

30
04:04.550 --> 04:08.090
channel to channel and shows all access points

31
04:08.090 --> 04:14.870
it can receive beacons from. Keep in mind that a WiFi card can operate on a single channel at the

32
04:14.870 --> 04:15.660
moment.

33
04:15.920 --> 04:23.450
Airodump-ng has to jump from channel to channel to scan the entire frequency band; the current channel

34
04:23.540 --> 04:33.480
is shown in the top left corner. The AP section shows the following information: BSSID is the

35
04:33.480 --> 04:43.830
MAC address of the access point; PWR is the signal strength or power; the Beacons column displays the

36
04:43.830 --> 04:51.840
number of beacon frames received (the more beacons, the better the signal quality); the Data column displays

37
04:51.870 --> 05:01.590
the number of data frames received; CH is the channel on which the AP operates; and the MB column displays

38
05:01.620 --> 05:04.340
the speed of AP Mode.

39
05:04.470 --> 05:09.930
Then comes ENC, which is the encryption used, and CIPHER,

40
05:10.020 --> 05:17.240
the protocol, where CCMP is used with WPA2 and means Advanced Encryption Standard.

41
05:18.420 --> 05:27.370
AUTH is the authentication type, where for example PSK means Pre-shared key; and finally, the last

42
05:27.370 --> 05:31.720
column is the ESSID which is the network name.

43
05:32.080 --> 05:34.150
Sometimes this can be hidden.

44
05:36.680 --> 05:42.800
Because of the channel hopping it won't capture all packets from your target network.

45
05:43.880 --> 05:50.480
If we want to listen just on one channel, we use -c and the channel number.

46
05:50.480 --> 05:59.750
I'm stopping it by pressing Ctrl+C and then starting it again only on channel 1; so I am adding -

47
05:59.810 --> 06:00.830
c and 1.

48
06:04.940 --> 06:08.620
Now it's capturing packets only on channel 1.

49
06:10.560 --> 06:18.990
And if you want to capture the frames only from one AP, you add the --bssid option and the

50
06:18.990 --> 06:27.780
MAC address of the AP, like this: --bssid, and let's take this one.

51
06:34.760 --> 06:44.060
It's capturing packets only from this network, and if you want to save the capture to a file, you use -w

52
06:44.120 --> 06:53.500
and the name of the file, let's say dump. In the bottom section you will see all clients connected

53
06:53.560 --> 07:00.370
to that particular access point and network; in this case there is only one client.