Follow us on Twitter!
The important thing is not to stop questioning. - Albert Einstein
Sunday, August 20, 2017
 Need Help?
Members Online
Total Online: 73
Guests Online: 64
Members Online: 9

Registered Members: 101576
Newest Member: tanffff
Latest Articles

WIFI - Part 6, Airodump-ng Part 1

Arrow Image This is a pretty thorough guide on everything Airodump-ng. It covers the basics and some of the more advanced features that are part of the tool. This part is about the Airodump-ng options and syntax.

WIFI Part 6, Airodump-ng Part 1

Last detail on Airmon-ng
I should have mentioned this in the Airmon-ng tutorial, but it skipped my brain. Sometimes when you put your wireless card into monitor mode, it will continue hopping channels even if you specify a particular channel in Airodump-ng. The solution I found to this was to bring your wireless interface down prior to putting the card into monitor mode.
ifconfig wlan0 down
airmon-ng start wlan0

It should be clear that to use Airodump-ng to it's fullest, you must place your wireless interface into monitor mode. Throughout this tutorial, I will depict monitor mode as 'mon0', though it could be different then that.

What is Airodump-ng?
Airodump-ng is the part of the Aircrack-ng suite of tools that deals with capturing wireless packets. It is capable of identifying access points and clients within it's vicinity, and contains a host of different options that allow you to manipulate this data. It is not used to view the packets that are captured, rather just give indications on whether or not a few key packets have been intercepted.

Airodump-ng Man Page
By just typing in 'airodump-ng' into the console, it will automatically bring up the man page. This page is extremely important, and I am sure that you will utilize it once you begin using the tool itself. You don't have to memorize the exact syntax for every command, that is depicted in the man page; what you do have to memorize is what each option is used for, and when you should use them.

Getting Started
The basic syntax for Airodump-ng is the following:
airodump-ng <options> <interface>

The options are optional, and the only required bit of information that you must give Airodump-ng to get started is the interface, mon0. When just given the interface, and nothing else, it begins a scan of everything within the vicinity, displaying all the access points and the clients it finds.
airodump-ng mon0

Optional Syntax
Most of the options have two different ways of specifying them. The first way is to use the full name of the option, which seems easier to memorize because they make more sense to the human brain. Like writing the results to a file is '--write fileName'. The second way is easier to type, yet is a little harder to memorize because in some cases it just doesn't make all that much sense. Like specifying a BSSID of an access point is '-d 00:11:22:33:44:55'. It is OK to use a combination of the two, which is what I do sometimes.

Popular Options
Writing the results to a file is almost a necessity; from beginner attacks to advanced attacks, you will need your results in a file. When you write the results to a file, it will create four different files by default, each with different extensions; .cap, .csv, .kismet.csv, and .kistmet.netxml.
airodump-ng --write fileName mon0
airodump-ng -w fileName mon0

Most of the time, you won't want to see every access point in the vicinity, you will just want to see the information that is flowing to and from the access point that you are targeting. In order to do this, you must specify the BSSID of the router you wish to to target. I usually use a basic 'airodump-ng mon0' search, and then copy and paste the BSSID into the this command.
airdump-ng --bssid 00:11:22:33:44:55 mon0
airdump-ng -d 00:11:22:33:44:55 mon0

When you specify the BSSID of your target, Airodump-ng only intercepts packets from that BSSID, but that does not mean that it doesn't still hop around the channels. If you don't specify the channel the target is on, you will be missing a lot of the traffic. To specify a specific channel, use the following command.
airdump-ng --channel 4 mon0
airdump-ng -c 4 mon0

Another thing that you will run into is the fact there there seems to be unassociated clients everywhere. So when you do specify a BSSID, as in the above option, you will still be intercepting packets from clients that are not associated with any access point. To stop Airodump-ng from intercepting packets from unassociated clients use the following command.
airdump-ng -a mon0

This feature I don't use to often, but that is mainly because I am not in a heavily crowded area. When you look for a target, you may be looking for a target that uses a specific type of security, usually WEP. The input for this option is opn for open, wep for WEP, wpa for either WPA1 or WPA2, wpa1 for just WPA1, and wpa2 for just WPA2. To only display results from targets using WEP use the following command.
airdump-ng --encrypt wep mon0
airdump-ng -t wep mon0

Semi-Popular Options
When attempting to penetrate a network that is using a WEP encryption, all you need to do is capture enough IV's. You do not need the rest of the packets that might be being transferred around on the network. The following option is to ignore all packets except those that contain an IV; this option does require that you write the results to a file, and creates a file with the extension .ivs.
airodump-ng --ivs --write fileNamemon0
airodump-ng -i -w fileNamemon0

A lot of the time clients will come and go from your vicinity, so you may want to put a time limit upon when Airodump-ng should remove clients from your display results after they become inactive. To make a time limit of 15 seconds, use the following option.
airodump-ng --berlin 15 mon0
airodump-ng -- mon0

The next option is a little more technical then the rest. This option is used in several different ways, though the main reason we will use it, in the future, is when we utilize injection, which is just sending packets of a certain type to a certain place. We will go over this option more when we reach the injection tutorial. Another thing about this option is that you can add '-h' to hide known stations.
airodump-ng --showack mon0

Sometimes you may want to restrict channel hopping based on the band, rather then the actual channel. You cannot use this option along with the channel option. Also, you can specify more then one band if you wish to do so. We went over bands in an earlier tutorial, so I am not going to get into them now.
airodump-ng --band g
airodump-ng -b abg

Another rather technical option is the option to restrict how Airodump-ng hops through the channels. I know that Airodump-ng, by default, uses the FIFO method to hop channels. It is based upon an algorithm that determines the most likely channels for traffic in your vicinity, and visits them the most often. The round robin method is the simplest; it just starts at 1, then goes to 2, then goes to 3, and so on. To be honest, I don't exactly know how the Hop on Last method works. If someone does know, please leave it in the comments below; I could no locate the answer online myself. The FIFO method is specified as 0, the Round Robin method is specified as 1, and the Hop on Last method is specified as 3. To use the Round Robin method, use the following command.
airodump-ng --cswitch 1 mon0
airodump-ng -c 1 mon0

An option that comes in handy every once in awhile is the netmask option. This allows you to specify a series of access points that all have a common portion of the MAC address. Say that all the access points you wish to target start with 11:22:33, you can target them all using this option. What you do is use the '--bssid' option to target 11:22:33 and pad the rest of the MAC address with 0's; so it would look like 11:22:33:00:00:00. Then you use the '--netmask' option to specify which portion of the MAC address is padding, and which is not. You use 0's for padding, and F's for the similar portion; so it would look like FF:FF:FF:00:00:00. The final option would look like the following.
airodump-ng --bssid 11:22:33:00:00:00 --netmask FF:FF:FF:00:00:00 mon0
airodump-ng -d 11:22:33:00:00:00 -m FF:FF:FF:00:00:00 mon0

This option is mainly useful if you have a slower PC. This option allows you to set the time, in seconds, for how often the results get updated on the screen. The default for this option is 1 second. Slower PC's might want to increase the time between updates to 5 or 10 seconds. To increase the refresh time to 5 seconds, use the following command.
airodump-ng --update 5 mon0
airodump-ng -u 5 mon0

Another thing that you might want to change for slower PC's is the time intervel between the channel hops. This is measured in milliseconds. If you wanted to change it to 200 milliseconds, you would use the following command.
airodump-ng -f 200 mon0

I have never used this feature, mainly because I do not have GPS in my laptop of netbook. This feature sounds pretty cool; it allows you to also record the exact GPS coordinates of where the networks were found. All you do is the following.
airodump-ng --gpsd mon0

This feature allows you to intercept more then one beacon packet from an access point. It is used like in the following command.
airdump-ng --beacons mon0

That is pretty much all I got, or can think of, for getting Airodump-ng up and running. The next tutorial will be all about viewing the results that you get from running any of the above commands. Some of the results are pretty self explanatory, but others are a little confusing. Please leave behind comments on these tutorials. That way I can improve them as I go.

TuX out


Arturiouson January 11 2013 - 15:56:33
TuX great work with this tuturials! Keep giving us more.:ninja: Thanks for the tips, I also have searched for the Round-robin_scheduling search for that and Backpressure_routing the big picture is deliver the most atemps in the fastest time possible. The implementation of the first is more simple than the second. If anyone disagree speak, Im here to learn.Pfft
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.