Follow us on Twitter!
It is never to LATE to become what you never WERE.
Monday, February 27, 2017
 Need Help?
Members Online
Total Online: 66
Guests Online: 64
Members Online: 2

Registered Members: 98799
Newest Member: induru
Latest Articles

WIFI - Part 6, Airodump-ng Part 2

Arrow Image This is a pretty thorough guide on everything Airodump-ng. It covers the basics and some of the more advanced features that are part of the tool. This part is about the Airodump-ng Results.

This is a pretty thorough guide on everything Airodump-ng. It covers the basics and some of the more advanced features that are part of the tool. This part is about the Airodump-ng Results.

WIFI Part 6, Airodump-ng Part 2

Alright, now that we got how to run Airodump-ng down, now its on to how to read the results of Airodump-ng. This is a sample output of what the results would look like, we will now discuss what each piece of information on the results pertain to.

CH 1 ][ Elapsed: 4 s ][ 2012-11-24 14:57 ][ xxxxxxx


20:RA:2B:2D:0E:24 -28 100 69 0 0 11 54e WPA2 CCMP PSK joey
08:86:3R:4A:38:6E -66 100 69 0 0 11 54e WPA2 CCMP PSK marksWireless
00:24:2R:F2:2E:CC -74 40 17 0 0 11 54e WPA2 CCMP PSK myqwest64
00:8E:F2:A3:R2:28 -76 4 3 0 0 11 54e WPA2 CCMP PSK A3E3

BSSID STATION PWR Rate Lost Packets Probes

20:RA:2B:2D:0E:24 AC:86:2R:C6:H0:79 -1 1e- 0 0 1
20:RA:2B:2D:0E:24 00:26:C6:6H:38:35 -1 1e- 0 0 1

General Display Area
CH 1 This should be kind of obvious, this is the channel that the scan is currently taking place on. As Airodump-ng hops from channel to channel, you will see this change; when you specify a channel, this should not change.

Elapsed: 4 s This is the amount of time that the scan has been scanning for.

2012-11-24 14:57 This is the time and the data that the scan started on.

xxxxxxx Now this area doesn't really display 'xxxxxxx'; I was just trying to illustrate that this space can be used. This is the area that will display things when key packets are intercepted. Things like a WPA handshake; which is a needed when attempting to brute force a WPA/WPA2 encryption.

Access Point Display Area
BSSID We covered what BSSID's were in an earlier tutorial. In case you have forgotten, this is the MAC address of the wireless router.

PWR This is the current signal level, as reported by your wireless card. This is a pretty good indication as to how close or far away a wireless router is from you. By the way, if all you see here is '-1's, then your wireless card does not support this feature.

RXQ This is the Receive Quality. It is measurement of packets that have been successfully received in the prior 10 seconds. It is a percentage 0-100. This number can be utilized in several ways, including if there is a client using the AP that you are not monitoring.

Beacons This is just the number of beacons that have been intercepted by you; not the number that has been recorded, just the number intercepted.

#Data This is the number of actual data packets that have been intercepted. If you are trying to collect IV's, this is the number you should be watching.

#/s This is the number of data packets that you have been able to capture in the prior 10 seconds.

CH This is the channel that the access point is currently broadcasting on. It is recorded from the very first beacon packet that is intercepted. It should also be noted that radio interference might sometimes cause access points from different channels to be recorded when you are fixed on one channel.

MB This is the maximum speed that the wireless router supports. This can be used to find which protocol of 802.11 they are using, we went over the speeds of each in an earlier tutorial. Also, a period after the number indicates that QoS is currently activated.

ENC This is the type of encryption algorithm that is currently being used. All the results are pretty explanatory except when you see 'WEP?', this means that it currently does not have enough information to tell which type is in use.

CIPHER This is the type of cipher that is currently being utilized. Normally TKIP is associated with WPA, CCMP is associated with WPA2, and WEP40 is usually associated with WEP. These can be changed, but this is what you will see most of the time.

AUTH This is the type of authentication protocol that is detected. Normally MGT is associated with WPA/WPA2 when an authentication server is used, SKA is associated with WEP, PSK is normally associated with WPA/WPA2 when using a pre-shared key.

ESSID This is the ESSID of the wireless router. We covered this in an earlier tutorial, but just in case you forgot, this is the user chosen name of the wireless network.

Client Display Area
BSSID This is the BSSID of the wireless router that it is associated with. Sometimes you will see '(not associated)', this means that the client is not currently associated with any wireless router at the present time.

STATION This is the MAC address of the client. This can be used to target specific clients rather then target specific wireless routers. We will use this in a lot in the more advanced attacks.

PWR This is the same as the PWR column in the access point display area. The only difference is that it is the power of the client rather then the wireless router.

Rate There should be two different numbers associated with this column; separated by a '-'. The first number is the last known data rate from the AP, and the second number is the last known data rate from the client. These numbers may change with each packet, and it usually does require more then one packet prior to displaying these numbers.

Lost This is the number of lost packets in the last 10 seconds from this client. This is based off of the sequence numbers associated with the packets, so you may lose more packets then this actually displays; because not all packets have sequence numbers.

Packets This is the total amount of packets that have been intercepted from a specific client.

Probes This displays the ESSID's of the wireless networks that the client is attempting to access. The client only attempts to connect to these networks if it is not associated with a wireless network at the current time. This is used in some of the more advanced attacks, when we start spoofing wireless networks.

Interacting With the Results
First and foremost, to stop Airodump-ng from scanning, you must use control+c.

Using the 'tab' key, you can enter, or leave, selection mode. It allows you to scroll up and down, using the 'up' and 'down' arrows, through the list of access points.

While in selection mode, you can use the 'm' key to change the color of the selected access point. You can change it to a variety of different colors. This comes in handy a lot!

Another nice feature is using the 'a' button. This allows you to view results in different pages. You can view just the access points, or just the clients, or a variety. It comes in handy, especially if you have a smaller screen and the results keep scrolling past the bottom of the screen.

Using the 's' command, you can change which column the results use to sort the results. This can sometimes be nice, though I rarely use it.

You can use the 'space' bar to pause the results. This does not pause the actual scan, but does freeze the screen at a certain point.

There are a couple other things that you can do with the results, but I don't ever really use anything else. I mainly just use the 'tab' key and the 'm' key to be honest. Sometimes the 'a' key if I am using my netbook, or there is a lot of activity in my area.

I think that pretty much sums up everything that I can think of about the Airodump-ng display. Please leave behind comments on these tutorials. That way I can improve them as I go. The next tutorial will be all about viewing the packets in Wireshark. There will probably be a couple of parts to it, as analyzing packets is a pretty technical subject. Anyways, I hoped you liked it.

TuX out


zerozerocoolon December 14 2012 - 02:03:13
today. i got my 4th wifi connections around me..tnx for this.:ninja:
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.