Difference between revisions of "Monitoring wireless networks"

From Ever changing code
 
(25 intermediate revisions by the same user not shown)
Line 1: Line 1:
This is another All-In-One page for wireless monitoring solutions. The easiest is to use Kali Linux http://www.kali.org/ . Please follow a few steps to create bootable Live USB:
This is another All-In-One page for wireless monitoring solutions. The easiest is to use Kali Linux http://www.kali.org/ . Please follow a few steps to create bootable Live USB:


==Kali Lnux==
=Kali Linux Live USB=
Download ISO from http://www.kali.org/downloads/ or using wget command
 
wget http://cdimage.kali.org/kali-latest/amd64/kali-linux-1.0.4-amd64.iso
#Download ISO from http://www.kali.org/downloads/ or using wget command<br /><pre>wget http://cdimage.kali.org/kali-latest/amd64/kali-linux-1.0.4-amd64.iso</pre>
Install progress bar package to show information about a data transfer. It is not required to write the image to usb but it is useful to see progress bar. Install <tt>'''bar'''</tt> package but just to remember to append <tt>-s <file_size></tt> . Another way to see the progress is to install <tt>'''pv'''</tt> Pipe Viewer package.
#Install progress bar package to show information about a data transfer. It is not required to write the image to usb but it is useful to see progress bar. Install <tt>'''bar'''</tt> package but just to remember to append <tt>-s <file_size></tt>. Another way to see the progress is to install <tt>'''pv'''</tt> Pipe Viewer package.<br /><pre>apt-get install bar && apt-get install pv</pre>
apt-get install bar
#Copy image on usb drive. Please make sure that you use correct device to write the image as it will not warn you when writting. In ubuntu useful commands are: <tt>lsusb or mount</tt><pre>sudo dd if=kali.iso | bar -s 2.2g | sudo dd of=/dev/sdc bs=512&#10;dd if=kali.iso | pv | sudo dd of=/dev/sdb bs=512k</pre>or<pre>dd if=kali.iso of=/dev/sdb bs=512k& pid=$! && while true; do kill -USR1 $pid && sleep 1 && clear; done</pre>
apt-get install pv
The important thing to grasp here is the fact that you can keep an eye on 'dd' as it's running to see where you are at during its execution.
Copy image on usb drive. Please make sure that you use correct device to write the image as it will not warn you when writting. In ubuntu useful commands are: <tt>lsusb or mount</tt>
 
dd if=kali.iso of=/dev/sdb bs=512k | bar -s 2.2g
dd if=kali.iso | pv | dd of=/dev/sdb bs=512k
or
dd if=kali.iso of=/dev/sdb bs=512k& pid=$! && while true; do kill -USR1 $pid && sleep 1 && clear; done
The important thing to grasp here isn't the filename or location of your input or output, or even the block size for that matter, but the fact that you can keep an eye on 'dd' as it's running to see where you are at during its execution.<br>
For persistance mode please follow this steps at Kali documentation http://docs.kali.org/installation/kali-linux-live-usb-install
For persistance mode please follow this steps at Kali documentation http://docs.kali.org/installation/kali-linux-live-usb-install
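Review bot: step 1 fetches the ISO over plain http and step 3 pipes it straight into dd with no integrity check in between; add a step that verifies the image's SHA256 against the checksum published by Kali before anything is written. Step 3 also switches between /dev/sdc and /dev/sdb across the alternative commands, so use one placeholder device name throughout. "persistance" and "writting" are carried into the new revision unchanged.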


==Kismet==
=Kali Linux Persistence mode=
*create additional partition (persistance space) on usb stick using <tt>gparted</tt> and make sure the volume label of the newly created partition is ''''persistence'''', and format it using the '''ext4''' filesystem.
*mount the partition, create in its main folder file <tt>persistence.conf</tt> file and edit adding one line <tt>/ union</tt>, unmount and reboot
mkdir /mnt/usb
mount /dev/sdb2 /mnt/usb
echo "/ union" >> /mnt/usb/persistence.conf
umount /mnt/usb
*select '''Live boot''' from the menu (don’t press enter) when the Kali Linux boot screen is displayed, then press the '''tab''' button. This will allow you to edit the boot parameters. Add the word '''persistence''' to the end of the boot parameter line each time you want to mount your persistent storage.
*Kali will boot and it will mount root folder to <tt>/dev/sdb2</tt> where all changes are saved. Below is part of <code>mount</code> output to visualise it.
/dev/sdb2 on /lib/live/mount/persistence/sdb2 type ext4 (rw,noatime,data=ordered)
 
root@kali:/lib/live/mount/persistence/sdb2# ls -al
total 64
drwxr-xr-x 12 root root  4096 Aug 11 11:04 .
drwxr-xr-x  3 root root  4096 Aug 11 11:04 ..
drwxr-xr-x 15 root root  4096 Aug 11 11:09 etc
drwxr-xr-x  3 root root  4096 Aug 11 11:04 home
drwxr-xr-x  3 root root  4096 Mar 15 09:51 lib
drwx------  2 root root 16384 Aug 11 10:56 lost+found
drwxr-xr-x  7 root root  4096 Aug 11 11:04 media
-rw-r--r--  1 root root    8 Aug 11 10:57 persistence.conf
drwxr-xr-x 13 root root  4096 Aug 11 11:10 root
drwxrwxrwt  7 root root  4096 Aug 11 11:17 tmp
drwxr-xr-x  6 root root  4096 Jul 23 12:30 var
-r--r--r--  4 root root    0 Aug 11 11:04 .wh..wh.aufs
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.orph
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.plnk
 
=Kismet=
 
== Install Kismet from sources ==
wget https://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz
tar xf kismet-2013-03-R1b.tar.xz
cd kismet-2013-03-R1b*
./configure                                #check required software, libraries, and system environment
sudo apt-get install ncurses-dev libnl-dev  #dependencies to install:  libcurses or libncurses, libnl netlink library to control mac80211 vaps
make dep
make                                        #compiling it can take ~5 min
sudo make install
kismet -v                                  #version check
 
== Configure and run ==
 
Kismet is installed by default in Kali linux. A few information to consider:
Kismet is installed by default in Kali linux. A few information to consider:
*it creates virtual interface for monitoring to minimise the WLAN interface reconfiguration in a system. The interface name created by appending ''mon'' to the interface name. We can preview this with <tt>iw dev</tt>. It may also reconfigure your main interface into ''Monitor'' mode, check with <tt>iwconfig</tt>.
*virtual interface is created for monitoring to minimise WLAN interface reconfiguration in a system. The virtual interface name is created by appending <tt>'''mon'''</tt> to the existing interface name. We can verify this with <tt>'''iw dev'''</tt>.  
*it is client-server application by default listening on :2501 port
*it may also reconfigure your main interface into <tt>'''Monitor'''</tt> mode, check with <tt>'''iwconfig'''</tt>.
*when adding source use your ''mon'' interface, eg: <tt>wlan0mon</tt>
*it is client-server application by default listening on ''':2501''' port
*when adding source use your <tt>'''mon'''</tt> interface, eg: <code>'''wlan0mon'''</code>
*requires root privilages to run
*requires root privilages to run
Run with
;Run with <tt>-c <wlan_in_monitor_mode></tt>
  kismet
  sudo kismet -c wlan0mon
;Run server


==Wavemon==
Kismet > Start Server ... > enter source monitoring interface if not specified at the run eg: <tt>wlan0</tt> or <tt>wlan0mon</tt>
 
;You may need to reset your network configuration after exiting from Kismet
sudo /etc/init.d/networking restart
sudo services networking restart
sudo dhclient wlan0                        #renew ip address from DHCP server
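Review bot: in the new reset block, "sudo services networking restart" names a command that does not exist; it should be "sudo service networking restart". The bullet "requires root privilages to run" is kept with its typo and should read "privileges".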
 
=Wavemon=
''wavemon'' is an ncurses-based monitoring application for wireless network devices. Home page http://www.erg.abdn.ac.uk/wavemon/
''wavemon'' is an ncurses-based monitoring application for wireless network devices. Home page http://www.erg.abdn.ac.uk/wavemon/
*to measure the link quality we need to be connected to the network first
*to measure the link quality we need to be connected to the network first
*different options are displayed at the bottom of a screen controled by function keys or the first letter of the option<br><tt>F1info  F2lhist F3scan  F4      F5      F6      F7prefs F8help  F9about F10quit </tt>
*different options are displayed at the bottom of a screen controled by function keys or the first letter of the option
;Install wavemon
 
<span style="color: blue"><tt>'''F1info  F2lhist F3scan  F4      F5      F6      F7prefs F8help  F9about F10quit'''</tt></span>
 
;Install and run wavemon <tt>''-i <interface>''</tt>
  aptget install wavemon
  aptget install wavemon
;Run with -i <interface>
  wavemon -i wlan0
  wavemon -i wlan0
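Review bot: the install line "aptget install wavemon" is carried over with the hyphen missing and will fail as typed; it should be "apt-get install wavemon". "controled" in the bullet above it should be "controlled".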


==Monitor link quality from command line==
=Aircrack-ng=
See link quality continuously on screen
Create virtual monitoring interface. It will re configure also your main wireless interface into Monitor mode. Please isse <code>iwconfig</code> to chec it.
watch -n 1 cat /proc/net/wireless
# airmon-ng start mon0
Interface Chipset Driver
<span style="color:green">'''mon0 Intel 6205 iwlwifi - [phy0]'''</span>
(monitor mode enabled on mon3)
mon1 Intel 6205 iwlwifi - [phy0]
mon2 Intel 6205 iwlwifi - [phy0]
wlan0 Intel 6205 iwlwifi - [phy0]
Then start capturing packets
airodump-ng mon0
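Review bot: the new Aircrack-ng section runs "airmon-ng start mon0" against an interface that is already a monitor interface, and the pasted output shows the result (mon1, mon2 and a new mon3 all stacked on phy0). The example should start monitor mode on the physical interface, wlan0, and the following airodump-ng line should use whichever interface name airmon-ng reports. "isse" and "chec" in the intro sentence are typos.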
 
=Monitor link quality from command line=
See link quality continuously on the screen
<source lang=bash>
$ watch -n 1 cat /proc/net/wireless
Inter-| sta-|  Quality        |  Discarded packets              | Missed | WE
face | tus | link level noise |  nwid  crypt  frag  retry  misc | beacon | 22
wlp4s0: 0000  47.  -63.  -256        0      0      0      0      4        0
 
printf "$(cat /proc/net/wireless) $(date)\n" | tee -a 20190815-proc-net-wireless.log; \
  while true; do printf "$(cat /proc/net/wireless|tail -1) $(date)\n" | tee -a 20190815-proc-net-wireless.log; sleep 1; done
</source>
 
Wifi parameters
<source lang=bash>
$ ls -1 /sys/module/mac80211/parameters
beacon_loss_count
ieee80211_default_rc_algo
max_nullfunc_tries
max_probe_tries
minstrel_vht_only
probe_wait_ms
 
$ cat beacon_loss_count probe_wait_ms
7    # once reached wifi card will disassociate with AP and try to associate again
500  # once reached wifi card will disassociate with AP and try to associate again
 
You can try to lower number of beacon losses to get disconnected from actual AP and try to switch to another by your WiFi card, edit /etc/modprobe.d/wifi-sensitivity.conf and add those lines: <code>module options mac80211 beacon_loss_count=1 max_probe_tries=1</code> Reboot, and check if it makes your WiFi more sensitive to AP signal changes. If not, try add another parameter to the line above: probe_wait_ms=100. On really poor signal these setting may give you no WiFi connection at all, don't panic, just set those limit a little higher, you can use two strategies, keep probe_wait_ms higher (default is 500 but you can go higher) and keep other two options low or the opposite, the two other options higher and probe_wait_ms lower than default 500.
 
All those setting "live" without reboots in /sys/module/mac80211/parameters/... directory, for example: <code>echo 1 > /sys/module/mac80211/parameters/beacon_loss_count</code>
</source>
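Review bot: the two explanatory paragraphs sit inside the &lt;source lang=bash&gt; block, so they render as code and their nested &lt;code&gt; tags are shown literally; close the source block after the "cat beacon_loss_count probe_wait_ms" output and move the prose outside it. The modprobe.d line should read "options mac80211 beacon_loss_count=1 max_probe_tries=1", since "module options ..." is not valid modprobe.d syntax.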
 
= Debug Wifi traffic =
Useful script, produces wireless-info.txt log file.
<source lang=bash>
wget -N -t 5 -T 10 https://github.com/UbuntuForums/wireless-info/raw/master/wireless-info && chmod +x wireless-info && ./wireless-info
# then you can send to termbin.com
cat wireless-info.txt | nc termbin.com 9999
</source>
 
 
Another script that actually set up you with the strongest signal cell
<source lang=bash>
https://gist.github.com/archy-bold/9a4cdee49309e4a2d059c900362fa9dc
</source>
 
 
<source lang=bash>
$ rfkill list all
0: tpacpi_bluetooth_sw: Bluetooth
Soft blocked: yes
Hard blocked: no
1: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
</source>
 
[[Category:linux]]
 
= Wifi info =
<source lang=bash>
$ iwlist wlp4s0 scan # scan for available access points
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Channel:100
                    Frequency:5.5 GHz (Channel 100)
                    Quality=40/70  Signal level=-70 dBm 
                    Encryption key:on
                    ESSID:"bt-hub1234"
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=00000000ca95be46
                    Extra: Last beacon: 142228ms ago
                    ...
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    ...
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
 
$ sudo iw dev wlp4s0 scan | grep -A 9 BSS | grep -B 9 <wifiName> # get a list of APs with signal strengh
$ sudo iw dev wlp4s0 scan # scan for available access points
$ sudo iw dev wlp4s0 link # show current ap-association
Connected to 94:0b:19:ef:11:22 (on wlp4s0)
SSID: bt-hub1234
freq: 5500
RX: 50957 bytes (323 packets)
TX: 39580 bytes (286 packets)
signal: -65 dBm
tx bitrate: 780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
bss flags: short-slot-time
dtim period: 3
beacon int: 100
</source>

Latest revision as of 16:29, 8 January 2020

This is another all-in-one page for wireless monitoring solutions. The easiest option is to use Kali Linux http://www.kali.org/. Follow these steps to create a bootable Live USB:

Kali Linux Live USB

  1. Download the ISO from http://www.kali.org/downloads/ or with the wget command
    wget http://cdimage.kali.org/kali-latest/amd64/kali-linux-1.0.4-amd64.iso
  2. Install a progress bar package to show information about the data transfer. It is not required for writing the image to USB, but it is useful to see the progress. Install the bar package and remember to append -s <file_size>. Another way to see the progress is to install the pv (Pipe Viewer) package.
    apt-get install bar && apt-get install pv
  3. Copy the image to the USB drive. Make sure that you use the correct device to write the image to, as dd will not warn you when writing. In Ubuntu, useful commands are: lsusb or mount
    sudo dd if=kali.iso | bar -s 2.2g | sudo dd of=/dev/sdc bs=512
    dd if=kali.iso | pv | sudo dd of=/dev/sdb bs=512k
    or
    dd if=kali.iso of=/dev/sdb bs=512k& pid=$! && while true; do kill -USR1 $pid && sleep 1 && clear; done

The important thing to grasp here is the fact that you can keep an eye on 'dd' as it's running to see where you are at during its execution.
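Because dd writes to whatever device it is given, the check in step 3 can be scripted. The following is an added example, not part of the original page: check_target, make_fixture and demo are hypothetical names, and the sysfs root and mounts file are parameters only so the checks can run against a constructed tree.

```shell
#!/bin/sh
# check_target IMAGE DEVICE [SYSFS_ROOT] [MOUNTS_FILE]
# Returns 0 only if DEVICE looks like a safe target for "dd of=DEVICE".
# SYSFS_ROOT and MOUNTS_FILE default to the live system; they are parameters
# (an assumption of this example) so the checks can run on a constructed tree.
check_target() {
    img=$1; dev=$2; sys=${3:-/sys}; mounts=${4:-/proc/mounts}
    node="$sys/block/${dev##*/}"

    # Partitions such as sdb1 have no directory directly under /sys/block.
    [ -d "$node" ] || { echo "REFUSE: $dev is not a whole disk"; return 1; }

    # Internal disks report removable=0. Some USB disks do as well, so this
    # refusal means "check by hand", not "impossible".
    [ "$(cat "$node/removable")" = 1 ] ||
        { echo "REFUSE: $dev is not flagged removable"; return 1; }

    # A mounted partition of the disk (sdb, sdb1, ...) blocks the write.
    if grep -q "^$dev[0-9]* " "$mounts"; then
        echo "REFUSE: $dev has a mounted filesystem"; return 1
    fi

    # /sys/block/<disk>/size counts 512-byte sectors.
    dev_bytes=$(( $(cat "$node/size") * 512 ))
    img_bytes=$(( $(wc -c < "$img") ))
    [ "$img_bytes" -le "$dev_bytes" ] ||
        { echo "REFUSE: image needs $img_bytes bytes, $dev has $dev_bytes"; return 1; }

    echo "OK: $dev is removable, unmounted and holds $dev_bytes bytes"
}

# make_fixture DIR: constructed stand-in for /sys and /proc/mounts with an
# internal disk (sda, mounted) and an 8 MiB USB stick (sdb, not mounted).
make_fixture() {
    mkdir -p "$1/sys/block/sda" "$1/sys/block/sdb"
    echo 0 > "$1/sys/block/sda/removable"; echo 500118192 > "$1/sys/block/sda/size"
    echo 1 > "$1/sys/block/sdb/removable"; echo 16384 > "$1/sys/block/sdb/size"
    echo "/dev/sda1 / ext4 rw 0 0" > "$1/mounts"
    dd if=/dev/zero of="$1/kali.iso" bs=1024 count=64 2>/dev/null   # 64 KiB image
}

# demo: run the check against the constructed tree for three candidate targets.
demo() {
    d=$(mktemp -d); make_fixture "$d"
    for target in /dev/sda /dev/sdb1 /dev/sdb; do
        check_target "$d/kali.iso" "$target" "$d/sys" "$d/mounts" || true
    done
    rm -rf "$d"
}
demo
```

On a real system, call check_target kali.iso /dev/sdX with only the first two arguments and run dd only when it returns 0.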

For persistence mode, please follow the steps in the Kali documentation http://docs.kali.org/installation/kali-linux-live-usb-install

Kali Linux Persistence mode

  • create an additional partition (persistence space) on the USB stick using gparted, make sure the volume label of the newly created partition is 'persistence', and format it with the ext4 filesystem.
  • mount the partition, create a persistence.conf file in its top-level folder containing the single line / union, then unmount and reboot
mkdir /mnt/usb
mount /dev/sdb2 /mnt/usb
echo "/ union" >> /mnt/usb/persistence.conf
umount /mnt/usb
  • when the Kali Linux boot screen is displayed, select Live boot from the menu (don’t press Enter), then press the Tab key. This will allow you to edit the boot parameters. Add the word persistence to the end of the boot parameter line each time you want to mount your persistent storage.
  • Kali will boot and mount the root folder on /dev/sdb2, where all changes are saved. Below is part of the mount output to visualise it.
/dev/sdb2 on /lib/live/mount/persistence/sdb2 type ext4 (rw,noatime,data=ordered)
root@kali:/lib/live/mount/persistence/sdb2# ls -al
total 64
drwxr-xr-x 12 root root  4096 Aug 11 11:04 .
drwxr-xr-x  3 root root  4096 Aug 11 11:04 ..
drwxr-xr-x 15 root root  4096 Aug 11 11:09 etc
drwxr-xr-x  3 root root  4096 Aug 11 11:04 home
drwxr-xr-x  3 root root  4096 Mar 15 09:51 lib
drwx------  2 root root 16384 Aug 11 10:56 lost+found
drwxr-xr-x  7 root root  4096 Aug 11 11:04 media
-rw-r--r--  1 root root     8 Aug 11 10:57 persistence.conf
drwxr-xr-x 13 root root  4096 Aug 11 11:10 root
drwxrwxrwt  7 root root  4096 Aug 11 11:17 tmp
drwxr-xr-x  6 root root  4096 Jul 23 12:30 var
-r--r--r--  4 root root     0 Aug 11 11:04 .wh..wh.aufs
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.orph
drwx------  2 root root  4096 Aug 11 11:04 .wh..wh.plnk

Kismet

Install Kismet from sources

wget https://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz
tar xf kismet-2013-03-R1b.tar.xz
cd kismet-2013-03-R1b*
./configure                                 #check required software, libraries, and system environment
sudo apt-get install ncurses-dev libnl-dev  #dependencies to install:  libcurses or libncurses, libnl netlink library to control mac80211 vaps
make dep
make                                        #compiling it can take ~5 min
sudo make install
kismet -v                                   #version check

Configure and run

Kismet is installed by default in Kali Linux. A few points to consider:

  • a virtual interface is created for monitoring to minimise WLAN interface reconfiguration on the system. The virtual interface name is created by appending mon to the existing interface name. We can verify this with iw dev.
  • it may also reconfigure your main interface into Monitor mode; check with iwconfig.
  • it is a client-server application, listening on port :2501 by default
  • when adding a source, use your mon interface, e.g. wlan0mon
  • it requires root privileges to run
Run with -c <wlan_in_monitor_mode>
sudo kismet -c wlan0mon
Run server

Kismet > Start Server ... > enter source monitoring interface if not specified at the run eg: wlan0 or wlan0mon

You may need to reset your network configuration after exiting from Kismet
sudo /etc/init.d/networking restart
sudo service networking restart
sudo dhclient wlan0                         #renew ip address from DHCP server

Wavemon

wavemon is an ncurses-based monitoring application for wireless network devices. Home page http://www.erg.abdn.ac.uk/wavemon/

  • to measure the link quality we need to be connected to the network first
  • different options are displayed at the bottom of the screen, controlled by function keys or the first letter of the option

F1info F2lhist F3scan F4 F5 F6 F7prefs F8help F9about F10quit

Install and run wavemon -i <interface>
apt-get install wavemon
wavemon -i wlan0

Aircrack-ng

Create a virtual monitoring interface. This will also reconfigure your main wireless interface into Monitor mode. Run iwconfig to check it.

# airmon-ng start mon0
Interface	Chipset		Driver

mon0		Intel 6205	iwlwifi - [phy0]
				(monitor mode enabled on mon3)
mon1		Intel 6205	iwlwifi - [phy0]
mon2		Intel 6205	iwlwifi - [phy0]
wlan0		Intel 6205	iwlwifi - [phy0]

Then start capturing packets

airodump-ng mon0

Monitor link quality from command line

See link quality continuously on the screen

$ watch -n 1 cat /proc/net/wireless
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
wlp4s0: 0000   47.  -63.  -256        0      0      0      0      4        0

printf "$(cat /proc/net/wireless) $(date)\n" | tee -a 20190815-proc-net-wireless.log; \
  while true; do printf "$(cat /proc/net/wireless|tail -1) $(date)\n" | tee -a 20190815-proc-net-wireless.log; sleep 1; done

Wifi parameters

$ ls -1 /sys/module/mac80211/parameters
beacon_loss_count
ieee80211_default_rc_algo
max_nullfunc_tries
max_probe_tries
minstrel_vht_only
probe_wait_ms

$ cat beacon_loss_count probe_wait_ms 
7     # once reached wifi card will disassociate with AP and try to associate again
500   # once reached wifi card will disassociate with AP and try to associate again

You can lower the number of beacon losses after which your WiFi card disconnects from the current AP and tries to switch to another one. Edit /etc/modprobe.d/wifi-sensitivity.conf and add this line:

options mac80211 beacon_loss_count=1 max_probe_tries=1

Reboot, and check whether it makes your WiFi more sensitive to AP signal changes. If not, try adding another parameter to the line above: probe_wait_ms=100. On a really poor signal these settings may give you no WiFi connection at all. Don't panic, just set the limits a little higher. You can use two strategies: keep probe_wait_ms higher (the default is 500, but you can go higher) and keep the other two options low, or the opposite, with the other two options higher and probe_wait_ms lower than the default 500.

All of these settings can also be changed live, without a reboot, in the /sys/module/mac80211/parameters/ directory, for example:

echo 1 > /sys/module/mac80211/parameters/beacon_loss_count

Debug Wifi traffic

A useful script that produces a wireless-info.txt log file.

wget -N -t 5 -T 10 https://github.com/UbuntuForums/wireless-info/raw/master/wireless-info && chmod +x wireless-info && ./wireless-info
# then you can send to termbin.com
cat wireless-info.txt | nc termbin.com 9999


Another script that connects you to the cell with the strongest signal

https://gist.github.com/archy-bold/9a4cdee49309e4a2d059c900362fa9dc


$ rfkill list all
0: tpacpi_bluetooth_sw: Bluetooth
	Soft blocked: yes
	Hard blocked: no
1: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no

Wifi info

$ iwlist wlp4s0 scan # scan for available access points
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Channel:100
                    Frequency:5.5 GHz (Channel 100)
                    Quality=40/70  Signal level=-70 dBm  
                    Encryption key:on
                    ESSID:"bt-hub1234"
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=00000000ca95be46
                    Extra: Last beacon: 142228ms ago
                    ...
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    ...
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00

$ sudo iw dev wlp4s0 scan | grep -A 9 BSS | grep -B 9 <wifiName> # get a list of APs with signal strength
$ sudo iw dev wlp4s0 scan # scan for available access points
$ sudo iw dev wlp4s0 link # show current ap-association 
Connected to 94:0b:19:ef:11:22 (on wlp4s0)
	SSID: bt-hub1234
	freq: 5500
	RX: 50957 bytes (323 packets)
	TX: 39580 bytes (286 packets)
	signal: -65 dBm
	tx bitrate: 780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
	bss flags:	short-slot-time
	dtim period:	3
	beacon int:	100
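
The iwlist scan output above shows an access point that still advertises a WPA Version 1 IE and TKIP next to WPA2/CCMP. The following is an added example, not part of the original page, that reads iwlist scan text and reports such settings per cell. sample_scan and audit_scan are hypothetical names, Cell 01 is the cell from this page (trimmed), and cells 02 and 03 are constructed.

```shell
#!/bin/sh
# sample_scan: `iwlist scan` text. Cell 01 is the cell shown on this page
# (trimmed); cells 02 and 03 are constructed for the example.
sample_scan() {
cat <<'EOF'
wlp4s0    Scan completed :
          Cell 01 - Address: 94:0B:19:EF:11:22
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"bt-hub1234"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
          Cell 02 - Address: 02:00:00:00:00:02
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    ESSID:"example-wpa2"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
          Cell 03 - Address: 02:00:00:00:00:03
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:off
                    ESSID:"example open"
EOF
}

# audit_scan: read `iwlist <if> scan` output on stdin and print one
# tab-separated line per cell: BSSID, ESSID, signal, findings.
audit_scan() {
    awk '
    function flush(   f) {
        if (bssid == "") return
        if (enc == "off")          f = "OPEN"
        else if (enc != "on")      f = "unknown"
        else if (!wpa1 && !rsn)    f = "WEP?"   # privacy on, no WPA/RSN IE
        else {
            if (wpa1) f = "WPA1"
            if (tkip) f = (f == "" ? "" : f ",") "TKIP"
            if (f == "") f = "ok"
        }
        printf "%s\t%s\t%s\t%s\n", bssid, essid, signal, f
    }
    /Cell [0-9]+ - Address:/ {
        flush(); bssid = $NF; essid = "<hidden>"; signal = "?"
        enc = ""; wpa1 = rsn = tkip = 0; next
    }
    /Signal level=/   { s = $0; sub(/.*Signal level=/, "", s); sub(/ .*/, "", s); signal = s }
    /Encryption key:/ { enc = ($0 ~ /key:on/) ? "on" : "off" }
    /ESSID:"/ { s = $0; sub(/.*ESSID:"/, "", s); sub(/"[ \t]*$/, "", s); if (s != "") essid = s }
    /IE: WPA Version 1/        { wpa1 = 1 }
    /IE: IEEE 802\.11i\/WPA2/  { rsn = 1 }
    /(Group Cipher|Pairwise Ciphers).*TKIP/ { tkip = 1 }
    END { flush() }
    '
}

sample_scan | audit_scan
```

Against a live interface, replace sample_scan with iwlist wlp4s0 scan and pipe its output into audit_scan.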