My Wireshark Issues!

[Inked]

Ok after a little more playing around in BT4 and wireshark I am starting to get frustrated. Maybe if I break down my process someone can spot my error.

I boot up BT4

sudo start-network

wicd - connect to neighbors wireless (yes, he gave me permission)

airmon-ng start wlan0

(note, after issuing this command I do get a notice about a process that could cause trouble. Reference screen shot1 below)

At this point i should be set up for a MITM attack. (monitor mode enabled)

I boot up wireshark>capture>interfaces>start wlan0

(under devices it does seem like a lot is listed. Reference screen shot2 below)

I filter out HTTP traffic

look for the POST under the info column (after my neighbor has went to an unsecured site and logged in)

AND THAT IS WHERE THINGS GO TO CRAP.

I can never see the post and hardly ANY http traffic, which tells me I am not collecting the necessary packets from my neighbor. If anyone can point me in the right direction it would be GREATLY appreciated.

Hardware used:

Acer aspire one running BT4 final

alfa awus036h netowork adapter

Screen shot1

http://img11.imageshack.us/img11/7372/snapshot1xv.jpg

Screen shot2

http://img641.imageshack.us/img641/9797/snapshot2x.jpg

[Netshroud]

To my understanding, you can't have it connected to the AP AND in monitor mode at the same time.

[digip]

@Inked - You cant use monitor mode with MITM, its sort of the reverse to monitor mode. The point of MITM, is to get all the packets sent through your machine which then lets you see them between the router and your target/victim/neighbor, etc. To do MITM you have to be on the same subnet and associated with the router.

Pic 1 is telling you that you are connected through DHCP and that most likely it will keep trying to reconnect to the DHCP server when you go to monitor mode which will remove you from the network, thus why you wont do minitor mode with MITM.

Pic 2 I imagine you would want to use wlan0, but seems no packets are seen on that interface. Probably because you started the aircrack stuff instead of just capturing the nic natively once associated with the access point. Once you get on the network, youll need to identify other machines on the network using something like nmap. If you already know his IP and MAC address on the lan, you can then just run arpspoof or whatever you want for the MITM.

To my understanding, you can't have it connected to the AP AND in monitor mode at the same time.

This is true although you could do both with two wireless cards.

[Inked]

@Inked - You cant use monitor mode with MITM, its sort of the reverse to monitor mode. The point of MITM, is to get all the packets sent through your machine which then lets you see them between the router and your target/victim/neighbor, etc. To do MITM you have to be on the same subnet and associated with the router.

Pic 1 is telling you that you are connected through DHCP and that most likely it will keep trying to reconnect to the DHCP server when you go to monitor mode which will remove you from the network, thus why you wont do minitor mode with MITM.

Pic 2 I imagine you would want to use wlan0, but seems no packets are seen on that interface. Probably because you started the aircrack stuff instead of just capturing the nic natively once associated with the access point. Once you get on the network, youll need to identify other machines on the network using something like nmap. If you already know his IP and MAC address on the lan, you can then just run arpspoof or whatever you want for the MITM.

This is true although you could do both with two wireless cards.

Thanks digip for pointing me in the right direction! It looks like I am back to tinkering around to get it right. You are correct, I started the aircrack suite and dropped wlan0 into monitor mode.

Thanks again for the help!