
aircrack-ng / airmon-ng questions


Scrag


Hello Everybody.

I have 2 questions on aircrack:

1.) When I run "airodump-ng mon0" and it lists the APs/SSIDs in the area, there is one wireless network that is not displayed, but is displayed on my Android phone. I can see about 12 SSIDs but not this one in particular. My Pineapple's wireless has a much more powerful signal than my phone, so I know it's not distance/signal strength. Any thoughts?

2.) When I run "airodump-ng mon0", I see lots of ESSIDs that are called:

<length: 1>

<length: 0>

<length: 7> etc...

Does anyone know what this means? Are they hidden APs?

Thanks,

Scrag


Possibly the AP is set to N only, which, if that's the case, the aircrack suite might not see. I noticed in BackTrack at home that if I set my network to N only (no a, b, g, etc.), it can't be seen by aircrack, but can under the wifi scan. I think it's more to do with them needing to update for the N spec, which frankly many different vendors implement differently. Try Kismet and also "iwlist mon0 scanning" to see if it shows. You can also open Wireshark, select mon0, and see if you get probes for the name of the SSID showing up, but I have a feeling it won't be seen in monitor mode, only managed mode, and only if the distro is compiled to look for N networks as well as 802.11 a, b, and g. Also, there are two different standards depending on card and drivers, ieee80211 and mac80211, so that might have something to do with the distro and drivers of the wifi card in use, but I'm not 100% sure.

http://wireless.kernel.org/en/developers/Documentation/mac80211#A802.11n_and_WEP_or_TKIP

http://linux.die.net/man/8/iwlist

Edited by digip

*SIGH* What people need to start doing is learning about the version features of the aircrack-ng suite install that they are using, and also to STOP USING DEPRECATED TOOLS AND DRIVERS!!

OK, so first of all you need to specify the wireless adapter type and driver version that you're using. I can probably already guess it's some Alfa card, because it seems that's the only thing people know about anymore. I'm gonna go ahead and guarantee that you're using aircrack-ng suite version 1.1x, and you're likely using iwconfig to manipulate your wireless adapter settings.

You first should download and install the most recent aircrack-ng version source: http://download.aircrack-ng.org/aircrack-ng-1.2-beta1.tar.gz

You need to READ THE EFFING "README" FILES AND THE "INSTALLING" FILES THAT ARE INCLUDED. Don't just download and do a quick make && make install. The main thing that you will need to do is to compile it with the "libnl" flag so that it will add support for netlink (nl80211). <--- This is important, k. You also need to download and install from source the latest iw version:

https://www.kernel.org/pub/software/network/iw/ If you get the libnl error when installing iw, then you need to sudo apt-get install libnl-dev; then you will be able to install iw properly.

Now, I'm not going into a whole explanation of what this all really means, except for this: iwconfig is old, and iw is the new way to configure your wireless FullMAC settings. You will then be able to have better functionality with new devices and drivers, and you will have more options when you use tools like airmon-zc (NOT -ng) and airodump-ng. By default airodump-ng hops on 2.4GHz, so if you know the frequency you want to scan you can set it in airodump-ng now, or if you know the channel of the 5GHz frequency you can also set that. Otherwise, like digip said, you won't see any 5GHz wireless and so on. People need to start getting used to the newer versions and drivers. We aren't setting things like "managed" mode in iwconfig anymore, and we aren't

Another thing is, AIRCRACK does not ever "see" wireless signals. airodump-ng does. And with this newer version you will have added support for setting the band or frequency/channel settings in airodump-ng. It's not that the vendors have to update the "N spec", whatever that means. It's that the software and tools we are using have not caught up with the hardware device capabilities. As of right now this all has to be done manually from the source; if you try updating or installing these with your distro's package manager, or with Synaptic or aptitude or whatever you use, it won't give you the latest beta version of aircrack-ng 1.2 beta1, and it won't set up the compile flag options either.

That's all I'm gonna put up for now. If you need more clarification or help, just ask. And if you seriously want to learn about your wireless devices and how to properly use them, start reading here:

http://wireless.kernel.org/en/users/Documentation http://wireless.kernel.org/en/users/Documentation/iw Start spending some time on that site and understand it. Just because these pentest distros have the tools and drivers installed already does not mean that it's set up to properly work 100% on every device and setup. There are some things that you have to change most of the time as well.

Edited by vector

another thing is, AIRCRACK does not ever "see" wireless signals. airodump-ng does.

Was referring more to the aircrack suite in general, but I know what you're saying. I also use airmon-zc and have been doing so for some time now, since -ng had always given me issues with locking up my laptop and NIC. I'll have to look into what you linked to though and give that a try, and see if I can find my AP now. ;)

Get the book from Vivek Ramachandran about BackTrack 5 (works, of course, with Kali). Free download somewhere on the internet, but buying is supporting!

There are some pros and cons, but the Alfa AWUS036NHA or 036H are both good NICs to get started with.

Try to understand the difference between airmon, airodump, aireplay, aircrack, airbase, blahblah...

<length: 0> is a NULL or hidden SSID, if I remember correctly. Using Wireshark with filtering and having patience should enable you to uncover the hidden SSID. There are probably lots of other tools available.

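To make the `<length: N>` entries from the original question concrete, here is an added example (my own code, not from the thread or the aircrack-ng project) that parses the tagged parameters of an 802.11 beacon body and reproduces airodump-ng's display rule: a zero-length or null-filled SSID element is shown as `<length: N>`, anything else as the name. The beacon bodies are constructed sample input, and the frame layout assumed is the standard one (12 bytes of fixed fields, then tag/length/value elements).

```python
import struct

SSID_TAG = 0
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)


def parse_tagged_params(body: bytes) -> list:
    """Walk the tag/length/value list that follows the fixed beacon fields."""
    tags = []
    i = FIXED_PARAMS_LEN
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) < length:  # truncated frame: stop rather than misparse
            break
        tags.append((tag, value))
        i += 2 + length
    return tags


def classify_ssid(body: bytes) -> str:
    """Return what airodump-ng would print in the ESSID column for this beacon."""
    for tag, value in parse_tagged_params(body):
        if tag == SSID_TAG:
            if len(value) == 0 or value[0] == 0:
                # Hidden network: the AP advertises an empty or null-filled SSID,
                # so only its length is known from the beacon itself.
                return f"<length: {len(value)}>"
            return value.decode("utf-8", errors="replace")
    return "<no SSID element>"


def build_beacon_body(ssid: bytes, extra=()) -> bytes:
    """Constructed test input: fixed fields + SSID element + optional extra IEs."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    ies = bytes([SSID_TAG, len(ssid)]) + ssid
    for tag, val in extra:
        ies += bytes([tag, len(val)]) + val
    return fixed + ies


# Constructed sample beacons mirroring the three cases seen in the thread.
SAMPLES = {
    "visible": build_beacon_body(b"HomeWiFi", extra=[(1, bytes([0x82, 0x84, 0x8B, 0x96]))]),
    "hidden_len0": build_beacon_body(b""),
    "hidden_len7": build_beacon_body(b"\x00" * 7),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} -> {classify_ssid(body)}")
```

The beacon only reveals the hidden SSID's length; the name itself shows up in probe responses and association requests from the AP's own clients, which is why the Wireshark filtering suggested above works.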

Does changing MTU size affect the efficacy of deauthentication attacks or anything else? I noticed there is some code related to MTU size in the aircrack suite source code. There's also a Linux command to change MTU size. I don't really understand what MTU size is and what it does, but someone had told me MTU size affects deauthentications. Suggested reading?

Edited by vailixi

MTU is the Maximum Transmission Unit. Most basic Ethernet devices' maximum MTU is 1500, and lower for older IPv4 devices and some ISPs. Lowering it can sometimes help stability for older or slower equipment, but that's about it as far as I know, and it doesn't have much of any effect on wifi injection. I don't see it helping much with deauthentication, unless lowering your wifi speed as well for further away APs. I used to change my Ralink card to transmit at 1MB vs 54MB for better injection results, but never had to mess with MTU settings of any kind when testing WEP cracking or WPA capturing.

There are devices today that have higher throughput than 1500 MTU, with what they call jumbo frames (which my current NIC and router can do; I set it to 6,000, and although it can do up to 9,000, it gets wonky if I set it that high), but they depend not only on your NIC and router but also on your cable or DSL modem, and also the ISP's throughput and the maximum they allow. My ISP offers a higher tier of speeds and I have a DOCSIS 3.0 modem, so I can get 55mbit download speeds and 20-25mbit upload speeds. With wireless, I'm not sure MTU will make a difference, though, unless it's really unreliable or far away, where sending at slower speeds in general can sometimes fix connection errors and de-auths, but that usually does less for staying connected, as it is just for cracking wifi or interfering with someone's network (which I leave up to you when it comes to whose wifi you're messing with).

Read up on it more on MTU here: http://en.wikipedia.org/wiki/Maximum_transmission_unit

