airodump-ng basic operation - novice

[sam_wood]

Hi all,

Just to start I am very new to this world so my question may seem a bit on the easy side for most, and I may need any replies explained in single syllabus.

So here goes. I currently run airodump-ng through kali Linux on a laptop connected to a alfa card and aerial. I need to monitor specific ap over a long term soak (ie over many hours where I leave the kit) for the mac addresses of the devices that connect to it. Then through wireshark carry out analysis to establish when certain devices connect to it and leave and at what times. so currently I will put in command:

airodump-ng -c (channel) --bssid=(mac address) -w (filename) --output-format=pcap mon0

I now have the pineapple V and obviously want to use this (as I can then hopefully use just the pineapple and battery left in situ instead of laptop and aerial). I know I can do a tcpdump to achieve this but it gains too much info of other ap's and all the associated data that i'm not interested in.

So looking on the forums I have downloaded 'putty' to make and SSH connection and put in the above command, which seemed to work but was saving to the device memory and obviously this wont be enough to store much data, so I changed directory to /sd (ie cd /sd) then re entered the command in a hope to get the output onto the sd card. The problem with this is I then had to download filezilla to get the saved data off the Pineapple onto my windows desktop to play with it in Wireshark. The bigger problem is that I set the command running but as soon as I shut down putty the Pineapple stops collecting data, therefore putting me back to square one of needing to have the laptop attached .

So ladies and gents what I am trying to achieve is obtaining information from a already identified AP of the devices that have associated to it and at what times, I don't need mountains of data (hence when doing it from tcpdump I also include in the command '(type mgt or type ctl) and (not type mgt subtype beacon)' to reduce the data I don't need) here are the questions:

Is there an easier way to achieve what I want?

If I am to use airodump-ng through putty how do I get it to save specifically to the SD card (or possible a USB memory stick)?

If I am to use airodump-ng through putty how do I set the pineapple off running and then disconnect the laptop and come back later to the juicy data?

As I have said i'm very much a novice so please be gentle.

Sam

[DataHead]

Well to answer one of your questions, if you wish to have it run in the background in a session without having to have putty or etc, you can create sessions with screen or tmux and it will run with out your intervene and you can reattach to the sessions.

They aren't installed by default on the pineapple. So you will have to

opkg update

opkg -d sd install screen

Or

opkg update

opkg -d sd install tmux

Then just google for the commands of which you choose to create sessions and reattach etc etc

Edit:

The '-d sd' means to install the packages to the sd card, ifbyou wish to have it installed to your internal, just rid of the -d sd

Or if wish to install it to usb, then I believe is just -d usb

Edited March 13, 2015 by DataHead

[troter]

trying to use following

airodump-ng -c 11 --bssid xx:xx:xx:xx -d -w test1 wlan0

getting error

 bssid already given 

ifconfig not showing mon0 not present

what im doing wrong ?

Edited March 14, 2015 by troter

[magik]

Is mon0 even enabled, perhaps its not thats why you don't see it...

Try the following

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 uo

Does mon0 show up after this?

When mon0 does show up, the command should be

airodump-ng -c 11 --bssid xx:xx:xx:xx -d -w test1 mon0

Edited March 14, 2015 by magik

[troter]

each time it trying to use

ifconfig wlan0 up

then

Network error connection timed out

pineapple crashes for 2-6 minutes.. ..after connecting back to pineapple it shows the same

root@Pineapple:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr xxx
          inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:695 errors:0 dropped:214 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:68948 (67.3 KiB)  TX bytes:34546 (33.7 KiB)


eth0      Link encap:Ethernet  HWaddr xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:889 errors:0 dropped:55 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:101706 (99.3 KiB)  TX bytes:34546 (33.7 KiB)
          Interrupt:4


lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11637 (11.3 KiB)  TX bytes:11637 (11.3 KiB)


wlan0     Link encap:Ethernet  HWaddr xxx
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


wlan1     Link encap:Ethernet  HWaddr xxx
          inet addr:192.168.0.44  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63 errors:0 dropped:9 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6755 (6.5 KiB)  TX bytes:8064 (7.8 KiB)

root@Pineapple:~# airodump-ng -c 11 --bssid xxx -d -w test1 mon0
root@Pineapple:~#: not found
root@Pineapple:~# airodump-ng -c 11 --bssid xxx -d -w test1 mon0
root@Pineapple:~#:Notice: bssid already given

no crash on wlan1 but it a same output

root@Pineapple:~#: not found
root@Pineapple:~#:Notice: bssid already given

Edited March 14, 2015 by troter

[magik]

What does 'iwconfig' report after issuing the command: ifconfig wlan0 down && iwconfig wlan0 mode monitor?

[troter]

What does 'iwconfig' report after issuing the command: ifconfig wlan0 down && iwconfig wlan0 mode monitor

root@Pineapple:~# iwconfig
lo        no wireless extensions.


wlan1     IEEE 802.11bg  ESSID:"xxx"
          Mode:Managed  Frequency:2.412 GHz  Access Point: xxx
          Bit Rate=36 Mb/s   Tx-Power=27 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=47/70  Signal level=-63 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:1  Invalid misc:265   Missed beacon:0


wlan0-1   IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=18 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off


wlan0     IEEE 802.11bgn  Mode:Master  Tx-Power=18 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off


eth0      no wireless extensions.


br-lan    no wireless extensions.

Edited March 14, 2015 by troter

[magik]

hrm odd, I assume you are using the latest and greatest firmware?

What happens if you rtun the same commands on wlan1?

[troter]

firm-soft-ware is all up to date..

wlan1 is exactly same error

root@Pineapple:~#: not found
root@Pineapple:~#:Notice: bssid already given

is it something im doing wrong ?

[fringes]

Drop the "-d"

[fringes]

Is it just me, or do those aircrack-ng scripts not work so well with busybox?

For example:

root@Pineapple:~# airmon-ng stop mon0


Interface Chipset Driver

wlan2 Ralink RT2870/3070 rt2800usb - [phy2]
mon0 Ralink RT2870/3070 rt2800usb - [phy2] (removed)
wlan1 Realtek RTL8187L rtl8187 - [phy1]
wlan0-1 Atheros AR9330 ath9k - [phy0]
IEEE Unknown Unknown (MONITOR MODE NOT SUPPORTED)
802.11bgn Unknown Unknown (MONITOR MODE NOT SUPPORTED)
Mode:Master Unknown Unknown (MONITOR MODE NOT SUPPORTED)
Tx-Power=18 Unknown Unknown (MONITOR MODE NOT SUPPORTED)
dBm Unknown Unknown (MONITOR MODE NOT SUPPORTED)
wlan0 Atheros AR9330 ath9k - [phy0]

[troter]

well...

root@Pineapple:~# airmon-ng stop mon0




Interface       Chipset         Driver


wlan1           Realtek RTL8187L        rtl8187 - [phy1]
wlan0-1         Atheros AR9330  ath9k - [phy0]
IEEE            Unknown         Unknown (MONITOR MODE NOT SUPPORTED)
802.11bgn               Unknown         Unknown (MONITOR MODE NOT SUPPORTED)
ESSID:off/any           Unknown         Unknown (MONITOR MODE NOT SUPPORTED)
wlan0           Atheros AR9330  ath9k - [phy0]

anyone ? any suggestions ?

anyone had any luck working via busybox ?

Edited March 15, 2015 by troter

[fringes]

Well,

That's the output when you haven't startted monitor mode. But I'm pointing out all the non-interfaces in the interfaces column.

Did you start monitor mode and drop the -d?

[troter]

all point is use -d to store logs on the memory card ((

found out that have to kill some processes before using it..

Edited March 15, 2015 by troter

[fringes]

I use the -w to save the files. What does the help page say about -d?

Edited March 15, 2015 by fringes

[DataHead]

"

-d <bssid>, --bssid <bssid>

It will only show networks, matching the given bssid.

"

Try it without -d

If you are putting -d in confusion with my other post, that was only with regaurds to opkg.

Edited March 15, 2015 by DataHead

[sam_wood]

Thanks Honkey,

Is there a way to just target one bssid in tcpdump? As this would get rid of the need, in my case, to use airodump?