WIFI - Part 6, Airodump-ng Part 2
This is a pretty thorough guide on everything Airodump-ng. It covers the basics and some of the more advanced features that are part of the tool. This part is about the Airodump-ng Results.
Alright, now that we have covered how to run Airodump-ng, it's on to how to read its results. Below is a sample of what the output looks like; after it, we will go through what each piece of information means.
 CH 1 ][ Elapsed: 4 s ][ 2012-11-24 14:57 ][ xxxxxxx

 BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

 20:RA:2B:2D:0E:24  -28  100       69       0   0  11  54e  WPA2  CCMP    PSK   joey
 08:86:3R:4A:38:6E  -66  100       69       0   0  11  54e  WPA2  CCMP    PSK   marksWireless
 00:24:2R:F2:2E:CC  -74   40       17       0   0  11  54e  WPA2  CCMP    PSK   myqwest64
 00:8E:F2:A3:R2:28  -76    4        3       0   0  11  54e  WPA2  CCMP    PSK   A3E3

 BSSID              STATION            PWR  Rate   Lost  Packets  Probes

 20:RA:2B:2D:0E:24  AC:86:2R:C6:H0:79   -1  1e- 0     0        1
 20:RA:2B:2D:0E:24  00:26:C6:6H:38:35   -1  1e- 0     0        1
General Display Area
CH 1 – This should be fairly obvious: it is the channel that the scan is currently taking place on. As Airodump-ng hops from channel to channel, you will see this change; when you specify a channel, it should not change.
Elapsed: 4 s – This is the amount of time that the scan has been running.
2012-11-24 14:57 – This is the time and the date that the scan started on.
xxxxxxx – This area doesn’t really display ‘xxxxxxx’; I was just trying to illustrate that this space can be used. This is the area that displays a notice when key packets are intercepted, such as a WPA handshake, which is needed when attempting to brute force WPA/WPA2 encryption.
Access Point Display Area
BSSID – We covered what BSSIDs were in an earlier tutorial. In case you have forgotten, this is the MAC address of the wireless router.
PWR – This is the current signal level, as reported by your wireless card. This is a pretty good indication as to how close or far away a wireless router is from you. By the way, if all you see here is ‘-1’s, then your wireless card does not support this feature.
RXQ – This is the Receive Quality. It is a measurement of the packets that have been successfully received in the prior 10 seconds, expressed as a percentage from 0 to 100. This number can be utilized in several ways, including to tell whether there is a client using the AP that you are not monitoring.
Beacons – This is just the number of beacons that have been intercepted by you; not the number that has been recorded, just the number intercepted.
#Data – This is the number of actual data packets that have been intercepted. If you are trying to collect IV’s, this is the number you should be watching.
#/s – This is the number of data packets that you have been able to capture in the prior 10 seconds.
CH – This is the channel that the access point is currently broadcasting on. It is recorded from the very first beacon packet that is intercepted. It should also be noted that radio interference might sometimes cause access points from different channels to be recorded when you are fixed on one channel.
MB – This is the maximum speed that the wireless router supports. This can be used to find which 802.11 protocol it is using; we went over the speeds of each in an earlier tutorial. Also, a period after the number indicates that QoS is currently activated.
ENC – This is the type of encryption algorithm that is currently being used. All the results are pretty self-explanatory except ‘WEP?’, which means that Airodump-ng does not yet have enough information to tell which type is in use.
CIPHER – This is the type of cipher that is currently being utilized. Normally TKIP is associated with WPA, CCMP is associated with WPA2, and WEP40 is usually associated with WEP. These can be changed, but this is what you will see most of the time.
AUTH – This is the type of authentication protocol that is detected. Normally MGT is associated with WPA/WPA2 when an authentication server is used, SKA is associated with WEP, and PSK is associated with WPA/WPA2 when using a pre-shared key.
ESSID – This is the ESSID of the wireless router. We covered this in an earlier tutorial, but just in case you forgot, this is the user chosen name of the wireless network.
Client Display Area
BSSID – This is the BSSID of the wireless router that the client is associated with. Sometimes you will see ‘(not associated)’, which means that the client is not currently associated with any wireless router.
STATION – This is the MAC address of the client. This can be used to target specific clients rather than specific wireless routers. We will use this a lot in the more advanced attacks.
PWR – This is the same as the PWR column in the access point display area. The only difference is that it is the power of the client rather than the wireless router.
Rate – There should be two different numbers in this column, separated by a ‘-’. The first number is the last known data rate from the AP, and the second number is the last known data rate from the client. These numbers may change with each packet, and it usually takes more than one packet before they are displayed.
Lost – This is the number of lost packets in the last 10 seconds from this client. This is based on the sequence numbers associated with the packets, so you may lose more packets than this actually displays, because not all packets have sequence numbers.
Packets – This is the total amount of packets that have been intercepted from a specific client.
Probes – This displays the ESSID’s of the wireless networks that the client is attempting to access. The client only attempts to connect to these networks if it is not associated with a wireless network at the current time. This is used in some of the more advanced attacks, when we start spoofing wireless networks.
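As an added example (not part of the original tutorial or of Airodump-ng itself), this Python parser reads a screen capture in the layout described above and summarizes it for an audit of your own networks: which access points advertise weak protection, and which clients leak probed ESSIDs. The sample rows, placeholder MAC addresses, function names and the WEAK_ENC policy are assumptions; the OPN, WEP104 and WRAP values come from Airodump-ng's documentation rather than this page.

```python
import re

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
AP_COLS = ["BSSID", "PWR", "RXQ", "Beacons", "#Data", "#/s", "CH", "MB", "ENC"]
CIPHERS = {"CCMP", "TKIP", "WEP", "WEP40", "WEP104", "WRAP"}
AUTHS = {"PSK", "MGT", "SKA", "OPN"}
WEAK_ENC = {"OPN", "WEP", "WEP?", "WPA"}  # assumption: policy wants WPA2 or better
STA_RE = re.compile(rf"\s*({MAC}|\(not associated\))\s+({MAC})\s+(-?\d+)\s+"
                    r"(\d+e?\s*-\s*\d+e?)\s+(\d+)\s+(\d+)\s*(.*)")

# Constructed sample in the layout described above; MACs are placeholders.
SAMPLE = """\
 CH  1 ][ Elapsed: 4 s ][ 2012-11-24 14:57
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:00:00:00:00:01  -28 100       69        0    0  11  54e  WPA2 CCMP   PSK  joey
 02:00:00:00:00:02  -66 100       69       12    1  11  54e  WEP  WEP40  SKA  old printer
 02:00:00:00:00:03  -74  40       17        0    0   6  54e  OPN              guest
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 02:00:00:00:00:01  02:00:00:00:01:0a   -1    1e- 0     0        1
 (not associated)   02:00:00:00:01:0b  -60    0 - 1     0        4  joey,cafe wifi
"""

def parse_screen(text):
    """Return (aps, stations) as lists of dicts keyed by the column names."""
    aps, stations = [], []
    for line in text.splitlines():
        m = STA_RE.fullmatch(line.rstrip())
        if m:  # client row: two address fields; Rate may contain a space
            keys = ["BSSID", "STATION", "PWR", "Rate", "Lost", "Packets"]
            sta = dict(zip(keys, m.groups()))
            sta["Probes"] = [p for p in m.group(7).split(",") if p]
            stations.append(sta)
            continue
        parts = line.split()
        if len(parts) < 9 or not re.fullmatch(MAC, parts[0]) or re.fullmatch(MAC, parts[1]):
            continue  # status line, header, blank, or an unparsed client row
        ap, rest = dict(zip(AP_COLS, parts)), parts[len(AP_COLS):]
        # CIPHER and AUTH are blank on open networks; ESSID may contain spaces.
        ap["CIPHER"] = rest.pop(0) if rest and rest[0] in CIPHERS else ""
        ap["AUTH"] = rest.pop(0) if rest and rest[0] in AUTHS else ""
        ap["ESSID"] = " ".join(rest)
        aps.append(ap)
    return aps, stations

def audit(aps, stations):
    """Defender's summary: weakly protected APs and clients leaking probed ESSIDs."""
    weak = [(a["ESSID"], a["ENC"]) for a in aps if a["ENC"] in WEAK_ENC]
    probing = {s["STATION"]: s["Probes"] for s in stations if s["Probes"]}
    return weak, probing
```

An ESSID whose first word is itself a cipher or authentication name (for example a network called "CCMP") would be misread by this token-based split, so treat the output as a survey aid rather than ground truth.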
Interacting With the Results
First and foremost, to stop Airodump-ng from scanning, you must use control+c.
Using the ‘tab’ key, you can enter, or leave, selection mode. It allows you to scroll up and down, using the ‘up’ and ‘down’ arrows, through the list of access points.
While in selection mode, you can use the ‘m’ key to change the color of the selected access point. You can change it to a variety of different colors. This comes in handy a lot!
Another nice feature is using the ‘a’ button. This allows you to view results in different pages. You can view just the access points, or just the clients, or a variety. It comes in handy, especially if you have a smaller screen and the results keep scrolling past the bottom of the screen.
Using the ‘s’ command, you can change which column the results use to sort the results. This can sometimes be nice, though I rarely use it.
You can use the ‘space’ bar to pause the results. This does not pause the actual scan, but does freeze the screen at a certain point.
There are a couple other things that you can do with the results, but I don’t ever really use anything else. I mainly just use the ‘tab’ key and the ‘m’ key to be honest. Sometimes the ‘a’ key if I am using my netbook, or there is a lot of activity in my area.
I think that pretty much sums up everything that I can think of about the Airodump-ng display. Please leave comments on these tutorials so that I can improve them as I go. The next tutorial will be all about viewing the packets in Wireshark. There will probably be a couple of parts to it, as analyzing packets is a pretty technical subject. Anyways, I hope you liked it.
TuX out