
How to Spy on Network Relationships with Airgraph-ng « Null Byte :: WonderHowTo



What if you could see, in seconds, which access point every nearby Wi-Fi device is connected to? Programs like Airodump-ng can intercept this wireless information, but making sense of the raw output is a challenge for hackers. Fortunately, a tool called Airgraph-ng can visualize the relationships between Wi-Fi devices after just a few seconds of wireless observation.

Signal Intelligence with Wi-Fi Devices

Signals intelligence is the science of understanding the human behavior and systems behind intercepted radio signals. To understand how to attack a target, we want to know as much as possible about the attack surface we need to consider. Without being connected to a network that uses encryption such as WPA or WPA2, we cannot rely on tricks like sending packets to look for other connected devices, because we are looking from the outside in.

Even when we cannot read the traffic, we can observe the relationships between Wi-Fi devices such as laptops, smartphones, and IoT products to learn more about the network and the people behind it. To understand how a network is put together, we can examine the surrounding Wi-Fi traffic to find out which devices are currently connected to which access point and build a list of relationships.


For an attacker, this means being able to walk through a building and create a map of which network every printer, security camera, and laptop is connected to. It is also possible to learn the names of networks that nearby Wi-Fi devices have recently connected to, which makes it easier to create a fake network they will automatically join.

Making Intercepted Signals Readable

Another use for this type of analysis is determining whether a device that represents a person, such as a smartphone, is present in a place. Mapping when someone comes and goes, based on their Wi-Fi activity, is an easy way to learn when someone is at home or using certain devices.

For this type of signal analysis, Kismet is one of the best ways to scan for relationships between nearby devices. Despite its usefulness, it is not trivial to set up, and interpreting the results is not always easy. After some setup, we can point it at a popular public access point and find out which devices are currently connected to it.

The information Kismet provides is a lot for a beginner. While Kismet gives an operator the ability to locate and spy on the Wi-Fi activity of any device near a network, there is an easier way to take a snapshot of the local Wi-Fi environment. With Airgraph-ng we can create a graphical version of this information, converting all of that text data into a picture of the relationships between nearby devices and the networks they are connected to. This provides immediate insight into the topography of the Wi-Fi networks within range.

Airgraph-ng for Signal Interpretation

To learn more about the topography of nearby networks and view the results as a graph, we must first collect the data and then process it. For collection, we use Airodump-ng, a program installed by default in Kali Linux. It "dumps" the Wi-Fi packets we intercept with our wireless network adapter into a file. With that CSV file, we can easily process what we have discovered and create a PNG graph of the relationships we identified.

To process the packets we intercept, we use another program installed by default, Airgraph-ng. It can display two types of information that are useful to a hacker. The first type of chart is a CAPR, or Client to Access Point Relationship, graph. It shows a map of every device currently connected to an access point and which network each one is connected to.

The second type of chart shows the names of the networks that Wi-Fi devices not currently connected to any access point are calling out for. This yields a list of networks that could be created to lure nearby devices into connecting.

Airgraph-ng is pretty straightforward, as you can tell from its man page entry.

  NAME
         airgraph-ng - a 802.11 visualization utility

  SYNOPSIS
         airgraph-ng [options]

  DESCRIPTION
         airgraph-ng graphs the CSV file generated by Airodump-ng. The idea is that we are showing
         the relationships of the clients to the APs, so don't be shocked if you see only one
         association, as you may only have captured one client.

  OPTIONS
         -h     Displays the help screen.

         -i     Airodump-ng CSV file

         -o     Output png file.

         -g     Choose the graph type. Current types are [CAPR (Client to AP Relationship) & CPG (Com‐
                mon probe graph)].

         -a     Print the info.

  EXAMPLES
         airgraph-ng -i dump-01.csv -o dump.png -g CAPR

         airgraph-ng -i dump-01.csv -o dump.png -g CPG

What You Need

To follow along, you need a wireless network adapter that supports wireless monitor mode. You also want one that is compatible with Kali Linux.

You should be running Kali Linux in a virtual machine, as a dual boot, or in some other way that lets Kali access the network adapter. If you are using a virtual machine, you must attach the USB adapter to the virtual machine for it to show up.

For this guide you do not need to be connected to a network, and you do not need permission for this. The information is transmitted unencrypted, which means we are just listening.


Step 1: Update Your System & Install as Needed

If you use Kali Linux, you should already have everything you need installed. First, we update the system and make sure we have the Aircrack-ng suite. To do this, connect your Kali computer to the internet and run the following commands in a terminal window.

  apt update
  apt upgrade
  apt install aircrack-ng

Now we check that the programs are installed. Run the following commands to view the help output for each program:

  airodump-ng --help
  Airodump-ng 1.5.2  - (C) 2006-2018 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: airodump-ng <options> <interface>[,<interface>,...]

  Options:
      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write      <prefix> : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update       <secs> : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f            <msecs> : Time in ms between hopping channels
      --berlin       <secs> : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r             <file> : Read packets from that file
      -x            <msecs> : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
      --wps                 : Display WPS information (if any)
      --output-format
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml, logcsv
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1
      --write-interval
                  <seconds> : Output file(s) write interval in seconds
      --background <enable> : Override background detection.

  Filter options:
      --encrypt   <suite>   : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid     <bssid>   : Filter APs by BSSID
      --essid     <essid>   : Filter APs by ESSID
      --essid-regex <regex> : Filter APs by ESSID using a regular
                              expression
      -a                    : Filter unassociated clients

  By default, airodump-ng hops on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --ht20                : Set channel to HT20 (802.11n)
      --ht40-               : Set channel to HT40- (802.11n)
      --ht40+               : Set channel to HT40+ (802.11n)
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C    <frequencies>   : Uses these frequencies in MHz to hop
      --cswitch  <method>   : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen

  airgraph-ng --help
  usage: airgraph-ng options [-o -i -g ]

  options:
    -h, --help            show this help message and exit
    -o OUTPUT, --output=OUTPUT
                          Our output image, i.e. ... Image.png
    -i INPUT, --dump=INPUT
                          Airodump txt file in CSV format. NOT the pcap
    -g GRAPH_TYPE, --graph=GRAPH_TYPE
                          Graph Type Current [CAPR (Client to AP Relationship)
                          OR CPG (Common probe graph)]

Once the help output for Airodump-ng and Airgraph-ng is displayed, you can begin intercepting and interpreting packets!

Step 2: Plug In Your Card & Enable Monitor Mode

Connect the wireless network adapter you want to use to listen for Wi-Fi packets. This should be a wireless network adapter that is compatible with Kali Linux. The Alfa AWUS036NHA is a solid choice, but there are many others that may suit your needs better.

Once you have connected your adapter, you can switch it to monitor mode with another Aircrack-ng program, Airmon-ng. We run ifconfig first to get the name of our network adapter, then use Airmon-ng to put the card into monitor mode. In our example, the adapter is called "wlan2".

  airmon-ng start wlan2
  Found 3 processes that could cause trouble.
  Kill them using 'airmon-ng check kill' before putting
  the card in monitor mode, they will interfere by changing channels
  and sometimes putting the interface back in managed mode

    PID Name
    561 NetworkManager
    627 wpa_supplicant
   3561 dhclient

  PHY     Interface       Driver          Chipset

  phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
  phy5    wlan2           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

                  (mac80211 monitor mode vif enabled for [phy5]wlan2 on [phy5]wlan2mon)
                  (mac80211 station mode vif disabled for [phy5]wlan2)

Now run ifconfig again. You should see that "mon" has been appended to your card's name. This means your card is in wireless monitor mode, and you can proceed to the next step.

Step 3: Start Airodump-ng & Save the CSV File

Now we can use our wireless card to listen for Wi-Fi packets in the area and record that information to a file. We use Airodump-ng to save every packet received on our network adapter to a file we can interpret later.

Using the name of our wireless network adapter, which is now in monitor mode, run the following command to save all packets intercepted on the wlan2mon interface (or whatever yours is called) to a file with the prefix capturefile.

  airodump-ng wlan2mon -w capturefile

  CH 10 ][ Elapsed: 4 mins ][ 2019-02-03 21:32

  BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

  14:CC:20:6D:22:BA  -26       69        0    0   8  130  WPA2 CCMP   PSK  CafeMak4_2.4G
  AA:6B:AD:6F:AC:55  -31      136        0    0   6   65  WPA2 CCMP   PSK  DIRECT-HQHL-L9310CDW_BRac55
  EC:1D:7F:F9:10:03  -33      159        0    0   6   65  WPA2 CCMP   PSK  cafemak_pwm
  2C:FD:A1:E4:9D:50  -40      109      152    0   9  260  WPA2 CCMP   PSK  CafeMak1_2.4G
  84:1B:5E:E9:8A:1A  -52      136     3668    0  11  54e  WPA2 CCMP   PSK  CafeMak6_2.4G
  16:18:D6:04:F1:1E  -58       54        2    0   1  195  WPA2 CCMP   PSK  770-Stab1
  26:18:D6:04:F1:1E  -59       74        0    0   1  195  WPA2 CCMP   PSK  770guest
  F8:18:97:65:BC:F3  -59       50        0    0   1  130  WPA2 CCMP   PSK  ATT717_guest
  06:18:D6:04:F1:1E  -60       52        0    0   1  195  WPA2 CCMP   PSK  exec
  04:18:D6:04:F1:1E  -60       87        0    0   1  195  WPA2 CCMP   PSK  770org
  3C:36:E4:F7:6D:20  -61       84        0    0   6  130  WPA2 CCMP   PSK  ATT120
  36:18:D6:04:EF:0F  -62       71        0    0   6  195  WPA2 CCMP   PSK
  06:18:D6:04:EF:0F  -62       66        0    0   6  195  WPA2 CCMP   PSK  exec
  36:18:D6:04:F1:1E  -62       64        0    0   1  195  WPA2 CCMP   PSK
  04:18:D6:04:EF:0F  -63      123        0    0   6  195  WPA2 CCMP   PSK  770org
  F8:18:97:65:BC:F2  -64       46        5    0   1  130  WPA2 CCMP   PSK  ATT717
  04:18:D6:04:2E:FA  -64       44        0    0   1  195  WPA2 CCMP   PSK  rb
  26:18:D6:04:EF:0F  -64       97        0    0   6  195  WPA2 CCMP   PSK  770guest
  16:18:D6:04:EF:0F  -64       78        0    0   6  195  WPA2 CCMP   PSK  770-Stab1
  A0:8C:FD:B7:9D:A9  -65       68        0    0   6   65  WPA2 CCMP   PSK  DIRECT-A8-HP OfficeJet 4650
  E8:8D:28:60:BE:77  -68       63        3    0   6  195  WPA2 CCMP   PSK  Joel's Wi-Fi Network

When you are done collecting packets, press Ctrl-C to stop recording. This produces a CSV file containing all the information we need.

Step 4: Create a Graph of AP Relationships (Connected Devices)

Now it is time to generate our first graph from the intercepted wireless data. You can think of this data as metadata: it tells us which devices are talking to each other, not what they are saying.

First, let's start with a graph of the client-to-access-point relationships. After locating the .csv file we created, run the following command in a terminal window to create a CAPR graph that links each device to its access point. Replace "CAPRintercept.png" with the name of the image you want to create and "/root/Desktop/cafemak-01.csv" with the path to your CSV file. Note that Airodump-ng appends a sequence number to the prefix you gave it, so a prefix of cafemak produces cafemak-01.csv.

  airgraph-ng -o CAPRintercept.png -i '/root/Desktop/cafemak-01.csv' -g CAPR
  **** WARNING Images can be large, up to 12 Feet by 12 Feet ****
  Creating your Graph using, /root/Desktop/cafemak-01.csv and writing to, cafemak.png
  Depending on your system this could take a bit. Please standby......

This should generate a graph for you to examine. Here is an example that shows the relationships between access points and devices and gives a clear overview of the topography of the local network.

Step 5: Create a Graph of Probe Frames (Unconnected Devices)

Next, we turn to devices that are not currently connected to an AP. From these devices we can learn the names of the networks they were previously connected to, which they may be tempted to join again if a fake version with the same name appears.

To get this information, we only need to reprocess the data we already intercepted into a different kind of graph. It is not necessary to gather more information; we just visualize it another way.

Open a terminal window and enter the following command, swapping "CPGintercept.png" for the name you want to save the chart under and "/root/Desktop/cafemak-01.csv" for the location of the CSV file you created earlier from the captured data.

  airgraph-ng -o CPGintercept.png -i '/root/Desktop/cafemak-01.csv' -g CPG
  **** WARNING Images can be large, up to 12 Feet by 12 Feet ****
  Creating your Graph using, /root/Desktop/cafemak-01.csv and writing to, cafemak.png
  Depending on your system this could take a bit. Please standby......

Airgraph-ng should create a new graphic showing the network names that nearby devices are probing for. This also lets you see which network names several devices in the vicinity would connect to.
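To make the two views from Steps 4 and 5 concrete, here is an added example (not code from the article or from Airgraph-ng itself) that parses the CSV layout Airodump-ng writes and rebuilds the CAPR and CPG relationships as plain Python dictionaries; the MAC addresses and network names in the sample are constructed, and the CPG view counts only unassociated clients, as the article describes. Running this over your own capture is also a quick way to audit which network names your organization's devices are broadcasting in probe requests.

```python
# Added example (not the article's or Airgraph-ng's code): rebuild the two Airgraph-ng views from an airodump-ng CSV.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample capture (made-up MACs and names, real airodump-ng column layout).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
14:CC:20:6D:22:BA, 2019-02-03 21:28:00, 2019-02-03 21:32:00,  8, 130, WPA2, CCMP, PSK, -26, 69, 0, 0.  0.  0.  0, 13, CafeMak4_2.4G,
F8:18:97:65:BC:F2, 2019-02-03 21:28:01, 2019-02-03 21:32:00,  1, 130, WPA2, CCMP, PSK, -64, 46, 0, 0.  0.  0.  0,  6, ATT717,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:11:22:33:44:01, 2019-02-03 21:29:00, 2019-02-03 21:31:00, -40, 12, 14:CC:20:6D:22:BA,CafeMak4_2.4G
02:11:22:33:44:02, 2019-02-03 21:29:05, 2019-02-03 21:31:30, -55, 3, (not associated) ,CafeMak4_2.4G,HomeNet
02:11:22:33:44:03, 2019-02-03 21:30:00, 2019-02-03 21:31:45, -70, 2, (not associated) ,HomeNet
02:11:22:33:44:04, 2019-02-03 21:30:10, 2019-02-03 21:31:50, -48, 40, F8:18:97:65:BC:F2,
"""

def parse_airodump_csv(text):
    """Return (aps: BSSID -> ESSID, stations: [(MAC, BSSID or None, [probed ESSIDs])])."""
    aps, stations, section = {}, [], None
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        row = [f.strip() for f in row]
        if not any(row):                        # blank separator line
            continue
        if row[0] in ("BSSID", "Station MAC"):  # column headers open each section
            section = row[0]
        elif section == "BSSID" and len(row) >= 14:
            aps[row[0]] = row[13]               # ESSID column of the AP section
        elif section == "Station MAC" and len(row) >= 6:
            bssid = None if row[5].startswith("(not associated)") else row[5]
            stations.append((row[0], bssid, [p for p in row[6:] if p]))
    return aps, stations

def client_ap_relationships(aps, stations):
    """CAPR view: network name (bare BSSID if no beacon was seen) -> client MACs."""
    capr = defaultdict(list)
    for mac, bssid, _ in stations:
        if bssid:
            capr[aps.get(bssid, bssid)].append(mac)
    return {k: sorted(v) for k, v in capr.items()}

def common_probe_graph(stations):
    """CPG view: probed name -> unassociated clients asking for it (as the article describes)."""
    cpg = defaultdict(set)
    for mac, bssid, probes in stations:
        if bssid is None:
            for name in probes:
                cpg[name].add(mac)
    return {k: sorted(v) for k, v in cpg.items()}
```

A name that appears under several clients in the CPG view is one that many nearby devices remember, which is exactly what makes it worth removing from corporate devices' saved-network lists.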

Interpretation of Results

For a hacker or penetration tester, the two graphs above are a goldmine of information. In the first, we can see which access point each nearby device is connected to. Once we have identified a target, this lets us isolate or pick out clients for a rogue MITM network: we can create a fake version of the network a device is currently connected to, take down the real network, and have the device automatically connect to the fake one.

In the second graph, we can identify networks that several different devices would connect to. These graphs can also reveal devices that use MAC address randomization, because even a device that changes its MAC address may keep probing for a network with a unique name after every change.

Hackers can use this information about the hardware present and how it is connected to work out an attack plan against a network. Because this technique is completely passive and requires no interaction with the network, there is little risk in gathering this information.

I hope you enjoyed this guide to using Airgraph-ng for Wi-Fi signals intelligence! If you have questions about this Wi-Fi recon tutorial or a comment, ask below or reach me on Twitter @KodyKinzie.


Cover image and screenshots by Kody / Null Byte
