Advanced Wireless Sniffing

16 min read

In this article by Raghu Reddy, author of the book Mastering Kali Linux Wireless Pentesting, we will be introduced to advanced wireless sniffing. Also, we will discuss various ways to capture, decrypt, and analyze traffic with WireShark to sniff and extract sensitive information from wireless networks.

(For more resources related to this topic, see here.)

Extracting sensitive information from a target network is often the goal of an attacker. To achieve this goal, they perform tedious tasks, such as crafting and sending spear phishing e-mails with malicious attachments. When the staff in an organization, unaware of the phishing e-mail, clicks on the links in the phishing e-mail and compromise their credentials, they even get infected by executing the malicious attachments that come with the phishing e-mail. Once the machines on the target network are compromised, attackers get a foothold on the target network and extract sensitive information. This task is often very tedious; the success of the attack depends on various factors, such as the software’s patching cycle, security applications/appliances deployed, user security awareness, and so on. Typically, the sniffing network traffic on the target network is given less importance during penetration testing activities. In my view, attack-infect-extract is not the only way by which an attacker achieves their goal. At times, simply sniffing on a target network can yield the same results. Sniffing data on a wireless network is easy when compared to a wired network.

Preparing the wireless card

Capturing traffic on a wireless network requires you to be present in the radio frequency range of the target network. If the wireless signal weakens when you move away from the network, try to get to the network as close as you can. If you want to capture the wireless traffic on the first floor, try to be in and around first the floor, closer to the target. It again depends on your wireless card power, antenna capabilities, and so on. It is recommended that you use a suitable wireless card for sniffing activities. Start with the following checklist before you start sniffing on a wireless network:

  • You need a wireless adapter that is capable of supporting the monitor mode; try to get one that supports the Monitor mode.
  • A wireless card should support the frequency range of the target network. A card with support for 802.11bgn mode is sufficient.
  • Get close to the target network as much as you can. The signal strength degrades when you move away from the network.

    Sniffing on a channel that is different from that of an access point will also show no packets.

The wireless card can be in any one of the following operating modes:

  • The Managed mode
  • The Ad-Hoc mode
  • The Monitor mode

The Managed mode: In this mode, the wireless card is not capable of receiving packets from the SSIDs that it is not associated to. If a card is associated to SSID “PACKT”, then it turns a blind eye to the packets from the other SSIDs. Whenever a wireless card is used to connect to an access point, it is in the managed mode.

The Ad-Hoc mode: This is used only in situations where peer-to-peer connections are made. This mode is used to construct a wireless network in the absence of an access point. Usually, access points are not seen in Ad-Hoc wireless networks.

The Monitor mode: This is the preferable mode if you wish to sniff wireless traffic. In this mode, the card can capture traffic from all SSIDs in the range without being associated to a particular SSID.

Run the iwconfig utility in Kali Linux to check the capabilities of the card, as follows:


The following screenshot is the result of the preceding command:

The output from iwconfig shows that the card is in the Managed mode and supports the IEEE 802.11bgn mode. Once we have detected the card and its capability, it’s time to start using the card to sniff. To start capturing using the card, put the card in the monitor mode by running the following command:

#airmon-ng start wlan1

The following screenshot is the result of the preceding command:

You can also use iwconfig to put the card in the monitor mode, but airmon-ng does it better. By running airmon-ng, you should have a new monitor mode interface named mon0 created as a result. Use the mon0 interface to sniff on the channel where the access point is functioning. To check the supported channels of your card, you can use the following iwlist command:

#iwlist mon0 channel

The following screenshot is the result of the preceding command:

As evident from the output, the card is currently in channel 1. To change it to different channel, say channel 6, use the iwconfig utility, as follows:

#iwconfig mon0 channel 6

The following screenshot is the result of the preceding command:

The output shows that the current frequency of the card is 2.437 GHz (Channel 6). Try playing with the card by putting it into different channels using iwconfig and checking the status with the iwlist command, as previously described.

Capturing traffic with WireShark

WireShark is a famous packet analyzer. It is a widely used open source tool; it could mean many things to many people. An SOC (short for Security Operations Center) analyst will use it as an incident response tool to investigate an incident, whereas an NOC (short for Network Operations Center) analyst can use it to troubleshoot network connectivity problems. WireShark has the capability to capture traffic on live interfaces, which enables us to capture wireless traffic via the monitor mode interface created on the wireless card.

The Monitor mode is not supported on Windows systems. This limits the capability of WireShark’s use on Windows systems for sniffing. Perform the following steps to start WireShark and capture the wireless traffic:

Before trying to capture with WireShark, scan the air with airodump-ng to get a list of access points and the channel in which they are functioning. Once the target access point’s channel is identified, use iwconfig to configure the channel of the wireless card.

  1. Run the following command to start WireShark:
  2. You can start capturing by selecting the monitor mode interface of the wireless card, as shown in the following screenshot:

  3. You can also do this by using another way, navigate to Capture | Interface. Select the interface that you need to start capturing the traffic. In our case, it is mon0 as shown in the following screenshot:

  4. Click on Start. You should see packets coming in and being displayed by WireShark. If you are not receiving packets, try to check whether the wireless card is in the same channel as that of the target access point. Save the PCAP to a file on disk for later analysis.

Decrypting using WireShark

Enable the wireless toolbar by navigating to View | Wireless Toolbar. This toolbar is handy when analyzing wireless capture files. You can input the decryption keys in the Decryption Keys… tab shown in the toolbar or via the Edit | Preferences | IEEE 802.11 tab. The keys are tested in the order in which they are listed. For example, if you have configured more than one key in WireShark, it will try the first key. If this is not successful, it tries the second key in the order.

You can decrypt the WEP, WPA, and WPA2 traffic using WireShark. You need to have the correct key configured to decrypt the traffic. Go to the Decryption Keys… tab in the wireless toolbar. Enter the new keys by selecting New. Then, input the key along with SSID, as shown in the following screenshot:

Once the key is added to the store, it will display all the keys present in the store. Currently, we have configured a WEP and WPA-PWD key, as shown in the following screenshot:

You also have the option to input the keys via the Edit | Preferences | Protocols | IEEE 802.11 tab, as shown in the following screenshot:

After capturing the traffic, open the trace file in WireShark. It will automatically decrypt the traffic with the correct key and show us the decrypted traffic. Once decrypted, we can see the normal traffic and extract useful information from it.

Analyzing the wireless traffic

Until now, we discussed how to create monitor mode on a wireless card and capture the traffic on the wireless network. After capturing the packet, it is time to analyze the trace file and extract useful information from it. In this section, we will discuss display filters in WireShark to focus on a specific type of packets. The more you are comfortable with display filters, the more you can extract from the PCAP.

Capture filters are applied during the live capturing session. These packets, which pass the criteria, are passed to the WireShark capturing engine. It will reduce the amount of packets that need to be captured. For example, if you do not wish to capture the Address Resolution Protocol (ARP) traffic and then apply the No ARP capture filter (as shown in the following screenshot), this will exclude all the ARP traffic during the live capturing session. Thus, you will get a Packet Capture (PCAP) trace with no ARP information in it. It is recommended that you don’t use capture filters sparingly, because packets discarded by capture filters cannot be retrieved. Try to capture the traffic with less or no capture filters so that you can capture all the packets flowing in the network. Later, you can focus on certain traffic by using the display filters.

Display filters are used to focus on a certain type of traffic. They are applied to the existing PCAP files. There is a lot of difference between a capture filter and a display filter. Capture filters are applied before capturing the traffic, whereas display filters are applied on PCAP files, which already exist. Use a display filter often rather than capture filters. For example, apply a DNS display filter to view all the DNS (short for Domain Name System) traffic captured on the network. In this way, we can find out the most visited domain and further conduct man-in-the-middle attacks using the most visited domains. The following screenshot shows the usage of the bootp display filter that focuses on only the DHCP traffic:

Rogue access points: Finding out the rogue access points in the network can be accomplished by using display filters in WireShark by performing the following steps:

  1. Start WireShark and capture the wireless traffic.
  2. Apply display filters for Beacon frames by using the wlan.fc.type_subtype ==8 command.
  3. Export the traffic to the CSV format and compare it with a list of the authorized access points.

Extracting data

HTTP (short for Hypertext Transfer Protocol) is an application layer protocol that is used to surf the Internet. It is a clear text protocol. You can extract the data passing through HTTP in clear text. As there is no encryption involved, anyone who’s capable of sniffing HTTP traffic can analyze and extract sensitive information, such as login credentials, office documents, data submitted through forms, and so on.

HTTP communications use the request and response model. An HTTP client is usually a web browser such as Mozilla Firefox, IE, Google Chrome, and so on. To make requests to HTTP servers, servers in turn send the response to the client’s request along with status codes. Data sent through HTTP is not encrypted; a third party can read the information to their benefit.

In order to avoid attackers who snoop on your traffic, HTTPS (short for HyperText Transfer Protocol Secure) is used as an alternative to HTTP. In HTTPS, the normal HTTP traffic is encrypted and sent to the server. In this scenario, even if the attacker captures the HTTPS traffic, they cannot decrypt the traffic. In both cases, we cannot prevent the attacker from sniffing the network, but with HTTPS, we can render the attack unsuccessful.

Analyzing the HTTP traffic can reveal useful information, which can be used in later stages of the penetration test assignment.

An attack scenario

Let’s consider a scenario where we have a sample PCAP of a web session in which a user’s login credentials are sent through HTTP. Ramesh is a user in the target wireless network who visits to get the latest updates on security. Let’s suppose that during the course of sniffing, we ended up with his login credentials sent through HTTP. By analyzing the PCAP, we can extract the username and password of the user. As it is sent over HTTP, it can be clearly viewed in plain text. Once the user credentials are compromised, further attacks such as sending spear phishing e-mails on behalf of the user and extracting valuable information from the user’s account are all possible. In this section, we will use various display filters, which will help us focus on the HTTP traffic.

One such PCAP is analyzed in the following section. Perform the following the steps to extract the user credentials that are sent via the HTTP Post request.

Use the http display filter to focus on the HTTP traffic, as shown in the following screenshot. You can also drill down to specific packets using advanced display filters:

Figure: showing display filter “http”

Try out the http.request.method ==POST display filter to focus on only the POST requests. This will show the POST requests sent to the servers. Usually, POST requests contain sensitive information. In this example, it is the username and password used to administer the access point.

Figure: showing POST request

Extracting HTTP objects

All the documents downloaded from the internet through HTTP can be extracted by using the HTTP objects option in WireShark. Navigate to File | Export Objects | HTTP. You can select the objects from the HTTP objects pane and save them to the disk for later reference.

Figure: HTTP objects pane

For example, let’s suppose that while capturing a packet, a user downloaded a document containing sensitive information at We can extract the documents by exporting the HTTP objects from WireShark. Save it to the disk for future analysis. A user who’s downloading a PDF file on beauty tips may not be useful to the penetration test, but an IT guy who’s downloading a PDF with usernames and passwords can be of tremendous use to us. You can also save all the HTTP objects by selecting the Save All option.

It is very hard to go through each and every packet in a PCAP file to determine whether a protocol is used or not. To view the statistics of all the protocols captured in the PCAP file, use the Protocol Hierarchy option in the Statistics tab. This will let us know what information is present in the trace file by protocol wise. Navigate to Statistics | Protocol Hierarchy. By using this option, we can see all the protocols used on the target network and extract information from the protocol of our choice.

Figure: Protocol hierarchy

Extracting the most visited sites

The DNS is typically used to obtain the IP address associated with a host name. Along with name resolution, it can also be used to query information about a domain, such as reverse DNS names, the e-mail server address, and so on. The DNS uses port 53 by default. Apply the dns display filter to focus on the DNS traffic, which reveals the domains visited by the users of the target network. This information can be used to figure out the most visited domain among the users. Once we identify the domain, we can host the fake webpage related to that domain and conduct a man-in-the-middle attack.

Figure: DNS filter

An SMTP (short for Simple Mail Transfer Protocol) is used to send e-mails. By default, SMTP is not secure. A third party that is capable of sniffing the communication between an SMTP client and an SMTP server can read the e-mail in clear text. To secure the communication, SMTPS is used. In SMTPS, a secure channel is established between the SMTP client and the server before sending the e-mail.

Thus, even if an attacker captures the traffic between the two parties, they cannot read the e-mail without decrypting it. The key used to secure a channel is kept private. Therefore, unless the key is compromised, there is no way to read the e-mail sent. By default, SMTP communications happen on port 25; SMTPS uses port 587. Apply the SMTP display filter to focus on e-mail traffic. At times, we come across sensitive e-mails in PCAP, which helps us penetrate further. POP is used to retrieve e-mails from the server. Use the pop display filter to focus on the POP traffic.

Figure: showing SMTP traffic

Merging PCAPs

Often, we end up collecting more than one PCAP trace file while sniffing. To merge two or more PCAP files into one, use mergecap. You can also select the File | Merge option in WireShark to do this. There are many ways to merge PCAP files. You can use the mergecap tool that comes in Kali Linux. The following command merges two PCAP files into one. The mergecap tool takes two individual PCAP files as a parameter:

#mergecap –w combined.pcap inputfile1.pcap inputfile2.pcap

The following screenshot shows how to use mergecap:

Figure: showing usage of mergecap


Sniffing is an activity where an attacker tries to capture the traffic on a wireless network and later cracks the decryption key by using cracking tools, which are readily available. Once you’ve cracked the decryption key, the attacker can read each and every packet that is encrypted by using the key.

If the WEP,WPA/WPA2 key is compromised, a potential attacker can capture and decrypt all the wireless traffic and extract useful information from them. WireShark can decrypt the WEP,WPA/WPA2 traffic. In this article, we discussed how to decrypt wireless traffic with the help of WireShark. We learned how to use display filters and capture filters effectively. Mastering the use of display filters to dig deep down and find the information that one is looking for is a valuable skill.

Wireshark has the capability to export HTTP objects, which can be used to extract the sensitive documents that were captured, such as .doc, .pdf, .pptx, .xls, and so on. All clear text protocols such as HTTP, FTP, SMTP, and so on are important candidates for further investigation. The data that passes through these protocols are not encrypted. Digging the information sent through these protocols can help us in the future stages of the penetration test assignment.

In this article, we discussed how to extract the documents sent via HTTP, e-mails sent over SMTP, and so on. This information may seem to be less important, but proper investigation can lead to a wealth of information. Every packet captured is valuable to an attacker.

Resources for Article:

Further resources on this subject:


Please enter your comment!
Please enter your name here