
03. WiFi Monitoring (Passive Scanning)

Koutto edited this page Nov 1, 2020 · 1 revision

Monitor WiFi Networks with airodump-ng

Perform channel hopping among the channels of the 2.4GHz band (default):

airodump-ng mon0

Perform channel hopping among the channels of the 5GHz band:

airodump-ng --band a mon0

Monitor specific channel(s):

airodump-ng -c <channel> mon0
airodump-ng -c <chan1>,<chan2> mon0  # Monitoring with channel hopping on specified channels

Monitor a specific AP and write the dump to a file:

airodump-ng -c <channel> --bssid <MAC_AP> -w <capture_file> mon0

Generate Graph Images of Monitored WiFi

Generate graph of WiFi connections around (APs and clients connected to APs):

airodump-ng -r targetnet.pcap -w TARGETNET
airgraph-ng -i TARGETNET-01.csv -g CAPR -o targetnet-connections.png

Generate graph of probe requests sent by devices around (very useful for rebuilding the devices' PNLs, i.e. their preferred network lists):

airodump-ng -r targetnet.pcap -w TARGETNET
airgraph-ng -i TARGETNET-01.csv -g CPG -o targetnet-pnl.png

Alternative with BeaconGraph: https://github.com/daddycocoaman/BeaconGraph
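The `-01.csv` file that airgraph-ng reads is plain text with two sections (APs, then stations), so the CAPR and CPG views above can also be rebuilt directly. The following is an added example and not part of the original page or of the aircrack-ng suite; the sample CSV, MAC addresses and ESSIDs are constructed, and the parser assumes the section headers airodump-ng writes (`BSSID, ...` and `Station MAC, ...`). It also flags APs that beacon with an empty ESSID (hidden networks) and, from a defender's side, stations that are probing for one of your own SSIDs while unassociated, which is the configuration an evil-twin AP exploits and that client hardening (no auto-connect to hidden or unknown networks) removes.

```python
"""Parse an airodump-ng <prefix>-01.csv file into AP and station tables.

Rebuilds the two relationships airgraph-ng draws from the same file:
  CAPR - client-to-AP relationship (which station is associated to which AP)
  CPG  - client probe graph (which ESSIDs each station probes for: its PNL)
"""
from collections import defaultdict

# Constructed sample in the layout airodump-ng writes (MACs and ESSIDs are made up).
# The real file has the same two sections with the same header rows.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2020-11-01 10:00:00, 2020-11-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, CorpWiFi, 
AA:BB:CC:00:00:02, 2020-11-01 10:00:00, 2020-11-01 10:05:00, 11,  54, WPA2, CCMP, MGT, -55,       80,        0,   0.  0.  0.  0,   0, , 
AA:BB:CC:00:00:03, 2020-11-01 10:00:00, 2020-11-01 10:05:00,  1,  54, OPN,  ,   , -70,       30,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:00:00:01, 2020-11-01 10:00:00, 2020-11-01 10:05:00, -50,       15, AA:BB:CC:00:00:01, CorpWiFi
11:22:33:00:00:02, 2020-11-01 10:01:00, 2020-11-01 10:04:00, -60,        5, (not associated) , CorpWiFi,HomeNet,CoffeeShop
11:22:33:00:00:03, 2020-11-01 10:02:00, 2020-11-01 10:05:00, -65,        9, AA:BB:CC:00:00:03, 
"""


def parse_airodump_csv(text):
    """Return (aps, stations).

    aps:      {bssid: {"essid", "channel", "privacy", "auth"}}
    stations: {mac: {"bssid": associated AP or None, "probes": [essid, ...]}}
    """
    aps, stations, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        parts = [p.strip() for p in line.split(",")]
        if section == "ap" and len(parts) >= 15:
            # Fields 0..12 are fixed and the last field is always Key, so the
            # ESSID is whatever lies in between (it may itself contain commas).
            essid = ",".join(parts[13:-1])
            aps[parts[0]] = {"essid": essid, "channel": parts[3],
                             "privacy": parts[5], "auth": parts[7]}
        elif section == "station" and len(parts) >= 6:
            bssid = None if parts[5] == "(not associated)" else parts[5]
            stations[parts[0]] = {"bssid": bssid, "probes": [p for p in parts[6:] if p]}
    return aps, stations


def client_ap_relationships(aps, stations):
    """CAPR view: (station, AP ESSID or BSSID if hidden) for every associated station."""
    edges = []
    for mac, st in stations.items():
        if st["bssid"] is None:
            continue
        ap = aps.get(st["bssid"])
        edges.append((mac, ap["essid"] if ap and ap["essid"] else st["bssid"]))
    return sorted(edges)


def client_probe_graph(stations):
    """CPG view: probed ESSID -> sorted stations probing for it (the devices' PNLs)."""
    graph = defaultdict(set)
    for mac, st in stations.items():
        for essid in st["probes"]:
            graph[essid].add(mac)
    return {essid: sorted(macs) for essid, macs in graph.items()}


def hidden_aps(aps):
    """BSSIDs beaconing with an empty ESSID (hidden SSID)."""
    return sorted(bssid for bssid, ap in aps.items() if not ap["essid"])


def stations_probing_for(stations, watched_ssids):
    """Unassociated stations whose PNL contains one of our own SSIDs: these
    clients would join any AP advertising that name, so their profiles need
    hardening (disable auto-connect / probing for hidden networks)."""
    watched = set(watched_ssids)
    return sorted(mac for mac, st in stations.items()
                  if st["bssid"] is None and watched & set(st["probes"]))


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("CAPR:", client_ap_relationships(aps, stations))
    print("CPG:", client_probe_graph(stations))
    print("hidden APs:", hidden_aps(aps))
    print("probing for CorpWiFi:", stations_probing_for(stations, ["CorpWiFi"]))
```

Run it against a real `TARGETNET-01.csv` by replacing `SAMPLE_CSV` with the file contents. The split on `,` is the same heuristic airgraph-ng relies on, so an ESSID containing a comma is recovered correctly for APs (the Key field anchors the end of the row) but will appear as separate entries in a station's probe list.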

Monitor WiFi Networks with Kismet (nice all-in-one WEB UI)

kismet -c mon0

Find Hidden SSID

airodump-ng -c <channel> --bssid <MAC_AP> mon0
aireplay-ng -0 20 -a <MAC_AP> mon0

Determine WPA/WPA2-Enterprise EAP type

  1. Capture an EAP handshake:
airodump-ng -c <channel> --bssid <MAC_AP> -w <capture_file> mon0
  2. Analyze the EAP handshake packet capture with Wireshark:
    • Filter on "eap"
    • Check the "Type" field in the EAP messages
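The Wireshark check above reads the Type byte of the EAP header; the same can be done on raw EAPOL payloads, which is handy for scripting a configuration audit of your own network (confirming it really negotiates the method you deployed, and that supplicants send an anonymous outer identity rather than a real username in the clear). The following is an added example, not code from the original page or from Wireshark. The frames are constructed EAPOL payloads (what follows the 802.11 data header and the LLC/SNAP header with ethertype 0x888e); extracting them from a pcap is assumed to be done beforehand with a tool such as tshark or scapy.

```python
"""Determine the EAP method a WPA-Enterprise network negotiates from EAPOL frames.

EAPOL header (IEEE 802.1X): version(1) type(1) length(2); type 0 = EAP-Packet.
EAP header (RFC 3748):      code(1) identifier(1) length(2) [type(1) type-data...]
"""
import struct

EAPOL_EAP_PACKET = 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION, EAP_TYPE_NAK = 1, 2, 3

# IANA-registered EAP method types (subset)
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Legacy Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA",
    25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST", 50: "EAP-AKA'",
    52: "EAP-pwd", 55: "TEAP",
}

# Constructed sample exchange: Request/Identity, Response/Identity with an
# anonymous outer identity, then a PEAP start request and its response.
SAMPLE_FRAMES = [
    b"\x01\x00\x00\x05" + b"\x01\x01\x00\x05\x01",
    b"\x01\x00\x00\x1a" + b"\x02\x01\x00\x1a\x01" + b"anonymous@example.org",
    b"\x01\x00\x00\x06" + b"\x01\x02\x00\x06\x19\x20",   # Request, type 25 (PEAP), S flag
    b"\x01\x00\x00\x06" + b"\x02\x02\x00\x06\x19\x00",   # Response, type 25 (PEAP)
]
# Constructed EAPOL-Key frame (start of a 4-way handshake): EAPOL type 3, not EAP.
EAPOL_KEY = b"\x02\x03\x00\x5f" + b"\x02\x00\x8a"


def parse_eapol_eap(frame):
    """Return (code, identifier, eap_type, type_data) for an EAPOL EAP-Packet.

    eap_type is None for Success/Failure (no Type byte). Returns None for
    frames that are not EAP-Packets (e.g. EAPOL-Key) or are truncated.
    """
    if len(frame) < 4:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        return None
    body = frame[4:4 + length]
    if len(body) < 4:
        return None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        return None
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and eap_len >= 5:
        return code, ident, body[4], bytes(body[5:eap_len])
    return code, ident, None, b""


def outer_identity(frames):
    """Identity string from the first Response/Identity (sent unencrypted)."""
    for f in frames:
        p = parse_eapol_eap(f)
        if p and p[0] == EAP_CODE_RESPONSE and p[2] == EAP_TYPE_IDENTITY:
            return p[3].decode("utf-8", "replace")
    return None


def observed_eap_methods(frames):
    """Method names seen after the Identity exchange, in capture order.

    A Response of type 3 (Nak) means the peer refused the offered method; its
    type-data lists the methods it wants instead, so report those too.
    """
    seen = []
    for f in frames:
        p = parse_eapol_eap(f)
        if p is None:
            continue
        _code, _ident, eap_type, data = p
        if eap_type is None or eap_type in (EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION):
            continue
        if eap_type == EAP_TYPE_NAK:
            wanted = ", ".join(EAP_TYPES.get(t, f"unknown({t})") for t in data)
            entry = f"Nak -> {wanted}"
        else:
            entry = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if entry not in seen:
            seen.append(entry)
    return seen


if __name__ == "__main__":
    print("outer identity:", outer_identity(SAMPLE_FRAMES))
    print("EAP methods:", observed_eap_methods(SAMPLE_FRAMES))
```

For an audit, a result of `MD5-Challenge` or `LEAP` is a finding in itself (no server authentication, weak password hashing), while for tunnelled methods such as PEAP or EAP-TTLS the bytes show only the outer method; the inner method (for example EAP-MSCHAPv2) is inside the TLS tunnel and not visible to a passive observer.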

Wardriving

https://wigle.net/
