Wireless pentest lab Part 6 – Remote Packet Capture

Wireless remote packet capture refers to the process of capturing network traffic on a remote device or network using a wireless connection. This is typically done by using specialized software or tools that can capture network packets and transmit them to a centralized location for analysis.

Remote packet capture can be useful in a variety of scenarios, such as when trying to troubleshoot network issues or monitor network activity from a remote location. By capturing network packets remotely, network administrators and security professionals can gain insight into network performance and identify potential security threats.

There are several tools available for wireless remote packet capture, including Wireshark, tcpdump, and TShark. These tools allow you to capture network packets and transmit them wirelessly to a centralized location for analysis. Some tools also provide additional features such as filtering and packet decoding, which can help you better understand the data that is being transmitted over the network.

Overall, wireless remote packet capture is a valuable tool for network administrators and security professionals who need to monitor network activity and identify potential security threats.

    1. Verify that the adapter is online
    └─$ iwconfig
    
    lo        no wireless extensions.
    
    eth0      no wireless extensions.
    
    wlan0     IEEE 802.11  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off
    
    wlan1     IEEE 802.11  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off
    

    2. Use airmon-ng to kill the processes running on the adapter that would interfere with monitor mode

    └─$ sudo airmon-ng check kill
    
    Killing these processes:
    
        PID Name
       3653 wpa_supplicant

    3. Put the interface into monitor mode

    └─$ sudo airmon-ng start wlan1
    
    [sudo] password for lab:
    
    Found 1 processes that could cause trouble.
    Kill them using 'airmon-ng check kill' before putting
    the card in monitor mode, they will interfere by changing channels
    and sometimes putting the interface back in managed mode
    
        PID Name
       3653 wpa_supplicant
    
    PHY     Interface       Driver          Chipset
    
    phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT3572
    phy1    wlan1           rt2800usb       Ralink Technology, Corp. RT2870/RT3070
                    (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
                    (mac80211 station mode vif disabled for [phy1]wlan1)
    phy2    wlan2mon        rt2800usb       Ralink Technology, Corp. RT2870/RT3070
    phy3    wlan3           rtl8814au       Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac
    
    Verify the status of the adapter.
    
    └─$ iwconfig
    
    lo        no wireless extensions.
    
    eth0      no wireless extensions.
    
    wlan0     IEEE 802.11  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off
    
    wlan3     unassociated  Nickname:"WIFI@RTL8814AU"
              Mode:Monitor  Frequency=2.412 GHz  Access Point: Not-Associated
              Sensitivity:0/0
              Retry:off   RTS thr:off   Fragment thr:off
              Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
    wlan2mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off
    
    wlan1mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=30 dBm
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off
    
    

    4. Configure the monitor device to send the capture to the remote host

    4.a Start Wireshark on the lab host and run the capture on wlan2mon

    5. Open Wireshark on the remote machine and point its SSH remote capture (the sshdump extcap interface) at wlan2mon on the lab host

    Note: the remote machine has no wireless adapter connected; every frame it displays comes from the lab host's wlan2mon over SSH.
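The same remote capture driven from the command line instead of the Wireshark GUI, as an added example that is not part of the original post. It assumes the lab host is reachable over SSH as lab@lab-host, that the account can run tcpdump via sudo without a password prompt, and that the monitor VIF is wlan2mon; the iwconfig excerpt inside it is constructed from the output above so the monitor-mode check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: command-line form of steps 3-5.
# Assumed names: lab box reachable over SSH as lab@lab-host, that account can run
# tcpdump via sudo without a password prompt, monitor VIF is wlan2mon.

# monitor_ifaces: read iwconfig output on stdin, print each interface whose block
# reports Mode:Monitor. Confirms that airmon-ng really created the monitor VIF.
monitor_ifaces() {
    awk '/^[A-Za-z0-9]/ { iface = $1 }                # unindented line starts a new interface
         /Mode:Monitor/ && iface != "" { print iface; iface = "" }'
}

# check_monitor_mode HOST IFACE: run iwconfig on the lab box and fail unless IFACE
# is in monitor mode, so a managed-mode interface is never streamed by mistake.
check_monitor_mode() {
    ssh "$1" iwconfig 2>/dev/null | monitor_ifaces | grep -qx "$2"
}

# remote_capture HOST IFACE [BPF filter...]: stream a live capture from the remote
# monitor interface into local Wireshark. tcpdump -U flushes every frame at once,
# '-w -' writes pcap to stdout, and 'wireshark -k -i -' captures from stdin immediately.
remote_capture() {
    host=$1; iface=$2; shift 2
    if ! check_monitor_mode "$host" "$iface"; then
        echo "$iface is not in monitor mode on $host (run airmon-ng start first)" >&2
        return 1
    fi
    ssh "$host" "sudo tcpdump -i $iface -U -s 0 -w - $*" | wireshark -k -i -
}

# Constructed iwconfig excerpt (abridged from the post's output) for an offline check.
SAMPLE_IWCONFIG='lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

wlan3     unassociated  Nickname:"WIFI@RTL8814AU"
          Mode:Monitor  Frequency=2.412 GHz  Access Point: Not-Associated

wlan2mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off'

# demo_monitor_ifaces: parse the sample; prints "wlan3" and "wlan2mon", not wlan0.
demo_monitor_ifaces() { printf '%s\n' "$SAMPLE_IWCONFIG" | monitor_ifaces; }

# Usage: ./remote-capture.sh lab@lab-host wlan2mon 'type mgt subtype beacon'
if [ $# -ge 2 ]; then
    remote_capture "$@"
fi
```

The optional trailing arguments are passed to tcpdump as a BPF filter, so only the frames of interest cross the SSH link.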
