
How to Spy on Network Relationships with Airgraph-Ng « Null Byte :: WonderHowTo



What if you could visualize, in seconds, which access point every Wi-Fi device in range is connected to? Programs like Airodump-ng can intercept this wireless information, but making it easy for a hacker to read and understand is another challenge. Fortunately, a tool called Airgraph-ng can visualize the relationships between Wi-Fi devices from just a few seconds of wireless observation.

Signal Intelligence with Wi-Fi Devices

Signals intelligence is the science of understanding the human behavior and systems behind intercepted radio signals. To understand how to attack a target, we want the maximum amount of information about the target area we are dealing with. Without being connected to a network protected by encryption such as WPA or WPA2, we cannot rely on tricks like sending packets to look for other connected devices, because we are on the outside looking in.

We can't read the traffic flowing between devices, but we can look at the relationships between Wi-Fi devices like laptops, smartphones, and IoT products to learn about the network and the people behind it. To understand how a network is connected, we can sniff the Wi-Fi radio traffic in the area to discover which devices are currently connected to which access point, building a list of relationships.


For an attacker, this means you can walk through a building and create a map of which access point each printer, security camera, and laptop is connected to. It is also possible to learn the names of networks that Wi-Fi devices have recently connected to, making it easy to create a fake network that they will automatically connect to.

Making Intercepted Signals Readable

Another use for this type of analysis is determining whether a device that represents a person, such as a smartphone, is present at a location. Creating a map of when someone comes and goes based on their Wi-Fi activity is an easy way to learn when someone is at home or using certain devices.

For this type of signal analysis, Kismet is one of the best ways to scan the relationships between nearby devices. Despite how useful it is, it is not always easy to set up or to interpret its results. With some configuration, we can focus on a popular public access point and learn about the devices currently connected to it.

The information Kismet produces can be a lot for a beginner to absorb. While Kismet lets an operator detect and then monitor the Wi-Fi activity of a device connected to a nearby network, there is an easier way to view a tactical snapshot of the local Wi-Fi environment. With Airgraph-ng, we can make a graphical version of this information: we take all of that text data and convert it into a graphical snapshot of the relationships between nearby devices and the networks they are connected to.

Airgraph-Ng for Signal Interpretation

To learn the topography of neighboring networks and display the results as a chart, we first collect and then process the data. For collection, we use a program installed by default in Kali Linux called Airodump-ng. This program "dumps" the Wi-Fi packets our wireless network adapter hears into a file. The resulting CSV file lets us easily process what we discovered and create a PNG chart showing the detected relationships.

To process the packets we captured, we use another program installed by default, Airgraph-ng. It can visualize two types of information useful to a hacker. The first type of graph is the CAPR, or Client to Access Point Relationship, graph. It shows a map of each device currently connected to an access point and which network that access point belongs to.

The second type of chart shows us the names of networks that Wi-Fi devices not currently connected to an access point are probing for. This reveals a list of network names that nearby devices would connect to if a network with that name were created.

Airgraph-ng is quite simple, as its manual page shows.

  NAME
       airgraph-ng - an 802.11 visualization utility

SYNOPSIS
       airgraph-ng

DESCRIPTION
       airgraph-ng graphs the CSV file generated by Airodump-ng. The idea is that we are showing
       the relationships of the clients to the APs, so don't be shocked if you only see one AP
       with a single client connected to it.

OPTIONS
       -h     Displays the help screen.

       -i     Airodump-ng CSV file

       -o     Output png file.

       -g     Choose the graph type. Current types are [CAPR (Client to AP Relationship) & CPG
              (Common probe graph)].

       -a     Print the about.

EXAMPLES
       airgraph-ng -i dump-01.csv -o dump.png -g CAPR

       airgraph-ng -i dump-01.csv -o dump.png -g CPG

What you need

To follow along, you need a wireless network adapter that supports monitor mode. You also want one that is compatible with Kali Linux.

You should run Kali Linux in a virtual machine, dual-booted, or in some other way that lets Kali access the network adapter. If you do so in a virtual machine, you need to attach the USB adapter to the virtual machine for it to appear.

For this guide you do not need to be connected to a network, and you do not need permission to make these observations. The information is sent unencrypted, which means we are only observing.


Step 1: Update Your System and Install Anything Needed

If you are running Kali Linux, you should already have everything you need installed. First, we update the system and make sure we have the Aircrack-ng suite. To do so, connect your Kali computer to the internet and run the following commands in a terminal window.

  apt update
apt upgrade
apt install aircrack-ng 

Now, let's check that the programs are installed. Run the following commands to see the help output for each application.

  airodump-ng --help
  Airodump-ng 1.5.2  - (C) 2006-2018 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: airodump-ng <options> <interface>[,<interface>,...]

  Options:
      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write      <prefix> : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update       <secs> : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f            <msecs> : Time in ms between hopping channels
      --berlin       <secs> : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r             <file> : Read packets from that file
      -x            <msecs> : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
      --wps                 : Display WPS information (if any)
      --output-format
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml, logcsv
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1
      --write-interval
                  <seconds> : Output file(s) write interval in seconds
      --background <enable> : Override background detection.

  Filter options:
      --encrypt   <suite>   : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid     <bssid>   : Filter APs by BSSID
      --essid     <essid>   : Filter APs by ESSID
      --essid-regex <regex> : Filter APs by ESSID using a regular
                              expression
      -a                    : Filter unassociated clients

  By default, airodump-ng hops on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --ht20                : Set channel to HT20 (802.11n)
      --ht40-               : Set channel to HT40- (802.11n)
      --ht40+               : Set channel to HT40+ (802.11n)
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C    <frequencies>   : Uses these frequencies in MHz to hop
      --cswitch  <method>   : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen
  airgraph-ng --help
  Usage: airgraph-ng options [-o -i -g ]

  Options:
    -h, --help            show this help message and exit
    -o OUTPUT, --output=OUTPUT
                          Our Output Image ie... Image.png
    -i INPUT, --dump=INPUT
                          Airodump txt file in CSV format. NOT the pcap
    -g GRAPH_TYPE, --graph=GRAPH_TYPE
                          Graph Type Current [CAPR (Client to AP Relationship)
                          OR CPG (Common probe graph)]

If you see the help output for both Airodump-ng and Airgraph-ng, we are ready to start listening to and interpreting packets!

Step 2: Connect Your Card and Activate Monitor Mode

Connect the wireless network card you intend to use to sniff Wi-Fi packets. This should be a wireless network adapter compatible with Kali Linux. The Alfa AWUS036NHA is a solid one to use, but there are many others that may suit your needs better.

Once you have connected your adapter, we can put it in monitor mode using another program installed with Aircrack-ng. We use Airmon-ng to put our card in monitor mode after running ifconfig to get the name of our network adapter. In our example, our adapter is called "wlan2."

  airmon-ng start wlan2
  Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  561 NetworkManager
  627 wpa_supplicant
 3561 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy5    wlan2           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

                (mac80211 monitor mode vif enabled for [phy5]wlan2 on [phy5]wlan2mon)
                (mac80211 station mode vif disabled for [phy5]wlan2)

Now run ifconfig again. You should see that your card's name now has "mon" added to the end. This means your card is in wireless monitor mode, and you are ready to move on to the next step.

Step 3: Run Airodump-Ng and Save CSV File

Now that our wireless card can hear every Wi-Fi packet in the area, we need to start recording this information to a file. We use Airodump-ng to do so, effectively dumping every packet received on our network adapter into a file that we can interpret later.

Remembering the name of our wireless network adapter that is now in monitor mode, run the following command to save all packets heard by the "wlan2mon" interface (or whatever yours is called) to a file named capturefile. Airodump-ng appends a sequence number and an extension to the prefix you give, so the CSV it writes will be called capturefile-01.csv.

  airodump-ng wlan2mon -w capturefile
  CH 10 ][ Elapsed: 4 mins ][ 2019-02-03 21:32

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 14:CC:20:6D:22:BA  -26       69        0    0   8  130  WPA2 CCMP   PSK  CafeMak4_2.4G
 AA:6B:AD:6F:AC:55  -31      136        0    0   6  65   WPA2 CCMP   PSK  DIRECT-HQHL-L9310CDW_BRac55
 EG:1D:7F:F9:10:03  -33      159        0    0   6  65   WPA2 CCMP   PSK  cafemak_pwm
 2C:FD:A1:E4:9D:50  -40      109      152    0   9  260  WPA2 CCMP   PSK  CafeMak1_2.4G
 84:1B:5E:E9:8A:1A  -52      136     3668    0  11  54e  WPA2 CCMP   PSK  CafeMak6_2.4G
 16:18:D6:04:F1:1E  -58       54        2    0   1  195  WPA2 CCMP   PSK  770staff1
 26:18:D6:04:F1:1E  -59       74        0    0   1  195  WPA2 CCMP   PSK  770guest
 F8:18:97:65:BC:F3  -59       50        0    0   1  130  WPA2 CCMP   PSK  ATT717_guest
 06:18:D6:04:F1:1E  -60       52        0    0   1  195  WPA2 CCMP   PSK  exec
 04:18:D6:04:F1:1E  -60       87        0    0   1  195  WPA2 CCMP   PSK  770org
 3C:36:E4:F7:6D:20  -61       84        0    0   6  130  WPA2 CCMP   PSK  ATT120
 36:18:D6:04:EF:0F  -62       71        0    0   6  195  WPA2 CCMP   PSK
 06:18:D6:04:EF:0F  -62       66        0    0   6  195  WPA2 CCMP   PSK  exec
 36:18:D6:04:F1:1E  -62       64        0    0   1  195  WPA2 CCMP   PSK
 04:18:D6:04:EF:0F  -63      123        0    0   6  195  WPA2 CCMP   PSK  770org
 F8:18:97:65:BC:F2  -64       46        5    0   1  130  WPA2 CCMP   PSK  ATT717
 04:18:D6:04:2E:FA  -64       44        0    0   1  195  WPA2 CCMP   PSK  rb
 26:18:D6:04:EF:0F  -64       97        0    0   6  195  WPA2 CCMP   PSK  770guest
 16:18:D6:04:EF:0F  -64       78        0    0   6  195  WPA2 CCMP   PSK  770staff1
 A0:8C:FD:B7:9D:A9  -65       68        0    0   6  65   WPA2 CCMP   PSK  DIRECT-A8-HP OfficeJet 4650
 E8:8D:28:60:BE:77  -68       63        3    0   6  195  WPA2 CCMP   PSK  Joel's Wi-Fi network

When we are done collecting packets, press Ctrl-C to stop the capture. This generates a CSV file containing all the information we need.

Step 4: Generate a Graph for Connected Devices

Now it is time to generate our first graph from the wireless data we've been listening to. You can think of this data as metadata: it tells us which devices are talking to each other, but not what they said.

First, we generate a graph of the client-to-AP relationships. Once you have located the CSV file we created, run the following command in a terminal window to create a CAPR chart of which device is connected to which access point. Replace "CAPRintercept.png" with the name of the graph you want to create and "/root/Desktop/cafemak-01.csv" with the path to your CSV file.

  airgraph-ng -o CAPRintercept.png -i '/root/Desktop/cafemak-01.csv' -g CAPR
  **** WARNING Images can be large, up to 12 feet by 12 feet ****
Creating your graph using /root/Desktop/cafemak-01.csv and writing to cafemak.png
Depending on your system, this can take a bit. Please stand by ......

This should generate a graph to explore. Here we can see an example showing the relationships between access points and devices, which gives a clear overview of the local network's topography.

Step 5: Generating a Graph of Disconnected Devices

Next, let's look at nearby devices that are not connected to an AP. From these devices we can learn the names of networks they have previously connected to, which could let us trick them into connecting to a fake version with the same name.

To get this information, we simply process the data we already captured into a different type of graph. There is no need to go back and collect more; we only need to visualize it another way.

Open a terminal window and type the following command, replacing "CPGintercept.png" with the name of the file you want to save the graph to, and "/root/Desktop/cafemak-01.csv" again with the location of the CSV file you created earlier from the captured data.

  airgraph-ng -o CPGintercept.png -i '/root/Desktop/cafemak-01.csv' -g CPG
  **** WARNING Images can be large, up to 12 feet by 12 feet ****
Creating your graph using /root/Desktop/cafemak-01.csv and writing to cafemak.png
Depending on your system, this can take a bit. Please stand by ......

Airgraph-ng will generate a new chart showing the networks that nearby devices are probing for. Here you can also identify which network names several nearby devices would connect to.
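To show what the Airodump-ng CSV from Step 3 actually contains and what Airgraph-ng does with it in Steps 4 and 5, here is an added Python example; it is not the article's code and not part of the Aircrack-ng project. It parses the two tables of an airodump-ng CSV dump, derives the same two relationship sets that the CAPR and CPG graphs draw (client to access point, and probed network name to unassociated client), and writes each as a Graphviz DOT graph. It also adds the defender-side check this data makes possible: any BSSID advertising one of your own ESSIDs that is not in your AP inventory. The dump embedded at the top is constructed for the demonstration, and the parser assumes ESSIDs contain no commas.

```python
"""Parse an airodump-ng CSV dump and derive the two relationship views that
airgraph-ng draws: CAPR (client -> access point) and CPG (probed ESSID ->
unassociated client), then emit them as Graphviz DOT. Added example, not
airgraph-ng's own code; SAMPLE_CSV is constructed."""
from collections import defaultdict

# Constructed dump in the layout airodump-ng writes: an AP table, a blank
# line, then a station table. Fields are separated by ", "; several probed
# ESSIDs in the last station column are joined with a bare ",".
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
14:CC:20:6D:22:BA, 2019-02-03 21:28:00, 2019-02-03 21:32:10,  8, 130, WPA2, CCMP, PSK, -26,  69,  0,   0.  0.  0.  0,  13, CafeMak4_2.4G,
2C:FD:A1:E4:9D:50, 2019-02-03 21:28:01, 2019-02-03 21:32:10,  9, 260, WPA2, CCMP, PSK, -40, 109,  0,   0.  0.  0.  0,  13, CafeMak1_2.4G,
DE:AD:BE:EF:00:01, 2019-02-03 21:31:00, 2019-02-03 21:32:10,  8, 130, WPA2, CCMP, PSK, -35,  12,  0,   0.  0.  0.  0,  13, CafeMak4_2.4G,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:11:22:33:44:01, 2019-02-03 21:28:05, 2019-02-03 21:31:59, -40, 152, 14:CC:20:6D:22:BA, CafeMak4_2.4G
AA:11:22:33:44:02, 2019-02-03 21:28:07, 2019-02-03 21:32:00, -55,  20, 2C:FD:A1:E4:9D:50,
AA:11:22:33:44:03, 2019-02-03 21:29:10, 2019-02-03 21:32:05, -61,   4, (not associated), HomeNet_5G,CafeMak1_2.4G
AA:11:22:33:44:04, 2019-02-03 21:30:00, 2019-02-03 21:32:08, -70,   2, (not associated), HomeNet_5G
"""

NOT_ASSOCIATED = "(not associated)"


def parse_airodump_csv(text):
    """Return (aps, stations): aps maps BSSID -> ESSID; stations is a list of
    (station MAC, associated BSSID or None, [probed ESSIDs]).
    Simplification: assumes ESSIDs themselves contain no commas."""
    aps, stations, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):          # header of the AP table
            section = "ap"
            continue
        if line.startswith("Station MAC,"):    # header of the station table
            section = "station"
            continue
        if section == "ap":
            f = [x.strip() for x in line.split(",")]
            aps[f[0]] = f[13]                  # column 13 is the ESSID
        elif section == "station":
            # Six fixed columns, then the probe list (which may hold commas).
            f = [x.strip() for x in line.split(",", 6)]
            bssid = None if f[5] == NOT_ASSOCIATED else f[5]
            probes = f[6].split(",") if len(f) > 6 else []
            stations.append((f[0], bssid, [p.strip() for p in probes if p.strip()]))
    return aps, stations


def capr(stations):
    """Client-to-AP relationships keyed by BSSID (what the CAPR graph draws)."""
    rel = defaultdict(list)
    for mac, bssid, _ in stations:
        if bssid is not None:
            rel[bssid].append(mac)
    return dict(rel)


def cpg(stations):
    """Common probe graph: probed ESSID -> unassociated clients asking for it."""
    rel = defaultdict(list)
    for mac, bssid, probes in stations:
        if bssid is None:
            for essid in probes:
                rel[essid].append(mac)
    return dict(rel)


def rogue_ap_candidates(aps, our_essids, known_bssids):
    """Defender's check on the AP table: BSSIDs advertising one of our ESSIDs
    that are not in our own inventory (evil-twin / rogue AP candidates)."""
    wanted, known = set(our_essids), set(known_bssids)
    return sorted(b for b, e in aps.items() if e in wanted and b not in known)


def to_dot(graph_type, aps, stations):
    """Render CAPR or CPG as an undirected Graphviz graph (render with `dot`)."""
    out = ["graph airgraph {", "  node [shape=box];"]
    if graph_type == "CAPR":
        for bssid, clients in capr(stations).items():
            label = aps.get(bssid, "?") + "\\n" + bssid
            out.append(f'  "{bssid}" [label="{label}", style=filled, fillcolor=lightblue];')
            out += [f'  "{c}" -- "{bssid}";' for c in clients]
    elif graph_type == "CPG":
        for essid, clients in cpg(stations).items():
            out.append(f'  "{essid}" [style=filled, fillcolor=lightyellow];')
            out += [f'  "{c}" -- "{essid}";' for c in clients]
    else:
        raise ValueError("graph type must be CAPR or CPG")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(to_dot("CAPR", aps, stations))
    print(to_dot("CPG", aps, stations))
    # Inventory says only 14:CC:20:6D:22:BA is ours, so the DE:AD:... AP
    # beaconing the same ESSID is flagged.
    print("rogue AP candidates:", rogue_ap_candidates(
        aps, ["CafeMak4_2.4G"], ["14:CC:20:6D:22:BA"]))
```

Piping the DOT text into Graphviz (`dot -Tpng capr.dot -o capr.png`) gives a picture comparable to Airgraph-ng's. For a defender the dictionaries are more useful than the picture: the CAPR map is a live inventory of which clients sit on which BSSID, and `rogue_ap_candidates` turns the AP table into an alert whenever an unknown BSSID starts beaconing one of your network names.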

Interpreting the Results

For a hacker or penetration tester, the previous two graphs are a gold mine of information. In the first, we can see which access point each nearby device is associated with, so that if we identify a target we can isolate or capture its clients on a fake MITM network. Because of this, we can create a fake version of a network that a device is currently connected to, kick it off the real network, and have it automatically connect to the fake version.

In the second graph, we can identify networks we could create that would cause multiple devices to connect. These charts can also reveal devices that use MAC address randomization, since even a device that keeps changing its MAC address can be spotted probing for a network with a unique name under each new address.

Hackers can use this information about the types of hardware present, and how they are linked, to arrive at a plan for attacking a network. Since this technique is completely passive and requires no interaction with the network, the risk of being caught gathering this information is almost non-existent.
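The MAC-randomization point above, worked through as an added Python example from the defender's side (not code from the article): given the probe lists airodump-ng records per station, it checks which addresses are locally administered (the bit that randomized MACs set), groups such addresses by identical probe set so that one device seen under several addresses stands out, and reports which clients are leaking the defender's own SSIDs in probe requests. The station list and SSID names are constructed placeholders.

```python
"""Interpret airodump-ng probe data: detect one device probing under rotating
randomized MACs, and list clients that reveal our SSIDs in the clear.
Added example, not from the original article; the station list is constructed."""
from collections import defaultdict

# Constructed sample: (station MAC, ESSIDs it probed for), as they would
# appear in the "Probed ESSIDs" column of an airodump-ng CSV.
SAMPLE_STATIONS = [
    ("DA:11:22:33:44:01", ["CorpNet", "HomeNet_5G"]),
    ("DE:55:66:77:88:02", ["CorpNet", "HomeNet_5G"]),
    ("00:11:22:33:44:55", ["CafeMak1_2.4G"]),
    ("AA:11:22:33:44:04", ["HomeNet_5G"]),
]


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set; randomized
    MACs generated by phones and laptops set this bit, burned-in ones do not."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def probe_fingerprint(probes):
    """The set of probed ESSIDs, ignoring empty entries."""
    return frozenset(p for p in probes if p)


def cluster_randomized(stations, min_members=2):
    """Group locally-administered MACs by identical probe set. A group with
    several members is most likely one device seen under rotating addresses,
    which is exactly what a unique probed network name gives away."""
    groups = defaultdict(list)
    for mac, probes in stations:
        fp = probe_fingerprint(probes)
        if fp and is_locally_administered(mac):
            groups[fp].append(mac)
    return {fp: macs for fp, macs in groups.items() if len(macs) >= min_members}


def clients_probing_for(stations, our_ssids):
    """Stations that name one of our SSIDs in probe requests: each is a client
    that would auto-join a same-named network, so it is evil-twin exposure."""
    wanted = set(our_ssids)
    return {mac: sorted(wanted & set(probes))
            for mac, probes in stations if wanted & set(probes)}


if __name__ == "__main__":
    for fp, macs in cluster_randomized(SAMPLE_STATIONS).items():
        print("probable single device:", macs, "probing", sorted(fp))
    print("leaking CorpNet:", clients_probing_for(SAMPLE_STATIONS, ["CorpNet"]))
```

The clustering is only a heuristic: two unrelated devices that probe for the same pair of names would be merged. That is rare for unusual names, which is why the defensive response is to stop clients from sending directed probes for your SSID at all (disable auto-join for hidden or legacy profiles, and use 802.1X so a same-named network is not automatically trusted).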

I hope you enjoyed this guide to using Airgraph-ng for Wi-Fi signals intelligence! If you have any questions about this guide on Wi-Fi recon or if you have a comment, ask below or feel free to contact me on Twitter @KodyKinzie.


Cover photo and screenshots by Kody / Null Byte



