Even without a GUI (no desktop) you can analyze the Wi-Fi environment around you very quickly.
The aim of this tutorial is to analyze stations and access points in order to lure people and devices into the honeypot more effectively.
You should already have read (and successfully carried out) the following tutorials.
Install the following packages (or make sure they are already installed).
# update system (optional)
$ sudo apt update -y && sudo apt upgrade -y
# install optional packages (optional)
$ sudo apt install -y vim wireless-tools
# install needed packages
$ sudo apt install -y tcpdump wavemon aircrack-ng
In this tutorial we need the wlan1 interface in so-called monitor mode. You cannot use the Raspberry Pi's onboard wlan0 interface for this (its chip does not support monitor mode with the stock driver), so wlan1 has to be a second adapter, typically a USB one, whose chipset and driver do support it.
If you have already set up an Access Point and/or a Captive portal, you should stop them now!
# stop nodogsplash service
$ sudo systemctl stop nodogsplash
# stop hostapd service
$ sudo systemctl stop hostapd
# stop dnsmasq service
$ sudo systemctl stop dnsmasq
The Wi-Fi interface (wlan1) must be set into "monitor mode".
# set interface down
$ sudo ip link set wlan1 down
# turn interface into monitor mode
$ sudo iwconfig wlan1 mode monitor
# set interface up
$ sudo ip link set wlan1 up
# set interface to specific channel
$ sudo iwconfig wlan1 channel 9
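As an added example (not part of the original tutorial), the same procedure written with the newer iw tool instead of the deprecated iwconfig, plus a check that the driver really switched modes before you start capturing. The interface name and channel are parameters; the defaults wlan1 and channel 9 mirror the tutorial. The parsing of `iw dev <iface> info` output is kept in small functions so the check can also be exercised on saved output without hardware.

```shell
#!/usr/bin/env bash
# Added example, not code from the original tutorial: switch an interface into
# monitor mode with iw(8) and verify that the driver actually did it.
# Usage:  sudo ./wlan_mode.sh monitor [iface] [channel]
#         sudo ./wlan_mode.sh managed [iface]
# Defaults (wlan1, channel 9) are the tutorial's values.

# Extract the mode ("managed", "monitor", ...) from `iw dev <iface> info`
# output, which contains a line such as "        type monitor".
iface_type() {
    sed -n -E 's/^[[:space:]]*type[[:space:]]+([^[:space:]]+).*/\1/p' | head -n 1
}

# Extract the channel number from the same output; the line looks like
# "        channel 9 (2452 MHz), width: 20 MHz (no HT), center1: 2452 MHz".
iface_channel() {
    sed -n -E 's/^[[:space:]]*channel[[:space:]]+([0-9]+).*/\1/p' | head -n 1
}

# Put the interface into monitor mode on the given channel and fail loudly if
# the driver silently refused (as the Pi's onboard wlan0 does).
set_monitor() {
    iface="$1"; channel="${2:-9}"
    ip link set "$iface" down
    iw dev "$iface" set type monitor
    ip link set "$iface" up
    iw dev "$iface" set channel "$channel"
    if [ "$(iw dev "$iface" info | iface_type)" != "monitor" ]; then
        echo "$iface is not in monitor mode; does the driver support it?" >&2
        return 1
    fi
    echo "$iface: monitor mode, channel $(iw dev "$iface" info | iface_channel)"
}

# Switch back to managed mode (needed before using wavemon or hostapd again).
set_managed() {
    iface="$1"
    ip link set "$iface" down
    iw dev "$iface" set type managed
    ip link set "$iface" up
    echo "$iface: $(iw dev "$iface" info | iface_type) mode"
}

case "${1:-}" in
    monitor) set_monitor "${2:-wlan1}" "${3:-9}" ;;
    managed) set_managed "${2:-wlan1}" ;;
esac
```

The mode check matters because tcpdump and airodump-ng happily start on a managed interface and simply show you nothing useful; checking `iw dev wlan1 info` for `type monitor` before capturing saves a confusing few minutes.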
Note: Read this Wikipedia article to get more information.
To analyze STAs (stations) that are looking for access points they already know, you can capture their probe requests (probe-req) with tcpdump.
# capture STA's looking for SSID
$ sudo tcpdump -i wlan1 -s 0 type mgt subtype probe-req
# capture STA's looking for SSID and show mac address
$ sudo tcpdump -i wlan1 -s 0 -e type mgt subtype probe-req
That output looks ugly; do you know grep?
# extract the SSIDs with grep (-P needs GNU grep built with PCRE support)
$ sudo tcpdump -i wlan1 -s 0 -l type mgt subtype probe-req | grep -o -P '\(\K[^\)]+'
# extract MAC addresses with grep (with -e the station's own address is the SA field)
$ sudo tcpdump -i wlan1 -s 0 -l -e type mgt subtype probe-req | grep -o -E '([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}'
Keep in mind that most current phones randomize their MAC address while probing, so the number of distinct addresses overstates the number of devices around you.
Nobody likes to stare at the screen all the time; you can save everything to a text file instead.
# save to file
$ sudo tcpdump -i wlan1 -s 0 -l type mgt subtype probe-req | grep -o -P '\(\K[^\)]+' --line-buffered | tee -a STAs.txt
# count how often each SSID was seen (uniq -d lists only SSIDs that appeared more than once)
$ sort STAs.txt | uniq -cd
To analyze the access points around you, you can capture beacon and/or probe-resp frames with tcpdump.
# capture AP's
$ sudo tcpdump -i wlan1 -e -s 256 -l type mgt subtype beacon or subtype probe-resp
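The grep one-liners above show one field at a time. As an added example (not code from the original tutorial), the following script turns a saved tcpdump -e capture into the two tables a honeypot operator actually wants: which SSIDs are being probed for, ranked by how many distinct stations asked for them, and which access points (BSSID, channel, SSID) are beaconing nearby. The MAC addresses and SSIDs in sample_capture are constructed; only the line layout mimics tcpdump's 802.11 monitor-mode output.

```shell
#!/usr/bin/env bash
# Added example, not code from the original tutorial. Reads tcpdump -e output
# (as produced by the capture commands above) and builds two summaries:
#   rank_probed_ssids - SSIDs named in probe requests, ranked by the number
#                       of distinct stations that asked for them
#   list_aps          - "BSSID channel SSID" for every AP seen in a beacon
# Live use on the Pi (wlan1 in monitor mode, channel hopper running):
#   sudo tcpdump -i wlan1 -s 256 -l -e type mgt subtype probe-req or subtype beacon \
#       | tee capture.txt
#   . ./wifi_summary.sh; rank_probed_ssids < capture.txt; list_aps < capture.txt

MAC='([[:xdigit:]]{2}:){5}[[:xdigit:]]{2}'

# "station ssid" per probe request that names an SSID. Wildcard probes are
# printed by tcpdump as "Probe Request ()" and carry nothing to lure with, so
# they are dropped. The station's own address is the SA field.
probe_pairs() {
    sed -n -E "s/.*SA:($MAC).*Probe Request \(([^)]+)\).*/\1 \3/p"
}

# Count distinct stations per SSID (a station repeating the same probe is
# counted once) and print "count ssid", most requested first. Many phones
# randomise the SA while probing, so the count is an upper bound on devices.
rank_probed_ssids() {
    probe_pairs | sort -u | cut -d' ' -f2- | sort | uniq -c | sort -rn | sed -E 's/^ *//'
}

# "bssid channel ssid" per AP from beacon frames; tcpdump prints the DS
# channel as "CH: n". A hidden network beacons an empty "()" SSID and is
# shown here as <hidden>.
list_aps() {
    sed -n -E "s/.*BSSID:($MAC).*Beacon \(([^)]*)\).*CH: ([0-9]+).*/\1 \4 \3/p" \
        | sed -E 's/ $/ <hidden>/' | sort -u
}

# Constructed sample in the layout of tcpdump's 802.11 monitor-mode output;
# all addresses and SSIDs are made up.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 1.0 Mb/s 2452 MHz 11g -61dBm signal antenna 0 BSSID:Broadcast DA:Broadcast SA:02:11:22:aa:bb:01 Probe Request (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit]
12:00:01.200001 1.0 Mb/s 2452 MHz 11g -58dBm signal antenna 0 BSSID:Broadcast DA:Broadcast SA:02:11:22:aa:bb:01 Probe Request (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit]
12:00:01.400001 1.0 Mb/s 2452 MHz 11g -70dBm signal antenna 0 BSSID:Broadcast DA:Broadcast SA:02:11:22:aa:bb:02 Probe Request (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit]
12:00:01.600001 1.0 Mb/s 2452 MHz 11g -70dBm signal antenna 0 BSSID:Broadcast DA:Broadcast SA:02:11:22:aa:bb:02 Probe Request (Home WLAN) [1.0 2.0 5.5 11.0 Mbit]
12:00:01.800001 1.0 Mb/s 2452 MHz 11g -66dBm signal antenna 0 BSSID:Broadcast DA:Broadcast SA:02:11:22:aa:bb:03 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
12:00:02.000001 1.0 Mb/s 2452 MHz 11g -45dBm signal antenna 0 BSSID:02:33:44:cc:dd:01 DA:Broadcast SA:02:33:44:cc:dd:01 Beacon (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 9, PRIVACY
12:00:02.100001 1.0 Mb/s 2452 MHz 11g -45dBm signal antenna 0 BSSID:02:33:44:cc:dd:01 DA:Broadcast SA:02:33:44:cc:dd:01 Beacon (CoffeeShop) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 9, PRIVACY
12:00:02.200001 1.0 Mb/s 2437 MHz 11g -80dBm signal antenna 0 BSSID:02:33:44:cc:dd:02 DA:Broadcast SA:02:33:44:cc:dd:02 Beacon () [1.0 2.0 5.5 11.0 Mbit] ESS CH: 6
EOF
}

# Run with --demo to see both tables on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "== probed SSIDs (stations ssid)"; sample_capture | rank_probed_ssids
    echo "== access points (bssid channel ssid)"; sample_capture | list_aps
fi
```

On the constructed sample, rank_probed_ssids reports CoffeeShop requested by two stations and Home WLAN by one, while list_aps shows one CoffeeShop access point on channel 9 and one hidden network on channel 6. An SSID that is probed for by many stations but has no matching AP in list_aps is the best candidate for the honeypot's own SSID: the devices are asking for it and nobody else is answering.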
So that you do not have to change the channel by hand all the time, create a tiny bash script (channel_hopping.sh) that does the work for you in the background.
# create bash script
$ vim channel_hopping.sh
# change permissions
$ chmod u+x channel_hopping.sh
# run in background
$ sudo ./channel_hopping.sh &
The content of channel_hopping.sh (it prints its PID so that you can stop it later with sudo kill <PID>):
#!/usr/bin/env bash
# Hop wlan1 through channels 1-14, staying 2 seconds on each, until killed.
# Channels 12-14 are not allowed in every regulatory domain; iwconfig then
# reports "Invalid argument" and the loop simply moves on to the next channel.
echo "Current PID: $$"
while true; do
    for channel in {1..14}; do
        echo "Current Channel: $channel"
        iwconfig wlan1 channel "$channel" || continue
        sleep 2
    done
done
Wavemon is another awesome Wi-Fi analysis tool, and it is very simple to use.
Note: Set your interface back to "managed mode" first!
# set interface down
$ sudo ip link set wlan1 down
# turn interface into managed mode
$ sudo iwconfig wlan1 mode managed
# set interface up
$ sudo ip link set wlan1 up
Execute Wavemon
# show help (optional)
$ wavemon -h
# start wavemon
$ sudo wavemon -i wlan1
Press the F3 key to scan, F2 to show the histogram, and the F10 key to exit.
Note: Read this man page to learn more about Wavemon.
The Aircrack-ng suite includes many tools to assess Wi-Fi networks. Here the focus is on airodump-ng only. Set your interface wlan1 into monitor mode first (there is no need to specify a channel, because airodump-ng hops through the channels itself; for the same reason, stop channel_hopping.sh if it is still running)!
# show help (optional)
$ airodump-ng --help
# run the simplest airodump (the interface is passed as a positional argument)
$ sudo airodump-ng wlan1
# run a more detailed airodump: manufacturer column, WPS information, and no "fixed channel -1" warning
$ sudo airodump-ng --manufacturer --wps --ignore-negative-one wlan1
Press CTRL + c to stop the scan and exit.
Note: Read the online documentation to get more information.