Hands-On Penetration Testing on Windows

Passive wireless analysis

So far, we've been studying layer-2 and above. The magical world of layer-1 – the physical layer – is a subject for another (very thick) book, but in today's world, we can't talk about the physical means of accessing networks without playing around with wireless.  

There are two core strategies in sniffing attacks: passive and active. A passive sniffing attack is often described as stealthy because the target has no way to detect it. We're going to take a look at passive wireless reconnaissance – which is just a really fancy way of saying listening to the radio. When you tune into your favorite station on your car's FM radio, the radio station has no way of knowing that you have started listening. Passive wireless reconnaissance is the same concept, except we're going to record the radio show so we can analyze it in detail later.

To pull this off, we need the right hardware. The wireless card and its driver must be able to hand every 802.11 frame they hear – data, management, and control frames alike – to the operating system without being associated with any access point. This is known as monitor mode, and not all wireless cards (or drivers) support it. My card of choice is an Alfa AWUS036NEH, but a little research online will help you find an ideal device.

We'll use iwconfig to enable monitor mode and to confirm the status after bringing the device up:

# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# ifconfig wlan0 up
# iwconfig wlan0

Note the use of both configuration utilities: ifconfig manages the interface itself (up, down, addresses, packet counters), while iwconfig manages the wireless-specific settings (mode, channel, power). Don't mix up their names! On newer distributions, the ip and iw utilities replace them, and airmon-ng wraps this same sequence, but the three steps – down, switch to monitor, up – are the same.

When we run the last command, iwconfig should report Mode:Monitor, which confirms monitor mode is enabled. If you then check the RX packet count in the ifconfig output, you'll see it's already rapidly climbing (depending on how busy your RF surroundings are) – it's receiving packets even though you are not associated with an access point. This is what makes this type of analysis stealthy – a device that merely listens emits nothing, so there is nothing for anyone else to detect.

It's important to note that true stealth requires that your device is not sending any data. Sometimes, we intend to simply listen and we thus assume we're being stealthy, but if the card is announcing its presence in some way, it isn't really passive. A common culprit is a network manager or wpa_supplicant still holding the interface and sending probe requests while scanning for networks, so stop those services before you start. The TX packet counter is your friend here: if it climbs while you are supposedly only listening, something is transmitting. When you're good at analyzing your environment, use your skill to check your stealth!
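The following script is an added example and is not code from the book. It wraps the monitor-mode sequence above and then performs the two checks a practitioner wants before trusting a "passive" capture: that iwconfig really reports Mode:Monitor, and that the interface's TX packet counter stays flat for a few seconds. The interface name, the ten-second observation window, and the sample iwconfig/ifconfig output embedded below are assumptions and constructed data, so the checks can be exercised without a wireless card; the live commands only run when an interface name is passed on the command line.

```shell
#!/bin/sh
# Added example (not from the book): confirm monitor mode and confirm silence.
# Interface name, sleep window and the sample tool output are assumptions.

# is_monitor: succeed if the given iwconfig output reports Mode:Monitor
is_monitor() {
    printf '%s\n' "$1" | grep -q 'Mode:Monitor'
}

# tx_packets: extract the TX packet counter from ifconfig output.
# Handles both "TX packets 42" (newer net-tools) and "TX packets:42" (older).
tx_packets() {
    printf '%s\n' "$1" | sed -n 's/.*TX packets[: ]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# is_passive: succeed only if the TX counter did not grow between two snapshots
is_passive() {
    before=$(tx_packets "$1")
    after=$(tx_packets "$2")
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -eq "$before" ]
}

# enable_monitor: the book's down/monitor/up sequence, then both checks.
# Assumes ifconfig and iwconfig are present and that we run as root.
enable_monitor() {
    dev="$1"
    ifconfig "$dev" down
    iwconfig "$dev" mode monitor
    ifconfig "$dev" up
    is_monitor "$(iwconfig "$dev")" || {
        echo "$dev: not in monitor mode" >&2
        return 1
    }
    snap1=$(ifconfig "$dev")
    sleep 10                      # assumed observation window
    snap2=$(ifconfig "$dev")
    is_passive "$snap1" "$snap2" || {
        echo "$dev: TX counter moved while we were 'only listening'" >&2
        return 1
    }
    echo "$dev: monitor mode confirmed, no frames sent in 10 s"
}

# Constructed sample output, so the checks can be run without hardware.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off'

SAMPLE_IFCONFIG_QUIET='wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 1532  bytes 210345 (205.4 KiB)
        TX packets 0  bytes 0 (0.0 B)'

SAMPLE_IFCONFIG_NOISY='wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 1901  bytes 260112 (254.0 KiB)
        TX packets 3  bytes 214 (214.0 B)'

# Live path: ./monitor-check.sh wlan0
if [ -n "${1:-}" ]; then
    enable_monitor "$1"
fi
```

Comparing the two constructed snapshots shows the failure mode the text warns about: the "noisy" one has the TX counter at 3 after starting from 0, which is exactly what a supplicant probing for networks on your supposedly passive interface looks like. A counter that sits at 0 is necessary but not sufficient; a second card in monitor mode watching for frames from your own MAC address is the stronger check.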

Now, we'll fire up Wireshark and select the interface specified previously – in this example, wlan0.

Whoa, okay – hold on a second. The screen just lit up at a pace of 37 packets per second, and this is a relatively quiet environment. (Fire this up in an apartment building and enjoy the fun.) Don't get me wrong, I'm a data hound, this number of packets excites me – but we need to find out what's actually happening in this environment so we can tune in on the good stuff. We'll revisit the high-altitude view of a wireless environment with Wireshark in the next section.