Aircrack-ng forum

Hi, newbie here.
I can't get from Wlan0 to Wlan0mon, but the mode is Monitor.

Win10
ALFA AWUS036ACS

┌──(kali㉿kali)-[~]
└─$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2022.2"
VERSION_ID="2022.2"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
                                                                                                         
┌──(kali㉿kali)-[~]
└─$ uname -a

Linux kali 5.16.0-kali7-amd64 #1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01) x86_64 GNU/Linux
                                                                                                         
┌──(kali㉿kali)-[~]
└─$ iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11AC  ESSID:"WiFimodem-3815"  Nickname:"<WIFI@REALTEK>"
          Mode:Managed  Frequency:5.3 GHz  Access Point: 44:AD:B1:2C:38:1B   
          Bit Rate:434 Mb/s   Sensitivity:0/0 
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=45/100  Signal level=-30 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

                                                                                                         
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng check kill
[sudo] password for kali:

Killing these processes:

    PID Name
   1693 wpa_supplicant

                                                                                                         
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng start wlan0


PHY     Interface       Driver          Chipset

phy0    wlan0           88XXau          Realtek Semiconductor Corp. Realtek 8812AU/8821AU 802.11ac WLAN Adapter [USB Wireless Dual-Band Adapter 2.4/5Ghz]
                (monitor mode enabled)

                                                                                                         
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng           

PHY     Interface       Driver          Chipset

phy0    wlan0           88XXau          Realtek Semiconductor Corp. Realtek 8812AU/8821AU 802.11ac WLAN Adapter [USB Wireless Dual-Band Adapter 2.4/5Ghz]

                                                                                                         
┌──(kali㉿kali)-[~]
└─$ iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     unassociated  ESSID:""  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency=2.457 GHz  Access Point: Not-Associated   
          Sensitivity:0/0 
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
What to do?

Ok, I didn't know that it's not possible, it was just a concept. Thank you for your precious time.

That's not how things work. You are lacking knowledge on the 802.11 protocol.

If you have a whitepaper published, or if you pass your CWNP, we can revisit this topic.

> Is there a document that explains how we can reproduce this?
I'm fairly new to the domain, this is just a concept but I really believe it's feasible in some way.

> They can only send one packet at a time the same way a wired network card does.
Exactly, this is why I think it would work.
What Slowloris does is that it sends requests to a web server as slowly as possible, little by little; and just before the webserver thinks the client is gone and closes the thread, Slowloris continues its unfinished request.
If there's a way to send an unfinished packet, and the default behaviour of routers is to wait for the following packets, then this is definitely feasible.
I think there are two parts of this attack that are worth trying:
1. Send packets at low speed. This would help waste the router's time exchanging with other devices.
2. Send partial packets and let the router wait. Just before the router quits the program continues and lets the router wait again. (I don't know the default behaviour of routers on this yet.)
This combined with MAC address spoofing, we could let the router think that there are different clients that are not having a good connection, and hence upscale the attack. (While the router is waiting we could sent more partial packets to it using different MAC addresses)

With this said I don't have the required knowledge to build low-level software to send some partial requests at low speed, what do you think?

Thank you

After more than 2 years, we are making a release with a decently large amount of fixes, improvements, and additions. We also broke the 4000 commits barrier, and this release has more than 400 commits.

Noticeable changes and fixes are present in a number of tools: airodump-ng, aircrack-ng, airdecap-ng, airmon-ng, aireplay-ng, airgraph-ng, besside-ng. And also osdep, our os-dependent interface for Wi-Fi capture and injection, as well as WPE patches for freeradius and hostapd.

On the less visible side, we get a number of improvements and fixes as well. We did code refactoring, deduplication, cleanup, code style fixes, as well as miscellaneous improvements. We also fixed a bunch of typos, spelling, and wording issues across the board. We fixed a number of issues reported by different static analysis tools we use, among others, PVS-Studio, Coverity Scan, Infer.

Read more in our blog post, or head to the download page.

And finally, the full changelog:

• Airdecap-ng: Endianness fixes
• Airdecap-ng: Output PCAP as little endian
• Airodump-ng: Fixed blank encryption field when APs have TKIP (and/or CCMP) with WPA2
• Airodump-ng: Updated encryption filter (-t/--encrypt) for WPA3 and OWE
• Airodump-ng: Fixed out-of-order timestamp captures
• Airodump-ng: Ignore NULL PMKID
• Airodump-ng: Fixed dropping management frames with zeroed timestamp
• Airodump-ng: Fixed sorting where sometimes it started with a different field
• Airodump-ng: Allow setting colors only in AP selection mode
• Airodump-ng: Fix crash on 4K Linux console
• Airodump-ng: Fixed issue where existing clients not linked to an AP become hidden when hitting 'o'
• Airodump-ng: Allow use of WiFi 6E 6GHz frequencies
• Airodump-ng: Look for oui.txt in /usr/share/hwdata
• Airgraph-ng: Fixed graphviz package conflict
• Airgraph-ng: Fixed downloading OUI with python3
• Airgraph-ng: Ensure support/ directory is created when installing
• Aircrack-ng: Fixed static compilation
• Aircrack-ng: Fix handshake replay counter logic
• Aircrack-ng: Handle timeout when parsing EAPOL
• Aircrack-ng: Fixed WEP display
• Aircrack-ng: Fixed spurious EXIT messages
• Aircrack-ng: Improved handshake selection by fixing EAPOL timing and clearing state
• Aircrack-ng: Ignore NULL PMKID
• Aircrack-ng: Added Apple M1 detection
• Aireplay-ng: In test mode, detect tampering of sequence number by firmware/driver
• Aireplay-ng: Fixed incorrectly rewritten loops affecting fragmentation attack, and in some cases, SKA fake auth
• Aireplay-ng: Fixed a bunch of instances where packets had their duration updated instead of the sequence number
• Airmon-ng: Fix avahi killing
• Airmon-ng: rewrite service stopping entirely
• Airmon-ng: Codestyle fixes and code cleanup
• Airmon-ng: Added a few Raspberry Pi hardware revisions
• Airmon-ng: Fixes for 8812au driver
• Airmon-ng: Fix iwlwifi firmware formatting
• Airmon-ng: Remove broken KVM detection
• Airmon-ng: Show regdomain in verbose mode
• Airmon-ng: Updated Raspberry Pi hardware revisions
• Airmon-ng: Document frequency usage
• Airmon-ng: Add a sleep to help predictable names due to udev sometimes renaming interface
• Airmon-ng: Added warning for broken radiotap headers in kernel 5.15 to 5.15.4
• Airmon-ng: shellcheck fixes
• Airmon-ng: support systemctl as some systems don't support 'service' anymore
• Airmon-ng: Fixes for pciutils 3.8, backward compatible
• Airbase-ng: use enum for frame type/subtype
• Airbase-ng: remove a few IE in association responses
• Besside-ng: Support and detect all channels in 5GHz in Auto-Channel mode
• OSdep: Search additional IE for channel information
• OSdep: Android macro fixes
• Patches: Add missing patches that were on https://patches.aircrack-ng.org but not in repo
• Patches: Updated freeradius-wpe patch for v3.2.0
• Patches: Updated hostapd-wpe patch for v2.10
• Patches: Added docker containers to test WPE patches
• Autotools: make dist now creates VERSION file
• Autotools: Added maintainer mode
• Autotools: Initial support for Link Time Optimization (LTO) builds
• Integration tests: Added a new test, and improved some existing ones
• Airgraph-ng: switch airodump-join to Python 3
• Manpages: Fixes (typos, tools name, etc.) and improvements
• README: Updated dependencies and their installation on various distros in README.md and INSTALLING
• README: Fixed typos and spelling in README.md and INSTALLING
• Packages: Packages on PackageCloud now support any distro using .deb and .rpm, however, it requires reinstalling repo (BREAKING CHANGE)
• General: Fix compilation with LibreSSL 3.5
• General: Fix issues reported by Infer
• General: Updated buildbots
• General: Add Linux uclibc support
• General: Compilation fixes on macOS with the Apple M1 CPU
• General: Removed TravisCI and AppVeyor
• General: Use Github Actions for CI (Linux, Win, macOS, code style, and PVS-Studio)
• General: Added vscode devcontainer and documentation
• General: Fix warnings from PVS-Studio and build with pedantic (See PR2174)
• General: Shell script fixes thanks to shellcheck
• General: Fixes for GCC 10 and 11
• General: Fixed cross-compilation
• General: Code refactoring, deduplication, cleanup, and misc code improvements
• General: Coverity Scan fixes, which includes memory leaks, race conditions, division by 0, and other issues
• General: PVS Studio improvements,fixes and updates
• General: Code formatting/style fixes
• General: Various fixes and improvements (code, CI, integration tests, coverity)
• General: Update bug reporting template and update the process

Is there a document that explains how we can reproduce this?

They can only send one packet at a time the same way a wired network card does.

Hello,

I watched a [Computerphile video](https://www.youtube.com/watch?v=vvKbMueRzrI). In the end Dr. Bagley talked about the fact that a router can only receive/send a packet at a time, so if one device is slow it will slow every device down, because all device talk sequentially to the router. He also mentioned that around 15 slow device is enough to drag the WiFi down to unusable speed.

Assuming the attacker has the network passphrase, I wonder if it's possible to use the concept of Slow Loris Attack - having one device faking its MAC address pretending to be multiple devices, sending out really slow packets to the router to slow down the whole network. Or even without the network passphrase.

Is this possible? What would it take to experiment this on my own network?
Thanks!

You misunderstood: when 802.11w is used, there is a mechanism triggered if an unencrypted deauth frame is sent. What it can do, is if that frame matches our deauth parameters is notify it happened, thus letting you know it failed.

If you feel there is already a lot of information on the screen then you could always make showing the encryption type optional which gets shown only when airodump-ng is executed with a parameter to show it.

Putting the client encryption type in aireplay-ng doesn't seem logical to me because one does intelligence gathering with airodump-ng before the death attack. It would be annoying to write a script to deauth multiple devices, only to find out afterwards that it was all for nothing.


I needed aircrack-ng because my lunatic neighbour was purposely waking me up every morning at 7am by throwing glass bottles in her bin, two metres from my front door. I tried making her stop by jamming her WiFi and while I jammed her WPA2 devices, it was not enough to make her to stop waking me up as she had many WPA3 devices. Now I've started throwing my glass bottles in the bin at night in my backyard near her bedroom, and now she has stopped waking me up, so I am done with aircrack-ng.

Thanks for the great app and all the best to you.

Something like that? That adds 17 characters on an already long line.

CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ WPA handshake: 00:14:6C:7E:40:80

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              <length: 7>
00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear
00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy

BSSID              STATION            PWR   Rate   Lost   Frames  ENC  CIPHER AUTH Notes  Probes

00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   11-11     2       14  WEP  WEP                bigbear
(not associated)   00:14:A4:3F:8D:13   19   11-11     0        4                          mossy
00:14:6C:7A:41:81  00:0C:41:52:D1:D1   \-1    11-2     0        5  WEP  WEP                bigbear
00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   36-24     0       99  WPA  TKIP   PSK         teddy

That's not realistic, there is already a lot of info on these lines.

How about that: it is possible to add in aireplay-ng something (and maybe on the top right in airodump-ng) when it sees frames indicating that deauth is useless, but it doesn't always happen.