BackTrack 5 Wireless Penetration Testing Beginner's Guide: Master bleeding edge wireless testing techniques with BackTrack 5.

Management frames: Management frames are responsible for maintaining communication between the access points and wireless clients. The Management frames can have the following sub-types:

Control frames:...

Boot into BackTrack with your Alfa card connected. Once you are within the console, enter iwconfig to confirm that your card has been detected and the driver has been loaded properly:

Use the ifconfig wlan0 up command to bring the card up. Verify the card is up by running ifconfig wlan0. You should see the word UP in the second line of the output as shown:

To put our card into monitor mode, we will use the airmon-ng utility which is available by default on BackTrack. First run airmon-ng to verify it detects the available cards. You should see the wlan0 interface listed in the output:

Now enter airmon-ng start wlan0 to create a monitor mode interface corresponding to the wlan0 device. This new monitor mode interface will be named mon0. You can verify it has been created by running airmon-ng without arguments again:

Also, running ifconfig should now display...

Power up our access point Wireless Lab which we configured in Chapter 1, Wireless Lab Setup.

Start Wireshark by typing Wireshark& in the console. Once Wireshark is running, click on the Capture | Interfaces sub-menu:

Select packet capture from the mon0 interface by clicking on the Start button to the right of the mon0 interface as shown in the preceding screenshot. Wireshark will begin the capture and now you should see packets within the Wireshark window:

These are wireless packets which your Alfa Wireless card is sniffing off the air. In order to view any packet, select it in the top window and the entire packet will be displayed in the middle window:

Click on triangle in front of IEEE 802.11 wireless LAN management frame to expand and view additional information.

Look at the different header fields in the packet and correlate them with the WLAN frame types and sub-types you have learned earlier...

To view all the Management frames in the packets being captured, enter the filter wlan.fc.type == 0 into the filter window and click on Apply. You can stop the packet capture if you want to prevent the packets from scrolling down too fast:

To view Control Frames, modify the filter expression to read wlan.fc.type == 1:

To view the Data Frames, modify the filter expression to wlan.fc.type == 2:

To additionally select a sub-type, use the wlan.fc.subtype filter. For example, to view all the Beacon frames among all Management frames use the following filter (wlan.fc.type == 0) && (wlan.fc.subtype == 8).

Alternatively, you can right-click on any of the header fields in the middle window and then select Apply as Filter | Selected to add it as a filter:

This will automatically add the correct...

Switch on the access point we had named Wireless Lab. Let it remain configured to use no encryption.

We will first need to find the channel on which the Wireless Lab access point is running on. To do this, open a terminal and run airodump-ng --bssid 00:21:91:D2:8E:25 mon0 where 00:21:91:D2:8E:25 is the MAC address of our access point. Let the program run, and shortly you should see your access point shown on the screen along with the channel it is running on:

We can see from the preceding screenshot that our access point Wireless Lab is running on Channel 11. Note that this may be different for your access point.

In order to sniff data packets going to and fro from this access point, we need to lock our wireless card on the same channel...

In order to do an injection test, first start Wireshark and the filter expression (wlan.bssid == 00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08). This will ensure that we only see non-beacon packets for our lab network.

Now run the following command aireplay-ng -9 -e Wireless Lab -a 00:21:91:d2:8e:25 mon0 on a terminal:

Go back to Wireshark and you should see a lot of packets on the screen now. Some of these packets have been sent by aireplay-ng which we launched, and others are from the access point Wireless Lab in response to the injected packets:

Enter the iwconfig wlan0 command to check the capabilities of your card. As you can see in the following screenshot, the Alfa card can operate in the b and g bands:

Just for demo purposes, when I connect another card, a D-Link DWA-125, we see that it is capable for b, g, and n bands:

To set the card on a particular channel we use the iwconfig mon0 channel X commands:

The iwconfig series of commands does not have a channel hopping mode. One could write a simple script over it to make it do so. An easier way is to use airodump-ng with options to either hop channels arbitrarily or only a subset or only selected bands. All these options are illustrated in the following screenshot when we run airodump-ng –help:

Reboot your computer and do not connect your Alfa card to it yet.

Once logged in, monitor the kernel messages using the tail command:

Insert the Alfa card, you should see something which resembles the following screenshot. This is the default regulatory settings applied to your card:

Let's assume that you are based in the US. To change your regulatory domain to the US, we issue the command iw reg set US in a new terminal:

If the command is successful, we get an output as shown (in the following screenshot) in the terminal where we are monitoring /var/log/messages:

Now try, changing the card to channel 11, it would work. But when you try changing it to channel 12, you get a error. This is because channel 12 is not allowed for use in the US:

The same applies for power levels. The US only allows a maximum of 27dBm (500 milliwatts), so even though the Alfa card has an advertised power of 1 Watt (30 dBm), we cannot set...