diff --git a/docs/Concurrent_Mode.md b/docs/Concurrent_Mode.md index c92d87c..b281cef 100644 --- a/docs/Concurrent_Mode.md +++ b/docs/Concurrent_Mode.md @@ -60,7 +60,7 @@ sudo ./remove-driver.sh ``` Step 5: Follow the installation instructions but do not run the -optional `cmode-on.sh script`. +optional `cmode-on.sh` script. ----- diff --git a/docs/Monitor_Mode.md b/docs/Monitor_Mode.md new file mode 100644 index 0000000..fc7565e --- /dev/null +++ b/docs/Monitor_Mode.md 
@@ -0,0 +1,345 @@ +----- + +2021-12-18 + +## Monitor Mode + +Purpose: Provide information and tools for testing and using monitor +mode with the following Realtek drivers: + +``` +https://github.com/morrownr/8812au-20210629 +https://github.com/morrownr/8821au-20210708 +https://github.com/morrownr/88x2bu-20210702 +``` + +For adapters that use in-kernel drivers, use any of the many guides that +are available as the in-kernel drivers work in the textbook, standards +compliant manner. + +Please submit corrects or additions via Issues. + +Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer +with a wireless network interface controller (WNIC) to monitor all +traffic received on a wireless channel. Monitor mode allows packets to +be captured without having to associate with an access point or ad hoc +network first. Monitor mode only applies to wireless networks, while +promiscuous mode can be used on both wired and wireless networks. +Monitor mode is one of the eight modes that 802.11 wireless cards and +adapters can operate in: Master (acting as an access point), Managed +(client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, +TDLS and Monitor mode. + +Note: This document and the `test-mon.sh` script have been tested on the +following: + +``` +Kali Linux +Raspberry Pi OS +Linux Mint +Ubuntu +``` +----- + +## Steps to test monitor mode + +#### Install USB WiFi adapter and driver per instructions. + + +#### Update system +``` +sudo apt update +``` +``` +sudo apt full-upgrade +``` + +----- + +#### Ensure WiFi radio is not blocked +``` +sudo rfkill unblock wlan +``` + +----- + +#### Install the aircrack-ng and wireshark packages +``` +sudo apt install -y aircrack-ng wireshark +``` + +----- + +#### Check wifi interface information +``` +iw dev +``` + +----- + +#### Information + +The wifi interface name `wlan0` is used in this document but you will +need to substitute the name of your wifi interface while using this +document. 
+ +----- + +#### Enter and check monitor mode + +A script called `test-mon.sh` is available in the driver directory. +It will automate much of the following. It is a work in progress so +please feel free to make and submit improvements. It is written in Bash. + +Usage: + +``` +sudo ./test-mon.sh [interface:wlan0] +``` + +How, if you want to do things manually, continue below. + +----- + +#### Disable interfering processes + +``` +sudo airmon-ng check kill +``` + +#### Change to monitor mode + +Option 1 (the airmon-ng way) + +Note: This option may not work with some driver/adapter combinations +(I'm looking at you Realtek). If this option does not work, you can +use Option 2 or the `test-mon.sh` script that was previously mentioned. +``` +sudo airmon-ng start +``` + +Option 2 (the manual way) + +Check the wifi interface name and mode +``` +iw dev +``` + +Take the interface down +``` +sudo ip link set down +``` + +Set monitor mode +``` +sudo iw set monitor control +``` + +Bring the interface up +``` +sudo ip link set up +``` + +Verify the mode has changed +``` +iw dev +``` + +----- + +### Test injection + +Option for 5 GHz and 2.4 GHz +``` +sudo airodump-ng --band ag +``` +Option for 5 GHz only +``` +sudo airodump-ng --band a +``` +Option for 2.4 GHz only +``` +sudo airodump-ng --band g +``` +Set the channel of your choice +``` +sudo iw dev set channel [NOHT|HT20] +``` +``` +sudo aireplay-ng --test +``` + +----- + +### Test deauth + +Option for 5 GHz and 2.4 GHz +``` +sudo airodump-ng --band ag +``` +Option for 5 GHz only +``` +sudo airodump-ng --band a +``` +Option for 2.4 GHz only +``` +sudo airodump-ng --band g +``` +``` +sudo airodump-ng --bssid --channel +``` +Option for 5 GHz: +``` +sudo aireplay-ng --deauth 0 -c -a -D +``` +Option for 2.4 GHz: +``` +sudo aireplay-ng --deauth 0 -c -a +``` + +----- + +### Revert to Managed Mode + +Check the wifi interface name and mode +``` +iw dev +``` + +Take the wifi interface down +``` +sudo ip link set down +``` + +Set 
managed mode +``` +sudo iw set type managed +``` + +Bring the wifi interface up +``` +sudo ip link set up +``` + +Verify the wifi interface name and mode has changed +``` +iw dev +``` + +----- + +### Change the MAC Address before entering Monitor Mode + +Check the wifi interface name, MAC address and mode +``` +iw dev +``` + +Take the wifi interface down +``` +sudo ip link set dev down +``` + +Change the MAC address +``` +sudo ip link set dev address +``` + +Set monitor mode +``` +sudo iw set monitor control +``` + +Bring the wifi interface up +``` +sudo ip link set dev up +``` + +Verify the wifi interface name, MAC address and mode has changed +``` +iw dev +``` + +----- + +### Change txpower +``` +sudo iw dev set txpower fixed 1600 +``` + +Note: 1600 = 16 dBm + +----- + +### Information + +airodump-ng can receive and interpret key strokes while running. + +``` + +The following list describes the currently assigned keys and supported +actions: + + +a + +Select active areas by cycling through these display options: + AP+STA; AP+STA+ACK; AP only; STA only + + +d + +Reset sorting to defaults (Power) + + +i + +Invert sorting algorithm + + +m + +Mark the selected AP or cycle through different colors if the selected AP is +already marked + + +o + +Enable colored display of APs and their stations. + + +p + +Disable colored display. + + +q + +Quit program. + + +r + +(De-)Activate realtime sorting - + applies sorting algorithm every time the display will be redrawn + + +s + +Change column to sort by, which currently includes: + + BSSID; + PWR level; + Beacons; + Data packets; + Packet rate; + Channel; + Max. data rate; + Encryption; + Strongest Ciphersuite; + Strongest Authentication; + ESSID +``` + +----- + diff --git a/test-mon.sh b/test-mon.sh new file mode 100755 index 0000000..25a9e44 --- /dev/null +++ b/test-mon.sh 
@@ -0,0 +1,369 @@ +#!/bin/bash + + +SCRIPT_NAME="test-mon.sh" +SCRIPT_VERSION="20211218" + + +# Check that sudo was used to start the script +if [[ $EUID -ne 0 ]] +then + clear + echo "You must run this script with superuser (root) privileges." + echo "Try: \"sudo ./${SCRIPT_NAME}\"" + exit 1 +fi + + +# Set color definitions (https://en.wikipedia.org/wiki/ANSI_escape_code) +# Black 0;30 Dark Gray 1;30 +# Red 0;31 Light Red 1;31 +# Green 0;32 Light Green 1;32 +# Brown/Orange 0;33 Yellow 1;33 +# Blue 0;34 Light Blue 1;34 +# Purple 0;35 Light Purple 1;35 +# Cyan 0;36 Light Cyan 1;36 +# Light Gray 0;37 White 1;37 +RED='\033[1;31m' +YELLOW='\033[0;33;1m' +GREEN='\033[1;32m' +CYAN='\033[1;36m' +NoColor='\033[0m' + + +# Display docs +clear +echo -e "${GREEN}" +echo ' --------------------------------' +echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" +echo ' --------------------------------' +echo +echo ' Purpose: Test monitor mode on the provided wlan interface' +echo +echo ' Usage: $ sudo ./test-mon.sh [interface:wlan0]' +echo +echo ' Please feel free to help make this script better.' 
+echo +echo ' Some parts of this script require the installation of:' +echo +echo ' aircrack-ng' +echo ' wireshark' +echo +echo ' Note: To exit this script and install the above: Ctrl + c' +echo +echo ' Note: For installation on Debian based systems:' +echo +echo ' $ sudo apt install -y aircrack-ng wireshark' +echo +echo ' --------------------------------' +echo -e "${NoColor}" +# Interfering processes must be disabled prior to running this script: +# +#``` +# $ sudo airmon-ng check kill +#``` + + +# Assign default monitor mode interface name +iface0mon='wlan0mon' + +# Assign default channel +chan=6 + +# Activate option to set automatic or manual interface mode +# +# Option 1: if you only have one wlan interface (automatic detection) +#iface0=`iw dev | grep 'Interface' | sed 's/Interface //'` +# +# Option 2: if you have more than one wlan interface (default wlan0) +iface0=${1:-wlan0} + +# Set iface0 down +ip link set dev $iface0 down +# Check if iface0 exists and continue if true +if [ $? -eq 0 ] +then +# Disabled interfering processes +# clear + echo + read -p " Do you want to use airmon-ng to disable interfering processes? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then + airmon-ng check kill + read -p " Press any key to continue. 
" -n 1 -r + fi + +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0 info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0 info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0 | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0 info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + echo ' --------------------------------' + echo -e "${NoColor}" + +# Set addr (has to be done before renaming the interface) + iface_addr_orig=$iface_addr + read -p " Do you want to set a new addr? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then + read -p " What addr do you want? 
( 12:34:56:78:90:ab ) " iface_addr + ip link set dev $iface0 address $iface_addr + fi +# iface_addr=$(iw dev $iface0 info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') +# echo ' addr - ' $iface_addr +# exit 1 + +# Set monitor mode +# iw dev set monitor +# Valid monitor flags are: +# none: no special flags +# fcsfail: show frames with FCS errors +# control: show control frames +# otherbss: show frames from other BSSes +# cook: use cooked mode +# active: use active mode (ACK incoming unicast packets) +# mumimo-groupid : use MUMIMO according to a group id +# mumimo-follow-mac : use MUMIMO according to a MAC address + iw dev $iface0 set monitor control + +# Rename interface + ip link set dev $iface0 name $iface0mon + +# Bring the interface up + ip link set dev $iface0mon up + +# Run airodump-ng +# airodump-ng will display a list of detected access points and clients +# https://www.aircrack-ng.org/doku.php?id=airodump-ng +# https://en.wikipedia.org/wiki/Regular_expression +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0mon info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0mon info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0mon | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0mon info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + echo ' --------------------------------' + echo -e "${NoColor}" + echo -e " airodump-ng can receive and interpret key strokes while running..." 
+ echo + echo -e " a - select active area" + echo -e " i - invert sorting order" + echo -e " s - change sort column" + echo -e " q - quit" + echo ' ----------------------------' + echo + read -p " Do you want to run airodump-ng to display a list of detected access points and clients? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then +# usage: airodump-ng [,,...] +# +# -c : Capture on specific channels +# -a : Filter unassociated clients +# --ignore-negative-one : Removes the message that says fixed channel : -1 +# --essid-regex : Filter APs by ESSID using a regular expression +# +# Select option +# +# 1) shows hidden ESSIDs +# airodump-ng -c 1-165 -a --ignore-negative-one $iface0mon +# +# 2) does not show hidden ESSIDs +# + airodump-ng -c 1-165 -a --ignore-negative-one --essid-regex '^(?=.)^(?!.*CoxWiFi)' $iface0mon + fi + +# Set channel + read -p " Do you want to set the channel? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then + read -p " What channel do you want to set? 
" chan +# ip link set dev $iface0mon down + iw dev $iface0mon set channel $chan +# ip link set dev $iface0mon up + fi + +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0mon info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0mon info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0mon | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0mon info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + iface_chan=$(iw dev $iface0mon info | grep 'channel' | sed 's/channel //' | sed -e 's/^[ \t]*//') + echo ' chan - ' $chan + iface_txpw=$(iw dev $iface0mon info | grep 'txpower' | sed 's/txpower //' | sed -e 's/^[ \t]*//') + echo ' txpw - ' $iface_txpw + echo ' --------------------------------' + echo -e "${NoColor}" + +# Set txpw + read -p " Do you want to set the txpower? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then + read -p " What txpw setting do you want? 
( 2300 = 23 dBm ) " iface_txpw +# ip link set dev $iface0mon down + iw dev $iface0mon set txpower fixed $iface_txpw +# ip link set dev $iface0mon up + fi + +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0mon info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0mon info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0mon | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0mon info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + iface_chan=$(iw dev $iface0mon info | grep 'channel' | sed 's/channel //' | sed -e 's/^[ \t]*//') + echo ' chan - ' $chan + iface_txpw=$(iw dev $iface0mon info | grep 'txpower' | sed 's/txpower //' | sed -e 's/^[ \t]*//') + echo ' txpw - ' $iface_txpw + echo ' --------------------------------' + echo -e "${NoColor}" + +# Test injection capability with aireplay-ng + read -p " Do you want to test injection capability? [y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then +# ip link set dev $iface0mon up + aireplay-ng --test $iface0mon + fi + +# Start wireshark + read -p " Do you want to start Wireshark? 
[y/N] " -n 1 -r + echo + if [[ $REPLY =~ ^[Yy]$ ]] + then +# ip link set dev $iface0mon up + wireshark --interface wlan0mon +# test filter: wlan.fc.type_subtype == 29 + # Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0mon info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0mon info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0mon | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0mon info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + iface_chan=$(iw dev $iface0mon info | grep 'channel' | sed 's/channel //' | sed -e 's/^[ \t]*//') + echo ' chan - ' $chan +# iface_txpw=$(iw dev $iface0mon info | grep 'txpower' | sed 's/txpower //' | sed -e 's/^[ \t]*//') +# echo ' txpw - ' $iface_txpw + echo ' --------------------------------' + echo -e "${NoColor}" + fi + +# Return the adapter to original settings + read -p " Do you want to return the adapter to original settings? 
[Y/n] " -n 1 -r + if [[ $REPLY =~ ^[Nn]$ ]] + then +# ip link set dev $iface0mon up +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0mon info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0mon info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0mon | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0mon info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + echo ' --------------------------------' + echo -e "${NoColor}" + else + ip link set dev $iface0mon down + ip link set dev $iface0mon address $iface_addr_orig + iw $iface0mon set type managed + ip link set dev $iface0mon name $iface0 + ip link set dev $iface0 up +# Display interface settings + clear + echo -e "${GREEN}" + echo ' --------------------------------' + echo -e " ${SCRIPT_NAME} ${SCRIPT_VERSION}" + echo ' --------------------------------' + echo ' WiFi Interface:' + echo ' '$iface0 + echo ' --------------------------------' + iface_name=$(iw dev $iface0 info | grep 'Interface' | sed 's/Interface //' | sed -e 's/^[ \t]*//') + echo ' name - ' $iface_name + iface_type=$(iw dev $iface0 info | grep 'type' | sed 's/type //' | sed -e 's/^[ \t]*//') + echo ' type - ' $iface_type + iface_state=$(ip addr show $iface0 | grep 'state' | sed 's/.*state \([^ ]*\)[ ]*.*/\1/') + echo ' state - ' $iface_state + iface_addr=$(iw dev $iface0 info | grep 'addr' | sed 's/addr //' | sed -e 's/^[ \t]*//') + echo ' addr - ' $iface_addr + echo ' --------------------------------' + echo -e "${NoColor}" + fi + exit 0 +else + 
echo -e "${YELLOW}ERROR: Please provide an existing interface as parameter! ${NoColor}" + echo -e "${NoColor}Usage: $ ${CYAN}sudo ./$SCRIPT_NAME [interface:wlan0] ${NoColor}" + echo -e "${NoColor}Tip: $ ${CYAN}iw dev ${NoColor}(displays available interfaces)" + exit 1 +fi
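Review bot: in the docs/Monitor_Mode.md hunk the worked commands are missing their interface, BSSID and channel arguments as rendered here: `sudo airmon-ng start`, `sudo iw set monitor control`, `sudo airodump-ng --bssid --channel` and `sudo aireplay-ng --deauth 0 -c -a -D` cannot be run as written. If the source used angle-bracket placeholders such as `<interface>`, they disappear when the markdown is rendered as HTML; use bracketed or literal placeholders (`[interface]`, `wlan0`, `[bssid]`, `[channel]`) the way the `sudo ./test-mon.sh [interface:wlan0]` usage line already does, and make the down/up steps consistent (`sudo ip link set down` in the monitor-mode section versus `sudo ip link set dev down` in the MAC-address section). The `### Test deauth` section runs an unlimited deauth (`--deauth 0`) without saying that this is a denial of service against the target network and should only be run against networks the reader is authorized to test; one sentence there would do. Smaller fixes: "Please submit corrects or additions" should read "corrections", "How, if you want to do things manually" should read "Now", and "Verify the wifi interface name and mode has changed" should read "have changed".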
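Review bot: in the test-mon.sh hunk the interface-settings display computes `iface_chan=$(iw dev $iface0mon info | grep 'channel' ...)` but then prints `echo ' chan - ' $chan`, so the chan line always shows the script default (6) or whatever the user typed, never the channel the interface is actually on; print `$iface_chan` instead. The Wireshark branch hard-codes `wireshark --interface wlan0mon` instead of `"$iface0mon"`, so it breaks as soon as the default monitor name is changed. In the airodump-ng call that is left enabled, `--essid-regex '^(?=.)^(?!.*CoxWiFi)'`, the `(?=.)` part is what the comment above describes (hide empty/hidden ESSIDs) but `(?!.*CoxWiFi)` is a personal filter that silently drops every ESSID containing CoxWiFi; remove it or make the regex a variable. None of `$iface0`, `$iface0mon`, `$iface_addr`, `$chan` or `$iface_txpw` are quoted or validated before being passed to ip/iw, so an empty answer at the addr or txpower prompt yields a bare `ip link set dev wlan0 address` that fails with an unhelpful error; check for an empty reply (and for the MAC format) before calling ip, and replace the `ip link set dev $iface0 down` followed by `if [ $? -eq 0 ]` pattern with `if ip link set dev "$iface0" down; then`. Style: the "Display interface settings" block is pasted seven times with only the interface name varying; a single function taking the name as its argument would halve the script. The final `read -p " ... [Y/n] " -n 1 -r` is missing the `echo` the other prompts have, and the comment "Disabled interfering processes" should read "Disable".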