
Kali Linux & over the air promiscuous capture

Based on the following link by Ray: https://supportforums.cisco.com/blog/12200881/using-live-linux-distro-getwireless-packet-capture


I was trying to use Kali Linux on a lab Windows machine, and thought of sharing
my observations. Kali has Wireshark, tcpdump, dumpcap and airmon-ng built in,
so you can have wireless frames scrolling right in front of you in Wireshark,
just as when you sniff a wired adaptor. This way you can make sure you got the
right frames at the right time. It is also loaded with tons of other utilities
that you never know when you might need.
1. Get your Kali copy: http://www.kali.org/downloads/
I normally use the Kali Linux 32-bit ISO, 3.2 GB in size.
2. Now use any USB imaging software to make a bootable Linux USB drive
(formatted in FAT32 and at least 4 GB in capacity), using the ISO image
downloaded in the above step.
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
This is the longest part, ~10 minutes. Once done, remove the USB safely.
3. Change the boot order on the sniffer/subject laptop to boot from USB.
Pressing F12 while booting up does it for me.
Then you will be presented with the Kali boot-up screen:-

Just go with Live (forensic mode).


4. Java installation on Kali Linux is not an easy process, so you will not be
able to get it joined to the WebEx via Kali's default browser, Iceweasel.

However, making VNC Viewer work with it is pretty easy. Go to
Applications > Internet > Desktop Sharing, so the customer can remote into the
client from a Windows client that is connected to the WebEx.

Start a terminal session by clicking on the fourth icon from the left in the
title bar and find Kali's IP on the wired interface:-

Now you can use the free VNC Viewer to remote into Kali, as you know its wired
IP: https://www.realvnc.com/download/viewer/
5. Create a monitor interface for the wlan interface and set its channel &
channel width:
root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:120086 (117.2 KiB)  TX bytes:5956 (5.8 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//So above there is no mon0, aka monitor interface.
//Use the below command to get a monitor interface.
root@kali:~# airmon-ng start wlan0


Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
3513    NetworkManager
3610    wpa_supplicant
3922    dhclient


Interface       Chipset         Driver

wlan0           Intel 5300AGN   iwlwifi - [phy0]
                                (monitor mode enabled on mon0)

//As you see, a mon0 was created on wlan0, 5300 AGN, phy0.
//Now if you do an ifconfig again, you can see the monitor interface.
root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:134272 (131.1 KiB)  TX bytes:6242 (6.0 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

mon0      Link encap:UNSPEC  HWaddr 00-21-6A-8D-48-B0-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1585 errors:0 dropped:1585 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:428563 (418.5 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//iwconfig will show you all the wireless settings. Check that mon0 is in
monitor mode.
root@kali:~# iwconfig
wlan0     IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

mon0      IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

//With Kali Linux, mon0 is what you need for sniffing. wlan0 can be turned
down now.
root@kali:~# ifconfig wlan0 down
//Find your physical interface name and set its channel width & channel.
root@kali:~# iw list | grep phy
Wiphy phy0
        * set_wiphy_netns

//So phy0 is the physical interface.

root@kali:~# iw phy phy0 set channel 36 HT40+

//This is the most important command. I have set it to sniff on channel 36 and
channel 44. If the secondary 20 MHz channel lies below the primary, use HT40-.
For 20 MHz use HT20.
6. Now you can start Wireshark, tcpdump or dumpcap and start sniffing on the
mon0 interface. I would make sure of the following settings if using
Wireshark: Applications > Internet > Wireshark to start Wireshark.

For longer captures, you can always use a ring buffer ("Use multiple files").
7. Start capturing. After capturing, you can save the file on the underlying
disk used by Windows. You can access the underlying Windows filesystem if you
mount it like this:-

Once mounted, the Windows file system will be on the desktop for you to save
captures. You can later boot into Windows and find the capture stored on
disk.
Notes: Make sure the adaptor in the Kali laptop is capable of catching all the
spatial streams the intended client is using. For example, if you have a
1SS wireless NIC in the Kali laptop, then you cannot capture the
communication between a 3SS client and a Cisco access point.
The default user in Kali is root and the password is toor.
The following link has always helped me to crack a WPA2-encrypted SSID, if I
was able to capture the EAPOL handshake: http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/
If you enter the key calculated by the below link in Wireshark, the
packets captured after the EAPOL exchange will be decrypted on the fly in
Wireshark, provided the EAPOL handshake was captured correctly ->
http://jorisvr.nl/wpapsk.html
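The key the linked page calculates is the WPA2 pairwise master key (PMK): PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes. Wireshark accepts it under Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys either as `wpa-pwd:<passphrase>:<ssid>` or as the raw hex `wpa-psk:<hex>`; the raw form avoids trouble with SSIDs containing `:` and can be checked against the IEEE 802.11i Annex H test vector before a long capture. Even with the right key loaded, Wireshark still needs each client's 4-way EAPOL handshake to derive that session's PTK, which is why capturing the handshake matters. The following is an added example for this page, not code from the post or from the jorisvr.nl / mrncciew.com pages; the only external assumption is the published test vector.

```python
"""Derive the Wireshark "wpa-psk" entry from a known passphrase and SSID
(added example, not the post's code)."""
import hashlib

# IEEE 802.11i-2004 Annex H.4.1 test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def passphrase_is_valid(passphrase: str) -> bool:
    """WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def wireshark_wpa_psk_entry(passphrase: str, ssid: str) -> str:
    """The line to paste into Wireshark's IEEE 802.11 decryption-key list."""
    return "wpa-psk:" + wpa2_pmk(passphrase, ssid).hex()


def self_test() -> bool:
    """Confirm the derivation against the published test vector before relying on it."""
    return wpa2_pmk("password", "IEEE").hex() == IEEE_TEST_VECTOR


if __name__ == "__main__":
    print("self-test against IEEE vector:", self_test())
    # Constructed lab values; substitute your own SSID and passphrase.
    print(wireshark_wpa_psk_entry("LabPassphrase1", "LabSSID"))
```

Paste the printed `wpa-psk:` line into Wireshark, then filter on `eapol` to confirm all four handshake messages for the client of interest were captured; only after that will the client's data frames decrypt.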

NTP syncing of the packet capturing machine (Kali Linux) and the WLC is a must,
else we might be looking at different packets:
root@kali:~# date
Mon Oct 13 10:54:07 UTC 2014
root@kali:~# hwclock
Mon 13 Oct 2014 10:54:14 AM UTC  -0.547837 seconds
root@kali:~# apt-get install ntpdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  lockfile-progs
The following NEW packages will be installed:
  lockfile-progs ntpdate
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 91.0 kB of archives.
After this operation, 291 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://http.kali.org/kali/ kali/main ntpdate i386 1:4.2.6.p5+dfsg-2 [80.5 kB]
Get:2 http://http.kali.org/kali/ kali/main lockfile-progs i386 0.1.17 [10.5 kB]
Fetched 91.0 kB in 1s (58.6 kB/s)
Selecting previously unselected package ntpdate.
(Reading database ... 318056 files and directories currently installed.)
Unpacking ntpdate (from .../ntpdate_1%3a4.2.6.p5+dfsg2_i386.deb) ...
Selecting previously unselected package lockfile-progs.
Unpacking lockfile-progs (from .../lockfile-progs_0.1.17_i386.deb) ...
Processing triggers for man-db ...
Setting up ntpdate (1:4.2.6.p5+dfsg-2) ...
Setting up lockfile-progs (0.1.17) ...
root@kali:~# ntpdate us.pool.ntp.org
13 Oct 11:01:28 ntpdate[6984]: no server suitable for synchronization found
//The above failed as my network blocks access to outside NTP servers;
below I will use an internal NTP server, which will work.
root@kali:~# ntpdate 10.88.1.98
13 Oct 11:05:02 ntpdate[6995]: step time server 10.88.1.98 offset 18010.420247 sec

As this is a live USB, any software you install or files you save on the
Linux install itself will be deleted once you reboot. That is the reason, if
you want a stable sniffer, you would either create a dual-boot disk where
Kali resides permanently in one partition, OR create a live persistence
disk: http://www.youtube.com/watch?v=_Jev5iEUuvo
If you go for the persistent way, never remove the USB drive while
shutting down, even though the CLI asks you to.

At start-up, always use the Live USB Persistence mode. Save the
Wireshark captures in the persistence folder created. Persistence is
totally optional.
Else just go with Live (forensic mode) and save the capture files on the
Windows file system, which is accessible via Kali Linux, as explained
above.

There are many other ways of turning the wireless NIC into monitor
mode, like: http://wireless.kernel.org/en/users/Documentation/iw#Adding_interfaces_with_iw
But as the above has worked reliably for me, I will keep that as a
reference.

The step where I disable wlan0 has had no effect on my packet
capture, as far as I have seen. Even if I keep it enabled, I get a good
pcap. Skipping this step has been OK too. If you have issues, try toggling it.
root@kali:~# ifconfig wlan0 down

tcpdump and dumpcap come preinstalled with Kali. You can use them
instead of Wireshark for longer captures, if you like.

If you want to make Java work with Kali, so it can join the WebEx directly
using the Mozilla-based default browser Iceweasel, this link shows you how
to download, unzip and install Java and create the Iceweasel dependency on it: https://www.java.com/en/download/help/linux_install.xml

Quick cmd summary:
airmon-ng start wlan0
iw phy phy0 set channel 36 HT20/HT40+/HT40-

Sample setup/diagram->
