Description
This article describes how to perform an over-the-air packet capture with a NIC card that supports monitor mode.
These captures might be very useful for cases in which is necessary to check the beacons sent by FortiAPs or authentication issues where no log is generated on the FortiAP or the controller (FortiGate).
Disclaimer:
The information provided in this article is intended solely for educational and troubleshooting purposes.
It is crucial to emphasize that capturing or sniffing network packets without proper authorization is illegal and unethical.
The content presented here should not be utilized for any unauthorized or malicious activities. Always ensure to have the necessary permissions and legal rights before attempting any form of network packet capture.
Respect the privacy and security of networks and individuals, and only use these techniques responsibly and lawfully.
The author and publisher of this article are not responsible for any misuse or illegal activities undertaken by readers based on the information provided herein.
It does not endorse or warranty any other products from different vendors. Those brands and models are mentioned here for information purposes only.
Scope
Software used in this example:
Kali Linux 2023.3.
Aircrack-ng.
Hardware used in this example:
Wireless network adapter Alfa AWUS1900.
Be aware only a few WIFI adapters can be used to obtain OTA capture files. The most popular ones are those based on Realtek chips like RTL8814AU and others, other adaptors might work as long can be used on Monitor/promiscuous mode.
Solution
It is important to notice that the Linux OS where the capture is going to be performed must NOT be virtualized. Otherwise, the capture might not be possible.
To run an OTA on Linux, a NIC card that supports monitor mode is necessary. It is possible to take a look into this post of Wireless Network Adapters that support this mode and are recommended to work with Kali.
- Check if the NIC card supports monitor mode. This can be done with the command iw list.
- Start the airmon-ng on the WLAN interface to put it in monitor mode. In this example, the interface is wlan0. Command airmon-ng start wlan0.
- Kill the suggested processes if needed with the command airmon-ng check kill PID.
Optional Wireshark capture: At this point, the user can start capturing with Wireshark by selecting the interface activated with airmon-ng start <interface>, so, for example, to take advantage of the creation of multiple files for the cases where the user wants to capture for an unlimited time or until an issue reproduces.
- Now that the interface wlan0 is in monitor mode, start airodump-ng to start the capture. Command airodump-ng wlan0 --band a --write test.
- Flags explanation:
--band band to be captured. 'a' is used for 5GHz.
--write the name of the files that airodump will create after the capture.
--bssid used to filter a specific FortiAPs MAC address.
--channel to filter on a specific channel.
- The capture will start. Once the issue is reproduced, it is possible to stop it by hitting Ctrl+C on the keyboard.
- Files with the name specified on flag --write will be created. In this case, they were created on the root.
- Return NIC card to managed mode with command airmon-ng stop wlan0.
Share the .cap file created on this capture for TAC analysis.
