FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and meet the demand for plug-and-play deployment.
laltuzar
Staff
Article Id 274904
Description

This article describes how to perform an Over The Air (OTA) packet capture with a NIC that supports monitor mode.

These captures can be very useful when it is necessary to check the beacons sent by FortiAPs, or for authentication issues where no log is generated on the FortiAP or on the controller (FortiGate).


Disclaimer:

The information provided in this article is intended solely for educational and troubleshooting purposes.

It is crucial to emphasize that capturing or sniffing network packets without proper authorization is illegal and unethical.

The content presented here should not be utilized for any unauthorized or malicious activities. Always ensure to have the necessary permissions and legal rights before attempting any form of network packet capture.

Respect the privacy and security of networks and individuals, and only use these techniques in a responsible and lawful manner.

The author and publisher of this article are not responsible for any misuse or illegal activities undertaken by readers based on the information provided herein.

 

Scope

Software used in this example:

Kali Linux 2023.3.
Aircrack-ng.

Hardware used in this example:

Wireless network adapter Alfa AWUS1900.


Solution

It is important to note that the Linux OS on which the capture is performed must NOT be virtualized; otherwise, the capture might not be possible.

To run an OTA capture on Linux, a NIC that supports monitor mode is necessary. See this post for Wireless Network Adapters that support this mode and are recommended to work with Kali.

  1. Check whether the NIC supports monitor mode. This can be done with the command iw list ('monitor' must appear under 'Supported interface modes').

[Image: Wireless Interface capabilities list]

  2. Start airmon-ng on the WLAN interface to put it in monitor mode. In this example, the interface is wlan0. Command: airmon-ng start wlan0.
  • If airmon-ng reports interfering processes, kill them with the command airmon-ng check kill.

[Image: Starting wlan interface in monitor mode]


  3. Now that the interface wlan0 is in monitor mode, start airodump-ng to begin the capture. Command: airodump-ng wlan0 --band a --write test.
  • Flags explanation:
    --band: band to be captured. 'a' is used for 5 GHz.
    --write: prefix of the files that airodump-ng creates for the capture.
    --bssid: filter on a specific FortiAP's MAC address.
    --channel: filter on a specific channel.

[Image: OTA Capture]


  4. The capture will start. Once the issue is reproduced, stop it by pressing Ctrl+C.
  5. Files with the name specified in the --write flag will be created. In this case, they were created under root.

[Image: Files created]


  6. Return the NIC to managed mode with the command airmon-ng stop wlan0.

[Image: airmon-ng stop wlan0]


Share the .cap file created on this capture for TAC analysis.
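The six steps above, wrapped into one script as an added example (not from the article or from Fortinet): it checks iw list for monitor mode, builds the airodump-ng command with validated --bssid/--channel filters, and restores managed mode when the capture is stopped with Ctrl+C. The helper names, the constructed iw list excerpts used for the offline self-check, and the assumption that the interface keeps the name wlan0 after airmon-ng start are mine, not the article's.

```bash
#!/usr/bin/env bash
# Added example wrapping the article's steps; not Fortinet's tooling. Assumed: the helper
# names, the constructed iw samples, and that the interface stays wlan0 after airmon-ng start.
# Step 1: does `iw list` output advertise monitor mode? (0 = yes, 1 = no)
supports_monitor_mode() {   # usage: supports_monitor_mode "$(iw list)"
  printf '%s\n' "$1" | awk '
    /Supported interface modes:/ { in_modes = 1; next }
    in_modes && /^[[:space:]]*\* / { if ($2 == "monitor") found = 1; next }
    in_modes && !/^[[:space:]]*\*/ { in_modes = 0 }
    END { exit found ? 0 : 1 }'
}

# Step 3: build the airodump-ng command line, validating the optional filters.
build_airodump_cmd() {   # usage: build_airodump_cmd IFACE PREFIX BAND [BSSID] [CHANNEL]
  local iface=$1 prefix=$2 band=$3 bssid=${4:-} channel=${5:-} cmd
  printf '%s' "$band" | grep -Eq '^[abg]{1,3}$' || { echo "bad band: $band" >&2; return 1; }
  cmd="airodump-ng $iface --band $band --write $prefix"
  if [ -n "$bssid" ]; then   # --bssid narrows the capture to one FortiAP radio
    printf '%s' "$bssid" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' \
      || { echo "bad BSSID: $bssid" >&2; return 1; }
    cmd="$cmd --bssid $bssid"
  fi
  if [ -n "$channel" ]; then cmd="$cmd --channel $channel"; fi
  printf '%s\n' "$cmd"
}

# Steps 2-6: check, enter monitor mode, capture until Ctrl+C, return to managed mode.
run_ota_capture() {   # usage (as root): run_ota_capture wlan0 test a [BSSID] [CHANNEL]
  local iface=$1 cmd; shift
  supports_monitor_mode "$(iw list 2>/dev/null)" || { echo "no monitor-mode NIC" >&2; return 1; }
  cmd=$(build_airodump_cmd "$iface" "$@") || return 1
  airmon-ng check kill           # stop the interfering processes airmon-ng reports
  airmon-ng start "$iface"
  trap 'airmon-ng stop "$iface"; exit 130' INT   # Ctrl+C ends airodump-ng and restores the NIC
  $cmd
  trap - INT
  airmon-ng stop "$iface"
}

# Constructed `iw list` excerpts (not real device output) for an offline self-check.
SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * managed
         * monitor
    Band 1:'
SAMPLE_IW_LIST_NO_MONITOR='Wiphy phy1
    Supported interface modes:
         * managed'

if [ $# -gt 0 ]; then run_ota_capture "$@"; fi   # e.g. sudo ./ota.sh wlan0 test a
```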

Comments
Adolfo_Z_H
Staff

Please be aware only a few WiFi adapters can be used to obtain OTA capture files; the most popular ones are those based on Realtek chips like the RTL8814AU and others. Other adapters might work as long as they can be used in monitor/promiscuous mode. We do not endorse or warranty any other products from different vendors. Those brands and models are mentioned here for information purposes only.