What is monitor mode
Monitor mode is also known as listening mode or promiscuous mode. In this mode of operation, the WiFi card listens to each and every packet that is in the “air”, and we can capture those packets with different programs. We hear not only what our own router or AP sends us, but also the information exchanged on other WiFi networks, such as those of our neighbors. Monitor mode scans all frequencies and collects as much data as possible. However, because it is continuously scanning all WiFi frequencies, if we want to obtain all the information from a certain router or AP we must fix the card on the specific channel that router or AP is broadcasting on, so as not to lose any important packets that it exchanges with its clients.
In this mode of operation, and using quite specific programs, we can learn the MAC address of every client connected to a specific WiFi router or access point, because the card can capture the frames that travel through the air from source to destination. This monitor mode feature, available on some Wi-Fi cards, is essential for conducting Wi-Fi network studies and wireless audits.
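The client inventory described above can be reproduced from frames saved during a monitor-mode capture. The following is an added example, not code from the original article or from any of the tools it names: a minimal 802.11 header parser that maps each BSSID to its SSID and to the client MAC addresses seen exchanging data with it. The frames, MAC addresses and the SSID "lab" are constructed sample data, and every packet is assumed to begin with a radiotap header.

```python
from collections import defaultdict

def strip_radiotap(pkt):
    # radiotap: version(1) pad(1) length(2, little-endian) present(4) ...
    length = int.from_bytes(pkt[2:4], "little")
    return pkt[length:] if 8 <= length <= len(pkt) else b""  # b"" = unusable

def parse_frame(frame):
    """Return ("beacon", bssid, ssid), ("client", bssid, station) or None."""
    if len(frame) < 24:                      # shorter than a 3-address header
        return None
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype == 8:          # management frame, beacon
        body = frame[36:]                    # skip header + 12 fixed bytes
        while len(body) >= 2:
            if body[0] == 0:                 # tag 0 carries the SSID
                return ("beacon", a3.hex(":"), body[2:2 + body[1]].decode("utf-8", "replace"))
            body = body[2 + body[1]:]
        return ("beacon", a3.hex(":"), "")
    if ftype == 2:                           # data frame
        if to_ds and not from_ds:            # client -> AP: addr1 is the BSSID
            return ("client", a1.hex(":"), a2.hex(":"))
        if from_ds and not to_ds and not (a1[0] & 1):  # AP -> unicast client
            return ("client", a2.hex(":"), a1.hex(":"))
    return None

def inventory(packets):
    ssids, clients = {}, defaultdict(set)
    for pkt in packets:
        rec = parse_frame(strip_radiotap(pkt))
        if rec and rec[0] == "beacon":
            ssids[rec[1]] = rec[2]
        elif rec:
            clients[rec[1]].add(rec[2])
    return ssids, {b: sorted(s) for b, s in clients.items()}

# Constructed sample capture (locally administered MACs, not real devices).
RT = bytes.fromhex("0000080000000000")       # minimal radiotap header
AP, STA1, STA2 = (bytes.fromhex("02000000000" + d) for d in "123")
BC = b"\xff" * 6
def build(fc0, flags, a1, a2, a3):
    return RT + bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"
SAMPLE = [build(0x80, 0, BC, AP, AP) + bytes(12) + b"\x00\x03lab",  # beacon
          build(0x08, 1, AP, STA1, AP),      # data, ToDS
          build(0x08, 2, STA2, AP, AP),      # data, FromDS, unicast
          build(0x08, 2, BC, AP, AP),        # data, FromDS, broadcast: ignored
          b"\x00\x00"]                       # truncated packet: ignored
```

The addresses come from the 802.11 MAC header, which is transmitted unencrypted even when the network uses WPA or WPA2, so `inventory(SAMPLE)` style analysis works on captures from protected networks as well.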
A well-known program for scanning Wi-Fi networks and checking SSIDs, channels, the number of clients and which clients are connected to a certain AP is Acrylic Wi-Fi, in either its Home or Professional version. Although this program works with any WiFi network card, if the chipset of our WiFi card is compatible with monitor mode and we have the appropriate drivers installed, we will be able to obtain a large amount of information, and even export it to pcap format for later study with packet analysis programs such as Wireshark, among many others.
A very important detail of monitor mode is that it must be supported both by the chipset of the WiFi card, whether the card connects via USB or PCIe, and by the drivers we use. If both conditions are not met, our WiFi network card will not be able to work in monitor mode.
What is it for and how to activate it
This operating mode is mainly used to audit WiFi wireless networks, that is, to hack WiFi networks and check their security. When we carry out an audit of WiFi networks, monitor mode is essential for capturing the packets that travel through the air, so that this information can later be used to start trying to hack wireless networks.
For example, if we want to hack a WiFi network with the WPA or WPA2 protocol, it is absolutely necessary to configure the WiFi card in monitor mode to capture the handshake. This handshake is the exchange of information that occurs when a WiFi client connects to the router and uses the WPA or WPA2 protocol. Once the handshake is captured, we can try to crack the password by brute force or by dictionary. When the WEP protocol existed in routers, it was also absolutely necessary to have a WiFi card with monitor mode capabilities, with the aim of capturing all the “frames” of the wireless network and later injecting them to obtain the password much more easily and quickly.
Activate it in Acrylic Wi-Fi
If we are going to use a program like Acrylic Wi-Fi to carry out an in-depth study of all the WiFi networks around us, and we want to capture all the data from the wireless networks, it is very important to have a WiFi network card that works in monitor mode. To make monitor mode work in this program we will need two things:
- That the WiFi network card has a chipset compatible with monitor mode.
- That we have the appropriate drivers installed on our computer, to activate it.
Once we meet both requirements, we can activate monitor mode in the program to see all types of WiFi packets, including beacons, data packets and control packets, as well as all the wireless clients that are currently connected to the wireless network. Another way is to use the NDIS drivers together with a WiFi card compatible with this driver and with the Acrylic operating mode.
Activate it on Linux
In Linux-based operating systems, if we use the Aircrack-ng suite, we can put the WiFi card in monitor mode very easily and quickly. We only have to execute the following command to activate it:
sudo airmon-ng start wlan0
Of course, in this case it is also essential to have a compatible WiFi card with the appropriate Linux drivers installed; otherwise it will not work. If you are interested in performing WiFi audits, our recommendation is that you use WiFiSlax, because it is the distribution that has the greatest default support for a very large number of WiFi card models. Detection is completely automatic, and we can enable or disable monitor mode via ifconfig or by using the pre-installed Aircrack-ng auditing suite.
As you have seen, the monitor mode of WiFi cards, whether with a USB or PCIe interface, allows us to capture each and every one of the packets that are in the “air”, and with the appropriate software we will be able to know the number of clients and which clients (with their MAC address) are connected to a certain WiFi router or access point. Also, if you are going to carry out WiFi audits, it is absolutely necessary to activate this mode of operation; otherwise you will not be able to achieve your goal of verifying security.