Scanning For Wireless Access Point Information Using Airodump-ng Kali Linux Tutorial

Hi, welcome back. In this tutorial you will learn how to scan for various wireless network information using airodump-ng. This information will allow further attacks to be performed on wireless access points in range. Airodump-ng comes pre-installed in Kali Linux.

If you're using a different Linux operating system, install airodump-ng by installing aircrack-ng.

apt-get install aircrack-ng

For other operating systems, download Aircrack-ng from the official website.

What is Kali Linux? Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.

What is Airodump-ng? Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng. If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points.

What is Monitor Mode? Monitor mode, or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the seven modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Mesh, Repeater, Promiscuous, and Monitor mode. [Source: Wikipedia]

First we need to put our wireless interface into monitor mode.

ifconfig wlan1 down

(Here wlan1 is the wireless interface name; this command takes the wireless interface down.)

Now put your card into monitor mode using the command below.

iwconfig wlan1 mode monitor

(This places your wireless interface in monitor mode.)

Optional: if you would like to spoof your MAC address with a random MAC address, run the macchanger command below before bringing the interface back up.

macchanger -r wlan1
ifconfig wlan1 up

(This will then put your wireless interface back up in monitor mode.)

Start airodump-ng: open a new terminal, type airodump-ng wlan1 (replace wlan1 with your wireless interface) and press Enter. If you don’t know the interface name of your wireless card, use ifconfig to find it.

What does all this information mean? It can be a little confusing for newcomers to interpret. Don’t worry, we will break the information down into understandable terms.

Beacons = Beacon frame is one of the management frames in IEEE 802.11 based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically to announce the presence of a wireless LAN. Beacon frames are transmitted by the access point (AP) in an infrastructure basic service set (BSS).
#Data = IV/S = Number of generated IVs (Initialization Vectors) per second. An IV is an arbitrary number that can be used alongside a secret key for data encryption. This number is also known as a nonce, as it is employed only once in any session.
#/s = Number of data packets per second.
PWR = Signal level reported by the card. Its meaning depends on the driver, but as the signal gets higher you get closer to the AP or the station.
CH = Wi-Fi Channel of Wireless Device (Router).
MB = Maximum speed supported by the AP. If MB = 11, it’s 802.11b, if MB = 22 it’s 802.11b+ and higher rates are 802.11g.
ENC = Tells encryption algorithm in use of the wireless devices in range.
CIPHER = The cipher detected. For example TKIP is typically used with WPA and CCMP is typically used with WPA2.
AUTH = Tells what authentication methods the wireless device uses.
ESSID = Tells the name, label of the wireless network.
STATION = Workstation, Device or Wireless Device that is connected to BSSID or looking for an access point.
Rate = Rate of data packet capture.
Lost = The number of data packets lost over the last 10 seconds.
Frames = Amount of frames received.
RXQ = Receive Quality as measured by the percentage of packets.
Probe = Tells what a wireless device is probing for; in short, which network the wireless device is looking for. Example: I own a mobile phone that I connected to a hotspot in the past but forgot to forget that network. The mobile phone would probe out to connect to that network every time wireless was enabled on the device.
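
An added example, not part of the original tutorial: a Python script that reads the CSV file airodump-ng writes (the --write option with the csv output format from the usage text further down) and reports the ENC, CIPHER and Probe values described above that point to a weak configuration on networks you administer. The sample rows are constructed, and the names parse and audit are illustrative.

```python
import csv
import io

# Constructed sample (not a real capture): AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:AA:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -48, 120, 0, 0.  0.  0.  0, 9, office-ap,
02:00:00:AA:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP, WEP, , -60, 95, 40, 0.  0.  0.  0, 6, legacy,
02:00:00:AA:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN, , , -71, 80, 0, 0.  0.  0.  0, 5, guest,
02:00:00:AA:00:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA, TKIP, PSK, -65, 80, 0, 0.  0.  0.  0, 7, old-wpa,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:BB:00:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50, 30, 02:00:00:AA:00:01, office-ap
02:00:00:BB:00:02, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70, 12, (not associated) , cafe-wifi,hotel-guest
"""

def parse(text):
    """Split the dump into (access_points, stations) lists of dicts."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text)):
        f = [c.strip() for c in row]
        if not f or not f[0]:
            continue
        if f[0] in ("BSSID", "Station MAC"):
            section = f[0]  # a header row starts a new table
        elif section == "BSSID" and len(f) >= 14:
            aps.append({"bssid": f[0], "enc": f[5].split(),
                        "cipher": f[6].split(), "essid": f[13]})
        elif section == "Station MAC" and len(f) >= 6:
            # Probed ESSIDs are comma-separated, so they spill into extra fields.
            stations.append({"mac": f[0], "bssid": f[5],
                             "probes": [p for p in f[6:] if p]})
    return aps, stations

def audit(text):
    """Return (subject, issue) findings for weak APs and leaky clients."""
    aps, stations = parse(text)
    findings = []
    for ap in aps:
        if "OPN" in ap["enc"]:
            findings.append((ap["essid"], "open network: traffic is unencrypted"))
        elif "WEP" in ap["enc"]:
            findings.append((ap["essid"], "WEP: obsolete, move to WPA2/WPA3"))
        elif "TKIP" in ap["cipher"]:
            findings.append((ap["essid"], "TKIP cipher: deprecated, use CCMP"))
    for sta in stations:
        if sta["bssid"] == "(not associated)" and sta["probes"]:
            findings.append((sta["mac"], "probes for: " + ", ".join(sta["probes"])))
    return findings
```

To review a survey of your own site, pass the text of the CSV file that airodump-ng wrote to audit() and print the returned pairs.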


Of course, it can get quite repetitive to keep putting your interface down and then back up again every time you want to use airodump-ng. If you prefer to automate the process, I have put a Bash script together to help you along the way.

What this Bash script does: the script puts the wireless interface down, then sleeps for 1 second. It then sets a random MAC address using macchanger. After that it puts the wireless interface into monitor mode using iwconfig (not airmon-ng). Once the interface is in monitor mode, the script brings the wireless interface back up and starts airodump-ng.

Bash Script

How to use:

Save as a Bash script using the .sh file extension.
Make the script executable.
chmod +x bashscript
From a terminal, launch the Bash script.

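#!/bin/bash
# Replace wlan1 with the name of your wireless interface.
# Take the interface down before changing its settings.
ifconfig wlan1 down
sleep 1
# Set a random MAC address.
macchanger -r wlan1
sleep 1
# Switch the card to monitor mode.
iwconfig wlan1 mode monitor
sleep 1
# Bring the interface back up and start scanning.
ifconfig wlan1 up
sleep 1
airodump-ng wlan1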


usage: airodump-ng <options> <interface>[,<interface>,...]

    --ivs                 : Save only captured IVs
    --gpsd                : Use GPSd
    --write      <prefix> : Dump file prefix
    -w                    : same as --write
    --beacons             : Record all beacons in dump file
    --update       <secs> : Display update delay in seconds
    --showack             : Prints ack/cts/rts statistics
    -h                    : Hides known stations for --showack
    -f            <msecs> : Time in ms between hopping channels
    --berlin       <secs> : Time before removing the AP/client
                            from the screen when no more packets
                            are received (Default: 120 seconds)
    -r             <file> : Read packets from that file
    -x            <msecs> : Active Scanning Simulation
    --manufacturer        : Display manufacturer from IEEE OUI list
    --uptime              : Display AP Uptime from Beacon Timestamp
    --wps                 : Display WPS information (if any)
                <formats> : Output format. Possible values:
                            pcap, ivs, csv, gps, kismet, netxml
                            Short format "-o"
                            The option can be specified multiple times.  In this case, each file format
                            specified will be output.  Only ivs or pcap can be used, not both.  
    --ignore-negative-one : Removes the message that says
                            fixed channel <interface>: -1
                <seconds> : Output file(s) write interval in seconds

Filter options:
    --encrypt   <suite>   : Filter APs by cipher suite
    --netmask <netmask>   : Filter APs by mask
    --bssid     <bssid>   : Filter APs by BSSID
    --essid     <essid>   : Filter APs by ESSID
    --essid-regex <regex> : Filter APs by ESSID using a regular
    -a                    : Filter unassociated clients

By default, airodump-ng hop on 2.4GHz channels.
You can make it capture on other/specific channel(s) by using:
    --channel <channels>  : Capture on specific channels
    --band <abg>          : Band on which airodump-ng should hop
    -C    <frequencies>   : Uses these frequencies in MHz to hop
    --cswitch  <method>   : Set channel switching method
                  0       : FIFO (default)
                  1       : Round Robin
                  2       : Hop on last
    -s                    : same as --cswitch

    --help                : Displays this usage screen