Promiscuous Mode Not Working?

[Jim O]

Here is a simple program:

bool sniff(PDU &pdu)
{
    // do something with the PDU
}

int main(int argc, char **argv)
{
    SnifferConfiguration config;
    config.set_promisc_mode(true);
   
    Sniffer sniffer("wlan0", config);
    sniffer.sniff_loop(sniff);

    return 0;
}

Whether the call to set_promisc_mode is included or commented out, I get only packets that are destined for the computer running this program as root and not packets being sent to other computers on the network. OS is Lubuntu 14.10.

Am I doing something wrong, is there something I am not doing, or is promiscuous mode not working?

[Matias Fontanini]

Setting a wireless interface to promiscuous mode doesn't have the same results as doing the same thing for an ethernet one. On wireless interfaces, since you are very likely using some sort of encryption on your access point, you won't be able to decrypt packets that are meant for other clients on the same network. If you don't use encryption, then you should be getting packets sent to other hosts as well, but this is probably not the case.

If you want to get packets sent to other clients, you could either use something like ARP spoofing so all packets are sent to you, or decrypt the traffic using the interface in monitor mode (see the WEP/WPA2Decrypter class on libtins for this).

[Jim O]

Thanks for the info. It seems the simplest way to decrypt the traffic is to use your dot11decrypt program. First, I downloaded the latest libtins zip file, extracted it, and rebuilt libtins and installed it. I then downloaded the dot11decrypt zip file and extracted it, then built dot11decrypt. Now I have the following problem:

If I run:   sudo ./dot11decrypt wlan0 spa:mynetSSID:mynetpasswd

without putting wlan0 into monitor mode, I get the following output:

Using device: tap0

Device is up.

If I put wlan0 into monitor mode and then run dot11decrypt as above, I get:

Using device: tap0

Device is up.

[-] That device is not up

In neither case do I get any output when I run my program (after changing the interface from wlan0 to tap0, of course). Am I still missing something?

[Matias Fontanini]

That seems to be an error message generated by libpcap, indicating that wlan0 is not up. Are you sure that you are both putting it into monitor mode and then making it active via ifconfig wlan0 up?

[Jim O]

Well that got me one step closer. I did not up the interface.

However, I am still not getting any output from my program so it appears that dot11decrypt is not sending anything to tap0.

I did check to make sure that my program is still works when wlan0 is in managed mode. And yes, I changed the interface specified for the Sniffer to tap0 before testing with dot11decrypt.

[Jim O]

To run dot11decrypt, I have been doing the following:

sudo ifconfig wlan0 down

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

sudo codeblocks

Then I run dot11decrypt in debug mode using the following program arguments:   wlan0 wpa:myssid:mypass

where myssid is the the name of the Wifi network I am attempting to monitor and mypass is the password required to connect to that Wifi network.

I get the following output:

Using device: tap0

Device is up.

In the program, packet_buffer.try_decrypt( ) always returns false because the call to decrypter.decrypt(pdu) returns false. I assume this probably means that I have the wrong values for myssid or mypass, If I am not using the correct values, what should they be.

What else might the problem be?

[Matias Fontanini]

WPA decryption requires capturing a handshake (meaning, you must see a client connecting to an access point). You can't decrypt traffic from clients which were already connected when you started the capture. Are you sure that you are capturing a handshake?

[Jim O]

I powered on my Android phone and connected to the network: no decryption. I powered off, then on my Windows 7 laptop and connected to the network: no decryption.