UnicMinds

Menu
What are Monitor and Injection Modes in WiFi Adapters - Cyber Security and Ethical Hacking

Monitor and Injection Modes in Wireless Adapters

WiFi vs. Ethernet

WiFi and Ethernet are two ways to connect to the network and Internet. Ethernet uses wires to connect to the router and to the computers, whereas WiFi uses wireless connection (essentially radio waves) to connect to the router. Ethernet is faster due to a wired connection with low latency whereas WiFi is relatively slow.

WiFi scores higher in convenience than the Ethernet as people can easily move around with no wires around. However, from a security point of view, Ethernet is more secure with a standard plugged in connection to the Internet. WiFi on the other hand communicates wirelessly in air and hence it is prone to interception and interference.

NIC vs. WNIC Card vs. WiFi Card vs. Wireless Adapters

In order to connect to a network using Ethernet, the device needs a Network Interface Card (NIC), whereas to connect to a WiFi network wirelessly the device needs a WiFi card which is nothing but a Wireless Network Interface Card (WNIC) Card. WNIC cards are a larger class of wireless cards and among them the ones that adhere to the WiFi standard are the WiFi Cards. These wireless cards are also called Wireless Adapters.

WNIC is nothing but a radio

Your wireless network interface is, in its most basic form, a radio. As such, it is capable of receiving and sending radio frequency signals at various frequencies. However, due to RF spectrum regulations and standards, wireless network adapters (NICs) will most likely transmit at either the 2.4 GHz band, or the 5 GHz band.

Our routers at home follow the 802.11 wireless standards at 2.4 GHz and 5 GHz. Wireless Standards —— IEEE 802.11ac/n/a 5 GHz, IEEE 802.11n/b/g 2.4 GHz

Modes of NICs

Network interface cards (NIC) are the physical devices that allow network capable devices to communicate over a specified network medium. Each NIC has a Media Access Code (MAC), which is meant to be unique to that specific NIC. This, along with an Internet Protocol (IP) address, allows for network devices to identify where to route network traffic for proper delivery. On the receiving end a NIC normally only looks for network traffic directed to it, so that processing software on the device is not flooded with all of the network traffic from the communication medium. If NICs did not do this, the device’s network communication speed would slow down. NICs have several different execution modes; though only one mode can be active at a time. These modes allow for different operations from the perspective of traffic handled and the administration of the device. Two of these that are of interest in this thesis are promiscuous and monitor mode, which allow for the capture of packets not destined for the host NIC. The other modes are Master, Managed, Ad-Hoc, Mesh, and Repeater. A NIC can be placed in these other modes, but they do not allow for packet capture in a manner that is of interest in this post or in our Ethical Hacking course.

Managed vs. Promiscuous vs. Monitor Mode on WiFi Adapter

Managed mode will enable the device to only see the traffic intended to the mac address and ip of the device running wireshark. Promiscuous mode will enable the device to see traffic of the WiFi network- meaning traffic intended to all devices on the same WiFi network. Monitor mode will enable you to see all wireless traffic from other networks too.

Most user machines run in managed mode. It is called managed mode because it is a constrained mode meant just for use among users, and not network devices. This allows them to connect 4 to a network under normal circumstances. This can be through a wired network or through a wireless base station depending on the NIC being used.

Normally a NIC runs in managed mode. In managed mode a NIC will only handle traffic with the correct MAC and IP addresses for the device that the NIC is attached to. Running a NIC in promiscuous mode allows for the capture of all traffic on the network that can be seen by the machine. This means that any traffic that a NIC can see is no longer ignored by the NIC. While capturing packets in promiscuous mode a NIC passes all of the captured packets to the operating system to handle. These are then handled by a software device driver used by an application running on the device

Monitor mode is similar to promiscuous mode, but it is only available on wireless NICs. It allows a user to sniff all network traffic in the wireless spectrum without first being associated with a wireless network, which cannot be done on a wired network. In general, a typical association would be where a computer that is authenticated with an access point has an assigned IP and can bi-directionally communicate with other devices on the network. With no association to a network there is no standard way to detect this type of wireless sniffing, as the machine doing the sniffing is completely passive. As a result the access point has no way of eliciting a response.

When your wireless network interface is in Monitor Mode, it will pass all incoming packets to the CPU. After which, you would be able to run various traffic analyzers.

Does that mean that you need to set your card to Monitor mode anytime you want to analyze the traffic for that interface? No. It depends, however, on the specific type of traffic that you want to inspect. If you’re analyzing traffic sent from the machine running Wireshark, Managed mode is fine. However, if you’re trying to capture network traffic that’s not being sent to or from the machine running Wireshark, you will probably have to capture in Monitor mode.

But, not all wireless NICs support monitor mode. Monitor mode is a hardware mode that needs a separate hardware.

How to check if my wireless adapter supports monitor mode?

On windows:

  1. Open your command prompt in administrator mode. (If you don’t know how to do this, check this site at the bottom.
  2. Type netsh, then press enter.
  3. Type “wlan show wirelesscapabilities”; press enter.
  4. The entry ‘Network monitor mode’ will be either show ‘Supported’ or ‘Not supported’.

WiFi Hardware for Monitor and Injection Mode

You have to mostly buy a new WiFi adapter that supports Monitor and Injection mode. We already covered Monitor mode above. We shall cover Injection mode below. Below is a list of suggested WiFi adapters that support monitor and injection mode.

Riverbed Air PCap is another popular brand of wireless USB adapters to capture and analyze 802.11 wireless traffic.

Riverbed Air Pcap is another popular brand of wireless USB adapters to capture and analyze 802.11 wireless traffic.

You can check the full list of ZSecurity’s Best Hacking Wireless Adapters here to buy in your own region.

Injection Mode in Wireless Adapter

Packet injection, often referred to as forging or spoofing packets, is a technique used in computer networking where an attacker inserts crafted packets into an existing data stream. These injected packets are designed to appear as part of the normal communication between network devices, making them difficult to detect. The primary goal of packet injection is to disrupt or intercept the flow of data, allowing the attacker to manipulate the network traffic for various malicious purposes.

Packet injection operates by creating and sending crafted packets into an existing network connection. The process begins with the creation of a raw socket, which allows direct access to the network interface. This is followed by constructing the necessary headers—Ethernet, IP, and TCP or UDP—in memory. The injected data is then assembled with these headers to form a complete packet.

Once the packet is assembled, it undergoes checksum calculations to ensure it appears legitimate. The final step involves sending the packet through the raw socket, making it part of the normal communication stream. This method allows the attacker to manipulate network traffic without detection, as the injected packets mimic legitimate ones.

Network interfaces play a crucial role in this process. By utilizing raw sockets or direct access to network adapter drivers, attackers gain full control over the packet headers, enabling precise manipulation of the data being transmitted. This capability is essential for executing various network attacks effectively.

Attack types that use Packet Injections

Packet injection is frequently employed in denial-of-service (DoS) attacks, where attackers flood a network with malicious packets to overwhelm and disrupt services. By injecting these packets, the attacker can cause significant network congestion, leading to service outages and degraded performance for legitimate users.

Another common use of packet injection is in man-in-the-middle (MitM) attacks. In these scenarios, the attacker intercepts and injects packets into the communication stream between two parties. This allows the attacker to eavesdrop, alter, or even hijack the communication, making it possible to steal sensitive information or inject malicious commands without the knowledge of the communicating parties.

Hope this is useful, thank you.

You may like to read: Intrusion Detection Systems, Encoding in ASCII and UTF, & TCP vs. UDP explained

Source(s):

  1. https://www.twingate.com/blog/glossary/packet%20injection
  2. https://www.hackingloops.com/monitor-mode/
  3. https://community.absolute.com/s/article/Performing-a-Network-Packet-Capture-With-netsh-trace
  4. https://emlogic.no/2024/01/wi-fi-sniffing-with-wireshark/
  5. https://objects.lib.uidaho.edu/etd/pdf/VanGundy_idaho_0089M_10382.pdf
  6. https://wiki.wireshark.org/HowToDecrypt802.11

YOU MIGHT ALSO LIKE

Adding Assets in Unity Games

Adding Assets in your Unity game

If you’re coding games in Unity, then it is a good idea to visit the Unity Asset Store. Unity Assets are high quality game assets…

summer coding courses for kids

Summer Coding Courses for Kids

As we head into the summer in the United States in two months, families and children look out for some time away from schoolwork and…

BOOK A FREE TRIAL