

BT5 + Wireshark: WiFi packet capture and man-in-the-middle attack

Posted by patinella at 2020-04-16

Foreword: first of all, this article was not written by me. It was written by a foreign security expert, Deepanshu Kapoor. At first I just read it casually, but I was moved by the carefulness and patience of the author. The whole process is very simple, but he split it into many steps to explain it. Each step has a screenshot and an explanation; even the parameters of each command are explained once. I have to admire this spirit of sharing and dedication, so I have learned from it and translated the article into Chinese for you to read. I have tried to keep it faithful to the original; forgive me if anything is inappropriate, since after all I am not a professional translator. (For those interested in the original PDF document, I can send it to you.)

BT5 + Wireshark: WiFi packet capture and session injection (man-in-the-middle attack)


The main idea is to attack users connected to a WiFi network by forging an access point with the same name and sending ARP packets. Once a forged access point with the same name as the original WiFi is up, the user is disconnected from the original link and connects to the forged access point you set up. From then on all of the user's traffic flows through the attacker's system, and session injection is then used to obtain the user's details, credentials and other information.

Required tools:

Step 1:

Open a terminal in BT5 and enter "iwconfig" to check the wireless network card.

Description: iwconfig is similar to ifconfig but is used for wireless networking; it is commonly used to set the parameters of a wireless network card.

Step 2:

Enter "airmon-ng start wlan0" to start the wireless network card in monitor mode.

Note: this command puts the wireless network card into monitor mode. It can also be used to switch the card back from monitor mode to managed mode. Entering "airmon-ng" without parameters displays the status of the network cards.

wlan0 refers to the WiFi network card.

WLAN means wireless LAN, and 0 is the index of your network card.

Step 3:

Once the network card is in monitor mode, enter "airodump-ng mon0" to start capturing packets.

Description: airodump-ng captures raw 802.11 frames and is especially suited to collecting WEP initialization vectors for cracking with aircrack-ng. airodump-ng can also record the coordinates of the access points it finds.

In monitor mode, mon0 refers to the same card as wlan0.

Once you put wlan0 into monitor mode, it appears as mon0.

Step 4:

Set the channel to the channel ID shown by airodump-ng, as follows:


Note: the "channel" parameter (--channel) restricts the capture to a single specific channel.

Step 5:

Now start building your fake router with the following command:

Description: airbase-ng is a multi-purpose tool for attacking the clients of an AP (access point). The main idea is to lure clients into connecting to the forged AP rather than to stop them from connecting to the real AP.

"-e <SSID>" specifies the SSID name of the forged AP.
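The defender's view of this step: a forged AP that reuses a real SSID is visible in airodump-ng's own output as one ESSID advertised by two BSSIDs, usually with different security settings, since the airbase-ng AP often beacons as open while the real network runs WPA2. The script below is an added example written for this page, not code from the original article or from the aircrack-ng project. It parses a CSV in the layout of an airodump-ng export (the sample is constructed; the column layout is an assumption modelled on the tool's `-w` CSV output) and flags such twins.

```python
"""Detect evil-twin access points in an airodump-ng style CSV export.

Added example for this page (not from the original article). Assumes the
layout of airodump-ng's CSV export: an access-point table first, a blank
line, then a station table. The sample is constructed, not a real capture.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of an airodump-ng CSV export (assumption:
# column names match the tool's export; all values are made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2020-04-16 10:00:01, 2020-04-16 10:09:58,  6,  54, WPA2, CCMP, PSK, -41,  300,  0,   0.  0.  0.  0,  8, HomeWiFi, 
AA:BB:CC:DD:EE:FF, 2020-04-16 10:05:12, 2020-04-16 10:09:59, 11,  54, OPN ,     ,    , -35,  180,  0,   0.  0.  0.  0,  8, HomeWiFi, 
66:77:88:99:AA:BB, 2020-04-16 10:00:03, 2020-04-16 10:09:50,  1,  54, WPA2, CCMP, PSK, -70,  290,  0,   0.  0.  0.  0, 10, CoffeeShop, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2020-04-16 10:06:00, 2020-04-16 10:09:59, -50,  40, AA:BB:CC:DD:EE:FF, HomeWiFi
"""


def parse_access_points(text):
    """Return the access-point table (rows before the first blank line) as dicts.

    Column names and values are stripped because the export pads every field
    with spaces.
    """
    ap_block = text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_block), skipinitialspace=True)
    rows = []
    for row in reader:
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def find_evil_twins(aps):
    """Group APs by ESSID and report names advertised by more than one BSSID.

    Several BSSIDs per ESSID is normal for multi-AP networks, so a twin is
    only rated "high" when the copies disagree on encryption: a roaming
    network keeps one security setting, a rogue copy usually does not.
    """
    by_essid = defaultdict(list)
    for ap in aps:
        if ap.get("ESSID"):
            by_essid[ap["ESSID"]].append(ap)

    findings = []
    for essid, group in by_essid.items():
        if len(group) < 2:
            continue
        privacies = {ap["Privacy"] for ap in group}
        channels = {ap["channel"] for ap in group}
        reasons = []
        if len(privacies) > 1:
            reasons.append("encryption mismatch: " + ", ".join(sorted(privacies)))
        if len(channels) > 1:
            reasons.append("channel mismatch: " + ", ".join(sorted(channels, key=int)))
        findings.append({
            "essid": essid,
            "bssids": sorted(ap["BSSID"] for ap in group),
            "severity": "high" if len(privacies) > 1 else "info",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_evil_twins(parse_access_points(SAMPLE_CSV)):
        print(finding)
```

Run against a real export, the "info" findings are the enterprise or mesh networks you already know about; the "high" ones, an open BSSID wearing a WPA2 network's name, are the case this article builds.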

Step 6:

Now it is time to "bridge" the networks. The command is as follows:

(The original says the middleman is <interface name>. What the author actually means is that the bridge built on the at0 interface is the man in the middle, and this is where the attack is completed. Translator's note)


brctl is used to build a bridge between two network cards.

addbr adds a bridge; <name> specifies the name of the bridge.

addif adds a network card to a bridge created with addbr; the following argument is the name of the network card you want to add.

Step 7:

Now configure the new network interface. The command is as follows:

Needless to say, ifconfig is used to configure network cards; everyone uses it all the time.

Step 8:

Now we can bring up the bridge we will use for the man-in-the-middle attack. The command is as follows:

Note: the configured bridge is enabled with ifconfig.

Step 9:

Now send the authentication packets to the router with the following command:

Description: aireplay-ng is used to inject frames.

-a specifies the BSSID of the victim.

94:44:52:da:b4:28 is the BSSID of the attacker.
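The frames aireplay-ng injects here are what pushes clients off the real AP, and that is also how a wireless IDS notices the step: a burst of deauthentication or disassociation management frames, all "sent" by the AP's own address, far above the rate any AP produces on its own. The following is an added example written for this page, not from the original article or the aircrack-ng project. Frames are a small record type rather than a live capture so it runs offline; the frame list, the addresses and the window/threshold values are constructed assumptions.

```python
"""Detect deauthentication/disassociation floods in a stream of 802.11 frames.

Added example for this page (not from the original article). Frames are a
simple record type so the detector runs offline; the sample frames and
addresses below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    subtype: str   # "beacon", "deauth", "disassoc", "data", ...
    src: str       # transmitter address as it appears on the air (unauthenticated)
    dst: str       # receiver address
    bssid: str     # BSSID the frame belongs to


BROADCAST = "ff:ff:ff:ff:ff:ff"
LEGIT_AP = "00:11:22:33:44:55"      # constructed address of the real AP
CLIENT = "de:ad:be:ef:00:01"        # constructed client address
KNOCK_OFF = {"deauth", "disassoc"}  # management subtypes that evict a client


def constructed_frames():
    """Constructed sample: normal beacons, one benign deauth, then a flood."""
    frames = [Frame(i * 0.1024, "beacon", LEGIT_AP, BROADCAST, LEGIT_AP)
              for i in range(20)]
    # A client leaving politely sends a single deauth: not an attack.
    frames.append(Frame(0.30, "deauth", CLIENT, LEGIT_AP, LEGIT_AP))
    # 25 deauths in 0.25 s whose source address is the AP itself.
    frames += [Frame(1.0 + i * 0.01, "deauth", LEGIT_AP, BROADCAST, LEGIT_AP)
               for i in range(25)]
    return frames


def detect_knock_off_flood(frames, window_s=1.0, threshold=10):
    """Return one alert per sender whose deauth/disassoc count inside any
    sliding window of window_s seconds reaches threshold.

    The sender is whatever address the frame carries. Without 802.11w
    (Protected Management Frames) anyone can write the AP's address there,
    so a flood "from the AP" is the normal signature of injected frames.
    """
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    peak = {}                     # sender -> largest count seen in one window
    claims_ap = {}                # sender -> did it use the BSSID as its address
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in KNOCK_OFF:
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:
            q.popleft()
        peak[f.src] = max(peak.get(f.src, 0), len(q))
        claims_ap[f.src] = claims_ap.get(f.src, False) or f.src == f.bssid
    return [{"sender": src, "peak_in_window": n, "window_s": window_s,
             "sender_claims_to_be_ap": claims_ap[src]}
            for src, n in sorted(peak.items()) if n >= threshold]


if __name__ == "__main__":
    for alert in detect_knock_off_flood(constructed_frames()):
        print(alert)
```

The single client deauth stays below threshold, the 25-frame burst trips it once, and the alert records that the burst used the AP's own address. Detection only tells you it happened; the fix that makes the injected frames useless is enabling 802.11w on the AP and clients so management frames are authenticated.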

Step 10:

Now start assigning IP addresses to the attacker. The command is as follows:


IP addresses are assigned using a DHCP-like protocol.

Step 11:

Now you can check whether a client has connected: a message will appear in the terminal from step 5.

Step 12:

Start Wireshark with the command "wireshark &".

Wireshark is a network protocol analyzer for packet capture.

Step 13:

Select the network card and click Start.

Step 14:

Enter "http contains POST" as the display filter, and you can see all the captured packets of interest.


The captured POST data shows:

Username – john

Password – 1234
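What makes this last step work is that the login form posts its fields over plain HTTP, so anyone on the path (here, the bridge) reads them. The same observation gives the defender a check. The script below is an added example written for this page, not code from the original article: it parses raw HTTP requests (constructed samples, reusing the page's john/1234 form) and reports which POSTs carry credential-looking fields in cleartext, naming the field but never copying its value. The field-name pattern is a heuristic assumption, and the host name is constructed.

```python
"""Flag HTTP POSTs that carry credential-like form fields in the clear.

Added example for this page (not from the original article). The requests
below are constructed samples; the credential field-name pattern is a
heuristic, not a standard.
"""
import re
from urllib.parse import parse_qs

# Constructed raw HTTP/1.1 requests as they would appear reassembled from a capture.
SAMPLE_REQUESTS = [
    ("POST /login HTTP/1.1\r\n"
     "Host: example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: 27\r\n"
     "\r\n"
     "username=john&password=1234"),
    ("GET /index.html HTTP/1.1\r\n"
     "Host: example.test\r\n"
     "\r\n"),
    ("POST /api/search HTTP/1.1\r\n"
     "Host: example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: 11\r\n"
     "\r\n"
     "q=wifi+mitm"),
]

# Heuristic (assumption): field names that usually hold a secret.
CREDENTIAL_FIELD_RE = re.compile(r"pass|pwd|secret|token|otp", re.IGNORECASE)


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, body).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw_requests):
    """Return one finding per form POST that contains a credential-like field.

    Values are deliberately not returned: a detector that copies the secret
    into its own logs only creates a second place to steal it from.
    """
    findings = []
    for raw in raw_requests:
        method, path, headers, body = parse_http_request(raw)
        if method != "POST":
            continue
        if not headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            continue
        fields = parse_qs(body, keep_blank_values=True)
        hits = sorted(name for name in fields if CREDENTIAL_FIELD_RE.search(name))
        if hits:
            findings.append({"host": headers.get("host", ""),
                             "path": path, "fields": hits})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUESTS):
        print("cleartext credential POST:", finding)
```

In Wireshark itself, `http.request.method == "POST"` is the precise form of the filter used above, since `http contains POST` also matches any response body that happens to contain the word. On the application side the finding has one remedy: serve the login form and its action URL over HTTPS (with HSTS so the browser refuses to fall back), at which point the bridge in step 6 sees only TLS records.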