Scan for Wi-Fi Networks using airodump-ng

Introduction

Welcome to this lab on scanning for Wi-Fi networks using airodump-ng. airodump-ng is a core component of the Aircrack-ng suite, a set of tools for auditing wireless networks. Its primary function is to capture 802.11 frames, allowing you to see all the Wi-Fi access points and connected clients within range.

Before airodump-ng can be used, a wireless network interface card must be placed into "monitor mode" (typically with airmon-ng start wlan0). In monitor mode the card passes up every 802.11 frame it hears on its current channel, not just traffic addressed to it; airodump-ng then hops the card across channels so that, over time, it sees networks on all of them. For this lab, we have prepared a simulated environment with an interface already in monitor mode, so you can focus directly on using the tool.

In this lab, you will learn how to perform a general scan, interpret the results, focus your scan on specific bands and targets, and save the captured data for future analysis.

Start a General Scan on the Monitor Interface

In this step, you will start a basic scan to discover all nearby Wi-Fi networks. The fundamental command for this is airodump-ng followed by the name of your network interface in monitor mode.

In our simulated environment, the monitor mode interface is named wlan0mon.

Execute the following command in your terminal to begin scanning:

airodump-ng wlan0mon

You will see a live display of detected Wi-Fi networks. The tool will continuously scan and update this list. In a real scenario, you would press Ctrl+C to stop the scan. For this lab, the command will display the output and exit automatically.

Your output will look similar to this:

 CH  9 ][ Elapsed: 1 min ][ 2023-10-27 10:10 ][ WPA handshake: 1A:2B:3C:4D:5E:6F

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1A:2B:3C:4D:5E:6F  -45       24        8    0   6  540  WPA2 CCMP   PSK  MyHomeWiFi
 88:77:66:55:44:33  -67       12        3    0  11  300  WPA2 CCMP   PSK  CoffeeShop
 AA:BB:CC:DD:EE:FF  -78        8        1    0  36  866  WPA3 CCMP   SAE  SecureNet-5G
 11:22:33:44:55:66  -82        5        0    0   6  54   WPA  TKIP    PSK  OldRouter

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 1A:2B:3C:4D:5E:6F  00:11:22:33:44:55  -50    0 - 1      0        15  MyHomeWiFi

This output is divided into two main parts. The top part lists the detected Access Points (APs), and the bottom part lists the detected clients (Stations) and which AP they are connected to.

Interpret the airodump-ng Output Columns

In this step, we will break down the output from the previous scan to understand what each column means. This knowledge is crucial for effective wireless analysis. This is an informational step, and no commands are needed.

Access Point Section (Top)

This section provides details about the wireless routers or Access Points.

  • BSSID: The MAC address of the Access Point. This is its unique hardware identifier.
  • PWR: The signal strength of the AP as seen by your card, in dBm. Values closer to zero are stronger: -45 is a much stronger signal than -82. A value of -1 means the driver does not report signal level.
  • Beacons: The number of announcement packets sent by the AP. These packets advertise the network's presence.
  • #Data: The number of captured data packets (for WEP, the number of unique IVs). #/s is the number of data packets per second, measured over the last 10 seconds.
  • CH: The channel the AP is operating on (e.g., 1, 6, 11 for 2.4GHz).
  • MB: The maximum speed supported by the AP in Mbit/s. A trailing "e" indicates QoS (802.11e) support and a trailing "." a short preamble.
  • ENC: The encryption standard in use: OPN (no encryption), WEP, WPA, WPA2 or WPA3.
  • CIPHER: The cipher detected, e.g. CCMP (AES), TKIP, or WEP40/WEP104 for WEP.
  • AUTH: The authentication method: PSK (pre-shared key), MGT (802.1X/enterprise), SAE (WPA3-Personal) or OPN.
  • ESSID: The public name of the Wi-Fi network, also known as the SSID.

Client Section (Bottom)

This section lists clients (like laptops and phones) that are connected to the APs.

  • BSSID: The MAC address of the AP the client is associated with.
  • STATION: The MAC address of the client device.
  • PWR: The signal strength of the client as seen by your device.
  • Rate: The station's receive rate followed by its transmit rate, in Mbit/s (e.g., 0 - 1).
  • Lost: The number of data packets lost over the last 10 seconds, inferred from gaps in the 802.11 sequence numbers.
  • Frames: The number of data frames sent by the client.
  • Probe: The ESSIDs the client is probing for. For a client not connected to any AP, the BSSID column reads "(not associated)" and this column is often the only clue to which networks it is looking for.

Understanding these fields allows you to quickly assess the security posture and activity of the networks around you.

Focus the Scan on a Specific Band using --band

By default, airodump-ng hops only across the 2.4GHz channels (the equivalent of --band bg); 5GHz channels are not visited unless you ask for them. On real hardware a default scan would therefore not have shown SecureNet-5G on channel 36; the lab's simulated output includes it for illustration. Hopping across more channels than you need also means less time spent on each one, so narrowing the band makes the scan more efficient.

You can use the --band flag to tell airodump-ng which bands to hop. The letters can be combined, for example --band abg to cover both bands in one run:

  • a: 5GHz channels (36, 40, 44, ...).
  • b: 2.4GHz channels 1-14.
  • g: the same 2.4GHz channel set as b; the letter distinguishes 802.11g from 802.11b rates, not a different channel range.

Let's run a scan that focuses only on the 5GHz band.

airodump-ng --band a wlan0mon

The output will now only show networks operating in the 5GHz spectrum. Notice that the channels listed are higher (e.g., 36, 40, 44).

 CH 36 ][ Elapsed: 30 s ][ 2023-10-27 10:15 ][ BSSID: AA:BB:CC:DD:EE:FF

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 AA:BB:CC:DD:EE:FF  -78       15        5    0  36  866  WPA3 CCMP   SAE  SecureNet-5G
 99:88:77:66:55:44  -55       10        2    0  40  1200 WPA2 CCMP   PSK  Office-5G

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

This technique is useful for reducing noise and concentrating capture efforts on a specific type of network.

Identify a Target BSSID and Channel

Once you have identified an interesting network from your general scan, you can focus airodump-ng exclusively on that network. This is essential for more advanced attacks or deep packet analysis, as it stops the scanner from hopping to other channels and ensures you capture all traffic from your target.

To do this, you use the --bssid and --channel flags.

Let's target the MyHomeWiFi network from our first scan. Looking back at that output, we can see its details:

  • BSSID: 1A:2B:3C:4D:5E:6F
  • Channel: 6

Now, run the following command to lock the scan onto this specific access point:

airodump-ng --bssid 1A:2B:3C:4D:5E:6F --channel 6 wlan0mon

When you run this command, airodump-ng will stop channel hopping and listen only on channel 6. The output will be filtered to show only the specified BSSID and any clients connected to it. This dramatically improves the reliability of capturing data for a single target: a hopping scanner spends only a fraction of its time on any one channel and will miss short exchanges such as a WPA 4-way handshake, which only appears on the AP's channel.

(Note: In our simulation, the output will look the same as the general scan, but in a real-world scenario, the display would be filtered as described.)

Save Scan Results to a File using the -w Flag

Viewing live data is useful, but often you'll need to save the captured traffic for later, offline analysis or for use with other tools like aircrack-ng (for cracking passwords) or Wireshark (for deep packet inspection).

The -w (or --write) flag tells airodump-ng to save the captured data to disk. You provide a prefix, and airodump-ng creates several files with different extensions: a .cap (pcap) file with every frame captured, plus .csv, .kismet.csv, .kismet.netxml and .log.csv summaries. The --output-format flag (e.g. --output-format pcap,csv) limits which of these are written. Because -w records every frame your card hears, combine it with --bssid and --channel when you are authorised to test only one network, so the capture is scoped to that target rather than to every network in range.

Let's run a scan and save the results with the prefix scan_results.

airodump-ng -w scan_results wlan0mon

After the command runs, list the files in your current directory to see what was created.

ls -l

You should see new files, including scan_results-01.csv. airodump-ng automatically adds a number to the filename to prevent overwriting previous captures.

-rw-r--r-- 1 labex labex 512 Oct 27 10:20 scan_results-01.csv
...

The .csv file contains a comma-separated version of the output you saw on the screen, in two sections: a block of access-point rows (BSSID, first/last seen, channel, speed, privacy, cipher, authentication, power, beacons, IVs, LAN IP, ESSID length, ESSID, key), a blank line, then a block of client rows introduced by a "Station MAC" header (station MAC, first/last seen, power, packets, associated BSSID, probed ESSIDs). Fields are padded with spaces, so trim them before comparing values. This layout is easy to parse with scripts or import into spreadsheets. Let's view its content:

cat scan_results-01.csv

The output will be the text-based data from the scan, formatted for easy machine reading. Saving scan data is a critical step in any professional wireless audit.
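Once the .csv exists, the step of reading a BSSID and channel off the screen and retyping them into --bssid and --channel (as done above for MyHomeWiFi) can be automated, and the same pass over the file can flag access points with weak security. The following Python script is an added example, not part of the original lab or of the Aircrack-ng suite. The embedded CSV is constructed to mirror the lab's simulated scan using airodump-ng's real column layout; the second client row, an unassociated station probing for two networks, is an assumption added to exercise that case.

```python
"""Parse an airodump-ng CSV (the -w prefix-NN.csv file), build a locked-on
capture command for a chosen network, and flag known-weak configurations.

Added example for this lab; not airodump-ng code.  The CSV below is
constructed to match the lab's scan (airodump-ng's real column order).
"""
import csv
import io

SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
1A:2B:3C:4D:5E:6F, 2023-10-27 10:09:00, 2023-10-27 10:10:00,  6, 540, WPA2, CCMP, PSK, -45,       24,        8,   0.  0.  0.  0,  10, MyHomeWiFi, 
88:77:66:55:44:33, 2023-10-27 10:09:02, 2023-10-27 10:10:00, 11, 300, WPA2, CCMP, PSK, -67,       12,        3,   0.  0.  0.  0,  10, CoffeeShop, 
AA:BB:CC:DD:EE:FF, 2023-10-27 10:09:05, 2023-10-27 10:10:00, 36, 866, WPA3, CCMP, SAE, -78,        8,        1,   0.  0.  0.  0,  12, SecureNet-5G, 
11:22:33:44:55:66, 2023-10-27 10:09:07, 2023-10-27 10:10:00,  6,  54, WPA, TKIP, PSK, -82,        5,        0,   0.  0.  0.  0,   9, OldRouter, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2023-10-27 10:09:10, 2023-10-27 10:10:00, -50,       15, 1A:2B:3C:4D:5E:6F, MyHomeWiFi
DE:AD:BE:EF:00:01, 2023-10-27 10:09:30, 2023-10-27 10:09:59, -70,        4, (not associated), CoffeeShop,OldRouter
"""


def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts.

    The file has two sections: AP rows after a 'BSSID' header, then client
    rows after a 'Station MAC' header.  Fields are space padded, so strip
    them.  A client may probe several ESSIDs, which appear as extra fields.
    """
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        row = [f.strip() for f in row]
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap":
            aps.append({
                "bssid": row[0], "channel": int(row[3]), "speed": int(row[4]),
                "enc": row[5], "cipher": row[6], "auth": row[7],
                "power": int(row[8]), "beacons": int(row[9]), "essid": row[13],
            })
        elif section == "station":
            stations.append({
                "station": row[0], "power": int(row[3]), "frames": int(row[4]),
                "bssid": row[5], "probes": [p for p in row[6:] if p],
            })
    return aps, stations


def target_command(aps, essid, iface="wlan0mon", prefix=None):
    """Build the --bssid/--channel command for the AP with the given ESSID.

    Refuses ambiguous names: two APs can advertise the same ESSID, and the
    scan must be locked to exactly one BSSID and channel.
    """
    matches = [ap for ap in aps if ap["essid"] == essid]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} APs match ESSID {essid!r}; pick by BSSID")
    ap = matches[0]
    cmd = ["airodump-ng", "--bssid", ap["bssid"], "--channel", str(ap["channel"])]
    if prefix:
        cmd += ["-w", prefix]
    cmd.append(iface)
    return " ".join(cmd)


def weak_networks(aps):
    """Flag APs whose ENC/CIPHER columns show a known-weak configuration."""
    findings = []
    for ap in aps:
        if ap["enc"] == "OPN":
            findings.append((ap["essid"], ap["bssid"], "open network, no encryption"))
        elif ap["enc"] == "WEP":
            findings.append((ap["essid"], ap["bssid"], "WEP is cryptographically broken"))
        elif "TKIP" in ap["cipher"]:
            findings.append((ap["essid"], ap["bssid"], "TKIP (RC4) cipher still enabled"))
    return findings


def clients_by_network(aps, stations):
    """Group station MACs by the ESSID of the AP they are associated with."""
    essid_of = {ap["bssid"]: ap["essid"] for ap in aps}
    grouped = {}
    for st in stations:
        key = essid_of.get(st["bssid"], "(not associated)")
        grouped.setdefault(key, []).append(st["station"])
    return grouped


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(target_command(aps, "MyHomeWiFi", prefix="target"))
    for essid, bssid, reason in weak_networks(aps):
        print(f"WEAK  {essid:<14} {bssid}  {reason}")
    for essid, macs in clients_by_network(aps, stations).items():
        print(f"{essid:<18} {', '.join(macs)}")
```

Point the script at a real capture by replacing SAMPLE_CSV with the contents of scan_results-01.csv; the parser only assumes airodump-ng's column order, not the constructed values. The ESSID match is exact on purpose: probe lists and duplicate network names are exactly where a careless regex would pick the wrong BSSID.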

Summary

In this lab, you learned the fundamental operations of airodump-ng for wireless network discovery. These skills are the first step in any Wi-Fi security assessment.

You have successfully practiced:

  • Starting a general scan on a monitor interface (airodump-ng wlan0mon).
  • Interpreting the detailed output, including BSSIDs, power levels, encryption types, and connected clients.
  • Focusing scans on specific frequency bands using the --band flag.
  • Targeting a specific access point for detailed analysis using --bssid and --channel.
  • Saving scan results to a file for later analysis using the -w flag.

Mastering these commands provides a solid foundation for moving on to more advanced wireless penetration testing techniques.