From charlesreid1

Overview of Wifi Networks

Let's talk for a moment about how wifi networks work.

Basic Wifi Network Architecture

The basic architecture is a single access point (usually also the gateway/router) on a local wireless network, with multiple clients associated to it over the air. As the clients generate web and other traffic, that traffic passes between the access point and each client as 802.11 frames, each transmitted as a radio signal. Each frame has a header, which (like the envelope of a letter) contains routing information readable by anyone within radio range: MAC addresses, frame type and flags. Each frame also has a body, or payload, which on a WPA/WPA2-protected network is encrypted (more on that in a moment). On an open network with no key, the body goes over the air in the clear as well.

What Eavesdroppers Can See

TLDR: Layer 1 and Layer 2 are completely visible to an eavesdropper

If I were a nefarious eavesdropper and I moved in next door, I would be perfectly capable of using a radio antenna to see all of those packets being transmitted. I could read the headers, which contain publicly-readable routing information, and get MAC addresses of nearby devices and a picture of which devices are talking to which.

This is quite a bit of information - MAC addresses are tied to manufacturers, equipment can be used to triangulate positions, and you can get a very clear picture of which clients are talking to which devices and where simply by using publicly-broadcast information.

This information is obtained by putting the wireless card into "monitor mode." Normally (in managed mode), when a wireless card receives a frame, the card's own MAC hardware/firmware checks whether the frame is addressed to it, or is a broadcast/multicast it should accept. If it is not, the card discards the frame and the host CPU never sees it. In monitor mode nothing is discarded: the card passes every frame it can decode, regardless of destination or network, up to the host, which can then process the frames and aggregate data about wireless network traffic.
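The following is an added example, not code from the original page: it parses a radiotap-prefixed 802.11 data frame the way a monitor-mode capture presents it, and pulls out exactly what the cleartext header gives away (frame type, source, destination, BSSID, and whether the body is encrypted). The frames and MAC addresses are constructed for the example; there is no real capture involved, and build_data_frame, parse_capture and who_talks_to_whom are names chosen here.

```python
import struct
from collections import Counter

# Constructed, hypothetical capture data for this example: a minimal 8-byte
# radiotap header (version 0, no present fields) of the kind a monitor vif
# prepends to each 802.11 frame it hands to userspace.
RADIOTAP_HDR = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])

FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(addr1, addr2, addr3, *, to_ds=False, from_ds=False,
                     protected=True, body=b""):
    """Assemble a radiotap-prefixed 802.11 data frame (constructed test input)."""
    fc_byte = 0x08                      # version 0, type 2 (data), subtype 0
    flags = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    flags |= FLAG_PROTECTED if protected else 0
    header = (bytes([fc_byte, flags]) + b"\x00\x00"          # frame control, duration
              + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
              + b"\x10\x00")                                  # sequence control
    return RADIOTAP_HDR + header + body


def parse_capture(buf):
    """Return what the cleartext 802.11 header reveals about one captured frame."""
    version, _pad, rt_len = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or rt_len > len(buf):
        raise ValueError("bad radiotap header")
    frame = buf[rt_len:]
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    a4 = None
    if ftype == 2 and to_ds and from_ds:        # 4-address (WDS) data frame
        a4, hdr_len = frame[24:30], 30
    if ftype == 2 and subtype & 0x08:           # QoS data carries 2 extra bytes
        hdr_len += 2
    # The meaning of addr1..addr3 depends on the To-DS/From-DS bits.
    if not to_ds and not from_ds:
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:
        da, bssid, sa = a1, a2, a3
    elif to_ds and not from_ds:
        bssid, sa, da = a1, a2, a3
    else:
        da, sa, bssid = a3, a4, None
    return {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "da": mac_text(da),
        "sa": mac_text(sa),
        "bssid": mac_text(bssid) if bssid else None,
        # Protected bit set => the body is CCMP/TKIP ciphertext; all we learn is its size.
        "protected": bool(flags & FLAG_PROTECTED),
        "body_len": len(frame) - hdr_len,
    }


def who_talks_to_whom(captures):
    """Tally (source, destination) pairs: the picture an eavesdropper gets for free."""
    tally = Counter()
    for buf in captures:
        info = parse_capture(buf)
        tally[(info["sa"], info["da"])] += 1
    return tally


if __name__ == "__main__":
    ap, sta, gw = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:cc:03"
    frames = [
        build_data_frame(ap, sta, gw, to_ds=True, body=b"\x00" * 40),    # sta -> AP
        build_data_frame(sta, ap, gw, from_ds=True, body=b"\x00" * 60),  # AP -> sta
    ]
    for f in frames:
        print(parse_capture(f))
    print(who_talks_to_whom(frames))
```

The address fields swap meaning with the To-DS/From-DS flags, which is why the parser has to look at the flags before it can say who is talking to whom; everything it reports comes from the unencrypted header, and the Protected bit tells you up front that the body after it is ciphertext.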

What Eavesdroppers Cannot See

TLDR: On a WPA/WPA2-protected network, Layer 3 and up are invisible to an outside eavesdropper

However, an eavesdropper listening to those frames does not get any information about network schema, IP addresses, port numbers, protocols, and so on. All of that information (the IP and TCP/UDP headers as well as the application data) sits inside the frame body, which is encrypted. Only stations holding the network's key material can decrypt it: on an open network there is none and everything is visible, while on a WPA/WPA2-PSK network the passphrase and SSID yield a shared master key, from which each client and the AP derive a per-client session key during the 4-way handshake, and that session key is what protects the client's traffic.

Obtaining this information would require an attacker to move from Layer 1 and Layer 2 (physical device and MAC addresses) to Layer 3 and Layer 4 (Network and Transport protocols). That requires the eavesdropper either to join the network, or to get hold of the passphrase and derive the session keys from captured handshakes. (Hence the way an attack chain works is by starting from the physical layer and working on up through the OSI layers.)

What Network Neighbors Can See

TLDR: Layer 1 and Layer 2 are completely visible to a network neighbor. Layer 3 is partially visible.

Now, suppose the nefarious eavesdropper is not a stranger who moves in next door, but your coworker in the next cubicle over. How is information on a wifi network protected among the clients on that network?

When a router broadcasts packets, the packets contain header information about the destination of that packet. Those packets are broadcast publicly, so everyone can see them, and wireless cards are simply expected to drop packets that are not intended for them. Just as a wifi card will drop any packets coming from wifi networks it is not associated with, a wifi card will also drop any packets coming from the AP that aren't intended for it.

In practice, then, the nefarious coworker who is a network neighbor gets one of two things: with the card in monitor mode, every frame between you and the AP, but with the body still encrypted under your session key; or with the card in normal managed mode, decrypted traffic, but only for frames addressed to the coworker, because the card drops everything else.

What Network Neighbors Can't See

TLDR: Layer 3 is partially visible, but error-prone. Requires good equipment.

Your nefarious coworker, who is also a network neighbor, has a wifi card and is attempting to eavesdrop on your traffic. In theory, the coworker should not be able to see any frames passing between you and the AP - the network card will drop any packets not intended for it.

Theoretically, though, it should be possible to turn on a pseudo "monitor mode" for receiving all frames for all clients on a local network. After all, the coworker has the network key. The catch is that on WPA2-PSK the shared passphrase is not itself the traffic key: each client's frames are encrypted with a pairwise key derived from the passphrase, the SSID, the two MAC addresses and the two nonces exchanged in that client's 4-way handshake. The coworker therefore also has to capture that client's handshake (sent when the client associates) before that client's traffic can be decrypted. Only broadcast and multicast traffic, which uses the group key the AP hands to every client, is readable with the passphrase alone.

Monitoring packets at Layer 3, however, is not as simple as monitoring packets at Layer 1 and 2. At higher layers, there are additional layers of encapsulation and encryption, and contents and order of packets becomes more important. Missing or garbled packets can be problematic, and if you're eavesdropping, there's no way to ask the AP to re-transmit packets or data that you missed, as only the client can do that.
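The key derivation behind the two points above (that the encrypted body hides Layer 3, and that a neighbor's passphrase alone does not unlock another client's traffic) can be run through directly. This is an added example, not code from the original page: it implements the WPA2-PSK PMK and PTK derivation from the 802.11i specification with only the standard library, then plays out a constructed scenario with an AP, a victim and a neighbor who share one passphrase. The SSID, passphrase, MAC addresses and nonces are made up for the example; wpa2_pmk, derive_ptk and neighbor_scenario are names chosen here.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """PSK/PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID (802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """The 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK for one station: PRF-384(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # CCMP layout: KCK (MICs the handshake), KEK (wraps the GTK), TK (encrypts data frames)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def neighbor_scenario(passphrase="correct horse battery staple", ssid="ExampleNet"):
    """Constructed scenario: two clients share one passphrase; who can decrypt whom?"""
    pmk = wpa2_pmk(passphrase, ssid)
    ap = bytes.fromhex("020000000001")        # hypothetical AP MAC
    victim = bytes.fromhex("020000000002")    # hypothetical client MACs
    neighbor = bytes.fromhex("020000000003")
    # Nonces are random in a real handshake; fixed here so the example is reproducible.
    victim_anonce, victim_snonce = bytes(range(0, 32)), bytes(range(32, 64))
    neighbor_anonce, neighbor_snonce = bytes(range(64, 96)), bytes(range(96, 128))

    victim_ptk = derive_ptk(pmk, ap, victim, victim_anonce, victim_snonce)
    neighbor_ptk = derive_ptk(pmk, ap, neighbor, neighbor_anonce, neighbor_snonce)
    # The neighbor knows the passphrase and, from a monitor-mode capture of the
    # victim's 4-way handshake (EAPOL messages 1 and 2 carry the nonces in clear),
    # the victim's MAC and both nonces; that is enough to rebuild the victim's PTK.
    recovered_ptk = derive_ptk(pmk, ap, victim, victim_anonce, victim_snonce)
    return {
        "neighbor_own_tk_matches_victim": neighbor_ptk["tk"] == victim_ptk["tk"],
        "handshake_lets_neighbor_recover_tk": recovered_ptk["tk"] == victim_ptk["tk"],
    }


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())   # IEEE 802.11i Annex H test vector
    print(neighbor_scenario())
```

The first result is False and the second True: the neighbor's own session key is useless against the victim's frames, but the passphrase plus the victim's captured handshake reproduces the victim's key exactly, which is why tools that decrypt WPA2-PSK captures insist on having the handshake in the capture file.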

What Network Neighbors Shouldn't But Could Easily See

TLDR: Layer 3 is partially visible. Requires good equipment.

To truly eavesdrop on someone else on the same network, an attacker either needs to carry out the attack at Layer 2/3 (e.g., an ARP spoofing attack that redirects the victim's traffic through the attacker's machine), or needs an interface that can fetch raw 802.11 frames and then do the best it can to decode and decrypt them.

On modern Linux systems with cfg80211-based drivers, the 802.11 card is presented as a wiphy. A wiphy is not itself a network interface and will not let you capture frames; it is a container for virtual network interfaces (vifs). Each vif runs in one mode (managed station, AP, IBSS station, mesh point, monitor). Usually there is one vif per network card/per wiphy, but additional vifs may be created (with the iw tool, for example).

A monitor vif, which is one type of vif, is a network interface of the 802.11-with-radiotap type. It receives as many of the 802.11 frames as the card can decode and passes them to the kernel/CPU, each prefixed with a radiotap header carrying radio metadata (channel, signal strength, data rate). Such an interface receives frames from other stations associated with the same AP, and also frames from other APs on the same channel.

Most Linux drivers support monitor vifs. If a driver does not, it is probably because the network card is a FullMAC device, whose firmware implements the MAC layer itself and does not expose the vif functionality.

Why You ARP Spoof on Wifi

Let's summarize.

The motivating question here is: why do you need to ARP spoof on a wifi network? If you and the sheep are both on the same network, and you're both on wifi, and all packets are being broadcast by the AP, why can't you just read all the sheep's traffic in the clear?

The reason you need to ARP spoof is because it is the only reliable way of tapping/controlling the communication channel. Normally, 802.11 frames from the AP not intended for you are dropped. While you can disable that behavior, it's also more difficult to process 802.11 frames at Layer 3 without controlling the communication channel (noise/error/etc).

Vacuuming up raw 802.11 frames to eavesdrop on network neighbors is possible, but will lead to information loss. It is not as effective as a true MITM attack at Layer 3.