As with a wired network, you can use network sniffers like Wireshark to obtain wireless transmissions that traverse the air. Your wireless network interface will receive transmissions when activated, and by default will pick up on any transmissions that are bound for the interface's MAC address. To enhance the effectiveness of your wireless sniffing efforts, you should place your interface in promiscuous mode. Promiscuous mode ensures that the interface will allow every transmitted frame through, even if that frame is not bound for the interface's MAC address. Therefore, you'll be able to capture all wireless traffic within range.

By sniffing traffic, you may be able to eavesdrop on communications between client and AP. This is much more likely to be the case in public, open Wi-Fi networks that don't incorporate encryption. Those that do incorporate encryption will make your eavesdropping efforts much more difficult, as the traffic you'll receive on the interface will be indecipherable without the proper authentication and decryption key. Nevertheless, even in encrypted modes, certain information in a transmission is transmitted in cleartext—a client's MAC address, for example. You can use this to your advantage in spoofing attacks.

Even in environments that use WPA/WPA2, you can initiate a deauthentication attack to capture the four-way TKIP handshake in a Wi-Fi connection. The disconnected client must initiate the four-way handshake again in order to reconnect to the AP. You can capture the pre-shared key (PSK) that is exchanged in this handshake and then perform a cracking attempt on it.

You can use airodump-ng to sniff for the handshake:

airodump-ng -c <channel> --bssid <MAC address> -w capture wlan0

Then use the aireplay-ng command mentioned previously to perform the deauthentication.

WiFi security auditing tools suite. Contribute to aircrack-ng/aircrack-ng development by creating an account on GitHub.