Packets and Protocols, Chapter Six: Wireless sniffing with Wireshark

Page 1 (title slide)

Page 2

Wireless sniffing has some challenges
– Sniffing on a hub is easy: put the NIC in promiscuous mode and every frame on the segment is yours
– Sniffing on a switch is a bit more difficult: promiscuous mode alone only shows you your own traffic plus broadcasts, so you also need a SPAN (mirror) port

Page 3

For wireless sniffing you must
– Know the encryption key (the examples in this chapter use WEP): you can capture the encrypted frames, but the payloads are useless without the key
– Know the correct channel: a NIC can only capture one channel at a time
– Be in monitor mode, not merely promiscuous mode: promiscuous mode on a wireless NIC still only delivers Ethernet-translated data frames from the network you are associated with, while monitor mode hands you every 802.11 management, control and data frame on the channel (see the card-modes slide later in this chapter)
– Plus… your target may move! It may be better to sniff on the wired side of the network so you can "see" across multiple WAPs

Page 4 (figure only)

Page 5

How do you tell which channel to sniff?
NetStumbler is one tool that you can use: it lists the APs in range together with their channel. (NetStumbler is a Windows-only tool that is no longer maintained; Kismet or airodump-ng do the same job today, and the DS Parameter Set element in any captured beacon also names the AP's channel.)

Page 6

Channel scanning or hopping is a method to look for interesting traffic.
– "Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to 'hear' any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern."

Page 7

Range issues
(figure: two overlapping ranges of signal)
What will happen to the data captured by the RED PC?

Page 8

Note that the closer PC has a higher data rate
(figure) Data rate = 54 Mb/s for the near PC, data rate = 11 Mb/s for the far PC
What will happen to the data captured by the RED PC? (A capture station that is out of range of the near PC, or cannot receive at its faster rate, misses those frames entirely.)

Page 9

Channel issues
(figure) One AP on channel 6, another on channel 11
What will happen to the data captured by the RED PC?

Page 10

Different modulations can affect your sniffing attempts
(figure) 802.11a vs. 802.11b
What will happen to the data captured by the RED PC? (802.11a uses OFDM in the 5 GHz band and 802.11b uses DSSS in the 2.4 GHz band, so a b-only card cannot hear 802.11a traffic at all.)

Page 11

What happens here?
(figure) 802.11a vs. 802.11b
Note that when only one radio (antenna) is available it will step down to the rate of the least capable user

Page 12

Interference and collisions
– While convenient, wireless Ethernet is a lousy protocol.
– Shared medium: 802.11 uses CSMA/CA (collision avoidance, not the CSMA/CD of wired Ethernet, since a radio cannot hear a collision while it is transmitting), so the air behaves like a hub: every station in range contends for the same medium and hears everyone else.
– "When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise."

Page 13

Wireless capture recommendations
– Locate the capture station near the source: location, location, location
– Disable other nearby transmitters: minimize interference
– Reduce CPU utilization while capturing: let your PC concentrate on doing one thing at a time
– Match channel selection: many channels are available
– Match modulation type: 802.11a? b? g?

Page 14

Understanding wireless card modes
– Managed mode: an AP is required for two devices to communicate
– Ad-hoc (IBSS) mode: point to point, devices share the AP responsibilities
– Master mode: the card imitates an AP
– Monitor mode (aka sniffer mode): the card passes up every 802.11 frame it hears on the channel, management and control frames included, without associating to any network; this is the mode you need for the captures in this chapter

Page 15

Linux issues:
– Must be in monitor mode
– Know your chipset and use the correct driver(s)
– Use kernel 2.6 whenever possible (advice from the deck's era; any current kernel with mac80211 drivers supports monitor mode)

Page 16

Capturing traffic in Linux
– Not covered here; see manual (no time!)

Page 17

AirPcap
– A 3rd-party USB 802.11 adapter with its own driver (from CACE Technologies, later Riverbed) that enables monitor-mode wireless captures in Wireshark on Windows
– Obtain the most recent copy and keep it up to date

Page 18

While Wireshark, WinPcap, etc. will capture traffic, the standard Windows wireless drivers they sit on are not truly meant to do 802.11 captures…

Page 19

… In other words, to do it right you need the right hardware; that is, hardware meant for this specific purpose.
Bottom line… $200.00 and a visit to www.cacetech.com will solve your troubles! (CACE Technologies was later acquired by Riverbed, so the URL is historical.)

Page 20

Capturing wireless traffic in Windows
– Same-o same-o… just make sure your wireless card is selected.
– Caveat: without AirPcap-style hardware the standard Windows driver hands Wireshark only Ethernet-framed data traffic from your own association; 802.11 management and control frames, and other stations' traffic, are not visible.

Page 21

Analyzing wireless traffic

Page 22

In short, from the IP layer up the fields are identical whether the capture came from wireless or wired; what differs is the link-layer header (802.11 instead of Ethernet, covered on the next slides)

Page 23

Dual sniffer scenarios (cont.)
(figure: two capture stations 1,000 miles apart)
How do you know which traffic flows belong together when comparing multiple captures? Match on fields that survive the path end to end (IP addresses and ports, IP identification, TCP sequence numbers); MAC addresses and 802.11 headers change at every hop and cannot be used.

Page 24

Dual sniffer scenarios (figure)

Page 25

802.11 frame header format
– More complex than Ethernet
– Roughly twice the length (24 to 30 bytes plus optional QoS and HT control fields, against 14 bytes for Ethernet)
– Three or four addresses (compared to two for Ethernet)
– Many more fields in the header
– Allows for the appending of other protocols (QoS, encryption, etc.)

Page 26 (figure only)

Page 27 (figure only)

Page 28 (figure only)

Page 29

In other words there is a plethora of collection options

Page 30

As opposed to Ethernet, using capture filters is advised on wireless networks because of the sheer volume of traffic generated by wireless connections.
– 60 frames just to connect!
– Every AP in range also beacons about ten times a second (default beacon interval 100 TU), whether or not anyone is associated

Page 31

Wireless terminology
– An AP together with the clients associated to it forms a Basic Service Set (BSS)
– The BSSID identifies the BSS; on an infrastructure network it is the MAC address of the AP's wireless interface, so it is usually the AP's wireless MAC, not the client's. A client's own MAC appears as the source or destination address of its frames.

Page 32

The client's own wireless MAC address can be gathered with the ipconfig /all command (Physical Address); the BSSID of the AP it is associated with is shown by netsh wlan show interfaces

Page 33

Once you have the BSSID you can easily filter on that device

Page 34

Since the MAC and BSSID are usually the same (for the AP):
– The following two filters may select the same frames
  wlan.sa eq 00:09:5b:e8:c4:03
  wlan.bssid eq 00:09:5b:e8:c4:03
OR
– The following filters could capture the same traffic
  wlan.sa eq 00:09:5b:e8:c4:03
  wlan.bssid eq 00:11:92:6e:cf:00
In the first pair the address belongs to an AP, so the sa filter keeps only frames the AP itself transmitted while the bssid filter keeps every frame in its BSS, in either direction. In the second, 00:09:5b:e8:c4:03 is a client associated to the AP 00:11:92:6e:cf:00, so the two filters overlap only for as long as that client is the one talking and stays on that AP.
The moral of the story? Make sure that what you are capturing is what you wanted to capture!

Page 35

Wireless sniffer tactics
– If you know the client's MAC or the BSSID, filter on it
– If you don't, filter on the AP
– If you don't know the AP, or if the user roams, sniff on the wired side

Page 36

Filtering on SSID
– wlan_mgt.tag.interpretation eq "NOWIRE"
– Even better, use wlan_mgt.tag.interpretation ne "NOWIRE" to look for other networks and for probe requests naming other SSIDs (ne, or !=, is the operator; there is no !eq in Wireshark's filter syntax)
– Field-name note: since Wireshark 2.0 the wlan_mgt fields are part of wlan, so the same filters are wlan.ssid == "NOWIRE" and !(wlan.ssid == "NOWIRE"). Prefer the explicitly negated form: tag.interpretation matches every tagged element in the frame, not only the SSID, and the meaning of != on such multi-occurrence fields changed in Wireshark 3.6.

Page 37

NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap
That said, without capturing such info how will you know the health of your wireless network???

Page 38

Data traffic only captures
– It is a good practice to encrypt your wireless network and then sniff for unencrypted (rogue) APs: restrict the view to data frames, look for ones whose Protected Frame bit is clear, and check their BSSID against the list of APs you own

Page 39

Hidden SSIDs
– SSIDs can be set to non-broadcast: the AP beacons with an empty (or all-null) SSID element. A sniffer then cannot read the name from beacons, but it can still detect the network's presence, and the name is sent in the clear in probe responses and association requests whenever a client joins, so hiding the SSID is not a security control.
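The beacon-element parsing behind the SSID filters of Page 36 and the hidden-SSID point above, together with the DS Parameter Set that names the AP's channel (what the "Identifying a Station's Channel" exercise at the end of this chapter asks for), as an added example that is not part of the deck or the book. The beacon bodies are constructed here: NOWIRE is the deck's SSID, while the neighbour network name and the channel numbers are assumed. The parser walks the tagged parameters the way Wireshark fills wlan.ssid and wlan.ds.current_channel, and stops cleanly on a truncated element.

```python
import struct

TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3        # element IDs (IEEE 802.11)
FIXED_LEN = 12                                      # timestamp(8) + interval(2) + capability(2)

def build_beacon_body(ssid: bytes, channel: int, hidden=None) -> bytes:
    """Constructed beacon/probe-response body (no MAC header). hidden="empty" emits a
    zero-length SSID element, hidden="nulls" an SSID of NUL bytes; both are seen in the wild."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)     # timestamp, 100 TU interval, ESS+Privacy
    if hidden == "empty":
        name = b""
    elif hidden == "nulls":
        name = b"\x00" * len(ssid)
    else:
        name = ssid
    tags = bytes([TAG_SSID, len(name)]) + name
    tags += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # basic rates 1, 2, 5.5, 11 Mb/s
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    return fixed + tags

def parse_tags(body: bytes) -> dict:
    """Walk the tagged parameters (1-byte ID, 1-byte length, value). A truncated element
    stops the walk instead of over-reading, so a malformed frame cannot crash the parser.
    First occurrence of each ID wins; real frames repeat vendor-specific (221) elements."""
    tags, off = {}, FIXED_LEN
    while off + 2 <= len(body):
        tid, tlen = body[off], body[off + 1]
        value = body[off + 2: off + 2 + tlen]
        if len(value) < tlen:
            break
        tags.setdefault(tid, value)
        off += 2 + tlen
    return tags

def ssid_status(body: bytes):
    """('broadcast', name) for a visible SSID, ('hidden', None) for an empty or all-NUL one,
    ('absent', None) when the element is missing (e.g. a truncated frame)."""
    tags = parse_tags(body)
    if TAG_SSID not in tags:
        return "absent", None
    raw = tags[TAG_SSID]
    if len(raw) == 0 or raw.count(0) == len(raw):
        return "hidden", None
    return "broadcast", raw.decode("utf-8", "replace")

def channel(body: bytes):
    """Channel from the DS Parameter Set (wlan.ds.current_channel), or None."""
    ds = parse_tags(body).get(TAG_DS_PARAMS, b"")
    return ds[0] if ds else None

def not_our_ssid(bodies, ours: str):
    """Indices kept by the slide's  wlan.ssid ne "NOWIRE"  idea: SSID element present and
    not ours. Hidden-SSID beacons match too (empty is not "NOWIRE"), so expect noise."""
    hits = []
    for i, body in enumerate(bodies):
        status, name = ssid_status(body)
        if status != "absent" and name != ours:
            hits.append(i)
    return hits

# Constructed sample frames: our AP beaconing normally, the same AP with the SSID hidden
# in both styles, its probe response (which always carries the name), and a neighbour.
BODIES = [
    build_beacon_body(b"NOWIRE", 6),
    build_beacon_body(b"NOWIRE", 11, hidden="empty"),
    build_beacon_body(b"NOWIRE", 11, hidden="nulls"),
    build_beacon_body(b"NOWIRE", 11),                 # probe response for the hidden BSS
    build_beacon_body(b"coffee-guest", 1),
]

def survey(bodies=BODIES):
    """One (status, name, channel) row per frame: what a sniffer learns without any key."""
    return [ssid_status(b) + (channel(b),) for b in bodies]

if __name__ == "__main__":
    for row in survey():
        print(row)
    print("not NOWIRE:", not_our_ssid(BODIES, "NOWIRE"))
```

The survey shows the two hidden beacons as "hidden" on channel 11 while the probe response for the same BSS gives the name away; the ne-style filter flags the hidden beacons as well as the neighbour, which is why that filter finds more than just snoopers.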

Page 40

Extensible Authentication Protocol
– EAP is used to authenticate users to a wireless network via one of several methods:
  Protected Extensible Authentication Protocol (PEAP)
  Extensible Authentication Protocol with Transport Layer Security (EAP-TLS)
  Tunneled Transport Layer Security (EAP-TTLS)
  Lightweight Extensible Authentication Protocol (LEAP)

Page 41

The EAP authentication type can be found by filtering for
– eap.type
EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP.
These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network: the outer EAP-Response/Identity is never encrypted, and only PEAP and TTLS move the actual password exchange inside a TLS tunnel. LEAP sends its MS-CHAP challenge/response in the clear, which is enough for an offline dictionary attack on the password.

Page 42

In other words, identities can be easily sniffed, and with LEAP the password challenge/response as well (PEAP and TTLS clients can be configured with an anonymous outer identity so that even the username stays hidden)

Page 43

Troubleshooting EAP issues can be difficult without a sniffer
– Code 1 - EAP Request: a value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response to challenge text.
– Code 2 - EAP Response: a value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame.
– Code 3 - EAP Success: a value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages.
– Code 4 - EAP Failure: a value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.
(Codes 1 and 2 carry a Type byte, which is what eap.type shows; Success and Failure carry no type and no data.)
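The EAP code/type structure above and the plaintext-identity point of Pages 41 and 42, worked through in an added example that is not part of the deck or the book. It decodes EAPOL frames as they appear after the LLC/SNAP header of an 802.1X data frame, reports the fields Wireshark shows as eap.code, eap.id and eap.type, pulls out the identity sent in the clear, works out which method was really used after a Nak, and finds the Success or Failure that ends the exchange. The whole session, including the username, is constructed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}           # eap.type values (IANA)

def build_eapol(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """Constructed EAPOL frame: version 1, packet type 0 (EAP-Packet), then the EAP packet
    (Code, Identifier, Length, and for Request/Response a Type byte plus type data)."""
    eap = struct.pack("!BBH", code, ident, 4 + (1 + len(data) if eap_type is not None else 0))
    if eap_type is not None:
        eap += bytes([eap_type]) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

def parse_eapol(frame: bytes):
    """Return the EAP header fields, or None for EAPOL frames that carry no EAP packet
    (EAPOL-Key, i.e. the WPA four-way handshake). Rejects an inconsistent Length field."""
    _, ptype, plen = struct.unpack_from("!BBH", frame, 0)
    if ptype != 0:
        return None
    eap = frame[4:4 + plen]
    code, ident, length = struct.unpack_from("!BBH", eap, 0)
    if length < 4 or length > len(eap):
        raise ValueError("EAP length field inconsistent with frame")
    rec = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident,
           "type": None, "type_name": None, "data": b""}
    if code in (1, 2) and length >= 5:           # only Request/Response carry a Type
        rec["type"] = eap[4]
        rec["type_name"] = EAP_TYPES.get(eap[4], f"type {eap[4]}")
        rec["data"] = eap[5:length]
    return rec

def identities(frames):
    """Usernames sent in the clear in EAP-Response/Identity, whatever method follows."""
    return [r["data"].decode("utf-8", "replace")
            for r in map(parse_eapol, frames) if r and r["code"] == 2 and r["type"] == 1]

def negotiated_method(frames):
    """The method actually used: the type of the last Request that is not Identity,
    which accounts for a client that Nak'd the server's first offer."""
    method = None
    for r in map(parse_eapol, frames):
        if r and r["code"] == 1 and r["type"] not in (None, 1):
            method = r["type_name"]
    return method

def outcome(frames):
    """(code name, identifier) of the Success or Failure that ends the exchange, or None."""
    for r in map(parse_eapol, frames):
        if r and r["code"] in (3, 4):
            return r["code_name"], r["id"]
    return None

# Constructed exchange: identity request/response, server offers MD5-Challenge, client
# Naks it asking for PEAP (25), PEAP starts and tunnels TLS, Success, then an EAPOL-Key.
SESSION = [
    build_eapol(1, 1, 1),                                 # Request/Identity
    build_eapol(2, 1, 1, b"jdoe@corp.example"),           # Response/Identity, plaintext
    build_eapol(1, 2, 4, b"\x10" + bytes(16)),            # Request/MD5-Challenge
    build_eapol(2, 2, 3, b"\x19"),                        # Response/Nak: want type 25
    build_eapol(1, 3, 25, b"\x20"),                       # Request/PEAP, Start flag
    build_eapol(2, 3, 25, b"\x00\x16\x03\x01"),           # Response/PEAP, TLS record begins
    build_eapol(3, 4),                                    # Success
    struct.pack("!BBH", 1, 3, 0),                         # EAPOL-Key (not EAP), skipped
]

if __name__ == "__main__":
    print(identities(SESSION), negotiated_method(SESSION), outcome(SESSION))
```

Everything the example recovers comes from the unencrypted outer EAP layer; the PEAP type data after the Start flag is TLS and is opaque to the sniffer, which is the difference between leaking the username and leaking the password.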

Page 44

EAP failure code (figure)

Page 45

"…70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients."
In other words SECURE YOUR NETWORKS!

Page 46

Identifying WEP security
– Most common encryption technique when this chapter was written; also by far the most insecure (WEP keys are recoverable from captured traffic in minutes, and TKIP, its WPA-era replacement, is deprecated as well; CCMP/AES is the option to use)
– TKIP and CCMP are the other options
– While you cannot decrypt encrypted traffic without the key, you can sense it with your sniffer: the Protected Frame bit is set and each cipher leaves a recognisable IV header. Once you know this you can build a filter
– wlan.tkip.extiv

Page 47 (figure: TKIP present!)

Page 48

Identifying IPSec/VPN
– isakmp or ah or esp

Page 49

Note that an ICMP Destination Unreachable packet is also returned by that filter. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information.
See figure 6-24 on pg 317

Page 50

Adding COLOR to your sniffer output
– There is nothing like color to make things stand out

Page 51

Which is HTTP? ARP? IPX? Etc… (figure)

Page 52

Colorize toggle switch; customize colorization (figure)

Page 53

Editing color rules (figure)

Page 54

Creating a new coloring rule (figure)

Page 55

The "colorful" results (figure)

Page 56

Marking From DS and To DS
– Remember traffic is marked if coming from the Distribution System (the wired side the AP bridges to) or going to the DS: ToDS=1/FromDS=0 is a station sending towards the AP, FromDS=1/ToDS=0 is the AP delivering to a station, both clear is management, control or ad-hoc traffic, and both set is the four-address WDS/bridge case
– In other words you can filter on this as well: wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
– As the book recommends… this is an excellent use of color filters

Page 57

Other uses:
– Marking retries:
  wlan.fc.retry eq 1
– Marking cross-channel interference (frames from BSSes other than your own, ignoring control frames, which carry no BSSID):
  !(wlan.bssid eq 00:0f:66:e3:e4:03 or wlan.bssid eq 00:0f:66:e3:25:92) and !(wlan.fc.type eq 1)
  (assuming you know the BSSIDs of your own APs)
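The 802.11 header layout of Page 25, the wlan.sa versus wlan.bssid distinction of Page 34, and the From DS/To DS, retry and cross-channel filters of the last two slides, worked through in one added example that is not part of the deck or the book. It parses the MAC header the way Wireshark fills wlan.fc.*, wlan.sa, wlan.da and wlan.bssid, then evaluates each slide's filter as a predicate over a constructed five-frame capture. The client, the AP and the two "own" BSSIDs are the addresses printed on the slides; the wired host, the neighbouring AP and the rogue AP are assumed.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def unmac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_frame(ftype, subtype, a1, a2=None, a3=None, a4=None, tods=False,
                fromds=False, retry=False, protected=False, seq=0) -> bytes:
    """Header-only 802.11 frame, used here only to construct the sample capture."""
    fc = (ftype << 2) | (subtype << 4)
    fc |= (int(tods) | int(fromds) << 1 | int(retry) << 3 | int(protected) << 6) << 8
    frame = struct.pack("<HH", fc, 0) + unmac(a1)          # Frame Control, Duration, Address 1
    if a2 is not None:
        frame += unmac(a2)
    if a3 is not None:
        frame += unmac(a3) + struct.pack("<H", seq << 4)    # Address 3, Sequence Control
    if a4 is not None:
        frame += unmac(a4)
    return frame

def parse_80211(frame: bytes) -> dict:
    """Decode Frame Control and map Address 1-3 (4) onto DA/SA/BSSID from the ToDS/FromDS
    bits, which is exactly how Wireshark derives wlan.da, wlan.sa and wlan.bssid."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    flags = fc >> 8
    h = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
         "tods": bool(flags & 0x01), "fromds": bool(flags & 0x02),
         "retry": bool(flags & 0x08), "protected": bool(flags & 0x40),
         "da": None, "sa": None, "bssid": None, "seq": None}
    h["addr1"] = mac(frame[4:10])
    if h["type"] == 1:                       # control frames: RA, sometimes TA, never a BSSID
        if len(frame) >= 16:
            h["ta"] = mac(frame[10:16])
        return h
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    a1, a2, a3 = h["addr1"], mac(frame[10:16]), mac(frame[16:22])
    h["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    if not h["tods"] and not h["fromds"]:    # management frames, or IBSS data
        h.update(da=a1, sa=a2, bssid=a3)
    elif h["tods"] and not h["fromds"]:      # station -> AP (into the DS)
        h.update(bssid=a1, sa=a2, da=a3)
    elif not h["tods"] and h["fromds"]:      # AP -> station (out of the DS)
        h.update(da=a1, bssid=a2, sa=a3)
    else:                                    # WDS/4-address: RA, TA, DA, SA; no BSSID field
        h.update(da=a3, sa=mac(frame[24:30]))
    return h

# Addresses from the slides (client, AP, and the two "own" BSSIDs of slide 57); the wired
# host, the neighbour AP and the open rogue AP are assumed for the demonstration.
CLIENT, AP = "00:09:5b:e8:c4:03", "00:11:92:6e:cf:00"
OWN_BSSIDS = {AP, "00:0f:66:e3:e4:03"}
WIRED_HOST, NEIGHBOUR, ROGUE = "00:50:56:c0:00:08", "00:0f:66:e3:25:92", "02:aa:bb:cc:dd:ee"
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    build_frame(2, 0, AP, CLIENT, WIRED_HOST, tods=True, protected=True, seq=10),
    build_frame(2, 0, CLIENT, AP, WIRED_HOST, fromds=True, protected=True, retry=True, seq=77),
    build_frame(0, 8, BCAST, NEIGHBOUR, NEIGHBOUR),            # neighbour's beacon
    build_frame(1, 13, CLIENT),                                # 10-byte ACK addressed to the client
    build_frame(2, 0, BCAST, ROGUE, ROGUE, fromds=True),       # data from an unencrypted rogue AP
]

# Each display filter from the slides, as the predicate it evaluates per frame.
FILTERS = {
    "wlan.fc.fromds eq 0 and wlan.fc.tods eq 1": lambda h: not h["fromds"] and h["tods"],
    "wlan.fc.retry eq 1": lambda h: h["retry"],
    "!(wlan.bssid in OWN_BSSIDS) and !(wlan.fc.type eq 1)":
        lambda h: h["bssid"] not in OWN_BSSIDS and h["type"] != 1,
    "wlan.fc.type eq 2 and wlan.fc.protected eq 0": lambda h: h["type"] == 2 and not h["protected"],
    "wlan.sa eq AP": lambda h: h["sa"] == AP,
    "wlan.bssid eq AP": lambda h: h["bssid"] == AP,
}

def apply_filters(frames=SAMPLE_FRAMES) -> dict:
    """Number of frames each filter keeps. wlan.sa eq AP and wlan.bssid eq AP differ because
    the AP is the BSSID of every frame in its BSS but the source address of none of them here."""
    parsed = [parse_80211(f) for f in frames]
    return {name: sum(1 for h in parsed if test(h)) for name, test in FILTERS.items()}

if __name__ == "__main__":
    for name, count in apply_filters().items():
        print(f"{count}  {name}")
```

The last two filters are the Page 34 lesson in numbers: the AP's address as wlan.bssid keeps both data frames, while the same address as wlan.sa keeps nothing, because the frames were originated by the client and by a wired host behind the AP. The unprotected-data predicate is the "data traffic only" rogue-AP check from Page 38.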

Page 58

Adding columns to the display
– There are dozens of items you can add to the Wireshark display: Edit -> Preferences -> Columns
– Note that a re-start was required in the Wireshark version the deck uses; current versions apply the change immediately, and you can also right-click any field in the packet details and choose Apply as Column

Page 59

Note that Delta time has been added (figure)

Page 60

Encrypted networks can be impossible to decrypt - - unless you have the key
– Wireshark automatically decrypts all WEP traffic if the key is known (in the version the deck uses, not TKIP or CCMP; current Wireshark also decrypts WPA/WPA2-Personal TKIP and CCMP traffic given the passphrase or PSK, provided the capture includes the client's four-way EAPOL handshake)
"When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. This allows you to use display filters, coloring rules, and all other Wireshark features on the decrypted frame contents."
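The WEP decryption Wireshark performs once a key is configured, as an added example that is not part of the deck or the book: the per-frame IV at the front of the body, RC4 keyed with IV||key, and the CRC-32 ICV that tells a right key from a wrong one, which is also what lets a list of up to 64 candidate keys be tried against every frame. The 40-bit key, the IV and the LLC/SNAP + IPv4 sample payload are all constructed for the demonstration.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP keys it with the 3-byte per-frame IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(plaintext: bytes, key: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | KeyID byte | RC4(iv||key, plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)

def wep_decrypt(body: bytes, candidate_keys):
    """What Wireshark does with a configured key list: peel the IV, try each key, and accept
    the first whose CRC-32 ICV verifies. Returns None for a wrong key or a corrupted frame.
    The ICV is a plain CRC, not a MAC: it detects noise, not deliberate modification."""
    if len(body) < 4 + 4:                   # IV + KeyID, then at least the ICV
        return None
    iv = body[:3]
    for key in candidate_keys:
        plain = rc4(iv + key, body[4:])
        data, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
        if zlib.crc32(data) & 0xFFFFFFFF == icv:
            return data
    return None

# Constructed sample: a 40-bit key and IV (both assumed), wrapping an LLC/SNAP + IPv4 header
# the way a real WEP data frame body does. Real IVs change per frame; the 24-bit IV space
# means they repeat within hours on a busy network, one root of WEP's weaknesses.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")
PLAINTEXT = bytes.fromhex("aaaa03000000" "0800") + bytes.fromhex("4500001c000040004001") + b"\x00" * 10
BODY = wep_encrypt(PLAINTEXT, KEY, IV)

def demo() -> dict:
    """Decrypt with the right key (behind a wrong candidate), with only a wrong key, and
    after a single bit flipped in transit."""
    corrupted = bytearray(BODY)
    corrupted[10] ^= 0x01
    return {
        "right_key": wep_decrypt(BODY, [b"\xff" * 5, KEY]) == PLAINTEXT,
        "wrong_key": wep_decrypt(BODY, [b"\xff" * 5]),
        "corrupted": wep_decrypt(bytes(corrupted), [KEY]),
    }

if __name__ == "__main__":
    print(demo())
```

The corrupted case is the "rejected by the capture station wireless driver as noise" situation from Page 12 seen from the decryptor's side: the frame still arrives, but no configured key produces a valid ICV, so Wireshark shows it undecrypted.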

Page 61

Up to 64 keys can be added (figure)

Page 62

For decrypting TKIP other tools exist
– airdecap-ng
– airdecap-ng is an open source tool from the aircrack-ng suite that decrypts WEP captures given the key, and WPA/WPA2 (TKIP or CCMP) captures given the passphrase, provided the four-way handshake was captured

Page 63

Practical examples for real world wireless captures
Identifying a station's channel
– Refer to capture file wireless-rwc-1.cap
– Do the exercise on pg 327

Page 64

Wireless connection failures
– Do the exercise on pg 329

Page 65

Wireless network probing
– Do the exercise on pg 337

Page 66

EAP authentication account sharing
– Do the exercise on pg 341

Page 67

IEEE 802.11 DoS attacks
– Do the exercise on pg 344

Page 68

IEEE 802.11 spoofing attacks
– Do the exercise on pg 348

Page 69

Malformed traffic analysis
– Do the exercise on pg 357