Packets and Protocols
Chapter Six
Wireless sniffing with Wireshark
Wireless sniffing has some challenges
– Sniffing on a hub is easy
  Promiscuous mode
– Sniffing on a switch is a bit more difficult
  Promiscuous mode
  Span port
For wireless sniffing you must
– Know the WEP key
  You can sniff data, but it is useless without the key
– Know the correct channel
  You can only capture one channel per NIC
– Be in promiscuous mode
  Same as with other capture scenarios
– Plus…your target may move!
  It may be better to sniff on the wired side of the network so you can “see” across multiple WAPs
How do you tell which channel to sniff?
– NetStumbler is one tool that you can use
Channel scanning or hopping is a method to look for interesting traffic.
– “Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.”
Range issues
– What will happen to the data captured by the RED PC?
[Figure: range of signal]
Note that the closer PC has a higher data rate
[Figure: Data rate = 54mb / Data rate = 11mb]
– What will happen to the data captured by the RED PC?
Channel issues
[Figure: Channel 6 / Channel 11]
– What will happen to the data captured by the RED PC?
Different modulations can affect your sniffing attempts
[Figure: 802.11a / 802.11b]
– What will happen to the data captured by the RED PC?
What happens here?
[Figure: 802.11a / 802.11b]
– Note that when only one antenna is available it will step down to the lowest capable user
Interference and collisions
– While convenient, wireless Ethernet is a lousy protocol.
– CSMA/CD causes wireless to work like a hub
“When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise.”
Wireless capture recommendations
– Locate the Capture Station Near the Source
  Location, location, location
– Disable Other Nearby Transmitters
  Minimize interference
– Reduce CPU Utilization While Capturing
  Let your PC concentrate on doing one thing at a time
– Match Channel Selection
  Many channels are available
– Match Modulation Type
  802.11a? b? g?
Understanding Wireless Card Modes
– Managed mode
  AP required for two devices to communicate
– Ad-hoc mode
  Point to point – devices share AP responsibilities
– Master mode
  Imitates an AP
– Monitor mode
  aka sniffer mode
Linux issues:
– Must be in monitor mode
– Know your chipset and use the correct driver(s)
– Use kernel 2.6 whenever possible
Capturing traffic in Linux
– Not covered here; see manual (no time!)
AirPcap
– 3rd party driver that enables wireless captures
  Obtain the most recent copy and keep it up to date
While Wireshark, WinPcap, etc. will capture traffic, it is not truly meant to…
…. In other words, to do it right you need the right hardware; that is, hardware meant for this specific purpose.
Bottom line…$200.00 and a visit to www.cacetech.com will solve your troubles!
Capturing wireless traffic in Windows
– Same-o same-o… just make sure your wireless card is selected.
Analyzing Wireless Traffic
In short, when sniffing wireless vs. wired the fields are identical
Dual sniffer scenarios (cont)
[Figure: two capture points 1,000 miles apart]
– How do you know which traffic flows belong together when comparing multiple captures?
Dual sniffer scenarios
802.11 Frame header format
– More complex than Ethernet
  Twice the length
  Three or four addresses (compared to two for Ethernet)
  Many more fields in the header
  Allows for the appending of other protocols (QoS, encryption etc.)
In other words there is a plethora of collection options
As opposed to Ethernet, using capture filters on wireless networks is advised because of the sheer volume of traffic generated by wireless connections.
– 60 frames just to connect!
Wireless terminology
– An AP is known as a Basic Service Set (BSS)
  A client has a BSSID which is usually the wireless MAC address
The MAC/BSSID can be gathered with the ipconfig /all command
Once you have the BSSID you can easily filter on that device
Since the MAC and BSSID are usually the same:
– The following two commands may be the same
  wlan.sa eq 00:09:5b:e8:c4:03
  wlan.bssid eq 00:09:5b:e8:c4:03
OR
– The following commands could capture the same traffic
  wlan.sa eq 00:09:5b:e8:c4:03
  wlan.bssid eq 00:11:92:6e:cf:00
The moral of the story? Make sure that what you are capturing is what you wanted to capture!
Wireless sniffer tactics
– If you know the MAC/BSSID, sort on it
– If you don’t, sort on the AP
– If you don’t know the AP or if the user roams, sniff on the wired side
Filtering on SSID
– wlan_mgt.tag.interpretation eq "NOWIRE"
  Even better, use: wlan_mgt.tag.interpretation ne "NOWIRE" to look for snoopers
NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap
That said, without capturing such info how will you know the health of your wireless network???
Data traffic only captures
– It is a good practice to encrypt your wireless network and then sniff for unencrypted (rogue) APs
Hidden SSIDs
– SSIDs can be set to non-broadcast; while a sniffer cannot tell you the SSIDs, it can detect their presence
Extensible Authentication Protocol
– EAP is used to authenticate users to a wireless network via one of several means
  Protected Extensible Authentication Protocol (PEAP)
  Extensible Authentication Protocol with Transport Layer Security (EAP/TLS)
  Tunneled Transport Layer Security (TTLS)
  Lightweight Extensible Authentication Protocol (LEAP)
The EAP authentication type can be found by filtering for
– eap.type
EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP.
These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network.
In other words, ID names and PWs can be easily sniffed
Troubleshooting EAP issues can be difficult without a sniffer
– Code 1 - EAP Request
  A value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response-to-challenge text.
– Code 2 - EAP Response
  A value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame.
– Code 3 - EAP Success
  A value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages.
– Code 4 - EAP Failure
  A value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.
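As an added example (not part of the course slides or the book), the following Python decodes the EAP Code and Type fields described above over a constructed PEAP exchange and reports what a passive capture reveals: the method the server offered (what the eap.type filter shows), the outer identity sent in the clear, and the Success/Failure outcome. The packets, the username and the realm are made up for the example.

```python
# Added example, not from the slides: decode EAP Code/Type and audit a captured exchange.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method numbers (RFC 3748 / IANA registry) for the types the chapter names.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP"}

def eap_packet(code, ident, etype=None, data=b""):
    """Build a constructed EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = bytes([etype]) + data if etype is not None else b""
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_eap(pkt):
    """Return the fields that eap.code / eap.type filters expose, validating the length."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    p = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
         "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length > 4:      # only Request/Response carry Type + data
        p["type"], p["data"] = pkt[4], pkt[5:length]
    return p

def audit_exchange(packets):
    """Summarise an EAP conversation the way a troubleshooter reads it in Wireshark:
    which method the server offered, whether the outer identity exposes a real username
    (anonymous@realm is the expected outer identity for PEAP/TTLS), and how it ended."""
    report = {"identities": [], "methods": [], "result": None, "username_exposed": False}
    for p in map(parse_eap, packets):
        if p["code"] == 2 and p["type"] == 1:              # Response/Identity
            identity = p["data"].decode("utf-8", "replace")
            report["identities"].append(identity)
            if not identity.lower().startswith("anonymous"):
                report["username_exposed"] = True
        elif p["code"] == 1 and p["type"] not in (None, 1):  # Request proposing a method
            report["methods"].append(EAP_TYPES.get(p["type"], f"type {p['type']}"))
        elif p["code"] in (3, 4):                          # Success / Failure ends it
            report["result"] = EAP_CODES[p["code"]]
    return report

# Constructed exchange: identity round-trip, PEAP start, then Success.
EXCHANGE = [
    eap_packet(1, 1, 1),                           # Request/Identity from the authenticator
    eap_packet(2, 1, 1, b"jdoe@corp.example"),     # Response/Identity: username in the clear
    eap_packet(1, 2, 25, b"\x20"),                 # Request/PEAP with the Start flag set
    eap_packet(2, 2, 25, b"\x00"),                 # Response/PEAP (TLS handshake follows)
    eap_packet(3, 3),                              # Success
]

if __name__ == "__main__":
    print(audit_exchange(EXCHANGE))
```

A report with username_exposed set is the capture-side evidence that clients are not configured with an anonymous outer identity, which is the fix on the client side rather than in the sniffer.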
EAP failure code
…70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients.
In other words SECURE YOUR NETWORKS!
Identifying WEP security
– Most common encryption technique
  Also probably the most insecure
– TKIP and CCMP are other options
– While you cannot decrypt encrypted traffic, you can sense it with your sniffer
  Once you know this you can build a filter
– wlan.tkip.extiv
TKIP present!
Identifying IPSec/VPN
– isakmp or ah or esp
Note that an ICMP Destination Unreachable packet is also returned. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information.
See figure 6-24 on pg 317
Adding COLOR to your sniffer output
– There is nothing like color to make things stand out
Which is HTTP? ARP? IPX? Etc…
Colorize toggle switch
Customize colorization
Editing color rules
Creating a new coloring rule
The “colorful” results
Marking From DS and To DS
– Remember traffic is marked if coming from the WAP (Distribution System) or going to the DS
  In other words you can filter on this as well:
  wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
– As the book recommends…this is an excellent use of color filters
Other uses:
– Marking retries:
  wlan.fc.retry eq 1
– Marking cross channel interference:
  !(wlan.bssid eq 00:0f:66:e3:e4:03 or wlan.bssid eq 00:0f:66:e3:25:92) and !wlan.fc.type eq 1
  (Assuming you know the MACs of the surrounding units)
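To make the address handling behind these filters concrete, here is an added Python example (not from the slides or the book) that decodes the 802.11 Frame Control and address fields, resolves SA/DA/BSSID from the To DS / From DS bits the way Wireshark's wlan.sa and wlan.bssid do (the point of the earlier "three or four addresses" and "MAC vs. BSSID" slides), and applies the To DS, retry and cross-channel filters above to constructed frames. The station and AP MACs are the ones shown on the slides; the wired host, the unknown AP and the frames themselves are constructed.

```python
# Added example, not from the slides: 802.11 header decoding behind the wlan.* filters.
FC_TODS, FC_FROMDS, FC_RETRY = 0x01, 0x02, 0x08   # flag bits in Frame Control byte 1
MGMT, CTRL, DATA = 0, 1, 2                        # wlan.fc.type values

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(ftype, subtype, flags, a1, a2, a3, a4=None):
    """Constructed 802.11 MAC header: FC(2) Duration(2) A1 A2 A3 SeqCtl(2) [A4]."""
    fc0 = (ftype << 2) | (subtype << 4)
    hdr = bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"
    return hdr + a4 if a4 else hdr

def parse_80211(frame):
    """Return Wireshark-style fields: type, tods, fromds, retry, sa, da, bssid.
    Which of Address 1..4 is SA, DA or BSSID depends on the To DS / From DS bits."""
    ftype, flags = (frame[0] >> 2) & 0x3, frame[1]
    f = {"type": ftype, "tods": bool(flags & FC_TODS), "fromds": bool(flags & FC_FROMDS),
         "retry": bool(flags & FC_RETRY), "sa": None, "da": None, "bssid": None}
    if ftype == CTRL:                       # control frames carry no SA/DA/BSSID triple
        return f
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    if f["tods"] and f["fromds"]:           # WDS: four addresses, no BSSID field at all
        f.update(sa=mac(frame[24:30]), da=a3)
    elif f["tods"]:                         # station -> AP:  A1=BSSID A2=SA A3=DA
        f.update(bssid=a1, sa=a2, da=a3)
    elif f["fromds"]:                       # AP -> station:  A1=DA A2=BSSID A3=SA
        f.update(da=a1, bssid=a2, sa=a3)
    else:                                   # management/ad hoc: A1=DA A2=SA A3=BSSID
        f.update(da=a1, sa=a2, bssid=a3)
    return f

# The slides' display filters, written as predicates over the parsed fields.
def to_ds(f):                  # wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
    return not f["fromds"] and f["tods"]

def is_retry(f):               # wlan.fc.retry eq 1
    return f["retry"]

def cross_channel(f, known):   # !(wlan.bssid eq A or wlan.bssid eq B) and !wlan.fc.type eq 1
    return f["bssid"] not in known and f["type"] != CTRL

# Constructed frames: station and AP MACs from the slides, made-up wired host and unknown AP.
STA, AP = bytes.fromhex("00095be8c403"), bytes.fromhex("0011926ecf00")
HOST, UNKNOWN_AP = bytes.fromhex("000c29112233"), bytes.fromhex("020000aabbcc")
UPLINK = build_frame(DATA, 0, FC_TODS, AP, STA, HOST)                  # station -> wired host
DOWNLINK = build_frame(DATA, 0, FC_FROMDS | FC_RETRY, STA, AP, HOST)   # retransmitted reply
BEACON = build_frame(MGMT, 8, 0, b"\xff" * 6, UNKNOWN_AP, UNKNOWN_AP)  # beacon, unknown BSSID

if __name__ == "__main__":
    for name, frame in ("UPLINK", UPLINK), ("DOWNLINK", DOWNLINK), ("BEACON", BEACON):
        print(name, parse_80211(frame))
```

On the uplink frame wlan.sa is the station and wlan.bssid is the AP, so the two "may be the same" filters from the earlier slide only coincide when the station is also the AP; on the downlink the roles of A1/A2/A3 change, which is why a filter on the wrong field silently misses traffic.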
Adding columns to the display
– There are dozens of items you can add to the Wireshark display
  Edit -> Preferences -> Columns
– Note that a re-start is required!
Note that Delta time has been added
Encrypted networks can be impossible to decrypt – unless you have the key
– Wireshark automatically decrypts all WEP info if the key is known (not TKIP or CCMP)
“When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. This allows you to use display filters, coloring rules, and all other Wireshark features on the decrypted frame contents.”
Up to 64 keys can be added
For decrypting TKIP other tools exist
– airdecap-ng
  airdecap-ng is an open source tool that you can use to decrypt TKIP packets
Practical examples for real world wireless captures
Identifying a Station’s Channel
– Refer to capture file wireless-rwc-1.cap
– Do the exercise on pg 327
Wireless Connection Failures
– Do the exercise on pg 329
Wireless Network Probing
– Do the exercise on pg 337
EAP Authentication Account Sharing
– Do the exercise on pg 341
IEEE 802.11 DoS Attacks
– Do the exercise on pg 344
IEEE 802.11 Spoofing Attacks
– Do the exercise on pg 348
Malformed Traffic Analysis
– Do the exercise on pg 357