Packets and Protocols

Chapter Six: Wireless sniffing with Wireshark
Wireless sniffing has some challenges
  – Sniffing on a hub is easy
      • Promiscuous mode
  – Sniffing on a switch is a bit more difficult
      • Promiscuous mode
      • Span port
For wireless sniffing you must
  – Know the WEP key
      • You can sniff data, but it is useless without the key
  – Know the correct channel
      • You can only capture one channel per NIC
  – Be in promiscuous mode
      • Same with other capture scenarios
  – Plus… your target may move!
      • It may be better to sniff on the wired side of the network so you can “see” across multiple WAPs
How do you tell which channel to sniff?
  NetStumbler is one tool that you can use
Channel scanning or hopping is a method to look for interesting traffic.
  – “Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.”
Range issues
  [Figure: two signal ranges, each labelled RANGE OF SIGNAL]
  What will happen to the data captured by the RED PC?

Note that the closer PC has a higher data rate
  [Figure: Data rate = 54mb vs. Data rate = 11mb]
  What will happen to the data captured by the RED PC?

Channel issues
  [Figure: Channel 6 vs. Channel 11]
  What will happen to the data captured by the RED PC?

Different modulations can affect your sniffing attempts
  [Figure: 802.11a vs. 802.11b]
  What will happen to the data captured by the RED PC?

What happens here?
  [Figure: 802.11a vs. 802.11b]
  Note that when only one antenna is available it will step down to the lowest capable user
Interference and collisions
  – While convenient, wireless Ethernet is a lousy protocol.
  – CSMA/CD causes wireless to work like a hub
      “When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise.”
Wireless capture recommendations
  – Locate the Capture Station Near the Source
      • Location, location, location
  – Disable Other Nearby Transmitters
      • Minimize interference
  – Reduce CPU Utilization While Capturing
      • Let your PC concentrate on doing one thing at a time
  – Match Channel Selection
      • Many channels are available
  – Match Modulation Type
      • 802.11a? b? g?
Understanding Wireless Card Modes
  – Managed mode
      • AP required for two devices to communicate
  – Ad-hoc mode
      • Point to point – devices share AP responsibilities
  – Master mode
      • Imitates an AP
  – Monitor mode
      • aka sniffer mode
Linux issues:
  – Must be in monitor mode
  – Know your chipset and use the correct driver(s)
  – Use kernel 2.6 whenever possible

Capturing traffic in Linux
  – Not covered here; see manual (no time!)

AirPcap
  – 3rd party driver that enables wireless captures
      • Obtain the most recent copy and keep it up to date
While Wireshark, WinPcap, etc. will capture traffic, it is not truly meant to… In other words, to do it right you need the right hardware; that is, hardware meant for this specific purpose.

Bottom line… $200.00 and a visit to www.cacetech.com will solve your troubles!
Capturing wireless traffic in Windows
  – Same-o same-o… just make sure your wireless card is selected.

Analyzing Wireless Traffic
  [screenshot]
  In short, when sniffing wireless vs. wired the fields are identical
Dual sniffer scenarios (cont)
  [Figure: diagram labelled “1,000 miles”]
  How do you know which traffic flows belong together when comparing multiple captures?

Dual sniffer scenarios
 802.11   Frame header format
  – More complex than Ethernet
     Twice  the length
     Three or four addresses (compared to two
      for Ethernet
     Many more fields in the header

     Allows for the appending of other protocols
      (QoS, encryption etc.)
Packets and Protocols
       Chapter 6
Packets and Protocols
       Chapter 6
Packets and Protocols
       Chapter 6
         Packets and Protocols
                       Chapter 6




In other words there is a plethora of collection
                   options
          Packets and Protocols
                    Chapter 6
As opposed to Ethernet, using capture filters is advised on wireless networks because of the sheer volume of traffic generated by wireless connections.
  – 60 frames just to connect!
Wireless terminology
  – An AP is known as a Basic Service Set (BSS)
      • A client has a BSSID which is usually the wireless MAC address

The MAC/BSSID can be gathered with the ipconfig /all command
  [screenshot]

Once you have the BSSID you can easily filter on that device
  [screenshot]
Since the MAC and BSSID are usually the same:
  – The following two commands may be the same
      wlan.sa eq 00:09:5b:e8:c4:03
      wlan.bssid eq 00:09:5b:e8:c4:03
  OR
  – The following commands could capture the same traffic
      wlan.sa eq 00:09:5b:e8:c4:03
      wlan.bssid eq 00:11:92:6e:cf:00

  The moral of the story? Make sure that what you are capturing is what you wanted to capture!
Wireless sniffer tactics
  – If you know the MAC/BSSID sort on it
  – If you don’t, sort on the AP
  – If you don’t know the AP or if the user roams, sniff on the wired side
Filtering on SSID
  – wlan_mgt.tag.interpretation eq "NOWIRE"
  [screenshot]
  Even better, use wlan_mgt.tag.interpretation ne "NOWIRE" to look for snoopers

NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap
  That said, without capturing such info how will you know the health of your wireless network???
Data traffic only captures
  – It is a good practice to encrypt your wireless network and then sniff for unencrypted (rogue) APs

Hidden SSIDs
  – SSIDs can be set to non-broadcast; while a sniffer cannot tell you the SSIDs, it can detect their presence
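The three slides above (filter on the SSID, sniff for rogue APs, hidden SSIDs) all come down to reading the SSID element out of a beacon or probe response. The following Python is an added example, not code from the slides or the book: it parses the tagged parameters of a management frame body, treats an empty or null-filled SSID element as hidden, pulls the channel from the DS Parameter Set element (the slides' later "Identifying a Station's Channel" exercise), and classifies each beacon against the SSIDs you expect to see. The beacon bodies and the SSID "FreeWiFi" are constructed for the example; "NOWIRE" is the SSID used in the slides' filter.

```python
import struct

# IEEE 802.11 information element IDs used below
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3


def parse_tags(body: bytes) -> dict:
    """Parse the tagged parameters of a beacon/probe-response *body*
    (8-byte timestamp + 2-byte interval + 2-byte capability, then tags).
    A truncated element raises rather than returning partial data."""
    tags = {}
    off = 12  # skip the fixed fields
    while off + 2 <= len(body):
        tag_id, tag_len = body[off], body[off + 1]
        off += 2
        if off + tag_len > len(body):
            raise ValueError(f"element {tag_id} truncated at offset {off}")
        tags[tag_id] = body[off:off + tag_len]
        off += tag_len
    return tags


def ssid_of(tags: dict):
    """Return the SSID string, or None for a hidden (non-broadcast) SSID."""
    raw = tags.get(TAG_SSID)
    if raw is None or len(raw) == 0 or raw.count(0) == len(raw):
        return None
    return raw.decode("utf-8", errors="replace")


def channel_of(tags: dict):
    """Channel from the DS Parameter Set element (wlan_mgt.ds.current_channel)."""
    ds = tags.get(TAG_DS_PARAMS)
    return ds[0] if ds else None


def classify_beacon(body: bytes, expected_ssids) -> dict:
    """Label a beacon as ours / hidden / unexpected relative to the SSIDs we run."""
    tags = parse_tags(body)
    ssid = ssid_of(tags)
    if ssid is None:
        verdict = "hidden"
    elif ssid in expected_ssids:
        verdict = "ours"
    else:
        verdict = "unexpected"  # candidate rogue AP or neighbour; worth a look
    return {"ssid": ssid, "channel": channel_of(tags), "verdict": verdict}


def build_beacon_body(ssid: bytes, channel: int) -> bytes:
    """Constructed beacon body for the example (timestamp 0, interval 100 TU)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    tags += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbps basic
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    return fixed + tags


# Constructed sample: our AP, a hidden network, and an unknown network
SAMPLE_BEACONS = [
    build_beacon_body(b"NOWIRE", 6),
    build_beacon_body(b"", 11),         # SSID set to non-broadcast
    build_beacon_body(b"FreeWiFi", 1),  # constructed name, not in our inventory
]


def survey(beacons=SAMPLE_BEACONS, expected=("NOWIRE",)):
    return [classify_beacon(b, expected) for b in beacons]


if __name__ == "__main__":
    for entry in survey():
        print(entry)
```

Feed it the frame body after the 24-byte 802.11 MAC header of each beacon (tcpdump, Wireshark's export, or a pcap library can supply that); anything tagged "unexpected" is the list to walk the floor with, and "hidden" entries confirm the slide's point that you see the AP even when you cannot see its name.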
Extensible Authentication Protocol
  – EAP is used to authenticate users to a wireless network via one of several means
      • Protected Extensible Authentication Protocol (PEAP)
      • Extensible Authentication Protocol with Transport Layer Security (EAP/TLS)
      • Tunneled Transport Layer Security (TTLS)
      • Lightweight Extensible Authentication Protocol (LEAP)

The EAP authentication type can be found by filtering for
  – eap.type
EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP.
These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network.
In other words ID names and PWs can be easily sniffed
  [screenshot]
Troubleshooting EAP issues can be difficult without a sniffer
  – Code 1 - EAP Request
      A value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response-to challenge text.
  – Code 2 - EAP Response
      A value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame.
  – Code 3 - EAP Success
      A value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages.
  – Code 4 - EAP Failure
      A value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.

  [screenshot: EAP failure code]
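To make the four EAP codes and the eap.type filter concrete, here is an added Python example (not from the slides or the book) that decodes the EAP header (Code, Identifier, Length, and the Type byte that only Request and Response carry), walks a constructed authentication exchange, and reports the two things the slides care about: which identities crossed the air in plaintext in Response/Identity packets, and whether the exchange ended in Success or Failure. The identity "alice@corp.example" and the PEAP payload bytes are constructed; the code and type numbers are the IANA-assigned values.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types; the four from the slides are 13, 17, 21 and 25
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2, big-endian) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"bad EAP length {length} for {len(pkt)}-byte packet")
    result = {"code": code, "code_name": EAP_CODES[code], "id": ident, "length": length,
              "type": None, "type_name": None, "identity": None}
    if code in (1, 2):  # only Request and Response carry a Type (eap.type)
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        eap_type = pkt[4]
        result["type"] = eap_type
        result["type_name"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if eap_type == 1:  # Identity: the username travels unencrypted here
            result["identity"] = pkt[5:length].decode("utf-8", errors="replace")
    return result


def build_eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """Constructed EAP packet builder for the sample exchange."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: Identity round trip, PEAP start, then Success
SAMPLE_EXCHANGE = [
    build_eap(1, 1, 1),                          # Code 1 Request / Identity
    build_eap(2, 1, 1, b"alice@corp.example"),   # Code 2 Response / Identity (plaintext)
    build_eap(1, 2, 25, b"\x20"),                # Code 1 Request / PEAP (constructed flags byte)
    build_eap(2, 2, 25, b"\x00"),                # Code 2 Response / PEAP
    build_eap(3, 2),                             # Code 3 Success (no Type field)
]


def summarize(packets) -> list:
    """(code name, type name) per packet, the view a sniffer column would give you."""
    return [(p["code_name"], p["type_name"]) for p in map(parse_eap, packets)]


def cleartext_identities(packets) -> list:
    """Identities disclosed in Response/Identity packets, the exposure the slides warn about."""
    return [p["identity"] for p in map(parse_eap, packets)
            if p["code"] == 2 and p["type"] == 1 and p["identity"]]


def outcome(packets):
    """'Success', 'Failure' (last Code 3/4 seen) or None if the exchange never finished."""
    final = None
    for p in map(parse_eap, packets):
        if p["code"] in (3, 4):
            final = p["code_name"]
    return final


if __name__ == "__main__":
    print(summarize(SAMPLE_EXCHANGE))
    print("identities in the clear:", cleartext_identities(SAMPLE_EXCHANGE))
    print("outcome:", outcome(SAMPLE_EXCHANGE))
```

The length check matters in practice: a dissector that trusts the Length field over the actual packet size is exactly what the later "Malformed Traffic Analysis" exercise is about, so the parser rejects any packet whose declared length overruns the bytes it was given.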
…70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients.

In other words SECURE YOUR NETWORKS!
Identifying WEP security
  – Most common encryption technique
      • Also probably the most insecure
  – TKIP and CCMP are other options
  – While you cannot decrypt encrypted traffic, you can sense it with your sniffer
      • Once you know this you can build a filter
          – wlan.tkip.extiv

  [screenshot: TKIP present!]
Identifying IPSec/VPN
  – isakmp or ah or esp

See figure 6-24 on pg 317
  Note that an ICMP Destination Unreachable packet is also returned. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information.
Adding COLOR to your sniffer output
  – There is nothing like color to make things stand out

  [screenshot] Which is HTTP? ARP? IPX? Etc…

  [screenshot: Colorize toggle switch; Customize colorization]

  [screenshot: Editing color rules]

  [screenshot: Creating a new coloring rule]

  [screenshot: The “colorful” results]
Marking From DS and To DS
  – Remember traffic is marked if coming from the WAP (Distribution System) or to the DS
      • In other words you can filter on this as well
        wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
  – As the book recommends… this is an excellent use of color filters
Other uses:
  – Marking retries:
      wlan.fc.retry eq 1
  – Marking cross channel interference:
      !(wlan.bssid eq 00:0f:66:e3:e4:03 or wlan.bssid eq 00:0f:66:e3:25:92) and !wlan.fc.type eq 1
      (Assuming you know the MACs of the surrounding units)
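The From DS / To DS, retry and cross-channel filters above all read bits of the 802.11 Frame Control field and then interpret the three (or four) address fields, which is also why the earlier "frame header format" slide calls the header more complex than Ethernet. The following Python is an added example, not code from the slides or the book: it decodes the Frame Control field and resolves SA, DA and BSSID from the DS bits the way Wireshark's wlan.sa / wlan.da / wlan.bssid fields do, then re-implements the slides' three filters as plain predicates and runs them over a handful of constructed frames. The client MAC 00:09:5b:e8:c4:03, the AP BSSIDs 00:0f:66:e3:e4:03 and 00:0f:66:e3:25:92 and the address 00:11:92:6e:cf:00 are reused from the slides; the "stray" BSSID 02:00:00:00:00:01 and the frame contents are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits of the 802.11 Frame Control field (flags are its high byte)
TODS, FROMDS, RETRY = 0x01, 0x02, 0x08


@dataclass
class Dot11:
    fc_type: int          # wlan.fc.type: 0 = management, 1 = control, 2 = data
    fc_subtype: int
    tods: int             # wlan.fc.tods
    fromds: int           # wlan.fc.fromds
    retry: int            # wlan.fc.retry
    sa: Optional[str]     # wlan.sa
    da: Optional[str]     # wlan.da
    bssid: Optional[str]  # wlan.bssid


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def parse_dot11(frame: bytes) -> Dot11:
    """Decode the MAC header; which address is SA/DA/BSSID depends on the DS bits."""
    (fc,) = struct.unpack_from("<H", frame, 0)  # Frame Control is little-endian
    fc_type, fc_subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    tods, fromds, retry = int(bool(flags & TODS)), int(bool(flags & FROMDS)), int(bool(flags & RETRY))
    if fc_type == 1:  # control frames carry only RA/TA, so no SA/DA/BSSID
        return Dot11(fc_type, fc_subtype, tods, fromds, retry, None, None, None)
    a1, a2, a3 = mac_to_str(frame[4:10]), mac_to_str(frame[10:16]), mac_to_str(frame[16:22])
    if tods and fromds:     # WDS: Addr4 (after Sequence Control) is the SA, no BSSID
        sa, da, bssid = mac_to_str(frame[24:30]), a3, None
    elif tods:              # station -> AP
        bssid, sa, da = a1, a2, a3
    elif fromds:            # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                   # ad-hoc or management
        da, sa, bssid = a1, a2, a3
    return Dot11(fc_type, fc_subtype, tods, fromds, retry, sa, da, bssid)


def build_frame(fc_type, fc_subtype, addr1, addr2, addr3, tods=0, fromds=0, retry=0) -> bytes:
    """Constructed 802.11 MAC header (Duration and Sequence Control zeroed)."""
    flags = (TODS if tods else 0) | (FROMDS if fromds else 0) | (RETRY if retry else 0)
    fc = (fc_type << 2) | (fc_subtype << 4) | (flags << 8)
    return (struct.pack("<H", fc) + b"\x00\x00"
            + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3) + b"\x00\x00")


# The slides' three display filters as predicates over a parsed header
def f_to_ds(h: Dot11) -> bool:            # wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
    return h.fromds == 0 and h.tods == 1


def f_retry(h: Dot11) -> bool:            # wlan.fc.retry eq 1
    return h.retry == 1


def f_cross_channel(h: Dot11, known) -> bool:  # !(wlan.bssid eq A or wlan.bssid eq B) and !wlan.fc.type eq 1
    return h.bssid not in known and h.fc_type != 1


CLIENT = "00:09:5b:e8:c4:03"  # station MAC from the slides
AP_A = "00:0f:66:e3:e4:03"    # the two BSSIDs named in the slides' cross-channel filter
AP_B = "00:0f:66:e3:25:92"
GW = "00:11:92:6e:cf:00"      # address from the slides, used here as the wired-side destination
STRAY = "02:00:00:00:00:01"   # constructed: a BSSID not in our inventory

SAMPLE_FRAMES = [
    build_frame(2, 0, AP_A, CLIENT, GW, tods=1),            # 0: client -> AP (To DS)
    build_frame(2, 0, CLIENT, AP_A, GW, fromds=1),          # 1: AP -> client (From DS)
    build_frame(2, 0, AP_A, CLIENT, GW, tods=1, retry=1),   # 2: retransmission of frame 0
    build_frame(2, 0, "ff:ff:ff:ff:ff:ff", STRAY, STRAY),   # 3: data from an unknown BSS
    build_frame(1, 13, CLIENT, "00:00:00:00:00:00", "00:00:00:00:00:00"),  # 4: ACK (control)
]


def run_slide_filters(frames=SAMPLE_FRAMES, known=(AP_A, AP_B)) -> dict:
    """Indices of frames each filter would colour, over the sample capture."""
    hdrs = [parse_dot11(f) for f in frames]
    return {
        "to_ds": [i for i, h in enumerate(hdrs) if f_to_ds(h)],
        "retry": [i for i, h in enumerate(hdrs) if f_retry(h)],
        "cross_channel": [i for i, h in enumerate(hdrs) if f_cross_channel(h, known)],
    }


if __name__ == "__main__":
    print(run_slide_filters())
```

Note how the BSSID moves between Addr1, Addr2 and Addr3 as the DS bits change; that is why the "wlan.sa vs. wlan.bssid" slide warns that two filters which look equivalent can select different frames, and why the cross-channel filter has to exclude control frames (type 1), which carry no BSSID at all and would otherwise match "not one of our BSSIDs".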
Adding columns to the display
  – There are dozens of items you can add to the Wireshark display
      • Edit -> Preferences -> Columns
  – Note that a re-start is required!

  [screenshot] Note that Delta time has been added
Encrypted networks can be impossible to decrypt - - unless you have the key
  – Wireshark automatically decrypts all WEP info if the key is known (not TKIP or CCMP)

  “When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. This allows you to use display filters, coloring rules, and all other Wireshark features on the decrypted frame contents.”

  [screenshot] Up to 64 keys can be added
For decrypting TKIP other tools exist
  – airdecap-ng

airdecap-ng is an open source tool that you can use to decrypt TKIP packets
Practical examples for real world wireless captures

Identifying a Station’s Channel
  – Refer to capture file wireless-rwc-1.cap
  – Do the exercise on pg 327

Wireless Connection Failures
  – Do the exercise on pg 329

Wireless Network Probing
  – Do the exercise on pg 337

EAP Authentication Account Sharing
  – Do the exercise on pg 341

IEEE 802.11 DoS Attacks
  – Do the exercise on pg 344

IEEE 802.11 Spoofing Attacks
  – Do the exercise on pg 348

Malformed Traffic Analysis
  – Do the exercise on pg 357