Section 1
Wireless Packet Captures & Connection Analysis - A Review
Many of you will have already used many of these tools, or at least had some experience with them in
previous CWNP or vendor wireless training. To bring everyone ‘up to speed’ we’ve included this
section as a review of the various tools and techniques for capturing packets traversing the 802.11
network.
We’ll start with some simple packet capture, making filters, and lead onto baselining your wireless
network with some ‘standard’ baseline captures. We’ll cover some of the software packages included
in your kit: WildPackets Omnipeek Personal, AirDefense Mobile, and Wireshark to start with.
01 - Wireless Packet Captures & Connection Analysis Review.v7 © 2006 Institute for Network Professionals
1/12/11 1 www.inpnet.org • www.HOTLabs.org
WLSAT Section 1
Product Information
Source
Wildpackets
Free
www.wildpackets.com
The purpose of this lab is to review how to perform packet capture and
analysis. These concepts are critical to performing wireless penetration
testing. A wireless pen tester must know how to use packet capture and
analysis tools in order to accurately identify security weaknesses. This lab will
familiarize you with how to capture traffic, use capture and display
filters, and view application and MAC layer data.
Step 1. Insert the Ubiquiti Card in the PCMCIA Slot on the side of your WLSAT Laptop.
(you can use either the small 2.2dBi or the 5dBi antennas – note the arrow on the
bottom pointing to the antenna jack to use)
Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use. Then
click OK to continue.
Step 5. You should see some changing packets if the card is collecting properly with this
Dashboard in the lower left corner.
Step 8. You might need to change the column width settings to have your screen match
the screen shot above.
Step 9. Note the frames, who is talking to whom, which are broadcast, which are unicast.
Step 10. What is the MAC Address of the Access Point, the client?
_____________________________
Step 11. Now open another trace file … this time let’s try one of the EAP
conversations. How about EAP-LEAP-TKIP.apc?
Step 12. To make this a little easier to see, let’s get rid of all the Acknowledgement
frames by building a ‘No ACKs’ Filter.
Step 14. Now we need to add a new filter by clicking on the Plus Sign.
Step 15. Check the Protocol Filter, then click the Protocols Button to
open the Protocol Options screen.
Step 16. Click OK to return – notice the change in the protocol field.
Step 17. Now we need to change from Simple to Advanced in the window. (Upper right of
the Insert Filter interface)
Step 18. Give the Filter a Name – No ACKs and click on the Protocol Box then click the
Not Button to make your screen match the graphic above. Then Click OK.
Step 20. To apply this filter, click on the little funnel icon (at the top of the
packet windows) and drop down to the No ACKs filter choice.
Step 21. You should now see a ‘simpler’ view of this packet exchange.
Step 22. We have included a variety of packet exchanges for your perusal. Try opening all
of them to see how different processes work at the packet level.
Step 23. Next we’ll see if you can answer some questions after analyzing another trace
file. Enjoy!
Step 24. Use File → Open to open Openauth.apc. Examine the packet capture file.
_____________________________
Step 26. What is the MAC address of the station? The AP?
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
Step 31. Is this the first time the client associated to the network? How can you tell?
_____________________________
_____________________________
Step 33. Is there anything to suspect about one of the clients that are connecting to the
AP?
_____________________________
Step 4. _____________________________
Step 6. _____________________________
Step 8. _____________________________
Step 6. _____________________________
Step 8. _____________________________
Step 4. Create a Filter to capture all traffic except beacons. View → Filters, then
Add. Set Protocol to 802.11 Beacon, then Advanced to set the ‘Not’.
Step 5. Apply the No Beacons filter (little funnel and choose No Beacons).
Step 8. _____________________________
Step 11. Open a web page on the Nokia N800 and WLSAT laptop.
Step 12. Start a new capture. View the capture. Do you see data only traffic?
_____________________________
Step 13. Create a Filter to capture only voice traffic. Make a Gizmo Project or Googletalk
call between your Nokia and WLSAT laptop.
Step 14. Start a new capture. View the capture. Do you see voice traffic?
_____________________________
Step 16. Start the FTP server on the WLSAT laptop. Connect to the FTP server from the
Nokia N800.
Step 17. Start a new capture. View the capture. Do you see FTP traffic?
_____________________________
Step 19. View the capture. Do you see only traffic to your network?
_____________________________
Step 20. Create a Filter to capture only traffic to a destination host. Try your WLSAT
Laptop’s MAC Address.
Step 21. View the capture. Do you see only traffic to your host?
_____________________________
Step 4. Choose the AirPcap USB adapter and click on Options to set details
for this capture.
Step 5. Review the options on this page… then click on Wireless Settings.
Step 7. Return to the Options page, then click the Start button to start your capture.
Step 8. Note, right now all packets are being shown as they come to the wireless card.
Step 9. Review the notes below on how to make and use Filters in Wireshark.
Step 12. Create a Filter to capture only Data… but NOT NULL Data (going to sleep)
packets.
NOTE: You can review more on Wireshark from the Laura Chappell Master
Library DVD set.
_____________________________
_____________________________
_____________________________
_____________________________
Step 18. How about a filter to capture Access Points with ‘cloaked’ or ‘hidden’ SSIDs?
When an Access Point does NOT broadcast SSID, the SSID field contains no data in
Beacons and Probe Response packets. But… clients MUST ask for the proper
‘hidden’ SSID in their requests to join the BSA.
By applying the above filter, we reveal any association requests for the specific
BSSID. By clicking IEEE 802.11 Wireless LAN Management
Frame → Tagged Parameters → SSID Parameter Set in
the packet detail window we can see the SSID requested by the client station,
thus revealing the ‘Hidden’ SSID.
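The same observation in code, as an added example that is not part of the original lab material: a minimal Python parser that walks the tagged parameters of 802.11 management frames and pairs each BSSID whose beacons carry an empty SSID with the SSID a client names in its association request. The frames, MAC addresses and the SSID `cloaked-lab` are constructed sample data, and the frames are assumed to start at the 802.11 header (no radiotap header, no FCS).

```python
import struct

# Bytes of fixed fields before the tagged parameters, per management subtype.
FIXED = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def parse_mgmt(frame):
    """Return (kind, bssid, ssid) for a management frame, or None for anything else.
    ssid is None if no SSID element exists and "" if it is empty or all NULs (cloaked)."""
    if len(frame) < 24:                       # control frames such as ACK are shorter
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED:
        return None
    bssid = frame[16:22].hex(":")             # Address 3 holds the BSSID here
    pos, ssid = 24 + FIXED[subtype], None
    while pos + 2 <= len(frame):              # walk tag / length / value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:               # truncated element, stop parsing
            break
        if tag == 0:                          # tag 0 = SSID parameter set
            ssid = "" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return NAMES[subtype], bssid, ssid

def reveal_hidden(frames):
    """Map each cloaked BSSID to the SSID a client named when (re)associating."""
    cloaked, asked = set(), {}
    for kind, bssid, ssid in filter(None, map(parse_mgmt, frames)):
        if kind in ("beacon", "probe-resp") and ssid == "":
            cloaked.add(bssid)
        elif kind in ("assoc-req", "reassoc-req") and ssid:
            asked[bssid] = ssid
    return {b: s for b, s in asked.items() if b in cloaked}

# Constructed sample frames (locally administered MACs, made-up SSID).
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def hdr(fc0, da, sa, bssid):
    return bytes([fc0, 0, 0, 0]) + da + sa + bssid + b"\x00\x00"

SAMPLE = [
    hdr(0x80, b"\xff" * 6, AP, AP) + bytes(8) + struct.pack("<HH", 100, 1) + b"\x00\x00",
    bytes([0xD4, 0, 0, 0]) + STA,                                   # ACK, ignored
    hdr(0x00, AP, STA, AP) + struct.pack("<HH", 1, 10) + b"\x00\x0bcloaked-lab\x01\x01\x82",
]
print(reveal_hidden(SAMPLE))
```

Because the client must send the SSID in clear text to join, cloaking the SSID in beacons hides nothing from a passive capture and should not be counted as a security control.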
BSSID wlan.bssid
Duration wlan.duration
Or, you can just use this handy-dandy table we’ve provided below.
Here is a great graphical view of Wireshark’s 802.11 Filter names for each part
of an 802.11 frame.
Examples
ip.addr==10.4.2.19
!ip.addr==10.4.15.27
!arp && !bootp
tcp.port==80
eth.dst==00:04:5a:df:80:37
ip.ttl<=5
tcp.flags.reset==1
Keyboard Shortcuts
Lab Part 1 - Capture an Open Authentication exchange between STA and Access
Point
Step 2. Click Capture → Start Capture, or capture options if you want
to modify a current capture.
Step 3. Click on the 802.11 item in the left panel, then select channel 1.
Step 4. Click OK.
Step 6. Connect your wireless STA to your Access Point with your SSID (It should be
pre-configured with No Encryption and on Channel 1).
Step 7. When you have associated, stop the packet capture then review the list of
packets.
Which packet starts the authentication process?
_____________________________
What is the MAC address of the station?
_____________________________
The AP?
_____________________________
Was the Authentication successful?
_____________________________
Why or why not?
_____________________________
Lab Part 2 - Capture Shared Key Authentication exchange between STA and Access
Point
Step 2. Connect your wireless STA to the Access Point with the same security settings as
the AP. This means WEP Encryption with Shared Key Authentication.
_____________________________
Was the Authentication successful?
_____________________________
Why or why not?
_____________________________
Step 2. Configure your access point for WPA-PSK with the following parameters:
• Channel 1
• SSID = ap# (where the number is your student number)
• WPA-PSK Authentication passphrase
my wireless network is secure
• Use TKIP for encryption
Step 3. Connect your Nokia N800 wireless client to your access point using the same
security settings as the access point.
Step 2. Connect your Nokia N800 wireless client to the classroom AP with SSID
HOTlabs.
Step 3. Browse the web on your Nokia N800; you can choose where.
Step 4. View the capture and identify the web sites that other students are accessing. What
web sites are the clients connecting to? List at least 3 here.
_____________________________
_____________________________
_____________________________
Step 5. View the payload of the packets. You should be able to see the websites that are
being accessed.