WLSAT Section 1

Section 1: Wireless Packet Captures & Connection Analysis - A Review

Many of you will have already used many of these tools, or at least had some experience with them in
previous CWNP or vendor wireless training. To bring everyone ‘up to speed’ we’ve included this
section as a review of the various tools and techniques for capturing packets traversing the 802.11
network.

We’ll start with some simple packet capture, making filters, and lead onto baselining your wireless
network with some ‘standard’ baseline captures. We’ll cover some of the software packages included
in your kit: WildPackets Omnipeek Personal, AirDefense Mobile, and Wireshark to start with.

01 - Wireless Packet Captures & Connection Analysis Review.v7 © 2006 Institute for Network Professionals
1/12/11 1 www.inpnet.org • www.HOTLabs.org

Lab 1.1: View an Open Authentication packet capture


OmniPeek Personal demonstrates the benefits of a powerful, well-
designed network analysis tool and its analysis capabilities. Used
to increase the visibility into wireless and wired network traffic on
non-commercial networks, OmniPeek Personal allows users to
experience how the OmniAnalysis Platform pinpoints and analyzes
network problems. OmniPeek Personal provides an introduction to
the superior high-level views of WildPackets Expert Analysis which
make the identification of network problems simple and quick.

Product Information

Source: WildPackets (free), www.wildpackets.com

Where, When, Why


A protocol analyzer is a capture and analysis tool which gives a pen tester
insight into the protocols, stations, access points, and wireless configuration of
the network.

The purpose of this lab is to review how to perform packet capture and
analysis. These concepts are critical to performing wireless penetration
testing. A wireless pen tester must know how to use packet capture and
analysis tools in order to accurately identify security weaknesses. This lab will
familiarize you with how to capture traffic, use capture and display
filters, and view application and MAC layer data.

Usage and Features


• Capture traffic and use statistics for Troubleshooting purposes
• Identify MAC and IP addresses for spoofing
• Data confidentiality attack against unencrypted wireless networks

Where to Go for More Information


• www.wildpackets.com


Lab Part 1 – Analyze 802.11 Trace Files

Step 1. Insert the Ubiquiti Card in the PCMCIA Slot on the side of your WLSAT Laptop.
(you can use either the small 2.2dBi or the 5dBi antennas – note the arrow on the
bottom pointing to the antenna jack to use)

Step 2. Go to Start → ‘Switch to OmniPeek Personal Driver’.

Step 3. Launch OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.

Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use. Then
click OK to continue.


Step 5. If the card is capturing properly, you should see the packet counts changing in the
Dashboard in the lower left corner.

Step 6. Using File → Open → Desktop → Student Files → Trace Files – Omnipeek Captures,
browse to the Student Files directory containing the OmniPeek trace files.

Step 7. Open the Open System – WEP.apc file.

Step 8. You might need to change the column width settings to have your screen match
the screen shot above.

Step 9. Note the frames, who is talking to whom, which are broadcast, which are unicast.

Step 10. What is the MAC Address of the Access Point, the client?

_____________________________

Step 11. Now open another trace file … this time let’s try one of the EAP
conversations. How about EAP-LEAP-TKIP.apc.


Step 12. To make this a little easier to see, let’s get rid of all the Acknowledgement
frames by building a ‘No ACKs’ Filter.

Step 13. Click on View → Filters.

Step 14. Now we need to add a new filter by clicking on the Plus Sign.

Step 15. Check the Protocol Filter box, then click the Protocols button to
open the Protocol Options screen.


Step 16. Click OK to return – notice the change in the protocol field.

Step 17. Now we need to change from Simple to Advanced in the window. (Upper right of
the Insert Filter interface)

Step 18. Give the Filter a Name – No ACKs and click on the Protocol Box then click the
Not Button to make your screen match the graphic above. Then Click OK.

Step 19. You should now have a No ACKs filter choice.

Step 20. To apply this filter, click on the little funnel icon (at the top of the
packet window) and drop down to the No ACKs filter choice.


Step 21. You should now see a ‘simpler’ view of this packet exchange.

Step 22. We have included a variety of packet exchanges for your perusal. Try opening all
of them to see how different processes work at the packet level.

Step 23. Next we’ll see if you can answer some questions after analyzing another trace
file. Enjoy!

Step 24. Using File → Open, open Openauth.apc. Examine the packet capture file.

Step 25. Which packet starts the authentication process?

_____________________________

Step 26. What is the MAC address of the station? The AP?

_____________________________

Step 27. What is the SSID of the network?


_____________________________

Step 28. Does the AP support B and G?

_____________________________

Step 29. What channel is the AP on?

_____________________________

Step 30. Was the Authentication successful?

_____________________________

Step 31. Is this the first time the client associated to the network? How can you tell?

_____________________________

Step 32. How many clients are connected to the AP?

_____________________________

Step 33. Is there anything suspicious about one of the clients connecting to the
AP?

_____________________________


Lab 1.2: View an EAP Authentication packet capture


Step 1. Open OmniPeek Personal.

Step 2. Using File → Open, open eap.apc.

Step 3. When does the EAP authentication take place?

Step 4. _____________________________

Step 5. How do you know it is an EAP authentication?

Step 6. _____________________________

Step 7. What EAP type is the wireless network using?

Step 8. _____________________________

Step 9. Has the client successfully authenticated?

Step 10. _____________________________


Lab 1.3: View a data transfer packet capture


Step 1. Open OmniPeek Personal.

Step 2. Using File → Open, open data.apc.

Step 3. Examine the packet capture file.

Step 4. View the payload of the packets.

Step 5. What application layer protocol is in use?

Step 6. _____________________________

Step 7. What server is the data being transferred from?

Step 8. _____________________________

Step 9. What is the IP address of the server?

Step 10. _____________________________

Step 11. What web site is the client connecting to?

Step 12. _____________________________


Lab 1.4: Create an Omnipeek Filter


Step 1. Open OmniPeek Personal.

Step 2. Start a capture on channel 6.

Step 3. Set 802.11 options to Channel 6.

Step 4. Create a Filter to capture all traffic except beacons. View → Filters, then
Add. Set Protocol to 802.11 Beacon, then switch to Advanced to set the ‘Not’.

Step 5. Apply the No Beacons filter (little funnel, then choose No Beacons).

Step 6. Start the Capture. Wait a couple of minutes then Stop.

Step 7. View the capture. Do you see beacons?

Step 8. _____________________________

Step 9. Create a Filter to capture only data traffic.

Step 10. _____________________________

Step 11. Open a web page on the Nokia N800 and the WLSAT laptop.

Step 12. Start a new capture. View the capture. Do you see only data traffic?
_____________________________

Step 13. Create a Filter to capture only voice traffic. Make a Gizmo Project or Googletalk
call between your Nokia and WLSAT laptop.

Step 14. Start a new capture. View the capture. Do you see voice traffic?
_____________________________

Step 15. Create a Filter to capture only FTP traffic.

Step 16. Start the FTP server on the WLSAT laptop. Connect to the FTP server from the
Nokia N800.

Step 17. Start a new capture. View the capture. Do you see FTP traffic?
_____________________________

Step 18. Create a Filter to capture only traffic to a destination network.

Step 19. View the capture. Do you see only traffic to your network?
_____________________________

Step 20. Create a Filter to capture only traffic to a destination host. Try your WLSAT
Laptop’s MAC Address.

Step 21. View the capture. Do you see only traffic to your host?
_____________________________


Lab 1.5: Create a Wireshark Filter


Step 1. Plug in the AirPcap USB device.

Step 2. Open Wireshark – Start → Wireless Tools → Wireshark.

Step 3. Click on Capture → Interfaces.

Step 4. Choose the AirPcap USB adapter and click on Options to set details
for this capture.

Step 5. Review the options on this page… then click on Wireless Settings.

Step 6. Select Channel 1 as the channel we’ll be capturing from.

Step 7. Return to the Options page, then click the Start button to start your capture.


Step 8. Note, right now all packets are being shown as they come to the wireless card.

Step 9. Review the notes below on how to make and use Filters in Wireshark.

Step 10. Create a Filter to capture all traffic except beacons.

Step 11. Create a Filter to capture only data traffic.

Step 12. Create a Filter to capture only Data… but NOT NULL Data (going to sleep)
packets.

Step 13. Now try some new filters on your own.

NOTE: You can review more on Wireshark from the Laura Chappell Master
Library DVD set.

Step 14. Create a Filter to capture only voice traffic.

_____________________________

Step 15. Create a Filter to capture only FTP traffic.

_____________________________

Step 16. Create a Filter to capture only traffic to a destination network.

_____________________________

Step 17. Create a Filter to capture only traffic to a destination host.

_____________________________

Step 18. How about a filter to capture Access Points with ‘cloaked’ or ‘hidden’ SSIDs?
When an Access Point does NOT broadcast SSID, the SSID field contains no data in
Beacons and Probe Response packets. But… clients MUST ask for the proper
‘hidden’ SSID in their requests to join the BSA.

NOTE: This filter is wlan.bssid==xx:xx:xx:xx:xx:xx and wlan.fc.type_subtype==0,
where the BSSID of the Access Point you are looking for is in the xx’s.

By applying the above filter, we reveal any association requests for the specific
BSSID. By clicking IEEE 802.11 Wireless LAN Management
Frame → Tagged Parameters → SSID Parameter Set in
the packet detail window we can see the SSID requested by the client station,
thus revealing the ‘Hidden’ SSID.


Wireshark Filters for 802.11 Frames

802.11 Header Field                         Filter
Either Source or Destination Address        wlan.addr
Transmitter Address                         wlan.ta
Source Address                              wlan.sa
Receiver Address                            wlan.ra
Destination Address                         wlan.da
BSSID                                       wlan.bssid
Duration                                    wlan.duration

Frame Control Subfields                     Filter
Frame Type                                  wlan.fc.type
Frame Subtype                               wlan.fc.subtype
ToDS Flag                                   wlan.fc.tods
FromDS Flag                                 wlan.fc.fromds
Retry Flag                                  wlan.fc.retry
Protected Frame (WEP) Flag                  wlan.fc.wep

NOTE: Filter field names are case-sensitive and all lowercase. Current Wireshark
releases name the Protected Frame flag wlan.fc.protected; wlan.fc.wep is the
older name shown here.

Fields can be combined using operators. Wireshark supports a standard set of
comparison and logical operators:

==        equal to                    !=        not equal to
>         greater than                >=        greater than or equal to
<         less than                   <=        less than or equal to
&&        logical AND                 ||        logical OR
!         logical NOT
contains  field contains the value    matches   field matches a regular expression

An example of a display filter would be wlan.fc.type==1 to match control
frames.

To remove all Beacon frames from your trace, you’ll need to write a display
filter that matches Beacon frames, and then negate it, as in the example
below:
• Filter on type code for management frames with wlan.fc.type==0
• Filter on subtype code for Beacon with wlan.fc.subtype==8
Combine the two, and negate the operation by using the exclamation point for
NOT, with an expression result of:
!(wlan.fc.type==0 and wlan.fc.subtype==8)
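Both the hidden-SSID filter from Lab 1.5 and the No Beacons filter above come down to reading the Frame Control field and, for management frames, the tagged parameters. The script below is an added example (not part of the original lab, OmniPeek or Wireshark): it decodes those fields from raw 802.11 frames the way Wireshark's wlan.fc.* filters see them, applies the same three filters in Python, and shows why a hidden SSID is not a confidentiality control. The frames, MAC addresses and SSID are constructed for the example.

```python
import struct

# Wireshark computes wlan.fc.type_subtype as (type << 4) | subtype, which is
# why Beacon is 8, ACK is 29 and NULL Data is 36 in the frame type table.
ASSOC_REQ, BEACON, ACK, NULL_DATA = 0x00, 0x08, 0x1D, 0x24
# Bytes of fixed fields before the tagged parameters, per management subtype
# (assoc req 0, reassoc req 2, probe req 4, probe resp 5, beacon 8).
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ssid_from_tags(subtype, body):
    """Walk the tagged parameters and return the SSID Parameter Set (tag 0)."""
    i = FIXED_LEN.get(subtype, 0)
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_frame(raw):
    """Decode the 802.11 MAC header into the fields Wireshark exposes as wlan.*."""
    fc, _duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    frame = {"type": ftype, "subtype": subtype,
             "type_subtype": (ftype << 4) | subtype,
             "tods": flags & 1, "fromds": (flags >> 1) & 1,
             "retry": (flags >> 3) & 1, "protected": (flags >> 6) & 1,
             "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]),
             "addr3": mac(raw[16:22])}
    if ftype == 0:  # management frame: Address 3 carries the BSSID
        frame["bssid"] = frame["addr3"]
        frame["ssid"] = ssid_from_tags(subtype, raw[24:])
    return frame

def no_beacons(frames):
    """Same as the display filter !(wlan.fc.type==0 and wlan.fc.subtype==8)."""
    return [f for f in frames if not (f["type"] == 0 and f["subtype"] == 8)]

def data_not_null(frames):
    """Same as wlan.fc.type==2 && !wlan.fc.type_subtype==36 (Lab 1.5, Step 12)."""
    return [f for f in frames if f["type"] == 2 and f["type_subtype"] != NULL_DATA]

def requested_ssids(frames, bssid):
    """wlan.bssid==<bssid> && wlan.fc.type_subtype==0, then read the SSID tag."""
    return [f["ssid"] for f in frames
            if f.get("bssid") == bssid and f["type_subtype"] == ASSOC_REQ]

# Constructed sample frames (not from a real capture). The AP hides its SSID, so
# its Beacon carries an empty SSID tag, but the client's Association Request
# still has to name the SSID it wants to join.
AP, STA = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")

def mgmt(subtype, da, sa, bssid, ssid):
    hdr = struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + b"\x00\x00"
    return hdr + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid

BEACON_FRAME = mgmt(8, b"\xff" * 6, AP, AP, b"")
ASSOC_FRAME = mgmt(0, AP, STA, AP, b"HOTlabs")
ACK_FRAME = struct.pack("<HH", (13 << 4) | (1 << 2), 0) + STA
NULL_FRAME = struct.pack("<HH", (4 << 4) | (2 << 2) | (1 << 8), 0) + AP + STA + AP + b"\x00\x00"
SAMPLE_FRAMES = [parse_frame(f) for f in (BEACON_FRAME, ASSOC_FRAME, ACK_FRAME, NULL_FRAME)]
```

Run `requested_ssids(SAMPLE_FRAMES, "00:11:22:33:44:aa")` to see the SSID the client asked for even though the Beacon's SSID tag is empty; `no_beacons` and `data_not_null` reproduce the two Lab 1.5 filters on the same frames.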


When assessing a wireless capture with Wireshark, it is common to apply
display filters to look for or exclude certain frames based on the IEEE 802.11
frame type and frame subtype fields. If you are trying to exclude frames from a
capture, it is easy to identify the Type and Subtype fields by navigating the
Packet Details window and using those values for your filter.

Or, you can just use this handy-dandy table we’ve provided below.

Frame Type/Subtype                Filter
Management Frames                 wlan.fc.type==0
  Association Request             wlan.fc.type_subtype==0
  Association Response            wlan.fc.type_subtype==1
  Reassociation Request           wlan.fc.type_subtype==2
  Reassociation Response          wlan.fc.type_subtype==3
  Probe Request                   wlan.fc.type_subtype==4
  Probe Response                  wlan.fc.type_subtype==5
  Beacon                          wlan.fc.type_subtype==8
  ATIM                            wlan.fc.type_subtype==9
  Disassociate                    wlan.fc.type_subtype==10
  Authentication                  wlan.fc.type_subtype==11
  Deauthentication                wlan.fc.type_subtype==12
Control Frames                    wlan.fc.type==1
  Power-Save Poll                 wlan.fc.type_subtype==26
  Request To Send - RTS           wlan.fc.type_subtype==27
  Clear To Send - CTS             wlan.fc.type_subtype==28
  Acknowledgement - ACK           wlan.fc.type_subtype==29
Data Frames                       wlan.fc.type==2
  NULL Data                       wlan.fc.type_subtype==36

The type_subtype value is the 2-bit type followed by the 4-bit subtype, i.e.
(type × 16) + subtype, which is why Beacon is 8 (0 × 16 + 8) and NULL Data is
36 (2 × 16 + 4).


Here is a great graphical view of Wireshark’s 802.11 Filter names for each part
of an 802.11 frame.


Display Filter Syntax

Hosts/Network       ip.addr, ip.src, ip.dst, eth.addr, eth.src, eth.dst
Ports               tcp.port, tcp.srcport, tcp.dstport, udp.port, udp.srcport,
                    udp.dstport
Various Protocols   arp, bootp, dcerpc, dns, eth, ftp, http, icmp, ip, ncp,
                    netbios, ntp, ospf, sip, smtp, snmp, tcp, udp
Examples            ip.addr==10.4.2.19
                    !ip.addr==10.4.15.27
                    !arp && !bootp
                    tcp.port==80
                    eth.dst==00:04:5a:df:80:37
                    ip.ttl<=5
                    tcp.flags.reset==1

Keyboard Shortcuts

Tab               Move forward between packet windows and screen elements
Shift-Tab         Move backwards between packet windows and screen elements
Down              Move forward to the next packet or detail item
Up                Move back to the previous packet or detail item
Ctrl-Down, F8     Move to the next packet, even if the packet list is not the focus
Ctrl-Up, F7       Move to the previous packet, even if the packet list is not the focus
Left              Closes the selected tree item in the packet detail window,
                  or moves to the parent node if already closed
Right             Expands the selected tree item in the packet detail window
                  (does not expand the subtree)
Backspace         Move to the parent node in the packet detail window
Return, Enter     Toggles expansion of the selected tree item in the packet
                  detail window
Ctrl-M            Mark a packet
Ctrl-N            Go to the next marked packet
Ctrl-T            Set time reference
Ctrl-Plus         Zoom in (increase font size)
Ctrl-Minus        Zoom out (decrease font size)
Ctrl-Equal        Zoom to 100%


Lab 1.6: Create baseline captures

Baseline captures to collect:
• Open – No WEP
• Open – WEP
• Open – WEP – w/Radius
• WPA – Radius
• Shared Key – WEP
• WPA – PSK
• Roaming connection
• Beacon – Probe Request – Probe Response

Lab Part 1 - Capture an Open Authentication exchange between STA and Access
Point

Step 1. Open OmniPeek Personal – Start → Wireless Tools → WildPackets OmniPeek Personal.

Step 2. Click Capture → Start Capture (or Capture Options if you want
to modify a current capture).

Step 3. Click on the 802.11 item in the left panel, then select channel 1.

Step 4. Click OK.

Step 5. Click Start Capture.

Step 6. Connect your wireless STA to your Access Point with your SSID (It should be
pre-configured with No Encryption and on Channel 1).

Step 7. When you have associated, stop the packet capture then review the list of
packets.
Which packet starts the authentication process?
_____________________________
What is the MAC address of the station?
_____________________________
The AP?
_____________________________
Was the Authentication successful?
_____________________________
Why or why not?
_____________________________

Step 8. Save the file as baseline_Openauth .

Lab Part 2 - Capture Shared Key Authentication exchange between STA and Access
Point

Step 1. Change the AP configuration to Shared Key Authentication and type
a WEP key of 1111111111.


Step 2. Connect your wireless STA to the Access Point with the same security settings as
the AP. This means WEP Encryption with Shared Key Authentication.

Step 3. Review the list of packets.


Which packet starts the authentication process?

_____________________________
Was the Authentication successful?

_____________________________
Why or why not?

_____________________________

Step 4. Select File → Save All Packets.

Step 5. Save the file as baseline_SharedKeyAuth.

Lab Part 3 - Capture a WPA-PSK Authentication


Step 1. Open OmniPeek Personal and start a capture on channel 1.

Step 2. Configure your access point for WPA-PSK with the following parameters:
• Channel 1
• SSID = ap# (where the number is your student number)
• WPA-PSK Authentication passphrase
my wireless network is secure
• Use TKIP for encryption

Step 3. Connect your Nokia N800 wireless client to your access point using the same
security settings as the access point.

Step 4. Examine the packet capture file.

Step 5. Which packet starts the authentication process?


_____________________________

Step 6. What is the MAC address of the station? The AP?


_____________________________

Step 7. Was the Authentication successful?


_____________________________

Step 8. Save the file as baseline_WPA-PSK-Auth .

Lab Part 4 - Capture web access traffic


Step 1. Open OmniPeek Personal and capture on channel 6.


Step 2. Connect your Nokia N800 wireless client to the classroom AP with SSID
HOTlabs.

Step 3. Browse the web on your Nokia N800; you can choose where.

Step 4. View the capture and identify the web sites that other students are accessing. What
web site is the client connecting to? List at least 3 here.
_____________________________

_____________________________

_____________________________

Step 5. View the payload of the packets. You should be able to see the websites that are
being accessed.

Step 6. What application layer protocol is in use?


_____________________________

Step 7. What server is the data being transferred from?


_____________________________

Step 8. What is the IP address of the server?


_____________________________

Step 9. Save the file as baseline_Web-Traffic .

What you learned in this Lab:


In this Lab you learned to use Wireless Sniffers / Protocol Analyzers to:
1. Capture data, voice and video traffic
2. Analyze connections between stations and access points
3. Review prerequisite knowledge and ensure you are familiar with how to
capture, filter, and analyze wireless traffic
