Wireshark Primer
Wireshark Primer
with an emphasis on WLANs
Gary Hampton
Kentuckiana ISSA Workshop
3/12/2011
Outline
Objective
Types of Sniffers
Wireshark background
802.11 Physical Layer
802.11 MAC Layer
802.11 Security
Capturing basics
Wireless traces
How to’s: tcp stream, statistics, filters, profiles
Objective
Improve your knowledge of Wireshark and
how to sniff traffic
Be able to create filters and navigate
Wireshark
Improve your knowledge of the 802.11
protocol and wireless networking
Types of sniffers
Specialty sniffers
Device specific
Cain and Abel
Dsniff
Tcpdump/windump
Intrusion detection systems
Modern access points
Microsoft’s Netmon
Commercial grade
WildPackets' OmniPeek
NetScout
Wireshark
CACE Pilot (Wireshark interface); Riverbed Technology
Why Wireshark?
Why use Wireshark?
Excellent price $0
Full blown sniffer
Supports multiple file formats:
MS Netmon, Wild Packets, Sun Snoop, Kismet
Sharing traces with other work groups
When to use a commercial sniffer?
When sniffing large amounts of data (e.g. 1GB)
When presenting graphs and documents to upper
level management
Wireshark
Created by Gerald Combs
1998 Ethereal
2006 Cace Technologies “Wireshark”
Purchased by Riverbed Technology 2010
Maintained by a group of developers today
Released under GNU General Public License (GNU GPL)
Free downloads available for Windows, Mac OS X, Linux,
FreeBSD and U3 devices
www.wireshark.org/download.html
Graphical and command versions
Mailing list for new releases
www.wireshark.org/lists
Wireshark Requirements
Any modern 32-bit/64-bit x86 or AMD processor
Minimum 128MB available RAM (more is better)
75MB available disk space
Network cards
Any Ethernet card supported by Windows
Wireless
Windows – AirPcap adaptors only
Linux – not all, but most Linux drivers will support monitor
mode
http://wireless.kernel.org/en/users/drivers
Uses for Wireshark
Troubleshoot performance issues
Identify device configuration issues
Identify malicious traffic
Perform intrusion detection
Evaluate response times
Baseline bandwidth usage
Identify application protocols and ports
Assess wireless networks
What does it take to be good at
analyzing traces?
Be familiar with the sniffer’s features
Be familiar with networking protocols
Your effectiveness is directly proportional
Research RFCs, Google, etc.
Know your network and the applications
that utilize it
Baseline
802.11 Physical Layer
802.11b/g/n 2.4GHz band
Microwave ovens
Bluetooth
Wireless cameras
Cordless phones
Other 802.11 devices
Ham radio operators
[Figure: 2.4 GHz channel map, channels 1-11; channel 1 is centered at 2412 MHz, channel 6 at 2437 MHz and channel 11 at 2462 MHz]
3 non-overlapping channels in the 2.4GHz band
CSMA/CA
Unlicensed spectrum
802.11a/n 5 GHz band
Unlicensed National Information
Infrastructure (U-NII) band
In 2004, the FCC allocated the
5.32 – 5.745 GHz band, providing
12 additional channels
12 non-overlapping channels in
the 5 GHz band
Devices must support IEEE 802.11h Dynamic Frequency
Selection (DFS) and Transmit Power Control (TPC)
Radar usage
Terminal Doppler Weather Radar (TDWR) operates between 5.6 –
5.65 GHz
FCC recommends not using those
channels when within 35km of a
TDWR
Band               Channel   Frequency
U-NII lower band      36     5.180 GHz
                      40     5.200 GHz
                      44     5.220 GHz
                      48     5.240 GHz
U-NII middle band     52     5.260 GHz
                      56     5.280 GHz
                      60     5.300 GHz
                      64     5.320 GHz
U-NII upper band     149     5.745 GHz
                     153     5.765 GHz
                     157     5.785 GHz
                     161     5.805 GHz
Spectrum Analyzers
Kismet (not a SA, but can identify APs)
WIDS/WIPS/modern APs
Metageek – Wi-Spy / Chanalyzer
Berkeley Varitronics Systems – Bumblebee
Cisco – Spectrum Expert
AirMagnet – Spectrum XT
Anritsu/Tektronix/HP/Bird Technologies
Anritsu Spectrum Analyzer
[Figure: Anritsu MS2711B spectrum analyzer screenshot, "Salt Dome South Direction", 03/22/2004 15:34:39. CF 2475.0 MHz, span 250.0 MHz (2350.0 - 2600.0 MHz), RBW 1 MHz, VBW 300 kHz, ref level -29.0 dBm, 10.0 dB/div, attenuation 0 dB, detection Pos. Peak. Markers: M1 -66.85 dBm @ 2464.662 MHz, M2 -74.43 dBm @ 2482.832 MHz]
802.11 MAC Layer
Frame Comparison
802.3 Frame: Preamble (8 Bytes) | Dest. Addr (6 Bytes) | Source Addr (6 Bytes) | Type Field (2 Bytes) | Payload (46-1500 Bytes) | CRC (2-4 Bytes, as labelled on the slide)
[Figure: 802.11 frame layout]
802.11 Frame Control Fields
Version – specifies the protocol number.
Type – specifies the frame type (Mgmt, Control or Data)
Subtype – e.g. association, CTS
802.11 Frame Control Fields continued
To DS/From DS
To DS set -> to the wired network
From DS set -> from the wired network
Both bits set -> wireless bridge (WDS network)
Both bits cleared -> ad-hoc network
802.11 Frame Control Fields continued
MF – More fragments
Retry
Pwr – Power mgmt
More – More data
W – WEP
802.11 Power Management
CAM (Continuous awareness mode): Radio never shuts down.
Provides best network performance, uses the most battery power
PSP 1: Excellent network performance, uses less battery power
PSP 2: Great network performance, uses less battery power
PSP 3: Good network performance, uses less battery power
PSP 4: Adequate network performance, uses less battery
power
PSP 5: Acceptable network performance, uses the least battery
power
802.11 Frame To DS/From DS bits
To DS/From DS
To DS set -> to the wired network
From DS set -> from the wired network
Both bits set -> wireless bridge (WDS network)
Both bits cleared -> ad-hoc network
Address order - infrastructure
Mode            To DS  From DS  Address 1          Address 2          Address 3  Address 4
Adhoc             0      0      Rx Addr/Dest Addr  Tx Addr/Src Addr   BSSID      N/A
Infrastructure    0      1      Rx Addr/Dest Addr  Tx Addr/BSSID      Src Addr   N/A
Infrastructure    1      0      BSSID              Tx Addr/Src Addr   Dest Addr  N/A
WDS               1      1      Rx Addr            Tx Addr            Dest Addr  Src Addr
802.11 MAC Frames
Management: Used for connecting and disconnecting from the WLAN. Includes beacons, probes, authentication and association request/responses.
Control: Used to acknowledge receipt of data (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK).
Data: The only frames that include an encrypted payload in a WLAN. Encapsulates user data over the WLAN (e.g. IP and ARP traffic).
Client Association
Exchange between Client and Access Point:
1. Probe Request (Client -> AP)
2. Probe Response (AP -> Client)
3. Authentication Request (Client -> AP)
4. Authentication Challenge (AP -> Client)
5. Authentication Response (Client -> AP)
6. Authentication Success? (AP -> Client)
7. Association Request (Client -> AP)
8. Association Response (AP -> Client)
802.11 Security
Encryption and Authentication
Options
WPA-PSK and WPA2-PSK
Uses a hierarchy of keys (see the in-depth security slides at the end of
this presentation for more information)
WPA-PSK and WPA2-PSK both use the 4-way handshake to generate
the Pairwise Transient Key.
Pairwise Master Keys are the same for all systems on the same WPA-PSK or WPA2-PSK network
If you capture the 4-way handshake (EAPOL protocol) and know the PSK
and SSID, Wireshark can decrypt WPA and WPA2 PSK packets
WPA and WPA2 Enterprise
Uses 802.1x with EAP (Extensible Authentication Protocol) to
authenticate client (supplicant) and access point (authenticator) instead
of PSK
Uses per user, per session keys; therefore Wireshark and sniffers in
general, cannot decrypt packets
See security slides at the end of the presentation for more information
Sample WPA 4-way Handshake
Supplicant (Client) <-> Authenticator (Access Point), carried in EAPOL (EAP over LAN):
1. Authenticator -> Supplicant: sends ANonce to start PTK derivation
2. Supplicant -> Authenticator: sends SNonce and MIC for frame 2; confirms the client has the right PTK, PMK and PSK (authenticates the client)
3. Authenticator -> Supplicant: sends MIC for frame 3; authenticates the access point
4. Supplicant -> Authenticator: sends MIC for frame 4
Ready to TX/RX data
Capture basics
Wireshark capture flow
Network Interface (Ethernet or Wireless)
  -> WinPcap, AirPcap or libpcap (capture filters applied here)
  -> Wireshark capture engine
  -> Wiretap Library
  -> Core Engine
  -> Dissectors-Plugins-Display Filters
  -> Graphical Toolkit (GTK)
Libpcap – link layer interface for capturing on Linux or Unix (tcpdump)
WinPcap – Windows port of libpcap
AirPcap – link layer interface and network adaptor to capture 802.11 traffic on Windows
Capturing wireless traffic
Determine location for sniffer(s)
Select the appropriate interface and data
capturing options
Performance issues
Disable “update list of packets in real time”
Disable network name resolution
Reduce the number of columns
Disclaimer
Only capture traffic on networks that you have
permission to do so.
Where do I place the sniffer?
[Figure: example network with an AP, Server A and Server B]
Sniffing wired traffic
Hub
Switched networks: Hub, Port Mirroring/Port Spanning, Taps
Sniffing Wireless traffic
Promiscuous mode: the 802.11 adaptor only captures packets of the SSID the adaptor has joined.
Monitor mode: the driver does not make the adaptor a member of any SSID on the network. All packets of all SSIDs from the currently selected channel are captured.
Windows – must use AirPcap from CACE Technologies
Linux – most Linux drivers support monitor mode
Wireshark Startup
Capture
area
Files area
Online
Help
Wireshark Layout
Filter toolbar
Wireless Toolbar
Packet List
Packet Details
Packet Bytes
Status bar
Capture Interfaces
Capture Filters
Limit the packets saved while capturing traffic
Helpful when capturing traffic on a busy network
or focusing on a specific problem
Problems:
You cannot get the discarded packets back
No error checking on syntax like display filters
Filter options: Type, Direction, and Protocol
tcp – filters on TCP traffic
ether src 00:A0:F8:12:34:56 – traffic from that Ethernet address
host www.cnn.com – capture traffic to/from cnn.com
Setting up profiles
Wireshark allows you to configure profiles
for different uses, e.g. analyzing WLAN traces.
Edit->configuration profiles->new->enter
profile name (e.g. WLAN)
Any capture or displayed filters, column
changes will be saved under this profile when
it is in use
Statistical Analysis Summary
Provides summary of
sniffer trace:
Date, length
Capture format
Packet and byte
counts
Time elapsed
Capture filters used
Protocol Hierarchy Statistics
Displays a list of the types of traffic and their
percentages.
Used to identify anomalies and suspect
traffic.
Example: wpa-induction.pcap
Statistics->Protocol Hierarchy
Identifying top talkers
Conversations statistics will list pairs of
devices that are communicating with each
other
Open trace wlan-ap-problem.pcap
Statistics->conversations
Select WLAN tab
End points is similar, but only shows a
single end point or node.
Basic Display Filters
display.field.name operator value
Operators:
eq, ==      Equal
ne, !=      Not Equal
gt, >       Greater than
lt, <       Less than
ge, >=      Greater than or Equal to
le, <=      Less than or Equal to
contains    Contains specified data
and, &&     Logical AND
or, ||      Logical OR
not, !      Negate
Coloring Rules for traffic
Color rules are used to help make reading the traces easier and
identify problems.
Example
Open the airdrop-ng2 trace and add the coloring rules:
View->coloring rules->new->name and filter expression->choose
colors:
Deauthentication frames: wlan.fc.type_subtype eq 12
Packet retries: wlan.fc.retry eq 1
Affects load time for traces
IO Graphs
Allows Wireshark to
graphically depict traffic flow
trends.
Used to identify network
performance issues
TCP round trip time (data –
ACK)
Open the wlan-signalissue
trace
Statistics ->IO graph
Add filter for signal strength
ppi.80211common.dbm.antsignal
Decrypting Frames
Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK
If using driver, then only WEP can be decrypted
Trace must include the 4-way handshake frames to derive PTK to decrypt
Open trace wpa-induction
Verify 4-way handshake was captured in the trace
Apply protocol filter “EAPOL” and select Apply
Decrypting Frames continued
Clear the EAPOL filter
Edit->preferences->protocols->IEEE 802.11
Enter PSK and SSID in the format wpa-pwd:PSK:SSID, e.g.
wpa-pwd:Induction:Coherer
Check “enable decryption”
May have to toggle the “ignore vendor specific
HT elements” and “assume packets have FCS” options
Select “Apply” and “OK”
Open the Protocol Hierarchy Statistics, and
note the additional protocols that are listed.
DWEP client unable to connect to the AP
Open the tulcsp1 trace file
Examine the beacon frame #2
What channel is the AP on?
What is the data rate for the beacon?
What type of security is in use?
Set filter to not show beacons
!wlan.fc.type_subtype eq 8
Examine the association/authentication process, why
does the client not associate?
Hint: Look at frames 12 and 15
Example:
Slow Response problem w/wireless terminals
[Figure: AP, Server A and Server B; a package scanner (BT) sends scan data to an RF terminal (802.11b) that sits in PSP mode and retrieves buffered frames with PS-Poll after each beacon]
PS-Poll and round trip response
[Figure: timeline in ms (-100 to 1000) showing beacons from the access point, PS-Poll from the terminal in PSP mode, and Server A/Server B replies arriving at about 800, 900 and 1000 ms; steps numbered 1-8]
WLAN Stats
DoS attack with airdrop-ng
Airdrop-ng is configured to deauth ANY
clients associated to AP 00:1F:33:E6:5E:09
Open Airdrop-ng2 trace
Show statistics for WLAN
Statistics->WLAN
View deauth stats
Follow TCP Stream example
Open the trace named ftp.pcap
Examine packet 10, what is the password?
Select a TCP or FTP packet and right click.
Select the Follow TCP Stream option
Recommended reading
www.wireshark.org
Wiki.wireshark.org
Laura Chappell’s Wireshark Network
Analysis
www.chappellu.com
Joshua Wright www.willhackforsushi.com
Ed Skoudis’ www.ethicalhacker.net “skillz”
Thanks!
Wi-Fi Protected Access Overview
Wi-Fi Protected Access
Constraints
Designed as an interim solution to run on existing hardware until
a more robust security standard could be developed
Temporal Key Integrity Protocol (TKIP) for confidentiality and
integrity of wireless traffic
Must be adopted by software upgrade
limited processing capacity with existing APs
Based on RC4 encryption, like WEP
TKIP Security Mechanisms
Improves security over WEP within design constraints
Message Integrity Check (MIC) - defeats forgery attempts
IV sequencing - defeats replay attacks
Re-keying - defeats reuse attacks
Key mixing - protects key
Message Integrity Check (MIC)
Michael Protocol
Calculates crypto hash of packet contents
two 32-bit words (64bits)
Sender includes hash in encrypted message
Receiver verifies hash
Michael continued
Michael can only provide 29 bits of security due to design constraints (CPU limitations of access points)
An attacker can try to guess the MIC: 2^29 packets to guess the MIC
On an 802.11b network it would take approximately 2 minutes
to guess the MIC
802.11i Counter Measures
If AP receives more than 2 packets with an invalid MIC within 60
seconds:
AP must deauthenticate all users
AP shutdowns for 60 seconds
IV Sequential Enforcement
Used to defeat replay attacks
TKIP requires sequential IV
AP and clients track IV sequence
transmitted in clear in the field formerly known as WEP IV
16 bit sequence counter (65535 numbers)
TKIP Sequence Counter (TSC) never repeats (keys are rotated and
seq # resets to 0)
Too small IVs are discarded
Too large IVs are subjected to other validation tests (MIC, ICV)
Causes problems for QoS
E.g. voice
Example: replay attack
[Figure: WEP, no replay protection – over time a sniffer captures a valid packet sent to the AP and re-sends it; every replayed packet is accepted as valid by the AP]
[Figure: WPA TKIP Seq Counter – packets with TSC 39 then TSC 41 arrive at the AP: TSC 39 is OK, TSC 41 > TSC 39 is OK; a sniffer replays TSC 41 twice: TSC 41 > TSC 41? Failed, TSC 41 > TSC 41? Failed]
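The receiver-side logic behind the two figures above, written out as an added example (not code from the slides or from any WPA implementation): the TSC replay test from the IV Sequential Enforcement slide and the MIC-failure countermeasure from the 802.11i Counter Measures slide, with the "more than 2 invalid MICs within 60 seconds" threshold taken from the slide. Timestamps and TSC values in the two scenario functions are constructed.

```python
"""Added example (not from the slides): receiver-side TKIP checks, the TSC
replay test and the 802.11i MIC-failure countermeasure."""


class TkipReceiver:
    """Tracks the TKIP Sequence Counter (TSC) for one sender/key and MIC failures."""

    def __init__(self, mic_failure_limit=2, window_seconds=60.0, shutdown_seconds=60.0):
        self.last_tsc = -1                            # highest TSC accepted so far
        self.mic_failure_limit = mic_failure_limit    # slide: "more than 2 ... within 60 seconds"
        self.window_seconds = window_seconds
        self.shutdown_seconds = shutdown_seconds
        self.mic_failures = []                        # timestamps of recent invalid-MIC packets
        self.countermeasures_until = None             # time at which the 60 s shutdown ends
        self.deauth_count = 0                         # how often all users were deauthenticated

    def receive(self, tsc, mic_ok, now):
        """Return the fate of a packet carrying TSC `tsc` that arrived at time `now`."""
        if self.countermeasures_until is not None and now < self.countermeasures_until:
            return "dropped: countermeasures active"
        if tsc <= self.last_tsc:                      # too-small IV: discard (replay)
            return "discard: replay (TSC %d <= %d)" % (tsc, self.last_tsc)
        # A larger TSC is still subject to the other validation tests (MIC, ICV)
        if not mic_ok:
            self._record_mic_failure(now)
            return "discard: invalid MIC"
        self.last_tsc = tsc
        return "ok"

    def _record_mic_failure(self, now):
        self.mic_failures = [t for t in self.mic_failures if now - t < self.window_seconds]
        self.mic_failures.append(now)
        if len(self.mic_failures) > self.mic_failure_limit:
            self.deauth_count += 1                    # AP must deauthenticate all users
            self.countermeasures_until = now + self.shutdown_seconds
            self.mic_failures.clear()

    def rekey(self):
        """Keys rotated: the sequence counter resets to 0, so the TSC never repeats."""
        self.last_tsc = -1


def replay_scenario():
    """The slide's TKIP figure: TSC 39, TSC 41, then a sniffer replays TSC 41 twice."""
    rx = TkipReceiver()
    return [rx.receive(tsc, True, now) for now, tsc in enumerate([39, 41, 41, 41])]


def mic_failure_scenario():
    """Three bad-MIC packets within 60 s trigger the countermeasure; traffic is dropped for 60 s."""
    rx = TkipReceiver()
    results = [rx.receive(tsc, False, now) for tsc, now in [(1, 0), (2, 10), (3, 20)]]
    results.append(rx.receive(4, True, 30))   # inside the shutdown window
    results.append(rx.receive(4, True, 90))   # after it ends
    return rx.deauth_count, results


if __name__ == "__main__":
    print(replay_scenario())
    print(mic_failure_scenario())
```

The same structure is what makes the countermeasure a denial-of-service lever: a station that can provoke invalid MICs on purpose can keep the AP in its shutdown window, which is why TKIP's MIC-failure events are worth alarming on in a WIDS. Note that the 802.11i text itself invokes countermeasures on the second MIC failure within 60 seconds; the threshold here follows the slide's wording.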
Re-keying protection
Key Hierarchy
TKIP uses 3 levels of keys and regular key
rotation
Master keys - highest level: derived from 802.1x or pre-shared key for WPA-PSK; protects intermediate keys
Key Encryption Keys - intermediate: protects temporal keys
Temporal keys - lowest level: used to encrypt data; rotated with a packet count frequency
TKIP Keys
PSK - Pre-shared key: passphrase (8 to 63 characters)
PMK - Pairwise Master Key: derived from PSK or EAP method
PTK - Pairwise Transient Key: Temporal key, Two MIC Keys (RX and TX), EAPOL Key Encryption Key, EAPOL Key Confirmation Key
WPA-PSK PMK derivation
Pairwise Master Key
Derived using passphrase, SSID and SSID length
The same for all systems on the same WPA-PSK network
PMK for WPA-PSK is 256 bits
Is used to generate the Pairwise Transient Key (PTK) or
intermediate key
PMK = PBKDF2 (passphrase, ssid, ssidlen, 4096, 256)
Hashed 4096 times using HMAC-SHA1
Pseudo-random number that cannot be reversed
Used to defeat dictionary attacks
WPA PTK derivation
Combines MAC of STA and AP with STA nonce and AP nonce
nonce: 128-bit unique value that is not duplicated for the lifetime of the transaction. Not a secret, sent in plain-text
PTK is never sent over the network; both the supplicant and the authenticator calculate PTK with knowledge of input data
PTK keys are unique for each pair of stations on the network
Generates a 512-bit output PRF hash using SHA1
PTK = PRF-512(PMK, “Pairwise Key Expansion”, AA, SPA,
PTK Mapping
PTK is 512 bits or 64 bytes in length
HMAC MIC Key (EAPOL Key Confirmation Key) - 1st 16 bytes: validates the contents of the EAPOL-Key frames
EAPOL-KEY KEK - 2nd 16 bytes: protects the confidentiality of new key updated in future EAPOL-Key messages
Temporal Encryption key - next 16 bytes: protects the data
TX MIC Key: used by transmitting station to calculate hash of the data packet using Michael
RX MIC Key: used by the receiving station to verify the stored hash that is transmitted in the data packets.
WPA 4-way Handshake
Supplicant (Client) <-> Authenticator (Access Point), carried in EAPOL (EAP over LAN):
1. Authenticator -> Supplicant: sends ANonce to start PTK derivation
2. Supplicant -> Authenticator: sends SNonce and MIC for frame 2; confirms the client has the right PTK, PMK and PSK (authenticates the client)
3. Authenticator -> Supplicant: sends MIC for frame 3; authenticates the access point
4. Supplicant -> Authenticator: sends MIC for frame 4
Ready to TX/RX data
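The WPA-PSK PMK derivation, PTK derivation, PTK mapping and 4-way handshake slides above describe one chain of computations; the following is an added example (not code from the slides or from Wireshark) that carries it through in plain Python with only hashlib and hmac. It derives the PMK with PBKDF2-HMAC-SHA1, expands it with PRF-512 (the label string used here is the standard's "Pairwise key expansion"; the slide writes it as "Pairwise Key Expansion"), splits the PTK into KCK/KEK/TK/MIC keys, and shows why "confirms the client has the right PTK, PMK and PSK" holds: the authenticator recomputes the MIC over frame 2 with its own KCK. The PSK "Induction" and SSID "Coherer" are the values the deck uses for the wpa-induction trace; the client MAC, the nonces and the EAPOL frame contents are constructed for the demo, and the "password"/"IEEE" pair is the IEEE 802.11i Annex test vector.

```python
"""Added example (not from the slides): WPA/WPA2-PSK key hierarchy in plain
Python: PMK, PTK via PRF-512, PTK split, and the EAPOL-Key MIC of frame 2."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(passphrase, ssid, ssidlen, 4096, 256): 4096 rounds of HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)). Nonces travel in clear; the PTK never does."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512)


def split_ptk(ptk: bytes) -> dict:
    """64-byte PTK: KCK (EAPOL MIC key) | KEK | temporal key | TKIP TX MIC | TKIP RX MIC."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "TX_MIC": ptk[48:56], "RX_MIC": ptk[56:64]}


# EAPOL-Key frame layout: EAPOL hdr 4 | desc type 1 | key info 2 | key len 2 |
# replay ctr 8 | nonce 32 | IV 16 | RSC 8 | ID 8 | MIC 16 | key data len 2 | key data
MIC_OFFSET = 81


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + b"\x00" * 16 + b"\x00" * 8
            + b"\x00" * 8 + mic + (0).to_bytes(2, "big"))
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key


def eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int = 2) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed: HMAC-MD5 (descriptor
    version 1, TKIP) or HMAC-SHA1 truncated to 128 bits (version 2, CCMP)."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def handshake_check(passphrase_ap: str, passphrase_sta: str, ssid: str) -> bool:
    """Simulate frames 1-2 of the handshake; return whether the AP accepts frame 2."""
    aa = bytes.fromhex("001f33e65e09")                  # AP MAC quoted on the slides
    spa = bytes.fromhex("00c0ca123456")                 # constructed client MAC
    anonce = hashlib.sha256(b"anonce-demo").digest()    # constructed, fixed for repeatability
    snonce = hashlib.sha256(b"snonce-demo").digest()
    key_info = 0x010A   # descriptor version 2, pairwise, Key MIC bit set
    # Supplicant: derives its PTK and sends SNonce plus MIC (frame 2)
    sta_ptk = split_ptk(derive_ptk(derive_pmk(passphrase_sta, ssid), aa, spa, anonce, snonce))
    frame2 = build_eapol_key(key_info, 1, snonce)
    frame2 = build_eapol_key(key_info, 1, snonce, eapol_key_mic(sta_ptk["KCK"], frame2))
    # Authenticator: recomputes the PTK from its own PMK and verifies the MIC
    ap_ptk = split_ptk(derive_ptk(derive_pmk(passphrase_ap, ssid), aa, spa, anonce, snonce))
    expected = eapol_key_mic(ap_ptk["KCK"], frame2)
    return hmac.compare_digest(expected, frame2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # IEEE 802.11i Annex test vector
    print("correct PSK accepted:", handshake_check("Induction", "Induction", "Coherer"))
    print("wrong PSK accepted:  ", handshake_check("Induction", "wrong-psk", "Coherer"))
```

Everything the authenticator needs to check frame 2 (both MACs, both nonces, the frame itself) is visible on the air; only the PMK is not. That is exactly why Wireshark can decrypt a PSK network once it has the handshake plus the passphrase, and also why the PMK derivation is the only barrier against offline guessing of a weak passphrase.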
Problems with WPA-PSK
Passphrase is susceptible to off-line dictionary attacks
Examples:
coWPAtty
aircrack-ng
Recommendations for implementing WPA-PSK
Use non-common ESSIDs
Use random characters (63 characters in length for passphrase)
Avoid dictionary words or variations of dictionary words (e.g.
pa55word or PaSsWoRd)
WPA2
Supports both TKIP and CCMP (Counter Mode with
Cipher Block Chaining Message Authentication Code
Protocol)
CCMP
Uses same PMK and PTK key hierarchy as TKIP
Uses the same 4-way handshake PTK derivation as TKIP
Based on AES (Advanced Encryption Standard) cipher, not RC4
AES provides for strong encryption
Can not be used with legacy hardware
WPA2 advantages over WPA
WPA2 supports all features of WPA
Uses AES-CCMP for encryption
Provides for faster roaming between access points
Reduces overhead in 4-way handshake
802.1x pre-authentication
Opportunistic key caching support
WLAN Authentication methods
802.1x
IEEE standard for authentication framework for 802
LANs
Originally designed for wired networks
Advantages
1. Mutual authentication
   • Authentication of both the client and the authenticator/authentication server
   • Protects client from rogue access points
   • Protects network from unauthorized access
2. Port based access control
   • Restricts the access of a device to only authentication traffic (802.1x/EAP/RADIUS protocols) via a controlled port
   • Once authenticated, the controlled port is switched to an authorized state allowing the device to communicate on the network
802.1x
Port Access Control
[Figure: the Supplicant connects to the Authenticator (access point); the Authenticator's Uncontrolled Port carries authentication traffic to the Authentication Server, while its Controlled Port gates the Supplicant's access to the LAN]
EAP
Extensible Authentication Protocol (EAP)
Authentication framework used in wireless networks and Point-to-Point connections
Provides some common functions and a negotiation of the desired
authentication algorithm.
Factors to consider when choosing an EAP authentication algorithm:
Mutual authentication – both client and server authenticate each other
Certificate requirements – options include: none, server only, both client and server
Dynamic Key Generation – static key versus rotating key
Cost & Management support
Industry Support
Common EAP algorithms
EAP-MD5
1st authentication type created
Not used in WLANs
Does not support dynamic keying
MD5 hash is susceptible to dictionary attacks.
LEAP (Lightweight Extensible Authentication Protocol)
CISCO proprietary EAP method
Provides per user, per session encryption keys
Only supports password authentication. Vulnerable to attacks from ASLEAP.
EAP-TLS (EAP-Transport Layer Security)
Developed by Microsoft
Requires both client and server certificates
Supports mutual authentication
802.1x with PEAP example
Supplicant (Client), Authenticator (Access Point) and Authentication Server; EAP = PEAP, carried as EAPOL (EAP over LAN) between supplicant and authenticator:
1. Supplicant -> Authenticator: EAP Start
2. Authenticator -> Supplicant: Request Identity
3. Supplicant -> Authenticator: Identity (network access identifier: user name or computer name)
4. Authenticator -> Authentication Server: Identity (AP forwards the NAI to the RADIUS server, encapsulated in a RADIUS request message)
5. Authentication Server -> Supplicant: Authentication Server Certificate (the RADIUS server responds with its digital certificate; the client confirms the certificate using a preloaded root certificate)
6. Encrypted Tunnel Established
7. Authentication Server -> Authenticator: sends the Session Key to the Authenticator
8. Authenticator -> Supplicant: sends the Broadcast Key encrypted with the Session Key and the Key length information
9. Encrypted Data Flow
EAP Type Comparisons
EAP type   Mutual Authentication   Certificates Required   Dynamic Key Generation   Industry Support   Costs and Management Overhead
LEAP       Yes                     No                      Yes                      Low                Low
EAP-MD5    No                      No                      No                       (not listed)       Low
EAP-TLS    Yes                     Client/Server           Yes                      High               High
EAP-TTLS   Yes                     Server Only             Yes                      Medium             Low/Medium
PEAP       Yes                     Server Only             Yes                      High               Low/Medium
Security Standards Comparison
Standards                      Authentication Method          Encryption Standard   Cipher
802.11 Legacy (802.11a,b,g)    Open system or Shared Key      WEP                   RC4
WPA Personal                   WPA Passphrase (PSK)           TKIP                  RC4
WPA Enterprise                 802.1x (EAP, PEAP, EAP-TLS)    TKIP                  RC4
WPA2 Personal                  WPA Passphrase (PSK)           CCMP, TKIP            AES, RC4
WPA2 Enterprise                802.1x (EAP, PEAP, EAP-TLS)    CCMP, TKIP            AES, RC4