Packets and Protocols - St. Clair County Community College

Packets and Protocols
Chapter Six
Wireless sniffing with Wireshark

• Wireless sniffing has some challenges
– Sniffing on a hub is easy
  · Promiscuous mode
– Sniffing on a switch is a bit more difficult
  · Promiscuous mode
  · Span port

For wireless sniffing you must
– Know the WEP key
  · You can sniff data, but it is useless without the key
– Know the correct channel
  · You can only capture one channel per NIC
– Be in promiscuous mode
  · Same as with other capture scenarios
– Plus… your target may move!
  · It may be better to sniff on the wired side of the network so you can “see” across multiple WAPs

• How do you tell which channel to sniff?
NetStumbler is one tool that you can use

• Channel scanning or hopping is a method to look for interesting traffic.
– “Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.”

Range issues
[Figure: RANGE OF SIGNAL]
What will happen to the data captured by the RED PC?

Note that the closer PC has a higher data rate
[Figure: Data rate = 54mb vs. Data rate = 11mb]
What will happen to the data captured by the RED PC?

Channel issues
[Figure: Channel 6 vs. Channel 11]
What will happen to the data captured by the RED PC?

Different modulations can affect your sniffing attempts
[Figure: 802.11a vs. 802.11b]
What will happen to the data captured by the RED PC?

What happens here?
[Figure: 802.11a vs. 802.11b]
Note that when only one antenna is available it will step down to the lowest capable user

• Interference and collisions
– While convenient, wireless Ethernet is a lousy protocol.
– CSMA/CD causes wireless to work like a hub
“When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise.”

• Wireless capture recommendations
– Locate the Capture Station Near the Source
  · Location, location, location
– Disable Other Nearby Transmitters
  · Minimize interference
– Reduce CPU Utilization While Capturing
  · Let your PC concentrate on doing one thing at a time
– Match Channel Selection
  · Many channels are available
– Match Modulation Type
  · 802.11a? b? g?

• Understanding Wireless Card Modes
– Managed mode
  · AP required for two devices to communicate
– Ad-hoc mode
  · Point to point – devices share AP responsibilities
– Master mode
  · Imitates an AP
– Monitor mode
  · aka sniffer mode

• Linux issues:
– Must be in monitor mode
– Know your chipset and use the correct driver(s)
– Use kernel 2.6 whenever possible

• Capturing traffic in Linux
– Not covered here; see manual (no time!)

• AirPcap
– 3rd party driver that enables wireless captures
  · Obtain the most recent copy and keep it up to date

• While Wireshark, WinPcap, etc. will capture traffic, it is not truly meant to, … In other words, to do it right you need the right hardware; that is, hardware meant for this specific purpose.
Bottom line… $200.00 and a visit to www.cacetech.com will solve your troubles!

Capturing wireless traffic in Windows
– Same-o same-o… just make sure your wireless card is selected.

• Analyzing Wireless Traffic
In short, when sniffing wireless vs. wired the fields are identical

Dual sniffer scenarios (cont)
[Figure: 1,000 miles]
How do you know which traffic flows belong together when comparing multiple captures?

• Dual sniffer scenarios

• 802.11 Frame header format
– More complex than Ethernet
  · Twice the length
  · Three or four addresses (compared to two for Ethernet)
  · Many more fields in the header
  · Allows for the appending of other protocols (QoS, encryption etc.)

In other words there is a plethora of collection options

• As opposed to Ethernet, using capture filters is advised on wireless networks because of the sheer volume of traffic generated by wireless connections.
– 60 frames just to connect!

• Wireless terminology
– An AP is known as a Basic Service Set (BSS)
A client has a BSSID which is usually the wireless MAC address

The MAC/BSSID can be gathered with the ipconfig /all command

Once you have the BSSID you can easily filter on that device

Since the MAC and BSSID are usually the same:
– The following two commands may be the same
  · wlan.sa eq 00:09:5b:e8:c4:03
  · wlan.bssid eq 00:09:5b:e8:c4:03

OR
– The following commands could capture the same traffic
  · wlan.sa eq 00:09:5b:e8:c4:03
  · wlan.bssid eq 00:11:92:6e:cf:00
The moral of the story? Make sure that what you are capturing is what you wanted to capture!

• Wireless sniffer tactics
– If you know the MAC/BSSID, sort on it
– If you don’t, sort on the AP
– If you don’t know the AP or if the user roams, sniff on the wired side

• Filtering on SSID
– wlan_mgt.tag.interpretation eq "NOWIRE"

Even better, use wlan_mgt.tag.interpretation ne "NOWIRE" to look for snoopers

• NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap

That said, without capturing such info how will you know the health of your wireless network???

• Data traffic only captures
– It is a good practice to encrypt your wireless network and then sniff for unencrypted (rogue) APs

• Hidden SSIDs
– SSIDs can be set to non-broadcast; while a sniffer cannot tell you the SSIDs, it can detect their presence

• Extensible Authentication Protocol
– EAP is used to authenticate users to a wireless network via one of several means
  · Protected Extensible Authentication Protocol (PEAP)
  · Extensible Authentication Protocol with Transport Layer Security (EAP/TLS)
  · Tunneled Transport Layer Security (TTLS)
  · Lightweight Extensible Authentication Protocol (LEAP)

The EAP authentication type can be found by filtering for
– eap.type
EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP.
  · These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network.

In other words, ID names and PWs can be easily sniffed

Troubleshooting EAP issues can be difficult without a sniffer
– Code 1 - EAP Request
  A value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response to challenge text.
– Code 2 - EAP Response
  A value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame.
– Code 3 - EAP Success
  A value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages.
– Code 4 - EAP Failure
  A value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.

EAP failure code

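The EAP layout the slides walk through (Code, Identifier, Length, then a Type byte on Requests and Responses only), as an added example that is not from the slides or the book: a decoder producing Wireshark-style eap.* fields, plus an audit of a constructed PEAP exchange showing why the plaintext Identity response matters. The method numbers 1, 13, 17, 21 and 25 are the IANA EAP types for Identity, EAP-TLS, LEAP, EAP-TTLS and PEAP; the packets and the username are constructed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types for the methods named on the slides (plus Identity).
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(pkt):
    """Decode one EAP packet (Code, Identifier, Length, Type...) into eap.* fields."""
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 4 or length > len(pkt):
        raise ValueError("eap.len does not fit the packet")
    fields = {"eap.code": code, "eap.id": ident, "eap.len": length}
    if code in (1, 2) and length >= 5:      # Success/Failure carry no Type field
        fields["eap.type"] = pkt[4]
        if pkt[4] == 1:                     # Identity: NAI in the clear; drop a trailing NUL
            fields["eap.identity"] = pkt[5:length].split(b"\0", 1)[0].decode("utf-8", "replace")
    return fields

def build_eap(code, ident, eap_type=None, data=b""):
    """Constructed EAP packet for the sample exchange (not from a capture)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def audit_exchange(packets):
    """What a sniffer learns from an EAP exchange: identities sent in the clear,
    methods the authenticator proposed, and the final Success/Failure code."""
    report = {"identities": [], "methods": [], "outcome": None}
    for pkt in packets:
        f = parse_eap(pkt)
        if f["eap.code"] == 2 and f.get("eap.type") == 1:
            report["identities"].append(f["eap.identity"])
        elif f["eap.code"] == 1 and f.get("eap.type", 1) != 1:
            report["methods"].append(EAP_TYPES.get(f["eap.type"], f"type {f['eap.type']}"))
        elif f["eap.code"] in (3, 4):
            report["outcome"] = EAP_CODES[f["eap.code"]]
    return report

# Constructed PEAP attempt: the outer Identity response is readable before TLS starts.
SAMPLE = [
    build_eap(1, 1, 1),                        # Code 1 Request / Identity
    build_eap(2, 1, 1, b"jdoe@example.com"),   # Code 2 Response / Identity, username in plaintext
    build_eap(1, 2, 25, b"\x20"),              # Request / PEAP with the TLS Start flag
    build_eap(2, 2, 25, b"\x00"),              # Response / PEAP (TLS handshake would follow)
    build_eap(4, 3),                           # Code 4 Failure
]
```
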
• …70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients.
• In other words, SECURE YOUR NETWORKS!

• Identifying WEP security
– Most common encryption technique
  · Also probably the most insecure
– TKIP and CCMP are other options
– While you cannot decrypt encrypted traffic, you can sense it with your sniffer
  · Once you know this you can build a filter
– wlan.tkip.extiv
• TKIP Present!

Identifying IPSec/VPN
– isakmp or ah or esp


See figure 6-24 on pg 317
Note that an ICMP Destination Unreachable packet is also returned. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information.

• Adding COLOR to your sniffer output
– There is nothing like color to make things stand out
• Which is HTTP? ARP? IPX? Etc…


Colorize toggle switch
Customize colorization
• Editing color rules
• Creating a new coloring rule
• The “colorful” results

• Marking From DS and To DS
– Remember traffic is marked if coming from the WAP (Distribution System) or to the DS
  · In other words you can filter on this as well
  · wlan.fc.fromds eq 0 and wlan.fc.tods eq 1
– As the book recommends… this is an excellent use of color filters

• Other uses:
– Marking retries:
  · wlan.fc.retry eq 1
– Marking cross channel interference:
  · !(wlan.bssid eq 00:0f:66:e3:e4:03 or wlan.bssid eq 00:0f:66:e3:25:92) and !wlan.fc.type eq 1
(Assuming you know the MACs of the surrounding units)

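The 802.11 header slide (type, ToDS/FromDS, Retry, three or four addresses) and the wlan.sa / wlan.bssid, FromDS/ToDS, retry and cross-channel filters from the slides above, worked as one added example that is not part of the slides or the book: a small decoder that assigns the addresses their roles the way Wireshark derives wlan.sa, wlan.da and wlan.bssid, then evaluates those filters over constructed frames. The address-role table is the one from the 802.11 standard; the MACs 00:09:5b:e8:c4:03 and 00:11:92:6e:cf:00 come from the slides, and the wired-side host address is made up.

```python
import struct

# Address roles by (ToDS, FromDS), in header order Address1..Address4 (802.11 data frames;
# management frames use the (0, 0) row).
ADDR_ROLES = {(0, 0): ("da", "sa", "bssid"), (0, 1): ("da", "bssid", "sa"),
              (1, 0): ("bssid", "sa", "da"), (1, 1): ("ra", "ta", "da", "sa")}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211(frame):
    """Decode an 802.11 MAC header into the fields Wireshark shows as wlan.*"""
    fc0, fc1 = frame[0], frame[1]
    hdr = {"fc.type": (fc0 >> 2) & 3,          # 0 mgmt, 1 control, 2 data
           "fc.tods": fc1 & 1, "fc.fromds": (fc1 >> 1) & 1, "fc.retry": (fc1 >> 3) & 1}
    if hdr["fc.type"] == 1:                    # control frames carry only RA (maybe TA)
        hdr["ra"] = mac(frame[4:10])
        return hdr
    addrs = [mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])]
    if hdr["fc.tods"] and hdr["fc.fromds"]:
        addrs.append(mac(frame[24:30]))        # Address4 follows Sequence Control
    hdr.update(zip(ADDR_ROLES[(hdr["fc.tods"], hdr["fc.fromds"])], addrs))
    return hdr

def matches(hdr, conditions):
    """AND of 'wlan.<field> eq <value>' tests, like a Wireshark display filter."""
    return all(hdr.get(field) == value for field, value in conditions.items())

def foreign_bss(hdr, known_bssids):
    """The slide's cross-channel rule: a non-control frame whose BSSID is not ours."""
    return hdr["fc.type"] != 1 and hdr.get("bssid") not in known_bssids

def build_frame(fc0, fc1, a1, a2, a3):
    """Constructed header (not a real capture): FC, Duration, A1-A3, Sequence Control."""
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + b"\x00\x00"

STA = bytes.fromhex("00095be8c403")     # client MAC from the slides
AP = bytes.fromhex("0011926ecf00")      # AP BSSID from the slides
HOST = bytes.fromhex("020000000001")    # constructed wired-side host
FRAMES = {
    "sta_to_ap": build_frame(0x08, 0x01, AP, STA, HOST),    # data, ToDS=1
    "ap_to_sta": build_frame(0x08, 0x02, STA, AP, HOST),    # data, FromDS=1
    "sta_retry": build_frame(0x08, 0x09, AP, STA, HOST),    # ToDS=1 and Retry=1
    "ack": struct.pack("<BBH", 0xD4, 0x00, 0) + STA,        # control frame (ACK)
}

def select(conditions):
    """Names of the sample frames a display filter with these tests would keep."""
    return [n for n, f in FRAMES.items() if matches(parse_80211(f), conditions)]
```

Running `select` with the slide's two BSSID filters shows the moral of that slide: filtering on the client's MAC as wlan.bssid matches nothing, because in infrastructure frames the BSSID is the AP.
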
• Adding columns to the display
– There are dozens of items you can add to the Wireshark display
  · Edit -> Preferences -> Columns
– Note that a re-start is required!

Note that Delta time has been added

Encrypted networks can be impossible to decrypt, unless you have the key
– Wireshark automatically decrypts all WEP info if the key is known (not TKIP or CCMP)
“When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. This allows you to use display filters, coloring rules, and all other Wireshark features on the decrypted frame contents.”

• Up to 64 keys can be added

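What “decrypt WEP if the key is known” involves, as an added example that is neither Wireshark's nor the book's code: the frame body carries a cleartext IV and key-index byte, RC4 is keyed with IV || key, and the CRC-32 ICV at the end of the plaintext is what tells a decoder (trying each configured key, as Wireshark does) whether the key it used was right. The 40-bit key, IV and payload are constructed.

```python
import zlib

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_decrypt(body, keys):
    """body = IV(3) | KeyID(1) | ciphertext | encrypted ICV(4).  Tries each candidate key the
    way Wireshark tries its configured keys; returns the plaintext, or None if no ICV matches."""
    iv, cipher = body[:3], body[4:]
    for key in keys:
        plain = rc4(iv + key, cipher)
        data, icv = plain[:-4], plain[-4:]
        if zlib.crc32(data).to_bytes(4, "little") == icv:
            return data
    return None        # wrong key or corrupted frame: the frame stays undecoded

def wep_encrypt(data, key, iv, keyid=0):
    """Constructed encryptor so the example is self-contained (mirror image of wep_decrypt)."""
    icv = zlib.crc32(data).to_bytes(4, "little")
    return iv + bytes([keyid << 6]) + rc4(iv + key, data + icv)

KEY = bytes.fromhex("0102030405")                                # constructed 40-bit key
IV = bytes.fromhex("a1b2c3")                                     # constructed IV, sent in clear
PLAIN = bytes.fromhex("aaaa030000000806") + b"constructed-payload"  # LLC/SNAP + payload
FRAME_BODY = wep_encrypt(PLAIN, KEY, IV)
```
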
• For decrypting TKIP other tools exist
– airdecap-ng
  · airdecap-ng is an open source tool that you can use to decrypt TKIP packets

Practical examples for real world wireless captures
• Identifying a Station’s Channel
– Refer to capture file wireless-rwc-1.cap
– Do the exercise on pg 327

• Wireless Connection Failures
– Do the exercise on pg 329

• Wireless Network Probing
– Do the exercise on pg 337

• EAP Authentication Account Sharing
– Do the exercise on pg 341

• IEEE 802.11 DoS Attacks
– Do the exercise on pg 344

• IEEE 802.11 Spoofing Attacks
– Do the exercise on pg 348

• Malformed Traffic Analysis
– Do the exercise on pg 357