Wireless Packet Captures & Connection Analysis- A...

WLSAT Section 1

01 - Wireless Packet Captures & Connection Analysis Review.v7 © 2006 Institute for Network Professionals 1/12/11 1 www.inpnet.org • www.HOTLabs.org

Section 1 Wireless Packet Captures & Connection Analysis- A Review

Many of you will have already used many of these tools, or at least had some experience with them in previous CWNP or vendor Wireless training. To bring everyone ‘up to speed’ we’ve included this section as a review of the various tools and techniques in capturing packets transversing the 802.11 network. We’ll start with some simple packet capture, making filters, and lead onto baselining your wireless network with some ‘standard’ baseline captures. We’ll cover some of the software packages included in your kit: WildPackets Omnipeek Personal, AirDefense Mobile, and Wireshark to start with.

WLSAT Section 1


Lab 1.1: View an Open Authentication packet capture

OmniPeek Personal demonstrates the benefits of a powerful, well-designed network analysis tool and its analysis capabilities. Used to increase the visibility into wireless and wired network traffic on non-commercial networks, OmniPeek Personal allows users to experience how the OmniAnalysis Platform pinpoints and analyzes network problems. OmniPeek Personal provides an introduction to the superior high-level views of WildPackets Expert Analysis which make the identification of network problems simple and quick.

Product Information

Source Wildpackets

Free

www.wildpackets.com

Where, When, Why A protocol analyzer is a capture and analysis tool which gives a pen tester insight into the protocols, stations, access points, and wireless configuration of the network. The purpose of this lab is to review how to perform packet capture and analysis. These concepts are critical to performing wireless penetration testing. A wireless pen tester must know how to use packet capture and analysis tools in order to accurately identify security weaknesses. This lab will familiarize you with how to create capture traffic, use capture and display filters, and view application and MAC layer data.

Usage and Features • Capture traffic and use statistics for Troubleshooting purposes • Identify MAC and IP addresses for spoofing • Data confidentiality attack against unencrypted wireless networks

Where to Go for More Information • www.wildpackets.com

WLSAT Section 1


Lab Part 1 – Analyze 802.11 Trace Files

Step 1. Insert the Ubiquiti Card in the PCMCIA Slot on the side of your WLSAT Laptop. (you can use either the small 2.2dBi or the 5dBi antennas – note the arrow on the bottom pointing to the antenna jack to use)

Step 2. Go to Start à ‘Switch to OmniPeek Personal Driver’.

Step 3. Launch Omnipeek Personal. Start à Wireless Tools à WildPackets OmniPeek Personal.

Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use. Then click OK to continue.

WLSAT Section 1


Step 5. You should see some changing packets if the card is collecting properly with this Dashboard in the lower left corner.

Step 6. Using File à Open à Desktop à Student Files à Trace Files – Omnipeek Captures browse to the Student Files directory containing the Omnipeek trace files.

Step 7. Open the Open System – WEP.apc file.

Step 8. You might need to change the column width settings to have your screen match the screen shot above.

Step 9. Note the frames, who is talking to whom, which are broadcast, which are unicast.

Step 10. What is the MAC Address of the Access Point, the client?

_____________________________

Step 11. Now open another trace file… this time lets try one of the EAP conversations. How about EAP-LEAP-TKIP.apc.

WLSAT Section 1


Step 12. To make this a little easier to see, let’s get rid of all the Acknowledgement frames by building a ‘No ACKs’ Filter.

Step 13. Click on the View à Filters.

Step 14. Now we need to add a new filter by clicking on the Plus Sign.

Step 15. Check the Protocol Filter to then click the Protocols Button open the Protocol Options screen.

WLSAT Section 1


Step 16. Click OK to return – notice the change in the protocol field.

Step 17. Now we need to change from Simple to Advanced in the window. (Upper right of the Insert Filter interface)

Step 18. Give the Filter a Name – No ACKs and click on the Protocol Box then click the Not Button to make your screen match the graphic above. Then Click OK.

Step 19. You should now have a No ACKs filter choice.

Step 20. To apply this filter, click on the little funnel icon, (at the top of the packet windows) and drop down to the No ACKs filter choice.

WLSAT Section 1


Step 21. You should now see a ‘simpler’ view of this packet exchange.

Step 22. We have included a variety of packet exchanges for your perusal. Try opening all of them to see how different processes work at the packet level.

Step 23. Next we’ll see if you can answer some questions after analyzing another trace file. Enjoy!

Step 24. Using File à Open Openauth.apc. Examine the packet capture file.

Step 25. Which packet starts the authentication process?

_____________________________

Step 26. What is the MAC address of the station? The AP?

_____________________________

Step 27. What is the SSID of the network?

WLSAT Section 1


_____________________________

Step 28. Does the AP support B and G?

_____________________________

Step 29. What channel is the AP on?

_____________________________

Step 30. Was the Authentication successful?

_____________________________

Step 31. Is this the first time the client associated to the network? How can you tell?

_____________________________

Step 32. How many clients are connected to the AP?

_____________________________

Step 33. Is there anything to suspect about one of the clients that are connecting to the AP?

_____________________________

WLSAT Section 1


Lab1.2: View an EAP Authentication packet capture

Step 1. Open Omnipeek personal.

Step 2. Using File à Open eap.apc.

Step 3. When does the eap authentication take place?

Step 4. _____________________________

Step 5. How do you know it is an eap authentication?

Step 6. _____________________________

Step 7. What EAP type is the wireless network using?

Step 8. _____________________________

Step 9. Has the client successfully authenticated?

Step 10. _____________________________

WLSAT Section 1


Lab1.3: View a data transfer packet capture

Step 1. Open Omnipeek personal.

Step 2. Using File à Open data.apc.

Step 3. Examine the packet capture file.

Step 4. View the payload of the packets.

Step 5. What application layer protocol is in use?

Step 6. _____________________________

Step 7. What server is the data being transferred from?

Step 8. _____________________________

Step 9. What is the IP address of the server?

Step 10. _____________________________

Step 11. What web site is the client connecting to?

Step 12. _____________________________

WLSAT Section 1


Lab 1.4: Create an Omnipeek Filter

Step 1. Open Omnipeek Personal.

Step 2. Start a capture on channel 6.

Step 3. Set 802.11 options to Channel 6.

Step 4. Create a Filter to capture all traffic except beacons. View à Filters then Add. Set Protocol to 802.11 Beacon, then Advanced to set the ‘Not’.

Step 5. Apply the No Beacons filter (little funnel and choose No Beacons)

Step 6. Start the Capture. Wait a couple of minutes then Stop.

Step 7. View the capture. Do you see beacons?

Step 8. _____________________________

Step 9. Create a Filter to capture only data traffic.

Step 10. _____________________________

Step 11. Open a web page on the Nokia N800 and WLSAT laptop.

Step 12. Start a new captures. View the capture. Do you see data only traffic?

_____________________________

Step 13. Create a Filter to capture only voice traffic. Make a Gizmo Project or Googletalk call between your Nokia and WLSAT laptop.

Step 14. Start a new capture. View the capture. Do you see voice traffic?

_____________________________

WLSAT Section 1


Step 15. Create a Filter to capture only FTP traffic.

Step 16. Start the FTP server on the WLSAT laptop. Connect to the FTP server from the Nokia N800.

Step 17. Start a new capture View the capture. Do you see FTP traffic?

_____________________________

Step 18. Create a Filter to capture only traffic to a destination network.

Step 19. View the capture. Do you see only traffic to your network?

_____________________________

Step 20. Create a Filter to capture only traffic to a destination host. Try your WLSAT Laptop’s MAC Address.

Step 21. View the capture. Do you see only traffic to your host?

_____________________________

WLSAT Section 1


Lab 1.5: Create a Wireshark Filter

Step 1. Plug in the Airpcap USB device.

Step 2. Open Wireshark – Start à Wireless Tools à Wireshark.

Step 3. Click on Capture à Interfaces.

Step 4. Choose the AirPcap USB adapter and click on Options to set details for this capture.

Step 5. Review the options on this page… then click on Wireless Settings.

Step 6. Select Channel 1 as the channel we’ll be capturing from.

Step 7. Return to the Options page, then click Start button to start your capture.

WLSAT Section 1


Step 8. Note, right now all packets are being shown as they come to the wireless card.

Step 9. Review the notes below on how to make and use Filters in Wireshark.

Step 10. Create a Filter to capture all traffic except beacons.

Step 11. Create a Filter to capture only data traffic.

Step 12. Create a Filter to capture only Data… but NOT NULL Data (going to sleep) packets.

Step 13. Now try some new filters on your own.

NOTE: You can review more on Wireshark from the Laura Chappell Master Library DVD set.

Step 14. Create a Filter to capture only voice traffic.

_____________________________

Step 15. Create a Filter to capture only FTP traffic.

_____________________________

Step 16. Create a Filter to capture only traffic to a destination network.

_____________________________

Step 17. Create a Filter to capture only traffic to a destination host.

_____________________________

Step 18. How about a filter to capture Access Points with ‘cloaked’ or ‘hidden’ SSIDs? When an Access Point does NOT broadcast SSID, the SSID field contains no data in Beacons and Probe Response packets. But… clients MUST ask for the proper ‘hidden’ SSID in their requests to join the BSA.

NOTE: This filter is wlan.bssid==xx:xx:xx:xx:xx:xx and wlan.fc.type_subtype==0 where the BSSID of the Access Point you are looking for is in the xx’s.

By applying the above filter, we reveal any association requests for the specific BSSID. By clicking IEEE 802.11 Wireless LAN Management Frame à Tagged Parameters à SSID Parameter Set in the packet detail window we can see the SSID requested by the client station, thus revealing the ‘Hidden’ SSID.

WLSAT Section 1


Wireshark Filters for 802.11 Frames

802.11 Header Field

Either Source or Destination Address wlan.addr

Transmitter Address wlan.ta

Source Address wlan.sa

Receiver Address wlan.ra

Destination Address wlan.da

BSSID wlan.bssid

Duration Wlan.duration

Frame Control Subfields

Frame Type wlan.fc.type

Frame Subtype wlan.fc.subtype

ToDS Flag wlan.fc.tods

FromDS Flag wlan.fc.fromds

Retry Flag wlan.fc.retry

Protected Frame (WEP) Flag wlan.fc.wep

Fields can be combined using operators. Wireshark supports a standard set of comparison operators:

== for equality != for inequality

> for greater than >= for greater than or equal to

< for less than <= for less than or equal to

&& Contains || Matches

! Not

An example of a display filter would be wlan.fc.type==1 to match control frames.

To remove all Beacon frames from your trace, you’ll need to write a display filter that matches Beacon frames, and then negate it. Like the example below:

• Filter on type code for management frames with wlan.fc.type==0 • Filter on subtype code for Beacon with wlan.fc.subtype==8

Combine the two, and negate the operation by using the exclamation point for NOT with an expression result of:

! (wlan.fc.type==0 and wlan.fc.subtype==8)

WLSAT Section 1


When assessing a wireless capture with Wireshark, it is common to apply display filters to look for or exclude certain frames based on the IEEE 802.11 frame type and frame subtype files. If you are trying to exclude frames from a capture, it is easy to identify the Type and Subtype filed by navigating the Packet Details windows and use those values for your filter.

Or, you can just use this handy-dandy table we’ve provided below.

Frame Type/Subtype Filter Management Frames wlan.fc.type==0 Association Request wlan.fc.type_subtype==0 Association Response wlan.fc.type_subtype==1 Ressociation Request wlan.fc.type_subtype==2 Ressociation Response wlan.fc.type_subtype==3 Probe Request wlan.fc.type_subtype==4 Probe Response wlan.fc.type_subtype==5 Beacon wlan.fc.type_subtype==8 ATIM wlan.fc.type_subtype==9 Disassociate wlan.fc.type_subtype==10 Authentication wlan.fc.type_subtype==11 Deauthentication wlan.fc.type_subtype==12 Association Request wlan.fc.type_subtype==0 Association Request wlan.fc.type_subtype==0 Control Frames wlan.fc.type==1 Power-Save Poll wlan.fc.type_subtype==26 Request To Send - RTS wlan.fc.type_subtype==27 Clear To Send - CTS wlan.fc.type_subtype==28 Acknowledgement - ACK wlan.fc.type_subtype==29 Data Frmaes wlan.fc.type==2 NULL Data wlan.fc.type_subtype==36

WLSAT Section 1


Here is a great graphical view of Wireshark’s 802.11 Filter names for each part of an 802.11 frame.

WLSAT Section 1


Display Filter Syntax

Hosts/Network ip.addr, ip.scr, ip.dst, eth.addr, eth.src, eth.dst

Ports tcp.port, tcp.srcport, tcp.dstport, udp.port, udp.srcport, udp.dstport

Various Protocols

arp, bootp, dcerpc, dns, eth, ftp, http, icmp, ip, ncp, netbios, ntp, ospf, sip, smtp, snmp, tcp, udp

Examples ip.addr==10.4.2.19

!ip.addr==10.4.15.27

!arp && !bootp

tcp.port==80

eth.dst==00:04:5a:df:80:37

ip.ttl<=5

tcp.flags.reset==1

Keyboard Shortcuts

Tab Move forward between packet windows and screen elements

Shift-Tab Move backwards between packets windows screen elements

Down Move forward to the next packet or detail item

Up Move back to the previous packet or detail item

Ctrl-Down, F8 Move to the next packet, even if the packet list is not the focus.

Ctrl-Up, F7 Move to the previous packet, even if the pack list is not the focus.

Left Closes the selected tree item in the packet detail window or move to the parent node if already closed.

Right Expands the selected tree item in the packet detail window (does not expand the subtree)

Backspace Move to the parent node in the packet detail window

Return, Enter Toggles expansion of the selected tree item in the packet detail window

Ctrl-M Mark a packet

Ctrl-N Go to the next market packet

Ctrl-T Set time reference

Ctrl-Plus Zoom in (increase font size)

Ctrl-Minus Zoom out (decrease font size)

Ctrl-Equal Zoom to 100%

WLSAT Section 1


Lab 1.6: Create baseline captures

Open – No WEP Shared Key – WEP Open – WEP WPA – PSK Open – WEP – w/Radius Roaming connection WPA – Radius Beacon – Probe Request – Probe Response Lab Part 1 - Capture an Open Authentication exchange between STA and Access Point

Step 1. Open Omnipeek Personal – Start à Wireless Tools à Wildpackets Omnipeek Personal.

Step 2. Click the Capture à Start Capture or capture options if you want to modify a current capture.

Step 3. Click on the 802.11 item in the left panel then select channel 1.

Step 4. Click OK.

Step 5. Click Start Capture.

Step 6. Connect your wireless STA to your Access Point with your SSID (It should be pre-configured with No Encryption and on Channel 1).

Step 7. When you have associated, stop the packet capture then review the list of packets.

Which packet starts the authentication process?

_____________________________

What is the MAC address of the station?

_____________________________

The AP?

_____________________________

Was the Authentication successful?

_____________________________

Why or why not?

_____________________________

Step 8. Save the file as baseline_Openauth.

Lab Part 2 - Capture Shared Key Authentication exchange between STA and Access Point

Step 1. Change the AP configuration to Shared Key Authentication and type a WEP key of 1111111111.

WLSAT Section 1


Step 2. Connect your wireless STA to the Access Point with the same security settings as the AP. This means WEP Encryption with Shared Key Authentication.

Step 3. Review the list of packets.

Which packet starts the authentication process?

_____________________________

Was the Authentication successful?

_____________________________

Why or why not?

_____________________________

Step 4. Select the file à choose save all packets.

Step 5. Save the file as baseline_SharedKeyAuth

Lab Part 3 - Capture a WPA-PSK Authentication

Step 1. Open Omnipeek personal and start a capture on channel 1.

Step 2. Configure your access point for WPA-PSK with the following parameters:

• Channel 1 • SSID = ap# (where the number is your student number) • WPA-PSK Authentication passphrase my wireless network is secure • Use TKIP for encryption

Step 3. Connect your Nokia N800 wireless client to your access point using the same security settings as the access point.

Step 4. Examine the packet capture file.

Step 5. Which packet starts the authentication process?

_____________________________

Step 6. What is the MAC address of the station? The AP?

_____________________________

Step 7. Was the Authentication successful?

_____________________________

Step 8. Save the file as baseline_WPA-PSK-Auth.

Lab Part 4 - Capture web access traffic

Step 1. Open Omnipeek personal and capture on channel 6.

WLSAT Section 1


Step 2. Connect your Nokia n800 wireless client to the classroom AP with SSID HOTlabs.

Step 3. Browse the web on your Nokia n800 you can choose where.

Step 4. View the capture and identify web site that other students are accessing. What web site is the client connecting to? List at least 3 here.

_____________________________

_____________________________

_____________________________

Step 5. View the payload of the packets. You should be able to see the websites that are being accessed.

Step 6. What application layer protocol is in use?

_____________________________

Step 7. What server is the data being transferred from?

_____________________________

Step 8. What is the IP address of the server?

_____________________________

Step 9. Save the file as baseline_Web-Traffic.

What you learned in this Lab: In this Lab you learned to use Wireless Sniffers / Protocol Analyzers to:

1. Capture data, voice and video traffic

2. Analyze connections between stations and access points

3. Review prerequisite knowledge and ensure you are familiar with how to capture, filter, and analyze wireless traffic

Wireless Packet Captures & Connection Analysis- A...

Documents

Transcript of Wireless Packet Captures & Connection Analysis- A...