Section 1 Wireless Packet Captures & Connection Analysis- A Review

Many of you will have already used many of these tools, or at least had some experience with them in previous CWNP or vendor wireless training. To bring everyone up to speed we've included this section as a review of the various tools and techniques for capturing packets traversing the 802.11 network. We'll start with some simple packet capture and filter building, and lead on to baselining your wireless network with some standard baseline captures. We'll cover some of the software packages included in your kit: WildPackets OmniPeek Personal, AirDefense Mobile, and Wireshark to start with.

1/12/11 1 www.inpnet.org www.hotlabs.org

Lab 1.1: View an Open Authentication packet capture

OmniPeek Personal demonstrates the benefits of a powerful, well-designed network analysis tool and its analysis capabilities. Used to increase the visibility into wireless and wired network traffic on non-commercial networks, OmniPeek Personal allows users to experience how the OmniAnalysis Platform pinpoints and analyzes network problems. OmniPeek Personal provides an introduction to the superior high-level views of WildPackets Expert Analysis which make the identification of network problems simple and quick.

Product Information
Source: WildPackets
Free
www.wildpackets.com

Where, When, Why
A protocol analyzer is a capture and analysis tool which gives a pen tester insight into the protocols, stations, access points, and wireless configuration of the network. The purpose of this lab is to review how to perform packet capture and analysis. These concepts are critical to performing wireless penetration testing. A wireless pen tester must know how to use packet capture and analysis tools in order to accurately identify security weaknesses. This lab will familiarize you with how to capture traffic, use capture and display filters, and view application and MAC layer data.

Usage and Features
Capture traffic and use statistics for troubleshooting purposes
Identify MAC and IP addresses for spoofing
Data confidentiality attack against unencrypted wireless networks

Where to Go for More Information
www.wildpackets.com

Lab Part 1: Analyze 802.11 Trace Files

Step 1. Insert the Ubiquiti card in the PCMCIA slot on the side of your WLSAT laptop. (You can use either the small 2.2 dBi or the 5 dBi antenna; note the arrow on the bottom pointing to the antenna jack to use.)
Step 2. Go to Start → Switch to OmniPeek Personal Driver.
Step 3. Launch OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use, then click OK to continue.

Step 5. You should see the packet counts changing in the Dashboard in the lower left corner if the card is collecting properly.
Step 6. Using File → Open → Desktop → Student Files → Trace Files → Omnipeek Captures, browse to the Student Files directory containing the OmniPeek trace files.
Step 7. Open the Open System WEP.apc file.
Step 8. You might need to change the column width settings to have your screen match the screen shot above.
Step 9. Note the frames: who is talking to whom, which are broadcast, which are unicast.
Step 10. What is the MAC address of the Access Point? The client?
Step 11. Now open another trace file; this time let's try one of the EAP conversations. How about EAP-LEAP-TKIP.apc.

Step 12. To make this a little easier to see, let's get rid of all the Acknowledgement frames by building a No ACKs filter.
Step 13. Click on View → Filters.
Step 14. Now we need to add a new filter by clicking on the plus sign.
Step 15. Check the Protocol filter box, then click the Protocols button to open the Protocol Options screen.

Step 16. Click OK to return; notice the change in the Protocol field.
Step 17. Now we need to change from Simple to Advanced in the window (upper right of the Insert Filter interface).
Step 18. Give the filter the name No ACKs, click on the Protocol box, then click the Not button to make your screen match the graphic above. Then click OK.
Step 19. You should now have a No ACKs filter choice.
Step 20. To apply this filter, click on the little funnel icon (at the top of the packet window) and drop down to the No ACKs filter choice.

Step 21. You should now see a simpler view of this packet exchange.
Step 22. We have included a variety of packet exchanges for your perusal. Try opening all of them to see how different processes work at the packet level.
Step 23. Next we'll see if you can answer some questions after analyzing another trace file. Enjoy!
Step 24. Using File → Open, open Openauth.apc.
Step 25. Examine the packet capture file. Which packet starts the authentication process?
Step 26. What is the MAC address of the station? The AP?
Step 27. What is the SSID of the network?

Step 28. Does the AP support B and G?
Step 29. What channel is the AP on?
Step 30. Was the authentication successful?
Step 31. Is this the first time the client associated to the network? How can you tell?
Step 32. How many clients are connected to the AP?
Step 33. Is there anything suspicious about one of the clients that is connecting to the AP?

Lab 1.2: View an EAP Authentication packet capture

Open OmniPeek Personal.
Using File → Open, open eap.apc.
When does the EAP authentication take place?
How do you know it is an EAP authentication?
What EAP type is the wireless network using?
Has the client successfully authenticated?

Lab 1.3: View a data transfer packet capture

Open OmniPeek Personal.
Using File → Open, open data.apc.
Examine the packet capture file.
View the payload of the packets.
What application layer protocol is in use?
What server is the data being transferred from?
What is the IP address of the server?
What web site is the client connecting to?

Lab 1.4: Create an OmniPeek Filter

Step 1. Open OmniPeek Personal.
Step 2. Start a capture on channel 6.
Step 3. Set 802.11 options to Channel 6.
Step 4. Create a filter to capture all traffic except beacons: View → Filters, then Add. Set Protocol to 802.11 Beacon, then use Advanced to set the Not.
Step 5. Apply the No Beacons filter (little funnel, and choose No Beacons).
Step 6. Start the capture. Wait a couple of minutes, then Stop.

Steps 7 to 14:
View the capture. Do you see beacons?
Create a filter to capture only data traffic.
Open a web page on the Nokia N800 and the WLSAT laptop.
Start a new capture.
View the capture. Do you see data-only traffic?
Create a filter to capture only voice traffic.
Make a Gizmo Project or Google Talk call between your Nokia and the WLSAT laptop.
Start a new capture.
View the capture. Do you see voice traffic?

Steps 15 to 21:
Create a filter to capture only FTP traffic.
Start the FTP server on the WLSAT laptop.
Connect to the FTP server from the Nokia N800.
Start a new capture.
View the capture. Do you see FTP traffic?
Create a filter to capture only traffic to a destination network.
View the capture. Do you see only traffic to your network?
Create a filter to capture only traffic to a destination host. Try your WLSAT laptop's MAC address.
View the capture. Do you see only traffic to your host?

Lab 1.5: Create a Wireshark Filter

Step 1. Plug in the AirPcap USB device.
Step 2. Open Wireshark: Start → Wireless Tools → Wireshark.
Step 3. Click on Capture → Interfaces.
Step 4. Choose the AirPcap USB adapter and click on Options to set details for this capture.
Step 5. Review the options on this page, then click on Wireless Settings.
Step 6. Select Channel 1 as the channel we'll be capturing from.
Step 7. Return to the Options page, then click the Start button to start your capture.

Step 8. Note that right now all packets are being shown as they come to the wireless card.
Step 9. Review the notes below on how to make and use filters in Wireshark.
Step 10. Create a filter to capture all traffic except beacons.
Step 11. Create a filter to capture only data traffic.
Step 12. Create a filter to capture only Data but NOT NULL Data (going to sleep) packets.
Step 13. Now try some new filters on your own. NOTE: You can review more on Wireshark from the Laura Chappell Master Library DVD set.
Step 14. Create a filter to capture only voice traffic.
Step 15. Create a filter to capture only FTP traffic.
Step 16. Create a filter to capture only traffic to a destination network.
Step 17. Create a filter to capture only traffic to a destination host.
Step 18. How about a filter to capture Access Points with cloaked or hidden SSIDs? When an Access Point does NOT broadcast its SSID, the SSID field contains no data in Beacon and Probe Response packets. But clients MUST ask for the proper hidden SSID in their requests to join the BSA. NOTE: This filter is wlan.bssid==xx:xx:xx:xx:xx:xx and wlan.fc.type_subtype==0, where the BSSID of the Access Point you are looking for goes in place of the xx's. By applying the above filter, we reveal any association requests for the specific BSSID. By clicking IEEE 802.11 Wireless LAN Management Frame → Tagged Parameters → SSID Parameter Set in the packet detail window we can see the SSID requested by the client station, thus revealing the hidden SSID.

Wireshark Filters for 802.11 Frames

802.11 Header Field                      Filter
Either Source or Destination Address     wlan.addr
Transmitter Address                      wlan.ta
Source Address                           wlan.sa
Receiver Address                         wlan.ra
Destination Address                      wlan.da
BSSID                                    wlan.bssid
Duration                                 wlan.duration

Frame Control Subfields                  Filter
Frame Type                               wlan.fc.type
Frame Subtype                            wlan.fc.subtype
ToDS Flag                                wlan.fc.tods
FromDS Flag                              wlan.fc.fromds
Retry Flag                               wlan.fc.retry
Protected Frame (WEP) Flag               wlan.fc.wep

Fields can be combined using operators. Wireshark supports a standard set of comparison operators:
==  for equality
!=  for inequality
>   for greater than
>=  for greater than or equal to
<   for less than
<=  for less than or equal to
&&  logical AND
contains
matches
!   NOT

An example of a display filter would be wlan.fc.type==1 to match control frames.

To remove all Beacon frames from your trace, you'll need to write a display filter that matches Beacon frames, and then negate it, like the example below:
Filter on the type code for management frames with wlan.fc.type==0
Filter on the subtype code for Beacon with wlan.fc.subtype==8
Combine the two, and negate the operation by using the exclamation point for NOT, with an expression result of: !(wlan.fc.type==0 and wlan.fc.subtype==8)

When assessing a wireless capture with Wireshark, it is common to apply display filters to look for or exclude certain frames based on the IEEE 802.11 frame type and frame subtype fields. If you are trying to exclude frames from a capture, it is easy to identify the Type and Subtype field by navigating the Packet Details window and use those values for your filter. Or, you can just use this handy-dandy table we've provided below.

Frame Type/Subtype          Filter
Management Frames           wlan.fc.type==0
  Association Request       wlan.fc.type_subtype==0
  Association Response      wlan.fc.type_subtype==1
  Reassociation Request     wlan.fc.type_subtype==2
  Reassociation Response    wlan.fc.type_subtype==3
  Probe Request             wlan.fc.type_subtype==4
  Probe Response            wlan.fc.type_subtype==5
  Beacon                    wlan.fc.type_subtype==8
  ATIM                      wlan.fc.type_subtype==9
  Disassociate              wlan.fc.type_subtype==10
  Authentication            wlan.fc.type_subtype==11
  Deauthentication          wlan.fc.type_subtype==12
Control Frames              wlan.fc.type==1
  Power-Save Poll           wlan.fc.type_subtype==26
  Request To Send - RTS     wlan.fc.type_subtype==27
  Clear To Send - CTS       wlan.fc.type_subtype==28
  Acknowledgement - ACK     wlan.fc.type_subtype==29
Data Frames                 wlan.fc.type==2
  NULL Data                 wlan.fc.type_subtype==36
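The type_subtype values in the table above, and the wlan.fc.* subfields listed before it, both come straight out of the two-byte Frame Control field, which is easiest to see by decoding it yourself. The following Python is an added example (not part of the lab manual, and not Wireshark's own code): it decodes Frame Control into the wlan.fc.* fields, computes wlan.fc.type_subtype the way Wireshark does, and runs the lab's no-beacons and data-but-not-NULL filters over a few frames constructed for illustration.

```python
# Added example, not from the lab manual: decode the 802.11 Frame Control field
# into the wlan.fc.* values Wireshark exposes, then run the lab's display
# filters over a few constructed frames.
from dataclasses import dataclass

@dataclass
class FrameControl:
    type: int        # wlan.fc.type: 0 management, 1 control, 2 data
    subtype: int     # wlan.fc.subtype
    tods: bool       # wlan.fc.tods
    fromds: bool     # wlan.fc.fromds
    retry: bool      # wlan.fc.retry
    protected: bool  # wlan.fc.wep (the Protected Frame bit)

    @property
    def type_subtype(self) -> int:
        # Wireshark's wlan.fc.type_subtype packs both values into one number,
        # (type << 4) | subtype, which is why Beacon is 8, PS-Poll (type 1,
        # subtype 10) is 26, ACK (1, 13) is 29 and NULL Data (2, 4) is 36.
        return (self.type << 4) | self.subtype

def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode the first two bytes (Frame Control) of an 802.11 MAC header."""
    if len(frame) < 2:
        raise ValueError("frame too short to carry a Frame Control field")
    b0, b1 = frame[0], frame[1]
    # Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    # Byte 1: bit 0 ToDS, bit 1 FromDS, bit 3 Retry, bit 6 Protected Frame.
    return FrameControl(
        type=(b0 >> 2) & 0x3,
        subtype=(b0 >> 4) & 0xF,
        tods=bool(b1 & 0x01),
        fromds=bool(b1 & 0x02),
        retry=bool(b1 & 0x08),
        protected=bool(b1 & 0x40),
    )

def fc_byte0(ftype: int, subtype: int) -> int:
    # Frame Control byte 0 for protocol version 0.
    return (subtype << 4) | (ftype << 2)

# Constructed sample frames; only the two Frame Control bytes are present.
SAMPLE_FRAMES = {
    "beacon":        bytes([fc_byte0(0, 8), 0x00]),
    "assoc_request": bytes([fc_byte0(0, 0), 0x00]),
    "ps_poll":       bytes([fc_byte0(1, 10), 0x00]),
    "ack":           bytes([fc_byte0(1, 13), 0x00]),
    "data_to_ap":    bytes([fc_byte0(2, 0), 0x41]),  # ToDS + Protected Frame
    "null_data":     bytes([fc_byte0(2, 4), 0x11]),  # ToDS + Power Mgmt (sleep)
}

# The lab's display filters, written as predicates over the decoded fields.
FILTERS = {
    "no_beacons":     lambda fc: not (fc.type == 0 and fc.subtype == 8),
    "control_frames": lambda fc: fc.type == 1,
    "data_only":      lambda fc: fc.type == 2,
    "data_not_null":  lambda fc: fc.type == 2 and fc.type_subtype != 36,
}

def apply_filter(name: str, frames=SAMPLE_FRAMES) -> list:
    """Return the labels of the frames that the named filter keeps."""
    keep = FILTERS[name]
    return [label for label, raw in frames.items() if keep(parse_frame_control(raw))]

if __name__ == "__main__":
    for label, raw in SAMPLE_FRAMES.items():
        fc = parse_frame_control(raw)
        print(f"{label:14s} type_subtype={fc.type_subtype:2d} tods={fc.tods} wep={fc.protected}")
    for name in FILTERS:
        print(f"{name}: {apply_filter(name)}")
```

Feeding real frames in is a matter of passing the first two bytes after the radiotap or PPI header of a captured packet to parse_frame_control.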

Here is a great graphical view of Wireshark's 802.11 filter names for each part of an 802.11 frame.

Display Filter Syntax

Hosts/Network      ip.addr, ip.src, ip.dst, eth.addr, eth.src, eth.dst
Ports              tcp.port, tcp.srcport, tcp.dstport, udp.port, udp.srcport, udp.dstport
Various Protocols  arp, bootp, dcerpc, dns, eth, ftp, http, icmp, ip, ncp, netbios, ntp, ospf, sip, smtp, snmp, tcp, udp

Examples
ip.addr==10.4.2.19
!ip.addr==10.4.15.27
!arp && !bootp
tcp.port==80
eth.dst==00:04:5a:df:80:37
ip.ttl<=5
tcp.flags.reset==1

Keyboard Shortcuts
Tab              Move forward between packet windows and screen elements
Shift-Tab        Move backwards between packet windows and screen elements
Down             Move forward to the next packet or detail item
Up               Move back to the previous packet or detail item
Ctrl-Down, F8    Move to the next packet, even if the packet list is not the focus
Ctrl-Up, F7      Move to the previous packet, even if the packet list is not the focus
Left             Closes the selected tree item in the packet detail window, or moves to the parent node if already closed
Right            Expands the selected tree item in the packet detail window (does not expand the subtree)
Backspace        Move to the parent node in the packet detail window
Return, Enter    Toggles expansion of the selected tree item in the packet detail window
Ctrl-M           Mark a packet
Ctrl-N           Go to the next marked packet
Ctrl-T           Set time reference
Ctrl-Plus        Zoom in (increase font size)
Ctrl-Equal       Zoom to 100%
Ctrl-Minus       Zoom out (decrease font size)

Lab 1.6: Create baseline captures

Baseline captures to create:
Open No WEP
Open WEP
Open WEP w/RADIUS
WPA RADIUS
Shared Key WEP
WPA PSK
Roaming connection
Beacon
Probe Request
Probe Response

Lab Part 1 - Capture an Open Authentication exchange between STA and Access Point

Step 1. Open OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 2. Click Capture → Start Capture, or Capture Options if you want to modify a current capture.
Step 3. Click on the 802.11 item in the left panel, then select channel 1.
Step 4. Click OK.
Step 5. Click Start Capture.
Step 6. Connect your wireless STA to your Access Point with your SSID (it should be pre-configured with No Encryption and on Channel 1).
Step 7. When you have associated, stop the packet capture, then review the list of packets. Which packet starts the authentication process? What is the MAC address of the station? The AP? Was the authentication successful? Why or why not?
Step 8. Save the file as baseline_openauth.

Lab Part 2 - Capture a Shared Key Authentication exchange between STA and Access Point

Step 1. Change the AP configuration to Shared Key Authentication and type a WEP key of 1111111111.

Step 2. Connect your wireless STA to the Access Point with the same security settings as the AP. This means WEP encryption with Shared Key Authentication.
Step 3. Review the list of packets. Which packet starts the authentication process? Was the authentication successful? Why or why not?
Step 4. Select File → Save All Packets.
Step 5. Save the file as baseline_sharedkeyauth.

Lab Part 3 - Capture a WPA-PSK Authentication

Step 1. Open OmniPeek Personal and start a capture on channel 1.
Step 2. Configure your access point for WPA-PSK with the following parameters:
  Channel 1
  SSID = ap# (where the number is your student number)
  WPA-PSK authentication, passphrase "my wireless network is secure"
  Use TKIP for encryption
Step 3. Connect your Nokia N800 wireless client to your access point using the same security settings as the access point.
Step 4. Examine the packet capture file.
Step 5. Which packet starts the authentication process?
Step 6. What is the MAC address of the station? The AP?
Step 7. Was the authentication successful?
Step 8. Save the file as baseline_wpa-psk-auth.

Lab Part 4 - Capture web access traffic

Step 1. Open OmniPeek Personal and capture on channel 6.

Step 2. Connect your Nokia N800 wireless client to the classroom AP with SSID HOTlabs.
Step 3. Browse the web on your Nokia N800; you can choose where.
Step 4. View the capture and identify the web sites that other students are accessing. What web site is the client connecting to? List at least 3 here.
Step 5. View the payload of the packets. You should be able to see the websites that are being accessed.
Step 6. What application layer protocol is in use?
Step 7. What server is the data being transferred from?
Step 8. What is the IP address of the server?
Step 9. Save the file as baseline_web-traffic.

What you learned in this Lab:
In this Lab you learned to use wireless sniffers / protocol analyzers to:
1. Capture data, voice and video traffic
2. Analyze connections between stations and access points
3. Review prerequisite knowledge and ensure you are familiar with how to capture, filter, and analyze wireless traffic