Section 1 Wireless Packet Captures & Connection Analysis - A Review

Many of you will have already used many of these tools, or at least had some experience with them in previous CWNP or vendor wireless training. To bring everyone up to speed we've included this section as a review of the various tools and techniques for capturing packets traversing the 802.11 network. We'll start with some simple packet captures and filters, and lead on to baselining your wireless network with a set of standard baseline captures. We'll cover some of the software packages included in your kit: WildPackets OmniPeek Personal, AirDefense Mobile, and Wireshark to start with.
1/12/11 1 www.inpnet.org www.hotlabs.org
Lab 1.1: View an Open Authentication packet capture

OmniPeek Personal demonstrates the benefits of a powerful, well-designed network analysis tool and its analysis capabilities. Used to increase visibility into wireless and wired network traffic on non-commercial networks, OmniPeek Personal allows users to experience how the OmniAnalysis Platform pinpoints and analyzes network problems. OmniPeek Personal provides an introduction to the high-level views of WildPackets Expert Analysis, which make the identification of network problems simple and quick.

Product Information
Source: WildPackets (free), www.wildpackets.com

Where, When, Why
A protocol analyzer is a capture and analysis tool that gives a pen tester insight into the protocols, stations, access points, and wireless configuration of the network. The purpose of this lab is to review how to perform packet capture and analysis. These concepts are critical to performing wireless penetration testing: a wireless pen tester must know how to use packet capture and analysis tools in order to accurately identify security weaknesses. This lab will familiarize you with how to capture traffic, use capture and display filters, and view application and MAC layer data.

Usage and Features
- Capture traffic and use statistics for troubleshooting purposes
- Identify MAC and IP addresses for spoofing
- Data confidentiality attack against unencrypted wireless networks (every frame payload is readable to anyone in range)

Where to Go for More Information
www.wildpackets.com
Lab Part 1 - Analyze 802.11 Trace Files

Step 1. Insert the Ubiquiti card in the PCMCIA slot on the side of your WLSAT laptop. (You can use either the small 2.2 dBi or the 5 dBi antenna; note the arrow on the bottom pointing to the antenna jack to use.)
Step 2. Go to Start → Switch to OmniPeek Personal Driver.
Step 3. Launch OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use, then click OK to continue.
Step 5. If the card is collecting properly, you should see the packet counters changing in the Dashboard in the lower left corner.
Step 6. Using File → Open → Desktop → Student Files → Trace Files → Omnipeek Captures, browse to the Student Files directory containing the OmniPeek trace files.
Step 7. Open the Open System WEP.apc file.
Step 8. You might need to change the column width settings to have your screen match the screenshot above.
Step 9. Note the frames: who is talking to whom, which are broadcast, which are unicast.
Step 10. What is the MAC address of the access point? Of the client?
Step 11. Now open another trace file, this time one of the EAP conversations: EAP-LEAP-TKIP.apc.
Step 12. To make this a little easier to read, let's get rid of all the Acknowledgement frames by building a "No ACKs" filter.
Step 13. Click on View → Filters.
Step 14. Add a new filter by clicking on the plus sign.
Step 15. Check the Protocol filter box, then click the Protocol button to open the Protocol Options screen.
Step 16. Click OK to return, and notice the change in the Protocol field.
Step 17. Change the filter from Simple to Advanced (upper right of the Insert Filter window).
Step 18. Give the filter the name "No ACKs", click on the Protocol box, then click the Not button to make your screen match the graphic above. Then click OK.
Step 19. You should now have a "No ACKs" filter choice.
Step 20. To apply this filter, click on the little funnel icon (at the top of the packet window) and drop down to the "No ACKs" filter choice.
Step 21. You should now see a simpler view of this packet exchange: with the ACKs hidden, only the management, EAP and data frames that carry the conversation remain.
Step 22. We have included a variety of packet exchanges for your perusal. Try opening all of them to see how different processes work at the packet level.
Step 23. Next we'll see if you can answer some questions after analyzing another trace file. Enjoy!
Step 24. Using File → Open, open Openauth.apc.
Step 25. Examine the packet capture file. Which packet starts the authentication process?
Step 26. What is the MAC address of the station? The AP?
Step 27. What is the SSID of the network?
Step 28. Does the AP support B and G?
Step 29. What channel is the AP on?
Step 30. Was the authentication successful?
Step 31. Is this the first time the client associated to the network? How can you tell?
Step 32. How many clients are connected to the AP?
Step 33. Is there anything suspicious about one of the clients that is connecting to the AP?
Lab 1.2: View an EAP Authentication packet capture

Step 1. Open OmniPeek Personal.
Step 2. Using File → Open, open eap.apc.
Step 3. When does the EAP authentication take place?
Step 4. How do you know it is an EAP authentication?
Step 5. What EAP type is the wireless network using?
Step 6. Has the client successfully authenticated?
Lab 1.3: View a data transfer packet capture

Step 1. Open OmniPeek Personal.
Step 2. Using File → Open, open data.apc.
Step 3. Examine the packet capture file.
Step 4. View the payload of the packets.
Step 5. What application layer protocol is in use?
Step 6. What server is the data being transferred from?
Step 7. What is the IP address of the server?
Step 8. What web site is the client connecting to?
Lab 1.4: Create an OmniPeek Filter

Step 1. Open OmniPeek Personal.
Step 2. Start a capture on channel 6.
Step 3. Set the 802.11 options to channel 6.
Step 4. Create a filter to capture all traffic except beacons: View → Filters, then Add. Set Protocol to 802.11 Beacon, then switch to Advanced to set the Not.
Step 5. Apply the "No Beacons" filter (little funnel, then choose No Beacons).
Step 6. Start the capture. Wait a couple of minutes, then stop.
Step 7. View the capture. Do you see beacons?
Step 8. Create a filter to capture only data traffic.
Step 9. Open a web page on the Nokia N800 and on the WLSAT laptop.
Step 10. Start a new capture.
Step 11. View the capture. Do you see only data traffic?
Step 12. Create a filter to capture only voice traffic.
Step 13. Make a Gizmo Project or Google Talk call between your Nokia and the WLSAT laptop.
Step 14. Start a new capture, then view it. Do you see voice traffic?
Step 15. Create a filter to capture only FTP traffic.
Step 16. Start the FTP server on the WLSAT laptop.
Step 17. Connect to the FTP server from the Nokia N800.
Step 18. Start a new capture, then view it. Do you see FTP traffic?
Step 19. Create a filter to capture only traffic to a destination network. View the capture. Do you see only traffic to your network?
Step 20. Create a filter to capture only traffic to a destination host. Try your WLSAT laptop's MAC address.
Step 21. View the capture. Do you see only traffic to your host?
Lab 1.5: Create a Wireshark Filter

Step 1. Plug in the AirPcap USB device.
Step 2. Open Wireshark: Start → Wireless Tools → Wireshark.
Step 3. Click on Capture → Interfaces.
Step 4. Choose the AirPcap USB adapter and click on Options to set the details for this capture.
Step 5. Review the options on this page, then click on Wireless Settings.
Step 6. Select channel 1 as the channel we'll be capturing from.
Step 7. Return to the Options page, then click the Start button to start your capture.
Step 8. Note that right now all packets are being shown as they come to the wireless card.
Step 9. Review the notes below on how to make and use filters in Wireshark.
Step 10. Create a filter to capture all traffic except beacons.
Step 11. Create a filter to capture only data traffic.
Step 12. Create a filter to capture only Data but NOT Null Data (going to sleep) packets.
Step 13. Now try some new filters on your own. NOTE: You can review more on Wireshark from the Laura Chappell Master Library DVD set.
Step 14. Create a filter to capture only voice traffic.
Step 15. Create a filter to capture only FTP traffic.
Step 16. Create a filter to capture only traffic to a destination network.
Step 17. Create a filter to capture only traffic to a destination host.
Step 18. How about a filter to capture access points with cloaked or hidden SSIDs? When an access point does NOT broadcast its SSID, the SSID field in its Beacons is empty (zero length). But clients MUST send the real SSID to join the BSA, so it appears in their directed Probe Requests, in the AP's Probe Responses to them, and in their Association Requests. NOTE: This filter is wlan.bssid==xx:xx:xx:xx:xx:xx and wlan.fc.type_subtype==0, where the BSSID of the access point you are looking for replaces the xx's. By applying the above filter, we reveal any Association Requests for the specific BSSID. By clicking IEEE 802.11 Wireless LAN Management Frame → Tagged Parameters → SSID Parameter Set in the packet detail window, we can see the SSID requested by the client station, thus revealing the hidden SSID. Hiding the SSID is therefore not a security control: anyone capturing on the channel learns the name as soon as one client joins.
Wireshark Filters for 802.11 Frames

802.11 Header Field                     Filter name
Either Source or Destination Address    wlan.addr
Transmitter Address                     wlan.ta
Source Address                          wlan.sa
Receiver Address                        wlan.ra
Destination Address                     wlan.da
BSSID                                   wlan.bssid
Duration                                wlan.duration

Frame Control Subfields                 Filter name
Frame Type                              wlan.fc.type
Frame Subtype                           wlan.fc.subtype
ToDS Flag                               wlan.fc.tods
FromDS Flag                             wlan.fc.fromds
Retry Flag                              wlan.fc.retry
Protected Frame (WEP) Flag              wlan.fc.wep (named wlan.fc.protected in current Wireshark releases)

Field names are case-sensitive (wlan.duration, not Wlan.duration). Fields can be combined using operators. Wireshark supports a standard set of comparison and logical operators:
==          equality
!=          inequality
>           greater than
>=          greater than or equal to
<           less than
<=          less than or equal to
&&  or and  logical AND
||  or or   logical OR
contains    the field contains the given bytes or string
matches     the field matches a regular expression
!   or not  NOT

An example of a display filter would be wlan.fc.type==1 to match control frames. To remove all Beacon frames from your trace, you'll need to write a display filter that matches Beacon frames and then negate it, like the example below:
Filter on the type code for management frames with wlan.fc.type==0
Filter on the subtype code for Beacon with wlan.fc.subtype==8
Combine the two, and negate the operation by using the exclamation point for NOT, with an expression result of: !(wlan.fc.type==0 and wlan.fc.subtype==8)
The combined type/subtype field gives the same result in one term: wlan.fc.type_subtype!=8
When assessing a wireless capture with Wireshark, it is common to apply display filters to look for or exclude certain frames based on the IEEE 802.11 frame type and frame subtype fields. If you are trying to exclude frames from a capture, it is easy to identify the Type and Subtype field values by navigating the Packet Details window and use those values for your filter. Or you can just use the handy table we've provided below. Note that wlan.fc.type_subtype combines both fields into one value, (type << 4) | subtype, which is why control frames start at 16 and data frames at 32.

Frame Type/Subtype              Filter
Management Frames               wlan.fc.type==0
  Association Request           wlan.fc.type_subtype==0
  Association Response          wlan.fc.type_subtype==1
  Reassociation Request         wlan.fc.type_subtype==2
  Reassociation Response        wlan.fc.type_subtype==3
  Probe Request                 wlan.fc.type_subtype==4
  Probe Response                wlan.fc.type_subtype==5
  Beacon                        wlan.fc.type_subtype==8
  ATIM                          wlan.fc.type_subtype==9
  Disassociation                wlan.fc.type_subtype==10
  Authentication                wlan.fc.type_subtype==11
  Deauthentication              wlan.fc.type_subtype==12
Control Frames                  wlan.fc.type==1
  Power-Save Poll               wlan.fc.type_subtype==26
  Request To Send - RTS         wlan.fc.type_subtype==27
  Clear To Send - CTS           wlan.fc.type_subtype==28
  Acknowledgement - ACK         wlan.fc.type_subtype==29
Data Frames                     wlan.fc.type==2
  Null Data                     wlan.fc.type_subtype==36
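The hidden-SSID filter from Lab 1.5 Step 18 and the type/subtype table above are easy to get wrong by hand, so here is the same logic in code. This is an added example written for this review; it is not part of the lab manual and not code from WildPackets or the Wireshark project. It is a small Python parser that decodes the Frame Control and address fields of raw 802.11 frames the way the wlan.* and wlan.fc.* fields present them, applies the "no beacons", "data but not Null Data" and hidden-SSID filters, and reads the SSID out of the Tagged Parameters. The five frames it runs over are constructed for the example (the MAC addresses, the channel and the SSID "HOTlabs" are assumed), it expects frames without a radiotap/PPI header in front, and it goes slightly beyond the page's filter by also checking Reassociation and Probe frames for the SSID.

```python
# Decode raw 802.11 frames as Wireshark's wlan.* / wlan.fc.* fields present them, apply the
# lab's display filters in code and recover a hidden SSID. Added example, not part of the
# lab manual; every frame below is constructed and the addresses/SSID are assumed.
import struct

# Names keyed by Wireshark's wlan.fc.type_subtype value: (type << 4) | subtype
TYPE_SUBTYPE_NAMES = {
    0x00: "Association Request", 0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon", 0x09: "ATIM",
    0x0A: "Disassociation", 0x0B: "Authentication", 0x0C: "Deauthentication",
    0x1A: "PS-Poll", 0x1B: "RTS", 0x1C: "CTS", 0x1D: "ACK",
    0x20: "Data", 0x24: "Null Data", 0x28: "QoS Data",
}
# Fixed-parameter bytes that precede the tagged parameters (IEs) in each management body
FIXED_PARAMS_LEN = {0x00: 4, 0x02: 10, 0x04: 0, 0x05: 12, 0x08: 12}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    # Expects the 802.11 MAC header first (no radiotap/PPI); a captured FCS stays in 'body'.
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "type_subtype": (ftype << 4) | subtype,
            "tods": bool(fc1 & 0x01), "fromds": bool(fc1 & 0x02), "retry": bool(fc1 & 0x08),
            "protected": bool(fc1 & 0x40), "ra": mac(frame[4:10])}   # Address 1 is always RA
    info["name"] = TYPE_SUBTYPE_NAMES.get(info["type_subtype"], f"type {ftype}/{subtype}")
    if ftype == 1:                                   # control frames carry one or two addresses
        if subtype in (0xA, 0xB):                    # PS-Poll and RTS also carry a TA
            info["ta"] = mac(frame[10:16])
        return info
    a2, a3 = mac(frame[10:16]), mac(frame[16:22])
    info["ta"] = a2
    # Which address is DA / SA / BSSID depends on the ToDS and FromDS flags.
    if not info["tods"] and not info["fromds"]:
        info["da"], info["sa"], info["bssid"] = info["ra"], a2, a3
    elif info["tods"] and not info["fromds"]:
        info["bssid"], info["sa"], info["da"] = info["ra"], a2, a3
    elif info["fromds"] and not info["tods"]:
        info["da"], info["bssid"], info["sa"] = info["ra"], a2, a3
    else:                                            # WDS: Address 4 carries the SA
        info["da"], info["sa"] = a3, mac(frame[24:30])
    info["body"] = frame[30:] if (info["tods"] and info["fromds"]) else frame[24:]
    return info

def ssid_of(info):
    # SSID IE (tag 0) of a management frame: '' when hidden (zero length), None when absent.
    if info["type"] != 0 or info["type_subtype"] not in FIXED_PARAMS_LEN:
        return None
    body, pos = info["body"], FIXED_PARAMS_LEN[info["type_subtype"]]
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            break                                    # truncated IE: never read past the frame
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None

# The lab's display filters, evaluated over parsed frames.
def no_beacons(frames):                # !(wlan.fc.type==0 and wlan.fc.subtype==8)
    return [f for f in frames if not (f["type"] == 0 and f["subtype"] == 8)]

def data_not_null(frames):             # wlan.fc.type==2 and !(wlan.fc.type_subtype==36)
    return [f for f in frames if f["type"] == 2 and f["type_subtype"] != 0x24]

def reveal_hidden_ssid(frames, bssid):
    # wlan.bssid==<bssid> and wlan.fc.type_subtype==0, then read the SSID IE; Reassociation
    # and Probe frames (2, 4, 5) for the same BSSID carry the name too, so check them as well.
    for f in frames:
        if f.get("bssid") == bssid and f["type_subtype"] in (0x00, 0x02, 0x04, 0x05):
            ssid = ssid_of(f)
            if ssid:
                return ssid
    return None

# --- Constructed sample frames (assumed addresses, no FCS) ------------------------------
def frame3(ftype, subtype, a1, a2, a3, body=b"", flags=0):
    fc0 = (subtype << 4) | (ftype << 2)              # protocol version 0
    return (bytes([fc0, flags]) + struct.pack("<H", 0x013A) + a1 + a2 + a3
            + struct.pack("<H", 0x0010) + body)      # duration, addr1-3, sequence control

AP, STA = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01")
GW, BCAST = bytes.fromhex("005056000001"), b"\xff" * 6
SAMPLE_FRAMES = [
    # Beacon from a "hidden" AP: SSID IE present but empty (00 00), DS Parameter Set = channel 6
    frame3(0, 8, BCAST, AP, AP, bytes(12) + b"\x00\x00" + b"\x03\x01\x06"),
    # Association Request from the STA: capability, listen interval, SSID IE, supported rates IE
    frame3(0, 0, AP, STA, AP, b"\x31\x04\x0a\x00" + b"\x00\x07HOTlabs" + b"\x01\x04\x82\x84\x8b\x96"),
    bytes([0xD4, 0x00]) + struct.pack("<H", 0) + STA,  # ACK addressed to the STA
    frame3(2, 4, AP, STA, AP, flags=0x11),           # Null Data, ToDS + Power Mgmt (going to sleep)
    frame3(2, 0, STA, AP, GW, bytes(16), flags=0x42),  # Data, FromDS + Protected (encrypted body)
]

def classify(raw_frames=SAMPLE_FRAMES):
    return [parse_frame(f) for f in raw_frames]
```

Running classify() over SAMPLE_FRAMES labels the five frames Beacon, Association Request, ACK, Null Data and Data with type_subtype values 8, 0, 29, 36 and 32, no_beacons() drops only the first, data_not_null() keeps only the last, and reveal_hidden_ssid(parsed, "00:11:22:33:aa:bb") returns "HOTlabs" even though the Beacon's SSID IE is empty. On a real capture, strip the radiotap or PPI header first (its length is in its own header) before handing each frame to parse_frame().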
Here is a great graphical view of Wireshark's 802.11 filter names for each part of an 802.11 frame (figure not reproduced in this text).
Display Filter Syntax

Hosts/Network       ip.addr, ip.src, ip.dst, eth.addr, eth.src, eth.dst
Ports               tcp.port, tcp.srcport, tcp.dstport, udp.port, udp.srcport, udp.dstport
Various Protocols   arp, bootp, dcerpc, dns, eth, ftp, http, icmp, ip, ncp, netbios, ntp, ospf, sip, smtp, snmp, tcp, udp

Examples
ip.addr==10.4.2.19
!ip.addr==10.4.15.27   (write it this way: ip.addr!=10.4.15.27 matches any packet in which either the source or the destination differs, which is almost every packet)
!arp && !bootp
tcp.port==80
eth.dst==00:04:5a:df:80:37
ip.ttl<=5
tcp.flags.reset==1

Keyboard Shortcuts
Tab             Move forward between packet windows and screen elements
Shift-Tab       Move backward between packet windows and screen elements
Down            Move forward to the next packet or detail item
Up              Move back to the previous packet or detail item
Ctrl-Down, F8   Move to the next packet, even if the packet list is not the focus
Ctrl-Up, F7     Move to the previous packet, even if the packet list is not the focus
Left            Close the selected tree item in the packet detail window, or move to the parent node if it is already closed
Right           Expand the selected tree item in the packet detail window (does not expand the subtree)
Backspace       Move to the parent node in the packet detail window
Return, Enter   Toggle expansion of the selected tree item in the packet detail window
Ctrl-M          Mark a packet
Ctrl-N          Go to the next marked packet
Ctrl-T          Set time reference
Ctrl-Plus       Zoom in (increase font size)
Ctrl-Minus      Zoom out (decrease font size)
Ctrl-Equal      Zoom to 100%
Lab 1.6: Create baseline captures

Baseline captures to collect:
- Open, no WEP
- Open, WEP
- Open, WEP with RADIUS
- WPA with RADIUS
- Shared Key WEP
- WPA-PSK
- Roaming connection
- Beacon
- Probe Request
- Probe Response

Lab Part 1 - Capture an Open Authentication exchange between STA and Access Point

Step 1. Open OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 2. Click Capture → Start Capture, or Capture Options if you want to modify a current capture.
Step 3. Click on the 802.11 item in the left panel, then select channel 1.
Step 4. Click OK.
Step 5. Click Start Capture.
Step 6. Connect your wireless STA to your access point with your SSID (it should be pre-configured with no encryption and on channel 1).
Step 7. When you have associated, stop the packet capture, then review the list of packets. Which packet starts the authentication process? What is the MAC address of the station? The AP? Was the authentication successful? Why or why not?
Step 8. Save the file as baseline_openauth.

Lab Part 2 - Capture a Shared Key Authentication exchange between STA and Access Point

Step 1. Change the AP configuration to Shared Key Authentication and type a WEP key of 1111111111.
Step 2. Connect your wireless STA to the access point with the same security settings as the AP. This means WEP encryption with Shared Key Authentication.
Step 3. Review the list of packets. Which packet starts the authentication process? Was the authentication successful? Why or why not?
Step 4. Select File → Save All Packets.
Step 5. Save the file as baseline_sharedkeyauth.

Lab Part 3 - Capture a WPA-PSK Authentication

Step 1. Open OmniPeek Personal and start a capture on channel 1.
Step 2. Configure your access point for WPA-PSK with the following parameters:
  Channel 1
  SSID = ap# (where the number is your student number)
  WPA-PSK authentication, passphrase "my wireless network is secure"
  TKIP for encryption
Step 3. Connect your Nokia N800 wireless client to your access point using the same security settings as the access point.
Step 4. Examine the packet capture file.
Step 5. Which packet starts the authentication process?
Step 6. What is the MAC address of the station? The AP?
Step 7. Was the authentication successful?
Step 8. Save the file as baseline_wpa-psk-auth.

Lab Part 4 - Capture web access traffic

Step 1. Open OmniPeek Personal and capture on channel 6.
Step 2. Connect your Nokia N800 wireless client to the classroom AP with SSID HOTlabs.
Step 3. Browse the web on your Nokia N800; you can choose where.
Step 4. View the capture and identify the web sites that other students are accessing. What web sites are the clients connecting to? List at least 3 here.
Step 5. View the payload of the packets. You should be able to see the web sites that are being accessed; this is only possible because the traffic is not encrypted.
Step 6. What application layer protocol is in use?
Step 7. What server is the data being transferred from?
Step 8. What is the IP address of the server?
Step 9. Save the file as baseline_web-traffic.

What you learned in this Lab:
In this lab you learned to use wireless sniffers / protocol analyzers to:
1. Capture data, voice and video traffic
2. Analyze connections between stations and access points
3. Review prerequisite knowledge and ensure you are familiar with how to capture, filter, and analyze wireless traffic