Wednesday, December 30, 2009

Wireless Sniffing with Wireshark

From Chapter 6 of a Syngress book:

-To display only traffic from the client station using the wlan.sa display filter field name, build a display filter that returns only frames with our station MAC address as the source that are not destined to the broadcast BSSID.

The display filter now becomes:
wlan.sa eq 00:09:5b:e8:c4:03 and wlan.bssid ne ff:ff:ff:ff:ff:ff

-wlan.bssid eq 00:11:92:6e:cf:00

-We can apply a display filter to identify all packets that include the SSID “NOWIRE” as shown:
wlan_mgt.tag.interpretation eq "NOWIRE"

-wlan_mgt.tag.interpretation eq "NOWIRE" and !(wlan.bssid eq 00:02:2d:37:4f:89 or wlan.bssid eq 00:40:05:df:93:c6 or wlan.bssid eq 00:40:96:36:80:f0)

-Even when there are no stations participating on the network, an AP will transmit at least ten packets a second to advertise the presence and capabilities of the network.

We can exclude these frames by applying a display filter as shown below:
!(wlan.fc.type eq 0 and wlan.fc.subtype eq 8)
where
wlan.fc.type eq 0 = management frame
wlan.fc.subtype eq 8 = beacon frame
wlan.fc.type eq 2 = data frame

-wlan.fc.protected ne 1 = identify all unencrypted frames

Since management and beacon frames are always unencrypted, we can extend the display filter to identify unencrypted data frames only, which gives the most useful view for analysis:
wlan.fc.protected ne 1 and wlan.fc.type eq 2

-We can identify WEP traffic by identifying any frames that include the mandatory WEP Initialization Vector (IV):
wlan.wep.iv

-We can use a display filter to identify this header by filtering on the extended IV field:
wlan.tkip.extiv

-The airdecap-ng utility (included in the open-source Aircrack-ng suite of tools) is used to rewrite a packet capture that uses the TKIP protocol. Similar to Wireshark’s ability to decrypt WEP traffic, airdecap-ng requires you to have knowledge of either the PSK or the Pairwise Master Key (PMK) in order to decrypt TKIP traffic.

-For airdecap-ng, you can decrypt a TKIP packet capture using the same technique, by specifying the TKIP PMK with the -k parameter or by specifying the PSK with the -p parameter. When decrypting TKIP traffic, you must also specify the network SSID (the -e parameter in the example below).

-Airdecap-ng creates the output file wpapsk-dec.dump, which contains the unencrypted data frames.

airdecap-ng -l -p "dictionary" -e linksys wpask.dump

wlan.sa eq 00:60:1d:1f:c5:18 and wlan.fc.type eq 2

-As a security feature, modern APs using WEP only support open authentication with WEP encryption, because shared key authentication introduces additional vulnerabilities to the network.

-To probe for and list every SSID in the Preferred Network List:
C:\wireshark>tshark -r wireless-rwc-3.cap -nV | grep "SSID parameter set:" | sort | uniq
SSID parameter set: "hhonors"
SSID parameter set: "linksys"
SSID parameter set: "matrix"
SSID parameter set: "rogers"
SSID parameter set: "Rogers"
SSID parameter set: "turbonet"
SSID parameter set: "wldurel"
SSID parameter set: Broadcast

-A display filter to examine only traffic sent to the DS from wireless stations:
wlan.fc.tods eq 1 and wlan.fc.fromds eq 0

wlan.fc.tods eq 1 and wlan.fc.fromds eq 0 and wlan.sa eq 00:13:ce:55:98:ef and arp.opcode eq 1

-From the main Wireshark window, we can use the display filter function to display only malformed frames with the following filter:
malformed

-frames that should only be transmitted by an AP (beacons, reassociation response, probe response)

-frames that should only be transmitted by stations (probe request, reassociation request, association request).

Fuzzing suspicion
e.g. individual frames include values that are not reasonable; frame 278 indicates the beacon interval is 42,281 milliseconds (msec) (BI=42281), which means the AP is transmitting beacons once every 43.3 seconds, as opposed to the standard convention of 10 times per second. Similarly, frame 472 reports a beacon interval of 18,146, or one beacon every 18.1 seconds.
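The wlan.fc.type/subtype, wlan.fc.protected and wlan.fc.tods/fromds filters above, and the beacon-interval sanity check, all read the same 802.11 frame control field. This added example (not from the book or the post) decodes that field from constructed sample frames and applies the same tests; the MAC addresses are reused from the post's filters, the frame bytes and the one-second beacon threshold are assumptions.

```python
import struct

# Constructed sample frames (not captures from the post): 24-byte MAC header
# [FC(2) dur(2) addr1 addr2 addr3 seq(2)] followed by the frame body.
AP = bytes.fromhex("0011926ecf00")        # BSSID used in the post's wlan.bssid filter
STA = bytes.fromhex("00095be8c403")       # station MAC used in the post's wlan.sa filter
BCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def beacon(interval_tu):
    # type 0 / subtype 8 -> FC 0x0080; body = timestamp(8), beacon interval(2), capability(2)
    hdr = struct.pack("<HH", 0x0080, 0) + BCAST + AP + AP + struct.pack("<H", 0)
    return hdr + struct.pack("<QHH", 0, interval_tu, 0x0401)

def data_to_ds(protected):
    # type 2 / subtype 0 with ToDS=1; such frames carry addr1=BSSID, addr2=SA, addr3=DA
    fc = 0x0008 | 0x0100 | (0x4000 if protected else 0)
    return struct.pack("<HH", fc, 0) + AP + STA + BCAST + struct.pack("<H", 0) + b"\x00" * 8

def parse(frame):
    """Decode the fields the post's display filters refer to (wlan.fc.*, wlan.sa, wlan.bssid)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    f = {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
         "tods": (fc >> 8) & 1, "fromds": (fc >> 9) & 1, "protected": (fc >> 14) & 1}
    a1, a2, a3 = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    # Address roles depend on the ToDS/FromDS bits; WDS (both set) is not resolved here
    f["sa"], f["bssid"] = ((a2, a3), (a2, a1), (a3, a2), (None, None))[f["tods"] + 2 * f["fromds"]]
    if (f["type"], f["subtype"]) == (0, 8):
        f["beacon_interval_tu"] = struct.unpack_from("<H", frame, 24 + 8)[0]
    return f

def is_beacon(f):                 # wlan.fc.type eq 0 and wlan.fc.subtype eq 8
    return f["type"] == 0 and f["subtype"] == 8

def is_unprotected_data(f):       # wlan.fc.protected ne 1 and wlan.fc.type eq 2
    return f["protected"] != 1 and f["type"] == 2

def station_to_ds(f):             # wlan.fc.tods eq 1 and wlan.fc.fromds eq 0
    return f["tods"] == 1 and f["fromds"] == 0

def beacon_interval_seconds(f):
    # The interval is counted in time units of 1024 us; 100 TU is the usual ~10 beacons/second
    return f["beacon_interval_tu"] * 1024 / 1_000_000

def suspicious_beacon(f, max_seconds=1.0):
    # Assumed threshold: anything slower than one beacon per second deserves a closer look
    return is_beacon(f) and beacon_interval_seconds(f) > max_seconds
```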
