Wireless Security Testing Section One Tutorial

11.1 Setting Up Hardware

We've discussed hardware earlier in the course. Now let's talk about how to set it up and why it's critical. In fact, it's probably one of the more critical considerations in wireless penetration testing. Maybe not so much in normal penetration testing, but when you're talking wireless, hardware is a very important consideration, because you can't use just any wireless card. Normal cards that you would use for typical wireless connections are fine for just those things. But in order to conduct wireless penetration testing, wireless cards have to have a couple of different capabilities. They have to be able to be put into monitor mode, that is, they have to be able to monitor packets and capture traffic. This is the same thing as the promiscuous mode you've probably heard of before. They also have to have the ability to inject packets into network traffic. This is important for a couple of different attacks that you'll conduct. Basically, packet injection is used for a wide variety of things. One of the main things we want it to do is to cause other stations, the wireless access point and clients, to react differently. We may want to perform deauthentication attacks on them. We may want to have them generate more traffic so we can capture it and have a better chance of cracking keys, for example. So packet injection capability is a must for a wireless card. Now, these two capabilities are not necessarily dependent upon who makes the card. It really doesn't matter whether it's a Belkin card or a Linksys card. What matters is the chipset on the card itself. You can have a wide variety of card manufacturers that use the same chipset, and conversely, you can have tons and tons of chipsets spread out over different wireless cards. You may have one model of a wireless card that works fine and another model of the same card that does not work because of the different chip that is on it. So that's really what you look for on a wireless card: the chipset.
Some chipsets that we discussed already include the Realtek and Atheros chipsets. One we didn't mention that's great is the Ralink chipset. Now, not all versions of these chipsets even work. Some versions of Atheros don't work very well, or they may perform different functions. Maybe some of them can only be put in monitor mode. Maybe some of them can do both, monitor mode and packet injection. Another thing about these cards is that sometimes their functionality is different under Linux versus Windows. The drivers might be there, and the capability might be there to perform these functions under Linux. But because of the way Windows works and the drivers that are implemented for it, they may not perform these functions under Windows. That's typically why we push people toward penetration testing with Linux distributions: you can do so much more with Linux and the drivers in getting the card to do these things. Now, one great site that has a fantastic listing of compatible wireless cards is the aircrack-ng site. Aircrack-ng is probably the most popular tool out there to perform wireless penetration testing, and that's the tool we're pretty much going to focus on during the course. You can assume that if the card is listed on the aircrack-ng site, then it can do monitor mode and packet injection; the listing on the site will tell you that. And if the listing tells you that it can do those things, it's likely that it will also work with other software as well, such as Kismet, for example. If your card is listed on the aircrack-ng site, you can assume that, based upon its capabilities, it'll work with a wide variety of tools, not just Aircrack-ng. So that's a great site, and it has a great listing of compatible wireless cards. Now, Linux traditionally comes with two wireless stacks. We have an older stack that we saw on older distributions of Linux, older kernels: the ieee80211 stack.
And this stack was a little bit wonky. It couldn't perform all the different functions without a lot of other software. And some drivers for older cards were written for it that couldn't do everything you needed them to do. So there were no consolidated functions. It did not work seamlessly between different cards and drivers; it might work well on one and not so well on another. So a new stack was put on some of the newer kernels, the 2.6 kernel and up, I believe, and that's the mac80211 stack. That's a more integrated wireless stack. It works better with wireless card drivers, especially new ones. The functions are more streamlined; it's just a better stack to work with. Some people prefer the older stack based upon the card they're using or the distribution of Linux they're working with. So which stack you use could depend upon your card drivers. It could depend upon the kernel and OS version, the Linux distribution you're using. It may also affect the commands you use. Not all commands will work with both stacks. Pretty much they will, but with some of them there's a little bit of a difference. So it really depends upon which stack you want to work with, but more than likely you're going to work with the mac80211 stack, and both stacks come on BackTrack, for example. You just may have to change your card drivers out depending upon which one you use. Now, some commands that we typically use in either stack to view and configure your wireless cards include the four listed on the screen. We're going to actually go through those in a later session at the command line, and I'll show you some of the different options. Let me talk about them just briefly. The ifconfig command is a general purpose command you need to be familiar with that manages all of your network cards on the system, not just your wireless card, and it can be used to configure things like your IP address, your subnet mask, and general configuration options for the cards. Again, it's not wireless specific.
What is wireless specific are the other three commands: iwconfig, iwlist, and iw. The iwconfig command is a general purpose command you can use to check the status of your wireless card. You can also use it to connect to a wireless network manually, if you don't use the GUI. So ifconfig can give you IP addressing information and so forth and help you configure it, but iwconfig is more wireless specific. You can connect to a wireless network by putting in the SSID, the encryption key, and so forth. The iwlist and iw commands have different functions that allow you not only to configure the card, but also to do things like put it into monitor mode, actually scan the network, and so forth. Again, we'll go through all four of these commands in a later session. But I'm just introducing them to you now so you have an idea of some of the things you'll need to know in terms of fundamentals to manage your wireless cards and set up your hardware.

11.2 Verifying Hardware

So, we've set up the hardware. Now we need to verify it and make sure that it's working correctly, that the drivers are installed properly, and that the card is functioning and doing what we expect it to do. Now, we talked about several commands earlier that we can use to do just this. So let's go ahead and take a look at BackTrack 5 and run some of those commands to make sure that our card is working. All right, in BackTrack 5 we're going to open a terminal, and we're going to run a few commands just to look at how the wireless card's working. The first thing we're going to do is run ifconfig, and this is a general purpose command that looks at all of the interfaces on the system, all the network interfaces that you have, whether they're wired or wireless. So we can see that we have eth0, the loopback interface, and wlan0. So we do have a card showing, and that's the first positive step. If we're showing an interface for the card we've installed, that usually means it's working fine. Let's look at a few other things as well. Let's take a look at iwconfig. We see the extensions again for each card that's attached, but only one will have wireless extensions, and that's wlan0. You can tell it has wireless extensions by the fact that the other two say that they don't, but this one shows that it's an IEEE 802.11bg card. And it shows that it could be connected to an ESSID, which it's not right now. Now, with the ifconfig command, you can change IP addresses, subnet masks, and so forth for any interface attached to the computer, wired or wireless. With iwconfig, that's where you can actually configure the wireless card to attach to a wireless network. It's a command line tool for all of you command line junkies out there. You can also, as we saw before, connect through wicd, the GUI interface, if you choose to.
So you can use iwconfig to check the status of the card, to see if it's connected, and to go ahead and connect it if you want. Now let's go ahead and run another command called iwlist. What it gives us shows that we can use this command in various ways. We can specify the interface and we can go ahead and scan. We can set the frequency and the channel of the card if we like, the power, and so forth. So there are several different things we can do here. This will allow us to configure the card, but it'll also allow us to do a quick scan. Let's go ahead and do that. This is going to take a moment; it's going to scan out on the airwaves and see what's out there. And we got back several things. We got back kind of a dump of all of the different access points that are in the area and a little bit about them. We've got what kind of software they're using, what kind of WPA version, and so forth. So there's a lot of information out there. Here is our VTC access point. It gives us the channel, the frequency, what kind of encryption it's running, and so forth. So the scanning command can basically perform a functional scan really quick and show you that your wireless card is up and working, and it can give you some information. If you like, you can send this output to a text file for later analysis. Or you can go ahead and start putting the card in monitor mode and scanning anyway. Now here's another command, the iw command. This is a command that came out later. Not all wireless cards, extensions, and drivers support this, by the way. It really depends on whether you're using the ieee80211 or the mac80211 wireless stack. So there are a lot of different things this command can do. Again, it can set configuration for the card. It can change different options for you. You can put the card into monitor mode. You can change different aspects, frequencies, channels, power, and so forth with it.
Now, part of the command set for this command is a list command also, so we say iw list and look at what it shows. But let me show you something different: don't get these two commands confused, because they do show you different information. With the iwlist command, we said iwlist, the interface, and scanning. For iw list, this is what we get. All it really shows you is the capabilities of the card itself: what it can do, the frequencies it can use, and so forth. So don't get those two commands confused. They're similar, but they don't do the same thing. Typically we'll use the iw command to put the card into monitor mode and to do some other things with it. And throughout the course we may use it a couple of times to do just that. So those are the typical four commands you want to know, the basic commands, to make sure your wireless card is installed correctly, configured, and that it functions. And you can perform a quick scan as well with them.

11.3 Monitor Mode pt. 1

Before we actually start scanning the wireless network and capturing traffic, the first thing we do is put the card in monitor mode. This mode is similar to what you've probably heard of before, the promiscuous mode wired network cards may be in, where the card can monitor the network and capture all traffic regardless of whether it's destined for that network interface or not. So it'll basically sniff the network and capture everything. That's monitor mode for a wireless network. Now, there are several different ways we can do this, obviously. In Linux in particular, there are always several different ways to do anything. One way might be the app itself that you're using, the application or program, to put the card in monitor mode. Kismet, which we've seen before in our earlier demonstration, actually does that. It goes ahead and puts the card in monitor mode if it's not already. The iwconfig command can also put cards in monitor mode, but it can't put all cards there, because of the drivers, or maybe because you're using the ieee80211 stack versus the mac80211 stack. For the particular card we're using, iwconfig will not put it in monitor mode, but I'm going to show you that anyway so you can see the error that comes up. The iw command can also put a card into monitor mode, and I'll demonstrate it during this first part as well. During our second part on monitor mode, we'll look at airmon-ng and what we need to do to put the card into monitor mode using that command. So let's go ahead and take a look at some of the ways we can put a card into monitor mode for wireless scanning. Okay, we're at a terminal prompt in BackTrack. I wanted to show you first that when we run iwconfig by itself, you can actually see the wireless card there. And we see that the mode is Managed right now, and that's helpful to know because we'll want to look at this again later.
You can also use iwconfig for some cards, depending upon the driver and the wireless stack you're using, to put it in monitor mode. What you do is simply run iwconfig wlan0 mode monitor. Now, I can tell you up front that this command is not going to work with the card we're using and the wireless stack we're using. You're going to get an error like this. And that's fine; there are plenty of other ways to go ahead and place the card into monitor mode. One other way we can do it, that we'll use, is the iw command. We'll say iw dev, for device, and then we'll mention the device, and we'll say interface add, because we want to add an interface, and we'll go ahead and give the name of the interface as mon0, and we want to set the type to monitor. Now that's a little bit of a long command, but it's not too hard to use once you get used to it. And that will put wlan0 into monitor mode with another interface. Okay. How we can check that is to run iwconfig again. What we see is a monitor interface there, mon0, in addition to the wlan0 interface. Now, we may want to take it out of monitor mode, and that's actually easier to do. We would go iw dev mon0, and then we'd say del, for delete. And that would take it out. So let's type in iwconfig again, and we see that wlan0 is now the only wireless interface that's there; mon0 is gone. Now again, as I mentioned before, Kismet can also put an interface into monitor mode, as can other applications that do wireless scanning. Now, the most popular application that we'll use to put the card into monitor mode is, of course, airmon-ng. That's part of the Aircrack-ng suite. In our next session, we'll go ahead and look at how to do that, how to set that up and put the card into monitor mode.

11.4 Monitor Mode pt. 2

In the second part of our discussion on monitor mode, we're going to look at using airmon-ng, part of the Aircrack-ng suite, to put the card into monitor mode so we can start scanning and capturing traffic. Now, earlier we looked at how to do it with Kismet as well as iw. So now we're going to use the command that we'll probably use most often during the course, and that's airmon-ng. Let's go ahead and take a look. We're back in BackTrack, and we're going to go ahead and type in airmon-ng by itself. By itself it gives us the interfaces that are out there that airmon-ng can use. Right now we have one interface, wlan0, and it's using the Realtek driver. We're going to go ahead and put that into monitor mode, but there are a few things we want to look at first. Before we do anything, let's look at airmon-ng's help, so you can see how many options are out there. When looking at airmon-ng, you can see that it can do several things. It can start monitor mode on an interface. You can also stop monitor mode on an interface. It'll also check and see if there are any processes out there that may interfere with the operation of monitor mode. You might specify the interface, and you can also specify the channel or frequency. Now, before we put the card in monitor mode, let's run a check to see what processes are out there that may interfere with the operation of the card. So we would go airmon-ng check. And there are three processes, or rather, two processes out there that may interfere with the card's operation while in monitor mode, and these really are the DHCP clients. When the interface is a DHCP client and expecting to get an IP address, some of these processes can interfere with the card. What we would do now, then, is we could go ahead and run it and take our chances, or we could go ahead and kill those processes. Now, we could do kill -9 with the PID and kill it.
But airmon-ng has a built-in way that it doesn't mention in the help that you can do this. So, let's go back to airmon-ng check, and if we add kill after it, it'll go ahead and kill those processes right there: check and kill them. Again, you could just use the old kill command with the process ID and do it as well; up to you. Now that we've killed those processes, we want to go ahead and start monitor mode on wlan0, and how we do this is we say airmon-ng start wlan0. It starts up, and we get a little note that says monitor mode enabled on mon0. Now, how do we check this? iwconfig, of course. That'll tell us that we have a mon0 interface there. Now, occasionally you may want to stop this monitoring interface and connect to a normal wireless network, or you may want to stop it if you have issues or change programs. So sometimes it's a good idea to do that. Stopping it is just as easy as starting it. You would go airmon-ng stop, and you wouldn't say wlan0, as you did before when you started. You'd actually stop the mon0 interface. Once you do that, it tells you that it's removed the mon0 interface. So airmon-ng is very easy to use, and you'll see us use it throughout the rest of the course to put our wireless card into monitor mode to start scanning and capturing traffic.

11.5 Scanning

Before you actually start capturing traffic on wireless networks, it's a good idea to perform passive reconnaissance on them. A good way to do that is to scan just the wireless networks you have around you in the area, because you can actually get some pretty good information from them. That way, when you do your traffic captures, you can target specific networks or wireless access points. Now, there are a couple of different tools available to accomplish this. And keep in mind that the Aircrack-ng suite can also do this for you. I'm just trying to give you some options in case you want to try different tools. So the two tools we're going to look at right now are tools we've discussed previously, iwlist and iw dev. I'll show you how to scan for wireless networks using those two tools. We're in BackTrack now at our terminal. One thing I want you to notice, since I did an iwconfig, is that we no longer have a wlan0. We have a wlan1. Sometimes that will happen if you switch USB ports with a USB wireless device. So, just to let you know, there's no need to panic. It's really the same device. Now it's just called wlan1 instead of wlan0, and you have to reference it that way. Now that we've run iwconfig to make sure that we have a properly configured wireless device, let's go ahead and scan with that device. Now, if you just said iwlist wlan1 scanning, you'd get a lot of information come by the screen really quick, and unfortunately it wouldn't be formatted well. So what you might want to do is send this to a text file for later reference. What I might do is tack a redirect to scan1.txt on the end there, and it'll send the output to that file. The reason you want to do this is actually to document everything that you're doing, and to go back and reference it later if you need to. Let's use gedit really quick to look at this text file. And what you see is that we have all the information here that we got from the screen.
It's a little bit better formatted, but what I want to do is look for the VTC wireless access point that I know is out there, to show you some information. So we have the VTC access point that it's picked up, with the address and the channel, which is channel three, and the frequency. We know the encryption key is on, so we do have encryption. And we have the ESSID of VTC. So that's the right one. We can get some information from this. We'll also get information on every other one out there too. Now, one thing I want to show you is the difference between the VTC one and another one. If we look up here, we see that the encryption key is on, but it doesn't really give us any information. Down here there is another wireless access point that's near me, texaspride, and it shows that it's WPA2. So that's kind of how you can tell that VTC is using WEP: because it doesn't specify TKIP or CCMP, preshared key, and so forth. So that's kind of an indicator right there that VTC is probably using WEP. Let's go ahead and close this. What I want to do also is run a scan with iw dev, so we go iw dev wlan1 scan. Again, if we just try to do this like this, we're going to get a lot of information out on the screen. So let's go ahead and send this to a file also; let's send this to scan2 and then gedit it again. Now, you can look at this in any text editor you like; gedit just happens to be convenient for me. It's on BackTrack and it's easy to read. Now, one thing you'll see is that there is pretty much some of the same information, but there's also some different information on here. Let's do a search on VTC again. And we get a little bit more information, some more detailed information, in fact. We still see that the SSID is VTC, channel three, and we get the supported data rates on here. 54 tells us that it's pretty much a G wireless router.
But one cool thing about doing it this way is there's some other information you can get that may help you. We know that it's using Wi-Fi Protected Setup, or at least it's capable of it. Now here is something interesting. We get the manufacturer, Linksys, and the model of the wireless router. This can be helpful if we're trying to explore any weaknesses that the wireless router may have, any weaknesses in firmware or configuration that we could exploit later. So now we actually have the model number of the wireless router. And there's a lot of information down here that we can get, a lot of technical information that tells you its transmission and reception capabilities and so forth. So just keep that in mind: you can get a lot of information from those two scanning commands. And since we know now that VTC is on channel three, that can help us narrow down how we capture traffic from it. We don't have to scan the entire eleven channels. We can just scan on channel three and capture that particular traffic. So we can go ahead and get out of here and back to our command prompt. And that basically is how to scan with iwlist and iw.
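The scan output from 11.2 and 11.5 is easier to keep as a record if you parse it instead of reading it by eye in gedit. This is an added example, not code from the course: a small Python parser for iwlist scanning output that applies the rule of thumb above (Encryption key:on with no WPA/WPA2 IE means the AP is probably WEP). The scan text, SSIDs and MAC addresses are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout iwlist prints; addresses and names are made up.
SAMPLE_SCAN = """\
wlan1     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:3
                    Frequency:2.422 GHz (Channel 3)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:on
                    ESSID:"VTC"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 54 Mb/s
                    Mode:Master
          Cell 02 - Address: 66:77:88:99:AA:BB
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:on
                    ESSID:"texaspride"
                    Mode:Master
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:off
                    ESSID:"coffee-guest"
                    Mode:Master
"""


@dataclass
class Cell:
    bssid: str
    essid: str = ""
    channel: int = 0
    signal_dbm: Optional[int] = None
    encryption_on: bool = False
    ies: List[str] = field(default_factory=list)      # "IE:" lines (WPA/RSN info)
    ciphers: List[str] = field(default_factory=list)  # group + pairwise ciphers


def parse_iwlist(text: str) -> List[Cell]:
    """Split iwlist scanning output into one Cell per access point."""
    cells: List[Cell] = []
    cur: Optional[Cell] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cur = Cell(bssid=m.group(1).upper())
            cells.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Channel:"):
            cur.channel = int(line.split(":", 1)[1])
        elif line.startswith("ESSID:"):
            cur.essid = line.split(":", 1)[1].strip('"')
        elif line.startswith("Encryption key:"):
            cur.encryption_on = line.split(":", 1)[1] == "on"
        elif "Signal level=" in line:
            sig = re.search(r"Signal level=(-?\d+) dBm", line)
            if sig:
                cur.signal_dbm = int(sig.group(1))
        elif line.startswith("IE:"):
            cur.ies.append(line[3:].strip())
        elif line.startswith(("Group Cipher", "Pairwise Ciphers")):
            cur.ciphers.extend(line.split(":", 1)[1].split())
    return cells


def classify(cell: Cell) -> str:
    """Apply the instructor's heuristic: key on but no WPA/RSN IE -> likely WEP."""
    if not cell.encryption_on:
        return "OPEN"
    if any("WPA2" in ie for ie in cell.ies):
        return "WPA2"
    if any(ie.startswith("WPA Version") for ie in cell.ies):
        return "WPA"
    return "WEP?"


def channel_of(cells: List[Cell], essid: str) -> Optional[int]:
    """Channel to pass to airmon-ng / airodump-ng -c for a named network."""
    return next((c.channel for c in cells if c.essid == essid), None)


def inventory(text: str) -> List[tuple]:
    """(ESSID, BSSID, channel, security) rows, the summary you'd keep for the report."""
    return [(c.essid, c.bssid, c.channel, classify(c)) for c in parse_iwlist(text)]


if __name__ == "__main__":
    for row in inventory(SAMPLE_SCAN):
        print("%-14s %s ch%-2d %s" % row)
```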

11.6 Capturing Traffic pt. 1

Before we start attacking wireless access points, their networks, and their clients, we actually have to get some good data to do this with. In order to crack WEP and WPA, we have to capture traffic, sometimes a lot of traffic. Now, how do we do this? We use airodump-ng or Kismet, because those are the de facto programs we typically use in Linux and BackTrack to capture traffic. Now, we've already taken a look at Kismet and saw how it captured traffic. Let's go ahead and take a look at airodump-ng. We'll look at airodump-ng capturing live traffic, and then later we'll send that traffic to a file and look at it in something like Wireshark, for example, so we can analyze it. So let's take a look at airodump-ng and how it captures traffic now. Okay, we're back in BackTrack. As you can see, I've run iwconfig, showing our wlan1 interface. What I want to do is run airmon-ng to make sure nothing's up there. Nope, everything is fine. Now I'm going to run airmon-ng start to put wlan1 into monitor mode. But one thing I'm going to do is specify a channel. We saw in our earlier scans that the VTC access point is using channel three. So we can specify channel three for monitor mode; that way, when we capture traffic, that's the channel we'll focus on. Okay, we've got monitor mode going. Now let's look at airodump-ng. Before we look at airodump-ng, I want to show you some of the options you can use when you capture traffic with it. We've got a lot of different options available to us. We can filter traffic by a wide variety of things. We can save traffic by initialization vectors only; we can use GPS. There are a lot of different options and configuration switches that we can use with this. We can filter APs by the encryption type, by the BSSIDs, and so forth. So there are a lot of different things we can do with airodump-ng, and you're only limited by your imagination and how you want your capture files to look. So let's go ahead and start a capture.
I'm just going to start a simple live capture. We're going to make sure it's on mon0, and I want to specify the channel once again. We do this by saying -c and then channel three, because that's the channel we're monitoring on. Let's add the -ng on there just for good measure. Okay, now we see that we're collecting some traffic here. We're going to have to expand our window out a little bit so you can see everything, and let's scroll over a bit. Now, what we see up top is channel three and the time we've been scanning it, and it'll date and time stamp the scan as well. We see the BSSIDs we're seeing on channel three, and their power. We also are getting their beacons pretty fast. We see the amount of data we've collected, the channel they're residing on, and we see how much bandwidth is available on the access point. These are obviously 802.11g because they have 54 megabits specified. Now, we also see the encryption type, which is WEP in VTC's case, and the cipher as well. There are other ones that we see on channels near here, because we're not just getting channel three, obviously; we're getting channels one, two, and six, because there is some channel overlap with the frequencies. But we're seeing WEP for VTC. For the other ones we see WPA2, CCMP, preshared key on these other ESSIDs available to us. We see a thunderbird, a Netgear, and the texaspride one. Now, below, we see the different clients that have attached themselves, or associated themselves, with the different access points. Some of them are not associated; they're just sending out probes to talk to different access points to see what's out there. You can see the probe coming from the client right down there. And in some cases you do have some clients that have associated themselves with different access points. Now, we'll be able to get a lot more information when we actually look at the capture itself later.
Let's go ahead now and send the capture to a file for later analysis in Wireshark. There's not much to this; all we do is say airodump-ng mon0, and we might specify channel three, and we also want to put a -w and specify the capture file. That means write to a capture file. So we'll say something like test_cap, and that'll be our capture file. So we send that, and we still get the live capture, but we're also sending it to a file at the same time. We're not going to look at the capture at this moment. We'll look at it in our next session, and we'll see how it looks in Wireshark, and we'll look at and see some of the details of the capture itself. So that's capturing using airodump-ng. It's not very difficult, and you can see what it brings up here, but you're not seeing the detail that you need to see. So really, airodump-ng is not used for analysis. It's used simply to capture the traffic. You'll analyze it later in something like Wireshark.

11.7 Capturing Traffic pt. 2

Now we've used error dump NG to capture traffic, I want to show you how to use Wireshark as well. Now you might think because Wireshark's a GUI that hey, why don't I just use that instead so I don't have to remember all the commands for error dump. Now you could do that, but you're going to get a lot of information in Wireshark. Airodump can actually limit and filter the information you get into the capture file. So most people will use Airodump to capture the traffic itself and then analyze it later in Wireshark. Now, you can use Wireshark during a live capture, and that's okay. But you're going to see a lot of information and it may not be as filtered as you would like. It really depends upon what you're looking for and how you want to use it. Let's go ahead and use Wire Shark now to capture some traffic. okay we're back in back track of course, and IW config shows us with WLAN 1 up and I've already put the card into monitor mode. Now What we want to do is go to WireShark. Which is very easy to do. And what we want to do is choose the correct interface. And in this case, we're going to choose, MON0 because it is in monitor mode. Choosing WLAN1 will not get us what we want to see. So let's go to start, and we're going to get a ton of traffic here. Now some things that we'll point out right now that you'll be able to see include the protocol which is 802.11 because we are basically capturing traffic at the layer two level which is where 802.11 traffic is. The layer two, the OSI model. We see our number and that's really just a reference number for the particular frame we've captured. We see a time index and these are relative time indexes to the start of the capture and the end of the capture. You can go and then configure this for actual time date stamps but it may or may not be of use to you why you're actually capturing traffic. That might be useful later when you intend to go and look at the traffic. 
And try to put together a timeframe if you're doing some sort of forensic analysis, for example. Here is your source, your source is going to have the MAC address. Notice there are no IP addresses here because we are, again, are capturing layer two information. Now in cases where wire shark can figure it out, we have the first part of the MAC address, which is the manufacturer's Unique ID there already put in here for us. So we know that we see some Apple, some Cisco, and some Belkin cards out there. The remainder of that address is the unique hardware address for the wireless card itself. Now in this column we have broadcast, or destination information rather, and most of it is going to be broadcast. Some of it is sent back and forth to particular devices. Protocol obviously 802.11, the length of the frame itself, and if we scroll over a little bit, the type of frame that it is. Now if we wanted to try to snag one of these really quick, we could take a quick look at it. But most of the time you're really going to want to look at this later after your traffic capture has been stopped. Just like when we saw airodump. It's very difficult to get an idea of what's going on while you're watching it live being captured. And airodump doesn't give you the level of detail that Wireshark does obviously. You just see the numbers change pretty much with airodump. But it's collecting these packets And its you know, its obviously collecting everything you're just not being displayed with everything. Even in Airdump you don't analyze base upon what you seeing live on the screen. Now, if there's a particular thing you're looking for you may watch for it in WireShark or Airdump just to see When a client comes on and off the network and so forth but typically you're not going to do that. So that's collecting traffic in Wireshark and there are advantages, again, to using either Wireshark or Airodump. On Airodump you have much more filtering options. 
You can also filter in Wireshark, but there you're filtering what you're collecting live, or filtering a capture down to something you can read, whereas airodump-ng can capture only the information you want in the first place. So either way is good: you can use the GUI, or you can use airodump-ng, but either way you're probably not going to do your analysis in airodump-ng; you're going to do that in Wireshark, more than likely. So we've seen some good traffic collected here, and in later sessions we'll actually look at some capture files and break this traffic down to see what it looks like, something we'll call traffic analysis. So that's capturing traffic in Wireshark; previously we looked at airodump-ng, and now you know how to capture traffic from a wireless network.

11.8 Viewing Traffic Captures pt. 1

Now we're at the point where we want to actually view some of the traffic captures that we've been taking over the last couple of sessions. The wireless traffic captures that we'll see allow us to view frames from 802.11 networks, which happen at Layer 2 of the OSI model. This is important for you to know, because you're going to see a lot of things that may not make sense if you're used to seeing traffic from higher layers in the model, such as DHCP, TCP, and so forth. You may still see some of that, but we're really focusing on the frames at Layer 2. Typically you don't see upper-layer protocols and data from those layers until authentication and association with the wireless access point have been achieved and you've obtained an IP address and are talking on the network. We're going to try to see how the wireless frames look before that happens. There are several types of frames that we'll talk about and look at, and some that should be examined when you're doing traffic analysis to see if you can glean data from the network that you can use: to crack WEP keys and WPA keys, to do reconnaissance on the network, and so forth. Keep in mind that this is a very short, sweet, to-the-point surface view of viewing traffic captures. We're not going to make you experts; there's a lot to know. We're just going to cover a few of the finer points of wireless traffic, the frames and so forth, without going too deep on any one thing. I would definitely encourage you to study traffic captures in depth, and how to analyze and interpret them, when you have the time to do so, because it's going to be very important to you as you become a wireless penetration tester. Having said that, let's go look at a few types of frames.
The first thing we have is the beacon frame, and you'll see tons and tons of these in your capture because an AP sends them out many times per second, maybe ten frames a second or so. What they are used for is to keep the entire wireless network that the AP controls timed and synchronized. So you'll see these beacon frames go out almost continuously; you'll see a lot of them. We'll take a look at beacon frames in the next session when we actually view the packet captures. Next, probes are sent by clients to scan for APs or, in the case of ad hoc networks, for other clients that they can join with. You have probe request frames, which are sent by the clients (also called stations) to APs or to other stations. Then you have the probe responses, which are sent out as replies back from the APs; once again, in the case of ad hoc networks, these probe responses are also sent by other clients back to the requesting client. You also have authentication frames, and these are very important because you'll want to look at them when you're analyzing traffic. They are used to negotiate authentication with both open and shared key systems, so if you're negotiating with WEP or WPA you'll see authentication frames, and you're looking for those. There are also deauthentication frames, and you'll see those when a client is deauthenticated from the access point for various reasons. Maybe the authentication is no longer valid, maybe the key has changed; there are various reason codes in the frame that you can look at to see what the reason is. We also have association frames. After a client has authenticated with the wireless access point, the two associate, and that makes the client join the wireless network. Again, you have two types of association frames: a request and a response.
Obviously the association request comes from the client to the access point, and the association response comes from the access point back to the client. You also have something called disassociation frames, and these are sent when a client leaves a wireless network. Maybe it goes to another wireless network, maybe it's during shutdown of the client, and so forth; either way, you'll see those when a client leaves the wireless network. There are plenty of other frames out there that we could discuss and look at, and some we won't even mention. But another important one is the data frame, and there are various types of data frames that carry different information. This is typically where you might see some of the upper-layer protocols that you're used to seeing, things like DHCP, TCP/IP connections, and so forth. So it contains the upper-layer data, Layer 3 through Layer 7 in other words, and only after authentication and association with an access point. Some other types of frames that we probably won't talk about, but may see in the traffic capture, are null frames, QoS frames, and so forth. Again, there are lots of different frame types out there, some we haven't discussed and some we don't need to for our purposes during this course. But if you get heavily into traffic analysis, you'll want to know how these work.
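To make the frame taxonomy above concrete, and to show where the per-type counters that airodump-ng displays (discussed in the Wireshark section earlier) come from, here is a small classifier that reads the type/subtype bits of the 802.11 Frame Control field and tallies a capture by frame name, and that decodes the reason code carried in deauthentication and disassociation frames. This is an added example, not code from the course; the frames it runs over are constructed here with hypothetical addresses, not taken from the course's capture, and it uses only the Python standard library.

```python
"""Classify 802.11 frames by the type/subtype bits of the Frame Control
field, tally them the way airodump-ng's counters do, and decode the
reason code carried by deauthentication / disassociation frames.

Added example; the frames below are constructed, not captured.
"""
import struct
from collections import Counter

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    0: {0: "Association Request", 1: "Association Response",
        2: "Reassociation Request", 3: "Reassociation Response",
        4: "Probe Request", 5: "Probe Response", 8: "Beacon",
        10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
        13: "Action"},
    1: {9: "Block Ack", 11: "RTS", 12: "CTS", 13: "Acknowledgement"},
    2: {0: "Data", 4: "Null function", 8: "QoS Data", 12: "QoS Null"},
}
# Reason codes from the 802.11 standard that show up most often in captures
REASON_CODES = {1: "Unspecified reason",
                2: "Previous authentication no longer valid",
                3: "Deauthenticated because sending STA is leaving",
                4: "Disassociated due to inactivity",
                6: "Class 2 frame received from nonauthenticated STA",
                7: "Class 3 frame received from nonassociated STA",
                8: "Disassociated because sending STA is leaving BSS"}


def parse_frame_control(frame):
    """Decode byte 0 (version/type/subtype) and byte 1 (flags) of the MAC header."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return {
        "type": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype": SUBTYPE_NAMES.get(ftype, {}).get(subtype, f"subtype {subtype}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08), "power_mgmt": bool(flags & 0x10),
        "protected": bool(flags & 0x40),   # set on encrypted (WEP/WPA) data frames
    }


def deauth_reason(frame):
    """Reason code: first two bytes (little-endian) after the 24-byte management header."""
    fc = parse_frame_control(frame)
    if fc["subtype"] not in ("Deauthentication", "Disassociation"):
        raise ValueError("not a deauth/disassoc frame")
    (code,) = struct.unpack_from("<H", frame, 24)
    return code, REASON_CODES.get(code, f"reason {code}")


def summarize(frames):
    """Per-subtype counts for a capture: the numbers you watch change in airodump-ng."""
    return Counter(parse_frame_control(f)["subtype"] for f in frames)


# ---- constructed sample capture (hypothetical addresses) ----
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6


def mgmt(subtype, a1, a2, body=b""):
    fc0 = 0x00 | (subtype << 4)               # type 0 = management
    return bytes([fc0, 0x00]) + b"\x00\x00" + a1 + a2 + AP + b"\x00\x00" + body


def data(subtype, flags):
    fc0 = 0x08 | (subtype << 4)               # type 2 = data
    return bytes([fc0, flags]) + b"\x00\x00" + STA + AP + AP + b"\x00\x00"


ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + STA  # control frames carry no body

CAPTURE = (
    [mgmt(8, BCAST, AP)] * 10                  # beacons dominate any capture
    + [mgmt(4, BCAST, STA), mgmt(5, STA, AP)]  # probe request / response
    + [mgmt(11, AP, STA), mgmt(11, STA, AP)]   # authentication exchange
    + [mgmt(0, AP, STA), mgmt(1, STA, AP)]     # association request / response
    + [data(0, 0x41)] * 3                      # ToDS + Protected (encrypted) data
    + [data(4, 0x11)]                          # null function with power-mgmt bit set
    + [mgmt(12, STA, AP, struct.pack("<H", 2))]  # deauth, reason code 2
    + [ACK] * 4
)

if __name__ == "__main__":
    for name, n in summarize(CAPTURE).most_common():
        print(f"{n:4d}  {name}")
    print(deauth_reason(CAPTURE[-5]))
```

The same decode is what a wireless IDS does when it watches for deauthentication floods: a burst of deauthentication frames carrying the same reason code toward many clients, with no matching client activity beforehand, is the signature a defender alerts on.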

11.9 Viewing Traffic Captures pt. 2

Now that we've talked about the different kinds of 802.11 frames that we can see during a traffic capture, let's go ahead and take a look at such a capture. Capture files should be looked at using a network protocol analyzer, and the best one, as we mentioned, is probably Wireshark, although you can open them in a wide range of other software. You can also get traffic captures from a number of sources: tcpdump, Kismet, which we've already looked at, and obviously airodump-ng. You don't typically want to look at those captures while they're live and running, because they're not going to make a lot of sense to you unless you're looking for something very specific and know it when you see it. Now let's go ahead and look at a traffic capture in Wireshark. Okay, we're back in Wireshark here, and there are a couple of things I want to show you that we discussed; we'll talk about some of the frames we covered earlier. The first one is a beacon frame. As you can see, in this pane we have the traffic itself, then in the middle pane we have the breakdown of the frame, and finally in the last pane we have the raw data. So it pretty much looks the same as it would in a wired network capture, except you're looking at the lower-level protocols rather than the higher-level ones. If you take a look at what's in this beacon frame, you can drill down into it a little. You can see it's a management frame, obviously, and it carries the information that characterizes the access point: the transmitter is an AP, the transmitter belongs to a basic service set, and here's one that's important: the privacy bit is set to one, so you can tell that it's doing WEP. There are other things you can look at as well if you drill down a little further. You can look at the SSID parameter, which is set to VTC, and there's a whole host of information here that, once you get very familiar with looking at these packet captures, you'll want to take a look at.
Right here are the supported rates, and you can see we have 54; that indicates the highest data rate, and it tells you that this is an 802.11g access point. Channel 3, obviously. So you have some information here that's actually pretty useful, and if you look through here you can see a little more information about the access point and some of the clients that may connect to it. Another one that we need to look at is the probe request and response pair, and we have one right here. The probe request is what the client actually sends out, so you can look through it and see what the client might send: we see it targeted at the SSID VTC, different information about the supported data rates, obviously, and some other parameters. So there's not a lot in the probe request; let's look at the probe response. It's a lot of the same thing. The probe request talked about the data rates and so forth that the client can support; the probe response talks about what the AP can support. If you look through here you'll see that WEP is mentioned again, and so forth. To be honest with you, it's a lot of the same information that's in the beacon frame. There's some useful information in there if you need it: a lot of technical detail about what kinds of rates the access point supports, what kinds of encryption, and so forth. Now a probably much more important frame for our purposes is the authentication frame, and we have one here that we'll look at. That's typically the first frame sent when a client wants to connect to a wireless network. You can see there is some information here that's actually pretty good: we see Authentication Algorithm: Open System. That means the VTC access point is using open rather than shared key authentication.
Open means that any client can authenticate to it, and then once it starts passing data, the data is encrypted with WEP if WEP is enabled. If it's shared key, then the authentication itself has to be encrypted, so with shared key there is a real authentication step; if it's open there's no authentication as such, only the data is encrypted. So with open authentication, any access point can be authenticated to from any client. That's interesting to know. Then you have acknowledgement frames throughout here; throughout the entire conversation, whenever a frame is sent, there's always an acknowledgement. Here's another authentication frame, and you have your source and destination addresses, obviously. You can go down through here and see it's an open system once again, and some interesting things through here. If we look down further we'll also see association requests, and we get a lot of information from those as well: they talk about support for WEP, whether it's an AP or not, the channel, modulation, and so forth. So you've got a lot of different information here; it's some interesting stuff. One more thing about the authentication frame is probably good to look at. Let's take a look at the frame information down here, and we get some information on the algorithm, as I said, open, and so forth. So you get some good stuff. Now if we go on down, there are some other types of frames as well that we can look at. There are null function frames, obviously; those are typically used when a client goes into power-saving mode, for example. Now let's look at a data frame for just a second, because this is one thing I wanted to point out. Look down here and you'll see that this data frame is encrypted. Look at what you see: WEP parameters, the initialization vector, the key index, and the WEP ICV. These are what we're after when we want to collect enough data to crack WEP. This is the keys to the kingdom right here, or at least part of it.
It's not everything, but it's part of it. We want to collect enough of these types of packets to be able to crack WEP; we'll get on to WEP cracking later, but this is something we're after right here. So watch for data frames that have this in them. And that's essentially a quick, down and dirty view of a packet capture, or traffic capture rather, of wireless communication between a client and a wireless access point.
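The walkthrough above reads several fields out of Wireshark's middle pane by eye: the beacon's privacy bit, SSID, supported rates and channel; the authentication algorithm (Open System versus Shared Key); and the WEP IV, key index and ICV of a protected data frame. Here is the same decoding done from the raw frame bytes, so you can see exactly where each value sits in the frame. This is an added example, not code from the course; the frames are constructed here with hypothetical MAC addresses and sample values (the only value taken from the course is the SSID "VTC"), and it uses only the Python standard library.

```python
"""Decode the beacon, authentication and WEP data-frame fields that the
Wireshark walkthrough points at, straight from raw 802.11 frame bytes.

Added example with constructed frames; standard library only.
"""
import struct

# Tagged-parameter (information element) IDs used below
IE_SSID, IE_RATES, IE_DS_PARAM, IE_EXT_RATES = 0, 1, 3, 50
CAP_PRIVACY = 0x0010          # capability bit 4: the "privacy" bit Wireshark shows
MAC_HDR = 24                  # 3-address header, no QoS field


def parse_ies(body):
    """Yield (tag, value) pairs from a tag/len/value list; stop on a truncated tail."""
    off = 0
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        val = body[off + 2: off + 2 + ln]
        if len(val) < ln:
            break                      # truncated element: stop rather than misparse
        yield tag, val
        off += 2 + ln


def parse_beacon(frame):
    """Beacon / probe response: timestamp, interval, capabilities, then IEs."""
    body = frame[MAC_HDR:]
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = {"beacon_interval_tu": interval, "privacy": bool(cap & CAP_PRIVACY),
            "ssid": None, "rates_mbps": [], "channel": None}
    for tag, val in parse_ies(body[12:]):
        if tag == IE_SSID:
            info["ssid"] = val.decode("utf-8", "replace")
        elif tag in (IE_RATES, IE_EXT_RATES):
            # each byte is a rate in 500 kbit/s units; the high bit marks a basic rate
            info["rates_mbps"] += [(b & 0x7F) / 2 for b in val]
        elif tag == IE_DS_PARAM and val:
            info["channel"] = val[0]
    rates = info["rates_mbps"]
    info["max_rate_mbps"] = max(rates) if rates else None
    # 54 Mbit/s on a 2.4 GHz channel (1-14) is the 802.11g ceiling the text refers to
    info["looks_like_11g"] = (info["max_rate_mbps"] == 54
                              and info["channel"] is not None and info["channel"] <= 14)
    return info


def parse_auth(frame):
    """Authentication frame fixed fields: algorithm, sequence number, status code."""
    algo, seq, status = struct.unpack_from("<HHH", frame, MAC_HDR)
    return {"algorithm": {0: "Open System", 1: "Shared Key"}.get(algo, f"algorithm {algo}"),
            "seq": seq, "status": status}


def parse_wep_data(frame):
    """WEP-protected data frame: IV(3) + key-id byte, ciphertext, 4-byte ICV trailer."""
    protected = bool(frame[1] & 0x40)        # Protected Frame flag in the FC flags byte
    if not protected:
        return {"protected": False}
    iv = frame[MAC_HDR:MAC_HDR + 3]
    key_index = frame[MAC_HDR + 3] >> 6      # key ID lives in the top two bits
    return {"protected": True, "iv": iv.hex(), "key_index": key_index,
            "icv": frame[-4:].hex(), "ciphertext_len": len(frame) - MAC_HDR - 4 - 4}


# ---- constructed sample frames (hypothetical addresses) ----
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6


def mac_header(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"


def ie(tag, val):
    return bytes([tag, len(val)]) + val


BEACON = (mac_header(0x80, 0x00, BCAST, AP, AP)
          + struct.pack("<QHH", 0x1234, 100, 0x0001 | CAP_PRIVACY)   # ESS + privacy
          + ie(IE_SSID, b"VTC")
          + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
          + ie(IE_DS_PARAM, bytes([3]))                               # channel 3
          + ie(IE_EXT_RATES, bytes([0x30, 0x48, 0x60, 0x6C])))        # up to 54 Mbit/s
AUTH = mac_header(0xB0, 0x00, AP, STA, AP) + struct.pack("<HHH", 0, 1, 0)
WEP_DATA = (mac_header(0x08, 0x42, STA, AP, AP)       # FromDS + Protected
            + bytes.fromhex("a1b2c3") + bytes([0x40])  # IV, key index 1
            + b"\x00" * 20 + bytes.fromhex("deadbeef"))  # ciphertext, ICV

if __name__ == "__main__":
    print(parse_beacon(BEACON))
    print(parse_auth(AUTH))
    print(parse_wep_data(WEP_DATA))
```

Two things worth noticing in the parsers: the privacy bit only tells you that encryption is in use, not which kind (WEP versus WPA is distinguished by the presence of an RSN or vendor-specific WPA element, which this example does not decode), and the 24-bit IV is why WEP falls: with so few IVs, a busy network repeats them quickly, which is exactly why those data frames matter.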
