WLSAT Section 1
01 - Wireless Packet Captures & Connection Analysis Review.v7 © 2006 Institute for Network Professionals 1/12/11 1 www.inpnet.org • www.HOTLabs.org
Section 1 Wireless Packet Captures & Connection Analysis- A Review
Many of you will have already used many of these tools, or at least had some experience with them in previous CWNP or vendor wireless training. To bring everyone ‘up to speed’ we’ve included this section as a review of the various tools and techniques for capturing packets traversing the 802.11 network. We’ll start with some simple packet capture and filter creation, and lead on to baselining your wireless network with some ‘standard’ baseline captures. We’ll cover some of the software packages included in your kit: WildPackets OmniPeek Personal, AirDefense Mobile, and Wireshark to start with.
Lab 1.1: View an Open Authentication packet capture
OmniPeek Personal demonstrates the benefits of a powerful, well-designed network analysis tool and its analysis capabilities. Used to increase the visibility into wireless and wired network traffic on non-commercial networks, OmniPeek Personal allows users to experience how the OmniAnalysis Platform pinpoints and analyzes network problems. OmniPeek Personal provides an introduction to the superior high-level views of WildPackets Expert Analysis which make the identification of network problems simple and quick.
Product Information
Source Wildpackets
Free
www.wildpackets.com
Where, When, Why A protocol analyzer is a capture and analysis tool which gives a pen tester insight into the protocols, stations, access points, and wireless configuration of the network. The purpose of this lab is to review how to perform packet capture and analysis. These concepts are critical to performing wireless penetration testing. A wireless pen tester must know how to use packet capture and analysis tools in order to accurately identify security weaknesses. This lab will familiarize you with how to capture traffic, use capture and display filters, and view application and MAC layer data.
Usage and Features
• Capture traffic and use statistics for troubleshooting purposes
• Identify MAC and IP addresses for spoofing
• Data confidentiality attack against unencrypted wireless networks
Where to Go for More Information • www.wildpackets.com
Lab Part 1 – Analyze 802.11 Trace Files
Step 1. Insert the Ubiquiti Card in the PCMCIA Slot on the side of your WLSAT Laptop. (you can use either the small 2.2dBi or the 5dBi antennas – note the arrow on the bottom pointing to the antenna jack to use)
Step 2. Go to Start → ‘Switch to OmniPeek Personal Driver’.
Step 3. Launch OmniPeek Personal: Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 4. Choose the Ubiquiti ABG PCMCIA WLAN as the adapter to use. Then click OK to continue.
Step 5. If the card is capturing properly, you should see the packet counts changing in the Dashboard in the lower left corner.
Step 6. Using File → Open → Desktop → Student Files → Trace Files – Omnipeek Captures, browse to the Student Files directory containing the OmniPeek trace files.
Step 7. Open the Open System – WEP.apc file.
Step 8. You might need to change the column width settings to have your screen match the screen shot above.
Step 9. Note the frames, who is talking to whom, which are broadcast, which are unicast.
Step 10. What is the MAC Address of the Access Point, the client?
_____________________________
Step 11. Now open another trace file… this time let’s try one of the EAP conversations. How about EAP-LEAP-TKIP.apc.
Step 12. To make this a little easier to see, let’s get rid of all the Acknowledgement frames by building a ‘No ACKs’ Filter.
Step 13. Click on View → Filters.
Step 14. Now we need to add a new filter by clicking on the Plus Sign.
Step 15. Check the Protocol filter box, then click the Protocols button to open the Protocol Options screen.
Step 16. Click OK to return – notice the change in the protocol field.
Step 17. Now we need to change from Simple to Advanced in the window. (Upper right of the Insert Filter interface)
Step 18. Give the filter a name – No ACKs – click on the Protocol box, then click the Not button so that your screen matches the graphic above. Then click OK.
Step 19. You should now have a No ACKs filter choice.
Step 20. To apply this filter, click on the little funnel icon (at the top of the packet window) and choose No ACKs from the drop-down list of filters.
Step 21. You should now see a ‘simpler’ view of this packet exchange.
Step 22. We have included a variety of packet exchanges for your perusal. Try opening all of them to see how different processes work at the packet level.
Step 23. Next we’ll see if you can answer some questions after analyzing another trace file. Enjoy!
Step 24. Using File → Open, open Openauth.apc. Examine the packet capture file.
Step 25. Which packet starts the authentication process?
_____________________________
Step 26. What is the MAC address of the station? The AP?
_____________________________
Step 27. What is the SSID of the network?
_____________________________
Step 28. Does the AP support B and G?
_____________________________
Step 29. What channel is the AP on?
_____________________________
Step 30. Was the Authentication successful?
_____________________________
Step 31. Is this the first time the client associated to the network? How can you tell?
_____________________________
Step 32. How many clients are connected to the AP?
_____________________________
Step 33. Is there anything to suspect about one of the clients that are connecting to the AP?
_____________________________
Lab 1.2: View an EAP Authentication packet capture
Step 1. Open OmniPeek Personal.
Step 2. Using File → Open, open eap.apc.
Step 3. When does the EAP authentication take place?
Step 4. _____________________________
Step 5. How do you know it is an EAP authentication?
Step 6. _____________________________
Step 7. What EAP type is the wireless network using?
Step 8. _____________________________
Step 9. Has the client successfully authenticated?
Step 10. _____________________________
Lab 1.3: View a data transfer packet capture
Step 1. Open OmniPeek Personal.
Step 2. Using File → Open, open data.apc.
Step 3. Examine the packet capture file.
Step 4. View the payload of the packets.
Step 5. What application layer protocol is in use?
Step 6. _____________________________
Step 7. What server is the data being transferred from?
Step 8. _____________________________
Step 9. What is the IP address of the server?
Step 10. _____________________________
Step 11. What web site is the client connecting to?
Step 12. _____________________________
Lab 1.4: Create an Omnipeek Filter
Step 1. Open Omnipeek Personal.
Step 2. Start a capture on channel 6.
Step 3. Set 802.11 options to Channel 6.
Step 4. Create a Filter to capture all traffic except beacons. View → Filters, then Add. Set Protocol to 802.11 Beacon, then switch to Advanced to set the ‘Not’.
Step 5. Apply the No Beacons filter (little funnel, then choose No Beacons).
Step 6. Start the Capture. Wait a couple of minutes then Stop.
Step 7. View the capture. Do you see beacons?
Step 8. _____________________________
Step 9. Create a Filter to capture only data traffic.
Step 10. _____________________________
Step 11. Open a web page on the Nokia N800 and WLSAT laptop.
Step 12. Start a new capture. View the capture. Do you see only data traffic?
_____________________________
Step 13. Create a Filter to capture only voice traffic. Make a Gizmo Project or Googletalk call between your Nokia and WLSAT laptop.
Step 14. Start a new capture. View the capture. Do you see voice traffic?
_____________________________
Step 15. Create a Filter to capture only FTP traffic.
Step 16. Start the FTP server on the WLSAT laptop. Connect to the FTP server from the Nokia N800.
Step 17. Start a new capture. View the capture. Do you see FTP traffic?
_____________________________
Step 18. Create a Filter to capture only traffic to a destination network.
Step 19. View the capture. Do you see only traffic to your network?
_____________________________
Step 20. Create a Filter to capture only traffic to a destination host. Try your WLSAT Laptop’s MAC Address.
Step 21. View the capture. Do you see only traffic to your host?
_____________________________
Lab 1.5: Create a Wireshark Filter
Step 1. Plug in the Airpcap USB device.
Step 2. Open Wireshark – Start → Wireless Tools → Wireshark.
Step 3. Click on Capture → Interfaces.
Step 4. Choose the AirPcap USB adapter and click on Options to set details for this capture.
Step 5. Review the options on this page… then click on Wireless Settings.
Step 6. Select Channel 1 as the channel we’ll be capturing from.
Step 7. Return to the Options page, then click Start button to start your capture.
Step 8. Note that right now all packets are being shown as they arrive at the wireless card.
Step 9. Review the notes below on how to make and use Filters in Wireshark.
Step 10. Create a Filter to capture all traffic except beacons.
Step 11. Create a Filter to capture only data traffic.
Step 12. Create a Filter to capture only Data… but NOT NULL Data (going to sleep) packets.
Step 13. Now try some new filters on your own.
NOTE: You can review more on Wireshark from the Laura Chappell Master Library DVD set.
Step 14. Create a Filter to capture only voice traffic.
_____________________________
Step 15. Create a Filter to capture only FTP traffic.
_____________________________
Step 16. Create a Filter to capture only traffic to a destination network.
_____________________________
Step 17. Create a Filter to capture only traffic to a destination host.
_____________________________
Step 18. How about a filter to capture Access Points with ‘cloaked’ or ‘hidden’ SSIDs? When an Access Point does NOT broadcast SSID, the SSID field contains no data in Beacons and Probe Response packets. But… clients MUST ask for the proper ‘hidden’ SSID in their requests to join the BSA.
NOTE: This filter is wlan.bssid==xx:xx:xx:xx:xx:xx and wlan.fc.type_subtype==0 where the BSSID of the Access Point you are looking for is in the xx’s.
By applying the above filter, we reveal any association requests for the specific BSSID. By clicking IEEE 802.11 Wireless LAN Management Frame → Tagged Parameters → SSID Parameter Set in the packet detail window we can see the SSID requested by the client station, thus revealing the ‘Hidden’ SSID.
Wireshark Filters for 802.11 Frames
802.11 Header Field
Either Source or Destination Address wlan.addr
Transmitter Address wlan.ta
Source Address wlan.sa
Receiver Address wlan.ra
Destination Address wlan.da
BSSID wlan.bssid
Duration wlan.duration
Frame Control Subfields
Frame Type wlan.fc.type
Frame Subtype wlan.fc.subtype
ToDS Flag wlan.fc.tods
FromDS Flag wlan.fc.fromds
Retry Flag wlan.fc.retry
Protected Frame (WEP) Flag wlan.fc.wep
Fields can be combined using operators. Wireshark supports a standard set of comparison and logical operators:
== for equality != for inequality
> for greater than >= for greater than or equal to
< for less than <= for less than or equal to
&& for logical AND || for logical OR
contains for a substring match matches for a regular expression match
! for NOT
An example of a display filter would be wlan.fc.type==1 to match control frames.
To remove all Beacon frames from your trace, you’ll need to write a display filter that matches Beacon frames, and then negate it, like the example below:
• Filter on the type code for management frames with wlan.fc.type==0
• Filter on the subtype code for Beacon with wlan.fc.subtype==8
Combine the two, and negate the operation by using the exclamation point for NOT with an expression result of:
! (wlan.fc.type==0 and wlan.fc.subtype==8)
When assessing a wireless capture with Wireshark, it is common to apply display filters to look for or exclude certain frames based on the IEEE 802.11 frame Type and Subtype fields. If you are trying to exclude frames from a capture, it is easy to identify the Type and Subtype fields by navigating the Packet Details window, and then use those values in your filter.
Or, you can just use this handy-dandy table we’ve provided below.
Frame Type/Subtype Filter
Management Frames wlan.fc.type==0
Association Request wlan.fc.type_subtype==0
Association Response wlan.fc.type_subtype==1
Reassociation Request wlan.fc.type_subtype==2
Reassociation Response wlan.fc.type_subtype==3
Probe Request wlan.fc.type_subtype==4
Probe Response wlan.fc.type_subtype==5
Beacon wlan.fc.type_subtype==8
ATIM wlan.fc.type_subtype==9
Disassociate wlan.fc.type_subtype==10
Authentication wlan.fc.type_subtype==11
Deauthentication wlan.fc.type_subtype==12
Control Frames wlan.fc.type==1
Power-Save Poll wlan.fc.type_subtype==26
Request To Send - RTS wlan.fc.type_subtype==27
Clear To Send - CTS wlan.fc.type_subtype==28
Acknowledgement - ACK wlan.fc.type_subtype==29
Data Frames wlan.fc.type==2
NULL Data wlan.fc.type_subtype==36
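As an added worked example (not from the WLSAT manual or from Wireshark itself), the following Python decodes the 802.11 Frame Control field into the same values Wireshark exposes as wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype and the flag fields, then evaluates the lab’s No Beacons, No ACKs and Data-but-not-NULL filters over a few constructed frame headers; the frame bytes and labels are constructed for the example.

```python
# Added example (not part of the WLSAT manual): decode the 802.11 Frame Control
# field into the wlan.fc.* values Wireshark uses for display filters, then apply
# the lab's filters to a handful of constructed frame headers.
import struct

# Names from the table above, keyed by wlan.fc.type_subtype = (type << 4) | subtype.
TYPE_SUBTYPE_NAMES = {
    0: "Association Request", 1: "Association Response", 2: "Reassociation Request",
    3: "Reassociation Response", 4: "Probe Request", 5: "Probe Response",
    8: "Beacon", 9: "ATIM", 10: "Disassociate", 11: "Authentication",
    12: "Deauthentication", 26: "Power-Save Poll", 27: "RTS", 28: "CTS",
    29: "ACK", 36: "NULL Data",
}

def decode_fc(frame: bytes) -> dict:
    """Return the wlan.fc.* fields carried in the first two header bytes."""
    fc = struct.unpack_from("<H", frame, 0)[0]    # Frame Control, little-endian
    ftype = (fc >> 2) & 0x3                        # bits 2-3: type
    subtype = (fc >> 4) & 0xF                      # bits 4-7: subtype
    flags = fc >> 8                                # second byte: flag bits
    f = {
        "type": ftype,
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,    # Wireshark's combined value
        "tods": flags & 0x1,
        "fromds": (flags >> 1) & 0x1,
        "retry": (flags >> 3) & 0x1,
        "wep": (flags >> 6) & 0x1,                 # Protected Frame flag
    }
    f["name"] = TYPE_SUBTYPE_NAMES.get(f["type_subtype"], f"type {ftype} subtype {subtype}")
    return f

# Display filters from the lab, each paired with the equivalent predicate.
DISPLAY_FILTERS = {
    "No Beacons": ("!(wlan.fc.type==0 && wlan.fc.subtype==8)",
                   lambda f: not (f["type"] == 0 and f["subtype"] == 8)),
    "No ACKs": ("wlan.fc.type_subtype!=29", lambda f: f["type_subtype"] != 29),
    "Data only": ("wlan.fc.type==2", lambda f: f["type"] == 2),
    "Data, not NULL": ("wlan.fc.type==2 && wlan.fc.type_subtype!=36",
                       lambda f: f["type"] == 2 and f["type_subtype"] != 36),
}

def apply_filter(name: str, frames) -> list:
    """Labels of the frames that the named display filter would keep."""
    _expr, pred = DISPLAY_FILTERS[name]
    return [label for label, raw in frames if pred(decode_fc(raw))]

def _mk(fc0: int, flags: int = 0) -> bytes:
    # Constructed header: Frame Control, Duration, Address 1 (enough for this exercise)
    return bytes([fc0, flags]) + b"\x00\x00" + b"\xff" * 6

# Constructed sample frames (label, header bytes); the subtype sits in the high nibble.
SAMPLE_FRAMES = [
    ("beacon", _mk(0x80)),           # type 0, subtype 8
    ("probe_req", _mk(0x40)),        # type 0, subtype 4
    ("assoc_req", _mk(0x00)),        # type 0, subtype 0
    ("ack", _mk(0xD4)),              # type 1, subtype 13
    ("data_wep", _mk(0x08, 0x41)),   # type 2, subtype 0, ToDS + Protected
    ("null_data", _mk(0x48, 0x11)),  # type 2, subtype 4, ToDS + PwrMgt
]

if __name__ == "__main__":
    for name in DISPLAY_FILTERS:
        print(name, "keeps", apply_filter(name, SAMPLE_FRAMES))
```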
Here is a great graphical view of Wireshark’s 802.11 Filter names for each part of an 802.11 frame.
Display Filter Syntax
Hosts/Network ip.addr, ip.src, ip.dst, eth.addr, eth.src, eth.dst
Ports tcp.port, tcp.srcport, tcp.dstport, udp.port, udp.srcport, udp.dstport
Various Protocols
arp, bootp, dcerpc, dns, eth, ftp, http, icmp, ip, ncp, netbios, ntp, ospf, sip, smtp, snmp, tcp, udp
Examples ip.addr==10.4.2.19
!ip.addr==10.4.15.27
!arp && !bootp
tcp.port==80
eth.dst==00:04:5a:df:80:37
ip.ttl<=5
tcp.flags.reset==1
Keyboard Shortcuts
Tab Move forward between packet windows and screen elements
Shift-Tab Move backwards between packet windows and screen elements
Down Move forward to the next packet or detail item
Up Move back to the previous packet or detail item
Ctrl-Down, F8 Move to the next packet, even if the packet list is not the focus.
Ctrl-Up, F7 Move to the previous packet, even if the packet list is not the focus.
Left Closes the selected tree item in the packet detail window or move to the parent node if already closed.
Right Expands the selected tree item in the packet detail window (does not expand the subtree)
Backspace Move to the parent node in the packet detail window
Return, Enter Toggles expansion of the selected tree item in the packet detail window
Ctrl-M Mark a packet
Ctrl-N Go to the next marked packet
Ctrl-T Set time reference
Ctrl-Plus Zoom in (increase font size)
Ctrl-Minus Zoom out (decrease font size)
Ctrl-Equal Zoom to 100%
Lab 1.6: Create baseline captures
• Open – No WEP
• Shared Key – WEP
• Open – WEP
• WPA – PSK
• Open – WEP – w/Radius
• Roaming connection
• WPA – Radius
• Beacon – Probe Request – Probe Response
Lab Part 1 - Capture an Open Authentication exchange between STA and Access Point
Step 1. Open OmniPeek Personal – Start → Wireless Tools → WildPackets OmniPeek Personal.
Step 2. Click Capture → Start Capture (or Capture Options if you want to modify a current capture).
Step 3. Click on the 802.11 item in the left panel then select channel 1.
Step 4. Click OK.
Step 5. Click Start Capture.
Step 6. Connect your wireless STA to your Access Point with your SSID (It should be pre-configured with No Encryption and on Channel 1).
Step 7. When you have associated, stop the packet capture then review the list of packets.
Which packet starts the authentication process?
_____________________________
What is the MAC address of the station?
_____________________________
The AP?
_____________________________
Was the Authentication successful?
_____________________________
Why or why not?
_____________________________
Step 8. Save the file as baseline_Openauth.
Lab Part 2 - Capture Shared Key Authentication exchange between STA and Access Point
Step 1. Change the AP configuration to Shared Key Authentication and type a WEP key of 1111111111.
Step 2. Connect your wireless STA to the Access Point with the same security settings as the AP. This means WEP Encryption with Shared Key Authentication.
Step 3. Review the list of packets.
Which packet starts the authentication process?
_____________________________
Was the Authentication successful?
_____________________________
Why or why not?
_____________________________
Step 4. Select File → Save All Packets.
Step 5. Save the file as baseline_SharedKeyAuth.
Lab Part 3 - Capture a WPA-PSK Authentication
Step 1. Open Omnipeek personal and start a capture on channel 1.
Step 2. Configure your access point for WPA-PSK with the following parameters:
• Channel 1
• SSID = ap# (where the number is your student number)
• WPA-PSK Authentication passphrase my wireless network is secure
• Use TKIP for encryption
Step 3. Connect your Nokia N800 wireless client to your access point using the same security settings as the access point.
Step 4. Examine the packet capture file.
Step 5. Which packet starts the authentication process?
_____________________________
Step 6. What is the MAC address of the station? The AP?
_____________________________
Step 7. Was the Authentication successful?
_____________________________
Step 8. Save the file as baseline_WPA-PSK-Auth.
Lab Part 4 - Capture web access traffic
Step 1. Open Omnipeek personal and capture on channel 6.
Step 2. Connect your Nokia n800 wireless client to the classroom AP with SSID HOTlabs.
Step 3. Browse the web on your Nokia n800; you can choose where.
Step 4. View the capture and identify the web sites that other students are accessing. What web sites are the clients connecting to? List at least 3 here.
_____________________________
_____________________________
_____________________________
Step 5. View the payload of the packets. You should be able to see the websites that are being accessed.
Step 6. What application layer protocol is in use?
_____________________________
Step 7. What server is the data being transferred from?
_____________________________
Step 8. What is the IP address of the server?
_____________________________
Step 9. Save the file as baseline_Web-Traffic.
What you learned in this Lab: In this Lab you learned to use Wireless Sniffers / Protocol Analyzers to:
1. Capture data, voice and video traffic
2. Analyze connections between stations and access points
3. Review prerequisite knowledge and ensure you are familiar with how to capture, filter, and analyze wireless traffic