690 likes | 925 Vues
Packets and Protocols. Chapter Six Wireless sniffing with Wireshark. Packets and Protocols Chapter 6. Wireless sniffing has some challenges Sniffing on a hub is easy Promiscuous mode Sniffing on a switch is a bit more difficult Promiscuous mode Span port. Packets and Protocols Chapter 6.
E N D
Packets and Protocols Chapter Six Wireless sniffing with Wireshark
Packets and ProtocolsChapter 6 • Wireless sniffing has some challenges • Sniffing on a hub is easy • Promiscuous mode • Sniffing on a switch is a bit more difficult • Promiscuous mode • Span port
Packets and ProtocolsChapter 6 • For wireless sniffing you must • Know WEP key • You can sniff data, but it is useless without the key • Know the correct channel • You can only capture one channel per NIC • Be in promiscuous mode • Same with other capture scenarios • Plus…your target may move! • It may be better to sniff on the wired side of the network so you can “see” across multiple WAPs
Packets and ProtocolsChapter 6 • How do you tell which channel to sniff? NetStumbler is one tool that you can use
Packets and ProtocolsChapter 6 • Channel scanning or hopping is a method to look for interesting traffic. • “Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.”
Packets and ProtocolsChapter 6 • Range issues • What will happen to the data captured by the RED PC?
Packets and ProtocolsChapter 6 • Note that the closer PC has a higher data rate • What will happen to the data captured by the RED PC?
Packets and ProtocolsChapter 6 • Channel issues • What will happen to the data captured by the RED PC?
Packets and ProtocolsChapter 6 • Different modulations can affect your sniffing attempts • What will happen to the data captured by the RED PC?
Packets and ProtocolsChapter 6 • What happens here? • Note that when only one antenna is available it will step down to the lowest capable user
Packets and ProtocolsChapter 6 • Interference and collisions • While convenient, wireless Ethernet is a lousy protocol. • CSMA/CD causes wireless to work like a hub “When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise.”
Packets and ProtocolsChapter 6 • Wireless capture recommendations • Locate the Capture Station Near the Source • Location, location, location • Disable Other Nearby Transmitters • Minimize interference • Reduce CPU Utilization While Capturing • Let your PC concentrate on doing one thing at a time • Match Channel Selection • Many channels are available • Match Modulation Type • 802.11a? b? g?
Packets and ProtocolsChapter 6 • Understanding Wireless Card Modes • Managed mode • AP Required for two devices to communicate • Ad-hoc mode • Point to point – devices share AP responsibilities • Master mode • Imitates an AP • Monitor mode • aka sniffer mode
Packets and ProtocolsChapter 6 • Linux issues: • Must be in monitor mode • Know your chipset and use the correct driver(s) • Use kernel 2.6 whenever possible
Packets and ProtocolsChapter 6 • Capturing traffic in Linux • Not covered here; see manual (no time!)
Packets and ProtocolsChapter 6 • AirPcap • 3rd party driver that enables wireless captures • Obtain the most recent copy and keep it up to date
Packets and ProtocolsChapter 6 • While Wireshark, WinPcap, etc will capture traffic is not truly meant to,
Packets and ProtocolsChapter 6 …. In other words to do it right you need the right hardware; that is hardware meant for this specific purpose. Bottom line…$200.00 and a visit to www.cacetech.comwill solve your troubles!
Packets and ProtocolsChapter 6 • Capturing wireless traffic in Windows • Same-o same-o… just make sure your wireless card is selected.
Packets and ProtocolsChapter 6 • Analyzing Wireless Traffic
Packets and ProtocolsChapter 6 In short, when sniffing wireless vs. wired the fields are identical
Packets and ProtocolsChapter 6 • Dual sniffer scenarios (cont) • How do you know which traffic flows belong together when comparing multiple captures?
Packets and ProtocolsChapter 6 • Dual sniffer scenarios
Packets and ProtocolsChapter 6 • 802.11 Frame header format • More complex than Ethernet • Twice the length • Three or four addresses (compared to two for Ethernet • Many more fields in the header • Allows for the appending of other protocols (QoS, encryption etc.)
Packets and ProtocolsChapter 6 In other words there is a plethora of collection options
Packets and ProtocolsChapter 6 • As opposed to Ethernet, using capture filters is advised on wireless networks is advised because of the sheer volume of traffic generated by wireless connections. • 60 frames just to connect!
Packets and ProtocolsChapter 6 • Wireless terminology • An AP is known as a Basic Service Set (BSS) • A client has a BSSID which is usually the wireless MAC address
Packets and ProtocolsChapter 6 • The MAC/BSSID can be gathered with the ipconfig/all command
Packets and ProtocolsChapter 6 • Once you have the BSSID you can easily filter on that device
Packets and ProtocolsChapter 6 • Since the MAC and BSSID are usually the same: • The following two commands may be the same • wlan.sa eq 00:09:5b:e8:c4:03 • wlan.bssid eq 00:09:5b:e8:c4:03 • OR • The following commands could capture the same traffic • wlan.sa eq 00:09:5b:e8:c4:03 • wlan.bssid eq 00:11:92:6e:cf:00 The moral of the story? Make sure that what you are capturing is what you wanted to capture!
Packets and ProtocolsChapter 6 • Wireless sniffer tactics • If you know the MAC/BSSID sort on it • If you don’t; sort on the AP • If you don’t know the AP or if the user roams, sniff on the wired side
Packets and ProtocolsChapter 6 • Filtering on SSID • wlan_mgt.tag.interpretation eq "NOWIRE" • Even better; use: wlan_mgt.tag.interpretation !eq "NOWIRE“ to look for snoopers
Packets and ProtocolsChapter 6 • NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap • That said; without capturing such info how will you know the health of your wireless network???
Packets and ProtocolsChapter 6 • Data traffic only captures • It is a good practice to encrypt your wireless network and then sniff for unencrypted (rouge) APs
Packets and ProtocolsChapter 6 • Hidden SSIDs • SSIDs can be set to non-broadcast, while a sniffer cannot tell you the SSIDs it can detect their presence
Packets and ProtocolsChapter 6 • Extensible Authentication Protocol • EAP is used to authenticate users to a wireless network via one of several means • Protected Extensible Authentication Protocol (PEAP) • Extensible Authentication Protocol with Transport Layer Security (EAP/TLS) • Tunneled Transport Layer Security (TTLS) • Lightweight Extensible Authentication Protocol (LEAP)
Packets and ProtocolsChapter 6 • The EAP authentication type can be found by filtering for • eap.type • EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP. • These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network.
Packets and ProtocolsChapter 6 • In other words ID names and PWs can be easily sniffed
Packets and ProtocolsChapter 6 • Troubleshooting EAP issues can be difficult without a sniffer • Code 1 - EAP Request • A value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response-to challenge text. • Code 2 - EAP Response • A value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame. • Code 3 - EAP Success • A value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages. • Code 4 - EAP Failure • A value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.
Packets and ProtocolsChapter 6 • EAP failure code
Packets and ProtocolsChapter 6 • …70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients. • In other words SECURE YOUR NETWORKS!
Packets and ProtocolsChapter 6 • Identifying WEP security • Most common encryption technique • Also probably the most insecure • TKIP and CCMP are other options • While you cannot decrypt encrypted traffic, you sense it with your sniffer • Once you know this you can build a filter • wlan.tkip.extiv
Packets and ProtocolsChapter 6 • TKIP Present!
Packets and ProtocolsChapter 6 • Identifying IPSec/VPN • isakmp or ah or esp
Packets and ProtocolsChapter 6 • Note that an ICMP Destination Unreachable packet is also returned. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information. • See figure 6-24 on pg 317
Packets and ProtocolsChapter 6 • Adding COLOR to your sniffer output • There is nothing like color to make things stand out