Packets and Protocols, Chapter Six: Wireless sniffing with Wireshark
• Wireless sniffing has some challenges
  • Sniffing on a hub is easy
    • Promiscuous mode
  • Sniffing on a switch is a bit more difficult
    • Promiscuous mode
    • Span port
• For wireless sniffing you must:
  • Know the WEP key
    • You can sniff data, but it is useless without the key
  • Know the correct channel
    • You can only capture one channel per NIC
  • Be in promiscuous mode
    • Same as with other capture scenarios
  • Plus… your target may move!
    • It may be better to sniff on the wired side of the network so you can “see” across multiple WAPs
• How do you tell which channel to sniff? NetStumbler is one tool that you can use.
• Channel scanning or hopping is a method to look for interesting traffic.
• “Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to ‘hear’ any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.”
• Range issues
  • What will happen to the data captured by the RED PC?
• Note that the closer PC has a higher data rate
  • What will happen to the data captured by the RED PC?
• Channel issues
  • What will happen to the data captured by the RED PC?
• Different modulations can affect your sniffing attempts
  • What will happen to the data captured by the RED PC?
• What happens here?
  • Note that when only one antenna is available it will step down to the lowest capable user
• Interference and collisions
  • While convenient, wireless Ethernet is a lousy protocol.
  • CSMA/CD causes wireless to work like a hub.
• “When capturing traffic on a wireless network, there is no guarantee that you captured 100 percent of the traffic. Some traffic may have become corrupted in transit and rejected by the capture station wireless driver as noise.”
• Wireless capture recommendations
  • Locate the Capture Station Near the Source
    • Location, location, location
  • Disable Other Nearby Transmitters
    • Minimize interference
  • Reduce CPU Utilization While Capturing
    • Let your PC concentrate on doing one thing at a time
  • Match Channel Selection
    • Many channels are available
  • Match Modulation Type
    • 802.11a? b? g?
• Understanding wireless card modes
  • Managed mode
    • AP required for two devices to communicate
  • Ad-hoc mode
    • Point to point – devices share AP responsibilities
  • Master mode
    • Imitates an AP
  • Monitor mode
    • aka sniffer mode
• Linux issues:
  • Must be in monitor mode
  • Know your chipset and use the correct driver(s)
  • Use kernel 2.6 whenever possible
• Capturing traffic in Linux
  • Not covered here; see the manual (no time!)
• AirPcap
  • Third-party driver that enables wireless captures
  • Obtain the most recent copy and keep it up to date
• While Wireshark, WinPcap, etc. will capture wireless traffic, they are not truly meant to. In other words, to do it right you need the right hardware; that is, hardware meant for this specific purpose.
• Bottom line… $200.00 and a visit to www.cacetech.com will solve your troubles!
• Capturing wireless traffic in Windows
  • Same-o same-o… just make sure your wireless card is selected.
• Analyzing Wireless Traffic
• In short, when sniffing wireless vs. wired, the fields are identical.
• Dual sniffer scenarios
• Dual sniffer scenarios (cont.)
  • How do you know which traffic flows belong together when comparing multiple captures?
• 802.11 frame header format
  • More complex than Ethernet
  • Twice the length
  • Three or four addresses (compared to two for Ethernet)
  • Many more fields in the header
  • Allows for the appending of other protocols (QoS, encryption, etc.)
• In other words, there is a plethora of collection options.
• As opposed to Ethernet, using capture filters on wireless networks is advised because of the sheer volume of traffic generated by wireless connections.
  • 60 frames just to connect!
• Wireless terminology
  • An AP is known as a Basic Service Set (BSS)
  • A client has a BSSID, which is usually the wireless MAC address
• The MAC/BSSID can be gathered with the ipconfig /all command
• Once you have the BSSID you can easily filter on that device
• Since the MAC and BSSID are usually the same:
  • The following two filters may select the same frames:
    • wlan.sa eq 00:09:5b:e8:c4:03
    • wlan.bssid eq 00:09:5b:e8:c4:03
  • OR
  • The following filters could capture the same traffic:
    • wlan.sa eq 00:09:5b:e8:c4:03
    • wlan.bssid eq 00:11:92:6e:cf:00
• The moral of the story? Make sure that what you are capturing is what you wanted to capture!
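An added example (not from the slides or the book) showing why the sender and BSSID filters above are not interchangeable: it maps 802.11 Address 1/2/3 to DA, SA and BSSID from the ToDS/FromDS flags in the frame control field, then applies the equivalent of wlan.sa and wlan.bssid to two constructed data frames. The roles assumed here (00:11:92:6e:cf:00 as the AP, 00:09:5b:e8:c4:03 as the client) are assumptions, and PEER is a constructed wired host.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame: bytes) -> dict:
    """Decode frame control and assign DA/SA/BSSID roles to Address 1/2/3."""
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "protected": bool(fc1 & 0x40), "to_ds": to_ds, "from_ds": from_ds}
    # Address roles per the 802.11 "Address field contents" table.
    if not to_ds and not from_ds:      # ad-hoc data and all management frames
        info.update(da=a1, sa=a2, bssid=a3)
    elif from_ds and not to_ds:        # AP -> client
        info.update(da=a1, bssid=a2, sa=a3)
    elif to_ds and not from_ds:        # client -> AP
        info.update(bssid=a1, sa=a2, da=a3)
    else:                              # WDS: fourth address, no BSSID field
        info.update(ra=a1, ta=a2, da=a3, sa=mac(frame[24:30]), bssid=None)
    return info

def build_data_frame(to_ds, from_ds, a1, a2, a3) -> bytes:
    """Constructed 24-byte data-frame header (type 2, subtype 0)."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    addr = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([0x08, flags]) + struct.pack("<H", 0)
            + addr(a1) + addr(a2) + addr(a3) + struct.pack("<H", 0))

AP = "00:11:92:6e:cf:00"      # assumed to be the AP (BSSID) from the slides
STA = "00:09:5b:e8:c4:03"     # assumed to be the client from the slides
PEER = "00:00:00:00:00:01"    # constructed host on the wired side

# client -> AP: Addr1 = BSSID, Addr2 = SA, Addr3 = DA
UPLINK = build_data_frame(True, False, AP, STA, PEER)
# AP -> client: Addr1 = DA, Addr2 = BSSID, Addr3 = SA
DOWNLINK = build_data_frame(False, True, STA, AP, PEER)

def matches(frames, field, value):
    """Mimic a display filter such as 'wlan.sa eq <value>'; returns frame indexes."""
    return [i for i, f in enumerate(frames)
            if parse_80211_header(f).get(field) == value]
```

wlan.sa eq STA selects only the client's uplink frames, while wlan.bssid eq AP selects both directions of every station on that AP.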
• Wireless sniffer tactics
  • If you know the MAC/BSSID, sort on it
  • If you don’t, sort on the AP
  • If you don’t know the AP, or if the user roams, sniff on the wired side
• Filtering on SSID
  • wlan_mgt.tag.interpretation eq "NOWIRE"
  • Even better, use !(wlan_mgt.tag.interpretation eq "NOWIRE") to look for snoopers. Wrap the test in !( ) rather than writing ne: the tag field occurs several times in one management frame, so in Wireshark releases before 3.6 a ne test matches nearly every frame.
• NOTE: You may not be able to capture any of the previous info without a hardware/software combination like AirPcap.
  • That said, without capturing such info how will you know the health of your wireless network?
• Data traffic only captures
  • It is a good practice to encrypt your wireless network and then sniff for unencrypted (rogue) APs
• Hidden SSIDs
  • SSIDs can be set to non-broadcast; while a sniffer cannot tell you the SSID, it can detect the network’s presence
• Extensible Authentication Protocol
  • EAP is used to authenticate users to a wireless network via one of several means:
    • Protected Extensible Authentication Protocol (PEAP)
    • Extensible Authentication Protocol with Transport Layer Security (EAP/TLS)
    • Tunneled Transport Layer Security (TTLS)
    • Lightweight Extensible Authentication Protocol (LEAP)
• The EAP authentication type can be found by filtering for:
  • eap.type
• EAP methods that rely on username and password authentication include PEAP, TTLS and LEAP.
  • These methods may disclose user identity information (e.g., a username) in plaintext over the wireless network.
• In other words, user IDs and passwords can be easily sniffed.
• Troubleshooting EAP issues can be difficult without a sniffer
  • Code 1 - EAP Request
    • A value of 1 in the EAP Code field indicates that the EAP frame is requesting information from the recipient. This can be identity information, encryption negotiation content, or a response to challenge text.
  • Code 2 - EAP Response
    • A value of 2 in the EAP Code field indicates that the EAP frame is responding to an EAP Request frame.
  • Code 3 - EAP Success
    • A value of 3 in the EAP Code field indicates that the previous EAP Response was successful. This is primarily used as a response to authentication messages.
  • Code 4 - EAP Failure
    • A value of 4 in the EAP Code field indicates that the previous EAP Response failed authentication.
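An added example (not from the slides) that decodes the EAP Code and Type fields the way Wireshark's eap.code and eap.type present them, and pulls out the identity that PEAP, TTLS and LEAP exchange in the clear before any tunnel exists, which is the disclosure the earlier slide warns about. The four-packet exchange and the identity alice@example.org are constructed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types relevant to the slides.
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: RFC 3748 header (code, id, length) plus optional type/data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match packet")
    info = {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": ident}
    if code in (1, 2) and length >= 5:            # only Request/Response carry a type
        info["type"] = pkt[4]
        info["type_name"] = EAP_TYPES.get(pkt[4], f"type-{pkt[4]}")
        info["data"] = pkt[5:length]
    return info

def plaintext_identities(packets):
    """Detection helper: identities sent in clear-text EAP-Response/Identity packets."""
    found = []
    for p in packets:
        e = parse_eap(p)
        if e["code"] == 2 and e.get("type") == 1:
            found.append(e["data"].decode("utf-8", "replace"))
    return found

def eap_packet(code, ident, type_=None, data=b"") -> bytes:
    """Build a constructed EAP packet with a correct length field."""
    body = bytes([type_]) + data if type_ is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed exchange: identity request/response, PEAP start, success.
EXCHANGE = [
    eap_packet(1, 1, 1),                        # Request/Identity
    eap_packet(2, 1, 1, b"alice@example.org"),  # Response/Identity, in the clear
    eap_packet(1, 2, 25, b"\x20"),              # Request/PEAP with the Start flag
    eap_packet(3, 2),                           # Success
]
```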
• EAP failure code
• …70 percent of successful attacks against wireless LANs will be due to the misconfiguration of APs and wireless clients.
• In other words, SECURE YOUR NETWORKS!
• Identifying WEP security
  • Most common encryption technique
  • Also probably the most insecure
  • TKIP and CCMP are other options
  • While you cannot decrypt encrypted traffic, you can sense it with your sniffer
  • Once you know this you can build a filter:
    • wlan.tkip.extiv
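An added example (not from the slides) of how a capture tool tells WEP apart from TKIP/CCMP without decrypting anything: it reads the Protected Frame bit in the frame control field, then the ExtIV bit in the KeyID byte that follows the MAC header, which is the bit behind Wireshark's wlan.tkip.extiv. The three frames are constructed; the last helper lists data frames sent in the clear, the rogue-AP check from the earlier slide.

```python
def mac_header_len(frame: bytes) -> int:
    """Length of the 802.11 MAC header: 24, +6 for WDS (four addresses), +2 for QoS data."""
    fc0, fc1 = frame[0], frame[1]
    length = 30 if (fc1 & 0x03) == 0x03 else 24
    if (fc0 >> 2) & 0x3 == 2 and (fc0 >> 4) & 0x8:   # data type, QoS subtype
        length += 2
    return length

def classify_protection(frame: bytes) -> str:
    """Return 'open', 'wep' or 'tkip/ccmp' for a data frame."""
    if not frame[1] & 0x40:            # Protected Frame bit clear
        return "open"
    hdr = mac_header_len(frame)
    key_id_byte = frame[hdr + 3]       # 4th byte of the IV header: KeyID bits 6-7, ExtIV bit 5
    return "tkip/ccmp" if key_id_byte & 0x20 else "wep"

def find_unprotected_data(frames):
    """Detection helper: indexes of data frames carried in the clear."""
    return [i for i, f in enumerate(frames)
            if (f[0] >> 2) & 0x3 == 2 and classify_protection(f) == "open"]

def _hdr(flags: int) -> bytes:
    """Constructed 24-byte data header (type 2, subtype 0) with the given FC flags byte."""
    return bytes([0x08, flags]) + bytes(22)

# Constructed frames: ToDS set on all, Protected bit (0x40) on the last two.
OPEN_FRAME = _hdr(0x01) + b"\xaa\xaa\x03"                                   # LLC/SNAP in the clear
WEP_FRAME = _hdr(0x41) + bytes([0x12, 0x34, 0x56, 0x00]) + bytes(8)         # 24-bit IV, KeyID 0, no ExtIV
TKIP_FRAME = _hdr(0x41) + bytes([0x01, 0x21, 0x00, 0x20]) + bytes(4) + bytes(8)  # TSC1, WEPSeed, TSC0, ExtIV set
```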
• TKIP present!
• Identifying IPSec/VPN
  • isakmp or ah or esp
• Note that an ICMP Destination Unreachable packet is also returned. This is because Wireshark also decodes the embedded protocol within the ICMP packet, which includes ESP information.
  • See figure 6-24 on pg 317
• Adding COLOR to your sniffer output
  • There is nothing like color to make things stand out