Saturday, March 16, 2013

Decrypting 802.11 packets: Secured 802.11 Environment

While testing secured 802.11 networks we face a common problem: the data in the WLAN frames cannot be analyzed with a sniffer because it is encrypted. This matters especially when you want to debug higher-layer protocol issues (DHCP, ICMP, ARP etc.).

We have a few options to overcome this, either using a sniffer or using a console (in the case of Linux). Let's take a quick look at them.

For an End-user/Production Environment:


Most wireless capturing tools support decryption of WLAN packets when the user supplies the credentials.


Omnipeek: 

In "Tools>Decrypt WLAN packets" we can enter the credentials for each type of security, and Omnipeek will try to decode all encrypted packets in the trace.

Omnipeek WLAN Decryption Procedure Screenshot


Wireshark:  

In "Preferences>Protocols>IEEE 802.11" there is an option to enter the decryption keys and also to enable decryption.

For both tools, we can enter the WEP key / WPA passphrase / WPA-PSK in the following formats:

   Key examples:
     01:02:03:04:05 (40/64-bit WEP)
     010203040506070809101111213 (104/128-bit WEP)
     WPA/WPA2-PSK: use this calculator and paste the PSK.
Wireshark WLAN Decryption Procedure Screenshot
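As an added example (not code from the original post), the script below does what the PSK "calculator" above does: it derives the WPA/WPA2 PSK from the passphrase and SSID using PBKDF2-HMAC-SHA1 with 4096 iterations as 802.11i specifies, checks that a WEP key is really 40- or 104-bit, and prints the entries in the form Wireshark's decryption key list accepts. The "wep:", "wpa-pwd:" and "wpa-psk:" prefixes are assumed from Wireshark's documented key syntax, not taken from this page.

```python
import hashlib

# Valid WEP key sizes in bytes, mapped to the names used in the post
WEP_KEY_SIZES = {5: "40/64-bit WEP", 13: "104/128-bit WEP"}


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK from a passphrase and SSID.

    802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations,
    32 bytes); the hex string returned is what an online PSK calculator shows.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32).hex()


def wep_key_entry(key: str) -> str:
    """Normalise a hex WEP key (with or without colons) into Wireshark's
    'wep:<hex>' form, rejecting anything that is not exactly 5 or 13 bytes."""
    raw = bytes.fromhex(key.replace(":", ""))   # odd-length hex raises ValueError
    if len(raw) not in WEP_KEY_SIZES:
        raise ValueError(f"WEP key must be 5 or 13 bytes, got {len(raw)}")
    return "wep:" + raw.hex()


def wpa_key_entries(passphrase: str, ssid: str) -> list:
    """Both ways of entering the same WPA credential in Wireshark's key list:
    the passphrase+SSID form and the precomputed PSK form (assumed syntax)."""
    return [f"wpa-pwd:{passphrase}:{ssid}", "wpa-psk:" + wpa_psk(passphrase, ssid)]


if __name__ == "__main__":
    # Constructed sample input; "password"/"IEEE" is the 802.11i test vector
    print(wep_key_entry("01:02:03:04:05"))
    for entry in wpa_key_entries("password", "IEEE"):
        print(entry)
```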

But these decryption techniques are not reliable (especially Omnipeek :-) and we need that costly license as well) and they are only useful for post-processing of the packets. What about live capture, anyone?


For an Engineering/Development Environment:


Instead, if we have access to the console of the device (which of course runs Linux :-)), we can make use of tcpdump. It should be present on all Android phones (at least the ones I have tested have it).


tcpdump:

tcpdump is the back end of Wireshark; it provides almost all the main features of Wireshark. Don't go by the name: it not only captures TCP but all the protocols Wireshark supports. As we know, 802.11 encryption "mostly" happens in the hardware (except if you are using software encryption for testing/initial development purposes), and since tcpdump collects the packets before that point, all packets can be seen in plain text even though encryption is enabled.


For a quick check this is the better option; it's my favorite way to debug connection issues/traffic issues/DHCP issues in a secured 802.11 environment.


Usage for an Android Phone/Any Linux Device would be:


tcpdump -i <interface> -s 0 -w <location to save the capture file; make sure it is writable>

See the tcpdump man page for details on options.


Eg: 

  1. tcpdump -i wlan0 -s 0 -w /data/test.pcap
  2. adb pull /data/test.pcap .
  3. Open the pulled pcap file using Wireshark and analyze.*

Note: by default tcpdump captures only 96 bytes of every packet; "-s 0" sets the limit to 64K (practically the whole packet).


* If you are an Omnipeek maniac, have Omnipeek Pro and want to analyze these tcpdump captures in Omnipeek, there is a new plugin called "Remote TCPDump Adapter Enterprise" which captures the packets over SSH using tcpdump but displays them in Omnipeek on Windows.

Happy Sniffing and Debugging.

Revisions:

1) Thanks to Sunil Pamula for finding the improper command for PSK keys. It's updated now. 8/11/2013.


Tuesday, March 5, 2013

Making "history" work on wpa_cli/hostapd_cli: Especially for P2P testing

We are all accustomed to the much neglected but most often used "up arrow", the so-called "history button", especially in a command line environment like a Linux terminal.

Recently I was working with wpa_cli for some P2P testing and observed that on some systems the "history" button works but on some it doesn't, so I planned to dig into it, and as always the best way to understand something is to go through the code.

 

If you look into the hostap git tree there are some common utils in the src/utils folder, where we can see 3 different types of "edit" (edit refers to editing and history of the command line):

  • edit_simple ==> Only editing support is available, no history support.

  • edit ==> Both editing and history support are available.

  • edit_readline ==> Uses the standard GNU readline library for editing and history of commands.

 

In the Makefile the default is edit_simple:

  ifdef CONFIG_READLINE
        OBJS_c += ../src/utils/edit_readline.o
        LIBS_c += -lncurses -lreadline
  else
  ifdef CONFIG_WPA_CLI_EDIT
        OBJS_c += ../src/utils/edit.o
  else
        OBJS_c += ../src/utils/edit_simple.o
  endif
  endif

So unless you enable one of the above macros in the ".config" and recompile wpa_supplicant, you won't be able to edit or traverse the "history". Of edit and readline, readline is much cleaner as it is handled in the library.

The same applies to hostapd_cli as well. Next time you see the "up arrow" not working, recompile wpa_supplicant with either of the macros enabled.