Showing posts with label sniffing.

Saturday, March 16, 2013

Decrypting 802.11 packets: Secured 802.11 Environment

While testing secured 802.11 networks we face a common problem: the data in the WLAN frames cannot be analyzed with a sniffer because it is encrypted. This hurts especially when you want to debug higher-layer protocol issues (DHCP, ICMP, ARP etc.).

We have a few options to overcome this, either using a sniffer or using a console (in the case of Linux); let's take a quick look at them.

For an End-user/Production Environment:


Most wireless capture tools support decryption of WLAN packets, taking the credentials from the user.


Omnipeek: 

In "Tools > Decrypt WLAN Packets" we can enter the credentials for each type of security and Omnipeek will try to decode all encrypted packets in the trace.

Omnipeek WLAN Decryption Procedure Screenshot


Wireshark:  

In "Preferences > Protocols > IEEE 802.11" there is an option to enter the decryption keys and to enable decryption.

For both tools, we can enter a WEP key / WPA passphrase / WPA PSK in the formats below:

Key examples:
  01:02:03:04:05 (40/64-bit WEP)
  010203040506070809101111213 (104/128-bit WEP)
  WPA/WPA2-PSK: use this calculator and paste the PSK.

Wireshark WLAN Decryption Procedure Screenshot

But these decryption techniques are not reliable (especially Omnipeek :-), and we need that costly license as well) and are only useful for post-processing of the packets. Live capture, anyone?


For an Engineering/Development Environment:


Instead, if we have access to the console of the device (one that runs Linux, of course :-)), we can make use of tcpdump. It should be there on all Android phones (at least the ones I have tested have it).


tcpdump:

tcpdump is the back end of Wireshark and provides almost all of Wireshark's main features. Don't go by the name: it not only captures TCP but all the protocols Wireshark supports. Since 802.11 encryption "mostly" happens in the hardware (except when you are using software encryption for testing or initial development purposes), and tcpdump collects the packets on the host side of that boundary (before encryption on transmit, after decryption on receive), all packets can be seen in plain text even though encryption is enabled.


For a quick check this is the method to prefer; it's my favorite way to debug connection, traffic and DHCP issues in a secured 802.11 environment.


Usage on an Android phone or any Linux device:


tcpdump -i <interface> -s 0 -w <path to save the capture file; make sure it is writable>

See the tcpdump man page for details on the options.


E.g.:

  1. tcpdump -i wlan0 -s 0 -w /data/test.pcap
  2. adb pull /data/test.pcap .
  3. Open the pulled pcap file with Wireshark and analyze.*

Note: By default tcpdump captures only 96 bytes of every packet; "-s 0" sets the limit to 64K (practically the whole packet).
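A quick sanity check on the pulled file, added here as an example and not code from the original post: it walks the classic pcap format with only the Python standard library, reports the snaplen tcpdump wrote into the header, flags records whose captured length is below the wire length (the symptom of forgetting "-s 0"), and counts the DHCP and ICMP frames that are readable in clear. It assumes an Ethernet link type, which is what a managed-mode wlan0 capture normally produces; the sample capture is constructed inline.

```python
import struct

def _classify(frame):
    """Classify one Ethernet frame as 'dhcp', 'icmp' or 'other'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + IPv4 headers
        return "other"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto == 1:
        return "icmp"
    if proto == 17 and len(frame) >= 14 + ihl + 4:
        ports = set(struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4]))
        if ports & {67, 68}:  # BOOTP/DHCP server and client ports
            return "dhcp"
    return "other"

def check_capture(data):
    """Walk a classic pcap file; count records, truncated records, DHCP and ICMP."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    stats = {"snaplen": snaplen, "packets": 0, "truncated": 0, "dhcp": 0, "icmp": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        stats["packets"] += 1
        if incl < orig:  # captured less than was on the wire: snaplen too small
            stats["truncated"] += 1
        kind = _classify(frame) if linktype == 1 else "other"  # 1 = DLT_EN10MB
        if kind != "other":
            stats[kind] += 1
    return stats

def _ipv4_frame(proto, payload):  # constructed broadcast Ethernet/IPv4 frame, no checksums
    eth = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes(4), b"\xff" * 4)
    return eth + ip + payload

def sample_pcap():
    """Constructed capture: 2 DHCP datagrams (UDP 68->67), 1 ICMP echo; last record clipped to 96 bytes."""
    dhcp = _ipv4_frame(17, struct.pack("!HHHH", 68, 67, 248, 0) + bytes(240))
    icmp = _ipv4_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame, cap in ((dhcp, len(dhcp)), (icmp, len(icmp)), (dhcp, 96)):
        out += struct.pack("<IIII", 0, 0, cap, len(frame)) + frame[:cap]
    return out
```

Run it on a real pull with `check_capture(open("test.pcap", "rb").read())`; a non-zero "truncated" count means the capture was taken without "-s 0".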


* If you are an Omnipeek maniac, have Omnipeek Pro and want to analyze these tcpdump captures in Omnipeek, there is a new plugin called "Remote TCPDump Adapter Enterprise" which captures the packets over SSH using tcpdump but displays them in Omnipeek on Windows.

Happy Sniffing and Debugging.

Revisions:

1) Thanks to Sunil Pamula for finding the improper command for PSK keys. It is updated now. 8/11/2013.


Wednesday, February 27, 2013

An Introduction to Wireless Sniffing and Dissection

Let's try to understand how sniffing wireless networks works and how to configure it on different platforms like Windows and Linux.


Our primary focus will be Omnipeek and Wireshark, the two most used packet capture and analysis tools in the wireless LAN industry.

  1. Sniffing Wireless in Windows
  2. Sniffing Wireless in Linux
  3. Sniffing through Multiple Interfaces
  4. Monitor Vs. Promiscuous Mode (Coming Soon)
  5. Automate Sniffing Process (Coming Soon)