Wireshark Primer
with an emphasis on WLANs
Gary Hampton
Kentuckiana ISSA Workshop
3/12/2011
Outline
- Objective
- Types of sniffers
- Wireshark background
- 802.11 physical layer
- 802.11 MAC layer
- 802.11 security
- Capturing basics
- Wireless traces
- How-to's: TCP stream, statistics, filters, profiles
Objective
- Improve your knowledge of Wireshark and how to sniff traffic
- Be able to create filters and navigate Wireshark
- Improve your knowledge of the 802.11 protocol and wireless networking
Types of sniffers
- Specialty sniffers
  - Cain and Abel
  - Dsniff
  - Tcpdump/windump
- Device specific
  - Intrusion detection systems
  - Modern access points
  - Microsoft's Netmon
- Commercial grade
  - WildPackets OmniPeek
  - NetScout
  - CACE Pilot (Wireshark interface); Riverbed Technology
- Wireshark
Why Wireshark?
- Why use Wireshark?
  - Excellent price: $0
  - Full-blown sniffer
  - Supports multiple trace file formats: MS Netmon, WildPackets, Sun Snoop, Kismet
  - Easy sharing of traces with other work groups
- When to use a commercial sniffer?
  - When sniffing large amounts of data (e.g. 1 GB traces)
  - When presenting graphs and documents to upper-level management
Wireshark
- Created by Gerald Combs
  - 1998: released as Ethereal
  - 2006: renamed "Wireshark" when Combs joined CACE Technologies
  - CACE Technologies was purchased by Riverbed Technology in 2010
- Maintained by a group of developers today
- Released under the GNU General Public License (GNU GPL)
- Free downloads available for Windows, Mac OS X, Linux, FreeBSD and U3 devices
  - www.wireshark.org/download.html
- Graphical and command-line versions
- Mailing list for new releases
  - www.wireshark.org/lists
Wireshark Requirements
- Any modern 32-bit/64-bit x86 or AMD processor
- Minimum 128 MB available RAM (more is better)
- 75 MB available disk space
- Network cards
  - Any Ethernet card supported by Windows
  - Wireless
    - Windows: AirPcap adapters only (for monitor mode)
    - Linux: not all, but most Linux drivers support monitor mode
      - http://wireless.kernel.org/en/users/drivers
Uses for Wireshark
- Troubleshoot performance issues
- Identify device configuration issues
- Identify malicious traffic
- Perform intrusion detection
- Evaluate response times
- Baseline bandwidth usage
- Identify application protocols and ports
- Assess wireless networks
What does it take to be good at analyzing traces?
- Be familiar with the sniffer's features
- Be familiar with networking protocols
  - Your effectiveness is directly proportional to your protocol knowledge
  - Research RFCs, Google, etc.
- Know your network and the applications that utilize it
  - Baseline it, so you can recognize what is abnormal
802.11 Physical Layer
802.11b/g/n 2.4 GHz band
- Unlicensed spectrum
- CSMA/CA medium access
- Shares the band with many interference sources:
  - Microwave ovens
  - Bluetooth
  - Wireless cameras
  - Cordless phones
  - Other 802.11 devices
  - Ham radio operators
- Channels 1-11 (US) are spaced 5 MHz apart but each is about 22 MHz wide, so there are only 3 non-overlapping channels in the 2.4 GHz band:
  - Channel 1: 2412 MHz
  - Channel 6: 2437 MHz
  - Channel 11: 2462 MHz
802.11a/n 5 GHz band
- Unlicensed National Information Infrastructure (U-NII) bands
- In 2004 the FCC opened the 5.470-5.725 GHz band (U-NII-2 Extended), adding channels 100-140 in the gap between channel 64 and channel 149 in the table below
- The 12 channels originally available are all non-overlapping (20 MHz apart)
- Devices using the extended channels must support IEEE 802.11h Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC), because the band is shared with radar
- Radar usage
  - Terminal Doppler Weather Radar (TDWR) operates between 5.6 and 5.65 GHz
  - The FCC recommends not using those channels within 35 km of a TDWR

Band            Channel   Frequency
U-NII lower     36        5.180 GHz
                40        5.200 GHz
                44        5.220 GHz
                48        5.240 GHz
U-NII middle    52        5.260 GHz
                56        5.280 GHz
                60        5.300 GHz
                64        5.320 GHz
U-NII upper     149       5.745 GHz
                153       5.765 GHz
                157       5.785 GHz
                161       5.805 GHz
Spectrum Analyzers
- Kismet (not a spectrum analyzer, but can identify APs)
- WIDS/WIPS/modern APs
- MetaGeek: Wi-Spy with Chanalyzer
- Berkeley Varitronics Systems: Bumblebee
- Cisco: Spectrum Expert
- AirMagnet: Spectrum XT
- Anritsu / Tektronix / HP / Bird Technologies (general-purpose RF spectrum analyzers)
Anritsu Spectrum Analyzer
(Screenshot: Anritsu MS2711B sweep titled "Salt Dome South Direction", 2350-2600 MHz, span 250 MHz, RBW 1 MHz, VBW 300 kHz, 10 dB/div, reference level -29 dBm, positive-peak detection, 0 dB attenuation; markers M1 -66.85 dBm @ 2464.662 MHz and M2 -74.43 dBm @ 2482.832 MHz; captured 03/22/2004 15:34:39.)
802.11 MAC Layer
Frame Comparison
802.3 (Ethernet) frame:
  Preamble 8 bytes | Dest. Addr 6 bytes | Source Addr 6 bytes | Type 2 bytes | Payload 46-1500 bytes | CRC 4 bytes
802.11 frame (MAC header as shown in the slide's diagram):
  Frame Control 2 bytes | Duration/ID 2 bytes | Address 1, 2, 3 (6 bytes each) | Sequence Control 2 bytes | Address 4 (6 bytes, WDS only) | Frame Body 0-2312 bytes | FCS 4 bytes
802.11 Frame Control Fields
- Version: protocol version (currently 0)
- Type: frame type (Management, Control or Data)
- Subtype: e.g. association request, CTS
- To DS / From DS
  - To DS set -> to the wired network (distribution system)
  - From DS set -> from the wired network
  - Both bits set -> wireless bridge (WDS network)
  - Both bits cleared -> ad hoc network (also all management and control frames)
- MF: more fragments
- Retry: retransmission of an earlier frame
- Pwr: power management (station will enter power-save mode)
- More: more data buffered at the AP for this station
- W: WEP / protected frame (payload is encrypted)
802.11 Power Management
- CAM (Continuous awareness mode): radio never shuts down. Provides the best network performance, uses the most battery power
- PSP 1: excellent network performance, uses less battery power
- PSP 2: great network performance, uses less battery power
- PSP 3: good network performance, uses less battery power
- PSP 4: adequate network performance, uses less battery power
- PSP 5: acceptable network performance, uses the least battery power
802.11 Frame To DS/From DS bits and address order
The To DS / From DS bits decide which address field carries which role (RA = receiver, TA = transmitter, DA = destination, SA = source):

Mode            To DS  From DS  Address 1      Address 2      Address 3  Address 4
Ad hoc (IBSS)   0      0        Rx Addr/Dest   Tx Addr/Src    BSSID      N/A
Infrastructure  0      1        Rx Addr/Dest   Tx Addr/BSSID  Src Addr   N/A
Infrastructure  1      0        BSSID          Tx Addr/Src    Dest Addr  N/A
WDS             1      1        Rx Addr        Tx Addr        Dest Addr  Src Addr
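The Frame Control decoding and address-order table above, as a small parser (an added example, not code from the original slides). It reads the 2-byte little-endian Frame Control field, computes the same type/subtype value Wireshark exposes as wlan.fc.type_subtype, picks the address roles from the To DS / From DS bits, and tallies deauthentications and retries per BSSID the way Statistics->WLAN does. The three sample frames are constructed by hand; the AP MAC is the one used in the airdrop-ng slide and the client/server MACs are made up.

```python
"""Parse an 802.11 MAC header: Frame Control bits, the Wireshark
wlan.fc.type_subtype value, and the address roles selected by the
To DS / From DS bits.  Added example (not from the original slides);
the sample frames at the bottom are constructed by hand."""
import struct
from collections import Counter, defaultdict

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, so a
# deauthentication is 12 (0x0c), a beacon is 8 and a plain data frame is 0x20.
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}
# (To DS, From DS) -> roles of Address 1..4 and which field holds the BSSID.
ADDRESS_ROLES = {
    (0, 0): ("RA/DA", "TA/SA", "BSSID", None, 3),
    (0, 1): ("RA/DA", "TA/BSSID", "SA", None, 2),
    (1, 0): ("RA/BSSID", "TA/SA", "DA", None, 1),
    (1, 1): ("RA", "TA", "DA", "SA", None),      # WDS: four addresses, no BSSID field
}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    fc, duration = struct.unpack_from("<HH", frame, 0)      # little-endian on the air
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    info = {"version": fc & 0x3, "type": TYPE_NAMES.get(ftype, "Reserved"),
            "type_subtype": (ftype << 4) | subtype,
            "to_ds": to_ds, "from_ds": from_ds,
            "more_frag": bool(flags & 0x04), "retry": bool(flags & 0x08),
            "pwr_mgt": bool(flags & 0x10), "more_data": bool(flags & 0x20),
            "protected": bool(flags & 0x40), "order": bool(flags & 0x80),
            "duration": duration, "bssid": None}
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"subtype {subtype}")
    if ftype == 1:          # control frames carry RA and, for RTS/PS-Poll, TA only
        info["addresses"] = {"RA": mac(frame[4:10])}
        if len(frame) >= 16:
            info["addresses"]["TA"] = mac(frame[10:16])
        return info
    a1, a2, a3, a4, bss_idx = ADDRESS_ROLES[(to_ds, from_ds)]
    addrs = {a1: mac(frame[4:10]), a2: mac(frame[10:16]), a3: mac(frame[16:22])}
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info["fragment"], info["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
    if a4:
        addrs[a4] = mac(frame[24:30])
    info["addresses"] = addrs
    if bss_idx:
        start = 4 + 6 * (bss_idx - 1)
        info["bssid"] = mac(frame[start:start + 6])
    return info

def wlan_stats(frames):
    """Per-BSSID counts in the spirit of Statistics->WLAN: frames, deauths, retries."""
    stats = defaultdict(Counter)
    for f in frames:
        h = parse_header(f)
        c = stats[h["bssid"] or "(no BSSID)"]
        c["frames"] += 1
        c["deauth"] += h["type_subtype"] == 12
        c["retry"] += h["retry"]
    return stats

# Constructed sample frames (no FCS).  AP MAC from the airdrop-ng slide; others made up.
AP = bytes.fromhex("001f33e65e09")
STA = bytes.fromhex("001122334455")
SRV = bytes.fromhex("00aabbccddee")

def seq(n, frag=0):
    return struct.pack("<H", (n << 4) | frag)

# Protected data frame client -> AP -> wired server: To DS=1, so A1=BSSID, A2=SA, A3=DA.
DATA_TO_DS = b"\x08\x41" + struct.pack("<H", 44) + AP + STA + SRV + seq(5) + b"\x00" * 8
# Deauthentication AP -> client, reason code 7 (class 3 frame from a non-associated STA).
DEAUTH = b"\xc0\x00" + struct.pack("<H", 314) + STA + AP + AP + seq(9) + struct.pack("<H", 7)
# The same deauthentication retransmitted (Retry bit set, same sequence number).
DEAUTH_RETRY = b"\xc0\x08" + struct.pack("<H", 314) + STA + AP + AP + seq(9) + struct.pack("<H", 7)

if __name__ == "__main__":
    for f in (DATA_TO_DS, DEAUTH, DEAUTH_RETRY):
        print(parse_header(f))
    print(dict(wlan_stats([DATA_TO_DS, DEAUTH, DEAUTH_RETRY])))
```

The `type_subtype` value is what the later display filters `wlan.fc.type_subtype == 12` (deauthentication) and `== 8` (beacon) match on; a capture with radiotap or PPI headers has those in front of the MAC header, so strip them (or read `frame[offset:]`) before calling `parse_header`.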
802.11 MAC Frames
- Management: used for connecting to and disconnecting from the WLAN. Includes beacons, probes, authentication and association requests/responses, and deauthentication/disassociation.
- Control: used to acknowledge receipt of data and reserve the medium (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK), plus PS-Poll for power-saving stations.
- Data: the only frames that carry an encrypted payload on a WLAN. Encapsulate user data over the WLAN (e.g. IP and ARP traffic).
Client Association
Client -> Access Point: Probe Request
Access Point -> Client: Probe Response
Client -> Access Point: Authentication Request
Access Point -> Client: Authentication Challenge (shared-key WEP only; open system skips the challenge)
Client -> Access Point: Authentication Response (the challenge encrypted with the WEP key)
Access Point -> Client: Authentication Success?
Client -> Access Point: Association Request
Access Point -> Client: Association Response
802.11 Security
Encryption and Authentication Options
- WPA-PSK and WPA2-PSK
  - Use a hierarchy of keys (see the in-depth security slides at the end of this presentation)
  - Both use the 4-way handshake to generate the Pairwise Transient Key (PTK)
  - The Pairwise Master Key (PMK) is the same for all stations on the same WPA-PSK or WPA2-PSK network
  - If you capture the 4-way handshake (EAPOL) and know the PSK and SSID, Wireshark can decrypt WPA-PSK and WPA2-PSK frames
- WPA and WPA2 Enterprise
  - Uses 802.1X with EAP (Extensible Authentication Protocol) to authenticate the client (supplicant) through the access point (authenticator) to an authentication server, instead of a PSK
  - Per-user, per-session keys: the PMK is delivered from the authentication server to the AP and never sent over the air, so Wireshark and sniffers in general cannot decrypt the traffic unless that PMK is obtained from the server
  - See the security slides at the end of the presentation for more information
Sample WPA 4-way Handshake (EAPOL, EAP over LAN)
1. Authenticator (Access Point) -> Supplicant (Client): sends ANonce, which starts PTK derivation on the client
2. Supplicant -> Authenticator: sends SNonce and a MIC over frame 2; the AP derives the PTK and checks the MIC, confirming the client has the right PTK, PMK and PSK (authenticates the client)
3. Authenticator -> Supplicant: sends a MIC over frame 3 (and the group key); the client checks it, which authenticates the access point
4. Supplicant -> Authenticator: sends a MIC over frame 4; both sides install the keys and are ready to TX/RX data
Capture basics
Wireshark capture flow
- libpcap: link-layer capture interface on Linux/Unix (also used by tcpdump)
- WinPcap: Windows port of libpcap
- AirPcap: link-layer interface and USB adapter for capturing 802.11 traffic on Windows
- Flow, from the wire up:
  Network interface (Ethernet or wireless)
  -> libpcap / WinPcap / AirPcap, applying capture filters
  -> Wireshark capture engine
  -> Wiretap library (reads and writes trace file formats)
  -> Core engine
  -> Dissectors, plugins, display filters
  -> Graphical toolkit (GTK)
Capturing wireless traffic
- Determine the location for the sniffer(s)
- Select the appropriate interface and capture options
- Performance issues: for long or busy captures
  - Disable "Update list of packets in real time"
  - Disable network name resolution
  - Reduce the number of columns
Disclaimer
- Only capture traffic on networks that you have permission to capture on.
Where do I place the sniffer?
(Diagram: AP, Server A, Server B)
Sniffing wired traffic
- Hub: every port sees all traffic
- Switched networks
  - Insert a hub in the path
  - Port mirroring / port spanning (SPAN)
  - Taps
Sniffing Wireless traffic
- Promiscuous mode
  - The 802.11 adapter only captures packets of the SSID the adapter has joined, and most drivers hand them up as Ethernet frames without the 802.11 headers
- Monitor mode
  - The driver does not make the adapter a member of any SSID on the network
  - All packets of all SSIDs on the currently selected channel are captured, with full 802.11 headers
  - Windows: must use AirPcap from CACE Technologies
  - Linux: most Linux drivers support monitor mode
Wireshark Startup (screenshot)
- Capture area
- Files area
- Online help
Wireshark Layout (screenshot)
- Filter toolbar
- Wireless toolbar
- Packet List
- Packet Details
- Packet Bytes
- Status bar
Capture Interfaces (screenshot)
Capture Filters
- Limit the packets saved while capturing traffic
- Helpful when capturing traffic on a busy network or focusing on a specific problem
- Problems:
  - You cannot get the discarded packets back
  - Capture filters use BPF (tcpdump) syntax, not display-filter syntax; a display filter pasted here is rejected or captures the wrong traffic
- Filter options: type, direction and protocol
  - tcp: capture only TCP traffic
  - ether src 00:A0:F8:12:34:56: traffic from that Ethernet address
  - host www.cnn.com: capture traffic to/from cnn.com
Setting up profiles
- Wireshark lets you configure profiles for different uses, e.g. analyzing WLAN traces
- Edit->Configuration Profiles->New->enter a profile name (e.g. WLAN)
  - Any capture or display filters and column changes are saved under this profile while it is in use
Statistical Analysis Summary
Statistics->Summary provides a summary of the sniffer trace:
- Date, length
- Capture format
- Packet and byte counts
- Time elapsed
- Capture filters used
Protocol Hierarchy Statistics
- Displays a list of the types of traffic and their percentages
- Used to identify anomalies and suspect traffic
- Example: wpa-induction.pcap
  - Statistics->Protocol Hierarchy
Identifying top talkers
- Conversations statistics list pairs of devices that are communicating with each other
- Open trace wlan-ap-problem.pcap
- Statistics->Conversations
  - Select the WLAN tab
- Endpoints is similar, but shows a single endpoint or node rather than pairs
Basic Display Filters
- Syntax: field.name operator value
- Operators
  eq, ==      Equal
  ne, !=      Not equal
  gt, >       Greater than
  lt, <       Less than
  ge, >=      Greater than or equal to
  le, <=      Less than or equal to
  contains    Contains the specified data
  and, &&     Logical AND
  or, ||      Logical OR
  not, !      Negation
Coloring Rules for traffic
- Coloring rules make traces easier to read and problems easier to spot
- Example: open the airdrop-ng2 trace and add coloring rules
  - View->Coloring Rules->New->enter a name and filter expression->choose colors
  - Deauthentication frames: wlan.fc.type_subtype == 12
  - Packet retries: wlan.fc.retry == 1
- Coloring rules affect the load time of traces
IO Graphs
- Let Wireshark graphically depict traffic flow trends
- Used to identify network performance issues, e.g. TCP round trip time (data to ACK)
- Open the wlan-signalissue trace
- Statistics->IO Graph
- Add a graph for signal strength
  - ppi.80211-common.dbm.antsignal (PPI captures; radiotap captures use radiotap.dbm_antsignal)
Decrypting Frames
- Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK
  - If decryption is left to the AirPcap driver, only WEP is supported; Wireshark's own IEEE 802.11 decryption handles WEP, WPA-PSK and WPA2-PSK
  - The trace must include the 4-way handshake frames: the PTK is derived from the PMK and the two nonces exchanged there, and without it nothing can be decrypted
- Open the trace wpa-induction
  - Verify the 4-way handshake was captured: apply the display filter eapol and select Apply
Decrypting Frames continued
- Clear the eapol filter
- Edit->Preferences->Protocols->IEEE 802.11
- Enter the PSK and SSID in the format wpa-pwd:PSK:SSID
  - wpa-pwd:Induction:Coherer
- Check "Enable decryption"
- You may have to toggle "Ignore vendor-specific HT elements" and "Assume packets have FCS"
- Select Apply and OK
- Open the Protocol Hierarchy Statistics and note the additional protocols now listed: the decrypted payloads are dissected
DWEP client unable to connect to the AP
- Open the tulcsp1 trace file
- Examine beacon frame #2
  - What channel is the AP on?
  - What is the data rate for the beacon?
  - What type of security is in use?
- Set a filter to hide beacons
  - !(wlan.fc.type_subtype == 8)
- Examine the authentication/association process: why does the client not associate?
  - Hint: look at frames 12 and 15
Example: Slow Response problem with wireless terminals
(Diagram: AP, Server A, Server B; an 802.11b RF terminal fed by a Bluetooth package scanner)
PS-Poll and round trip response (timeline in ms from -100 to 1000, steps 1-8):
1. The scanner (BT) sends the package scan data to the RF terminal
2. The terminal, in PSP mode, wakes for the beacon, sends a PS-Poll and transmits the scan to Server A/B
3. The Server A/B reply is buffered at the access point until the terminal's next beacon and PS-Poll
4. The same wait repeats for every scan, so each round trip pays the power-save wake-up delay on top of the server response time
WLAN Stats
DoS attack with airdrop-ng
- airdrop-ng is configured to deauthenticate ANY client associated to AP 00:1F:33:E6:5E:09
- Open the airdrop-ng2 trace
- Show statistics for WLAN
  - Statistics->WLAN
  - View the deauthentication counts
Follow TCP Stream example
- Open the trace named ftp.pcap
- Examine packet 10: what is the password? (FTP sends credentials in clear text)
- Select a TCP or FTP packet and right-click
  - Select the Follow TCP Stream option
Recommended reading
- www.wireshark.org
- wiki.wireshark.org
- Laura Chappell's Wireshark Network Analysis
  - www.chappellu.com
- Joshua Wright: www.willhackforsushi.com
- Ed Skoudis' www.ethicalhacker.net "skillz" challenges
Thanks!
Wi-Fi Protected Access Overview
Wi-Fi Protected Access
- Designed as an interim solution to run on existing hardware until a more robust security standard (802.11i) could be developed
- Temporal Key Integrity Protocol (TKIP) for confidentiality and integrity of wireless traffic
- Constraints
  - Must be deployable as a software/firmware upgrade
  - Limited processing capacity of existing APs
  - Based on RC4 encryption, like WEP
TKIP Security Mechanisms
- Improves security over WEP within the design constraints
  - Message Integrity Check (MIC): defeats forgery attempts
  - IV sequencing: defeats replay attacks
  - Re-keying: defeats key-reuse attacks
  - Per-packet key mixing: protects the key
Message Integrity Check (MIC)
- Michael
  - Keyed message integrity code computed over the packet contents (not a cryptographic hash; keyed with the TX/RX MIC keys)
  - Output is two 32-bit words (64 bits)
  - Sender appends the MIC to the data before encryption
  - Receiver recomputes and verifies it
Michael continued
- Michael can only provide about 29 bits of security
  - Due to design constraints (CPU limitations of existing access points)
  - An attacker can try to guess the MIC: about 2^29 forged packets per expected success
  - On an 802.11b network this would take approximately 2 minutes
802.11i Countermeasures
- If a station or AP receives more than two packets with an invalid MIC within 60 seconds:
  - The AP must deauthenticate all clients
  - TKIP is shut down for 60 seconds, after which new keys are negotiated
IV Sequential Enforcement
- Used to defeat replay attacks
- TKIP requires a sequential IV
  - Transmitted in the clear: the low 16 bits in the field formerly known as the WEP IV, the upper 32 bits in a 4-byte Extended IV, giving a 48-bit TKIP Sequence Counter (TSC)
  - The TSC never repeats under one key: keys are rotated before it wraps, and the counter resets to 0 on rekey
- AP and clients track the TSC per transmitter
  - Frames whose TSC is too small (not greater than the last accepted) are discarded
  - Frames with a larger TSC are subjected to the other validation tests (MIC, ICV)
- Causes problems for QoS (e.g. voice), because frames reordered across priority queues look like replays
Example: replay attack
- WEP, no replay protection: the attacker sniffs a valid packet and replays it; the AP accepts every copy as valid
- WPA TKIP sequence counter:
  TSC 39 arrives: OK
  TSC 41 arrives: 41 > 39, OK
  Replayed TSC 41: 41 > 41? Failed
  Replayed TSC 41: 41 > 41? Failed
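The replay check above, as an added example that is not part of the original slides: it decodes the 48-bit TSC from the 8-byte TKIP IV/Extended IV header, keeps the highest accepted TSC per transmitter and key ID, and rejects anything that is not strictly greater. The frame sequence replays the slide's diagram (TSC 39, TSC 41, then two copies of 41); the station MAC and headers are constructed.

```python
"""TKIP replay protection: decode the TSC from the TKIP header and drop
frames whose counter does not advance.  Added example, not from the
original slides; the frame sequence below is constructed to mirror the
slide's diagram (TSC 39, TSC 41, then a replayed TSC 41)."""

def tkip_header(tsc, key_id=0):
    """Build the 8-byte TKIP header for a given TSC (constructed test data).
    Layout: TSC1, WEPSeed[1] = (TSC1 | 0x20) & 0x7f, TSC0, KeyID<<6 | ExtIV, TSC2..TSC5."""
    tsc1 = (tsc >> 8) & 0xFF
    return bytes([tsc1, (tsc1 | 0x20) & 0x7F, tsc & 0xFF, (key_id << 6) | 0x20,
                  (tsc >> 16) & 0xFF, (tsc >> 24) & 0xFF,
                  (tsc >> 32) & 0xFF, (tsc >> 40) & 0xFF])

def tkip_tsc(header):
    """Return (key_id, tsc) from the 8 bytes that follow the 802.11 MAC header."""
    tsc1, _seed, tsc0, keyid_extiv, tsc2, tsc3, tsc4, tsc5 = header[:8]
    if not keyid_extiv & 0x20:
        raise ValueError("ExtIV bit clear: this is a WEP header, not TKIP")
    tsc = tsc0 | tsc1 << 8 | tsc2 << 16 | tsc3 << 24 | tsc4 << 32 | tsc5 << 40
    return keyid_extiv >> 6, tsc

class TkipReplayCheck:
    """Receiver state: highest TSC accepted per (transmitter, key_id)."""
    def __init__(self):
        self.last_tsc = {}

    def accept(self, ta, tsc, key_id=0):
        last = self.last_tsc.get((ta, key_id), -1)
        if tsc <= last:
            return False                 # too small: discard as a replay
        self.last_tsc[(ta, key_id)] = tsc  # only now does the window advance
        return True

    def rekey(self, ta, key_id=0):
        self.last_tsc.pop((ta, key_id), None)   # new temporal key: TSC restarts at 0

def replay_demo(frames):
    """frames: list of (transmitter MAC, TKIP header).  Returns [(tsc, accepted), ...]."""
    checker = TkipReplayCheck()
    results = []
    for ta, hdr in frames:
        key_id, tsc = tkip_tsc(hdr)
        results.append((tsc, checker.accept(ta, tsc, key_id)))
    return results

STA = "00:11:22:33:44:55"   # constructed transmitter address
SCENARIO = [(STA, tkip_header(39)), (STA, tkip_header(41)),
            (STA, tkip_header(41)), (STA, tkip_header(41))]   # last two are replays

if __name__ == "__main__":
    for tsc, ok in replay_demo(SCENARIO):
        print(f"TSC {tsc}: {'OK' if ok else 'Failed (replay)'}")
```

The per-transmitter key is what makes this work on a WLAN: each station has its own PTK and therefore its own counter, and 802.11e QoS adds a separate counter per traffic class so that a voice frame overtaking a data frame is not mistaken for a replay.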
Re-keying protection
Key Hierarchy
- TKIP uses 3 levels of keys and regular key rotation
  - Master keys (highest level): derived from 802.1X/EAP or the pre-shared key for WPA-PSK; protect the intermediate keys
  - Key Encryption Keys (intermediate): protect the temporal keys
  - Temporal keys (lowest level): used to encrypt data; rotated after a configured packet count
TKIP Keys
- PSK: Pre-shared key, a passphrase of 8 to 63 characters
- PMK: Pairwise Master Key, derived from the PSK or from the EAP method
- PTK: Pairwise Transient Key, which contains
  - Temporal (encryption) key
  - Two MIC keys (RX and TX)
  - EAPOL Key Encryption Key (KEK)
  - EAPOL Key Confirmation Key (KCK)
WPA-PSK PMK derivation
- Pairwise Master Key
  - Derived from the passphrase, the SSID and the SSID length
  - The same for all stations on the same WPA-PSK network
  - 256 bits for WPA-PSK
  - Used to generate the Pairwise Transient Key (PTK)
- PMK = PBKDF2(passphrase, ssid, ssidlen, 4096, 256)
  - 4096 iterations of HMAC-SHA1
  - Pseudo-random output that cannot be reversed
  - The iteration count slows dictionary attacks, but does not defeat them
WPA PTK derivation
- Combines the MAC addresses of the STA and AP with the STA nonce and AP nonce
- nonce
  - 256-bit value that is not repeated for the lifetime of the transaction
  - Not a secret; sent in plaintext in the EAPOL-Key frames
- The PTK is never sent over the network; both the supplicant and the authenticator calculate it from the same inputs
- PTK keys are unique for each pair of stations (each client/AP association)
- PTK = PRF-512(PMK, "Pairwise key expansion", AA, SPA, ANonce, SNonce)
  - A 512-bit output built from HMAC-SHA1; the two MACs and the two nonces are each ordered low/high before being concatenated
PTK Mapping
- The PTK is 512 bits or 64 bytes in length for TKIP (384 bits for CCMP, which has no Michael keys)
- Key Confirmation Key (KCK, the "HMAC MIC key"): first 16 bytes; validates the contents of the EAPOL-Key frames (the handshake MICs)
- EAPOL-Key KEK: second 16 bytes; protects the confidentiality of new keys (e.g. the group key) delivered in future EAPOL-Key messages
- Temporal encryption key: next 16 bytes; protects the data
- TX MIC key: next 8 bytes; used by the transmitting station to calculate the Michael MIC of each data packet
- RX MIC key: last 8 bytes; used by the receiving station to verify the MIC carried in received data packets
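The derivation described on the last three slides, and the decryption step from the main deck (wpa-pwd:Induction:Coherer), as one added example that is not part of the original presentation. It computes the PMK with PBKDF2-HMAC-SHA1, expands it to the PTK with PRF-512 and splits it into KCK, KEK, TK and the two Michael keys, then uses the KCK to produce and verify the MIC on handshake message 2. The second half shows why the 4-way handshake is enough for an off-line dictionary attack: with ANonce, SNonce, both MACs and one MIC, a candidate passphrase can be checked with no further traffic. The handshake is constructed, not taken from a capture; the AP MAC is the one used in the airdrop-ng slide, and the client MAC and nonces are made up.

```python
"""WPA/WPA2-PSK key derivation and 4-way-handshake MIC check: the
computation Wireshark performs from a wpa-pwd:PSK:SSID entry, and the
inner loop of a coWPAtty/aircrack-ng dictionary attack.  Added example,
not from the original slides; the handshake below is constructed."""
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2(passphrase, ssid, ssidlen, 4096, 256): 4096 rounds of HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, prefix, data, nbits):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, prefix || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, prefix + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)), split in the TKIP layout."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48],
            "tx_mic": ptk[48:56], "rx_mic": ptk[56:64]}

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + ID (8) = 81
MIC_OFFSET = 81

def eapol_mic(kck, eapol_frame, descriptor_version):
    """MIC over the whole EAPOL frame with its 16-byte MIC field zeroed.
    Version 1 (WPA/TKIP) is HMAC-MD5; version 2 (WPA2/CCMP) is HMAC-SHA1 cut to 128 bits."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_key(key_info, nonce, replay_counter=1, mic=b"\x00" * 16, key_data=b""):
    """EAPOL-Key frame (descriptor type 254 = WPA) with the given Key Information and nonce."""
    body = (struct.pack(">BHHQ", 254, key_info, 32, replay_counter) + nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body      # EAPOL version 1, type 3 = Key

AP_MAC = bytes.fromhex("001f33e65e09")
STA_MAC = bytes.fromhex("001122334455")   # constructed client MAC
ANONCE = bytes(range(32))                 # constructed nonces; real ones are random
SNONCE = bytes(range(32, 64))
MSG2_KEY_INFO = 0x0109                    # descriptor version 1 (TKIP), pairwise, MIC present

def make_msg2(passphrase, ssid):
    """Supplicant side: derive the PTK and emit message 2 (SNonce plus a MIC keyed with the KCK)."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    unsigned = build_eapol_key(MSG2_KEY_INFO, SNONCE)
    return build_eapol_key(MSG2_KEY_INFO, SNONCE, mic=eapol_mic(ptk["kck"], unsigned, 1))

def check_psk(candidate, ssid, msg2, anonce, aa, spa):
    """Sniffer side: from ANonce (message 1), the captured message 2 and both MACs,
    recompute the MIC under a candidate passphrase.  True means the candidate is the PSK."""
    key_info, = struct.unpack_from(">H", msg2, 5)
    snonce = msg2[17:49]
    ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
    expected = eapol_mic(ptk["kck"], msg2, key_info & 0x7)
    return hmac.compare_digest(expected, msg2[MIC_OFFSET:MIC_OFFSET + 16])

if __name__ == "__main__":
    msg2 = make_msg2("Induction", "Coherer")
    for guess in ("password", "induction", "Induction"):
        print(f"{guess:10s} -> {check_psk(guess, 'Coherer', msg2, ANONCE, AP_MAC, STA_MAC)}")
```

`pmk_from_passphrase(...).hex()` is exactly the 64-hex-digit value Wireshark accepts as a `wpa-psk:` key, which is how enterprise traffic can be decrypted when the PMK is exported from the RADIUS server. Each candidate costs 4096 HMAC-SHA1 rounds, which is why the slides' advice to avoid common SSIDs matters: the SSID salts the PMK, so precomputed tables only help against SSIDs the attacker anticipated.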
Problems with WPA-PSK
- The passphrase is susceptible to off-line dictionary attacks once a single 4-way handshake has been captured
  - Examples: coWPAtty, aircrack-ng
Recommendations for implementing WPA-PSK
- Use non-common ESSIDs (the SSID salts the PMK, so precomputed tables for common SSIDs do not apply)
- Use random characters (63-character passphrase)
- Avoid dictionary words or variations of dictionary words (e.g. pa55word or PaSsWoRd)
WPA2
- Supports both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
- CCMP
  - Uses the same PMK and PTK key hierarchy as TKIP
  - Uses the same 4-way handshake PTK derivation as TKIP
  - Based on the AES (Advanced Encryption Standard) cipher, not RC4
  - AES provides strong encryption
  - Cannot be used with legacy hardware
WPA2 advantages over WPA
- WPA2 supports all features of WPA
- Uses AES-CCMP for encryption
- Provides faster roaming between access points
  - Reduces overhead in the 4-way handshake
  - 802.1X pre-authentication
  - Opportunistic key caching support
WLAN Authentication methods
802.1X
- IEEE standard authentication framework for 802 LANs
- Originally designed for wired networks
- Advantages
  1. Mutual authentication
     - Authentication of both the client and the authentication server
     - Protects the client from rogue access points
     - Protects the network from unauthorized access
  2. Port-based access control
     - Restricts the device to authentication traffic only (802.1X/EAP/RADIUS) via the uncontrolled port
     - Once authenticated, the controlled port is switched to the authorized state, allowing the device to communicate on the network
802.1X Port Access Control
(Diagram: Supplicant -> Authenticator (access point) -> Authentication Server. EAP passes through the authenticator's uncontrolled port; the controlled port to the LAN opens only after authentication.)
EAP
- Extensible Authentication Protocol (EAP)
  - Authentication framework used in wireless networks and point-to-point connections
  - Provides common functions and a negotiation of the desired authentication method
- Factors to consider when choosing an EAP method
  - Mutual authentication: do both client and server authenticate each other?
  - Certificate requirements: none, server only, or both client and server
  - Dynamic key generation: static key versus rotating per-session keys
  - Cost and management support
  - Industry support
Common EAP methods
- EAP-MD5
  - First authentication type created
  - Not used in WLANs
  - Does not support dynamic keying
  - The MD5 challenge/response is susceptible to dictionary attacks
- LEAP (Lightweight Extensible Authentication Protocol)
  - Cisco proprietary EAP method
  - Provides per-user, per-session encryption keys
  - Only supports password authentication (MS-CHAP based); vulnerable to off-line dictionary attacks with ASLEAP
- EAP-TLS (EAP-Transport Layer Security)
  - IETF standard (RFC 2716), originally written at Microsoft
  - Requires both client and server certificates
  - Supports mutual authentication
802.1X with PEAP example
Participants: Supplicant (Client), Authenticator (Access Point), Authentication Server; EAP type = PEAP
1. Supplicant -> Authenticator: EAP Start (EAPOL, EAP over LAN)
2. Authenticator -> Supplicant: Request Identity
3. Supplicant -> Authenticator: Identity (network access identifier: user name or computer name)
4. Authenticator -> Authentication Server: the AP forwards the NAI to the RADIUS server, encapsulated in a RADIUS request message
5. Authentication Server -> Supplicant (relayed by the AP): the RADIUS server responds with its digital certificate; the client confirms it using a preloaded root certificate
6. Encrypted tunnel established; the inner authentication runs inside it
7. Authentication Server -> Authenticator: sends the session key
8. Authenticator -> Supplicant: sends the broadcast key encrypted with the session key, plus the key length information
9. Encrypted data flow
EAP Type Comparisons

EAP type   Mutual authentication  Certificates required  Dynamic key generation  Cost and management overhead  Industry support
EAP-MD5    No                     No                     No                      Low                           n/a
LEAP       Yes                    No                     Yes                     Low                           Low
EAP-TLS    Yes                    Client/Server          Yes                     High                          High
EAP-TTLS   Yes                    Server only            Yes                     Low/Medium                    Medium
PEAP       Yes                    Server only            Yes                     Low/Medium                    High
Security Standards Comparison

Standard                      Authentication method            Encryption standard   Cipher
802.11 legacy (802.11a/b/g)   Open system or shared key        WEP                   RC4
WPA Personal                  WPA passphrase (PSK)             TKIP                  RC4
WPA Enterprise                802.1X (EAP, PEAP, EAP-TLS)      TKIP                  RC4
WPA2 Personal                 WPA passphrase (PSK)             CCMP (TKIP optional)  AES (RC4 with TKIP)
WPA2 Enterprise               802.1X (EAP, PEAP, EAP-TLS)      CCMP (TKIP optional)  AES (RC4 with TKIP)