Analysis
Sessions BU-5
Rolf Leutert
Consultant & Trainer | Leutert NetServices, Switzerland
SHARKFEST '09
Stanford University
June 15-18, 2009
Agenda
• Setting up Wireshark with AirPcap
• Capturing WLAN data
• WLAN Management, Control & Data Frames
• WLAN Frame Formats
• Analyzing: Client cannot associate
• Analyzing: Roaming problems
• Analyzing: Throughput issues
• Multiple-Input, Multiple-Output (MIMO)
Creating a WLAN profile
1. Click 'Edit' and 'Configuration profiles'
2. Select 'New' and enter name
3. Verify selected profile
The Wireless Toolbar
802.11 channel number
• Channel number can be changed during capturing
The Wireless Toolbar
Show frames with or without FCS errors
Decryption in Wireshark or in driver
Decryption Modes
[Diagram labels: Wireshark (Display Filter, Decryption); AirPcap Driver (Capture Filter, Decryption); USB Driver; USB; AirPcap Adapter 1]
• None: no decryption - use if packets are not encrypted or if the key is not available
• Wireshark: decryption in Wireshark - use in combination with display filtering
• Driver: decryption in the AirPcap driver - use in combination with capture filtering only
The Wireless Toolbar
Include Radio header to allow filtering on channel numbers
Decryption Keys
• Wireshark supports decryption of WEP, WPA1 and WPA2 with static shared keys:
• WEP key formats:
Keys
light *            5 ASCII characters: 5 x 8 bit = 40 + 24 bit IV = 64 bit key
1234ABCDEF         10 HEX characters: 10 x 4 bit = 40 + 24 bit IV = 64 bit key
lightningstar *    13 ASCII characters: 13 x 8 bit = 104 + 24 bit IV = 128 bit key
123456..ABCDEF     26 HEX characters: 26 x 4 bit = 104 + 24 bit IV = 128 bit key
* Wireshark does not support text entries for WEP keys; use a Text-to-HEX converter like www.swingnote.com/tools/texttohex.php
Decryption Keys
• Some clients (like Windows XP or Vista) allow WEP key entries in text (ASCII) format
Decryption Keys
• WPA-PWD (Password)
  Key: thisismypassword
  SSID: LNSWLAN
  8 to 63 ASCII character password and SSID
• WPA-PSK (Pre-shared key)
  1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
  exactly 64 HEX characters long
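The key formats on the WEP and WPA slides can be prepared locally, so the key never has to be typed into a web converter. This is an added example, not part of the original slides: the function names are hypothetical, and the password-to-PSK step uses the IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits), which the slides do not spell out.

```python
import hashlib
import string

WEP_ASCII_LENGTHS = (5, 13)    # 40-bit or 104-bit secret entered as text
WEP_HEX_LENGTHS = (10, 26)     # the same secrets entered as hex digits


def is_hex(value):
    return bool(value) and all(c in string.hexdigits for c in value)


def wep_key_to_hex(key):
    """Return a WEP key as the hex string Wireshark accepts."""
    if len(key) in WEP_HEX_LENGTHS and is_hex(key):
        return key.upper()
    if len(key) in WEP_ASCII_LENGTHS and key.isascii():
        return key.encode("ascii").hex().upper()
    raise ValueError("WEP key must be 5/13 ASCII or 10/26 hex characters")


def wpa_psk_from_password(password, ssid):
    """Derive the 64-hex-character WPA-PSK from a WPA-PWD password and SSID."""
    if not (8 <= len(password) <= 63 and password.isascii()):
        raise ValueError("WPA password must be 8 to 63 ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # IEEE 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    # 4096 iterations, 256-bit output.
    psk = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, 4096, 32)
    return psk.hex().upper()


def is_valid_wpa_psk(psk):
    """True for a string of exactly 64 hex characters."""
    return len(psk) == 64 and is_hex(psk)


if __name__ == "__main__":
    # Sample keys are the ones shown on the slides.
    print("light          ->", wep_key_to_hex("light"))
    print("lightningstar  ->", wep_key_to_hex("lightningstar"))
    print("WPA-PSK        ->", wpa_psk_from_password("thisismypassword", "LNSWLAN"))
```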
Decryption Keys
• In order to decrypt WPA, you also need to capture the key negotiation process during connection setup
Tuning display for WLAN
Add new columns
Tuning display for WLAN
added columns
Tuning display for WLAN
Adding new colors
Tuning display for WLAN
Different color per channel
Tuning display for WLAN
Different color per frame type
802.11b/g Channel Allocation
Channel 1: 2401 2412 2423
Channel 6: 2426 2437 2448
Channel 11: 2451 2462 2473...