1. Wireshark Primer with an emphasis on WLAN’s
Gary Hampton
Kentuckiana ISSA Workshop 3/12/2011

2. Outline Objective Types of Sniffers Wireshark background
Physical Layer
MAC Layer
Security
Capturing basics
Wireless traces
How to’s: tcp stream, statistics, filters, profiles

3. Objective Improve your knowledge of Wireshark and how sniff traffic
Be able to create filters and navigate Wireshark
Improve your knowledge of the protocol and wireless networking

4. Types of sniffers Specialty sniffers Device specific Commercial grade
Cain and Able
Dsniff
Tcpdump/windump
Device specific
Intrusion detection systems
Modern access points
Microsoft’s Netmon
Commercial grade
Wild Packet’s Omnipeek
NetScout
Wireshark
CACE Pilot (Wireshark interface); Riverbed Technology

5. Why Wireshark? Why use Wireshark? When to use a commercial sniffer?
Excellent price $0
Full blown sniffer
Supports multiple file formats:
MS Netmon, Wild Packets, Sun Snoop, Kismet
Sharing traces with other work groups
When to use a commercial sniffer?
When sniffing large amounts of data (e.g. 1GB)
When presenting graphs and documents to upper level management

6. Wireshark Created by Gerald Combs
1998 Ethereal
2006 Cace Technologies “Wireshark”
Purchased by Riverbed Technology 2010
Maintained by a group of developers today
Released under GNU General Public License (GNU GPL)
Free downloads available for Windows, Mac OS X, Linux, FreeBSD and U3 devices
Graphical and command versions
Mailing list for new releases

7. Wireshark Requirements
Any modern 32-bit/64-bit x86 or AMD processor
Minimum 128MB available RAM (more is better )
75MB available disk space
Network cards
Any Ethernet card supported by Windows
Wireless
Windows – AirPcap adaptors only
Linux – not all, but most Linux drivers will support monitor mode

8. Uses for Wireshark Troubleshoot performance issues
Identify device configuration issues
Identify malicious traffic
Perform intrusion detection
Evaluate response times
Baseline bandwidth usage
Identify application protocols and ports
Assess wireless networks

9. What does it take to be good at analyzing traces?
Be familiar with the sniffer’s features
Be familiar with networking protocols
Your effectiveness is directly proportional
Research RFC’s, Google, etc.
Know your network and the applications that utilize it
Baseline

10. Physical Layer

11. 802.11b/g/n 2.4GHz band 3 non-overlapping channels in the 2.4GHz band
CSMA/CA
Unlicensed spectrum
Microwave ovens
Bluetooth
Wireless cameras
Cordless phones
Other devices
Ham radio operators

12. 802.11a/n 5 GHz band
Unlicensed National Information Infrastructure (U-NII) band
12 non-overlapping channels in the 5 GHz band
In 2004, the FCC allocated the 5.32 – GHz band, providing 12 additional channels
Devices must support IEEE h Dynamic Frequency Selection 2 and Transmit Power Control
Radar usage
Terminal Doppler Weather Radar (TDWR) operate between5.6 – 5.65 GHz
FCC recommends not using those channels when within 35km of a TDWR
Frequency
Channel
U-NII lower band 40
5.200 GHz 36
5.180 GHz 44
5.220 GHz 48
5.240 GHz
U-NII middle band 52
5.260 GHz 56
5.280 GHz 60
5.300 GHz 64
5.320 GHz
U-NII upper band
149
5.745 GHz
153
5.765 GHz
157
5.785 GHz
161
5.805 GHz

13. Spectrum Analyzers Kismet (not a SA, but can identify AP’s)
WIDS/WIPS/modern AP’s
Metageek
Wi-Spy - Chanalzer
Berkley Varitronics Systems
Bumblebee
Air Magnet
Spectrum XT
Cisco
Spectrum Expert
Anritsu/Tektronix/HP/Bird Technologies

14. Anritsu Spectrum Analyzer

15. Anritsu Spectrum Analyzer

16. MAC Layer

17. Frame Comparison 802.3 Frame 802.11 Frame Preamble Dest. Addr
Source Addr
Type Field
Payload
CRC
8 Bytes
6 Bytes
2 Bytes
Bytes
2-4 Bytes
Frame

18. 802.11 Frame Control Fields Version – specifies the protocol number.
Type – Specifies frame type (Mgmt, Control or Data)
Subtype – e.g. association, CTS

19. 802.11 Frame Control Fields continued
To DS/From DS
To DS set -> to the wired network
From DS set -> from the wired network
Both bits set -> wireless bridge (WDS network)
Both bits cleared -> ad-hoc network

20. 802.11 Frame Control Fields continued
MF – More fragments
Retry
Pwr – Power mgmt
More – More data
W – WEP

21. Power Management
CAM (Continuous awareness mode): Radio never shuts down. Provides best network performance, uses the most battery power
PSP 1: Excellent network performance, uses less battery power
PSP 2: Great network performance, uses less battery power
PSP 3: Good network performance, uses less battery power
PSP 4: Adequate network performance, uses less battery power
PSP 5: Acceptable network performance, uses the least battery power

22. 802.11 Frame To DS/From DS bits
To DS set -> to the wired network
From DS set -> from the wired network
Both bits set -> wireless bridge (WDS network)
Both bits cleared -> ad-hoc network

23. Address order - infrastructure
Mode
To DS
From DS
Address 1
Address 2
Address 3
Address 4
Adhoc
Rx Addr/Dest Addr
Tx Addr/Src Addr
BSSID
N/A
Infrastructure 1
Tx Addr/BSSID
Src Addr
Dest Addr
WDS
Rx Addr
Tx Addr

24. MAC Frames
Management Used for connecting and disconnecting from the WLAN. Includes beacons, probes, authentication and association request/responses.
Control Used to acknowledge receipt of data (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK).
Data The only frames that include an encrypted payload in a WLAN. Encapsulates user data over the WLAN (e.g. IP and ARP traffic).

25. Client Association

26. Security

27. Encryption and Authentication Options
WPA-PSK and WPA2-PSK
Used a hierarchy of keys (see the in depth security slides at the end of this presentation for more information)
WPA-PSK and WPA2-PSK both use the 4-way handshake to generate the Pair wise Transient Key.
Pair wise Master Keys are the same for all systems on the same WPA-PSK or WPA2-PSK network
If you capture the 4-way handshake (EAPOL protocol) and know the PSK and SSID, Wireshark can decrypt WPA and WPA2 PSK packets
WPA and WPA2 Enterprise
Uses 802.1x with EAP (Extensible Authentication Protocol) to authenticate client (supplicant) and access point (authenticator) instead of PSK
Uses per user, per session keys; therefore Wireshark and sniffers in general, cannot decrypt packets
See security slides at the end of the presentation for more information

28. Sample WPA 4-way Handshake

29. Capture basics

30. Wireshark capture flow
Libpcap – link layer interface for capturing on Linux or Unix (tcpdump)
WinPcap – Windows port of libpcap
AirPcap – link layer interface and network adaptor to capture traffic on Windows

31. Capturing wireless traffic
Determine location for sniffer(s)
Select the appropriate interface and data capturing options
Performance issues
Disable, update list of packets in real time
Disable network name resolution
Reduce # of columns
Disclaimer
Only capture traffic on networks that you have permission to do so.

32. Where do I place the sniffer?

33. Sniffing wired traffic
Hub
Switched networks
Port Mirroring/Port Spanning
Taps

34. Sniffing Wireless traffic
Promiscuous mode
adaptor only captures packets of the SSID the adaptor has joined.
Monitor mode
The driver does not make the adaptor a member of any SSID on the network.
All packets of all SSID’s from the currently selected channel are captured.
Windows – must use AirPcap from CACE Technologies
Linux – most Linux drivers support monitor mode \

35. Wireshark Startup
Capture
area
Files area
Online
Help

36. Wireshark Layout Filter toolbar Wireless Toolbar Packet List
Packet Details
Packet Bytes
Status bar

37. Capture Interfaces

38. Capture Filters Limit the packets saved while capturing traffic
Helpful when capturing traffic on a busy network or focusing on a specific problem
Problems:
You cannot get the discarded packets back
No error checking on syntax like display filters
Filter options: Type, Direction, and Protocol
Tcp – filters on TCP traffic
Ether src 00:A0:F8:12:34:56 – traffic from Ethernet address
host – capture traffic to/from cnn.com

39. Setting up profiles
Wireshark allows you to configure profiles for displaying different uses. E.g. analyzing WLAN traces.
Edit->configuration profiles->new->enter profile name (e.g. WLAN)
Any capture or displayed filters, column changes will be saved under this profile when it is in use

40. Statistical Analysis Summary
Provides summary of sniffer trace:
Date, length
Capture format
Packet and byte counts
Time elapsed
Capture filters used

41. Protocol Hierarchy Statistics
Displays a list of the types traffic and percentage.
Used to identify anomalies and suspect traffic.
Example: wpa-induction.pcap
Statistics->Protocol Hierarchy

42. Identifying top talkers
Conversations statistics will list pairs of devices that are communication with each other
Open trace wlan-ap-problem.pcap
Statistics->conversations
Select WLAN tab
End points is similar, but only shows a single end point or node.

43. Basic Display Filters Display.field.name operator value Operators
eq, == Equal
ne, != Not Equal
gt, > Greater than
lt, < Less than
ge >= Greater than or Equal to
le, <= Less than or Equal to
contains, Contains specified data
AND, &&
OR, ||
Negate, NOT or !

44. Coloring Rules for traffic
Color rules are used to help make reading the traces easier and identify problems.
Example
Open airodrop-ng2 trace and add the coloring rules:
View->coloring rules->new->name and filter expression->choose colors:
Deauthentication frames
Wlan.fc.type_subtype eq 12
Packet retries
Wlan.fc.retry eq 1
Affects load time for traces

45. IO Graphs Allows Wireshark to graphical depict traffic flow trends.
Used to identify network performance issues
TCP round trip time (data – ACK)
Open the wlan-signalissue trace
Statistics ->IO graph
Add filter for signal strength
Ppi common.dbm.antsignal

46. Decrypting Frames Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK
If using driver, then only WEP can be decrypted
Trace must include the 4-way handshake frames to derive PTK to decrypt
Open trace wpa-induction
Verify 4-way handshake was captured in the trace
Apply protocol filter “EAPOL” and select Apply

47. Decrypting Frames continued
Clear the EAPOL filter
Edit->preferences->protocols->IEEE
Enter PSK and SSID in format wpa-pwd:PSK:SSID
Wpa-pwd:Induction:Coherer
Check “enable decryption”
May have to toggle the “ignore vendor specfic HT elements” and “assume packets have FCS”
Select “Apply” and “OK”
Open the Protocol Hierarchy Statistics, and note the additional protocols that are listed.

48. DWEP client unable to connect to the AP
Open the tulcsp1 trace file
Examine the beacon frame #2
What channel is the AP on?
What is the data rate for the beacon?
What type of security is in use?
Set filter to not show beacons
!wlan.fc.type_subtype eq 8
Examine the association/authentication process, why does the client not associate?
Hint: Look at frames 12 and 15

49. Example: Slow Response problem w/wireless terminals

50. PS-Poll and round trip response

51. WLAN Stats DoS attack with airdrop-ng
Airdrop-ng is configured to deauth ANY clients associated to AP 00:1F:33:E6:5E:09
Open Airdrop-ng2 trace
Show statistics for WLAN
Statistics->WLAN
View deauth stats

52. Follow TCP Stream example
Open the trace named ftp.pcap
Examine packet 10, what is the password?
Select a TCP or FTP packet and right click.
Select the Follow TCP Stream option

53. Recommended reading www.wireshark.org Wiki.wireshark.org
Laura Chappell’s Wireshark Network Analysis
Joshua Wright
Ed Skoudis’ “skillz”

54. Thanks!

55. Wi-Fi Protected Access Overview
Designed as an interim solution to run on existing hardware until a more robust security standard could be developed
Temporal Key Integrity Protocol (TKIP) for confidentiality and integrity of wireless traffic
Constraints
Must be adopted by software upgrade
limited processing capacity with existing AP’s
Based on RC4 encryption, like WEP

56. TKIP Security Mechanisms
Improves security over WEP within design constraints
Message Integrity Check (MIC) - defeats forgery attempts
IV sequencing - defeats replay attacks
Re-keying - defeats reuse attacks
Key mixing - protects key

57. Message Integrity Check (MIC)
Michael Protocol
Calculates crypto hash of packet contents
two 32-bit words (64bits)
Sender includes hash in encrypted message
Receiver verifies hash
If hacker attempts to modify the packet in transit, the change will crate a different calculated MIC hash then the stored hash value (attacker does not know the 64 bit MIC key and are unable to recalculate a valid hash)

58. Michael continued Michael can only provide 29 bits of security
due to design constraints (CPU limitations of access points)
Attacker can try to guess MIC
2^29 packets to guess MIC
On an b network it would take approximately 2 minutes to guess MIC
802.11i Counter Measures
If AP receives more than 2 packets with an invalid MIC within 60 seconds:
AP must deauthenticate all users
AP shutdowns for 60 seconds

59. IV Sequential Enforcement
Used to defeat replay attacks
TKIP requires sequential IV
transmitted in clear in the field formerly known as WEP IV
16 bit sequence counter (65535 numbers)
TKIP Sequence Counter (TSC) never repeats (keys are rotated and seq # resets to 0)
AP and clients track IV sequence
Too small IV’s are discarded
Too large IV’s are subjected to other validation tests (MIC, ICV)
Causes problems for QoS
E.g. voice

60. Example: replay attack

61. Re-keying protection Key Hierarchy
TKIP uses 3 levels of keys and regular key rotation
Master keys - highest level
derived from 802.1x or pre-share key for WPA-PSK
protects intermediate keys
Key Encryption Keys - intermediate
protects temporal keys
Temporal keys - lowest level
used to encrypt data
rotated with a packet count frequency

62. TKIP Keys PSK - Pre-shared key PMK - Pair wise Master Key
Passphrase (8 to 63 characters)
PMK - Pair wise Master Key
derived from PSK or EAP method
PTK - Pair wise Transient Key
Temporal key
Two MIC Keys (RX and TX)
EAPOL Key Encryption Key
EAPOL Key Confirmation Key

63. WPA-PSK PMK derivation
Pair wise Master Key
Derived using passphrase, ssid and ssid length
The same for all systems on the same WPA-PSK network
PMK for WPA-PSK is 256 bits
Is used to generate the Pair wise Transient Key (PTK) or intermediate key
PMK = PBKDF2 (passphrase, ssid, ssidlen, 4096, 256)
Hashed 4096 times using hmac-sh1
Pseudo-random # that cannot be reversed
Used to defeat dictionary attacks
Since the PSK could be a weak key, it is not used to derive the intermediate key
8192 hashing values, it is done twice

64. WPA PTK derivation
Combines MAC of STA and AP with STA nonce and AP nonce
nonce -
128-bit unique value that is not duplicated for the lifetime of the transaction.
Not a secret, sent in plain-text
PTK is never sent over the network; both the supplicant and the authenticator calculate PTK with knowledge of input data
PTK keys are unique for each pair of stations on the network
Generates a 512-bit output PRF hash using SHA1
PTK = PRF-512(PMK, “Pair wise Key Expansion”, AA, SPA, ANOUNCE, SNOUNCE)

65. PTK Mapping PTK is 512 bits or 64 bytes in length
HMAC MIC Key - 1st 16 bytes
validates the contents of the EAPOL-Key frames
EAPOL-KEY KEK - 2nd 16 bytes
protects the confidentiality of new key updated in future EAPOL-Key messages
Temporal Encryption key - next 16 bytes
protects the data
TX MIC Key
used by transmitting station to calculate hash of the data packet using Michael
RX MIC Key
used by the receiving station to verify the stored hash that is transmitted in the data packets.
EAPOL-Key KEK is used 4 times before it is changed (2x for MC, and 2x for unicast)

66. WPA 4-way Handshake

67. Problems with WPA-PSK
Passphrase is susceptible to off-line dictionary attacks
Examples:
coWPAtty
aircrack-ng
Recommendations for implementing WPA-PSK
Use non-common ESSIDs
Used random characters (63 characters in length for passphrase)
Avoid dictionary words or variations of dictionary words (e.g. pa55word or PaSsWoRd)

68. WPA2
Supports both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
CCMP
Uses same PMK and PTK key hierarchy as TKIP
Uses the same 4-way handshake PTK derivation as TKIP
Based on AES (Advanced Encryption Standard) cipher, not RC4
AES provides for strong encryption
Can not be used with legacy hardware

69. WPA2 advantages over WPA
WPA2 supports all features of WPA
Uses AES-CCMP for encryption
Provides for faster roaming between access points
Reduces overhead in 4-way handshake
802.1x pre-authentication
Opportunistic key caching support
Faster Roaming
Reduction in overhead because TKIP performs handshake twice (once for unicast and once for broadcast)
If a station is authenticated, then it can exchange 802.1x credentials and derive a new PMK. This allows the station to roam more quickly, by eliminating the need to exchange EAP credentials over the air when roaming (as opposed to when the station first connects to the AP)

70. WLAN Authentication methods

71. 802.1x IEEE standard for authentication framework for 802 LANs
Originally designed for wired networks
Advantages
Mutual authentication
Authentication of both the client and the authenticator/authentication server
Protects client from rogue access points
Protects network from unauthorized access
Port based access control
Restricts the access of a device to only authentication traffic (802.1x/EAP/RADIUS protocols) via a controlled port
Once authenticated, the controlled port is switched to an authorized state allowing the device to communicate on the network

72. 802.1x Port Access Control

73. EAP Extensible Authentication Protocol (EAP)
Authentication framework used in wireless networks and Point-to-Point connections
Provides some common functions and a negotiation of the desired authentication algorithm.
Factors to consider when choosing an EAP authentication algorithm.
Mutual authentication
Both client and server authenticate each other
Certificate requirements
Options include : none, server only, both client and server
Dynamic Key Generation
Static key versus rotating key
Cost & Management support
Industry Support

74. Common EAP algorithms EAP-MD5
1st authentication type created
Not used in WLANs
Does not support dynamic keying
MD5 hash is susceptible to dictionary attacks.
LEAP (Lightweight Extensible Authentication Protocol)
CISCO proprietary EAP method
Provides per user, per session encryption keys
Only supports password authentication. Vulnerable to attacks from ASLEAP.
EAP-TLS (EAP-Transport Layer Security)
Developed by Microsoft
Requires both client and server certificates
Supports mutual authentication

75. 802.1x with PEAP example

76. EAP Type Comparisons No Yes Yes Yes Yes No No Client/Server
EAP-MD5
LEAP
EAP-TLS
EAP-TTLS
PEAP
Mutual Authentication No
Yes
Yes
Yes
Yes
Certificates Required No No
Client/Server
Server Only
Server Only
Dynamic Key Generation No
Yes
Yes
Yes
Yes
Costs and Management Overhead
Low
Low
High
Low/Medium
Low/Medium
Industry Support
Low
High
Medium
High
High

77. Security Standards Comparison
Authentication Method
Encryption Standard
Cipher
Legacy a,b,g
Open system or Shared Key
WEP
RC4
WPA Personal
WPA Passphrase (PSK)
TKIP
WPA Enterprise
802.1x
EAP, PEAP, EAP-TLS
WPA2 Personal
CCMP
AES
WPA2 Enterprise
EAP, PEAP, EPA-TLS