Showing posts with label Wi-Fi. Show all posts

Friday, 7 August 2015

Wireshark Wi-Fi traffic sniffing support across Operating Systems

Windows

Promiscuous mode

  • WinPcap supports promiscuous mode but drivers for Wi-Fi NICs usually don't =>  Wireshark using WinPcap can't capture packets from Wi-Fi NIC in promiscuous mode on Windows

Monitor mode

  • WinPcap does not support monitor mode => Wireshark using WinPcap can't capture packets from Wi-Fi NIC in monitor mode on Windows
  • Acrylic NDIS driver supports monitor mode => Wireshark + AirPcap/Wi-Fi USB card + Acrylic NDIS driver is able to capture packets in monitor mode

Linux

Promiscuous mode

  • libpcap supports promiscuous mode => Wireshark can capture packets from Wi-Fi NIC in promiscuous mode on Unix

Monitor mode

  • libpcap supports monitor mode (on some flavors of Unix) => Wireshark can capture packets from Wi-Fi NIC in monitor mode on Unix

Further reading:
How to capture WiFi traffic using Wireshark on Windows
http://sourceforge.net/projects/libpcap/
http://www.tcpdump.org/

Thursday, 6 August 2015

Promiscuous vs monitor mode of a wireless network interface


Wireless adapter in promiscuous mode:
  • connected to the Access Point (AP)
  • SSID filtering is switched on => it can receive packets only from AP it is associated with (it receives radio packets from all APs but forwards to the upper layers only those from that particular AP)
  • MAC filtering is switched off => it can receive packets destined for any MAC address
  • it can't decrypt packets to/from other nodes in secured (WEP, WPA...) networks 
  • it translates Wi-Fi data frames into wired Ethernet-style frames (IEEE 802.3) so they look like Ethernet frames captured on the LAN interface working in promiscuous mode

Wireless adapter in monitor mode:
  • usually NOT connected to the Access Point (depends on the adapter and its driver) => it does not transmit any packets
  • SSID filtering is switched off => it can receive packets from any AP within its range
  • MAC filtering is switched off => it can receive packets destined for any MAC address
  • it does not decrypt anything itself: it hands the raw 802.11 frames, including the encrypted ones to/from other nodes, up to the sniffer, and Wireshark can decrypt them afterwards if it has the key (the WEP key, or for WPA/WPA2-PSK the passphrase or PSK plus the captured 4-way handshake of each client whose traffic you want to read)

It is worth adding the following:
  • monitor mode does not make sense (and so does not exist) for LAN cards 
  • all LAN cards support promiscuous mode
  • not all Wi-Fi cards support promiscuous and monitor mode
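The "translates Wi-Fi data frames into Ethernet-style frames" point above is what a managed-mode adapter does before the OS (and Wireshark in promiscuous mode) ever sees the packet; in monitor mode you get the 802.11 frame as it went over the air and have to do that translation yourself. The Python below is an added example, not code from the original post: it maps the three 802.11 addresses (four for WDS) onto an 802.3 DA/SA pair according to the To-DS/From-DS bits, strips the LLC/SNAP encapsulation, and refuses frames whose Protected bit is set, which is exactly the case where the adapter (and a sniffer without the key) is stuck. The sample frames are constructed here; the BSSID and station MAC are the ones visible in the post's iwconfig/ifconfig output, the "remote" MAC and IPv4 payload are made up.

```python
import struct

# Constructed 802.11 data frames for the demo. MACs: BSSID and station are
# taken from the post's iwconfig/ifconfig output, the gateway MAC is invented.
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC DSAP/SSAP/CTRL + SNAP OUI 00:00:00; EtherType follows


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def wifi_to_ethernet(frame, has_fcs=False):
    """Return the IEEE 802.3 frame a managed-mode adapter would hand to the OS
    for an unprotected 802.11 data frame; None for (QoS) Null data frames;
    ValueError for management/control frames and for encrypted bodies."""
    if has_fcs:
        frame = frame[:-4]                      # monitor captures often keep the 4-byte FCS
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame (type %d)" % ftype)
    if fc1 & 0x40:
        raise ValueError("protected frame: body is WEP/TKIP/CCMP ciphertext, translation needs the key")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    off, addr4 = 24, None                       # FC 2 + duration 2 + 3 addresses + seq ctl 2
    if to_ds and from_ds:
        addr4, off = frame[24:30], 30           # 4-address (WDS) frame
    if subtype & 0x08:                          # QoS data: 2-byte QoS control field
        off += 2
    if subtype & 0x04:                          # (QoS) Null: no body to translate
        return None
    if not to_ds and not from_ds:               # IBSS / ad hoc
        da, sa = addr1, addr2
    elif from_ds and not to_ds:                 # AP -> station
        da, sa = addr1, addr3
    elif to_ds and not from_ds:                 # station -> AP
        da, sa = addr3, addr2
    else:                                       # WDS
        da, sa = addr3, addr4
    body = frame[off:]
    if body[:6] != LLC_SNAP:
        raise ValueError("no LLC/SNAP encapsulation")
    return da + sa + body[6:]                   # DA, SA, EtherType, payload


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, ethertype, payload,
                     addr4=None, qos=False, protected=False):
    """Constructed 802.11 data frame without FCS (demo helper, not a real capture)."""
    fc0 = 0x08 | (0x80 if qos else 0x00)        # type = data, subtype = QoS data when qos
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    if to_ds and from_ds:
        hdr += addr4
    if qos:
        hdr += b"\x00\x00"
    return hdr + LLC_SNAP + struct.pack("!H", ethertype) + payload


AP_BSSID = mac("10:ad:af:cd:a7:a4")             # BSSID from the post's iwconfig output
STA = mac("ac:ba:ad:aa:aa:aa")                  # wlan0 HWaddr from the post's ifconfig output
REMOTE = mac("02:00:00:00:00:01")               # constructed gateway MAC
PAYLOAD = b"\x45" + b"\x00" * 19                # constructed stub of an IPv4 header
ETH_IPV4 = b"\x08\x00"

FRAME_FROM_AP = build_data_frame(False, True, STA, AP_BSSID, REMOTE, 0x0800, PAYLOAD, qos=True)
FRAME_TO_AP = build_data_frame(True, False, AP_BSSID, STA, REMOTE, 0x0800, PAYLOAD)
FRAME_ENCRYPTED = build_data_frame(False, True, STA, AP_BSSID, REMOTE, 0x0800, PAYLOAD, protected=True)

if __name__ == "__main__":
    print("AP->STA as 802.3:", wifi_to_ethernet(FRAME_FROM_AP).hex())
    print("STA->AP as 802.3:", wifi_to_ethernet(FRAME_TO_AP).hex())
    try:
        wifi_to_ethernet(FRAME_ENCRYPTED)
    except ValueError as e:
        print("encrypted frame:", e)
```

The two plaintext frames come out as DA/SA/0x0800/payload with the roles swapped, which is all a managed adapter ever shows you; the BSSID is gone. The protected frame is rejected because its body is ciphertext, which is the gap the WPA-PSK decryption setup in the next post fills.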

Further reading:
Promiscuous mode (Wikipedia)
Monitor mode (Wikipedia)
Wireshark - WLAN (IEEE 802.11) capture setup

Wednesday, 5 August 2015

How to sniff HTTP traffic on the local Wi-Fi network in 10 steps

We need:

(1) Attacker: Linux machine with two Wi-Fi cards; I am using Kali with an internal Atheros and an external Alfa (AWUS036NH) Wi-Fi card.
(2) Victim: a mobile device; I am using a smartphone.
(3) A Wi-Fi router with a configured Wi-Fi network.

Steps:

(1) Verify that both Wi-Fi network cards are connected to the same Wi-Fi network:

root@kali:/# iwconfig
wlan1 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=1 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-37 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:4 Missed beacon:0

eth0 no wireless extensions.

lo no wireless extensions.

wlan0 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=65 Mb/s Tx-Power=16 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=64/70 Signal level=-46 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:2 Invalid misc:332 Missed beacon:0


Atheros is wlan0 and Alfa is wlan1:

root@kali:/# ifconfig
eth0 Link encap:Ethernet
...

lo Link encap:Local Loopback
...

wlan0 Link encap:Ethernet HWaddr ac:ba:ad:aa:aa:aa
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::9eb7:dff:fe04:d2f5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:993402 errors:0 dropped:16671 overruns:0 frame:0
TX packets:1037777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1231583696 (1.1 GiB) TX bytes:293024209 (279.4 MiB)

wlan1 Link encap:Ethernet HWaddr 00:c0:ca:bb:bb:bb
inet addr:192.168.0.9 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:caff:fe59:23d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1164 (1.1 KiB) TX bytes:1882 (1.8 KiB)

(2) Put one of the Wi-Fi interfaces into monitor mode:

root@kali:/# airmon-ng start wlan1

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2539 NetworkManager
2644 wpa_supplicant
3037 dhclient
19213 dhclient
20374 dhclient
Process with PID 20374 (dhclient) is running on interface wlan1
Process with PID 19213 (dhclient) is running on interface wlan0


Interface Chipset Driver

wlan1 Ralink RT2870/3070 rt2800usb - [phy4]
(monitor mode enabled on mon0)
wlan0 Atheros AR9485 ath9k - [phy0]



(3) Go to Wireshark's WPA PSK (Raw Key) Generator page: https://www.wireshark.org/tools/wpa-psk.html
Type in your Wi-Fi network's name and password and click on Generate PSK button.

(4) Start Wireshark. If it is not installed, install it with apt-get install wireshark command.

(5) In Wireshark: go to Capture --> Options and check "Use promiscuous mode on all interfaces"

(6) In Wireshark: go to Edit --> Preferences --> Protocols --> IEEE802.11, check "Enable decryption" option and add generated PSK key as new wpa-psk key in Decryption Keys.

(7) In Wireshark's main dashboard select monitor interface created by airmon-ng; that is mon0 in my case.
Press "Start" button in order to start live capture.

(8) Connect the mobile device to the Wi-Fi network. Wireshark has to capture the 4-way (EAPOL) handshake exchanged between the victim and the router when the victim joins the network: WPA/WPA2 derive a per-client session key from the PSK, the two MAC addresses and the nonces carried in that handshake, so the PSK alone cannot decrypt the victim's traffic without it. If the device was already connected, disconnect and reconnect it while the capture is running. The monitor interface must also be on the router's channel; here mon0 shares its radio with wlan1, which is still associated with the router, so it already sits on the right channel (airmon-ng start wlan1 <channel> pins it explicitly).

(9) In the browser of the victim's device type in any http address and allow it to load. I typed http://m.bbc.co.uk/weather/2643743 in order to get the weather forecast for London from the BBC Weather mobile website.

(10) Stop Wireshark and look for the HTTP traffic of the victim, i.e. traffic whose local endpoint is an IP address other than those of the attacker's Wi-Fi interfaces (192.168.0.3 and 192.168.0.9 here). In my case that was 192.168.0.5. I could see DNS requests to all services my smartphone uses (Google, Facebook, WhatsApp...), the DNS query for m.bbc.co.uk, and the HTTP GET request that was sent!
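Steps (3), (6) and (8) only work together because of how WPA/WPA2-PSK keys are derived, and the same derivation is what lets monitor mode plus a key beat the "can't decrypt other nodes" limit of the earlier post. The Python below is an added example, not code from the post or from Wireshark: wpa_pmk is the computation the Wireshark PSK generator page performs (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 rounds), wpa_ptk is the per-client key expansion that needs both MAC addresses and both nonces from the 4-way handshake, and verify_msg2 is the MIC check a sniffer uses to confirm the PMK is right for a captured handshake. The SSID/passphrase pair "IEEE"/"password" is the IEEE 802.11i test vector; the station MAC, the nonces and the EAPOL-Key message 2 are constructed (the real message 2 also carries the client's RSN IE, omitted here), and only the BSSID is taken from the post's iwconfig output. Standard library only.

```python
import hashlib
import hmac


def wpa_pmk(ssid, passphrase):
    """PMK, the 'PSK' that the Wireshark generator page prints: PBKDF2-HMAC-SHA1,
    4096 rounds, 256 bits, salted with the SSID. Same SSID+passphrase -> same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(4):                          # 4 * 160 bits >= 512 bits
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK for WPA/WPA2 with HMAC-SHA1 key derivation. Needs both MACs and both
    nonces, which exist only in the 4-way handshake of that one association."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}   # TK decrypts the data frames


# EAPOL hdr 4 + desc type 1 + key info 2 + key len 2 + replay ctr 8 + nonce 32 + IV 16 + RSC 8 + ID 8
EAPOL_MIC_OFFSET = 81


def eapol_key_mic(kck, eapol_frame):
    """WPA2/RSN MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed,
    truncated to 128 bits (WPA1/TKIP uses HMAC-MD5 instead)."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, kck=None):
    """Constructed EAPOL-Key message 2 (station -> AP) carrying SNonce; the key
    data field (RSN IE in a real client) is left empty."""
    body = (b"\x02"                             # descriptor type: RSN
            + b"\x01\x0a"                       # key info: version 2 (HMAC-SHA1/AES), pairwise, MIC
            + b"\x00\x10"                       # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"             # replay counter = 1
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * 16                      # MIC placeholder
            + b"\x00\x00")                      # key data length 0
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key
    if kck is not None:
        frame = frame[:EAPOL_MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]
    return frame


def verify_msg2(pmk, ap_mac, sta_mac, anonce, msg2):
    """The sniffer's side after capturing msg1 (ANonce) and msg2 (SNonce):
    re-derive the PTK and check msg2's MIC. True means the PMK is right and
    ptk['tk'] will decrypt this station's data frames."""
    snonce = msg2[17:49]
    kck = wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_key_mic(kck, msg2), msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16])


SSID, PASSPHRASE = "IEEE", "password"          # IEEE 802.11i test vector, not the post's network
AP_MAC = bytes.fromhex("10adafcda7a4")         # BSSID from the post's iwconfig output
STA_MAC = bytes.fromhex("020000000005")        # constructed victim MAC
ANONCE = bytes(range(32))                      # constructed nonces; real ones are random
SNONCE = bytes(range(32, 64))


def handshake_demo():
    """Returns (PMK hex, MIC ok with right passphrase, MIC ok with wrong passphrase)."""
    pmk = wpa_pmk(SSID, PASSPHRASE)
    ptk = wpa_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)      # station computes its PTK
    msg2 = build_msg2(SNONCE, ptk["kck"])                   # and sends MIC'd message 2
    ok = verify_msg2(pmk, AP_MAC, STA_MAC, ANONCE, msg2)    # sniffer with the right PSK
    wrong = verify_msg2(wpa_pmk(SSID, "Password"), AP_MAC, STA_MAC, ANONCE, msg2)
    return pmk.hex(), ok, wrong


if __name__ == "__main__":
    pmk_hex, ok, wrong = handshake_demo()
    print("PMK (what the generator page gives you):", pmk_hex)
    print("MIC verifies with right passphrase:", ok, "/ with wrong passphrase:", wrong)
```

Two practical consequences follow from the code: the PMK depends on the SSID, so a PSK generated for one network name is useless on another even with the same passphrase, and every client has its own PTK, so Wireshark needs the handshake of each victim separately; a client that associated before the capture started shows up as undecryptable traffic until it reconnects.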