Wireshark Primer with an emphasis on WLAN’s Gary Hampton

Wireshark Primer with an emphasis on WLAN’s Gary Hampton Kentuckiana ISSA Workshop 3/12/2011

Outline Objective Types of Sniffers Wireshark background 802.11 Physical Layer 802.11 MAC Layer 802.11 Security Capturing basics Wireless traces How to’s: tcp stream, statistics, filters, profiles

Objective Improve your knowledge of Wireshark and how sniff traffic Be able to create filters and navigate Wireshark Improve your knowledge of the 802.11 protocol and wireless networking

Types of sniffers Specialty sniffers Device specific Cain and Able Dsniff Tcpdump/windump Intrusion detection systems Modern access points Microsoft’s Netmon Commercial grade Wild Packet’s Omnipeek NetScout Wireshark CACE Pilot (Wireshark interface); Riverbed Technology

Why Wireshark? Why use Wireshark? Excellent price 0 Full blown sniffer Supports multiple file formats: MS Netmon, Wild Packets, Sun Snoop, Kismet Sharing traces with other work groups When to use a commercial sniffer? When sniffing large amounts of data (e.g. 1GB) When presenting graphs and documents to upper level management

Wireshark Created by Gerald Combs 1998 Ethereal 2006 Cace Technologies “Wireshark” Purchased by Riverbed Technology 2010 Maintained by a group of developers today Released under GNU General Public License (GNU GPL) Free downloads available for Windows, Mac OS X, Linux, FreeBSD and U3 devices www.wireshark.org/download.html Graphical and command versions Mailing list for new releases www.wireshark.org/lists

Wireshark Requirements Any modern 32-bit/64-bit x86 or AMD processor Minimum 128MB available RAM (more is better ) 75MB available disk space Network cards Any Ethernet card supported by Windows Wireless Windows – AirPcap adaptors only Linux – not all, but most Linux drivers will support monitor mode http://wireless.kernel.org/en/users/drivers

Uses for Wireshark Troubleshoot performance issues Identify device configuration issues Identify malicious traffic Perform intrusion detection Evaluate response times Baseline bandwidth usage Identify application protocols and ports Assess wireless networks

What does it take to be good at analyzing traces? Be familiar with the sniffer’s features Be familiar with networking protocols Your effectiveness is directly proportional Research RFC’s, Google, etc. Know your network and the applications that utilize it Baseline

802.11 Physical Layer

802.11b/g/n 2.4GHz band Microwave ovens Bluetooth Wireless cameras Cordless phones Other 802.11 devices Ham radio operators Chan 10 Chan 4 Chan 9 Chan 3 Chan 8 Chan 2 Chan 7 Chan 1 Chan 6 Chan 11 2462 MHz Chan 5 2437 MHz 3 non-overlapping channels in the 2.4GHz band CSMA/CA Unlicensed spectrum 2412 MHz

802.11a/n 5 GHz band Unlicensed National Information Infrastructure (U-NII) band U-NII lower band In 2004, the FCC allocated the 5.32 – 5.745 GHz band, providing 12 additional channels 12 non-overlapping channels in the 5 GHz band Frequency Devices must support IEEE 802.11h Dynamic Frequency Selection 2 and Transmit Power Control U-NII middle band Radar usage Terminal Doppler Weather Radar (TDWR) operate between5.6 – 5.65 GHz FCC recommends not using those channels when within 35km of a TDWR U-NII upper band Channel Frequency 40 5.200 GHz 36 5.180 GHz 44 5.220 GHz 48 5.240 GHz 52 5.260 GHz 56 5.280 GHz 60 5.300 GHz 64 5.320 GHz 149 5.745 GHz 153 5.765 GHz 157 5.785 GHz 161 5.805 GHz

Spectrum Analyzers Kismet (not a SA, but can identify AP’s) WIDS/WIPS/modern AP’s Metageek Berkley Varitronics Systems Spectrum XT Cisco Bumblebee Air Magnet Wi-Spy - Chanalzer Spectrum Expert Anritsu/Tektronix/HP/Bird Technologies

Anritsu Spectrum Analyzer

Anritsu Spectrum Analyzer Spectrum Analyzer Salt Dome South Direction Ref Level : -30 -29.0 -40 dBm dB / Div : -50 10.0 -60 dB M1: -66.85 dBm @ 2464.662 MHz M2: -74.43 dBm @ 2482.832 MHz dBm -70 -80 -90 -100 -110 -120 M1 2350 CF: 2475.0 MHz RBW: 1 MHz Chan Pwr: 0dBm Date: 03/22/2004 Model: MS2711B 2375 2400 2425 M2 2450 2475 2500 Frequency (2350.0 - 2600.0 MHz) SPAN: 250.0 MHz VBW: 300 kHz Chan Pwr Density: 0dBm/Hz Time: 15:34:39 Serial #: 00245010 2525 2550 2575 2600 Attenuation: 0 dB Detection: Pos. Peak INT BW:2999.9 MHz

802.11 MAC Layer

Frame Comparison 802.3 Frame Preamble Dest. Addr Source Addr Type Field Payload CRC 8 Bytes 6 Bytes 2 Bytes 46-1500 Bytes 2-4 Bytes 6 Bytes 802.11 Frame

802.11 Frame Control Fields Version – specifies the protocol number. Type – Specifies frame type (Mgmt, Control or Data) Subtype – e.g. association, CTS

802.11 Frame Control Fields continued To DS/From DS To DS set - to the wired network From DS set - from the wired network Both bits set - wireless bridge (WDS network) Both bits cleared - ad-hoc network

802.11 Frame Control Fields continued MF – More fragments Retry Pwr – Power mgmt More – More data W – WEP

802.11 Power Management CAM (Continuous awareness mode): Radio never shuts down. Provides best network performance, uses the most battery power PSP 1: Excellent network performance, uses less battery power PSP 2: Great network performance, uses less battery power PSP 3: Good network performance, uses less battery power PSP 4: Adequate network performance, uses less battery power PSP 5: Acceptable network performance, uses the least battery power

802.11 Frame To DS/From DS bits To DS/From DS To DS set - to the wired network From DS set - from the wired network Both bits set - wireless bridge (WDS network) Both bits cleared - ad-hoc network

Address order infrastructure Mode To DS From DS Address 1 Address 2 Address 3 Address 4 Adhoc 0 0 Rx Addr/Dest Addr Tx Addr/Src Addr BSSID N/A Infrastructure 0 1 Rx Addr/Dest Addr Tx Addr/BSSID Src Addr N/A Infrastructure 1 0 BSSID Tx Addr/Src Addr Dest Addr N/A WDS 1 1 Rx Addr Tx Addr Dest Addr Src Addr

802.11 MAC Frames Management Used for connecting and disconnecting from the WLAN. Includes beacons, probes, authentication and association request/responses. Control Used to acknowledge receipt of data (Data-ACK, RTS-CTS-Data-ACK, CTS-Data-ACK). Data The only frames that include an encrypted payload in a WLAN. Encapsulates user data over the WLAN (e.g. IP and ARP traffic).

Client Association Client Access Point Probe Request Probe Response Authentication Request Authentication Challenge Authentication Response Authentication Success? Association Request Association Response

802.11 Security

Encryption and Authentication Options WPA-PSK and WPA2-PSK Used a hierarchy of keys (see the in depth security slides at the end of this presentation for more information) WPA-PSK and WPA2-PSK both use the 4-way handshake to generate the Pair wise Transient Key. Pair wise Master Keys are the same for all systems on the same WPA-PSK or WPA2-PSK network If you capture the 4-way handshake (EAPOL protocol) and know the PSK and SSID, Wireshark can decrypt WPA and WPA2 PSK packets WPA and WPA2 Enterprise Uses 802.1x with EAP (Extensible Authentication Protocol) to authenticate client (supplicant) and access point (authenticator) instead of PSK Uses per user, per session keys; therefore Wireshark and sniffers in general, cannot decrypt packets See security slides at the end of the presentation for more information

Sample WPA 4-way Handshake Supplicant (Client) Authenticator (Access Point) Sends Anounce to start PTK EAPOL (EAP over LAN) Sends Snounce and MIC for frame 2 Sends MIC for frame 3 Sends MIC for frame 4 Confirms the client has the right PTK, PMK and PSK. (Authenticates the client) Authenticates the access point Ready to TX/RX data

Capture basics

Wireshark capture flow Libpcap – link layer interface for capturing on Linux or Unix (tcpdump) WinPcap – Windows port of libpcap AirPcap – link layer interface and network adaptor to capture 802.11 traffic on Windows Graphical Toolkit (GTK) Dissectors-Plugins-Display Filters Core Engine Wireshark capture engine Capture filters WinPcap, AirPcap or libpcap Network Interface Ethernet or Wireless Wiretap Library

Capturing wireless traffic Determine location for sniffer(s) Select the appropriate interface and data capturing options Performance issues Disable, update list of packets in real time Disable network name resolution Reduce # of columns Disclaimer Only capture traffic on networks that you have permission to do so.

Where do I place the sniffer? AP Server A Server B

Sniffing wired traffic Hub Switched networks Hub Port Mirroring/Port Spanning Taps

Sniffing Wireless traffic Promiscuous mode Monitor mode 802.11 adaptor only captures packets of the SSID the adaptor has joined. The driver does not make the adaptor a member of any SSID on the network. All packets of all SSID’s from the currently selected channel are captured. Windows – must use AirPcap from CACE Technologies Linux – most Linux drivers support monitor mode

Wireshark Startup Capture area Files area Online Help

Wireshark Layout Filter toolbar Wireless Toolbar Packet List Packet Details Packet Bytes Status bar

Capture Interfaces

Capture Filters Limit the packets saved while capturing traffic Helpful when capturing traffic on a busy network or focusing on a specific problem Problems: You cannot get the discarded packets back No error checking on syntax like display filters Filter options: Type, Direction, and Protocol Tcp – filters on TCP traffic Ether src 00:A0:F8:12:34:56 – traffic from Ethernet address host www.cnn.com – capture traffic to/from cnn.com

Setting up profiles Wireshark allows you to configure profiles for displaying different uses. E.g. analyzing WLAN traces. Edit- configuration profiles- new enter profile name (e.g. WLAN) Any capture or displayed filters, column changes will be saved under this profile when it is in use

Statistical Analysis Summary Provides summary of sniffer trace: Date, length Capture format Packet and byte counts Time elapsed Capture filters used

Protocol Hierarchy Statistics Displays a list of the types traffic and percentage. Used to identify anomalies and suspect traffic. Example: wpa-induction.pcap Statistics- Protocol Hierarchy

Identifying top talkers Conversations statistics will list pairs of devices that are communication with each other Open trace wlan-ap-problem.pcap Statistics- conversations Select WLAN tab End points is similar, but only shows a single end point or node.

Basic Display Filters Display.field.name operator value Operators eq, Equal ne, ! Not Equal gt, Greater than lt, Less than ge Greater than or Equal to le, Less than or Equal to contains, Contains specified data AND, && OR, Negate, NOT or !

Coloring Rules for traffic Color rules are used to help make reading the traces easier and identify problems. Example Open airodrop-ng2 trace and add the coloring rules: View- coloring rules- new- name and filter expression choose colors: Deauthentication frames Packet retries Wlan.fc.type subtype eq 12 Wlan.fc.retry eq 1 Affects load time for traces

IO Graphs Allows Wireshark to graphical depict traffic flow trends. Used to identify network performance issues TCP round trip time (data – ACK) Open the wlan-signalissue trace Statistics - IO graph Add filter for signal strength Ppi.80211common.dbm.antsignal

Decrypting Frames Wireshark can decrypt WEP, WPA-PSK and WPA2-PSK If using driver, then only WEP can be decrypted Trace must include the 4-way handshake frames to derive PTK to decrypt Open trace wpa-induction Verify 4-way handshake was captured in the trace Apply protocol filter “EAPOL” and select Apply

Decrypting Frames continued Clear the EAPOL filter Edit- preferences- protocols- IEEE 802.11 Enter PSK and SSID in format wpapwd:PSK:SSID Wpa-pwd:Induction:Coherer Check “enable decryption” May have to toggle the “ignore vendor specfic HT elements” and “assume packets have FCS” Select “Apply” and “OK” Open the Protocol Hierarchy Statistics, and note the additional protocols that are listed.

DWEP client unable to connect to the AP Open the tulcsp1 trace file Examine the beacon frame #2 What channel is the AP on? What is the data rate for the beacon? What type of security is in use? Set filter to not show beacons !wlan.fc.type subtype eq 8 Examine the association/authentication process, why does the client not associate? Hint: Look at frames 12 and 15

Example: Slow Response problem w/wireless terminals AP Server A Server B

PS-Poll and round trip response Beacon Time (ms) Access point 0 -100 100 500 600 700 800 Server A/ Server B reply 900 Server A/ Server B reply 1000 Server A/ Server B reply Pkg scan Scanner (BT) scan data RF terminal (802.11b) 1 2 PS poll PSP mode 3 4 5 PS poll PSP mode 6 7 8

WLAN Stats DoS attack with airdrop-ng Airdrop-ng is configured to deauth ANY clients associated to AP 00:1F:33:E6:5E:09 Open Airdrop-ng2 trace Show statistics for WLAN Statistics- WLAN View deauth stats

Follow TCP Stream example Open the trace named ftp.pcap Examine packet 10, what is the password? Select a TCP or FTP packet and right click. Select the Follow TCP Stream option

Recommended reading www.wireshark.org Wiki.wireshark.org Laura Chappell’s Wireshark Network Analysis www.chappellu.com Joshua Wright www.willhackforsushi.com Ed Skoudis’ www.ethicalhacker.net “skillz”

Thanks!

Wi-Fi Protected Access Overview Wi-Fi Protected Access Constraints Designed as an interim solution to run on existing hardware until a more robust security standard could be developed Temporal Key Integrity Protocol (TKIP) for confidentiality and integrity of wireless traffic Must be adopted by software upgrade limited processing capacity with existing AP’s Based on RC4 encryption, like WEP

TKIP Security Mechanisms Improves security over WEP within design constraints Message Integrity Check (MIC) - defeats forgery attempts IV sequencing - defeats replay attacks Re-keying - defeats reuse attacks Key mixing - protects key

Message Integrity Check (MIC) Michael Protocol Calculates crypto hash of packet contents two 32-bit words (64bits) Sender includes hash in encrypted message Receiver verifies hash

Michael continued Michael can only provide 29 bits of security Attacker can try to guess MIC due to design constraints (CPU limitations of access points) 2 29 packets to guess MIC On an 802.11b network it would take approximately 2 minutes to guess MIC 802.11i Counter Measures If AP receives more than 2 packets with an invalid MIC within 60 seconds: AP must deauthenticate all users AP shutdowns for 60 seconds

IV Sequential Enforcement Used to defeat replay attacks TKIP requires sequential IV AP and clients track IV sequence transmitted in clear in the field formerly known as WEP IV 16 bit sequence counter (65535 numbers) TKIP Sequence Counter (TSC) never repeats (keys are rotated and seq # resets to 0) Too small IV’s are discarded Too large IV’s are subjected to other validation tests (MIC, ICV) Causes problems for QoS E.g. voice

Example: replay attack Valid packet, Valid packet, Valid packet, Valid packet WEP, no replay protection Time Valid Packet Replay Replay Replay AP Sniff WPA TKIP Seq Counter TSC 39 TSC 41 TSC 39 is OK TSC 41 TSC 39, OK TSC 41 TSC 41?, Failed TSC 41 TSC 41?, Failed Time TSC 41 TSC 41 AP Sniff

Re-keying protection Key Hierarchy TKIP uses 3 levels of keys and regular key rotation Master keys - highest level Key Encryption Keys - intermediate derived from 802.1x or pre-share key for WPA-PSK protects intermediate keys protects temporal keys Temporal keys - lowest level used to encrypt data rotated with a packet count frequency

TKIP Keys PSK - Pre-shared key PMK - Pair wise Master Key Passphrase (8 to 63 characters) derived from PSK or EAP method PTK - Pair wise Transient Key Temporal key Two MIC Keys (RX and TX) EAPOL Key Encryption Key EAPOL Key Confirmation Key

WPA-PSK PMK derivation Pair wise Master Key Derived using passphrase, ssid and ssid length The same for all systems on the same WPA-PSK network PMK for WPA-PSK is 256 bits Is used to generate the Pair wise Transient Key (PTK) or intermediate key PMK PBKDF2 (passphrase, ssid, ssidlen, 4096, 256) Hashed 4096 times using hmac-sh1 Pseudo-random # that cannot be reversed Used to defeat dictionary attacks

WPA PTK derivation Combines MAC of STA and AP with STA nonce and AP nonce nonce 128-bit unique value that is not duplicated for the lifetime of the transaction. Not a secret, sent in plain-text PTK is never sent over the network; both the supplicant and the authenticator calculate PTK with knowledge of input data PTK keys are unique for each pair of stations on the network Generates a 512-bit output PRF hash using SHA1 PTK PRF-512(PMK, “Pair wise Key Expansion”, AA, SPA, ANOUNCE, SNOUNCE)

PTK Mapping PTK is 512 bits or 64 bytes in length HMAC MIC Key - 1st 16 bytes EAPOL-KEY KEK - 2nd 16 bytes protects the data TX MIC Key protects the confidentiality of new key updated in future EAPOL-Key messages Temporal Encryption key - next 16 bytes validates the contents of the EAPOL-Key frames used by transmitting station to calculate hash of the data packet using Michael RX MIC Key used by the receiving station to verify the stored hash that is transmitted in the data packets.

WPA 4-way Handshake Supplicant (Client) Authenticator (Access Point) Sends Anounce to start PTK EAPOL (EAP over LAN) Sends Snounce and MIC for frame 2 Sends MIC for frame 3 Sends MIC for frame 4 Confirms the client has the right PTK, PMK and PSK. (Authenticates the client) Authenticates the access point Ready to TX/RX data

Problems with WPA-PSK Passphrase is susceptible to off-line dictionary attacks Examples: coWPAtty aircrack-ng Recommendations for implementing WPA-PSK Use non-common ESSIDs Used random characters (63 characters in length for passphrase) Avoid dictionary words or variations of dictionary words (e.g. pa55word or PaSsWoRd)

WPA2 Supports both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) CCMP Uses same PMK and PTK key hierarchy as TKIP Uses the same 4-way handshake PTK derivation as TKIP Based on AES (Advanced Encryption Standard) cipher, not RC4 AES provides for strong encryption Can not be used with legacy hardware

WPA2 advantages over WPA WPA2 supports all features of WPA Uses AES-CCMP for encryption Provides for faster roaming between access points Reduces overhead in 4-way handshake 802.1x pre-authentication Opportunistic key caching support

WLAN Authentication methods

802.1x IEEE standard for authentication framework for 802 LANs Originally designed for wired networks Advantages 1. Mutual authentication 2. Authentication of both the client and the authenticator/authentication server Protects client from rogue access points Protects network from unauthorized access Port based access control Restricts the access of a device to only authentication traffic (802.1x/EAP/RADIUS protocols) via a controlled port Once authenticated, the controlled port is switched to an authorized state allowing the device to communicate on the network

802.1x Port Access Control Authenticator (access point) Authentication Server Uncontrolled Port Supplicant Controlled Port LAN

EAP Extensible Authentication Protocol (EAP) Authentication framework used in wireless networks and Point-to-Point connections Provides some common functions and a negotiation of the desired authentication algorithm. Factors to consider when choosing an EAP authentication algorithm. Mutual authentication Certificate requirements Options include : none, server only, both client and server Dynamic Key Generation Both client and server authenticate each other Static key versus rotating key Cost & Management support Industry Support

Common EAP algorithms EAP-MD5 1st authentication type created Not used in WLANs LEAP (Lightweight Extensible Authentication Protocol) Does not support dynamic keying MD5 hash is susceptible to dictionary attacks. CISCO proprietary EAP method Provides per user, per session encryption keys Only supports password authentication. Vulnerable to attacks from ASLEAP. EAP-TLS (EAP-Transport Layer Security) Developed by Microsoft Requires both client and server certificates Supports mutual authentication

802.1x with PEAP example Supplicant (Client) Authenticator (Access Point) Authentication Server EAP Start EAPOL (EAP over LAN) Request Identity Network access identifier (user name or computer name) Identity AP forwards NAI to RADIUS server (encap. In RADIUS request msg) Identity Authentication Server Certificate Authentication Server Certificate Encrypted Tunnel Established Authenticator sends Supplicant the Broadcast Key encrypted with the Session Key and the Key length information Authentication Server sends Session Key to Authenticator Encrypted Data Flow EAP PEAP Radius server responds with its digital certificate. Client confirms certificate by using a preloaded root certificate

EAP Type Comparisons EAP-MD5 LEAP EAP-TLS EAP-TTLS PEAP Mutual No Yes Yes Yes Yes No No Client/ Server Server Dynamic Key Generation No Yes Yes Yes Yes Costs and Management Overhead Low Low High Low/ Low/ Industry Low High Medium High High Authentication Certificates Required Support Server Only Medium Only Mediu m

Security Standards Comparison Standards Authentication Method Encryptio n Standard Cipher 802.11 Legacy 802.11a,b,g Open system or Shared Key WEP RC4 WPA Personal WPA Passphrase (PSK) TKIP RC4 WPA Enterprise 802.1x EAP, PEAP, EAP-TLS TKIP RC4 WPA2 Personal WPA Passphrase (PSK) CCMP TKIP AES RC4 WPA2 802.1x CCMP AES