wpa_capture

wpa_capture [2008/01/25 01:17] – added link to wireshark faq entry darkaudax
wpa_capture [2009/09/19 04:09] – "is using is using" changed to "is using" mister_x
Line 1: Line 1:
 ====== Tutorial: WPA Packet Capture Explained ====== ====== Tutorial: WPA Packet Capture Explained ======
-Version: 1.03 January 24, 2007\\+Version: 1.04 January 26, 2007\\
 By: darkAudax By: darkAudax
  
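Review bot: the year in the new version line looks wrong. The right-hand revision postdates the left-hand one saved 2008/01/25 (per the revision header above), yet the bumped line reads "Version: 1.04 January 26, 2007", which would place the 1.04 edit a year before the 1.03 revision it replaces. Verify the intended date and, if it is the day after the 2008/01/25 save, change it to "January 26, 2008".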
Line 13: Line 13:
 The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].  The best document describing WPA is [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly. The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].  The best document describing WPA is [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly.
  
-To view the capture, use [[http://www.wireshark.org/|Wireshark]] to open it then "View" then "Expand All" This shows all the sections and fields expanded.  You will need to scroll through the fields for each packet to locate the ones mentioned.  See this [[http://aircrack-ng.org/doku.php?id=faq#can_i_use_wireshark_ethereal_to_capture_802.11_packets|FAQ entry]] to learn how to use Wireshark. +To view the capture, use [[http://www.wireshark.org/|Wireshark]] to open it then "View" then "Expand All" This shows all the sections and fields expanded.  You will need to scroll through the fields for each packet to locate the ones mentioned.  See this [[faq#can_i_use_wireshark_ethereal_to_capture_802.11_packets|FAQ entry]] to learn how to use Wireshark.
- +
  
 The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program.
Line 28: Line 26:
 This is the access point (AP) Beacon.  It announces the presence and capabilities of the AP. This is the access point (AP) Beacon.  It announces the presence and capabilities of the AP.
  
-If you look at the "Vendor Specific" attributes, you can see the WPA attributes.+If you look at the "Vendor Specific" attributes, you can see the WPA attributes:
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_1.png}}
  
 ==== Packet 2 ==== ==== Packet 2 ====
Line 36: Line 35:
 If the AP does not respond to this, you might see the SSID set to the AP SSID.  This is what is called a directed Probe Request.  The packet capture does not include an example of this. If the AP does not respond to this, you might see the SSID set to the AP SSID.  This is what is called a directed Probe Request.  The packet capture does not include an example of this.
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_2.png}}
  
 ==== Packet 3 ==== ==== Packet 3 ====
 This is a Probe Response packet.   This is the AP responding to the client.  It has a source MAC of the BSSID and a destination MAC of the client.  The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities. This is a Probe Response packet.   This is the AP responding to the client.  It has a source MAC of the BSSID and a destination MAC of the client.  The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities.
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_3.png}}
  
 ==== Packets 4, 5 ==== ==== Packets 4, 5 ====
-These are WEP OPEN system authentication packets.  The client sends an authentication request packet and the AP responds with an authentication acceptance packet.+These are open authentication system packets. 
 + 
 +The client sends an authentication request packet ...: 
 + 
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_4.png}} 
 + 
 +... and the AP responds with an authentication acceptance packet
 + 
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_5.png}}
  
  
 ==== Packets 6, 7 ==== ==== Packets 6, 7 ====
-These are the WEP association packets.  The client sends an association request packet and the AP responds with an association acceptance packet.  Essentially this joins the client to the network.+These are the association packets. Essentially this joins the client to the network.
  
 +The client sends an association request packet ... 
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_6.png}}
 +
 +... and the AP responds with an association response packet:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_7.png}}
  
 ==== Packets 8, 9, 10, 11 ==== ==== Packets 8, 9, 10, 11 ====
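Review bot: the new wording "open authentication system packets" (Packets 4, 5) scrambles the 802.11 term. Dropping "WEP" is the correct fix, since Open System authentication is the same null authentication exchange a WPA client performs before the 4-way handshake and has nothing to do with WEP, but the line should read "These are Open System authentication packets." The same applies to the caption "... and the AP responds with an authentication acceptance packet": the second frame is the AP's authentication response carrying a Successful status code, so "authentication response packet" would match the "association response packet" caption used for Packet 7 in this hunk; that caption also ends with a colon while the Packet 5 caption has no terminal punctuation.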
Line 56: Line 72:
 IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet.  Meaning coming from the AP or going to it. IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet.  Meaning coming from the AP or going to it.
  
 +Packet 8:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_8.png}}
 +
 +Packet 9:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_9.png}}
 +
 +Packet 10:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_10.png}}
 +
 +Packet 11:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_11.png}}
  
 ==== Packets 12, 13, 14, 15 ==== ==== Packets 12, 13, 14, 15 ====
  
-These are data packets to/from the wireless client to the LAN via the AP.  You can view the TKIP Parameters field to confirm that WPA is used for these packets.+These are data packets to/from the wireless client to the LAN via the AP.  You can view the TKIP Parameters field to confirm that WPA is used for these packets:
  
-So you should now be able to do the same tests with your cards and see what is different +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_12.png}}
  
  
 +So you should now be able to do the same tests with your cards and see what is different.
  
 ===== Analysis of a bad passphrase connection attempt ===== ===== Analysis of a bad passphrase connection attempt =====
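Review bot: the Packets 12-15 line tells the reader to "view the TKIP Parameters field to confirm that WPA is used", which only holds for a TKIP network like the one captured here; a WPA2 network shows CCMP parameters in that position instead, so a reader checking their own capture would wrongly conclude it is not WPA-protected. Suggest "You can view the TKIP Parameters field (CCMP Parameters on a WPA2/CCMP network) to confirm that WPA is used for these packets:". Moving the closing "So you should now be able to do the same tests ..." sentence below the image and giving it a full stop is fine; "Meaning coming from the AP or going to it." on the DS Status Flag line is a fragment and reads better joined to the previous sentence with a comma.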
Line 71: Line 103:
 This is the access point (AP) Beacon.  It announces the presence and capabilities of the AP. This is the access point (AP) Beacon.  It announces the presence and capabilities of the AP.
  
-If you look at the "Vendor Specific" attributes, you can see the WPA attributes.+If you look at the "Vendor Specific" attributes, you can see the WPA attributes:
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_1.png}}
  
 ==== Packet 2 ==== ==== Packet 2 ====
Line 79: Line 112:
 If the AP does not respond to this, you might see the SSID set to the AP SSID.  This is what is called a directed Probe Request.  The packet capture does not include an example of this. If the AP does not respond to this, you might see the SSID set to the AP SSID.  This is what is called a directed Probe Request.  The packet capture does not include an example of this.
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_2.png}}
  
 ==== Packet 3 ==== ==== Packet 3 ====
 This is a Probe Response packet.   This is the AP responding to the client.  It has a source MAC of the BSSID and a destination MAC of the client.  The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities. This is a Probe Response packet.   This is the AP responding to the client.  It has a source MAC of the BSSID and a destination MAC of the client.  The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities.
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_3.png}}
  
 ==== Packets 4, 5 ==== ==== Packets 4, 5 ====
-These are WEP OPEN system authentication packets.  The client sends an authentication request packet and the AP responds with an authentication acceptance packet.+These are open authentication system packets.  The client sends an authentication request packet and the AP responds with an authentication acceptance packet.
  
 +Packet 4:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_4.png}}
 +
 +Packet 5:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_5.png}}
  
 ==== Packets 6, 7 ==== ==== Packets 6, 7 ====
-These are the WEP association packets.  The client sends an association request packet and the AP responds with an association acceptance packet.  Essentially this joins the client to the network.+These are the association packets. Essentially this joins the client to the network. 
 + 
 +The client sends an association request packet ...  
 + 
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_6.png}} 
 + 
 +... and the AP responds with an association response packet. 
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_7.png}}
  
 ==== Packets 8, 9 ==== ==== Packets 8, 9 ====
 Up to this point, you will notice that the packets are identical between a successful and failed connection. Up to this point, you will notice that the packets are identical between a successful and failed connection.
  
-These are the first two of four "handshake" WPA packets.  The AP sends out a packet with information that it expects the wireless client to send back properly encrypted with passphrase.  Since the wireless client is using is using the wrong passphrase, it is incorrect.  +These are the first two of four "handshake" WPA packets.  The AP sends out a packet with information that it expects the wireless client to send back properly encrypted with passphrase.  Since the wireless client is using the wrong passphrase, it is incorrect.  
  
 Notice that the AP initiates the four-way handshake by sending the first packet.  Notice that the AP initiates the four-way handshake by sending the first packet. 
  
 +Packet 8:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_8.png}}
 +
 +Packet 9:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_9.png}}
  
 ==== Packets 10, 11, 12, 13, 14, 15 ==== ==== Packets 10, 11, 12, 13, 14, 15 ====
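Review bot: "send back properly encrypted with passphrase" (Packets 8, 9) misstates what the client returns and survives the "is using is using" fix unchanged. The client's reply is not encrypted with the passphrase; it carries the client nonce and a MIC computed from the key derived from the passphrase, and it is that MIC the AP cannot verify when the passphrase is wrong. Suggest: "The AP sends out a packet with information that it expects the wireless client to answer with a MIC computed from the correct passphrase. Since the wireless client is using the wrong passphrase, the MIC does not verify." The Packets 4, 5 line has the same "open authentication system packets" wording problem as in the first analysis and should read "Open System authentication packets"; and the Packets 6, 7 caption ends with a period here but with a colon in the first analysis, so pick one.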
Line 105: Line 161:
 Notice that the AP initiates the four-way handshake by sending the first packet.  Each pair has successive "replay counter" values. Notice that the AP initiates the four-way handshake by sending the first packet.  Each pair has successive "replay counter" values.
  
 +Packet 10:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_10.png}}
 +
 +Packet 11:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_11.png}}
 +
 +Packet 12:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_12.png}}
 +
 +Packet 13:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_13.png}}
 +
 +Packet 14:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_14.png}}
 +
 +Packet 15:
 +
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_15.png}}
  
 ==== Packet 16 ==== ==== Packet 16 ====
-Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client.  Effectively throwinng it off the AP.+Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client.  Effectively throwing it off the AP:
  
 +{{http://pictures.aircrack-ng.org/tuto/wpa_analysis/wpa_bad_16.png}}
  
 ===== Wireshark Usage Tip ===== ===== Wireshark Usage Tip =====
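Review bot: the "throwinng" to "throwing" fix is correct, but the six new captions "Packet 10:" through "Packet 15:" give the reader nothing the heading does not, while the text directly above them says the AP initiates each pair and that the pairs carry successive replay counter values; label the odd-numbered frames as the AP's retransmitted first handshake message (replay counter incremented each time) and the even-numbered ones as the client's reply that fails the MIC check, so the replay-counter sequence described in the prose is visible in the captions. "Effectively throwing it off the AP:" (Packet 16) is still a sentence fragment; "..., effectively throwing it off the AP:" joins it to the preceding sentence.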
wpa_capture.txt · Last modified: 2018/10/06 02:54 by mister_x