wpa_capture
Differences
wpa_capture [2008/01/25 01:17] – added link to wireshark faq entry darkaudax | wpa_capture [2009/09/19 04:09] – "is using is using" changed to "is using" mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: WPA Packet Capture Explained ====== | ====== Tutorial: WPA Packet Capture Explained ====== | ||
- | Version: 1.03 January | + | Version: 1.04 January |
By: darkAudax | By: darkAudax | ||
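Review bot: the version line is bumped to 1.04 but its date still reads "January", while the revision header above dates the newer side 2009/09/19; check that the date on the version line was updated together with the version number so the two do not disagree.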
Line 13: | Line 13: | ||
The [[http:// | The [[http:// | ||
- | To view the capture, use [[http:// | + | To view the capture, use [[http:// |
- | + | ||
The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. | The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. | ||
Line 28: | Line 26: | ||
This is the access point (AP) Beacon. | This is the access point (AP) Beacon. | ||
- | If you look at the " | + | If you look at the " |
+ | {{http:// | ||
==== Packet 2 ==== | ==== Packet 2 ==== | ||
Line 36: | Line 35: | ||
If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | ||
+ | {{http:// | ||
==== Packet 3 ==== | ==== Packet 3 ==== | ||
This is a Probe Response packet. | This is a Probe Response packet. | ||
+ | {{http:// | ||
==== Packets 4, 5 ==== | ==== Packets 4, 5 ==== | ||
- | These are WEP OPEN system | + | These are open authentication |
+ | |||
+ | The client sends an authentication request packet | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an authentication acceptance packet: | ||
+ | |||
+ | {{http:// | ||
==== Packets 6, 7 ==== | ==== Packets 6, 7 ==== | ||
- | These are the WEP association packets. | + | These are the association packets. Essentially this joins the client to the network. |
+ | The client sends an association request packet ... | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an association response packet: | ||
+ | |||
+ | {{http:// | ||
==== Packets 8, 9, 10, 11 ==== | ==== Packets 8, 9, 10, 11 ==== | ||
Line 56: | Line 72: | ||
IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet. | IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet. | ||
+ | Packet 8: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 9: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 10: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 11: | ||
+ | |||
+ | {{http:// | ||
==== Packets 12, 13, 14, 15 ==== | ==== Packets 12, 13, 14, 15 ==== | ||
- | These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets. | + | These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets: |
- | So you should now be able to do the same tests with your cards and see what is different. | + | {{http:// |
+ | So you should now be able to do the same tests with your cards and see what is different. | ||
===== Analysis of a bad passphrase connection attempt ===== | ===== Analysis of a bad passphrase connection attempt ===== | ||
Line 71: | Line 103: | ||
This is the access point (AP) Beacon. | This is the access point (AP) Beacon. | ||
- | If you look at the " | + | If you look at the " |
+ | {{http:// | ||
==== Packet 2 ==== | ==== Packet 2 ==== | ||
Line 79: | Line 112: | ||
If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | ||
+ | {{http:// | ||
==== Packet 3 ==== | ==== Packet 3 ==== | ||
This is a Probe Response packet. | This is a Probe Response packet. | ||
+ | {{http:// | ||
==== Packets 4, 5 ==== | ==== Packets 4, 5 ==== | ||
- | These are WEP OPEN system | + | These are open authentication |
+ | Packet 4: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 5: | ||
+ | |||
+ | {{http:// | ||
==== Packets 6, 7 ==== | ==== Packets 6, 7 ==== | ||
- | These are the WEP association packets. | + | These are the association packets. |
+ | |||
+ | The client sends an association request packet | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an association | ||
+ | {{http:// | ||
==== Packets 8, 9 ==== | ==== Packets 8, 9 ==== | ||
Up to this point, you will notice that the packets are identical between a successful and failed connection. | Up to this point, you will notice that the packets are identical between a successful and failed connection. | ||
- | These are the first two of four " | + | These are the first two of four " |
Notice that the AP initiates the four-way handshake by sending the first packet. | Notice that the AP initiates the four-way handshake by sending the first packet. | ||
+ | Packet 8: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 9: | ||
+ | |||
+ | {{http:// | ||
==== Packets 10, 11, 12, 13, 14, 15 ==== | ==== Packets 10, 11, 12, 13, 14, 15 ==== | ||
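Review bot: the two parallel sections have drifted apart; the "Packets 6, 7" text in this bad-passphrase hunk now reads only "These are the association packets." whereas the same heading in the good-passphrase hunk gained "Essentially this joins the client to the network." Suggest applying the same sentence here so the two analyses stay in sync, since the page itself states that the packets are identical up to the four-way handshake.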
Line 105: | Line 161: | ||
Notice that the AP initiates the four-way handshake by sending the first packet. | Notice that the AP initiates the four-way handshake by sending the first packet. | ||
+ | Packet 10: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 11: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 12: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 13: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 14: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 15: | ||
+ | |||
+ | {{http:// | ||
==== Packet 16 ==== | ==== Packet 16 ==== | ||
- | Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client. | + | Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client. |
+ | {{http:// | ||
===== Wireshark Usage Tip ===== | ===== Wireshark Usage Tip ===== |
wpa_capture.txt · Last modified: 2018/10/06 02:54 by mister_x