wpa_capture [2008/01/26 17:36] – Added pictures + some small fixes mister_x
wpa_capture [2014/09/05 02:50] – Fixed typo mister_x
Line 1: Line 1:
 ====== Tutorial: WPA Packet Capture Explained ====== ====== Tutorial: WPA Packet Capture Explained ======
-Version: 1.03 January 242007\\+Version: 1.05 December 152009\\
 By: darkAudax By: darkAudax
  
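Review bot: the new version line keeps the run-together date from the old one: "December 152009" reads as day and year fused, exactly as "January 242007" did. Suggest `Version: 1.05 December 15, 2009\\` so the separator survives rendering.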
Line 13: Line 13:
 The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].  The best document describing WPA is [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly. The [[http://aircrack-ng.org|Wiki]] links page has a [[links#wpa_wpa2_information|WPA/WPA2 section]].  The best document describing WPA is [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]].  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly.
  
-To view the capture, use [[http://www.wireshark.org/|Wireshark]] to open it then "View" then "Expand All" This shows all the sections and fields expanded.  You will need to scroll through the fields for each packet to locate the ones mentioned.  See this [[http://aircrack-ng.org/doku.php?id=faq#can_i_use_wireshark_ethereal_to_capture_802.11_packets|FAQ entry]] to learn how to use Wireshark.+To view the capture, use [[http://www.wireshark.org/|Wireshark]] to open it then "View" then "Expand All" This shows all the sections and fields expanded.  You will need to scroll through the fields for each packet to locate the ones mentioned.  See this [[faq#can_i_use_wireshark_ethereal_to_capture_802.11_packets|FAQ entry]] to learn how to use Wireshark.
  
 The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program.
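Review bot: the Wireshark sentence is missing a full stop between "Expand All" and "This shows all the sections and fields expanded" on both sides of the diff; since the line is being touched anyway, add the period there, and in the unchanged context "an Ralink RT73 chipset" should read "a Ralink RT73 chipset". Changing the FAQ reference to the internal link [[faq#can_i_use_wireshark_ethereal_to_capture_802.11_packets|FAQ entry]] is fine, as it no longer hard-codes the site host.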
Line 69: Line 69:
  
 Notice that the AP initiates the four-way handshake by sending the first packet.  The first pair of packets has a "replay counter" value of 1.  The second pair has a "replay counter" value of 2.  Packets with the same "replay counter" value are matching sets.  If you have only one packet for a specific "replay counter" value then you are missing it from the capture and packet you do have cannot be used by aircrack-ng.  That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are "0" handshakes.  You must have matching pairs. Notice that the AP initiates the four-way handshake by sending the first packet.  The first pair of packets has a "replay counter" value of 1.  The second pair has a "replay counter" value of 2.  Packets with the same "replay counter" value are matching sets.  If you have only one packet for a specific "replay counter" value then you are missing it from the capture and packet you do have cannot be used by aircrack-ng.  That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are "0" handshakes.  You must have matching pairs.
 +
 +There are some other items to point out if you are analyzing a capture looking for a valid capture.  EAPOL packets 1 and 3 should have the same nonce value.  If they don't, then they are not part of the matching set.  Aircrack-ng also requires a valid beacon.  Ensure this beacon is part of the same packet sequence numbers.  For example, if the beacon packet sequence number is higher then the EAPOL packet sequence numbers from the AP, the handshake will be ignored.  This is because the aircrack-ng "resets" handshake sets when association packets and similar are seen.
  
 IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet.  Meaning coming from the AP or going to it. IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet.  Meaning coming from the AP or going to it.
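Review bot: the added paragraph carries two grammar slips that will go live as-is: "higher then the EAPOL packet sequence numbers" should be "higher than", and "This is because the aircrack-ng "resets" handshake sets" has a stray "the". Its opening clause "analyzing a capture looking for a valid capture" also repeats itself; suggest "looking for a valid handshake", which is what the paragraph then checks for (matching nonces in EAPOL packets 1 and 3, and a beacon whose sequence number precedes the AP's EAPOL packets). In the unchanged context above it, "and packet you do have cannot be used" wants "the packet".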
Line 144: Line 146:
 Up to this point, you will notice that the packets are identical between a successful and failed connection. Up to this point, you will notice that the packets are identical between a successful and failed connection.
  
-These are the first two of four "handshake" WPA packets.  The AP sends out a packet with information that it expects the wireless client to send back properly encrypted with passphrase.  Since the wireless client is using is using the wrong passphrase, it is incorrect.  +These are the first two of four "handshake" WPA packets.  The AP sends out a packet with information that it expects the wireless client to send back properly encrypted with passphrase.  Since the wireless client is using the wrong passphrase, it is incorrect.  
  
 Notice that the AP initiates the four-way handshake by sending the first packet.  Notice that the AP initiates the four-way handshake by sending the first packet. 
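Review bot: the fix removes the duplicated "is using", but the sentence still reads awkwardly: "encrypted with passphrase" wants "with the passphrase", and the "it" in "it is incorrect" has no clear referent. Suggest ending with "the client's response is incorrect."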
wpa_capture.txt · Last modified: 2018/10/06 02:54 by mister_x