Lately I have been trying to analyze wifi traffic over my own test router.
I looked on the wireshark website on how to do this and setup my own testing network.
my network:
-dd-wrt router with WPA2 personal mixed security using tkip+aes.
-kali linux capture machine with wireshark 1.8.5
-android phone for producing traffic
I then put the wireless interface of my kali laptop into monitor mode user airmon-ng
airmon-ng start wlan0
To check if the created monitor interface(mon0) worked I would use airodump-ng.
When I knew that my monitor interface was working, I started up Wireshark.
I selected mon0 as capture interface and pressed options. In Capture options I put the mac adress of my router, which I got through airodump-ng, in the capture filter area.
I then would take care of the packet decryption that would be needed for me to see the actual data. I went to the following webpage:
http://wiki.wireshark.org/HowToDecrypt802.11
I followed the instructions there.(Only the way I need to put in the decryption keys is different than the key#1 system that is described on the page. I get a new window in which I need to select a security method wep,wpa-pwd or wpa-psk and input the key).
I used the wireshark wpa psk generator tool to get the right pre-shared key.
http://www.wireshark.org/tools/wpa-psk.html
Essid: "testnet"
Password: "wachtwoord"
psk: 33fe484e651381b15859e539279f2991c0f5e5e751ef17f82104d4ad528718ca
I put in 2 new keys. One being wpa-pwd with wachtwoord as its value. The second being wpa-psk with the psk mentioned above as its value.
I applied all the settings, and checked the enable decryption checkbox.
So I clicked the start capture button and saw a whole bunch of beacon frames rolling in.
I associated my android phone with the AP so I knew I capture the eapol packets(I checked this using the filter and I had all 4 packets).
After filtering with "data", I saw that I didn't capture any data packets.
I then expected to see the actual traffic, but this was not the case.
airdecap-ng did not see any WPA packets in the capture file.
My only theory left after hours of puzzeling is lack of driver support.
Please tell me what I am doing wrong?
Thank you!
tl;dr:
My computer does not capture 802.11 wpa2 data packets, and I can't figure out why.
Have you checked if you can capture Wifi frames in OPEN/NONE security? If it doesn't work with OPEN/NONE, then you need to fix the setup before being able to capture WPA2/AES traffic.
Steps I used to check Wifi capture setup:
- Configure AP as OPEN/NONE (open authentication, no encryption).
- Add monitor interface:
$ sudo iw phy phy0 interface add moni0 type monitor
$ sudo ifconfig moni0 up
Set channel of properly (same between the AP and the laptop). Avoid popular ch1,6,11 (use channel 7, for example) to reduce the amount of captured traffic.
Some wireless cards do not support monitor mode very well, so it may also be worth to avoid 802.11n, use 802.11b/g only.
Related
My employer has asked me to prepare for testing several thousand Chromebooks (mix of models/manufacturers) to refurb/flip. This may be a recurring thing.
Most or all of these will be old enough that CCD will not be available. I'd like to connect a widget such as a Raspberry Pi to the USB and have it automate testing as much as possible.
I know I can use keyboard emulation to inject commands, but I'd like to get a crosh session running over USB so that I can read info from the DUT besides just controlling it.
Google shows bazillions of returns about using a Chromebook as an ssh terminal but what I'm looking for is the opposite. I'm prepared for the answer to be a simple "no" but I'm concerned because I can't find that anyone else has asked this question. I don't think I'm that creative, so I suspect my Goog-fu is weak.
The answer appears to be "no". However I solved it another way; using "gadget mode" I have a Raspberry Pi ZW enumerate as a keyboard and a serial port. I put the Chromebook into Developer mode, open a developer shell with ctrl/alt/F2, or on a PC/linux or Mac system open a terminal window and type "sudo su" (these have to be done manually). Then I have the RPi issue this bash command to identify the serial port "in the blind":
SERPORT=/dev/serial/by-id/$(ls /dev/serial/by-id) # Chromebook or PC/linux
(or)
SERPORT=$(ls /dev/cu.usbmodem*) # Mac
Now I can have the RPi inject commands via the keyboard, put ">$SERPORT" on the end of each command, and the output comes in the RPi gadget serial port. The RPi then packages the data and forwards it over WiFi to our CRM. It's working nicely for Chromebooks, PCs booted into linux, Mac desktops and Macbooks.
Edit:
The company I work for has actually turned this into a product and so I'm not sure how much detail I should share, but...
I learned my way around gadget mode on the RPi from this link. There are examples for setting up a keyboard and a serial port. Using the templates in that link, I made a device called /dev/hidg0 which emits keyboard scancodes from the RPi to the Chromebook. I also made a device called /dev/ttyGS0 which the Chromebook sees as a serial port.
So I send keystrokes with some python like:
with open("/dev/hidg0","bw") as hid:
hid.write(blah)
and then have the Chromebook send text to the serial port, which I then read by looking at /dev/ttyGS0
Hopefully this will be enough to get you started. I found the isticktoit link very helpful.
I'm trying to write a simple C code with WinPcap to broadcast a beacon packet and capture it in all nearby WiFi units. The code I'm using is very similar to the ones available at WinPcap[1].
The code runs fine if I create an ad-hoc network connection and join all the computers into it. However, this process of creating and joining to an ad-hoc network is cumbersome. It would be much better if, regardless of what network each computer is in, the beacon packets would be broadcasted and captured once the code is running.
As simple as this problem might sound, after some searching it seems that this is not possible to be done on windows (unless re-writing drivers or maybe the kernel):
Raw WiFi Packets with WinPcap[2]
Sending packets without network connection[3]
Does winpcap/libpcap allow me to send raw wireless packets?[4]
Basically, it would be necessary to use the WiFi in monitor mode, which is not supported in Windows[5]. Therefore, if the computers are not in the same network connection, the packets will be discarded.
1st Issue
I'm still intriguing, beacon and probe request packets are a normal traffic across the network. How they could be being sent and received constantly but the user is not allowed to write a program to do so? How to reconcile that?
2nd Issue
Does anyone has experience with Managed Wifi API[6]? I've heard that it might help.
3rd Issue
Acrylic WiFi[7] claims to have developed a NDIS driver which support monitor mode under Windows. Does anyone has experience with this software? Is it possible to integrate with C codes?
4th Issue
Is it possible to code such Wifi beacon on Linux? and on Android?
www.winpcap.org/docs/docs_412/html/main.html
stackoverflow.com/questions/34454592/raw-wifi-packets-with-winpcap/34461313?noredirect=1#comment56674673_34461313
stackoverflow.com/questions/25631060/sending-packets-without-network-connection-wireless-adapter
stackoverflow.com/questions/7946497/does-winpcap-libpcap-allow-me-to-send-raw-wireless-packets
en.wikipedia.org/wiki/Monitor_mode#Operating_system_support
managedwifi.codeplex.com/
www.acrylicwifi.com/
Couple questions I will try to answer. Mgmt and Ctrl packets are used for running a wifi network and don't contain data, I would not call these normal packets. Windows used to(I think still does) convert data packets into ethernet frames and pass it up the stack. Beacon and Probe Req pkts are not necessary for TCP/IP stack to work, ie. web browsers don't need beacon frames to get your web page. Most OS's need minimal info from mgmt/ctrl pkts to help a user interact with a wifi adapter, most mgmt/ctrl pkts only are useful to the driver(and low level os components) to figure how to interact with the network. This way the wifi adapters look and act like ethernet adapters to high level os components.
Never had any experience with Managed Wifi API or Acrylic, so can't give you any feedback.
Most analyzers that capture and send packets do it in 2-3 separate modes mainly because of hardware. Wifi adapters can be in listen mode(promiscuous mode and/or monitor mode) or adapter mode. To capture network traffic you need to listen and not send, ie. if someone sends a pkt while you are sending you miss that traffic. In order to capture(or send) traffic you will need a custom NDIS driver in windows, on linux many of them already do. Checkout wireshark or tshark, they use winpcap to capture pkts in windows and there are some adapters they recommend to use to capture pkts.
Yes it is possible to send a beacon on linux, ie. Aireplay. I know its possible to capture traffic on Android but you it needs to have rooted or custom firmware, which I would believe also means you can send custom pkts. If you are simply trying to send a pkt it might be easier to capture some traffic in tshark or wireshark and use something like aireplay to resend that traffic. You could also edit the packet with a hex editor to tune it to what you need.
I am able to capture only the packets routed through my NIC, but I want to sniff all the packets from other PC(s) connected to the same local wireless network. I am using Wireshark, but it cannot sniff the packets from the remote IP(s) connected to the same local network (created by a wireless router).
You haven't provided much detail about your capture setup - in particular what OS your capture PC is running or what hardware you have. The best advice I can give you to start with is to visit the Wireshark WLAN (IEEE 802.11) capture setup wiki page and carefully read its contents, particularly those sections that best relate to your system. At the very least, you will need to be able to place your wireless NIC into monitor mode, and the method by which you do that is OS dependent, so do visit that wiki page for more details.
If you happen to be running Windows and you are unable to place your NIC into monitor mode using Wireshark or you don't have an adaptor (such as an Airpcap adaptor) capable of capturing the traffic, or npcap doesn't work for you, then you might want to try other tools besides Wireshark, such as Microsoft's Network Monitor or their newer Message Analyzer capture tools.
Lastly, if nothing else works, then you might want to visit the Wireshark Tools wiki page to try to find other potential tools that might work for you in your particular capture environment.
You can use the Cain and Abel sniffing tool. It is very easy one. You can sniff packets by Cain and Abel and log them using WireShark.
You can download it from https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html
I have a headless raspberry pi with a wifi dongle and I want to use wifi two ways.
1) To make the rPI a wireless access point when there is no local wifi access point so I can connect to the rPI from my iPhone.
2) When wifi is available use the wifi dongle to do normal connection to the internet.
I think I know how to do each of these individually. It wasn't easy but I now have it connecting to my local wifi at home.
I see references to using hostapd and dnsmasq with wifi to make a local access point but they mostly assume internet connection comes from ethernet.
I'll be studying these in more detail. However I don't even know if the end goal of using the same configuration to fill both needs with one wifi dongle is even possible.
Obviously I can create two sets of config files and a script to swap them as needed but that only works if I have a connection already so I can log in.
If I add a jumper or switch to the rPI GPIO interface I could run the configuration script at startup and let it read the switch.
I might try to make the script look for an existing wifi link and go to access point mode if it doesn't find one it can access.
This would probably be a steep learning curve for me but I could probably figure it out eventually.
What I am trying to figure out now is whether I can avoid these potentially complex solutions by creating a single configuration that does both. Is a single wifi dongle sharable between these functions?
Note: I don't need it to do both at the same time. I just need the decision to be automated so it happens automatically during boot.
It is possible, although tricky to get right. (For example, what happens if you boot up, don't see an existing network for a second due to interference, then wrongly create your own network?)
Take a look at the "iwlist" command. It can scan and tell you what SSIDs (base stations) it sees. Then you can use 'grep' to see if your home network is on the list, and use that as your decision.
in my college lab all the PCs are connected via LAN by L2 switch. i want to capture the http data packets by wireshark but it is only showing the interface of my own PC. so how can i capture the packets of other PCs.
can somebody tell me working of wireshark?
It is in the nature of switches that you will only see either broadcast packets or traffic that has your MAC address as a destination, that is one of the crucial differences between a switch and a hub.
It is possible for most switches to be configured to copy traffic from one port to another, this is commonly done for monitoring purposes, but that has to be done via administrative access to the device.
You can manipulate the switch's behavior by means of ARP-Spoofing. But be cautious! Doing so might be seen as a criminal act.
So be sure that you're allowed to do so in the lab, sometimes that's OK if it serves the educational purpose. Ask your supervisor or the school's administrator.
My weapon of choice for such things is Ettercap.
A far less intrusive approach would be to use one of your own switches and configure it to forward all traffic. Then you can connect one port as an uplink to the lab's switch, one port to the device under test and one port to your machine running wireshark. (I would recommend using tcpdump for capturing, though.) If you don't have a manageable switch at hand, you can also use a router running OpenWRT.