Slides - Practical Packet Analysis 2 - Wireless Packet Analysis


Practical Packet Analysis 2
CT4010 Computers and Security
Jordan Allison

Module Learning Outcomes

On successful completion of this module, students should be able to:
• Demonstrate an understanding of the component parts of modern computer hardware, and how they might serve as sources of digital evidence.
• Carry out assembly language programming tasks in both low-level and high-level languages.
• Demonstrate an understanding of the components of modern computer networks, and how they might serve as sources of digital evidence.
• Carry out local and wide area network construction projects.
• Develop computer programs that may be used for collecting digital evidence.
• Understand the security issues associated with networked computer systems.
Today’s Learning Outcomes

• To become familiar with different types of network traffic
• To conduct an investigation of network traffic
Please leave anonymous feedback on my Padlet board: https://padlet.com/jrallison1/iunpyeogu48u

Any questions from last session?

Last Session: Malware Analysis

This Session

• 802.11 Packet Analysis
• Aircrack-ng
• Practical Wireless Packet Analysis
802.11 Packet Analysis

802.11 Packet Structure

• Wireless packets carry an additional header: the 802.11 header.
• This is a layer 2 header that contains extra information about the packet and the medium on which it is transmitted.
• There are three types of 802.11 packets:
• Management
• Control
• Data
Management Packets

• These packets are used to establish connectivity between hosts at layer 2.
• Some important subtypes of management packets include:
• Authentication
• Association
• Beacon packets
Control Packets

• Control packets allow for the delivery of management and data packets and are concerned with congestion management.
• Common subtypes include request-to-send and clear-to-send packets.

Data Packets

• These packets contain the actual data and are the only packet type that can be forwarded from the wireless network to the wired network.
• The type and subtype of a wireless packet determine its structure, so there are several possible structures.
• We will examine one such structure by looking at a single packet in the file 80211beacon.pcap using Wireshark.

80211beacon.pcap
Wireless Specific Filters

• In a wireless network, all traffic generated by wireless clients coexists on shared channels. A capture of one channel may contain traffic from several clients.
• Filtering traffic for a specific BSS (Basic Service Set) ID
• Filtering specific wireless packet types
• Force users to authenticate using a username/password
• VPN tunnel between computer and AP

Filtering traffic for a specific BSS ID

• Each WAP in a network has a unique identifier called the Basic Service Set Identifier (BSSID).
• The BSSID is sent in every wireless management packet and data packet the access point (AP) transmits.
• Once you know the BSSID you want to examine, you can find the packets that have been sent from that particular AP.
• Use the BSSID MAC address in your filter to see traffic flowing through the specified AP:
• wlan.bssid == 00:11:22:33:44:55
Filtering Specific Wireless Packet Types

Filtering based on packet type and subtype:
• wlan.fc.type
• wlan.fc.type_subtype

Examples:
• Management frame: wlan.fc.type eq 0
• Control frame: wlan.fc.type eq 1
• Data frame: wlan.fc.type eq 2
• Beacon: wlan.fc.type_subtype eq 0x08
Filtering a Specific Frequency

• If you want to examine a combination of traffic that includes packets from multiple
channels, it can be useful to filter based on each individual channel.

• Examples:
• Filter a specific frequency: radiotap.channel.freq == 2412
• For additional filters visit: http://wiki.wireshark.org
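The frame-control decoding and the wlan.bssid / wlan.fc.type / wlan.fc.type_subtype filters from the preceding slides, as an added Python example (not from the slides or the capture files): it parses raw 802.11 frames the way Wireshark populates those fields and applies the same filter conditions. The frames, MAC addresses and SSID are constructed for the example; radiotap headers (which carry radiotap.channel.freq) are assumed already stripped.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Parse one 802.11 frame (radiotap and FCS already stripped) into the
    fields the slides filter on: wlan.fc.type, wlan.fc.type_subtype, wlan.bssid."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    f = {"type": ftype, "subtype": subtype, "type_subtype": (ftype << 4) | subtype,
         "addr1": mac(frame[4:10]), "addr2": None, "addr3": None, "bssid": None}
    if len(frame) >= 16:            # CTS and ACK carry only a receiver address
        f["addr2"] = mac(frame[10:16])
    if ftype != 1:                  # management and data frames have a third address
        f["addr3"] = mac(frame[16:22])
    if ftype == 0:                  # management: addr3 is always the BSSID
        f["bssid"] = f["addr3"]
    elif ftype == 2:                # data: BSSID position depends on To/From DS bits
        f["bssid"] = {(0, 0): f["addr3"], (0, 1): f["addr2"],
                      (1, 0): f["addr1"]}.get((to_ds, from_ds))
    if f["type_subtype"] == 0x08:   # beacon body: 8B timestamp, 2B interval,
        body = frame[24:]           # 2B capabilities, then tagged parameters
        f["beacon_interval"] = struct.unpack("<H", body[8:10])[0]
        pos = 12
        while pos + 2 <= len(body):
            tag, ln = body[pos], body[pos + 1]
            if tag == 0:            # tag 0 is the SSID
                f["ssid"] = body[pos + 2:pos + 2 + ln].decode(errors="replace")
            pos += 2 + ln
    return f

def wlan_filter(frames, bssid=None, fc_type=None, type_subtype=None):
    """Same conditions as e.g. 'wlan.bssid == 00:11:22:33:44:55 && wlan.fc.type == 0'."""
    return [p for p in map(parse_80211, frames)
            if (bssid is None or p["bssid"] == bssid.lower())
            and (fc_type is None or p["type"] == fc_type)
            and (type_subtype is None or p["type_subtype"] == type_subtype)]

# Constructed sample frames (not from any real capture): AP 00:11:22:33:44:55
# serving SSID "LabWiFi", and a station aa:bb:cc:dd:ee:01.
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddee01"), b"\xff" * 6
BEACON = (bytes([0x80, 0x00, 0, 0]) + BCAST + AP + AP + b"\x00\x00"
          + b"\x00" * 8 + struct.pack("<H", 100) + b"\x11\x00" + b"\x00\x07LabWiFi")
DATA = bytes([0x08, 0x02, 0, 0]) + STA + AP + AP + b"\x00\x00" + b"payload"  # FromDS=1
RTS = bytes([0xb4, 0x00, 0, 0]) + AP + STA   # control frames: RA then TA
CTS = bytes([0xc4, 0x00, 0, 0]) + STA        # CTS has a receiver address only
FRAMES = [BEACON, DATA, RTS, CTS]
```

Note that the RTS and CTS frames have no BSSID at all, so a wlan.bssid filter silently drops them; filter on wlan.fc.type eq 1 to see the control traffic for a channel.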
Wireless Security (A Reminder)

• The biggest concern when deploying and administering a wireless network is the security of the data transmitted across it.
• With data freely available in the air, it is crucial that the data be encrypted.
• The original method for securing data transmitted over a wireless network was Wired Equivalent Privacy (WEP).
• To improve security, new standards were created:
• Wi-Fi Protected Access (WPA)
• WPA2
Wireshark: Successful WEP Authentication

• The file 80211_WEPauth.pcap contains an example of a successful connection to a WEP-enabled wireless network.
• The security on this network is set up using a WEP key. This is a key you must provide to the WAP in order to authenticate to it and decrypt data sent from it.
Successful WEP Authentication

• As shown in Wireshark, the capture file begins with a challenge from the WAP (28:6C:8E:AB:96:16) to the wireless client (AC:CF:5C:78:6C:9C) in packet 3.
• The purpose of this challenge is to determine whether the wireless client has the correct WEP key.
• The challenge is acknowledged with packet 4.
• The wireless client then responds by decrypting the challenge text with the WEP key and returning it to the WAP.
• The response contains the message that the authentication process was successful.
Wireshark: Failed WEP Authentication

• The file 80211_WEPauthfail.pcap contains an example of a failed connection to a WEP-enabled wireless network.

Failed WEP Authentication

• In this example, a user enters his WEP key to connect to a WAP and, after several seconds, the wireless client utility reports that it was unable to connect to the wireless network.
• This communication begins with the WAP sending challenge text to the wireless client in packet 3.
• This is acknowledged in packet 4.
• In packet 5, we see a message telling us that the authentication failed.
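The four-frame exchange walked through on the successful and failed WEP authentication slides, as an added Python simulation (not from the slides or the capture files): the AP sends a cleartext challenge, the station returns it WEP-encrypted (RC4 under IV || key, with a CRC-32 ICV), and the AP decrypts the response and checks the ICV and challenge text before answering with an IEEE 802.11 status code. The keys and challenge are constructed; the MAC addresses and keys of the slides' captures are not used.

```python
import os, struct, zlib

def rc4(key, data):
    """RC4 (KSA then PRGA) XORed over data; WEP's stream cipher."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)

def wep_encrypt(key, iv, plaintext):
    """WEP frame body: cleartext 3-byte IV, then RC4(IV || key) over data || CRC-32 ICV."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    return iv + rc4(iv + key, plaintext + icv)

def wep_decrypt(key, body):
    """Return the data if the ICV verifies under this key, else None."""
    pt = rc4(body[:3] + key, body[3:])
    data, icv = pt[:-4], pt[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None

def shared_key_auth(ap_key, sta_key, challenge=None):
    """Simulate the four-frame 802.11 shared-key authentication seen in the
    WEPauth captures. Returns (status_code, frames); status 0 = successful,
    15 = 'authentication rejected because of challenge failure'."""
    challenge = challenge or os.urandom(128)          # AP's cleartext challenge text
    frames = [("STA->AP", 1, b"auth algorithm=1 (shared key)")]
    frames.append(("AP->STA", 2, challenge))
    response = wep_encrypt(sta_key, os.urandom(3), challenge)  # station encrypts it
    frames.append(("STA->AP", 3, response))
    status = 0 if wep_decrypt(ap_key, response) == challenge else 15  # AP verifies
    frames.append(("AP->STA", 4, status))
    return status, frames

# Constructed 40-bit WEP keys (not the keys of the slides' captures).
GOOD_KEY = bytes.fromhex("0102030405")
BAD_KEY = bytes.fromhex("0102030406")
```

Running shared_key_auth with a mismatched station key reproduces what 80211_WEPauthfail.pcap shows in packet 5: the AP's fourth frame carries a non-zero status code instead of success.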


Practical Task – Wireshark

WPA uses a very different authentication mechanism than WEP, but it still relies on the user to enter a key into the wireless client in order to connect to the network.

Open the file 80211-WPAauth.pcap, investigate the authentication mechanism and explain this process.
Aircrack-ng

Aircrack-ng

• Using aircrack-ng, you will assess the security of the Wired Equivalent Privacy (WEP) security algorithm associated with 802.11 wireless network security.
• Aircrack-ng is a freely available tool that is installed on your Kali Linux VM.
• The official distribution site is http://www.aircrack-ng.org

Aircrack-ng

• The Aircrack-ng suite of tools can perform various testing, assessing and cracking tasks. The primary programs used in this suite are:
• aircrack-ng: the primary cracking tool.
• aireplay-ng: tool for injecting and replaying wireless frames.
• airmon-ng: tool to enable and disable monitor mode on a wireless interface.
• airodump-ng: tool for capturing raw 802.11 frames.
• There are many other tools available. However, the above tools are the primary ones used in relation to capturing packets, injecting frames, and cracking WEP keys and WPA passphrases.
Practical Task – Cracking WEP

Using a Kali Linux VM with Aircrack-ng installed, use Aircrack-ng to crack the WEP.cap file.
More Wireshark

• concepts.pcap – Ping Request
• IPv4.pcap
• IPv6.pcap
• link.pcap – Duplicate IP Address detected
• fragment.pcap
Practical Task – Wireshark

Complete the Practical Lab: Wireless Packet Analysis

You will need the following:
• Wireshark
• Wireless.pcap
• Linux VM
Lecture Recap

Today we have covered:
• 802.11 Packet Analysis
• Aircrack-ng
• Practical Wireless Packet Analysis

Next Session:
• Network Security 5 – Authentication Methods

Please leave anonymous feedback on my Padlet board: https://padlet.com/jrallison1/iunpyeogu48u

Any questions?
