Packet capture

With or without cables, sometimes you need to take a closer look at what happens with your traffic, and packet capture gives you an inside view of what is going on. The options range from USB adapters with several wireless NICs used together with packet-capture software (useful when roaming issues need to be investigated) to newer devices with built-in capture capabilities such as NetAlly (one channel) or Ekahau (up to four channels simultaneously). Most newer wireless installations also offer packet capture directly on the access points. You usually end up with a pcap (packet capture) file, which can be opened in programs like tcpdump or Wireshark. Keep in mind that management frames and the EAPOL key exchange are always visible in a capture, but data frames on a protected SSID are encrypted; Wireshark can only decrypt WPA/WPA2-Personal traffic if you give it the passphrase and the capture contains the client's 4-way handshake.

Some useful Wireshark WLAN display filters for looking at specific packets:


(The correct filter for showing a specific SSID is simply: wlan.ssid == "Roholt")

Let's begin with the basics of the 802.11 association process. A client is always in one of three states:

  • Not authenticated or associated
  • Authenticated but not associated
  • Authenticated and associated
    • Data transfer can begin

The following exchange of management frames will occur, in order to reach the “authenticated and associated” state:

Beacons: Access points continuously send out beacon frames, which are picked up by nearby WLAN clients, advertising their SSIDs and data rates.

Probe Request: The client broadcasts probe request frames on every channel, to all APs. Probe requests advertise the mobile station's supported data rates and 802.11 capabilities, such as 802.11n.

Probe Response: Access points within range respond with a probe response frame, advertising the SSID, supported data rates, encryption types if required, and other 802.11 capabilities of the AP.

Authentication Request: The client decides which AP is the best for access (based on the probe responses it received) and sends an authentication request to it. With WPA2 (Personal or Enterprise) this is Open System authentication, which proves nothing by itself: the real proof of credentials comes later, in EAP and/or the 4-way handshake. (WPA3-Personal instead runs the SAE exchange inside these authentication frames.)

Authentication Reply: The access point replies with an authentication response carrying a status code; status 0 means success and the client moves to the "authenticated but not associated" state.

Association Request: Upon successful authentication, the client sends an association request frame to the access point.

Association Response: The access point replies with an association response with a success status and an Association ID, and the client is now "authenticated and associated". On a protected SSID no user data flows yet: the 802.1X controlled port stays blocked until the key exchange below completes.

With a PSK, the 4-way handshake starts immediately after the above. With 802.1X/EAP, the 4-way handshake starts once EAP authentication has finished (see EAP authentication below), because the PMK it needs is produced by the EAP exchange.

EAPOL 4-way handshake: EAPOL stands for Extensible Authentication Protocol (EAP) over LAN, the 802.1X framing, and the handshake is carried in EAPOL-Key frames. The 4-way handshake is used on both PSK (WPA-Personal) and 802.1X (WPA2-Enterprise) SSIDs. It is an exchange of four packets between an access point and a wireless client that confirms both sides hold the same Pairwise Master Key (PMK) and derives fresh session keys from it: with a PSK the PMK is the PSK itself (PBKDF2 of the passphrase and the SSID), with 802.1X it is taken from the master session key produced by EAP. The key exchange happens after the client is authenticated and associated, and once the keys are installed, encrypted data frames take over. Practical caveat: on a PSK network, a capture of the handshake (messages 1 and 2 are enough) contains everything needed for an offline dictionary attack on the passphrase, so the handshake cannot protect a weak passphrase.

In message 1, the access point sends an EAPOL-Key frame to the client containing its ANonce, which will be used to generate a PTK. The Key Information field of the frame also tells the client which key descriptor version (MIC and key-wrap algorithms, e.g. HMAC-SHA1 with AES key wrap) is in use.

In message 2, the client sends its EAPOL-Key frame to the access point. This frame contains the SNonce, the RSN element and a MIC (Message Integrity Code). Having both nonces, the client has already derived the PTK (from the PMK, ANonce, SNonce and the two MAC addresses) and computes the MIC with the KCK part of it; the access point can now derive the same PTK and verify the MIC, which proves the client holds the PMK.

Message 3 (sent by the access point) contains the ANonce again, the RSN element and a MIC. What is important about message 3 is the transport of the Group Temporal Key (GTK), encrypted with the KEK inside the Key Data field, which is used to protect broadcast and multicast frames. A valid MIC on this message proves to the client that the access point holds the PMK too.

Message 4 is sent by the client and contains a MIC. It is the final frame of the 4-way handshake and notifies the access point that the temporal keys were installed successfully. It can be identified by the Key Information subfields Key MIC: Set and Secure: Set.

See this great explanation: https://networklessons.com/wireless/wpa-and-wpa2-4-way-handshake

EAP authentication (EAP-TLS)

  1. Client-side certificates are issued to supplicants by a PKI; the CA certificate needed to validate the server-side certificate is distributed to supplicants out-of-band (for example through MDM or a provisioning profile)
    • The supplicant and the authentication server will each present a certificate to the other, so that a mutually trusted connection can be established.
  2. Establish 802.11 Data Link
    • The supplicant associates with the authenticator (the access point), which gives the two a link over which EAPOL frames can be exchanged. Nothing is encrypted yet at this point.
  3. EAPoL Start
    • The supplicant sends an EAPOL-Start frame to the authenticator to kick off 802.1X (the authenticator may also start on its own by sending an Identity request). The authentication method, in this case EAP-TLS, is negotiated in the EAP exchange that follows.
  4. Identity Section
    • 4a. Identity Request
      • The authenticator sends an EAP-Request/Identity to the supplicant, asking it to identify itself.
    • 4b. Identity (anonymous) Response
      • The supplicant answers with its outer identity. Because this travels in the clear, it should be anonymous (e.g. anonymous@realm); the realm part is what the RADIUS infrastructure uses to route the request.
  5. RADIUS Access Request (anonymous)
    • The authenticator wraps the EAP response in a RADIUS Access-Request and forwards it to the RADIUS server. From here on the authenticator only relays EAP messages between supplicant and authentication server; it cannot see inside the TLS tunnel.
    • 5a. Server Certificate
      • The RADIUS server sends its server certificate (inside the TLS handshake) so the supplicant can confirm its identity through server certificate validation.
    • 5b. Client Certificate
      • The supplicant validates the server certificate against its trusted CA and, ideally, the expected server name. This is the step that stops an evil-twin AP with a rogue RADIUS server from harvesting credentials, so a supplicant configured to skip server validation is the most common weakness in EAP-TLS deployments. After validation the supplicant sends its client certificate and proves possession of the matching private key. Note that with TLS 1.2 the client certificate is sent in the clear, so the user identity in it is visible to a passive capture; TLS 1.3 encrypts it.
  6. RADIUS Access-Accept (or Reject)
    • The RADIUS authentication server validates the client certificate chain and checks that the user is authorised for the network. Depending on the outcome it sends Access-Accept or Access-Reject to the authenticator. On a WLAN the Access-Accept also carries the keying material (MSK) from which the PMK for the 4-way handshake is taken.
  7. EAP Success (or Failure)
    • Based on the RADIUS response, the authenticator sends EAP-Success or EAP-Failure to the supplicant to indicate whether network access has been approved or denied. On a wired switch a Success opens the port; on a WLAN the 4-way handshake described above follows first, and only then does the controlled port open for data.
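The frames in steps 3 and 4 (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity) and the EAP-TLS Start that opens step 5 are small enough to build and decode by hand, which helps when reading them in a capture. The following is an added example, not code from the original page or from any supplicant/RADIUS implementation; it serialises both sides of that exchange with only the Python standard library and includes a check that the cleartext outer identity from step 4b does not leak a username. The identity "anonymous@example.com" and the EAP identifiers are constructed values.

```python
import struct

EAPOL_EAP, EAPOL_START = 0, 1                                   # 802.1X packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13                         # EAP method types
TLS_FLAG_LENGTH, TLS_FLAG_MORE, TLS_FLAG_START = 0x80, 0x40, 0x20  # EAP-TLS flags byte


def eapol(packet_type, body=b""):
    """802.1X header: protocol version 2, packet type, body length."""
    return struct.pack(">BBH", 2, packet_type, len(body)) + body


def eap(code, identifier, payload=b""):
    """EAP packet: code, identifier, total length, then type byte + type data."""
    return struct.pack(">BBH", code, identifier, 4 + len(payload)) + payload


def decode(frame):
    """Decode one EAPOL frame into a dict, roughly as a capture tool would label it."""
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    body = frame[4:4 + length]
    if ptype == EAPOL_START:
        return {"eapol": "start"}
    if ptype != EAPOL_EAP:
        return {"eapol": ptype}
    code, ident, elen = struct.unpack(">BBH", body[:4])
    info = {"eapol": "eap", "code": code, "id": ident}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return info                                  # Success/Failure carry no type field
    info["type"] = body[4]
    if info["type"] == EAP_TYPE_IDENTITY:
        info["identity"] = body[5:elen].decode("utf-8", errors="replace")
    elif info["type"] == EAP_TYPE_TLS:
        flags = body[5]
        info["tls_start"] = bool(flags & TLS_FLAG_START)
        info["tls_more"] = bool(flags & TLS_FLAG_MORE)
        data_start = 10 if flags & TLS_FLAG_LENGTH else 6   # optional 4-byte TLS message length
        info["tls_data"] = body[data_start:elen]             # TLS record bytes (fragments are reassembled by the peer)
    return info


def outer_identity_is_anonymous(identity):
    """Step 4b: the outer identity is cleartext, so only the realm should be recognisable."""
    user = identity.split("@", 1)[0]
    return user.lower() in ("", "anonymous")


def identity_exchange(outer_identity):
    """Steps 3-4 plus the EAP-TLS Start of step 5, as (direction, frame) pairs from both sides."""
    return [
        ("sta->ap", eapol(EAPOL_START)),
        ("ap->sta", eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))),
        ("sta->ap", eapol(EAPOL_EAP, eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + outer_identity.encode()))),
        ("ap->sta", eapol(EAPOL_EAP, eap(EAP_REQUEST, 2, bytes([EAP_TYPE_TLS, TLS_FLAG_START])))),
    ]


if __name__ == "__main__":
    for direction, frame in identity_exchange("anonymous@example.com"):
        print(direction, frame.hex(), decode(frame))
```

The EAP identifier echoed from request to response (1 in both identity frames above) is what lets you pair requests and responses in a capture; everything after the EAP-TLS Start is TLS and can be followed with Wireshark's TLS dissector on the eap.type == 13 frames.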

Wireshark examples:

  • Here I use a filter to see clients below -90 dBm:

Here is a filter that includes my MAC address and Association Requests:

Example of a specific MAC AND a specific SSID: (wlan.ssid == "Roholt") && (wlan.addr == 62:CD:67:F0:60:FC)