wpa_capture
Differences
This shows you the differences between two versions of the page.
Old revision: wpa_capture [2008/01/20 23:23] – added example of bad passphrase (darkaudax)
New revision: wpa_capture [2009/12/15 17:47] – Added additional information regarding identifying valid handshakes (darkaudax)
Line 1: | Line 1: | ||
====== Tutorial: WPA Packet Capture Explained ====== | ====== Tutorial: WPA Packet Capture Explained ====== | ||
- | Version: 1.01 January 20, 2007\\ | + | Version: 1.05 December 15, 2009\\ |
By: darkAudax | By: darkAudax | ||
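Review bot: the date on the replaced version line, "January 20, 2007", did not agree with that revision's own timestamp of 2008/01/20, so the year there was off by one; the new line's "December 15, 2009" matches the 2009/12/15 revision timestamp, which is the right thing to check whenever this line is bumped.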
Line 9: | Line 9: | ||
This is quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. | This is quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. | ||
- | To view the capture, use [[http:// | + | This tutorial is a companion to the [[cracking_wpa|How to Crack WPA/WPA2 tutorial]]. |
+ | |||
+ | The [[http:// | ||
+ | |||
+ | To view the capture, use [[http:// | ||
The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. | The captures were done using an Ralink RT73 chipset and airodump-ng as the capture program. | ||
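Review bot: two grammar slips sit in the unchanged context lines of this hunk and are worth fixing while the intro is being edited: "This is quick and dirty explanation" should read "This is a quick and dirty explanation", and "using an Ralink RT73 chipset" should read "using a Ralink RT73 chipset". The new cross-reference to the cracking_wpa tutorial is useful here, since this page only describes what a capture should contain.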
Line 22: | Line 26: | ||
This is the access point (AP) Beacon. | This is the access point (AP) Beacon. | ||
- | If you look at the " | + | If you look at the " |
+ | {{http:// | ||
==== Packet 2 ==== | ==== Packet 2 ==== | ||
Line 30: | Line 35: | ||
If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | ||
+ | {{http:// | ||
==== Packet 3 ==== | ==== Packet 3 ==== | ||
This is a Probe Response packet. | This is a Probe Response packet. | ||
+ | {{http:// | ||
==== Packets 4, 5 ==== | ==== Packets 4, 5 ==== | ||
- | These are WEP OPEN system | + | These are open authentication |
+ | |||
+ | The client sends an authentication request packet | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an authentication acceptance packet: | ||
+ | |||
+ | {{http:// | ||
==== Packets 6, 7 ==== | ==== Packets 6, 7 ==== | ||
- | These are the WEP association packets. | + | These are the association packets. Essentially this joins the client to the network. |
+ | The client sends an association request packet ... | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an association response packet: | ||
+ | |||
+ | {{http:// | ||
==== Packets 8, 9, 10, 11 ==== | ==== Packets 8, 9, 10, 11 ==== | ||
These are the four " | These are the four " | ||
+ | Notice that the AP initiates the four-way handshake by sending the first packet. | ||
+ | |||
+ | There are some other items to point out if you are analyzing a capture looking for a valid capture. | ||
+ | |||
+ | IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "TO DS" depending on the packet. | ||
+ | |||
+ | Packet 8: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 9: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 10: | ||
+ | |||
+ | {{http:// | ||
- | IEEE 802.11 -> Frame Control -> Flags -> DS Status Flag: The direction flags show "FROM DS" or "FROM DS" depending on the packet. | + | Packet |
+ | {{http:// | ||
==== Packets 12, 13, 14, 15 ==== | ==== Packets 12, 13, 14, 15 ==== | ||
- | These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets. | + | These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets: |
- | So you should now be able to do the same tests with your cards and see what is different. | + | {{http:// |
+ | So you should now be able to do the same tests with your cards and see what is different. | ||
===== Analysis of a bad passphrase connection attempt ===== | ===== Analysis of a bad passphrase connection attempt ===== | ||
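Review bot: the new sentence "if you are analyzing a capture looking for a valid capture" should read "looking for a valid handshake", which is also what the revision summary calls it. The DS Status Flag paragraph says the direction "depends on the packet" but never says which is which; since the text already notes that the AP sends the first packet, it would help to state that handshake messages 1 and 3 come from the AP (FROM DS) and messages 2 and 4 come from the client (TO DS), so a reader checking the four screenshots knows the expected pattern. Finally, as rendered in this diff the label before the last screenshot in the Packets 8, 9, 10, 11 section reads just "Packet" with no number, while the other three read "Packet 8:", "Packet 9:" and "Packet 10:".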
Line 64: | Line 105: | ||
This is the access point (AP) Beacon. | This is the access point (AP) Beacon. | ||
- | If you look at the " | + | If you look at the " |
+ | {{http:// | ||
==== Packet 2 ==== | ==== Packet 2 ==== | ||
Line 72: | Line 114: | ||
If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. | ||
+ | {{http:// | ||
==== Packet 3 ==== | ==== Packet 3 ==== | ||
This is a Probe Response packet. | This is a Probe Response packet. | ||
+ | {{http:// | ||
==== Packets 4, 5 ==== | ==== Packets 4, 5 ==== | ||
- | These are WEP OPEN system | + | These are open authentication |
+ | Packet 4: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 5: | ||
+ | |||
+ | {{http:// | ||
==== Packets 6, 7 ==== | ==== Packets 6, 7 ==== | ||
- | These are the WEP association packets. | + | These are the association packets. Essentially this joins the client to the network. |
+ | The client sends an association request packet ... | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | ... and the AP responds with an association response packet. | ||
+ | |||
+ | {{http:// | ||
==== Packets 8, 9 ==== | ==== Packets 8, 9 ==== | ||
Up to this point, you will notice that the packets are identical between a successful and failed connection. | Up to this point, you will notice that the packets are identical between a successful and failed connection. | ||
- | These are the first two of four " | + | These are the first two of four " |
+ | Notice that the AP initiates the four-way handshake by sending the first packet. | ||
+ | |||
+ | Packet 8: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 9: | ||
+ | |||
+ | {{http:// | ||
==== Packets 10, 11, 12, 13, 14, 15 ==== | ==== Packets 10, 11, 12, 13, 14, 15 ==== | ||
These are really just repeats of packets 8 and 9. The AP is giving the wireless client a chance to correctly answer. | These are really just repeats of packets 8 and 9. The AP is giving the wireless client a chance to correctly answer. | ||
+ | Notice that the AP initiates the four-way handshake by sending the first packet. | ||
+ | |||
+ | Packet 10: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 11: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 12: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 13: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 14: | ||
+ | |||
+ | {{http:// | ||
+ | |||
+ | Packet 15: | ||
+ | |||
+ | {{http:// | ||
==== Packet 16 ==== | ==== Packet 16 ==== | ||
- | Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client. | + | Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client. |
+ | {{http:// | ||
===== Wireshark Usage Tip ===== | ===== Wireshark Usage Tip ===== |
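Review bot: the line "Notice that the AP initiates the four-way handshake by sending the first packet" added under Packets 10 through 15 repeats the same sentence from the Packets 8, 9 section, and in a section described as "really just repeats of packets 8 and 9" it reads as if a fresh handshake were starting; suggest rewording to something like "Notice that each retry is again started by the AP." It would also strengthen the point made earlier ("Up to this point ... the packets are identical") to say plainly that in the failed capture only the first two messages ever appear and the third and fourth are never sent, which is the observable difference from the successful capture before the deauthentication in packet 16.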
wpa_capture.txt · Last modified: 2018/10/06 02:54 by mister_x