Wireshark 802.11 Display Filters

Wireshark 802.11 frame type and subtype display filters to quickly sort packet captures.

displayfilter

Management Frames
Control Frames
Data Frames
Association Request
Association Response
Reassociation Request
Reassociation Response
Probe Request
Probe Response
Beacon
ATIM
Disassociation
Authentication
Deauthentication
Action Frames
Block ACK Request
Block ACK
Power Save Poll
Request to Send
Clear to Send
ACK
CFP End
CFP End ACK
Data + CF ACK
Data + CF Poll
Data + CF ACK + CF Poll
Null Data
Null Data + CF ACK
Null Data + CF Poll
Null Data + CF ACK + CF Poll
QoS Data
QoS Data + CF ACK
QoS Data + CF Poll
QoS Data + CF ACK + CF Poll
Null QoS Data
Null QoS Data + CF Poll
Null QoS Data + CF ACK + CF Poll
wlan.fc.type==0
wlan.fc.type==1
wlan.fc.type==2
wlan.fc.type_subtype==0
wlan.fc.type_subtype==1
wlan.fc.type_subtype==2
wlan.fc.type_subtype==3
wlan.fc.type_subtype==4
wlan.fc.type_subtype==5
wlan.fc.type_subtype==8
wlan.fc.type_subtype==9
wlan.fc.type_subtype==10
wlan.fc.type_subtype==11
wlan.fc.type_subtype==12
wlan.fc.type_subtype==13
wlan.fc.type_subtype==24
wlan.fc.type_subtype==25
wlan.fc.type_subtype==26
wlan.fc.type_subtype==27
wlan.fc.type_subtype==28
wlan.fc.type_subtype==29
wlan.fc.type_subtype==30
wlan.fc.type_subtype==31
wlan.fc.type_subtype==33
wlan.fc.type_subtype==34
wlan.fc.type_subtype==35
wlan.fc.type_subtype==36
wlan.fc.type_subtype==37
wlan.fc.type_subtype==38
wlan.fc.type_subtype==39
wlan.fc.type_subtype==40
wlan.fc.type_subtype==41
wlan.fc.type_subtype==42
wlan.fc.type_subtype==43
wlan.fc.type_subtype==44
wlan.fc.type_subtype==46
wlan.fc.type_subtype==47
Advertisements

Cyber Spring Cleaning! Don’t Forget Your Wireless Router!

cleaning-productsAs the weather warms up articles to remind us about cleaning up our devices, online accounts, making backups, and changing passwords are sure to show up, but don’t forget to add your wireless router to this list. Over time the wireless environment may have changed and the number of devices connecting to the network has increased and you have noticed a decrease in the performance. I have listed some items to check to either improve the performance or security of your wireless network.

Upgrade the Router

Electronics age fast and if you’re still running an 802.11g router it is time to upgrade. Look for an 802.11n protocol wireless router or get the latest and greatest 802.11ac router and be ready for the next wave of wireless devices. Either way you’ll notice a performance boost and the router won’t create a bottleneck in the network.

Check for the Latest Firmware

While not as often as Windows or Apple software updates a routers software called firmware does get the occasional update. Firmware could add functionality, patch bugs, or add security features. When you log into the routers management interface look for the firmware section to verify the current version and download any available updates. The firmware update could take several minutes to complete and at some stages you may think nothing is happening, but do not power off or restart the router during the update since this could brick the device!

Move to the 5 GHz Band

This could be more technical than most people can understand, but wireless networks can run in the 2.4 GHz and 5 GHz bands. Most home wireless networks use the 2.4 GHz band and along with wireless networks the 2.4 GHz band has signals from microwaves, cordless telephones, baby monitors, and other home devices making it very crowded. With the 2.4 GHz band being so crowded there are interference issues that can affect performance of the wireless network. Setting up the wireless network in the less used 5 GHz band will result in less interference and better performance.

Change the Channel

wifianalyzerWhether you’re wireless network runs in the 2.4 GHz or 5 GHz band things around you may have changed since the original setup and a quick scan of the neighboring networks may show channel interference. Scanning utilities such as InSSIDer or WiFi Analyzer will offer a snapshot of the wireless networks in range along with channel usage. As mentioned the 2.4 GHz band will be very crowded and channels 1, 6, and 11 the most heavily used. The best option is to move the network to the 5 GHz band, but if you stay in the 2.4 GHz band move the network to a non-used channel, but know that interference from adjacent 2.4 GHz channels can still effect performance of the wireless network.

Upgrade to WPA2 Security

If your still using WEP for wireless security it is time to update it to WPA2. WEP was cracked long ago and many utilities to crack WEP are freely available from the internet. When selecting the WPA2 Passphrase don’t use a common dictionary word, your pet’s name, your phone number, keyboard pattern, ect… For the best security a completely random 20 plus character WPA2 passphrase should be used. For further advice on selecting a secure WPA passphrase please read my earlier blog post.

Disable WPS

WiFi Protected Setup (WPS) or push and connect security has a known security flaw and should be disabled in the routers management interface. Even if you’re not using WPS to connect and secure devices to the wireless network it could be enabled by default and needs to be disabled manually.

Change the Passphrase

It is recommended to change personal passwords regularly so include your wireless passphrase to that list and make sure to change it at least once a year. For further advice on selecting a secure WPA passphrase please read my earlier blog post.

Setup a Guest Network

If people come to your house and ask to get on the wireless network it might be time to set up a separate guest network. It is not a good idea to hand out the WPA2 code for the main wireless network to everyone and having the guest network and traffic isolated from the main network is preferred. Many home routers allow multiple networks or enabling the guest network. You can also use a second router for the guest network, but make sure the routers are physically 10 feet apart from each other, and use enough channel separation to eliminate interference. Do assign a simpler WPA2 passphrase on the guest network so you’re not broadcasting an open network that anyone can connect to.

Disable Slower Wireless Protocols

Disabling slower protocols basically disables slower network speeds and can improve performance of the network. If your router and devices support the 802.11n protocol then disabling the 802.11g and 802.11b protocols will keep those devices from connecting and causing the network to communicate at those slower speeds.

Conclusion

So don’t run over to the wireless router with the feather duster or throw it in the dish washer, but if the network seems sluggish or not running as smoothly as it once was there are some things you can do. Check the user’s manual or the router manufactures website for extra help and tips to set up or configure the router. Thanks for reading and post any comments or questions below. I may not be able to answer specific router questions, but I can try to respond with a link or site URL for extra help.

Changing Your MAC Address Using Macchanger

Macchanger is a free utility used to change the MAC address of the network adapter. Macchanger can randomly assign a MAC address or assign a specific MAC address of your choosing.

Usage

There are several instances changing the MAC address is necessary, but I use the utility while pentesting a wireless network with MAC filtering enabled and have to assign an approved MAC address to the wireless adapter.

Install

The Macchanger utility is included with Kali Linux, but to install the application, update it, or verify your using the most up to date version run the following command. In the screen shot that follows the install command confirms that the newest version is already installed.

#apt-get install macchanger

macchangeinstall

Help

Help with Macchanger can be accessed by running the following two commands.

#macchanger --help

#man macchanger

Assign a Random MAC Address

I’m using an Alfa USB wireless adapter and I will run the following commands to verify the adapters interface and the permanent MAC address.

#ifconfig

#ifconfig wlan1

Macchanger can also be used to verify the manufacture burned in MAC address by running the following command.

#macchanger--show wlan1

Change the MAC address using one of the following commands.

#macchanger -r wlan1

#macchanger -A wlan1

Error Message

If you get an error message the MAC address can’t be changed and the adapter is busy take the adapter down and then rerun Macchanger. (Only the OUI portion of the MAC address is shown in the screen shot and the last 3 octets are blocked out)

adapterbusy

#ifconfig wlan1 down 

#macchanger -A wlan1

changemac

Bring the interface back up and verify the MAC address is changed.

#ifconfig wlan1 up 

#macchanger --show wlan1

changemac2

To return the MAC address to the vendor burned in address run the following command. You may have to take the interface down first.

#ifconfig wlan1 down

#macchanger --permanent wlan1

Assign a Specific MAC Address

The following command will assign a specific MAC address.

#macchanger --mac=aa:bb:cc:11:22:33 wlan1

macspec

Using the Macchanger GUI

If you’re not comfortable running commands there is a Macchanger GUI. A couple of commands will have to be run from the terminal window. One to install the Macchanger GUI application and the second to start the GUI application.

#apt-get install macchanger-gtk

#macchanger-gtk

macchangegtk

After the GUI opens select the options to change the MAC address and click the Change MAC button.

As you can see Macchanger is a great utility to change the MAC address and is simple to use and offers a GUI application as well. Let me know any questions in the comments section below or share any commands you find easier to use with Macchanger, or pass along any other utilities you use to change the MAC address.

Thanks for visiting my blog and happy pentesting!

Security Tips for Your Home Wireless Network

October is National Cyber Security Awareness month and this past October there was no shortage of great security awareness articles and advice being posted including tips to secure your home router and wireless network. The tips listed here are nothing new and it is important to know when configuring your home router no one setting can secure the network. Configuring a combination of settings for multiple layers of security will make the network and router secure.

Selecting a Channel

The first tip isn’t so much about security as it is about performance of the wireless network. If you’re not using an 802.11n router look to upgrade and before setting up the router do a quick scan for the other wireless networks in the area and the channels they are using. A free scanning utility from Metageek called InSSIDer for Home can be used to scan the wireless environment. After scanning the environment more than likely what you will find is the 2.4 GHz band and channels are very crowded and interference from these overlapping networks may affect performance of your network. The 5 GHz band will be less crowded and setting up the network to use a channel in this band should result in less interference from neighboring networks and overall better performance.

Screen Shot Courtesy of the Metageek Web Site

Screen Shot Courtesy of the Metageek Web Site

One trade-off is the 5 GHz network will have a smaller coverage footprint compared to the 2.4 GHz network. In some instances, such as in an apartment or condo complex you may want a smaller coverage area and might even adjust the routers power to a lower level to reduce the area of coverage. Again, taking advantage of the InSSIDer application you can test router placement and powers levels. InSSIDer can report the signal strength to find the best location for the router, and this up front surveying and planning will not only help network performance, but should cut down on the support issues.

WPA2 Encryption

Wireless network transmissions essentially have no borders and anyone within range of those transmissions could potentially capture the network traffic. Encryption of the wireless traffic is crucial and using the latest and greatest encryption standard of WPA2 is recommended. It is important to select a completely random passphrase with a minimum of 20 characters for the WPA2 key. You can read my earlier blog post for the importance of using WPA2 encryption and tips on selecting a secure WPA2 passphrase. 

Never Use WEP Encryption

WEP was the original encryption standard for wireless networks and was proven crackable. Numerous utilities freely available on the internet can crack WEP encryption in minutes!

Change the Admin Password

Many, if not all default SOHO (small office home office) router passwords are widely known, or easily found on the internet with a simple search. You can configure every security setting on the router, but leaving the Admin password as the default or selecting something that is easily guessed will defeat all the security you setup. Someone logging into the router can change any setting you have made or worse yet lock you out of your own router or brick the device.

Disable SSID Broadcast

Disabling the broadcast of the network SSID sounds like a great security option and some people think this will completely hide the network, but this is for from true. Anyone with a little knowledge and the right utilities can scan the airwaves and discover the hidden network SSID, so disabling the SSID broadcast should never be relied on as an end all security setting. Always combine the hidden SSID setting with the other settings mentioned to have strength with multiple security layers.

Disable Management of the Router from a Wireless Client

Force clients to be physically plugged into the router with a network cable to log in to the management interface. This setting will  not allow wireless clients to access the routers management interface to make any configuration or security changes.

Apply Firmware Updates to the Router

Every router has internal software called firmware loaded on it that manages the capabilities of the router. The router vendors occasionally release updates to their firmware to either improve functionality or patch vulnerabilities. Checking every so often for firmware updates will guarantee your router has all the latest features and security patches applied.

Conclusion

As mentioned a layered method of security works best to guarantee your router and wireless network is secure as possible. Someone trying to get access to your network would likely move on to an easier target after discovering the multiple layers of security.

For additional security tips be sure to check out the links below. Thanks! Dale

Securing Your Home Network

Security is Your Responsibility When Using Free Wi-Fi

Hotel Customers Want WiFi But Most Ignore the Risks

How Stores Use Your Phone’s WiFi to Track Your Shopping Habits

How to Use Wireshark to Capture, Filter and Inspect Packets

Wireshark 101… a great overview of the product with screenshots and explanations.

Kayle's Blog

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and display them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.

This tutorial will get you up to speed with the basics of capturing packets, filtering them and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on your network or troubleshoot network problems.

Getting Wireshark

You can download Wireshark for Windows or Mac OS X from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories. For example, if you’re using Ubuntu, you’ll find Wireshark in the Ubuntu Software Center.

Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Don’t use this tool at work unless you…

View original post 506 more words

Use Ettercap to Search for Computers Running Wireshark

ettercap

Note: For this demo I’m using a lab environment network that is not routed to the internet. I will be using the Ettercap open source network security tool included in the Back|Track 5 R3 Linux security distro. Before attempting to use Ettercap please make sure to read the help and MAN pages (Terminal commands shown next) for a complete description of the program options and switches.

#ettercap --help
#man ettercap

To save the man page to a text file use the following command.

#man ettercap | col -b > Ettercap.txt

For this demo I will use Ettercap to search for network interface cards (NICs) that are in promiscuous mode. Having the NIC in promiscuous mode does allow Wireshark to capture all the traffic it sees on the network.

First, with the Terminal open lets run a quick command to view the available plugins for Ettercap.

#ettercap -P list

ettercaplist

Near the bottom of the list will be the search_promisc plugin. We will use this plugin in the Ettercap command to search for the computers whose NIC are in promiscuous mode.

searchprom

I will use the next command to search for the network interfaces that are in promiscuous mode.

#ettercap -T -i eth0 -P search_promisc //

Here is a quick description of the different switches used in the command.

T is for text mode only.

-i etho selects the network interface to use.

-P search _promisc uses the search promiscuous mode plugin.

// targets all machines on the subnet.

Instead of using the // switch to scan the current subnet a range of IP addresses can be specified.

#ettercap -T -i eth0 -P search_promisc /10.0.0.1-253/

After the scan completes you will see two lists. The first list is the NICs that are not in promiscuous mode, and the second list shows the computers that are in promiscuous mode. (For the first scan I had two computers on the network and neither had their NIC in promiscuous mode)

scan1

After connecting a third computer to the network and starting Wireshark which will put the NIC in promiscuous mode I will rerun the previous Ettercap scan. This time the results will show the IP address of the computer that is running Wireshark in the probably sniffing NICs list.

scan2

If you’re not a command line person and would rather use a graphical interface Ettercap does have GUI option (see screen shot below). In my next blog post I will describe how to run this same search using the Ettercap GUI program.

ettercapgui

Ettercap GUI

Thanks for reading! If you have any comments or questions please post those below.

Use Reaver to Crack WPA/WPA2 Passwords

Premium Accounts 2014

Let’s use Reaver to crack WPA/WPA2 passwords! Through all this journey of cracking passwords (with permission), I learned you need two things: Time and Luck. There is no easy way to get a networks password, unless you actually go and ask for it nicely… but that’s not an option sometimes.

(Note: Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself. Breaking through someone’s Wireless Network is ilegall, use it at your own risk)

There are 2 methods to hack WPA/WPA2:

  1. With Dictionaries: Usually takes plenty of time and if the password is not on the dictionary, you won’t find it.
  2. With Reaver: Uses a vulnerability called Wi-Fi Protected Setup, or WPS. It exists on many routers and can take between 5 and 10 hours to crack.

When we tried using dictionaries and had no luck, we can move on to…

View original post 311 more words