
Capture WEP and WPA association / authentication traffic

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Sun Sep 27, 2009 1:25 pm

Capture WEP and WPA association / authentication traffic

I'm interested in capturing my own WEP and WPA association and authentication traffic so I can study and then understand it.  I set up two laptops, one running BT3 live CD and the other Windows XP with a Netgear WG511T PCMCIA wireless card.

I managed to get the capturing laptop configured and authenticated to my wireless router (WPA).  I also got my second laptop authenticated but didn't see any of the association/authentication packets when I ran Wireshark in BT3.  I set the capturing laptop's wireless card to promiscuous mode.  This is an Intel PRO/Wireless 2200BG.

I ran the test again but didn't authenticate my capturing laptop first.  It didn't make any difference as I didn't see any traffic when the second laptop authenticated.

Finally, I captured traffic when the capturing laptop authenticated.  All I saw were a series of EAPOL frames.  There were no beacons, probes or frames containing the SSID.  I have seen a pcap file of the authentication process so I know that these additional frames should be present.

I just wonder if my Intel Wireless card isn't playing nicely with Wireshark.  Any tips?  I hasten to add that this is for my own education, rather than illicit activity in a coffee shop (etc.)!
Last edited by Ignatius on Sun Sep 27, 2009 1:30 pm, edited 1 time in total.

Ketchup (Hero Member, Posts: 1021, Joined: Fri Jul 04, 2008 7:44 pm, Location: Philadelphia, PA)
Post Sun Sep 27, 2009 9:31 pm

Re: Capture WEP and WPA association / authentication traffic

I am making some assumptions because I am not quite clear as to what is connected to what in your configuration.  I am assuming that the Intel 2200BG card is in the laptop that is running BT3.  You are trying to capture authentication traffic from the Windows box to the AP from the BT3 box.  If this is incorrect, please let us know.

It could be a driver issue with the Intel cards related to promiscuous mode.  I have had nothing but trouble with them. I would try using BT4 Pre Release.  I have much better results with wireless in BT4 than BT3.  Which driver is the card using?  (lspci -k and look for the kernel module). 
~~~~~~~~~~~~~~
Ketchup

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Mon Sep 28, 2009 5:02 am

Re: Capture WEP and WPA association / authentication traffic

Thank you for the guidance.  Your interpretation of the configuration is correct.

I ran lspci -k in BT3 and got the following:

  Code:
bt ~ # lspci -k
lspci: invalid option -- k
Usage: lspci [<switches>]


so I tried lspci -v and got the following related to the ethernet and wireless:
  Code:
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (MOB) Ethernet Controller (rev 83)
        Subsystem: Sony Corporation Unknown device 8140
        Flags: bus master, medium devsel, latency 66, IRQ 9
        Memory at d0200000 (32-bit, non-prefetchable) [size=4K]
        I/O ports at 4000 [size=64]
        Capabilities: [dc] Power Management version 2

02:0b.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
        Subsystem: Intel Corporation Unknown device 2753
        Flags: bus master, medium devsel, latency 64, IRQ 9
        Memory at d0201000 (32-bit, non-prefetchable) [size=4K]
        Capabilities: [dc] Power Management version 2


I couldn't see anything relating to kernel module or drivers though.

I'll see if I can get BT4 to work.  I suppose my alternative is to get a USB or PCMCIA wireless card which will work.  I'm based in the UK so would prefer to get something here, rather than have to order from the US (with additional shipping charges).
Last edited by Ignatius on Mon Sep 28, 2009 5:03 am, edited 1 time in total.

Ketchup (Hero Member, Posts: 1021, Joined: Fri Jul 04, 2008 7:44 pm, Location: Philadelphia, PA)
Post Mon Sep 28, 2009 7:31 am

Re: Capture WEP and WPA association / authentication traffic

Try lspci -vv.  I don't remember what the correct switch is in the BT3 version of Linux.  You can also run lspci --help | grep -i kernel to see if anything comes up on the appropriate switch.

Can you switch it up and boot the laptop with the PCMCIA wireless card from the BT3 disc?  If you can capture traffic there, you know it has something to do with the driver or the card. 

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Mon Sep 28, 2009 8:51 am

Re: Capture WEP and WPA association / authentication traffic

I wondered if the -k switch was used in other versions ... I've managed to get BT4 working and the lspci -k output is:

  Code:
02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (MOB) Ethernet Controller (rev 83)
        Kernel driver in use: e100
02:0b.0 Network controller: Intel Corporation PRO/Wireless 2200BG [Calexico2] Network Connection (rev 05)
        Kernel driver in use: ipw2200
        Kernel modules: ipw2200


I'm not even able to get my wireless (WPA) card connected now though!  I'll get back into BT3, copy the entire wpa_supplicant.conf file and try that in BT4.

Unfortunately, the older laptop (the one with the PCMCIA card) won't run BT.  It was designed for W98 (yes, that old) and has 128MB RAM.  I'll try the PCMCIA card in the newer laptop though to see if it will pick up traffic from my wireless router.

BTW, do you have any recommendations for wireless cards (USB or PCMCIA) which will "play" with BT without any hassle?  I'm keen to capture the traffic so I can understand the authentication process.

Ketchup (Hero Member, Posts: 1021, Joined: Fri Jul 04, 2008 7:44 pm, Location: Philadelphia, PA)
Post Mon Sep 28, 2009 10:24 am

Re: Capture WEP and WPA association / authentication traffic

Here is a list of wireless cards that are supported by BT and any associated issues.  I use a Belkin USB stick that supports injection.  Like just about anything, there are only a few supported versions, and some work better than others.  I bought mine because it cost me $25 US.

http://backtrack.offensive-security.com/index.php/HCL:Wireless

The card appears to be using the correct driver, ipw2200.  I think that the wpa_supplicant file should help with the association issue.  However, you don't have to associate to capture wireless traffic.  Have you tried running Wireshark yet on BT4?  Do you get anything?

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Mon Sep 28, 2009 4:07 pm

Re: Capture WEP and WPA association / authentication traffic

Having got BT4 working, I tried connecting to my wireless router and could do so when I used the connection manager, so it appears that the driver is correct, but I still need to get the wpa_supplicant.conf file sorted.  I set up the second laptop and got it to associate too, but nothing was picked up by Wireshark.  This was the case regardless of whether it was associated or not and whether it was in promiscuous mode or not.

I'll look into getting a second card from the list that you linked.  I just wonder if it's a problem of my configuration of Wireshark so I might ask on their forum.  I ran Kismet in BT3 (whilst not associated) and it picked up my home network, as expected, without any problems.

Ketchup (Hero Member, Posts: 1021, Joined: Fri Jul 04, 2008 7:44 pm, Location: Philadelphia, PA)
Post Mon Sep 28, 2009 4:48 pm

Re: Capture WEP and WPA association / authentication traffic

Hmm, this is a strange one.  Try tcpdump instead of Wireshark to see if there are any issues with the software config.  You can also run airmon-ng to start the wifi card in promiscuous mode to make sure it is actually going into the mode.

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Sun Oct 11, 2009 1:18 pm

Re: Capture WEP and WPA association / authentication traffic

UPDATE (and sorry for not feeding back earlier!):

I've been pulling my hair out.  I managed to get a second Netgear WG511T PCMCIA card and all the research that I did led me to believe that it *should* work to collect management frames.  I looked into airmon-ng and issued:

ifconfig wlan0 down
airmon-ng start wlan0

which created a new entry in ifconfig -a (mon0)

I started Wireshark and collected using mon0.  Lo and behold, there were beacons and probes!  I switched back to my original WG511T card and it didn't work so I guess it's been a combination of a faulty card and the lack of my using airmon-ng.  Before you (Ketchup) mentioned this, I assumed that I could change the mode of the card from within Wireshark.

As a non-Linux user, it's been a steep learning curve ... but one which has made me more determined to learn more!

alucian (Full Member, Posts: 228, Joined: Mon Dec 29, 2008 2:01 pm, Location: Montreal, Canada)
Post Sun Oct 11, 2009 1:51 pm

Re: Capture WEP and WPA association / authentication traffic

WG511T works fine in BackTrack.  You can inject packets with it; I am using it and it is very good.

The better way to do it is to start airmon-ng on the specific channel of your network:

airmon-ng start wlan0 x (x is the channel)

In order to collect packets you should type:

airodump-ng -c x (x is the channel) --bssid AP_MAC -w name_capture_file mon0

-c and --bssid are optional, but like this you'll only capture the traffic for your ip.

This command will generate a file with the extension .cap, which you can open with Wireshark.  For more, type airodump-ng --help  ;)

About your old laptop, here is a list of the laptops compatible with BackTrack 3:

http://backtrack.offensive-security.com ... CL:Laptops
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP

Ignatius (Jr. Member, Posts: 91, Joined: Sun Mar 22, 2009 9:51 am)
Post Mon Oct 12, 2009 9:06 am

Re: Capture WEP and WPA association / authentication traffic

Thanks alucian.  I'm using a live BT4 CD and I'm considering using an old laptop (within the HCL) to load BT4.  I know that I can take an image to restore the laptop should I make any major configuration errors.  I'm pleased that I have a card and appropriate commands which will allow me to collect the traffic that I'll need to learn about the association and authentication process.
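A note on what the thread actually ran into, plus an added example that is not from any of the posters above. A wireless interface in its normal (managed) mode only hands the OS the data frames of its own association, rewritten as Ethernet frames; that is why the first capture showed nothing but EAPOL and no beacons or probes. Beacons, probe requests/responses, Authentication and Association frames are 802.11 management frames, and seeing them (and anyone else's handshake) requires monitor mode, which is what airmon-ng puts the card into when it creates mon0; "promiscuous mode" as used earlier in the thread is a different, Ethernet-level setting and does not help here. The card also has to sit on the AP's channel for the whole exchange, which is why alucian's airmon-ng start wlan0 x form is the one to use. The WPA association the original poster wants to study is, in order: probe request/response, open-system Authentication (two frames), Association request/response, then the EAPOL-Key 4-way handshake (M1 from the AP with its nonce, M2 from the station with its nonce and a MIC, M3 from the AP carrying the group key with the Install bit set, M4 from the station as confirmation). The script below classifies those frames from a capture and reports whether all four handshake messages were seen. It is illustration code written for this page; it reads the raw-802.11 or radiotap .cap that airodump-ng/Wireshark write, and the sample frames, MAC addresses and SSID embedded at the bottom are constructed for the example, not from a real capture.

```python
"""Classify the 802.11 frames of a WPA association (probe, authentication, association and the
EAPOL-Key 4-way handshake) from raw 802.11 (pcap link type 105) or radiotap (127) captures."""
import struct

MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 11: "auth", 12: "deauth"}
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def ssid_from_ies(ies):
    """Walk tagged information elements; return the SSID (element ID 0) or None."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def eapol_key_message(eapol):
    """Map an EAPOL-Key frame to handshake message M1..M4 from its Key Information bits."""
    if len(eapol) < 7 or eapol[1] != 3 or eapol[4] not in (2, 254):
        return None  # EAPOL type 3 = Key; descriptor 2 = RSN (WPA2), 254 = WPA1
    key_info = struct.unpack_from(">H", eapol, 5)[0]
    pairwise, install = key_info & 0x0008, key_info & 0x0040
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if not pairwise:
        return "group-key"
    if ack and not mic:
        return "M1"                      # AP -> STA: ANonce, no MIC yet
    if ack and mic and install:
        return "M3"                      # AP -> STA: GTK, "install the PTK"
    if mic and not ack:
        return "M4" if secure else "M2"  # STA -> AP: SNonce + MIC (M2), confirmation (M4)
    return None

def classify_frame(frame, radiotap=False):
    """Describe one frame of the association sequence as a dict, or None for anything else."""
    if radiotap:  # radiotap header: version(1) pad(1) length(2, little-endian) ...
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    info = {"dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":")}
    if ftype == 0 and subtype in MGMT_SUBTYPES:
        info["kind"], body = MGMT_SUBTYPES[subtype], frame[24:]
        if subtype in (5, 8):      # probe-resp / beacon: timestamp(8) interval(2) capability(2) IEs
            info["ssid"] = ssid_from_ies(body[12:])
        elif subtype == 4:         # probe-req: IEs only
            info["ssid"] = ssid_from_ies(body)
        elif subtype == 0:         # assoc-req: capability(2) listen interval(2) IEs
            info["ssid"] = ssid_from_ies(body[4:])
        elif subtype == 11 and len(body) >= 6:
            alg, seq, status = struct.unpack_from("<HHH", body)
            info.update(algorithm="open" if alg == 0 else "shared-key", seq=seq, status=status)
        return info
    if ftype == 2 and not fc1 & 0x40:  # data frame, Protected bit clear: the 4-way handshake is in the clear
        payload = frame[26 if subtype & 0x08 else 24:]  # QoS data adds a 2-byte QoS control field
        if payload[:8] == LLC_SNAP_EAPOL and (msg := eapol_key_message(payload[8:])):
            info.update(kind="eapol-key", message=msg)
            return info
    return None

def read_pcap(path):
    """Minimal libpcap reader yielding (is_radiotap, frame) per record, e.g. for airodump-ng's .cap."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        endian = "<" if struct.unpack("<I", hdr[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        linktype = struct.unpack(endian + "I", hdr[20:24])[0]
        while len(rec := f.read(16)) == 16:
            yield linktype == 127, f.read(struct.unpack(endian + "IIII", rec)[2])

def handshake_summary(frames, radiotap=False):
    """Classify every frame; the second value is True once M1..M4 have all been seen."""
    events = [e for e in (classify_frame(f, radiotap) for f in frames) if e]
    seen = {e["message"] for e in events if e["kind"] == "eapol-key"}
    return events, {"M1", "M2", "M3", "M4"} <= seen

# --- constructed sample frames (made-up addresses and SSID, not a real capture) ---
AP, STA, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"

def mac_header(fc0, fc1, a1, a2, a3):
    """24-byte MAC header: frame control, duration, addr1..addr3, sequence control."""
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (a1, a2, a3))
    return bytes([fc0, fc1, 0, 0]) + macs + b"\x00\x00"

def sample_capture():
    """Beacon, probe request, open-system auth, association request, then M1..M4."""
    ssid_ie = bytes([0, 7]) + b"homenet"
    def eapol(src, dst, key_info):  # RSN EAPOL-Key (95-byte body) with zeroed nonce/MIC fields
        body = b"\x01\x03" + struct.pack(">H", 95) + b"\x02" + struct.pack(">H", key_info) + bytes(92)
        return mac_header(0x08, 0x02 if src == AP else 0x01, dst, src, AP) + LLC_SNAP_EAPOL + body
    return [mac_header(0x80, 0, BCAST, AP, AP) + bytes(12) + ssid_ie,           # beacon
            mac_header(0x40, 0, BCAST, STA, BCAST) + ssid_ie,                   # probe request
            mac_header(0xB0, 0, AP, STA, AP) + struct.pack("<HHH", 0, 1, 0),    # auth: open system, seq 1
            mac_header(0x00, 0, AP, STA, AP) + bytes(4) + ssid_ie,              # association request
            eapol(AP, STA, 0x008A), eapol(STA, AP, 0x010A),                     # M1, M2
            eapol(AP, STA, 0x13CA), eapol(STA, AP, 0x030A)]                     # M3, M4
```

To run it against a real file, pass the records from read_pcap into handshake_summary, e.g. recs = list(read_pcap("name_capture_file-01.cap")) and then handshake_summary([f for _, f in recs], recs[0][0]); with no file, handshake_summary(sample_capture()) walks the constructed exchange. Two things the code deliberately does: it ignores data frames with the Protected bit set (once M3/M4 have installed the pairwise key, everything after is encrypted and is not part of the handshake you are studying), and it classifies handshake messages from the Key Information bits rather than from direction or order, since on a busy channel the four messages are rarely adjacent in the capture. If a capture shows M1 but never M2, the station never answered on that channel; if M4 is missing, airodump-ng may still report a handshake, but you do not have proof the station confirmed the key.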
