
Course Duration

5 Days

Audience

Employees of federal, state and local governments; and businesses working with the government.

Prerequisites

Familiarity with TCP/IP networking, Wi-Fi fundamentals, and network infrastructure devices such as switches, routers, etc.

Course Description

In this hands-on course, you will receive in-depth training on Wireshark® and WiFi communications analysis. You will develop the skills to capture, decrypt and analyze wireless packets. The student will walk away with a set of analysis techniques focusing on the use of vendor-neutral, open source tools.

Course Outline

Wireshark
  • Perform unattended captures with auto-stop conditions
  • Apply a decryption key to reveal upper layer protocols for analysis
      ◦ Verify the key decrypted traffic
      ◦ Troubleshooting steps if decryption is unsuccessful
  • Capture and Display filter syntax
  • Statistics and graphs
  • Filter on addresses, protocols, fields or traffic characteristics
  • Filter on keywords using wildcards and regular expressions
  • Reassemble and extract files from captured traffic
  • Dissect and fix malformed packets
Command Line Tools
  • Aircrack-ng Suite
      ◦ Switch the capture adapter into monitor mode with Airmon-ng
      ◦ Capture with Airodump-ng
      ◦ Crack WPA/WPA2 passphrase keys with Aircrack-ng
      ◦ Inject packets with Aireplay-ng
  • Capinfos
  • Dumpcap
  • Editcap
  • Mergecap
      ◦ How to merge pcaps of a similar file type: cap, pcap, pcappi, pcapng, and kismet
  • Reordercap
      ◦ Reordering EAPOL handshakes
  • Tcpdump
      ◦ Filter on large pcaps
  • Tshark
      ◦ Streamline analysis, especially for large pcaps
      ◦ Traffic analysis to perform network mapping of access points of interest and associated clients, given a large pcap
      ◦ Extracting packets for a specific MAC/BSSID/SSID/etc. to a smaller file for analysis
  • Nmap
802.11 Capture and Analysis
  • 802.11 Operation Modes
      ◦ Device-to-Device (Ad hoc) Communication
      ◦ Basic Service Set (BSS)
      ◦ Basic Service Set Identifier (BSSID)
      ◦ Extended Basic Service Set (ESSID)
  • 802.11 MAC Layer Frame Types
      ◦ Management
      ◦ Control
      ◦ Data
  • 802.11 MAC Layer Frame Formats
      ◦ Frame Control
      ◦ To/From DS
      ◦ Addresses
      ◦ Filter random MAC addresses
  • 802.11 Address Types
      ◦ Transmitter vs. Source Address
      ◦ Receiver vs. Destination Address
  • 802.11 Operation and Frame Exchanges
      ◦ Beacons
      ◦ Probe Request/Response
      ◦ Authentication/ACK
      ◦ Association Request/Response
802.11 Security
  • WLAN Discovery Techniques
      ◦ Use Wireshark WLAN Statistics to correlate MACs to BSSIDs, and BSSIDs to SSIDs
  • How certain traffic appears coming across the network
      ◦ De-authing repeatedly
      ◦ Nmap scans
  • 802.11 Authentication and Key Exchange
      ◦ 802.1X/EAP exchanges
      ◦ Pre-Shared Key authentication
      ◦ Four-way handshake
      ◦ Group key exchange
  • Compare encrypted vs. decrypted traffic: what can be gained from each
Decrypted Protocol Analysis
  • Understanding the value of:
      ◦ User agent strings
      ◦ Port numbers
      ◦ Public vs. private addresses
  • Understanding what can be gained from:
      ◦ ARP & ARP Requests
      ◦ DHCP
      ◦ HTTP
Hardware used in class:

We cannot work with the general public. We only work with Government Agencies, Military, government contractors, and corporate clients.