WN Blog 025 – Hidden SSIDs

Hey!

Welcome to our first blog post of 2020! Happy new year to all 🙂

We wanted to kick off this year’s first blog post by looking at how secure a hidden SSID really is. We have been into a few customer environments recently where some of the SSIDs were hidden because the customer believed this was more secure.

Shout out to Mr. Andrew McHale for his explanation as to why we shouldn’t be hiding SSIDs:

“Some clients don’t probe for SSIDs, they rely on Beacons to decide what is available. If you hide the SSID in the Beacon then some clients won’t see SSID to connect to.

Others will try listening to beacons first and only probe if they don’t see the SSID they’re looking for. This wastes time.

On DFS channels the client has to listen for a Beacon or Probe Response before it probes itself. Normally Vocera clients always probe for the specific SSID we have programmed it for. But on DFS channels, to save that probing time, if we hear a Beacon supporting our SSID we will forego probing on that channel. If you hide the beacon we have to apply that extra 15ms for probing and dwelling on that DFS channel.”

To summarise what Andrew is saying: we should not be hiding SSIDs, because it can have a negative impact on client roaming and association.

Let’s now do some testing to see how secure hiding an SSID actually is, and what steps we have to take to find out the hidden SSID’s name – if that is even possible, of course 😉

For our tests today I will be using my Mist AP41 – connected back to my Mist Cloud dashboard. The SSID we will be trying to find is called “Matts_Hidden_SSID”. I will also be using the WLAN-Pi & Wireshark to capture wireless packets.

Here is how my SSID is configured on my Mist dashboard – we can clearly see the SSID name and that I have selected to hide the SSID.

[Screenshot: Mist dashboard, WLAN settings for “Matts Hidden SSID”. Recoverable settings: Security = WPA-2/PSK with passphrase; WLAN Status = Enabled, Hide SSID ticked; Radio Band = 2.4G and 5G; Data Rates = No Legacy (2.4G, no 11b); WiFi-6 = Enabled; Client Inactivity = drop inactive clients after 1800 seconds; Guest Portal = No portal (go directly to internet); VLAN = Untagged.]

Next, let’s take a look at what wireless channels my AP is using in the 5GHz band so I can configure my WLAN-Pi to capture on those channels.

[Screenshot: Mist Radio Management page for site “Matt Starling Home”: the 5 GHz radio is Enabled on channel 108+112 with a 40 MHz channel width at 17 dBm power; average noise -92 dBm.]

We can see in the above image that my AP is using a 40MHz wide channel & occupying channels 108 + 112. So we need to configure my WLAN-Pi to use those channels.

[Screenshot: SSH session to the WLAN-Pi (Debian Stretch / Armbian). The first attempt, `sudo iw wlan0 set channel 108 40MHz`, was rejected and iw printed its usage text because the width has to be given as an HT keyword; the second form was accepted:]

wlanpi@wlanpi:~$ sudo iw wlan0 set channel 108 HT40+
wlanpi@wlanpi:~$

Now that the WLAN-Pi was configured to listen on those channels, I was ready to start capturing some packets.

Let’s take a look at some of the packets that came flooding in. I could see my other SSID, “WiFi Ninjas”, which I had not set to be hidden, being broadcast in the beacon frames. Beacons for a second SSID were also coming from my Mist AP, but the SSID field in those was blank, so the hidden SSID name was not exposed – still pretty secure at this point 😉

[Screenshot: Wireshark (SSH remote capture) showing a run of Beacon frames from the Mist AP on 5540 MHz, RSSI -26/-28 dBm, all sent to Broadcast, 359/362 bytes long. The SSID column only ever shows “WiFi Ninjas”. Frame 653 (359 bytes) is expanded: Radiotap Header v0, 802.11 radio information, IEEE 802.11 Beacon frame, Fixed parameters (12 bytes), Tagged parameters (287 bytes) → Tag: SSID parameter set, Tag Number 0, Tag length 17, with all 17 SSID bytes shown as \000; Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54 [Mbit/sec] (0x8c, 0x12, 0x98, 0x24, …).]

How about if we filter on probe responses only, using the Wireshark display filter wlan.fc.type_subtype == 0x0005?

[Screenshot: Wireshark with the display filter wlan.fc.type_subtype == 0x0005 applied. Only Probe Response frames remain, sent from the Mist AP to my clients (shown by name as Matt_iPhoneX and Lenovo thanks to the name-resolution profile), on 5540 MHz, RSSI -26/-28 dBm, 353/356 bytes. The SSID column now shows both “WiFi Ninjas” and “Matts Hidden SSID”. The expanded 353-byte frame reads: Radiotap Header v0, Length 32; 802.11 radio information; IEEE 802.11 Probe Response; Fixed parameters (12 bytes); Tag: SSID parameter set: Matts Hidden SSID, Tag Number 0, Tag length 17, SSID: Matts Hidden SSID; followed by Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54 [Mbit/sec], DS Parameter set, Country Information, Power Constraint, TPC Report (Transmit Power 21), RSN Information, QBSS Load Element, Measurement Pilot Transmission and 802.11e CCA Version tags. The hex pane shows the string “Matts Hidden SSID” in clear.]

Ooooh, not quite so secure any more, is it? 🙂 We can now quite clearly see the SSID name in the SSID parameter set of the probe response, and that didn’t take much effort either, did it? There are a few requirements we need to meet to be able to see that probe response, though.

I associated to the SSID whilst capturing the packets, but if a client does not associate during your packet capture you won’t see the probe response, so you might have to send a de-auth or something like that – but that’s for another blog 😉
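To make the two Wireshark screenshots concrete, here is an added Python example (not code from the WiFi Ninjas post, and not tied to any particular AP vendor) that does in a few lines what the display filter and the packet-detail pane did above: it decodes the frame-control byte into Wireshark’s wlan.fc.type_subtype value, walks the tagged parameters of every beacon and probe response, and reports per BSSID what the SSID element contained in each frame type. The frames are constructed inline with locally administered (02:…) MAC addresses: one beacon carries a 17-byte null-filled SSID exactly as the Mist beacon did, the matching probe response carries “Matts Hidden SSID”, and a third constructed AP hides its SSID but was never probed during the “capture”, which models the caveat in the paragraph above. No capture file or wireless adapter is needed to run it.

```python
"""Audit 802.11 beacon / probe-response frames for hidden SSIDs.

Added example, not code from the original post. Layout follows IEEE 802.11
management frames: 24-byte MAC header, 12 bytes of fixed parameters
(timestamp, beacon interval, capabilities), then tagged parameters
(element ID, length, data). All sample frames below are constructed.
"""
import struct
from typing import Dict, Optional

# Wireshark's wlan.fc.type_subtype values: (type << 4) | subtype
BEACON = 0x08
PROBE_RESPONSE = 0x05
SSID_IE = 0          # element ID of the "SSID parameter set"
RATES_IE = 1         # element ID of "Supported Rates"
BROADCAST = b"\xff" * 6


def type_subtype(frame: bytes) -> int:
    """Decode frame-control byte 0: bits 2-3 = type, bits 4-7 = subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Walk the tagged parameters; stop cleanly at a truncated element."""
    ies: Dict[int, bytes] = {}
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2: off + 2 + elen]
        if len(data) < elen:
            break
        ies.setdefault(eid, data)   # keep the first occurrence of each element
        off += 2 + elen
    return ies


def describe_ssid(ie: Optional[bytes]) -> str:
    """Label the SSID element the way an analyst reads it in Wireshark."""
    if ie is None:
        return "<no SSID element>"
    if len(ie) == 0:
        return "<hidden: zero-length SSID>"
    if not any(ie):                  # every byte is \x00, as in the Mist beacon
        return "<hidden: %d null bytes>" % len(ie)
    return ie.decode("utf-8", errors="replace")


def build_mgmt(subtype: int, bssid: bytes, dst: bytes, ssid: bytes) -> bytes:
    """Construct a minimal beacon or probe response (no radiotap header)."""
    header = struct.pack("<BBH", subtype << 4, 0, 0) + dst + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capabilities
    ies = bytes([SSID_IE, len(ssid)]) + ssid
    # Supported Rates 6(B) 9 12(B) 18 24(B) 36 48 54 Mbit/s, as in the screenshots
    ies += bytes([RATES_IE, 8, 0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])
    return header + fixed + ies


def audit(frames) -> Dict[str, Dict[str, Optional[str]]]:
    """Per BSSID, what the SSID element said in beacons vs probe responses."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for frame in frames:
        kind = type_subtype(frame)
        if kind not in (BEACON, PROBE_RESPONSE):
            continue                     # data/control frames carry no SSID
        bssid = frame[16:22].hex(":")    # addr3 of a management frame
        ies = parse_ies(frame[24 + 12:])
        entry = report.setdefault(bssid, {"beacon": None, "probe_resp": None})
        entry["beacon" if kind == BEACON else "probe_resp"] = describe_ssid(ies.get(SSID_IE))
    return report


def leaked_hidden_ssids(report) -> Dict[str, str]:
    """BSSIDs that hide the name in beacons but give it away in a probe response."""
    leaked: Dict[str, str] = {}
    for bssid, e in report.items():
        beacon, probe = e["beacon"], e["probe_resp"]
        if beacon and beacon.startswith("<hidden") and probe and not probe.startswith("<"):
            leaked[bssid] = probe
    return leaked


# --- constructed sample capture (not real traffic) ---------------------------
AP_HIDDEN = bytes.fromhex("021122334455")   # hides its SSID; a client probed it
AP_OPEN = bytes.fromhex("02aabbccddee")     # broadcasts its SSID normally
AP_QUIET = bytes.fromhex("02deadbeef01")    # hides its SSID; nobody probed it
CLIENT = bytes.fromhex("020a0b0c0d0e")

SAMPLE_FRAMES = [
    build_mgmt(BEACON, AP_HIDDEN, BROADCAST, b"\x00" * 17),          # Tag length 17, all nulls
    build_mgmt(BEACON, AP_OPEN, BROADCAST, b"WiFi Ninjas"),
    build_mgmt(BEACON, AP_QUIET, BROADCAST, b""),                     # zero-length variant
    build_mgmt(PROBE_RESPONSE, AP_HIDDEN, CLIENT, b"Matts Hidden SSID"),
    build_mgmt(PROBE_RESPONSE, AP_OPEN, CLIENT, b"WiFi Ninjas"),
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"payload",                  # a data frame, ignored
]

if __name__ == "__main__":
    result = audit(SAMPLE_FRAMES)
    for bssid, e in result.items():
        print("%s  beacon=%-28s probe_resp=%s" % (bssid, e["beacon"], e["probe_resp"]))
    print("revealed by probe responses:", leaked_hidden_ssids(result))
```

To run this over a real capture, hand audit() the 802.11 frames with the radiotap header stripped (its length is the little-endian 16-bit value at bytes 2–3 of each packet). The report shows the quiet AP with probe_resp = None, which is the situation described above: no client probed during the capture, so nothing in the trace names that network, while leaked_hidden_ssids() lists every BSS whose hidden name a probe response handed out anyway.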

To summarise, then: hiding the SSID is not only insecure, it can also have a negative impact on roaming – next time I go to a customer site that has an SSID hidden, I will be sending them to this blog 😀

If you are new to Wireshark we did another blog last year on some useful filters which can be found here: https://wifininjas.net/index.php/2019/05/29/wn-blog-002-wireshark-filters/

I also have set up my own custom profiles, using a colour profile, my own custom columns, and a MAC-address-to-name mapping for known devices, which is how you see “Matt_iPhoneX” instead of my MAC address. If you want any help with setting up your Wireshark like this, feel free to give us a shout and we will help you.

Hope you enjoyed the blog post 🙂

x

WN Blog 016 – WiFi Tools

Hey!

I am putting this blog together to cover some of the wireless tools that we use or are highly recommended in the wireless community.

Many of you might already be aware of some of the tools in this blog but there might be some in here that you have not come across before that you could find quite useful.

We will kick things off with the WiFi tool we use the most, which is Ekahau.

Ekahau

If you are a wireless engineer then this is a must-have in your tool bag – we use it for everything – from designing wireless networks to troubleshooting them.

Ekahau is certainly rich in products & features so we will just cover them here quickly:

Ekahau Pro™ Site Survey Tool

“The industry standard tool for designing, analyzing, optimizing and troubleshooting Wi-Fi networks. It combines professional grade features with unprecedented ease of use and features a new, ultra-fast user interface which works on macOS and Windows. Ekahau Pro site survey supports all Wi-Fi access points, thousands of antennas and every Wi-Fi standard including 802.11ax (Wi-Fi 6).”

Ekahau Sidekick®

“All-in-one, precise Wi-Fi diagnostic and measurement device that contains two Wi-Fi radios and a spectrum analyzer used for professional Wi-Fi site surveys and troubleshooting. It delivers 2x faster site surveys, 4-10x faster spectrum analysis (compared to other Wi-Fi spectrum analyzers) and uses seven factory tested antennas which are placed in the optimum orientation to deliver precise and consistent measurement accuracy. It’s plug-and-plan, works with iPad, MacOS and Windows and supports all Wi-Fi standards, including the new 802.11ax (Wi-Fi 6).”

Ekahau Survey™ for iPad

“Ekahau Survey is the first professional grade Wi-Fi site survey tool for iPad. This solution is 70% lighter than using a laptop which helps you keep going all day. It’s intuitive and easy to use which means both Wi-Fi experts and IT professionals can now perform site surveys with ease. It automatically locates all nearby access points and places them on a map and delivers instant post-survey analysis with easy-to-read, beautiful crystal-clear heatmaps.”

Ekahau Capture™

“With Ekahau Capture you no longer have to invest into dedicated and expensive equipment or fallback on complex and unreliable methods to perform packet capture. Easily collect the data you need to conduct advanced troubleshooting and in-depth analysis of tough to diagnose Wi-Fi problems without waiting for a Wi-Fi expert. Ekahau Capture makes it possible for anyone to quickly capture Wi-Fi packets using Ekahau Sidekick.”

Ekahau Cloud™

“Choose a collaboration method that works best for you and your customers and easily switch between offline and cloud modes. Enjoy seamless collaboration between central office and field sites and make project sharing with your entire team simple and easy. Multiple people in the field can now work concurrently on the same project while critical data can be quickly shared with Wi-Fi experts anywhere in the world so they can help troubleshoot tough to solve problems without ever leaving the office.”

Ekahau works on both Windows & Mac.

With Ekahau Connect you can survey on iPad – iOS.

Link to Ekahau website – https://www.ekahau.com

Ekahau does cost money – to get a quote from a reseller in the UK contact Open Reality – https://www.openreality.co.uk/

Twitter

  • @Ekahau
  • @OpenRealityUK

Protocol Analysis Tools

Wireshark

“Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.”

Wireshark works on both Windows & Mac.

Wireshark is a free tool.

Wireshark website – https://www.wireshark.org/

Twitter – @WiresharkNews

OmniPeek

OmniPeek is also a protocol analyser and a very nice wireless tool for protocol analysis – but unlike Wireshark it is not a free tool.

OmniPeek Overview:

Real-Time Network Protocol Analyzer

  • Decoding over 1,000 protocols, Omnipeek provides real-time analysis for every type of network segment – 1/10/40/100 Gigabit, 802.11, and voice and video over IP – and for every level of network traffic.

Intuitive Graphic Displays and Visualization

  • Omnipeek network protocol analyzer delivers intuitive visualization and effective forensics for faster resolution of network and application performance issues and security investigations.

Best-In-Class Network Analysis Workflow

  • Widely recognized as the best network analysis workflow in the industry, Omnipeek makes it easy to drill down, look across, compare, discover, and ultimately reduce mean-time-to-resolution (MTTR).

Monitor Distributed Networks Remotely

  • Using LiveCapture with Omnipeek extends network monitoring and visibility for troubleshooting of application-level issues at remote sites and branches, WAN links, and data centers.

Easy WiFi Troubleshooting

  • The Omnipeek WiFi adaptor is a USB-connected WLAN device designed for wireless packet capture. The 802.11ac adapter supports 802.11ac capture up to 2 transmit/receive streams (866Mbps wireless traffic) and supports 20MHz, 40MHz, and 80MHz channel operation.

Omnipeek only works on Windows.

Omnipeek Website: https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/

Twitter:  @omnipeek

WinFi

WinFi Lite is a new networking program and app for Microsoft Windows devices designed to monitor, analyze, and manage wireless networks. The application is available as a Microsoft Store application and as a classic desktop application.

WinFi Lite Overview:

Perfect for quick Wi-Fi troubleshooting. Your dreams of doing Wi-Fi analysis while mobile have come true: WinFi and a Windows 10 tablet of your choice make for convenient on-the-go analysis.

Familiar element decoding. No steep learning curve. WinFi leverages familiar structure and naming guidelines found in Wireshark.

Networks are analyzed for standards violations and malformed elements. WinFi will let you know if there are inconsistencies. Plus, you can open networks from WinFi directly in Wireshark.

Outstanding grouping, filtering and sorting capabilities. WinFi has powerful and best in class grouping, filtering and sorting capabilities.

Group, filter and sort by any information you want. Set filter and grouping thresholds for signal values, use regular expressions for text searches, and much more.

WinFi Lite works on Windows only.

There are free & paid versions of this tool.

Twitter: @HelgeKeck

Website: http://www.helge-keck.com/

WiFi Explorer

Simple, intuitive user interface

  • WiFi Explorer gathers configuration and capability information about all the networks it discovers and presents it on an easy-to-use, intuitive user interface. Information includes network name (SSID), BSSID, vendor, country code, channel, band, security configuration, supported data rates, number of streams, and much more.

  • Additional viewing options in WiFi Explorer Pro let you organize scan results by SSID, access point or access point radio to better visualize multiple networks per access point.

Resolve Wi-Fi issues

  • With WiFi Explorer, you can find the best channel for your network or determine a better placement for your access point. You can also identify channel conflicts, overlapping or configuration issues that may be affecting the connectivity and performance of your wireless network.

  • Expert information, available in WiFi Explorer Pro, such as per-channel beacon overhead, gives you a general overview of the Wi-Fi environment to better plan your network installation or mitigate existing problems.

Get a full insight into Wi-Fi networks

  • WiFi Explorer has been developed with the support and feedback of Wi-Fi experts. Its ease of use and advanced features, such as the ability to decode network information, access point name discovery or enhanced filtering, give you a full insight into the capabilities and configuration details of wireless networks.

  • Other advanced features include the ability to find and display information about hidden networks, support for external Wi-Fi adapters, Zigbee integration, and much more.

Spectrum Analysis Integration

  • WiFi Explorer Pro’s spectrum analysis integration lets you visualize RF information and correlate it with Wi-Fi data to identify non-802.11 energy sources and better understand the effects of interference and channel utilization on your wireless network. Compatible spectrum analyzers:

  • MetaGeek’s Wi-Spy 2.4x (Version 2) & Wi-Spy DBx
  • Ekahau Spectrum Analyzer
  • RF Explorer Wi-Fi Combo
  • Ubertooth One
  • HackRF One (Experimental)

WiFi Explorer works only on Mac.

There are free & paid versions of this tool.

Download link for WiFi Explorer: Here

Twitter:  @adriangranados 

Wireless Sensors / Packet Capture devices

Kubicon

The Kubicon system consists of two components: a cloud-based dashboard and a hardware Wi-Fi sensor that mimics end-user Wi-Fi behaviour.

All that needs to be done to deploy the solution is to perform the configuration on the cloud console, which is the central point of management and reporting, and to deploy sensors across the desired environment.

The solution monitors a number of important factors such as Wi-Fi signal quality, bandwidth capacity, network services, web applications, etc. from the wireless end user’s perspective. Additionally, it calculates an overall Wi-Fi client experience score based on these values. All metrics are available in real time on the cloud dashboard or on demand in the form of reports, which in turn can be exported to multiple easy-to-read formats. Based on this architecture and these features, we are able to detect current issues and predict possible problems in the future.

One of the most frequent issues we have experienced in Wi-Fi environments was related to guest Wi-Fi networks, particularly the lack of (proactive) monitoring and analytics of captive portals.

That’s why we are very proud that we managed to develop comprehensive Wi-Fi captive portal testing and monitoring, with features such as:

  1. Landing page responsiveness
  2. Identification of excessive time taken to load the landing page
  3. Real-time authentication – which helps to identify backend issues during constant client authentication checks

Website: https://kubicon.io/

WLAN-Pi

“The WLAN Pi project started in 2016 at WLPC. The goal was to create a portable, ready-to-use device that could function as a network endpoint for measuring network performance and throughput.

Since then, it has been widely embraced in the awesome wireless community and after many contributions, this tiny box has evolved well beyond a network performance testing device.

Today, it can also be used as a remote Wi-Fi scanner, packet capture tool, portable Wi-Fi signal generator and much more! These capabilities assist wireless professionals with designing better wireless networks, troubleshooting issues more quickly, and validating wireless network performance.”

WLAN Pi | Handheld Edition

What’s included:

  • NanoPi Computer
  • Comfast CF-912AC NIC
  • USB -Micro to USB-C cable
  • USB-C to USB-A Adapter
  • Handheld – custom 3D Printed Case
  • Preloaded with WLAN pi version 1.8.3
  • Assembled and tested
  • Support for WLAN pi team

Websites:

Twitter:

  • @wlanpi
  • @wifinigel
  • @jolla

Net Ally AirCheck G2

AirCheck G2 offers a one-button AutoTest function that quickly provides a pass/fail indication of Wi-Fi network quality and identifies common problems.

Test the latest Wi-Fi standards (including 802.11ax), with a rugged, handheld, purpose-built wireless tester.

See all networks and devices in your location immediately upon power-up.

View test results, including network availability, connectivity, utilization, throughput, security settings, possible rogues, and interferers.

Automate reporting and enable collaboration by uploading and managing test results via the Link-Live Cloud Service.

Twitter: @NetAlly

Website – https://www.netally.com/products/aircheck/

Metageek – Wi-Spy

Powerful Dual-Band Spectrum Analysis

Chanalyzer Essential includes Wi-Spy DBx, a powerful dual-band spectrum analyzer that measures WiFi and non-WiFi activity in both the 2.4 GHz and 5 GHz bands. Chanalyzer utilizes radio frequency data from Wi-Spy DBx to provide you with a real-time visual overview of your WiFi network environment.

Locate Sources of Interference

Once you’re able to see interference, the next step is to eliminate it. Unlike the omnidirectional WiFi antenna in your laptop or wireless adapter, a directional antenna is highly focused to pinpoint non-WiFi sources of interference. This allows you to actively seek out and remove loud transmitters from your WiFi environment.

Monitor Channel Saturation and Intermittent Interferers

By graphing every access point within reach and pairing it with the raw RF information provided by Wi-Spy, Chanalyzer provides you with all the information you need to monitor and manage saturated channels. The built-in recording feature even allows you to track the most frustrating WiFi problem – intermittent interference – and come up with a plan to eliminate it for good.

Twitter: @metageek

Website: https://www.metageek.com/products/wi-spy/

Mobile devices

iOS

WiFi diagnostics with Apple iOS13:

We found this through Dan Jones so thank you to Dan! His twitter is: @UKDanJones

You need to install the developer profile from here:  https://developer.apple.com/bug-reporting/profiles-and-logs/

  • Scroll to bottom
  • Find Wi-Fi for iOS
  • log in “as a developer” but you can use your usual Apple account
  • Once you’ve loaded the profile you connect to an SSID, click the ‘i’ icon next to it & choose Diagnostics.

This profile gives you access to previously hidden/inaccessible menus & functions in your iOS.

  • BSSID
    • Identifies the Access Point the iPhone is currently connected to
  • Channel
    • Tells you on which channel the Access Point operates and with which channel width (e.g. 80 MHz)
  • Signal Strength
    • Signal Strength (RSSI in dBm) with color indication and written indicator (e.g. Strong, Moderate, Weak)
    • Below you’ll see an indication of how the channel utilization is being rated/seen
  • Security
    • Information on how the wireless network is secured, e.g. “WPA3 Personal”
  • Captive
    • Information if you go through a Captive Portal to connect to the network
  • Deployment
    • Information if the Wireless LAN operates with multiple Access Points (Multi AP) or a single AP (Single AP)
  • Motion
    • Stationary (the iPhone doesn’t move e.g. stationary on the desk)
    • Moving (the iPhone is being held in hand)
    • Walking (the iPhone moves with walking speed)
    • Running (the iPhone moves with running speed (also happens if you jump with the device))

Connectivity

  • Gateway
    • Information on how much time it takes to get to your Gateway
  • Internet
    • Information on how much time it takes to get to the internet (apple.com)

Coexistence

  • AWDL Mode
    • AWDL stands for “Apple Wireless Direct Link” and is used for AirDrop
    • Active or Inactive
  • Bluetooth
    • Idle
  • Scan
    • Active or Inactive
    • Directly below you’ll find an indication which application triggered the last scan e.g. location and when this happened

Website: https://dokuwiki.alu4u.com/doku.php?id=stellar-wireless-apple-ios-ios13-wireless-diagnostics

Airport Utility

This is a great app on iOS to show you the RSSI from the device perspective but once you have installed the application you need to go into the settings and enable the WiFi scanner:

Airport Utility Settings

Example of the information we can see using Airport Utility: 

Airport Utility

Android

Aruba utilities

Aruba Utilities

 

Aruba Utilities includes a number of tools useful for characterizing and troubleshooting wireless LANs from Aruba Networks. Some tools work with any WLAN, others are clients for Aruba’s AirWave management system, Analytics & Location Engine (ALE) and Mobility Controllers.

Aruba Utilities includes:

• A Wi-Fi Monitor showing the Wi-Fi environment, including the current access point, dynamic signal strength and RSSI measurements, other access points audible to the device and handover events.

• A Telnet/SSH client that works with Aruba mobility controllers, allowing network configuration and monitoring from a mobile platform.

• An AirWave client that downloads the floorplan image and AP details from the network’s AirWave WLAN management system. See where APs are located relative to your position, and touch AP icons for details of current loading, channels and power.

• The AirWave client also offers a locally-generated estimated heatmap and a site survey function that links actual coverage measurements to locations on the floorplan.

• Device information (Wi-Fi, IP, DHCP, cellular status) is displayed along with an implementation of the Airwave Management Client (AMC) that reports device information and scanned APs to your AirWave WLAN management system.

• A Bluetooth Low Energy (BLE) scanner reports nearby iBeacons and other BLE devices with UUID, index values and signal strength measurements.

• Android versions of iPerf, Ping, DNS and mDNS offer network test functionality.

• Measurements are written to a plain-text log file and various csv report files that can be emailed for use later.

WiFi Manager

WiFiMan

 

WiFi Manager is ideal for analyzing nearby Wi-Fi networks and Bluetooth LE devices, device discovery, and network speedtests. These features are conveniently accessed through the sleekly designed UI created by Ubiquiti Networks. WiFiman contains no ads and is free of charge.

WiFiman helps you locate a less crowded channel for your Wi-Fi Access Point. It lists nearby Wi-Fi channels and Bluetooth LE devices and shows you the details of those channels.

With the app, you can easily list and analyze devices connected to your current network. WiFiman scans the whole network subnet and shows you all of the available devices with the applicable details, using Bonjour, SNMP, NetBIOS, and UBNT discovery protocols.

Another core feature is the network speed test. You can test the speed of your internet connection and save the results for later comparison – or quickly share the results.

Revolution WiFi

Capacity Planner

‘How Many APs Do I Need?’

No more guessing based on device counts
or rule-of-thumb cell sizing



Quickly Analyze ‘What-If’ Scenarios

Determine the best design for your network by adjusting AP and client device types, channel width, client mix, and applications on-the-fly

Capacity Analysis (new in version 2.0!)

Visualize capacity utilization and the impact caused by client devices with varying capabilities. Data is shown by:

  • Protocol version

  • Frequency band

  • Application type (data, voip/real-time)

  • Spatial streams

  • Channel width

Mesh Network Planning


Plan 5 GHz single-channel mesh networks to determine how many root nodes are necessary to meet capacity requirements and the per-hop mesh network performance. Use an existing client capacity plan or manually configure mesh network capacity requirements.




Multiple Uses

Use the Capacity Planner for predictive WLAN design, Wi-Fi training and education, RFP proposals, project scoping, and creating a bill of materials (BOM)

 

Airtime vs Association

Forecast WLAN capacity based on
either client airtime demand or association limits per-AP radio


Iterative Design Approach

Use Capacity Planner in conjunction with RF planning tools in an iterative approach to derive a design that meets both coverage and capacity requirements

 

 

Website: https://www.revolutionwifi.net/capacity-planner 

Twitter: @revolutionwifi

 

#######################################################################################################

That’s all the WiFi Tools for now that we are going to cover – if you use any WiFi Tools that we have not included in this blog post please leave a comment or reach out to us and we will update the post to include!

🙂

WN Blog 012 – Can You Crack 802.1X WPA2-Enterprise Wireless Data?

One of our clients recently approached me with concerns about the new WiFi network we were planning to put in. They were coming from a wired-only environment and were not sure whether introducing EAP-TLS based corporate wireless was a good and safe idea. Additionally, while preparing for my CWAP exam I heard in one of the course videos that “you can’t decrypt 802.1x EAP, as there is no known key that we can enter to start 4-way handshake”. But is that really the case?

I will answer this question by first recapping the 802.1X EAP authentication framework, which will help us understand the conditions that must be met, and the steps taken, to decrypt WPA2-Enterprise data.

Modern WPA2-Enterprise networks protect their data frames with CCMP (AES) whichever EAP method authenticated the client; EAP itself only establishes the key material. Instead of attacking the cipher, we will focus on capturing the RADIUS packets on the wire and extracting the PMK from that transaction (the authentication server hands it to the AP inside the Access-Accept). We will then capture the 4-way handshake to get the ANonce and SNonce and use them, together with the PMK, Supplicant MAC and Authenticator MAC, to derive the PTK (Wireshark can do this for us) that decrypts the wireless session.

802.1X EAP Recap

IEEE 802.1X is a standard for port-based Network Access Control. It provides an authentication mechanism (making sure that something is what it claims to be) for devices wishing to connect to a LAN or WLAN. 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as EAP over LAN (EAPOL), and three roles: Supplicant (client), Authenticator/NAS (AP) and Authentication Server (RADIUS). A successful EAP transaction starts the 802.11 security key generation process that I have tried to visualise in the diagram below, together with 802.11 Open Authentication, 802.11 Association, the tunnelled EAP authentication and the 4-Way Handshake. Strictly, only the EAPOL encapsulation is 802.1X; the handshake and key hierarchy come from 802.11i (RSN), but the whole chain is what the decryption steps below depend on.

802.1X EAP and 802.11 Security Keys Generation Process

Conditions

The following conditions must be met to decrypt 802.1X EAP encrypted captures:

1. RADIUS key must be known

  • Brute force against the RADIUS capture is an option (the Response Authenticator and the Message-Authenticator attribute are both computed with the shared secret, so a captured exchange can be attacked offline), but a strong RADIUS key makes it impractical. Make sure the key is strong!
  • Social engineering attack – get a network engineer’s contact details and ask him/her for the RADIUS key, saying you’re from the NOC troubleshooting an issue or a contractor upgrading the RADIUS server, and see what happens. Make sure staff are trained to handle social engineering attacks and that contact details like phone numbers, e-mail addresses and positions within the company are well protected!
  • Access to the RADIUS server – some mainstream RADIUS servers (MS NPS, FreeRADIUS) store the key unencrypted in a file (for FreeRADIUS that is clients.conf), and Cisco ISE can show you the password once you’re logged in. Make sure access to the RADIUS servers and their logon credentials is properly secured!

2. Wireless capture of the session that we want to decrypt must be taken

  • The capture must include the 4-way handshake, so it must contain frames from both the client and the AP, meaning the potential attacker needs to be within radio range of both.

3. Wired capture of RADIUS authentication must be taken

  • Capturing the RADIUS authentication on the wire is essential: the PMK is never sent over the air, so it cannot be sniffed wirelessly. We’ll extract it from the wired RADIUS capture.
  • Capturing RADIUS traffic would require physical access to the LAN to plug a collector into or access to the network infra to configure SPAN. Make sure that the admin access to the network equipment is secure and that all infrastructure is physically locked!

Lab Environment

Here is the lab setup and capture locations (both wired and wireless):

  • Wireless Captures: Cisco AP in sniffer mode placed between my wireless test client and client serving AP, configured to send captures to my Windows Server VM running Wireshark.
  • Wired Captures: Cisco switch with SPAN monitoring session and port facing my ESXi server (with Cisco ISE RADIUS VM running there) being a SPAN source and switch port facing my laptop being a SPAN destination.
Lab Network Diagram

Steps

Here is a high-level summary of what we need to do to decrypt our WPA2-Enterprise wireless session:

  • Extract the PMK from the wired RADIUS capture using the RADIUS Shared Secret, the Request Authenticator of the final Access-Request (the one the Access-Accept answers) and the MS-MPPE-Recv-Key attribute from the Access-Accept.
  • Capture 4-Way Handshake with wireless captures.
  • Use extracted PMK and 4-Way Handshake to derive PTK with Wireshark and use it to decrypt user data.

Note: the PTK is valid only for the duration of a single association. A session timeout, new association or re-association (roaming) means a new 4-way handshake and therefore a new PTK to derive; unless PMK caching keeps the old PMK alive, it also means a fresh EAP exchange and a new Access-Accept to capture on the wire!

Assuming all conditions are met, let’s crack on!

1. Obtain RADIUS key

  • Since I’m using ISE, here is where I would look to get it:
RADIUS key configured in Cisco ISE

2. Start capturing wireless traffic of interest

  • Position capturing device so it can capture both wireless client and AP traffic.

3. Start capturing wired RADIUS traffic between the Authentication Server and the Authenticator

  • Ensure to capture full RADIUS exchange for the wireless device authentication.

4. Connect wireless device to the EAP SSID

  • If it’s your test device, disconnect and then connect again.
  • If it’s not your test device, you could try to force it to re-connect by sending a de-auth; this only works if the SSID does not use Protected Management Frames (802.11w), which most WPA2 networks still leave off for compatibility reasons (WPA3 makes PMF mandatory).

5. Obtain Authenticator from the last Access-Request packet in wired RADIUS capture

  • Go to RADIUS Protocol > Authenticator.
  • Here it’s 00:0d:42:73:f6:19:5c:d3:88:73:cf:b3:2c:76:5d:16 (you can copy value in hex straight from the capture).
Authenticator value from Access-Request wired RADIUS capture

6. Obtain MS-MPPE-Recv-Key from the Access-Accept packet in wired RADIUS capture

  • Go to RADIUS Protocol > Attribute Value Pairs > AVP: t=Vendor Specific (the last one: Microsoft vendor ID 311, vendor type 17 is MS-MPPE-Recv-Key; type 16 next to it is MS-MPPE-Send-Key, which we don’t need).
  • Here it’s cf:6f:b5:06:da:57:b1:9c:e4:6d:76:af:93:51:59:7e:2c:f8:cd:79:c6:2b:e1:a5:4f:ab:28:bd:ed:d3:81:d3:a9:57:dd:74:f8:d1:41:b8:ec:50:ea:d7:27:75:85:d3:1e:d3
MS-MPPE-Recv-Key value from Access-Accept wired RADIUS capture

7. Compile PMKextract code, that we will use to extract PMK

  • I used Visual Studio on Windows to build the code below. There are also Python versions of similar code available, but since I already had Visual Studio and it worked, I focused on this approach.
  • Create a new C++ project/file in Visual Studio and paste this code:
// PMKextract: recovers the PMK from the MS-MPPE-Recv-Key attribute of a RADIUS
// Access-Accept, given the RADIUS shared secret and the Request Authenticator of
// the Access-Request it answers (RFC 2548 section 2.4.3). MD5 comes from the
// Windows CryptoAPI so the tool builds in Visual Studio without extra libraries.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

#define _WIN32_WINNT 0x0400
#include <wincrypt.h>

typedef unsigned int u32;
typedef unsigned char u8;

//
// This debugging function can be found in wpa_debug.c from the hostap package
//
//extern void wpa_hexdump_key(int level, const char *title, const u8 *buf, size_t len);

#define os_malloc(s) malloc((s))
#define os_free(p) free((p))
#define os_memcpy(d, s, n) memcpy((d), (s), (n))
#define MD5_MAC_LEN 16

// Print the last CryptoAPI error with its system message text (first line only)
static void cryptoapi_report_error(const char *msg)
{
    char *s, *pos;
    DWORD err = GetLastError();

    // FormatMessageA: the buffer is a char string whatever the project's character set
    if (FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                       FORMAT_MESSAGE_FROM_SYSTEM,
                       NULL, err, 0, (LPSTR) &s, 0, NULL) == 0) {
        // No message text available; s is not valid here, so stop after the code
        printf("CryptoAPI: %s: %d\n", msg, (int) err);
        return;
    }

    pos = s;
    while (*pos) {
        if (*pos == '\n' || *pos == '\r') {
            *pos = '\0';
            break;
        }
        pos++;
    }

    printf("CryptoAPI: %s: %d: (%s)\n", msg, (int) err, s);
    LocalFree(s);
}

// Hash the concatenation of num_elem buffers with the given CryptoAPI algorithm
int cryptoapi_hash_vector(ALG_ID alg, size_t hash_len, size_t num_elem,
                          const u8 *addr[], const size_t *len, u8 *mac)
{
    HCRYPTPROV prov;
    HCRYPTHASH hash;
    size_t i;
    DWORD hlen;
    int ret = 0;

    // CRYPT_VERIFYCONTEXT: we only hash, so no persistent key container is needed
    if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
        cryptoapi_report_error("CryptAcquireContext");
        return -1;
    }

    if (!CryptCreateHash(prov, alg, 0, 0, &hash)) {
        cryptoapi_report_error("CryptCreateHash");
        CryptReleaseContext(prov, 0);
        return -1;
    }

    for (i = 0; i < num_elem; i++) {
        if (!CryptHashData(hash, (BYTE *) addr[i], (DWORD) len[i], 0)) {
            cryptoapi_report_error("CryptHashData");
            CryptDestroyHash(hash);
            CryptReleaseContext(prov, 0);
            return -1;   // must not keep using the released handles
        }
    }

    hlen = (DWORD) hash_len;
    if (!CryptGetHashParam(hash, HP_HASHVAL, mac, &hlen, 0)) {
        cryptoapi_report_error("CryptGetHashParam");
        ret = -1;
    }

    CryptDestroyHash(hash);
    CryptReleaseContext(prov, 0);

    return ret;
}

int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
    return cryptoapi_hash_vector(CALG_MD5, 16, num_elem, addr, len, mac);
}

// RFC 2548 key recovery. key = 2-byte salt + 16-byte ciphertext blocks.
// Block 1 is XORed with MD5(secret + request authenticator + salt), every later
// block with MD5(secret + previous ciphertext block). The plaintext starts with
// a one-byte key length, followed by the key and zero padding.
static u8 * decrypt_ms_key(const u8 *key, size_t len,
                           const u8 *req_authenticator,
                           const u8 *secret, size_t secret_len, size_t *reslen)
{
    u8 *plain, *ppos, *res;
    const u8 *pos;
    size_t left, plen;
    u8 hash[MD5_MAC_LEN];
    int i, first = 1;
    const u8 *addr[3];
    size_t elen[3];

    //wpa_hexdump_key(1, "key", key, len);
    //wpa_hexdump_key(1, "secret", secret, secret_len);
    //wpa_hexdump_key(1, "auth", req_authenticator, MD5_MAC_LEN);

    if (len < 2 + 16)
        return NULL;

    pos = key + 2;
    left = len - 2;
    if (left % 16) {
        printf("Invalid ms key len %lu\n", (unsigned long) left);
        return NULL;
    }

    plen = left;
    ppos = plain = (u8 *) os_malloc(plen);
    if (plain == NULL)
        return NULL;
    plain[0] = 0;

    while (left > 0) {
        addr[0] = secret;
        elen[0] = secret_len;
        if (first) {
            addr[1] = req_authenticator;
            elen[1] = MD5_MAC_LEN;
            addr[2] = key;
            elen[2] = 2; /* Salt */
        } else {
            addr[1] = pos - MD5_MAC_LEN;
            elen[1] = MD5_MAC_LEN;
        }
        if (md5_vector(first ? 3 : 2, addr, elen, hash) < 0) {
            os_free(plain);
            return NULL;
        }
        first = 0;

        for (i = 0; i < MD5_MAC_LEN; i++)
            *ppos++ = *pos++ ^ hash[i];
        left -= MD5_MAC_LEN;
    }

    // A wrong secret or the wrong Request Authenticator shows up here as a
    // nonsensical length byte
    if (plain[0] == 0 || plain[0] > plen - 1) {
        printf("Failed to decrypt MPPE key\n");
        os_free(plain);
        return NULL;
    }

    res = (u8 *) os_malloc(plain[0]);
    if (res == NULL) {
        os_free(plain);
        return NULL;
    }
    os_memcpy(res, plain + 1, plain[0]);
    if (reslen)
        *reslen = plain[0];
    os_free(plain);
    return res;
}

// Turn "aa:bb:cc:..." (the form Wireshark copies) into bytes; returns the number
// of bytes written and never writes more than max_len
static size_t hexTokensToBytes(char *text, u8 *out, size_t max_len)
{
    size_t i = 0;
    char *ptr = strtok(text, ":");
    while (ptr && i < max_len) {
        out[i++] = (u8) strtoul(ptr, NULL, 16);
        ptr = strtok(NULL, ":");
    }
    return i;
}

void dumpPmk(const u8 *pmk, size_t pmklen)
{
    printf("PMK is:\n");
    for (size_t i = 0; i < pmklen; i++)
        printf("%02x", pmk[i]);
    printf("\n");
}

int main(int argc, char *argv[])
{
    if (argc != 4) {
        printf("Usage: %s secret authenticator recv-key\n", argv[0]);
        return 1;
    }

    // 16 bytes as "xx:xx:...": 32 hex digits + 15 colons
    if (strlen(argv[2]) != 47) {
        printf("Bad authenticator length\n");
        return 1;
    }

    // 50 bytes (2-byte salt + 48 bytes of ciphertext, enough for a 32-byte PMK)
    // as "xx:xx:...": 100 hex digits + 49 colons
    if (strlen(argv[3]) != 149) {
        printf("Bad recv-key length\n");
        return 1;
    }

    u8 processedAuthenticator[16];
    u8 processedRecvKey[50];
    u8 *pmk;
    size_t pmklen = 0;

    if (hexTokensToBytes(argv[2], processedAuthenticator, sizeof(processedAuthenticator)) != 16 ||
        hexTokensToBytes(argv[3], processedRecvKey, sizeof(processedRecvKey)) != 50) {
        printf("Authenticator or recv-key is not well-formed colon-separated hex\n");
        return 1;
    }

    pmk = decrypt_ms_key(processedRecvKey, sizeof(processedRecvKey),
                         processedAuthenticator,
                         (const u8 *) argv[1], strlen(argv[1]), &pmklen);
    if (pmk == NULL) {
        printf("Could not recover the key: check the shared secret, and that the\n"
               "Authenticator comes from the Access-Request this Access-Accept answers\n");
        return 1;
    }

    dumpPmk(pmk, pmklen);   // 32 bytes for WPA2-Enterprise; paste into Wireshark as wpa-psk

    os_free(pmk);

    return 0;
}
  • Save .cpp file. I saved it as “PMKextract.cpp”:
 Adding PMKextract.cpp to the Solution Explorer
  • If you try to build it now, you’d probably see the error:
Unsafe function or variable warning
  • To allow project to build successfully, add _CRT_SECURE_NO_WARNINGS under Project -> Properties -> C/C++ -> Preprocessor -> Preprocessor Definitions:
Allow project built by modifying Preprocessor Definitions
  • Build > Build project should now be successful:
Successful build of the PMK extracting code

I then copied compiled ‘Project1.exe’ file to C:\Geekwifi and renamed it to ‘PMKextract.exe’.

8. Extract PMK

  • Navigate to the location of your PMKextract.exe file. It takes all required attributes as shown:
PMKextract usage
  • Get the PMK:
Extracting PMK using all values that we gathered: RADIUS secret, authenticator and Recv-Key

9. Specify decryption key in wireless captures in Wireshark

  • Finally, open the wireless capture and add the extracted PMK as a key of type wpa-psk. Wireshark accepts the 64 hex characters of the PMK in that slot, which is exactly what we recovered; no SSID or passphrase is needed.
Provide Wireshark with extracted PMK in ‘Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys > Edit’

10. Enjoy decrypted wireless captures!

  • We can see all the usual stuff – probes, authentication and association requests and responses, EAP process with EAP Success at the end, 4-way handshake and then decrypted data. Happy days!
Decrypted 802.1X WPA2-Enterprise session
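The same recovery in pure Python, as an added example that is not the PMKextract.cpp from the post above: it implements the RFC 2548 MS-MPPE key decryption with nothing but hashlib, then carries on with the two things the post delegates to Wireshark, deriving the PTK from PMK, MAC addresses and nonces, and checking the derived KCK against the MIC on message 2 of the 4-way handshake. That MIC check is the test a practitioner wants before trusting a recovered PMK: a wrong shared secret or the wrong Access-Request usually shows up as a bad length byte, but a MIC match is the proof. Every value in the block (the shared secret, the PMK, the MAC addresses, the nonces, the EAPOL-Key message 2) is constructed for the example; only the Request Authenticator hex string is the one shown in step 5, reused purely as parsing input. The function names are mine, not from any library.

```python
# Added example, not the post's PMKextract.cpp: RFC 2548 key recovery, 802.11 PTK
# derivation and the EAPOL-Key MIC check. All input values are constructed; the
# request authenticator string only reuses the post's step-5 value as parser input.
import hashlib
import hmac

def parse_colon_hex(text: str) -> bytes:
    """Accept the 'aa:bb:cc' form you get when copying a field from Wireshark as hex."""
    return bytes.fromhex(text.replace(":", ""))

def mppe_decrypt(secret: bytes, request_authenticator: bytes, attr_value: bytes) -> bytes:
    """RFC 2548 2.4.3: attr_value = 2-byte salt + 16-byte blocks. Block 1 is XORed with
    MD5(S + R + A) (S secret, R Request Authenticator, A salt), block i with
    MD5(S + c(i-1)); the plaintext starts with a one-byte key length."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    salt, ct = attr_value[:2], attr_value[2:]
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(ct), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ p for c, p in zip(ct[i:i + 16], pad))
        prev = ct[i:i + 16]
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("bad length byte: wrong shared secret or wrong Access-Request?")
    return bytes(plain[1:1 + key_len])

def mppe_encrypt(secret: bytes, request_authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """Inverse of mppe_decrypt, used only to build a test attribute the way a RADIUS
    server does (length byte, key, zero padding to a 16-byte boundary)."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], pad))
        out += block
        prev = block
    return salt + bytes(out)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n on HMAC-SHA1, as used by the WPA2 AKMs 00-0F-AC:1 and :2."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(nonces)).
    For CCMP the 48 bytes are KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

MIC_OFFSET = 4 + 77  # EAPOL header (4) + Key Descriptor fields that precede Key MIC (77)

def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (HMAC-SHA1-128) over the frame with the MIC zeroed."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def pmk_matches_handshake(pmk, aa, spa, anonce, snonce, msg2: bytes) -> bool:
    """The check before loading a PMK into Wireshark: does it reproduce the MIC the
    supplicant put on message 2 of the 4-way handshake?"""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_key_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])

def build_msg2(kck: bytes, snonce: bytes, replay_counter: int = 1) -> bytes:
    """Minimal EAPOL-Key message 2 (no key data) with a valid MIC; constructed for the demo."""
    body = bytes([2])                                  # descriptor type: RSN
    body += (0x010A).to_bytes(2, "big")                # key info: version 2, pairwise, MIC
    body += (16).to_bytes(2, "big")                    # key length (CCMP TK)
    body += replay_counter.to_bytes(8, "big")
    body += snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, reserved
    body += bytes(16) + (0).to_bytes(2, "big")         # MIC placeholder, key data length
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X v2, EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]

# Constructed lab values (in practice they come from the Access-Request/Accept and the handshake)
SECRET = b"lab-shared-secret"
REQ_AUTH = parse_colon_hex("00:0d:42:73:f6:19:5c:d3:88:73:cf:b3:2c:76:5d:16")
PMK = bytes(range(32))
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes([0x11]) * 32, bytes([0x22]) * 32

def recover_and_verify() -> bytes:
    """Encrypt the PMK as the server would, recover it as the attacker would, verify it."""
    recv_key = mppe_encrypt(SECRET, REQ_AUTH, PMK, salt=b"\x80\x01")  # 50 bytes, like step 6
    pmk = mppe_decrypt(SECRET, REQ_AUTH, recv_key)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(ptk[:16], SNONCE)
    assert pmk_matches_handshake(pmk, AA, SPA, ANONCE, SNONCE, msg2)
    return pmk

if __name__ == "__main__":
    print("PMK (paste into Wireshark as a wpa-psk key):", recover_and_verify().hex())
```

Against a real capture, feed mppe_decrypt the shared secret, the Authenticator from the last Access-Request and the 50-byte attribute value from the Access-Accept, then take AA, SPA and the nonces from messages 1 and 2 and pass the whole EAPOL frame of message 2 to pmk_matches_handshake; a False there means you decrypted the wrong Access-Accept for that association, or the handshake belongs to a different session.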

Conclusion

A properly configured and physically secured WPA2-Enterprise wireless network, especially where client and server certificates are involved, is still considered highly secure. Specific conditions must be met to decrypt an 802.1X EAP wireless session: the RADIUS key must be known, and the attacker must be able to capture both the RADIUS conversation on the wire and the 4-Way Handshake over the air. Additionally, decrypting a WPA2-Enterprise session does not necessarily mean we can eavesdrop on meaningful user data, as it may be encrypted at the application layer, e.g. with TLS, which does not rely on the Wi-Fi infrastructure encryption.

Literature

WN Blog 002 – Wireshark Filters

Both Mac & Matt are currently studying for their final CWNP exam – CWAP! And have been making notes and tips along the way so we wanted to share some with you guys.

A lot of these Wireshark filters below we got from the guys over at CTS but we have added a few more that we have found useful and we will keep adding along the way of our journey!

Basic filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address)

Filter on only authentication:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x000b

Filter on only association request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0000

Filter on only association response:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0001

Filter on only probe request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0004

Filter on only probe response: 

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0005

4 way handshake filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && eapol

Filter by SSID:

  • wlan.ssid == “SSID” (older Wireshark releases call this field wlan_mgt.ssid)

Filter by AP:

  • wlan.bssid == 00:11:22:33:44:55 (AP MAC address, no quotes)

Power Management:

  • wlan.fc.pwrmgt == 1 (or 0)

Retransmissions:

  • Retransmissions: wlan.fc.retry==1
  • Retries to DS: wlan.fc.retry==1 && wlan.fc.tods==1
  • Retries from DS: wlan.fc.retry==1 && wlan.fc.fromds==1

Filter Addresses:

  • MAC Address: wlan.addr == 00:11:22:33:44:55 (Mac address)
  • Transmitter address: wlan.ta == 00:11:22:33:44:55 (Mac address)
  • Receiver address: wlan.ra == 00:11:22:33:44:55 (Mac address)
  • Source address: wlan.sa == 00:11:22:33:44:55 (Mac address)
  • Destination address: wlan.da == 00:11:22:33:44:55 (Mac address)

802.11 Management Frames:

  • All management frames: wlan.fc.type == 0
  • Association request: wlan.fc.type_subtype == 0
  • Association response: wlan.fc.type_subtype == 1
  • Re-association request: wlan.fc.type_subtype == 2
  • Re-association response: wlan.fc.type_subtype == 3
  • Probe request: wlan.fc.type_subtype == 4
  • Probe response: wlan.fc.type_subtype == 5
  • Beacons: wlan.fc.type_subtype == 8
  • ATIMs: wlan.fc.type_subtype == 9
  • Disassociations: wlan.fc.type_subtype == 10
  • Authentications: wlan.fc.type_subtype == 11
  • De-authentications: wlan.fc.type_subtype == 12
  • Actions: wlan.fc.type_subtype == 13

802.11 Control Frames:

  • All control frames: wlan.fc.type == 1
  • Block ack requests: wlan.fc.type_subtype == 24
  • Block ACKs: wlan.fc.type_subtype == 25
  • PS-Polls: wlan.fc.type_subtype == 26
  • Ready to Sends: wlan.fc.type_subtype == 27
  • Clear to sends: wlan.fc.type_subtype == 28
  • ACKs: wlan.fc.type_subtype == 29
  • CF-Ends: wlan.fc.type_subtype == 30
  • CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31

802.11 Data Frames:

  •  All Data frames: wlan.fc.type == 2
  • Data: wlan.fc.type_subtype == 32
  • Data + CF-ACK: wlan.fc.type_subtype == 33
  • Data + CF-Poll: wlan.fc.type_subtype == 34
  • Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
  • Null: wlan.fc.type_subtype == 36
  • CF-ACK: wlan.fc.type_subtype == 37
  • CF-Poll: wlan.fc.type_subtype == 38
  • CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
  • QoS data: wlan.fc.type_subtype == 40
  • QoS data + CF-ACK: wlan.fc.type_subtype == 41
  • QoS data + CF-Poll: wlan.fc.type_subtype == 42
  • QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
  • QoS Null: wlan.fc.type_subtype == 44
  • Qos CF-Poll: wlan.fc.type_subtype == 46
  • QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47

Radio Tap Header Information:

  • Specific Channel: radiotap.channel.freq == 5240 (frequency)
  • Specific data rate: radiotap.datarate == 6 (rate in mbps)
  • RSSI: radiotap.dbm_antsignal == -60 (signal in dBm; radiotap.dbm_antsignal < -70 is handier for picking out weak frames)
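Where the numbers in those type_subtype filters come from, as an added example that is not part of the original post: Wireshark builds wlan.fc.type_subtype from the Frame Control field as (type << 4) | subtype, which is why a beacon (management, subtype 8) is 8, a Block Ack (control, subtype 9) is 0x19 = 25 and QoS Data (data, subtype 8) is 0x28 = 40, and the meaning of wlan.sa, wlan.da and wlan.bssid shifts with the To DS / From DS flags. The parser below decodes a raw 802.11 MAC header the same way and evaluates filter-style conditions over a handful of frames that are constructed for the example (the MAC addresses are made up; nothing here is from a capture). It uses only the standard library; the function names are mine.

```python
# Added example, not from the original post: decode an 802.11 MAC header into the
# wlan.* fields the filters use. Sample frames and addresses are constructed.
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SINGLE_ADDRESS_CONTROL = {0xC, 0xD}    # CTS and ACK carry only a receiver address

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211_header(frame: bytes) -> dict:
    """Decode Frame Control and the address fields the way the wlan.* filter fields see them."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)   # Frame Control is little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    tods, fromds = bool(flags & 0x01), bool(flags & 0x02)
    if ftype == 1:
        n_addr = 1 if subtype in SINGLE_ADDRESS_CONTROL else 2
    else:
        n_addr = 4 if (tods and fromds) else 3
    addrs = [mac(frame[4 + 6 * i:10 + 6 * i]) for i in range(n_addr)]
    info = {
        "type": ftype,
        "type_name": TYPE_NAMES.get(ftype, "extension"),
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,   # wlan.fc.type_subtype
        "tods": tods, "fromds": fromds,           # wlan.fc.tods / wlan.fc.fromds
        "retry": bool(flags & 0x08),              # wlan.fc.retry
        "pwrmgt": bool(flags & 0x10),             # wlan.fc.pwrmgt
        "protected": bool(flags & 0x40),          # wlan.fc.protected
        "addr": set(addrs),                       # wlan.addr matches any of these
        "ra": addrs[0],                           # wlan.ra
    }
    if n_addr >= 2:
        info["ta"] = addrs[1]                     # wlan.ta
    if ftype != 1:
        # Address 1..4 meaning depends on To DS / From DS (802.11 address field contents table)
        a1, a2, a3 = addrs[:3]
        if not tods and not fromds:
            info.update(da=a1, sa=a2, bssid=a3)
        elif fromds and not tods:
            info.update(da=a1, bssid=a2, sa=a3)
        elif tods and not fromds:
            info.update(bssid=a1, sa=a2, da=a3)
        else:
            info.update(da=a3, sa=addrs[3])       # 4-address (WDS) frame, no BSSID field
    return info

def build_frame(ftype: int, subtype: int, addrs: list, flags: int = 0) -> bytes:
    """Build just the MAC header of a frame; enough for the fields above."""
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    header = struct.pack("<HH", fc, 0) + b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    if ftype != 1:
        header += b"\x00\x00"                     # sequence control (absent in control frames)
    return header

def matches(info: dict, addr=None, type_subtype=None, **flag_conditions) -> bool:
    """Evaluate the same kind of condition as 'wlan.addr == X && wlan.fc.retry == 1'."""
    if addr is not None and addr not in info["addr"]:
        return False
    if type_subtype is not None and info["type_subtype"] != type_subtype:
        return False
    return all(info[name] == value for name, value in flag_conditions.items())

AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
GATEWAY, BROADCAST = "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [                                                 # constructed, not captured
    build_frame(0, 8, [BROADCAST, AP, AP]),                       # beacon
    build_frame(2, 8, [AP, STA, GATEWAY], flags=0x01),            # QoS data, STA -> DS
    build_frame(2, 8, [AP, STA, GATEWAY], flags=0x01 | 0x08),     # same frame, retransmitted
    build_frame(2, 8, [STA, AP, GATEWAY], flags=0x02),            # QoS data, DS -> STA
    build_frame(1, 9, [STA, AP]),                                 # Block Ack, AP -> STA
    build_frame(1, 0xD, [AP]),                                    # ACK to the AP
]

def count_retries_to_ds(frames, station: str) -> int:
    """wlan.addr == station && wlan.fc.retry == 1 && wlan.fc.tods == 1"""
    return sum(matches(parse_80211_header(f), addr=station, retry=True, tods=True) for f in frames)

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        i = parse_80211_header(f)
        print(f"type_subtype={i['type_subtype']:2d} {i['type_name']:10s} "
              f"ra={i['ra']} sa={i.get('sa', '-')} da={i.get('da', '-')}")
    print("retries to DS from STA:", count_retries_to_ds(SAMPLE_FRAMES, STA))
```

Note that wlan.addr matches any address field, so the retry filter above also counts the frame when you filter on the gateway's MAC; use wlan.sa or wlan.ta when you want only frames the station itself transmitted.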

Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us ! 🙂