Wireless Packet Analysis – CompTIA Security+ SY0-401: 3.4

There’s a wealth of data hidden in the packets that traverse our wireless networks. In this video, you’ll learn how easy it is to perform wireless packet analysis and what you can do to protect yourself on a wireless network.

<< Previous Video: Wireless IV AttacksNext: Near Field Communication >>

One of the challenges you have on any network, whether it is a wired network or your wireless network, is that if somebody can get a packet capture from what you’re doing then you’ll be able to see a lot of what’s going on. Everything going back and forth is in those packets. And that’s why you’ll find that a lot of security professionals go even overboard to make sure nobody’s able to see what’s inside of that data that’s going back and forth. Unfortunately, a lot of what we do day to day is absolutely in the clear.

There’s really not as much encryption going on over the network as you might think or you might hope. So it’s very, very simple now when you connect to a network, especially a wireless network, to see an amazing amount of information. If you’re in a wired network, it becomes a little bit more difficult to capture. You have to be in a physical place, you have to tap into the network in some way, you have to see what’s going on. So it becomes a little more difficult, you have to have exactly the right location on a wired network. On a wireless network, however, wide open. You can do a lot on a wireless network to see what’s happening.

This module and the CompTIA exam requirements is called wireless network sniffing. But just so you’re aware, the term sniffer is a registered trademark. So it’s a term that we have we have really co-opted in the security– in the network analysis realm. A more generic term would be network analysis, and that’s why you’ll see whenever I’m working with different devices I’m not using a sniffer, I’m using a network analyzer– just so you’re aware of exactly the type of technology in play. Capturing information over a wireless network is painfully easy. It’s so simple to see every bit of traffic going on over that wireless network. Especially if you’re sitting very, very close to the access point on that wireless network.

Your device– your wireless card, your wireless adapter, your laptop computer– can hear everything going on in and in normal operation it only acts on the information that’s sent to your machine but because wireless is such a broadcast mechanism, every device on the wireless network can hear everything that’s going on. This makes it very, very easy to set your card up in such a way that allows it to see everything going back and forth over the network. One of the challenges you have, if you are trying to analyze network traffic, is you have to make sure that your network card does not send information at the same time. On these wireless devices, if I’m broadcasting I’m essentially overloading my local receiver. So when you start up a number of different manufacturer’s software to be able to capture they’re using a special driver that turns off the transmission feature so it’s able to capture and hear as much as possible.

Sometimes your network drivers will not capture wireless information. They simply are not configured, or have the right chipsets, to be able to do that. So as you’re looking through software that allows you to capture from a wireless network, that software will tell you exactly the type of wireless card or exactly the type of wireless chipset that’s required. In fact the manufacture of the software may be providing you with their own type of network driver for that card because they’re able to turn on that feature where your normal driver does not have access to do that.

Sometimes you get a driver or a combination of software that kind of puts you in the middle. You can’t see the wireless communication, the wireless protocol going on, but you can see the ethernet data that comes out of the wireless traffic. So that might be enough for you to be able to see what’s going on but if you’re trying to figure out channel information, encryption information, and other things going over the wireless network you need to make sure that you can capture the entire wireless packet. Otherwise you’re just going to see the data once it’s come off of the wireless network.

And of course you can try this yourself. You can go out to wireshark.org, that is probably the world’s most popular network analysis software at this point, and download that. Load it yourself. Try it with your access point. Try it with your wireless network cards. There’s also some documentation on the wireshark website that can get you started and tell you how you can optimally configure your wireshark configuration and your hardware to be able to gather as much information from the wireless network. It is amazing how much detail you can really pull out of a wireless network.

This is wireshark. Even see the different interfaces on my computer. There’s one that even shows it’s the wireless adapter on my computer. I’m just going to click that. And we’re going to start seeing the wireless information go back and forth over my wireless network. I’m not really sending a lot of data over that connection right now but look how simple that was. I load up my software, I say go start capturing traffic, and it starts pulling in that traffic and showing all the information going over that wireless network. If you’re sitting in a coffee shop, if you’re sitting out at work, if you’re sitting at a conference, especially in places where they are open access points, now you’re able to see a lot of in the clear traffic going back and forth over this wireless network. And that becomes an enormous concern from a security perspective. So it becomes important also to know how you can prevent people from seeing this traffic going on over these open access points.

The first thing you can do is make sure that the data on your wireless network is encrypted. Even if you have someone with a packet analyzer that’s capturing all the traffic flowing through the air, the only thing they’ll be able to make out is a bunch of encrypted data within those packets. And if you’re doing WPA2 or WPA, that data is pretty well encrypted, it’s going to be very, very hard for them to determine the key and be able to get into that information. We talked in a previous module about how WEP is a very, very bad way to encrypt data. In fact your access point may not even have the option these days to allow WEP, it’s just something that if you see a legacy access point that’s using WEP you should avoid trusting that as a way to protect your information.

You also can use encryption. Make sure that you go to a website and you login on their HTTPS page. Whether this is Google mail or Yahoo mail or whatever website. Any time you’re transferring information, you’re adding a user-name and password, you’re looking at sensitive data, you want to be sure you’re on an encrypted web server. And of course one of your options is to create an entire encrypted tunnel through that wireless network to an end point somewhere else on the internet and send all of your traffic over that encrypted tunnel. That ensures that whether you’re going to an encrypted web server or web server where information would normally be sent in the clear, you’re encrypting that up, sending it through the tunnel. You would have to be on the other side of the tunnel termination point to even see any of that information. And at that point you’re probably through the wireless network and somewhere else down on the line in the internet.

Some people also take advantage of some virtual tunnel networks like Tor, which stands for the onion router. Or they may be using something like Ultrasurf, which is a very, very easy to use encrypted proxy where you can send information back and forth. In any of these environments there are advantages and disadvantages to doing any of those, so you want to be sure that if you’re using a VPN connection or you’re using an encrypted proxy that you trust what’s really going on on the other end of that communication. Because ultimately your data will come off of that encrypted tunnel, and the some of that will certainly be in the clear.