Wifi Pcap Analysis
Last updated
Last updated
Leer & oefen AWS Hacking:HackTricks Opleiding AWS Red Team Expert (ARTE) Leer & oefen GCP Hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)
Wanneer jy 'n opname ontvang waarvan die hoofverkeer Wifi is, kan jy begin om al die SSIDs van die opname te ondersoek met Wireless --> WLAN Traffic:
Een van die kolomme van daardie skerm dui aan of enige outentisering binne die pcap gevind is. As dit die geval is, kan jy probeer om dit te Brute force met aircrack-ng
:
For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.
If you suspect that data is being leaked inside beacons of a Wifi network you can check the beacons of the network using a filter like the following one: wlan contains <NAMEofNETWORK>
, or wlan.ssid == "NAMEofNETWORK"
search inside the filtered packets for suspicious strings.
The following link will be useful to find the machines sending data inside a Wifi Network:
((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2
If you already know MAC addresses you can remove them from the output adding checks like this one: && !(wlan.addr==5c:51:88:31:a0:3b)
Once you have detected unknown MAC addresses communicating inside the network you can use filters like the following one: wlan.addr==<MAC address> && (ftp || http || ssh || telnet)
to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)