
In the past we have written a couple of articles on using tshark to strip WPA capture files down to a specific ESSID or SSID, but in some cases it is more useful to strip the capture down by BSSID, that is, the MAC address of the WAP. Isolating packets by BSSID is useful when a wireless deployment has numerous WAPs and you have captured a specific SSID's traffic from more than one of them. Below is information on how to strip down a capture file based on BSSID, along with the capture size before and after stripping the file down.

Strip WPA Packet Capture By ESSID Using tshark:

[root@dev ~]# tshark -r somecapture.cap -R "eapol || wlan_mgt.tag.interpretation eq SOMESSID" -w SOMESSID-STRIPPED.cap
Running as user "root" and group "root". This could be dangerous.

As you can see above, tshark is used to strip the original capture file (named somecapture.cap in this example) by selecting EAPOL packets and packets tagged with the SSID SOMESSID, and then writes the selected packets to SOMESSID-STRIPPED.cap. If you now run aircrack-ng on the stripped-down capture file you will see where there can be an issue because of multiple WAPs using the same SSID.

Aircrack-ng Output Of The Stripped Down WPA Capture File:

[root@dev ~]# aircrack-ng SOMESSID-STRIPPED.cap
Opening SOMESSID-STRIPPED.cap
Read 6822 packets.

   #  BSSID              ESSID                     Encryption

   1  0B:D9:98:5A:77:CC  SOMESSID                  No data - WEP or WPA
   2  6E:08:04:6E:EE:55  SOMESSID                  WPA (1 handshake)
   3  00:1B:11:2A:BB:27                            EAPOL+None (0.0.0.0)

Index number of target network ?
Quitting aircrack-ng...
[root@dev ~]#

Again, the issue is that two WAPs use the same SSID. When something like oclHashcat processes the capture file in a dictionary attack scenario, it will attempt to use the EAPOL packets from the SSID SOMESSID with BSSID 0B:D9:98:5A:77:CC, which does not contain a valid WPA handshake, and will fail. We really want to run the dictionary attack against the SSID SOMESSID with BSSID 6E:08:04:6E:EE:55, so instead of stripping the capture file with the above tshark command we should use the command below, which isolates EAPOL packets based on BSSID rather than SSID.

Strip WPA Packet Capture By BSSID Using tshark:

[root@dev ~]# tshark -r SOMESSID-STRIPPED.cap -R "eapol || wlan.bssid eq 6E:08:04:6E:EE:55" -w SOMESSID-STRIPPED2.cap
Running as user "root" and group "root". This could be dangerous.
[root@dev ~]#

Now, when running aircrack-ng against the stripped-down capture, there will only be a single set of EAPOL packets from the SSID we want to process with a dictionary password attack using something like oclHashcat, as shown in the example output from aircrack-ng below.

Aircrack-ng Output Of The Stripped Down By BSSID WPA Capture File:

[root@dev ~]# aircrack-ng SOMESSID-STRIPPED.cap
Opening SOMESSID-STRIPPED.cap
Read 2205 packets.

   #  BSSID              ESSID                     Encryption

   1  6E:08:04:6E:EE:55  SOMESSID                  WPA (1 handshake)
   2  00:1B:11:2A:BB:27                            EAPOL+None (0.0.0.0)

Index number of target network ?
Quitting aircrack-ng...
[root@dev ~]#

After stripping the capture down by BSSID, the proper network now comes first and is processed properly by tools such as oclHashcat.
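As an added example (not the post's own code), here is the frame-level logic behind the two filters above, run over a few constructed raw 802.11 frames that reuse the BSSIDs from the aircrack-ng listing. Note that the post's `eapol || wlan.bssid eq X` expression is an OR, so it keeps EAPOL frames from every BSSID (which is why the 00:1B:11:2A:BB:27 entry still shows up); the stricter function keeps only the target BSSID's management and EAPOL frames. The station address 02:00:00:00:00:01 and all frame contents are constructed.

```python
"""Isolate one BSSID's beacons and EAPOL frames from raw 802.11 frames (constructed data)."""

# LLC/SNAP header that precedes an EAPOL payload (EtherType 0x888E)
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def parse_frame(frame):
    """Return (type, bssid, is_eapol); the To-DS/From-DS bits say which address is the BSSID."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    to_ds, from_ds = flags & 0x01, flags & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:
        bssid = None                      # 4-address WDS frame: no single BSSID
    else:
        bssid = a1 if to_ds else a2 if from_ds else a3
    is_eapol = False
    if ftype == 2:                        # data frame; QoS data carries 2 extra header bytes
        body = 24 + (2 if subtype & 0x08 else 0)
        is_eapol = frame[body:body + 8] == LLC_SNAP_EAPOL
    return ftype, bssid, is_eapol

def eapol_or_bssid(frames, bssid):
    """Same semantics as the post's filter 'eapol || wlan.bssid eq X' (OR keeps every EAPOL)."""
    t = mac_bytes(bssid)
    return [f for f in frames if parse_frame(f)[2] or parse_frame(f)[1] == t]

def bssid_handshake(frames, bssid):
    """Stricter filter: only management and EAPOL frames whose BSSID is the target."""
    t = mac_bytes(bssid)
    return [f for f in frames if (lambda p: p[1] == t and (p[0] == 0 or p[2]))(parse_frame(f))]

def bssids_with_eapol(frames):
    """Set of BSSIDs (as strings) that still have EAPOL frames after filtering."""
    return {":".join(f"{x:02X}" for x in b) for _, b, e in map(parse_frame, frames) if e and b}

# --- constructed sample capture; AP addresses are the ones from the post's aircrack-ng listing ---
def build(fc, flags, a1, a2, a3, body=b""):
    return bytes([fc, flags, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00" + body

AP_A, AP_B, AP_C, STA = "6E:08:04:6E:EE:55", "0B:D9:98:5A:77:CC", "00:1B:11:2A:BB:27", "02:00:00:00:00:01"
EAPOL_KEY = LLC_SNAP_EAPOL + bytes.fromhex("020300")   # EAPOL v2, type 3 (Key), body truncated
SAMPLE = [
    build(0x80, 0x00, "FF:FF:FF:FF:FF:FF", AP_A, AP_A),            # beacon, target AP
    build(0x80, 0x00, "FF:FF:FF:FF:FF:FF", AP_B, AP_B),            # beacon, same ESSID, other AP
    build(0x08, 0x02, STA, AP_A, AP_A, EAPOL_KEY),                 # handshake msg AP->STA (From-DS)
    build(0x88, 0x01, AP_A, STA, AP_A, b"\x00\x00" + EAPOL_KEY),   # QoS data STA->AP (To-DS)
    build(0x08, 0x02, STA, AP_C, AP_C, EAPOL_KEY),                 # EAPOL from an unrelated BSSID
    build(0x08, 0x02, STA, AP_A, AP_A, bytes.fromhex("aaaa030000000800")),  # plain IP data
]
```

Running `bssids_with_eapol(eapol_or_bssid(SAMPLE, AP_A))` still reports both 6E:08:04:6E:EE:55 and 00:1B:11:2A:BB:27, while `bssid_handshake` leaves only the target BSSID; the tshark equivalent of the stricter filter is `wlan.bssid eq X && (eapol || wlan.fc.type == 0)`.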

For more Wireshark filters that can be used click here.
