---
title: WiFi traffic interception
tags:
- WiFi
- Sniffing
- aireplay
categories: [redes]
excerpt_separator: <!--more-->
---
# WiFi Traffic Interception Attack
| Attack type | CID | Attack vector                | Attack technique |
|-------------|-----|------------------------------|------------------|
| Passive     | C__ | Wireless signal interception |                  |
# Intro

The medium of an 802.11 LAN is the electromagnetic spectrum, which has no physical boundary the way an 802.3 (Ethernet) LAN does. Therefore, to gain access to this system, the 802.11 LAN, it is enough to intercept the radio-frequency signal by putting a WNIC into monitor mode.
# Setup
## Assumptions
*
## Tools
* GNU `ip` from iproute2
* GNU `iw`
* Wireshark
* `tshark`
* tcpdump
* Scapy
```bash
IW=$(iw dev | awk 'NR==2 && $1=="Interface" {print $2}')   # first wireless interface
SMAC=$(iw dev | awk '$1=="addr" {print $2}')               # its current MAC
# Variables (the heredoc delimiter is unquoted on purpose so $IW and $SMAC expand now):
cat > vars.sh << EOM
IW=$IW
BMAC=FC:34:97:61:34:90 # MAC of the BSS
SSID=C0N3J0 # SSID of the BSS
SMAC=$SMAC # MAC of the attacking STA
CMAC=60:1d:91:64:f7:aa # MAC of the BSS client STA
CH=6 # channel of the BSS
EOM
source vars.sh
# Change channel
sudo iw dev "$IW" set channel "$CH"
# Change MAC:
sudo ip link set "$IW" down
sudo macchanger -m "$SMAC" "$IW"
sudo ip link set "$IW" up
iw dev
```
```bash
nmcli device wifi list | head -2
```
```
IN-USE BSSID SSID MODE CHAN RATE SIGNAL BARS SECURITY
FC:34:97:61:34:90 C0N3J0 Infra 6 54 Mbit/s 100 ▂▄▆█ WEP
```
## Card in Monitor Mode
```bash
sudo airmon-ng start "$IW"
```
**Note 1**: With this process the WNIC's name changes, so the bash variable `$IW` must be updated.
**Note 2**: If the processes using the card need to be killed, run `sudo airmon-ng check kill`.
**Note 3**: Entering monitor mode disables the card's networking options; they must be re-enabled by putting the WNIC back in *managed mode*.
## Restore the WNIC to managed mode
```bash
sudo airmon-ng stop "$IW"
sudo systemctl restart NetworkManager
```
## USB WNICs with RFMON
| Name | Price (COP) | Injection | 802.11 | Dual band |
|------|-------------|-----------|--------|-----------|
| TP-LINK TL-WN722N | [$48k](https://articulo.mercadolibre.com.co/MCO-448844964-tp-link-tarjeta-de-red-de-alta-ganancia-150mbps-tl-wn722n-_JM) | Yes | n | 2.4 GHz only |
| ALFA Network AWUS036ACS | [$140k](https://www.amazon.com/Network-AWUS036ACS-Wide-Coverage-Dual-Band-High-Sensitivity/dp/B0752CTSGD) | Yes | a/b/g/n/ac | Yes |
| Alfa AWUS036ACH | [$300k](https://www.amazon.com/ALFA-AWUS036ACH-%E3%80%90Type-C%E3%80%91-Long-Range-Dual-Band/dp/B08SJC78FH) | Yes | a/b/g/n/ac | Yes |
| Panda PAU09 N600 | [$525k](https://www.amazon.com/Panda-Wireless-PAU09-Adapter-Antennas/dp/B01LY35HGO/) | Yes | a/ac/b/g/n | Yes |
# Wireshark
## Configuration
First we configure our tool to analyze traffic:
1. Launch Wireshark as *root*.
1. Go to `Capture > Capture options`, enable **monitor mode**\* for our Wi-Fi interface, and start the traffic capture.

\* :warning: If the WNIC is being used by other processes there may be conflicts; in that case you can run `sudo airmon-ng check kill`. [Read more](https://wiki.wireshark.org/CaptureSetup/WLAN#turning-on-monitor-mode).
In theory we can also run the following commands before launching Wireshark:
```bash
sudo ip link set "$IW" down
sudo iw dev "$IW" set monitor none
sudo ip link set "$IW" up
sudo iw dev "$IW" set channel "$CH"
iw dev "$IW" info
```
:warning: If you need to work with the *aircrack-ng* tools, it is preferable to put the WNIC in monitor mode with `airmon-ng`.

In the screenshot we can see a management frame of subtype Beacon.

These are some Wireshark filters for 802.11:
* `wlan.fc.type_subtype`: type and subtype of the WiFi frame.
* `wlan.addr`: filters by the specified MAC address.
* `wlan.bssid`: address of the BSS.
```bash
IW=wlp2s0
BMAC=fc:34:97:61:34:90
CMAC=60:1d:91:64:f7:aa
CH=6
```
```bash
sudo iw dev $IW set channel $CH
```
```shell
sudo wireshark -i $IW -y IEEE802_11_RADIO -I
```
## Conflicts
> Error: The network adapter on which the capture was being done is no longer running;the capture has stopped.
```bash
sudo airmon-ng check
```
```
Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
1166 avahi-daemon
1171 NetworkManager
1209 wpa_supplicant
1217 avahi-daemon
```
```bash
F1="wlan.bssid == $BMAC && wlan.da == ff:ff:ff:ff:ff:ff && wlan.sa == $CMAC"
F2="wlan.addr == $BMAC"
```
## TShark
```bash
sudo tshark -i "$IW" -y IEEE802_11_RADIO -I -Y "$F1"   # quote $F1: the filter contains spaces
```
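To make explicit what those filters match, here is an added example (not from the original post) in plain Python with no Scapy dependency: it builds minimal 802.11 MAC headers, decodes the frame-control type/subtype and the To-DS/From-DS bits that decide which address field Wireshark reports as `wlan.da`, `wlan.sa` and `wlan.bssid`, and applies `$F1` and `$F2` to constructed frames. The BSS and client MACs are the ones from `vars.sh`; the `00:11:22:33:44:55` source and the frames themselves are constructed for the demo.

```python
# MACs from vars.sh above; every frame below is constructed for the demo
BMAC, CMAC = "fc:34:97:61:34:90", "60:1d:91:64:f7:aa"
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3):
    """Minimal 3-address 802.11 MAC header: FC(2) Duration(2) A1 A2 A3 SeqCtl(2); no radiotap, no FCS."""
    fc0 = (ftype << 2) | (subtype << 4)   # low 2 bits: protocol version 0
    fc1 = to_ds | (from_ds << 1)          # flags byte: bit0 To-DS, bit1 From-DS
    return bytes([fc0, fc1, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00"

def parse_header(frame):
    """Decode what Wireshark exposes as wlan.fc.type/subtype, wlan.da, wlan.sa, wlan.bssid, wlan.addr."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = (mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3))
    # Which field is DA/SA/BSSID depends on the To-DS/From-DS bits (802.11 address table)
    if not to_ds and not from_ds:      # management frames, ad-hoc data
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:        # STA -> AP, e.g. a client's ARP request
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> STA
        da, bssid, sa = a1, a2, a3
    else:                              # WDS 4-address frame: DA=A3, SA=A4, no BSSID
        da, sa, bssid = a3, mac_str(frame[24:30]), None
    return {"type": ftype, "subtype": subtype, "da": da, "sa": sa, "bssid": bssid, "addr": {a1, a2, a3}}

def f1(h):
    """$F1: wlan.bssid == BMAC && wlan.da == ff:ff:ff:ff:ff:ff && wlan.sa == CMAC (client broadcasts)."""
    return h["bssid"] == BMAC and h["da"] == BCAST and h["sa"] == CMAC
def f2(h):
    """$F2: wlan.addr == BMAC, i.e. the BSS MAC in any address field."""
    return BMAC in h["addr"]

# Constructed frames: AP beacon, client broadcast relayed through the AP (To-DS),
# AP unicast to the client (From-DS) and a beacon from the unrelated BSS of the Scapy script.
BEACON = build_frame(0, 8, 0, 0, BCAST, BMAC, BMAC)
CLIENT_BCAST = build_frame(2, 0, 1, 0, BMAC, CMAC, BCAST)
AP_TO_CLIENT = build_frame(2, 0, 0, 1, CMAC, BMAC, "00:11:22:33:44:55")
OTHER_BEACON = build_frame(0, 8, 0, 0, BCAST, "c0:2e:70:b1:42:c0", "c0:2e:70:b1:42:c0")

if __name__ == "__main__":
    for name, fr in {"beacon": BEACON, "client_bcast": CLIENT_BCAST,
                     "ap_to_client": AP_TO_CLIENT, "other_beacon": OTHER_BEACON}.items():
        h = parse_header(fr)
        print(f"{name:13} type={h['type']} subtype={h['subtype']:2} F1={f1(h)!s:5} F2={f2(h)}")
```

Only the client's broadcast (a To-DS data frame) satisfies `$F1`, while `$F2` also picks up the beacon and the AP's unicast because the BSS MAC sits in a different address field each time.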
## Decryption

Enable decryption in Wireshark with the WEP key in hexadecimal, for example $33705_{ASCII} = 3333373035_{16}$

Here we can see the ARP packets

# Scapy
Scapy code `enviarBeacon.py`:
```python
#!/usr/bin/env python3
import sys
from scapy.all import Dot11, Dot11Beacon, Dot11Elt, RadioTap, sendp

if len(sys.argv) != 4:
    print("Usage: %s <SMAC> <SSID> <WNIC>" % sys.argv[0])
    sys.exit(1)
SMAC = sys.argv[1].lower()   # source / BSSID MAC of the beacon
ssid = sys.argv[2].lower()   # the SSID is lowercased, which is why "MySSID" appears as 'myssid' below
iface = sys.argv[3].lower()
# Management frame (type 0), subtype 8 = Beacon, addressed to broadcast
dot11 = Dot11(
    type=0,
    subtype=8,
    addr1="ff:ff:ff:ff:ff:ff",  # RA/DA: broadcast
    addr2=SMAC,                 # TA/SA
    addr3=SMAC)                 # BSSID
beacon = Dot11Beacon()
essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid))  # SSID information element
frame = RadioTap()/dot11/beacon/essid
frame.show()
sendp(frame, inter=0.1, iface=iface, loop=1)  # one beacon every 100 ms until interrupted
```
Execution:
```shell
sudo python3 enviarBeacon.py $SMAC "MySSID" $IW
```
```
###[ RadioTap ]###
version = 0
pad = 0
len = None
present = None
notdecoded= ''
###[ 802.11 ]###
subtype = Beacon
type = Management
proto = 0
FCfield =
ID = 0
addr1 = ff:ff:ff:ff:ff:ff (RA=DA)
addr2 = c0:2e:70:b1:42:c0 (TA=SA)
addr3 = c0:2e:70:b1:42:c0 (BSSID/STA)
SC = 0
###[ 802.11 Beacon ]###
timestamp = 0
beacon_interval= 100
cap =
###[ 802.11 Information Element ]###
ID = SSID
len = 6
info = 'myssid'
..........................
```
Traffic:
```
207 5.821654281 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
211 5.923752960 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
215 6.025971131 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
220 6.132264555 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
224 6.235596098 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
229 6.338725728 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
236 6.442468050 c0:2e:70:b1:42:c0 → Broadcast 802.11 52 Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=myssid
```
# TCPdump
# Airodump-ng
> Airodump-ng is used for packet capture, capturing raw 802.11 frames. It is particularly suitable for collecting WEP IVs (Initialization Vector) or WPA handshakes for the intent of using them with aircrack-ng.
> https://www.aircrack-ng.org/doku.php?id=airodump-ng
```bash
sudo airodump-ng --channel "$CH" --bssid "$BMAC" "$IW"
```
This is how the CLI interface looks:
```
CH 6 ][ Elapsed: 14 mins ][ 2023-04-03 00:05
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
FC:34:97:61:34:90 -6 67 7307 156 0 6 54e WEP WEP C0N3J0
BSSID STATION PWR Rate Lost Frames Notes Probes
FC:34:97:61:34:90 76:B9:16:A6:B5:6C -41 0 - 1e 0 1404
```
* **BSSID** MAC address of the access point. In the Client section, a BSSID of “(not associated)” means that the client is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.
* **PWR**: Signal level reported by the Wi-Fi adapter. Its signification depends on the driver, but as you get closer to the AP or the station, the signal gets higher. It usually is the [RSSI](https://en.wikipedia.org/wiki/Received_signal_strength_indication "https://en.wikipedia.org/wiki/Received_signal_strength_indication").
* **CH** Channel number (taken from beacon packets).
In the first line of text we see a header with the current channel
```
CH 6 ][ Elapsed: 14 mins ][ 2023-04-03 00:05
```
In the first section we see the BSSs
```
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
FC:34:97:61:34:90 -6 67 7307 156 0 6 54e WEP WEP C0N3J0
```
* **RXQ** Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds.
* **Beacons** Number of announcements packets sent by the AP.
* **\# Data** Number of captured data packets (**if WEP, unique IV count**), including data broadcast packets.
* **#/s** Number of data packets per second measure over the last 10 seconds.
* **MB** Maximum speed supported by the AP.
* **ENC** Encryption algorithm in use.
  * OPN = no encryption,
  * “WEP?” = WEP or higher (not enough data to choose between WEP and WPA/WPA2),
  * WEP (without the question mark) indicates static or dynamic WEP,
  * WPA, WPA2 or WPA3 if TKIP or CCMP is present (WPA3 with TKIP allows WPA or WPA2 association, pure WPA3 only allows CCMP).
  * OWE is for Opportunistic Wireless Encryption, aka Enhanced Open.
* **CIPHER** The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.
* **AUTH** The authentication protocol used:
  * MGT (WPA/WPA2 using a separate authentication server)
  * SKA (shared key for WEP),
  * PSK (pre-shared key for WPA/WPA2)
  * OPN (open for WEP).
* **ESSID** Shows the wireless network name. The so-called “SSID”, which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.
In the second section, the **client section**, we see the links between STAs and BSSs
```
BSSID STATION PWR Rate Lost Frames Notes Probes
FC:34:97:61:34:90 76:B9:16:A6:B5:6C -41 0 - 1e 0 1404
```
* **STATION** MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of “(not associated)”.
* **Rate** Station's receive rate, followed by transmit rate. Displays “e” following each rate if the network has QoS enabled.
* **Lost** The number of data packets lost over the last 10 seconds based on the sequence number. See note below for a more detailed explanation.
* **Packets** The number of data packets sent by the client.
* **Notes** Additional information about the client, such as captured EAPOL or PMKID.
* **Probes** The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.
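As an added example (not part of the original post or of aircrack-ng), a small parser for the airodump-ng screen as rendered above: it splits the text into BSS and station records using the ENC, AUTH, Notes and Probes values described in the field list, flags networks still on WEP or with no encryption, and lists the SSIDs that unassociated stations are probing for. The sample text is constructed from the screen above plus one made-up unassociated station; it assumes the whitespace-separated layout shown here (a live screen is column-aligned but has the same token order).

```python
import re

# Constructed sample: the airodump-ng screen shown above, plus one made-up unassociated station
SAMPLE = """\
CH 6 ][ Elapsed: 14 mins ][ 2023-04-03 00:05
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
FC:34:97:61:34:90 -6 67 7307 156 0 6 54e WEP WEP C0N3J0
BSSID STATION PWR Rate Lost Frames Notes Probes
FC:34:97:61:34:90 76:B9:16:A6:B5:6C -41 0 - 1e 0 1404
(not associated) 76:B9:16:A6:B5:6D -60 0 - 1 0 12 CafeNet,HomeWiFi
"""
MAC = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}", re.I)
AUTH_VALUES = {"MGT", "SKA", "PSK", "OPN"}   # AUTH column values from the field list
NOTE_VALUES = {"EAPOL", "PMKID"}             # Notes column values from the field list

def parse_airodump(text):
    """Split the screen into BSS and station records, switching sections on the header rows."""
    bss, stations, section = [], [], None
    for line in text.replace("(not associated)", "(not_associated)").splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["BSSID", "PWR"]:
            section = "bss"
        elif t[:2] == ["BSSID", "STATION"]:
            section = "sta"
        elif section == "bss" and MAC.fullmatch(t[0]):
            tail = t[10:]  # AUTH is blank until detected, so the tail is [AUTH] ESSID
            auth = tail.pop(0) if tail and tail[0] in AUTH_VALUES else ""
            bss.append({"bssid": t[0].lower(), "pwr": int(t[1]), "rxq": int(t[2]),
                        "beacons": int(t[3]), "data": int(t[4]), "ch": int(t[6]), "mb": t[7],
                        "enc": t[8], "cipher": t[9], "auth": auth, "essid": " ".join(tail)})
        elif section == "sta" and (MAC.fullmatch(t[0]) or t[0] == "(not_associated)"):
            tail = t[8:]   # Rate is "rx - tx" (3 tokens); the tail is [Notes] Probes
            notes = tail.pop(0) if tail and tail[0] in NOTE_VALUES else ""
            stations.append({"bssid": t[0].lower().replace("_", " "), "station": t[1].lower(),
                             "pwr": int(t[2]), "rate": " ".join(t[3:6]), "lost": int(t[6]),
                             "frames": int(t[7]), "notes": notes,
                             "probes": [p for p in " ".join(tail).split(",") if p]})
    return bss, stations

def weak_networks(bss):
    """Inventory of BSSs still on WEP or with no encryption at all (ENC column)."""
    return [b["essid"] for b in bss if b["enc"] in ("WEP", "OPN")]

def roaming_probes(stations):
    """Unassociated stations revealing remembered SSIDs in probe requests (Probes column)."""
    return {s["station"]: s["probes"] for s in stations
            if s["bssid"] == "(not associated)" and s["probes"]}
```

On the sample this reports `C0N3J0` as a WEP network and the made-up station `76:b9:16:a6:b5:6d` probing for `CafeNet` and `HomeWiFi`.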
# Capture the SSIDs that devices remember
:warning: missing
# References
[1] Airodump-ng https://www.aircrack-ng.org/doku.php?id=airodump-ng
# Annex
## Wireshark filters for 802.11 frames
| Frame | Type | AND | Subtype |
|-------------------------|-------------------|----|-----------------------|
| Association Request | wlan.fc.type == 0 | && | wlan.fc.subtype == 0 |
| Association Response | wlan.fc.type == 0 | && | wlan.fc.subtype == 1 |
| Reassociation Request | wlan.fc.type == 0 | && | wlan.fc.subtype == 2 |
| Reassociation Response | wlan.fc.type == 0 | && | wlan.fc.subtype == 3 |
| Probe Request | wlan.fc.type == 0 | && | wlan.fc.subtype == 4 |
| Probe Response | wlan.fc.type == 0 | && | wlan.fc.subtype == 5 |
| Beacon | wlan.fc.type == 0 | && | wlan.fc.subtype == 8 |
| Disassociation | wlan.fc.type == 0 | && | wlan.fc.subtype == 10 |
| Authentication | wlan.fc.type == 0 | && | wlan.fc.subtype == 11 |
| Deauthentication | wlan.fc.type == 0 | && | wlan.fc.subtype == 12 |
| Action | wlan.fc.type == 0 | && | wlan.fc.subtype == 13 |
| Block Ack Request | wlan.fc.type == 1 | && | wlan.fc.subtype == 8 |
| Block Ack | wlan.fc.type == 1 | && | wlan.fc.subtype == 9 |
| Power Save Poll | wlan.fc.type == 1 | && | wlan.fc.subtype == 10 |
| Request to Send | wlan.fc.type == 1 | && | wlan.fc.subtype == 11 |
| Clear to Send | wlan.fc.type == 1 | && | wlan.fc.subtype == 12 |
| Acknowledgement | wlan.fc.type == 1 | && | wlan.fc.subtype == 13 |
| Data | wlan.fc.type == 2 | && | wlan.fc.subtype == 0 |
| Data + CF-ACK | wlan.fc.type == 2 | && | wlan.fc.subtype == 1 |
| Data + CF-Poll | wlan.fc.type == 2 | && | wlan.fc.subtype == 2 |
| Data + CF-ACK + CF-Poll | wlan.fc.type == 2 | && | wlan.fc.subtype == 3 |
| Null | wlan.fc.type == 2 | && | wlan.fc.subtype == 4 |
| CF-ACK | wlan.fc.type == 2 | && | wlan.fc.subtype == 5 |
| CF-Poll | wlan.fc.type == 2 | && | wlan.fc.subtype == 6 |
| CF-ACK + CF-Poll | wlan.fc.type == 2 | && | wlan.fc.subtype == 7 |