Tips for an Information Security Analyst/Pentester career - Episode 6: Wireshark basics (part 2a: hands-on)
Continuing our Wireshark overview, this time we'll see a hands-on example, taken from my Network Forensics class.
I'm going to analyze a network capture performed by my instructor.
My task in the lab was to identify and analyze a rogue wireless access point connected to the college network.
I start calculating a SHA-512 hash on the provided capture file, by saving it to a text file.
We're going to re-hash the capture file once more at the end of our analysis and we'll compare the two hash values.
If the analysis is correct, the two hashes need to match.
A rogue access point called Lone Gunman clearly stands out amidst all Stark State academic hosts present on the network.
Analyzing the related packets with Wireshark, we notice Lone Gunman is indeed an access point and its BSSID (which is the MAC address, for access points), is 00:0D:88:B6:F7:1E, which corresponds to a D-Link device.
The rogue access point supports WEP encryption, as shown by the privacy flag below.
66 frames were transmitted between this rogue access point and the other devices on the network.
The 75% of these were sent by the rogue WAP to the MAC broadcast address
This high number of packets addressed to the MAC broadcast address look suspicious and can be due to an attack against WEP.
In order to crack a WEP password, in fact, a high number of packets needs to be captured and a good way of doing that is to replay ARP requests.
In fact, the attacker could have easily cracked the WEP password, as shown below.
In today's episode, we could perform a much deeper analysis of the network starting from a traffic capture.
In the next episode, we'll delve a little further into that by building on this example.