Jump to content

packet capture confusions


Recommended Posts

I have an internet connected (WiFi) house alarm and I want to link it to smartthings so I can get it to arm / disarm based on rules. I know it's will be possible to hack the physical remote control with an arduino type device to 'press the buttons' and link it in that way but before I go down that line I'd like to see if it is actually something I can do fully online. I know it is unlikely as it should be linking to the server over a secured link but you never know, plus I figure that the process I go though would mean I can also see what data my other IoT devices are sending where.

I am in full control of my network and have separated the IoT devices from my normal machines via a Ubiquiti Router X using VLANs and firewall rules. The WiFi is served by an AP with an IoT specific SSID (both 5Ghz and 2.4Ghz) linked to the IoT VLAN, the device shares the VLAN with lots of other devices both wired and wireless and of course I know the WPA2-PSK passphrase. 

What I'm currently trying to achieve is to capture packets going to and from the WiFi Alarm Hub on my network so I can see all the traffic going to and from the device. Given that I own the network I know this should be relatively easy but I am struggling to actually achieve what I want basically because I have a lot of knowledge missing and I am probably trying to learn too much at the same time (the equivalent of learning to swim by jumping into the North Sea in a storm)... but hey I am wanting to learn. 

I have googled and researched and I've come up with what seems to me to be two potential solutions

  • Get the data (from VLAN?? device??) mirrored to a port on the router and then capture the mirrored data via that port
  • Capture the data from the air and look at the WiFi traffic between the device and the AP

I can't figure out how to achieve the first one (although I'm sure it is possible given the capabilities of the router) so I've moved to the WiFi option, which probably would be the more useful to learn anyway as not every router is quite as capable. I've borrowed a Tetra thinking this would help but I am going round in circles, I first though I should be able to join the same network over WiFi and the capture the decrypted traffic but nothing I've read indicates this is possible. So I'm left with viewing data over WiFi from the outside (monitor mode) and capturing the encrypted traffic packets with the hope of decrypting it later (on the basis I should logically have the key somewhere).

The last step I've tried is running tcpdump on the pineapple tetra from a kali linux terminal (ssh root@ tcpdump -i wlan1mon -U -s 0 -n 'not port 22' -w - | wireshark -k -i -) whilst connected to the Pineapple management AP on the linux machine. I can see packets being captured in wireshark but it appears to be mostly beacons / probes and the occasional data packet based on the final column in wireshark but everything appears to be protocol 802.11 which I'm guessing indicates everything is encrypted

I've attempted to load the decrypt keys into wireshark (Edit > Preferences > IEEE 802.11) based on PSK raw data key from this  https://www.wireshark.org/tools/wpa-psk.html but still all I see in the Wireshark capture is 802.11 so I don't think the decrypt it is working properly. I have connected my phone to the target SSID and browsed the net during the capture but I'm not seeing anything in the wireshark capture, I can't even spot the phone browsing traffic in all the packets being captured so not even sure its working properly

What I Need Help With

I am very new to this level of networking but I am trying to learn

  • Am I heading in the right line?
  • Is tcpdump the right tool for this or is there a better solution?
  • Is there any way I can reduce what is coming in on the packet capture so it just focuses on the SSID or better the device I am interested in?
  • Is there anything I am not doing, that needs to be done to decrypt the data in the capture?
  • Are there alternatives to achieve the capture of packets I want wirelessly that I've not discovered yet?
  • Am I even approaching this in the right way?

An exact line by line solution to achieve what I want would be great but most of all I would like to understand what I am doing and how it works, so even if you aren't able  to give the step by step guide pointers into what I may be doing wrong will be gratefully received.

Link to comment
Share on other sites

13 hours ago, Bigbiz said:

that should get ya going. Once you decrypted packets. You on your own.

Thank you, I presume from this response you think the general approach I'm doing should work then?

I've just followed that using the output of tcpdump from the tetra (ssh root@ tcpdump -i wlan1mon -U -vvv -s 0 -n 'not port 22' -w - | wireshark -k -i-) ran for a while and saved to a pcap file in wireshark however all I get is...

airdecap-ng -p ********* capture/xray.pcap -e e-gamingIT

  • Total number of packets read         49056
  • Total number of WEP data packets         0
  • Total number of WPA data packets      1309
  • Number of plaintext data packets         0
  • Number of decrypted WEP  packets         0
  • Number of corrupted WEP  packets         0
  • Number of decrypted WPA  packets         0

the resulting -dec.pcap file is blank (24bytes),

I noticed in the raw pcap file that the SSID wasn't being captured so I added the bssid mac address as well but still get 0 (it's not an issue with a hyphen in the middle of the SSID is it?, I've tried putting single quotes round the SSID but still the same output just with reduced WPA packets) 

airdecap-ng -p ******** capture/xray.pcap -b aa:bb:cc:dd:ee:ff -e e-gamingIT 

  • Total number of packets read         49056
  • Total number of WEP data packets         0
  • Total number of WPA data packets        12
  • Number of plaintext data packets         0
  • Number of decrypted WEP  packets         0
  • Number of corrupted WEP  packets         0
  • Number of decrypted WPA  packets         0

same blank -dec.pcap file.

The raw capture seems to be flooded with beacons and probes so I am wondering if there something I can do to improve the capture or is it that there is so much data flying about that means the tetra can't grab it all?

Whilst tcpdump is running I get the following:

tcpdump: listening on wlan1mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
Got [a number which increases - presumably packets]

Edited by ThatchersHeritage
Link to comment
Share on other sites

Weird that approach may not work then?

Im think two things either you didnt capture enough packets?

Or you seem to have the commandline correct but it says  0 decrypted packets, so not a good approach.

But you only have captured 12 wpa packets, you may need more before the actual encrypted packets pop up on the wire. For now id go with first answer.

Link to comment
Share on other sites

Nope never heard of a vlan. Enough packets could be like letting tcpdump run anywhere from 20 min to an hour.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...