Friday, June 15, 2007

Getting Tcpreplay and 802.11 to Play Nice

Sometimes you want to be able to replay traffic to analyze it live with different tools in your arsenal. This is not really an issue with standard Ethernet but can prove to be a bit challenging when faced with 802.11 traffic. Let's take a hands on look at what I'm talking about below.

So you captured some wifi data (802.11) with airodump-ng like this, for example:

igs-awilliams@IGSLAP02~> airmon-ng start wlan0

igs-awilliams@IGSLAP02~> airodump-ng -w dump -c 11 wlan0

(Or you captured with Kismet, etc.)

Now you want to go back and pull out passwords, URLs, instant messages and images from your capture file: dump.cap.

igs-awilliams@IGSLAP02~> dsniff -r dump.cap

dsniff: record_init: Invalid argument

And the other fun programs (driftnet, msgsnarf, urlsnarf, etc.) don't read files at all, they only work in real time listening on network interfaces. Driftnet won't even listen on 802.11 interfaces in rfmon mode:

igs-awilliams@IGSLAP02~> driftnet -i wlan0

driftnet: unknown data link type 119

The solution: Use tcpreplay to play back the packets on a network interface so all these interesting programs can work.

Download the latest stable release of tcpreplay (currently tcpreplay-2.3.5.tar.gz) here:

Install from source in the usual fashion:

igs-awilliams@IGSLAP02~> tar xzvf tcpreplay-2.3.5.tar.gz

igs-awilliams@IGSLAP02~> cd tcpreplay-2.3.5

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # ./configure

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # make

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # make install

Another small problem, tcpreplay doesn't understand 802.11 headers:

igs-awilliams@IGSLAP02~> tcpreplay -i lo dump.cap

sending on: lo

validate_l2(): Unsupported datalink type: 802.11 (0x69)

Relax, airdecap-ng can convert the capture to straight Ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can also use it just to strip the 802.11 headers:

igs-awilliams@IGSLAP02~> airdecap-ng dump.cap

Total number of packets read 256828

Total number of WEP data packets 315

Total number of WPA data packets 0

Number of plaintext data packets 42287

Number of decrypted WEP packets 0

Number of decrypted WPA packets 0

This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the airdecap-ng command.

Now we're going to replay the data on the local loopback Ethernet interface (lo). This gives us an interface to send the data on without actually sending it out over the air or on the local network.

First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each):

igs-awilliams@IGSLAP02~> dsniff -i lo

igs-awilliams@IGSLAP02~> driftnet -i lo

igs-awilliams@IGSLAP02~> urlsnarf -i lo

igs-awilliams@IGSLAP02~> msgsnarf -i lo

Then run tcpreplay (the -R option speeds up the replay):

igs-awilliams@IGSLAP02~> tcpreplay -i lo -R dump-dec.cap

sending on: lo

42287 packets (20751892 bytes) sent in 4.67 seconds

4435909.0 bytes/sec 33.84 megabits/sec 9039 packets/sec

Each sniffer sees the packets as they are replayed on the local interface.

May Your Skill Prevail!

No comments: