hacktricks/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md



{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


# Check BSSIDs

When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:

![](<../../../.gitbook/assets/image (424).png>)

![](<../../../.gitbook/assets/image (425).png>)

## Brute Force

One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:

```bash
aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap
```

For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.

# Data in Beacons / Side Channel

If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.

# Find Unknown MAC Addresses in A Wifi Network

The following link will be useful to find the **machines sending data inside a Wifi Network**:

* `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`

If you already know **MAC addresses you can remove them from the output** adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`

Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr==<MAC address> && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.

# Decrypt Traffic

Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit

![](<../../../.gitbook/assets/image (426).png>)


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 16:21:56 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
			`# Check BSSIDs`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (424).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (425).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Brute Force`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			One of the columns of that screen indicates if any authentication was found inside the pcap. If that is the case you can try to Brute force it using `aircrack-ng`:

			```bash
			`aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap`
			```

fix typo 2023-12-03 11:36:45 +00:00			`For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.`
WPA passphrase add some explanation 2023-12-03 11:35:16 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Data in Beacons / Side Channel`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			If you suspect that data is being leaked inside beacons of a Wifi network you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.

Update wifi-pcap-analysis.md 2022-09-10 10:20:20 +00:00			`# Find Unknown MAC Addresses in A Wifi Network`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			`The following link will be useful to find the machines sending data inside a Wifi Network:`

			* `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			If you already know MAC addresses you can remove them from the output adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			Once you have detected unknown MAC addresses communicating inside the network you can use filters like the following one: `wlan.addr==<MAC address> && (ftp \|\| http \|\| ssh \|\| telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Decrypt Traffic`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (426).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00



a 2024-07-18 16:21:56 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-18 16:21:56 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 16:21:56 +00:00			`{% endhint %}`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00