hacktricks/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


# Check BSSIDs

When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:

![](<../../../.gitbook/assets/image (424).png>)

![](<../../../.gitbook/assets/image (425).png>)

## Brute Force

One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:

```bash
aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap
```

For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.

# Data in Beacons / Side Channel

If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.

# Find Unknown MAC Addresses in A Wifi Network

The following link will be useful to find the **machines sending data inside a Wifi Network**:

* `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`

If you already know **MAC addresses you can remove them from the output** adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`

Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr==<MAC address> && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.

# Decrypt Traffic

Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit

![](<../../../.gitbook/assets/image (426).png>)


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

arte 2024-01-13 22:04:19 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-13 22:04:19 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-13 22:04:19 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-06 03:10:27 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
arte 2024-01-13 22:04:19 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
			`# Check BSSIDs`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (424).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (425).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Brute Force`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			One of the columns of that screen indicates if any authentication was found inside the pcap. If that is the case you can try to Brute force it using `aircrack-ng`:

			```bash
			`aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap`
			```

fix typo 2023-12-03 11:36:45 +00:00			`For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.`
WPA passphrase add some explanation 2023-12-03 11:35:16 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Data in Beacons / Side Channel`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			If you suspect that data is being leaked inside beacons of a Wifi network you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.

Update wifi-pcap-analysis.md 2022-09-10 10:20:20 +00:00			`# Find Unknown MAC Addresses in A Wifi Network`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
			`The following link will be useful to find the machines sending data inside a Wifi Network:`

			* `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			If you already know MAC addresses you can remove them from the output adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			Once you have detected unknown MAC addresses communicating inside the network you can use filters like the following one: `wlan.addr==<MAC address> && (ftp \|\| http \|\| ssh \|\| telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Decrypt Traffic`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../../.gitbook/assets/image (426).png>)`
GitBook: [master] 2 pages and 4 assets modified 2021-01-05 11:21:01 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00



Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

arte 2024-01-13 22:04:19 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-13 22:04:19 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-13 22:04:19 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-06 03:10:27 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).`
arte 2024-01-13 22:04:19 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00