Capturing other hosts' wireless data streams with Wireshark in an unencrypted Wi-Fi environment

    As everyone knows, an unencrypted Wi-Fi connection in a public place is insecure, because anyone within range has the opportunity to see the data you send to the Internet. This article demonstrates exactly such a scenario.

    At first glance, isn't the title a little long? That is because of a peculiarity of the 802.11 wireless protocol, which forced me to add several qualifiers. Let me explain the peculiarity first. Normally a wireless card works in Client mode. In this mode, when the wireless card's driver receives a wireless frame, it strips the 802.11 protocol header, replaces it with an Ethernet header, and then hands the frame to the network protocol stack. When other network components (Wireshark included) pull the frame out of the network protocol stack, they can therefore treat the wireless frame exactly as they would an Ethernet frame. Readers can try capturing frames on the wireless card with Wireshark and check whether they carry an 802.11 header, as in the screenshot below:

    But this comes with a big limitation: a wireless card working in Client mode only accepts wireless frames addressed to this station and discards wireless frames that are not addressed to it. So although the room is full of Wi-Fi signals, the host running Wireshark (hereafter HOST) sees only a tiny fraction of the frames: just the normal data exchanged between HOST and the AP it is connected to. The wireless frames of other hosts are invisible to HOST.
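To make the difference between the two modes concrete, here is an added example (not code from the original post) that parses what a monitor-mode capture actually delivers: a radiotap pseudo-header followed by the 802.11 MAC header that Client mode strips off. The sample frames, MAC addresses and BSSID are constructed for this example; the parser also reports the Protected Frame bit, which is what tells you whether a data frame on the air is encrypted at all, and a helper shows which of the frames a Client-mode driver would have passed up to Wireshark.

```python
"""Parse monitor-mode 802.11 frames (radiotap + MAC header) and flag
unprotected data frames. Added example with constructed sample frames."""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def radiotap_length(buf):
    """Radiotap header: version(1) pad(1) length(2, little endian) present(4) ...
    Only the length matters here; it tells us where the 802.11 header starts."""
    version, _pad, length = struct.unpack_from("<BBH", buf, 0)
    if version != 0 or length < 8 or length > len(buf):
        raise ValueError("malformed radiotap header")
    return length


def parse_frame(buf):
    """Return a dict describing the 802.11 MAC header (the part Client mode
    replaces with an Ethernet header before anything else sees the frame)."""
    off = radiotap_length(buf)
    fc0, fc1, duration = struct.unpack_from("<BBH", buf, off)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)          # Protected Frame bit: payload is encrypted
    info = {"type": TYPE_NAMES[ftype], "subtype": subtype, "to_ds": to_ds,
            "from_ds": from_ds, "protected": protected, "duration": duration}
    pos = off + 4
    addr1 = buf[pos:pos + 6]; pos += 6
    info["receiver"] = mac_str(addr1)
    if ftype == 1:                         # control frames: CTS(12)/ACK(13) carry RA only
        if subtype not in (12, 13):
            info["transmitter"] = mac_str(buf[pos:pos + 6]); pos += 6
        info["body_offset"] = pos
        return info
    addr2 = buf[pos:pos + 6]; pos += 6
    addr3 = buf[pos:pos + 6]; pos += 6
    pos += 2                               # sequence control
    if ftype == 2 and to_ds and from_ds:   # WDS/4-address frame
        addr4 = buf[pos:pos + 6]; pos += 6
        da, sa, bssid = addr3, addr4, None
    elif from_ds:                          # AP -> station
        da, sa, bssid = addr1, addr3, addr2
    elif to_ds:                            # station -> AP
        da, sa, bssid = addr3, addr2, addr1
    else:                                  # management / ad-hoc
        da, sa, bssid = addr1, addr2, addr3
    info.update(dst=mac_str(da), src=mac_str(sa),
                bssid=mac_str(bssid) if bssid else None)
    if ftype == 2 and subtype & 0x8:       # QoS data: 2-byte QoS control field
        pos += 2
        if fc1 & 0x80:                     # Order bit on a QoS frame: 4-byte HT control
            pos += 4
    info["body_offset"] = pos
    body = buf[pos:]
    # An unprotected data frame carries LLC/SNAP in the clear, so even the
    # EtherType (and everything after it) is readable by any listener.
    if ftype == 2 and not protected and body[:6] == b"\xaa\xaa\x03\x00\x00\x00":
        info["ethertype"] = struct.unpack_from(">H", body, 6)[0]
    return info


def visible_in_client_mode(buf, host_mac):
    """In Client mode the driver only passes up frames whose receiver address
    is this station or a broadcast/multicast address; the rest are dropped."""
    rx = bytes.fromhex(parse_frame(buf)["receiver"].replace(":", ""))
    return rx == host_mac or bool(rx[0] & 0x01)


def unprotected_data_frames(frames):
    """Indices of data frames sent with the Protected Frame bit clear."""
    parsed = [parse_frame(f) for f in frames]
    return [i for i, p in enumerate(parsed) if p["type"] == "data" and not p["protected"]]


# --- constructed sample capture (not real traffic) ---------------------------
RADIOTAP = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])  # minimal 8-byte header
AP = bytes.fromhex("001122eeee1f")       # constructed BSSID
PHONE = bytes.fromhex("aabbccddee01")    # constructed station
HOST = bytes.fromhex("aabbccddee02")     # constructed capture host
BROADCAST = b"\xff" * 6
LLC_IPV4 = bytes.fromhex("aaaa030000000800")


def data_frame(flags, body):
    """QoS data frame (type 2, subtype 8) from AP to PHONE with the given flags."""
    return (RADIOTAP + bytes([0x88, flags]) + b"\x00\x00" + PHONE + AP + AP
            + b"\x10\x00" + b"\x00\x00" + body)


OPEN_AP_DATA = data_frame(0x02, LLC_IPV4 + b"\x45\x00")   # FromDS, unprotected: plaintext IPv4
WPA2_DATA = data_frame(0x42, bytes(8) + b"\xde\xad")       # FromDS + Protected: CCMP header + ciphertext
BEACON = RADIOTAP + bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + AP + AP + b"\x00\x00" + bytes(12)
ACK = RADIOTAP + bytes([0xd4, 0x00]) + b"\x00\x00" + AP
SAMPLE = [OPEN_AP_DATA, WPA2_DATA, BEACON, ACK]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE):
        print(i, parse_frame(frame), "client-mode visible:", visible_in_client_mode(frame, HOST))
    print("unprotected data frames:", unprotected_data_frames(SAMPLE))
```

Run on the constructed capture, only the beacon is something HOST would have seen in Client mode (it is addressed to broadcast); the phone's data frames are not addressed to HOST and would be discarded before Wireshark ever saw them. Of the two data frames, only the one from the open AP is reported as unprotected, and only for that one can the parser read the LLC/SNAP EtherType.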

    To get around this limitation, the card has to be switched from Client mode to Monitor mode. However, not every card supports this mode, and not every OS supports the switch. As far as I know, on Linux (Kali Linux in particular) you can switch modes with the aircrack-ng suite, and I have an ALFA card that supports Monitor mode. On Windows there is no comparable package, and the usable cards are pitifully few: only AirPcap (expensive! and discontinued in 2017; you can, however, buy knockoffs on Taobao). What follows uses a (knockoff) AirPcap card to capture other hosts' wireless frames. Let's begin.

Step 1. Select the target AP from among the available APs:

    You can use the wireless management tool built into Windows, or another tool such as inSSIDer (which, like AirPcap, is a MetaGeek product):

The information shown by the Windows wireless management tool is not very comprehensive, though. Pay attention to the network's channel: the figure shows Channel 1. You may know that 2.4G Wi-Fi supports both 20 MHz and 40 MHz bandwidth, and from the figure below you might conclude that the AP uses Channel 1 at 20 MHz. In fact the AP uses Channel 1 + 5 at 40 MHz. inSSIDer gives more complete information: besides the AP's channel it also shows the wireless signal's attenuation ("Radio Signal" in the figure: -17 dBm), from which you can estimate the distance between the AP and HOST (the greater the distance, or the more obstacles in between, the larger the absolute value of the radio signal figure. The -17 dBm in the figure is a small attenuation because the wireless router was in my hand. I have measured several times with a wall in between, and the attenuation was between -87 dBm and -100 dBm).

Step 2. Set Wireshark's wireless capture parameters:

Just as in the earlier Ethernet frame analysis, the first step is to choose the capture interface; select the AirPcap wireless capture interface (the "AirPcap USB wireless capture adapter nr 00" in the figure):

To capture wireless frames, you must enter the Channel information that inSSIDer reported for the SSID into the wireless toolbar (Wireshark hides this toolbar by default; enable it via "View" - "Wireless Toolbar"). Without the correct Channel setting you will not capture the wireless frames you need!

Before setting the wireless toolbar parameters, the concept of 20 MHz / 40 MHz channels in the 2.4G band needs explaining. 2.4G Wi-Fi has 11 channels in total (some routers offer 13). Each channel provides 20 MHz of bandwidth, and the center frequencies of adjacent channels are 5 MHz apart (for example, the spacing between Ch1 and Ch2 is 5 MHz, and between Ch2 and Ch3 is 5 MHz). Because each channel is 20 MHz wide while the channel spacing is only 5 MHz, neighbouring channels overlap, as shown below:

Readers can picture each channel as a rectangle 20 cm wide. Mark the perpendicular bisector of the first rectangle as Ch1 and that of the second as Ch2, with the Ch1 and Ch2 bisectors 5 cm apart, and so on. Ch3's left edge then lies exactly on Ch1, and Ch3's right edge lies on Ch5. Returning to 2.4G Wi-Fi: "Channel 1" means the center frequency of channel 1 is 2.412 GHz, and the channel's two edges sit on the centers of Ch -1 and Ch 3, whose center frequencies are 2.402 GHz and 2.422 GHz respectively; likewise "Channel 5" means the center frequency of Ch5 is 2.432 GHz, and its edges sit on the centers of Ch 3 and Ch 7.

To increase bandwidth, some routers merge 2 channels into a 40 MHz band. Channel 1+5, for example, is a 40 MHz channel occupying Ch -1 through Ch 7, and Channel 11-7 is a 40 MHz channel occupying Ch 5 through Ch 13. Because a 40 MHz band uses 2 channels, there is a primary and a secondary channel: the primary channel carries control/management signals and the secondary carries data. In Channel 1+5, Channel 1 is the primary and Channel 5 the secondary. The notation "Channel 1, HT 40+" means Ch 5 is merged upward onto Ch 1 to form 40 MHz, and "Channel 11, HT 40-" means Ch 7 is merged onto Ch 11 to form 40 MHz.
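The channel arithmetic in the two paragraphs above is easy to get wrong when reading a scanner's output, so here is an added example (not code from the original post) that carries it through in code: center frequencies from the channel number, the 20 MHz edges, the overlap test, and the HT40+/HT40- bonding that turns Channel 1 into "Channel 1+5". It generalizes the post's two cases to any primary channel; the treatment of Ch 14 as a special case at 2484 MHz is my addition and is not discussed in the post.

```python
"""2.4 GHz channel geometry: center frequencies, 20 MHz edges, overlap and
HT40 bonding. Added example; constants follow the channel plan in the text."""

CHANNEL_WIDTH_MHZ = 20
CHANNEL_SPACING_MHZ = 5


def center_mhz(ch):
    """Center frequency of 2.4 GHz channel `ch`: Ch1 = 2412 MHz, +5 MHz per step.
    The same formula yields the virtual 'Ch -1' (2402 MHz) used in the text.
    Ch14 (2484 MHz, 802.11b in Japan only) breaks the pattern; assumption added here."""
    if ch == 14:
        return 2484
    return 2407 + CHANNEL_SPACING_MHZ * ch


def channel_at_mhz(freq_mhz):
    """Inverse of center_mhz for the regular part of the plan (Ch -1 .. Ch 13)."""
    if freq_mhz == 2484:
        return 14
    if (freq_mhz - 2407) % CHANNEL_SPACING_MHZ:
        raise ValueError(f"{freq_mhz} MHz is not a channel center")
    return (freq_mhz - 2407) // CHANNEL_SPACING_MHZ


def edges_mhz(ch, width=CHANNEL_WIDTH_MHZ):
    """Lower and upper edge of the channel's band (the 'rectangle' in the text)."""
    c = center_mhz(ch)
    return c - width // 2, c + width // 2


def overlaps(ch_a, ch_b):
    """True when the two 20 MHz bands share spectrum (touching edges do not count)."""
    lo_a, hi_a = edges_mhz(ch_a)
    lo_b, hi_b = edges_mhz(ch_b)
    return lo_a < hi_b and lo_b < hi_a


def ht40(primary, direction):
    """Bond `primary` with the channel 4 steps above ('+', HT40+) or below ('-', HT40-).
    Returns the secondary channel, the bonded 40 MHz span and which channel
    centers sit on its edges, e.g. Channel 1+5 -> Ch -1 .. Ch 7."""
    if direction not in ("+", "-"):
        raise ValueError("direction must be '+' or '-'")
    secondary = primary + 4 if direction == "+" else primary - 4
    lo = min(edges_mhz(primary)[0], edges_mhz(secondary)[0])
    hi = max(edges_mhz(primary)[1], edges_mhz(secondary)[1])
    return {
        "primary": primary,
        "secondary": secondary,
        "span_mhz": (lo, hi),
        "center_mhz": (lo + hi) // 2,
        "edge_channels": (channel_at_mhz(lo), channel_at_mhz(hi)),
        "label": f"Channel {primary}, HT 40{direction}",
    }


if __name__ == "__main__":
    for ch in (1, 3, 5, 6, 11):
        print(f"Ch{ch:>2}: center {center_mhz(ch)} MHz, edges {edges_mhz(ch)}")
    print("Ch1/Ch2 overlap:", overlaps(1, 2), " Ch1/Ch6 overlap:", overlaps(1, 6))
    print(ht40(1, "+"))
    print(ht40(11, "-"))
```

Note that `overlaps` implements the idealized 20 MHz rectangles of the text, so Ch1 and Ch5 merely touch and are reported as non-overlapping; real transmit masks spill beyond the nominal 20 MHz, which is why 1/6/11 is the usual non-interfering set in practice.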

    With that background, let's set Wireshark's wireless parameters. From the AP information inSSIDer reported, we know the SSID TP-Link_EE1F uses Ch 1+5 combined into a 40 MHz band, so the final settings are:

Step 3. Quietly wait for wireless frames to appear:

    Now I connect my phone to TP-Link_EE1F and log in to the TP-Link router management page tplogin.cn, while HOST quietly captures the whole process.

After login, the router management page shows my phone's IP/MAC. Back in Wireshark, stop the capture and search for HTTP-related traffic:

Hmm, there really is quite a lot... It seems the TP-Link router management page is not encrypted, and I can read a good deal of it. For example, when the phone logged in it requested 2 images:

So it seems you really should not casually connect to an unencrypted AP in a public place; who knows what the person sitting next to you is up to.

Origin blog.csdn.net/lixiangminghate/article/details/101981953