By now you have run your favorite passive scanner a few times and have figured out the information that it can find for you. In this section, we will go over the packets that are most interesting to a passive scanner and also to you. Some of these packets probably won't be used for analysis by any scanners, but they can still be useful to know about. For example, no scanner parses DHCP packets for IP information; however, this is useful information if you are looking through a pcap file yourself.

Association Request/Re-association Request
Association requests are sent from a client to an AP when it is connecting for the first time. For example, association requests occur when you click a wireless network in Windows and press the Connect button. Re-association requests are sent when a client wants to reconnect to an AP. In real life, the most likely reason for a client to re-associate is because it was deauthenticated or disassociated by a hacker. These packets are very interesting to scanners because they must contain the network's SSID, which is useful to know if you yourself want to connect, but the AP is censoring the SSID in beacon packets.

Beacons
Beacon packets have already been talked about extensively. Suffice it to say, beacons may contain the network's SSID and are typically broadcast once every 100 ms by the AP. APs that don't include the SSID in a beacon packet are attempting to avoid detection. Clearly, these are quite useful to scanners, even if the SSID is blanked out.

Probe Requests
Probe requests might seem like a strange thing for a passive scanner to track. That's because they are transmitted from clients, not the AP. Nonetheless, most scanners do log them because they can tell you that someone was looking for an AP with that SSID in the area. The idea is that you may want to start looking for the same network, but this is rarely useful.

Probe Responses
Probe responses must contain the SSID of the network they came from. This makes them useful for finding networks that are hiding.
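
How a passive scanner fills in a blanked beacon SSID from the association requests and probe responses described above, as an added example (not code from the original text or from any particular scanner). It assumes raw 802.11 frames with no radiotap header or FCS and a plain 24-byte header; the names `parse_mgmt`, `discover` and `sample`, and all frames, are constructed for illustration.

```python
# Added example: constructed frames, no radiotap header or FCS.
# subtype -> (name, bytes of fixed parameters before the tagged elements)
MGMT = {0: ("assoc-req", 4), 2: ("reassoc-req", 10), 4: ("probe-req", 0),
        5: ("probe-resp", 12), 8: ("beacon", 12)}

def parse_mgmt(frame):
    """Return (subtype, bssid, ssid) for a management frame, else None.
    ssid is None when the SSID element is empty or all NUL bytes."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None                        # too short, or not type 0 (management)
    subtype = (frame[0] >> 4) & 0xF
    if subtype not in MGMT:
        return None
    name, fixed = MGMT[subtype]
    bssid = frame[16:22].hex(":")          # address 3 carries the BSSID here
    pos, ssid = 24 + fixed, None
    while pos + 2 <= len(frame):           # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                          # truncated capture
        if tag == 0:                       # element ID 0 is the SSID
            if value.strip(b"\x00"):
                ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return name, bssid, ssid

def discover(frames):
    """Map each BSSID to its SSID, filling blanked beacons from later frames."""
    networks = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if not parsed or parsed[0] == "probe-req":
            continue                       # probe requests name a wanted SSID, not an AP
        _, bssid, ssid = parsed
        if ssid or bssid not in networks:
            networks[bssid] = ssid
    return networks

def sample(subtype, bssid, ssid):
    """Build a constructed frame: header, zeroed fixed fields, SSID, one rate."""
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bytes(6) + bssid + bytes(2)
    return header + bytes(MGMT[subtype][1]) + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

AP_A, AP_B, AP_C = (bytes.fromhex("0200000000" + x) for x in ("0a", "0b", "0c"))
FRAMES = [sample(8, AP_A, bytes(8)), sample(8, AP_B, b"guest"), sample(8, AP_C, b""),
          sample(0, AP_A, b"corp-lab"), sample(8, AP_A, bytes(8))]
```

`discover(FRAMES)` resolves the first AP's name from the association request even though every beacon from it is blanked, which is why a hidden SSID only stays hidden while no client connects.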

Data Packets
All data packets contain the BSSID of the AP they are associated with. By monitoring these packets, you can build up a list of connected clients quickly. Scanners also care about data packets when looking for weakly encrypted WEP packets and for other data in the payload portion of the packet.

ARP Traffic
If an AP doesn't employ encryption of some sort, then the scanner can discern useful information about the IP range of a network by watching ARP packets.

DHCP Traffic
If you happen to catch a DHCP packet, you can immediately discern the network's subnet mask, default gateway, IP range, and probably DNS servers. This information can be very handy to know if you want to connect to the network yourself.

IP Traffic
Any IP header will contain the source address of the sender. This address can be used to figure out the range of addresses on the network.