f-log

just another web log

29 Jul 2014:
Microsoft Network Monitor WPA2 packets cannot be decrypted
Continuing my decrypting of WPA2 packet captures from Raspberry Pi WPA2 capture and decryption.

Wireshark refuses to decrypt with my pass phrase, so let's try the command line version "TShark" that comes with the install of Wireshark.

This is using the Wireshark WPA encrypted "Induction" sample file from "How to Decrypt 802.11".
"c:\Program Files\Wireshark\tshark.exe" -nr input\wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"Induction:Coherer\"" -2 -R "http"
1 10.527211 10.10.10.20 -> 239.255.255.250 SSDP 201 M-SEARCH * HTTP/1.1
2 10.527233 10.10.10.20 -> 239.255.255.250 SSDP 237 M-SEARCH * HTTP/1.1
3 10.528237 10.10.10.20 -> 239.255.255.250 SSDP 232 M-SEARCH * HTTP/1.1
4 13.405660 192.168.0.50 -> 66.230.200.100 HTTP 699 GET /wiki/Landshark HTTP/1.1
5 14.390505 192.168.0.50 -> 66.230.200.228 HTTP 630 GET /fundraising/2006/meter.png HTTP/1.1
6 14.496485 66.230.200.228 -> 192.168.0.50 HTTP 510 HTTP/1.0 200 OK (PNG)
7 26.219523 192.168.0.50 -> 209.188.21.206 HTTP 707 GET /75/75djaws2.phtml HTTP/1.1
8 26.310502 209.188.21.206 -> 192.168.0.50 HTTP 1576 [TCP Previous segment not captured] Continuation or non-HTTP traffic
9 26.346504 209.188.21.206 -> 192.168.0.50 HTTP 651 [TCP Previous segment not captured] Continuation or non-HTTP traffic
10 26.571516 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /style.css HTTP/1.1
11 26.618552 209.188.21.206 -> 192.168.0.50 HTTP 869 HTTP/1.1 200 OK (text/css)
12 26.719455 192.168.0.50 -> 209.188.21.206 HTTP 588 GET /75/space2.gif HTTP/1.1
13 26.772424 209.188.21.206 -> 192.168.0.50 HTTP 1151 HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
14 26.773438 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws2.jpg HTTP/1.1
15 26.789429 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws1.jpg HTTP/1.1
16 26.814423 192.168.0.50 -> 209.188.21.206 HTTP 595 [TCP ACKed unseen segment] GET /75/pics/75djaws3.jpg HTTP/1.1
17 26.855414 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /line.jpg HTTP/1.1
18 26.878523 192.168.0.50 -> 72.14.255.99 HTTP 1174 GET /pagead/ads?client=ca-pub-9011062396508188&dt=1167891175069&lmt=1167891174&format=728x90_as&output=html&channel=8345570081&url=http%3A%2F%2Fsnltranscripts.jt.org%2F75%2F75djaws2.phtml&color_bg=C0C0C0&color_text=000000&color_link=666666&color_url=3366FF&color_border=999999&ad_type=text_image&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3D%2522land%2Bshark%2522%2Bcandygram%26start%3D0%26ie%3Dutf-8%26oe%3Dutf-8%26client%3Dfirefox-a%26rls%3Dorg.mozilla%3Aen-US%3Aofficial&cc=100&u_h=900&u_w=1440&u_ah=825&u_aw=1440&u_cd=32&u_tz=-480&u_his=2&u_java=true&u_nplug=9&u_nmime=103 HTTP/1.1
19 26.892408 209.188.21.206 -> 192.168.0.50 HTTP 1069 HTTP/1.1 200 OK (JPEG JFIF image)
20 27.450348 192.168.0.50 -> 209.188.21.206 HTTP 529 [TCP ACKed unseen segment] [TCP Previous segment not captured] GET /favicon.ico HTTP/1.1
21 27.493311 209.188.21.206 -> 192.168.0.50 HTTP/XML 607 [TCP ACKed unseen segment] [TCP Previous segment not captured] HTTP/1.1 404 Not Found

Works!!

Now with a bad pass phrase
"c:\Program Files\Wireshark\tshark.exe" -nr input\wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"INCORRECTPASSWORD:BADSSID\"" -2 -R "http"
1 10.527211 10.10.10.20 -> 239.255.255.250 SSDP 201 M-SEARCH * HTTP/1.1
2 10.527233 10.10.10.20 -> 239.255.255.250 SSDP 237 M-SEARCH * HTTP/1.1
3 10.528237 10.10.10.20 -> 239.255.255.250 SSDP 232 M-SEARCH * HTTP/1.1
4 13.405660 192.168.0.50 -> 66.230.200.100 HTTP 699 GET /wiki/Landshark HTTP/1.1
5 14.390505 192.168.0.50 -> 66.230.200.228 HTTP 630 GET /fundraising/2006/meter.png HTTP/1.1
6 14.496485 66.230.200.228 -> 192.168.0.50 HTTP 510 HTTP/1.0 200 OK (PNG)
7 26.219523 192.168.0.50 -> 209.188.21.206 HTTP 707 GET /75/75djaws2.phtml HTTP/1.1
8 26.310502 209.188.21.206 -> 192.168.0.50 HTTP 1576 [TCP Previous segment not captured] Continuation or non-HTTP traffic
9 26.346504 209.188.21.206 -> 192.168.0.50 HTTP 651 [TCP Previous segment not captured] Continuation or non-HTTP traffic
10 26.571516 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /style.css HTTP/1.1
11 26.618552 209.188.21.206 -> 192.168.0.50 HTTP 869 HTTP/1.1 200 OK (text/css)
12 26.719455 192.168.0.50 -> 209.188.21.206 HTTP 588 GET /75/space2.gif HTTP/1.1
13 26.772424 209.188.21.206 -> 192.168.0.50 HTTP 1151 HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
14 26.773438 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws2.jpg HTTP/1.1
15 26.789429 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws1.jpg HTTP/1.1
16 26.814423 192.168.0.50 -> 209.188.21.206 HTTP 595 [TCP ACKed unseen segment] GET /75/pics/75djaws3.jpg HTTP/1.1
17 26.855414 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /line.jpg HTTP/1.1
18 26.878523 192.168.0.50 -> 72.14.255.99 HTTP 1174 GET /pagead/ads?client=ca-pub-9011062396508188&dt=1167891175069&lmt=1167891174&format=728x90_as&output=html&channel=8345570081&url=http%3A%2F%2Fsnltranscripts.jt.org%2F75%2F75djaws2.phtml&color_bg=C0C0C0&color_text=000000&color_link=666666&color_url=3366FF&color_border=999999&ad_type=text_image&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3D%2522land%2Bshark%2522%2Bcandygram%26start%3D0%26ie%3Dutf-8%26oe%3Dutf-8%26client%3Dfirefox-a%26rls%3Dorg.mozilla%3Aen-US%3Aofficial&cc=100&u_h=900&u_w=1440&u_ah=825&u_aw=1440&u_cd=32&u_tz=-480&u_his=2&u_java=true&u_nplug=9&u_nmime=103 HTTP/1.1
19 26.892408 209.188.21.206 -> 192.168.0.50 HTTP 1069 HTTP/1.1 200 OK (JPEG JFIF image)
20 27.450348 192.168.0.50 -> 209.188.21.206 HTTP 529 [TCP ACKed unseen segment] [TCP Previous segment not captured] GET /favicon.ico HTTP/1.1
21 27.493311 209.188.21.206 -> 192.168.0.50 HTTP/XML 607 [TCP ACKed unseen segment] [TCP Previous segment not captured] HTTP/1.1 404 Not Found

Works!!
wait.. What the HELL!

Oh, it's using the keys I added into Wireshark. Right, change to the bad pass phrase in Wireshark then rerun in TShark:
"c:\Program Files\Wireshark\tshark.exe" -nr input\wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"INCORRECTPASSWORD:BADSSID\"" -2 -R "http"


Fails!! woohoo.

Now to try the correct pass phrase again, because this is all about TShark:
"c:\Program Files\Wireshark\tshark.exe" -nr input\wpa-Induction.pcap -o wlan.enable_decryption:TRUE -o "uat:80211_keys:\"wpa-pwd\",\"Induction:Coherer\"" -2 -R "http"
1 10.527211 10.10.10.20 -> 239.255.255.250 SSDP 201 M-SEARCH * HTTP/1.1
2 10.527233 10.10.10.20 -> 239.255.255.250 SSDP 237 M-SEARCH * HTTP/1.1
3 10.528237 10.10.10.20 -> 239.255.255.250 SSDP 232 M-SEARCH * HTTP/1.1
4 13.405660 192.168.0.50 -> 66.230.200.100 HTTP 699 GET /wiki/Landshark HTTP/1.1
5 14.390505 192.168.0.50 -> 66.230.200.228 HTTP 630 GET /fundraising/2006/meter.png HTTP/1.1
6 14.496485 66.230.200.228 -> 192.168.0.50 HTTP 510 HTTP/1.0 200 OK (PNG)
7 26.219523 192.168.0.50 -> 209.188.21.206 HTTP 707 GET /75/75djaws2.phtml HTTP/1.1
8 26.310502 209.188.21.206 -> 192.168.0.50 HTTP 1576 [TCP Previous segment not captured] Continuation or non-HTTP traffic
9 26.346504 209.188.21.206 -> 192.168.0.50 HTTP 651 [TCP Previous segment not captured] Continuation or non-HTTP traffic
10 26.571516 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /style.css HTTP/1.1
11 26.618552 209.188.21.206 -> 192.168.0.50 HTTP 869 HTTP/1.1 200 OK (text/css)
12 26.719455 192.168.0.50 -> 209.188.21.206 HTTP 588 GET /75/space2.gif HTTP/1.1
13 26.772424 209.188.21.206 -> 192.168.0.50 HTTP 1151 HTTP/1.1 200 OK (GIF89a) (GIF89a) (image/gif)
14 26.773438 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws2.jpg HTTP/1.1
15 26.789429 192.168.0.50 -> 209.188.21.206 HTTP 595 GET /75/pics/75djaws1.jpg HTTP/1.1
16 26.814423 192.168.0.50 -> 209.188.21.206 HTTP 595 [TCP ACKed unseen segment] GET /75/pics/75djaws3.jpg HTTP/1.1
17 26.855414 192.168.0.50 -> 209.188.21.206 HTTP 583 [TCP ACKed unseen segment] GET /line.jpg HTTP/1.1
18 26.878523 192.168.0.50 -> 72.14.255.99 HTTP 1174 GET /pagead/ads?client=ca-pub-9011062396508188&dt=1167891175069&lmt=1167891174&format=728x90_as&output=html&channel=8345570081&url=http%3A%2F%2Fsnltranscripts.jt.org%2F75%2F75djaws2.phtml&color_bg=C0C0C0&color_text=000000&color_link=666666&color_url=3366FF&color_border=999999&ad_type=text_image&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3D%2522land%2Bshark%2522%2Bcandygram%26start%3D0%26ie%3Dutf-8%26oe%3Dutf-8%26client%3Dfirefox-a%26rls%3Dorg.mozilla%3Aen-US%3Aofficial&cc=100&u_h=900&u_w=1440&u_ah=825&u_aw=1440&u_cd=32&u_tz=-480&u_his=2&u_java=true&u_nplug=9&u_nmime=103 HTTP/1.1
19 26.892408 209.188.21.206 -> 192.168.0.50 HTTP 1069 HTTP/1.1 200 OK (JPEG JFIF image)
20 27.450348 192.168.0.50 -> 209.188.21.206 HTTP 529 [TCP ACKed unseen segment] [TCP Previous segment not captured] GET /favicon.ico HTTP/1.1
21 27.493311 209.188.21.206 -> 192.168.0.50 HTTP/XML 607 [TCP ACKed unseen segment] [TCP Previous segment not captured] HTTP/1.1 404 Not Found

Works!!

Good! I think. This is getting confusing.

Now what about my two WPA encrypted capture sessions? One from Network Monitor 3.4 and the other from Kismet on the Raspberry Pi.

"c:\Program Files\Wireshark\tshark.exe" -nr input\wpa-kismet.pcap -2 -R "http"
...
all my fun packets
...


Note the lack of any other settings? That means it got the keys from Wireshark. Sure enough, if I nobble the keys in Wireshark then that command returns no packets.

Can I enter the key into TShark ... ?

Nope, same problem: encoding the characters makes the physical string longer than its max of 63 characters.

So before we go any further, that means the Wireshark documentation requiring the encoding of special characters does not apply to double quotes and spaces inside Wireshark, but the only way to specify them in DOS is to use some kind of encoding and that bulks out the string length.
I have raised the issue with Wireshark.
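One way around the quoting and length problem described above, as an added example that is neither the blog's nor Wireshark's own code: derive the PSK offline (the 4096-round PBKDF2 that every WPA2 supplicant performs) and hand TShark the 64-hex-digit "wpa-psk" key type instead of "wpa-pwd", so there are no quotes or spaces left to escape. The tshark path is the one from the post; the helper names are mine and the long passphrase is constructed.

```python
import hashlib
import re
import subprocess

# Path used in the post; the helper functions below are added for this example.
TSHARK = r"c:\Program Files\Wireshark\tshark.exe"

def validate_passphrase(passphrase):
    """WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters
    (codes 32-126). Quotes and spaces are legal; the 63 limit applies to the
    passphrase itself, never to a shell-escaped form of it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError(f"passphrase must be 8-63 characters, got {len(passphrase)}")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def wpa_psk_hex(passphrase, ssid):
    """Derive the 256-bit PSK exactly as a WPA2 supplicant does:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    validate_passphrase(passphrase)
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()

def tshark_argv(pcap, psk_hex, display_filter="http"):
    """The command line from the post, with the key supplied as wpa-psk hex:
    64 hex digits contain nothing that cmd.exe or Wireshark needs escaped.
    Passing a list to subprocess also avoids hand-built quoting altogether.
    Keys saved in the Wireshark profile still apply, as the post found."""
    if not re.fullmatch(r"[0-9a-f]{64}", psk_hex):
        raise ValueError("PSK must be 64 lowercase hex digits")
    return [
        TSHARK, "-nr", pcap,
        "-o", "wlan.enable_decryption:TRUE",
        "-o", f'uat:80211_keys:"wpa-psk","{psk_hex}"',
        "-2", "-R", display_filter,
    ]

def run_decrypt(pcap, passphrase, ssid):
    """Derive the PSK and run TShark, returning its stdout (the packet list)."""
    argv = tshark_argv(pcap, wpa_psk_hex(passphrase, ssid))
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Constructed passphrase in the style of the post's own, quotes and spaces included.
    print(wpa_psk_hex('The Most amazing "WPA2" passphrase', "MYSSID"))
    print(tshark_argv(r"input\wpa-Induction.pcap", wpa_psk_hex("Induction", "Coherer")))
```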

Now onto the Microsoft Network Monitor 3.4 capture file.

...

Big fat 0. Wireshark/TShark is unable to decode the packets generated from Microsoft Network Monitor 3.4, even with the full four way handshake.

Linux WINS!

You will notice that there is no mention of the Freesat app in this post; that's for the next post.
23 Jul 2014:
Raspberry Pi WPA2 capture and decryption
Thwarted by the Freesat app Fiddler failure, I decided to turn it up a notch. I do not give up easily!

But then I came across Network Monitor 3.4 and spent a whole day trying to get it to work and get the results into Wireshark.
Let's just say the magical "Scanning Options" "Monitor Mode" is a) not easy to find and b) you have to know to leave the options window open, which is quite non-obvious.

Once in Wireshark all the packets were encrypted and the way Wireshark decrypts them does not seem to work with my mega long and complicated passphrase.

Of course I can just use Linux, Raspberry Pi to be exact.

I had everything installed from my previous Pi wifi experiments:
WEP up the raspberry pi
Automatic WEP on the raspberry pi
Slapping a new MAC on the Pi
WEP key recovery with the Pi
Switching to WPA2 and about time
Reaver can not eat my WPS
Testing the Pi with WPA2
Automatic pi wifi wpa2 connection

It took me a while to realise that Kismet captures packets without asking. But once I had those juicy packets, including the four way handshake, all I had to do was decrypt them.

Should be easy, I own all the devices and I have the KEY!

airdecap-ng -e 'MYSSID' -p 'The Most amazing "WPA2" passphrase' Kismet-date-time.pcapdump
and out pops a Kismet-date-time.pcapdump-dec file.

Load it into Wireshark and it is mostly gobbledy-goop :( but hang on, some of it's fine.

The test session I had done to make sure I had something to identify in the capture packets was to browse a lot of pages at Wikipedia, text, text and more human readable text.

The packets that were readable were the HTTP requests/responses, but only the headers, and reading those headers showed why. To keep bandwidth to a minimum Wikipedia was sending everything gzip (compressed); Wireshark was oblivious to this and just showed me the raw data. Just the same as if you opened a .ZIP file in a text editor.

AGHHHhhh! Wrong wrong wrong! Wireshark happily decodes gzip encoded HTTP but this is ..dun.. ..dun.. ..dunnnnn.. HTTPS

I should point out I could not get "airdecap" to decrypt the Network Monitor 3.4 captures. Oddly Wireshark can load them but not save or export them.

So HTTPS/SSL traffic, eh. Can I decrypt them? Yes, but only if I have the master server key, and for some reason I do not have access to Wikipedia's SSL key.

The interesting thing was that although I had surfed all over Wikipedia and the HTTPS nature of the connection hid even the names/URLs of the articles I visited, some of the image requests were not, so you could still determine what I had been looking at, if there were images.

Next step: capture the Freesat app in action, and hope it's not all SSL.
20 Jul 2014:
Freesat Android app is better than nothing
I have been waiting for a Freesat app for Android and it's finally here.

First job was registering a Freesat ID; this is independent of the Freesat account for newsletters and updates, the Humax registered account, the MyHumax account and the forums account.

Next, get the app from the Google Play store.

Set up Fiddler on an old Windows laptop and point the phone's proxy settings at it.

Now I can set up the Freesat box and get my pairing ID that I can enter into the app.

But the app will not start and Fiddler is showing it trying to securely connect to auth.platform.freesat.tv.

Even going to the lengths of installing the Fiddler root certificate does not make the app any happier.

Still, turning all that off, the app finds the Humax box and after logging in and pairing shows me all the shows and lets me set a recording.

If only they had an API that I could call via my TV project :(

Better than nothing!
20 Jul 2014:
Windows 8 happy transfer including outlook
A friend who had me buy and install a Windows 8 machine a while back just got a new laptop with Windows 8 pre-installed. I have to say it was very easy to set up: just log in with the same 'cloudy' account and the machine configures itself.

Office was much the same. The pre-installed icon took us to the Office website. Logged in and it set about installing a new (you start with 5 licences) copy of Office.

The final step was a bit more painful, but I doubt most people would have to do it.

Outlook on the main machine was setup with multiple accounts, at least 6, and I was not about to recreate them all from scratch.

The trick was to export the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles

And import it again on the new machine. I thought I had also copied the required .PST files that Outlook uses to store data, but for some reason there were a number of tiny ones that did not seem to be used that the "profile" required.

Once that voodoo was complete it just worked, client very happy!

Another black eye for all the Windows 8 haters. No, I do not have Windows 8, but I use it at work quite happily. And I hate Apple more than Microsoft!
13 Jul 2014:
What I found was that motion does not like certain resolutions for the Raspberry Pi Camera with uv4l.

Ones it did like were

2592x1920
1920x1072
640x480

I opted for the 1920x1072 as the 2592x1920 files were massive and I wanted each captured image uploaded via FTP.

The sensitivity needed to be tuned to
threshold 60000
for such a large file (pixel count).

There is also a great "setup" option. Passing "-s" to motion causes it to spit out the number of pixels that changed, and if you have the remote web server enabled you can view these values dynamically as the image turns blue when the threshold is reached. On top of that there is a second web server option that exposes the motion.conf settings and you can modify them in real time without restarting!

The FTP bit was easy. In the motion conf file is a setting called "on_picture_save" and with wput you just set it to

on_picture_save wput ftp://USERNAME:PASSWORD@FTP.SERVER.NAME %f


The "%f" gets replaced with the file name created by motion.
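motion runs that on_picture_save line as a shell command, with the FTP login written into the config file in the clear. As an added example (mine, not motion's or the blog's), here is a Python check over a constructed motion.conf excerpt in the post's style: it parses the option/value format, shows what %f expands to, flags credentials embedded in a URL, and works out what fraction of a 1920x1072 frame a threshold of 60000 amounts to.

```python
import shlex
from urllib.parse import urlsplit

# Constructed motion.conf excerpt in the style of the post; not a real config file.
SAMPLE_CONF = """\
# motion.conf excerpt (constructed)
width 1920
height 1072
threshold 60000
; on_picture_save echo %f      (disabled option, motion writes these with ';')
on_picture_save wput ftp://USERNAME:PASSWORD@FTP.SERVER.NAME %f
"""

def parse_motion_conf(text):
    """motion.conf holds one 'option value' pair per line; lines starting with
    '#' or ';' are comments. Values may contain spaces, so split once only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf

def threshold_fraction(conf):
    """Fraction of the frame that must change before motion fires. For the post's
    1920x1072 at threshold 60000 this is about 0.029 (2.9% of the pixels)."""
    pixels = int(conf["width"]) * int(conf["height"])
    return int(conf["threshold"]) / pixels

def expand_on_picture_save(command, filename):
    """Substitute %f (the saved image path) as the post describes, then split into
    argv. shlex.quote keeps a filename with spaces or shell characters as one
    argument instead of letting it turn into extra arguments for wput."""
    return shlex.split(command.replace("%f", shlex.quote(filename)))

def find_url_credentials(command):
    """Return every URL token that embeds user:password. Such a credential sits in
    the config file and on the command line of the spawned process, and plain FTP
    also sends it unencrypted, so it should be treated as exposed."""
    hits = []
    for token in shlex.split(command):
        parts = urlsplit(token)
        if parts.scheme and parts.password is not None:
            hits.append(f"{parts.scheme}://{parts.username}:***@{parts.hostname}")
    return hits

if __name__ == "__main__":
    conf = parse_motion_conf(SAMPLE_CONF)
    print(f"threshold covers {threshold_fraction(conf):.1%} of the frame")
    print(expand_on_picture_save(conf["on_picture_save"], "/var/lib/motion/01-20140713120000-00.jpg"))
    print("credentials in URL:", find_url_credentials(conf["on_picture_save"]))
```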

Job done, it really is this easy!
12 Jul 2014:
uv4l userspace driver gives life to motion and the raspberry pi camera
So I have had my Raspberry Pi Noir camera for a few months but I have not done anything with it other than test it works.

I wanted to use motion to set the camera up as a motion detector but was surprised to find that the Raspberry Pi camera does not show up in
/dev/video0
as USB and other cameras do and motion does not have a built in way of handling the Raspberry Pi Camera.

Many MANY places say that that is the end of the line, no way to use motion with the Raspberry Pi camera :(

Except with a fork of motion called MMAL Motion, but it is known to be missing bits that are in the main branch, and I wanted to FTP the images to a remote server when taken.

There were whispers of another option that would generate the necessary /dev/video0.

Step up to the plate UV4L Userspace Video4Linux2

The use cases list is quite long as this code supports nearly all video4linux applications: motion, opencv, video streaming via RTMP and everything in between.

Install instructions are easy to follow and consist of


sudo vi /etc/apt/sources.list

and adding

deb http://www.linux-projects.org/listing/uv4l_repo/raspbian/ wheezy main

then updating with the standard

sudo apt-get update
sudo apt-get install motion uv4l uv4l-raspicam

(for some reason the last command failed, stating something about not being configured but after running it again it installed fine).

I did reboot at this point but I do not think that is necessary.

uv4l --driver raspicam --auto-video_nr
installed the /dev/video0 and then
LD_PRELOAD=/usr/lib/uv4l/uv4lext/armv6l/libuv4lext.so motion
just ran, immediately recording an image every time I moved in front of the camera.

As a bonus the developer handily offers an example motion.conf file that sets your Raspberry Pi up as a streaming server. Just connect with a browser.
LD_PRELOAD=/usr/lib/uv4l/uv4lext/armv6l/libuv4lext.so motion -c motion.conf

Needless to say I was more than happy to donate



