by Nipun Jaswal, CISE, C|EH, OSWP

Wireless attacks are common these days, and for a hacker there is no bigger jackpot than finding a WEP-enabled network. People have become smarter and tend to use WPA/WPA2-enabled networks, but vulnerabilities in the wireless architecture still remain unsolved. In this article we will look at traditional WEP attacks and investigate who tried to break into the network and what activities they performed. In short, we will reconstruct the entire crime scene as it unfolded over the wireless network.


What you will learn:

  • Step By Step guide to investigating attacks

  • What to look for and what to exclude from capture files

  • Understanding wireless traffic down to the packet level


What you should know:

  • Basic familiarity with wireless cracking

  • Basics of TShark/Wireshark

  • Familiarity with Packet Structures


Wireless cracking is so common that hackers drive around cities in their cars looking for vulnerable wireless networks. That is war driving, but the point to note here is that you may never know who actually broke into your network, since the hacker does not have to plug a wire from your network into his system. You may never know in which corner of the building this malicious person is attacking your network, or sending malicious and dangerous emails that could land you in jail because your network was used by the attacker. Wireless is most vulnerable when it relies on the WEP encryption standard. In this article we will look at the methods used to track that malicious person down and see what he is actually doing on the network.


My friend ‘Mike’ called me up last Monday and told me that he had been experiencing very slow internet speed. When I asked him about his data plan, he told me that he had recently opted for an 8MBps connection. I advised him to look for open ports to cross-check whether anything malicious was going on in the background. He told me that his anti-virus is updated daily and that he has the latest firewall installed on his system. I asked him to shut his laptop down and try browsing the net from his mobile phone, but he faced the same problem again. He also told me that he had been away last month, yet his entire bandwidth quota had still been used up.

As soon as he said this, I knew exactly what had happened. Someone had access to his Wi-Fi passkey and was using his internet connection for free.


The next thing I advised my friend to do was change the passkey and then check the speed. He did exactly that and his problem was resolved: he got much higher speeds, in line with his data plan.


I got another call from him in the afternoon saying that the same problem had occurred again. Now I was pretty sure that some malicious player was around. I asked my friend to turn his network off and told him I would visit his place soon.

I reached his place in the evening and booted up my laptop, which is preconfigured with Kali Linux. Meanwhile I asked my mate to change the passkey again, and he did. I started my wireless card in monitor mode:



Figure 1. Monitor Mode


Then I started analyzing the network using Wireshark.


Figure 2. Capture Interface


At this point I did not know the new key set by my friend. To start the wireless card in monitor mode, open a terminal in Kali Linux/BackTrack and type:


#airmon-ng start wlan0 5


This command puts the wireless interface card into monitor mode fixed on channel 5, so that it captures only the traffic on that channel; my friend’s network was using channel 5.

I then asked my friend to carry on with his work on the network, as he was busy sending business emails and doing a variety of other things. After half an hour my friend started experiencing the same bandwidth problem, which confirmed the breach again. I stopped the Wireshark capture and started to analyze the breach.

Finding associations

The very first step is to find out how many clients actually sent association packets to the Access Point (AP).



Figure 3. Association Packets


We can find this by typing the filter:




This will display all the clients that sent an association request. Here 0x00 denotes the association request type. As the screenshot above shows, we have the following devices:

  • Sony Mobile (Known)

  • Apple Device (Known)

  • TP link (unknown)

  • 24:fd:52:03:49:e9 (unknown)

The known devices are the property of my friend, but we also have two unknown devices here, which confirms the breach.

Let’s investigate further and see what other evidence we can get. We can confirm that only the devices listed above were able to associate successfully by applying the following filter:


wlan.fc.type_subtype==0x01 && wlan_mgt.fixed.status_code==0x0000


In the filter above, 0x01 denotes an association response and the status code 0x0000 denotes a successful association. In our case all the devices associated successfully, so we skip the screenshot.


Finding Endpoints

The next step is to check how much data has been transferred by each player on the network and find out who transferred the most. As you may know, cracking the key of a WEP-enabled network requires lots of data. So let's see who has transferred how much.


Figure 4. Endpoints


Oops, it seems the unknown TP-LINK device is the most active one here, sending a huge amount of data. This analysis increases our confidence in the evidence that the TP-LINK adapter is a malicious player on the network.

The endpoints can be viewed in Wireshark by opening the Statistics menu and selecting Endpoints.


Analyzing the Suspect

As we have seen above, up to this point we have valid proof of the TP-LINK device behaving as the malicious player. So let’s analyze its activity and see what the person behind this device was actually trying to do:


Figure 5. Attack’s starting point


It seems that the device started the attack of sending ARP-type packets at packet number 25897; from this point on, it is purely data packets sent from this address to the AP.

To confirm that the suspect keeps sending data packets after this point, let’s set a filter:

Figure 6. Attack in progress


Here wlan.fc.type==2 selects packets of type ‘DATA’. As we can see, they clearly start from packet 25897, and analyzing these packets shows the attack starting at 6:45:50 pm.

Analyzing the last data frame sent from the malicious device, we see that its time is 6:49:45 pm, so the total time spent attacking the AP works out to 3 min 55 sec.


Finding out the Replayed Packet

Since we know that the attack began at packet number 25897, let’s see which data packet before that point was replayed by the malicious device. Let’s apply the following filter:


wlan.fc.type==2 && frame.number<25897 && frame.number>25775 && wlan.addr==ff:ff:ff:ff:ff:ff


This filter shows the data packets whose destination address is ff:ff:ff:ff:ff:ff and which come before the frame where the attack began.


Figure 7. Broadcast Packet


So we now know that a data packet from the Apple device was the one replayed to perform an ARP request replay attack.

So let’s see what we have got up to this point:

Table 1. Results

No. of AP
No. of Clients
No. of Unknown Clients
Replayed Data Packet Number
Attack Started from Packet
Difference of Packets
Time Difference Between Packets: 0.04 sec
Attack Ended After
Attack Started At
Attack Completed In: 3 min 55 sec
Possible Attack
MAC Address (Attacker)


Figure 8. Mac Address (Attacker)


The next step is to find out which system was used to connect to the attacked AP after the attack succeeded. We can do this simply by finding the clients that associated successfully after the attack.


Figure 9. Culprit Connected


The filter for this packet is:

wlan.fc.type_subtype==0x01 && wlan_mgt.fixed.status_code==0x0000 && frame.number>91679


We have used 91679 here because we need to find the association after the last packet of the attack. As you can see here the last packet of the attack was at:

Figure 10. Attack ending


So finally we have the address of the attacker's machine that was used to connect to the AP: 24:fd:52:03:49:e9.
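The investigation steps above, condensed into one script as an added example (not code from the original article). It runs on constructed frame rows rather than a real capture; the row layout, the MAC addresses, the `min_flood` threshold and the same-length heuristic for recognising replayed frames are assumptions.

```python
from collections import Counter, namedtuple

Frame = namedtuple("Frame", "number time subtype src dst length status")
BROADCAST = "ff:ff:ff:ff:ff:ff"
ASSOC_REQ, ASSOC_RESP, DATA = 0x00, 0x01, 0x20  # wlan.fc.type_subtype values
AP, PHONE, TABLET, FLOODER, LATE = ("02:00:00:00:00:0%d" % i for i in range(1, 6))

def sample_frames():
    """Constructed rows standing in for fields exported from a capture."""
    rows = [(1, 0.0, ASSOC_REQ, PHONE, AP, 90, None), (2, 0.1, ASSOC_RESP, AP, PHONE, 60, 0),
            (3, 0.2, ASSOC_REQ, TABLET, AP, 90, None), (4, 0.3, ASSOC_RESP, AP, TABLET, 60, 0),
            (5, 1.0, DATA, PHONE, AP, 1200, None),
            (6, 2.0, DATA, TABLET, BROADCAST, 86, None),  # genuine broadcast data frame
            (7, 2.5, ASSOC_REQ, FLOODER, AP, 90, None), (8, 2.6, ASSOC_RESP, AP, FLOODER, 60, 0)]
    # 500 identical broadcast data frames, 10 ms apart: the replay flood.
    rows += [(9 + i, 3.0 + i * 0.01, DATA, FLOODER, BROADCAST, 86, None) for i in range(500)]
    rows += [(509, 9.0, ASSOC_REQ, LATE, AP, 90, None), (510, 9.1, ASSOC_RESP, AP, LATE, 60, 0)]
    return [Frame(*r) for r in rows]

def investigate(frames, known, min_flood=100):
    """Rebuild the timeline: unknown stations, replay flood, seed frame, later joiners."""
    ok_resp = [f for f in frames if f.subtype == ASSOC_RESP and f.status == 0]
    unknown = sorted({f.dst for f in ok_resp} - set(known))
    data = [f for f in frames if f.subtype == DATA]
    shape = lambda f: (f.src, f.dst, f.length)
    # One station repeating the same broadcast frame shape many times is the replay signature.
    ranked = Counter(shape(f) for f in data).most_common(1)
    top, count = ranked[0] if ranked else ((None, None, None), 0)
    if count < min_flood or top[1] != BROADCAST:
        return {"unknown": unknown, "flood": None}
    flood = [f for f in data if shape(f) == top]
    first, last = flood[0], flood[-1]
    # Seed: latest broadcast data frame of that length from another station before the flood.
    seeds = [f for f in data if f.number < first.number and f.src != top[0]
             and f.dst == BROADCAST and f.length == top[2]]
    return {"unknown": unknown,
            "flood": {"src": top[0], "frames": count, "first": first.number,
                      "last": last.number, "duration_s": round(last.time - first.time, 2),
                      "seed": (seeds[-1].number, seeds[-1].src) if seeds else None,
                      "joined_after": [f.dst for f in ok_resp if f.number > last.number]}}

if __name__ == "__main__":
    print(investigate(sample_frames(), known={PHONE, TABLET}))
```

The `joined_after` list corresponds to the last filter in the article: successful association responses whose frame number is higher than the final frame of the flood.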

This concludes our discussion. You can go on to decrypt the entire packet capture file with Airdecap-ng and the WEP key, and then look for important information in HTTP or other protocols. This will help you find the attacker, or in some cases perhaps his social media account.



In resolving my friend’s problem we found out who was actually attacking his AP; further analysis took me to the Facebook account of the kid trying to break in. It turned out to be a local schoolboy living downstairs on the first floor! We have seen how easy it was to analyze the capture and find out which attack was carried out over the network and who conducted it, in this case an attack on a WEP network.

Taking this article further will let you carry out forensic analysis on WPA/WPA2 and enterprise-security-enabled networks. Learn security at the packet level, and you will actually be able to protect against attacks.


  • Use Long Passwords which are hard to guess

  • Keep Your Network Broadcast SSID Hidden

  • Try implementing WPA/WPA2 instead of WEP


  • Buy Cards Having High power

  • Use a High Range Antenna, a common example is 9dbi

  • Alfa cards are popular for wireless hacking so choose wisely

  • Buy AirPcap for effective wireless forensics




Professional with 2+ years of experience in the field of IT security, proficient in IT security awareness programs, network-based forensics, exploit development, web application penetration testing, wireless penetration testing and mobile forensics. Proven track record in IT security training, having trained over 10,000+ students and over 2000+ professionals in the regions of India and Africa. Authoring “Mastering Metasploit” for PACKTPUB. Developer of a web application penetration testing course, the first distance learning application testing course in India. Listed as a Hall of Fame security researcher at Adobe, Microsoft, AT&T, Nokia, Red Hat, Barracuda Labs, Kaneva, Facebook and BlackBerry.




September 5, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013