During this network trace the real Access Point was on channel 1. For our attack we cloned this victim access point on channel 13. The attacker used a WNDA3200 and TL-WN722N. The monitor used a Belkin F5D8053 and a WNDA3200. The first victim used an AWUS036h, and the second victim was a Samsung Galaxy S3 i9305.
We have three types of traces, all corresponding to our example attack on WPA mixed mode:
- channelmitm tool: attack_mitm.pcap
- attacker_1.pcap and attacker_13.pcap. These represent the attacker's interface on channel 1 and 13, respectively.
- monitor_1.pcap and monitor_13.pcap. These are the captures of the independent monitor on channel 1 and 13, respectively.

The usage of an external (independent) monitor is important because the traces created by the attacker are made at the OS level. Hence injected frames might have undergone (minor) modifications by the firmware before being transmitted. Additionally, not all management packets are captured (in particular, ACKs of injected frames are not included). Our independent monitor device captures all these missing (or potentially modified) frames.
The network traces have been filtered to prevent private data from being leaked. The following Wireshark display filters were applied:
- wlan.addr == 00:22:6b:fb:49:2b || wlan.addr == 90:18:7c:6e:6b:20 || wlan.addr == 00:c0:ca:62:a4:f6
- !(wlan.fc.type_subtype == 0x04) || wlan_mgt.ssid == "testnetwork" || wlan_mgt.ssid == ""
- !(eapol.keydes.key_info == 0x010a)
- !(dns || icmp)

Note that this is done in Wireshark with decryption enabled. Combined into a single filter expression this is:

(wlan.addr == 00:22:6b:fb:49:2b || wlan.addr == 90:18:7c:6e:6b:20 || wlan.addr == 00:c0:ca:62:a4:f6)
&& (!(wlan.fc.type_subtype == 0x04) || wlan_mgt.ssid == "testnetwork" || wlan_mgt.ssid == "")
&& !(eapol.keydes.key_info == 0x010a) && !(dns || icmp)
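To check what the combined filter keeps and what it drops, here is an added Python re-implementation of its clauses over a minimal frame model (example code written for this page, not part of the trace set or the channelmitm tool; the sample frames and the AP/station role given to two of the three addresses are assumed):

```python
# Added example, not part of the trace README: re-implements the page's
# combined Wireshark display filter over a minimal frame model so the
# effect of each clause can be checked on constructed frames.
OUR_DEVICES = {"00:22:6b:fb:49:2b", "90:18:7c:6e:6b:20", "00:c0:ca:62:a4:f6"}
PROBE_REQUEST = 0x04                 # wlan.fc.type_subtype of a probe request
SSID_ALLOWED = {"testnetwork", ""}   # own SSID or the wildcard (empty) SSID
FILTERED_KEY_INFO = 0x010a           # eapol.keydes.key_info value the filter drops
FILTERED_PROTOS = {"dns", "icmp"}    # only visible once the trace is decrypted

def keep_frame(frame):
    """Return True if `frame` survives the filter; mirrors each && clause.

    `frame` is a dict with the fields the filter touches: addrs (set of MACs
    in any address field), subtype, ssid, key_info and protos (set of names).
    """
    # wlan.addr == a || wlan.addr == b || wlan.addr == c
    if not (frame["addrs"] & OUR_DEVICES):
        return False
    # !(wlan.fc.type_subtype == 0x04) || wlan_mgt.ssid == "testnetwork" || wlan_mgt.ssid == ""
    if frame.get("subtype") == PROBE_REQUEST and frame.get("ssid") not in SSID_ALLOWED:
        return False
    # !(eapol.keydes.key_info == 0x010a)
    if frame.get("key_info") == FILTERED_KEY_INFO:
        return False
    # !(dns || icmp)
    if frame.get("protos", set()) & FILTERED_PROTOS:
        return False
    return True

def filter_trace(frames):
    """Apply keep_frame to a whole trace and return the surviving frame names."""
    return [f["name"] for f in frames if keep_frame(f)]

# Constructed sample frames (not taken from the pcaps on the page). Which address
# is the AP and which the station is not stated on the page, so these roles are assumed.
AP, STA, OTHER = "00:22:6b:fb:49:2b", "90:18:7c:6e:6b:20", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    {"name": "beacon", "addrs": {AP}, "subtype": 0x08, "ssid": "testnetwork"},
    {"name": "probe_other_ssid", "addrs": {STA}, "subtype": 0x04, "ssid": "HomeWifi"},
    {"name": "probe_wildcard", "addrs": {STA}, "subtype": 0x04, "ssid": ""},
    {"name": "eapol_msg_010a", "addrs": {AP, STA}, "key_info": 0x010a},
    {"name": "eapol_msg_008a", "addrs": {AP, STA}, "key_info": 0x008a},
    {"name": "foreign_data", "addrs": {OTHER}, "protos": {"tcp"}},
    {"name": "decrypted_dns", "addrs": {STA, AP}, "protos": {"udp", "dns"}},
    {"name": "decrypted_tcp", "addrs": {STA, AP}, "protos": {"tcp"}},
]
```

Newer Wireshark releases expose the SSID as wlan.ssid rather than wlan_mgt.ssid, so the field name in the page's filter may need adjusting when reproducing it on a current build.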