So many client machines still run Windows?
Will we ever see an age of Mac or Linux domination on the client end? Maybe never!
So I thought this blog post might be a good start to get some hands-on experience with Windows wireless troubleshooting.
Everyone is like: I have only limited options, it’s Windows!
I say: the road is not as narrow as you think it is. Look beyond the horizon.
I ran into Netmon a few years back and since then it has fascinated me. I considered wireless captures to be impossible without additional hardware/software on Windows.
A great recap of that knowledge can be found over at CTS:
Now, here is how you get started:
Psst, we don’t need monitor mode here.
(CMD access with admin privileges is needed)
How to trigger/start tracing (stop the trace once you have reproduced the problem; the second command writes the .etl file):
netsh trace start scenario=wlan tracefile=wlanwpp.etl
netsh trace stop
The usual location is the Users directory.
The Netmon software (archived) can be grabbed from: https://www.microsoft.com/en-in/download/details.aspx?id=4865
Open the file with the “.etl” extension.
File — Open — Capture should help you navigate to the file.
If you see any parser errors, you might want to enable the right parser profiles in Tools — Options.
Note: The Windows parser profile should be set as active.
In this post, I would like to start with something simple enough.
In the case of WPA2-PSK, if you enter the wrong passphrase, the conversation will never go past M1 and M2 of the 4-way handshake. We know this!
If you don’t, go get your CWNA or CWSP: https://www.cwnp.com/it-certifications
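Why the conversation stalls after M2 with a wrong passphrase, as an added Python walkthrough that is not from the original post: it derives the PMK and the KCK the way WPA2-PSK does, has the station put a MIC on its M2, and lets the AP verify that MIC with its own copy of the key. The SSID, MAC addresses, EAPOL bodies and passphrases are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values (not taken from the original post).
SSID = b"Bunker"
AP_MAC = bytes.fromhex("02a1b2c3d4e5")   # hypothetical AP (authenticator) address
STA_MAC = bytes.fromhex("02f6e5d4c3b2")  # hypothetical station (supplicant) address


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def derive_kck(pmk, aa, spa, anonce, snonce):
    """KCK = first 16 bytes of the PTK; PTK comes from the 802.11 PRF over both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return ptk[:16]


def eapol_mic(kck, eapol_body):
    """Key MIC for the PSK/CCMP AKM: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


def run_handshake(ap_passphrase, sta_passphrase, ssid=SSID):
    """Simulate the 4-way handshake and return the list of messages that actually get exchanged."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    exchanged = ["M1"]  # AP -> STA: ANonce. No MIC yet, the STA has no PTK at this point.
    # STA derives its PTK from whatever the user typed and answers with SNonce + MIC (M2).
    sta_kck = derive_kck(pmk_from_passphrase(sta_passphrase, ssid), AP_MAC, STA_MAC, anonce, snonce)
    m2_body = b"\x02\x03" + snonce + b"\x00" * 16   # constructed EAPOL-Key M2 with the MIC field zeroed
    m2_mic = eapol_mic(sta_kck, m2_body)
    exchanged.append("M2")
    # AP derives its own PTK from the configured passphrase and checks the M2 MIC.
    ap_kck = derive_kck(pmk_from_passphrase(ap_passphrase, ssid), AP_MAC, STA_MAC, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ap_kck, m2_body), m2_mic):
        return exchanged  # MIC mismatch: the AP silently drops M2, so M3 never arrives
    m3_body = b"\x02\x13" + anonce + b"\x00" * 16   # constructed EAPOL-Key M3 (GTK omitted), MIC zeroed
    m3_mic = eapol_mic(ap_kck, m3_body)
    exchanged.append("M3")
    if not hmac.compare_digest(eapol_mic(sta_kck, m3_body), m3_mic):
        return exchanged  # STA would reject a forged/mismatched M3 the same way
    exchanged.append("M4")  # STA -> AP: MIC-protected confirmation, keys installed
    return exchanged
```

Run with matching passphrases on both sides and all four messages appear; make the station's passphrase differ and the list stops at M2, which is exactly what the trace shows.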
Learn more about the 4 way handshake:
Did you know that Windows 10 tries 4 x 5 (20) times before giving up?
I don’t think it’s an adapter thing but more of an OS thing; I will check this on another adapter and share an update.
Here is a snippet of what to look for and where:
A more detailed view on what to look at in that cluttered view:
As you can see in the above screenshot, I was trying to connect to an SSID called Bunker, and my Qualcomm Atheros adapter is also specified here.
Scrolling down, we can observe more details:
It’s a PSK-based, CCMP-protected SSID operating in BSS type Infra (infrastructure), not ad hoc mode.
What follows shows the PSK error, where I typed in the wrong pre-shared key. One can also see the M1 and M2 frames in the snippet below.
And finally a successful connection with all four frames, M1, M2, M3 and M4:
To conclude, there is a lot to derive from these traces, sometimes even as much as from an 802.11 trace.
You just need to know the basics and where to look.
Hope this was informative!