Module XXIX – Investigating Wireless Attacks
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Verifying Wireless Hackers for Homeland Security
Source: http://www.sciencedaily.com/
News: Cops Roped in to Provide Security for Planned Wi-Fi Network
Source: http://www.expressindia.com/
Module Objective
This module will familiarize you with:
• Wireless Networking Technologies
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Association of Wireless AP and Device
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Wireless Components
• Active and Passive Wireless Scanning Techniques
• Tools
Module Flow
Wireless Network Technologies
Wireless Components
Wireless Attacks
Hijacking and Modifying a Wireless Network
Association of Wireless AP and Device
Network Forensics in a Wireless Environment
Steps for Investigation
Active and Passive Wireless Scanning Techniques
Tools
Wireless Networking Technologies
Wireless networking technology is becoming increasingly popular and at the same time many security issues are also arising
The popularity of wireless technology is driven by two primary factors, convenience and cost
A Wireless Local Area Network (WLAN) allows workers to access digital resources without being locked to their desks
Some of the wireless networking technologies are as follows:
• Bluetooth
• InfraRed
• Ultrawideband
• ZigBee
• Wireless USB
• Wi-Fi
• WiMAX
• Satellite
Wireless Networks
There are four basic types:
• Peer-to-peer (ad hoc): wireless stations talk to each other directly, with no access point involved
• Extension to a wired network: a single access point bridges the wireless network to the wired Ethernet network; an extension point can relay traffic for clients beyond the access point's range
• Multiple access points: Access Point 1 and Access Point 2 each serve their own wireless network (Wireless Network 1, Wireless Network 2) and share one wired Ethernet backbone, so clients can roam between them
• LAN-to-LAN wireless network: two access points bridge two separate wired Ethernet networks (Wired Ethernet Network 1 and Wired Ethernet Network 2) over the wireless link
Wireless Attacks
Wardriving: the act of locating, and possibly exploiting, connections to wireless local area networks while driving around a city or elsewhere
Warflying: flying around in an aircraft looking for open wireless networks
Warchalking: the term comes from "whackers" (wireless hackers) who use chalk to draw a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access
Passive Attack
Eavesdropping on network traffic is the typical passive attack
Passive attacks are difficult to detect, because the attacker transmits nothing
An administrator running DHCP on the wireless network may still notice, in the DHCP server logs, that an unknown (unauthorized) MAC address has acquired an IP address
An eavesdropper can easily capture the network traffic using tools such as Network Monitor on Microsoft products, tcpdump on Linux, or AirSnort
Threats from Electronic Emanations
Electronic emanations are the radiations given off by an electrical or electronic device
Threats from electronic emanations:
Eavesdropping:
• Unauthorized listening to private conversations
• Emanations carry the information beyond the system it was destined for
• Since the wireless medium is open, attackers take advantage of emanations to listen to or manipulate the information
Data leakage:
• Leakage of information through emanations
Sniffing:
• Attackers can capture and decode the information carried by the emanations
Active Attacks on Wireless Networks
If an intruder obtains adequate information from a passive attack, the network becomes more vulnerable to an active attack, which can seize a system through:
• DoS attacks
• MITM attacks
• Hijacking and modifying a wireless network
Denial-of-Service Attacks
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs
WLANs send information via radio waves on shared, unlicensed frequencies, making them susceptible to inadvertent or deliberate interference from other traffic using the same radio band
Man-in-the-Middle Attack (MITM)
Two types of MITM:
Eavesdropping:
• Happens when an attacker receives (intercepts) a data communication stream
• Not using security mechanisms such as IPsec, SSH, or SSL makes the data vulnerable to an unauthorized user
Manipulation:
• An extended step of eavesdropping: the attacker alters the traffic in transit
• It can be done by ARP poisoning
Hijacking and Modifying a Wireless Network
TCP/IP packets go through switches, routers, and APs
Each device looks at the destination IP address and compares it with the addresses in its local table
If the address is not in the table, the device hands the packet to its default gateway
This table is dynamic: it is built up from traffic passing through the device and from Address Resolution Protocol (ARP) notifications from new devices joining the network
Hijacking and Modifying a Wireless Network (cont’d)
There is no authentication or verification of the validity of the ARP requests and replies received by the device
The attacker sends messages (forged ARP replies) to routing devices and APs stating that his MAC address is associated with a known IP address, such as the default gateway
All traffic that goes through that device destined for the hijacked IP address will be handed off to the attacker's machine
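The ARP-based hijack described above leaves a signature that a sniffer on the WLAN can pick up: the same IP address (typically the gateway) suddenly answered from a second MAC address, and that MAC claiming more than one IP. The following detector is an added example, not code from the original module; the ARP reply records and addresses are constructed for illustration (10.0.0.1 is assumed to be the AP/gateway).

```python
"""Detect ARP cache poisoning: a second MAC claiming an IP that an earlier
ARP reply bound to a different MAC.  Added example; the ARP records below
are constructed, not taken from a real capture."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac target_ip")

# Constructed: what a sniffer on the WLAN would log as
# (time, sender IP, sender MAC, target IP) for ARP replies (opcode 2).
SAMPLE_ARP = [
    ArpReply(0.00, "10.0.0.1", "00:14:6c:2a:11:9b", "10.0.0.5"),  # gateway -> victim
    ArpReply(0.10, "10.0.0.5", "00:0c:29:6b:41:02", "10.0.0.1"),  # victim -> gateway
    ArpReply(30.2, "10.0.0.1", "00:14:6c:2a:11:9b", "10.0.0.9"),
    # attacker 00:11:50:53:9a:24 starts claiming the gateway IP (unsolicited)
    ArpReply(61.0, "10.0.0.1", "00:11:50:53:9a:24", "10.0.0.5"),
    ArpReply(62.0, "10.0.0.1", "00:11:50:53:9a:24", "10.0.0.5"),
    # ...and the victim's IP towards the gateway: full-duplex MITM
    ArpReply(63.0, "10.0.0.5", "00:11:50:53:9a:24", "10.0.0.1"),
]


def detect_arp_poisoning(replies, known=None):
    """Walk ARP replies in time order.  Keep the first MAC seen for each IP
    (or a supplied trusted table) and flag every reply that re-binds an IP
    to a different MAC.  Returns [(t, ip, old_mac, new_mac, target_ip)]."""
    table = dict(known or {})
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = table.get(r.sender_ip)
        if prev is None:
            table[r.sender_ip] = mac          # first binding wins
        elif prev != mac:
            alerts.append((r.t, r.sender_ip, prev, mac, r.target_ip))
    return alerts


def attacker_candidates(alerts):
    """A MAC that re-binds more than one IP (gateway and a client) is the
    classic two-sided man-in-the-middle pattern."""
    ips_by_mac = {}
    for _, ip, _, new_mac, _ in alerts:
        ips_by_mac.setdefault(new_mac, set()).add(ip)
    return {m: ips for m, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_ARP)
    for t, ip, old, new, tgt in found:
        print(f"t={t:6.1f}s  {ip} moved {old} -> {new} (sent to {tgt})")
    print("MITM candidates:", attacker_candidates(found))
```

In an investigation the trusted table would be seeded from the router's own ARP/attached-devices list rather than from the first frame seen, since the capture may start after the poisoning began.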
Association of Wireless AP and Device
Association of an AP and a wireless device may be controlled in either of the following ways:
• MAC filtering
• Pre-Shared Key (PSK) or use of encryption
If active traffic is being sent between the access point and the associated device, your wireless forensic laptop can display network packet statistics
Network Forensics in a Wireless Environment
Forensic fingerprints can be gathered from:
• Devices connected to wireless networks, such as laptops, network storage devices, Ethernet cards, Bluetooth and IR dongles
• Mobile devices and removable devices that store data
• The wireless network, mobile switching center and visitor location register
• Neighboring networks that the caller accesses
Steps for Investigation
Obtain a search warrant
Identify wireless devices
Document the scene and maintain a chain of custody
Detect the wireless connections
Determine wireless field strength
Map wireless zones & hotspots
Connect to wireless network
Wireless data acquisition and analysis
Report Generation
Key Points to Remember
While conducting the on-site examination, the investigator should keep note of the following:
• The active wireless access points physically located within the search warrant scene
• External wireless access points with signal coverage that overlaps the search warrant scene
• Which devices can connect, or are actively connected, to the associated access points
• The approximate range (footprint) and signal strength of the examiner's wireless network card
Points You Should Not Overlook While Investigating the Wireless Network
A visual inspection of broadband modems will quickly determine if a wireless access point is physically connected
Investigators should be able to determine if a home network utilizes cable, DSL, or other method of connecting to the Internet
If a wireless access point is physically located, the initial goal is to determine its associated devices by directly connecting to it via a network cable
Obtain a Search Warrant
A search warrant application should include the proper language to perform on-site examination of computer and wireless related equipment
Conduct the forensic examination only on equipment that the warrant permits to be searched
Document the Scene and Maintain a Chain Of Custody
All devices connected to the wireless network must be documented
Take photographs of all evidence
Document the state of the device during seizure
Maintain a chain of custody of documents, photographs, and evidence
Identify Wireless Devices
Identify the different wireless devices connected to the network
Check the physical location of the following wireless hardware:
• Routers
• Access points
• Repeaters
• Hard drives
• Antennas
• PCMCIA/EIA cards
Wireless Components
Antenna
Wireless Access points
Wireless Router
Wireless Modem
SSID
Mobile Station
Base Station Subsystem
Network Subsystem
Base station controller
Mobile Switching Center
Search for Additional Devices
Send de-authentication packets using the Aireplay tool
This forces active wireless clients to drop their association and reconnect to their access point; the forensic laptop, with its wireless card in monitor mode, captures the reassociation frames and so learns the MAC addresses of the clients (the traffic is not redirected to the laptop)
Aireplay is an additional wireless assessment tool found within the aircrack section of the BackTrack menu
The Aireplay tool injects specially crafted frames into the wireless stream
Detect Wireless Connections
Wireless connections are detected using scanning tools such as:
• NetStumbler
• MacStumbler
• iStumbler
• Kismet
• KisMAC
Detect Wireless Enabled Computers
Check the number of authorized computers, laptops, and PDAs connected to the wireless LAN APs
Check their IP and MAC addresses using scanning tools such as Nmap
Manual Detection of Wireless APs
In manual detection, the investigator configures a mobile device such as a handheld PC or laptop with a wireless card and scanning software
The investigator then physically visits the area to be monitored to detect WAPs
This is the basis of war-driving and war-flying; war-chalking symbols left by others are a further clue to networks already found
Active Wireless Scanning Technique
In the active scanning technique, the scanner broadcasts a probe request and waits for responses from access points in range
This technique identifies many WAPs but cannot find those WAPs that are configured not to respond to such queries (for example, APs with SSID broadcast disabled)
Passive Wireless Scanning Technique
The passive scanning technique puts the wireless card into monitor mode and listens for beacons and data frames without transmitting anything
It therefore identifies the presence of any wireless communication in range, including WAPs that ignore probe requests and the clients associated with them
Detect WAPs using the Nessus Vulnerability Scanner
The Nessus vulnerability scanner can be used to detect wireless access points; it fingerprints the AP over TCP/IP rather than over the air
To detect WAPs, the following steps are performed:
• Update Nessus with plugin #11026 by running the nessus-update-plugins command
• Configure a new scan by selecting plugin #11026 in the "General" family
• Enable a port scan for ports 1-100
• Disable "Safe Checks"
• Enable "Enable Dependencies at Runtime"
Capture Wireless Traffic
Capture wireless traffic using wireless network monitoring and sniffing tools such as:
• Wireshark
• tcpdump
Tool: Wireshark
Wireshark is a network protocol analyzer that runs on Linux and other Unix systems, Mac OS X, and Microsoft Windows
It allows examination of data from a live network or from a capture file on disk
It lets the user see all traffic passing on the network segment by putting the network interface into promiscuous mode (for raw 802.11 frames, monitor mode)
Features of Wireshark
Data can be captured from a live network connection
Live data can be read from different types of network, such as Ethernet and 802.11
Captured data can be browsed via the GUI or via the command line (tshark)
Capture files can be programmatically edited (editcap)
Display filters can be used to refine the data shown and to selectively highlight and color packet summary information
Hundreds of protocols can be dissected
Wireshark: Screenshot
Tool: tcpdump
tcpdump is a common computer network debugging tool that runs under the command line
It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
tcpdump Commands
Exporting tcpdump output to a file:
• # tcpdump port 80 -l > webdump.txt & tail -f webdump.txt
• # tcpdump -w rawdump
• # tcpdump -r rawdump > rawdump.txt
• # tcpdump -c1000 -w rawdump
• # tcpdump -i eth1 -c1000 -w rawdump
Capture traffic on a specific port:
• # tcpdump port 80
Capture the traffic that passes between workstation4 and either of two other hosts on your LAN (note the "or": a single packet never involves three hosts at once):
• # tcpdump host workstation4 and \( workstation11 or workstation13 \)
tcpdump Commands (cont’d)
Capture all the traffic between workstation4 and the rest of the LAN except workstation11, printing the link-level (MAC) header with -e:
• # tcpdump -e host workstation4 and not workstation11
Capture all packets except those for certain ports:
• # tcpdump not port 110 and not port 25 and not port 53 and not port 22
Filter by protocol:
• # tcpdump udp
• # tcpdump ip proto OSPFIGP
Capture traffic on a specific host and restrict by protocol:
• # tcpdump host server02 and ip
• # tcpdump host server03 and not udp
• # tcpdump host server03 and ip and igmp and not udp
ClassicStumbler
ClassicStumbler scans and displays the wireless access points information within range
It displays the information about the signal strength, noise strength, signal to noise ratio, and channel of the access point
Wireless Network Monitoring Tools
MacStumbler displays information about nearby 802.11b and 802.11g wireless access points, which helps to find access points while traveling or to diagnose wireless network problems
iStumbler is a wireless discovery tool for Mac OS X, providing plugins for finding AirPort networks, Bluetooth devices, and Bonjour services with your Mac
Wireless Network Monitoring Tools (cont’d)
AirPort Signal tool scans for open networks in range and creates a table row for each station detected with information about the signals it received
AirFart detects wireless devices, and calculates their signal strength
Kismet
Completely passive; capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed (non-beaconing) networks
Requires an 802.11 card and driver capable of entering RF monitor mode; once in monitor mode, the card can no longer associate with a wireless network
Kismet needs to be started as root, but can switch to a less-privileged UID once it begins to capture
To hop across channels, run kismet_hopper -p
A closed network with no authenticated clients is shown as <nossid>; the entry is updated when a client logs on and reveals the SSID
Kismet: Screenshot
Determine Wireless Field Strength: Field Strength Meters (FSM)
http://www.vk1od.net/fsm/
FSM is a software application that extends a conventional SSB receiver to allow measurement and calculation of the field strength of radio signals or interference
Features:
• Measurement of true RMS, quasi-peak and peak audio power
• Calculation of received RF power (RMS, QP, and Peak) in dBm based on the known receiver noise floor
• Calculation of field strength (RMS, QP, and Peak) in dBuV/m based on the known antenna gain or antenna factor
• Extrapolation of calculated field strengths to a normalized (1 Hz) bandwidth for comparisons
• Flexible output options to save results to text files, email, and online/nearline web transactions
Prepare Wireless Zones & Hotspots Maps
Collect the information after detecting the wireless connections
Analyze it properly to prepare the map
Prepare a static map of wireless zones and hotspots
Map the network using tools such as MS Visio
Methods to Access a Wireless Access Point
Direct-connect to the wireless access point (if you have easy direct access)
"Sniffing" traffic between the access point and associated devices (when direct access is not available)
NOTE: In this module a NETGEAR wireless router is used as the example
1. Direct-connect to the Wireless Access Point
You need a network cable plugged between your forensics laptop and the wireless access point
The forensics laptop should have a standard network adapter
Determine whether the laptop has to be assigned an IP address
If the wireless access point is DHCP-enabled, the laptop will automatically be assigned an IP address in the same network range
1. Direct-connect to the Wireless Access Point (cont’d)
If DHCP is not enabled, you need to assign the forensics laptop an IP address in the same subnet as the wireless access point
When the address was assigned by DHCP, the IP address of the wireless access point can be determined by typing the command "ipconfig" at the command prompt: on a home router it is normally listed as the Default Gateway
1. Direct-connect to the Wireless Access Point (cont’d)
Once you get the IP address of the wireless access point try connecting to it using a web browser
A login window will pop up asking for the credentials needed to access the wireless access point
1. Direct-connect to the Wireless Access Point (cont’d)
Most of the time, owners forget to change the default administrator account of the wireless access point
You can search for the default login and password after you confirm the hardware vendor by physical inspection
Visit the link below to find the default credentials of the wireless access point
Default Credentials List
1. Direct-connect to the Wireless Access Point (cont’d)
If you are successful in logging to the wireless access point, you will see the screen similar to as shown below:
1. Direct-connect to the Wireless Access Point (cont’d)
Click on Attached Devices to find the number of connections made to the wireless access point
It shows the IP address, Device name, and MAC address of each computer attached to the wireless access point
1. Direct-connect to the Wireless Access Point (cont’d)
Click on LAN IP Setup to find the LAN TCP/IP setup
1. Direct-connect to the Wireless Access Point (cont’d)
Since you are connected over LAN to the wireless access point a “ping-sweep” can reveal other connected systems on the network
Nmap can be used to perform “ping-sweep” and other functions related to scanning
Nmap is a free open source utility for network exploration which is designed to rapidly scan large networks
Nmap
Features
• Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps, and many other techniques
• It scans a large number of machines at one time
• It is supported on many operating systems
• It can carry out all common types of port scanning techniques
Scanning Wireless Access Points using Nmap
Another method to find live hosts on the network is to use Nmap
Since we know the IP address of the access point, the following range of addresses needs to be scanned: 10.0.0.0/24
Execute the following command at the command prompt:
• nmap -sP -v 10.0.0.1/24
The result of the above scan will show all the live hosts in the same subnet; when run as root on the same LAN segment, the MAC address and vendor of each host are displayed as well (in Nmap 5.30 and later the ping-sweep option is spelled -sn; -sP is still accepted as an alias)
To find more information about a specific address, e.g. 10.0.0.1, execute the command given below:
• nmap -sS -A 10.0.0.1
Rogue Access Point
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network
The two basic methods for locating rogue access points:
• Beaconing, i.e. actively requesting a beacon (sending probe requests and collecting the responses)
• Network sniffing, i.e. passively looking for packets in the air
Tools that can detect rogue/unauthorized access points are NetStumbler, MiniStumbler, Kismet, etc.
Tools to Detect Rogue Access Points: Netstumbler
NetStumbler is a Windows utility for wardriving written by Marius Milner
NetStumbler is a high-level WLAN scanner; it operates by sending a steady stream of probe requests on all possible channels
Most access points (APs) answer these probe requests and so reveal their existence; an AP configured to ignore broadcast probes (SSID broadcast disabled) will not be seen by this active method and needs a passive tool such as Kismet
NetStumbler displays:
• Signal strength
• MAC address
• SSID
• Channel details
Netstumbler: Screenshot
Tools to Detect Rogue Access Points: MiniStumbler
MiniStumbler is the smaller sibling of the free product NetStumbler, for Pocket PC handhelds
By default, most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen; MiniStumbler relies on this behaviour
It can connect to a global positioning system (GPS) receiver to record where each network was seen
2. “Sniffing” Traffic Between the Access Point and Associated Devices
The forensics laptop, with its wireless card in monitor mode, is placed within range of the access point and the associated devices
In this mode, the forensics laptop captures all the frames flowing within range without associating to the network
The BackTrack distribution is used to find the associated devices in the wireless network
After booting BackTrack, the first step is to run Airodump
The aircrack-ng suite, which includes Airodump and Aireplay, is bundled with BackTrack and can also be downloaded from:
• http://www.aircrack-ng.org
Scanning using Airodump
The Airodump program runs in ‘Scan’ mode
This tool scans all the wireless channels while searching for access points
The scan report shows 8 columns of information: BSSID, PWR, Beacons, #Data, CH, MB, ENC and ESSID
Scanning using Airodump (cont’d)
BSSID: MAC address of the access point
PWR: Relative strength of the wireless signal as received at the location from which the tool scanned the network
Beacons: Number of beacon frames received
#Data: Number of data frames captured (for WEP, the frames carrying unique initialization vectors usable for key recovery)
CH: Channel
MB: Maximum data rate supported by the access point, in megabits per second
ENC: Encryption set on the access point (OPN, WEP, WPA)
ESSID: Network name (SSID) advertised by the access point
Scanning using Airodump (cont’d)
To confirm the scanning result, the investigator can match the MAC address obtained from the scan to the MAC address printed on the label of the scanned wireless access point
Make note of the CH (channel) setting
The Airodump screenshot shows the "netgear" wireless router operating on channel 6
Select channel 6 while rescanning with Airodump
The "-c 6" switch restricts the scan to the wireless access points and clients present on channel 6 only
"Ctrl+C" is used to stop the scanning process of Airodump
Airodump: Screenshot
MAC Address Information
Details of the vendor of the wireless access point can be found from its MAC address
Visit http://www.coffer.com/mac_find/ and enter the MAC address to find information about the vendor
It is easy to change the MAC address with a few software settings, so the vendor lookup is a hint about the hardware, not proof
Airodump: Points to Note
The "BSSID", "CH" and "ESSID" columns carry the information that is useful during the initial phase of the scan
The investigator should concentrate on the "Packets" column in the station (association) list, since that is what shows a client actually exchanging traffic with the access point
The "Beacons" column does not reflect data passing between the access point and the associated equipment
If Airodump cannot determine the state of encryption on the access point, the ENC column will display "WEP?"
Airodump requires several data packets before it can determine the type of encryption being used
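Airodump's column meanings, the channel to pass to the focused rescan, the station list with its "Packets" column, and the MAC-to-vendor lookup above all come together when the scan is saved to disk. The parser below is an added example, not part of the aircrack-ng suite: it reads the CSV layout that airodump-ng writes with -w <prefix> (an AP table, a blank line, then a station table, in <prefix>-01.csv), picks out the clients of the AP named "netgear" and the channel to use with -c. The CSV text and the addresses in it are constructed for illustration; the small OUI table is assumed for the example and should be checked against the IEEE registry or coffer.com in practice.

```python
"""Parse an airodump-ng CSV dump, list the clients associated with a chosen
ESSID (ordered by the Packets column) and report the channel to rescan on.
Added example; the CSV below is constructed to mirror airodump-ng's layout."""

# Constructed sample of <prefix>-01.csv (not a real capture).
SAMPLE_AIRODUMP_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:2A:11:9B, 2008-03-14 09:10:02, 2008-03-14 09:14:55,  6,  54, WEP , WEP, , -41,      188,       37,   0.  0.  0.  0,   7, netgear,
00:11:50:53:9A:24, 2008-03-14 09:10:03, 2008-03-14 09:14:55, 11,  54, OPN ,  , , -67,      120,        0,   0.  0.  0.  0,   9, belkin54g,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0C:29:6B:41:02, 2008-03-14 09:10:05, 2008-03-14 09:14:50, -55,      412, 00:14:6C:2A:11:9B, netgear
00:20:A6:52:23:30, 2008-03-14 09:11:40, 2008-03-14 09:12:01, -70,        3, (not associated), linksys,netgear
"""

# Assumption: a handful of IEEE OUI prefixes, enough to illustrate the lookup.
OUI = {"00:14:6C": "Netgear", "00:11:50": "Belkin", "00:0C:29": "VMware", "00:20:A6": "Proxim"}


def parse_airodump_csv(text):
    """Return (aps, stations).  AP dicts carry airodump's on-screen column
    names (BSSID, PWR, Beacons, IVs, CH, MB, ENC, ESSID); station dicts carry
    MAC, PWR, Packets, BSSID (None when '(not associated)') and Probed."""
    aps, stations, section = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue                       # blank separator line
        if line.startswith("BSSID,"):
            section = "ap"; continue      # AP table header
        if line.startswith("Station MAC,"):
            section = "sta"; continue     # station table header
        f = [x.strip() for x in line.split(",")]
        if section == "ap":
            aps.append({
                "BSSID": f[0].upper(), "CH": int(f[3]), "MB": int(f[4]),
                "ENC": f[5], "PWR": int(f[8]), "Beacons": int(f[9]),
                "IVs": int(f[10]),
                "ESSID": ",".join(f[13:-1]),   # ESSID may contain commas; Key is last
            })
        elif section == "sta":
            stations.append({
                "MAC": f[0].upper(), "PWR": int(f[3]), "Packets": int(f[4]),
                "BSSID": f[5].upper() if ":" in f[5] else None,
                "Probed": [p for p in f[6:] if p],  # probe requests seen from it
            })
    return aps, stations


def clients_of(essid, aps, stations):
    """Channels to rescan on (airodump-ng -c) and the stations associated
    with the AP(s) advertising `essid`, most active first."""
    bssids = {a["BSSID"] for a in aps if a["ESSID"] == essid}
    channels = sorted({a["CH"] for a in aps if a["BSSID"] in bssids})
    clients = [s for s in stations if s["BSSID"] in bssids]
    return channels, sorted(clients, key=lambda s: -s["Packets"])


def vendor(mac):
    """OUI (first three octets) to vendor; a hint only, MACs are spoofable."""
    return OUI.get(mac.upper()[:8], "unknown")


if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_AIRODUMP_CSV)
    for a in aps:
        print(f"{a['BSSID']} ch{a['CH']:<2} {a['ENC']:<4} {a['ESSID']!r:<12} {vendor(a['BSSID'])}")
    ch, clients = clients_of("netgear", aps, stas)
    print(f"rescan with: airodump-ng -c {ch[0]} --bssid {aps[0]['BSSID']} <interface>")
    for c in clients:
        print(f"  client {c['MAC']} ({vendor(c['MAC'])}) packets={c['Packets']}")
```

The station that is "(not associated)" is still evidence: its probed ESSIDs show which networks it has been configured to join, which is useful when matching a seized device to an access point.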
Forcing Associated Devices to Reconnect
The Aireplay tool disrupts the connected wireless devices by sending de-authentication frames
The wireless devices are made to think that the access point has dropped them; once disconnected, the devices attempt to reconnect to the same access point
Airodump should be running in the background while the de-authentication frames are sent, so that the reassociations are captured
Use the command given below to send de-authentication frames:
• aireplay-ng --deauth 5 -a {MAC of AP} {interface}
Where: MAC of AP is the MAC address (BSSID) of the access point; interface is the monitor-mode wireless interface on the forensics laptop; 5 is the number of de-authentication rounds to send (0 means send continuously)
If physical access to the wireless access point is available, then unplug the device and plug it back in instead, making sure that Airodump is running on the forensics laptop at the same time
Note that the reset button is NOT pressed, as that would wipe the configuration (and the attached-devices information) you want to preserve
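Both the "Search for Additional Devices" step and the aireplay-ng --deauth command above rely on the same 26-byte 802.11 management frame, and the same frame is what a defender's sensor (or the opposing side's forensic analysis of your own activity) would see as a burst. The block below is an added example, not aircrack-ng code: it builds the deauthentication frame byte for byte, parses it back, and flags a de-authentication flood in a list of timed frames. The capture is constructed; the MAC addresses, the duration value and the reason code 7 (which aireplay-ng is commonly seen to use) are assumptions for the example. Capturing such frames for real requires a card in monitor mode.

```python
"""Build and parse 802.11 deauthentication frames and detect a deauth burst.
Added example; all frames and timestamps are constructed."""
import struct
from collections import defaultdict

DEAUTH_FC = 0x00C0           # frame control: type 0 (management), subtype 12 (deauth)
REASON_CLASS3_NONASSOC = 7   # "class 3 frame from non-associated STA" (assumed default)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst, src, bssid, seq=0, reason=REASON_CLASS3_NONASSOC):
    """24-byte management header (FC, duration, addr1=dst, addr2=src,
    addr3=BSSID, sequence control) followed by a 2-byte reason code, all
    little-endian as on the air."""
    hdr = struct.pack("<HH6s6s6sH", DEAUTH_FC, 0x013A,
                      mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return hdr + struct.pack("<H", reason)


def parse_mgmt(frame):
    """Decode a deauth (subtype 12) or disassoc (subtype 10) frame; None otherwise."""
    if len(frame) < 26:
        return None
    fc, _dur, a1, a2, a3, sc = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (10, 12):
        return None
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"subtype": "deauth" if subtype == 12 else "disassoc",
            "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": sc >> 4, "reason": reason}


def deauth_bursts(timed_frames, window=1.0, threshold=10):
    """timed_frames: iterable of (seconds, raw_frame).  Returns {bssid: n}
    for every BSSID with more than `threshold` deauth/disassoc frames inside
    any sliding `window`; a healthy AP sends one or two, not dozens."""
    times = defaultdict(list)
    for t, raw in timed_frames:
        p = parse_mgmt(raw)
        if p:
            times[p["bssid"]].append(t)
    alerts = {}
    for bssid, ts in times.items():
        ts.sort()
        lo, worst = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            worst = max(worst, hi - lo + 1)
        if worst > threshold:
            alerts[bssid] = worst
    return alerts


AP, CLIENT, BCAST = "00:14:6c:2a:11:9b", "00:0c:29:6b:41:02", "ff:ff:ff:ff:ff:ff"


def constructed_capture():
    """One benign deauth (client leaving, reason 3), then a burst shaped like
    aireplay-ng --deauth: frames in both directions, 2 ms apart, plus one
    beacon that the detector must ignore."""
    frames = [(0.0, build_deauth(AP, CLIENT, AP, seq=1, reason=3))]
    for i in range(64):
        t = 10.0 + i * 0.002
        frames.append((t, build_deauth(CLIENT, AP, AP, seq=i)))         # "AP" -> client
        frames.append((t + 0.001, build_deauth(AP, CLIENT, AP, seq=i)))  # "client" -> AP
    beacon = struct.pack("<HH6s6s6sH", 0x0080, 0, mac_bytes(BCAST),
                         mac_bytes(AP), mac_bytes(AP), 0) + b"\x00" * 12
    frames.append((11.0, beacon))
    return frames


if __name__ == "__main__":
    print(build_deauth(CLIENT, AP, AP).hex())
    print(deauth_bursts(constructed_capture()))
```

Because the burst spoofs the AP's own address as source, the only reliable discriminators are rate and reason code; the investigator who has just run aireplay-ng should expect exactly this pattern in any capture taken at the scene and record the time window so it is not mistaken for an attack by the suspect.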
Check for MAC Filtering
Aireplay-ng can be used to determine whether the target access point uses MAC filtering
Attempt a forced association, if the wireless network card of the forensics laptop supports packet injection
If MAC filtering is active on the target access point, then association will be denied
Open a terminal window within BackTrack
At the command prompt, type the command given below (the interface is the laptop's monitor-mode wireless interface, given last):
• aireplay-ng --fakeauth 0 -e {target ESSID} -a {MAC address of AP} -h {MAC address of your forensic laptop's wireless card} {interface}
An example would be (with ath0 as the interface):
• aireplay-ng --fakeauth 0 -e belkin54g -a 00:11:50:53:9A:24 -h 00:20:A6:52:23:30 ath0
Check for MAC Filtering (cont’d)
An unsuccessful attempt does not by itself prove MAC filtering at the target access point; other causes are possible
If an associated MAC address is shown while scanning with airodump-ng, attempt to re-associate by spoofing that MAC address on the forensics laptop
Within the BackTrack menu, select "BackTrack", "Wireless Tools", "Miscellaneous", "MAC Changer"
Once the command is executed, a message will be displayed showing whether the authentication and association were successful
Changing the MAC Address
Before changing the MAC, the wireless network card of the forensics laptop should not be active; close airodump-ng or any other program that uses the network card before continuing
If required, force the card down by typing:
• ifconfig {interface} down
Command to change the MAC address:
• macchanger -m {MAC of currently associated device} {interface}
Changing the MAC Address (cont’d)
The screenshot below shows a list of available options for “macchanger”
Changing the MAC Address (cont’d)
Reactivate the forensics laptop's wireless network card with the command given below:
• ifconfig {interface} up
After the MAC address is changed, macchanger prints the previous and the new MAC address along with the vendor for each
Attempt an authentication and association to the access point using the spoofed MAC address
If the attempt with your own MAC address failed but you now see the "success" message, MAC filtering is indeed active on the access point
If MAC filtering is turned off, the spoofed MAC tells you nothing further; and where encryption is turned on, a successful 802.11 association still gives no access to the data, since this method does not attempt to decrypt anything
Wireless Data Acquisition and Analysis
Acquire the DHCP logs, firewall logs, and network logs
Use fwanalog and Firewall Analyzer to view the firewall log files
Analyze the log files for:
• DHCP log files: MAC addresses that were issued leases
• Firewall logs: intrusions
• Network logs: intrusion activities
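The DHCP-log check mentioned under "Passive Attack" earlier and the "DHCP log files: MAC addresses that were issued leases" item above are the same analysis: compare the MAC addresses that actually received a lease with the list of clients the owner recognises. The script below is an added example, not part of the original module; the log lines are constructed in the syslog format ISC dhcpd uses, the authorized-MAC list is an assumption, and the interface names used to separate wireless from wired leases (wlan0 versus eth0) are likewise assumed.

```python
"""Audit ISC dhcpd syslog lines for leases handed to MAC addresses that are
not on the authorized-client list.  Added example; the log lines below are
constructed in ISC dhcpd's format and are not from a real seizure."""
import re
from collections import defaultdict

# Constructed sample: assumption that the DHCP server logs via syslog and
# that wireless clients arrive on wlan0, wired ones on eth0.
SAMPLE_DHCP_LOG = """\
Mar 14 09:12:01 gateway dhcpd: DHCPDISCOVER from 00:14:6c:2a:11:9b via wlan0
Mar 14 09:12:01 gateway dhcpd: DHCPOFFER on 10.0.0.5 to 00:14:6c:2a:11:9b (office-laptop) via wlan0
Mar 14 09:12:02 gateway dhcpd: DHCPACK on 10.0.0.5 to 00:14:6c:2a:11:9b (office-laptop) via wlan0
Mar 14 09:40:17 gateway dhcpd: DHCPDISCOVER from 00:11:50:53:9a:24 via wlan0
Mar 14 09:40:17 gateway dhcpd: DHCPACK on 10.0.0.9 to 00:11:50:53:9a:24 via wlan0
Mar 14 10:02:55 gateway dhcpd: DHCPACK on 10.0.0.9 to 00:11:50:53:9a:24 via wlan0
Mar 14 10:15:03 gateway dhcpd: DHCPACK on 10.0.0.7 to 00:20:a6:52:23:30 (lab-pda) via eth0
"""

# Assumption: the MACs the site owner states are authorized on the WLAN.
AUTHORIZED_MACS = {"00:14:6c:2a:11:9b"}

# Only DHCPACK proves a lease was committed; DISCOVER/OFFER alone do not.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_dhcp_acks(log_text):
    """One dict (ts, ip, mac, host, iface) per DHCPACK line, MAC lower-cased."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            acks.append(d)
    return acks


def unauthorized_leases(log_text, authorized, wireless_ifaces=("wlan0",)):
    """Return (wireless, wired): each maps an unauthorized MAC to its list of
    (timestamp, ip, hostname) lease events.  Wired leases are kept apart so
    that a rogue on the WLAN is not confused with a desktop on a cable."""
    wireless, wired = defaultdict(list), defaultdict(list)
    for a in parse_dhcp_acks(log_text):
        if a["mac"] in {m.lower() for m in authorized}:
            continue
        bucket = wireless if a["iface"] in wireless_ifaces else wired
        bucket[a["mac"]].append((a["ts"], a["ip"], a["host"] or ""))
    return dict(wireless), dict(wired)


if __name__ == "__main__":
    wl, wd = unauthorized_leases(SAMPLE_DHCP_LOG, AUTHORIZED_MACS)
    for mac, events in wl.items():
        print(f"UNAUTHORIZED (wireless) {mac}: {len(events)} lease event(s)")
        for ts, ip, host in events:
            print(f"    {ts}  {ip}  {host or '<no hostname>'}")
    for mac, events in wd.items():
        print(f"unauthorized (wired)    {mac}: first seen {events[0][0]} as {events[0][1]}")
```

A lease with no hostname and repeated renewals from a MAC nobody recognises, as in the second client above, is exactly the trace a passive eavesdropper leaves once it asks for an address; it is also the list to compare against the "Attached Devices" page of the access point and the station list from the airodump scan.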
Wireless Data Acquisition and Analysis (cont’d)
Decrypt the encrypted log files
Recover password-protected log files with password-recovery tools such as Cain & Abel (Hydra is for brute-forcing network logins, not files)
Analyze the traffic captured by sniffing tools such as Wireshark
Check the following sources on the seized computers:
• Registry analysis
• USB device footprints
• Network connection history logs
• Wireless device logs
Report Generation
Name of the investigator
List of wireless evidence
Documents of the evidence and other supporting items
List of tools used for the investigation
Devices and set-up used in the examination
Brief description of the examination steps
Details about the findings:
• Information about the files
• Internet-related evidence
• Data and image analysis
Conclusion of the investigation
Summary
Association of a wireless AP and device may be controlled by MAC filtering, by a Pre-Shared Key (PSK), or by the use of encryption
Methods to access a wireless access point include direct-connecting to the wireless access point and "sniffing" traffic between the access point and associated devices
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network
Details of the vendor of a wireless access point can be found from its MAC address
Eavesdropping on network traffic is the typical passive attack
To investigate wireless attacks, keep a check on DHCP log files for issued MAC addresses, firewall logs for intrusions, and network logs for intrusion activities