Page 1: WiFi Networks Forensics Overview WiFi Networks Forensics Overview Mike Davis, EE/MSEE, CISSP, SysEngr ISSA/TSN/SOeC/ AFCEA/NDIA/IEEE/INCOSE et al mike@sciap.org.

WiFi Networks Forensics Overview

Mike Davis, EE/MSEE , CISSP, SysEngrISSA/TSN/SOeC/

AFCEA/NDIA/IEEE/INCOSE et al

[email protected]

Glenn G Jacobs, BSEE, Security +Creative Commerce LLC

[email protected]


Page 2

5/23/2013 Copyright 2013 Creative Commerce LLC

Presentation Overview
• Why Wireless Networks?
• What is Wireless Internet (Wi-Fi)?
• WiFi Implementation
• WiFi Threat Landscape
• WiFi Basic Security Measures
• WiFi Tools
• WiFi Network Discovery
• WiFi Packet Sniffing Example
• WiFi WEP Password Cracking Example
• Web Links

Page 3

Why Wireless Networks?

CONVENIENCE OF INSTALLATION!!
• Adding a Wireless Access Point (WAP) to system routers is straightforward
• Wireless security has frequently just been taken for granted

CONVENIENCE OF MOBILITY!!
• Businesses with less than $10 million in annual revenue are leading the charge, with 83 percent either using or planning to use Wi-Fi (http://news.cnet.com/2100-1039-992901.html)
• 76 percent of the workforce will be using a mobile networking device by 2013 (laptops/PDAs, etc.) (http://ipcarrier.blogspot.com/2010/02/us-is-most-mobile-workforce.html)
• Connectivity is now as convenient as a local coffee shop

Page 4

What is Wireless Internet (Wi-Fi)?

Definition: A 2.4 GHz / 5 GHz radio-frequency data communication architecture and associated protocols based upon the IEEE 802.11x standards. A key concept is that WiFi networks exchange data frames between systems using the MAC (Media Access Control) and Logical Link Control (LLC) sublayers of the OSI Data Link Layer, with an RF LAN card communicating at the PHY (Physical) layer.

Page 5

WiFi Implementation: Frequency Assignment (2.4GHz shown, 802.11b/g/n)

NOTE: the signal must be attenuated by at least 30 dB from its peak energy at ±11 MHz from the centre frequency, which is the sense in which channels are effectively 22 MHz wide. One consequence is that stations can only use every fourth or fifth channel without overlap, typically 1, 6 and 11 in the Americas.

Page 6

WiFi Implementation: Channels 1-7 Frequency Assignment (2.4GHz, 802.11g)

1. The above frequencies are all permitted in the US. Not all WiFi frequencies are legal in all nations.

Page 7

WiFi Implementation: Channels 8-13 Frequency Assignment (2.4GHz, 802.11b/g/n)

Page 8

WiFi Implementation: 802.11 “G” Standard
• Up to 54 MB/s data transfer rates
• Transfer rate drops to 1 MB/s at 300 feet
• Orthogonal frequency-division multiplexing (OFDM) or Direct Sequence Spread Spectrum (DSSS)
• Typical range of 300 feet - a hacker’s dream
• Most 802.11 “g” hardware is backward compatible with 802.11 “a” and “b” systems
• WiFi “G” was the most popular WLAN for new installations until 2009

Page 9

WiFi Implementation: 802.11 “N” Standard (2009)
• Multi-stream 2.5 GHz/5GHz architecture
• Up to 150 MB/s single-stream
• Up to 300 MB/s dual-stream
• Up to 450 MB/s three-stream
• Up to 20 MHz channel width
• Multiple-Input / Multiple-Output (MIMO) multi-streaming protocol

Page 10

WiFi Implementation: 802.11 “ac” 5G Standard (2013)
• Multi-stream 5GHz architecture
• Supplements and incorporates older 802.11 “N” equipment
• Up to 450 MB/s single-stream
• Up to 900 MB/s dual-stream
• Up to 1.3GB/s three-stream
• Up to 80 MHz channel width
• Multiple-Input / Multiple-Output (MIMO) multi-streaming protocol

Page 11

WiFi Implementation “Infrastructure Mode” Concept

Ethernet Router is cabled to Wireless Access Point (WAP) and radiates WiFi

Page 12

WiFi Implementation: WiFi Home “Infrastructure Mode” Target

Home Wireless Ethernet Router is cabled to Internet Modem and radiates WiFi


Page 13

WiFi Implementation: Terminology

BSS: Basic Service Set – the WiFi network infrastructure concept: a router or Wireless Access Point (WAP) transmitter communicating with workstations.

BSSID: The Media Access Control (MAC) link unique ID for the router or Wireless Access Point (WAP) transmitter.

SSID: Service Set Identifier – the broadcast WiFi ID which each user must specify to obtain access to a given WiFi network. Functions as a virtual “username”.

Management frames: Frames that broadcast the router’s SSID, show user “probe requests”, association/disassociation activity, and authentication/deauthentication.

Page 14

WiFi Implementation 802.11 Frame Standards

Current 802.11 standards define "frame" types for use in transmission of data as well as management and control of wireless links.

• Frames are divided into very specific and standardized sections. Each frame has a MAC header, a payload and an FCS; some frames have no payload portion. The first 2 bytes of the MAC header form the Frame Control field, which provides detailed information about the frame. The subfields of the Frame Control field are presented in order below.

• Protocol Version: It is two bits in size and represents the protocol version. Currently used protocol version is zero. Other values are reserved for future use.

• Type: It is two bits in size and helps to identify the type of WLAN frame. Control, Data and Management are various frame types defined in IEEE 802.11.

• Sub Type: It is four bits in size. Type and Sub type are combined together to identify the exact frame.

• ToDS and FromDS: Each is one bit in size. They indicate whether a data frame is headed for the distribution system. Control and management frames set both bits to zero. Data frames have one or both of these bits set; communication within an IBSS network, however, always sets both bits to zero.

• More Fragment: The More Fragmentation bit is set most notably when higher level packets have been partitioned and will be set for all non-final sections. Some management frames may require partitioning as well.

• Retry: Sometimes frames require retransmission, and for this there is a Retry bit which is set to one when a frame is resent. This aids in the elimination of duplicate frames.

• Power Management: The Power Management bit indicates the power management state of the sender after the completion of a frame exchange. Access points are required to manage the connection and will never set the power saver bit.

Page 15

WiFi Implementation 802.11 Frame Standards (cont’d)

• More Data: The More Data bit is used for frames buffered in the distribution system. The access point uses this bit to facilitate stations in power saver mode. It indicates that at least one further frame is available and addresses all stations connected.

• WEP: The WEP bit is modified after processing a frame. It is toggled to one after a frame has been decrypted or if no encryption is set it will have already been one.

• Order: This bit is only set when the "strict ordering" delivery method is employed. Frames and fragments are not always sent in order as it causes a transmission performance penalty.

• The next two bytes are reserved for the Duration/ID field. This field can take one of three forms: Duration, Contention-Free Period (CFP), and Association ID (AID).

• An 802.11 frame can have up to four address fields. Each field can carry a MAC address. Address 1 is the receiver, Address 2 is the transmitter, Address 3 is used for filtering purposes by the receiver.

• The Sequence Control field is a two-byte section used for identifying message order as well as eliminating duplicate frames. The first 4 bits are used for the fragmentation number and the last 12 bits are the sequence number.

• An optional two-byte Quality of Service Control field, added with 802.11e.

• The Frame Body field is variable in size, from 0 to 2304 bytes plus any overhead from security encapsulation and contains information from higher layers.

• The Frame Check Sequence (FCS) is the last four bytes in the standard 802.11 frame. Often referred to as the Cyclic Redundancy Check (CRC), it allows for integrity check of retrieved frames. As frames are about to be sent the FCS is calculated and appended. When a station receives a frame it can calculate the FCS of the frame and compare it to the one received. If they match, it is assumed that the frame was not distorted during transmission.

Page 16

WiFi Implementation 802.11 Frame Standards (cont’d)

• Management Frames allow for the maintenance of communication. Some common 802.11 subtypes include:

• Authentication frame: 802.11 authentication begins with the Wireless Network Interface Card (WNIC) sending an authentication frame to the access point containing its identity. With an open system authentication the WNIC only sends a single authentication frame and the access point responds with an authentication frame of its own indicating acceptance or rejection. With shared key authentication, after the WNIC sends its initial authentication request it will receive an authentication frame from the access point containing challenge text. The WNIC sends an authentication frame containing the encrypted version of the challenge text to the access point. The access point ensures the text was encrypted with the correct key by decrypting it with its own key. The result of this process determines the WNIC's authentication status.

• Association request frame: sent from a station, it enables the access point to allocate resources and synchronize. The frame carries information about the WNIC including supported data rates and the Service Set Identifier (SSID) of the network the station wishes to associate with. If the request is accepted, the access point reserves memory and establishes an association ID for the WNIC.

• Association response frame: sent from an access point to a station containing the acceptance or rejection of an association request. If it is an acceptance, the frame will contain information such as an association ID and supported data rates.

• Beacon frame: Sent periodically from an access point to announce its presence and provide the SSID, and other parameters for WNICs within range.

• Deauthentication frame: Sent from a station wishing to terminate connection from another station.

• Disassociation frame: Sent from a station wishing to terminate connection. It's an elegant way to allow the access point to relinquish memory allocation and remove the WNIC from the association table.

• Probe request frame: Sent from a station when it requires information from another station.


Page 17

WiFi Implementation 802.11 Frame Standards (cont’d)

• Probe response frame: Sent from an access point containing capability information, supported data rates, etc., after receiving a probe request frame.

• Reassociation request frame: A WNIC sends a reassociation request when it drops from range of the currently associated access point and finds another access point with a stronger signal. The new access point coordinates the forwarding of any information that may still be contained in the buffer of the previous access point.

• Reassociation response frame: Sent from an access point containing the acceptance or rejection to a WNIC reassociation request frame. The frame includes information required for association such as the association ID and supported data rates.

• Control frames facilitate the exchange of data frames between stations. Some common 802.11 control frames include:

• Acknowledgement (ACK) frame: After receiving a data frame, the receiving station will send an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK frame within a predetermined period of time, the sending station will resend the frame.

• Request to Send (RTS) frame: The RTS and CTS frames provide an optional collision reduction scheme for access points with hidden stations. A station sends an RTS frame as the first step in a two-way handshake required before sending data frames.

• Clear to Send (CTS) frame: A station responds to an RTS frame with a CTS frame. It provides clearance for the requesting station to send a data frame. The CTS provides collision control management by including a time value for which all other stations are to hold off transmission while the requesting station transmits.

• Data frames carry packets from web pages, files, etc. within the body.
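As an added example (not part of the original slides), the following Python decodes the Frame Control subfields, Duration/ID, address fields and Sequence Control described on the preceding slides, names the management and control subtypes from the list above, and performs the receiver-side FCS comparison. The frames, MAC addresses and the SSID "TestNet" are constructed for illustration, not captured traffic.

```python
import struct
import zlib

# Names for the frame types and the management/control subtypes the slides list.
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame_control(fc: int) -> dict:
    """Split the little-endian 16-bit Frame Control field into the slide's subfields."""
    return {
        "protocol_version": fc & 0x3,        # bits 0-1, currently always 0
        "type": (fc >> 2) & 0x3,             # bits 2-3: 0 mgmt, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,          # bits 4-7
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_fragments": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgmt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),      # the "WEP" bit: frame body is encrypted
        "order": bool(fc & 0x8000),
    }

def frame_name(ctl: dict) -> str:
    kind = FRAME_TYPES.get(ctl["type"], "Reserved")
    table = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: {0: "Data", 8: "QoS Data"}}.get(ctl["type"], {})
    return f"{kind}/{table.get(ctl['subtype'], 'subtype ' + str(ctl['subtype']))}"

def parse_header(frame: bytes) -> dict:
    """Decode the MAC header; 'body_offset' is where the Frame Body begins."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ctl = parse_frame_control(fc)
    hdr = {"control": ctl, "name": frame_name(ctl), "duration_id": duration,
           "addr1": mac_str(frame[4:10]), "body_offset": 10}
    if ctl["type"] == 1:                      # control frames: ACK/CTS end after Address 1
        if ctl["subtype"] == 11:              # RTS also carries the transmitter (Address 2)
            hdr["addr2"] = mac_str(frame[10:16])
            hdr["body_offset"] = 16
        return hdr
    hdr["addr2"] = mac_str(frame[10:16])
    hdr["addr3"] = mac_str(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment_number"] = seq & 0xF        # low 4 bits of Sequence Control
    hdr["sequence_number"] = seq >> 4         # high 12 bits
    hdr["body_offset"] = 24
    if ctl["type"] == 2 and ctl["to_ds"] and ctl["from_ds"]:
        hdr["addr4"] = mac_str(frame[24:30])  # fourth address only on WDS data frames
        hdr["body_offset"] = 30
    if ctl["type"] == 2 and ctl["subtype"] & 0x8:
        hdr["body_offset"] += 2               # QoS Control field (802.11e)
    return hdr

def with_fcs(frame: bytes) -> bytes:
    """Append the FCS as a transmitting station does: CRC-32, little-endian."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """Receiver-side check: recompute the CRC and compare with the trailing 4 bytes."""
    if len(frame) < 4:
        return False
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == struct.unpack("<I", frame[-4:])[0]

def beacon_ssid(frame: bytes) -> "str | None":
    """Pull the SSID (element ID 0) from a beacon's tagged parameters."""
    hdr = parse_header(frame)
    if hdr["name"] != "Management/Beacon":
        return None
    body = frame[:-4]                         # drop the FCS
    pos = hdr["body_offset"] + 12             # timestamp(8) + interval(2) + capability(2)
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        if eid == 0:
            return body[pos + 2:pos + 2 + elen].decode("utf-8", "replace")
        pos += 2 + elen
    return None

# Constructed sample frames (not captured traffic): made-up locally administered
# MAC addresses and a made-up SSID.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
BEACON = with_fcs(b"\x80\x00\x00\x00" + BCAST + AP + AP + b"\x50\x00"      # seq 5
                  + b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + b"\x00\x07TestNet")
DEAUTH = with_fcs(b"\xc0\x08\x3a\x01" + STA + AP + AP + b"\x10\x00"        # Retry bit set
                  + b"\x07\x00")                                           # reason code 7
WDS_DATA = with_fcs(b"\x08\x03\x00\x00" + AP + STA + AP + b"\x20\x00" + STA + b"payload")

if __name__ == "__main__":
    print(parse_header(DEAUTH)["name"], fcs_ok(DEAUTH), beacon_ssid(BEACON))
```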

Page 18

WiFi Implementation: WEP Encryption

Wired Equivalent Privacy

Older standard 64-bit WEP uses a 40-bit key, which is concatenated with a CLEAR TEXT 24-bit initialization vector (IV) to form the RC4 traffic key. All of the major manufacturers now implement an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).

Highly vulnerable to forensic packages such as aircrack-ng. DO NOT USE WEP EXCEPT FOR TRAINING/DEMONSTRATION.

Page 19

WiFi Implementation: WPA Encryption

WiFi Protected Access (WPA)

Temporal Key Integrity Protocol (TKIP):
1. Implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key and passed this value to the RC4 routine; this permitted the vast majority of the RC4-based WEP key attacks.
2. WPA implements a sequence counter (TSC) to protect against “replay” attacks. Packets received out of order will be rejected by the access point.
3. TKIP implements a 64-bit message integrity check (MIC) named “MICHAEL”.

Vulnerable to forensic packages such as “tkiptun-ng”:
http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf

Page 20

WiFi Implementation: WPA Encryption (cont’d)

Tkiptun MIC Retrieval Usage: tkiptun-ng <options> <replay interface>

• Filter options:

• -d dmac : MAC address, Destination

• -s smac : MAC address, Source

• -m len : minimum packet length

• -n len : maximum packet length

• -t tods : frame control, To DS bit

• -f fromds : frame control, From DS bit

• -D : disable AP detection

• Replay options:

• -x nbpps : number of packets per second

• -a bssid : set Access Point MAC address

• -c dmac : set Destination MAC address

• -h smac : set Source MAC address

• -F : choose first matching packet

• -e essid : set target AP SSID

Page 21

WiFi Implementation: WPA Encryption (cont’d)

Tkiptun MIC Key Retrieval Usage: tkiptun-ng <options> <replay interface>

• Debug options:

• -K prga : keystream for continuation

• -y file : keystream-file for continuation

• -j : inject FromDS packets

• -P pmk : pmk for verification/vuln testing

• -p psk : psk to calculate pmk with essid

• Source options:

• -i iface : capture packets from this interface

• -r file : extract packets from this pcap file

• --help : Displays this usage screen

Page 22

WiFi Implementation: WPA Encryption (cont’d)

Tkiptun MIC Key Retrieval Example:

• Input:

• tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0

• Output: The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC

• ....so Address Resolution Protocol (ARP) is forced… ARP Reply Checking 192.168.x.y 15:54:11 Reversed MIC Key : C3:95:10:04:8F:8D:6C:66

Page 23

WiFi Implementation: WPA-2 Encryption

WiFi Protected Access-2

• CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP:
1. Advanced Encryption Standard (AES) is the cipher system.
2. Key management and message integrity are handled by a single component built around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS-197 standard.
3. A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections: MAC header, CCMP header, data unit, message integrity code (MIC), and frame check sequence (FCS). Of these, only the data unit and MIC are encrypted.

WPA-2 is vulnerable to “breaking handshake” and “brute force dictionary” attacks.

Page 24

WiFi Implementation: Enterprise-Grade Encryption

• Enterprise-grade WPA: Remote Authentication Dial-In User Service (RADIUS). RADIUS uses a challenge/response method for authentication.

• When a user logs on, the network access server (NAS), wireless access point (WAP) or authentication server creates a "challenge," which is typically a random number sent to the client machine. The client software uses its password or a secret key to encrypt the challenge via an encryption algorithm or a one-way hash function and sends the result back to the network (the "response"). The authentication system performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password.
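An added illustration of the challenge/response exchange just described (example code, not from the slides and not the RADIUS wire protocol itself): the server issues a fresh random challenge, both sides run the same one-way function over the secret and the challenge (HMAC-SHA256 is assumed here as that function), and the server compares the results. The credential store and the user "alice" are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store for the example: the authentication server knows
# each user's secret (a real deployment would store it protected, not in source).
USER_SECRETS = {"alice": b"correct horse battery staple"}

def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """The one-way function both sides run over (secret, challenge); HMAC-SHA256 assumed."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class AuthServer:
    """Server side (the NAS / WAP / authentication server on the slide)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._outstanding = {}           # username -> challenge still awaiting a response

    def challenge(self, username: str) -> bytes:
        # A fresh random challenge per attempt is what makes an old response worthless.
        nonce = os.urandom(16)
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._outstanding.pop(username, None)   # each challenge is single-use
        secret = self._secrets.get(username)
        if nonce is None or secret is None:
            return False
        expected = compute_response(secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison

def client_login(server: AuthServer, username: str, secret: bytes) -> bool:
    """Client side: answer the challenge; the secret itself never crosses the network."""
    nonce = server.challenge(username)
    return server.verify(username, compute_response(secret, nonce))

def replayed_response_accepted(server: AuthServer, username: str, secret: bytes) -> bool:
    """Defender's check: does a response seen in one login work against a new challenge?"""
    first = server.challenge(username)
    captured = compute_response(secret, first)
    server.verify(username, captured)         # the legitimate login consumes the challenge
    server.challenge(username)                # the next attempt gets a different challenge
    return server.verify(username, captured)  # expected False: old response no longer matches

if __name__ == "__main__":
    srv = AuthServer(USER_SECRETS)
    print("login ok:", client_login(srv, "alice", USER_SECRETS["alice"]))
    print("replay accepted:", replayed_response_accepted(srv, "alice", USER_SECRETS["alice"]))
```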

Page 25

WiFi Threat Landscape: HACKER’S GOALS

Penetrate / Elevate / Manipulate
• PENETRATION – Hacker accesses the system under attack
• ELEVATION – Hacker increases their system privilege level by utilizing system services
• MANIPULATION – Hacker directs the victim’s system to do his bidding

Page 26

WiFi Threat Landscape
• DHCP contains large amounts of known plaintext
• Rogue Wireless Access Points
• Hostile Wandering Clients
• AdHoc (Peer-to-Peer) “Free Public WiFi” hostile networks
• Denial Of Service Attacks

• 57 percent of IT managers are not confident that their organization knows the state of every endpoint that connects to their network.
• More than 50 percent of companies are using shared passwords or no encryption at all on Wi-Fi access points.
• Only 29 percent of companies check to make sure computers are up to date and patched before allowing traveling or remote employees to access the network when they return to the office.
• More than 50 percent of companies surveyed have guests accessing the network every day, with 20 percent allowing non-employees to plug directly into the network without security checks or controls.
• 31 percent of companies do not know the identity of every user on their network.
- http://www.napera.com/news_20081203.html

Page 27

WiFi Threat Landscape: WiFi Intrusion at TJ Maxx – Vulnerability to Hostile Client

• A WiFi network with inadequate WEP encryption replaced retail outlet cabling at kiosks in MN

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171

Page 28

WiFi Basic Security Measures: Change Admin Password Settings

Change Wireless Router / Wireless Access Point (WAP) Username / Password from industry defaults:
1. Username: admin
2. Password: admin

Page 29

WiFi Basic Security Measures: Change Encryption Settings

DO NOT USE Wired Equivalent Privacy (WEP) Encryption – its encryption keys can be broken in less than 1 minute.

Use stronger encryption such as WPA-PSK (WiFi Protected Access-Pre-Shared Key). This wireless encryption method uses a pre-shared key (PSK) for key management. Keys can usually be entered as manual hex values, as hexadecimal characters, or as a passphrase.

Page 30

Wifi Tools: SUMMARY
• Handheld directional RF WiFi detector with spare CR2032 lithium “hearing-aid” batteries
• Windows OS or Linux or Mac OS laptop with spare fully charged battery packs
• Wireless LAN WiFi PC “interface” adapter (card/USB) that supports “Monitor Mode” – super critical!
• WiFi forensics software for network discovery, packet capture, and analysis
• 120V electrical power – automotive adapter
• Paper forms and logs

Page 31

Wifi Tools: Handheld Directional RF Detector

Hawking Technology Model HWL1 802.11b/g WiFi Locator
Network Specification: IEEE 802.11b/g
Operating Frequency: 2.4~2.4835 GHz
Operating Range: Up to 1000 feet (line of sight), up to 300 feet (indoors)
LEDs: 1 x Power, 5 x Signal Strength
Antenna Gain: 5.15 dBi
Battery: 1 x Lithium CR2032, 2 year battery life
Dimensions: 92 (L) x 56 (W) x 25 (H) mm
Weight: 45 g

http://www.hawkingtech.com/products/productlist.php?CatID=32&FamID=71&ProdID=131

Hawking Technology Model HWL1 Functionality

Point the directional antenna towards the source and press the "Locate" button. The signal filters on the Model HWL1 filter out all unwanted 2.4GHz signals, such as Bluetooth, cordless phones and microwaves.


Page 32

Wifi Tools - Windows OS vs. Linux vs. Mac OS Laptop Selection Criteria

User comfort and familiarity level will affect the OS choice.

Microsoft Windows OS, with its restricted Win32 kernel, has fewer WiFi forensics hardware/software ensembles. Windows has fewer “monitor mode” wireless LAN card/ password-cracking software combinations than Linux. There have been recent additions.

Linux has a large number of historically prominent WiFi forensics packages. The majority of these software packages are still “command-line” and may require time for familiarization. Recently, “windows-like” Linux WiFi forensics software has become available, often as a part of free forensics distributions such as “Backtrack 4”.

MacOS is supported by the popular multifunctional KisMAC WiFi “stumbler” (network discovery) / packet sniffing / password cracking software. KisMAC is geared toward network security professionals. The “Apple Airport” WiFi network card is supported by Linux.

Page 33

Wifi Tools: Wireless LAN WiFi PC Adapter (Card/USB) that supports “Monitor Mode”

“Ordinary” laptop WiFi access (coffee shop web surfing, email, etc.) involves the WiFi PC adapter running in so-called “managed mode”. This is the default mode for all purchased laptops.

In managed mode, the User’s laptop wireless adapter and its software depend entirely on the infrastructure’s wireless router to provide network connectivity. Usernames and passwords are seldom required for coffee shops and other public places.

Managed mode is useless for WiFi packet sniffing forensic activities.

Some Windows OS software “stumbler” (WiFi network discovery/enumeration) programs can function (partially) with WiFi adapters operating in managed mode. One of these is “Wireless Mon” by PassMark.

Forensic laptop WiFi network card must be placed in “Monitor” Mode

Popular Laptop WiFi cards such as Broadcom often do not support “Monitor” Mode. Chipsets by Hermes, Prism2, Spectrum24, Raylink, Zydas, and Atheros are supported by most forensics software.

Page 34

Wifi Tools: Linux WiFi Card Setup

The forensic laptop WiFi network card must be placed in “Monitor Mode”. To accomplish this, as the Linux root user, do the following on the Linux command line:

1. iwconfig <enter>
2. Note “Mode: Managed” (vs. “Mode: Monitor”) in the command-line response.
3. To REQUEST the change to Monitor mode: iwconfig eth01 mode monitor <enter> (Note: “eth01” is a typical network card interface designator. Your PC’s may instead be “ath01”, for example, if your WiFi interface card chipset is from Atheros.)

Page 35

Wifi Tools: Linux WiFi Card Setup (cont’d)

4. To ACTIVATE the change to Monitor mode: ifconfig eth01 up <enter>
5. To CONFIRM activation of Monitor mode: ifconfig eth01 <enter> The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.

-------------------------------------------------------------------------
If your WiFi interface card chipset is from Atheros, use the following commands instead:

4. “Destroy” Managed mode: wlanconfig ath01 destroy <enter>
5. REQUEST the change to Monitor mode: wlanconfig ath01 create wlandev wifi0 wlanmode monitor <enter>
6. ACTIVATE the change to Monitor mode: ifconfig ath01 up <enter>
7. To CONFIRM activation of Monitor mode: ifconfig ath01 <enter> The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.


Page 36

Wifi Tools: Software Concepts

Network Discovery and Enumeration
1. Most packet capture software also performs network discovery and enumeration
2. “Wireless Mon” (Windows OS) – runs in Managed Mode
3. Kismet (Linux – contained on BackTrack 4 distributions)

Packet Capture using capture software “engines”
1. WinPcap (Windows OS)
2. LibPcap (Linux library)

Packet “Sniffing” (retrieval/display), Analysis, Reporting
1. Wireshark (Windows OS and Linux)
2. Tcpdump (Linux). Oldest and most popular network sniffer.
3. WinDump (Windows OS’s Win 95 through Win XP)

Page 37

Wifi Tools Packet Capturing Software

• Digital Packet Capturing (PCAP) provides data stream input for WiFi “sniffer”/analysis software

• WiFi radio signal is received by hardware “interface” card (WNIC) and transferred to PCAP

• PCAP software is often bundled with distribution of sniffer/analysis software

• Windows users – “WinPcap” software• Linux users –”LibPcap” software

Page 38: WiFi Network Discovery - "WirelessMon" Managed-Mode "Drive-By" Discovery Software

"WirelessMon" WiFi discovery software by PassMark.

Runs in WiFi "Managed Mode" (!) - a rarity. This means almost any off-the-shelf Windows "wireless laptop" can use at least part of WirelessMon's functionality, with no Monitor-mode driver or special adapter:

1. Detects and monitors wireless (WiFi) networks within range
2. Provides Service Set Identifier (SSID), availability, and encryption information
3. Presents a live channel usage chart to help identify forensic targets
4. Generates signal strength coverage maps (Professional Edition) by either manually plotting points or using a GPS device

Caveat: in Managed mode the adapter only reports what its normal scan returns (beacons and probe responses from access points); it does not see other stations' data frames, which requires Monitor mode.

Page 39: WiFi Network Discovery - Windows OS "WirelessMon" Managed Mode Example (screenshot not reproduced)

Page 40: WiFi Network Discovery - Windows OS "WirelessMon" Managed Mode Discovery Example

Use the Summary tab to observe nearby WiFi "Channel Use". The Channel Use chart displays the number of local WiFi routers on the selected channel upon mouseover, as well as their status (green for "Available", blue for "Connected", red for "Not Available").

The majority of small WiFi installations use channel 6 (a common factory default).

Page 41: WiFi Network Discovery - Windows OS "WirelessMon" Managed Mode Network Discovery Example (cont'd)

In the example below, the WirelessMon Summary tab shows:
1. "SSID" (Service Set Identifier) - the network name the access point broadcasts in its beacons; it identifies the network and is not a user credential
2. "MAC Address" (Media Access Control address) - six bytes (48 bits) long, where the first three bytes (the Organizationally Unique Identifier, "OUI") identify the manufacturer
3. WiFi channel assignment (FCC-regulated channels in the US)
4. WiFi "Security" (encryption) mode ("None", WEP (weakest encryption), WPA-PSK, or WPA2)

NOTE THAT A LARGE PERCENTAGE OF DEPLOYED SMALL SYSTEMS HAVE ROUTERS BROADCASTING THE MANUFACTURER'S DEFAULT SSID (e.g., "linksys", "2WIRE351")

Page 42: WiFi Network Discovery - Windows OS "WirelessMon" Managed Mode Network Discovery Example (cont'd)

Use the Summary tab to further observe the list of nearby WiFi networks. In the example below, the Summary tab shows that all of the listed WiFi networks:
1. Run in "Infrastructure" mode (a wireless router/access point serves all nearby stations, as opposed to an ad hoc network of peers)
2. Support 54 Mb/s rates
3. Use Orthogonal Frequency Division Multiplexing (OFDM, shown as "OFDM24" in the WirelessMon output)

WirelessMon can store WiFi discovery results for input to forensic reports
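The fields WirelessMon pulls out on the last three slides all come from the beacon frames an access point transmits. The following added Python example (not WirelessMon's, Wireshark's or the authors' code) decodes them from a pcap of raw 802.11 frames, the form airodump-ng or Wireshark save from a Monitor-mode adapter. The capture, SSIDs, MAC addresses and the short default-SSID pattern list are constructed for the example; a real check would use the WIGLE default-SSID list linked at the end of this deck. It goes slightly beyond the slides by also reading the capability field (infrastructure vs ad hoc) and the RSN/WPA information elements, which is how a discovery tool tells WEP, WPA and WPA2 apart.

```python
"""Added example: decode 802.11 beacons into discovery fields (SSID, BSSID/OUI,
channel, mode, rates, security, default-SSID check). Not WirelessMon's code.
The pcap is constructed in memory with linktype 105 (raw 802.11, no radiotap)."""
import re
import struct

LINKTYPE_IEEE802_11 = 105

# Constructed default-SSID patterns; a real tool would load the WIGLE statistics list.
DEFAULT_SSID_PATTERNS = [re.compile(p) for p in (r"^linksys$", r"^2WIRE\d{3}$", r"^NETGEAR$", r"^default$")]


def is_default_ssid(ssid):
    return any(p.match(ssid or "") for p in DEFAULT_SSID_PATTERNS)


def read_pcap(data):
    """Yield raw frames from an in-memory pcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_beacon(frame):
    """Return discovery fields for one beacon frame, or None for any other frame."""
    if len(frame) < 36:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 8:            # type 0 = management, subtype 8 = beacon
        return None
    bssid = ":".join("%02x" % b for b in frame[16:22])     # addr3 of the 24-byte MAC header
    capability = struct.unpack("<H", frame[34:36])[0]      # follows timestamp(8) + interval(2)
    info = {"bssid": bssid, "oui": bssid[:8], "ssid": None, "channel": None,
            "mode": "Infrastructure" if capability & 0x0001 else "Ad hoc",
            "rates_mbps": [], "security": "WEP" if capability & 0x0010 else "None"}
    off = 36
    while off + 2 <= len(frame):                            # tagged parameters: id, length, body
        tag, ln = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + ln]
        if tag == 0:
            info["ssid"] = body.decode("utf-8", "replace") if body else "<hidden>"
        elif tag in (1, 50):                                # (extended) supported rates, 500 kb/s units
            info["rates_mbps"] += [(r & 0x7F) / 2 for r in body]
        elif tag == 3 and ln == 1:                          # DS parameter set = channel number
            info["channel"] = body[0]
        elif tag == 48:                                     # RSN information element = WPA2
            info["security"] = "WPA2"
        elif tag == 221 and body[:4] == b"\x00\x50\xf2\x01" and info["security"] != "WPA2":
            info["security"] = "WPA"                        # Microsoft OUI vendor IE, type 1 = WPA
        off += 2 + ln
    info["default_ssid"] = is_default_ssid(info["ssid"])
    return info


def discover(pcap_bytes):
    """One entry per BSSID, the way a discovery tool lists networks."""
    seen = {}
    for frame in read_pcap(pcap_bytes):
        b = parse_beacon(frame)
        if b and b["bssid"] not in seen:
            seen[b["bssid"]] = b
    return list(seen.values())


# --- constructed sample capture (test data, not a real recording) ------------
def _ie(tag, body):
    return bytes([tag, len(body)]) + body


def build_beacon(bssid, ssid, channel, security):
    cap = 0x0001                                            # ESS bit = infrastructure
    rates = bytes(int(r * 2) for r in (6, 9, 12, 18, 24, 36, 48, 54))
    ies = _ie(0, ssid.encode()) + _ie(1, rates) + _ie(3, bytes([channel]))
    if security != "None":
        cap |= 0x0010                                       # privacy bit is set for WEP, WPA and WPA2
    if security == "WPA2":                                  # RSN: CCMP group/pairwise, PSK AKM
        ies += _ie(48, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
    elif security == "WPA":
        ies += _ie(221, bytes.fromhex("0050f201 0100"))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    return hdr + struct.pack("<QHH", 0, 100, cap) + ies


def write_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1369300000 + n, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = write_pcap([
    build_beacon(bytes.fromhex("001a70aabbcc"), "linksys", 6, "WEP"),
    build_beacon(bytes.fromhex("001e5cddeeff"), "2WIRE351", 6, "WPA"),
    build_beacon(bytes.fromhex("0026f2112233"), "corp-secure", 11, "WPA2"),
    b"\x08\x01" + b"\x00" * 30,                              # a data frame: ignored by parse_beacon
    build_beacon(bytes.fromhex("001a70aabbcc"), "linksys", 6, "WEP"),   # repeated beacon, deduplicated
])

if __name__ == "__main__":
    for ap in discover(SAMPLE_PCAP):
        print("%-12s ch%-3s %-5s %-14s OUI %s default=%s max %g Mb/s" % (
            ap["ssid"], ap["channel"], ap["security"], ap["mode"], ap["oui"],
            ap["default_ssid"], max(ap["rates_mbps"])))
```

Running the script prints one line per access point in the same form as the WirelessMon summary; replace SAMPLE_PCAP with the bytes of a real airodump-ng or Wireshark capture saved without a radiotap header to use it on live data.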

Page 43: WiFi Network Discovery - Wireless LAN WiFi PC Adapter (Monitor Mode), Windows OS

CACE (Creative Advanced Communication Engineering) "AirPcap TX" Monitor Mode USB Wireless Adapter
• Contains a WiFi antenna
• Uses WinPcap 4.01 (beta) packet capture software
• Provides the packet injection required by WiFi password cracking software such as Aircrack-ng
• Ships with the popular Wireshark sniffer software
• Supports Windows Vista OS
• http://www.cacetech.com/products/airpcap-tx.htm

CACE model "AirPcap TX" (product photo not reproduced)

Page 44: WiFi Packet Sniffing Example - Wireshark

1. "Associate" (connect) with the WiFi network. (This applies to a Managed-mode adapter; a Monitor-mode adapter such as the AirPcap captures every frame on the channel without associating.)
2. Select the sniffer "Interface" (the WiFi Monitor Mode network card). Then click on "Options".

Page 45: WiFi Packet Sniffing Example - Wireshark (cont'd)

3. Select the Packet Sniffing "Options" (screenshot not reproduced)

Page 46: WiFi Packet Sniffing Example - Wireshark (cont'd)

4. Click "Start". NOTE the desktop PC printer frame below (UNIX CUPS) (screenshot not reproduced)

Page 47: WiFi Packet Sniffing Example - Wireshark (cont'd)

5. Click Stop in the Wireshark Capture menu.
6. Browse through Wireshark's frame list and observe the forensic target WiFi user's "web surfing" (HTTP) frames.
7. Type the expression "http" in the Wireshark "Display Filter" box. Then click the adjacent "Apply" button.
8. Wireshark will then display only "web surfing" (HTTP) frames.

Page 48: WiFi Packet Sniffing Example - Wireshark (cont'd)
(Original slide footer: 7/9/2008 For HTCIA/CACI/Gov't Use Only © 2008 CACI)

• WIRESHARK DISPLAY OF HTTP FRAMES ONLY (screenshot not reproduced)

Page 49: WiFi Packet Sniffing Example - Wireshark (cont'd)

• The forensic examiner may observe IMAGES carried in captured HTTP "web surfing" frames:
• Right-click on the "JPEG File Interchange Format" line in the packet details pane and export the raw image bytes (as "Imagexx.jpg") to a folder. (File > Export Objects > HTTP lists every file transferred over HTTP in the capture in one step.)
• RESULT: (screenshot not reproduced)

Page 50: WiFi Packet Sniffing Example - Wireshark (cont'd)

1. WIRESHARK DISPLAY OF HTTP FRAME HISTORICAL "THREADS":
   Click on the first HTTP frame of interest, usually a GET request
2. In the Wireshark Analyze menu, click on Follow TCP Stream
3. The reassembled TCP stream appears as the client/server conversation for that web page request, with requests and responses in order

Page 51: WiFi Packet Sniffing Example - Wireshark (cont'd)

• FREE IDENTIFICATION OF WEBSITE ORIGINS (IP geolocation) for the HTTP frames of interest, usually GET requests

Type the website IP address into the LIVE PRODUCT DEMO at: http://www.ip2location.com/

EXAMPLE / RESULT: (screenshots not reproduced)

Caveat: a geolocation lookup places the address block of the hosting provider, which is not necessarily the location of the site operator.

Page 52: WiFi Packet Sniffing Example - Wireshark (cont'd)

• WIRESHARK DISPLAY OF FTP FRAMES ONLY: Type the expression "ftp" in the Wireshark "Display Filter" box. Then click the adjacent "Apply" button.
• Wireshark will then display only File Transfer Protocol (FTP) control-channel frames.

Page 53: WiFi Packet Sniffing Example - Wireshark (cont'd)

• The forensic examiner may observe the USERNAME and PASSWORD in captured FTP frames: the FTP USER and PASS commands are sent in cleartext. (screenshot not reproduced)

Page 54: WiFi Packet Sniffing Example - Wireshark (cont'd)

• WIRESHARK DISPLAY OF FTP FRAME HISTORICAL "THREADS": Click on the first FTP frame of interest, usually the USER command
• In the Wireshark Analyze menu, click on Follow TCP Stream
• The reassembled stream appears as the FTP control-channel dialog: USER, PASS, and the following commands with the server's numeric replies

Page 55: WiFi Packet Sniffing Example - Wireshark (cont'd)

• WIRESHARK DISPLAY OF GOOGLE MAIL FRAMES ONLY: Type a host filter with the Google Mail server name seen in the capture into the Wireshark "Display Filter" box (for example, http.host contains "mail.google.com"). Then click the adjacent "Apply" button.
• Wireshark will then display only the Google Mail frames.
• Caveat: Google Mail sessions run over HTTPS, so only the server name (DNS lookups and the TLS handshake) is visible in the capture; the mail content is encrypted.
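Follow TCP Stream and the http, ftp and host display filters on the preceding slides all act on reassembled conversations. The added Python example below (not Wireshark's or the authors' code) shows what that reassembly does with out-of-order and retransmitted segments and with a hole left by a frame the sniffer never saw, then extracts the artifacts the slides point at: FTP USER/PASS pairs and HTTP request lines with their Host headers. Segments are given as (src, dst, seq, payload) tuples as if already decoded from the capture; the addresses, sessions and credentials are constructed.

```python
"""Added example: Follow-TCP-Stream style reassembly plus FTP credential and HTTP
request extraction. Not Wireshark's code; all sessions below are constructed."""
import re
from collections import namedtuple

Segment = namedtuple("Segment", "src dst seq payload")    # src/dst are "ip:port" strings


def follow_stream(segments, src, dst):
    """Rebuild one direction of a TCP conversation in sequence-number order.
    Retransmissions are dropped, overlaps trimmed, and a hole where a segment was
    never captured is counted so the caller knows the stream is incomplete."""
    data, expected, gaps = bytearray(), None, 0
    for seg in sorted((s for s in segments if s.src == src and s.dst == dst), key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if expected is None:
            expected = seg.seq
        if end <= expected:                                  # pure retransmission
            continue
        if seg.seq > expected:                               # missing bytes: lost in capture
            gaps += 1
            expected = seg.seq
        data += seg.payload[expected - seg.seq:]             # trim any overlap
        expected = end
    return bytes(data), gaps


FTP_CMD = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.M)
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n", re.S | re.M)


def ftp_credentials(client_stream):
    """Pair each USER with the PASS that follows it; FTP (port 21) sends both in cleartext."""
    creds, user = [], None
    for cmd, arg in FTP_CMD.findall(client_stream):
        if cmd == b"USER":
            user = arg.decode()
        elif user is not None:
            creds.append((user, arg.decode()))
            user = None
    return creds


def http_requests(client_stream):
    """(method, host, path) for every request in a client-to-server HTTP stream,
    the equivalent of the http / http.host display filters."""
    out = []
    for method, path, headers in HTTP_REQ.findall(client_stream):
        lines = (ln.partition(b":") for ln in headers.split(b"\r\n") if b":" in ln)
        hdrs = {k.strip().lower(): v.strip() for k, _, v in lines}
        out.append((method.decode(), hdrs.get(b"host", b"").decode(), path.decode()))
    return out


# --- constructed sample capture ----------------------------------------------
def _session(src, dst, start, *payloads):
    """Consecutive segments with correct sequence numbers."""
    segs, seq = [], start
    for p in payloads:
        segs.append(Segment(src, dst, seq, p))
        seq += len(p)
    return segs


CLIENT, FTP_SRV, WEB_SRV = "192.0.2.10:49152", "192.0.2.20:21", "192.0.2.30:80"
ftp_c = _session(CLIENT, FTP_SRV, 2000, b"USER alice\r\n", b"PASS s3cret!\r\n", b"CWD /evidence\r\n")
ftp_s = _session(FTP_SRV, CLIENT, 1000, b"220 ftp.example.test ready\r\n",
                 b"331 Password required\r\n", b"230 Login OK\r\n")
web_c = _session(CLIENT, WEB_SRV, 5000, b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n",
                 b"Cookie: SID=abc\r\n\r\n",                   # request split across two segments
                 b"GET /news HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
SAMPLE = [ftp_s[0], ftp_c[1], ftp_c[0], ftp_c[0],            # PASS captured before USER; USER twice
          ftp_s[1], ftp_s[2], ftp_c[2],
          Segment(FTP_SRV, CLIENT, 1200, b"250 Directory changed\r\n"),   # a reply before it was lost
          web_c[0], web_c[1], web_c[2]]

if __name__ == "__main__":
    client_ftp, _ = follow_stream(SAMPLE, CLIENT, FTP_SRV)
    server_ftp, holes = follow_stream(SAMPLE, FTP_SRV, CLIENT)
    client_web, _ = follow_stream(SAMPLE, CLIENT, WEB_SRV)
    print("FTP credentials:", ftp_credentials(client_ftp), "server stream holes:", holes)
    for req in http_requests(client_web):
        print("HTTP %s %s%s" % req)
```

The gap counter matters in a forensic report: a stream reassembled across a hole can show a PASS command with no USER before it, and the report should say the capture was incomplete rather than present the partial dialog as the whole session.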

Page 56: WiFi WEP Password Cracking Example - Decrypt WEP (Wired Equivalent Privacy) Capture File

Windows OS command line with partial GUI support. The examiner clicks on airodump-ng-airpcap and completes the "IV capture" startup screen (screenshot not reproduced):

Page 57: WiFi WEP Password Cracking Example - Decrypt WEP (Wired Equivalent Privacy): Begin Creating the IV Capture File

Airodump will automatically gather the needed IVs (Initialization Vectors), starting at a slow pace (#Data column)
• 250,000+ IVs required to break a 64-bit WEP key
• 1,500,000+ IVs required to break a 128-bit WEP key
• These counts are for the original FMS/KoreK statistical attacks; the PTW attack in aircrack-ng 0.9 and later typically recovers a 64-bit key from roughly 20,000 data packets and a 128-bit key from 40,000 to 85,000
• The target WiFi router MUST BE ACTIVE (users web surfing, etc.), since every captured data frame contributes one IV

Page 58: WiFi WEP Password Cracking Example - Decrypt WEP (Wired Equivalent Privacy): Accelerate IV Capture by Packet Injection

• The examiner uses the aireplay-ng command-line utility to inject packets continuously (typically a captured ARP request replayed to the access point) so that the target generates new IVs faster, which airodump-ng captures
• Injection is active, not passive: it adds traffic to the target network and alters its state
• Target WiFi router performance may be impacted
• A target (wireless) Intrusion Detection System (IDS) may respond

Page 59: WiFi WEP Password Cracking Example - Decrypt WEP (Wired Equivalent Privacy) Capture File

Windows OS command line with partial GUI support. The forensic examiner clicks on the aircrack-ng GUI and completes the key recovery screen (screenshot not reproduced)

Page 60: WiFi WEP Password Cracking Example - Recovered Key Display by Aircrack-ng

SUCCESSFUL KEY RECOVERY
• The forensic examiner may enter the recovered key (hex format, 66756A7839) into Wireshark's IEEE 802.11 decryption keys list (Edit > Preferences > Protocols > IEEE 802.11, key type "wep").
• Wireshark will then decrypt the captured WEP data frames automatically and display them.
• The forensic examiner may "log on" (associate with) the WiFi network (BSS "bulliron") with the passkey fujx9, the ASCII form of the same 40-bit key.
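To see what Wireshark does with the recovered key, and why collecting IVs is what breaks WEP, the added Python example below (not aircrack-ng's, Wireshark's or the authors' code) implements WEP frame-body encryption and decryption with RC4 and the CRC-32 ICV, using the key from the slide (hex 66756A7839, ASCII "fujx9"). The plaintexts and IVs are constructed. It shows the two properties the attack rests on: a wrong key fails the ICV check, which is how a cracker recognises the right candidate, and a repeated 24-bit IV reuses the keystream, so XORing two such frames leaks the XOR of their plaintexts without the key.

```python
"""Added example: WEP frame-body encryption/decryption (RC4 + CRC-32 ICV), the
ICV check Wireshark and aircrack-ng rely on, and the IV-reuse weakness.
Not aircrack-ng's or Wireshark's code; frame contents are constructed."""
import math
import struct
import zlib

IV_SPACE = 2 ** 24                       # the WEP IV is 24 bits and travels in the clear
KEY = bytes.fromhex("66756A7839")        # key as aircrack-ng reports it; b"fujx9" in ASCII


def rc4_keystream(key, n):
    """RC4 key scheduling followed by n keystream bytes. WEP seeds RC4 with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext, key_index=0):
    """Frame body: IV(3) || key-index byte || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = xor(plaintext + icv, rc4_keystream(iv + key, len(plaintext) + 4))
    return iv + bytes([key_index << 6]) + body


def wep_decrypt(key, frame_body):
    """Return (plaintext, icv_ok). A wrong key yields garbage and a failed ICV,
    which is how a cracker knows a candidate key is right (or wrong)."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    plain = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = plain[:-4], plain[-4:]
    return data, struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv


def keystream_reuse_leak(frame_a, frame_b):
    """Two frames encrypted under the same IV share a keystream, so
    C1 xor C2 == P1 xor P2 (over the bytes before the shorter frame's ICV)
    with no knowledge of the key. Predictable LLC/SNAP headers then expose the rest."""
    n = min(len(frame_a), len(frame_b)) - 8           # drop 4-byte IV/index prefix and shorter ICV
    return xor(frame_a[4:4 + n], frame_b[4:4 + n])


def iv_collision_probability(n_frames):
    """Birthday bound: probability that at least two of n frames repeat an IV."""
    return 1 - math.exp(-n_frames * (n_frames - 1) / (2 * IV_SPACE))


# Constructed plaintexts: LLC/SNAP header for IP, then a payload a data frame might carry.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
P1 = LLC_SNAP_IP + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
P2 = LLC_SNAP_IP + b"USER alice\r\n"
IV = b"\x11\x22\x33"
C1 = wep_encrypt(KEY, IV, P1)
C2 = wep_encrypt(KEY, IV, P2)            # same IV: same keystream

if __name__ == "__main__":
    data, ok = wep_decrypt(KEY, C1)
    print("recovered key: ICV ok =", ok, "payload =", data[8:24])
    print("wrong key:     ICV ok =", wep_decrypt(b"wrong", C1)[1])
    print("IV reuse leaks P1^P2:", keystream_reuse_leak(C1, C2) == xor(P1, P2))
    print("P(IV collision after 5000 frames) = %.2f" % iv_collision_probability(5000))
```

The last line is the point behind the IV counts on the earlier slides: with a 24-bit IV there is better than even odds of a repeat after about 5,000 frames, and a busy access point cycles through the whole space in hours, which is why a capture of a few hundred thousand IVs gives the statistical attacks enough material.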

Page 61: Questions?

Page 62: Web Links

Hawking Handheld Directional WiFi Detector
http://www.hawkingtech.com/products/productlist.php?CatID=32&FamID=71&ProdID=131

Wireshark Packet Sniffer / Analyzer
http://www.wireshark.org

CACE (Creative Advanced Communication Engineering) "AirPcap TX" Monitor Mode USB Wireless Adapter for Microsoft Windows
http://www.cacetech.com/products/airpcap-tx.htm

"Aircrack-ng" Password Cracking Software
http://www.aircrack-ng.org

Page 63: Web Links (cont'd)

WEP WiFi Encryption "Cracking"
http://www.smallnetbuilder.com/content/view/30114/98

WPA/WPA2 WiFi Encryption "Cracking"
http://www.smallnetbuilder.com/content/view/30278/98

Packet Captures and Network Devices
http://www.smallnetbuilder.com/content/view/30305/235

Page 64: Web Links (cont'd)

Remote-Exploit.org "BackTrack 4" Forensics Live CD (the Linux programs run from the user's CD drive without installing on the hard disk)
www.remote-exploit.org/backtrack_download.html

PassMark "WirelessMon" Wireless Network Enumeration ("Stumbler") Utility
http://www.passmark.com/products/wirelessmonitor.htm

Page 65: Web Links (cont'd)

WIGLE (Wireless Geographic Logging Engine) - list of default WiFi "Service Set IDs" (SSIDs)
http://www.wigle.net/gps/gps/main/ssidstats

Institute of Electrical and Electronics Engineers (IEEE) searchable list of MAC address "OUI" (Organizationally Unique Identifier) manufacturer codes - the first 3 bytes of the MAC address
http://standards.ieee.org/regauth/oui/index.shtml

Page 66: Web Links (cont'd)

Forensic Software Product Line Overview from Clarifying Technologies
http://www.clarifyingtech.com/public/products/products_public.html

RADIUS "Challenge" User Authentication/Password Utility
http://dictionary.zdnet.com/definition/challenge%252Fresponse.html

Page 67: References

WI-FOO: The Secrets of Wireless Hacking (Andrew Vladimirov et al., Addison-Wesley)

Wireshark & Ethereal Network Protocol Analyzer Toolkit (Angela Orebaugh et al., Syngress)

Penetration Tester's Open Source Toolkit, Volume 2 (Aaron Bayles et al., Syngress)

Computer Evidence: Collection and Preservation (Christopher L.T. Brown, Charles River Media)

Hacker's Challenge 3 (David Pollino et al., McGraw-Hill)

Real Digital Forensics: Computer Security and Incident Response (Keith Jones, Richard Bejtlich, Curtis Rose)

Anti-Hacker Tool Kit (Mike Shema et al., McGraw-Hill)

Page 70: Questions?

http://www.amazon.com/Your-Computer-Bugged-Glenn-Jacobs/dp/1435797523

Page 71: Questions?

Mike Davis, EE/MSEE, CISSP, SysEngr
ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al
[email protected]

Glenn G Jacobs, BSEE, Security+
Creative Commerce LLC
[email protected]

