Network
Forensics
Module 5 – Wireless Networks
•
Wireless
Network
•
•
A wireless network is any type of computer
network that uses wireless data connections for
connecting network nodes
Provide easy access to client traffic
A convenient entry point into network, and extensive
access logs
•
Wireless
Devices
Common types:
• AM/FM radios
• Codeless phones
• Bluetooth headsets
• Infrared devices
Major challenge: often accessible from a distant point and
can represent loophole in organizational security defense.
Investigation activities can potentially be monitored from a
long distance.
Common
scenarios
requiring
involving
wireless
networks
•
•
•
•
Recover a laptop
Identify rogue wireless access point that has been
installed by insiders for convenience or to bypass
enterprise security
Investigate any malicious activity
Investigate on attacks on network
•
IEEE Layer 2
Protocol
•
•
•
IEEE has published a series of international
standards(“802.11”) for WLANS
Wi-Fi includes the IEEE 802.11 standards.
Not all standards are published by IETF. Many of the
core network protocols were published by IEEE
IEEE standards includes Ethernet( 802.3), trunking
(802.1q), LAN-based authentication(802.1x) and WiFi(802.11) that includes both WEP(Wired Equivalent
Privacy) and WPA(Wi-Fi Protected access)
•
Why we need
so many Layer
2 protocols
•
•
RF and copper don’t have same physical characteristics
and hence the signals sent across them do not behave
the same.
Ethernet(802.3) is designed for carrier sense multiple
access with collision detection (CSMA/CD)
802.11 wireless protocols are used for carrier sense
multiple access with collision avoidance (CSMA/CA)
•
•
Base Ethernet standard is 10Mbps.
Data are transmitted in the form of packets
•
•
CSMA/CD
•
•
Sense channel prior to actual packet transmission.
Transmit packet only if channel is sensed idle; else,
defer the transmission until channel becomes idle.
After packet transmission is started, the node
monitors its own transmission to see if the packet
has experienced a collision
If the packet is observed to be undergoing a
collision, the transmission is aborted and the
packet is retransmitted after a random interval of
time using Binary Exponential Backoff algorithm.
•
CSMA/CD
•
It’s all stations’ responsibility to make sure that the
carrier/medium is in use that describes the carrier sense
part and detect if any 2 stations are trying to use the
medium at the same time that describes the collision
detection part.
Whenever a station detects a collision while transmitting
signals, it sends a jamming signal to all stations using
the medium to inform everyone that they need to stop
communicating and try again after a selected random
time increment to wait(so that they don’t try all at the
same time)
•
•
CSMA/CA
•
IEEE 802.11 standard for WLAN defines a distributed
coordination function (DCF) for sharing access to the
medium based on the CSMA/CA protocol
Collision detection is not used since a node is unable to
detect the channel and transmit data simultaneously
Hidden node: A station that can communicate with the
access point but not with other stations.
•
•
CSMA/CA
•
Collision avoidance technique is used to ensure that 2
stations are not communicating at the same time.
Before transmission, a station listens to determine that
the transmission medium is idle. If busy, it waits until the
end of current transmission and then until an additional
random amount of time(back off factor)
Stations can also send control frames such as “Requestto-send” and “Clear-to-send” to help avoid collisions.
•
802.11 Frame
Types
•
•
Management Frames: Govern Communication between
stations except flow control.
Control Frames: Support flow control over a variably
available medium(such as RF)
Data Frames: Encapsulate the Layer 3+ data that moves
between stations actively engaged in communication on
a wireless network
802.11 Frame Header
•
•
Management
Frames
•
Type 0
Designed to coordinate communication on any wireless
LAN from infrastructure networks to individual stations
sending out probe requests
Management Frame subtypes:
• Association Requests
• Association Responses
• Probes
• Beacons
• Others
•
Forensic Value:
•
Management
Frames
•
•
As these frames are not encrypted, these clear-test
frames provide a lot of information on which
stations are communicating, in which ways and with
whom.
Provides information about station MAC addresses,
identify Basic Service Set Identification(BSSIDs) and
Service Set Identification(SSIDs), successful and
failed authentication attempts.
Common attacks like WEP cracking and Evil Twin
are facilitated through manipulation of
management frames
•
Management
Frames
SUBTYPES:
• 0x0 – Association Request
• 0x1 – Association Response (Status Code: 0x0000: Successful)
• 0x2 – Re-association Request
• 0x3 – Re-association Response
• 0x4 – Probe Request
• 0x5 – Probe Response
• 0x6 – Reserved
• 0x7 – Reserved
• 0x8 – Beacon Frame
• 0x9– Announcement Traffic indication Map(ATIM)
• 0xA – Disassociation
• 0xB – Authentication
• 0xC – De-Authentication
• 0xD – Action
• 0xE – Reserved
• 0xF – Reserved
•
•
•
Control
Frames
Type 1
To Manage the flow of traffic across a wireless network
Subtypes:
• 0x1B – Request-to-send (RTS)
• 0x1C – Clear-to-send (CTS)
• 0x1D – Acknowledgement
 Subtypes “Request-to-send” and “Clear-to-send” are used
to address Hidden node issue. Individual stations send
“request-to-send” and all stations watch for “Clear-tosend” frames.
 Forensic Value: Provide timing and MAC address
information.
Data Frames
•
•
•
Type 2
Contain the actual data
including the encapsulated
higher layer protocols
Subtypes:
• 0– Data
• 4– No Data

Forensic Value: Provide
info on volumes and
directionality of traffic
and stations involved
802.11 Frame Analysis
•
•
•
•
It is very important for stations to be synchronized to interpret unordered bits according to a protocol used
by both receiver and sender
When MSB bits are represented, stored or transferred first it is called “Big -endian”
When LSB bits are represented, stored or transferred first it is called “Little-endian”
Endian uses Base-10 math.
Network Byte Order
•
•
If a system is a combination of big-endian and little-endian then it is called “mixed-endian” or “middleendian”
Forensic Investigators are used to viewing the captured bits in big-endian form.
802.11 Endianness
•
•
802.11 is neither big-endian nor little-endian, but is best described as “mixed-endian.”
While the bit ordering within each individual data field is big-endian, the fields themselves are transmitted
in reverse order, within the byte-boundaries.
•
When the first byte of the frame is actually transmitted, the least significant field (“Subtype”) is sent
first! The Type goes second, and the protocol version goes third
More 802.11 Endianness
•
•
libpcap receives the bytes in reverse order
The bits are displayed, nibble by nibble, in hexadecimal representation. When interpreting
the data, libpcap treats the bit received first as the most significant bit in the nibble
More 802.11 Endianness (cont)
•
•
in Wireshark’s Packet Details panel, Wireshark has correctly interpreted the first byte of the
802.11 frame (“Version/Type/Subtype”) as 0x20 (0b00100000). However, when you view the raw
traffic in the Packet Bytes panel below, it appears as 0x08, since the bits were actually received
in that order (0b00001000)
Let’s look at the second byte of the 802.11 frame, the “Flags.” This contains six single-bit frame
control flags and the 2-bit DS field. These are transmitted in reverse order, from least to most
significant, field-by-field! Again, while Wireshark correctly interpreted the flags in the second
byte (as seen in the Packet Details panel), due to the order in which the bits were received, the
Packet Bytes panel displays 0x41 (0b01000001), and not 0x42 (0b01000010)

Wired
Equivalent
Privacy(WEP)



Wired Equivalent Privacy (WEP) is part of the 802.11
standards, published by the IEEE
It was proposed as a way to enable a WAP to
provide a “private” network, similar to the
environment that a wired hub could provide due to
natural limitations of the physical media
WAP’s Physical layer is Radio Frequency
To gain access to a WEP-encrypted wireless
network, users need knowledge of a “shared secret”
key to gain access to the wireless hub’s service at
Layer

Problems in WEP :

Wired
Equivalent
Privacy(WEP)


WEP protocol has a commonly known flaw that
allows any eavesdropper (any station with
sufficient RF gain) to harvest unprotected key
material, which can then be used to expedite a
brute-force attack and recover the shared
encryption key
Widely published tools such as “aircrack-ng”
make it easy even for beginners to crack WEP
keys and access “protected” wireless networks
WEP is used with shared secret key but when it
is shared with many people it does not stay
secret anymore. Changing the shared secret is
difficult, which means that even compromised
shared secrets often remain unchanged for long
periods of time.


Wired
Equivalent
Privacy(WEP)

Why WEP?
Legacy equipment—Sometimes WAPs are
deployed and forgotten, or never maintained, or
passwords are never rotated. Lack of resources may
prevent equipment upgrades.
Modern equipment deployed to support legacy
equipment—Modern WAPs may be deployed in an
environment where other legacy devices persist,
and therefore must be configured to support the
lowest common denominator with respect to key
length and cryptosystem

How can you tell if a packet capture or stream is
encrypted?

Wired
Equivalent
Privacy(WEP)

802.11 management frames have a “Privacy”
subfield that is set to “1” when “data
confidentiality is required for all data type
frames exchanged within the BSS.” In other
words, when the access point is configured to
use WEP, WPA, or WPA2, the “Privacy” subfield
in WAP management frames is set to 1
802.11 data frames include a “Protected” bit
within the first byte offset of the 802.11 MAC
framing, which indicates whether encryption is
in use. The “Protected” bit is set to “1” when
WEP, WPA,WPA2 is enabled

TKIP, AES,
WPA, and
WPA2


WEP did not provided the intended level of
protection so the IEEE 802.11 working group came
up with a new protocol “Wi-Fi Protected Access”
(WPA)
WPA was a measure designed to deal with some of
the weaknesses of WEP, such as key rotation. This
was done through the introduction of the Temporal
Key Integrity Protocol (TKIP)
When flaws were discovered in WPA, WPA2 was
implemented.

TKIP, AES,
WPA, and
WPA2

In order for stations to communicate their ability to
conform to the new specifications, a new category
of functionality was created called robust security
networks (RSNs)
Stations configured to support RSN associations
(RSNAs) such as WPA and WPA2 include RSN
information within the tagged parameters of
management frames, including Beacons,
Association Request, Re-association Request, and
Probe Response
•-
WAP is a layer 2 (Data Link) device that aggregates
endpoint stations into a LAN.
•
Wireless
Access Points:
•
•
•
-
Uses Radio frequency through air Instead of Voltage
across the air.
The Physical layer is a shared medium.
They act like hubs with much more capabilities and
whose physical access is unlimited.
Any one within the RF range can intercept the traffic.
•
Why
investigate
Wireless
Access Points ?
•
•
•
•
Logs of connection attempts, authentication successes
and failures, and other local WAP activity.
Logs can track connections and physical movements of
a wireless client throughout a building or campus.
Insight into how an attacker may have gained access
Configurations may have been modified during an
attack thus giving investigators an idea of the attackers
motives.
The WAP may still be compromised and require a fix
Wireless Access points types
Any device with standard 802.11 capability can be used as WAP. Therefor investigator must be familiar with variety of access
points.
-Enterprise WAPs
-Consumer WAPs
Enterprise WAPs.
• Requires centralized management such as wireless access controllers where administrator can monitor network state.
• Support for IEEE 802.11a/b/g/n
• Physical media is RF waves
• Layer 3+ functionality, including– Support for routing protocols ( Some Access points have L3 capabilities )
• DHCP
• Network address translation
• Packet filtering
• Centralized authentication
• Auditable access logs (local and central)
• Station location tracking
• Performance monitoring capabilities
• Power over Ethernet (PoE)
• Indoor and outdoor options The interface options for enterprise-class wireless access points frequently include:17,18
• Console (command-line interface (CLI))
• Remote console (SSH/Telnet), SNMP
• Web interface
• Proprietary interface
• Central management interface
Consumer
• Consumers may purchase their own WAPs (or routers with built-in wireless capabilities).
• WAP functionality is commonly built into DSL modems and cable modems leased from an ISP. In these
cases, you may not have legal or technical access to the device without support from the local ISP.
Support for IEEE 802.11a/b/g/n
• Physical media is RF waves
• Often contain Layer 3+ functionality, including: – Limited
• Routing
• DHCP service
• NAT
• Limited filtering
• Logging (locally and sometimes remotely)
Examples of consumer class WAPs are:
• Ubiquitous
• Linksys WRT54G
• Apple Airport.
WAP Evidence
Volatile Evidence:
Persistent Evidence:
•
WAPs are not designed to include much local persistent storage space.
The WAP operating system and startup configuration files are
maintained in persistent storage by necessity.
•
•
•
•
•
•
•
•
•
•
•
logs of wireless events (access requests, key
rotation, etc.)
History of client signal strength (can help
identify geographic location)
Routing tables
Stored packets before they are forwarded
Packet counts and statistics
ARP table (MAC address to IP address
mappings)
DHCP lease assignments
Access control lists
I/O memory
Running configuration
Processor memory
Flow data and related statistics
•
•
•
Operating system image
Boot loader
Startup configuration files
Off System Evidence:
Wireless access points can be configured to send event logs to remote
systems for off-site aggregation and storage. Syslog and SNMP are
commonly supported
Wireless Traffic Capture and Analysis
Spectrum Analysis: Commonly used frequency ranges for WiFi
• 2.4 GHz (802.11b/g/n)
• 3.6 GHz (802.11y)
• 5 GHz (802.11a/h/j/n)
Each of these frequency ranges is divided into distinct channels, which are smaller frequency bands. WiFi equipment
manufactured for use in the United States is generally not capable of transmitting or receiving traffic on all of the channels
used in Japan. This has important consequences for forensic investigators. For example, an attacker can purchase a
Japanese WAP that supports Channel 14 and plug it into a corporate network in the United States, and U.S. wireless clients
will not “see” the access point.
•
2.4 GHz vs. 5
GHz
Deployment
Considerations:
•
•
Geographical Location. Before getting to far, consider the
geographical location of where the WLAN will operate. 2.4GHz WLANs
have regulatory acceptance throughout most of the World; however,
the use of 5GHz for WLANs is somewhat limited. For example, the U.S.
allows operation of 5GHz WLANs, but other countries such as china do
not.
Performance. The 5GHz bands have much greater spectrum available.
In this band there are 12 non-overlapping channels, each with 20MHz
of bandwidth. This means significantly better performance as
compared to the 2.4GHz band. The entire 2.4GHz band is 80MHz wide,
which only allows three non-overlapping channels. If high
performance is an important requirement, then lean toward the 5GHz
band.
Facility Size. As frequency increases, range generally decreases. As a
result, 5GHz systems generally have less range than ones operating in
the 2.4GHz band. The selection of a 5GHz WLAN could require a
greater number of access points, which can result in higher costs. As a
result, you may benefit by deploying 2.4GHz systems in larger facilities
unless high performance is critical.
Wireless Passive Evidence Acquisition
•
•
•
•
You need an 802.11 wireless card capable of running in Monitor mode.
Special-purpose WiFi monitoring card that can be configured to operate completely
passively
Tools such as AirPcap USB adapters, that are designed for exactly this task.
plugs into a USB port and can monitor Layer 2 WiFi traffic (one channel at a time).
Common Information that can be gathered:
•
•
•
•
Associated client MAC addresses Broadcast SSIDs
Supported encryption/authentication algorithms
WAP MAC addresses
Associated client MAC addresses
What to look
for when
analyzing
802.11:
•
•
•
•
•
Are there any beacons in the wireless traffic?
Are there any probe responses?
Can you find all the BSSIDs/SSIDs from
authenticated/associated traffic?
Can you find malicious traffic? What does that look like?
Is the captured traffic encrypted using WEP/WPA? Is
anyone trying to break the encryption?
Common Attacks
•
•
Sniffing - An attacker eavesdrops on the network
•
•
The Evil Twin attack - where An attacker sets up a WAP with the same SSID as a legitimate WLAN
Rogue Wireless Access Points - Unauthorized wireless devices that extend the local network, often for
an end-user’s convenience
WEP Cracking - where An attacker attempts to recover the WEP encryption key to gain unauthorized
access to a WEP-encrypted network.
Locating Wireless Devices
The single most challenging aspect of wireless networks for the investigator is the inherent difficulty in
physically locating devices of interest
Strategies for locating wireless devices include:
1. Gather station descriptors, such as MAC addresses, which can help
provide a physical description .
2. For clients, identify the WAP that the station is associated with (by
SSID);
3. Leverage commercial enterprise wireless mapping software;
4. Poll the device’s signal strength; and
5. Triangulate the signal.
•
•
Bluetooth
Access Points
•
When you think about Bluetooth, you probably envision
your tiny little headset that crackles and hisses every
time you walk too far away from your phone.
However, there’s more to Bluetooth than your rinky-dink
headset. Bluetooth Class 1 devices are much more
powerful, with ranges similar to 802.11b WAPs. A
Bluetooth Class 1 device can transmit up to 100mW,
with a typical range of up to about 91m (or possibly
miles, if the receiver has a directional antenna).You can
buy a Class 1 Bluetooth WAP for $100–$200.
Bluetooth uses Frequency Hopping Spread Spectrum,
and hops 1,600–3,200 times a second across 79 channels
throughout the 2.4–2.4835 GHz band. Because it’s
spread out across the spectrum, it can be hard to notice
and easily mistaken for noise by the untrained eye. Most
Wireless IDS systems and security teams simply don’t
look for it
•
There are, literally, an infinite number of frequencies over which
data can be transmitted through the air.
•
For Wi-Fi traffic, the IEEE utilizes three frequency ranges:
• 2.4 GHz (802.11b/g/n)19
• 3.6 GHz (802.11y)20
• 5 GHz (802.11a/h/j/n)21
•
Wireless
Spectrum
The precise frequencies in use vary by country. For example, the
United States only allows WiFi devices to communicate over
channels 1–11 in the 2.4 GHz range, while Japan allows
transmission over all 14 channels.
•
As a result, WiFi equipment manufactured for use in the United
States is generally not capable of transmitting or receiving traffic
on all of the channels used in Japan. This has important
consequences for forensic investigators.
•
For example, an attacker can purchase a Japanese WAP that
supports Channel 14 and plug it into a corporate network in the
United States, and U.S. wireless clients will not “see” the access
point.
•
Perhaps the single most challenging aspect of wireless
networks for the investigator is the inherent difficulty in
physically locating devices of interest.
•
Locating
Wireless
Devices
•
For example, a compromised laptop can physically move to
different locations or a rogue wireless access point may be
hidden in some crafty location (e.g., ceiling tiles)
Strategies for locating wireless devices
•
•
•
•
•
1. Gather station descriptors, such as MAC addresses, which can
help provide a physical description so that you know what to look
for;
2.For clients, identify the WAP that the station is associated with
(by SSID);
3. Leverage commerical enterprise wireless mapping software;
4.Poll the device’s signal strength; and
5.Triangulate on the signal.
•
You can learn a lot about what a wireless device
probably looks like from its network traffic.
•
Identifying
Station
Descriptors
•
•
The 802.11 frame indicates the source and destination station
MAC addresses. (For wireless access points, the “BSSID” field in
the 802.11 header is also the MAC address of the WAP’s network
card.)
Hence, from sniffing Layer 2 network traffic and examining the
MAC addresses in 802.11 frames of interest, you can make an
educated guess as to the manufacturer of the device generating
the traffic.
The content of wireless traffic itself can provide a surprising
amount of insight regarding the physical description of a device
if you “crack” the encryption
•
For example, if the traffic includes HTTP data, which contains UserAgent headers sent by an Apple device, it could reveal a User-Agent
string “iTunes-iPad/3.2.1 (16GB)”; then we know that we’re most
likely looking for a 16GB iPad, running OS version 3.2.1. This
evidence would correlate nicely with the Apple MAC address
revealed in the 802.11 frame.
•
•
Identifying
WAPs
•
In the case where you are searching for a client station
that is actively associating with other WAPs, it is often
helpful to identify which WAPs the station is
associating with
Generally (although not always), endpoint stations
associate with a wireless access point that is physically
close by
There are basically two ways to find out which WAP is a
rogue endpoint client associated with or attempting to
associate with: WAP logs and traffic monitoring.
•
•
In an environment that captures wireless authentication
attempts on a central logging system, you may be able to watch
station association requests and responses by examining logs on
the central server
Passively monitor the wireless traffic for association requests,
responses, and other Layer 2 traffic related to the MAC address
of interest
•
NetStumbler
•
•
Kismet
•
Tools
•
A widely used libpcap-based 802.11 “wireless network detector,
sniffer, and intrusion detection system” for Linux/UNIX operating
systems
KisMAC
•
•
A Windows tool designed to discover 802.11 networks. Though it is
extremely popular for blackhats and whitehats alike, it is not totally
passive, which means that its presence and activities can be detected
by other wireless auditing tools
A free, open source 802.11 discovery tool for Mac OS X, which is open
source and supports the same essential features as NetStumbler for
Windows. However, KisMAC supports totally passive scanning,
meaning that it can merely observe RF traffic without emitting any
RF
Commercial Enterprise Tools
•
Enterprises that deploy campus-wide wireless LANs often install
central management consoles, which include mapping and station
tracking capabilities. Vendors such as Aruba and Cisco offer
specialized wireless tracking and WIDS software for use in these
environments
Client Authentication
Process:
•
•
•
•
•
•
•
•
The Access points continuously sends out
Beacon Frames which are picked up by the
nearby WLAN clients.
The client can also broadcast on its own
probe request frame on every channel
Access points within range respond with a
probe response frame.
The client decides which access point (AP)
is the best for access and sends an
authentication request.
The access point will send an
authentication reply.
Upon successful authentication, the client
will send an association request frame to
the access point.
The access point will reply with an
association response.
The client is now able to pass traffic to the
access point.
802.11 frame review
802.11 Frame Types:
• Management Frames—Govern communications between stations, except flow control ( Type 0 )
• Control Frames—Support flow control over a variably available medium (such as RF); (Type 1)
• Data Frames—Encapsulate the Layer 3+ data that moves between stations actively engaged in
communication on a wireless network. ( Type 2)
•
Management
frames
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Management Frames Management frames (type 0) are designed to
coordinate communication on any wireless LAN, from infrastructure
networks to individual stations sending out probe requests
• 0x0 — Association Request
• 0x1 — Association Response – Status Code: 0x0000 — Successful
• 0x2 — Re-association Request
• 0x3 — Re-association Response
• 0x4 — Probe Request
• 0x5 — Probe Response
• 0x6 — Reserved
• 0x7 — Reserved
• 0x8 — Beacon frame
• 0x9 — Announcement Traffic Indication Map (ATIM)
• 0xA — Disassociation
• 0xB — Authentication
• 0xC — De-authentication
• 0xD — Action
• 0xE — Reserved
• 0xF — Reserved
•
Control
Frames
Control frames (type 1) are designed to manage the flow of
traffic across a wireless network
• 0x1B—Request-to-send (RTS)
• 0x1C—Clear-to-send (CTS)
• 0x1D—Acknowledgment
•
Data Frames
Data Frames Data frames (type 2) contain the actual
data transmitted across the wireless network, including
encapsulated higher-layer protocols. For instance, every
IP packet that flows across the wireless 802.11 network
is part of the payload of an 802.11 data frame.
Association request frame
• 802.11 associations enable the access point to allocate resources for and
synchronize with a radio NIC. A NIC begins the association process by
sending an association request to an access point.
Association Response Frame
• An access point sends an association response frame containing an acceptance
or rejection notice to the radio NIC requesting association and will include the
Association ID of the requester. If the access point accepts the radio NIC, the
frame includes information regarding the association, such as association ID.
•
•
Probe Request Frame
A station or client becomes active on a PC when the wlan card it enabled becomes active
Sends a probe request frame when it needs to obtain information from another station or access
point
Probe Response Frame
•
In response to the probe request, APS with matching criteria will respond with a probe
response frame containing synchronization information and access point load and
would contain capability information such as supported data rates.
•
Control Frames
Request to Send (RTS) frame: The RTS/CTS function is optional and reduces frame collisions
present when hidden stations have associations with the same access point. A station sends a
RTS frame to another station as the first phase of a two-way handshake necessary before
sending a data frame
Data Frames
These are the frames which come later in the game after the basic WLAN communication is
already established between the Mobile station and the Access point
Is this data protected?
•
•
Summary
•
With the explosion of mobile devices and wireless
deployments in enterprises and homes, forensic
investigators are increasingly tasked with examining
wireless traffic and devices
Reviewed common attacks on wireless networks that
investigators should be familiar with so that you can
recognize them in the field
One of the most common hurdles facing wireless
network forensic investigators: locating wireless
devices.
•
The very feature that makes wireless networks so popular—client
mobility—is perhaps our biggest investigative challenge