WiFi_Forensics Presentation

WiFi Networks Forensics Overview
Mike Davis, EE/MSEE, CISSP, SysEngr
ISSA/TSN/SOeC/ AFCEA/NDIA/IEEE/INCOSE
et al
mike@sciap.org
Glenn G Jacobs, BSEE, Security +
Creative Commerce LLC
glenn@sciap.org
Presentation Overview
• Why Wireless Networks?
• What is Wireless Internet (Wi-Fi)?
• WiFi Implementation
• WiFi Threat Landscape
• WiFi Basic Security Measures
• WiFi Tools
• WiFi Network Discovery
• WiFi Packet Sniffing Example
• WiFi WEP Password Cracking Example
• Web Links
5/23/2013
Copyright 2013 Creative Commerce LLC
2
Why Wireless Networks?

• CONVENIENCE OF INSTALLATION !!
• Adding a Wireless Access Point (WAP) to system routers is straightforward
• Wireless security has frequently just been taken for granted
• CONVENIENCE OF MOBILITY !!
• Businesses with less than $10 million in annual revenue are leading the charge, with 83 percent either using or planning to use Wi-Fi (http://news.cnet.com/2100-1039-992901.html)
• 76 percent of the workforce will be using a mobile networking device by 2013 (laptops/PDAs, etc.) (http://ipcarrier.blogspot.com/2010/02/us-is-most-mobileworkforce.html)
• Connectivity is now as convenient as a local coffee shop

What is Wireless Internet (Wi-Fi ?)
Definition: A 2.4 GHz / 5 GHz radio-frequency data communication architecture and associated protocols based upon the IEEE 802.11x standards. A key concept is that WiFi networks exchange data frames between systems using the MAC (Media Access Control) and Logical Link Control (LLC) sublayers of the OSI Data Link Layer, using an RF LAN card communicating at the PHY (Physical) layer:

WiFi Implementation
Frequency Assignment (2.4GHz shown, 802.11b/g/n)
NOTE: the signal must be attenuated by at least 30 dB from its peak energy at ±11 MHz from the centre frequency; this is the sense in which channels are effectively 22 MHz wide. One consequence is that stations can only use every fourth or fifth channel without overlap, typically 1, 6 and 11 in the Americas.
WiFi Implementation
Channels 1-7 Frequency Assignment (2.4GHz, 802.11g)
1. The above frequencies are all permitted in the US. Not all WiFi frequencies are legal in all nations.
WiFi Implementation
Channels 8-13 Frequency Assignment (2.4GHz, 802.11b/g/n)
WiFi Implementation
802.11 “G” Standard
• Up to 54 MB/s data transfer rates
• Transfer rate drops to 1 MB/s at 300 feet
• Orthogonal frequency-division multiplexing (OFDM) or Direct Sequence Spread Spectrum (DSSS)
• Typical range of 300 feet - a hacker’s dream
• Most 802.11 “g” hardware is backward compatible with 802.11 “a” and “b” systems
• WiFi “G” was the most popular WLAN for new installations until 2009
WiFi Implementation
802.11 “N” Standard (2009)
• Multi-stream 2.5 GHz/5GHz architecture
• Up to 150 MB/s single-stream
• Up to 300 MB/s dual-stream
• Up to 450 MB/s three-stream
• Up to 20 MHz channel width
• Multiple-Input / Multiple-Output (MIMO) multistreaming protocol
WiFi Implementation
802.11 “ac” 5G Standard (2013)
• Multi-stream 5GHz architecture
• Supplements and incorporates older 802.11 “N” equipment
• Up to 450 MB/s single-stream
• Up to 900 MB/s dual-stream
• Up to 1.3GB/s three-stream
• Up to 80 MHz channel width
• Multiple-Input / Multiple-Output (MIMO) multistreaming protocol
WiFi Implementation
“Infrastructure Mode” Concept

Ethernet Router is cabled to Wireless
Access Point (WAP) and radiates WiFi
WiFi Implementation
WiFi Home “Infrastructure Mode” Target

Home Wireless Ethernet Router is cabled
to Internet Modem and radiates WiFi
WiFi Implementation
Terminology
• BSS: Basic Service Set – the WiFi network infrastructure concept: a router or Wireless Access Point (WAP) transmitter communicating with workstations
• BSSID: the Media Access Control (MAC) layer unique ID of the router or Wireless Access Point (WAP) transmitter
• SSID: Service Set Identifier – the broadcast WiFi ID which each User must specify to obtain access to a given WiFi network. Functions as a virtual “username”.
• Management frames: frames that broadcast the router’s SSID, show User “probe requests”, association/disassociation activity, and authentication/deauthentication
WiFi Implementation
802.11 Frame Standards
Current 802.11 standards define "frame" types for use in transmission of data as well as management and control of wireless links.
• Frames are divided into very specific and standardized sections. Each frame has a MAC header, payload and FCS. Some frames may not have a payload portion. The first 2 bytes of the MAC header are the frame control field, which provides detailed information about the frame. The subfields of the frame control field are presented in order.
• Protocol Version: two bits in size; represents the protocol version. The currently used protocol version is zero. Other values are reserved for future use.
• Type: two bits in size; helps to identify the type of WLAN frame. Control, Data and Management are the frame types defined in IEEE 802.11.
• Sub Type: four bits in size. Type and Sub Type are combined together to identify the exact frame.
• ToDS and FromDS: each one bit in size. They indicate whether a data frame is headed for a distributed system. Control and management frames set these values to zero. All data frames will have one of these bits set. However, communication within an IBSS network always sets these bits to zero.
• More Fragment: the More Fragment bit is set most notably when higher-level packets have been partitioned, and will be set for all non-final sections. Some management frames may require partitioning as well.
• Retry: sometimes frames require retransmission, and for this there is a Retry bit which is set to one when a frame is resent. This aids in the elimination of duplicate frames.
• Power Management: the Power Management bit indicates the power management state of the sender after the completion of a frame exchange. Access points are required to manage the connection and will never set the power saver bit.
WiFi Implementation
802.11 Frame Standards (cont’d)
• More Data: the More Data bit is used to buffer frames received in a distributed system. The access point uses this bit to facilitate stations in power saver mode. It indicates that at least one frame is available and addresses all stations connected.
• WEP: the WEP bit is modified after processing a frame. It is toggled to one after a frame has been decrypted, or if no encryption is set it will have already been one.
• Order: this bit is only set when the "strict ordering" delivery method is employed. Frames and fragments are not always sent in order, as it causes a transmission performance penalty.
• The next two bytes are reserved for the Duration ID field. This field can take one of three forms: Duration, Contention-Free Period (CFP), and Association ID (AID).
• An 802.11 frame can have up to four address fields. Each field can carry a MAC address. Address 1 is the receiver, Address 2 is the transmitter, Address 3 is used for filtering purposes by the receiver.
• The Sequence Control field is a two-byte section used for identifying message order as well as eliminating duplicate frames. The first 4 bits are used for the fragmentation number and the last 12 bits are the sequence number.
• An optional two-byte Quality of Service control field, which was added with 802.11e.
• The Frame Body field is variable in size, from 0 to 2304 bytes plus any overhead from security encapsulation, and contains information from higher layers.
• The Frame Check Sequence (FCS) is the last four bytes in the standard 802.11 frame. Often referred to as the Cyclic Redundancy Check (CRC), it allows an integrity check of retrieved frames. As frames are about to be sent the FCS is calculated and appended. When a station receives a frame it can calculate the FCS of the frame and compare it to the one received. If they match, it is assumed that the frame was not distorted during transmission.
WiFi Implementation
802.11 Frame Standards (cont’d)
• Management Frames allow for the maintenance of communication. Some common 802.11 subtypes include:
• Authentication frame: 802.11 authentication begins with the Wireless Network Interface Card (WNIC) sending an authentication frame to the access point containing its identity. With open system authentication the WNIC only sends a single authentication frame, and the access point responds with an authentication frame of its own indicating acceptance or rejection. With shared key authentication, after the WNIC sends its initial authentication request it will receive an authentication frame from the access point containing challenge text. The WNIC sends an authentication frame containing the encrypted version of the challenge text to the access point. The access point ensures the text was encrypted with the correct key by decrypting it with its own key. The result of this process determines the WNIC's authentication status.
• Association request frame: sent from a station; it enables the access point to allocate resources and synchronize. The frame carries information about the WNIC including supported data rates and the Service Set Identifier (SSID) of the network the station wishes to associate with. If the request is accepted, the access point reserves memory and establishes an association ID for the WNIC.
• Association response frame: sent from an access point to a station containing the acceptance or rejection of an association request. If it is an acceptance, the frame will contain information such as the association ID and supported data rates.
• Beacon frame: sent periodically from an access point to announce its presence and provide the SSID and other parameters for WNICs within range.
• Deauthentication frame: sent from a station wishing to terminate connection from another station.
• Disassociation frame: sent from a station wishing to terminate connection. It's an elegant way to allow the access point to relinquish memory allocation and remove the WNIC from the association table.
• Probe request frame: sent from a station when it requires information from another station.
WiFi Implementation
802.11 Frame Standards (cont’d)
• Probe response frame: sent from an access point containing capability information, supported data rates, etc., after receiving a probe request frame.
• Reassociation request frame: a WNIC sends a reassociation request when it drops from range of the currently associated access point and finds another access point with a stronger signal. The new access point coordinates the forwarding of any information that may still be contained in the buffer of the previous access point.
• Reassociation response frame: sent from an access point containing the acceptance or rejection of a WNIC reassociation request frame. The frame includes information required for association such as the association ID and supported data rates.
• Control frames facilitate the exchange of data frames between stations. Some common 802.11 control frames include:
• Acknowledgement (ACK) frame: after receiving a data frame, the receiving station will send an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK frame within a predetermined period of time, the sending station will resend the frame.
• Request to Send (RTS) frame: the RTS and CTS frames provide an optional collision reduction scheme for access points with hidden stations. A station sends an RTS frame as the first step in a two-way handshake required before sending data frames.
• Clear to Send (CTS) frame: a station responds to an RTS frame with a CTS frame. It provides clearance for the requesting station to send a data frame. The CTS provides collision control management by including a time value for which all other stations are to hold off transmission while the requesting station transmits.
• Data frames carry packets from web pages, files, etc. within the body.
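The header layout described on the four Frame Standards slides above, as an added worked example (not code from the presentation): a decoder that splits the Frame Control field into its subfields, names the type/subtype, pulls the addresses and Sequence Control out of the MAC header, and recomputes the CRC-32 FCS. The frames it parses are constructed in the code with made-up addresses, not captured traffic.

```python
"""Decode the 802.11 MAC header of a raw frame and verify its FCS (added example)."""
import binascii
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication", (1, 11): "RTS", (1, 12): "CTS",
    (1, 13): "ACK", (2, 0): "Data",
}
# Control frames carry fewer address fields: CTS and ACK have only Address 1,
# RTS has Address 1 and 2. Every other frame has the full 24-byte header.
SHORT_HEADERS = {(1, 12): 10, (1, 13): 10, (1, 11): 16}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Split the little-endian 16-bit Frame Control field into its subfields."""
    lo, hi = fc & 0xFF, fc >> 8
    return {
        "protocol_version": lo & 0x03,    # bits 0-1, zero for current 802.11
        "type": (lo >> 2) & 0x03,         # bits 2-3: Management/Control/Data
        "subtype": (lo >> 4) & 0x0F,      # bits 4-7: the exact frame kind
        "to_ds": bool(hi & 0x01),
        "from_ds": bool(hi & 0x02),
        "more_frag": bool(hi & 0x04),
        "retry": bool(hi & 0x08),
        "power_mgmt": bool(hi & 0x10),
        "more_data": bool(hi & 0x20),
        "protected": bool(hi & 0x40),     # the slides' "WEP" bit
        "order": bool(hi & 0x80),
    }


def parse_frame(raw):
    """Return header fields, body and FCS status for one raw 802.11 frame."""
    if len(raw) < 14:                     # shortest header (10) plus FCS (4)
        raise ValueError("frame too short")
    fc, duration = struct.unpack_from("<HH", raw, 0)
    ctl = parse_frame_control(fc)
    kind = (ctl["type"], ctl["subtype"])
    hdr_len = SHORT_HEADERS.get(kind, 24)
    if len(raw) < hdr_len + 4:
        raise ValueError("frame shorter than its header")
    info = {
        "type_name": TYPE_NAMES.get(ctl["type"], "Reserved"),
        "subtype_name": SUBTYPE_NAMES.get(kind, f"subtype {ctl['subtype']}"),
        "duration_id": duration,
        "control": ctl,
        # Address 1 = receiver, Address 2 = transmitter, Address 3 = filtering.
        "addresses": [mac_str(raw[o:o + 6]) for o in range(4, hdr_len - 5, 6)],
        "body": raw[hdr_len:-4],
    }
    if hdr_len == 24:                     # Sequence Control: 4-bit frag, 12-bit seq
        seq_ctrl, = struct.unpack_from("<H", raw, 22)
        info["fragment_number"] = seq_ctrl & 0x0F
        info["sequence_number"] = seq_ctrl >> 4
    # The FCS is CRC-32 over header + body, sent little-endian as the last 4 bytes.
    received_fcs, = struct.unpack_from("<I", raw, len(raw) - 4)
    info["fcs_ok"] = (binascii.crc32(raw[:-4]) & 0xFFFFFFFF) == received_fcs
    return info


def beacon_ssid(body):
    """SSID element from a beacon/probe-response body: 12 fixed bytes, then tagged elements."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:                      # element ID 0 is the SSID
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def build_frame(fc, addrs, seq, body, duration=0):
    """Assemble a full-header frame with a valid FCS (used to construct the samples)."""
    hdr = struct.pack("<HH", fc, duration)
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)
    hdr += struct.pack("<H", (seq << 4) & 0xFFFF)        # fragment number 0
    data = hdr + body
    return data + struct.pack("<I", binascii.crc32(data) & 0xFFFFFFFF)


# Constructed sample frames with made-up addresses (not captured traffic).
AP = "00:11:22:33:44:55"
STA = "66:77:88:99:aa:bb"
BEACON_BODY = bytes(8) + struct.pack("<HH", 100, 0x0411) + bytes([0, 7]) + b"demo-ap"
BEACON = build_frame(0x0080, ["ff:ff:ff:ff:ff:ff", AP, AP], 1234, BEACON_BODY)
DEAUTH = build_frame(0x00C0, [STA, AP, AP], 1235, struct.pack("<H", 7))  # reason 7
ACK_HDR = struct.pack("<HH", 0x00D4, 0) + bytes.fromhex(STA.replace(":", ""))
ACK = ACK_HDR + struct.pack("<I", binascii.crc32(ACK_HDR) & 0xFFFFFFFF)
CORRUPT = BEACON[:-1] + bytes([BEACON[-1] ^ 0xFF])   # FCS damaged in transit
```

Calling `parse_frame` on `BEACON`, `DEAUTH`, `ACK` and `CORRUPT` shows the full header for management frames, the 10-byte header of an ACK, and an FCS mismatch for the damaged copy.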
WiFi Implementation :
WEP Encryption
Wired Equivalent Privacy
The older standard 64-bit WEP uses a 40-bit key, which is concatenated with a CLEAR TEXT 24-bit initialization vector (IV) to form the RC4 traffic key. All of the major manufacturers now implement an extended 128-bit WEP protocol using a 104-bit key size (WEP-104).
Highly vulnerable to forensic packages such as aircrack-ng
DO NOT USE WEP EXCEPT FOR TRAINING/DEMONSTRATION
WiFi Implementation :
WPA Encryption
WiFi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP):
1. Implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key and passed this value to the RC4 routine. This permitted the vast majority of the RC4-based WEP key attacks.
2. WPA implements a sequence counter (TSC) to protect against “replay” attacks. Packets received out of order will be rejected by the access point.
3. TKIP implements a 64-bit message integrity check (MIC) named “MICHAEL”.
Vulnerable to forensic packages such as “tkiptun-ng”:
http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf
WiFi Implementation :
WPA Encryption (cont’d)
Tkiptun MIC Retrieval Usage: tkiptun-ng <options> <replay interface>
Filter options:
• -d dmac : MAC address, Destination
• -s smac : MAC address, Source
• -m len : minimum packet length
• -n len : maximum packet length
• -t tods : frame control, To DS bit
• -f fromds : frame control, From DS bit
• -D : disable AP detection
Replay options:
• -x nbpps : number of packets per second
• -a bssid : set Access Point MAC address
• -c dmac : set Destination MAC address
• -h smac : set Source MAC address
• -F : choose first matching packet
• -e essid : set target AP SSID
WiFi Implementation :
WPA Encryption (cont’d)
Tkiptun MIC Key Retrieval Usage: tkiptun-ng <options> <replay interface>
Debug options:
• -K prga : keystream for continuation
• -y file : keystream-file for continuation
• -j : inject FromDS packets
• -P pmk : pmk for verification/vuln testing
• -p psk : psk to calculate pmk with essid
Source options:
• -i iface : capture packets from this interface
• -r file : extract packets from this pcap file
• --help : Displays this usage screen
WiFi Implementation :
WPA Encryption (cont’d)
Tkiptun MIC Key Retrieval Example:
• Input:
tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0
• Output: The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC
• ....so Address Resolution Protocol (ARP) is forced…
ARP Reply Checking 192.168.x.y 15:54:11
Reversed MIC Key : C3:95:10:04:8F:8D:6C:66
WiFi Implementation :
WPA-2 Encryption
WiFi Protected Access 2
• CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP
1. Advanced Encryption Standard (AES) is the cipher system
2. Key Management and Message Integrity are handled by a single component built around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS-197 standard.
3. A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections:
• MAC header
• CCMP header
• Data unit
• Message integrity code (MIC)
• Frame check sequence (FCS)
Of these, only the data unit and MIC are encrypted.
WPA-2 is vulnerable to “breaking handshake” and “brute force dictionary” attacks
WiFi Implementation
Enterprise-Grade Encryption
• Enterprise-grade WPA: Remote Authentication Dial-In User Service (RADIUS). RADIUS uses a challenge/response method for authentication.
• When a user logs on, the network access server (NAS), wireless access point (WAP) or authentication server creates a "challenge," which is typically a random number sent to the client machine. The client software uses its password or a secret key to encrypt the challenge via an encryption algorithm or a one-way hash function and sends the result back to the network (the "response"). The authentication system also performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password.
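The challenge/response exchange described above, as an added example (not code from the presentation, and not the RADIUS wire format): a server that issues a random challenge, a client that answers with HMAC-SHA256 keyed by its secret, and a server-side check that discards each challenge after one use so a captured response cannot be replayed. User names and secrets are constructed.

```python
"""Challenge/response check of the kind the RADIUS slide describes (added example)."""
import hashlib
import hmac
import secrets


def compute_response(secret, challenge):
    """Client side: a keyed one-way function of the challenge (HMAC-SHA256 here)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side: one outstanding challenge per user, consumed on first use."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)   # user -> shared secret (constructed)
        self._pending = {}                      # user -> challenge awaiting a response

    def issue_challenge(self, user):
        challenge = secrets.token_bytes(16)     # unpredictable 128-bit random number
        self._pending[user] = challenge
        return challenge

    def verify(self, user, challenge, response):
        # Pop, so the same challenge can never be answered twice (replay defence).
        expected_challenge = self._pending.pop(user, None)
        if expected_challenge is None or challenge != expected_challenge:
            return False
        secret = self._secrets.get(user)
        if secret is None:
            return False                        # unknown user: same answer as bad secret
        # Recompute what a client holding the right secret would have sent and
        # compare in constant time so timing does not leak matching bytes.
        return hmac.compare_digest(compute_response(secret, challenge), response)


def demo_exchange(server, user, client_secret):
    """One full round trip: challenge out, response back, verdict returned."""
    challenge = server.issue_challenge(user)                 # server -> client
    response = compute_response(client_secret, challenge)    # client -> server
    return server.verify(user, challenge, response)
```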
WiFi Threat Landscape
HACKER’S GOALS:
Penetrate / Elevate / Manipulate
• PENETRATION – Hacker accesses system
under attack
• ELEVATION – Hacker increases their system
privilege level by utilizing system services
• MANIPULATION – Hacker directs the
victim’s system to do his bidding
WiFi Threat Landscape
• DHCP contains large amounts of known plaintext
• Rogue Wireless Access Points
• Hostile Wandering Clients
• Ad hoc (Peer-to-Peer) “Free Public WiFi” hostile networks
• Denial of Service Attacks
• 57 percent of IT managers are not confident that their organization knows the state of every endpoint that connects to their network.
• More than 50 percent of companies are using shared passwords or no encryption at all on Wi-Fi access points.
• Only 29 percent of companies check to make sure computers are up to date and patched before allowing traveling or remote employees to access the network when they return to the office.
• More than 50 percent of companies surveyed have guests accessing the network every day, with 20 percent allowing non-employees to plug directly into the network without security checks or controls.
• 31 percent of companies do not know the identity of every user on their network.
- http://www.napera.com/news_20081203.html
WiFi Threat Landscape
WiFi Intrusion at TJ Maxx – Vulnerability to Hostile Client
• WiFi network with inadequate WEP encryption replaced retail outlet cabling at kiosks in MN
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201400171
WiFi Basic Security Measures
Change Admin Password Settings
Change Wireless Router / Wireless Access Point (WAP) Username / Password from Industry Defaults:
1. Username: admin
2. Password: admin
WiFi Basic Security Measures
Change Encryption Settings
• DO NOT USE Wired Equivalent Privacy (WEP) Encryption – its encryption keys can be broken in less than 1 minute.
• Use stronger encryption such as WPA-PSK (WiFi Protected Access - Pre-Shared Key). This wireless encryption method uses a pre-shared key (PSK) for key management. Keys can usually be entered as manual hex values, as hexadecimal characters, or as a Passphrase.
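As an added example (not part of the presentation), the two WPA-PSK key entry forms named above in code: a 64-hex-digit value is the 256-bit Pairwise Master Key (PMK) itself, while a passphrase is stretched into the PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt. The pair "password" / "IEEE" is the public IEEE 802.11 test vector; the other SSIDs are constructed.

```python
"""Map the two WPA-PSK key entry forms to the 256-bit PMK (added example)."""
import hashlib
import string

PMK_BYTES = 32             # the Pairwise Master Key is 256 bits
PBKDF2_ROUNDS = 4096       # iteration count fixed by the WPA-PSK specification


def is_valid_passphrase(passphrase):
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def pmk_from_passphrase(passphrase, ssid):
    """Derive the PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.

    Because the SSID is the salt, every network that keeps a manufacturer's
    default SSID (the deck's "linksys" example) and the same passphrase ends up
    with the same PMK, which is why the broadcast SSID is worth changing."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def psk_from_config(value, ssid):
    """Accept either entry form from the slide and return (pmk, form).

    Exactly 64 hexadecimal characters are taken literally as the 256-bit key;
    anything else is treated as a passphrase and run through PBKDF2."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value), "hex"
    return pmk_from_passphrase(value, ssid), "passphrase"


# Public IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
KNOWN_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
```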
Wifi Tools
SUMMARY
• Handheld Directional RF WiFi Detector with spare CR2032 Lithium “hearing-aid” batteries
• Windows OS or Linux or Mac OS Laptop with spare fully charged battery packs
• Wireless LAN WiFi PC “Interface” Adapter (Card/USB) that supports “Monitor Mode” – super critical!
• WiFi Forensics Software for network discovery, packet capture, and analysis
• 120V Electrical Power – Automotive Adapter
• Paper Forms and Logs
Wifi Tools
Handheld Directional RF Detector
Hawking Technology Model HWL1 802.11b/g WiFi Locator
• Network Specification: IEEE 802.11b/g
• Operating Frequency: 2.4~2.4835 GHz
• Operating Range: Up to 1000 feet (Line of Sight), Up to 300 feet (Indoors)
• LEDs: 1 x Power, 5 x Signal Strength
• Antenna Gain: 5.15 dBi
• Battery: 1 x Lithium CR2032, 2 Year Battery Life
• Dimensions: 92 (L) x 56 (W) x 25 (H) mm
• Weight: 45g
http://www.hawkingtech.com/products/productlist.php?CatID=32&FamID=71&ProdID=131
Functionality
Point the Directional Antenna towards the source and press the “Locate” button. The signal filters on the Model HWL1 filter out all unwanted 2.4GHz signals, such as Bluetooth, cordless phones and microwaves.
Wifi Tools
Windows OS vs. Linux vs. Mac OS Laptop Selection Criteria
• User comfort and familiarity level will affect the OS choice.
• Microsoft Windows OS, with its restricted Win32 kernel, has fewer WiFi forensics hardware/software ensembles. Windows has fewer “monitor mode” wireless LAN card / password-cracking software combinations than Linux. There have been recent additions.
• Linux has a large number of historically prominent WiFi forensics packages. The majority of these software packages are still “command-line” and may require time for familiarization. Recently, “windows-like” Linux WiFi forensics software has become available, often as a part of free forensics distributions such as “Backtrack 4”.
• MacOS is supported by the popular multifunctional KisMAC WiFi “stumbler” (network discovery) / packet sniffing / password cracking software. KisMAC is geared toward network security professionals. The “Apple Airport” WiFi network card is supported by Linux.
Wifi Tools
Wireless LAN WiFi PC Adapter (Card/USB) that supports “Monitor Mode”
• “Ordinary” laptop WiFi access (coffee shop Web surfing, email, etc.) involves the WiFi PC adapter running in so-called “managed mode”. This is the default mode for all purchased laptops.
• In managed mode, the User’s laptop wireless adapter and its software depend entirely on the infrastructure’s wireless router to provide network connectivity. Usernames and passwords are seldom required for coffee shops and other public places.
• Managed mode is useless for WiFi packet sniffing forensic activities.
• Some Windows OS software “stumbler” (WiFi network discovery/enumeration) programs can function (partially) with WiFi adapters operating in managed mode. One of these is “Wireless Mon” by PassMark.
• Forensic laptop WiFi network card must be placed in “Monitor” Mode.
• Popular laptop WiFi cards such as Broadcom often do not support “Monitor” Mode. Chipsets by Hermes, Prism2, Spectrum24, Raylink, Zydas, and Atheros are supported by most forensics software.
Wifi Tools
Linux WiFi Card Setup
Forensic laptop WiFi network card must be placed in “Monitor Mode”. To accomplish this, as the Linux root User do the following on the Linux command line:
1. iwconfig <enter>
2. Note the Mode: Managed (vs Mode: Monitor) command line response
3. To REQUEST change to Monitor mode: iwconfig eth01 mode monitor <enter>
(Note: “eth01” is a typical network card interface designator. Your PC’s may instead be “ath01”, for example, if your WiFi interface card chipset is from Atheros.)
Wifi Tools
Linux WiFi Card Setup (cont’d)
4. To ACTIVATE change to Monitor mode: ifconfig eth01 up <enter>
5. To CONFIRM activation of Monitor mode: ifconfig eth01 <enter>
The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.
------------------------------------------------------------------------
If your WiFi interface card chipset is from Atheros use the following commands instead:
4. “Destroy” Managed Mode: wlanconfig ath01 destroy <enter>
5. REQUEST change to Monitor mode: wlanconfig ath01 create wlandev wifi0 wlanmode monitor <enter>
6. ACTIVATE change to Monitor mode: ifconfig ath01 up <enter>
7. To CONFIRM activation of Monitor mode: ifconfig ath01 <enter>
The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.
Wifi Tools
Software Concepts
Network Discovery and Enumeration
1. Most Packet Capture software also performs Network Discovery and Enumeration
2. “Wireless Mon” (Windows OS) – runs in Managed Mode
3. Kismet (Linux – contained on BackTrack 4 distributions)
Packet Capture using capture software “engines”
1. WinPcap (Windows OS)
2. LibPcap (Linux library)
Packet “Sniffing” (retrieval/display), Analysis, Reporting
1. Wireshark (Windows OS and Linux)
2. Tcpdump (Linux). Oldest and most popular network sniffer.
3. WinDump (Windows OS’s Win 95 through Win XP)
Wifi Tools
Packet Capturing Software
• Digital Packet Capturing (PCAP) provides data
stream input for WiFi “sniffer”/analysis software
• WiFi radio signal is received by hardware
“interface” card (WNIC) and transferred to PCAP
• PCAP software is often bundled with distribution of
sniffer/analysis software
• Windows users – “WinPcap” software
• Linux users –”LibPcap” software
WiFi Network Discovery
“Wireless Mon” WiFi “Managed Mode”
Network “Drive-By” Discovery Software
“Wireless Mon” WiFi Discovery Software by Passmark. Runs in WiFi “Managed Mode” (!) – a rarity. This means almost any Windows OS “Wireless Laptop” off the shelf can utilize, at least partially, the functionality of “Wireless Mon”:
1. Detects and monitors wireless (WiFi) networks within range.
2. Provides Service Set Identifier (SSID), system availability, and encryption information
3. Presents live channel usage chart to help identify forensics targets
4. Generates signal strength coverage maps (Professional Edition) by either manually plotting points or using a GPS device
WiFi Network Discovery
Windows OS
“Wireless Mon” WiFi “Managed Mode” Example
WiFi Network Discovery
Windows OS
“Wireless Mon” WiFi “Managed Mode” Discovery Example
• Use Summary Tab to observe nearby WiFi “Channel Use”
• Channel Use Chart displays number of local WiFi routers for the selected Channel upon mouseover, as well as their status (green for “Available”, blue for “Connected”, red for “Not Available”)
• Majority of small WiFi installations use Channel 6
WiFi Network Discovery
Windows OS
“Wireless Mon” WiFi “Managed Mode” Network Discovery
Example (cont’d)
In example below, Wireless Mon Summary Tab shows:
1. “SSID” (Service Set ID) – the WiFi User logon “username”
2. “MAC Address” (Media Access Control Address) – the MAC address is six bytes (48 bits) long, where the first three bytes (Organizationally Unique Identifier, “OUI”) represent the manufacturer
3. FCC WiFi Channel Assignment
4. WiFi “Security” (Encryption) Mode (“None”, WEP (weakest encryption), WPA2, or WPA-PSK)
NOTE THAT A LARGE PERCENTAGE OF DEPLOYED SMALL SYSTEMS HAVE ROUTERS BROADCASTING THE MANUFACTURER’S NAME (i.e., “linksys”, “2WIRE351”)
WiFi Network Discovery
Windows OS
“Wireless Mon” WiFi “Managed Mode” Network
Discovery Example (cont’d)
• Use Summary Tab to further observe list of nearby WiFi networks
• In example below, Summary Tab shows that all below WiFi networks:
1. Deploy “Infrastructure” (Wireless Router broadcasts to all nearby receivers)
2. Support 54 Mb/s rates
3. Use Orthogonal Frequency Division Multiplexing (OFDM 24)
• Wireless Mon can store WiFi Discovery results for input to forensic reports
WiFi Network Discovery
Wireless LAN WiFi PC Adapter (Monitor Mode) –
Windows OS
CACE (Creative Advanced Communication Engineering) “AirPcap TX” Monitor Mode USB Wireless Adapter
• Contains WiFi Antenna
• Utilizes WinPcap 4.01 (beta) packet capture software
• Provides packet injection required to support WiFi password cracking software such as AirCrack
• Shipped with popular Wireshark sniffer software
• Supports Windows Vista OS
CACE Model “AirPcap TX”
http://www.cacetech.com/products/airpcap-tx.htm
WiFi Packet Sniffing Example
Wireshark
1. “Associate” (connect) with WiFi network
2. Select sniffer “Interface” (WiFi Monitor Mode network card). Then click on “Options”.
WiFi Packet Sniffing Example
Wireshark (cont’d)
3. Select Packet Sniffing “Options “
WiFi Packet Sniffing Example
Wireshark (cont’d)
4. Click “Start” - NOTE below desktop PC printer frame (UNIX CUPS)
WiFi Packet Sniffing Example
Wireshark (cont’d)
5. Click Stop in the WireShark Capture menu .
6. Browse through WireShark’s frame list and observe the forensic target WiFi User’s “Web Surfing” (HTTP) frames.
7. Type the expression “http” in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
8. WireShark will then display only “Web Surfing” (HTTP) frames.
WiFi Packet Sniffing Example
Wireshark (cont’d)
• WIRESHARK DISPLAY OF HTTP FRAMES ONLY:
WiFi Packet Sniffing Example
Wireshark (cont’d)
• Forensics Examiner may observe IMAGES from captured HTTP “Web Surfing” Frames:
• Examiner right-clicks on above “JPEG File Interchange Format” line and exports RAW image file (as “Imagexx.jpg”) to a folder
• RESULT:
WiFi Packet Sniffing Example
Wireshark (cont’d)
WIRESHARK DISPLAY OF HTTP FRAME HISTORICAL “THREADS”:
1. Click on the first HTTP frames of interest – usually GET commands
2. In the WireShark Analyze menu, click on Follow TCP Stream
3. TCP Streams will appear parsed by Web Page activity
WiFi Packet Sniffing Example
Wireshark (cont’d)
• FREE IDENTIFICATION OF WEBSITE ORIGINS FROM HTTP frames of interest – usually GET commands
• Type website IP Address into LIVE PRODUCT DEMO at: http://www.ip2location.com/
EXAMPLE:
RESULT:
WiFi Packet Sniffing Example
Wireshark (cont’d)
• WIRESHARK DISPLAY OF FTP FRAMES ONLY
• Type the expression “ftp” in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
• WireShark will then display only File Transfer Protocol (FTP) frames.
WiFi Packet Sniffing Example
Wireshark (cont’d)
• Forensics Examiner may observe USERNAME and PASSWORD from captured FTP Frames:
WiFi Packet Sniffing Example
Wireshark (cont’d)
• WIRESHARK DISPLAY OF FTP FRAME HISTORICAL “THREADS”:
• Click on the first FTP frame of interest – usually USERNAME
• In the WireShark Analyze menu, click on Follow TCP Stream
• TCP Streams will appear parsed by Web Page activity
WiFi Packet Sniffing Example
Wireshark (cont’d)
• WIRESHARK DISPLAY OF GOOGLE MAIL FRAMES ONLY
• Type the expression “host” followed by the captured Google Mail server name in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
• WireShark will then display only Google Mail frames.
WEP Password Cracking Example
Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows OS Command Line – partial GUI support
• Examiner clicks on airodump-ng-airpcap and completes the “IV capture” startup screen:
WiFi WEP Password Cracking Example
Decrypt WEP (Wired Equivalent Privacy) – Begin Creating IV Capture File
• Airodump will automatically gather the needed IVs (Initialization Vectors), starting at a slow pace (# Data column)
• 250,000+ IVs required to break 64-bit WEP key
• 1,500,000+ IVs required to break 128-bit WEP key
• Target WiFi Router MUST BE ACTIVE – users web surfing, etc.
WiFi WEP Password Cracking Example
Decrypt WEP (Wired Equivalent Privacy)
Accelerate IV Capture – Packet Injection
• Examiner uses the aireplay-ng command-line utility to constantly inject packets to accelerate IV creation by the target (and capture)
• Target WiFi router performance may be impacted
• Target Intrusion Detection Systems (IDS) may respond
WiFi WEP Password Cracking Example
Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows OS Command Line – partial GUI support
• Forensic Examiner clicks on the aircrack-ng GUI and completes the decryption screen
WiFi WEP Password Cracking Example
Recovered Key Display by Aircrack-ng
SUCCESSFUL KEY DECRYPTION
• Forensic examiner may enter the decrypted key shown below (hex format, 66756A7839) into the WireShark Decryption Keys list.
• WireShark will automatically decrypt packets and display them.
• Forensic Examiner may “log on” to (associate with) the WiFi network (BSS) bulliron with passkey fujx9
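The IV counts on the slides above, and the fact that the recovered 64-bit key is only ten hex digits, both follow from how WEP builds its per-frame RC4 key: the 24-bit IV is transmitted in the clear and prepended to a 40-bit (or 104-bit) secret, so a “64-bit” key has just 40 secret bits and at most 2^24 distinct keystreams exist per key. The Python below is an added example, not code from this presentation or from the aircrack-ng or Wireshark projects; it implements RC4 and WEP's key construction (the CRC-32 ICV that real WEP appends is omitted), converts the slide's hex key 66756A7839 to its ASCII form, shows on constructed plaintexts that two frames sent under a repeated IV leak the XOR of their plaintexts to any listener, and gives the birthday-bound estimate of how few frames it takes for an IV to repeat. The IV value and plaintexts are constructed.

```python
"""WEP per-frame key construction and IV reuse, as an educational illustration."""
import math

WEP_IV_BYTES = 3                          # 24-bit IV, sent in the clear in every frame
WEP_IV_SPACE = 1 << (8 * WEP_IV_BYTES)    # 16,777,216 distinct IVs per secret key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_key_from_hex(hex_key: str) -> bytes:
    """The slide's key 66756A7839 is five bytes (40 bits); as ASCII it reads 'fujx9'."""
    key = bytes.fromhex(hex_key)
    if len(key) not in (5, 13):
        raise ValueError("WEP secrets are 40-bit (5 bytes) or 104-bit (13 bytes)")
    return key


def wep_frame_key(iv: bytes, secret: bytes) -> bytes:
    """RC4 key for one frame = IV || secret. '64-bit WEP' is 24 IV bits + 40 secret bits."""
    if len(iv) != WEP_IV_BYTES:
        raise ValueError("WEP IV must be 3 bytes")
    return iv + secret


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_body(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt a frame body under (iv, secret). The CRC-32 ICV real WEP appends is omitted."""
    keystream = rc4_keystream(wep_frame_key(iv, secret), len(plaintext))
    return xor_bytes(plaintext, keystream)


def iv_reuse_leak(iv: bytes, secret: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so c1 XOR c2 == p1 XOR p2:
    a passive listener recovers the XOR of the plaintexts without knowing the key."""
    c1 = wep_encrypt_body(iv, secret, p1)
    c2 = wep_encrypt_body(iv, secret, p2)
    return xor_bytes(c1, c2)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: P(some IV repeats) among `frames` frames with uniformly random IVs.
    Cards that restart the IV counter at zero on power-up repeat far sooner than this."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * WEP_IV_SPACE))


def expected_frames_until_repeat() -> float:
    """Expected number of random IVs drawn before the first repeat: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * WEP_IV_SPACE / 2)


if __name__ == "__main__":
    secret = wep_key_from_hex("66756A7839")           # the key recovered on the slide
    print("secret as ASCII:", secret.decode("ascii"))
    iv = b"\x00\x00\x01"                               # constructed IV
    p1 = b"GET /index.html HTTP/1.0"                   # constructed frame bodies
    p2 = b"HTTP/1.0 200 OK\r\n\r\n<html>"
    leak = iv_reuse_leak(iv, secret, p1, p2)
    print("c1 XOR c2 equals p1 XOR p2:", leak == xor_bytes(p1, p2))
    print(f"P(IV repeat within 5,000 frames) = {iv_collision_probability(5000):.2f}")
    print(f"expected frames to first IV repeat = {expected_frames_until_repeat():.0f}")
```

The arithmetic is the defender's takeaway: with random IVs a repeat is more likely than not after about 5,000 frames, and by the 250,000 frames the slide quotes for a 64-bit key the IV space has been reused many times over, which is why no amount of key length or IV-count patience fixes WEP and why the only mitigation is WPA2 or later.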
Questions ?
Web Links
• Hawking Handheld Directional WiFi Detector
http://www.hawkingtech.com/products/productlist.php?CatID=32&FamID=71&ProdID=131
• Wireshark Packet Sniffer / Analyzer
http://www.wireshark.org
• CACE (Creative Advanced Communication Engineering) “AirPcap TX” Monitor Mode USB Wireless Adapter for Microsoft Windows
http://www.cacetech.com/products/airpcap-tx.htm
• “AirCrack” Password Cracking Software
http://www.aircrack-ng.org
Web Links (cont’d)
• WEP WiFi Encryption “Cracking”
http://www.smallnetbuilder.com/content/view/30114/98
• WPA/WPA2 WiFi Encryption “Cracking”
http://www.smallnetbuilder.com/content/view/30278/98
• Packet Captures and Network Devices
http://www.smallnetbuilder.com/content/view/30305/235
Web Links (cont’d)
• Remote-Exploit.org “BackTrack 4” Forensics CD (Linux programs run “independently” from the user’s CD drive)
www.remote-exploit.org/backtrack_download.html
• PassMark “WirelessMon” Wireless Network Enumeration (“Stumbler”) Utility
http://www.passmark.com/products/wirelessmonitor.htm
Web Links (cont’d)
• WIGLE (Wireless Geographic Logging Engine) – List of Default WiFi “Service Set IDs” (SSIDs)
http://www.wigle.net/gps/gps/main/ssidstats
• Institute of Electrical and Electronic Engineers (IEEE) Searchable List of MAC Address “OUI” (Organizational Unique Identifier) Manufacturer’s Codes – first 3 bytes of MAC address
http://standards.ieee.org/regauth/oui/index.shtml
Web Links (cont’d)
• Forensic Software Product Line Overview from Clarifying Technologies
http://www.clarifyingtech.com/public/products/products_public.html
• RADIUS “Challenge” User Authentication/Password Utility
http://dictionary.zdnet.com/definition/challenge%252Fresponse.html
References
• WI-FOO – The Secrets of Wireless Hacking (Andrew Vladimirov et al, Addison-Wesley)
• Wireshark & Ethereal – Network Protocol Analyzer Toolkit (Angela Orebaugh et al, Syngress)
• Penetration Tester’s OPEN SOURCE TOOLKIT Volume 2 (Aaron Bayles et al, Syngress)
References
• COMPUTER EVIDENCE – Collection and Preservation (Christopher L.T. Brown, Charles River Media)
• HACKER’S CHALLENGE 3 (David Pollino et al, McGraw-Hill)
References (cont’d)
• REAL DIGITAL FORENSICS – Computer Security and Incident Response (Keith Jones, Richard Bejtlich, Curtis Rose)
• ANTI-HACKING TOOLKIT (Mike Shema et al, McGraw-Hill)
Questions?
http://www.amazon.com/Your-Computer-Bugged-Glenn-Jacobs/dp/1435797523
Questions ?
Mike Davis, EE/MSEE, CISSP, SysEngr
ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al
mike@sciap.org
Glenn G Jacobs, BSEE, Security+
Creative Commerce LLC
glenn@sciap.org