Presentation on theme: "Wireless: network forensics unplugged"— Presentation transcript:
1Wireless: network forensics unplugged Section 5.1Network ForensicsTRACKING HACKERS THROUGH CYBERSPACE
2Common wireless devices AM/FM radiosCordless phonesCell phonesBluetooth headsetsInfrared devices, such as TV remotesWireless doorbellsZigbee devices, such as HVAC, thermostat, lighting, and electrical controlsWi-Fi (802.11)—LAN networking over RFWiMAX (802.16)—“last-mile” broadband2Pg 200
3Cases involving wireless networks Recover a stolen laptop by tracking it on the wireless network.Identify rogue wireless access points that have been installed by insiders for convenience or to bypass enterprise security.Investigate malicious or inappropriate activity that occurred via a wireless network.Investigate attacks on the wireless network itself, including denial-of-service, encryption cracking, and authentication bypass attacks.Pg. 200
4IEEE Layer 2 protocol series 802.3 (Ethernet)802.1q (trunking)802.1X (LAN based authentication)(Wi-Fi)2.4 GHz3.7 GHz5 GHzRF has different physical characteristic than copper, requires different protocol
5CSMA / CD vs. CSMA / CA CSMA / CD CSMA / CA Ethernet All stations share the same mediumOnly one station can use the mediumHigh-low voltage will eventually reach all stations on the mediumFirst station to detect overlapping signals sends out a jamming signal (detection)Resend packets at random time incrementsWireless LANNo reliable collision detection by senderAccess point only sure station to receive all of the signalsProblem of the hidden nodeStation listens before it sends signal, if busy it waits a random time before it sends (avoidance)request-to-sendClear-to-send1.http://s4.hubimg.com/u/ _f260.jpg 2.http://redesfran-cisco.blogspot.com/2010/05/csmaca-rts-cts.html1.2.
6802.11 frame types Three types Management Frames—Govern communications between stations, except flow control;Control Frames—Support flow control over a variably available medium (such as RF);Data Frames—Encapsulate the Layer 3+ data that moves between stations actively engaged in communication on a wireless network.PG 203
7Management frames Type 0 Coordinate communication Forensic benefit Not encryptedMAC addressesBasic Service Set Identification (BSSID)Service Set Identifiers (SSIDs)Often point of attacks:WEP crackingEvil Twin
9Control frames Type 1 Manage the flow of traffic Problem of the hidden node addressed here0x1B—Request-to-send (RTS)0x1C—Clear-to-send (CTS)0x1D—Acknowledgment
10Data frame Type 2 Actual data Includes encapsulated higher-layer protocolsSubtypes examples4 = null functionNo data0 = data
11802.11 frame analysis Endianness Big-endian Most significant byte represented, stored or transmitted firstLittle-endianLeast significant byte represented, stored or transmitted first1.1.
12Top – written protocol Bottom – actual transmitted order Mixed-endianBit order within each individual data-field – big endianFields themselves – little endianTop – written protocol Bottom – actual transmitted order
13Wireshark exampleWireshark will correctly interpret the first byte– 0x20 (0b )The raw data show the actual order – 0x08 (0b )
14Wired equivalent privacy (WEP) Key pointsLayer 1 is RF shared by anyone tuned into the appropriate frequencyWireless AP is Layer 2Shared secret key with APWEP is brokenUnprotected key material can be used to brute-force attack shared encryption keyLayer 8 (humans) – shared secret key is not really secretWhy learn it?Legacy equipmentModern equipment used to support legacy equipmentEncrypted?Protected bit set to 1
15TKIP, AES, WPA and WPA2 Wi-Fi Protected Access (WPA) Uses key rotation – Temporal Key Integrity Protocol (TKIP)BrokenWPA2Used Counter Mode with CBC-MAC Protocol (CCMP) mode of AESNot brokenBoth WPA and WPA2Robust security networks (RSN)Management frame includes:BeaconsAssociation RequestsReassociation RequestsProbe Requests
17802.1XModule, extensible authentication framework regardless of physical mediumFramework for low-layer authenticationExtensible Authentication Protocol (EAP)Improves PPPPPP is still commonly usedPPPoEEV-DOCHAPPAPBased on central authentication storeEAP- Transport Layer Security (EAP-TLS)Protected EAP (PEAP)Lightweight EAP (LEAP)Much more likely to have an audit trail
18WAPs Layer 2 device All stations have access to signals Interception easyLogging capabilitiesMAC address filteringDHCP serviceRoutersSNMPSpecial case in investigationNearly unlimited access like a hubCan include Layer 3 routing and Layer 4 NATing
19Why investigate?Wireless access points may contain locally stored logs of connection attempts, authentication successes and failures, and other local WAP activity.WAP logs can help you track the physical movements of a wireless client throughout a building or campus.The WAP configuration may provide insight regarding how an attacker gained access to the network.The WAP configuration may have been modified by an unauthorized party as part of an attack.The WAP itself may be compromised.
20Enterprise apsSupport for IEEE a/b/g/nPhysical media is RF wavesLayer 3+ functionality, including:Support for routing protocolsDHCPNetwork address translationPacket filteringCentralized authenticationAuditable access logs (local and central)Station location trackingPerformance monitoring capabilitiesPower over Ethernet (PoE)Indoor and outdoor optionsThe interface options for enterprise-class wireless access points frequently include:Console (command-line interface (CLI))Remote console (SSH/Telnet)SNMPWeb interfaceProprietary interfaceCentral management interfacePg 215
21CONSUMER APs Support for IEEE 802.11a/b/g/n Physical media is RF waves Often contain Layer 3+ functionality, including:Limited routingDHCP serviceNATingLimited filteringLogging (locally and sometimes remotely)
22Wap evidence Volatile Persistent Operating system image Boot loader History of connections by MAC addressList of IPs associated with MACsHistorical logs of wireless events (access requests, key rotation, etc.)History of client signal strength (can help identify geographic location)Routing tablesStored packets before they are forwardedPacket counts and statisticsARP table (MAC address to IP address mappings)DHCP lease assignmentsAccess control listsI/O memoryRunning configurationProcessor memoryFlow data and related statisticsOperating system imageBoot loaderStartup configuration filesOff-SystemAggregationstorage
23Spectrum analysis IEEE supports three frequencies: 2.4 GHz (802.11b/g/n)US only allows uses of channels 1 – 11Japan allows uses through 143.6 GHz (802.11y)5 GHz (802.11a/h/j/n)Greenfield (GF) mode802.11n devices operating in GF are not visible to a/b/gDevicesMetaGeek’s Wi-SpyAirMagnet
24Passive evidence acquisition Wireless card must have Monitor modeA separate card used only for Monitor mode is bestAirPcap USPMonitor Layer3 WiFiRuns on windowsDecrypts WEPInfo that can be gatheredBroadcast SSIDsWAP MAC addressesSupported encryption / authentication algorithmsAssociated client MAC addresses
25Efficient analysis Are there any beacons in the wireless traffic? Are there any probe responses?Can you find all the BSSIDs/SSIDs from authenticated/associated traffic?Can you find malicious traffic? What does that look like?Is the captured traffic encrypted using WEP/WPA? Is anyone trying to break the encryption?
26Tcpdump and tshark Use BPF filters and wireless protocol knowledge Find WAPs‘wlan = 0x80’Encrypted data frames'wlan  = 0x08 and wlan  & 0x40 = 0x40 '
27Common attacks Sniffing An attacker eavesdrops on the network Rogue Wireless Access PointsUnauthorized wireless devices that extend the local network, often for an end-user’s convenienceChanging the channelIllegal use of channel 14Greenfield modeBluetooth Access PointPowerful class 1 devicesWireless Port knockingPg 224
28Common attacks continued The Evil Twin AttackAn attacker sets up a WAP with the same SSID as a legitimate WLANMan-in-the-middle attackWEP CrackingAn attacker attempts to recover the WEP encryption key to gain unauthorized access to a WEP-encrypted network.Forced generation of large amounts of initialization vectors (IV) until right one is created
29Locating wireless devices Strategies:Gather station descriptors, such as MAC addresses, which can help provide a physical description so that you know what to look forFor clients, identify the WAP that the station is associated with (by SSID)Leverage commercial enterprise wireless mapping softwarePoll the device’s signal strengthTriangulate on the signal
30Gather station descriptors OUI assigned by the manufacturerSrc and dst MAC addressesMake educated guess about the devices manufacturerWireshark will do this automatically
31Identify nearby wireless aps Generally device will connect to closest AP as the signal is usually strongestWAP logs and traffic monitoringStation association requests and responsesPassive monitoring
32Signal StrengthReceived Signal Strength Indication (RSSI) and Transmit (Tx) RateSent only if the capture tool supplies the dataWireshark can be configured as such by editing user preferencesNetStumblerWindows tool (XP, Vistumbler is a Win 7 option)Used for blackhats and whitehatsPresence can be detectedSupports GPS integrationUseful for wardriving and warwalking
33Signal strength continued KismetLibpcap-basedLinuxWireshark- and tcpdump-compatible data loggingNetwork IP range detectionHidden network SSID decloakingGraphical mapping of networksManufacturer and model identification of access points and clientsDetection of known default access point configurationsRuntime decoding of WEP packets for known networksNamed pipe output for integration with other tools, such as a Layer 3 IDS like SnortDistributed remote drone sniffingXML outputOver 20 supported card types
34Signal strength continued again KisMACCommercial Enterprise ToolsAruba and CiscoSkyhookWireless Positioning System (WPS)Apples “Locate Me” featureEye-Fi SD cards
35Works CitedDavidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.