
WiFi Networks Forensics Overview
Mike Davis, EE/MSEE, CISSP, SysEngr; ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al.



Presentation transcript:

Slide 1: WiFi Networks Forensics Overview
Mike Davis, EE/MSEE, CISSP, SysEngr; ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al.
Glenn G Jacobs, BSEE, Security+; Creative Commerce LLC

Slide 2: Presentation Overview (5/23/2013, Copyright 2013 Creative Commerce LLC)
- Why Wireless Networks?
- What is Wireless Internet (Wi-Fi)?
- WiFi Implementation
- WiFi Threat Landscape
- WiFi Basic Security Measures
- WiFi Tools
- WiFi Network Discovery
- WiFi Packet Sniffing Example
- WiFi WEP Password Cracking Example
- Web Links

Slide 3: Why Wireless Networks?
CONVENIENCE OF INSTALLATION!
- Adding a Wireless Access Point (WAP) to system routers is straightforward
- Wireless security has frequently just been taken for granted
CONVENIENCE OF MOBILITY!
- Businesses with less than $10 million in annual revenue are leading the charge, with 83 percent either using or planning to use Wi-Fi (http://news.cnet.com/ html)
- 76 percent of the workforce will be using a mobile networking device by 2013 (laptops/PDAs, etc.) (http://ipcarrier.blogspot.com/2010/02/us-is-most-mobile-workforce.html)
- Connectivity is now as convenient as a local coffee shop

Slide 4: What is Wireless Internet (Wi-Fi)?
Definition: a 2.4 GHz / 5 GHz radio-frequency data communication architecture and associated protocols based upon the IEEE 802.11x standards. A key concept is that WiFi networks exchange data frames between systems using the MAC (Media Access Control) and Logical Link Control (LLC) sublayers of the OSI Data Link Layer, using an RF LAN card communicating at the PHY (Physical) layer.

Slide 5: WiFi Implementation, Frequency Assignment (2.4 GHz shown, 802.11b/g/n)
Note: the signal must be attenuated by at least 30 dB from its peak energy at ±11 MHz from the centre frequency, which is the sense in which channels are effectively 22 MHz wide. One consequence is that stations can only use every fourth or fifth channel without overlap, typically 1, 6 and 11 in the Americas.

Slide 6: WiFi Implementation, Channels 1-7 Frequency Assignment (2.4 GHz, 802.11g)
Note: the above frequencies are all permitted in the US. Not all WiFi frequencies are legal in all nations.

Slide 7: WiFi Implementation, Channels 8-13 Frequency Assignment (2.4 GHz, 802.11b/g/n)

Slide 8: WiFi Implementation, "G" Standard
- Up to 54 MB/s data transfer rates
- Transfer rate drops to 1 MB/s at 300 feet
- Orthogonal Frequency-Division Multiplexing (OFDM) or Direct Sequence Spread Spectrum (DSSS)
- Typical range of 300 feet: a hacker's dream
- Most "g" hardware is backward compatible with "a" and "b" systems
- WiFi "G" was the most popular WLAN for new installations until 2009

Slide 9: WiFi Implementation, "N" Standard (2009)
- Multi-stream 2.5 GHz/5 GHz architecture
- Up to 150 MB/s single-stream
- Up to 300 MB/s dual-stream
- Up to 450 MB/s three-stream
- Up to 20 MHz channel width
- Multiple-Input / Multiple-Output (MIMO) multi-streaming protocol

Slide 10: WiFi Implementation, "ac" 5G Standard (2013)
- Multi-stream 5 GHz architecture
- Supplements and incorporates older "N" equipment
- Up to 450 MB/s single-stream
- Up to 900 MB/s dual-stream
- Up to 1.3 GB/s three-stream
- Up to 80 MHz channel width
- Multiple-Input / Multiple-Output (MIMO) multi-streaming protocol

Slide 11: WiFi Implementation, "Infrastructure Mode" Concept
Ethernet router is cabled to a Wireless Access Point (WAP), which radiates WiFi.

Slide 12: WiFi Implementation, WiFi Home "Infrastructure Mode" Target
Home wireless Ethernet router is cabled to the Internet modem and radiates WiFi.

Slide 13: WiFi Implementation, Terminology
- BSS: Basic Service Set. The WiFi network infrastructure concept: a router or Wireless Access Point (WAP) transmitter communicating with workstations.
- BSSID: the Media Access Control (MAC) layer unique ID of the router or Wireless Access Point (WAP) transmitter.
- SSID: Service Set Identifier. The broadcast WiFi ID which each user must specify to obtain access to a given WiFi network. Functions as a virtual "username".
- Management frames: frames that broadcast the router's SSID, show user "probe requests", association/disassociation activity, and authentication/deauthentication.

Slide 14: WiFi Implementation, Frame Standards
Current standards define "frame" types for use in transmission of data as well as management and control of wireless links. Frames are divided into very specific and standardized sections. Each frame has a MAC header, payload and FCS; some frames have no payload portion. The first 2 bytes of the MAC header form the Frame Control field, which provides detailed information about the frame. Its sub-fields, in order:
- Protocol Version: two bits in size. The protocol version currently in use is zero; other values are reserved for future use.
- Type: two bits in size; identifies the type of WLAN frame. Control, Data and Management are the frame types defined in IEEE 802.11.
- Sub Type: four bits in size. Type and Sub Type are combined to identify the exact frame.
- ToDS and FromDS: one bit each. They indicate whether a data frame is headed for a distribution system. Control and management frames set these values to zero. All data frames have one of these bits set; however, communication within an IBSS network always sets both bits to zero.
- More Fragment: set most notably when higher-level packets have been partitioned; it is set for all non-final sections. Some management frames may require partitioning as well.
- Retry: frames sometimes require retransmission, and the Retry bit is set to one when a frame is resent. This aids in the elimination of duplicate frames.
- Power Management: indicates the power management state of the sender after the completion of a frame exchange. Access points are required to manage the connection and never set the power saver bit.

Slide 15: WiFi Implementation, Frame Standards (cont'd)
- More Data: used to buffer frames received in a distributed system. The access point uses this bit to facilitate stations in power saver mode. It indicates that at least one frame is available and addresses all stations connected.
- WEP: modified after processing a frame. It is toggled to one after a frame has been decrypted, or, if no encryption is set, it will already have been one.
- Order: only set when the "strict ordering" delivery method is employed. Frames and fragments are not always sent in order, as ordering causes a transmission performance penalty.
The next two bytes are reserved for the Duration/ID field. This field can take one of three forms: Duration, Contention-Free Period (CFP), and Association ID (AID).
An 802.11 frame can have up to four address fields, each carrying a MAC address. Address 1 is the receiver, Address 2 is the transmitter, and Address 3 is used for filtering purposes by the receiver.
The Sequence Control field is a two-byte section used for identifying message order as well as eliminating duplicate frames. The first 4 bits are the fragment number and the last 12 bits are the sequence number.
An optional two-byte Quality of Service control field was added with 802.11e.
The Frame Body field is variable in size, from 0 to 2304 bytes plus any overhead from security encapsulation, and contains information from higher layers.
The Frame Check Sequence (FCS) is the last four bytes in the standard frame. Often referred to as the Cyclic Redundancy Check (CRC), it allows an integrity check of received frames. As a frame is about to be sent the FCS is calculated and appended. When a station receives a frame it can calculate the FCS of the frame and compare it to the one received; if they match, it is assumed that the frame was not distorted during transmission.

Slide 16: WiFi Implementation, Frame Standards (cont'd)
Management frames allow for the maintenance of communication. Some common subtypes include:
- Authentication frame: authentication begins with the Wireless Network Interface Card (WNIC) sending an authentication frame to the access point containing its identity. With open system authentication the WNIC only sends a single authentication frame, and the access point responds with an authentication frame of its own indicating acceptance or rejection. With shared key authentication, after the WNIC sends its initial authentication request it receives an authentication frame from the access point containing challenge text. The WNIC sends an authentication frame containing the encrypted version of the challenge text to the access point. The access point ensures the text was encrypted with the correct key by decrypting it with its own key. The result of this process determines the WNIC's authentication status.
- Association request frame: sent from a station, it enables the access point to allocate resources and synchronize. The frame carries information about the WNIC, including supported data rates and the Service Set Identifier (SSID) of the network the station wishes to associate with. If the request is accepted, the access point reserves memory and establishes an association ID for the WNIC.
- Association response frame: sent from an access point to a station containing the acceptance or rejection of an association request. If it is an acceptance, the frame will contain information such as the association ID and supported data rates.
- Beacon frame: sent periodically from an access point to announce its presence and provide the SSID and other parameters for WNICs within range.
- Deauthentication frame: sent from a station wishing to terminate the connection from another station.
- Disassociation frame: sent from a station wishing to terminate the connection. It's an elegant way to allow the access point to relinquish memory allocation and remove the WNIC from the association table.
- Probe request frame: sent from a station when it requires information from another station.

Slide 17: WiFi Implementation, Frame Standards (cont'd)
- Probe response frame: sent from an access point after receiving a probe request frame, containing capability information, supported data rates, etc.
- Reassociation request frame: a WNIC sends a reassociation request when it drops from range of the currently associated access point and finds another access point with a stronger signal. The new access point coordinates the forwarding of any information that may still be contained in the buffer of the previous access point.
- Reassociation response frame: sent from an access point containing the acceptance or rejection of a WNIC reassociation request frame. The frame includes information required for association such as the association ID and supported data rates.
Control frames facilitate the exchange of data frames between stations. Some common control frames include:
- Acknowledgement (ACK) frame: after receiving a data frame, the receiving station sends an ACK frame to the sending station if no errors are found. If the sending station doesn't receive an ACK frame within a predetermined period of time, the sending station resends the frame.
- Request to Send (RTS) frame: the RTS and CTS frames provide an optional collision reduction scheme for access points with hidden stations. A station sends an RTS frame as the first step in a two-way handshake required before sending data frames.
- Clear to Send (CTS) frame: a station responds to an RTS frame with a CTS frame. It provides clearance for the requesting station to send a data frame. The CTS provides collision control management by including a time value for which all other stations are to hold off transmission while the requesting station transmits.
Data frames carry packets from web pages, files, etc. within the body.
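The header layout on slides 14 to 17 can be checked against real bytes. The parser below is an added example, not code from the presentation: it splits the Frame Control sub-fields in the order the slides list them, locates the address fields, sequence control and body, and recomputes the FCS (the same CRC-32 that Ethernet uses, sent least-significant byte first). The two sample frames and their MAC addresses are constructed for illustration.

```python
"""Decode an 802.11 MAC header and verify the FCS, as the frame slides describe.

Added example, not code from the presentation. The two sample frames below are
constructed for illustration; the MAC addresses in them are made up.
"""
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc: int) -> dict:
    """Split the little-endian 16-bit Frame Control field into its sub-fields.

    Bits 0-1 protocol version, 2-3 type, 4-7 subtype, then one flag bit each
    in the order the slides list them; the "WEP" bit is called Protected here.
    """
    return {
        "protocol_version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_fragments": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgmt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),
        "order": bool(fc & 0x8000),
    }


def parse_frame(frame: bytes) -> dict:
    """Return header fields, the body and whether the trailing CRC-32 FCS matches."""
    if len(frame) < 14:  # smallest legal frame: CTS/ACK 10-byte header + 4-byte FCS
        raise ValueError("frame too short")
    fc_raw, duration = struct.unpack_from("<HH", frame, 0)
    fc = parse_frame_control(fc_raw)
    info = {"fc": fc, "type_name": FRAME_TYPES[fc["type"]],
            "duration_id": duration, "addr1_receiver": mac_str(frame[4:10])}
    if fc["type"] == 1:
        # Control frames: CTS and ACK carry only Address 1; the others add Address 2.
        header_len = 10 if fc["subtype"] in (12, 13) else 16
        if header_len == 16:
            info["addr2_transmitter"] = mac_str(frame[10:16])
        info["subtype_name"] = CTRL_SUBTYPES.get(fc["subtype"], "other control")
    else:
        info["addr2_transmitter"] = mac_str(frame[10:16])
        info["addr3"] = mac_str(frame[16:22])
        seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
        info["fragment_number"] = seq_ctrl & 0x0F  # low 4 bits
        info["sequence_number"] = seq_ctrl >> 4    # high 12 bits
        header_len = 24
        if fc["type"] == 2 and fc["to_ds"] and fc["from_ds"]:
            info["addr4"] = mac_str(frame[24:30])  # four-address (WDS) data frame
            header_len += 6
        if fc["type"] == 2 and fc["subtype"] & 0x8:
            header_len += 2                        # QoS Control field (802.11e)
        info["subtype_name"] = (MGMT_SUBTYPES.get(fc["subtype"], "other management")
                                if fc["type"] == 0 else "data")
    if len(frame) < header_len + 4:
        raise ValueError("frame truncated inside its header")
    info["body"] = frame[header_len:-4]
    received_fcs = struct.unpack("<I", frame[-4:])[0]
    # The FCS is the same CRC-32 Ethernet uses, transmitted least-significant byte first.
    info["fcs_ok"] = (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == received_fcs
    return info


def build_frame(fc_raw: int, addrs: list, seq: int, body: bytes, duration: int = 0) -> bytes:
    """Assemble a three-address frame and append a correct FCS (test-data helper)."""
    header = struct.pack("<HH", fc_raw, duration) + b"".join(addrs)
    header += struct.pack("<H", seq << 4)  # fragment number 0
    payload = header + body
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


# Constructed, locally administered addresses plus the broadcast receiver.
BSSID = bytes.fromhex("020000aabbcc")
STATION = bytes.fromhex("020000112233")
SOURCE = bytes.fromhex("020000445566")
BROADCAST = b"\xff" * 6
# Management / deauthentication (subtype 12), reason code 7, sequence number 17.
SAMPLE_DEAUTH = build_frame(12 << 4, [BROADCAST, BSSID, BSSID], 17, b"\x07\x00", duration=314)
# Data frame from the AP to the station: type 2 with FromDS and Protected bits set.
SAMPLE_DATA = build_frame((2 << 2) | 0x0200 | 0x4000, [STATION, BSSID, SOURCE], 18,
                          b"constructed ciphertext")
```

A frame whose FCS fails is what a monitor-mode capture shows as a damaged or collided frame; it should be excluded from counts rather than interpreted.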

Slide 18: WiFi Implementation, WEP Encryption
Wired Equivalent Privacy. The older standard 64-bit WEP uses a 40-bit key, which is concatenated with a CLEAR TEXT 24-bit initialization vector (IV) to form the RC4 traffic key. All of the major manufacturers now implement an extended 128-bit WEP protocol using a 104-bit key size (WEP-104). Highly vulnerable to forensic packages such as aircrack-ng.
DO NOT USE WEP EXCEPT FOR TRAINING/DEMONSTRATION

Slide 19: WiFi Implementation, WPA Encryption
WiFi Protected Access (WPA), Temporal Key Integrity Protocol (TKIP):
1. Implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key and passed this value to the RC4 routine. This permitted the vast majority of the RC4-based WEP key attacks.
2. WPA implements a sequence counter (TSC) to protect against "replay" attacks. Packets received out of order will be rejected by the access point.
3. TKIP implements a 64-bit message integrity check (MIC) named "MICHAEL".
Vulnerable to forensic packages such as "tkiptun-ng".

Slide 20: WiFi Implementation, WPA Encryption (cont'd)
Tkiptun MIC Retrieval Usage: tkiptun-ng
Filter options:
  -d dmac : MAC address, Destination
  -s smac : MAC address, Source
  -m len : minimum packet length
  -n len : maximum packet length
  -t tods : frame control, To DS bit
  -f fromds : frame control, From DS bit
  -D : disable AP detection
Replay options:
  -x nbpps : number of packets per second
  -a bssid : set Access Point MAC address
  -c dmac : set Destination MAC address
  -h smac : set Source MAC address
  -F : choose first matching packet
  -e essid : set target AP SSID

Slide 21: WiFi Implementation, WPA Encryption (cont'd)
Tkiptun MIC Key Retrieval Usage: tkiptun-ng
Debug options:
  -K prga : keystream for continuation
  -y file : keystream-file for continuation
  -j : inject FromDS packets
  -P pmk : pmk for verification/vuln testing
  -p psk : psk to calculate pmk with essid
Source options:
  -i iface : capture packets from this interface
  -r file : extract packets from this pcap file
  --help : Displays this usage screen

Slide 22: WiFi Implementation, WPA Encryption (cont'd)
Tkiptun MIC Key Retrieval Example
Input: tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0
Output: The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC.... so Address Resolution Protocol (ARP) is forced...
  ARP Reply Checking x.y
  15:54:11 Reversed MIC Key : C3:95:10:04:8F:8D:6C:66

Slide 23: WiFi Implementation, WPA-2 Encryption
WiFi Protected Access 2: CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP.
1. Advanced Encryption Standard (AES) is the cipher system.
2. Key management and message integrity are handled by a single component built around AES using a 128-bit key, a 128-bit block, and 10 rounds of encoding per the FIPS-197 standard.
3. A CCMP Medium Access Control Protocol Data Unit (MPDU) comprises five sections: MAC header, CCMP header, data unit, message integrity code (MIC), and frame check sequence (FCS). Of these, only the data unit and MIC are encrypted.
WPA-2 is vulnerable to "breaking handshake" and "brute force dictionary" attacks.

Slide 24: WiFi Implementation, Enterprise-Grade Encryption
Enterprise-grade WPA: Remote Authentication Dial-In User Service (RADIUS). RADIUS uses a challenge/response method for authentication. When a user logs on, the network access server (NAS), wireless access point (WAP) or authentication server creates a "challenge," which is typically a random number sent to the client machine. The client software uses its password or a secret key to encrypt the challenge via an encryption algorithm or a one-way hash function and sends the result back to the network (the "response"). The authentication system also performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password.
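The exchange the slide describes, written out with both sides, as an added example that is not code from the presentation and not RADIUS's actual wire format: HMAC-SHA256 stands in for the one-way hash function, an in-memory dictionary for the user store, and each challenge is random and consumed on first use, which is what stops a response captured off the air from being replayed.

```python
"""Challenge/response logon in the shape the RADIUS slide describes.

Added example, not the presentation's code and not the RADIUS protocol itself:
HMAC-SHA256 is assumed as the one-way function and credentials live in memory.
"""
import hashlib
import hmac
import secrets


class Authenticator:
    """The NAS/WAP/authentication-server side of the exchange."""

    def __init__(self, credentials: dict):
        self._credentials = credentials          # username -> shared secret (bytes)
        self._outstanding: dict = {}             # username -> challenge awaiting reply

    def challenge(self, username: str) -> bytes:
        """Issue a fresh 16-byte random challenge for this logon attempt."""
        nonce = secrets.token_bytes(16)
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Recompute the hash over the challenge and compare it to the reply.

        The challenge is removed before checking, so a response is valid at most
        once; a second verify() with the same bytes fails even if they were right.
        """
        nonce = self._outstanding.pop(username, None)
        secret = self._credentials.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """Client side: the password never leaves the client, only its hash over the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(auth: Authenticator, username: str, client_secret: bytes) -> bool:
    """One complete logon: challenge out, response back, verdict."""
    nonce = auth.challenge(username)
    return auth.verify(username, client_response(client_secret, nonce))


# Constructed credential for the example.
EXAMPLE_USERS = {"alice": b"constructed-password"}
```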

Slide 25: WiFi Threat Landscape
HACKER'S GOALS: Penetrate / Elevate / Manipulate
- PENETRATION: hacker accesses the system under attack
- ELEVATION: hacker increases their system privilege level by utilizing system services
- MANIPULATION: hacker directs the victim's system to do his bidding

Slide 26: WiFi Threat Landscape
- DHCP contains large amounts of known plaintext
- Rogue Wireless Access Points
- Hostile wandering clients
- Ad hoc (peer-to-peer) "Free Public WiFi" hostile networks
- Denial of Service attacks
Survey findings:
- 57 percent of IT managers are not confident that their organization knows the state of every endpoint that connects to their network.
- More than 50 percent of companies are using shared passwords or no encryption at all on Wi-Fi access points.
- Only 29 percent of companies check to make sure computers are up to date and patched before allowing traveling or remote employees to access the network when they return to the office.
- More than 50 percent of companies surveyed have guests accessing the network every day, with 20 percent allowing non-employees to plug directly into the network without security checks or controls.
- 31 percent of companies do not know the identity of every user on their network.

Slide 27: WiFi Threat Landscape, WiFi Intrusion at TJ Maxx
Vulnerability to a hostile client: a WiFi network with inadequate WEP encryption replaced retail outlet cabling at kiosks in MN.

Slide 28: WiFi Basic Security Measures, Change Admin Password Settings
Change the wireless router / Wireless Access Point (WAP) username and password from the industry defaults:
1. Username: admin
2. Password: admin

Slide 29: WiFi Basic Security Measures, Change Encryption Settings
DO NOT USE Wired Equivalent Privacy (WEP) encryption: its encryption keys can be broken in less than 1 minute. Use stronger encryption such as WPA-PSK (WiFi Protected Access, Pre-Shared Key). This wireless encryption method uses a pre-shared key (PSK) for key management. Keys can usually be entered as manual hex values, as hexadecimal characters, or as a passphrase.

Slide 30: WiFi Tools Summary
- Handheld directional RF WiFi detector with spare CR2032 lithium "hearing-aid" batteries
- Windows OS, Linux or Mac OS laptop with spare fully charged battery packs
- Wireless LAN WiFi PC "interface" adapter (card/USB) that supports "Monitor Mode" (super critical!)
- WiFi forensics software for network discovery, packet capture, and analysis
- 120V electrical power automotive adapter
- Paper forms and logs

Slide 31: WiFi Tools, Handheld Directional RF Detector
Hawking Technology Model HWL1 802.11b/g WiFi Locator
- Network specification: IEEE 802.11b/g
- Operating frequency: 2.4~ GHz
- Operating range: up to 1000 feet (line of sight), up to 300 feet (indoors)
- LEDs: 1 x Power, 5 x Signal Strength
- Antenna gain: 5.15 dBi
- Battery: 1 x Lithium CR2032, 2 year battery life
- Dimensions: 92 (L) x 56 (W) x 25 (H) mm
- Weight: 45 g
- tlist.php?CatID=32&FamID=71&ProdID=131
Functionality: point the directional antenna towards the source and press the "Locate" button. The signal filters on the Model HWL1 filter out all unwanted 2.4 GHz signals, such as Bluetooth, cordless phones and microwaves.

Slide 32: WiFi Tools, Windows OS vs. Linux vs. Mac OS Laptop Selection Criteria
- User comfort and familiarity level will affect the OS choice.
- Microsoft Windows OS, with its restricted Win32 kernel, has fewer WiFi forensics hardware/software ensembles. Windows has fewer "monitor mode" wireless LAN card / password-cracking software combinations than Linux. There have been recent additions.
- Linux has a large number of historically prominent WiFi forensics packages. The majority of these software packages are still "command-line" and may require time for familiarization. Recently, "Windows-like" Linux WiFi forensics software has become available, often as part of free forensics distributions such as "BackTrack 4".
- Mac OS is supported by the popular multifunctional KisMAC WiFi "stumbler" (network discovery) / packet sniffing / password cracking software. KisMAC is geared toward network security professionals. The "Apple AirPort" WiFi network card is supported by Linux.

Slide 33: WiFi Tools, Wireless LAN WiFi PC Adapter (Card/USB) that supports "Monitor Mode"
- "Ordinary" laptop WiFi access (coffee shop Web surfing, etc.) involves the WiFi PC adapter running in so-called "managed mode". This is the default mode for all purchased laptops.
- In managed mode, the user's laptop wireless adapter and its software depend entirely on the infrastructure's wireless router to provide network connectivity. Usernames and passwords are seldom required for coffee shops and other public places.
- Managed mode is useless for WiFi packet sniffing forensic activities.
- Some Windows OS software "stumbler" (WiFi network discovery/enumeration) programs can function (partially) with WiFi adapters operating in managed mode. One of these is "Wireless Mon" by PassMark.
- The forensic laptop WiFi network card must be placed in "Monitor" mode.
- Popular laptop WiFi cards such as Broadcom often do not support "Monitor" mode. Chipsets by Hermes, Prism2, Spectrum24, Raylink, Zydas, and Atheros are supported by most forensics software.

Slide 34: WiFi Tools, Linux WiFi Card Setup
The forensic laptop WiFi network card must be placed in "Monitor Mode". To accomplish this, as the Linux root user do the following on the Linux command line:
1. iwconfig
2. Note the "Mode: Managed" (vs "Mode: Monitor") command line response.
3. To REQUEST change to Monitor mode: iwconfig eth01 mode monitor
(Note: "eth01" is a typical network card interface designator. Your PC's may instead be "ath01", for example, if your WiFi interface card chipset is from Atheros.)

Slide 35: WiFi Tools, Linux WiFi Card Setup (cont'd)
4. To ACTIVATE change to Monitor mode: ifconfig eth01 up
5. To CONFIRM activation of Monitor mode: ifconfig eth01
The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.
If your WiFi interface card chipset is from Atheros, use the following commands instead:
4. "Destroy" Managed mode: wlanconfig ath01 destroy
5. REQUEST change to Monitor mode: wlanconfig ath01 create wlandev wifi0 wlanmode monitor
6. ACTIVATE change to Monitor mode: ifconfig ath01 up
7. To CONFIRM activation of Monitor mode: ifconfig ath01
The command line will display the term UP BROADCAST MULTICAST, indicating Monitor mode.

Slide 36: WiFi Tools, Software Concepts
- Network discovery and enumeration
  1. Most packet capture software also performs network discovery and enumeration
  2. "Wireless Mon" (Windows OS): runs in Managed Mode
  3. Kismet (Linux; contained on BackTrack 4 distributions)
- Packet capture using capture software "engines"
  1. WinPcap (Windows OS)
  2. LibPcap (Linux library)
- Packet "sniffing" (retrieval/display), analysis, reporting
  1. Wireshark (Windows OS and Linux)
  2. Tcpdump (Linux): the oldest and most popular network sniffer
  3. WinDump (Windows OS, Win 95 through Win XP)

Slide 37: WiFi Tools, Packet Capturing Software
- Digital packet capturing (PCAP) provides the data stream input for WiFi "sniffer"/analysis software
- The WiFi radio signal is received by the hardware "interface" card (WNIC) and transferred to PCAP
- PCAP software is often bundled with the distribution of sniffer/analysis software
- Windows users: "WinPcap" software
- Linux users: "LibPcap" software

Slide 38: WiFi Network Discovery, "Wireless Mon" WiFi "Managed Mode" Network "Drive-By" Discovery Software
"Wireless Mon" WiFi discovery software by PassMark. Runs in WiFi "Managed Mode" (!), a rarity. This means almost any Windows OS "wireless laptop" off the shelf can utilize, at least partially, the functionality of "Wireless Mon":
1. Detects and monitors wireless (WiFi) networks within range.
2. Provides Service Set Identifier (SSID), system availability, and encryption information.
3. Presents a live channel usage chart to help identify forensics targets.
4. Generates signal strength coverage maps (Professional Edition) by either manually plotting points or using a GPS device.

Slide 39: WiFi Network Discovery, Windows OS "Wireless Mon" WiFi "Managed Mode" Example

Slide 40: WiFi Network Discovery, Windows OS "Wireless Mon" WiFi "Managed Mode" Discovery Example
Use the Summary tab to observe nearby WiFi "Channel Use". The Channel Use chart displays the number of local WiFi routers for the selected channel upon mouseover, as well as their status (green for "Available", blue for "Connected", red for "Not Available"). The majority of small WiFi installations use Channel 6.

Slide 41: WiFi Network Discovery, Windows OS "Wireless Mon" WiFi "Managed Mode" Network Discovery Example (cont'd)
In the example below, the Wireless Mon Summary tab shows:
1. "SSID" (Service Set ID): the WiFi user logon "username"
2. "MAC Address" (Media Access Control address): a MAC address is six bytes (48 bits) long, where the first three bytes (the Organizationally Unique Identifier, "OUI") represent the manufacturer
3. FCC WiFi channel assignment
4. WiFi "Security" (encryption) mode ("None", WEP (weakest encryption), WPA2, or WPA-PSK)
NOTE THAT A LARGE PERCENTAGE OF DEPLOYED SMALL SYSTEMS HAVE ROUTERS BROADCASTING THE MANUFACTURER'S NAME (i.e., "linksys", "2WIRE351")
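The four columns above are enough for a first triage of a discovery list, done here as an added example (not code from the presentation or from PassMark): each network gets its OUI looked up, its security mode ranked, and its SSID checked against the factory names the slide calls out, and the channel histogram reproduces the Channel Use chart in text. The OUI table, the discovery rows and their MAC addresses are constructed for illustration; a real triage would load the IEEE OUI registry and a fuller list of factory SSIDs.

```python
"""Triage a WiFi discovery list of the kind the Wireless Mon Summary tab shows.

Added example, not code from the presentation or from PassMark. The OUI table,
the default-SSID patterns and the network rows below are constructed.
"""
import re
from collections import Counter

# Constructed OUI-to-vendor table using locally administered prefixes, not real OUIs.
OUI_VENDORS = {"02:14:bf": "Linksys (constructed entry)",
               "02:1d:5a": "2Wire (constructed entry)"}
# Factory SSIDs named on the slide: "linksys" and "2WIRE" followed by digits.
DEFAULT_SSID_PATTERNS = [re.compile(r"^linksys$", re.IGNORECASE),
                         re.compile(r"^2WIRE\d+$")]
# Security modes as the slide lists them, weakest first.
SECURITY_RANK = {"None": 0, "WEP": 1, "WPA-PSK": 2, "WPA2": 3}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def oui(mac: str) -> str:
    """First three bytes of a MAC address: the Organizationally Unique Identifier."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac[:8]


def triage_network(row: dict) -> dict:
    """Flag weak encryption and factory SSIDs for one discovered network."""
    findings = []
    security = row["security"]
    if security not in SECURITY_RANK:
        raise ValueError(f"unknown security mode {security!r}")
    if SECURITY_RANK[security] == 0:
        findings.append("no encryption: traffic readable by any sniffer in range")
    elif security == "WEP":
        findings.append("WEP: keys recoverable in under a minute, treat as open")
    if any(p.match(row["ssid"]) for p in DEFAULT_SSID_PATTERNS):
        findings.append("factory SSID: check that the admin password was changed")
    return {"ssid": row["ssid"], "bssid": row["mac"].lower(),
            "vendor": OUI_VENDORS.get(oui(row["mac"]), "unknown OUI"),
            "channel": row["channel"], "findings": findings}


def triage(rows: list) -> list:
    """Triage every row, most findings first, so the examiner sees priorities."""
    results = [triage_network(r) for r in rows]
    return sorted(results, key=lambda r: (-len(r["findings"]), r["ssid"]))


def channel_usage(rows: list) -> Counter:
    """Channel histogram: the textual form of the Channel Use chart."""
    return Counter(r["channel"] for r in rows)


# Constructed discovery results in the four columns the slide names.
SAMPLE_ROWS = [
    {"ssid": "linksys", "mac": "02:14:BF:01:02:03", "channel": 6, "security": "WEP"},
    {"ssid": "2WIRE351", "mac": "02:1d:5a:aa:bb:cc", "channel": 6, "security": "WPA-PSK"},
    {"ssid": "coffeeshop", "mac": "02:00:5e:11:22:33", "channel": 11, "security": "None"},
    {"ssid": "homeoffice", "mac": "02:00:5e:44:55:66", "channel": 1, "security": "WPA2"},
]
```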

Slide 42: WiFi Network Discovery, Windows OS "Wireless Mon" WiFi "Managed Mode" Network Discovery Example (cont'd)
Use the Summary tab to further observe the list of nearby WiFi networks. In the example below, the Summary tab shows that all of the WiFi networks listed:
1. Deploy "Infrastructure" mode (the wireless router broadcasts to all nearby receivers)
2. Support 54 Mb/s rates
3. Use Orthogonal Frequency Division Multiplexing (OFDM 24)
Wireless Mon can store WiFi discovery results for input to forensic reports.

Slide 43: WiFi Network Discovery, Wireless LAN WiFi PC Adapter (Monitor Mode) for Windows OS
CACE (Creative Advanced Communication Engineering) "AirPcap TX" Monitor Mode USB wireless adapter:
- Contains a WiFi antenna
- Utilizes WinPcap 4.01 (beta) packet capture software
- Provides the packet injection required to support WiFi password cracking software such as AirCrack
- Shipped with the popular Wireshark sniffer software
- Supports Windows Vista OS
http://www.cacetech.com/products/airpcap-tx.htm
CACE Model "AirPcap TX"

Slide 44: WiFi Packet Sniffing Example, Wireshark
1. "Associate" (connect) with the WiFi network.
2. Select the sniffer "Interface" (WiFi Monitor Mode network card). Then click on "Options".

Slide 45: WiFi Packet Sniffing Example, Wireshark (cont'd)
3. Select packet sniffing "Options".

Slide 46: WiFi Packet Sniffing Example, Wireshark (cont'd)
4. Click "Start". NOTE the desktop PC printer frame (UNIX CUPS) below.

47
WiFi Packet Sniffing Example: Wireshark (cont’d)
5. Click Stop in the WireShark Capture menu.
6. Browse through WireShark’s frame list and observe the forensic target WiFi User’s “Web Surfing” (HTTP) frames.
7. Type the expression “http” in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
8. WireShark will then display only “Web Surfing” (HTTP) frames.

48 7/9/2008 For HTCIA/CACI/Gov't Use Only © 2008 CACI
WiFi Packet Sniffing Example: Wireshark (cont’d)
WIRESHARK DISPLAY OF HTTP FRAMES ONLY:

49
WiFi Packet Sniffing Example: Wireshark (cont’d)
Forensics Examiner may observe IMAGES from captured HTTP “Web Surfing” Frames:
Examiner right-clicks on the above “JPEG File Interchange Format” line and exports the RAW image file (as “Imagexx.jpg”) to a folder.
RESULT:

50
WiFi Packet Sniffing Example: Wireshark (cont’d)
WIRESHARK DISPLAY OF HTTP FRAME HISTORICAL “THREADS”:
1. Click on the first HTTP frame of interest – usually a GET command
2. In the WireShark Analyze menu, click on Follow TCP Stream
3. TCP Streams will appear parsed by Web Page activity

51
WiFi Packet Sniffing Example: Wireshark (cont’d)
FREE IDENTIFICATION OF WEBSITE ORIGINS FROM HTTP frames of interest – usually GET commands
Type website IP Address into LIVE PRODUCT DEMO at:
EXAMPLE:
RESULT:

52
WiFi Packet Sniffing Example: Wireshark (cont’d)
WIRESHARK DISPLAY OF FTP FRAMES ONLY
Type the expression “ftp” in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
WireShark will then display only File Transfer Protocol (FTP) frames.

53
WiFi Packet Sniffing Example: Wireshark (cont’d)
Forensics Examiner may observe USERNAME and PASSWORD from captured FTP Frames:

54
WiFi Packet Sniffing Example: Wireshark (cont’d)
WIRESHARK DISPLAY OF FTP FRAME HISTORICAL “THREADS”:
Click on the first FTP frame of interest – usually USERNAME
In the WireShark Analyze menu, click on Follow TCP Stream
TCP Streams will appear parsed by Web Page activity
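Slides 47 through 54 lean on two Wireshark features: a display filter that narrows the frame list to one protocol, and Follow TCP Stream, which puts the segments of one conversation back in order so the FTP USER and PASS lines (or an HTTP request) can be read as the client sent them. The example below is added here and is not code from the presentation; it reimplements that reassembly step in Python on constructed segments and then does what a defender would do with the result: flag cleartext credentials so legacy protocols on the WLAN can be found and retired. The FTP patterns follow the slides; the HTTP Basic check is a generalization of the same problem. Segment, reassemble and audit are hypothetical names, the segments and request are constructed sample data, and passwords are never printed, only their length.

```python
"""Added example: reassemble a captured TCP stream and flag cleartext credentials.

Hypothetical, self-contained code; the segments below are constructed sample
data, not frames from the presentation's capture."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment from a single direction of a conversation."""
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application-layer bytes carried by this segment


def reassemble(segments):
    """Order segments by sequence number and join contiguous payloads.

    This is the core of Follow TCP Stream for one direction: retransmitted
    duplicates (same seq) are dropped, and a gap (a segment lost in capture)
    stops reassembly rather than guessing what was missed."""
    unique = {seg.seq: seg for seg in segments}
    ordered = sorted(unique.values(), key=lambda seg: seg.seq)
    if not ordered:
        return b""
    stream = bytearray(ordered[0].payload)
    expected = ordered[0].seq + len(ordered[0].payload)
    for seg in ordered[1:]:
        if seg.seq != expected:
            break
        stream += seg.payload
        expected += len(seg.payload)
    return bytes(stream)


# Credentials that travel in the clear. FTP USER/PASS is what the slides show;
# HTTP Basic authentication is the same weakness in a different protocol.
FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def find_cleartext_credentials(stream):
    """Return (kind, value) findings for a reassembled client-to-server stream.

    Usernames are reported so the account owner can be notified; passwords are
    never written out, only their length, because the purpose is to locate and
    retire cleartext protocols, not to collect secrets."""
    findings = []
    for match in FTP_USER.finditer(stream):
        findings.append(("ftp-user", match.group(1).decode(errors="replace")))
    for match in FTP_PASS.finditer(stream):
        findings.append(("ftp-password", f"<redacted, {len(match.group(1))} chars>"))
    for match in HTTP_BASIC.finditer(stream):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode(errors="replace")
            user = decoded.split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append(("http-basic-user", user))
    return findings


# Constructed sample: an FTP login captured out of order, with one retransmission.
FTP_SEGMENTS = [
    Segment(1012, b"PASS hunter2\r\n"),
    Segment(1000, b"USER alice\r\n"),
    Segment(1000, b"USER alice\r\n"),   # duplicate (retransmitted) segment
    Segment(1026, b"SYST\r\n"),
]

# Constructed sample: one HTTP request carrying Basic authentication ("admin:secret").
HTTP_STREAM = (b"GET /admin HTTP/1.1\r\nHost: printer.local\r\n"
               b"Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n")


def audit(segments):
    """Reassemble one direction of a stream and report any cleartext credentials."""
    return find_cleartext_credentials(reassemble(segments))


if __name__ == "__main__":
    for kind, value in audit(FTP_SEGMENTS) + find_cleartext_credentials(HTTP_STREAM):
        print(f"{kind}: {value}")
```

Wireshark's own reassembly also handles the server-to-client direction, overlapping retransmissions and out-of-window data; this version deliberately stops at the first gap so that a finding is never built from bytes the capture did not actually contain.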

55
WiFi Packet Sniffing Example: Wireshark (cont’d)
WIRESHARK DISPLAY OF GOOGLE MAIL FRAMES ONLY
Type the expression “host” followed by the captured Google Mail server name in the WireShark “Display Filter”. Then click the adjacent “Apply” button.
WireShark will then display only Google Mail frames.

56
WiFi WEP Password Cracking Example: Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows OS Command Line – partial GUI support
Examiner clicks on airodump-ng-airpcap and completes the “IV capture” startup screen:

57
WiFi WEP Password Cracking Example: Decrypt WEP (Wired Equivalent Privacy) - Begin Creating IV Capture File
Airodump will automatically gather the needed IVs (Initialization Vectors), starting at a slow pace (# Data column)
250,000+ IVs required to break 64-bit WEP Key
1,500,000+ IVs required to break 128-bit WEP key
Target WiFi Router MUST BE ACTIVE – Users Web Surfing, etc
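The IV counts on this slide come from statistical key-recovery attacks on RC4's key scheduling, which the tools named in the deck implement and which this example does not. What the example does show, as an added illustration that is not part of the presentation, is the underlying design flaw the examiner is exploiting: WEP prepends a 24-bit IV to the key on every frame, so a busy network exhausts or repeats IV values quickly, and a repeated IV means a repeated RC4 keystream regardless of whether the key is 64-bit or 128-bit. The functions model IVs as uniformly random (the birthday problem) or as a sequential counter; their names are hypothetical, and the frame rate used in the demonstration is a constructed value.

```python
"""Added example: how quickly WEP's 24-bit per-frame IV space runs out.

Hypothetical, self-contained code; it quantifies IV reuse and does not
implement any key-recovery attack."""
import math

IV_BITS = 24               # WEP transmits a 24-bit IV in the clear with every frame
IV_SPACE = 1 << IV_BITS    # 16,777,216 distinct IV values


def iv_collision_probability(frames, iv_space=IV_SPACE):
    """Probability that at least one IV value repeats within `frames` frames
    when IVs are chosen uniformly at random (the birthday problem).

    log-gamma keeps the product exact for large frame counts instead of the
    usual exp(-n^2 / 2N) approximation."""
    if frames <= 1:
        return 0.0
    if frames > iv_space:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    log_no_collision = (math.lgamma(iv_space + 1)
                        - math.lgamma(iv_space - frames + 1)
                        - frames * math.log(iv_space))
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_probability(p, iv_space=IV_SPACE):
    """Approximate frame count at which a repeated IV has probability p
    (inverting the exp(-n^2 / 2N) birthday approximation)."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


def iv_space_fraction(frames, iv_space=IV_SPACE):
    """Share of the IV space consumed by `frames` frames (for the slide's counts)."""
    return frames / iv_space


def seconds_until_counter_wraps(frames_per_second, iv_space=IV_SPACE):
    """For a card that uses a sequential IV counter: time until the counter wraps
    and every subsequent frame reuses an IV already sent."""
    if frames_per_second <= 0:
        raise ValueError("frames_per_second must be positive")
    return iv_space / frames_per_second


if __name__ == "__main__":
    # Constructed demonstration values, not measurements from the deck.
    for n in (4096, 50_000, 250_000, 1_500_000):
        print(f"{n:>9} frames: P(IV repeat) = {iv_collision_probability(n):.4f}, "
              f"{iv_space_fraction(n):.2%} of IV space")
    print("frames for a 50% chance of a repeated IV:",
          frames_for_collision_probability(0.5))
    print("sequential IV counter wraps after",
          f"{seconds_until_counter_wraps(1000) / 3600:.1f} hours at 1000 frames/s")
```

The numbers are the point: a 50% chance of a repeated keystream arrives after only a few thousand frames with random IVs, and even a perfectly sequential counter wraps in a few hours of ordinary traffic. That is why the slide's requirement that the target be "active" is enough, and why WEP is unacceptable on any network an examiner is asked to protect.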

58
WiFi WEP Password Cracking Example: Decrypt WEP (Wired Equivalent Privacy) - Accelerate IV Capture – Packet Injection
Examiner uses the aireplay-ng command-line utility to constantly inject packets to accelerate IV creation by the target (and capture)
Target WiFi router performance may be impacted
Target Intrusion Detection Systems (IDS) may respond

59
WiFi WEP Password Cracking Example: Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows OS Command Line – partial GUI support
Forensic Examiner clicks on the aircrack-ng GUI and completes the decryption screen

60
WiFi WEP Password Cracking Example: Recovered Key Display by Aircrack-ng
SUCCESSFUL KEY DECRYPTION
Forensic examiner may insert the below Decrypted Key (Hex Format, 66756A7839) into the WireShark Decryption Keys list. WireShark will automatically decrypt packets and display them.
Forensic Examiner may “log on” (associate with) WiFi network (BSS) bulliron with passkey fujx9

61 Questions?

62
Web Links
Hawking Handheld Directional WiFi Detector mID=71&ProdID=131
Wireshark Packet Sniffer / Analyzer
CACE (Creative Advanced Communication Engineering) “AirPcap TX” Monitor Mode USB Wireless Adapter for Microsoft Windows
“AirCrack” Password Cracking Software

63
Web Links (cont’d)
WEP WiFi Encryption “Cracking”
WPA/WPA2 WiFi Encryption “Cracking”
Packet Captures and Network Devices

64
Web Links (cont’d)
Remote-Exploit.org “BackTrack 4” Forensics CD (Linux programs run “independently” from the User’s CD drive)
PassMark “WirelessMon” Wireless Network Enumeration (“Stumbler”) Utility http://www.passmark.com/products/wirelessmonitor.htm

65
Web Links (cont’d)
WIGLE (Wireless Geographic Logging Engine) - List of Default WiFi “Service Set IDs” (SSIDs) http://www.wigle.net/gps/gps/main/ssidstats
Institute of Electrical and Electronic Engineers (IEEE) Searchable List of MAC Address “OUI” (Organizational Unique Identifier) Manufacturer’s Codes - first 3 bytes of MAC address
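The two resources on this slide are what an examiner applies to the discovery results from slide 42: the OUI (first three bytes of the BSSID) names the access point's manufacturer, and the WIGLE list shows which SSIDs are factory defaults, a sign of an unmanaged or rogue router. The example below is added here and is not code from the presentation; it triages a constructed discovery scan the way a report would, looking up vendors, flagging default SSIDs and open or WEP networks, and handling the one catch the slide does not mention: if the locally administered bit of the first byte is set, the address is not vendor-assigned and an OUI lookup is meaningless. The OUI table and default-SSID set are tiny placeholder samples standing in for the IEEE registry and the WIGLE list; triage and normalize_mac are hypothetical names.

```python
"""Added example: triage WiFi discovery results with OUI and default-SSID checks.

Hypothetical, self-contained code. OUI_TABLE and DEFAULT_SSIDS are constructed
placeholders; a real examiner loads the IEEE registry and the WIGLE SSID list."""

# Constructed sample: first three bytes of the MAC -> manufacturer (placeholders).
OUI_TABLE = {
    "00:11:22": "VendorA (placeholder)",
    "00:33:44": "VendorB (placeholder)",
}

# Constructed sample of factory-default SSIDs, lower-cased for comparison.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

WEAK_ENCRYPTION = {"OPEN", "WEP"}


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 forms."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 of the first byte set means the address was not assigned by a
    manufacturer (randomized or operator-set), so the OUI names no vendor."""
    first_byte = int(normalize_mac(mac)[:2], 16)
    return bool(first_byte & 0x02)


def lookup_vendor(mac):
    """Manufacturer for a universally administered MAC, else None."""
    norm = normalize_mac(mac)
    if is_locally_administered(norm):
        return None
    return OUI_TABLE.get(norm[:8])


def triage(access_points):
    """Annotate each discovered AP with its vendor and configuration flags."""
    findings = []
    for ap in access_points:
        bssid = normalize_mac(ap["bssid"])
        flags = []
        if ap["ssid"].strip().lower() in DEFAULT_SSIDS:
            flags.append("default-ssid")
        encryption = ap["encryption"].upper()
        if encryption in WEAK_ENCRYPTION:
            flags.append("weak-encryption:" + encryption)
        if is_locally_administered(bssid):
            vendor = None
            flags.append("locally-administered-bssid")
        else:
            vendor = OUI_TABLE.get(bssid[:8])
            if vendor is None:
                flags.append("oui-not-in-table")
        findings.append({"bssid": bssid, "ssid": ap["ssid"],
                         "vendor": vendor, "flags": flags})
    return findings


# Constructed sample scan, in the shape a stumbler export might take.
SAMPLE_SCAN = [
    {"bssid": "00-11-22-33-44-55", "ssid": "linksys", "encryption": "WEP"},
    {"bssid": "00:33:44:01:02:03", "ssid": "CorpNet", "encryption": "WPA2"},
    {"bssid": "02:00:00:ab:cd:ef", "ssid": "Guest", "encryption": "OPEN"},
    {"bssid": "0099.8877.6655", "ssid": "Lab-AP", "encryption": "WPA2"},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(f"{row['bssid']}  {row['ssid']:<10} {row['vendor'] or '-':<24} "
              f"{', '.join(row['flags']) or 'ok'}")
```

An AP that carries both default-ssid and weak-encryption flags is the classic unmanaged consumer router; one with a locally administered BSSID deserves a second look because the vendor cannot be inferred from the address at all.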

66
Web Links (cont’d)
Forensic Software Product Line Overview from Clarifying Technologies products/products_public.html
RADIUS “Challenge” User Authentication/Password Utility nge%252Fresponse.html

67
References
WI-FOO - The Secrets of Wireless Hacking (Andrew Vladimirov et al, Addison-Wesley)
Wireshark & Ethereal – Network Protocol Analyzer Toolkit (Angela Orebaugh et al, Syngress)
Penetration Tester’s OPEN SOURCE TOOLKIT Volume 2 (Aaron Bayles, et al, Syngress)

68
References (cont’d)
COMPUTER EVIDENCE – Collection and Preservation (Christopher L.T. Brown, Charles River Media)
HACKER’S CHALLENGE 3 (David Pollino et al, McGraw-Hill)

69
References (cont’d)
REAL DIGITAL FORENSICS - Computer Security and Incident Response (Keith Jones, Richard Bejtlich, Curtis Rose)
ANTI-HACKING TOOLKIT (Mike Shema et al, McGraw-Hill)

70 Questions?

71 Questions?
Mike Davis, EE/MSEE, CISSP, SysEngr ISSA/TSN/SOeC/ AFCEA/NDIA/IEEE/INCOSE et al
Glenn G Jacobs, BSEE, Security + Creative Commerce LLC

