Module XXIX – Investigating Wireless Attacks
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Verifying Wireless Hackers for Homeland Security
Source: http://www.sciencedaily.com/
News: Cops Roped in to Provide Security for Planned Wi-Fi Network
Source: http://www.expressindia.com/
Module Objective
This module will familiarize you with:
• Wireless Networking Technologies
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Association of Wireless AP and Device
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Wireless Components
• Active and Passive Wireless Scanning Techniques
• Tools
Module Flow
• Wireless Network Technologies
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Wireless Components
• Active and Passive Wireless Scanning Techniques
• Tools
Wireless Networking Technologies
Wireless networking technology is becoming increasingly popular, and at the same time many security issues are arising with it
The popularity of wireless technology is driven by two primary factors: convenience and cost
A Wireless Local Area Network (WLAN) allows workers to access digital resources without being tied to their desks
Some of the wireless networking technologies are as follows:
• Bluetooth
• InfraRed
• Ultrawideband
• ZigBee
• Wireless USB
• Wi-Fi
• WiMAX
• Satellite
Wireless Networks
There are four basic types:
• Peer-to-Peer: wireless devices communicate directly with one another without an access point
• Extension to a wired network: a single access point (with optional extension point) bridges the wireless network to the wired Ethernet network
• Multiple access points: two or more access points on the same wired Ethernet network each serve their own wireless network
• LAN-to-LAN wireless network: two access points link two separate wired Ethernet networks over the wireless link
Wireless Attacks
Wardriving:
• Wardriving is the act of locating, and possibly exploiting, connections to wireless local area networks while driving around a city or elsewhere
Warflying:
• Warflying involves flying around in an aircraft looking for open wireless networks
Warchalking:
• The term warchalking comes from hackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access
Passive Attack
Eavesdropping on network traffic is the typical passive attack
Passive attacks are difficult to detect because the attacker transmits nothing
An administrator using DHCP on a wireless network may still notice that an unauthorized MAC address has acquired an IP address by checking the DHCP server logs
An eavesdropper can easily capture the network traffic using tools such as Network Monitor on Microsoft platforms, tcpdump on Linux-based systems, or AirSnort
Threats from Electronic Emanations
Electronic emanations are the radiations from an electrical or electronic device
Threats from electronic emanations:
Eavesdropping:
• Unauthorized listening to private conversations
• Electronic emanations carry the information beyond the intended destination system
• Since the wireless medium is insecure, attackers take advantage of emanations to listen to or manipulate the information
Data leakage:
• Leakage of information through emanations
Sniffing:
• Attackers can capture and decode the information from the emanations
Active Attacks on Wireless Networks
If an intruder obtains adequate information from the passive attack, the network becomes more vulnerable to an active attack, which can seize a system through:
• DoS Attacks
• MiTM Attack
• Hijacking and Modifying a Wireless Network
Denial-of-Service Attacks
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs
WLANs send information via radio waves on public frequencies, making them susceptible to inadvertent or deliberate interference from traffic using the same radio band
Man-in-the-Middle Attack (MITM)
Happens when an attacker inserts himself into a data communication stream
Two types of MITM:
Eavesdropping:
• The attacker receives the data communication stream
• Not using security mechanisms such as IPsec, SSH, or SSL leaves the data readable by an unauthorized user
Manipulation:
• An extended step of eavesdropping in which the attacker alters the traffic
• It can be done by ARP poisoning
Hijacking and Modifying a Wireless Network
TCP/IP packets go through switches, routers, and APs
Each device looks at the destination IP address and compares it with its table of known local addresses
If the address is not in the table, the device hands the packet to its default gateway
This table is dynamic: it is built up from traffic passing through the device and from Address Resolution Protocol (ARP) announcements of new devices joining the network
Hijacking and Modifying a Wireless Network (cont'd)
There is no authentication or verification of the validity of an ARP request or reply received by the device
The attacker sends messages to routing devices and APs stating that his MAC address is associated with a known IP address (for example, the gateway)
All traffic that goes through that device destined for the hijacked IP address will be handed off to the hacker's machine
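The hijack described above leaves a trace that a forensic capture can be checked for: an IP address whose MAC mapping changes, or a burst of unsolicited replies claiming the gateway. The following detector is added here as an example and is not taken from the module or from any tool it names; it parses tcpdump -n style ARP lines (the sample lines are constructed) and flags both conditions. The gateway address and the MAC addresses are assumed, as is the rule that the first reply seen for an address is the legitimate baseline.

```python
import re

# tcpdump -n style ARP output; these lines are constructed for the example
ARP_LINES = """\
14:02:11.101002 ARP, Reply 10.0.0.1 is-at 00:1e:2a:aa:bb:cc, length 28
14:02:11.420115 ARP, Reply 10.0.0.12 is-at 00:11:50:53:9a:24, length 28
14:02:15.003870 ARP, Request who-has 10.0.0.1 tell 10.0.0.12, length 28
14:02:15.004201 ARP, Reply 10.0.0.1 is-at 00:1e:2a:aa:bb:cc, length 28
14:03:01.510332 ARP, Reply 10.0.0.1 is-at 00:20:a6:52:23:30, length 28
14:03:01.515040 ARP, Reply 10.0.0.1 is-at 00:20:a6:52:23:30, length 28
14:03:01.520977 ARP, Reply 10.0.0.12 is-at 00:20:a6:52:23:30, length 28
14:03:01.525611 ARP, Reply 10.0.0.1 is-at 00:20:a6:52:23:30, length 28
"""

# timestamp, target IP and the MAC the reply claims for it
REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoof(text, gateway_ip, burst_threshold=3):
    """Return alerts for IP->MAC changes and for repeated replies that claim the
    gateway with a MAC other than the one it was first seen with.

    Assumption: the first reply for an address is the legitimate baseline.
    """
    first_seen = {}       # ip -> MAC from the first reply (baseline)
    current = {}          # ip -> MAC from the most recent reply
    gateway_claims = {}   # mac -> replies claiming gateway_ip with a non-baseline MAC
    alerts = []
    for ts, ip, mac in parse_replies(text):
        first_seen.setdefault(ip, mac)
        if ip in current and current[ip] != mac:
            alerts.append({"time": ts, "type": "mac_change", "ip": ip,
                           "old": current[ip], "new": mac})
        current[ip] = mac
        if ip == gateway_ip and mac != first_seen[ip]:
            gateway_claims[mac] = gateway_claims.get(mac, 0) + 1
            if gateway_claims[mac] == burst_threshold:
                alerts.append({"time": ts, "type": "gateway_claim_burst", "ip": ip,
                               "mac": mac, "count": burst_threshold})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoof(ARP_LINES, "10.0.0.1"):
        print(a)
```

Run against a real capture with `tcpdump -n -r arp.pcap arp` piped into `detect_arp_spoof`; a single `mac_change` can be a legitimate NIC swap, so the gateway burst is the stronger indicator.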
Association of Wireless AP and Device
An access point may restrict which devices are allowed to associate in either of the following ways:
• MAC filtering
• Pre-Shared Key (PSK) with encryption
An open access point accepts any client that requests association
If active traffic is being sent between the access point and the associated device, your wireless forensic laptop can display network packet statistics
Network Forensics in a Wireless Environment
Forensic fingerprints can be gathered from:
• Devices connected to wireless networks such as laptops, network storage devices, Ethernet cards, Bluetooth and IR dongles
• Mobile devices and removable devices which store data
• The wireless network, mobile switching center, and visitor location register
• Neighboring networks that the caller accesses
Steps for Investigation
Obtain a search warrant
Identify wireless devices
Document the scene and maintain a chain of custody
Detect the wireless connections
Determine wireless field strength
Map wireless zones & hotspots
Connect to wireless network
Wireless data acquisition and analysis
Report Generation
Key Points to Remember
While conducting a penetration test, the investigator should keep note of the following:
• The active wireless access points physically located within the search warrant scene
• External wireless access points with signal coverage that overlaps the search warrant scene
• Which devices connect or are actively connected to associated access points
• The approximate range (footprint) and signal strength of the examiner's wireless network card
Points You Should Not Overlook While Investigating the Wireless Network
A visual inspection of broadband modems will quickly determine if a wireless access point is physically connected
Investigators should be able to determine if a home network utilizes cable, DSL, or another method of connecting to the Internet
If a wireless access point is physically located, the initial goal is to determine its associated devices by directly connecting to it via a network cable
Obtain a Search Warrant
A search warrant application should include the proper language to perform an on-site examination of computer and wireless related equipment
Conduct forensic examination only on the equipment that the warrant permits to be searched
Document the Scene and
Maintain a Chain Of Custody
All devices connected to the wireless network must be documented
Take photographs of all evidence
Document the state of the device during seizure
Maintain a chain of custody of documents, photographs, and evidence
Identify Wireless Devices
Identify the different wireless devices connected to the network
Check the physical location of the following wireless hardware:
• Routers
• Access points
• Repeaters
• Hard drives
• Antennas
• PCMCIA/EIA
Wireless Components
Antenna
Wireless Access points
Wireless Router
Wireless Modem
SSID
Mobile Station
Base Station Subsystem
Network Subsystem
Base station controller
Mobile Switching Center
Search for Additional Devices
Send de-authentication packets using the Aireplay tool
This forces active wireless equipment to reconnect to its access point; the forensic laptop, with its wireless card in monitor mode, captures the resulting re-association frames and so reveals client MAC addresses that were idle
Aireplay is an additional wireless assessment tool found in the aircrack-ng suite bundled with BackTrack
The Aireplay tool injects specially crafted frames into the wireless stream
Detect Wireless Connections
Wireless connections are detected using scanning tools such as:
• NetStumbler
• MacStumbler
• iStumbler
• Kismet
• KisMAC
Detect Wireless Enabled Computers
Check the number of authorized computers, laptops, and PDAs connected to the wireless LAN APs
Check the IP and MAC addresses of connected hosts using scanning tools such as Nmap
Manual Detection of Wireless APs
In manual detection, the investigator configures a mobile device such as a handheld PC or laptop with a wireless scanner
The investigator then physically visits the area to be monitored to detect WAPs
This can be done by war-driving, war-chalking, and war-flying
Active Wireless Scanning Technique
In the active scanning technique, a scanner broadcasts a probe request and waits for probe responses from access points in range
This technique identifies many WAPs but cannot find those WAPs that do not respond to such a query, for example access points configured to ignore broadcast probe requests (hidden SSID)
Passive Wireless Scanning Technique
The passive scanning technique transmits nothing; the wireless card is put in monitor mode and records every beacon, probe, and data frame heard
It identifies the presence of any wireless communication, including access points that do not answer probe requests, and detects all the active WAP connections in range
Detect WAPs using the Nessus Vulnerability Scanner
The Nessus Vulnerability Scanner can be used to detect wireless access points
For detecting WAPs the following steps are performed:
• Update Nessus with plugin #11026 by running the nessus-update-plugins command
• Configure a new scan by selecting plugin #11026 in the "General" family
• Enable a port scan for ports 1-100
• Disable "Safe Checks"
• Enable "Enable Dependencies at Runtime"
Capture Wireless Traffic
Capture wireless traffic using wireless network monitoring and sniffing tools such as:
• Wireshark
• tcpdump
Tool: Wireshark
Wireshark is a network protocol analyzer for Unix and Windows
It allows examination of data from a live network or from a capture file on disk
It allows the user to see all traffic being passed over the network by putting the network interface into promiscuous mode; to see raw 802.11 frames rather than only the traffic of the network the laptop is associated to, the wireless card must be in monitor mode
Wireshark runs on various computer operating systems including Linux, Mac OS X, and Microsoft Windows
Features of Wireshark
Data can be captured from a live network connection
Live data can be read from different types of network such as Ethernet
Captured data can be browsed via the GUI or via the command line
Capture files can be programmatically edited
Display filters can also be used to selectively highlight and color packet summary information
The data display can be refined using a display filter
Hundreds of protocols can be dissected
Wireshark: Screenshot
Tool: tcpdump
tcpdump is a common computer network debugging tool that runs under the command line
It allows the user to intercept and display TCP/IP and other packets being transmitted or
received over a network to which the computer is attached
tcpdump Commands
Exporting tcpdumps to a file (options such as -l must precede the filter expression):
• # tcpdump -l port 80 > webdump.txt & tail -f webdump.txt
• # tcpdump -w rawdump
• # tcpdump -r rawdump > rawdump.txt
• # tcpdump -c 1000 -w rawdump
• # tcpdump -i eth1 -c 1000 -w rawdump
Capture traffic on a specific port:
• # tcpdump port 80
Select several hosts on your LAN and capture the traffic that passes between them (in a filter expression "host A and B" requires both A and B in the same packet, so the other hosts are combined with "or"):
• # tcpdump host workstation4 and \( workstation11 or workstation13 \)
tcpdump Commands (cont'd)
The same capture with the link-level (MAC) headers printed:
• # tcpdump -e host workstation4 and \( workstation11 or workstation13 \)
Capture all packets except those for certain ports:
• # tcpdump not port 110 and not port 25 and not port 53 and not port 22
Filter by protocol:
• # tcpdump udp
• # tcpdump ip proto OSPFIGP
Capture traffic on a specific host and restrict by protocol:
• # tcpdump host server02 and ip
• # tcpdump host server03 and not udp
• # tcpdump host server03 and ip and igmp and not udp
ClassicStumbler
ClassicStumbler scans and displays information about the wireless access points within range
It displays the signal strength, noise strength, signal-to-noise ratio, and channel of each access point
Wireless Network Monitoring
Tools
MacStumbler displays information about
nearby 802.11b and 802.11g wireless access
points which helps to find access points while
traveling or to diagnose wireless network
problems
iStumbler is the wireless tool for Mac OS X,
providing plugins for finding AirPort networks,
Bluetooth devices, and Bonjour services with
your Mac
Wireless Network Monitoring
Tools (cont’d)
AirPort Signal tool scans for open networks
in range and creates a table row for each station
detected with information about the signals it
received
AirFart detects wireless devices, and
calculates their signal strength
Kismet
Completely passive, capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed networks
Requires an 802.11 card capable of entering RF monitoring mode; once in RF monitoring mode, the card is no longer able to associate with a wireless network
Kismet needs to run as root, but can switch to a lesser-privileged UID as it begins to capture
To hop across channels, run kismet_hopper -p
A closed network with no clients authenticated is shown as <no ssid>, updated when a client logs on
Kismet: Screenshot
Determine Wireless Field Strength: Field Strength Meters (FSM)
http://www.vk1od.net/fsm/
FSM is a software application that extends a conventional SSB receiver to allow measurement and calculation of field strength of radio signals or interference
Features:
• Measurement of true RMS, quasi-peak and peak audio power
• Calculation of received RF power (RMS, QP, and Peak) in dBm based on known receiver noise floor
• Calculation of field strength (RMS, QP, and Peak) in dBuV/m based on known antenna gain or antenna factor
• Extrapolation of calculated field strengths to a normalized (1 Hz) bandwidth for comparisons
• Flexible output options to save results to text files, email, and online/nearline web transactions
Prepare Wireless Zones & Hotspots Maps
Collect the information after detecting the wireless connections
Analyze it properly to prepare the map
Prepare a static map of wireless zones and hotspots
Map the network using tools such as MS Visio
Methods to Access a Wireless Access Point
Direct-connect to the wireless access point (if you have easy direct access)
"Sniffing" traffic between the access point and associated devices (when direct access is not available)
NOTE: In this module we are showcasing a NETGEAR Wireless Router as an example
1. Direct-connect to the Wireless Access Point
You need a network cable plugged between your forensics laptop and the wireless access point
The forensics laptop should have a standard network adapter
Determine whether the laptop has to be assigned an IP address
If the wireless access point is DHCP enabled, the laptop will automatically be assigned an IP in the same network range
1. Direct-connect to the Wireless Access Point (cont'd)
If DHCP is not enabled, you need to assign the forensics laptop an IP address in the same subnet as the wireless access point
Once the laptop has an address, the IP address of the wireless access point is shown as the default gateway in the output of the "ipconfig" command at the command prompt
1. Direct-connect to the Wireless
Access Point (cont’d)
Once you get the IP address of the wireless access point try connecting to it using a web
browser
A login window will pop up and will ask to fill in the credentials for obtaining access to the
wireless access point
1. Direct-connect to the Wireless Access Point (cont'd)
Most of the time customers forget to change the default administrator account of the wireless access point
You can search for the default login and password after you confirm the hardware vendor by physical inspection
See the default credentials list on the following slide for the default information of the wireless access point
Default Credentials List
1. Direct-connect to the Wireless
Access Point (cont’d)
If you are successful in logging to the wireless access point, you will see the screen similar to
as shown below:
1. Direct-connect to the Wireless
Access Point (cont’d)
Click on Attached Devices to find the number of connections made to the wireless access point
It shows the IP address, Device name, and MAC address of each computer attached to the wireless
access point
1. Direct-connect to the Wireless
Access Point (cont’d)
Click on LAN IP Setup to find the LAN TCP/IP setup
1. Direct-connect to the Wireless
Access Point (cont’d)
Since you are connected over LAN to the wireless access point a “ping-sweep” can reveal
other connected systems on the network
Nmap can be used to perform “ping-sweep” and other functions related to scanning
Nmap is a free open source utility for network exploration which is designed to rapidly scan
large networks
Nmap
Features:
• Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps, and many other techniques
• It scans a large number of machines at one time
• It is supported on many operating systems
• It can carry out all types of port scanning techniques
Scanning Wireless Access Points using Nmap
Another method to find live hosts on the network is by using nmap
Since we know the IP address of the access point, the following range of addresses needs to be scanned: 10.0.0.0/24
Execute the following command at the command prompt (-sP is the ping-sweep option; newer nmap releases call it -sn):
• nmap -sP -v 10.0.0.0/24
The result of the above scan will show all the live hosts in the same subnet; when run as root on the local LAN, the vendor and MAC address of each host are also displayed on the screen
To find more information on a specific address, e.g. 10.0.0.1, execute the command given below (SYN scan with OS and version detection):
• nmap -sS -A 10.0.0.1
Rogue Access Point
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network
The two basic methods for locating rogue access points:
• Beaconing, i.e. requesting a beacon
• Network sniffing, i.e. looking for packets in the air
Tools that can detect rogue/unauthorized access points are NetStumbler, MiniStumbler, etc.
Tools to Detect Rogue Access Points: NetStumbler
NetStumbler is a Windows utility for WarDriving written by Marius Milner
NetStumbler is a high-level WLAN scanner; it operates by sending a steady stream of broadcast probe requests on all possible channels
Access points that answer broadcast probe requests are found this way; access points configured to ignore broadcast probes (hidden SSID) are missed, which is why passive tools such as Kismet complement it
NetStumbler displays:
• Signal Strength
• MAC Address
• SSID
• Channel details
Netstumbler: Screenshot
Tools to Detect Rogue Access Points: MiniStumbler
MiniStumbler is the smaller sibling of a free product called NetStumbler
By default, most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen; MiniStumbler relies on this behaviour
It can connect to a global positioning system (GPS)
2. "Sniffing" Traffic Between the Access Point and Associated Devices
The forensics laptop is placed within radio range of the access point and its associated devices, with its wireless card in monitor mode
In this mode, the forensics laptop captures all the 802.11 frames flowing within range, whether or not it is associated to the network
The BackTrack distribution is used to find associated devices in the wireless network
After installing BackTrack, the first step is to run Airodump
Download the Airodump tool from:
• http://www.aircrack-ng.org, or launch it from BackTrack
The "Aircrack Suite" included with BackTrack contains, among other programs, Airodump and Aireplay
Scanning using Airodump
The Airodump program runs in "Scan" mode
This tool hops across all the wireless channels while searching for access points
The scan report shows 8 columns of information, i.e. BSSID, PWR, Beacons, #Data, CH, MB, ENC and ESSID
Scanning using Airodump (cont'd)
BSSID → MAC address of the access point
PWR → Relative strength of the wireless signal as received at the location from where the tool scanned the network
Beacons → Number of beacon frames received from the access point
#Data → Number of data frames captured (for WEP, the number of unique IVs)
CH → Channel
MB → Maximum data rate supported by the access point in megabits per second
ENC → Encryption type detected on the access point (OPN, WEP, WPA, WPA2)
ESSID → Network name (SSID) broadcast by the access point
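The columns above are what airodump derives from beacon frames. The following Python is added as an example (it is not part of the module nor of the aircrack-ng project): it parses raw 802.11 beacon frames, without a radiotap header, into the same BSSID, CH, ENC and ESSID fields and counts Beacons per access point. It also shows two points made earlier in this module: a passive scanner still sees a hidden network (an empty SSID element is reported as <no ssid>, as Kismet does), and with only the privacy bit visible the encryption can only be reported as "WEP?" until data frames arrive. The frames are constructed inside the block with a small builder; the MAC addresses and network names are assumed.

```python
import struct

BEACON_FC0 = 0x80              # frame control byte 0: type=management (0), subtype=beacon (8)
CAP_PRIVACY = 0x0010           # capability information bit: privacy (WEP or WPA) enabled
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 = WPA (v1) vendor IE


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Split the tagged-parameter area into (id, value) pairs; stop on a truncated IE."""
    ies = []
    while len(body) >= 2:
        eid, ln = body[0], body[1]
        if 2 + ln > len(body):
            break
        ies.append((eid, body[2:2 + ln]))
        body = body[2 + ln:]
    return ies


def parse_beacon(frame):
    """Return airodump-style fields for one raw 802.11 beacon, or None if not a beacon."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        return None
    bssid = mac_str(frame[16:22])                      # Addr3 of a management frame
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, channel, has_rsn, has_wpa = None, None, False, False
    for eid, val in parse_ies(frame[36:]):
        if eid == IE_SSID:
            ssid = val
        elif eid == IE_DS_PARAM and len(val) == 1:
            channel = val[0]
        elif eid == IE_RSN:
            has_rsn = True
        elif eid == IE_VENDOR and val.startswith(WPA_OUI_TYPE):
            has_wpa = True
    # A hidden network beacons with an empty or all-NUL SSID element
    if not ssid or not ssid.strip(b"\x00"):
        essid = "<no ssid>"
    else:
        essid = ssid.decode("utf-8", "replace")
    if has_rsn:
        enc = "WPA2"
    elif has_wpa:
        enc = "WPA"
    elif capability & CAP_PRIVACY:
        enc = "WEP?"   # privacy bit only: data frames are needed to confirm WEP
    else:
        enc = "OPN"
    return {"BSSID": bssid, "CH": channel, "ENC": enc, "ESSID": essid}


def passive_scan(frames):
    """Aggregate a capture into one row per BSSID, counting beacons like airodump."""
    table = {}
    for f in frames:
        row = parse_beacon(f)
        if row is None:
            continue
        entry = table.setdefault(row["BSSID"], {**row, "Beacons": 0})
        entry["Beacons"] += 1
    return table


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Construct a minimal beacon frame for the example (not a real capture)."""
    raw_bssid = bytes.fromhex(bssid.replace(":", ""))
    hdr = (bytes([BEACON_FC0, 0x00]) + b"\x00\x00" + b"\xff" * 6
           + raw_bssid + raw_bssid + b"\x00\x00")
    cap = CAP_PRIVACY if (privacy or rsn or wpa) else 0
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([1, 1, 0x82])                    # supported rates: 1 Mbps (basic)
    ies += bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2]) + b"\x01\x00"   # RSN version 1, remaining fields omitted
    if wpa:
        ies += bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
    return hdr + fixed + ies


# Constructed capture: three APs (one hidden) plus a data frame the parser must skip
SAMPLE_FRAMES = [
    build_beacon("00:1e:2a:aa:bb:cc", b"netgear", 6, rsn=True),
    build_beacon("00:1e:2a:aa:bb:cc", b"netgear", 6, rsn=True),
    build_beacon("00:11:50:53:9a:24", b"belkin54g", 11, privacy=True),
    build_beacon("00:0c:41:de:ad:01", b"", 1),
    b"\x08\x02" + b"\x00" * 34,
]

if __name__ == "__main__":
    for bssid, row in passive_scan(SAMPLE_FRAMES).items():
        print(f"{bssid}  CH {row['CH']:>2}  {row['ENC']:<5} beacons={row['Beacons']}  {row['ESSID']}")
```

To run it over a real capture, strip the radiotap header (its length is the 16-bit little-endian value at offset 2) from each packet before calling `parse_beacon`.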
Scanning using Airodump (cont'd)
To confirm the scanning result, the investigator can match the MAC address obtained from scanning to the MAC address printed on a label on the scanned wireless access point
Make a note of the CH (channel) setting
The Airodump screenshot shows the "netgear" wireless router operating on channel 6
Select channel 6 while rescanning with Airodump
The switch "-c 6" locks the scan to access points present only on channel 6
"Ctrl+C" is used to stop the Airodump scanning process
Airodump: Screenshot
MAC Address Information
Details of the vendor of the wireless access point can be found from its MAC address (the first three octets are the vendor's OUI)
Visit http://www.coffer.com/mac_find/ and enter the MAC address to find the vendor information
Note that it is easy to change a MAC address with a few software settings, so the vendor lookup identifies the card as it presents itself, not necessarily the real hardware
Airodump: Points to Note
The "BSSID", "CH" and "ESSID" columns have the information that will be useful during the initial phase of the scan
The investigator should concentrate on the "Packets" column in the association (client) list, since it shows which clients are actually exchanging traffic
The "Beacons" column does not reflect data passing between the access point and associated equipment
If Airodump cannot determine the state of encryption on the access point, the ENC column will display "WEP?"
Airodump requires several data packets to make a determination of the type of encryption being used
Forcing Associated Devices to Reconnect
The Aireplay tool disconnects the connected wireless devices by sending de-authentication frames
The wireless devices are made to think that the wireless access point has dropped them; once disconnected, the devices attempt to reconnect to the same access point
Airodump should be running in the background while the de-authentication packets are sent, so that the re-association frames are captured
Use the command given below to send de-authentication packets:
• aireplay-ng --deauth 5 -a {MAC of AP} {interface}
• Where: MAC of AP → MAC address of the access point
• interface → name of the monitor-mode wireless interface on the forensics laptop
If physical access to the wireless access point is available, then unplug the device and plug it back in; at the same time make sure that Airodump is running on the forensics laptop
Note that the reset button is NOT pressed, since a factory reset would destroy the configuration that is itself evidence
Check for MAC Filtering
Aireplay-ng can be used to determine whether the target access point uses MAC filtering
Attempt a forced (fake) authentication if the wireless network card of the forensics laptop supports packet injection
If MAC filtering is active on the target access point, association with an unknown MAC address will be denied
Open a terminal window within BackTrack
At the command prompt, type the command given below:
• aireplay-ng --fakeauth 0 -e {target ESSID} -a {MAC address of AP} -h {MAC address of your forensic laptop's wireless card} {interface}
An example would be:
• aireplay-ng --fakeauth 0 -e belkin54g -a 00:11:50:53:9A:24 -h 00:20:A6:52:23:30 {interface}
Check for MAC Filtering (cont'd)
An unsuccessful attempt on its own does not prove MAC filtering at the target access point
If an associated MAC address is shown while scanning with airodump-ng, attempt to re-associate by spoofing the forensics laptop's MAC address to that value
Within BackTrack, select "BackTrack", "Wireless Tools", "Miscellaneous", "MAC Changer"
Once the command is executed, a message will be displayed showing whether the authentication and association were successful
Changing the MAC Address
Before changing the MAC, the wireless network card of the forensics laptop should not be active; close airodump-ng or any other program that utilizes the network card before continuing
If required, force the card to shut down by typing:
• ifconfig {interface} down
Command to change the MAC address:
• macchanger -m {MAC of currently associated device} {interface}
Changing the MAC Address
(cont’d)
The screenshot below shows a list of available options for “macchanger”
Changing the MAC Address (cont'd)
After the MAC address is changed, the display will show the previous and new MAC address and vendor settings
Reactivate the forensics laptop's wireless network card by using the command given below:
• ifconfig {interface} up
Attempt an authentication and association to the access point using the spoofed MAC address
If you see the "success" message after the attempt with your own MAC address failed, MAC filtering is indeed active on the access point
If MAC filtering is turned off and encryption is turned on, this method of authentication will not yield any success
Wireless Data Acquisition and Analysis
Acquire the DHCP logs, firewall logs, and network logs
Use fwanalog and Firewall Analyzer to view the firewall log files
Analyze the log files for:
• DHCP log files for issued MAC addresses
• Firewall logs for intrusions
• Network logs for intrusion activities
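The DHCP log check above can be automated. The following Python is added as an example and is not drawn from the module: it parses ISC dhcpd syslog lines (the lines are constructed), resolves the vendor of each MAC from a small OUI table, and flags two things an investigator cares about: addresses issued to MACs that are not in the site's inventory, and a hostname that appears with more than one MAC, which is what a spoofed MAC (the macchanger steps earlier in this module) looks like in the DHCP log. The OUI table and the authorized list are assumed.

```python
import re
from collections import defaultdict

# ISC dhcpd syslog format; these lines are constructed for the example
DHCP_LOG = """\
Mar  3 14:02:11 gw dhcpd: DHCPACK on 10.0.0.12 to 00:11:50:53:9a:24 (desk-pc) via eth0
Mar  3 14:05:40 gw dhcpd: DHCPACK on 10.0.0.15 to 00:0c:41:de:ad:01 (laptop) via eth0
Mar  3 14:07:02 gw dhcpd: DHCPDISCOVER from 00:20:a6:52:23:30 via eth0
Mar  3 14:07:03 gw dhcpd: DHCPACK on 10.0.0.23 to 00:20:a6:52:23:30 via eth0
Mar  3 14:19:55 gw dhcpd: DHCPACK on 10.0.0.31 to 00:20:a6:52:23:30 (laptop) via eth0
"""

# timestamp, leased IP, client MAC and optional "(hostname)" from a DHCPACK line
ACK_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))?",
    re.I)

# Assumed subset of the IEEE OUI list; use the full list (or coffer.com) in practice
OUI = {"00:11:50": "Belkin", "00:20:a6": "Proxim", "00:0c:41": "Linksys"}

# Assumed asset inventory of MACs that are allowed on this network
AUTHORIZED = {"00:11:50:53:9a:24", "00:0c:41:de:ad:01"}


def vendor(mac):
    """Look up the manufacturer from the first three octets of a MAC address."""
    return OUI.get(mac.lower()[:8], "unknown")


def parse_acks(text):
    """Return one dict per DHCPACK line; DISCOVER/OFFER/REQUEST lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append({"time": ts, "ip": ip, "mac": mac.lower(), "host": host or ""})
    return leases


def audit_leases(leases, authorized):
    """Flag MACs outside the inventory (first lease each) and hostnames seen with
    more than one MAC, which is how a spoofed or replaced card shows up."""
    unknown, seen_unknown = [], set()
    by_host = defaultdict(set)
    for lease in leases:
        if lease["mac"] not in authorized and lease["mac"] not in seen_unknown:
            seen_unknown.add(lease["mac"])
            unknown.append({**lease, "vendor": vendor(lease["mac"])})
        if lease["host"]:
            by_host[lease["host"]].add(lease["mac"])
    host_conflicts = {h: sorted(m) for h, m in by_host.items() if len(m) > 1}
    return {"unknown": unknown, "host_conflicts": host_conflicts}


if __name__ == "__main__":
    report = audit_leases(parse_acks(DHCP_LOG), AUTHORIZED)
    for u in report["unknown"]:
        print(f"unknown MAC {u['mac']} ({u['vendor']}) got {u['ip']} at {u['time']}")
    for host, macs in report["host_conflicts"].items():
        print(f"hostname {host!r} seen with several MACs: {', '.join(macs)}")
```

The hostname is client-supplied, so a conflict is a lead to correlate with the airodump client list and the AP's "Attached Devices" page, not proof on its own.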
Wireless Data Acquisition and Analysis (cont’d)
Decrypt any encrypted log files
Recover the passwords of password-protected log files with tools such as Hydra and Cain & Abel
Analyze the traffic captured by sniffing tools such as Wireshark
Check the following on the seized hosts:
• Registry analysis
• USB device footprints
• Network connection history logs
• Wireless device logs
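The DHCP check above (and the same check repeated in the summary) can be scripted. The following Python script is an added example and not part of the original module: it reads ISC dhcpd syslog lines, lists every lease that was acknowledged, flags MACs absent from a device inventory, flags a single MAC that presented two different client hostnames (the trace left when the MAC of an active client is spoofed, as in the MAC-changing procedure earlier in this module), and identifies the hardware vendor from the OUI. The log lines, inventory and host names are constructed; the OUI table holds one entry and stands in for the IEEE registry.

```python
#!/usr/bin/env python3
"""Triage ISC dhcpd syslog output for a wireless investigation.

DHCPACK lines record which MAC was issued which address and when. Three
checks run over them: MACs absent from the site inventory, one MAC
presenting more than one client hostname (what a spoofed MAC leaves behind
while the real client is still active), and OUI-based vendor lookup.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the ISC dhcpd syslog format; hosts and MACs are invented.
SAMPLE_LOG = """\
Mar 12 08:00:01 gw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan0
Mar 12 08:00:01 gw dhcpd: DHCPOFFER on 192.168.1.50 to aa:bb:cc:dd:ee:01 (laptop-1) via wlan0
Mar 12 08:00:02 gw dhcpd: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from aa:bb:cc:dd:ee:01 (laptop-1) via wlan0
Mar 12 08:00:02 gw dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (laptop-1) via wlan0
Mar 12 08:05:10 gw dhcpd: DHCPACK on 192.168.1.51 to aa:bb:cc:dd:ee:02 (printer) via wlan0
Mar 12 08:07:33 gw dhcpd: DHCPACK on 192.168.1.52 to aa:bb:cc:dd:ee:03 via wlan0
Mar 12 09:41:07 gw dhcpd: DHCPACK on 192.168.1.77 to 00:0c:29:12:34:56 (kali) via wlan0
Mar 12 09:52:19 gw dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (kali) via wlan0
"""

# Site inventory (constructed): MACs the organisation knows it owns.
AUTHORIZED = {
    "aa:bb:cc:dd:ee:01": "laptop-1",
    "aa:bb:cc:dd:ee:02": "printer",
    "aa:bb:cc:dd:ee:03": "badge-reader",
}

# OUI excerpt: 00:0c:29 is VMware's prefix. A real run should load the
# IEEE OUI registry (oui.txt) instead of this one-entry table.
OUI = {"00:0c:29": "VMware"}

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_dhcp_acks(lines):
    """One dict per DHCPACK line; DISCOVER/OFFER/REQUEST lines are skipped."""
    acks = []
    for line in lines:
        m = ACK_RE.match(line.strip())
        if m:
            acks.append({
                "ts": m["ts"], "ip": m["ip"], "iface": m["iface"],
                "mac": m["mac"].lower(), "host": m["host"],  # None when no hostname sent
            })
    return acks


def unknown_macs(acks, inventory):
    """MACs that were issued a lease but are not in the inventory."""
    return sorted({a["mac"] for a in acks if a["mac"] not in inventory})


def hostname_conflicts(acks):
    """MACs that presented more than one client hostname."""
    names = defaultdict(set)
    for a in acks:
        if a["host"]:
            names[a["mac"]].add(a["host"])
    return {mac: hosts for mac, hosts in names.items() if len(hosts) > 1}


def vendor(mac):
    """Manufacturer from the first three octets (the OUI) of a MAC."""
    return OUI.get(mac.lower()[:8], "unknown OUI")


def triage(lines, inventory=AUTHORIZED):
    acks = parse_dhcp_acks(lines)
    return {
        "leases": [(a["ts"], a["ip"], a["mac"], a["host"]) for a in acks],
        "unknown": [(mac, vendor(mac)) for mac in unknown_macs(acks, inventory)],
        "conflicts": hostname_conflicts(acks),
    }


if __name__ == "__main__":
    # Usage: python3 dhcp_triage.py /var/log/syslog   (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            result = triage(fh.read().splitlines())
    else:
        result = triage(SAMPLE_LOG.splitlines())
    for ts, ip, mac, host in result["leases"]:
        print(f"{ts}  {ip:<15} {mac}  {host or '-'}")
    for mac, vend in result["unknown"]:
        print(f"UNKNOWN MAC {mac} ({vend}) was issued a lease")
    for mac, hosts in result["conflicts"].items():
        print(f"POSSIBLE SPOOFING: {mac} seen as {', '.join(sorted(hosts))}")
```

Only DHCPACK lines are trusted as evidence that an address was actually issued; DISCOVER and REQUEST lines show intent, not a lease. The hostname conflict is a weak signal on its own (a reinstalled machine also changes its name), so correlate it with the lease timestamps and with the firewall and network logs before drawing a conclusion.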
Report Generation
Details about the findings:
• Information about the files
• Internet-related evidence
• Data and image analysis
Name of the investigator
List of wireless evidence
Documentation of the evidence and other supporting items
List of tools used for the investigation
Devices and set-up used in the examination
Brief description of the examination steps
Conclusion of the investigation
Summary
Association between a wireless AP and a device may be controlled by MAC filtering, by a Pre-Shared Key (PSK), or by encryption
Methods to access a wireless access point include connecting directly to the access point and "sniffing" the traffic between the access point and its associated devices
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network
The vendor of a wireless access point can be identified from its MAC address: the first three octets are the manufacturer's IEEE-assigned OUI
A passive attack consists of eavesdropping on the network traffic
To investigate wireless attacks, check the DHCP log files for issued MAC addresses, the firewall logs for intrusions, and the network logs for intrusion activity
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

More Related Content

What's hot

Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesVi Tính Hoàng Nam
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezVi Tính Hoàng Nam
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksVi Tính Hoàng Nam
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetVi Tính Hoàng Nam
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotVi Tính Hoàng Nam
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingVi Tính Hoàng Nam
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsVi Tính Hoàng Nam
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversVi Tính Hoàng Nam
 

What's hot (20)

Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internet
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
Ce hv6 module 62 case studies
Ce hv6 module 62 case studiesCe hv6 module 62 case studies
Ce hv6 module 62 case studies
 
File000148
File000148File000148
File000148
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
Ceh v5 module 21 cryptography
Ceh v5 module 21 cryptographyCeh v5 module 21 cryptography
Ceh v5 module 21 cryptography
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
 
Ccna 1 8
Ccna 1  8Ccna 1  8
Ccna 1 8
 

Viewers also liked

η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5
η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5
η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5Δάφνη Μπατσίλα
 
Curriculum Vitae
Curriculum VitaeCurriculum Vitae
Curriculum VitaeSteve Perry
 
Lessons in failure entrepreneurship is a journey through zeroes
Lessons in failure   entrepreneurship is a journey through zeroesLessons in failure   entrepreneurship is a journey through zeroes
Lessons in failure entrepreneurship is a journey through zeroesKevin Li
 
מצגת בלון דקור
מצגת בלון דקורמצגת בלון דקור
מצגת בלון דקורaviavi28
 
Conceptos informaticos
Conceptos  informaticosConceptos  informaticos
Conceptos informaticosJose Duran
 
Книгата-прозорец към света
Книгата-прозорец към светаКнигата-прозорец към света
Книгата-прозорец към светаmnpc2012
 
Finanzas personales
Finanzas   personalesFinanzas   personales
Finanzas personalesLuis Silva
 
Ratkaisuja - Auringosta ja rahasta
Ratkaisuja -  Auringosta ja rahastaRatkaisuja -  Auringosta ja rahasta
Ratkaisuja - Auringosta ja rahastaJouni K. Juntunen
 
5.1 techniques of amortized analysis
5.1 techniques of amortized analysis5.1 techniques of amortized analysis
5.1 techniques of amortized analysisHironobu Kinugawa
 
Leon Analysis- Kiara Eley
Leon Analysis- Kiara EleyLeon Analysis- Kiara Eley
Leon Analysis- Kiara Eleytbgsmedia1415
 

Viewers also liked (16)

η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5
η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5
η σχεση της ενδυμασιας με την ηθικη ταταζιδου ανατοληποιοτητα γ5
 
หลักสูตรดับเพลิงขั้นต้น 3.59(ขึ้นเว็บ)
หลักสูตรดับเพลิงขั้นต้น 3.59(ขึ้นเว็บ)หลักสูตรดับเพลิงขั้นต้น 3.59(ขึ้นเว็บ)
หลักสูตรดับเพลิงขั้นต้น 3.59(ขึ้นเว็บ)
 
Curriculum Vitae
Curriculum VitaeCurriculum Vitae
Curriculum Vitae
 
Backdropsource
Backdropsource Backdropsource
Backdropsource
 
Lessons in failure entrepreneurship is a journey through zeroes
Lessons in failure   entrepreneurship is a journey through zeroesLessons in failure   entrepreneurship is a journey through zeroes
Lessons in failure entrepreneurship is a journey through zeroes
 
מצגת בלון דקור
מצגת בלון דקורמצגת בלון דקור
מצגת בלון דקור
 
Conceptos informaticos
Conceptos  informaticosConceptos  informaticos
Conceptos informaticos
 
Книгата-прозорец към света
Книгата-прозорец към светаКнигата-прозорец към света
Книгата-прозорец към света
 
Finanzas personales
Finanzas   personalesFinanzas   personales
Finanzas personales
 
Challenges in global warming
Challenges in global warmingChallenges in global warming
Challenges in global warming
 
Tarea 5. do not let them die!
Tarea 5. do not let them die!Tarea 5. do not let them die!
Tarea 5. do not let them die!
 
Past con past progressive
Past con past progressivePast con past progressive
Past con past progressive
 
Ratkaisuja - Auringosta ja rahasta
Ratkaisuja -  Auringosta ja rahastaRatkaisuja -  Auringosta ja rahasta
Ratkaisuja - Auringosta ja rahasta
 
LittleDoor Talents Pvt Ltd
LittleDoor Talents Pvt LtdLittleDoor Talents Pvt Ltd
LittleDoor Talents Pvt Ltd
 
5.1 techniques of amortized analysis
5.1 techniques of amortized analysis5.1 techniques of amortized analysis
5.1 techniques of amortized analysis
 
Leon Analysis- Kiara Eley
Leon Analysis- Kiara EleyLeon Analysis- Kiara Eley
Leon Analysis- Kiara Eley
 

Similar to Investigating Wireless Networks

Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Scienceinventy
 
Wirless Security By Zohaib Zeeshan
Wirless Security By Zohaib ZeeshanWirless Security By Zohaib Zeeshan
Wirless Security By Zohaib ZeeshanZaibi Gondal
 
Wireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaWireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaArpit Bhatia
 
[GITSN] wireless data security system
[GITSN] wireless data security system[GITSN] wireless data security system
[GITSN] wireless data security system운상 조
 
The Wireless Library Palinet Spring2005
The Wireless Library Palinet Spring2005The Wireless Library Palinet Spring2005
The Wireless Library Palinet Spring2005Bill Drew
 
Wireless Network security
Wireless Network securityWireless Network security
Wireless Network securityFathima Rahaman
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Jiunn-Jer Sun
 
Fa13 7718-ch7 9-singh
Fa13 7718-ch7 9-singhFa13 7718-ch7 9-singh
Fa13 7718-ch7 9-singhMary-Jo Apigo
 
Topic 4.0 wireless technology
Topic 4.0 wireless technologyTopic 4.0 wireless technology
Topic 4.0 wireless technologyAtika Zaimi
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTgr9293
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11bguestd7b627
 
Wireless networking and security
Wireless networking and securityWireless networking and security
Wireless networking and securityKowsalyaS12
 
Wireless security
Wireless securityWireless security
Wireless securitySalma Elhag
 

Similar to Investigating Wireless Networks (20)

Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
Research Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and ScienceResearch Inventy : International Journal of Engineering and Science
Research Inventy : International Journal of Engineering and Science
 
15
1515
15
 
Wlan security
Wlan securityWlan security
Wlan security
 
Wirless Security By Zohaib Zeeshan
Wirless Security By Zohaib ZeeshanWirless Security By Zohaib Zeeshan
Wirless Security By Zohaib Zeeshan
 
Wireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit BhatiaWireless LAN Security by Arpit Bhatia
Wireless LAN Security by Arpit Bhatia
 
[GITSN] wireless data security system
[GITSN] wireless data security system[GITSN] wireless data security system
[GITSN] wireless data security system
 
The Wireless Library Palinet Spring2005
The Wireless Library Palinet Spring2005The Wireless Library Palinet Spring2005
The Wireless Library Palinet Spring2005
 
Wireless Network security
Wireless Network securityWireless Network security
Wireless Network security
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
 
Fa13 7718-ch7 9-singh
Fa13 7718-ch7 9-singhFa13 7718-ch7 9-singh
Fa13 7718-ch7 9-singh
 
Topic 4.0 wireless technology
Topic 4.0 wireless technologyTopic 4.0 wireless technology
Topic 4.0 wireless technology
 
Firewall ppt.pptx
Firewall ppt.pptxFirewall ppt.pptx
Firewall ppt.pptx
 
Wifi- technology_moni
Wifi- technology_moniWifi- technology_moni
Wifi- technology_moni
 
Wireless LAN Security
Wireless LAN SecurityWireless LAN Security
Wireless LAN Security
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
Wireless networking and security
Wireless networking and securityWireless networking and security
Wireless networking and security
 
Wireless security
Wireless securityWireless security
Wireless security
 

More from Desmond Devendran (20)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000173
File000173File000173
File000173
 
File000172
File000172File000172
File000172
 
File000171
File000171File000171
File000171
 
File000170
File000170File000170
File000170
 
File000169
File000169File000169
File000169
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 

Recently uploaded

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Investigating Wireless Networks

  • 1. Module XXIX – Investigating Wireless Attacks
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Verifying Wireless Hackers for Homeland Security Source: http://www.sciencedaily.com/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Cops Roped in to Provide Security for Planned Wi-Fi Network Source: http://www.expressindia.com/
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Wireless Networking Technologies • Wireless Attacks • Hijacking and Modifying a Wireless Network • Association of Wireless AP and Device • Network Forensics in a Wireless Environment • Steps for Investigation • Wireless Components • Active and Passive Wireless Scanning Techniques • Tools This module will familiarize you with:
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Wireless Network Technologies Steps for Investigation Wireless Components Wireless Attacks Network Forensics in a Wireless Environment Active and Passive Wireless Scanning Techniques Hijacking and Modifying a Wireless Network Wireless Network Technologies Tools
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Wireless Networking Technologies Wireless networking technology is becoming increasingly popular and at the same time many security issues are also arising The popularity of wireless technology is driven by two primary factors, convenience and cost A Wireless Local Area Network (WLAN) allows workers to access digital resources without being locked to their desks Some of the wireless networking technologies are as follows: Bluetooth InfraRed Ultrawideband ZigBee Wireless USB Wi-Fi WiMAX Satellite
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Wireless Networks There are four basic types: Access Point Wireless Network Wired Ethernet Network Extension Point Access Point 1 Wireless Network 1 Wired Ethernet Network Access Point 2 Wireless Network 2 Access Point 1 Wireless Network Wired Ethernet Network 1 Access Point 2 Wired Ethernet Network 2 Peer-to-Peer Extension to a wired network Multiple access points LAN-to-LAN wireless network
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Wireless Attacks • Wardriving is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere Wardriving: • Warflying involves flying around in an aircraft looking for open wireless networks Warflying: • Warchalking term comes from whackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access Warchalking:
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Passive Attack Eavesdropping on the network traffic can be the possibility of a passive attack Passive attacks are difficult to be sensed Administrator using DHCP on a wireless network could detect that an authorized MAC address has acquired an IP address in the DHCP server logs An eavesdropper can easily seize the network traffic using tools such as Network Monitor in Microsoft products, or TCPdump in Linux-based products, or AirSnort
• 10. Threats from Electronic Emanations. Electronic emanations are the radiations from an electrical or electronic device. Threats from electronic emanations: Eavesdropping: unauthorized listening to private conversations; electronic emanations carry the information to the destined system; since the wireless network is insecure, attackers take advantage of emanations to listen to or manipulate the information. Data leakage: leakage of information through emanations. Sniffing: attackers can capture and decode the information from the emanations.
• 11. Active Attacks on Wireless Networks. If an intruder obtains adequate information from the passive attack, the network becomes more vulnerable to an active attack, which can seize a system through: DoS attacks; MITM attacks; hijacking and modifying a wireless network.
• 12. Denial-of-Service Attacks. Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs. WLANs send information via radio waves on public frequencies, making them susceptible to inadvertent or deliberate interference from traffic using the same radio band.
• 13. Man-in-the-Middle Attack (MITM). Two types of MITM: Eavesdropping: happens when an attacker receives a data communication stream; not using security mechanisms such as IPsec, SSH, or SSL makes data vulnerable to an unauthorized user. Manipulation: an extended step of eavesdropping; it can be done by ARP poisoning.
• 14. Hijacking and Modifying a Wireless Network. TCP/IP packets go through switches, routers, and APs. Each device looks at the destination IP address and compares it with the local IP addresses in its table. If the address is not in the table, the device hands the packet to its default gateway. This table is a dynamic one that is built up from traffic passing through the device and through Address Resolution Protocol (ARP) notifications from new devices joining the network.
• 15. Hijacking and Modifying a Wireless Network (cont’d). There is no authentication or verification of the validity of a request received by the device. The attacker sends messages to routing devices and APs stating that his MAC address is associated with a known IP address. All traffic that goes through that device destined for the hijacked IP address will be handed off to the attacker’s machine.
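The hijack described in slides 14 and 15 works because a device believes any "IP X is at MAC Y" announcement without verification. The following Python script is an added example (not part of the EC-Council module) showing the defender's counterpart: a monitor on the segment keeps its own IP-to-MAC table from observed ARP replies and alerts when an address moves to a different MAC, or when one MAC answers for several addresses including the gateway. The replies are constructed sample data; the MAC values reuse the example addresses that appear later in the module.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example, not part of the EC-Council module. The replay below is
constructed sample data, not a real capture.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample: normal announcements, then AA:BB:CC:DD:EE:FF starts
# claiming both the gateway (10.0.0.1) and a workstation (10.0.0.5).
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.1", "00:11:50:53:9A:24"),  # gateway / AP
    ArpReply(1.5, "10.0.0.5", "00:20:A6:52:23:30"),  # workstation
    ArpReply(2.0, "10.0.0.7", "AA:BB:CC:DD:EE:FF"),  # a third station
    ArpReply(9.0, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),  # gateway address hijacked
    ArpReply(9.5, "10.0.0.5", "AA:BB:CC:DD:EE:FF"),  # workstation address hijacked
]


def detect_arp_spoofing(replies, gateway_ip=None):
    """Replay ARP replies in order and return (ip_to_mac, alerts).

    ip_to_mac: the mapping a victim host would end up with
    alerts:    human-readable findings, empty when nothing moved
    """
    ip_to_mac = {}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = ip_to_mac.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"t={r.ts}: {r.sender_ip} moved from {known} to {mac}")
        ip_to_mac[r.sender_ip] = mac

    # One MAC answering for several IPs is the footprint of an ARP-based MITM.
    mac_to_ips = {}
    for ip, mac in ip_to_mac.items():
        mac_to_ips.setdefault(mac, []).append(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {sorted(ips)}")
            if gateway_ip in ips:
                alerts.append(f"{mac} claims the gateway {gateway_ip}: probable MITM")
    return ip_to_mac, alerts


if __name__ == "__main__":
    table, found = detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="10.0.0.1")
    for line in found:
        print(line)
```

In a live deployment the reply list would be fed from a sniffer on the segment; the static gateway check is the one most worth keeping, since the gateway address is the one an attacker must claim to see all outbound traffic.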
• 16. Association of Wireless AP and Device. Association of an AP and a wireless device may take place in either of the following ways: MAC filtering; Pre-Shared Key (PSK) or use of encryption. If active traffic is being sent between the access point and the associated device, your wireless forensic laptop can display network packet statistics.
• 17. Network Forensics in a Wireless Environment. Forensic fingerprints can be gathered from: devices connected to wireless networks such as laptops, network storage devices, Ethernet cards, Bluetooth and IR dongles; mobile devices and removable devices which store data; the wireless network, mobile switching center and visitor location center; neighboring networks that the caller accesses.
• 18. Steps for Investigation: 1. Obtain a search warrant; 2. Identify wireless devices; 3. Document the scene and maintain a chain of custody; 4. Detect the wireless connections; 5. Determine wireless field strength; 6. Map wireless zones and hotspots; 7. Connect to the wireless network; 8. Wireless data acquisition and analysis; 9. Report generation.
• 19. Key Points to Remember. While conducting a penetration test, the investigator should keep note of the following: the active wireless access points physically located within the search warrant scene; external wireless access points with signal coverage that overlaps the search warrant scene; which devices connect or are actively connected to associated access points; the approximate range (footprint) and signal strength of the examiner’s wireless network card.
• 20. Points You Should Not Overlook While Investigating the Wireless Network. A visual inspection of broadband modems will quickly determine if a wireless access point is physically connected. Investigators should be able to determine if a home network utilizes cable, DSL, or another method of connecting to the Internet. If a wireless access point is physically located, the initial goal is to determine its associated devices by directly connecting to it via a network cable.
• 21. Obtain a Search Warrant. A search warrant application should include the proper language to perform an on-site examination of computer and wireless related equipment. Conduct a forensic test only on the equipment that is permitted to be searched in the warrant.
• 22. Document the Scene and Maintain a Chain of Custody. All devices connected to the wireless network must be documented. Take photographs of all evidence. Document the state of each device during seizure. Maintain a chain of custody for documents, photographs, and evidence.
• 23. Identify Wireless Devices. Identify the different wireless devices connected to the network. Check the physical location of the following wireless hardware: routers; access points; repeaters; hard drives; antennas; PCMCIA/EIA cards.
• 24. Wireless Components: antenna; wireless access points; wireless router; wireless modem; SSID; mobile station; base station subsystem; network subsystem; base station controller; mobile switching center.
• 25. Search for Additional Devices. Send de-authentication packets using the Aireplay tool. This may force active wireless equipment to reconnect to the default wireless access point, which will be redirected to the forensic laptop (since the laptop is running in promiscuous mode). Aireplay is an additional wireless assessment tool found within the aircrack portion of the BackTrack folder. The Aireplay tool injects specially crafted data packets into the wireless stream.
• 26. Detect Wireless Connections. Wireless connections are detected using scanning tools such as: NetStumbler; MacStumbler; iStumbler; Kismet; KisMAC.
• 27. Detect Wireless Enabled Computers. Check the number of authorized computers, laptops, and PDAs connected to the wireless LAN APs. Check for the public IP and MAC addresses using scanning tools such as Nmap.
• 28. Manual Detection of Wireless APs. In manual detection, the investigator configures a mobile device such as a handheld PC or laptop, then physically visits the area to be monitored to detect WAPs. This can be done by war-driving, war-chalking, and war-flying.
• 29. Active Wireless Scanning Technique. In the active scanning technique, a scanner broadcasts a probe message and waits for a response from devices in range. This technique identifies many WAPs but cannot find those WAPs which do not respond to such a query.
• 30. Passive Wireless Scanning Technique. The passive scanning technique identifies the presence of any wireless communication. It detects all the active WAP connections.
• 31. Detect WAPs using the Nessus Vulnerability Scanner. The Nessus Vulnerability Scanner is used to detect wireless access points. For detecting the WAP, the following steps are performed: update Nessus with plugin #11026 by running the nessus-update-plugins command; configure a new scan by selecting plugin #11026 in the “General” family; enable a port scan for ports 1-100; disable “Safe Checks”; enable “Enable Dependencies at Runtime”.
• 32. Capture Wireless Traffic. Capture wireless traffic using wireless network monitoring and sniffing tools such as: Wireshark; tcpdump.
• 33. Tool: Wireshark. Wireshark is a network protocol analyzer for Unix and Windows. It allows examination of data from a live network or from a capture file on disk. It allows the user to see all traffic being passed over the network by putting the network interface into promiscuous mode. Wireshark runs on various operating systems including Linux, Mac OS X, and Microsoft Windows.
• 34. Features of Wireshark. Data can be captured from a live network connection. Live data can be read from different types of network such as Ethernet. Captured data can be browsed via GUI or via command line. Captured files can be programmatically edited. Display filters can be used to selectively highlight and color packet summary information. The data display can be refined using a display filter. Hundreds of protocols can be dissected.
• 35. Wireshark: Screenshot
• 36. Tool: tcpdump. tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
• 37. tcpdump Commands. Exporting tcpdumps to a file: • # tcpdump port 80 -l > webdump.txt & tail -f webdump.txt • # tcpdump -w rawdump • # tcpdump -r rawdump > rawdump.txt • # tcpdump -c1000 -w rawdump • # tcpdump -i eth1 -c1000 -w rawdump. Capture traffic on a specific port: • # tcpdump port 80. Select several hosts on your LAN and capture the traffic that passes between them: • # tcpdump host workstation4 and workstation11 and workstation13
• 38. tcpdump Commands (cont’d). Capture all the LAN traffic between workstation4 and the LAN, except for workstation: • # tcpdump -e host workstation4 and workstation11 and workstation13. Capture all packets except those for certain ports: • # tcpdump not port 110 and not port 25 and not port 53 and not port 22. Filter by protocol: • # tcpdump udp • # tcpdump ip proto OSPFIGP. Capture traffic on a specific host and restrict by protocol: • # tcpdump host server02 and ip • # tcpdump host server03 and not udp • # tcpdump host server03 and ip and igmp and not udp
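The `-w rawdump` and `-r rawdump` commands on slide 37 write and read the libpcap file format, and the `host A and B` and `not udp` expressions on slides 37 and 38 are filters over the decoded headers. The following Python script is an added example (not from the EC-Council module and not tcpdump's code) that does the same thing by hand: it walks the pcap record headers, decodes the Ethernet and IPv4 headers, and applies a host and protocol filter. The capture is constructed in memory with made-up addresses so it runs offline; only IPv4 over Ethernet is decoded.

```python
"""Read a libpcap capture (the format `tcpdump -w` writes) and apply a
`host A and B ... and not udp` style filter in pure Python.

Added example, not part of the EC-Council module or of tcpdump. The sample
capture is constructed below; the MAC addresses in it are placeholders.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_pcap(packets):
    """Serialise (ts_sec, src_ip, dst_ip, proto, payload_len) tuples as pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, dst, proto, plen in packets:
        eth = (bytes.fromhex("001150539a24") + bytes.fromhex("0020a6522330")
               + struct.pack(">H", ETHERTYPE_IPV4))
        # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
        # TTL, protocol, checksum (left 0 in this constructed sample), src, dst.
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = eth + ip + b"\x00" * plen
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (ts_sec, src_ip, dst_ip, proto) for every IPv4 packet in the blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:                       # Ethernet (14) + IPv4 (20)
            continue                              # truncated by snaplen: skip
        ethertype, = struct.unpack_from(">H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        proto = frame[14 + 9]                     # IPv4 protocol field
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        yield ts_sec, src, dst, proto


def host_filter(packets, hosts, exclude_protos=()):
    """Mirror of `tcpdump host A and B ... and not udp`: every listed host must
    be the source or destination, and excluded IP protocol numbers are dropped."""
    return [p for p in packets
            if all(h in (p[1], p[2]) for h in hosts)
            and p[3] not in exclude_protos]


def conversation_counts(packets):
    """Packets per unordered host pair, the summary an examiner wants from a dump."""
    return Counter(tuple(sorted((p[1], p[2]))) for p in packets)


# Constructed sample capture: two workstations talking to the AP at 10.0.0.1.
SAMPLE_PACKETS = [
    (1, "10.0.0.5", "10.0.0.1", PROTO_TCP, 40),
    (2, "10.0.0.1", "10.0.0.5", PROTO_TCP, 100),
    (3, "10.0.0.7", "10.0.0.1", PROTO_UDP, 20),
    (4, "10.0.0.5", "10.0.0.7", PROTO_UDP, 10),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    pkts = list(read_pcap(SAMPLE_PCAP))
    print(conversation_counts(host_filter(pkts, ["10.0.0.1"], exclude_protos=(PROTO_UDP,))))
```

The `host` semantics match BPF's: with two hosts the filter keeps exactly the conversation between them, and a capture taken with a short snaplen is handled by skipping records too short to hold an IPv4 header rather than mis-decoding them.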
• 39. ClassicStumbler. ClassicStumbler scans and displays information about the wireless access points within range. It displays the signal strength, noise strength, signal-to-noise ratio, and channel of each access point. Screenshot: Scanning….
• 40. Wireless Network Monitoring Tools. MacStumbler displays information about nearby 802.11b and 802.11g wireless access points, which helps to find access points while traveling or to diagnose wireless network problems. iStumbler is a wireless tool for Mac OS X, providing plugins for finding AirPort networks, Bluetooth devices, and Bonjour services with your Mac.
• 41. Wireless Network Monitoring Tools (cont’d). The AirPort Signal tool scans for open networks in range and creates a table row for each station detected, with information about the signals it received. AirFart detects wireless devices and calculates their signal strength.
• 42. Kismet. Completely passive, capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed networks. Requires an 802.11b card capable of entering RF monitoring mode; once in RF monitoring mode, the card is no longer able to associate with a wireless network. Kismet needs to run as root, but can switch to a lesser-privileged UID as it begins to capture. To hop across channels, run kismet_hopper -p. A closed network with no clients authenticated is shown as <nossid>, updated when a client logs on.
• 43. Kismet: Screenshot
• 44. Determine Wireless Field Strength: Field Strength Meters (FSM). http://www.vk1od.net/fsm/ FSM is a software application that extends a conventional SSB receiver to allow measurement and calculation of the field strength of radio signals or interference. Features: measurement of true RMS, quasi-peak and peak audio power; calculation of received RF power (RMS, QP, and peak) in dBm based on a known receiver noise floor; calculation of field strength (RMS, QP, and peak) in dBuV/m based on known antenna gain or antenna factor; extrapolation of calculated field strengths to a normalized (1 Hz) bandwidth for comparisons; flexible output options to save results to text files, email, and online/nearline web transactions.
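The FSM features listed on slide 44 (power in dBm, field strength in dBuV/m from antenna gain or antenna factor, normalisation to a 1 Hz bandwidth) rest on a few standard 50-ohm relations. The Python below is an added example, not FSM's own code, carrying those relations through for a constructed reading; the assumption is that FSM uses the same textbook formulas, and the 2437 MHz figure is simply the centre frequency of 802.11 channel 6.

```python
"""Field-strength arithmetic behind a software field-strength meter.

Added example, not FSM's code. Relations used (50-ohm system):
  V(dBuV)   = P(dBm) + 107           (0 dBm across 50 ohms is 223.6 mV)
  AF(dB/m)  = 20*log10(f_MHz) - G_dBi - 29.78
  E(dBuV/m) = V(dBuV) + AF(dB/m)
  E_1Hz     = E - 10*log10(bandwidth_Hz)   (noise-like signal)
The demo values are constructed.
"""
import math


def antenna_factor_db(freq_mhz, gain_dbi):
    """Antenna factor in dB/m from isotropic gain, the figure on an antenna datasheet."""
    return 20 * math.log10(freq_mhz) - gain_dbi - 29.78


def dbm_to_dbuv(power_dbm):
    """Receiver input power to terminal voltage across 50 ohms."""
    return power_dbm + 107.0


def field_strength_dbuv_m(power_dbm, antenna_factor):
    """Field strength at the antenna from received power and antenna factor."""
    return dbm_to_dbuv(power_dbm) + antenna_factor


def normalise_to_1hz(field_dbuv_m, bandwidth_hz):
    """Refer a reading taken in a given receiver bandwidth to 1 Hz so that
    measurements made with different bandwidths can be compared."""
    return field_dbuv_m - 10 * math.log10(bandwidth_hz)


def worked_example(power_dbm=-60.0, freq_mhz=2437.0, gain_dbi=2.0, bandwidth_hz=2400.0):
    """Constructed reading: -60 dBm on a 2 dBi antenna at 2437 MHz, 2.4 kHz SSB bandwidth."""
    af = antenna_factor_db(freq_mhz, gain_dbi)
    e = field_strength_dbuv_m(power_dbm, af)
    return {"antenna_factor_db": af, "field_dbuv_m": e,
            "field_1hz_dbuv_m": normalise_to_1hz(e, bandwidth_hz)}


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v:.2f}")
```

For the constructed reading the antenna factor comes out near 36 dB/m and the field strength near 83 dBuV/m; a second reading taken with a wider receiver filter is only comparable after both are referred to 1 Hz.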
• 45. Prepare Wireless Zones and Hotspots Maps. Collect the information after detecting the wireless connections. Analyze it properly to prepare the map. Prepare a static map of wireless zones and hotspots. Map the network using tools such as MS Visio.
• 46. Methods to Access a Wireless Access Point. 1. Direct-connect to the wireless access point (if you have easy direct access). 2. “Sniffing” traffic between the access point and associated devices (when direct access is not available). NOTE: In this module we are showcasing a NETGEAR Wireless Router as an example.
• 47. 1. Direct-connect to the Wireless Access Point. You need a network cable plugged between your forensics laptop and the wireless access point. The forensics laptop should have a standard network adapter. Determine whether the laptop has to be assigned an IP address. If the wireless access point is DHCP enabled, then the laptop will automatically be assigned an IP in the same network range.
• 48. 1. Direct-connect to the Wireless Access Point (cont’d). If DHCP is not enabled, you need to assign the forensics laptop an IP address that is in the same “class” as the wireless access point. The IP address of the wireless access point can be determined by typing the command “ipconfig” at the command prompt.
• 49. 1. Direct-connect to the Wireless Access Point (cont’d). Once you have the IP address of the wireless access point, try connecting to it using a web browser. A login window will pop up asking for the credentials needed to obtain access to the wireless access point.
• 50. 1. Direct-connect to the Wireless Access Point (cont’d). Most of the time customers forget to change the default administrator account of the wireless access point. You can search for the default login and password after you confirm the hardware vendor on physical inspection. Visit the below link to find the default information of the wireless access point.
• 51. Default Credentials List
• 52. 1. Direct-connect to the Wireless Access Point (cont’d). If you are successful in logging in to the wireless access point, you will see a screen similar to the one shown below:
• 53. 1. Direct-connect to the Wireless Access Point (cont’d). Click on Attached Devices to find the number of connections made to the wireless access point. It shows the IP address, device name, and MAC address of each computer attached to the wireless access point.
• 54. 1. Direct-connect to the Wireless Access Point (cont’d). Click on LAN IP Setup to find the LAN TCP/IP setup.
• 55. 1. Direct-connect to the Wireless Access Point (cont’d). Since you are connected over LAN to the wireless access point, a “ping-sweep” can reveal other connected systems on the network. Nmap can be used to perform a “ping-sweep” and other scanning functions. Nmap is a free open source utility for network exploration which is designed to rapidly scan large networks.
• 56. Nmap. Features: Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps, and many other techniques; it scans a large number of machines at one time; it is supported on many operating systems; it can carry out all types of port scanning techniques.
• 57. Scanning Wireless Access Points using Nmap. Another method to find live hosts on the network is by using nmap. Since the IP address of the access point is known, the following range of addresses needs to be scanned: 10.0.0.X/24. Execute the following command at the command prompt: • nmap -sP -v 10.0.0.1/24. The result of the above scan will show all the live hosts in the same subnet; the vendor and MAC address information will be displayed on the screen. To find more information about a specific address, e.g. 10.0.0.1, execute the command: • nmap -sS -A 10.0.0.1
• 58. Rogue Access Point. A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network. The two basic methods for locating rogue access points: beaconing, i.e. requesting a beacon; network sniffing, i.e. looking for packets in the air. Tools that can detect rogue/unauthorized access points are NetStumbler, MiniStumbler, etc.
• 59. Tools to Detect Rogue Access Points: NetStumbler. NetStumbler is a Windows utility for WarDriving written by Marius Milner. NetStumbler is a high-level WLAN scanner; it operates by sending a steady stream of broadcast packets on all possible channels. Access points (APs) respond to broadcast packets to verify their existence, even if beacons have been disabled. NetStumbler displays: signal strength; MAC address; SSID; channel details.
• 60. NetStumbler: Screenshot
• 61. Tools to Detect Rogue Access Points: MiniStumbler. MiniStumbler is the smaller sibling of the free product NetStumbler. By default, most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen; this WLAN weakness is what MiniStumbler uses. It can connect to a global positioning system (GPS).
• 62. 2. “Sniffing” Traffic Between the Access Point and Associated Devices. The forensics laptop is placed between the access point and associated devices in promiscuous mode. In this mode, the forensics laptop captures all the information flowing within range. The BackTrack tool is used to find associated devices in the wireless network. The ‘Aircrack Suite’ of the BackTrack program has two programs, Airodump and Aireplay. After installing BackTrack, the first step is to run Airodump. The Airodump tool can be downloaded from http://www.aircrack-ng.org or launched from BackTrack.
• 63. Scanning using Airodump. The Airodump program runs in ‘Scan’ mode. This tool scans all the wireless channels while searching for access points. The scan report shows 8 columns of information: BSSID, PWR, Beacons, #Data, CH, MB, ENC and ESSID.
• 64. Scanning using Airodump (cont’d). BSSID: MAC address of the access point. PWR: relative strength of the wireless signal as received at the location from which the tool scanned the network. Beacons: number of beacon packets received. #Data: number of packets that can be decrypted. CH: channel. MB: current rate of data transfer in megabits per second. ENC: encryption level set on the access point. ESSID: name of the device.
• 65. Scanning using Airodump (cont’d). To confirm the scanning result, the investigator can match the MAC address obtained from scanning to the MAC address printed on the label of the scanned wireless access point. Make a note of the CH (channel) setting. The screenshot in the previous slide shows the “netgear” wireless router operating on channel 6. Select channel 6 while rescanning with Airodump: the switch “-c 6” scans only for wireless access points present on channel 6. “Ctrl+C” stops the scanning process of Airodump.
• 66. Airodump: Screenshot
• 67. MAC Address Information. Details of the vendor of the wireless access point can be found from its MAC address. Visit http://www.coffer.com/mac_find/ and enter the MAC address to find information on the vendor. It is easy to change the MAC address with the help of a few software settings.
• 68. Airodump: Points to Note. The “BSSID”, “CH” and “ESSID” columns have information that will be useful during the initial phase of the scan. The investigator should concentrate on the “Packets” column in the association list. The “Beacons” column does not reflect data passing between the access point and associated equipment. If Airodump cannot determine the state of encryption on the access point, the ENC column will display “WEP?”. Airodump requires several packets to make a determination of the type of encryption being used.
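Slides 63 to 68 walk through the Airodump columns, the channel rescan, the MAC-to-vendor lookup and the rogue-AP question from slide 58. The Python below is an added example (not from the EC-Council module and not aircrack-ng code) that does the same work over a saved report: airodump-ng run with `-w prefix` writes prefix-01.csv, an access-point table followed by a blank line and a station table, and the column layout assumed here is the aircrack-ng 1.x CSV format as I know it. The report text is constructed, and VENDOR_TABLE is a two-entry placeholder standing in for the IEEE OUI registry that a MAC lookup site consults.

```python
"""Parse an airodump-ng CSV report: APs per channel, clients per AP, rogue check.

Added example, not part of the EC-Council module or of aircrack-ng. The
CSV layout is assumed to follow aircrack-ng 1.x; the sample is constructed
and the vendor table is a placeholder.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:50:53:9A:24, 2008-01-10 10:00:01, 2008-01-10 10:05:30,  6,  54, WPA2, CCMP, PSK, -42,  310,    0,   0.  0.  0.  0,   7, netgear,
00:20:A6:52:23:30, 2008-01-10 10:00:05, 2008-01-10 10:05:28, 11,  54, WEP , WEP ,    , -70,  120,   85,   0.  0.  0.  0,   9, belkin54g,
AA:BB:CC:00:00:01, 2008-01-10 10:02:10, 2008-01-10 10:05:29,  6,  54, OPN ,     ,    , -55,   90,    0,   0.  0.  0.  0,   7, netgear,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:20:A6:11:22:33, 2008-01-10 10:00:10, 2008-01-10 10:05:30, -50,  1420, 00:11:50:53:9A:24, netgear
00:20:A6:44:55:66, 2008-01-10 10:03:00, 2008-01-10 10:05:20, -60,     3, (not associated), netgear,linksys
"""

# Placeholder OUI table (constructed); a real lookup uses the IEEE registry.
VENDOR_TABLE = {"00:11:50": "vendor-A (placeholder)", "00:20:A6": "vendor-B (placeholder)"}
INT_FIELDS = ("channel", "Speed", "Power", "# beacons", "# IV", "ID-length", "# packets")


def _parse_table(text):
    rows = [[f.strip() for f in r] for r in csv.reader(io.StringIO(text)) if r]
    header, body = rows[0], rows[1:]
    records = []
    for r in body:
        # airodump joins probed ESSIDs with commas, which overflows the last column
        if len(r) > len(header):
            r = r[:len(header) - 1] + [",".join(r[len(header) - 1:])]
        r += [""] * (len(header) - len(r))
        rec = dict(zip(header, r))
        for k in INT_FIELDS:
            if k in rec:
                rec[k] = int(rec[k]) if rec[k].lstrip("-").isdigit() else None
        records.append(rec)
    return records


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts keyed by column name."""
    ap_text, _, sta_text = text.partition("\n\n")
    return _parse_table(ap_text), _parse_table(sta_text)


def aps_on_channel(aps, channel):
    """The `-c N` rescan from the slides, applied to the saved report."""
    return [ap for ap in aps if ap["channel"] == channel]


def clients_of(stations, bssid):
    """Station MACs the report shows associated to the given AP."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def vendor_of(mac, table=VENDOR_TABLE):
    """Look the 24-bit OUI prefix up in a vendor table."""
    return table.get(mac.upper()[:8], "unknown")


def classify_aps(aps, authorized):
    """Split scanned APs into (rogue, foreign).

    authorized: {ESSID: {BSSID, ...}} for the networks the organisation owns.
    rogue:   an AP advertising one of our ESSIDs from a BSSID we do not own
    foreign: an AP on some other ESSID (a neighbour: recorded, not touched)
    """
    rogue, foreign = [], []
    for ap in aps:
        owned = authorized.get(ap["ESSID"])
        if owned is None:
            foreign.append(ap["BSSID"])
        elif ap["BSSID"].upper() not in {b.upper() for b in owned}:
            rogue.append(ap["BSSID"])
    return rogue, foreign


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps_on_channel(aps, 6):
        print(ap["BSSID"], ap["ESSID"], ap["Privacy"], vendor_of(ap["BSSID"]),
              clients_of(stations, ap["BSSID"]))
    print(classify_aps(aps, {"netgear": {"00:11:50:53:9A:24"}}))
```

The rogue check is the part worth keeping: an AP that advertises your ESSID from a BSSID you did not deploy is the case slide 58 describes, and matching the BSSID against the label on the physical unit (slide 65) is how the authorised set is built in the first place.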
• 69. Forcing Associated Devices to Reconnect. The Aireplay tool attempts to confuse the connected wireless devices by sending de-authentication packets. The wireless devices are made to think that the wireless access point is not functioning; once disconnected, the devices attempt to reconnect to the same access point. Airodump should be running in the background while the de-authentication packets are sent. Use the command given below to send de-authentication packets: • aireplay-ng --deauth 5 -a {MAC of AP} {interface}, where MAC of AP is the MAC address of the access point and interface is the wireless network interface. If physical access to the wireless access point is available, then unplug the device and plug it back in, making sure that Airodump is running on the forensics laptop at the same time. Note that the reset button is NOT pressed.
• 70. Check for MAC Filtering. Aireplay-ng can be used to determine whether the target access point uses MAC filtering or not. Attempt a forced association if the wireless network card of the forensics laptop supports packet injection. If MAC filtering is active on the target access point, then association will be denied. Open a terminal window within the BackTrack tool. At the command prompt, type the command: • aireplay-ng --fakeauth 0 -e {target ESSID} -a {MAC address of AP} -h {MAC address of your forensic laptop’s wireless card}. An example would be: • aireplay-ng --fakeauth 0 -e belkin54g -a 00:11:50:53:9A:24 -h 00:20:A6:52:23:30
• 71. Check for MAC Filtering (cont’d). An unsuccessful attempt does not indicate MAC filtering at the target access point. If an associated MAC address is shown while scanning with airodump-ng, attempt to re-associate by spoofing the forensics laptop’s MAC address. Within the BackTrack program, select “BackTrack”, “Wireless Tools”, “Miscellaneous”, “MAC Changer”. Once the command is executed, a message will be displayed showing whether the authentication and association were successful.
• 72. Changing the MAC Address. Before changing the MAC, the wireless network card of the forensics laptop should not be active; close airodump-ng or any other program that utilizes the network card before continuing. If required, force the card to shut down by typing: • ifconfig {interface} down. Command to change the MAC address: • macchanger -m {MAC of currently associated device} {interface}
• 73. Changing the MAC Address (cont’d). The screenshot below shows a list of available options for “macchanger”.
• 74. Changing the MAC Address (cont’d). Reactivate the forensics laptop’s wireless network card using the command: • ifconfig {interface} up. After the MAC address is changed, the display will show the previous and new MAC address and vendor settings. Attempt an authentication and association to the access point using the spoofed MAC address. If you see the “success” message, MAC filtering is indeed active on the access point. If MAC filtering is turned off and encryption is turned on, this method of authentication will not yield any success.
• 75. Wireless Data Acquisition and Analysis. Acquire the DHCP logs, firewall logs, and network logs. Use fwanalog and Firewall Analyzer to view the firewall log files. Analyze the log files for: DHCP log files for issued MAC addresses; firewall logs for intrusions; network logs for intrusion activities.
• 76. Wireless Data Acquisition and Analysis (cont’d). Decrypt the encrypted log files. Crack the password-protected log files using the Hydra and Cain & Abel tools. Analyze the traffic shown by sniffing tools such as Wireshark. Check the following log files: registry analysis; USB device footprints; network connection history logs; wireless device logs.
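Slide 75 says to check the DHCP logs for issued MAC addresses. The following Python is an added example (not from the EC-Council module) of what that check looks like as code: it pulls the lease history out of ISC dhcpd syslog lines and derives three findings an examiner wants, MACs never seen before, an address that moved to a different MAC, and a hostname reappearing under a new MAC, which is how a station that changed its MAC (as with the macchanger step on slides 72 to 74) shows up to the DHCP server. The log lines are constructed in the ISC dhcpd format as I know it (an assumption); the hostname and addresses are made up.

```python
"""Extract lease history from ISC dhcpd syslog lines and flag anomalies.

Added example, not part of the EC-Council module. The DHCPACK line format
is assumed to follow ISC dhcpd; the sample log is constructed.
"""
import re
from collections import namedtuple

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

Lease = namedtuple("Lease", "ts ip mac host iface")

# Constructed sample: laptop1 leases 10.0.0.5; later an unknown MAC takes
# 10.0.0.9, then obtains 10.0.0.5 while presenting the hostname laptop1.
SAMPLE_LOG = """\
Jan 10 10:00:01 gateway dhcpd: DHCPDISCOVER from 00:20:a6:11:22:33 via eth0
Jan 10 10:00:01 gateway dhcpd: DHCPOFFER on 10.0.0.5 to 00:20:a6:11:22:33 (laptop1) via eth0
Jan 10 10:00:02 gateway dhcpd: DHCPREQUEST for 10.0.0.5 (10.0.0.1) from 00:20:a6:11:22:33 (laptop1) via eth0
Jan 10 10:00:02 gateway dhcpd: DHCPACK on 10.0.0.5 to 00:20:a6:11:22:33 (laptop1) via eth0
Jan 10 10:04:30 gateway dhcpd: DHCPACK on 10.0.0.9 to aa:bb:cc:dd:ee:ff via eth0
Jan 10 10:07:12 gateway dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:ff (laptop1) via eth0
"""


def parse_leases(lines):
    """Keep only DHCPACK lines: those record the addresses actually issued."""
    leases = []
    for line in lines:
        m = ACK_RE.match(line.strip())
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def unknown_macs(leases, known_macs):
    """MACs that received a lease but are not on the authorised inventory."""
    return sorted({l.mac for l in leases} - {m.lower() for m in known_macs})


def ip_reassignments(leases):
    """(ip, old_mac, new_mac, ts) whenever an address is ACKed to a different MAC."""
    last = {}
    out = []
    for l in leases:
        prev = last.get(l.ip)
        if prev and prev != l.mac:
            out.append((l.ip, prev, l.mac, l.ts))
        last[l.ip] = l.mac
    return out


def hostname_conflicts(leases):
    """(hostname, {macs}) for client names that showed up from more than one MAC."""
    seen = {}
    for l in leases:
        if l.host:
            seen.setdefault(l.host, set()).add(l.mac)
    return sorted((h, macs) for h, macs in seen.items() if len(macs) > 1)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG.splitlines())
    print("unknown:", unknown_macs(leases, ["00:20:A6:11:22:33"]))
    print("reassigned:", ip_reassignments(leases))
    print("hostname conflicts:", hostname_conflicts(leases))
```

An address moving between MACs is normal over days as leases expire, so the timestamps matter: a move within minutes, combined with the same hostname, is the pattern to pull into the report alongside the firewall and network logs the slide lists.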
• 77. Report Generation. Note the name of the investigator. List of wireless evidence. Documents of the evidence and other supporting items. List of tools used for the investigation. Devices and setup used in the examination. Brief description of the examination steps. Details about the findings: information about the files; Internet-related evidence; data and image analysis. Conclusion of the investigation.
• 78. Summary. Association of a wireless AP and device may take place in either of two ways: MAC filtering, or Pre-Shared Key (PSK) or use of encryption. Methods to access a wireless access point include direct-connecting to the wireless access point and “sniffing” traffic between the access point and associated devices. A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network. Details of the vendor of the wireless access point can be found from its MAC address. Eavesdropping on network traffic is a possible passive attack. To investigate wireless attacks, keep a check on DHCP log files for issued MAC addresses, firewall logs for intrusions, and network logs for intrusion activities.