Page 1: Wireless Network Forensics Unplugged · 2015-10-06 · wireless access points, and touched on wireless traffic capture and analysis. We reviewed common attacks on wireless networks

Wireless Network Forensics Unplugged

ALNAZIF NOHAMMED

[email protected]

Digital forensics


Topics

The IEEE Layer 2 Protocol Series.

Wireless Access Points (WAPs).

Wireless Traffic Capture and Analysis.

Common Attacks.

Locating Wireless Devices.

Conclusion.


Quick introduction:

Wireless devices have exploded in popularity during the past decade. Common types of wireless devices and networks include:

• AM/FM radios

• Cordless phones

• Cell phones

• Bluetooth headsets

• Infrared devices, such as TV remotes

• Wireless doorbells

• Wi-Fi (802.11) LAN networking over RF

• WiMAX (802.16) last-mile broadband

We will focus our attention on 802.11 Wi-Fi networks specifically, because this type of network is extremely common both in the enterprise and at home.


1-The IEEE Layer 2 Protocol Series

Why So Many Layer 2 Protocols?

The 802.11 Protocol Suite

802.1X


A-Why So Many Layer 2 Protocols:

For forensic investigators, it is important to realize that if you are capturing traffic from a wireless network, there may well be stations actively participating in the network that you cannot overhear from your vantage point, due to signal strength. This is unlike wired media, where voltages propagate much more reliably through copper or fiber cables.

This simple fact has far-reaching effects both on the data link-layer protocols themselves and on forensic analysis of wireless evidence: a capture is only ever a partial view of the network, and the protocols include retransmission, acknowledgement and power-saving mechanisms that a wired LAN does not need.


B-The 802.11 Protocol Suite

1- Frame Types

The 802.11 protocol suite defines different types of frames. For forensic investigators, different types of frames contain different types of evidence, as we will see. There are three types of 802.11 frames:

• Management Frames—Govern communications between stations, except flow control. Beacons, probe requests and responses, authentication, association and deauthentication are all management frames.

• Control Frames—Support flow control over a variably available medium (such as RF), for example RTS, CTS and ACK.

• Data Frames—Encapsulate the Layer 3+ data that moves between stations actively engaged in communication on a wireless network.


Forensics value

Management and control frames are not encrypted, so these clear-text frames provide a wealth of information as to which stations are trying to communicate, in which ways, and with whom, even on a network whose data frames are encrypted.

If the wireless network is not encrypted, or if you have access to the encryption key and can recover the unencrypted data frames, then you can also capture and analyze the wireless traffic at Layer 3 and above.


2- Frame Analysis

The order in which bits are transmitted in the 802.11 protocol suite is not straightforward. This can cause forensic analysts to produce incorrect results if they are not careful.

To fully understand how the bits we capture correspond with protocol charts and field descriptions, we need the concept of endianness.


3-Network-Byte Order (TCP/IP, but NOT 802.11)

Network forensic analysts are used to viewing captured bits in big-endian form. The IP protocol specifies that multi-byte fields are transmitted across the network most-significant byte first, i.e. big-endian. This is often referred to as network-byte order.

4-802.11 Endianness

The IEEE 802.11 specification transmits bits in a different order from the TCP/IP protocol suite, which most network forensic analysts are familiar with.

Mixed-endian? 802.11 is neither big-endian nor little-endian, but is best described as mixed-endian. The standard's field diagrams read left to right starting from bit B0, but inside each captured byte the sub-fields appear in the reverse order, and fields longer than one byte (Duration, Sequence Control, reason codes) are stored least-significant byte first. In practice this means that when you read a captured Frame Control byte, the two-bit protocol version is in the low bits and the four-bit subtype is in the high nibble: a beacon (type 0, subtype 8) is captured as 0x80, a deauthentication (type 0, subtype 12) as 0xC0, and a plain data frame (type 2, subtype 0) as 0x08.
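To make the frame-type and endianness points concrete, here is an added example (not code from the original slides) that decodes the Frame Control, Duration and Sequence Control fields of a few constructed 802.11 frames exactly as they appear in a capture, classifies them as management, control or data, and pulls the SSID out of a beacon and the reason code out of a deauthentication. The frames, MAC addresses and SSID are made up for the demo; the field layout is the standard 802.11 MAC header without a radiotap prefix.

```python
import struct

# Type (2 bits) and subtype (4 bits) names from the 802.11 Frame Control field.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 4): "null", (2, 8): "QoS data",
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ssid(ies):
    """Walk the tagged parameters (ID, length, value) after the fixed fields; return the SSID."""
    off = 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        if tag == 0:
            return ies[off + 2:off + 2 + length].decode("utf-8", "replace")
        off += 2 + length
    return None


def parse_frame(raw):
    """Decode the MAC header of one 802.11 frame (bytes as captured, no radiotap header)."""
    fc0, fc1 = raw[0], raw[1]
    # Frame Control byte 0. The standard's diagram reads B0-B1 version, B2-B3 type,
    # B4-B7 subtype, but in the captured byte the version sits in the LOW two bits
    # and the subtype in the HIGH nibble: the sub-fields are in reverse order.
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    info = {
        "version": version,
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"type {ftype} subtype {subtype}"),
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "retry": bool(fc1 & 0x08),
        "protected": bool(fc1 & 0x40),   # payload is WEP/TKIP/CCMP encrypted
        # Fields longer than one byte are little-endian, not network byte order.
        "duration": struct.unpack_from("<H", raw, 2)[0],
        "addr1": mac_str(raw[4:10]),
    }
    if ftype == 1 and subtype in (12, 13):   # CTS and ACK carry only the receiver address
        return info
    info["addr2"] = mac_str(raw[10:16])
    info["addr3"] = mac_str(raw[16:22])
    seq_ctl = struct.unpack_from("<H", raw, 22)[0]
    info["fragment"] = seq_ctl & 0x0F          # B0-B3 of Sequence Control
    info["sequence"] = seq_ctl >> 4            # B4-B15
    body = raw[24:]
    if ftype == 0 and subtype in (5, 8):       # beacon / probe response: 12 fixed bytes, then IEs
        info["ssid"] = parse_ssid(body[12:])
    elif ftype == 0 and subtype in (10, 12):   # disassociation / deauthentication
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    return info


def summarize(frames):
    """Frame subtype counts; management and control frames stay readable on encrypted networks."""
    counts = {}
    for f in frames:
        name = parse_frame(f)["subtype"]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample frames (not from a real capture); addresses are locally administered.
BSSID = bytes.fromhex("020000aabbcc")
CLIENT = bytes.fromhex("020000112233")
BEACON = (bytes.fromhex("8000 0000") + b"\xff" * 6 + BSSID + BSSID
          + bytes.fromhex("0001")                        # Sequence Control: seq 16, frag 0
          + bytes(8) + bytes.fromhex("6400 1104")         # timestamp, interval 100 TU, capability
          + bytes([0, 8]) + b"CorpWiFi")                  # SSID information element
DEAUTH = (bytes.fromhex("c000 3a01") + CLIENT + BSSID + BSSID
          + bytes.fromhex("2000") + bytes.fromhex("0700"))    # seq 2; reason code 7
DATA = (bytes.fromhex("0841 2c00") + BSSID + CLIENT + bytes.fromhex("020000ddeeff")
        + bytes.fromhex("5003") + bytes(16))                  # To DS + Protected; seq 53
ACK = bytes.fromhex("d400 0000") + CLIENT

if __name__ == "__main__":
    for f in (BEACON, DEAUTH, DATA, ACK):
        print(parse_frame(f))
    print(summarize([BEACON, DEAUTH, DATA, ACK]))
```

Reading the Duration field of the deauthentication frame as big-endian would give 0x3A01 (14849) instead of the correct 314; reading Frame Control as the diagram is drawn would turn the beacon into "type 2, subtype 0". Running the parser over a real monitor-mode capture is a quick way to check that a dissector's output matches the bytes.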


5-Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is part of the 802.11 standards, published by the IEEE. It was proposed as a way to enable a WAP to provide a "private" network, similar to the environment that a wired hub could provide due to the natural limitations of the physical media.

To gain access to a WEP-encrypted wireless network, users need knowledge of a shared secret key in order to gain access to the WAP's service at Layer 2.


Forensic investigators should assume that WEP-protected segments are at high risk of compromise and may be a likely vector for unauthorized network intrusions.

On the plus side, investigators who are (legally) conducting covert investigations without the knowledge of local IT staff may find that WEP-protected networks are a convenient point of covert entry to the network.


6-TKIP, AES, WPA, and WPA2.

WEP did not provide the level of protection that its designers had intended, so the Wi-Fi Alliance came up with something better to replace it: Wi-Fi Protected Access (WPA).

WPA was a stop-gap measure designed to deal with some of the weaknesses of WEP, such as the lack of key rotation. Its Temporal Key Integrity Protocol (TKIP) keeps RC4 but derives a fresh per-packet key, so that existing WEP hardware could be upgraded in firmware. WPA2, based on the ratified IEEE 802.11i amendment, replaces RC4/TKIP with AES in CCMP mode and is what investigators should expect to find on a properly configured network.


C-802.1X

802.1X was designed to provide a modular, extensible authentication framework for LANs (regardless of physical medium). It can be used over wired or wireless networks, and it is designed to control access to the LAN.

Forensic investigators should be aware of 802.1X when it is used in the environment under investigation, because it limits access to the network and requires a back-end authentication system (typically a RADIUS server), which usually stores access logs tying each authenticated identity to a client MAC and a point in time.

802.1X is the IEEE's standard for implementing the IETF's Extensible Authentication Protocol (EAP) over LANs. EAP was intended as an improvement to the Point-to-Point

Impact on Wireless Networks

Implications for the Investigator.


2 -Wireless Access Points (WAPs)

Why Investigate Wireless Access Points?

Types of Wireless Access Points

WAP Evidence


A-Why Investigate Wireless Access Points

Wireless access points are typically involved in forensic investigations for one of a few reasons:

• Wireless access points may contain locally stored logs of connection attempts, authentication successes and failures, and other local WAP activity.

• WAP logs can help you track the physical movements of a wireless client throughout a building or campus.

• The WAP configuration may provide insight regarding how an attacker gained access to the network.

• The WAP configuration may have been modified by an unauthorized party as part of an attack.

• The WAP itself may be compromised.


B-Types of Wireless Access Points

There are a wide variety of wireless access points available. General classes of WAPs include enterprise and consumer devices.

1- Enterprise

Enterprise facilities typically span a much wider geographic range than home offices or small businesses, so enterprise WAPs are usually deployed in numbers, centrally managed, and configured to log to a central server rather than only locally.

2- Consumer

Small businesses and home users often deploy consumer-class WAPs in their home and office environments. These devices are inexpensive and easy to configure for simple use, but they typically keep very little log history of their own.


C-WAP Evidence

Wireless access points contain both volatile and nonvolatile evidence, although their persistent storage capabilities tend to be very limited. WAPs can also send logs over the network to a remote repository (for example a syslog server), which is often where the most complete history survives.

As with switches and routers, most of the evidence on WAPs tends to be quite volatile, so collect it before the device is power-cycled or reconfigured.

Enterprise-class WAPs tend to include the same functionality and range of evidence as wired routers, with the addition of wireless-specific capabilities.


Types of evidence that can be found on wireless access points:

• History of connections by MAC address

• List of IPs associated with MACs

• Historical logs of wireless events: access requests, key rotation, etc.
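As an added example (not from the original slides), the following script reconstructs a client's movement through a building and its MAC-to-IP binding from WAP logs forwarded to a syslog collector, which is exactly the use of WAP evidence described above. The log lines are constructed for the demo in the style of hostapd and dnsmasq output; the message formats, hostnames and addresses are assumptions, and a real device's log format will need its own regular expressions.

```python
import re
from datetime import datetime

# Constructed syslog lines in the style of hostapd and dnsmasq output (formats assumed,
# not copied from a real device). Two APs forward their logs to one collector.
LOG = """\
Oct  6 09:01:12 ap-floor1 hostapd: wlan0: STA 02:00:00:11:22:33 IEEE 802.11: associated (aid 3)
Oct  6 09:01:12 ap-floor1 hostapd: wlan0: STA 02:00:00:11:22:33 WPA: pairwise key handshake completed (RSN)
Oct  6 09:01:13 ap-floor1 dnsmasq-dhcp[612]: DHCPACK(br0) 10.20.1.57 02:00:00:11:22:33 laptop-17
Oct  6 09:14:40 ap-floor1 hostapd: wlan0: STA 02:00:00:11:22:33 IEEE 802.11: disassociated
Oct  6 09:14:52 ap-floor3 hostapd: wlan0: STA 02:00:00:11:22:33 IEEE 802.11: associated (aid 1)
Oct  6 09:14:52 ap-floor3 hostapd: wlan0: STA 02:00:00:11:22:33 WPA: pairwise key handshake completed (RSN)
Oct  6 09:29:00 ap-floor3 hostapd: wlan0: STA 02:00:00:99:88:77 IEEE 802.11: associated (aid 2)
Oct  6 09:30:05 ap-floor3 hostapd: wlan0: STA 02:00:00:99:88:77 IEEE 802.11: deauthenticated due to local deauth request
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
STA = re.compile(r"STA ([0-9a-f:]{17}) (.*)")
EVENT = re.compile(r"\b(disassociated|deauthenticated|associated|authenticated|handshake completed)\b")
DHCP = re.compile(r"DHCPACK\(\S+\) (\d+\.\d+\.\d+\.\d+) ([0-9a-f:]{17})")


def parse_log(text):
    """Turn raw lines into events {ts, ap, mac, event[, ip]}, time-ordered; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # syslog carries no year
        ap, msg = m.group(2), m.group(4)
        d = DHCP.search(msg)
        if d:
            events.append({"ts": ts, "ap": ap, "mac": d.group(2), "event": "dhcp-ack", "ip": d.group(1)})
            continue
        s = STA.search(msg)
        if s:
            e = EVENT.search(s.group(2))
            events.append({"ts": ts, "ap": ap, "mac": s.group(1),
                           "event": e.group(1) if e else s.group(2)})
    return sorted(events, key=lambda e: e["ts"])


def client_path(events, mac):
    """APs a client associated with, in order: the movement trail through the building."""
    return [e["ap"] for e in events if e["mac"] == mac and e["event"] == "associated"]


def ip_for_mac(events):
    """Latest DHCP lease per MAC, to tie wireless events to Layer 3 evidence."""
    return {e["mac"]: e["ip"] for e in events if e["event"] == "dhcp-ack"}


def sessions(events, mac):
    """(ap, start, end, seconds) per association; end is None if the client was never seen leaving."""
    out, open_assoc = [], {}
    for e in events:
        if e["mac"] != mac:
            continue
        if e["event"] == "associated":
            open_assoc[e["ap"]] = e["ts"]
        elif e["event"] in ("disassociated", "deauthenticated") and e["ap"] in open_assoc:
            start = open_assoc.pop(e["ap"])
            out.append((e["ap"], start, e["ts"], (e["ts"] - start).total_seconds()))
    out.extend((ap, start, None, None) for ap, start in open_assoc.items())
    return sorted(out, key=lambda s: s[1])


EVENTS = parse_log(LOG)

if __name__ == "__main__":
    print(client_path(EVENTS, "02:00:00:11:22:33"))
    print(ip_for_mac(EVENTS))
    for s in sessions(EVENTS, "02:00:00:11:22:33"):
        print(s)
```

Because the syslog timestamp has no year and the two APs' clocks may differ, check time synchronization on the collector before trusting sub-minute ordering between devices; the open session on ap-floor3 is also a reminder that a missing disassociation may mean the log stopped, not that the client stayed.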


3- Wireless Traffic Capture and Analysis

Spectrum Analysis

Wireless Passive Evidence Acquisition

Analyzing 802.11 Efficiently


A- Spectrum Analysis

There are, literally, an infinite number of frequencies over which data can be transmitted through the air. Sometimes the most challenging part of an investigator's job is simply identifying the wireless traffic in the first place. For Wi-Fi traffic, the IEEE utilizes three frequency ranges:

• 2.4 GHz (802.11b/g/n)

• 3.6 GHz (802.11y)

• 5 GHz (802.11a/h/j/n)

Each of these frequency ranges is divided into distinct channels, which are smaller frequency bands. Although the IEEE has set globally recognized frequency boundaries for 802.11 protocols, individual countries typically allow only a subset of these frequency ranges. A capture card listens to one channel at a time, so it must be tuned to the channels in use locally (or hopped between them, or supplemented with additional cards), otherwise frames are simply missed.

B-Wireless Passive Evidence Acquisition

In order to capture wireless traffic, investigators need an 802.11 wireless card capable of running in Monitor mode, which delivers raw 802.11 frames from a channel without associating to any network. Many wireless cards do not support this capability. Furthermore, in order to ensure totally passive monitoring, it is preferable to use a special-purpose Wi-Fi monitoring card that can be configured to operate completely passively, i.e. one that never transmits (not even probe requests or ACKs), so that the investigator's presence is not revealed and the evidence is not altered.


C-Analyzing 802.11 Efficiently

In order to analyze efficiently, we can use tcpdump and tshark.

We can use Wireshark to sort out the endianness problem, since its 802.11 dissector decodes each field for us, and for large packet captures in particular, tcpdump and tshark tend to be more efficient and scalable.


4- Common Attacks

Sniffing

Rogue Wireless Access Points

Evil Twin

WEP Cracking


A-Sniffing

Eavesdropping on wireless traffic is extremely common, in part because it is so easy to do. From script kiddies in coffee shops to professional surveillance teams, wireless traffic monitoring is, frankly, popular. Because a passive sniffer never transmits, it leaves no trace in the victim network's own evidence.

B-Rogue Wireless Access Points.

Anyone can purchase a cheap WAP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack.

Criminals also deliberately plant wireless access points that allow them to bypass the pesky firewall and remotely access the network later on.


C-Evil Twin

The "Evil Twin" attack is when an attacker sets up a WAP with the same SSID as one that is used in the local environment, usually in order to conduct a man-in-the-middle attack on 802.11 clients' traffic. Clients that automatically rejoin known SSIDs will connect to whichever WAP of that name offers the strongest signal, so the twin does not need to take the legitimate WAP offline.

D-WEP Cracking

WEP is designed to encrypt the payload of data frames on a wireless network using a shared key. The key, once selected, is distributed to all stations as a "pre-shared key" (PSK). The PSK itself is never exposed on the network, and so it is expected to be shared in some out-of-band way between the stations that need it.

Each station encrypts the payload of all data frames with the PSK and a randomly selected initialization vector (IV), so that the per-frame RC4 key (the IV concatenated with the PSK) changes for every frame. The problem with using an IV with a stream cipher such as RC4 is that stations have to send the IV in plain text. Each station prepends a cleartext 24-bit IV to each frame, but 24 bits (about 16.7 million values) is actually quite small when you consider the number of frames that can be transmitted across a WLAN: on a busy network IVs start repeating within hours, and two frames encrypted under the same IV are encrypted with the same keystream.
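An added example (not part of the original slides) that implements WEP's frame encryption in a few lines of Python and shows why the 24-bit IV is the weak point: two frames under the same IV share an RC4 keystream, so XORing the ciphertexts cancels the keystream and leaves the XOR of the plaintexts, and knowing one plaintext (an ARP or DHCP header, say) recovers the other without ever learning the key. The key, IV and payloads are constructed for the demo; the birthday-bound estimate is the general formula, not a figure from the slides.

```python
import math
import struct
import zlib


def rc4(key, data):
    """Plain RC4 keystream XOR, the cipher WEP wraps; demo only."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(psk, iv, payload):
    """WEP frame body: IV(3) | key index(1) | RC4(IV||PSK)(payload || CRC-32 ICV)."""
    assert len(iv) == 3 and len(psk) in (5, 13), "WEP-40 or WEP-104 key, 24-bit IV"
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + psk, payload + icv)


def wep_decrypt(psk, body):
    """Returns (payload, icv_ok); a wrong key shows up as an ICV mismatch."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + psk, ciphertext)
    payload, icv = plain[:-4], plain[-4:]
    return payload, struct.unpack("<I", icv)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)


def xor_of_plaintexts(body_a, body_b):
    """Two frames under one IV share one keystream, so C1 xor C2 = P1 xor P2 (no key needed)."""
    assert body_a[:3] == body_b[:3], "different IVs: no keystream reuse"
    n = min(len(body_a), len(body_b)) - 8        # drop the IV/key-index prefix and ICV tail
    return bytes(x ^ y for x, y in zip(body_a[4:4 + n], body_b[4:4 + n]))


def recover_with_known_plaintext(body_known, plaintext_known, body_target):
    """Known plaintext for one frame (e.g. an ARP or DHCP header) yields the other frame's payload."""
    return bytes(x ^ p for x, p in zip(xor_of_plaintexts(body_known, body_target), plaintext_known))


def frames_until_iv_repeat(p=0.5, iv_bits=24):
    """Birthday bound: frames sent before a randomly chosen IV repeats with probability p."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p)))


def seconds_to_exhaust_ivs(frames_per_second):
    """A station that counts IVs sequentially wraps the whole 24-bit space this fast."""
    return (2 ** 24) / frames_per_second


PSK = b"AbCdE"                  # constructed 40-bit key
IV = b"\x00\x00\x01"            # the same IV reused by both frames below
FRAME_A = wep_encrypt(PSK, IV, b"GET /index.html ")
FRAME_B = wep_encrypt(PSK, IV, b"POST /login HTTP")

if __name__ == "__main__":
    print(recover_with_known_plaintext(FRAME_A, b"GET /index.html ", FRAME_B))
    print(round(frames_until_iv_repeat()), "frames until a random IV repeats (50%)")
    print(seconds_to_exhaust_ivs(500) / 3600, "hours to wrap at 500 frames/s")
```

With randomly chosen IVs the first repeat is expected after only a few thousand frames, and a station that simply counts upward wraps the entire space in under ten hours at a modest 500 frames per second; in a capture, a histogram of IV values per transmitter shows which stations are reusing them.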


5- Locating Wireless Devices

Gather Station Descriptors

Identify Nearby Wireless Access Points

Signal Strength

Commercial Enterprise Tools


Gather Station Descriptors

We can learn what a wireless device probably looks like from its network traffic: the manufacturer from the OUI portion of its MAC address, and the class of device from the networks it probes for and the way it behaves on the air.

Identify Nearby Wireless Access Points.

The strategy for locating a wireless device will depend in part on the function of the device: an access point announces itself with beacons, whereas a client only transmits when it has something to send.

Signal Strength

There are many tools, such as NetStumbler or Kismet, that will list the nearby wireless access points and show you their relative signal strengths. Often, you can locate a mysterious wireless device simply by viewing the signal strengths using one of these applications and walking in the direction of increasing signal strength. This works well in situations where the station of interest is not mobile.
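Monitor-mode captures on Linux carry a radiotap header in front of each 802.11 frame, and that header is where the per-frame signal strength the tools above display comes from. The following added example (not from the original slides) parses that header, averages RSSI per transmitting MAC so that nearby access points and stations can be ranked, and checks whether successive readings are increasing as the investigator walks. The packets are constructed for the demo; the radiotap field layout and alignment rules follow the radiotap specification, and only the fields up to the antenna-signal bit are walked.

```python
import struct
from collections import defaultdict

# Radiotap fields in present-bit order: (bit, struct format, alignment). Fields after
# bit 6 are not needed for RSSI and are not walked.
RT_FIELDS = [
    (0, "<Q", 8),    # TSFT
    (1, "<B", 1),    # Flags
    (2, "<B", 1),    # Rate (500 kbps units)
    (3, "<HH", 2),   # Channel: frequency in MHz, channel flags
    (4, "<BB", 1),   # FHSS
    (5, "<b", 1),    # dBm antenna signal (signed)
    (6, "<b", 1),    # dBm antenna noise
]


def parse_radiotap(pkt):
    """Return ({signal_dbm, freq_mhz, rate_500kbps}, dot11_frame) for one monitor-mode packet."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version")
    off = 8
    word = present
    while word & (1 << 31):                  # extended presence words precede the fields
        word = struct.unpack_from("<I", pkt, off)[0]
        off += 4
    fields = {}
    for bit, fmt, align in RT_FIELDS:
        if not present & (1 << bit):
            continue
        off = (off + align - 1) // align * align   # natural alignment from header start
        fields[bit] = struct.unpack_from(fmt, pkt, off)
        off += struct.calcsize(fmt)
    return ({"signal_dbm": fields[5][0] if 5 in fields else None,
             "freq_mhz": fields[3][0] if 3 in fields else None,
             "rate_500kbps": fields[2][0] if 2 in fields else None},
            pkt[length:])


def signal_by_transmitter(packets):
    """Mean RSSI per transmitting MAC (addr2). Single readings are noisy; average many frames."""
    readings = defaultdict(list)
    for pkt in packets:
        rt, frame = parse_radiotap(pkt)
        if rt["signal_dbm"] is None or len(frame) < 16 or (frame[0] >> 2) & 0x03 == 1:
            continue                          # control frames carry no transmitter address
        readings[":".join(f"{b:02x}" for b in frame[10:16])].append(rt["signal_dbm"])
    return {m: sum(v) / len(v) for m, v in readings.items()}


def ranked_by_signal(packets):
    """Strongest transmitter first: the list you walk towards."""
    return sorted(signal_by_transmitter(packets).items(), key=lambda kv: kv[1], reverse=True)


def getting_closer(samples):
    """Least-squares slope of successive averaged readings; True if the signal is strengthening."""
    n = len(samples)
    if n < 2:
        return False
    xbar, ybar = (n - 1) / 2, sum(samples) / n
    num = sum((i - xbar) * (y - ybar) for i, y in enumerate(samples))
    den = sum((i - xbar) ** 2 for i in range(n))
    return num / den > 0


def make_packet(signal_dbm, transmitter_hex, freq_mhz=2437):
    """Constructed radiotap header + 802.11 beacon header for the demo (not a real capture)."""
    present = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
    rt = struct.pack("<BBHI", 0, 0, 23, present)
    rt += struct.pack("<QBBHHb", 0, 0, 2, freq_mhz, 0x00A0, signal_dbm)   # TSFT, flags, 1 Mbps, 2.4 GHz CCK
    tx = bytes.fromhex(transmitter_hex)
    return rt + bytes.fromhex("8000 0000") + b"\xff" * 6 + tx + tx + b"\x00\x00"


AP_A, AP_B = "020000aabbcc", "020000ddeeff"
SAMPLE = [make_packet(-42, AP_A), make_packet(-45, AP_A), make_packet(-40, AP_A),
          make_packet(-71, AP_B, 2462), make_packet(-68, AP_B, 2462)]

if __name__ == "__main__":
    print(ranked_by_signal(SAMPLE))
    print(getting_closer([-80, -74, -69, -61]))
```

RSSI in dBm is relative, driver-dependent and affected by walls and antenna orientation, so the ranking is only meaningful between readings taken with the same card; treat it as a direction to walk, not as a distance.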


Commercial Enterprise Tools

Enterprises that deploy campus-wide wireless LANs often install central management consoles, which include mapping and station tracking capabilities. Vendors such as Aruba and Cisco offer specialized wireless tracking and WIDS software for use in these environments.

Skyhook

Skyhook Wireless Positioning System (WPS) is a proprietary location tracking service provided by Skyhook Wireless. It is an extremely popular alternative to GPS, especially because it works well indoors and can provide results with 10–30 m accuracy in urban environments where GPS is less effective.


Conclusion

We talked about the types of evidence that you can gather from wireless access points, and touched on wireless traffic capture and analysis. We reviewed common attacks on wireless networks that investigators should be familiar with so that you can recognize them in the field. Finally, we discussed one of the most common hurdles facing wireless network forensic investigators: physically locating a wireless device.