Digital Forensics: Wireless Network Forensics Unplugged. ALNAZIF NOHAMMED, alnadeef@yahoo.com
Topics The IEEE Layer 2 Protocol Series. Wireless Access Points (WAPs). Wireless Traffic Capture and Analysis. Common Attacks. Locating Wireless Devices. Conclusion.
Quick introduction: Wireless devices have exploded in popularity during the past decade. Common types of wireless devices and networks include AM/FM radios, cordless phones, cell phones, Bluetooth headsets, infrared devices such as TV remotes, wireless doorbells, Wi-Fi (802.11) LAN networking over RF, and WiMAX (802.16) last-mile broadband. We will focus our attention on 802.11 Wi-Fi networks specifically, because they are extremely common both in the enterprise and at home.
1-The IEEE Layer 2 Protocol Series Why So Many Layer 2 Protocols? The 802.11 Protocol Suite 802.1X
A-Why So Many Layer 2 Protocols: For forensic investigators, it is important to realize that when you capture traffic from a wireless network, there may well be stations actively participating in the network that you cannot overhear from your vantage point because of signal strength. This is unlike wired media, where voltages propagate much more reliably through copper or fiber cables. This simple fact has far-reaching effects both on the data link layer protocols themselves (which must tolerate stations that cannot hear each other) and on forensic analysis of wireless evidence: a wireless capture is the view from one antenna at one location, not a complete record of everything on the network.
B-The 802.11 Protocol Suite. 1- Frame Types: The 802.11 protocol suite defines different types of frames, and for forensic investigators, different types of frames contain different types of evidence, as we will see. There are three types of 802.11 frames. Management Frames set up and tear down communications between stations: beacons, probe requests and responses, authentication, association and deauthentication. Control Frames support access to, and flow control over, a variably available medium such as RF: RTS, CTS and ACK. Data Frames encapsulate the Layer 3+ data that moves between stations actively engaged in communication on a wireless network.
Forensic value: management and control frames are not encrypted, even on a network that encrypts its data frames (802.11w can protect some management frames such as deauthentication, but beacons and probes stay in the clear), so these clear-text frames provide a wealth of information as to which stations are trying to communicate, in which ways, and with whom. If the wireless network is not encrypted, or if you have access to the encryption key and can recover the unencrypted data frames, then you can also capture and analyze the wireless traffic at Layer 3 and above.
2- Frame Analysis: The order in which bits are transmitted in the 802.11 protocol suite is not straightforward, and forensic analysts who are not careful can produce incorrect results. To understand how the bits we capture correspond with the protocol charts and field descriptions in the standard, we use the concept of endianness.
3-Network-Byte Order (TCP/IP, but NOT 802.11): Network forensic analysts are used to viewing captured bits in big-endian form. The IP protocol specifies that multi-byte fields are transmitted most-significant byte first (big-endian); this is often referred to as network-byte order. 4-802.11 Endianness: The IEEE 802.11 specification transmits its fields in a different order from the TCP/IP protocol suite that most network forensic analysts are familiar with. Mixed-endian? From the analyst's point of view, 802.11 is best described as mixed-endian. Multi-byte fields such as Duration and Sequence Control are transmitted least-significant byte first (little-endian), so the bytes 2c 00 in a capture mean 0x002c. Within the Frame Control field, the sub-fields appear in the reverse of the order shown in the standard's bit diagrams: the Protocol Version occupies the two lowest bits of the first byte, the Type the next two bits, and the Subtype the high nibble, with the flags (To DS, From DS, Retry, Protected, and so on) in the second byte. A beacon (type 0, subtype 8) therefore shows up in a capture as the bytes 80 00, and an ACK (type 1, subtype 13) as d4 00. Reading these bytes as if they were in network-byte order gives the wrong type and subtype.
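To make the endianness point concrete, here is an added example (my own Python, not code from the original presentation or from the book it summarizes) that decodes the 802.11 MAC header from raw frame bytes exactly as they appear in a monitor-mode capture: the Frame Control sub-fields in the bit positions described above, the little-endian Duration and Sequence Control fields, and the address interpretation that changes with the To DS / From DS flags. The three frames are constructed for the example and the MAC addresses are made up.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
# (type, subtype) names for the frames an analyst meets most often.
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 4): "null data", (2, 8): "QoS data",
}

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_frame_control(fc):
    """Decode the two Frame Control bytes as they sit in a capture."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,          # B0-B1 of the standard's diagram: lowest bits of byte 0
        "type": (b0 >> 2) & 0x03,      # B2-B3
        "subtype": (b0 >> 4) & 0x0F,   # B4-B7: the high nibble of byte 0
        "to_ds": bool(b1 & 0x01),      # the flags live in byte 1
        "from_ds": bool(b1 & 0x02),
        "retry": bool(b1 & 0x08),
        "protected": bool(b1 & 0x40),  # payload is WEP/TKIP/CCMP encrypted
    }

def parse_mac_header(frame):
    """Decode the 802.11 MAC header; which address is DA/SA/BSSID depends on To DS / From DS."""
    fc = parse_frame_control(frame[0:2])
    out = dict(fc, kind=SUBTYPE_NAMES.get((fc["type"], fc["subtype"]),
                                          TYPE_NAMES.get(fc["type"], "reserved")))
    out["duration"] = struct.unpack_from("<H", frame, 2)[0]   # little-endian: bytes 2c 00 = 0x002c
    out["ra"] = mac(frame[4:10])                               # Address 1 is always the receiver
    if fc["type"] == 1:                                        # control frames: 1 or 2 addresses, no seq ctl
        if fc["subtype"] == 11:                                # RTS carries a transmitter address too
            out["ta"] = mac(frame[10:16])
        return out
    a2, a3 = mac(frame[10:16]), mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]              # little-endian: bytes 30 12 = 0x1230
    out["fragment"], out["sequence"] = seq & 0x0F, seq >> 4
    if not fc["to_ds"] and not fc["from_ds"]:                  # management / IBSS: DA, SA, BSSID
        out.update(da=out["ra"], sa=a2, bssid=a3)
    elif fc["to_ds"] and not fc["from_ds"]:                    # station -> AP: BSSID, SA, DA
        out.update(bssid=out["ra"], sa=a2, da=a3)
    elif fc["from_ds"] and not fc["to_ds"]:                    # AP -> station: DA, BSSID, SA
        out.update(da=out["ra"], bssid=a2, sa=a3)
    else:                                                      # WDS/bridge: RA, TA, DA, SA (Address 4)
        out.update(ta=a2, da=a3, sa=mac(frame[24:30]))
    return out

# Constructed frames (made-up addresses), bytes exactly as a monitor-mode capture shows them.
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "001122334455" "001122334455" "a006")
DATA_FROM_AP = bytes.fromhex("0842" "2c00" "aabbccddee01" "001122334455" "00112233" "44aa" "3012")
ACK = bytes.fromhex("d400" "0000" "aabbccddee01")

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA_FROM_AP), ("ack", ACK)):
        print(name, parse_mac_header(frame))
```

The data frame shows why the address interpretation matters: with From DS set, Address 1 is the wireless client, Address 2 the BSSID and Address 3 the wired source, so an analyst who assumes the "DA, SA, BSSID" order of management frames would attribute the traffic to the wrong station.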
5-Wired Equivalent Privacy (WEP): Wired Equivalent Privacy (WEP) is part of the 802.11 standards published by the IEEE. It was proposed as a way to enable a WAP to provide a private network, similar to the environment that a wired hub provides thanks to the natural limitations of its physical media. To gain access to a WEP-encrypted wireless network, a user needs knowledge of the shared secret key, which grants access to the WAP's service at Layer 2.
Forensic investigators should assume that WEP-protected segments are at high risk of compromise and may be a likely vector for unauthorized network intrusions. On the plus side, investigators who are (legally) conducting covert investigations without the knowledge of local IT staff may find that WEP-protected networks are a convenient point of covert entry to the network.
6-TKIP, AES, WPA, and WPA2: WEP did not provide the level of protection that its designers had intended, so the industry came up with something better to replace it: Wi-Fi Protected Access (WPA). WPA was a stop-gap measure designed to deal with some of the weaknesses of WEP, such as the lack of key rotation, by wrapping RC4 in the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for every frame and could run on existing WEP hardware. WPA2 (IEEE 802.11i) replaced TKIP with AES in CCMP mode. For the investigator the distinction matters: a WEP or TKIP network should be treated as weakly protected, whereas recovering data frames from a WPA2 network requires the key material.
C-802.1X: Impact on Wireless Networks. Implications for the Investigator. 802.1X was designed to provide a modular, extensible authentication framework for LANs regardless of physical medium. It can be used over wired or wireless networks, and it is designed to control access to the LAN at the port (or, for wireless, the association) level. Forensic investigators should be aware of 802.1X when it is used in the environment under investigation, because it limits access to the network and requires a back-end authentication server (typically RADIUS) that usually stores authentication logs: a record of which identity authenticated from which MAC address, through which access point, and when. 802.1X is the IEEE's standard for implementing the IETF's Extensible Authentication Protocol (EAP) over LANs. EAP was intended as an improvement to the Point-to-Point
2 -Wireless Access Points (WAPs) Why Investigate Wireless Access Points? Types of Wireless Access Points WAP Evidence
A-Why Investigate Wireless Access Points: Wireless access points are typically involved in forensic investigations for one of a few reasons. Wireless access points may contain locally stored logs of connection attempts, authentication successes and failures, and other local WAP activity. WAP logs can help you track the physical movements of a wireless client throughout a building or campus, because a client that roams associates with a sequence of access points whose locations are known. The WAP configuration may provide insight regarding how an attacker gained access to the network. The WAP configuration may have been modified by an unauthorized party as part of an attack. The WAP itself may be compromised.
B-Types of Wireless Access Points: There are a wide variety of wireless access points available. General classes of WAPs include enterprise and consumer devices. 1- Enterprise: Enterprise facilities typically span a much wider geographic range than home offices or small businesses, so enterprise-class WAPs are usually deployed in numbers and managed centrally through a controller or management console. 2- Consumer: Small businesses and home users often deploy consumer-class WAPs in their home and office environments. These devices are inexpensive and easy to configure for simple use, and they typically keep little log history.
C-WAP Evidence: Wireless access points contain both volatile and nonvolatile evidence, although their persistent storage capabilities tend to be very limited. WAPs can also send logs over the network to a remote repository such as a syslog server or a wireless controller. As with switches and routers, most of the evidence on WAPs tends to be quite volatile, so collect the live state (association tables, logs held in memory) before the device is rebooted or powered off. Enterprise-class WAPs tend to include the same functionality and range of evidence as wired routers, with the addition of wireless-specific capabilities.
Types of evidence that can be found on wireless access points: a history of connections by MAC address; a list of IP addresses associated with MACs (from the DHCP or ARP tables); historical logs of wireless events such as access requests, authentication successes and failures, and key rotation.
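As an added example of working with the WAP evidence just listed (my own Python, not part of the original presentation), the following parses a constructed, hypothetical access point log format and answers two of the questions raised above: where a client went, and which client was hammering an access point with failed authentications. The log lines, the ap-building-floor-unit naming convention and the MAC addresses are all invented for the example; real WAP and controller logs differ in format, but the correlation is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical WAP log (real vendors differ): timestamp, AP name, event, client MAC.
# AP names follow an invented ap-<building>-<floor>-<unit> convention, so an association implies a place.
WAP_LOG = """\
2013-04-02T09:01:12 ap-bldg1-fl1-01 assoc      client=00:21:6a:7e:11:22
2013-04-02T09:01:13 ap-bldg1-fl1-01 auth-ok    client=00:21:6a:7e:11:22
2013-04-02T09:20:40 ap-bldg1-fl1-01 disassoc   client=00:21:6a:7e:11:22
2013-04-02T09:21:05 ap-bldg1-fl2-03 assoc      client=00:21:6a:7e:11:22
2013-04-02T09:21:06 ap-bldg1-fl2-03 auth-ok    client=00:21:6a:7e:11:22
2013-04-02T09:25:00 ap-bldg1-fl2-03 assoc      client=00:21:6a:7e:11:22
2013-04-02T09:30:01 ap-bldg1-fl1-01 auth-fail  client=00:21:6a:7e:99:aa
2013-04-02T09:30:04 ap-bldg1-fl1-01 auth-fail  client=00:21:6a:7e:99:aa
2013-04-02T09:30:09 ap-bldg1-fl1-01 auth-fail  client=00:21:6a:7e:99:aa
2013-04-02T09:30:15 ap-bldg1-fl1-01 auth-fail  client=00:21:6a:7e:99:aa
2013-04-02T09:30:22 ap-bldg1-fl1-01 auth-fail  client=00:21:6a:7e:99:aa
2013-04-02T10:05:30 ap-bldg2-fl1-02 assoc      client=00:21:6a:7e:11:22
2013-04-02T09:44:10 ap-bldg1-fl2-03 auth-fail  client=00:21:6a:7e:11:22
this line is not a WAP event and is skipped
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(?P<ap>\S+)\s+(?P<event>\S+)"
                  r"\s+client=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$")

def parse_wap_logs(text):
    """Parse the constructed format into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        events.append({"time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
                       "ap": m.group("ap"), "event": m.group("event"), "mac": m.group("mac").lower()})
    return sorted(events, key=lambda e: e["time"])   # syslog delivery order is not time order

def movement_timeline(events, mac):
    """(first_seen, ap) for one client, collapsing repeated associations to the same AP."""
    path = []
    for e in events:
        if e["mac"] == mac and e["event"] == "assoc" and (not path or path[-1][1] != e["ap"]):
            path.append((e["time"], e["ap"]))
    return path

def location_of(ap_name):
    """Building and floor implied by the invented ap-<building>-<floor>-<unit> naming convention."""
    _, building, floor, _ = ap_name.split("-")
    return building, floor

def auth_failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """(mac, ap, total failures) for each client with >= threshold failed auths at one AP inside window."""
    fails = defaultdict(list)
    for e in events:                                  # events are sorted, so each list is too
        if e["event"] == "auth-fail":
            fails[(e["mac"], e["ap"])].append(e["time"])
    bursts = []
    for (mac, ap), times in fails.items():
        for i in range(len(times) - threshold + 1):   # sliding window over the failure times
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((mac, ap, len(times)))
                break
    return bursts

if __name__ == "__main__":
    evs = parse_wap_logs(WAP_LOG)
    for when, ap in movement_timeline(evs, "00:21:6a:7e:11:22"):
        print(when, ap, location_of(ap))
    print("bursts:", auth_failure_bursts(evs))
```

The single failed authentication by the roaming client is not reported; only the run of five failures within twenty seconds from the second MAC address is, which is the pattern to look for when a WAP's logs hold a key-guessing attempt.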
3- Wireless Traffic Capture and Analysis Spectrum Analysis Wireless Passive Evidence Acquisition Analyzing 802.11 Efficiently
A- Spectrum Analysis: There are, literally, an infinite number of frequencies over which data can be transmitted through the air. Sometimes the most challenging part of an investigator's job is simply identifying the wireless traffic in the first place. For Wi-Fi traffic, the IEEE utilizes three frequency ranges: 2.4 GHz (802.11b/g/n), 3.6 GHz (802.11y) and 5 GHz (802.11a/h/j/n). Each of these frequency ranges is divided into distinct channels, which are smaller frequency bands; in the 2.4 GHz band, for example, channels 1 through 13 are centered 5 MHz apart starting at 2412 MHz, and channel 14 sits at 2484 MHz. Although the IEEE has set globally recognized frequency boundaries for 802.11 protocols, individual countries typically allow only a subset of these frequency ranges. B-Wireless Passive Evidence Acquisition: In order to capture wireless traffic, investigators need an 802.11 wireless card capable of running in monitor mode, which delivers every frame overheard on the tuned channel rather than only frames addressed to the card. Many wireless cards do not support this capability. A card in monitor mode also sees only the channel it is tuned to, so a complete survey either hops channels (and misses frames while away) or uses one card per channel of interest. Furthermore, in order to ensure totally passive monitoring, it is preferable to use a special-purpose Wi-Fi monitoring card that can be configured to operate completely passively, so that the investigator's own device never transmits probe requests or acknowledgements that would reveal its presence.
C-Analyzing 802.11 Efficiently: In order to analyze captures efficiently we can use Wireshark, tcpdump and tshark. Wireshark decodes the 802.11 fields for you and therefore takes care of the endianness problem; for large packet captures in particular, tcpdump and tshark tend to be more efficient and scalable, and tshark accepts the same display filters as Wireshark, so a filter developed interactively on a sample can be rerun over a multi-gigabyte capture from the command line.
4-Common Attacks: Sniffing. Rogue Wireless Access Points. Evil Twin. WEP Cracking.
A-Sniffing: Eavesdropping on wireless traffic is extremely common, in part because it is so easy to do. From script kiddies in coffee shops to professional surveillance teams, wireless traffic monitoring is, frankly, popular. B-Rogue Wireless Access Points: Anyone can purchase a cheap WAP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points that allow them to bypass the firewall and remotely access the network later on. On the air, a rogue WAP shows up as a BSSID that is not in the organization's inventory.
C-Evil Twin: The Evil Twin attack is when an attacker sets up a WAP with the same SSID as one that is used in the local environment, usually in order to conduct a man-in-the-middle attack on 802.11 clients' traffic. Clients generally choose an access point by SSID and signal strength rather than by BSSID, so a twin with a stronger signal attracts them; in a capture it appears as a second BSSID advertising a familiar SSID, often with different security settings.
D-WEP Cracking: WEP is designed to encrypt the payload of data frames on a wireless network using a shared key. The key, once selected, is distributed to all stations as a preshared key (PSK). The PSK itself is never exposed on the network, and so it is expected to be shared in some out-of-band way between the stations that need it. Each station encrypts the payload of all data frames with the PSK and a randomly selected initialization vector (IV), so that the RC4 key changes for every frame. The problem with using an IV in a reversible, symmetric encryption algorithm such as RC4 is that stations have to supply the IV in plain text, and the IV is only 24 bits long. Each
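The IV problem described in the WEP sections above, as an added example (my own Python, not code from the original presentation or the book it summarizes): a compact RC4 and a WEP-style frame body (clear-text IV, key-id byte, RC4-encrypted payload plus CRC-32 integrity check value) are constructed here so the effect can be seen offline. Two frames encrypted under the same 24-bit IV leak the XOR of their plaintexts, eight bytes of keystream fall out of every frame because the LLC/SNAP header in front of IP is fixed, and the birthday bound shows how few frames it takes before an IV repeats. The key, IV and payloads are made up for the example.

```python
import struct
import zlib
from math import exp

def rc4(key, n):
    """RC4 keystream of n bytes (KSA + PRGA), the cipher WEP builds on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(psk, iv, payload):
    """WEP data-frame body: 3-byte IV in the clear, key-id byte, RC4(IV||PSK) over payload||CRC-32 ICV."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + b"\x00" + xor(payload + icv, rc4(iv + psk, len(payload) + 4))

def wep_decrypt(psk, body):
    """Return (payload, icv_ok); a receiver with the PSK regenerates the keystream from the clear IV."""
    iv, ct = body[:3], body[4:]
    pt = xor(ct, rc4(iv + psk, len(ct)))
    payload, icv = pt[:-4], pt[-4:]
    return payload, icv == struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

# Every data frame carrying IP starts with the same LLC/SNAP header: known plaintext for the eavesdropper.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")

def recover_keystream(body, known=LLC_SNAP_IP):
    """Without the PSK: ciphertext XOR known plaintext = the first bytes of keystream for this IV."""
    return body[:3], xor(body[4:4 + len(known)], known)

def iv_collision_leak(body_a, body_b):
    """Two frames under one IV share a keystream, so XORing the ciphertexts yields plaintext_a XOR plaintext_b."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs, the keystreams do not cancel")
    return xor(body_a[4:], body_b[4:])

def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: probability that at least one IV repeats among `frames` randomly chosen IVs."""
    return 1 - exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

# Constructed key, IV and payloads for the example.
PSK = bytes.fromhex("0102030405")                       # 40-bit WEP key
IV = bytes.fromhex("0a0b0c")                            # the IV both frames happen to pick
PAYLOAD_A = LLC_SNAP_IP + b"alice -> bob: meet at 10"
PAYLOAD_B = LLC_SNAP_IP + b"bob -> alice: bring keys"
BODY_A = wep_encrypt(PSK, IV, PAYLOAD_A)
BODY_B = wep_encrypt(PSK, IV, PAYLOAD_B)

if __name__ == "__main__":
    print("keystream from one frame:", recover_keystream(BODY_A)[1].hex())
    print("plaintext XOR from an IV collision:", iv_collision_leak(BODY_A, BODY_B).hex())
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

The 24-bit IV space holds 16,777,216 values, but by the birthday bound a repeat is more likely than not after about five thousand frames, and a busy access point sends that many in minutes. Each repeated IV hands the eavesdropper the XOR of two plaintexts without any knowledge of the key, and the fixed LLC/SNAP header turns every single frame into eight bytes of keystream for its IV.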
5-Locating Wireless Devices: Gather Station Descriptors. Identify Nearby Wireless Access Points. Signal Strength. Commercial Enterprise Tools.
A-Gather Station Descriptors: We can learn what a wireless device probably looks like from its network traffic: the manufacturer from the OUI of its MAC address, and the class of device from the SSIDs it probes for and the traffic it generates. B-Identify Nearby Wireless Access Points: The strategy for locating a wireless device will depend in part on the function of the device; an access point announces itself with beacons, whereas a client transmits only probe requests and its own traffic. C-Signal Strength: There are many tools, such as NetStumbler or Kismet, that will list the nearby wireless access points and show you their relative signal strengths. Often, you can locate a mysterious wireless device simply by viewing the signal strengths using one of these applications and walking in the direction of increasing signal strength. This works well in situations where the station of interest is not mobile. Take several readings at each position, because walls, antennas and other stations cause large swings in the received signal.
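The frequency-to-channel mapping from the spectrum analysis section, the signal-strength approach just described, and the evil-twin symptom from the attacks section (a second BSSID advertising a familiar SSID) in one added example, my own Python and not code from the original presentation. Monitor-mode captures on Linux normally carry a radiotap header in front of each 802.11 frame, which is where the receiving card records the channel frequency and the received signal strength in dBm; the code parses that header (with its per-field alignment rules), pulls SSID, BSSID and the Privacy capability bit out of beacons, ranks the access points by mean signal, and checks them against an allowlist. The captures, BSSIDs and the allowlist are constructed for the example.

```python
import struct

# Radiotap fields by present-bit index: (alignment, size in bytes), from the radiotap spec.
RADIOTAP_FIELDS = {
    0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2), 5: (1, 1), 6: (1, 1),
    7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1),
    14: (2, 2), 15: (2, 2), 16: (1, 1), 17: (1, 1), 18: (4, 8), 19: (1, 3),
    20: (4, 8), 21: (2, 12), 22: (8, 12),
}

def parse_radiotap(buf):
    """Return (header length, {freq, signal}) for the radiotap header at the start of buf."""
    version, _pad, length = struct.unpack_from("<BBH", buf, 0)      # everything is little-endian
    if version != 0 or length > len(buf):
        raise ValueError("not a radiotap header")
    off, present = 4, []
    while True:                                   # bit 31 set means another present word follows
        (word,) = struct.unpack_from("<I", buf, off)
        present.append(word)
        off += 4
        if not word & (1 << 31):
            break
    fields = {}
    for bit, (align, size) in RADIOTAP_FIELDS.items():   # decodes the first (standard) namespace only
        if not present[0] & (1 << bit):
            continue
        off = (off + align - 1) & ~(align - 1)    # each field is aligned relative to the header start
        if bit == 3:
            fields["freq"] = struct.unpack_from("<H", buf, off)[0]      # channel centre frequency, MHz
        elif bit == 5:
            fields["signal"] = struct.unpack_from("<b", buf, off)[0]    # antenna signal, signed dBm
        off += size
    return length, fields

def freq_to_channel(mhz):
    """Centre frequency to 802.11 channel number for the 2.4 GHz and 5 GHz bands."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 <= mhz < 6000:
        return (mhz - 5000) // 5
    raise ValueError("frequency outside the bands handled here: %d MHz" % mhz)

def parse_beacon(frame):
    """SSID, BSSID and Privacy bit from a beacon (frame control 80 00); None for any other frame."""
    if frame[0] != 0x80:
        return None
    bssid = ":".join("%02x" % b for b in frame[16:22])        # Address 3 carries the BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]       # after 8-byte timestamp + 2-byte interval
    ssid, off = None, 36                                      # tagged parameters start here
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        if tag == 0:                                          # tag 0 = SSID ('' when hidden)
            ssid = frame[off + 2:off + 2 + ln].decode("utf-8", "replace")
            break
        off += 2 + ln
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(capability & 0x0010)}

def survey(captures):
    """Group beacons by BSSID and rank access points by mean received signal, strongest first."""
    seen = {}
    for pkt in captures:
        rt_len, rt = parse_radiotap(pkt)
        info = parse_beacon(pkt[rt_len:])
        if info is None:
            continue
        rec = seen.setdefault(info["bssid"], dict(info, channel=freq_to_channel(rt["freq"]), signals=[]))
        rec["signals"].append(rt["signal"])
    for rec in seen.values():
        rec["mean_signal"] = sum(rec["signals"]) / len(rec["signals"])
    return sorted(seen.values(), key=lambda r: r["mean_signal"], reverse=True)

def evil_twin_candidates(records, authorized):
    """BSSIDs advertising an authorized SSID that are not on the allowlist or differ in security."""
    flagged = []
    for rec in records:
        known = authorized.get(rec["ssid"])
        if known and (rec["bssid"] not in known["bssids"] or rec["privacy"] != known["privacy"]):
            flagged.append(rec["bssid"])
    return flagged

# Constructed capture: radiotap (Flags, Rate, Channel, dBm signal present) followed by a beacon.
def make_radiotap(mhz, signal):
    body = struct.pack("<BB", 0x00, 0x0c)                               # flags, rate
    body += struct.pack("<HH", mhz, 0x00c0 if mhz < 3000 else 0x0140)  # channel, at a 2-byte boundary
    body += struct.pack("<b", signal)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), 0b101110) + body  # bits 1,2,3,5 present

def make_beacon(bssid, ssid, privacy):
    hdr = bytes.fromhex("80000000") + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))   # ESS (+ Privacy)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])

CORP_AP, TWIN_AP, CAFE_AP = (bytes.fromhex(h) for h in ("001122334455", "021122334455", "0caabbccddee"))
CAPTURES = [
    make_radiotap(2437, -67) + make_beacon(CORP_AP, "CORP", True),
    make_radiotap(2437, -70) + make_beacon(CORP_AP, "CORP", True),
    make_radiotap(5180, -41) + make_beacon(TWIN_AP, "CORP", False),     # open twin on channel 36
    make_radiotap(2412, -80) + make_beacon(CAFE_AP, "Guest-Cafe", False),
    make_radiotap(2437, -55) + bytes.fromhex("4000") + b"\x00" * 22,    # probe request, skipped
]
AUTHORIZED = {"CORP": {"bssids": {"00:11:22:33:44:55"}, "privacy": True}}
```

Running `survey(CAPTURES)` puts the twin first because it is the strongest signal, which is also what a client would see; `evil_twin_candidates` then singles it out because its BSSID is not on the allowlist and it advertises the corporate SSID without the Privacy bit. The same per-BSSID mean signal, taken at several positions, is what you compare while walking toward the device.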
D-Commercial Enterprise Tools: Enterprises that deploy campus-wide wireless LANs often install central management consoles, which include mapping and station tracking capabilities. Vendors such as Aruba and Cisco offer specialized wireless tracking and WIDS (wireless intrusion detection system) software for use in these environments. Skyhook: The Skyhook Wireless Positioning System (WPS) is a proprietary location tracking service provided by Skyhook Wireless. It is an extremely popular alternative to GPS, especially because it works well indoors and can provide results with 10-30 m accuracy in urban environments where GPS is less effective. It works by looking up the BSSIDs a device can hear in a database of surveyed access point locations, which is also why a WAP's MAC address can place it on a map.
Conclusion: We talked about the types of evidence that you can gather from wireless access points, and touched on wireless traffic capture and analysis. We reviewed common attacks on wireless networks that investigators should be familiar with, so that you can recognize them in the field. Finally, we discussed one of the most common hurdles facing wireless network forensic investigators: locating the wireless devices themselves.