Digital forensics. Wireless Network Forensics Unplugged. ALNAZIF NOHAMMED

Digital forensics Wireless Network Forensics Unplugged ALNAZIF NOHAMMED alnadeef@yahoo.com

Topics
1- The IEEE Layer 2 Protocol Series
2- Wireless Access Points (WAPs)
3- Wireless Traffic Capture and Analysis
4- Common Attacks
5- Locating Wireless Devices
6- Conclusion

Quick introduction: Wireless devices have exploded in popularity during the past decade. Common types of wireless devices and networks include:
AM/FM radios
Cordless phones
Cell phones
Bluetooth headsets
Infrared devices, such as TV remotes
Wireless doorbells
Wi-Fi (802.11) LAN networking over RF
WiMAX (802.16) last-mile broadband
We will focus our attention on 802.11 Wi-Fi networks specifically, because this type of network is extremely common both in the enterprise and at home.

1-The IEEE Layer 2 Protocol Series
Why So Many Layer 2 Protocols?
The 802.11 Protocol Suite
802.1X

A-Why So Many Layer 2 Protocols: For forensic investigators, it is important to realize that if you are capturing traffic from a wireless network, there may well be stations actively participating in the network that you cannot overhear from your vantage point, due to signal strength. This is unlike wired media, where voltages propagate much more reliably through copper or fiber cables. This simple fact has far-reaching effects on both the data link layer protocols themselves and the forensic analysis of wireless evidence.

B-The 802.11 Protocol Suite
1- Frame Types: The 802.11 protocol suite defines different types of frames. For forensic investigators, different types of frames contain different types of evidence, as we will see. There are three types of 802.11 frames:
Management Frames: Govern communications between stations, except flow control.
Control Frames: Support flow control over a variably available medium (such as RF).
Data Frames: Encapsulate the Layer 3+ data that moves between stations actively engaged in communication on a wireless network.

Forensic value: management and control frames are not encrypted, so these clear-text frames provide a wealth of information as to which stations are trying to communicate, in which ways, and with whom. If the wireless network is not encrypted, or if you have access to the encryption key and can gain access to unencrypted data frames, then you can capture and analyze the wireless traffic at Layer 3 and above.

2- Frame Analysis: The order in which bits are transmitted in the 802.11 protocol suite is not straightforward. This can cause forensic analysts to produce incorrect results if they are not careful. To fully understand how the bits we capture correspond to protocol charts and field descriptions, we can use the concept of endianness.

3-Network-Byte Order (TCP/IP, but NOT 802.11): Network forensic analysts are used to viewing captured bits in big-endian form. The IP protocol specifies that bits are transmitted across the network in big-endian order. This is often referred to as network-byte order.
4-802.11 Endianness: The IEEE 802.11 specification transmits bits in a different order from the TCP/IP protocol suite, which most network forensic analysts are familiar with. Mixed-endian? 802.11 is neither big-endian nor little-endian, but is best described as mixed-endian. While the bit ordering within each individual data field is big-endian, the fields themselves are transmitted in reverse order within the byte boundaries.
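As an added illustration (not code from the original presentation), the following Python parser decodes the Frame Control, Duration, address and Sequence Control fields of a few constructed 802.11 MAC headers, showing how the sub-fields map when byte 0 is read least-significant-field first and how the 16-bit fields are little-endian; the sample frames and station MAC addresses are made up for the example.

```python
import struct
from collections import Counter

# Constructed sample frames (MAC header only, no FCS), hand-built for this example and
# not taken from a real capture: a beacon, a WEP-protected data frame and an RTS.
SAMPLE_FRAMES = [
    bytes.fromhex("8000" "0000" "ffffffffffff" "020000000100" "020000000100" "1000"),
    bytes.fromhex("0841" "2c00" "020000000100" "020000000200" "020000000300" "a002"),
    bytes.fromhex("b400" "9400" "020000000100" "020000000200"),
]
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {
    0: {0: "Association Request", 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
        10: "Disassociation", 11: "Authentication", 12: "Deauthentication"},
    1: {11: "RTS", 12: "CTS", 13: "ACK"},
    2: {0: "Data", 4: "Null", 8: "QoS Data"},
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame_control(fc):
    """Decode the 2-byte Frame Control field. Its sub-fields sit least-significant-first
    within byte 0 (version = bits 0-1, type = bits 2-3, subtype = bits 4-7), which is why
    a naive left-to-right reading of a protocol chart gives the wrong answer."""
    b0, b1 = fc[0], fc[1]
    return {"version": b0 & 0x03, "type": (b0 >> 2) & 0x03, "subtype": b0 >> 4,
            "to_ds": bool(b1 & 0x01), "from_ds": bool(b1 & 0x02),
            "retry": bool(b1 & 0x08), "protected": bool(b1 & 0x40)}

def parse_mac_header(frame):
    """Parse Frame Control, Duration, addresses and Sequence Control (little-endian 16-bit)."""
    fc = parse_frame_control(frame[0:2])
    info = {"fc": fc, "duration": struct.unpack_from("<H", frame, 2)[0],
            "addr1": mac_str(frame[4:10])}
    if fc["type"] == 1:                 # control frames carry RA and, for RTS, TA only
        if len(frame) >= 16:
            info["addr2"] = mac_str(frame[10:16])
        return info
    info["addr2"], info["addr3"] = mac_str(frame[10:16]), mac_str(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq & 0x0F, seq >> 4   # low 4 bits, high 12 bits
    return info

def describe(frame):
    """Return 'Type/Subtype', e.g. 'Management/Beacon'."""
    fc = parse_frame_control(frame[0:2])
    name = SUBTYPES.get(fc["type"], {}).get(fc["subtype"], f"subtype {fc['subtype']}")
    return f"{FRAME_TYPES.get(fc['type'], 'Reserved')}/{name}"

def tally(frames):
    """Count frames per type: the first question to ask of a wireless capture."""
    return Counter(describe(f).split("/")[0] for f in frames)
```

The "protected" flag in byte 1 is what tells the analyst a data frame's payload is WEP/WPA encrypted and cannot be read at Layer 3 without the key.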

5-Wired Equivalent Privacy (WEP): Wired Equivalent Privacy (WEP) is part of the 802.11 standards, published by the IEEE. It was proposed as a way to enable a WAP to provide a private network, similar to the environment that a wired hub could provide due to the natural limitations of its physical media. To gain access to a WEP-encrypted wireless network, users need knowledge of a shared secret key in order to reach the wireless hub's service at Layer 2.

Forensic investigators should assume that WEP-protected segments are at high risk of compromise and may be a likely vector for unauthorized network intrusions. On the plus side, investigators who are (legally) conducting covert investigations without the knowledge of local IT staff may find that WEP-protected networks are a convenient point of covert entry to the network.

6-TKIP, AES, WPA, and WPA2: WEP did not provide the level of protection that its designers had intended, so something better was devised to replace it: Wi-Fi Protected Access (WPA). WPA was a stop-gap measure designed to deal with some of the weaknesses of WEP, such as the lack of key rotation.

C-802.1X: 802.1X was designed to provide a modular, extensible authentication framework for LANs (regardless of physical medium). It can be used over wired or wireless networks, and it is designed to control access to the LAN. Forensic investigators should be aware of 802.1X when it is used in the environment under investigation, because it limits access to the network and requires a back-end authentication system that typically stores access logs. 802.1X is the IEEE's standard for implementing the IETF's Extensible Authentication Protocol (EAP) over LANs. EAP was intended as an improvement to the Point-to-Point
Impact on Wireless Networks
Implications for the Investigator

2-Wireless Access Points (WAPs)
Why Investigate Wireless Access Points?
Types of Wireless Access Points
WAP Evidence

A-Why Investigate Wireless Access Points: Wireless access points are typically involved in forensic investigations for one of a few reasons:
Wireless access points may contain locally stored logs of connection attempts, authentication successes and failures, and other local WAP activity.
WAP logs can help you track the physical movements of a wireless client throughout a building or campus.
The WAP configuration may provide insight regarding how an attacker gained access to the network.
The WAP configuration may have been modified by an unauthorized party as part of an attack.
The WAP itself may be compromised.

B-Types of Wireless Access Points: There is a wide variety of wireless access points available. General classes of WAPs include enterprise and consumer devices.
1- Enterprise: Enterprise facilities typically span a much wider geographic range than home offices or small businesses.
2- Consumer: Small businesses and home users often deploy consumer-class WAPs in their home and office environments. These devices are inexpensive and easy to configure for simple use.

C-WAP Evidence: Wireless access points contain both volatile and nonvolatile evidence, although their persistent storage capabilities tend to be very limited. WAPs can also send logs over the network to a remote repository. As with switches and routers, most of the evidence on WAPs tends to be quite volatile. Enterprise-class WAPs tend to include the same functionality and range of evidence as wired routers, with the addition of wireless-specific capabilities.

Types of evidence that can be found on wireless access points:
History of connections by MAC address
List of IPs associated with MACs
Historical logs of wireless events (access requests, key rotation, etc.)

3-Wireless Traffic Capture and Analysis
Spectrum Analysis
Wireless Passive Evidence Acquisition
Analyzing 802.11 Efficiently

A-Spectrum Analysis: There are, literally, an infinite number of frequencies over which data can be transmitted through the air. Sometimes the most challenging part of an investigator's job is simply identifying the wireless traffic in the first place. For Wi-Fi traffic, the IEEE utilizes three frequency ranges:
2.4 GHz (802.11b/g/n)
3.6 GHz (802.11y)
5 GHz (802.11a/h/j/n)
Each of these frequency ranges is divided into distinct channels, which are smaller frequency bands. Although the IEEE has set globally recognized frequency boundaries for 802.11 protocols, individual countries typically allow only a subset of these frequency ranges.
B-Wireless Passive Evidence Acquisition: In order to capture wireless traffic, investigators need an 802.11 wireless card capable of running in monitor mode. Many wireless cards do not support this capability. Furthermore, in order to ensure totally passive monitoring, it is preferable to use a special-purpose WiFi monitoring card that can be configured to operate completely passively.

C-Analyzing 802.11 Efficiently: To analyze efficiently we can use tcpdump and tshark. Wireshark can be used to sort out the endianness problem, but for large packet captures in particular, tcpdump and tshark tend to be more efficient and scalable.

4-Common Attacks
Sniffing
Rogue Wireless Access Points
Evil Twin
WEP Cracking

A-Sniffing: Eavesdropping on wireless traffic is extremely common, in part because it is so easy to do. From script kiddies in coffee shops to professional surveillance teams, wireless traffic monitoring is, frankly, popular.
B-Rogue Wireless Access Points: Anyone can purchase a cheap WAP and plug it into the company network. Often, employees do this simply for the sake of convenience, not realizing that it opens the company to attack. Criminals also deliberately plant wireless access points that allow them to bypass the pesky firewall and remotely access the network later on.

C-Evil Twin: The Evil Twin attack is when an attacker sets up a WAP with the same SSID as one that is used in the local environment, usually in order to conduct a man-in-the-middle attack on 802.11 clients' traffic.
D-WEP Cracking: WEP is designed to encrypt the payload of data frames on a wireless network using a shared key. The key, once selected, is distributed to all stations as a preshared key (PSK). The PSK itself is never exposed on the network, and so it is expected to be shared in some out-of-band way between the stations that need it. Each station encrypts the payload of all data frames with the PSK and a randomly selected initialization vector (IV) so that the encryption key changes for every frame. The problem with using an IV in a reversible, symmetric encryption algorithm, such as RC4, is that stations have to supply the IV in plain text. Each
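An added example, not part of the original slides: a defender's check for the Evil Twin case above. It parses beacon frames (constructed here) and flags any beacon that advertises a known SSID from a BSSID that is not in an assumed inventory of the organisation's own access points (KNOWN_APS, a made-up allowlist; the MAC addresses are also made up).

```python
import struct

# Known-good inventory, constructed for this example: SSID -> BSSIDs the organisation
# actually operates (in practice exported from the WLAN controller or WAP configs).
KNOWN_APS = {"CorpWiFi": {"02:00:00:00:01:00", "02:00:00:00:01:01"}}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_beacon(bssid, ssid, channel):
    """Hand-build a beacon frame (no FCS) laid out as a monitor-mode capture delivers it."""
    bssid_b = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid_b + bssid_b + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, beacon interval, capability
    tagged = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])  # SSID, DS Parameter
    return header + fixed + tagged

# Constructed capture: a legitimate AP, a guest network, a data frame, and a second
# "CorpWiFi" advertised from a BSSID that is not in the inventory.
SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:01:00", "CorpWiFi", 6),
    build_beacon("02:00:00:00:02:00", "Guest", 1),
    b"\x08\x41" + b"\x00" * 22,
    build_beacon("02:00:00:00:99:99", "CorpWiFi", 11),
]

def parse_beacon(frame):
    """Return {bssid, ssid, channel} for a beacon, or None for any other frame."""
    fc0 = frame[0]
    if ((fc0 >> 2) & 0x03) != 0 or (fc0 >> 4) != 8:   # type Management, subtype Beacon
        return None
    info = {"bssid": mac_str(frame[16:22]), "ssid": None, "channel": None}
    body = frame[36:]            # skip 24-byte MAC header and 12 bytes of fixed parameters
    i = 0
    while i + 2 <= len(body):    # walk the tagged parameters: tag, length, value
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:  # truncated element: stop rather than misparse
            break
        if tag == 0:
            info["ssid"] = value.decode(errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        i += 2 + length
    return info

def find_evil_twins(frames, known=KNOWN_APS):
    """Flag beacons that advertise a known SSID from a BSSID outside the inventory."""
    suspects = []
    for frame in frames:
        beacon = parse_beacon(frame)
        if beacon and beacon["ssid"] in known and beacon["bssid"] not in known[beacon["ssid"]]:
            suspects.append(beacon)
    return suspects
```

Enterprise WLANs legitimately advertise one SSID from many BSSIDs, which is why the check keys on the inventory rather than on SSID duplication alone; since a BSSID can be forged, treat a hit as a triage lead to correlate with channel and signal strength rather than as proof.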

5-Locating Wireless Devices
Gather Station Descriptors
Identify Nearby Wireless Access Points
Signal Strength
Commercial Enterprise Tools

A-Gather Station Descriptors: We can learn what a wireless device probably looks like from its network traffic.
B-Identify Nearby Wireless Access Points: The strategy for locating a wireless device will depend in part on the function of the device.
C-Signal Strength: There are many tools, such as NetStumbler or Kismet, that will list the nearby wireless access points and show you their relative signal strengths. Often, you can locate a mysterious wireless device simply by viewing the signal strengths using one of these applications and walking in the direction of increasing signal strength. This works well in situations where the station of interest is not mobile.

D-Commercial Enterprise Tools: Enterprises that deploy campus-wide wireless LANs often install central management consoles, which include mapping and station tracking capabilities. Vendors such as Aruba and Cisco offer specialized wireless tracking and WIDS software for use in these environments.
Skyhook: The Skyhook Wireless Positioning System (WPS) is a proprietary location tracking service provided by Skyhook Wireless. It is an extremely popular alternative to GPS, especially because it works well indoors and can provide results with 10 to 30 m of accuracy in urban environments where GPS is less effective.

Conclusion: We talked about the types of evidence that you can gather from wireless access points, and touched on wireless traffic capture and analysis. We reviewed common attacks on wireless networks that investigators should be familiar with, so that you can recognize them in the field. Finally, we discussed one of the most common hurdles facing wireless network forensic investigators.