Wireless Traffic Analysis. Kelcey Tietjen DF Written Report 10/03/06

Executive Summary

Wireless traffic analysis provides many investigational leads for a forensic examination. It can provide the who, what, where, when, and how to the forensic expert involved in an incident response. The tools commonly used are either commercial, such as AirDefense, or open source, such as Kismet and Wireshark. These tools work in a similar manner: they monitor the wireless traffic and analyze it either on their own or through a subject matter expert looking at the captured data. With the emergence of wireless networks and their growing popularity in standard business implementations, research needs to be done to deter and detect attacks and compromises beyond the scope of what is available today. This research, such as device fingerprinting and traffic modeling, will help protect wireless networks and provide a means for better forensic examination.

Digital Forensics Purpose

Wireless traffic analysis serves many forensic purposes; these purposes are similar to those of wired traffic analysis but add the signatures of the 802.11x protocol. One purpose of forensics on wireless traffic is to allow investigators to identify a computer security incident. You can identify the intrusion or attack by looking at the traffic passed on the network. By looking at this traffic you can also detect many other things, such as the culprits involved in the attack, build a better timeline of events, and ensure compliance with corporate or government policies.

The three basic types of wireless network capture techniques are event monitoring, trap and trace, and full content packet capture. Event monitoring is done with an IDS or a logging device that sends an alert when a threshold has been reached. These alerts tell you that the corresponding event has happened, and further investigation can be done if the alert is not considered a false positive. The trap and trace method looks at the headers of the packets sent and not at the content of the traffic. This form of analysis allows for detection of anomalies in traffic or traces of how the attack happened. The most comprehensive traffic analysis is full packet data analysis. This technique allows the investigator to look at the content of the traffic that is transferred and gives the most evidence when performing an investigation. The problem with full packet capture is that the more data is collected, the harder it is to mine through it to find what is meaningful. Data mining and high technical skills are needed to analyze this data in its raw form. Implementing tools to capture the data is very similar to wired networks but requires tweaking of these tools for the 802.11x protocol (Prosise).

State of Practice

The current state of practice involves many commercial and open source tools. Currently used commercial wireless network analyzers are AirDefense, AirMagnet and AiroPeek. These tools are mainly used to troubleshoot wireless networks but are an excellent source for forensic analysis as well. The open source tools commonly used are Wireshark, formerly known as Ethereal, and Kismet. Kismet is an IDS suite and wireless protocol analyzer in one. Kismet can be used on a UNIX-like system or on a Windows-based system using Cygwin. Kismet captures traffic on the network, and these capture dumps can be analyzed by Kismet, Wireshark or AirSnort (Vladimirov). Kismet works as a passive traffic detector: it does not send any packets out to detect traffic, clients or access points. Kismet also offers optional channel hopping, which allows the traffic analysis to take place across multiple channels in a random rather than sequential order. This non-sequential channel hopping allows Kismet to capture more packets than it otherwise would (Wikipedia).

Wireshark can be used to analyze network data dumps, but it can also capture the data itself, provided another program has put your network card into a sniffing mode; the same is true for Kismet. On the wired side of networks, putting your network card into a sniffing mode is called promiscuous mode, but in the wireless world it is called putting your device into monitor mode. Each device has its own way of activating monitor mode depending on the card type. Once your device is in monitor mode you can install Wireshark to capture and analyze packets. Wireshark captures the 802.11x protocol along with the Logical Link Control (LLC) protocol. The 802.11x network captures will contain the basics of arrival time and capture length. LLC will contain ARP packets, IP packets and TCP segments if the traffic is unencrypted or the encryption key is known. With the encryption key added into the Wireshark options you can decrypt traffic that has been captured either by Kismet or by Wireshark itself. The types of information that Wireshark currently captures include the source and destination of the packet, transmitter address, source address, receiver address, destination address, BSSID, frame type, ToDS flag, FromDS flag, retry flag, protected frame flag (WEP), WEP initialization vector, TKIP IV, CCMP IV, and key identifier, to name a few. Wireshark supports comparison operators and filters on types of data to make your analysis easier.

The other protocol transmitted over wireless is LLC. This protocol frees 802.11 from having to carry higher-layer protocols directly: LLC attaches a SNAP header to the packet that identifies these other protocols. Useful information contained in this header is the control field, telling you whether the packet is a connectionless data transfer or whether the data needs to be acknowledged; the organizationally unique identifier (OUI), which tells you how to interpret the bytes in the packet; and the protocol type, such as IP or ARP. With this captured data you can find many other useful signatures that will help with an investigation. You would be able to identify the source of an attack from the source address, or, if there is a rogue access point on your network to which company data is being sent and thereby stolen, you could identify that access point by its BSSID. Depending on the type of data you capture you can then further investigate how an attack is being carried out or, if full packet data capture monitoring is implemented, the actual data that was compromised.
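To make the header fields listed above concrete, the following is an added example (not code from the report or from Wireshark or Kismet) that parses the 802.11 frame control bits, resolves the source, destination, receiver, transmitter and BSSID addresses from the ToDS/FromDS flags, and then reads either the WEP IV and key identifier or the LLC/SNAP control field, OUI and protocol type. The two sample frames are constructed for the example and assume a raw 802.11 frame with no radiotap header or trailing FCS.

```python
# Added example, not from the report: extract the 802.11 and LLC/SNAP header
# fields that Wireshark shows for a captured data frame.
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211(frame):
    """Parse one raw 802.11 frame (no radiotap header, no trailing FCS assumed)."""
    fc0, fc1 = frame[0], frame[1]
    info = {"type": FRAME_TYPES.get((fc0 >> 2) & 0x3, "reserved"),
            "subtype": fc0 >> 4,
            "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
            "retry": bool(fc1 & 0x08), "protected": bool(fc1 & 0x40)}
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    info["receiver"], info["transmitter"] = _mac(a1), _mac(a2)
    body = 24  # offset of the frame body after the 3-address header
    # Which slot holds SA, DA and BSSID is decided by the ToDS/FromDS bits.
    if not info["to_ds"] and not info["from_ds"]:   # STA to STA (IBSS)
        da, sa, bssid = a1, a2, a3
    elif info["from_ds"] and not info["to_ds"]:     # AP to STA
        da, bssid, sa = a1, a2, a3
    elif info["to_ds"] and not info["from_ds"]:     # STA to AP
        bssid, sa, da = a1, a2, a3
    else:                                           # WDS: fourth address, no BSSID
        da, sa, bssid, body = a3, frame[24:30], None, 30
    info.update(src=_mac(sa), dst=_mac(da), bssid=_mac(bssid) if bssid else None)
    if info["type"] != "data":
        return info
    if info["subtype"] & 0x8:    # QoS data subtypes carry a 2-byte QoS control field
        body += 2
    if info["protected"]:
        # WEP: 3-byte IV, then a byte whose top two bits give the key index
        info.update(wep_iv=frame[body:body + 3].hex(), key_id=frame[body + 3] >> 6)
    else:
        dsap, ssap, ctrl = frame[body:body + 3]
        oui = frame[body + 3:body + 6]
        (ethertype,) = struct.unpack("!H", frame[body + 6:body + 8])
        info.update(llc_control=ctrl, connectionless=(ctrl == 0x03),
                    snap_oui=oui.hex(), ethertype=f"0x{ethertype:04x}")
    return info

# Constructed sample frames (not real captures): an unencrypted ARP data frame
# from a station to its AP, and a WEP-protected frame from the AP to a station.
SAMPLE_ARP = bytes.fromhex("0801" "0000" "001122334455" "66778899aabb"
                           "ffffffffffff" "1000" "aaaa03" "000000" "0806")
SAMPLE_WEP = bytes.fromhex("0842" "0000" "66778899aabb" "001122334455"
                           "0a0b0c0d0e0f" "2000" "010203" "40")
```

Calling `parse_80211(SAMPLE_ARP)` reports the AP's BSSID in address 1 and an ARP ethertype of 0x0806, while `parse_80211(SAMPLE_WEP)` reports the protected flag, the IV 010203 and key index 1 instead of an LLC header.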
Along with being able to capture your own encrypted data and then decrypt it, you also have to watch out for your network being sniffed and decrypted. Decrypting the current algorithms for wireless encryption can easily be done, and there are tools, such as AirSnort, that do this (Gast).

Gaps in Technology

A current gap in technology is the ability to characterize wireless traffic into specific services. It would be easier to detect an attack on your network if your traffic deviated from the standard behavior captured in such models. You could characterize your traffic into models such as voice, email, images, video, web access or multimedia services. With these models you can also cut down the amount of data to examine when you are looking for specific evidence and ignore the other models of network traffic. This research is currently taking place at the University of Calgary and Saskatchewan (icore).

State of Research

Some of the current research on wireless traffic analysis is being done at Sandia National Laboratories (SNL). SNL is developing ways to fingerprint wireless devices and in turn find out which of those devices are vulnerable to an attack. Device driver vulnerabilities were showcased at the recent Defcon, with an Apple computer being rootkitted through an exploitable device driver. SNL takes a statistical approach to identifying these vulnerable drivers, using the data that a wireless device sends out to find an access point. The data sent out to find access points is proprietary and can be used to identify the make and model of the hardware. This analysis is seventy-seven to ninety-six percent correct and presents opportunities for attacks (Physorg.com).

Future of Wireless Traffic Analysis Research

The future of wireless traffic research is going to be in the area of encryption. Today's encryption algorithms are easy to break and not secure. This presents current researchers with the problem of being able to decrypt stronger algorithms. Being able to decrypt this traffic is vital to its analysis; without the designated key the traffic tells you nothing except how it is encrypted. Another area of research and technology is the ability to hide the traffic altogether. If the network is not detected, you will not have to worry about it being compromised or attacked.

Bibliography

icore. 1 Oct. 2006 <http://icore.ca.research_wiretraffic.htm>.
Gast, Matthew S. "Chapter 24. 802.11 Network Analysis." 802.11 Wireless Networks: The Definitive Guide. O'Reilly, 2002. Online 13 Sept. 2006.
Physorg.com. 1 Oct. 2006 <http://www.physorg.com/news77297467.html>.
Prosise, Chris, Kevin Mandia, and Matt Pepe. "Collect Network Based Evidence." Incident Response and Computer Forensics. 2nd ed. McGraw-Hill Osborne Media, 17 July 2003.
Wikipedia. 1 Oct. 2006 <http://en.wikipedia.org/wiki/kismet>.
Vladimirov, Andrew A., Konstantin V. Gavrilenko, and Andrei A. Mikhailovsky. "Monitor Mode Network Discovery and Traffic Analysis Tools." Wi-Foo: The Secrets of Wireless Hacking. Pearson / Addison Wesley, 2004. Online 16 Sept. 2006.