Module XXIX – Investigating Wireless Attacks



EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Verifying Wireless Hackers for Homeland Security

Source: http://www.sciencedaily.com/


News: Cops Roped in to Provide Security for Planned Wi-Fi Network

Source: http://www.expressindia.com/


Module Objective

This module will familiarize you with:

• Wireless Networking Technologies
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Association of Wireless AP and Device
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Wireless Components
• Active and Passive Wireless Scanning Techniques
• Tools


Module Flow

• Wireless Network Technologies
• Wireless Components
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Active and Passive Wireless Scanning Techniques
• Tools


Wireless Networking Technologies

Wireless networking technology is becoming increasingly popular, and at the same time many security issues are arising with it

The popularity of wireless technology is driven by two primary factors: convenience and cost

A Wireless Local Area Network (WLAN) allows workers to access digital resources without being tied to their desks

Some of the wireless networking technologies are as follows:

• Bluetooth
• InfraRed
• Ultrawideband
• ZigBee
• Wireless USB
• Wi-Fi
• WiMAX
• Satellite


Wireless Networks

There are four basic types:

• Peer-to-Peer
• Extension to a wired network
• Multiple access points
• LAN-to-LAN wireless network

[Figure: diagrams of the four topologies, showing access points, extension points, wireless networks and wired Ethernet networks]


Wireless Attacks

Wardriving:

• Wardriving is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere

Warflying:

• Warflying involves flying around in an aircraft looking for open wireless networks

Warchalking:

• The term warchalking comes from whackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access


Passive Attack

Eavesdropping on the network traffic is the typical form of a passive attack

Passive attacks are difficult to detect

An administrator using DHCP on a wireless network could detect that an unauthorized MAC address has acquired an IP address by reviewing the DHCP server logs

An eavesdropper can easily capture the network traffic using tools such as Network Monitor in Microsoft products, tcpdump on Linux-based systems, or AirSnort


Threats from Electronic Emanations

Electronic emanations are the radiations from an electrical or electronic device

Threats from electronic emanations:

Eavesdropping:

• Unauthorized listening to private conversations
• Electronic emanations send the information to the destined system
• Since the wireless network is insecure, attackers take advantage of emanations to listen to or manipulate the information

Data leakage:

• Leakage of information through emanations

Sniffing:

• Attackers can capture and decode the information from the emanations


Active Attacks on Wireless Networks

If an intruder obtains adequate information from the passive attack, the network becomes more vulnerable to an active attack, which can seize a system through:

• DoS Attacks
• MiTM Attack
• Hijacking and Modifying a Wireless Network


Denial-of-Service Attacks

Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs

WLANs send information via radio waves on public frequencies, making them susceptible to inadvertent or deliberate interference from traffic using the same radio band


Man-in-the-Middle Attack (MITM)

Two types of MITM:

Eavesdropping:

• Happens when an attacker receives a data communication stream
• Not using security mechanisms such as IPsec, SSH, or SSL makes data vulnerable to an unauthorized user

Manipulation:

• An extended step of eavesdropping
• It can be done by ARP poisoning


Hijacking and Modifying a Wireless Network

TCP/IP packets go through switches, routers, and APs

Each device looks at the destination IP address and compares it with its table of local IP addresses

If the address is not in the table, the device hands the packet to its default gateway

This table is a dynamic one that is built up from traffic passing through the device and through Address Resolution Protocol (ARP) notifications from new devices joining the network


Hijacking and Modifying a Wireless Network (cont’d)

There is no authentication or verification of the validity of the requests received by the device

An attacker sends messages to routing devices and APs stating that his MAC address is associated with a known IP address

All traffic that goes through that device destined for the hijacked IP address will then be handed off to the hacker's machine
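As an added example (not part of the EC-Council module), the following Python detector looks at the mechanism above from the defender's side: it keeps a baseline of trusted IP-to-MAC bindings (for instance copied from the access point's attached-devices list) and flags ARP replies that rebind a known IP or that have one station answering for several IPs; the MAC addresses and baseline are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    """One observed ARP reply: the sender claims sender_ip is at sender_mac."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # baseline: trusted IP -> MAC bindings, e.g. copied from the access point's
    # "Attached Devices" page or the DHCP log before the capture started.
    baseline: dict
    seen: dict = field(default_factory=dict)      # last MAC claimed for each IP
    claimed: dict = field(default_factory=dict)   # MAC -> set of IPs it claims
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        new_alerts = []
        expected = self.baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            new_alerts.append(f"{ip}: {mac} contradicts baseline {expected.lower()}")
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            new_alerts.append(f"{ip}: binding changed from {previous} to {mac}")
        self.seen[ip] = mac
        ips = self.claimed.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            # One station answering for several IPs (typically a host and the
            # gateway) is the signature of a man-in-the-middle relay.
            new_alerts.append(f"{mac}: claims multiple IPs {sorted(ips)}")
        self.alerts.extend(new_alerts)
        return new_alerts


# Constructed sample replies: the gateway announces itself, a host announces
# itself, then a third station (locally administered MAC) claims both.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "00:11:22:AA:BB:01"),
    ArpReply("10.0.0.12", "00:1b:63:aa:bb:cc"),
    ArpReply("10.0.0.1", "02:33:44:55:66:77"),
    ArpReply("10.0.0.12", "02:33:44:55:66:77"),
]


def run_sample(replies=SAMPLE_REPLIES):
    """Feed the sample replies through a monitor and return all alerts."""
    monitor = ArpMonitor(baseline={"10.0.0.1": "00:11:22:aa:bb:01"})
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts
```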


Association of Wireless AP and Device

Association of AP and wireless device may take place in either of the following ways:

• MAC filtering
• Pre-Shared Key (PSK) or use of encryption

If active traffic is being sent between the access point and the associated device, your wireless forensic laptop can display network packet statistics


Network Forensics in a Wireless Environment

Forensic fingerprints can be gathered from:

• Devices connected to wireless networks such as laptops, network storage devices, Ethernet cards, Bluetooth and IR dongles
• Mobile devices and removable devices which store data
• Wireless network, mobile switching center and visitor location center
• Neighboring networks that the caller accesses


Steps for Investigation

1. Obtain a search warrant
2. Identify wireless devices
3. Document the scene and maintain a chain of custody
4. Detect the wireless connections
5. Determine wireless field strength
6. Map wireless zones & hotspots
7. Connect to the wireless network
8. Wireless data acquisition and analysis
9. Report generation


Key Points to Remember

While conducting a penetration test, the investigator should keep note of the following:

• The active wireless access points physically located within the search warrant scene
• External wireless access points with signal coverage that overlaps the search warrant scene
• Which devices connect or are actively connected to associated access points
• The approximate range (footprint) and signal strength of the examiner's wireless network card


Points You Should Not Overlook While Investigating the Wireless Network

A visual inspection of broadband modems will quickly determine if a wireless access point is physically connected

Investigators should be able to determine whether a home network uses cable, DSL, or another method of connecting to the Internet

If a wireless access point is physically located, the initial goal is to determine its associated devices by directly connecting to it via a network cable


Obtain a Search Warrant

A search warrant application should include the proper language to perform on-site examination of computer and wireless related equipment

Conduct a forensic examination only on the equipment that the warrant permits to be searched


Document the Scene and Maintain a Chain Of Custody

All devices connected to the wireless network must be documented

Take photographs of all evidence

Document the state of the device during seizure

Maintain a chain of custody of documents, photographs, and evidence


Identify Wireless Devices

Identify the different wireless devices connected to the network

Check the physical location of the following wireless hardware:

• Routers
• Access points
• Repeaters
• Hard drives
• Antennas
• PCMCIA/EIA


Wireless Components

Antenna

Wireless Access points

Wireless Router

Wireless Modem

SSID

Mobile Station

Base Station Subsystem

Network Subsystem

Base station controller

Mobile Switching Center


Search for Additional Devices

Send de-authentication packets using the Aireplay tool

This may force active wireless equipment to reconnect to its default wireless access point; the reconnection traffic is captured by the forensic laptop (since the laptop is running in promiscuous mode)

Aireplay is an additional wireless assessment tool found within the aircrack portion of the BackTrack folder

The Aireplay tool injects specially crafted data packets into the wireless stream


Detect Wireless Connections

Wireless connections are detected using scanning tools such as:

• NetStumbler
• MacStumbler
• iStumbler
• Kismet
• KisMAC


Detect Wireless Enabled Computers

Check the number of authorized computers, laptops, and PDAs connected to the wireless LAN APs

Check for the public IP and MAC addresses using scanning tools such as Nmap


Manual Detection of Wireless APs

In manual detection, the investigator configures a mobile device such as a handheld PC or laptop

The investigator then physically visits the area to be monitored to detect WAPs

This can be done by War-Driving, War-Chalking, and War-Flying


Active Wireless Scanning Technique

In the active scanning technique, a scanner broadcasts a probe message and waits for responses from devices in range

This technique identifies many WAPs but cannot find those WAPs that do not respond to such queries


Passive Wireless Scanning Technique

Passive scanning technique identifies the presence of any wireless communication

It detects all the active WAP connections


Detect WAPs using the Nessus Vulnerability Scanner

The Nessus Vulnerability Scanner can be used to detect wireless access points

For detecting the WAP the following steps are performed:

• Update Nessus with plugin #11026 by running the nessus-update-plugins command
• Configure a new scan by selecting plugin #11026 in the "General" family
• Enable a port scan for ports 1-100
• Disable "Safe Checks"
• Enable "Enable Dependencies at Runtime"


Capture Wireless Traffic

Capture wireless traffic using wireless network monitoring and sniffing tools such as:

• Wireshark
• tcpdump


Tool: Wireshark

Wireshark is a network protocol analyzer for Unix and Windows

It allows examination of data from a live network or from a captured file on disk

It allows the user to see all traffic being passed over the network by putting the network interface into promiscuous mode

Wireshark runs on various computer operating systems including Linux, Mac OS X, and Microsoft Windows


Features of Wireshark

Data can be captured from a live network connection

Live data can be read from different types of network, such as Ethernet

Captured data can be browsed via GUI or via command line

Captured files can be programmatically edited

Display filters can also be used to selectively highlight and color packet summary information

Data display can be refined using a display filter

Hundreds of protocols can be dissected


Wireshark: Screenshot


Tool: tcpdump

tcpdump is a common computer network debugging tool that runs under the command line

It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached


tcpdump Commands

Exporting tcpdumps to a file:

# tcpdump -l port 80 > webdump.txt & tail -f webdump.txt   (-l line-buffers the output so the file can be followed live; options must come before the filter expression)
# tcpdump -w rawdump                                        (write raw packets to the file rawdump)
# tcpdump -r rawdump > rawdump.txt                          (read the raw file back and decode it to text)
# tcpdump -c1000 -w rawdump                                 (stop after 1000 packets)
# tcpdump -i eth1 -c1000 -w rawdump                         (capture on interface eth1)

Capture traffic on a specific port:

# tcpdump port 80

You can select several hosts on your LAN and capture the traffic that passes between them:

# tcpdump host workstation4 and workstation11 and workstation13


tcpdump Commands (cont’d)

Capture all the LAN traffic between workstation4 and the LAN, except for workstation (-e prints the link-level header, i.e. the MAC addresses, with each packet):

# tcpdump -e host workstation4 and workstation11 and workstation13

You can capture all packets except those for certain ports:

# tcpdump not port 110 and not port 25 and not port 53 and not port 22

Filter by protocol:

# tcpdump udp
# tcpdump ip proto OSPFIGP

To capture traffic on a specific host and restrict by protocol:

# tcpdump host server02 and ip
# tcpdump host server03 and not udp
# tcpdump host server03 and ip and igmp and not udp


ClassicStumbler

ClassicStumbler scans and displays the wireless access points information within range

It displays the information about the signal strength, noise strength, signal to noise ratio, and channel of the access point


Wireless Network Monitoring Tools

MacStumbler displays information about nearby 802.11b and 802.11g wireless access points which helps to find access points while traveling or to diagnose wireless network problems

iStumbler is the wireless tool for Mac OS X, providing plugins for finding AirPort networks, Bluetooth devices, and Bonjour services with your Mac


Wireless Network Monitoring Tools (cont’d)

AirPort Signal tool scans for open networks in range and creates a table row for each station detected with information about the signals it received

AirFart detects wireless devices, and calculates their signal strength


Kismet

Kismet is completely passive, capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed networks

It requires an 802.11b card capable of entering RF monitoring mode; once in RF monitoring mode, the card is no longer able to associate with a wireless network

Kismet needs to run as root, but can switch to a lesser-privileged UID once it begins to capture

To hop across channels, run kismet_hopper -p

A closed network with no authenticated clients is shown as <nossid>, which is updated when a client logs on


Kismet: Screenshot


Determine Wireless Field Strength: Field Strength Meters (FSM)

http://www.vk1od.net/fsm/

FSM is a software application that extends a conventional SSB receiver to allow measurement and calculation of the field strength of radio signals or interference

Features:

• Measurement of true RMS, quasi-peak and peak audio power
• Calculation of received RF power (RMS, QP, and Peak) in dBm based on a known receiver noise floor
• Calculation of field strength (RMS, QP, and Peak) in dBuV/m based on a known antenna gain or antenna factor
• Extrapolation of calculated field strengths to a normalized (1 Hz) bandwidth for comparisons
• Flexible output options to save results to text files, email, and online/nearline web transactions


Prepare Wireless Zones & Hotspots Maps

Collect the information after detecting the wireless connections

Analyze it properly to prepare the map

Prepare a static map of wireless zones and hotspots

Map the network using tools such as MS Visio


Methods to Access a Wireless Access Point

Direct-connect to the wireless access point (if you have easy direct access)

"Sniffing" traffic between the access point and associated devices (when direct access is not available)

NOTE: In this module we are showcasing NETGEAR Wireless Router as an example


1. Direct-connect to the Wireless Access Point

You need a network cable plugged between your forensics laptop and the wireless access point

The forensics laptop should have a standard network adapter

Determine whether the laptop has to be assigned an IP address

If the wireless access point is DHCP enabled then the laptop will automatically be assigned an IP in the same network range


1. Direct-connect to the Wireless Access Point (cont’d)

If the DHCP is not enabled, you need to assign the IP address to the forensics laptop that is in the same “Class” of the wireless access point

The IP address of the wireless access point can be determined by typing the command “ipconfig” in the command prompt


1. Direct-connect to the Wireless Access Point (cont’d)

Once you get the IP address of the wireless access point try connecting to it using a web browser

A login window will pop up and will ask to fill in the credentials for obtaining access to the wireless access point


1. Direct-connect to the Wireless Access Point (cont’d)

Most of the time customers forget to change the default administrator account of the wireless access point

You can search for the default login and password after you confirm the hardware vendor on physical inspection

Visit the below link to find the default information of the wireless access point


Default Credentials List


1. Direct-connect to the Wireless Access Point (cont’d)

If you log in to the wireless access point successfully, you will see a screen similar to the one shown below:


1. Direct-connect to the Wireless Access Point (cont’d)

Click on Attached Devices to find the number of connections made to the wireless access point

It shows the IP address, Device name, and MAC address of each computer attached to the wireless access point


1. Direct-connect to the Wireless Access Point (cont’d)

Click on LAN IP Setup to find the LAN TCP/IP setup


1. Direct-connect to the Wireless Access Point (cont’d)

Since you are connected over LAN to the wireless access point a “ping-sweep” can reveal other connected systems on the network

Nmap can be used to perform “ping-sweep” and other functions related to scanning

Nmap is a free open source utility for network exploration which is designed to rapidly scan large networks


Nmap

Features

• Nmap is used to carry out port scanning, OS detection, version detection, ping sweep, and many other techniques
• It scans a large number of machines at one time
• It is supported by many operating systems
• It can carry out all types of port scanning techniques


Scanning Wireless Access Points using Nmap

Another method to find live hosts on the network is by using nmap

Since we know the IP address of the access point, the following range of addresses needs to be scanned: 10.0.0.X/24

Execute the following command at the command prompt:

nmap -sP -v 10.0.0.1/24

The result of the above scan will show all the live hosts in the same subnet; the vendor and MAC address information will be displayed on the screen

To find more information on a specific address, e.g. 10.0.0.1, execute the command given below:

nmap -sS -A 10.0.0.1


Rogue Access Point

A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network

The two basic methods for locating rogue access points:

• Beaconing, i.e. requesting a beacon
• Network sniffing, i.e. looking for packets in the air

Tools that can detect rogue/unauthorized access points are NetStumbler, MiniStumbler, etc.


Tools to Detect Rogue Access Points: Netstumbler

NetStumbler is a Windows utility for WarDriving written by Marius Milner

Netstumbler is a high-level WLAN scanner; it operates by sending a steady stream of broadcast packets on all possible channels

Access points (APs) respond to broadcast packets to verify their existence, even if beacons have been disabled

NetStumbler displays:

• Signal Strength
• MAC Address
• SSID
• Channel details


Netstumbler: Screenshot


Tools to Detect Rogue Access Points: MiniStumbler

MiniStumbler is the smaller sibling of a free product called NetStumbler

By default, most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen. This flaw in WLAN is used by MiniStumbler

It can connect to a global positioning system (GPS)


2. “Sniffing” Traffic Between the Access Point and Associated Devices

The forensics laptop is placed between the access point and its associated devices, in promiscuous mode

In this mode, the forensics laptop captures all the information flowing within range

The BackTrack tool is used to find associated devices in the wireless network

After installing BackTrack, the first step is to run Airodump

Download the Airodump tool from http://www.aircrack-ng.org, or launch it from BackTrack

The 'Aircrack Suite' within BackTrack has two programs, Airodump and Aireplay


Scanning using Airodump

The Airodump program runs in 'Scan' mode

This tool scans all the wireless channels while searching for access points

The scan report shows 8 columns of information: BSSID, PWR, Beacons, #Data, CH, MB, ENC and ESSID


Scanning using Airodump (cont’d)

BSSID: MAC address of the access point

PWR: Relative strength of the wireless signal as received at the location from where the tool scanned the network

Beacons: Number of beacon packets received

#Data: Number of packets that can be decrypted

CH: Channel

MB: Current rate of data transfer in megabits per second

ENC: Encryption level set on the access point

ESSID: Name of the device


Scanning using Airodump (cont’d)

To confirm the scanning result, the investigator can match the MAC address obtained from scanning to the MAC address present on a label on the scanned Wireless Access point

Make note of the CH (channel) setting

The screenshot in the previous slide shows the "netgear" wireless router operating on channel 6

Select channel 6 while rescanning with Airodump

The switch "-c 6" restricts the scan to wireless access points present on channel 6

"Ctrl+C" stops the Airodump scanning process


Airodump: Screenshot


MAC Address Information

The vendor of the wireless access point can be determined from its MAC address

Visit http://www.coffer.com/mac_find/ and enter the MAC address to find the vendor information

Note that the MAC address is easy to change with a few software settings, so it identifies the vendor of the hardware only if it has not been altered


Airodump: Points to Note

Columns “BSSID”, “CH” and “ESSID” have information that will be useful during the initial phase of the scan

The investigator should concentrate on the "Packets" column in the association list

The “Beacons” column does not reflect data passing between the access point and associated equipment

If Airodump cannot determine the state of encryption on the access point, the ENC portion will display “WEP?”

Airodump requires several packets to make a determination of the type of encryption being used
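An added example, not code from the module: a Python helper that parses the eight-column scan table described above (constructed sample rows), restricts the result to one channel as the "-c" switch does, marks "WEP?" as undetermined, flags locally administered BSSIDs of the kind a MAC changer produces, and checks the scanned MAC against the one printed on the device label. The OUI table is a constructed sample, not the IEEE registry.

```python
import re

# Row format of the airodump scan table described on the slides:
# BSSID PWR Beacons #Data CH MB ENC ESSID (ESSID may be empty for a closed network)
ROW_RE = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<pwr>-?\d+)\s+"
    r"(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\S+)\s+"
    r"(?P<enc>\S+)\s*(?P<essid>.*?)\s*$"
)

# Constructed OUI table for this example only; real lookups use the IEEE
# registry (or the coffer.com lookup named on the slide).
SAMPLE_OUI = {"00:14:6C": "Vendor-A (sample)", "00:09:5B": "Vendor-B (sample)"}

# Constructed scan output in the eight-column layout.
SAMPLE_SCAN = """\
 BSSID              PWR  Beacons   #Data  CH  MB   ENC  ESSID
 00:14:6C:7E:40:80   62       24      11   6  54   WPA  netgear
 00:09:5B:1C:AA:1D   48        9       0  11  11   WEP? linksys
 02:1A:2B:3C:4D:5E   30        3       0   6  54   OPN
"""


def parse_scan(text):
    """Turn the scan table into a list of dicts, one per access point."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank or client-association lines
        rows.append({
            "bssid": m["bssid"].upper(), "pwr": int(m["pwr"]),
            "beacons": int(m["beacons"]), "data": int(m["data"]),
            "ch": int(m["ch"]), "mb": m["mb"], "enc": m["enc"],
            "essid": m["essid"],
        })
    return rows


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address is not from the
    IEEE-assigned OUI space, which is what a software MAC change usually produces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def triage(rows, channel=None, label_mac=None, oui_table=SAMPLE_OUI):
    """Annotate each access point with the checks the slides describe."""
    out = []
    for r in rows:
        if channel is not None and r["ch"] != channel:
            continue  # equivalent of rescanning with the -c switch
        flags = []
        if r["enc"] == "WEP?":
            flags.append("encryption undetermined, capture more packets")
        if r["essid"] == "":
            flags.append("closed network (no SSID in beacons)")
        if is_locally_administered(r["bssid"]):
            flags.append("locally administered MAC, possibly changed in software")
        if r["data"] == 0:
            flags.append("no data frames seen, beacons only")
        vendor = oui_table.get(r["bssid"][:8], "unknown OUI")
        matches = label_mac is not None and r["bssid"] == label_mac.upper()
        out.append({**r, "vendor": vendor, "matches_label": matches, "flags": flags})
    return out
```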


Forcing Associated Devices to Reconnect

The Aireplay tool attempts to confuse the connected wireless devices by sending de-authentication packets

The wireless devices are made to think that the wireless access point is not functioning; once disconnected, the devices attempt to reconnect to the same access point

Airodump should be running in the background while the de-authentication packets are sent

Use the command given below to send de-authentication packets:

aireplay-ng --deauth 5 -a {MAC of AP} {interface}

Where:

• MAC of AP: MAC address of the access point
• interface: the wireless network card to send from

If physical access to the wireless access point is available, unplug the device and plug it back in. At the same time make sure that Airodump is running on the forensics laptop

Note that the reset button is NOT pressed
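Added example (not the module's code): a Python detector for the de-authentication bursts described above. It parses raw 802.11 management frames (assuming no radiotap header, which the capture tool would strip first) and alerts when one BSSID emits a threshold number of deauth/disassoc frames within a short window; the sample frames are constructed inside the block and exist only as detector input.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_SUBTYPES = {10: "disassoc", 12: "deauth"}
# A small subset of the IEEE 802.11 reason codes.
REASON_CODES = {1: "unspecified", 3: "station is leaving",
                7: "class 3 frame from non-associated station"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Parse an 802.11 MAC header (no radiotap prefix). Returns None unless the
    frame is a deauthentication or disassociation management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return {"kind": MGMT_SUBTYPES[subtype], "dst": _mac(frame[4:10]),
            "src": _mac(frame[10:16]), "bssid": _mac(frame[16:22]),
            "reason": reason, "reason_text": REASON_CODES.get(reason, "other")}


class DeauthDetector:
    """Alert when one BSSID is seen sending `threshold` deauth/disassoc frames
    within `window` seconds. A genuine AP rarely deauthenticates stations in a
    burst, and a burst aimed at the broadcast address is a strong indicator."""

    def __init__(self, threshold=5, window=2.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # bssid -> timestamps inside the window
        self.alerts = []

    def feed(self, ts, frame):
        p = parse_frame(frame)
        if p is None:
            return None
        q = self.recent[p["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:   # alert once, as the burst crosses the line
            alert = {"bssid": p["bssid"], "count": len(q), "at": ts,
                     "broadcast": p["dst"] == BROADCAST, "reason": p["reason_text"]}
            self.alerts.append(alert)
            return alert
        return None


def sample_frame(dst, src, bssid, reason=7):
    """Constructed deauthentication frame bytes used only as detector input:
    frame control 0xC0 (management/deauth), duration, the three addresses,
    sequence control, then the little-endian 16-bit reason code."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return (b"\xc0\x00" + b"\x00\x00" + to_bytes(dst) + to_bytes(src)
            + to_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason))


def run_sample():
    """One genuine-looking deauth from one AP, then six broadcast deauths in
    half a second from another: only the burst should raise an alert."""
    ap = "00:14:6c:7e:40:80"
    det = DeauthDetector(threshold=5, window=2.0)
    det.feed(0.0, sample_frame("00:1b:63:aa:bb:cc", "00:09:5b:1c:aa:1d",
                               "00:09:5b:1c:aa:1d", reason=3))
    for i in range(6):
        det.feed(10.0 + i * 0.1, sample_frame(BROADCAST, ap, ap))
    return det.alerts
```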


Check for MAC Filtering

Aireplay-ng can be used to determine whether the target access point uses MAC filtering

Attempt a forced association if the wireless network card of the forensics laptop supports packet injection

If MAC filtering is active on the target access point, the association will be denied

Open a terminal window within BackTrack

At the command prompt, type the command given below:

aireplay-ng --fakeauth 0 -e {target ESSID} -a {MAC address of AP} -h {MAC address of your forensic laptop's wireless card} {interface}

An example would be:

aireplay-ng --fakeauth 0 -e belkin54g -a 00:11:50:53:9A:24 -h 00:20:A6:52:23:30 {interface}


Check for MAC Filtering (cont’d)

An unsuccessful attempt does not by itself indicate MAC filtering at the target access point

If an associated MAC address is shown while scanning with airodump-ng, attempt to re-associate by spoofing the forensics laptop's MAC address

Within the BackTrack program, select “BackTrack”, “Wireless Tools”, “Miscellaneous”, “MAC Changer”

Once the command is executed a message will be displayed showing whether the authentication and association were successful


Changing the MAC Address

Before changing the MAC, the wireless network card of the forensics laptop should not be active; close airodump-ng or any other program that uses the network card before continuing

If required, force the card to shut down by typing:

ifconfig {interface} down

Command to change the MAC address:

macchanger -m {MAC of currently associated device} {interface}


Changing the MAC Address (cont’d)

The screenshot below shows a list of available options for “macchanger”


Changing the MAC Address (cont’d)

Reactivate the forensics laptop's wireless network card using the command given below:

ifconfig {interface} up

Attempt an authentication and association to the access point using the spoofed MAC address

If you see the “success” message, MAC filtering is indeed active on the access point

If MAC filtering is turned off and encryption is turned on, this method of authentication will not yield any success

After the MAC address is changed, the display will show the previous and new MAC address and vendor settings


Wireless Data Acquisition and Analysis

Acquire the DHCP logs, firewall logs, and network logs

Use fwanalog and Firewall Analyzer to view the firewall log files

Analyze log files for:

• DHCP log files for issued MAC addresses
• Firewall logs for intrusions
• Network logs for intrusion activities
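Added example, not part of the module: Python that parses constructed ISC dhcpd-style DHCPACK syslog lines and performs the DHCP-log check described on the slides, reporting leases issued to MACs outside an authorized inventory, an IP that moves between MACs, and a hostname that reappears with a new MAC (the trace a software MAC change leaves behind). The authorized list and the log lines are constructed sample values.

```python
import re

# ISC dhcpd logs a granted lease as:
#   dhcpd: DHCPACK on <ip> to <mac> (<hostname>) via <interface>
# The "(hostname)" part is only present when the client sent one.
DHCPACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed syslog lines in dhcpd's format (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:15:02 gw dhcpd: DHCPACK on 10.0.0.12 to 00:1b:63:aa:bb:cc (alice-laptop) via eth0
Mar  3 10:16:40 gw dhcpd: DHCPREQUEST for 10.0.0.13 from 00:09:5b:1c:aa:1d via eth0
Mar  3 10:17:45 gw dhcpd: DHCPACK on 10.0.0.13 to 00:09:5b:1c:aa:1d via eth0
Mar  3 10:20:11 gw dhcpd: DHCPACK on 10.0.0.12 to 02:33:44:55:66:77 (alice-laptop) via eth0
"""

# Constructed inventory of MAC addresses the site administrator issued.
AUTHORIZED = ["00:1b:63:aa:bb:cc", "00:09:5b:1c:aa:1d"]


def parse_leases(text):
    """Extract the granted leases (DHCPACK lines) in log order."""
    leases = []
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(),
                           "host": m["host"] or "", "iface": m["iface"],
                           "raw": line})
    return leases


def analyze_leases(leases, authorized):
    """Return (kind, subject, detail) findings:
    unauthorized_mac  - a lease went to a MAC outside the inventory
    ip_reassigned     - the same IP was handed to a different MAC
    hostname_new_mac  - a known hostname came back with a different MAC"""
    authorized = {m.lower() for m in authorized}
    findings = []
    ip_to_mac, host_to_mac = {}, {}
    for lease in leases:
        mac, ip, host = lease["mac"], lease["ip"], lease["host"]
        if mac not in authorized:
            findings.append(("unauthorized_mac", mac, ip))
        prev = ip_to_mac.get(ip)
        if prev and prev != mac:
            findings.append(("ip_reassigned", ip, f"{prev}->{mac}"))
        ip_to_mac[ip] = mac
        if host:
            prev_host_mac = host_to_mac.get(host)
            if prev_host_mac and prev_host_mac != mac:
                findings.append(("hostname_new_mac", host, f"{prev_host_mac}->{mac}"))
            host_to_mac[host] = mac
    return findings


def run_sample():
    return analyze_leases(parse_leases(SAMPLE_LOG), AUTHORIZED)
```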


Wireless Data Acquisition and Analysis (cont’d)

Decrypt the encrypted log files

Crack the password-protected log files using the Hydra and Cain & Abel tools

Analyze the traffic shown by sniffing tools such as Wireshark

Check the following log files:

• Registry analysis
• USB device footprints
• Network connection history logs
• Wireless device logs


Report Generation

Details about the findings:

• Information about the files
• Internet-related evidence
• Data and image analysis

Note the name of the investigator

List of wireless evidence

Documents of the evidence and other supporting items

List of tools used for investigation

Devices and set up used in the examination

Brief description of examination steps

Conclusion of the investigation


Summary

Association of a wireless AP and device may take place in either of two ways: MAC filtering, or a Pre-Shared Key (PSK) or use of encryption

Methods to access a wireless access point include direct-connecting to the wireless access point and "sniffing" traffic between the access point and associated devices

A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network

The vendor of the wireless access point can be determined from its MAC address

Eavesdropping on the network traffic is the typical form of a passive attack

To investigate wireless attacks, keep a check on DHCP log files for issued MAC addresses, firewall logs for intrusions and network logs for intrusion activities
