Module XXIX – Investigating Wireless Attacks
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Contents
News: Verifying Wireless Hackers for Homeland Security
News: Cops Roped in to Provide Security for Planned Wi-Fi Network
Module Objective
Module Flow
Wireless Networking Technologies
Wireless Networks
Wireless Attacks
Passive Attack
Threats from Electronic Emanations
Active Attacks on Wireless Networks
Denial-of-Service Attacks
Man-in-the-Middle Attack (MITM)
Hijacking and Modifying a Wireless Network
Association of Wireless AP and Device
Network Forensics in a Wireless Environment
Steps for Investigation
Key Points to Remember
Points You Should Not Overlook While Investigating the Wireless Network
Obtain a Search Warrant
Document the Scene and Maintain a Chain of Custody
Identify Wireless Devices
Wireless Components
Search for Additional Devices
Detect Wireless Connections
Detect Wireless-Enabled Computers
Manual Detection of Wireless APs
Active Wireless Scanning Technique
Passive Wireless Scanning Technique
Detect WAPs using the Nessus Vulnerability Scanner
Capture Wireless Traffic
Tool: Wireshark
Features of Wireshark
Tool: tcpdump
tcpdump Commands
ClassicStumbler
Wireless Network Monitoring Tools
Kismet
Determine Wireless Field Strength
Prepare Wireless Zones & Hotspots Maps
Methods to Access a Wireless Access Point
1. Direct-connect to the Wireless Access Point
Default Credentials List
Nmap
Scanning Wireless Access Points using Nmap
Rogue Access Point
Tools to Detect Rogue Access Points
2. "Sniffing" Traffic Between the Access Point and Associated Devices
Scanning using Airodump
MAC Address Information
Airodump: Points to Note
Forcing Associated Devices t...
Check for MAC Filtering
Changing the MAC Address
Wireless Data Acquisition and Analysis
Report Generation
Summary
(Only the slides up to "Rogue Access Point" are reproduced in full below; for the later slides only the titles are available.)
News: Verifying Wireless Hackers for Homeland Security
Source: http://www.sciencedaily.com/

News: Cops Roped in to Provide Security for Planned Wi-Fi Network
Source: http://www.expressindia.com/
Module Objective
This module will familiarize you with:
• Wireless Networking Technologies
• Wireless Attacks
• Hijacking and Modifying a Wireless Network
• Association of Wireless AP and Device
• Network Forensics in a Wireless Environment
• Steps for Investigation
• Wireless Components
• Active and Passive Wireless Scanning Techniques
• Tools

Module Flow
1. Wireless Network Technologies
2. Wireless Attacks
3. Hijacking and Modifying a Wireless Network
4. Network Forensics in a Wireless Environment
5. Steps for Investigation
6. Wireless Components
7. Active and Passive Wireless Scanning Techniques
8. Tools
Wireless Networking Technologies
Wireless networking technology is becoming increasingly popular, and many security issues are arising with it
The popularity of wireless technology is driven by two primary factors: convenience and cost
A Wireless Local Area Network (WLAN) allows workers to access digital resources without being tied to their desks
Some of the wireless networking technologies are:
• Bluetooth
• InfraRed
• Ultrawideband
• ZigBee
• Wireless USB
• Wi-Fi
• WiMAX
• Satellite

Wireless Networks
There are four basic types:
• Peer-to-peer: stations communicate directly with each other, with no access point
• Extension to a wired network: one access point bridges a wireless network to a wired Ethernet network
• Multiple access points: several access points (Access Point 1, Access Point 2, ...) share one wired Ethernet network, each serving its own wireless network
• LAN-to-LAN wireless network: two access points, each attached to its own wired Ethernet network, link the two LANs over the air

Wireless Attacks
• Wardriving: the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere
• Warflying: flying around in an aircraft looking for open wireless networks
• Warchalking: the term comes from "whackers" (wireless hackers) who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access
Passive Attack
Eavesdropping on network traffic is the typical passive attack
Passive attacks are difficult to detect, because the eavesdropper transmits nothing
An administrator using DHCP on a wireless network may notice in the DHCP server logs that an unauthorized MAC address has acquired an IP address, but only if the eavesdropper actually joins the network; a card listening in monitor mode never does
An eavesdropper can easily capture network traffic using tools such as Network Monitor on Microsoft products, tcpdump on Linux, or AirSnort

Threats from Electronic Emanations
Electronic emanations are the radiation given off by an electrical or electronic device
Threats from electronic emanations:
• Eavesdropping: unauthorized listening to private conversations; emanations carry information beyond the intended destination system, and since the wireless medium is open, attackers take advantage of emanations to listen to or manipulate the information
• Data leakage: leakage of information through emanations
• Sniffing: attackers capture and decode the information carried by the emanations

Active Attacks on Wireless Networks
If an intruder obtains adequate information from a passive attack, the network becomes more vulnerable to an active attack, which can seize a system through:
• DoS attacks
• MITM attacks
• Hijacking and modifying a wireless network

Denial-of-Service Attacks
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs
WLANs send information via radio waves on shared, unlicensed frequencies, making them susceptible to inadvertent or deliberate interference from other traffic using the same radio band

Man-in-the-Middle Attack (MITM)
Two types of MITM:
• Eavesdropping: happens when an attacker receives a data communication stream; not using security mechanisms such as IPsec, SSH, or SSL leaves the data readable by an unauthorized user
• Manipulation: an extended step of eavesdropping in which the attacker alters the traffic; it can be done by ARP poisoning

Hijacking and Modifying a Wireless Network
TCP/IP packets go through switches, routers, and APs
Each device looks at the destination IP address and compares it with the addresses in its local table
If the address is not in the table, the device hands the packet to its default gateway
This table is dynamic: it is built up from traffic passing through the device and from Address Resolution Protocol (ARP) announcements from new devices joining the network

Hijacking and Modifying a Wireless Network (cont'd)
There is no authentication or verification of the validity of an ARP request or reply received by the device
The attacker sends ARP messages to routing devices and APs stating that his MAC address is associated with a known IP address (typically the gateway's)
All traffic passing through that device and destined for the hijacked IP address is then handed to the attacker's machine
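The hijack described on the two slides above leaves a simple trace in a capture: the same IP address is claimed by two different MAC addresses. The following is an added example, not code from EC-Council or from any tool the module names, that parses raw Ethernet/ARP frames and flags such a re-binding. The MAC and IP addresses, the frames and the names (ArpWatch, detect_hijack) are all constructed for illustration.

```python
# Added example (not EC-Council's code): detect the ARP-based hijack described
# above by watching ARP replies and gratuitous announcements and flagging any
# IP address whose claimed MAC changes.  Addresses and frames are constructed.
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns (opcode, sender_mac, sender_ip, target_mac, target_ip), or None for
    anything that is not a well-formed ARP frame (wrong ethertype, truncated)."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)


class ArpWatch:
    """Keep the IP->MAC bindings asserted by ARP and report changes.

    A reply, or a gratuitous request (sender IP == target IP), that re-binds an
    IP already bound to a different MAC is exactly what the hijacker emits."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def feed(self, frame: bytes) -> Optional[Tuple[str, str, str]]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sender_mac, sender_ip, _tha, target_ip = parsed
        if op != ARP_REPLY and not (op == ARP_REQUEST and sender_ip == target_ip):
            return None                      # ordinary requests assert nothing
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
            return None
        if known != sender_mac:
            self.bindings[sender_ip] = sender_mac   # follow the new, suspect claim
            return (sender_ip, known, sender_mac)
        return None


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, dst: str) -> bytes:
    """Construct an Ethernet/ARP frame (used only to build the sample below)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth = mac(dst) + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


def detect_hijack(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Run every frame through ArpWatch; return (ip, old_mac, new_mac) alerts."""
    watch = ArpWatch()
    return [a for a in (watch.feed(f) for f in frames) if a is not None]


# Constructed scenario: the gateway 10.0.0.1 is really at 00:1e:2a:11:22:33; a
# station at 00:0c:29:aa:bb:cc then claims that IP with a gratuitous ARP and
# keeps answering for it, so the victim's traffic is handed to the attacker.
GATEWAY_MAC, ATTACKER_MAC = "00:1e:2a:11:22:33", "00:0c:29:aa:bb:cc"
VICTIM_MAC, BCAST, ZERO = "00:16:cb:44:55:66", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "10.0.0.5", ZERO, "10.0.0.1", BCAST),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5", VICTIM_MAC),
    build_arp(ARP_REQUEST, ATTACKER_MAC, "10.0.0.1", ZERO, "10.0.0.1", BCAST),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5", VICTIM_MAC),
]

if __name__ == "__main__":
    for ip_addr, old, new in detect_hijack(SAMPLE_FRAMES):
        print(f"ALERT: {ip_addr} moved from {old} to {new}")
```

On a real capture (for example a tcpdump file read back with a pcap library) only the frame bytes change; the first binding seen is trusted, so run the detector from the start of the capture or seed the table from the router's own attached-devices list.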
Association of Wireless AP and Device
Association between an AP and a wireless device may be restricted in either of the following ways:
• MAC filtering
• Pre-Shared Key (PSK) or other use of encryption
If active traffic is being sent between the access point and the associated device, your wireless forensic laptop can display network packet statistics

Network Forensics in a Wireless Environment
Forensic fingerprints can be gathered from:
• Devices connected to wireless networks, such as laptops, network storage devices, Ethernet cards, and Bluetooth and IR dongles
• Mobile devices and removable devices that store data
• The wireless network, the mobile switching center, and the visitor location register
• Neighboring networks that the caller accesses

Steps for Investigation
1. Obtain a search warrant
2. Document the scene and maintain a chain of custody
3. Identify wireless devices
4. Detect the wireless connections
5. Determine wireless field strength
6. Map wireless zones and hotspots
7. Connect to the wireless network
8. Wireless data acquisition and analysis
9. Report generation

Key Points to Remember
While surveying the scene, the investigator should keep note of the following:
• The active wireless access points physically located within the search warrant scene
• External wireless access points whose signal coverage overlaps the search warrant scene
• Which devices connect, or are actively connected, to the associated access points
• The approximate range (footprint) and signal strength of the examiner's own wireless network card

Points You Should Not Overlook While Investigating the Wireless Network
A visual inspection of the broadband modem quickly determines whether a wireless access point is physically connected to it
Investigators should be able to determine whether a home network uses cable, DSL, or another method of connecting to the Internet
If a wireless access point is physically located, the initial goal is to determine its associated devices by connecting to it directly via a network cable

Obtain a Search Warrant
The search warrant application should include the proper language to permit on-site examination of computer and wireless-related equipment
Conduct forensic examination only on the equipment that the warrant permits to be searched

Document the Scene and Maintain a Chain of Custody
• All devices connected to the wireless network must be documented
• Take photographs of all evidence
• Document the state of each device at the time of seizure (powered on or off, connected or not)
• Maintain a chain of custody for documents, photographs, and evidence

Identify Wireless Devices
Identify the different wireless devices connected to the network
Check the physical location of the following wireless hardware:
• Routers
• Access points
• Repeaters
• Hard drives (wireless network storage)
• Antennas
• PCMCIA/EIA cards

Wireless Components
• Antenna
• Wireless access point
• Wireless router
• Wireless modem
• SSID
• Mobile station
• Base station subsystem
• Network subsystem
• Base station controller
• Mobile switching center
Search for Additional Devices
Send de-authentication packets using the Aireplay tool (aireplay-ng)
This forces associated wireless clients to drop and re-establish their connection to their access point; the forensic laptop, with its wireless card in monitor mode, captures the probe, authentication, and association frames (and any WPA handshake) exchanged during the reconnection, which reveals client MAC addresses that were idle and would otherwise not have been seen
Aireplay is an additional wireless assessment tool from the aircrack-ng suite, which ships with BackTrack
The Aireplay tool injects specially crafted frames into the wireless stream
De-authentication is an active, traffic-generating step: it interrupts the target network and is itself an attack technique, so perform it only within the scope of the warrant and record the time and the command in the investigation notes

Detect Wireless Connections
Wireless connections are detected using scanning tools such as:
• NetStumbler
• MacStumbler
• iStumbler
• Kismet
• KisMAC

Detect Wireless-Enabled Computers
Check the number of authorized computers, laptops, and PDAs connected to the wireless LAN APs
Check the IP and MAC addresses using scanning tools such as Nmap

Manual Detection of Wireless APs
In manual detection, the investigator configures a mobile device such as a handheld PC or laptop
The investigator then physically visits the area to be monitored to detect WAPs
This can be done by war-driving, war-chalking, and war-flying

Active Wireless Scanning Technique
In the active scanning technique, the scanner broadcasts a probe request and waits for probe responses from the access points in range
This technique identifies many WAPs but cannot find those WAPs that are configured not to answer broadcast probes (for example, networks with a hidden SSID)

Passive Wireless Scanning Technique
The passive scanning technique transmits nothing: with the card in monitor mode it listens for beacons, probe responses, and data frames, and so identifies the presence of any wireless communication in range
It detects all active WAPs and their clients, including those that do not respond to probe requests
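What a passive scanner in monitor mode actually works from, and how the de-authentication injection from the "Search for Additional Devices" slide shows up in the same capture, is shown by the following added example. It is not EC-Council's code nor part of Kismet or aircrack-ng: it decodes raw 802.11 management frames (beacons, probe responses and deauthentication frames, assumed to be captured without a radiotap header), builds the AP table a passive scanner displays, and counts deauthentication frames per BSSID so that a burst from one BSSID stands out. The BSSIDs, SSIDs, client address, the frames and the threshold are constructed for illustration.

```python
# Added example (not EC-Council's, Kismet's or aircrack-ng's code): what a
# passive scanner in monitor mode sees, and how aireplay-ng-style
# de-authentication shows up in the same capture.  Frames are raw 802.11
# (no radiotap header) and are constructed below for illustration.
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

TYPE_MGMT = 0
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 5, 8, 12
IE_SSID, IE_DS_PARAMS = 0, 3          # information element IDs
CAP_PRIVACY = 0x0010                  # capability bit: WEP/WPA in use
REASON_CLASS3_NONASSOC = 7            # reason code used by aireplay-ng -0


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes) -> Optional[dict]:
    """Decode a beacon, probe response or deauthentication frame, else None.

    Management header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) Seq(2); for
    these subtypes Addr1 is the destination, Addr2 the source, Addr3 the BSSID."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != TYPE_MGMT:
        return None
    dst, src, bssid = fmt_mac(frame[4:10]), fmt_mac(frame[10:16]), fmt_mac(frame[16:22])
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        if len(body) < 12:               # timestamp(8) interval(2) capability(2)
            return None
        cap = struct.unpack("<H", body[10:12])[0]
        info = {"kind": "beacon" if subtype == SUBTYPE_BEACON else "probe_resp",
                "bssid": bssid, "ssid": None, "channel": None,
                "privacy": bool(cap & CAP_PRIVACY)}
        pos = 12
        while pos + 2 <= len(body):      # walk the tagged information elements
            eid, elen = body[pos], body[pos + 1]
            data = body[pos + 2:pos + 2 + elen]
            if len(data) < elen:         # truncated element: keep what we have
                break
            if eid == IE_SSID:
                # zero-length SSID is a closed/hidden network (Kismet's <nossid>)
                info["ssid"] = data.decode("utf-8", "replace")
            elif eid == IE_DS_PARAMS and elen == 1:
                info["channel"] = data[0]
            pos += 2 + elen
        return info
    if subtype == SUBTYPE_DEAUTH:
        if len(body) < 2:
            return None
        return {"kind": "deauth", "bssid": bssid, "src": src, "dst": dst,
                "reason": struct.unpack("<H", body[:2])[0]}
    return None


def survey(frames: List[bytes], flood_threshold: int = 5) -> Tuple[Dict[str, dict], Counter, List[str]]:
    """Passive survey: APs keyed by BSSID, deauth count per BSSID, and the
    BSSIDs whose deauth count reaches flood_threshold (injection suspected)."""
    aps: Dict[str, dict] = {}
    deauths: Counter = Counter()
    for frame in frames:
        info = parse_mgmt(frame)
        if info is None:
            continue
        if info["kind"] == "deauth":
            deauths[info["bssid"]] += 1
        else:
            aps.setdefault(info["bssid"], info)
    flooded = [b for b, n in deauths.items() if n >= flood_threshold]
    return aps, deauths, flooded


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Construct a minimal beacon: broadcast destination, source = BSSID."""
    hdr = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)          # ESS bit + privacy
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    body += bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return hdr + body


def build_deauth(bssid: bytes, client: bytes, reason: int = REASON_CLASS3_NONASSOC) -> bytes:
    """Construct a deauthentication frame spoofed from the AP to one client."""
    hdr = bytes([0xC0, 0x00, 0, 0]) + client + bssid + bssid + b"\x00\x00"
    return hdr + struct.pack("<H", reason)


# Constructed capture: an encrypted AP on channel 6, a hidden-SSID AP on
# channel 11, then eight deauths spoofed from the first AP to one client.
OFFICE_AP = bytes.fromhex("001e2a112233")
HIDDEN_AP = bytes.fromhex("00146c778899")
CLIENT = bytes.fromhex("0016cb445566")
SAMPLE_FRAMES = [build_beacon(OFFICE_AP, b"OFFICE-NET", 6, True),
                 build_beacon(HIDDEN_AP, b"", 11, False)]
SAMPLE_FRAMES += [build_deauth(OFFICE_AP, CLIENT) for _ in range(8)]

if __name__ == "__main__":
    aps, deauths, flooded = survey(SAMPLE_FRAMES)
    for bssid, ap in aps.items():
        print(bssid, repr(ap["ssid"]), "ch", ap["channel"], "privacy" if ap["privacy"] else "open")
    print("deauth flood from:", flooded)
```

The hidden network appears with an empty SSID until a client's probe response or association reveals it, which is the behaviour the Kismet slide describes. The deauth count is the evidence side of the coin: if the examiner injects deauths, the capture will carry the burst, so note it; if the burst is already in a capture from the scene, someone else was injecting.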
Detect WAPs using the Nessus Vulnerability Scanner
The Nessus vulnerability scanner can be used from the wired network to detect wireless access points by fingerprinting the hosts it can reach
For detecting WAPs, the following steps are performed:
• Update Nessus with plugin #11026 by running the nessus-update-plugins command
• Configure a new scan by selecting plugin #11026 in the "General" family
• Enable a port scan for ports 1-100
• Disable "Safe Checks"
• Enable "Enable Dependencies at Runtime"

Capture Wireless Traffic
Capture wireless traffic using wireless network monitoring and sniffing tools such as:
• Wireshark
• tcpdump

Tool: Wireshark
Wireshark is a network protocol analyzer for Unix and Windows
It allows examination of data from a live network or from a capture file on disk
It allows the user to see all traffic passing over the network by putting the network interface into promiscuous mode; on a wireless interface, promiscuous mode alone shows only the traffic of the network the card has joined, and seeing other stations' 802.11 frames requires the card to be in monitor mode
Wireshark runs on various operating systems, including Linux, Mac OS X, and Microsoft Windows

Features of Wireshark
• Data can be captured from a live network connection
• Live data can be read from different types of network, such as Ethernet and 802.11
• Captured data can be browsed via the GUI or via the command line
• Capture files can be programmatically edited
• Display filters can be used to selectively highlight and color packet summary information
• The data display can be refined using a display filter
• Hundreds of protocols can be dissected

Wireshark: Screenshot

Tool: tcpdump
tcpdump is a common command-line network debugging tool
It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

tcpdump Commands
Capture traffic on a specific port:
# tcpdump port 80
Export the decoded output to a text file (and follow it), or write raw packets to a capture file and read them back later; -c limits the number of packets and -i selects the interface:
# tcpdump port 80 -l > webdump.txt & tail -f webdump.txt
# tcpdump -w rawdump
# tcpdump -r rawdump > rawdump.txt
# tcpdump -c1000 -w rawdump
# tcpdump -i eth1 -c1000 -w rawdump
Select several hosts on your LAN and capture the traffic that passes between them (a packet has only one source and one destination, so the other hosts are combined with "or" inside a parenthesized group rather than all "and"-ed together, which would match nothing):
# tcpdump host workstation4 and \( workstation11 or workstation13 \)

tcpdump Commands (cont'd)
Capture all the LAN traffic between workstation4 and the LAN, except for workstation11, printing the link-layer (MAC) header with -e:
# tcpdump -e host workstation4 and not host workstation11
Capture all packets except those for certain ports:
# tcpdump not port 110 and not port 25 and not port 53 and not port 22
Filter by protocol (OSPFIGP is the /etc/protocols alias for OSPF, IP protocol 89, so "ip proto 89" is equivalent):
# tcpdump udp
# tcpdump ip proto OSPFIGP
Capture traffic on a specific host and restrict by protocol:
# tcpdump host server02 and ip
# tcpdump host server03 and not udp
# tcpdump host server03 and ip and igmp and not udp
ClassicStumbler
ClassicStumbler scans for and displays information about the wireless access points within range
It displays the signal strength, noise strength, signal-to-noise ratio, and channel of each access point

Wireless Network Monitoring Tools
MacStumbler displays information about nearby 802.11b and 802.11g wireless access points, which helps in finding access points while travelling or in diagnosing wireless network problems
iStumbler is a wireless tool for Mac OS X, providing plugins for finding AirPort networks, Bluetooth devices, and Bonjour services with your Mac

Wireless Network Monitoring Tools (cont'd)
The AirPort Signal tool scans for open networks in range and creates a table row for each station detected, with information about the signals received from it
AirFart detects wireless devices and calculates their signal strength

Kismet
Completely passive; capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed networks
Requires an 802.11 card and driver capable of entering RF monitor mode; once in monitor mode, the card can no longer associate with a wireless network
Kismet needs to run as root to open the capture interface, but can switch to a less privileged UID once it begins to capture
To hop across channels, run kismet_hopper -p
A closed network with no authenticated clients is shown as <nossid>; the entry is updated when a client logs on and reveals the SSID

Kismet: Screenshot

Determine Wireless Field Strength: Field Strength Meters (FSM)
http://www.vk1od.net/fsm/
FSM is a software application that extends a conventional SSB receiver to allow measurement and calculation of the field strength of radio signals or interference
Features:
• Measurement of true RMS, quasi-peak, and peak audio power
• Calculation of received RF power (RMS, QP, and peak) in dBm based on the known receiver noise floor
• Calculation of field strength (RMS, QP, and peak) in dBuV/m based on known antenna gain or antenna factor
• Extrapolation of calculated field strengths to a normalized (1 Hz) bandwidth for comparisons
• Flexible output options to save results to text files, email, and online/nearline web transactions

Prepare Wireless Zones & Hotspots Maps
Collect the information after detecting the wireless connections
Analyze it properly to prepare the map
Prepare a static map of wireless zones and hotspots
Map the network using tools such as MS Visio
  46. 46. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Methods to Access a Wireless Access Point Direct-connect to the wireless access point ( If you have easy direct access) “Sniffing” traffic between the access point and associated devices ( When direct access is not available) NOTE: In this module we are showcasing NETGEAR Wireless Router as an example
  47. 47. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited 1. Direct-connect to the Wireless Access Point You need a network cable plugged between your forensics laptop and the wireless access point The forensics laptop should have a standard network adapter Determine whether the laptop has to be assigned an IP address If the wireless access point is DHCP enabled then the laptop will automatically be assigned an IP in the same network range
48. Direct-connect to the Wireless Access Point (cont'd)
If DHCP is not enabled, you need to assign the forensics laptop an IP address in the same "class" (subnet) as the wireless access point.
The IP address of the wireless access point can be determined by typing the command "ipconfig" at the command prompt; the access point normally appears as the default gateway.
49. Direct-connect to the Wireless Access Point (cont'd)
Once you have the IP address of the wireless access point, try connecting to it using a web browser.
A login window will pop up and ask for the credentials needed to access the wireless access point.
50. Direct-connect to the Wireless Access Point (cont'd)
Most of the time, customers forget to change the default administrator account of the wireless access point.
After confirming the hardware vendor by physical inspection, you can search for the default login and password.
Visit the link below to find the default login information for the wireless access point.
51. Default Credentials List (screenshot)
52. Direct-connect to the Wireless Access Point (cont'd)
If you succeed in logging in to the wireless access point, you will see a screen similar to the one shown below (screenshot).
53. Direct-connect to the Wireless Access Point (cont'd)
Click on Attached Devices to find the number of connections made to the wireless access point.
It shows the IP address, device name, and MAC address of each computer attached to the wireless access point.
54. Direct-connect to the Wireless Access Point (cont'd)
Click on LAN IP Setup to find the LAN TCP/IP setup.
55. Direct-connect to the Wireless Access Point (cont'd)
Since you are connected to the wireless access point over the LAN, a "ping sweep" can reveal the other systems connected to the network.
Nmap can be used to perform the "ping sweep" and other scanning functions.
Nmap is a free, open-source utility for network exploration, designed to rapidly scan large networks.
56. Nmap
Features:
• Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps, and many other techniques
• It scans a large number of machines at one time
• It is supported on many operating systems
• It can carry out all types of port scanning techniques
57. Scanning Wireless Access Points using Nmap
Another method of finding live hosts on the network is to use nmap.
Since the IP address of the access point is known, the following range of addresses needs to be scanned: 10.0.0.X/24
Execute the following command at the command prompt (-sP is spelled -sn in current Nmap versions):
• nmap -sP -v 10.0.0.1/24
The result of the above scan shows all the live hosts in the same subnet; the vendor and MAC address information is displayed on the screen.
To find more information about a specific address, e.g. 10.0.0.1, execute the command given below:
• nmap -sS -A 10.0.0.1
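The slides collect two lists of hosts: the "Attached Devices" table read from the access point's web interface (slide 53) and the live hosts found by the nmap ping sweep (slide 57). An investigator should reconcile the two rather than trust either alone. The following Python script is an added example, not part of the EC-Council slides: it parses nmap's XML output (the file written with "-oX") and compares it with a copy of the attached-devices table, reporting hosts that answered the sweep but are absent from the access point's table, hosts the access point lists under a different MAC than nmap observed, and hosts the access point lists that did not answer. The subnet and the two MAC addresses come from the slides; the other hosts, hostnames, vendor strings and the attached-devices table are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (nmap -sP -v 10.0.0.1/24 -oX sweep.xml).
# The subnet and the MACs 00:11:50:53:9A:24 / 00:20:A6:52:23:30 come from the
# slides; the remaining hosts, hostnames and vendor strings are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -v 10.0.0.1/24">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.1" addrtype="ipv4"/>
<address addr="00:11:50:53:9A:24" addrtype="mac" vendor="ExampleVendorA"/>
<hostnames><hostname name="router" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="00:20:A6:52:23:30" addrtype="mac" vendor="ExampleVendorB"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac" vendor="VMware"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.12" addrtype="ipv4"/>
<address addr="00:1D:7E:11:22:33" addrtype="mac" vendor="ExampleVendorC"/></host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.10" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed copy of the access point's "Attached Devices" table: (IP, device name, MAC).
SAMPLE_ATTACHED_DEVICES = [
    ("10.0.0.5", "forensics-laptop", "00:20:A6:52:23:30"),
    ("10.0.0.7", "office-pc", "00:1B:63:00:00:01"),
    ("10.0.0.9", "media-server", "00:1B:63:00:00:02"),
]
AP_IP = "10.0.0.1"  # the access point's own LAN address


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac", "vendor", "hostname"}} for every host nmap reports as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer the sweep carry no MAC information
        entry = {"mac": None, "vendor": None, "hostname": None}
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").upper()
                entry["vendor"] = addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        if ip:
            hosts[ip] = entry
    return hosts


def reconcile(live_hosts, attached_devices, ap_ip):
    """Cross-check the sweep against the AP's attached-devices table.

    not_in_ap_list   : answered the sweep but the AP does not list them
    mac_mismatch     : the AP lists the IP with a different MAC than nmap observed
    listed_but_silent: the AP lists them but they did not answer the sweep
    """
    attached = {ip: mac.upper() for ip, _name, mac in attached_devices}
    findings = {"not_in_ap_list": [], "mac_mismatch": [], "listed_but_silent": []}
    for ip, info in live_hosts.items():
        if ip == ap_ip:
            continue  # the access point itself never appears in its own client table
        if ip not in attached:
            findings["not_in_ap_list"].append(ip)
        elif info["mac"] and info["mac"] != attached[ip]:
            findings["mac_mismatch"].append(ip)
    for ip in attached:
        if ip not in live_hosts:
            findings["listed_but_silent"].append(ip)
    return {kind: sorted(ips) for kind, ips in findings.items()}


if __name__ == "__main__":
    live = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, info in sorted(live.items()):
        print(f"{ip:<12} {info['mac']}  {info['vendor']}  {info['hostname'] or ''}")
    for kind, ips in reconcile(live, SAMPLE_ATTACHED_DEVICES, AP_IP).items():
        print(f"{kind}: {ips}")
```

Every entry in the three result lists is something the report has to explain: a host the access point does not know about may be on the wired side of the router, a MAC mismatch may mean the address was changed between the two observations, and a silent host may simply have been powered off when the sweep ran. Note that nmap only reports MAC addresses and vendors when the sweep is run with privileges on the local subnet, where it can use ARP.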
58. Rogue Access Point
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network.
The two basic methods for locating rogue access points:
• Beaconing, i.e. requesting a beacon
• Network sniffing, i.e. looking for packets in the air
Tools that can detect rogue/unauthorized access points are NetStumbler, MiniStumbler, etc.
59. Tools to Detect Rogue Access Points: NetStumbler
NetStumbler is a Windows utility for WarDriving written by Marius Milner.
NetStumbler is a high-level WLAN scanner; it operates by sending a steady stream of broadcast packets on all possible channels.
Access points (APs) respond to broadcast packets to verify their existence, even if beacons have been disabled.
NetStumbler displays:
• Signal strength
• MAC address
• SSID
• Channel details
60. NetStumbler: Screenshot
61. Tools to Detect Rogue Access Points: MiniStumbler
MiniStumbler is the smaller sibling of a free product called NetStumbler.
By default, most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen. MiniStumbler makes use of this flaw in WLANs.
It can connect to a global positioning system (GPS) receiver.
62. "Sniffing" Traffic Between the Access Point and Associated Devices
The forensics laptop is placed between the access point and the associated devices in promiscuous mode.
In this mode, the forensics laptop captures all the information flowing within its range.
The BackTrack tool is used to find the associated devices in the wireless network.
After installing BackTrack, the first step is to run Airodump.
Download the Airodump tool from:
• http://www.aircrack-ng.org, or launch it from BackTrack
The 'Aircrack Suite' in BackTrack provides the two programs used here, Airodump and Aireplay.
63. Scanning using Airodump
The Airodump program runs in 'Scan' mode.
This tool scans all the wireless channels while searching for access points.
The scan report shows 8 columns of information: BSSID, PWR, Beacons, #Data, CH, MB, ENC and ESSID.
64. Scanning using Airodump (cont'd)
• BSSID: MAC address of the access point
• PWR: Relative strength of the wireless signal as received at the location from which the tool scanned the network
• Beacons: Number of beacon packets received
• #Data: Number of packets that can be decrypted
• CH: Channel
• MB: Current data transfer rate in megabits per second
• ENC: Encryption level set on the access point
• ESSID: Network name (SSID) advertised by the access point
65. Scanning using Airodump (cont'd)
To confirm the scanning result, the investigator can match the MAC address obtained from scanning against the MAC address printed on the label of the scanned wireless access point.
Make a note of the CH (channel) setting.
The screenshot on the previous slide shows the "netgear" wireless router operating on channel 6.
Select channel 6 while rescanning with Airodump: the switch "-c 6" scans only for wireless access points present on channel 6.
"Ctrl+C" is used to stop the Airodump scanning process.
66. Airodump: Screenshot
67. MAC Address Information
Details of the vendor of the wireless access point can be found from its MAC address.
Visit http://www.coffer.com/mac_find/ and enter the MAC address to find the vendor information.
Note that the MAC address is easy to change with a few software settings, so vendor information derived from it is not conclusive on its own.
68. Airodump: Points to Note
The "BSSID", "CH" and "ESSID" columns hold the information that is useful during the initial phase of the scan.
The investigator should concentrate on the "Packets" column in the association list.
The "Beacons" column does not reflect data passing between the access point and the associated equipment.
If Airodump cannot determine the state of encryption on the access point, the ENC column will display "WEP?".
Airodump requires several packets to determine the type of encryption being used.
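Reading the Airodump columns off the screen (slides 63 to 68) does not scale to a site with many access points, and the rogue-access-point question of slide 58 is really a comparison of what was heard on the air against what the organisation has on record. The following Python script is an added example, not part of the EC-Council slides or of the aircrack-ng project: it parses the CSV file airodump-ng writes when run with "-w <prefix>" (an access-point section followed by a station section) and checks it against a constructed inventory of authorized BSSIDs, reporting unknown access points, unknown access points advertising an authorized network name, access points running open or WEP encryption, and the clients seen associated with unknown access points. The CSV column layout is assumed from airodump-ng's output format rather than taken from the slides; the network names belkin54g and netgear and the two MAC addresses come from the slides, and every other value in the sample capture is made up.

```python
import csv
import io

# Constructed airodump-ng CSV capture (the layout written by "airodump-ng -w <prefix>",
# assumed here, not taken from the slides). belkin54g, netgear and the MACs
# 00:11:50:53:9A:24 / 00:20:A6:52:23:30 come from the slides; all other values are made up.
SAMPLE_AIRODUMP_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:50:53:9A:24, 2009-03-10 09:00:01, 2009-03-10 09:06:12,  6,  54, WPA2, CCMP, PSK, -41,  310,    0,   0.  0.  0.  0,   9, belkin54g,
00:0F:B5:12:34:56, 2009-03-10 09:00:03, 2009-03-10 09:06:10,  6,  54, WEP , WEP, , -55,  280,   42,   0.  0.  0.  0,   7, netgear,
00:1D:7E:AA:BB:CC, 2009-03-10 09:02:30, 2009-03-10 09:06:11, 11,  54, OPN , , , -70,   95,    0,   0.  0.  0.  0,   9, belkin54g,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:20:A6:52:23:30, 2009-03-10 09:00:05, 2009-03-10 09:06:09, -50,   112, 00:11:50:53:9A:24, belkin54g
00:1B:63:00:00:01, 2009-03-10 09:01:00, 2009-03-10 09:05:58, -62,    38, 00:1D:7E:AA:BB:CC, belkin54g
00:16:CB:00:00:09, 2009-03-10 09:03:00, 2009-03-10 09:06:00, -80,     3, (not associated), netgear,linksys
"""

# Constructed inventory of sanctioned access points: BSSID -> ESSID.
AUTHORIZED_APS = {"00:11:50:53:9A:24": "belkin54g"}


def parse_airodump_csv(text):
    """Split the capture into {bssid: ap_info} and a list of station records."""
    aps, stations = {}, []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or row == [""]:
            continue
        if row[0] == "BSSID":            # header of the access-point section
            section = "ap"
            continue
        if row[0] == "Station MAC":      # header of the station (client) section
            section = "station"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0]] = {
                "channel": int(row[3]), "privacy": row[5], "cipher": row[6],
                "auth": row[7], "power": int(row[8]), "beacons": int(row[9]),
                "ivs": int(row[10]), "essid": row[13],
            }
        elif section == "station" and len(row) >= 6:
            stations.append({
                "mac": row[0], "power": int(row[3]), "packets": int(row[4]),
                "bssid": row[5],                      # "(not associated)" for probing-only clients
                "probed": [p for p in row[6:] if p],  # airodump joins probed ESSIDs with commas
            })
    return aps, stations


def find_rogue_aps(aps, stations, authorized):
    """Compare the capture with the authorized {BSSID: ESSID} inventory."""
    unauthorized = sorted(b for b in aps if b not in authorized)
    known_names = set(authorized.values())
    return {
        "unauthorized": unauthorized,
        # an unknown BSSID using a sanctioned network name is the classic rogue-AP pattern
        "essid_clones": sorted(b for b in unauthorized if aps[b]["essid"] in known_names),
        "weak_encryption": sorted(b for b, a in aps.items() if a["privacy"] in ("OPN", "WEP")),
        "clients_on_unauthorized": sorted(
            (s["mac"], s["bssid"]) for s in stations if s["bssid"] in unauthorized),
    }


def audit(text, authorized):
    aps, stations = parse_airodump_csv(text)
    return find_rogue_aps(aps, stations, authorized)


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_AIRODUMP_CSV, AUTHORIZED_APS).items():
        print(f"{kind}: {items}")
```

The station section is what the slides call the association list: a client whose BSSID column is "(not associated)" has only been probing, and the ESSIDs it probes for are themselves evidence of which networks it has used before. The channel and BSSID of each flagged access point are what the investigator then uses for the targeted "-c" rescan and the physical label check described on slide 65.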
69. Forcing Associated Devices to Reconnect
The Aireplay tool attempts to confuse the connected wireless devices by sending de-authentication packets.
The wireless devices are made to think that the wireless access point is not functioning; once disconnected, the devices attempt to reconnect to the same access point.
Airodump should be running in the background while the de-authentication packets are sent.
Use the command given below to send de-authentication packets:
• aireplay-ng --deauth 5 -a {MAC of AP} {interface}
Where:
• MAC of AP: MAC address of the access point
• interface: the wireless network interface (card) of the forensics laptop
If physical access to the wireless access point is available, unplug the device and plug it back in, making sure at the same time that Airodump is running on the forensics laptop.
Note that the reset button is NOT pressed.
70. Check for MAC Filtering
Aireplay-ng can be used to determine whether the target access point uses MAC filtering.
Attempt a forced association if the wireless network card of the forensics laptop supports packet injection.
If MAC filtering is active on the target access point, the association will be denied.
Open a terminal window within the BackTrack tool.
At the command prompt, type the command given below:
• aireplay-ng --fakeauth 0 -e {target ESSID} -a {MAC address of AP} -h {MAC address of your forensic laptop's wireless card}
An example would be:
• aireplay-ng --fakeauth 0 -e belkin54g -a 00:11:50:53:9A:24 -h 00:20:A6:52:23:30
71. Check for MAC Filtering (cont'd)
Once the command is executed, a message is displayed showing whether the authentication and association were successful.
An unsuccessful attempt does not by itself indicate MAC filtering at the target access point.
If an associated MAC address is shown while scanning with airodump-ng, attempt to re-associate by spoofing the forensics laptop's MAC address.
Within the BackTrack program, select "BackTrack", "Wireless Tools", "Miscellaneous", "MAC Changer".
72. Changing the MAC Address
Before changing the MAC, the wireless network card of the forensics laptop should not be active; close airodump-ng or any other program that uses the network card before continuing.
If required, force the card to shut down by typing:
• ifconfig {interface} down
Command to change the MAC address:
• macchanger -m {MAC of currently associated device} {interface}
73. Changing the MAC Address (cont'd)
The screenshot below shows the list of available options for "macchanger".
74. Changing the MAC Address (cont'd)
Reactivate the forensics laptop's wireless network card using the command given below:
• ifconfig {interface} up
After the MAC address is changed, the display shows the previous and new MAC address and vendor settings.
Attempt an authentication and association to the access point using the spoofed MAC address.
If you see the "success" message, MAC filtering is indeed active on the access point.
If MAC filtering is turned off and encryption is turned on, this method of authentication will not yield any success.
75. Wireless Data Acquisition and Analysis
Acquire the DHCP logs, firewall logs, and network logs.
Analyze the log files for:
• DHCP log files for issued MAC addresses
• Firewall logs for intrusions
• Network logs for intrusion activities
Use fwanalog and Firewall Analyzer to view the firewall log files.
76. Wireless Data Acquisition and Analysis (cont'd)
Decrypt the encrypted log files.
Crack the password-protected log files using the Hydra and Cain & Abel tools.
Analyze the traffic shown by sniffing tools such as Wireshark.
Check the following log files:
• Registry analysis
• USB device footprints
• Network connection history logs
• Wireless device logs
77. Report Generation
Note the name of the investigator
List of wireless evidence
Documents of the evidence and other supporting items
List of tools used for the investigation
Devices and setup used in the examination
Brief description of the examination steps
Details about the findings:
• Information about the files
• Internet-related evidence
• Data and image analysis
Conclusion of the investigation
78. Summary
Association of a wireless AP and a device may take place in any of these ways: MAC filtering, Pre-Shared Key (PSK), or the use of encryption.
Methods to access a wireless access point include direct-connecting to the wireless access point and "sniffing" traffic between the access point and associated devices.
A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network.
Details of the vendor of the wireless access point can be found from its MAC address.
Eavesdropping on network traffic is a possible form of passive attack.
To investigate wireless attacks, keep a check on DHCP log files for issued MAC addresses, firewall logs for intrusions, and network logs for intrusion activities.