Wireless Lab

The document discusses analyzing a wireless network capture file to investigate security issues. It provides instructions to validate the client's wireless SSIDs and security configurations, review activity on the least secure network, check for attempts to access blocked websites by subverting DNS filters, and attempt to crack the password of the weakest encrypted network using aircrack-ng.


Week 10 Critical Systems Security

Analysis of a Wireless Capture


LAB


Objectives

- Use Wireshark and tshark to analyse wireless traffic for evidence of malicious activity.
- Leverage knowledge of the relative strength or weakness of different wireless network configurations
to focus analysis on the points an attacker may be more likely to target.
- Use penetration testing tools to access encrypted content protected by weaker mechanisms.

The Case: Analysis of a Wireless Capture


A client informs you that before returning to University, a summer cyber security student commented that
the wireless network configuration was a joke. She saw numerous flaws in its configuration. In particular,
she said that the DNS-based block for typical "time-wasting" sites such as Facebook was utterly ineffective.
Unfortunately, before the administration team could get more details, the Cybersecurity student left.
The client never had much of a dedicated wireless skill set in-house since the Wi-Fi deployment was
entirely driven by the CEO's desire to have Apple iPads throughout the office to look "cool" for visitors.
Although well-intentioned, the client's IT and security teams could not adequately address the security
concerns associated with wireless networks, leaving what they admit is likely a massive hole in the
corporate security footprint.
However, the news of the ineffective Facebook block has "lit a fire" under the CEO who now considers the
wireless network the culprit for lost productivity around the office.

He has directed the IT and security departments to capture 15-20 minutes of network traffic so they can
"find and fix" the problem. The client hands you the pcap file and asks for your help in finding credible
answers to the boss's incredible questions.

To Prepare:
1. Log into UWECyber VM or Kali Linux VM
2. Create a working directory "CSS" on your desktop
3. Download the file "wireless.zip" from Blackboard, unzip it and copy it into the "CSS" directory you
created
4. Open the file "wireless.pcap" in Wireshark


1. Validate the client's WLAN SSIDs


Open the wireless.pcap file in Wireshark. In the "View → Name Resolution" menu, untick "Enable for
MAC Layer". This causes Wireshark to display each MAC address as its raw six hex bytes rather than a
resolved vendor prefix, providing a cleaner view of the data.

Use Wireshark's "Statistics → WLAN Traffic" menu option to verify the list of SSIDs and BSSIDs contained
within the capture file. In the "WLAN Traffic Statistics" dialog box, ensure the "Only show existing
networks" option is checked. This option hides unknown networks from the statistical view.

The client has informed you that each of their four wireless network SSIDs contains the word "Target" in its
name, and that each name indicates the purpose of the respective wireless network. Additionally, the
client confirms that each SSID is served by one and only one access point.

a) Complete the table below with the listed data fields for the client's wireless networks. (Note that you
may need to resize data columns, or scroll to the right to get all data points)

BSSID | SSID | Security Type (WEP/WPA/WPA2) | 802.11 Channel

The algorithms that Wireshark uses to identify the security/protection type for a given WLAN are
somewhat limited, in that they prefer absolute positive identification over making erroneous assumptions.
Therefore, some configurations may reflect a "blank" value in the "Protection" column of the WLAN Traffic
Statistics dialog, even though the WLAN uses encryption. In these cases, manual verification is necessary.

For each of the client's BSSIDs without a listed Protection type, right-click the statistic row, then choose the
"Apply as Filter → Selected → BSSID" menu options. This will return you to the main Wireshark interface
with a display filter applied that matches only traffic to or from the selected network.
Find a "Beacon" frame, which contains a catalog of the capabilities the access point supports.


b) In the Packet Details pane, browse through the "Tagged Parameters" section of the Wireless LAN
Management Frame to see what you can learn or infer about the protection mechanisms used for each
BSSID. Pay attention to fields that contain information about Cipher Suites, Key Management, and
other standard WLAN security terms. Add your findings to the table you started above.
Remember that an access point can provide multiple security standards simultaneously, so review all
fields to ensure you completely characterise the capabilities of each SSID. Recall also that the "RSN"
security type is another name for "WPA2".

BSSID | SSID | Security Type (WEP/WPA/WPA2) | 802.11 Channel

c) Recall that each access point's BSSID follows the same structure as a MAC address on the wired
network interface controller: three manufacturer-identifying bytes (called the OUI) followed by three
device-specific bytes. While not always the case, devices containing multiple hardware interfaces are
often assigned sequential hardware addresses. Return to the WLAN Traffic Statistics window and order
the results by BSSID by clicking the "BSSID" column header. What do you see in the cluster of the
client's known access points? What theories can you think of for this situation? Why do you think this is
the case? How did Wireshark get around this situation?
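An added example, not part of the lab sheet, of the reasoning question c) asks for: given rows like those in the WLAN Traffic Statistics dialog, the script groups BSSIDs by OUI, finds runs of sequential device addresses, and reports any BSSID in a run shared with the client's known "Target" access points that does not carry a known SSID. The BSSID and SSID values are constructed, not those in wireless.pcap.

```python
import re
from collections import defaultdict
# Constructed sample of (BSSID, SSID) rows such as the WLAN Traffic Statistics
# dialog lists; these are invented values, not the capture's real ones.
SAMPLE_ROWS = [
    ("00:11:22:aa:bb:01", "Guest_Target_WLAN"),
    ("00:11:22:aa:bb:02", "Staff_Target_WLAN"),
    ("00:11:22:aa:bb:03", "Exec_Target_WLAN"),
    ("00:11:22:aa:bb:04", "Devices_Target_WLAN"),
    ("00:11:22:aa:bb:05", ""),              # beacons carry an empty SSID element
    ("a4:5e:60:10:20:30", "Neighbour_Cafe"),
]

def split_bssid(bssid):
    """Return (OUI string, 24-bit device part as int) for a colon-separated MAC."""
    mac = bssid.lower()
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError(f"not a MAC address: {bssid}")
    parts = mac.split(":")
    return ":".join(parts[:3]), int("".join(parts[3:]), 16)

def sequential_clusters(rows, known_keyword="Target"):
    """Group BSSIDs by OUI and split each group into runs of consecutive device
    bytes; each run lists (bssid, ssid, known), known = SSID has the keyword."""
    by_oui = defaultdict(list)
    for bssid, ssid in rows:
        oui, dev = split_bssid(bssid)
        by_oui[oui].append((dev, bssid, ssid))
    runs = []
    for entries in by_oui.values():
        entries.sort()
        run = [entries[0]]
        for prev, cur in zip(entries, entries[1:]):
            if cur[0] == prev[0] + 1:     # same OUI, next device address
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
    return [[(b, s, known_keyword in s) for _, b, s in run] for run in runs]

def unexplained_neighbours(rows, known_keyword="Target"):
    """BSSIDs that share a sequential run with known APs but carry no known
    SSID: candidates for an extra radio on the client's own hardware."""
    found = []
    for run in sequential_clusters(rows, known_keyword):
        if len(run) > 1 and any(k for _, _, k in run):
            found += [b for b, _, k in run if not k]
    return found
```

Feeding it the real dialog rows (BSSID and SSID columns) shows whether the client's four access points form one sequential block and whether anything else sits inside that block.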


d) Apply a display filter to match the BSSID for the access point that provides this newly discovered
WLAN. (Right-Click the entry in the "WLAN Traffic Statistics" dialog, then select "Apply as Filter →
Selected → BSSID"). Examine each beacon frame. What do you notice is absent from the frame when
compared to those from the previous wireless networks? Why do you think this is the case? How did
Wireshark get around this situation?


2. Review the security of the various SSIDs and characterise communications


While this is a response-based investigation, it is still important to understand the weaknesses associated
with various WLAN security modes. In this case, the client has a policy regarding such configurations, but it
would also help to establish what routes an attacker might have used to conduct malicious activity. Most
attackers will take the path of least resistance while conducting their activities, meaning the "easy targets"
are often good investigative leads to follow.

a) Given the SSIDs identified above, rank them in order of least to most secure.

ORDER | SSID | SECURITY TYPE (WEP/WPA/WPA2) and KEY MGMT METHOD | NOTES

b) Given that the non-compliant access point has the weakest security configuration, characterise
the activity that occurred using its SSID. First, list the hardware addresses that used this SSID. Then use
tshark with a display filter to limit traffic to the SSID in question and display the source address (wlan.sa)
and destination address (wlan.da) for each matching frame.
List the conversations you identify, and annotate the known and unknown hardware addresses.

tshark -n -r wireless.pcap -Y 'wlan.ssid=="Covert_WLAN"' \
    -T fields -e wlan.sa -e wlan.da | sort | uniq -c

(Older tshark releases name the SSID field wlan_mgt.ssid rather than wlan.ssid; -r reads the capture file, and -n disables name resolution.)


c) For each unknown hardware address identified above, use tshark to identify the associated IP
address(es). First, apply a display filter that limits matched frames to those with the hardware address
as the sending station and that carry IP traffic, and display the source IP addresses. Then run the same
tshark command with the filter and the displayed field reversed, so that it matches the destination
hardware address and displays the destination IP address.

d) With what other systems did the IP address(es) you just identified communicate, and with what layer
four protocols?


3) Check for subverting the DNS filter


Although not a primary focus of this investigation, the client's representative keeps asking you about
people getting around the filters they have in place through the OpenDNS service. In particular, he is
interested to know whether anyone is able to access Facebook, which is against corporate policy. You ask if
determining whether there was any traffic containing DNS queries for Facebook would address his
concerns. He agrees that this approach would be sufficient to test his theory.

a) What Wireshark display filter can you use to identify any DNS queries for Facebook-related domains
quickly? How many DNS lookups did this filter match?

b) Do you think this finding thoroughly addresses whether users may be subverting the DNS filter?
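An added example, not part of the lab sheet, of why question b) matters: the script below runs two checks over constructed tshark DNS output, the query-name check the display filter performs (widened to Facebook's other domains) and a check for clients that send DNS to a resolver other than OpenDNS, which a query-name filter alone never reveals. The resolver addresses are OpenDNS's published ones; the client addresses and query lines are invented.

```python
import re
from collections import Counter

# OpenDNS's public resolver addresses (real, published values). The lab's
# filter is assumed to work by pointing every client at these resolvers.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Domains that back Facebook; a plain 'contains "facebook"' filter catches
# only the first of these.
FACEBOOK_RE = re.compile(r"(^|\.)(facebook\.com|fbcdn\.net|fb\.com|messenger\.com)$")

# Constructed lines (invented addresses, not from the capture) in the shape of:
#   tshark -r wireless.pcap -Y 'dns.flags.response==0' \
#          -T fields -e ip.src -e ip.dst -e dns.qry.name
SAMPLE_QUERIES = """\
192.168.1.20\t208.67.222.222\twww.facebook.com
192.168.1.20\t208.67.222.222\tstatic.xx.fbcdn.net
192.168.1.31\t8.8.8.8\twww.facebook.com
192.168.1.31\t8.8.8.8\tmail.example.org
192.168.1.42\t208.67.220.220\tintranet.example.org
"""

def parse_queries(text):
    """Yield (client, resolver, query name) from tab-separated tshark output."""
    for line in text.splitlines():
        if line.strip():
            src, dst, qname = line.split("\t")
            yield src, dst, qname.rstrip(".").lower()

def facebook_lookups(text):
    """(client, name) for every query that names a Facebook-related domain."""
    return [(s, q) for s, _, q in parse_queries(text) if FACEBOOK_RE.search(q)]

def resolver_bypass(text):
    """Count queries each client sent to a resolver other than the approved
    ones; that is the simplest way a resolver-based block is sidestepped."""
    offenders = Counter()
    for src, dst, _ in parse_queries(text):
        if dst not in APPROVED_RESOLVERS:
            offenders[(src, dst)] += 1
    return dict(offenders)

if __name__ == "__main__":
    print("facebook lookups:", facebook_lookups(SAMPLE_QUERIES))
    print("non-approved resolvers:", resolver_bypass(SAMPLE_QUERIES))
```

Both checks only see cleartext DNS, so queries inside the WEP-protected WLAN stay invisible until that traffic is decrypted in the later steps.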


4) Identify weak encryption keys

We will attempt to decrypt the traffic from the protected WLANs to better address the client's question
about DNS subversion. Again, attacking the weakest link first is a reasonable approach. In this case, the
access point providing the Staff_Target_WLAN is the next in line. It uses WEP protection, which has long
been proven to be a trivially weak encryption standard.
Install Aircrack-ng software, which can examine live network traffic or a pcap file to determine if the
conditions are conducive to exploiting WEP's inherent weaknesses. If so, Aircrack-ng will provide the
WEP key.
a) Examine the command-line options for the "aircrack-ng" utility and then use it to attempt
identification of the WEP key in use. Write the command below and then identify the WEP key.
Reference the man-page if you are not familiar with Aircrack-ng's options.

This information shows two possible approaches to decrypting the WEP-protected traffic.
If the analytic workflow may include pcap-aware tools other than Wireshark, it is most beneficial to
create a second copy of the source pcap file with all WEP-encrypted content replaced by its
corresponding decrypted equivalent. The Airdecap-ng software, also installed on your SIFT Workstation,
provides this functionality.

b) Examine the command-line options for the "airdecap-ng" utility and then use it with the key above to
create a working copy of the source pcap file with the WEP encryption removed. Write the command
you use below.


5) Examine WEP-protected traffic


a) Now that you can examine the contents of the WEP-protected traffic, open the decrypted file in
Wireshark and re-apply the same DNS query filter you identified above.
(Note that airdecap-ng writes its output to a new file named wireless-dec.pcap.)
How many results match the filter this time? For any results identified, what was the query and
response?
