Book Two- Chapter Eight- Wireless

Question 1

What is the difference between active wireless scanning and passive wireless scanning?

Answer 1

Active wireless scanning: The active scanning technique involves broadcasting a probe message and waiting on a response from devices in the range. This technique identifies many WAPs but obviously cannot find those WAPS that do not respond to the probe message.

Passive wireless scanning: Identifies the presence of any wireless communication. Through this technique, an investigator will identify all active WAP connections, but he/she may not find a WAP that is not currently serving any devices.

Question 2

Describe the steps involved in performing a forensic investigation in a wireless environment:

Answer 2

1. obtain a search warrant
2. identify wireless devices
3. detect rogue access points
4. document the scene and maintain the chain of custody
5. detect wireless connections
6. determine the wireless field’s strength
7. map wireless zones and hot spots
8. connect to the wireless network
9. acquire and analyze wireless data
10. generate a report

Question 3

What is a rouge access point?

Answer 3

An unauthorized access point in a wireless network. Attackers typically depoly these access points to sniff important data on the network. Attackers can also use rouge access points to hijack user sessions on the wireless network.

An investigator can detect a rogue access point by following 2 steps:

1. Access point detection: The investigator first needs to use one of the techniques for detecting a wireless access point to discover the access point on the network.
2. Verifying whether or not the access point is a rogue access point: After identifying the access point in the network, the next step is to verify whether or not the identified access point is a rogue access point. to tell whether an access point is authorized, the investigator has to check the following:

MAC
SSID
Vender
Media Type
Channel

Tools for Detecting Rogue Access Points:
NetStumbler,MiniStumbler, and inSSIDer are other tools that help investigators discover rogue access points.

NetStumbler- a Windows Utility that is often used for wardriving (this does not work with Windows 7 and above). For those OS, use inSSIDer. It is a high-level WLAN scanner that operates by sending a steady stream of broadcast packet on all possible channels. Acces points repond to the broadcast packets to verify their existence, even if beacons have been disabled.
NetStumbler displays info about the access point, including the following:

• Signal-to-Noise Ratio
• MAC address
• SSID
• Channel details

A user can also connect to a GPS to find location info about any access points discovered.

MiniStumbler- the smaller sibling of NetStumbler. It provides much of the same information as NetStumbler, but is written for handheld devices running Pocket PC or Windows Mobile OS, does not work with Windows 7 and above.

inSSIDer- a wireless network scanner for Windows OS X and Android that will provide info needed to select the most appropriate channel networks and signal strength. It is designed to overcome the limitations of NetStumbler. inSSIDer 4 will show the Wi-Fi environment in both physical and logical formats. its simple, filterable display identifies signal overlap, channel conflicts, and configuration issues that are used to discover issues that can degrade your wireless network performance.

Question 4

How can an attacker hijack wireless network traffic?

Answer 4

TCP/IP packets go through switches, routers, and wireless access points. Each device looks at the destination IP address and checks for that address in its table of local IP addresses. This table is dynamically built up from traffic that passes through the device and from ARP notifications from devices joining the network.
If the destinantion IP address is not in the device’s table, it passes the address off to its default gateway.

However, there is no authentication or verification of the validity of a packet that a device receives. A malicious user can send messages to routing devices and access points stating that his/her MAC address is associated with a known IP address. All traffic that goes through those devices that is intended for the hijacked IP address will instead go to th malicious user’s machine.

Question 5

How do electronic emanations help an attacker access a wireless network?

Answer 5

electronic components always release emissions, and someone could collect emissions from electrical components and piece them together into readable data

Question 6

How is security provided for the connection between devices and wireless access points (WAP)?

Answer 6

Security between a WAP and it’s associated devices is provided through MAC filtering or the use of a PSK (pre-saved key) or encryption

Question 7

Describe what should be included in a report for a forensic investigation involving a wireless network

Answer 7

The investigator should acquire the DHCP logs, firewall logs, and network logs. He/she can use tools like fwanalog and Firewall Analyzer to view the firewall log files.

The report should include:

List of wireless evidence
Documents of the evidence and other supporting items
List of tools for investigation
Devices and setup used in the examination
Brief description of the examination steps
Details about the findings:
Information about the files, internet-related evidence, data and image analysis
investigator’s conclusion

Question 8

What does an investigator need to do to determine if an access point is a rogue access point?

Answer 8

An investigator can detect a rogue access point by following 2 steps:

1. Access point detection: The investigator first needs to use one of the techniques for detecting a wireless access point to discover the access point on the network.
2. Verifying whether or not the access point is a rogue access point: After identifying the access point in the network, the next step is to verify whether or not the identified access point is a rogue access point. to tell whether an access point is authorized, the investigator has to check the following:

MAC
SSID
Vender
Media Type
Channel

Tools for Detecting Rogue Access Points:
NetStumbler,MiniStumbler, and inSSIDer are other tools that help investigators discover rogue access points.

NetStumbler- a Windows Utility that is often used for wardriving (this does not work with Windows 7 and above). For those OS, use inSSIDer. It is a high-level WLAN scanner that operates by sending a steady stream of broadcast packet on all possible channels. Acces points repond to the broadcast packets to verify their existence, even if beacons have been disabled.
NetStumbler displays info about the access point, including the following:

*Signal-to-Noise Ratio
*MAC address
*SSID
*Channel details
A user can also connect to a GPS to find location info about any access points discovered.

MiniStumbler- the smaller sibling of NetStumbler. It provides much of the same information as NetStumbler, but is written for handheld devices running Pocket PC or Windows Mobile OS, does not work with Windows 7 and above.

inSSIDer- a wireless network scanner for Windows OS X and Android that will provide info needed to select the most appropriate channel networks and signal strength. It is designed to overcome the limitations of NetStumbler. inSSIDer 4 will show the Wi-Fi environment in both physical and logical formats. its simple, filterable display identifies signal overlap, channel conflicts, and configuration issues that are used to discover issues that can degrade your wireless network performance.