05-11-2012, 11:38 AM
Initial Reconnaissance of a Suspect Wireless Network
Initial Reconnaissance.doc (Size: 153.5 KB / Downloads: 63)
Executive Summary
There is illegal activity taking place on the Griffis Business and Technology Park campus. It is suspected that there is a wireless network being used to conduct illegal activities. It is necessary to conduct initial evidence gathering activities against the suspect network. The network is to be searched out. Once located it is necessary to gather information about the network and any encryption. Once it is possible to access the network then any tools and techniques available are to be used to investigate the network and gather evidence.
We assumed that data broadcast over the network is junk data for the purpose of generating traffic. We assumed that computers with relevant evidence are generating traffic.
We found the suspect wireless network at the base gym. The wireless network was broadcasting the SSID “Vortex”. We set up a laptop to listen to traffic going over the wireless network for a few days. From this data we determined that the suspect network was using WEP+ encryption. We used a dictionary attack technique to determine the WEP+ key. The WEP key was “abcde”. Once we broke the key we analyzed the unencrypted traffic. Our analysis yielded the necessary network information we needed to talk to the wireless network. The data we did analyze was junk data for generating traffic. We used the vulnerability scanner Nessus to determine if there were any open holes for us to take advantage of. We found an anonymous FTP server on one of the machines. The anonymous FTP server contained a file titled evidence.txt that congratulated us on finding the evidence and instructed us to include the following code in our report: 56912280.
Problem Statement
There appears to be illegal activity taking place at the Griffis Business and Technology Park. The suspects are apparently using computers and an illegal wireless network to conduct their activities.
It is necessary to conduct initial evidence gathering activities against the suspects. The wireless network is to be searched for and located in the Griffis Business and Technology Park area. Once the network is located we are to use any tools and techniques available to us to investigate the wireless network and gather evidence.
The evidence is to be documented. Each vulnerability used against the network is to be documented. Each documented vulnerability is to include documentation on how that vulnerability could have been prevented.
Background and Assumptions
War Driving
War driving consists of driving around and looking for unsecured wireless networks. Many wireless networks broadcast their SSID (Service Set Identifier). War driving programs such as MacStumbler listen for these broadcasts to identify wireless networks. Knowing the SSID is essential to gaining access to a wireless network. It is possible to disable the SSID broadcast. However, the SSID is still sent with all data transmitted over the wireless network, so a war driver can monitor the traffic going over the radio waves for SSIDs. This method is more difficult than listening for broadcast SSIDs.
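The following is an added example (not part of the original report and not code from any tool it mentions) showing the beacon-side of what a war-driving program does: it walks the tagged parameters of an 802.11 beacon body and pulls out the SSID element, treating an empty or NUL-filled element as a hidden network. The beacon bodies are constructed inline so the parser runs offline; the SSID “Vortex” is taken from the report, everything else (timestamps, intervals, rates) is made up. A defender reading the output sees exactly what an access point gives away in every beacon, and that “hiding” the SSID only removes it from this one frame type.

```python
import struct

# Constructed 802.11 beacon frame bodies (not captured from any real network).
# A beacon body starts with a fixed 12-byte part (8-byte timestamp, 2-byte
# beacon interval, 2-byte capability info) followed by tagged parameters:
# 1-byte element ID, 1-byte length, value. Element ID 0 is the SSID.

FIXED_LEN = 12
ELEMENT_SSID = 0


def parse_tagged_parameters(body):
    """Yield (element_id, value) pairs from the tagged-parameter area of a
    management frame body; stop cleanly on a truncated element."""
    offset = FIXED_LEN
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) < length:  # frame cut short: do not trust a partial element
            break
        yield element_id, value
        offset += 2 + length


def beacon_ssid(body):
    """Return the SSID a beacon advertises, or None when the network hides
    its name (empty SSID element, or one padded with NUL bytes)."""
    for element_id, value in parse_tagged_parameters(body):
        if element_id == ELEMENT_SSID:
            if len(value) == 0 or all(b == 0 for b in value):
                return None
            return value.decode("utf-8", errors="replace")
    return None


def build_beacon_body(ssid):
    """Build a minimal beacon body carrying the given SSID element plus a
    supported-rates element, so the parser can be exercised offline."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    ssid_elem = bytes([ELEMENT_SSID, len(ssid)]) + ssid
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    return fixed + ssid_elem + rates_elem


# Constructed samples: a broadcast SSID, a hidden SSID (zero-length element)
# and a hidden SSID padded with NULs, as some access points send it.
SAMPLES = {
    "broadcast": build_beacon_body(b"Vortex"),
    "hidden_empty": build_beacon_body(b""),
    "hidden_nul": build_beacon_body(b"\x00" * 6),
}


def inventory(samples):
    """Map each sample name to the SSID seen, mimicking what a war-driving
    tool logs from beacons alone."""
    return {name: beacon_ssid(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, ssid in inventory(SAMPLES).items():
        print(f"{name}: {ssid if ssid is not None else '<hidden>'}")
```

Run as a script it prints one line per sample; the hidden cases come back as `<hidden>` because the parser refuses to report an empty or NUL-only name rather than logging a blank SSID.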
WEP
WEP is an acronym for Wired Equivalent Privacy. 802.11b wireless communications are by their very nature insecure: radio waves are used to transmit data, and those transmissions can be analyzed by anyone with the proper equipment. The 802.11b standard defines WEP to offer an extra layer of security to help counteract this inherent insecurity. [1]
WEP +
There is a flaw in WEP that is well documented in the Fluhrer, Mantin, and Shamir paper [2]. The flaw takes advantage of data being transmitted with a reused RC4 key stream. Vendor implementations of the WEP standard are the source of this flaw: they sometimes reuse the same initialization vectors over and over again for transmitting data, which results in the same RC4 key stream being used multiple times to encrypt data. If any of the original encrypted data can be guessed, with statistical methods or otherwise, it is then possible to obtain the key [3].
There is a standard known as WEP+ that helps protect against the Fluhrer, Mantin, and Shamir attack. WEP+ defines a technique known as weak key avoidance. Transmitters that implement WEP+ will avoid using cryptographically weak keys that are described in the Fluhrer, Mantin, and Shamir paper [4].
WEP Dictionary Attack
WEP keys can be generated from an ASCII string. It is possible to crack such generated keys using the common dictionary attack. The idea behind a dictionary attack is to use words from a wordlist as the decryption key. The attack consists of trying words until the decrypted data can be verified as being correct.
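The following added example (not code from the report or from any tool it names) ties together the three WEP weaknesses described in the WEP, WEP+ and dictionary-attack sections above on a single toy frame. It implements RC4 and the WEP frame format (IV, RC4-encrypted payload, CRC-32 ICV) for a 40-bit key, then shows: why reusing an IV leaks the XOR of two plaintexts, which IVs a WEP+ transmitter avoids (the “resolved” IV form from the Fluhrer, Mantin and Shamir paper, assumed here as (B+3, 0xFF, x) for key byte B), and why the ICV makes a key spelled as a dictionary word self-verifying. The key “abcde” and the payload “UnTraf” come from the report; the IV, wordlist and second payload are constructed.

```python
import zlib


def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP frame body: IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    stream = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv, stream))


def wep_decrypt(key, frame):
    """Decrypt a WEP body; return the plaintext when the ICV verifies, else None.
    This built-in self-check is what lets a candidate key be confirmed or rejected."""
    iv, body = frame[:3], frame[3:]
    stream = rc4(iv + key, len(body))
    clear = bytes(a ^ b for a, b in zip(body, stream))
    data, icv = clear[:-4], clear[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def is_fms_weak_iv(iv, key_len=5):
    """Assumed FMS 'resolved' IV form (B+3, 0xFF, x) for key byte B.
    A WEP+ transmitter skips these IVs; a monitor can count how often a
    station still emits them to tell WEP+ capable gear from plain WEP."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def keystream_reuse_leak(key, iv, p1, p2):
    """Two frames under the same IV share one keystream: XOR of the ciphertexts
    equals XOR of the plaintexts, so knowing p1 reveals p2 without the key."""
    c1 = wep_encrypt(iv, key, p1)[3:]
    c2 = wep_encrypt(iv, key, p2)[3:]
    n = min(len(p1), len(p2))
    xored = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    return bytes(a ^ b for a, b in zip(xored, p1[:n]))


def key_from_wordlist(frame, wordlist):
    """Return the first wordlist entry whose 5-byte ASCII form decrypts `frame`
    with a valid ICV, together with the number of trials; (None, trials) if none."""
    for trials, word in enumerate(wordlist, 1):
        candidate = word.encode("ascii")
        if len(candidate) == 5 and wep_decrypt(candidate, frame) is not None:
            return word, trials
    return None, len(wordlist)


# Constructed sample: a 40-bit key spelled as an ASCII word, a tiny wordlist,
# and an IV chosen to fall in the weak form for a 5-byte key.
KEY = b"abcde"
WORDLIST = ["apple", "zebra", "abcde", "tiger"]
IV = bytes([5, 0xFF, 0x20])

if __name__ == "__main__":
    frame = wep_encrypt(IV, KEY, b"UnTraf")
    print("weak IV used:", is_fms_weak_iv(IV))
    print("second plaintext recovered from IV reuse:",
          keystream_reuse_leak(KEY, IV, b"UnTraf", b"HELLO!"))
    print("wordlist hit:", key_from_wordlist(frame, WORDLIST))
```

Each function maps to one prevention point from the report: a transmitter that never reuses an IV and skips the weak ones (what WEP+ adds) removes what `keystream_reuse_leak` and `is_fms_weak_iv` rely on, and a key drawn from the full 40-bit space rather than from a word makes `key_from_wordlist` fail; none of these change the fact that the ICV lets any candidate key be checked offline, which is why the practical fix is to retire WEP for WPA2 rather than to pick better WEP keys.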
Data Broadcast over the Network is Garbage Data
We assumed that data broadcast over the network is garbage data. When we analyzed some of the data we saw a repeated back and forth conversation of “UnTraf” between the two machines. It is possible that potential evidence was broadcast over the network. We chose not to investigate this possibility due to time constraints. If this assumption were false then potential evidence may have been missed.