Network Forensics, Part 5: Wi-Fi (802.11) Forensics

Cybersecurity Digital Forensics Hacking

Welcome back my aspiring DFIR analysts!

In recent recent years, Wi-Fi has become ubiquitous throughout our home and working environments. It provides convenience and a limited amount of security, enough to be used by most people.

In any investigation where Wi-Fi is available, you will be negligent to not inspect and analyze the Wi-Fi network for sources of compromise. This analysis will include a search for anomalies that may indicate compromise or malicious traffic. In this tutorial, we will examine how to properly analyze Wi-Fi traffic with Wireshark to detect such malicious traffic.

If you are not familiar with Wireshark, read this tutorial first.

Step #1: View Wireless AP’s and Clients

The first step is to take an inventory of the avialble AP’s and clients. There are numerous tools that can do this including Netstumbler and Kismac, but I prefer to simply use the aircrack-ng suite tool, airodump-ng as seen below.

Here we can view the BSSID of each AP in the column to the far left and other critical technical data in the following columns followed by the ESSID in the extreme right hand column. In the lower stanza, we can see each client that is connected to the AP’s with their MAC address.

Step #2: Download and Open Wireshark

If don’t don’t have Wireshark installed on your system (it’s installed by default in Kali( do so now. When you run the executable, it will start a screen like that below. Normally, you will select an interface to collect data from but in this tutorial we will be using some capture files.

Step #3: Download our Test pcaps

Download sample pcap file, Network_Join_Nokia_Mobile.pcap, from the Wireshark website here.

Next, open the pcap by using the drop down below as seen below and click on the Open link.

Step #4: Display Filters

Wireshark has numerous built in filters that can be found by clicking on the Analyze ->Display Filter Expression tab. Nearly all the filters we will be using are in the IEEE 802.11IEEE 802.11 wireless LAN directory

Step #5: Find Beacon Frames

The 802.11 protocol suite has a unique set of frames. Each of these different types of frames holds different evidence for the forensic investigator.

  1. Management Frames -governs communication between stations

  2. Control Frames- supports flow control

  3. Data Frames- encapsulates Layer 3 and above data

For more on Wi-Fi frames see Anatomy of Wi-Fi here.

Some of the questions we are trying to resolve in our analysis include;

  1. Are there any beacons in our traffic

  2. Are there any probe responses

  3. Find all the BBBSID’s and SSID’s

  4. Are there unauthorized MAC addresses on our network

The first type of frame we want to locate are the beacon frames.

As we can see above, beacon frames are among the management frames of 802.11 frames. They are type=0 and subtype=0x08. We locate these beacon frames by creating a display filter in Wireshark such as

wlan.fc.type_subtype==0x08

When we filter out everything but the beacon frames we can identify the SSID and the transmitter address.

To filter out everything but the beacon frames and the probe response, we can create filter using the logical OR (||) such as;

wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05

To view the traffic from one MAC address, we can use the wlan.addr syntax followed by the MAC address, such a;

wlan.addr ==00:16:bc:3d:aa:57

We can be even more specific and filter for the traffic from the transmitter address using the wlan.ta filter such as:

wlan.ta ==00:16:bc:3d:aa:57

Step #6: Identifying Data Frames

As part of our investigation, we will usually want to see the data frames. As stated above, data frames carry the data from Layer 3 on up.

To filter for just data frames, we can create a filter such as;

wlan.fc.type_subtype == 0x20

Of course, we can be very specific and create filters using the Wireshark syntax of logical OR (||) and logical AND (&&) and negation (!). We can filter for machines sending data within the Wi-Fi network with the following filter;

((wlan.ta == 00:16:bc:3d:aa:57) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2

Step #7: Identifying a De-authentication Attack

Within the framework of 802.11 frame types is one used to deauthenticate associated clients. It can be used to create an effective Denial of Service (DoS) attack against an AP and is a tell tale sign of an attempted brute force attack against AP using aircrack-ng and other WiFi hacking tools. The deauthenicate frame is a management frame (type 0) and subtype 0x0C. We can search for these deauthenticate frames by creating a Wireshark display filter such as;

wlan.fc.type_subtype==0x0c

Step #8: Other Useful Display Filters

For the forensic investigator, other notable frame filters include the following;

Step #9: Decrypt Traffic

Generally, the Wi-Fi traffic will be encrypted. In the case of WEP, WPA and WPA2-PSK, there is a single key for all of the stations. This means that anyone with access to the PSK can listen to all the traffic from all the stations. For the investigator, this means that they only need to obtain the key from the IT staff to listen in on all traffic at all stations.

To decrypt the traffic in Wireshark, click on the Edit -> Preferences -> Protocol tab.

This will open a Window like below. Click on the IEEE802.11 protocol tab.

Then, click on the Edit button. To obtain the PSK hashed key for the network, you will need to go to https://www.wireshark.org/tools/wpa-psk.html .

This opens a web page as seen above. Enter the Passphrase and the SSID (the SSID is used as salt in PSK hashes) and click Generate PSK. This app will generate your hash after a few minutes.

Finally, enter the Key type (usually wpa-psk) from the pull down menu and enter the PSK hash from the application.

Now, all of the data frames will be decrypted for your easy viewing of their contents.

Summary

Where Wi-Fi is employed at the scene of a suspected intrusion or compromise, an inspection and analysis is critical. Wireshark is the tool of choice for inspecting both live and captured frames. With just a bit of knowledge of the stricture of Wi-Fi frames, the skilled investigator can find and determine the possible source of malicious activity on the network.