Information System Security
DIGITAL FORENSIC IN WIRELESS NETWORKS
Student Id 557981
In today’s global digital era, a sharp increase in malware and cyber-attacks has impacted large enterprises and government agencies. The Internet is the main vector for cyber and malware attacks that damage digital assets and enable digital crimes such as online banking fraud, identity theft, security breaches, DoS attacks and data tampering. Therefore, digital forensic readiness (DFR) requires coordination between the management and monitoring of a wide variety of resources, both human and technical, such as multiple departments and business units, IT infrastructure and computing platforms in large enterprises and government agencies. I would like to focus on digital forensics in wireless networks, where many open vulnerabilities exist, and on how to audit and secure wireless networks using open source tools.
Wireless networks that follow the 802.11b or “Wi-Fi” standard are extremely popular because of their ease of installation. At the same time, it is very important that companies ensure that using this technology is not a threat to security and performance. Ensuring this requires professional help for the proper deployment and auditing of wireless networks. Many tools are available that help security professionals with Wi-Fi auditing; some are free and open source, whereas others are commercial products. The goal of this paper is to review a few open source tools that are available for wireless security auditing.
Digital forensic readiness:
Digital forensic readiness (DFR) was first described by Tan (2001) as setting up digital forensics in organizations to minimize the cost of digital forensics whilst maximizing the capability of an organization to collect legally reliable digital evidence. Forensic readiness has been studied from many perspectives including resourcing (Reyes and Wiles, 2007), technology use and selection (Carrier & Spafford, 2003), training (Carrier & Spafford, 2003; Rowlingson, 2004), legal investigations (Casey, 2005), incident response (Ahmed et al., 2012; Shedden et al., 2010a; Tan et al., 2013) and policy (Yasinsac & Manzano, 2001).
Forensic readiness can be divided into operational readiness and infrastructural readiness (Carrier and Spafford, 2003). Operational readiness is concerned with the provision of training and equipment for individuals who are involved in forensics, whereas infrastructural readiness is concerned with ensuring that the data of an organization is appropriately preserved. These concepts are also discussed by Rowlingson (2004), who proposes that activities such as planning, policing, training and monitoring are important to improve forensic readiness. Grobler et al. (2010) suggest that DFR is a proactive forensic activity. They also propose that cultural and governance aspects should be incorporated within forensic readiness, linking digital forensic readiness to organizational management. The framework consists of: (1) a set of Forensic Factors that are concerned with the various areas of forensic readiness; and (2) a set of Forensic Readiness Capabilities that organizations aim to achieve (Fig. 1).
All focus group participants were initially asked ‘what is organizational forensic readiness’ in order to determine their perceptions and views on the area itself (Elyas, Ahmad, Maynard and Lonie, 2015). The research team identified various attributes such as the collection, preservation, preparation and presentation of evidence.
In the remainder of this paper we focus in more detail on a wireless network audit framework.
Wireless Network Audits
Wireless network audits are very similar to their wired network equivalent in their goal: both aim at finding security and performance issues in the network, and at establishing a baseline against which future audits will be measured.
The primary difference between a wired network audit and a wireless network audit lies at the physical transport layer (radio in one case, cables in the other) and in the layer 2 characteristics. Using radio waves for communication leads to very specific issues that have to be covered by the audit, such as:
• Network access range, fading, and interferences.
• Unauthorized network access.
• Interference with other neighboring networks.
• 802.11 security issues.
Even though unauthorized network access can also be an issue with wired networks (physical security breach), it is much more practical on wireless networks: it is very easy for an intruder to eavesdrop, and at the same time difficult to detect someone passively listening to traffic, though it is not always impossible (see Wright, 2002, on layer 2 detection of WLAN discovery tools). Radio-specific issues are an important factor in the design of a wireless network. Wi-Fi networks use the 2.4-2.48 GHz microwave range. This frequency does not propagate well through the environment, which allows a denser cell layout, but it also means that the signal is very sensitive to fading and propagation oddities.
Proposed Wireless Network Audit Framework
We will divide wireless network audits into two main families: wireless network security audits and wireless site audits. Though the focus will be on wireless security, we will also cover the description of wireless site audits, since they contain a security component that cannot be overlooked: security needs to be considered from the very first design phase and not as an additional component that can be added at a later stage! A wireless network security audit will generally be conducted over an existing 802.11 network that has already been deployed.
This audit will try to identify issues and establish a baseline for the network. A wireless site audit, on the other hand, will be conducted before installing an 802.11 network; it will try to identify at an early stage the issues that may be faced during deployment, and gather the information needed to design the structure of the 802.11 network that will be installed on site.
Wireless Security audit
A wireless security audit can be divided into the following phases.
Phase I – Audit Preparation
• Decide assessment strategy:
  • Raise network management awareness of the audit, or not
  • Passive / active / disrupting survey
  • Amount of effort: high-gain antennas, casual access, physical intrusion, rogue AP installation
  • Legal issues
  • Audit timeframes
• Following the strategy that is decided, constitute the team
Phase II – Security Audit
• Run network stumblers outside of the building, determine leaking coverage
• Packet logging and analysis
• Identify relevant leaked info
• Identify AP hardware and configuration
• WEP Key decryption depending on network traffic
• Rogue AP installation – get users to connect to rogue AP and hijack traffic
• Exploits of known factory configuration weaknesses
• Exploits of known deficiency of identified network design
• Map of leaking coverage around site/campus
• List of WiFi AP identified, along with configuration
Phase III – Security Recommendations
• WiFi architecture recommendations
• Adapting existing architecture to offer better security
• Introduce stronger/smarter encryption
• WiFi configuration recommendations
• AP configuration
Wireless Site Audit
A wireless site audit can be divided into the following phases:
Phase I – Planning / Information Survey
• Gather information about the site where survey will be done
• Building Blueprints
• Building Structure
• Gather information about the population that will be or is using WiFi
• Mobility / Roaming
• Planned population
• Gather information about planned or existing wanted network capacity and service levels
Phase II – Site Survey 1: Radio Survey
• Team goes to site and evaluates pre-existing 802.11 networks that can be reached from the site
• Team evaluates sources of disruption:
  • Rogue sources: interference from other cellular providers, unfiltered electrical appliances
  • Spectrum competition: Bluetooth, proprietary 2.4 GHz wireless transmissions, cordless phones
• For existing 802.11 networks owned by the customer, do:
  • Rogue access point survey
• Radio survey report
• Recommendations for alleviating issues encountered during the radio survey
Phase III – Site Survey 2: Physical Survey
• Physical building security survey: access control, user identification
• AP location strategy:
  • RF signal fading zones survey
  • RF signal coverage area and out-of-building radio leakage survey
  • AP power level adjustment
  • Physical AP enclosure and physical security
  • Antenna location
• Recommendations for building security: corporate badge, door control
• Map of the location of all APs
• Radio configuration of all APs:
  • Channel allocation strategy
  • Power levels
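The coverage-leakage and channel-allocation steps of the physical survey can be worked through on the kind of data a stumbler with a GPS receiver logs. The following is an added example written for this paper; it is not code from any survey tool. The site perimeter (a lat/lon bounding box), the association threshold of -75 dBm, the readings and the channel plan are all constructed assumptions.

```python
# Added example, not from the paper or any survey tool: summarize GPS-tagged
# signal readings per AP, flag coverage that is still usable outside the site
# perimeter, and find overlapping 2.4 GHz channel assignments. The perimeter,
# threshold, readings and channel plan below are all constructed.
from collections import defaultdict
from itertools import combinations

# Assumed site perimeter (lat/lon bounding box) and assumed association threshold.
SITE = {"lat_min": 48.8560, "lat_max": 48.8580, "lon_min": 2.2940, "lon_max": 2.2960}
USABLE_DBM = -75  # readings at or above this are treated as usable by a client

# Constructed stumbler + GPS log: (lat, lon, bssid, rssi_dbm)
SAMPLES = [
    (48.8570, 2.2950, "00:11:22:33:44:01", -45),  # inside the building
    (48.8575, 2.2955, "00:11:22:33:44:01", -60),  # inside
    (48.8590, 2.2950, "00:11:22:33:44:01", -68),  # on the street: usable signal leaks out
    (48.8570, 2.2950, "00:11:22:33:44:02", -50),  # inside
    (48.8540, 2.2950, "00:11:22:33:44:02", -88),  # outside, but too weak to associate
]
# Constructed channel plan for three APs.
AP_CHANNELS = {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 6, "00:11:22:33:44:03": 3}


def inside(lat, lon, site=SITE):
    """True when a reading was taken within the site perimeter."""
    return site["lat_min"] <= lat <= site["lat_max"] and site["lon_min"] <= lon <= site["lon_max"]


def coverage_summary(samples, site=SITE):
    """BSSID -> sample counts and strongest reading inside and outside the perimeter."""
    summary = defaultdict(lambda: {"n_inside": 0, "n_outside": 0,
                                   "inside_max": None, "outside_max": None})
    for lat, lon, bssid, rssi in samples:
        where = "inside" if inside(lat, lon, site) else "outside"
        entry = summary[bssid]
        entry["n_" + where] += 1
        best = entry[where + "_max"]
        entry[where + "_max"] = rssi if best is None else max(best, rssi)
    return dict(summary)


def leaking_aps(samples, site=SITE, usable=USABLE_DBM):
    """APs whose strongest out-of-perimeter reading is still usable: candidates for
    lowering transmit power or moving the antenna."""
    return {bssid: s["outside_max"] for bssid, s in coverage_summary(samples, site).items()
            if s["outside_max"] is not None and s["outside_max"] >= usable}


def overlapping_channels(ap_channels):
    """Pairs of APs on 2.4 GHz channels fewer than 5 apart: their signals overlap,
    which is why the usual allocation is channels 1 / 6 / 11."""
    return [(a, b) for a, b in combinations(sorted(ap_channels), 2)
            if abs(ap_channels[a] - ap_channels[b]) < 5]


if __name__ == "__main__":
    for bssid, entry in coverage_summary(SAMPLES).items():
        print(bssid, entry)
    print("leaking:", leaking_aps(SAMPLES))
    print("channel conflicts:", overlapping_channels(AP_CHANNELS))
```

On the constructed log the first AP is flagged because a -68 dBm reading was taken on the street, while the second AP's only outside reading is below the threshold; the channel check reports the AP on channel 3 as conflicting with both the channel 1 and the channel 6 AP.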
In the course of the two survey types described above, specific software will be used.
More precisely, we need:
• RF Monitoring software (“stumblers”)
• Packet analyzers
• Mapping software
• Software kits for exploiting known weaknesses
RF Monitoring Software
RF monitoring software is the wireless equivalent of network packet sniffers for Ethernet. Although packet sniffing on Ethernet networks can be difficult to run because of traffic separation on the various network segments, wireless sniffing is comparatively easier: all the stations that use a given Wi-Fi network transmit on the same set of channels, and some Wi-Fi network cards can be configured to listen to all traffic on all channels. To conduct a wireless security audit, in view of the tasks specified above, the monitoring software must provide at least the following features:
– AP and client detection and identification: WEP, SSID, manufacturer, configuration.
The first task of the RF monitoring software is to identify existing 802.11x traffic and which access points and clients can be detected at a specific location. Most RF monitoring software is able to automatically determine the manufacturer and model of detected access points and client workstations.
– Geographical tagging of APs.
This is an important feature of RF monitors: one of the most crucial security threats of wireless networks is the limited control over the actual range of the installed access points. The RF monitor must be able to map the coverage of all the access points it detects. This is usually achieved using GPS receivers.
– Packet logging for analysis by third-party software.
The third main feature of an RF monitor is the ability to log all the packets it receives in a file format that is compatible with higher-level analyzers. Those analyzers are the same as those used for fixed network surveys and can decode higher-level protocols and detect security issues that are not specific to the wireless aspect of the network. When conducting wireless site surveys, emphasis is put on the radio layer and on network performance. On top of the features previously mentioned, surveyors will need software that can do the following:
– Power level and signal strength mapping.
Because 802.11x signals are very sensitive to fading, RF monitors must be able to map not only the range of access points, but also the signal strength and quality over the coverage area.
– Detection of interference from neighboring Wi-Fi networks.
One potential problem that can be identified during a Wi-Fi site audit is the existence of access points that can be reached on the site and do not belong to the company that is doing the audit. It is important that the RF monitor detects those and maps their coverage. Failure to do so can result in workstations associating with the wrong access points once the Wi-Fi network is installed, which can lead to serious security problems.
Packet analyzers decode the traffic that has been recorded by the RF monitor. They are usually not specific to Wi-Fi, but need to be able to decode 802.11 payloads. Packet analyzers let users identify security and performance problems. For example, using the correct set of filters on a packet analyzer, it is relatively easy to detect the presence of “active stumblers” on a network.
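To make the AP identification, neighbor detection and "active stumbler" filtering described above concrete, here is an added example written for this paper; it is not code from Kismet or from any packet analyzer. It decodes radiotap-wrapped 802.11 beacon and probe-request frames that are constructed in the file itself (no capture is read), builds an AP inventory with SSID, channel, security type and signal, compares it against an assumed list of authorized BSSIDs, and flags stations that send wildcard probe requests at a rate more typical of a stumbler than of an ordinary client. The authorized list, the frames, the 10-second window and the threshold of 5 probes are all assumptions.

```python
# Added example, not from the paper or from Kismet: inventory APs from beacons,
# compare them with an authorized list, and flag stumbler-like probe requesters.
# All frames are constructed below; the authorized list is an assumed input.
import struct
from collections import defaultdict

AUTHORIZED = {"00:11:22:33:44:01": "corp-wifi", "00:11:22:33:44:02": "corp-wifi"}
RT_DBM = 1 << 5  # radiotap 'present' bit for the dBm antenna signal field

def radiotap(signal_dbm):
    """Smallest radiotap header, carrying only the dBm antenna signal (9 bytes)."""
    return struct.pack("<BBHIb", 0, 0, 9, RT_DBM, signal_dbm)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def beacon(bssid, ssid, channel, rsn=False, wep=False, signal=-50):
    """Constructed beacon: mgmt header, fixed fields, SSID/DS/(RSN) tags, no FCS."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac_bytes(bssid) * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if wep else 0))  # privacy bit = WEP
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    if rsn:
        tags += bytes([48, 2, 1, 0])  # RSN IE cut down to its version field
    return radiotap(signal) + hdr + fixed + tags

def probe_request(station, ssid=""):
    """Constructed probe request; an empty SSID tag means a wildcard probe."""
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + mac_bytes(station) + b"\xff" * 6 + b"\x00\x00"
    return radiotap(-60) + hdr + bytes([0, len(ssid)]) + ssid.encode()

def parse_frame(raw):
    """Decode radiotap + 802.11 beacon / probe request; None for anything else."""
    if len(raw) < 8:
        return None
    _v, _p, rt_len, present = struct.unpack_from("<BBHI", raw, 0)
    # Only the one-field radiotap layout built above is decoded; other layouts give signal=None.
    signal = struct.unpack_from("<b", raw, 8)[0] if present == RT_DBM else None
    dot11 = raw[rt_len:]
    if len(dot11) < 24 or (dot11[0] >> 2) & 3 != 0:  # management frames only
        return None
    subtype, body, capability = dot11[0] >> 4, dot11[24:], None
    if subtype == 8:  # beacon: timestamp, interval and capability precede the tags
        if len(body) < 12:
            return None
        capability, body = struct.unpack_from("<H", body, 10)[0], body[12:]
    elif subtype != 4:
        return None
    tags, i = {}, 0
    while i + 2 <= len(body):  # tagged parameters: id, length, value
        tag, ln = body[i], body[i + 1]
        tags[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"subtype": subtype, "src": mac_str(dot11[10:16]), "bssid": mac_str(dot11[16:22]),
            "signal": signal, "capability": capability, "tags": tags}

def ap_inventory(frames):
    """BSSID -> SSID, channel, security and last seen signal, from beacons."""
    aps = {}
    for f in filter(None, map(parse_frame, frames)):
        if f["subtype"] != 8:
            continue
        security = "WPA2/RSN" if 48 in f["tags"] else "WEP" if f["capability"] & 0x0010 else "open"
        aps[f["bssid"]] = {"ssid": f["tags"].get(0, b"").decode("utf-8", "replace"),
                           "channel": f["tags"][3][0] if 3 in f["tags"] else None,
                           "security": security, "signal": f["signal"]}
    return aps

def classify_aps(aps, authorized):
    """authorized / neighbor / possible-rogue (our SSID on unknown hardware)."""
    own = set(authorized.values())
    verdict = {}
    for bssid, info in aps.items():
        if bssid in authorized:
            verdict[bssid] = "authorized" if info["ssid"] == authorized[bssid] else "unexpected-ssid"
        else:
            verdict[bssid] = "possible-rogue" if info["ssid"] in own else "neighbor"
    return verdict

def active_stumblers(timed_frames, window_s=10.0, threshold=5):
    """Stations sending >= threshold wildcard probe requests inside one window."""
    counts = defaultdict(lambda: defaultdict(int))  # src -> window index -> count
    for raw, ts in timed_frames:
        f = parse_frame(raw)
        if f and f["subtype"] == 4 and f["tags"].get(0, b"") == b"":
            counts[f["src"]][int(ts // window_s)] += 1
    return {src: max(w.values()) for src, w in counts.items() if max(w.values()) >= threshold}

# Constructed capture: two corporate APs, an open AP spoofing our SSID, a WEP
# neighbor, one station probing every half second and one ordinary client.
SAMPLE_BEACONS = [beacon("00:11:22:33:44:01", "corp-wifi", 1, rsn=True),
                  beacon("00:11:22:33:44:02", "corp-wifi", 6, rsn=True, signal=-70),
                  beacon("de:ad:be:ef:00:01", "corp-wifi", 11),
                  beacon("66:77:88:99:aa:bb", "neighbor-net", 1, wep=True, signal=-80)]
SAMPLE_PROBES = [(probe_request("aa:bb:cc:00:00:01"), 0.5 * i) for i in range(8)]
SAMPLE_PROBES += [(probe_request("aa:bb:cc:00:00:02"), 0.0),
                  (probe_request("aa:bb:cc:00:00:02", "corp-wifi"), 30.0)]
```

Running `classify_aps(ap_inventory(SAMPLE_BEACONS), AUTHORIZED)` on the constructed capture marks the two listed BSSIDs as authorized, the open AP that advertises the corporate SSID from unknown hardware as a possible rogue, and the WEP network as a neighbor; `active_stumblers(SAMPLE_PROBES)` reports only the station that sent eight wildcard probes in ten seconds. The wildcard-probe-rate heuristic is a simple one and will also catch chatty legitimate clients, so in a real audit it is a lead for the packet analyzer rather than a verdict.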
Mapping software is used for the production of reports, and to plot access point coverage, power levels, etc. Depending on the way they are used, mapping packages can be either a cosmetic enhancement to the final survey report, or bring real value.
This last step, vulnerability assessment, is not specific to wireless security surveys and is very similar to its fixed network equivalent. Many automated vulnerability assessment tools are available on the market, such as Nessus, which can automatically produce very detailed reports. Using automated tools is a tradeoff: if they are kept up to date and follow security disclosures from reliable sources (CERT advisories), they add real value; if not, they bring a false sense of security. When it comes to wireless-specific vulnerabilities, the same few issues keep popping up.
While most Wi-Fi surveys can be done using only software tools and wireless network cards, it is important to note that in some cases, specialized hardware can be used for specific aspects of the audit.
The GPS system is a military system managed by the United States, which enables devices to determine their geographical coordinates to within a few meters. GPS receivers are often used for wireless surveys, as they enable RF monitors to add geographical information to the data they log, and most if not all RF monitoring software supports them. It is nevertheless important to note that GPS does not work indoors, which makes it irrelevant for surveys inside offices.
Spectrum analyzers are high-end devices that monitor the strength of various frequencies in the RF spectrum. Their use is not trivial, they are expensive and they need to be operated by qualified personnel. They enable surveyors to create a very precise map of RF coverage for access points, and can also spot sources of interference, such as other devices operating in the 2.4 GHz band: Bluetooth, cordless phones, defective microwave ovens, etc.
Hardware-based Wi-Fi monitors
There are a few Wi-Fi monitors on the market that use dedicated hardware. They usually combine the features of a software-based RF monitor with the added functionality of a basic spectrum analyzer. These will not be covered in this paper.
Using Open-source software for Wi-Fi surveys
Considerations on Open Source
The open source movement was born in 1984 (http://www.gnu.org/), and has now become an integral part of the software industry. It was born out of the belief that it is in the interest of everyone to be able to freely share the source code of their projects, as it will lead to better quality software. This point has been argued countless times, and a good reference on the matter is “The Cathedral and the Bazaar”, by Eric S. Raymond. It is important to realize that personal motivation is usually the main driver and success factor behind open-source projects: people need to be passionate about their project and motivate the rest of the contributors, in order to get good results. Keeping this in mind, Wi-Fi has a few characteristics that have made it very popular amongst the Open Source community: it is both a low-cost and a high-tech system. It offers a lot of potential for tweaking and creating community networks (Consume, NYCwireless), and you only need one Wi-Fi card and a cheap antenna to start playing with the technology. In short, its “hype factor” is very high! For these reasons, and as soon as the cost of 802.11b cards became affordable a few years ago, a lot of high-quality software was written to let people explore the possibilities of 802.11b, leading to the first generation of wireless network survey tools, also called “stumblers”, and to the development of a new hacking activity: “war driving”. It is important to note that the characteristics of the tools developed for “war driving” are exactly those that are needed for doing wireless security audits!
This war driving movement raised the awareness of the industry about wireless security issues, and pushed professional security software companies to broaden their offering in that area. This new software offering came after most of the open source scanners and survey tools were developed, as a response to a new threat. For example, the “Sniffer Wireless” product, very similar to Kismet in its capabilities, was released in September 2002, whereas the Kismet project dates back to before December 2001 (from the change log in the Kismet source).
Focus on the open-source offering
It is not the intention of this paper to go over the perceived benefits of Open Source software in general, but rather to show that its use is relevant for wireless security. As seen in the table above, there is a real open-source offering when it comes to wireless scanners and survey tools: the 802.11a and b protocols are supported by several products, on a variety of platforms (Linux, Windows and Pocket PC).
An added benefit of Open Source products is that, as they do not require the purchase of a license, they can easily be used together to complement the features of several different packages and create a more powerful setup.
On the other hand, two points can sometimes be an issue with corporate use of Open Source software:
– Lack of support
– Open-source licensing terms
Lack of support is often seen as a big problem, as it forces companies that rely on open source tools to count on community support, and there is no guarantee that bugs will be fixed. In our case, this problem is alleviated by the fact that, as mentioned above, wireless tools are very actively developed and are the same tools used by war drivers: any bug or shortcoming of those tools will impact both sides of the security field! The issue with open-source licenses, especially the GNU GPL (General Public License), concerns the fact that source code and/or changes to it must be redistributed or made available along with copies of the software (section three of the GNU GPL). This can be deemed unacceptable in some business situations. In the case of wireless surveys, this is actually not an issue, as no redistribution of any kind of software is involved in surveys.
Example of a Survey setup
This section describes a practical example of a survey setup that is suited for wireless security audits. It only relies on Open Source tools.
Comparing the above feature list to the list described in the “Software” section, we can see that this setup offers all the features that are necessary to accomplish all the steps of a wireless survey.
References
Capano, D. E. (2015). Wireless intrusion detection and protection systems. Control Engineering, 62(11), 80.
Wright, Joshua, GCIH, CCNA (2002). Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection. Retrieved from http://www.willhackforsushi.com/papers/l2-wlan-ids.pdf
Kershaw, Mike (2003). “KISMET 2.8.0”. Retrieved from http://www.kismetwireless.net/documentation.shtml