otw

Network Forensics, Part 5: Wi-Fi (802.11) Forensics

Updated: Dec 28, 2022


Welcome back my aspiring DFIR analysts!


In recent years, Wi-Fi has become ubiquitous throughout our home and working environments. It provides convenience and a limited amount of security, enough for most people's purposes.


In any investigation where Wi-Fi is available, it would be negligent not to inspect and analyze the Wi-Fi network for sources of compromise. This analysis includes a search for anomalies that may indicate compromise or malicious traffic. In this tutorial, we will examine how to properly analyze Wi-Fi traffic with Wireshark to detect such malicious traffic.


If you are not familiar with Wireshark, read this tutorial first.


Step #1: View Wireless AP's and Clients


The first step is to take an inventory of the available APs and clients. There are numerous tools that can do this, including Netstumbler and Kismac, but I prefer to simply use the aircrack-ng suite tool airodump-ng, as seen below.



Here we can view the BSSID of each AP in the column to the far left and other critical technical data in the following columns, followed by the ESSID in the extreme right-hand column. In the lower stanza, we can see each client connected to the APs, with its MAC address.


Step #2: Download and Open Wireshark


If you don't have Wireshark installed on your system (it's installed by default in Kali), do so now. When you run the executable, it will start with a screen like the one below. Normally, you would select an interface to collect data from, but in this tutorial we will be using some capture files.


Step #3: Download our Test pcaps


Download the sample pcap file, Network_Join_Nokia_Mobile.pcap, from the Wireshark website here.


Next, open the pcap by using the drop-down menu as seen below and clicking on the Open link.




Step #4: Display Filters


Wireshark has numerous built-in filters that can be found by clicking on the Analyze -> Display Filter Expression tab. Nearly all the filters we will be using are in the IEEE 802.11 wireless LAN directory.



Step #5: Find Beacon Frames


The 802.11 protocol suite has a unique set of frames. Each of these different types of frames holds different evidence for the forensic investigator.

  1. Management Frames - govern communication between stations

  2. Control Frames - support flow control

  3. Data Frames - encapsulate Layer 3 and above data

For more on Wi-Fi frames see Anatomy of Wi-Fi here.


Some of the questions we are trying to resolve in our analysis include:

  1. Are there any beacons in our traffic?

  2. Are there any probe responses?

  3. What are all the BSSIDs and SSIDs?

  4. Are there unauthorized MAC addresses on our network?


The first type of frame we want to locate are the beacon frames.


As we can see above, beacon frames are among the management frames of 802.11 frames. They are type=0 and subtype=0x08. We locate these beacon frames by creating a display filter in Wireshark such as


wlan.fc.type_subtype==0x08



When we filter out everything but the beacon frames we can identify the SSID and the transmitter address.


To filter out everything but the beacon frames and the probe responses, we can create a filter using the logical OR (||) such as:


wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05


To view the traffic involving one MAC address, we can use the wlan.addr syntax followed by the MAC address, such as:


wlan.addr ==00:16:bc:3d:aa:57


We can be even more specific and filter for the traffic from the transmitter address using the wlan.ta filter such as:


wlan.ta ==00:16:bc:3d:aa:57




Step #6: Identifying Data Frames


As part of our investigation, we will usually want to see the data frames. As stated above, data frames carry the data from Layer 3 on up.



To filter for just data frames, we can create a filter such as:


wlan.fc.type_subtype == 0x20


Of course, we can be very specific and create filters using the Wireshark syntax of logical OR (||), logical AND (&&) and negation (!). We can filter for machines sending data within the Wi-Fi network with the following filter:


((wlan.ta == 00:16:bc:3d:aa:57) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2





Step #7: Identifying a De-authentication Attack


Within the framework of 802.11 frame types is one used to deauthenticate associated clients. It can be used to create an effective Denial of Service (DoS) attack against an AP and is a telltale sign of an attempted brute force attack against the AP using aircrack-ng and other Wi-Fi hacking tools. The deauthentication frame is a management frame (type 0) with subtype 0x0C. We can search for these deauthentication frames by creating a Wireshark display filter such as:


wlan.fc.type_subtype==0x0c
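To make the filters in Steps 5, 6 and 7 concrete, here is an added example (not code from the original post) that parses raw 802.11 frames without a radiotap header, evaluates the same predicates the display filters express (wlan.fc.type_subtype, wlan.fc, wlan.addr, wlan.ta, wlan.fc.type), builds a BSSID-to-SSID inventory from beacons and probe responses, and counts deauthentication frames per transmitter so a burst like the one described in Step 7 stands out. The AP address 00:16:bc:3d:aa:57 is the one used in the post's filters; the client and wired-host MAC addresses, the SSID, the frames themselves and the deauth threshold of 10 are constructed assumptions.

```python
"""Offline equivalents of the Wireshark display filters from Steps 5-7.

Added example, not code from the original post. Frames are raw 802.11
(24-byte MAC header, no radiotap). Everything other than the AP address
taken from the post is constructed test data.
"""
import struct
from collections import Counter

# wlan.fc.type_subtype values used in the post: (type << 4) | subtype
BEACON, PROBE_RESP, DEAUTH, DATA = 0x08, 0x05, 0x0C, 0x20
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<BBH6s6s6sH"  # fc byte 0, fc flags, duration, addr1..3, sequence control


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(type_subtype, addr1, addr2, addr3, body=b"", flags=0):
    """Build a raw 802.11 frame (constructed data); bits 0-1 of fc are the protocol version, 0."""
    ftype, subtype = (type_subtype >> 4) & 0x3, type_subtype & 0xF
    fc0 = (ftype << 2) | (subtype << 4)
    return struct.pack(HDR, fc0, flags, 0, mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3), 0) + body


def parse_ssid(body):
    """Beacon/probe-response body: timestamp(8) + interval(2) + capability(2), then tagged IEs."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:  # tag 0 is the SSID element
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def parse_frame(raw):
    fc0, flags, _dur, a1, a2, a3, _seq = struct.unpack_from(HDR, raw, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    ts = (ftype << 4) | subtype
    return {
        "fc": (fc0 << 8) | flags,                          # wlan.fc as Wireshark shows it (0x8000 = beacon)
        "type": ftype,                                      # wlan.fc.type
        "type_subtype": ts,                                 # wlan.fc.type_subtype
        "addr": [mac_str(a1), mac_str(a2), mac_str(a3)],    # wlan.addr matches any of these
        "ta": mac_str(a2),                                  # wlan.ta: addr2 is the transmitter in mgmt/data frames
        "ssid": parse_ssid(raw[24:]) if ts in (BEACON, PROBE_RESP) else None,
    }


# --- display-filter equivalents, one function per filter in the post ---
def beacons(frames):                      # wlan.fc.type_subtype==0x08
    return [f for f in frames if f["type_subtype"] == BEACON]

def beacons_or_probe_responses(frames):  # wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05
    return [f for f in frames if f["type_subtype"] in (BEACON, PROBE_RESP)]

def any_addr(frames, mac):                # wlan.addr == mac
    return [f for f in frames if mac in f["addr"]]

def transmitter(frames, mac):             # wlan.ta == mac
    return [f for f in frames if f["ta"] == mac]

def data_frames(frames):                  # wlan.fc.type_subtype == 0x20
    return [f for f in frames if f["type_subtype"] == DATA]

def station_data(frames, mac):            # the long Step 6 filter, term for term
    return [f for f in frames if f["ta"] == mac and f["fc"] != 0x8000
            and f["type_subtype"] not in (PROBE_RESP, 0x04)
            and BROADCAST not in f["addr"] and f["type"] == 2]

def bssid_inventory(frames):              # BSSID (addr3 of a mgmt frame) -> SSID
    return {f["addr"][2]: f["ssid"] for f in beacons_or_probe_responses(frames)}

def deauth_counts(frames, threshold=10):  # wlan.fc.type_subtype==0x0c, grouped by transmitter
    """Transmitters that sent at least `threshold` deauth frames (threshold is an assumed tuning value)."""
    counts = Counter(f["ta"] for f in frames if f["type_subtype"] == DEAUTH)
    return {ta: n for ta, n in counts.items() if n >= threshold}


# --- constructed capture ---
AP = "00:16:bc:3d:aa:57"       # AP address used in the post's filters
CLIENT = "00:1e:52:7e:10:c4"   # constructed client
OTHER = "00:11:22:33:44:55"    # constructed wired host behind the AP

def mgmt_body(ssid):
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()

RAW_CAPTURE = [
    build_frame(BEACON, BROADCAST, AP, AP, mgmt_body("CoffeeShop")),
    build_frame(PROBE_RESP, CLIENT, AP, AP, mgmt_body("CoffeeShop")),
    build_frame(DATA, AP, CLIENT, OTHER, b"\xaa\xaa\x03", flags=0x01),     # client -> AP (To DS)
    build_frame(DATA, CLIENT, AP, OTHER, b"\xaa\xaa\x03", flags=0x02),     # AP -> client (From DS)
    build_frame(DATA, BROADCAST, AP, OTHER, b"\xaa\xaa\x03", flags=0x02),  # broadcast from AP
] + [build_frame(DEAUTH, CLIENT, AP, AP, b"\x07\x00") for _ in range(12)]  # deauth burst carrying the AP's address

FRAMES = [parse_frame(raw) for raw in RAW_CAPTURE]

if __name__ == "__main__":
    print("BSSIDs:", bssid_inventory(FRAMES))
    print("unicast data frames sent by the AP:", len(station_data(FRAMES, AP)))
    print("deauth bursts by transmitter:", deauth_counts(FRAMES))
```

Each function mirrors one display filter from the post, so the list it returns is what Wireshark would show for that filter on the same frames. The deauth count is a per-transmitter tally rather than a rate; on a real capture you would bucket it by time using the frame timestamps, which raw 802.11 frames without radiotap do not carry.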



Step #8: Other Useful Display Filters


For the forensic investigator, other notable frame filters include the following:





Step #9: Decrypt Traffic


Generally, the Wi-Fi traffic will be encrypted. In the case of WEP, WPA and WPA2-PSK, there is a single key for all of the stations. This means that anyone with access to the PSK can listen to all the traffic from all the stations. For the investigator, this means that they only need to obtain the key from the IT staff to listen in on all traffic at all stations.


To decrypt the traffic in Wireshark, click on the Edit -> Preferences -> Protocols tab.


This will open a window like the one below. Click on the IEEE 802.11 protocol tab.


Then, click on the Edit button. To obtain the hashed PSK for the network, go to https://www.wireshark.org/tools/wpa-psk.html .

This opens a web page as seen above. Enter the passphrase and the SSID (the SSID is used as the salt in PSK hashes) and click Generate PSK. This app will generate your hash after a few minutes.


Finally, select the key type (usually wpa-psk) from the pull-down menu and enter the PSK hash from the application.



Now, all of the data frames will be decrypted for your easy viewing of their contents.
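The "hash" the wpa-psk page produces is the WPA/WPA2 PSK itself: PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, 4096 iterations, 256-bit output. The following added example (not code from the original post) reproduces that derivation offline with the standard library, so an investigator can generate the key without pasting a network passphrase into a web form; it also shows the wpa-pwd form, in which Wireshark accepts "passphrase:ssid" and derives the PSK itself. The test vector (passphrase "password", SSID "IEEE") comes from IEEE 802.11i. One caveat the post does not state: with WPA/WPA2 the PSK only lets Wireshark derive each station's session keys from that station's EAPOL 4-way handshake, so the handshake of a client must be present in the capture for its data frames to be decrypted.

```python
"""WPA/WPA2 PSK derivation as performed by the Wireshark wpa-psk tool.

Added example, not code from the original post. Parameters (PBKDF2-HMAC-SHA1,
SSID as salt, 4096 iterations, 32-byte output) and the test vector are from
IEEE 802.11i.
"""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-character PSK to paste into Wireshark's 'wpa-psk' key entry."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)
    return key.hex()


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Both forms accepted under Preferences -> Protocols -> IEEE 802.11 -> Decryption keys.

    'wpa-psk' takes the derived hex key; 'wpa-pwd' takes passphrase:ssid and lets
    Wireshark derive the PSK itself.
    """
    return {"wpa-psk": wpa_psk(passphrase, ssid), "wpa-pwd": f"{passphrase}:{ssid}"}


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    for key_type, value in wireshark_key_entries("password", "IEEE").items():
        print(f"{key_type}: {value}")
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network, which is why the post's step asks for both values; the passphrase length check reflects the 8 to 63 character limit WPA imposes on ASCII passphrases.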


Summary


Where Wi-Fi is employed at the scene of a suspected intrusion or compromise, an inspection and analysis is critical. Wireshark is the tool of choice for inspecting both live and captured frames. With just a bit of knowledge of the structure of Wi-Fi frames, the skilled investigator can find and determine the possible source of malicious activity on the network.

