Security Basics mailing list archives

Re: Wireless Forensics


From: "Alex Harasic Gil" <alharasic () mi cl>
Date: Thu, 08 Sep 2005 10:01:28 -0400

On Wed, 7 Sep 2005 18:48:02 -0400 <cerealkilla () cox net> wrote:
Hello all,

Wireless as in WiFi, 802.11

What is involved in wireless forensics?

From what I understand, wireless forensics is about figuring out what happened and how it happened on a wireless network after there has been an attack. So, doing forensics on a network attack in this case will consist of analyzing the wireless AP logs, and/or the logs of all network devices such as routers/switches.

Most access points let you see a table of recent DHCP clients that are or were connected to the network. This is a good starting point since you can determine which IP/MAC addresses are authorized and which ones are not part of your network. Also, the access point lets you see a table of all MAC addresses that have associated with the AP. This, too, is a good starting point. It would also be very useful to see if there have been any changes in the configuration of the AP.

What is the goal of WF?

The goal is trying to determine if there has been an attack on the network,
and how that was done.

What tools might you use? Hardware & Software

Since the attack was done to the network/AP, pretty much
all you need to do is review access logs.


Why would you need/use WF?

To see whether your wireless network has been used for illegal
access, or if your network is or has been under attack.


What is an example of a typical incident and/or response involving wireless?

A WiFi hacker parks near your company and finds a wireless signal with his laptop. He then loads Kismet, sees your SSID and MAC, and can also see your IP range. If the network has WEP encryption enabled he could try to crack it; it will probably take him no more than 20 minutes to do that. With all that data he will configure his laptop with a valid IP address, WEP key and SSID, and he's all set to browse through your network.

What you could see after that attack is a MAC address associated to your AP. You won't see anything else, unless you have a wireless IDS, which will help you have a better idea of what happened; otherwise, you'll only see that somebody
had associated with your IP.


How do different wireless security implementations help or hurt in WF?

Wireless IDS will help you have a better understanding on how the attack
was done.

Where might I find more information related to wireless forensics?


Practice?

Best regards

Alex S. Harasic
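The reply above suggests starting from the AP's DHCP client table and its table of associated MAC addresses, deciding which entries belong to your own devices, and checking whether the AP configuration has changed. The script below is an added example that is not part of the original thread: it reconciles a constructed association table and a constructed DHCP lease table against an inventory of known MAC addresses, flags a client that associated without taking a lease (the statically configured laptop in the scenario above), and diffs two configuration snapshots. The table layouts, MAC addresses, IP ranges and configuration keys are all invented for illustration; a real AP exports these tables in its own format, so the two parsers are the part you would adapt.

```python
"""Reconcile an AP's association table and DHCP lease table against an
inventory, and flag configuration changes. Added example, not from the
original thread; the table formats and values below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed "wireless clients" export: MAC, signal, time first seen.
ASSOC_TABLE = """\
00:11:22:33:44:55  -41dBm  2005-09-07 09:12:03
00:11:22:33:44:66  -55dBm  2005-09-07 09:15:47
DE-AD-BE-EF-00-01  -82dBm  2005-09-07 18:31:10
"""

# Constructed DHCP lease export: IP, MAC, hostname, lease expiry.
DHCP_TABLE = """\
192.168.1.10  00:11:22:33:44:55  alice-laptop  2005-09-08 09:12:03
192.168.1.11  00:11:22:33:44:66  bob-laptop    2005-09-08 09:15:47
192.168.1.12  00:11:22:33:44:77  carol-laptop  2005-09-08 08:02:19
"""

# Constructed inventory of MACs the organisation knows about.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}
# Address pool the AP is expected to hand out (constructed).
EXPECTED_POOL = ipaddress.ip_network("192.168.1.0/24")

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: Optional[str]
    reason: str


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so exports in different styles compare."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def parse_assoc(table: str) -> dict:
    """{mac: first_seen} from the association table; malformed lines are skipped."""
    seen = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        seen.setdefault(normalise_mac(parts[0]), f"{parts[2]} {parts[3]}")
    return seen


def parse_dhcp(table: str) -> dict:
    """{mac: ip} from the DHCP lease table."""
    leases = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        leases[normalise_mac(parts[1])] = parts[0]
    return leases


def reconcile(assoc_table: str, dhcp_table: str, known: set) -> list:
    """Cross-check both tables against the inventory and return the findings."""
    findings = []
    associated = parse_assoc(assoc_table)
    leases = parse_dhcp(dhcp_table)
    for mac in sorted(associated):
        ip = leases.get(mac)
        if mac not in known:
            findings.append(Finding(mac, ip, "associated MAC not in inventory"))
        if ip is None:
            # Associated but never asked for a lease: a statically configured client.
            findings.append(Finding(mac, None, "associated without a DHCP lease"))
        elif ipaddress.ip_address(ip) not in EXPECTED_POOL:
            findings.append(Finding(mac, ip, "lease outside expected pool"))
    for mac, ip in sorted(leases.items()):
        if mac not in associated:
            # Lease outlived the association entry, or the association table was cleared.
            findings.append(Finding(mac, ip, "DHCP lease without association record"))
    return findings


def config_diff(before: dict, after: dict) -> list:
    """(key, old, new) for every setting that differs between two snapshots."""
    keys = sorted(set(before) | set(after))
    return [(k, before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)]


if __name__ == "__main__":
    for f in reconcile(ASSOC_TABLE, DHCP_TABLE, KNOWN_MACS):
        print(f"{f.mac}  {f.ip or '-':<14} {f.reason}")
    # Constructed config snapshots: a saved baseline vs. the running config.
    baseline = {"ssid": "corp-wlan", "encryption": "wep", "mac_filter": "on"}
    running = {"ssid": "corp-wlan", "encryption": "wep", "mac_filter": "off"}
    for key, old, new in config_diff(baseline, running):
        print(f"config changed: {key}: {old!r} -> {new!r}")
```

On the constructed data this reports the unknown MAC twice (not in inventory, and associated without a lease), and a stale lease for a known device whose association entry has aged out; the configuration diff shows the MAC filter switched off. The point of keeping a saved baseline of the inventory and the AP configuration is that, as the reply notes, the association table alone only tells you that someone associated; the comparison is what turns that into something you can act on.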
