These days, wireless network is a very common thing. They are everywhere, specially in big cities. It is not uncommon for investigators to suspect that a wireless has been or is currently under attack. Here are some common attacks on wireless network:
- Rogue Wireless Access Points
- The Evil Twin Attack
- WEP Cracking
Because of the easiness, Eavesdropping on wireless traffic is extremely common. The example of this is script kiddies that can be found in public places, or professional surveillance teams. This thing might be illegal, but the risk of getting caught is very low, and the result of it is valuable. Attackers and forensics investigators use this to their own advantages.
On telecommunications, Eavesdropping is a form of violation. Even stations that are not associated with a wireless network can capture and analyze WAP traffic. That’s why a network forensics investigator should consider that the attacker might have access to the network via a WAP.
Rogue Wireless Access Points
Attackers often wireless access points that allow them to bypass the pesky firewall and remotely access the network later on. Although many companies do regular scans to detect rouge access points, or invest in commercial wireless intrusion detection systems (WIDSs), there are sneaky ways to bypass traditional those things. Forensic investigators need to know about the ways attackers place rogue access points that evade detection.
Evil Twin attack
Usually done to conduct a ‘man in the middle’ attack on an 802.11 client’s traffic. In this attack, the attacker sets up a WAP with the same SSID as one that is used in the local environment. When the client connect to the evil twin, the attacker can harvest credentials, replace image, and many more.
Wired Equivalent Privacy or WEP is designed to encrypt the payload of data frames on a wireless network using a shared key. Once the key is selected, it will be distributed as a pre-shared key or PSK which will not be exposed on the network.
The payload of all data frames will be encrypted with the PSK and a randomly selected initialization vector (IV) so that the encryption key changes for every frame. Unfortunately, there’s a possibility that some of the packets were encrypted with the same IV, but have different plain text input and cipher text output. Based on the knowledge of some of the bits of the key material, attackers might be able to leverage the “related-key
attack”. The attacker’s ability to leverage the related key attack depends on the volume of IVs exposed.
- Sherri Davidoff, Jonathan Ham – Network Forensics: Tracking Hackers through Cyberspace (2012, Prentice Hall)