Project 2
CST Lab Experience Report Template
THE REQUIRED LAB QUESTIONS
You were asked to examine the network for any hot spots acting as rogue WAPs. Acting as a security analyst in this lab, you were required to document your findings throughout the duration of the lab by evaluating the security of your internal wireless network for any potential rogue WAPs and wireless vulnerabilities. Additionally, you were required to recommend specific countermeasures for mitigating potential vulnerabilities identified. Based on the knowledge and experience gained from the lab, answer the following questions. |
PART 2 & PART 3: FILTERING, INSPECTING, AND ANALYZING THE PCAP FILE— Analysis of the Packet Details of the Loaded PCAP Files | Using the Statistics | Flow Graph Tool
1. What is the BSSID of each device being used, and the MAC address of the WAP found? Remember that the BSSID is the MAC address of the device.
The BSSID of the first Cisco device is Cisco_70:18:d0, and for the second Cisco device it is Cisco_Li_82:b2:55. The MAC addresses of these WAP devices are 50:0f:80:70:18:d0 and 00:0C:41:82:b2:55. Another device is the Sony device. The BSSID shown for this device is Broadcast. The MAC address of this WAP is 40:40:a7:50:73:db.
2. What is the name and vendor of the WAP found? What is/are the channel(s) being used in those cases?
The vendors are Cisco and Sony. Channel 31 and channel 1 are being used in this case.
3. Were any of these in the approved device whitelist? Note that those not on the list are unapproved devices on the network.
In the first file, the devices used were Cisco_Li devices on channel 1. This device was present in the approved devices table. For the second file, the devices used were not on the approved devices list. The approved device was a Cisco device with a MAC address of 00:0c:41:82:b2:55, but the Cisco device used in this case was of MAC address. Therefore, none of the devices were on the approved devices list.
4. By analyzing the packet details of the loaded PCAP file, determine the nature of communications occurring between the source and destination endpoints (or IP addresses). What differentiates the receiver and transmitter addresses from the source and destination addresses?
The communications were covered by the IEEE 802.11 set of protocols. Some information was broadcast by both devices, while most of the communication was direct with the WAP. The receiver address was the device that was to receive this broadcast, and the transmitter device transmitted this broadcast. The source address belongs to the device that sent the request, and the receiver address tells us the receiving device of this request.
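The distinction asked for in question 4 is fixed by the 802.11 header itself: Address 1 and Address 2 are always the receiver and transmitter of the current radio hop, while the To DS / From DS flags decide which fields hold the end-to-end source and destination. The following is an added example, not part of the lab or its capture; the frames are constructed from the MAC addresses listed in the report, plus a hypothetical wired host.

```python
# Added example (not part of the lab): interpret 802.11 address fields.
# Sample frames below are constructed; MACs are the ones the report lists.

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def parse_80211_addresses(frame: bytes) -> dict:
    """Return receiver/transmitter (this radio hop) and source/destination
    (end to end) for an 802.11 data frame, based on the To DS / From DS
    flags in the second frame-control byte."""
    if len(frame) < 24:
        raise ValueError("header too short for an 802.11 data frame")
    if (frame[0] >> 2) & 0x3 != 2:
        raise ValueError("only data frames (type 2) are handled here")
    to_ds = bool(frame[1] & 0x01)
    from_ds = bool(frame[1] & 0x02)
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    # Addr1/Addr2 are always the radio hop: receiver and transmitter.
    out = {"receiver": a1, "transmitter": a2, "to_ds": to_ds, "from_ds": from_ds}
    if not to_ds and not from_ds:        # station to station (IBSS)
        out.update(destination=a1, source=a2, bssid=a3)
    elif to_ds and not from_ds:          # station -> WAP: WAP is RA, not DA
        out.update(bssid=a1, source=a2, destination=a3)
    elif from_ds and not to_ds:          # WAP -> station: WAP is TA, not SA
        out.update(destination=a1, bssid=a2, source=a3)
    else:                                # WDS: four address fields
        if len(frame) < 30:
            raise ValueError("four-address frame needs 30 header bytes")
        out.update(destination=a3, source=_mac(frame[24:30]), bssid=None)
    return out

def build_data_frame(to_ds: bool, from_ds: bool, a1: str, a2: str, a3: str) -> bytes:
    """Build a minimal QoS Data header (type 2, subtype 8) for the demo."""
    fc = bytes([0x88, (0x01 if to_ds else 0) | (0x02 if from_ds else 0)])
    # frame control, duration, Addr1..Addr3, sequence control
    return fc + b"\x00\x00" + _mac_bytes(a1) + _mac_bytes(a2) + _mac_bytes(a3) + b"\x10\x00"

CISCO_WAP = "50:0f:80:70:18:d0"   # BSSID from the report
SONY_STA = "40:40:a7:50:73:db"    # Sony device from the report
WIRED_HOST = "00:11:22:33:44:55"  # constructed host behind the WAP
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Sony station broadcasts via the WAP: receiver is the WAP, destination is broadcast.
STA_TO_WAP = build_data_frame(True, False, CISCO_WAP, SONY_STA, BROADCAST)
# WAP relays a wired host's frame to Sony: transmitter is the WAP, source is the host.
WAP_TO_STA = build_data_frame(False, True, SONY_STA, CISCO_WAP, WIRED_HOST)
```

Running `parse_80211_addresses` on both constructed frames shows the WAP appearing as receiver in one and transmitter in the other while never being the source or destination, which is exactly why the receiver/transmitter columns in Wireshark differ from source/destination.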
5. Do you see any indication of any wireless vulnerabilities such as the use of default SSIDs and passwords and the security implications of the frame check sequence upon analyzing the WLAN traffic? Why or why not?
No wireless vulnerabilities were found. The SSIDs and passwords used on these devices were not implemented with default credentials, and the frame check sequence was also successfully implemented.
6. Does the channel information match any device in the approved whitelist? Does the source device, using this channel, match those in the approved whitelist? If not, then this is an unapproved device on the channel being used.
The channel information does not match any devices in the approved whitelist. The devices were operating on channel 36, while the approved devices use channel 1. Therefore, none of the devices were approved devices.
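Questions 3 and 6 both come down to the same check: compare each beaconing BSSID and its channel against the approved-device whitelist, flagging unknown BSSIDs and whitelisted BSSIDs seen on an unexpected channel. The script below is an added example, not from the lab; it assumes field rows in the shape `tshark -T fields` produces for `wlan.bssid`, `wlan_radio.channel` and `wlan.ssid`, and the rows themselves are constructed around the addresses and channels the report mentions.

```python
# Added example (not from the lab): audit observed BSSIDs and channels
# against the approved-device whitelist, as questions 3 and 6 ask.

# Approved WAP from the report: BSSID -> set of approved channels.
APPROVED_WAPS = {"00:0c:41:82:b2:55": {1}}

# Constructed rows in the shape of (assumed invocation)
#   tshark -r capture.pcap -Y "wlan.fc.type_subtype == 0x08" -T fields \
#          -e wlan.bssid -e wlan_radio.channel -e wlan.ssid
# Beacons repeat, so a BSSID appears many times; letter case varies by tool.
SAMPLE_ROWS = "\n".join([
    "00:0c:41:82:b2:55\t1\tlab-ap",
    "00:0c:41:82:b2:55\t1\tlab-ap",
    "50:0F:80:70:18:D0\t36\tlab-ap",   # unknown BSSID advertising the approved SSID
    "00:0c:41:82:b2:55\t36\tlab-ap",   # approved BSSID on a channel it is not approved for
    "40:40:a7:50:73:db\t1\tfreewifi",  # unknown BSSID, unrelated SSID
    "\t\t",                            # malformed row, must be skipped
])

def normalize_mac(mac: str) -> str:
    return mac.strip().lower()

def parse_rows(text: str) -> dict:
    """Aggregate rows into {bssid: {"channels": set, "ssids": set}}."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0].strip():
            continue
        try:
            channel = int(parts[1])
        except ValueError:
            continue
        entry = seen.setdefault(normalize_mac(parts[0]), {"channels": set(), "ssids": set()})
        entry["channels"].add(channel)
        if len(parts) > 2 and parts[2]:
            entry["ssids"].add(parts[2])
    return seen

def audit(seen: dict, approved: dict) -> dict:
    """Return {bssid: (status, channels)}: 'approved', 'rogue' (BSSID not
    whitelisted) or 'suspect' (whitelisted BSSID on a non-approved channel)."""
    verdicts = {}
    for bssid, entry in seen.items():
        if bssid not in approved:
            verdicts[bssid] = ("rogue", sorted(entry["channels"]))
        else:
            bad = sorted(entry["channels"] - approved[bssid])
            verdicts[bssid] = ("suspect" if bad else "approved", bad)
    return verdicts
```

The 'suspect' verdict is the case the whitelist alone misses: a BSSID can be approved yet show up on a channel the inventory does not list, which deserves a look before it is dismissed as a configuration change.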
7. What devices do you suspect as rogue WAPs overall? Explain why.
The Cisco_70:18:d0 was a suspected rogue WAP. The device was not present in the approved devices table and the OTA capture of the device indicates rogue behavior by the WAP device.
8. By analyzing the packet details of the loaded PCAP file, determine the nature of communications occurring between the source and destination endpoints (or IP addresses).
There were two types of communication between source and destination endpoints: broadcast and direct communication. Broadcast communication is broadcast over the whole network; using the address of the receiver, we can send direct information to the destination endpoint.
9. What useful information can you determine from the flow graph based on your analysis w.r.t. any IOC of the wireless/mobile communications?
The flow graph provides much useful information. First, it displays the devices that are communicating with each other; in our case, these were the Cisco and Sony devices. The graph shows four key messages, 2 sent by Cisco and 2 by the Sony WAP. QoS data was transmitted twice by the Sony device. In the end, a disassociation communication was transmitted by Sony and received by the Cisco device.
10. How is this indication different from the Statistics information retrieved earlier and from the perspective of this attack? Is there any Wireshark feature that can help you arrive at the same conclusion?
The information collected from the graph gives an overview of how the communications took place over the network. These communications can also be tracked by manually analyzing the PCAP file, but then we have to examine every communication by hand and check whether it was successful. Therefore, using both of these Wireshark features we arrive at the same conclusion, although the retrieved information might be more detailed.
11. If malicious actors got into your network to access your network security logs, how could they use the packet details to their advantage? Specifically, what utilities within Wireshark can you count on?
The packet metadata can be used by attackers to steal information, or by admins to check whether any data was compromised. Using this metadata in Wireshark together with packet inspection, we can counter the attacks or check the source of such attacks.
12. Describe some automated tools and techniques that could be added to prevent similar events. Also, consider statements to add to the BYOD policy to strengthen compliance requirements.
To strengthen the BYOD policy, mobile device management can be implemented for continuous and constant monitoring of the network to prevent similar events. To strengthen BYOD, we can restrict data access to some devices, make passwords compulsory and create a blacklist of prohibited devices. To prevent similar events, we can use Wireshark’s real-time traffic management. We can also use automatic tools like GlassWire and LiveWire, which analyze the network and notify us in case of any data mishap.
Screenshot #1 Checking 802.11 Radio Information
Screenshot #2 Analyzing 802.11 Beacon Frame
Screenshot #3 Wireless LAN Standards for devices
Screenshot #4 Analyzing packets for Cisco Device
Screenshot #5 Protocol Hierarchy Menu
Screenshot #6 IEEE Beacon Frame analysis
Screenshot #7 Flow diagram of the communication
Screenshot #8 The Communication Procedure between two devices
NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.
SUMMARY OF THE LAB EXPERIENCE REPORT
Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate a key part of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.
The lab focused on Wireshark and its use in analyzing traffic data (Wireshark, 2022). The data was captured and saved in a PCAP file. Wireshark is an open-source packet sniffing tool used by cybersecurity analysts to keep track of network traffic. Some devices on the network were approved, while most of the devices were not. The approved devices operated on channel 1 while the unapproved devices operated on the channel. The analysis of the packets gave us insight into how the packets are encrypted and how we can analyze them to see whether any malicious entity on the network has affected them. The auditing of these packets also gives us insight into how the communications were handled by every sender and receiver device and whether the connection was successful. The communications included in the lab followed the IEEE 802.11 protocol standards (IEEE, 2022). The IEEE beacon frame menu shows the details of packets such as the transmitter, sender, receiver, and destination. It also shows the BSSID of the sender and receiver and tells us their MAC addresses. For a more visual representation, we can check the flow charts using the Statistics menu. This chart shows a brief overview of how the packets were handled, how packets hopped between devices, and the comments for each operation. The colors show whether a connection was successful or not. Using the Wireless submenu, we can also check the WAP information for our devices. This screen shows how both devices connected and how many times the devices tried to connect. Manual analysis of packets is very informative and allows detailed insights into the network, but it is hard work. Therefore, automatic tools can be used to detect any malicious activity on the network and alert the network admins. Some of these automatic tools are Wireshark and GlassWire (Glasswire, 2022). The lab gave me a practical view of Auditing Wireless Networks Using Incident Response Techniques.
In screenshot 1 I analyzed the radio transmission information of the devices; then, in the second screenshot, I explored the beacon frame, which shows the sender’s BSSID, MAC address, and information about the receiver. The third screenshot shows the wireless LAN statistics, giving the percentage of packets, how many retries were taken, the communication channel, and the SSID of the communicating devices (Juniper, 2018). The 4th screenshot shows the broadcast information of the Cisco and Sony devices and their communication information. The 5th screenshot describes the protocol hierarchy statistics, showing the role of every protocol in completing this communication. Screenshot number 7 shows the broad view of this whole communication, how the devices authenticated each other, and their connection establishment. We can also see the comments for each step and which device sent the request to the other device. This chart shows a lot of information but does not provide as much detail as the previous screens.
I covered the basics through the advanced aspects of auditing wireless networks. The Wireshark tools provided a detailed, in-depth review for auditing the packets sent by the devices (Leutert, 2009). The analysis of how packets are shared and how connections are established between the devices was conducted. I gained information on how devices are attacked by attackers and how to detect malicious attacks. To mitigate these attacks, we can implement real-time monitoring for our network that will notify us in case of any malicious activity. We can also strengthen our BYOD policy by implementing mobile device management for constant and continuous monitoring. To strengthen BYOD, we can restrict data access to some devices, make passwords compulsory and create a blacklist of prohibited devices. To prevent similar events, we can use Wireshark’s real-time traffic management. Implementing this procedure can help us prevent similar attacks in the future.
References
Glasswire. (2022). Detect hidden threats with GlassWire’s Traffic Monitor and Firewall. https://www.glasswire.com/
IEEE. (2022). IEEE 802.11TM WIRELESS LOCAL AREA NETWORKS. https://www.ieee802.org/11/
Juniper. (2018). Understanding the Network Terms SSID, BSSID, and ESSID. Tech Library. https://www.juniper.net/documentation/en_US/junos-space-apps/network-director3.7/topics/concept/wirelessssid-bssid-essid.html
Leutert, R. (2009). Analyzing WLANs with Wireshark & AirPcap. Wireshark. https://sharkfestus.wireshark.org/sharkfest.09/BU5_Leutert_Analyzing%20WLANs%20with%20Wireshark%20&%20AirPcap.pdf
Wireshark. (2022). Wireshark Network Monitor. https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html