WiFi Forensics for Data Leakage

In this article I will be going through a WiFi forensics scenario, conducting a penetration test for a company that thinks someone is leaking sensitive company info.

The three questions I will be trying to answer are:

  1. How is information getting leaked out of the network?
  2. Can you tell something about the attacker or attacker machine?
  3. What information has been exchanged with the attacker?

The first thing that I am given is a Wireshark window with a packet capture which has been stopped. The first thing I do is try to get an idea of where this capture was taken, so I select “WLAN Traffic” from the “Wireless” menu. This should give us an idea of the WLANs that the capture was taken from.

The SSID “Big_Coffee_House” does not have any data packets, only beacons and probe requests. This is not normal, so I think we should look into it a bit further. Using the filter “wlan contains Big_Coffee_House” will give us all the packets that were captured on that WLAN.

Beacon frames are typically sent by the access point and contain all the information about the network, which in WiFi terminology is called a BSS. In this case, as you can see in the photo above, the beacon frames are being used to send data and possibly get commands as well.

As for the attacker’s information, we can see from the image below that the attacker’s MAC address is 00:11:22:33:44:55, which is not a real MAC address, so we know that it is fraudulent. Also, looking at the antenna signal, at -8 dBm, we can see that it is extremely strong, which means that the attacker is located close to the AP or possibly nearby with a directional antenna.

So I have found the communication vector and some information about the attacker, now let’s try to find exactly what was leaked.

Looking through the payloads of the packets from Big_Coffee_House, I found a few different instances of data being sent out.

  1. “Send Data”
  2. “Secret information XX1345”
  3. “Critical Info”
  4. “Critical Password: ducks_rock331”
  5. “Trade Price : $45000”
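The same review can be scripted for captures too large to read by eye. The following is an added example, not part of the original article or the challenge: it walks the information elements of each beacon and reports vendor-specific elements that carry printable text. The frames are constructed, and placing the data in a vendor-specific element is an assumption, since the article does not say which beacon field carried the payload.

```python
import struct

BEACON_FC0 = 0x80   # first frame-control byte: management frame, subtype beacon
VENDOR_IE = 221     # vendor-specific information element ID

def build_beacon(bssid, ssid, extra_ies=()):
    """Build a minimal beacon (no radiotap header, no FCS) for the demo."""
    hdr = bytes([BEACON_FC0, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid
    for ie_id, val in extra_ies:
        ies += bytes([ie_id, len(val)]) + val
    return hdr + fixed + ies

def parse_beacon(frame):
    """Return (bssid, ssid, [(ie_id, value), ...]), or None if not a beacon."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    ssid, ies, pos = "", [], 36  # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + ie_len]
        if len(val) < ie_len:  # truncated element, stop parsing
            break
        if ie_id == 0:
            ssid = val.decode("utf-8", "replace")
        ies.append((ie_id, val))
        pos += 2 + ie_len
    return bssid, ssid, ies

def readable_payloads(frames, min_len=6):
    """Flag vendor IEs whose body after the 3-byte OUI is printable ASCII."""
    hits = []
    for bssid, ssid, ies in filter(None, map(parse_beacon, frames)):
        for ie_id, val in ies:
            body = val[3:] if ie_id == VENDOR_IE else b""
            if len(body) >= min_len and all(32 <= c < 127 for c in body):
                hits.append((bssid, ssid, body.decode("ascii")))
    return hits

# Constructed frames, not taken from the challenge capture.
SAMPLES = [
    build_beacon(bytes.fromhex("001122334455"), b"Big_Coffee_House",
                 [(VENDOR_IE, b"\x00\x00\x00" + b"Critical Info")]),
    build_beacon(bytes.fromhex("a4b1c1d2e3f4"), b"Office_WLAN",
                 [(VENDOR_IE, b"\x00\x50\xf2\x02\x01\x01")]),
]
print(readable_payloads(SAMPLES))
```

To run it on a real capture, strip the radiotap header from each frame before passing it in; the parser expects the frame to start at the 802.11 frame-control field.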

This was a simple challenge using a GUI-based tool to figure out whether sensitive business data has been leaked, and I feel like it was a great refresher. If you are interested in trying the challenge yourself, and possibly finding additional information, check it out here, on the AttackDefense labs, as the “Backdoored System” challenge!
