Course Resource

Incident Response Lab Exercise

Introduction

The company you are working for has implemented a bring your own device (BYOD) policy, but the chief information officer (CIO) is worried about it being too lax. The CIO is concerned that there may be misbehaving employees setting up hot spots (or rogue devices) on the corporate wireless network that could create risk to the data. The company also wants to avoid bad publicity that could occur with a data breach. The CIO knows that rogue wireless access points (WAPs) can cause man-in-the-middle attacks and jeopardize the security of the network. The CIO has tasked you to examine the network for hot spots acting as rogue WAPs. The legal and human resource departments may be interested as well.

Goal of the Lab

You will analyze precreated Wireshark packet captures and identify the bad actor.

Lab Overview

You will access the virtual lab environment to start the CST 630 lab area. The WINATK01 VM workstation will be used for this lab. This VM has the necessary .pcap files and tools to complete the lab. The two .pcap files are 802.11_state_machine.pcap and Fake_Access_Point_Beacons.pcap.

The software tool is Wireshark, which can be found in the Lab Resources\Applications folder on the desktop of WINATK01. Using these tools and files, determine if a rogue WAP exists and provide details of its operation.

An approved whitelist is available below to help you determine whether a device is good or bad.

Approved Whitelist of Network Devices

  Device  Vendor    MAC Address        SSID     Channel  BSSID
  AP      Cisco-Li  00:0c:41:82:b2:55  Coherer  1        Cisco-Li_82:b2:55
  AP      Cisco-Li  0c:68:03:d6:88:78  Test48   48       Cisco-Li_d6:88:78

Lab Resources

In this lab, you will use the following VM:

  • WINATK01

Use the following username and password to access the lab:

  • Username: StudentFirst
  • Password: Cyb3rl@b

Software Requirements

The following software will be used in this lab and can be found on WINATK01 VM:

  • Wireshark

Additional Lab Resources

Review the following to reinforce your understanding of the key concepts in this lab:

  • Refer to the Wireshark link for official documentation, user manuals, FAQs, webcast slides, online videos, and online presentations.
  • Refer to the optional lab reference resources at the end of this lab document for additional details.
  • Use tools like the UMGC library, Google search engine, YouTube, and others for external resources such as videos, peer-reviewed articles, white papers, trade magazines, and online documentation.
  • Be mindful of digital rights infringement and cite sources to credit authors where appropriate to support your work.

Tasks

You will complete each of the following tasks as part of the lab. The data collected and screenshots will be used in the project deliverables.

Task 1: Analyze WAP Beacon Traffic With Wireshark

One way to determine if a rogue WAP is on the network is to check the captured network traffic for beacon frames. Beacon frames carry information about the network, including the Basic Service Set Identifier (BSSID). The BSSID is the Media Access Control (MAC), or Ethernet physical, address of the access point. The Service Set Identifier (SSID) is the network name a user device uses to attach to the WAP. WAPs broadcast their SSIDs so that devices trying to connect can find a WAP to join in order to get on the network.

Normally, WAPs send out beacons and SSIDs to alert users they are available to connect to the network. However, with rogue WAPs or hot spots, attackers will use this to divert users to their WAP to capture information. This can be log-in information or other personally identifiable information (PII).

In this task, you will analyze captured network traffic and identify whether there is a rogue WAP in the network. You will use Wireshark to analyze precaptured network traffic in a .pcap file and look for evidence of any unapproved WAPs. Use the provided whitelist of approved devices to determine which network devices are legitimate by comparing the information found in the lab against the list.

Answering the following questions will help you focus and find any rogue WAP:

  • What is the BSSID?
  • What is the name of the WAP found?
  • What is the vendor of the WAP?
  • What is the MAC address of the WAP found?
  • What is the SSID of the WAP?
  • What is the channel being used?
  • What is the BSSID of each device? Remember that the BSSID is the MAC address of the device.
  • What is the SSID being used?
  • Were any of these in the approved device whitelist? Those not on the list are unapproved devices on the network.

Understanding and Using Wireshark in the Lab

In this task, you will use Wireshark to examine network packet captures from previous network activity that has been saved on the VM. Wireshark—a network protocol analyzer—is an open source tool for capturing and analyzing network traffic or network packets.

A packet capture or packet sniffer tool is used to identify, intercept, log, and analyze network traffic. Wireshark or any packet sniffer can help cybersecurity professionals analyze network traffic to enhance computer security and minimize cyber threats. The tool can also be used for network troubleshooting, protocol development, and other similar tasks.

A Brief Overview of the Wireshark User Interface

The Wireshark user interface (UI) contains three main sections: the packet list pane, the packet details pane, and the packet bytes pane.

Packet List Pane: This pane is located at the top of the user interface and displays all active packets captured with Wireshark. Notice that each line or row is assigned a specific number. This number is the packet number in the capture file and does not change. When a packet is selected in the top pane, you will notice that corresponding details appear in the other panes: packet details and packet bytes/status.

Wireshark Packet Details

  Wireshark Section  Subitem      Explanation
  Packet List        No.          sequentially assigned packet number
                     Time         indicates the timestamp when a packet was captured
                     Source       indicates where the packet originated
                     Destination  indicates where the packet was sent
                     Protocol     specifies the protocols involved (e.g., TCP, UDP, FTP)
                     Length       measures the packet length in bytes
                     Info         provides additional details about the packet

Packet Details Pane: This pane, located in the middle, displays the protocols and associated fields of the selected packet in a collapsed format. Each row (frame, protocol, or field) can be expanded by clicking the plus sign ("+") or right arrow symbol (">") next to it to display additional details. You can apply a filter based on a protocol or field by right-clicking the desired item within this pane.

Packet Bytes/Status Pane: This pane, located at the bottom, displays the raw data of the selected packet from the packet list pane in a hexadecimal dump format. This is useful in identifying suspicious packet contents, as some content will be easily viewed in ordinary ASCII characters.

Starting the Lab

Wireshark is configured to allow you to analyze individual .pcap files in this lab. You will first analyze the Fake_Access_Point_Beacons.pcap file, located on the WINATK01 VM. Note that Wireshark capture files have the .pcap extension.

Packet captures may be examined with tools such as Wireshark, PRTG Network Monitor, ManageEngine NetFlow Analyzer, WinDump, and tcpdump.

Start the lab VM to access and analyze the Fake_Access_Point_Beacons.pcap file.

  1. To begin the lab, allocate and start WINATK01 VM. Then log into the VM to get started. To allocate the resources and start the VM, follow the instructions in the "Complete This Lab" box within the classroom steps.
  2. Open the cst630project2_resources folder and access the two .pcap files as shown below using the following path:

Desktop>Lab Resources>Project Resources>cst630project2_resources

Screenshot of the Project Resources folder within the WINATK01 VM in UMGC Virtual Labs. At left, the Lab Resources folder is highlighted on the desktop. At top, the path to Project 2 resources is highlighted: Desktop>Lab Resources>Project Resources>cst630project2_resources. At center, highlighted, are the two .pcap files, 802_11_state_machine and Fake_Access_Point_Beacons.

Source: Microsoft, UMGC Virtual Labs

Note: Alternatively, there is a CST 630 Project Resources link in Project Resources under the Lab Resources folder, from which you can download the files. However, due to the size of the .pcap files, they have also been placed in the cst630project2_resources folder for easy access and use.
Screenshot of an alternate method in WINATK01 in UMGC Virtual Labs to access the CST 630 Project Resources, using the Lab Resources>Project Resources path. The CST 630 Project Resources file is highlighted with an arrow.

Source: Microsoft, UMGC Virtual Labs

Start Wireshark

  1. Start Wireshark on the WINATK01 VM from the Applications folder under the Lab Resources folder located on the desktop of the VM as shown below (Desktop>Lab Resources>Applications). Double-click or right-click and select Open to launch Wireshark.
Screenshot of the steps to launch Wireshark from the WINATK01 VM in UMGC Virtual Labs. Under Lab Resources>Applications, the Wireshark app is highlighted, and the Open selection is highlighted on the drop-down menu.

Source: Microsoft, UMGC Virtual Labs

You should see the main Wireshark user interface as shown below.

Screenshot of the main Wireshark page within WINATK01 VM in UMGC Virtual Labs. The Capture page is shown, with six options: Local Area Connection, Ethernet 1, Ethernet 2, two Local Area Connection fields, and daaslab.

Source: Wireshark, UMGC Virtual Labs

Open a .pcap File

Once Wireshark opens, you will load the Fake_Access_Point_Beacons.pcap file into Wireshark for analysis.

  1. Next, click the Open option under the File drop-down menu on the left side of the window.
Screenshot of the File>Open drop-down menu in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The Open selection is highlighted at upper left with an arrow.

Source: Wireshark, UMGC Virtual Labs

  2. Navigate to the cst630project2_resources folder and then select the Fake_Access_Point_Beacons.pcap file. Click Open. Wireshark will load this file to analyze.
Screenshot of the Open Capture File window in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The Fake_Access_Point_Beacons.pcap file is highlighted in the list as well as in the File Name field. The Open button at lower right is highlighted with an arrow.

Source: Wireshark, UMGC Virtual Labs

  3. Next, you will analyze the loaded .pcap file in Wireshark to identify rogue wireless access points.
Screenshot of the Fake_Access_Point_Beacons.pcap file loaded into Wireshark within the WINATK01 VM in UMGC Virtual Labs. The three panes are shown, and some data is highlighted in the packet bytes pane.

Source: Wireshark, UMGC Virtual Labs

Now, examine the .pcap file to find rogue wireless access points (WAPs). This involves reviewing the following information against different characteristics of a WAP as shown in the approved devices in the network whitelist:

  • BSSID
  • SSID
  • Channel
  • Vendor name
  • MAC address

Gather the relevant information and screenshots that can be included in your deliverables for submission.

Analyze a .pcap File

Now analyze the Fake_Access_Point_Beacons.pcap file to answer the questions.

  1. Once the file has loaded, you should see the screen below:
Screenshot of the Fake_Access_Point_Beacons.pcap file loaded into Wireshark within the WINATK01 VM in UMGC Virtual Labs. The three panes are shown, and some data is highlighted in the packet bytes pane.

Source: Wireshark, UMGC Virtual Labs

  2. Note: You should be able to see the three panes: packet list (top), packet details (middle), and packet bytes (bottom). Click on one of the lines shown in the packet list pane (top). Then go to the packet details pane (middle) and click the arrow next to the IEEE 802.11 Beacon frame to expand it to see the details.
Screenshot of Fake_Access_Point_Beacons.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The top file in the packet list pane is highlighted with an arrow, and another arrow points to the arrow next to the IEEE 802.11 Beacon entry in the packet details pane.

Source: Wireshark, UMGC Virtual Labs 

  3. Look at the source address and BSSID. Wireshark shows each as a resolved name: the first part is the vendor name and the second part is the last three octets of the MAC address. Together they form the BSSID as displayed. The 12-character set in parentheses is the full MAC address of the device.
Screenshot of the Fake_Access_Point_Beacons.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs. In the packet details pane, the source address and the BSSID are highlighted.

Source: Wireshark, UMGC Virtual Labs 

  4. Compare the BSSID, vendor name, and MAC address against the whitelist.

Then answer the following questions:

  • What is the BSSID?
  • What is the name of the WAP found?
  • What is the vendor of the WAP?
  • What is the MAC address of the WAP found?
  • Were these in the whitelist? If not, then they are part of an unapproved device.

Repeat the above steps and examine at least five other packets. Note this information in your report.

  5. You will examine other BSSID, Channel, and SSID values. From the top menu, click Wireless and then WLAN Traffic in the drop-down menu.
Screenshot of the Fake_Access_Point_Beacons.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The Wireless selection from the top menu is highlighted with an arrow, and the WLAN Traffic from the drop-down menu is highlighted with an arrow.

Source: Wireshark, UMGC Virtual Labs

  6. Examine the values listed in the BSSID, Channel, and SSIDs columns. What can you infer from this information?
Screenshot of the Wireless LAN stats in Wireshark from the Fake_Access_Point_Beacons.pcap file within the WINATK01 VM in UMGC Virtual Labs. The upper left section of the BSSID, Channel, and SSID columns are highlighted.

Source: Wireshark, UMGC Virtual Labs 

  7. Again, compare the values listed in the BSSID, Channel, and SSIDs fields against the approved whitelist to answer the questions regarding these findings.

Answer the following questions:

  • What is the BSSID?
  • What is the channel being used by the WAP?
  • What is the SSID of the WAP?
  • Were these in the whitelist? If not, then they are part of an unapproved device.
  • Were any rogue WAPs found? If so, how many?

Repeat this to see other BSSIDs.

Note: You don't need to check all BSSID items. Taking a sample of 10 BSSIDs is a good sample set.

Note the information and include it in your report for submission. Take screenshots and note any devices not in the whitelist.

Close the packet capture but leave the lab open for the next task. You will next evaluate another way to determine if a rogue WAP exists in the network.

Task 2: Analyze 802.11 State Machine Traffic With Wireshark

Another way to determine if a rogue WAP is in the network is to check the 802.11 network traffic between WAPs. A rogue WAP device attempting to connect to a network will send a probe request. This is used to find the SSID of the nearest wireless network base station. The base station sends a probe response back to the requesting rogue WAP. This handshake between the devices establishes the rogue WAP on the network. To identify rogue WAPs in this exchange, compare the devices involved against the approved device whitelist.

In this task, you will analyze traffic and identify if there is a rogue WAP in the network. Similarly, you will use Wireshark to analyze precaptured network traffic in a .pcap file. You will need to find evidence of any unapproved WAPs. Refer to the whitelist of approved devices provided to compare the information found against the list.

Answering the following questions will help you focus and find any rogue WAP:

  • What is the vendor name of the source/receiver?
  • What is the MAC address of the source/receiver?
  • Were these in the whitelist?
  • Does the channel information match any device in the approved whitelist?
  • Does the source device, using this channel, match those in the approved whitelist?
  • What is the vendor of the transmitter/source?
  • What is the MAC address of the transmitter/source?
  • Does the transmitter/source match any entry in the whitelist?
  • What is the channel being used?
  • Is the channel being used in the whitelist?
  • What is the BSSID of each device?
  • What is the SSID being used?
  • Were any of these in the approved device whitelist?
  • What devices do you suspect as rogue WAPs overall?
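The comparison the two tasks ask you to perform by hand (Task 1: beacon BSSID, SSID and channel against the whitelist; Task 2: the transmitter of a probe response against the whitelist) can also be scripted. The following is an added example written for this lab, not code from Wireshark or from the course. It parses raw 802.11 management frames (assumed to have no radiotap header) exactly as the packet details pane lays them out, resolves the vendor from a minimal OUI table that stands in for Wireshark's manuf database (an assumption; it only knows the two prefixes in the whitelist), and reports every BSSID that beacons or answers a probe but is not approved. The sample frames are constructed in the block; the rogue and client MAC addresses are placeholders, not addresses from the lab captures.

```python
"""Offline whitelist check over raw 802.11 management frames (added example).
Layout parsed: addr1 = receiver/destination, addr2 = transmitter/source,
addr3 = BSSID, then tagged parameters: SSID (tag 0) and DS channel (tag 3)."""
import struct

# Copied from the lab's "Approved Whitelist of Network Devices".
WHITELIST = {
    "00:0c:41:82:b2:55": {"vendor": "Cisco-Li", "ssid": "Coherer", "channel": 1},
    "0c:68:03:d6:88:78": {"vendor": "Cisco-Li", "ssid": "Test48", "channel": 48},
}
# Assumed minimal OUI table standing in for Wireshark's manuf database.
OUI = {"00:0c:41": "Cisco-Li", "0c:68:03": "Cisco-Li"}

PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8  # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def vendor(mac):
    # Wireshark resolves the first three octets (the OUI) to a vendor name
    return OUI.get(mac[:8], "Unknown")

def parse_mgmt(frame):
    """Decode one management frame into subtype, addresses, SSID and channel."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    info = {"subtype": (fc >> 4) & 0xF, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "ssid": None, "channel": None}
    off = 24  # fixed MAC header: frame control .. sequence control
    if info["subtype"] in (BEACON, PROBE_RESP):
        off += 12  # timestamp(8) + beacon interval(2) + capability info(2)
    while off + 2 <= len(frame):  # tagged parameters: id, length, value
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        off += 2 + length
    return info

def check(info):
    """Return findings for one AP frame; an empty list means it is approved."""
    findings = []
    entry = WHITELIST.get(info["bssid"])
    if entry is None:
        findings.append(f"BSSID {info['bssid']} ({vendor(info['bssid'])}) is not whitelisted")
        for mac, approved in WHITELIST.items():  # approved SSID from a foreign BSSID
            if approved["ssid"] == info["ssid"]:
                findings.append(f"SSID {info['ssid']!r} duplicates approved AP {mac}")
        return findings
    if info["ssid"] != entry["ssid"]:
        findings.append(f"SSID {info['ssid']!r} differs from approved {entry['ssid']!r}")
    if info["channel"] is not None and info["channel"] != entry["channel"]:
        findings.append(f"channel {info['channel']} differs from approved {entry['channel']}")
    return findings

def audit(frames):
    """Map each BSSID that beacons or answers probes to its findings."""
    report = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info["subtype"] != PROBE_REQ:  # a probe request comes from a client
            report.setdefault(info["bssid"], []).extend(check(info))
    return report

def build_mgmt(subtype, dst, src, bssid, ssid=None, channel=None):
    """Assemble a constructed management frame for testing (not a capture)."""
    frame = struct.pack("<HH", subtype << 4, 0)  # frame control (type 0), duration
    frame += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + struct.pack("<H", 0)
    if subtype in (BEACON, PROBE_RESP):
        frame += struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    if ssid is not None:
        frame += bytes([0, len(ssid)]) + ssid.encode()
    if channel is not None:
        frame += bytes([3, 1, channel])
    return frame

# Constructed sample traffic: two approved APs, one client probe request, and one
# placeholder rogue AP (locally administered MAC, not an address from the lab).
ROGUE, CLIENT = "02:00:00:aa:bb:cc", "02:00:00:11:22:33"
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BROADCAST, "00:0c:41:82:b2:55", "00:0c:41:82:b2:55", "Coherer", 1),
    build_mgmt(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ""),
    build_mgmt(PROBE_RESP, CLIENT, "0c:68:03:d6:88:78", "0c:68:03:d6:88:78", "Test48", 48),
    build_mgmt(BEACON, BROADCAST, ROGUE, ROGUE, "Coherer", 6),
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_FRAMES).items():
        print(bssid, vendor(bssid), findings or "approved")
```

Run as a script, the placeholder rogue is reported twice: once because its BSSID is not whitelisted, and once because it advertises the approved SSID "Coherer" from a foreign BSSID, which is the case the lab warns about where users are diverted to the attacker's WAP. The same three fields the script reads can be pulled in bulk from the lab's real captures with tshark, which ships with Wireshark: `tshark -r Fake_Access_Point_Beacons.pcap -Y "wlan.fc.type_subtype == 0x08" -T fields -e wlan.bssid -e wlan.ssid -e wlan.ds.current_channel` lists every beacon's BSSID, SSID and channel for comparison against the whitelist.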

Open the Second .pcap File

  1. Load the 802.11_state_machine.pcap file into Wireshark for analysis. On Wireshark, click on the Open option under the File menu on the left side of the window.
Screenshot of the File>Open drop-down menu in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The Open selection is highlighted at upper left with an arrow.

Source: Wireshark, UMGC Virtual Labs 

  2. Navigate to the cst630project2_resources folder and then select the 802.11_state_machine.pcap file. Click Open. Wireshark will load this file to analyze.
Screenshot of the Open Capture File window in Wireshark within the WINATK01 VM in UMGC Virtual Labs. The 802.11_state_machine.pcap file is highlighted and selected and also appears in the highlighted File name field. The Open button at right is highlighted with an arrow.

Source: Wireshark, UMGC Virtual Labs

  3. The 802.11_state_machine.pcap file is loaded into Wireshark and ready to analyze.
Screenshot of the uploaded 802.11_state_machine.pcap file in Wireshark showing the three panes.

Source: Wireshark, UMGC Virtual Labs

Examine the .pcap file to find rogue WAPs. This involves reviewing the following information against different characteristics of a WAP as shown in the approved devices in the network whitelist:

  • BSSID
  • SSID
  • Channel
  • Vendor name
  • MAC address

Collect information and relevant screenshots that will be included in your deliverables.

Analyze the Second .pcap File

Analyze the 802.11_state_machine.pcap file to answer the questions.

  1. Once the file has loaded, you should see the screen below. Click the first row of the packet list pane.
Screenshot highlighting the first row of the packet list pane in Wireshark for the 802.11_state_machine.pcap file within the WINATK01 VM in UMGC Virtual Labs.

Source: Wireshark, UMGC Virtual Labs

  2. Look in the Info column on the right. Notice that the Apple device is performing a probe request to connect to the network.
Screenshot of the 802.11_state_machine.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs. Highlighted with an arrow is a probe request from an Apple device.

Source: Wireshark, UMGC Virtual Labs 

  3. Look at the packet details pane and click the arrow next to IEEE 802.11 Probe Request to open the frame.
Screenshot of the 802.11_state_machine.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs after the arrow in the packet details pane next to the probe request is clicked. The output of the request is highlighted.

Source: Wireshark, UMGC Virtual Labs

  4. Scroll down to see and note the source and transmitter addresses in the packet details pane.
Screenshot of the details of the probe request in the 802.11_state_machine.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs. Transmitter and source address areas are highlighted in the packet details pane.

Source: Wireshark, UMGC Virtual Labs 

  5. Compare the vendor name and MAC address against the whitelist.

Answer the following:

  • What is the vendor name of the source/receiver?
  • What is the MAC address of the source/receiver?
  • Were these in the whitelist? If not, then they are part of an unapproved device.
  6. Click on the 802.11 radio information in the packet details pane (middle). Notice the channel number. This is the channel used by a WLAN device to connect to the network.
Screenshot of the 802.11_state_machine.pcap file in Wireshark within the WINATK01 VM in UMGC Virtual Labs, with the packet details pane showing highlighted radio and channel information.

Source: Wireshark, UMGC Virtual Labs

  7. Check this value against similar devices in the whitelist.

Answer the following questions:

  • Does the channel information match any device in the approved whitelist?
  • Does the source device, using this channel, match those in the approved whitelist? If not, then this is an unapproved device on the channel being used.
  8. Click on the second row in the packet list pane. Notice that the Cisco device is sending a probe response to the device connecting to the network.
Screenshot of the Wireshark analysis of the 802.11_state_machine.pcap file within WINATK01 VM in UMGC Virtual Labs. In the top packet list pane, the second line is highlighted, noting a probe response from a Cisco device. The center packet details pane response is also highlighted.
Probe Response of 802.11_state_machine.pcap File

Source: Wireshark, UMGC Virtual Labs 

  9. Look at the middle pane and click the IEEE 802.11 Probe Response to expand it and see detailed information. Notice both the transmitter and source addresses.
Screenshot of Wireshark analysis of the 802.11_state_machine.pcap file within the WINATK01 VM in UMGC Virtual Labs. After a click on the arrow in the highlighted IEEE 802.11 Probe Response field, details on the transmitter and source addresses are shown and highlighted as output on the left side of the screen.

Source: Wireshark, UMGC Virtual Labs

Note: Both source and transmitter addresses are the same. The receiver and destination information are also the same.

  10. Notice that the device is a Cisco base station with its MAC address. Check this against the whitelist.

Answer the following questions:

  • What is the vendor of the transmitter/source?
  • What is the MAC address of the transmitter/source?
  • Does the transmitter/source match any entry in the whitelist? If not, then it's an unapproved device.
  11. Click on the 802.11 radio information in the middle pane. As before, notice the channel number.
Screenshot of Wireshark analysis of the 802.11_state_machine.pcap file within WINATK01 VM in UMGC Virtual Labs. In the center pane, clicking the arrow next to 802.11 radio information produces output, highlighted on the left side. An arrow points to Channel: 48.

Source: Wireshark, UMGC Virtual Labs

Answer the following:

  • What is the channel being used?
  • Is the channel being used in the whitelist? If not, then it may be an unapproved device and channel being used.
  12. In the top menu, click the Wireless tab and then WLAN Traffic from the drop-down menu.
Screenshot of Wireshark analysis of the 802.11_state_machine.pcap file within WINATK01 VM in UMGC Virtual Labs. At top center, the Wireless menu item is highlighted with an arrow, and the WLAN Traffic selection in the drop-down menu is also highlighted with an arrow.

Source: Wireshark, UMGC Virtual Labs

  13. Notice the BSSID, Channel, and SSID being used. This information may be different for different VMs.
Screenshot of Wireshark analysis of WLAN Statistics from a probe response in the 802.11_state_machine.pcap file within the WINATK01 VM in UMGC Virtual Labs. The image shows BSSID, Channel, and SSID fields.

Source: Wireshark, UMGC Virtual Labs 

Notice that the channel is not displayed here; it was obtained earlier by opening the 802.11 radio information area.

Answer the following questions:

  • What is the BSSID of each device? Remember that the BSSID is the MAC address of the device.
  • What is the SSID being used?
  • Were any of these in the approved device whitelist? Those not on the list are unapproved devices on the network.

Notice which BSSID is the base station. This MAC address is usually the one connected to the network.

Use this information for your report. Take screenshots and note whether any devices are in the whitelist or not.

What devices do you suspect as rogue WAPs overall? Explain why.

Note: Cisco is a commonly used vendor of wireless network devices. However, Apple and other vendors manufacture hot spots or small WAPs that can connect to a network if allowed. These can provide a weakness in the network and invite attacks such as man-in-the-middle.

Use the screenshots and information collected, along with your findings, in your project deliverables for submission.

Task 3: Recommendations

With the BYOD policy implemented, the CIO may ask you for any recommendations to help avoid incidents such as those found. What recommendations for detecting these kinds of events can you make? Describe some automated tools and techniques that could be added to prevent similar events. Also consider statements to add to the BYOD policy to strengthen compliance. Add these to your deliverables as well.

Task 4: Proper Handling of Cyber Incident Evidence

Because you may be collecting evidence that could be used against a misbehaving employee, the legal office wants you to protect any information. A chain of custody is used to secure data and evidence. It takes the form of a signed asset sheet that tracks the location of the evidence and who has handled it. A safe can also be used to store and protect evidence.

In your deliverables related to the lab:

  1. Include a statement that the information collected has been protected against being changed or altered.
  2. Also state that a chain of custody form has been used and the information has been properly stored in a safe with limited access.

Statements like these are used to help protect the evidence in case of a legal action against an employee. It is possible that one day you may be called to testify in court, and this is a good practice to learn.

Congratulations. You have completed the lab. Close all applications, exit the virtual lab, and ensure that you describe your findings and incorporate them into your final deliverables for submission.