Posted

I've had a question posed to me from an investigator I work with. He believes a WiFi Pineapple was used recently to obtain data being transmitted by a company laptop over Wifi. Is there any forensic evidence or trace data on the laptop itself that could confirm or dispute this claim?

 

Thanks!

JD

Posted

If this happened at home or on the road, you're up shit's creek more or less, and a VPN/Tunnel would be something laptop employees should be using in practice to protect against this, regardless of where they are unless physically plugged into the work LAN and wifi is off.

Very doubtful this is traceable after the fact, but curious if anyone else has input.

Only way I can see, is if they compared MAC addresses (and if not spoofed to same address) of the AP they connected to, both work's, and the foreign device. More than likely this was an attack on the same connection, vs using a Pineapple, if the laptop was meant to connect to the main company network, unless it was bridged to the company network, which would be more or less transparent to end users. You'd need to be actively looking at the traffic, know a baseline safe point for your wifi devices, and then compare when new devices are on the network. This would require a lot of traffic analysis, either automated by some sort of IDS or such device as well as manually inspecting traffic. Safeguards for some things can be put in place ahead of time, like activating sticky bits for MAC addresses, which would ban unknown devices plugged into the network on switch ports (switch port security), but not sure how that works with respect to wifi. Other thing is, a lan tap could help siphon data off a network as well with little to no impact and almost as untraceable other than network speeds on the same segment of the LAN; you'd have to physically inspect to find one on the premises. I'm sure there are vendors out there with the next ids9000 that has some sort of firewall alerts to these kinds of issues, but doubtful anyone is actively practicing much of this in the real world other than maybe banks and large corps.

If there were IPv6 addresses floating across as well, it's claimed that you might be able to reverse the actual device's MAC address, which would get you the OUI of said pineapple to determine a manufacturer, but this is if the MAC isn't spoofed/changed - http://blog.superuser.com/2011/02/11/did-you-know-that-ipv6-may-include-your-mac-address-heres-how-to-stop-it/
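The MAC/OUI comparison suggested above, as an added example that is not part of the original post: it checks a laptop's Wi-Fi association records (SSID + BSSID, the fields Windows exposes via `netsh wlan show interfaces` or WLAN-AutoConfig event 8001) against a known-good AP baseline. The baseline, the OUI table and the sample records are all constructed for the example; a real OUI check would use the IEEE registry.

```python
"""Added example (not from the thread): compare Wi-Fi association records
against a known-good AP baseline. Records are constructed in the shape
Windows reports (SSID + BSSID); baseline and OUI table are constructed too."""
from typing import Dict, List, Set

# Constructed baseline: SSID -> BSSIDs the company legitimately operates.
KNOWN_APS: Dict[str, Set[str]] = {
    "CorpWifi": {"a8:bb:cc:10:20:30", "a8:bb:cc:10:20:31"},
}
# Constructed OUI table (first three octets -> vendor); real checks use the IEEE list.
KNOWN_OUIS: Dict[str, str] = {"a8:bb:cc": "ExampleCorp AP vendor (constructed)"}


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not assigned by a
    vendor, which is common for randomized or spoofed MACs."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def assess(record: Dict[str, str]) -> List[str]:
    """Return indicator strings for one association record; [] means clean."""
    ssid, bssid = record["ssid"], normalize_mac(record["bssid"])
    flags: List[str] = []
    if ssid in KNOWN_APS:
        if bssid not in KNOWN_APS[ssid]:
            flags.append("known SSID served by unknown BSSID")  # evil-twin pattern
    else:
        flags.append("no baseline for this SSID")
    if bssid[:8] not in KNOWN_OUIS:
        flags.append("unknown OUI " + bssid[:8])
    if is_locally_administered(bssid):
        flags.append("locally administered MAC (possibly spoofed)")
    return flags


# Constructed sample records, as pulled from the laptop's WLAN history.
SAMPLE = [
    {"ssid": "CorpWifi", "bssid": "A8-BB-CC-10-20-30"},
    {"ssid": "CorpWifi", "bssid": "02-11-22-33-44-55"},
    {"ssid": "HotelGuest", "bssid": "a8:bb:cc:99:99:99"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["ssid"], rec["bssid"], assess(rec) or ["ok"])
```

Note that an attacker can clone a legitimate BSSID, so a clean result only means the laptop's own records show nothing unusual; a flagged BSSID or a locally administered address is a lead, not proof.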

 

Posted

Thanks for the reply. To give some better insight. This is a LARGE corporation laptop system that was out on travel. Employees are requested to use VPN immediately for all activity, but CAN access unfiltered internet etc. if they do not login to VPN. It is unclear at this time if the employee was VPN connected the whole time, part of the time, or not at all. This event likely occurred while off-campus at a hotel. My only thought was to see if the MAC address was not spoofed and shows that it connected to a MAC of an unknown manufacturer.

 

Thanks,

JD

Posted
2 hours ago, Izittru said:

Thanks for the reply. To give some better insight. This is a LARGE corporation laptop system that was out on travel. Employees are requested to use VPN immediately for all activity, but CAN access unfiltered internet etc. if they do not login to VPN. It is unclear at this time if the employee was VPN connected the whole time, part of the time, or not at all. This event likely occurred while off-campus at a hotel. My only thought was to see if the MAC address was not spoofed and shows that it connected to a MAC of an unknown manufacturer.

 

Thanks,

JD

Short of logging all wifi data for BSSID (which can be spoofed since it's just the MAC address) to corresponding SSID, or forensic evidence on the device itself, which is a whole other animal, I'm going to chalk it up to live and learn and maybe a policy change on how laptops access the internet. Where I used to work, all devices were forced through a work proxy, even when remote; you had to be on the VPN, and were still filtered for internet access over the work's proxy and filters.

 

Posted

arp -a entries that are dynamic, only stay resident for 2 minutes. Static entries are permanent while on the same subnet and survive a reboot while dynamic ones do not.

 

I use a bat script to put in my home routers with their corresponding MAC and IP addresses in Windows. Makes MITM attacks lock up most of the time. ex:

netsh interface ipv4 add neighbors "Local Area Connection" 192.168.0.1 00-00-00-00-00-00
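A defender's companion to the pinning above, as an added example that is not part of the original post: it parses Windows `arp -a` output, checks the default gateway's entry against a pinned MAC, reports whether the entry is still dynamic (so it will age out and not survive a reboot), and flags the classic poisoning sign of one MAC answering for the gateway and another host. The sample output, gateway address and MACs are constructed.

```python
"""Added example (not from the thread): audit Windows 'arp -a' output against
a pinned gateway MAC. Sample output and all addresses are constructed."""
import re
from typing import List, Tuple

# One cache row: "  192.168.0.1     00-11-22-33-44-55     dynamic"
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arp(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, type) tuples; 'Interface:' and header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            out.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return out


def check_gateway(entries, gateway_ip: str, pinned_mac: str) -> List[str]:
    """Return findings for the gateway entry; [] means it matches the pin and is static."""
    findings: List[str] = []
    by_ip = {ip: (mac, kind) for ip, mac, kind in entries}
    if gateway_ip not in by_ip:
        return ["gateway not in ARP cache (dynamic entries age out quickly)"]
    mac, kind = by_ip[gateway_ip]
    if mac != pinned_mac.lower():
        findings.append(f"gateway MAC {mac} != pinned {pinned_mac.lower()}")
    if kind != "static":
        findings.append("gateway entry is dynamic; pin it with netsh so it survives a reboot")
    # The same MAC claiming the gateway and another unicast IP is a poisoning indicator.
    others = [ip for ip, m, _ in entries if m == mac and ip != gateway_ip]
    if others:
        findings.append("gateway MAC also claimed by " + ", ".join(others))
    return findings


# Constructed 'arp -a' capture in Windows layout.
SAMPLE_ARP = """Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.23          00-11-22-33-44-55     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    for f in check_gateway(entries, "192.168.0.1", "00-11-22-33-44-55") or ["ok"]:
        print(f)
```

Run it from a scheduled task after connecting to a new network and you get the baseline-versus-now comparison the earlier reply describes, at least for the local subnet.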

 

Posted

Something I hadn't thought about, which could have happened AT the workplace, that is if this was specifically targeted at employees as well, is if the workplace uses WPA Enterprise with a Radius server, they could have been attacked in the office itself. Much over my head, but a blog post explaining the attack with a video might explain it better than I can. - https://www.offensive-security.com/penetration-testing/hacking-wpa-enterprise-with-kali-linux/

 

2 weeks later...
Posted

If the employee was on VPN there should be some kind of log file when he/she connected to the corp network. That should be able to help you to determine if they used the VPN or not.

Posted
3 hours ago, Malachai said:

If the employee was on VPN there should be some kind of log file when he/she connected to the corp network. That should be able to help you to determine if they used the VPN or not.

Not sure that helps determine if they were hacked over rogue wifi though, or if they maintained only a VPN connection and didn't browse the web off the VPN while connected to the VPN network at the same time. A VPN doesn't prevent being hacked on the same subnet, wherein an attacker can break into the machine and then pivot to the internal network. It's only going to encrypt your data in transport between your machine and some other network, preventing snooping on the wire. This is null when someone actively attacks the laptop and has control of it though, which would be something forensics should have a look at to determine if there was any kind of compromise therein, if data was stolen or suspected to be, from the use of said laptop.

On 1/23/2017 at 3:07 PM, Izittru said:

Thanks for the reply. To give some better insight. This is a LARGE corporation laptop system that was out on travel. Employees are requested to use VPN immediately for all activity, but CAN access unfiltered internet etc. if they do not login to VPN. It is unclear at this time if the employee was VPN connected the whole time, part of the time, or not at all. This event likely occurred while off-campus at a hotel. My only thought was to see if the MAC address was not spoofed and shows that it connected to a MAC of an unknown manufacturer.

 

Thanks,

JD
