Wireless-Detective WLAN 802.11a/b/g/n Interception System - PowerPoint PPT Presentation

About This Presentation
Description:

The All-in-One Mobile WLAN Interception System References ... Wireless-Detective Forbidder Mode WLAN Jammer/Forbidder Implementation in Wireless-Detective system: ... – PowerPoint PPT presentation

Slides: 47
Provided by: Windo273

Transcript and Presenter's Notes



1
Wireless-Detective WLAN 802.11a/b/g/n
Interception System
  • Decision Group
  • www.edecision4u.com

2
Introduction to Wireless-Detective System
WLAN IEEE 802.11a/b/g/n Interception and
Forensics Analysis System
  • Scan all WLAN 802.11a/b/g/n 2.4 and 5.0 GHz
    channels for Access Points and STAs.
  • Captures/sniffs WLAN 802.11a/b/g/n packets.
  • Real-time decryption of WEP key (WPA Optional
    Module)
  • Real-time decoding and reconstruction of WLAN
    packets
  • Stores data in raw and reconstructed content
  • Displays reconstructed content in Web GUI
  • Hashed export and backup

The Smallest, Mobile, Portable and most Complete
WLAN Lawful Interception System in the World!
All in One System!
Important Tool for Intelligence Agencies such as
Police, Military, Forensics, Legal and Lawful
Interception Agencies.
Notes: Pictures and logo are property of
designated source or manufacturer
3
Wireless-Detective Implementation Diagram (1)
Wireless-Detective Standalone System - Captures
WLAN packets transmitted over the air ranging up
to 100 meters or more (by using enhanced system
with High Gain Antenna)
WLAN Lawful Interception Standalone
Architecture Wireless-Detective
Deployment (Capture a single channel, a single AP
or a single STA)
4
Wireless-Detective Implementation Diagram (2)
Wireless-Detective Distributed Extreme
Implementation: Utilizing multiple/distributed
Wireless-Detective systems (Master and Slave) to
conduct simultaneous capture, forbidding and
location estimation functions.
WLAN Lawful Interception Distributed Architecture:
Wireless-Detective Deployment (Utilizing min. of
2 systems (Master and Slaves) for simultaneous
capturing/forbidding functions. Capture a single
channel, a single AP or a single STA)
Notes: For capturing multiple channels, each
Wireless-Detective (WD) can be reconfigured to act
as a standalone system. For example: deploy 4 WD
systems with each capturing on one single
channel.
5
Wireless-Detective AP Info Capture Mode (1)
Displaying information of Wireless Devices (AP)
in surrounding area.
Obtainable Information: MAC of Wireless
AP/Router, Channel, Mbps, Key, Signal Strength,
Beacons, Packets, SSID, Number of Stations
Connected.
6
Wireless-Detective STA Info Capture Mode (2)
Displaying information of Wireless Devices (STA)
in surrounding area.
Obtainable Information: Client MAC Address,
Signal Strength, Packets, AP MAC Address, Key
(Encrypted or Unencrypted), SSID.
7
Wireless-Detective Forbidder Mode
  • WLAN Jammer/Forbidder Implementation in
    Wireless-Detective system
  • Forbid connectivity of STA
  • Forbid connectivity of AP

8
Wireless-Detective AP/STA Info Forbidder Mode
Forbid AP (stop any STA from connecting to the
AP) or Forbid STA (stop the STA from connecting
to any AP).
9
Cracking/Decryption of WEP/WPA Key (1)
WEP Key Cracking/Decryption can be done by
Wireless-Detective System!
Auto Cracking (System Default) or Manual Cracking
  • 1) WEP Key Cracking/Decryption (64, 128, 256 bit
    key)
  • Active Crack: By utilizing ARP packet injection
    (possibly 5-20 minutes)
  • Passive Crack: Silently collect Wireless LAN
    packets
  • 64-bit key: 10 HEX (100-300MB raw data /
    100K-300K IVs collected)
  • 128-bit key: 26 HEX (150-500MB raw data /
    150K-500K IVs collected)
  • 2) WPA-PSK Key Cracking/Decryption (Optional
    Module Available)
  • WPA-PSK cracking is an optional module. By using
    an external server with Smart Password List and
    GPU Acceleration Technology, the WPA-PSK key
    can be recovered/cracked.
  • Notes:
  • The time taken to decrypt the WEP key in passive
    mode depends on the amount of network activity.
  • The time to crack the WPA-PSK key depends on the
    length and complexity of the key. Besides, it is
    compulsory to have the WPA-PSK handshake packets
    captured.

10
  • Cracking/Decryption of WEP Key (2)
Automatic: System auto crack/decrypt WEP key
(default)
Manual: Capture raw data and crack/decrypt WEP
key manually

Automatic Cracking Key Obtained
11
  • Cracking/Decryption of WEP Key (3)
Automatic: System auto crack/decrypt WEP key
(default)
Manual: Capture raw data and crack/decrypt WEP
key manually

Cracking Manually
12
  • Cracking/Decryption of WEP Key (4)

WEP Key Cracked!
Select wireless network manually for cracking. If
raw data contains enough IVs, WEP key can be
cracked almost instantly.
13
Wireless-Detective WPA-PSK Cracking Sol. (1)
WPA-PSK Cracking Solution: WPA Handshake packets
need to be captured for cracking WPA key. Utilize
Single Server or Distributed Servers (multiple
smart password list attack simultaneously) to
crack WPA key. Acceleration technology: GPU
Acceleration
Note: WPA handshake packets can be captured by
Standalone Wireless-Detective system or
Distributed Wireless-Detective systems.
14
Wireless-Detective WPA-PSK Cracking Sol. (2)
WPA/WPA2-PSK cracking module is optional
(dedicated server). Application: Utilizing
Password List attack and GPU technology (Graphic
Card Processors) to recover or crack the
WPA/WPA2-PSK Key. Supported WPA: WPA-PSK (TKIP)
and WPA2-PSK (AES). Speed: up to 30 times faster
than normal CPU. GPU supported: NVIDIA and ATI
15
Internet Protocols Supported
16
Reconstruction Sample Email POP3
Date/Time, From, To, CC, Subject, Account,
Password
17
Reconstruction Sample Email SMTP
Date/Time, From, To, CC, BCC, Subject, Size
18
Reconstruction Sample Email IMAP
Date/Time, From, To, CC, Subject, Account,
Password
19
Reconstruction Sample Web Mail (Read)
Date/Time, Content, Web Mail Type
20
Reconstruction Sample Web Mail (Sent)
Date/Time, From, To, CC, BCC, Subject, Webmail
Type
21
Reconstruction Sample IM/Chat MSN
Date/Time, User Handle, Participant,
Conversation, Count
Including Text Chat Messages, File Transfer and
Webcam sessions reconstruction and
playback. Supports Client and Web MSN.
22
Reconstruction Sample IM/Chat Yahoo
Date/Time, Screen Name, Participant,
Conversation, Count
Including Text Chat Messages, File Transfer, VoIP
and Webcam sessions reconstruction and
playback. Supports Client and Web Yahoo.
23
Reconstruction Sample IM/Chat Skype Log
Date/Time, Screen Name, Participant,
Conversation, Count
Skype Text, VoIP and Webcam sessions are
encrypted. However, the Skype VoIP call duration
log and the source and destination IP can
be obtained.
24
Reconstruction Sample File Transfer - FTP
Date/Time, Account, Password, Action, FTP Server
IP, File Name
25
Reconstruction Sample Peer to Peer P2P
Date/Time, Tool, File Name, Last Activated,
Send/Receive Throughput, Details
Including Action (Download/Upload), Peer IP,
Port, Peer Port Throughput
26
Reconstruction Sample HTTP Link (URL)
Date/Time, Link/URL
27
Reconstruction Sample HTTP Content
Date/Time, Link/URL
28
Reconstruction Sample HTTP Reconstruct
Date/Time, HTTP Content
29
Reconstruction Sample HTTP Upload/Download
Date/Time, Action, File Name, HTTP
Download/Upload URL, Size
30
Reconstruction Sample HTTP Video Streaming
Date/Time, Host, File Name, HTTP Content, File
Size
Play back reconstructed FLV video file
31
Reconstruction Sample Telnet
Date/Time, Account, Password, Server IP, File Name
Support play back of Telnet sessions
32
Reconstruction Sample VoIP
33
Reconstruction Sample Incomplete Sessions
34
Data Search: Conditions and Free Text Search
Conditions: Search by Parameters/Conditions
(Date-Time, IP, MAC, Account, Subject etc.)
Free Text Search: Search by Key Words (Supports
Boolean Search)
35
Data Export Backup Reconstructed Data
Backup the reconstructed content (various
application) to ISO file report format.
36
Data Backup Captured Raw Data Backup
Backup captured raw data (known) and raw data
(unknown unclassified). Export to external PC
or backup through CD/DVD Burner.
37
Conditional Alert Alert through Email
Alert Administrator by Parameters/Conditions
38
Online IP List IP Information
Status, IP, PC Name, Last Seen Time, ISP,
Categorized Group
39
Location Estimation - Wireless Equipment Locator
Utilizes Wireless Sensors and Triangulation
Calculation/Training methodology to estimate the
location of the targeted wireless devices (AP or
STA). Plane Regression: 1 WD as Master system,
min. 3 WD as Slave systems (sensors).
Allows finding the approximate location of the
targeted wireless device in the X-Y plane.
Estimation error depends on the surrounding
environment (e.g. blockage). Normally a few meters.
40
Exporting Raw Data Captured for Further Analysis
(1)
Raw data captured can be hashed and exported from
the WD system for further analysis.
Known Raw Data: Raw data that can be classified
and reconstructed. Unknown Raw Data: Raw data
that cannot be classified and reconstructed.
41
Exporting Raw Data Captured for Further Analysis
(2)
Analyze the raw data files using packet analyzer
tools such as Packet Browser, Wireshark and
Ethereal.
42
Exporting Raw Data Captured for Further Analysis
(3)
Analyze the raw data files using packet analyzer
tools such as Packet Browser, Wireshark and
Ethereal.
43
Exporting Raw Data Captured for Further Analysis
(4)
Analyze the raw data files by using offline
parsing and reconstruction tool, EDDC (product of
Decision Computer Group)
44
Wireless-Detective Unique Advantages/Benefits
  • Smallest, portable, mobile and lightweight WLAN
    legal interception system. This allows easy
    tracking and capturing of a suspect's Internet
    activities, especially when the suspect moves
    from one place to another. The suspect won't
    notice the WD's existence as it looks like a
    normal laptop.
  • Detects unauthorized WLAN access/intruders (IDS).
  • Provides detailed information of AP, Wireless
    Routers and Wireless Stations (such as channel,
    Mbps, security (encryption), IP, signal strength,
    manufacturer, MAC)
  • Provides capturing of WLAN packets from single
    channel, AP, STA or multiple channels by
    deploying distributed/multiple systems. That also
    means flexibility and scalability of deployment
    solution.
  • Provides decryption of Wireless key, WEP key (WPA
    cracking is optional module)
  • Provides decoding and reconstruction of different
    Internet services/protocols on the fly,
    reconstructed data is displayed in original
    content format on local system Web GUI.
  • Supports reserving of raw data captured (for
    further analysis if required) and archiving of
    reconstructed data with hashed export functions.
  • Supports condition/parameter search and free text
    search.
  • Supports alert by condition/parameter.
  • Provides Wireless forbidding/jamming function
  • Provides Wireless Equipment Locator function.
  • The All-in-One Mobile WLAN Interception System

45
References Implementation Sites and Customers
  • Criminal Investigation Bureau
  • The Bureau of Investigation Ministry of Justice
  • National Security Agency (Bureau) in various
    countries
  • Intelligence Agency in various countries
  • Ministry of Defense in various countries
  • Counter/Anti Terrorism Department
  • National Police, Royal Police in various
    countries
  • Government Ministries in various countries
  • Federal Investigation Bureau in various countries
  • Telco/Internet Service Provider in various
    countries
  • Banking and Finance organizations in various
    countries
  • Others
  • Notes Due to confidentiality of this
    information, the exact name and countries of the
    various organizations cannot be revealed.

46
Thank You !
Decision Group decision_at_decision.com.tw
www.edecision4u.com