Simulating Wireless Network to Sniff Traffic

(@ghostfist)
Posts: 3
New Member
Topic starter
 

Hello all,

I'm trying to figure out a way to simulate a wireless network.

Issue: My evidence is a USB device that was bought in another country. The user plugged this device into one of our computers and we saw traffic attempting to go back to where it was bought. The problem is our lab environment isn't connected to the internet (no networking at all). I need to see where the device is trying to reach out to, to confirm what my firewall admins are telling me.

Any thoughts?

I've tried to use Wireshark but didn't really get anything from it, and tried to route traffic through pfSense (community), with no luck.

Any advice, tips, thoughts are greatly appreciated.

Thanks!

 
Posted : 04/07/2018 1:46 am
(@cfa_dave)
Posts: 3
New Member
 

You don't say what the device is. Therefore it's hard to recommend something.

Have you Googled the device to get the basic login/code?

As for a network, you can set up a router without a connection to the real WWW.
However, you need to analyze the device, which does not require connecting to a network.

David

 
Posted : 04/07/2018 3:02 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

STOP!

You said you have a USB device, "the user plugged this device in one of our computers and we saw traffic attempting to go back to where it was bought." Then you said, "our lab environment isn't connected to the internet (no networking at all)."

Clearly you do have networking if you saw traffic attributable to the device.

Why any of this would lead you to "Wireless" perplexes me.

Step all the way back!

#1
What is this USB device? If merely plugging it in resulted in unknown traffic on your network (that you don't have) then it almost certainly is not a thumb drive. Auto-running thumb drives don't happen anymore short of a very old or misconfigured system. There are a number of USB devices that have a physical form factor that looks like a thumb drive, but they are not. Automatic activity upon plug-in is readily accomplished via a USB HID (Human Interface Device), most often a preprogrammed "keyboard" that begins entering commands as the user.

#2
Analyze the device contents and programming.

#Last!
Connect it to the Internet through a fully instrumented transparent proxy from an instrumented isolated computer or VM. VMs are very handy for obtaining a live memory capture.

Almost forgot. Think carefully about your Internet connection and whether or not you would have a problem with whomever is on the other end tracing the connection back to you!

Sorry if this comes across as overly harsh; it's sort of a bad pre-retirement flashback.

 
Posted : 04/07/2018 4:27 am
JimC
(@jimc)
Posts: 86
Estimable Member
 

I completely agree with @watcher comments on the USB stick - Is it really a wireless network device?

One small tip I could add is that the "Port Mirroring" feature on a switch/router (including some of the better "cheap" ones) can be extremely useful. You can use this to mirror traffic to a logging PC running Wireshark.

If the device is a wireless network device, or you just want to see what/who a computer is trying to talk to, you can quickly set up a standalone network, connect the device to it, and record away in Wireshark.

If there is suspicious traffic you can then use tools like WinHTTP logging or TCPView to figure out which process the traffic is coming from.

Jim

www.binarymarkup.com

 
Posted : 04/07/2018 10:35 am
(@ghostfist)
Posts: 3
New Member
Topic starter
 

Thanks to all for the replies.

@CFA_dave, yes I've done all the research I can do on Google. Unfortunately, the router option is a no go for the lab.

@watcher, I apologize, I must not have been clear. Our enterprise does have a network; my lab doesn't have a network. All workstations/VMs are completely standalone, and we rebuild VMs when needed. The only information I have is coming from the admins that saw the traffic. Without access to logs, how else am I going to verify this device is saying what they say it is? It doesn't necessarily need to be wireless, but some type of network simulation. The admins claim the device is only a passthrough that allows something like a phone to be charged without transferring data. The device doesn't read as removable media; there are no contents on it. Physical analysis of the USB shows the copper pins for data transfer are present. My lab is locked down. I want to reiterate that the enterprise has network connections to the outside; however, my lab has no networking at all.

@JimC, thanks for the suggestions. Unfortunately I'm stuck with just using my standalone workstation and VMs. Unless setting up a virtual switch in Hyper-V works (tried), it sounds like I'm out of luck.

 
Posted : 04/07/2018 1:38 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

"The only information I have is coming from the admins that saw the traffic …"

So you don't know what may have actually taken place: what was clicked/executed, what traffic was seen (DNS, IP addresses, …), or how this was attributed to the device?

I'd suggest taking everything you were told with a big grain of salt.

"The admins claim the device is only a passthrough that allows something like a phone to be charged without transferring data. The device doesn't read as a removable media no contents on it. Physical analysis of the USB shows the copper pins for data transfer are present. …"

Most wires, connectors and pins use standard parts, so the presence of the data pins is of little value.

Assuming that you are not wedded to using a write-blocker and courtroom forensics:

The very first thing I suggest is to boot up a Linux machine; a Live ISO would be fine or even preferred in this case. Plug in the device and give Linux a few seconds to potentially announce or complain about the device. From a command line, enter

sudo lsusb

You will see something like this

Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 2109:0810 VIA Labs, Inc. VL81x Hub
Bus 001 Device 004: ID 2109:0810 VIA Labs, Inc. VL81x Hub
Bus 001 Device 007: ID 093a:2510 Pixart Imaging, Inc. Optical Mouse
Bus 001 Device 006: ID 413c:2011 Dell Computer Corp. Multimedia Pro Keyboard
Bus 001 Device 003: ID 413c:1005 Dell Computer Corp. Multimedia Pro Keyboard Hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 003: ID 2109:0810 VIA Labs, Inc. VL81x Hub
Bus 004 Device 002: ID 2109:0810 VIA Labs, Inc. VL81x Hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

All the USB devices will be listed. If there is no data line then it's not a device. It may be obtuse, generic or unknown. If you can't clearly tell which line applies, remove the device, repeat the lsusb command and look for differences. It's entirely possible that the device identifies itself as a "Dell Keyboard" or similar, so definitely do a diff even if you think it's not there.

Depending upon how paranoid you want or need to be as a function of your operational environment, it's very possible to make a device that only activates data lines at some time much later so you wouldn't even see it in a short test. This is pretty unlikely, but possible.

I can't help but wonder about the original premise; someone brings an unknown device from another country and plugs it into the operational network in order to charge a phone. Really?

 
Posted : 04/07/2018 4:46 pm
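The before/after lsusb comparison watcher describes, written out as an added example (this is not code from the thread or from any of its posters). The two captures are constructed sample data so the script runs without a USB device attached; the 0000:0000 vendor:product ID is a made-up placeholder. Bus and device numbers are stripped before comparing because they change every time something is plugged in, and the comparison is line by line, so a device that borrows an existing keyboard ID still shows up as an extra copy.

```shell
#!/bin/sh
# Added example (not from the thread): diff two lsusb snapshots, taken before
# and after the unknown device is plugged in, and report only what appeared.
# On a real machine:  lsusb > before.txt ; plug the device in ; lsusb > after.txt
# The two captures below are CONSTRUCTED sample data so the script runs offline.

BEFORE_CAPTURE='Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 006: ID 413c:2011 Dell Computer Corp. Multimedia Pro Keyboard
Bus 001 Device 003: ID 413c:1005 Dell Computer Corp. Multimedia Pro Keyboard Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Same machine with the device attached. For illustration it enumerates twice:
# once under a placeholder vendor:product ID (0000:0000 is made up here), and
# once as a second "Dell keyboard", the HID look-alike case the post warns about.
AFTER_CAPTURE='Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 006: ID 413c:2011 Dell Computer Corp. Multimedia Pro Keyboard
Bus 001 Device 009: ID 413c:2011 Dell Computer Corp. Multimedia Pro Keyboard
Bus 001 Device 003: ID 413c:1005 Dell Computer Corp. Multimedia Pro Keyboard Hub
Bus 001 Device 008: ID 0000:0000 unknown device (constructed placeholder)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Strip the "Bus NNN Device NNN:" prefix and sort. Bus/device numbers change on
# every plug-in, so only "ID vvvv:pppp description" is compared.
normalize_lsusb() {
    printf '%s\n' "$1" | sed 's/^Bus [0-9]* Device [0-9]*:* *//' | sort
}

# Lines present in the after-capture but absent from the before-capture.
# comm works line by line, so a device cloning an existing vendor:product ID
# still shows up: the second copy has nothing to pair with in the before list.
new_usb_devices() {
    tmp_before=$(mktemp)
    tmp_after=$(mktemp)
    normalize_lsusb "$1" > "$tmp_before"
    normalize_lsusb "$2" > "$tmp_after"
    comm -13 "$tmp_before" "$tmp_after"
    rm -f "$tmp_before" "$tmp_after"
}

# Number of new entries. 0 means nothing enumerated on the data lines, i.e. the
# host never saw it as a USB device at all during the test window.
count_new_usb_devices() {
    new_usb_devices "$1" "$2" | wc -l | tr -d ' '
}

echo "USB entries that appeared after plugging in the device:"
new_usb_devices "$BEFORE_CAPTURE" "$AFTER_CAPTURE"
echo "count: $(count_new_usb_devices "$BEFORE_CAPTURE" "$AFTER_CAPTURE")"
```

Run it once with real captures substituted for the two variables; a count of 0 after a reasonable wait supports the "charge-only passthrough" claim for that window, while any new line (especially a duplicate of an existing keyboard ID) is the cue to analyse the device's descriptors and behaviour further, as the post suggests.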
(@ghostfist)
Posts: 3
New Member
Topic starter
 

@watcher, great idea, thanks for the suggestion. I'll definitely give it a shot and let you know the results. This case is definitely not going to go to the courtroom at this point; it's more about finding out what, if anything, the device does, and validating what I was told. Thanks again, I appreciate the help.

 
Posted : 04/07/2018 4:59 pm
(@jakubr)
Posts: 8
Active Member
 

Try to connect the device to a VM as a victim host and sniff the traffic using fakenet-ng or something similar on a second VM acting as a router. I used a similar method to analyse malware samples.

 
Posted : 04/07/2018 7:08 pm