Wireless Network OSINT

Wireless networks is a general term to refer to various types of networks that communicate without the need of wire lines. Wireless networks have proliferated in the last decade. These days almost no enterprise is without them. As a result, every digital forensic investigator should be prepared to handle wireless evidence. Common types of wireless devices and networks include:

• AM/FM radios
• Bluetooth headsets
• Cellular phones
• Infrared devices, such as TV remotes
• Zigbee devices, such as HVAC, thermostat, lighting, and electrical controls
• Wi-Fi (802.11) network devices, and so on.
  

Wi-Fi

Wi-Fi is a wireless networking technology that allows computing devices such as PCs, mobile devices, and other digital devices (such as printers, and video cameras) to interface with the internet. It allows these devices to exchange information with one another, creating a network. Internet connectivity occurs through a wireless router that allows Wi-Fi-compatible devices to interface with the internet. 

Radio signals are the keys, which make Wi-Fi networking possible. These radio signals are transmitted from Wi-Fi antennas and are picked up by Wi-Fi-compatible devices that are equipped with Wi-Fi cards. Whenever a Wi-Fi-compatible device receives any of these signals within the range of a Wi-Fi network, the Wi-Fi card reads the signals and thus creates an internet connection between the user and the network without the use of a network cable.  

On the technical side, the IEEE 802.11x family of standards defines the protocols that enable communications with current Wi-Fi-enabled devices, including wireless routers and wireless access points. Wireless access points support different IEEE standards. Each standard is an amendment that was ratified over time. The standards operate on varying frequencies, deliver different bandwidths, and support a different number of channels.

Wireless Primer

To aid better understanding of the subject matter, it is necessary to introduce some concepts that will be encountered as we go into deeper details.

Term	Description
SSID (Service Set IDentifier)	This is the name of the wireless network.
BSSID (Basic Service Set IDentifier)	Unique ID of a wireless transmitter in MAC address format. The first 3 octets of a BSSID represent the organization that made the device. This Organizationally Unique Identifier (OUI), can be researched to determine the type of device or where it might have come from.  The last 3 octets of the BSSID are mostly unique to the transmitter.
beacon	Announcements from access points broadcasting SSIDs. Ties SSID to BSSID (access point).  SSIDs are broadcast from devices offering Wi-Fi services, such as an access point (AP), mobile hotspot or MiFi, or a device like a printer that has an ad-hoc wireless network configured. These devices offering wireless networks generally will announce their SSIDs by sending out wireless packets called beacons. Client wireless devices listen for these beacons and understand what SSIDs are near.
probe request	Announcement from client requesting a certain SSID. Ties request for SSID to a BSSID (client).  If an AP receives a probe and can service the network the client is asking for, it will reply to the probe with a probe response

Wi-Fi Wardriving

In 1999–2000, Peter Shipley created a technique to automatically log wireless network information along with the inputs from a GPS as he drove his vehicle around an area. He coined the term "war-driving" for this activity, and both the term and the technique took off!

WarDriving, also known as Access Point Mapping, is the act of searching WiFi wireless networks usually in a moving vehicle using a smartphone or laptop.

Wardrivers use a Wi-Fi-equipped device together with a GPS device to record the location of wireless networks. The results can then be uploaded to websites like WiGLE, openBmap or Geomena where the data is processed to form maps of the network neighborhood. There are also clients available for smartphones running Android that can upload data directly. For better range and sensitivity, antennas are built or bought, and vary from omni-directional to highly directional.

The maps of known network IDs can then be used as a geo-location system—an alternative to GPS—by triangulating the current position from the signal strengths of known network IDs.

Using the Wayback Machine, we can look at some of the old images that Peter Shipley created from his war-driving. Since that time, this practice has evolved with better applications and more-flexible platforms for moving about. People regularly use boats, bikes, and even flying drones to collect wireless network data in this fashion. Some of the better free tools are Kismet, Kismac, and the WiGLE.

Google Collected Wi-Fi Data 

In 2010, Google got into the wardriving game and began collecting geotagged  Wi-Fi data early in their Google Street View initiative. Led by Engineer Marius Milner, the creator of NetStumbler, Google Street View cars began logging the Wi-Fi networks of people around the world, creating a directory of wireless networks tied to addresses and Google Maps imagery. This data also included information from networks which had been left unencrypted. They wanted to use this data to increase the accuracy of their location services. Understanding all of the wireless networks in a region allowed them to more effectively locate devices.

 

 

This caused Google a lot of legal trouble over privacy concerns and resulted in over $7 million in fees.  Little was it known that people have been doing this privately for over a decade before Google got caught doing it.

WiGLE

The Wireless Geographic Logging Engine (WiGLE) is a crowd-sourced database of wireless access points. Users in all areas of the country conduct scans of wireless devices in their area; identify details of each device; and submit this data to WiGLE in order to map the found devices on the site. This allows anyone to browse an area for wireless access points or search an address to locate specific devices. 

 Wireless networks can be searched for network name (SSID), unique MAC address of the wireless transmitter (BSSID) location, and other attributes. The results include links that will display the results on an interactive map. Most of the world has been covered.

 

An investigator could also search by the target's name. This may identify routers that have the target's name within the SSID. Many internet users will use the same name for their wireless router as they use for their online screen name. Assume that your target's username was "Wncry". A search on WiGLE for "Wncry" as a router name might produce applicable results. These could identify the router's MAC address, encryption type, and GPS coordinates. A search on Google Maps of the supplied GPS coordinates will immediately identify the home address, a satellite view of the neighborhood, and a street view of the house of the target. All of this intelligence can be obtained from a simple username. These results would not appear on any standard search engines.

While you can use the WiGLE.net site without creating a user account and logging in, it is recommended that analysts sign up for the free accounts so that they can perform more-advanced searches and use the WiGLE API for automated queries using scripts.

 

WiGLE Search

In a network intrusion case, for example, you may discover a rogue access point in the machine of the suspect or victim by examining the registry key

 

 

 

 

 

Conducting a search of the suspect SSID may lead to further discoveries of evidentiary value.

 

 

There are both basic and advanced search forms on the WiGLE. For our purposes, the advanced search is usually the best choice, as it allows detailed searching of WiGLE's data via a number of characteristics. As shown in the image below, whether you wish to search a given latitude and longitude, a network name, or an address, the advanced search will help you locate the data you need. I searched for the network name (SSID) "CozyBear".

Executing a search for networks named "CozyBear", I received 33 records that were matches in WiGLE. Let's look at the results view to understand what we see.

1. The "map" field will launch a popup window with the estimated location of the device. 
2. The Net ID column, commonly called a MAC address or BSSID, is a unique address for the wireless transmitter.
3. Pay attention to the first and most recently seen columns, as some of the data in WiGLE is very old. The "Most Recently" column shows the last date when the device was detected. 
4. The estimated latitude and longitude columns give the rough coordinates of where the device might be located.
5. The channel column allows us insight into what wireless spectrum the device uses. Channels 1–14 use 2.4GHz and others use 5GHz.
   
   
   

Finally, let us get additional information about one of these networks. Considering the network device "14:CC:20:93:33:5C". The next slide will show what the details page looks like when you click the hyperlink on the BSSID.

The detailed network screen displays the approximate latitude and longitude of the wireless network transmitter, what dates the network was seen, and possibly other information from the collection. Clicking on the Google Maps image will launch an interactive map at the location of the network so that you can see what other buildings and networks are nearby and turn on satellite view to see more of what that area looks like. Keep in mind that the locations of these networks are just estimations based on the collected signals. 

 

Since cars drive on streets near houses, the collected data may show that a network is in the middle of the road when it is actually in the buildings on one side or the other. The plotted location of the wireless access point, in most cases, will be on the path that the person collecting it drove, biked, or walked. Exceptions to this would be if the site was doing any triangulation of the data points for a given wireless device.

The below image shows the "CozyBear" SSID located in 2735 Southeast 52nd Avenue, Portland, OR, US, 97206.

You can also submit direct queries to WiGLE via URL as follows:

https://wigle.net/search?ssid=cozybear
https://wigle.net/search#fullSearch?posta1Code=23420

Making Sense of Results

•  Because SSIDs are not globally unique, you will need to decide whether the results seem to align with the target device’s geo-spatial patterns. 
•  There are also some network names you should not bother searching at all (for example “Apple Store”) because they are generic and there could be networks all over the world with the same name. 
• You should also compare dates for when the target device was probing and when possible matching networks were first/last observed in the WiGLE dataset. 
• Some networks may no longer be up and running (regardless of whether they were first/last observed recently or years ago) while others may still be active and simply lack recent (or any) observations in WiGLE. 
• To determine if the SSID belongs to a location, we can search by globally unique MAC address or BSSID. If this BSSID appears elsewhere, it is likely that the AP is mobile rather than static, making our search more difficult. However, if the location is static, we can conclude that is the location of our suspect.
• Wigle notes when the transmitter (BSSID/MAC address) for a device was first and last seen. Because the wireless network (SSID) for a device can change, cataloging a device by its BSSID, which should not change, is better since that will be unique and long-lasting.
• By tracking the BSSID of the device (which is unique), we can watch monitor different configurations of the same device.
  

In conclusion: WiGLE is a great dataset but it is not definitive; take the results with a grain of salt.

 

Other Types of Wireless Devices

While Wi-Fi networks can have major impacts on our OSINT investigations, nowadays we have many other wireless transmitters that we carry with us on a daily basis. These RFID, NFC, cellular, Zigbee, and Bluetooth devices can be used to track us and our targets. Each device has a unique identifier for the wireless radio. While your target moves through a busy marketplace, you can be following behind them, staring at your phone, watching the signal strength of the transmissions from their smart watch. Sounds like something out of a spy novel, yes? Well it is not. Tracking devices and the people holding them is big business for marketing and advertisers and is incredibly helpful for law enforcement to put objects at certain locations.

LightBlue® Explorer for iOS devices and the Android nRF Connect for Mobile  are excellent examples of Bluetooth and Bluetooth Low Energy (BLE) sniffing applications for your mobile devices. Download and install them on your devices and then start them scanning. They will discover a huge variety of devices from televisions and Fitbit step counters to smart watches and Bluetooth beacons. They will note the GPS coordinates where your device detected the other systems and will plot the Relative Signal Strength Indicator (RSSI), which can be used to roughly determine how close to the Bluetooth transmitter you are.

 

 

1. Type and name of device
2. RSSI
3. Graph of RSSI over time
   

 

To get a better idea of how to track devices and the depth of data received from these Bluetooth-sniffing applications, take a look at the sample image from the nRF Connect for Mobile Android application.

In the image above, we see the name and type of the device (1). There is a MAC address (unique device transmitter ID) next to that. Then we have the RSSI (2), which can be used to determine distance from the transmitter (as the number gets closer to 0, you move closer to the transmitter). The application plots the RSSI over time in a plot (3). Finally, if you are allowed to, you can click the "Connect" button to interact with the device. This is, however, not recommend as that moves well beyond OSINT.

Wireless network data and geo-location information need to be interpreted to be useful. Even with the uncertainties, this wireless data can be valuable in your OSINT work.