Posts Tagged ‘audit’
|Failed authentication for XXXX, Date: 2019-11-26, Time: 13:26:01 AEDT, IP: X.X.X.X, Application: MfO, Method: IWA, Reason: Wrong password|
|Failed authentication for XXXX, Date: 2019-11-22, Time: 15:13:23 AEDT, IP: X.X.X.X, Application: App Launcher, Method: EWS Basic, Reason: Wrong password|
Application: MfO = Mimecast for Outlook
Application: App Launcher = MyApps web-based portal
Method = IWA (Integrated Windows Authentication), usually from the Mimecast Outlook add-in
Method = EWS Basic (used by Domain Authentication to check on-prem)
Finding issues in wireless networks can be hard; however, there are some tools you can use before you get the spectrum analyser in!
Great way to visualise SSID strength and channels. Just note that when you run this, your pings will go up!
Great heatmapping software, and paid-for software for scanning
How to check for deauths
Once you identify the channel, launch Wireshark (https://www.wireshark.org/) on that channel and listen for a minute or two.
First, apply this filter:
wlan.fc.type_subtype == 0xc
This will show you all the deauthentication frames that have been sent out.
Apply this filter next:
wlan.fc.type_subtype == 0x8 && wlan.sa == <BSSID of the SSID you are inspecting>
This will display beacon frames from your AP. Check the signal strength. In this case, we’ve got a good strong signal because we’re right next to the AP (right around -40 dBm on average).
Next, apply this filter:
wlan.fc.type_subtype == 0xc && wlan.sa == <BSSID of the SSID you are inspecting>
This shows deauthentication frames from your AP. Note the signal strength on the far right…
The deauthentication frames are coming in much weaker than the valid beacon frames. This strongly indicates that another AP is spoofing your system.
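The beacon-versus-deauth signal comparison above can be scripted for a longer capture. This is an added example, not part of the original post: it assumes the frames were exported as tab-separated rows of subtype, source address and signal (for instance the tshark fields wlan.fc.type_subtype, wlan.sa and radiotap.dbm_antsignal), and the 15 dB gap and three-frame minimum are assumed values to tune for your site.

```python
import statistics
from collections import defaultdict

BEACON, DEAUTH = 0x08, 0x0C  # subtypes used in the display filters above
GAP_DB = 15                  # assumed threshold in dB; tune for your site
# Constructed sample rows: subtype <TAB> source address <TAB> signal (dBm)
SAMPLE = """\
0x0008\t02:00:00:aa:bb:01\t-40
0x0008\t02:00:00:AA:BB:01\t-41
0x0008\t02:00:00:aa:bb:01\t-39
0x000c\t02:00:00:aa:bb:01\t-71
0x000c\t02:00:00:aa:bb:01\t-69
0x000c\t02:00:00:aa:bb:01\t-73,-75
0x0008\t02:00:00:aa:bb:02\t-55
0x0008\t02:00:00:aa:bb:02\t-56
0x0008\t02:00:00:aa:bb:02\t-54
0x000c\t02:00:00:aa:bb:02\t-57
0x000c\t02:00:00:aa:bb:02\t-55
0x000c\t02:00:00:aa:bb:02\t-56
truncated row
"""

def parse(lines):
    """Yield (subtype, source address, dBm) from tab-separated rows."""
    for line in lines:
        parts = line.strip().split("\t")
        try:  # multi-antenna captures list several readings; use the first
            subtype, dbm = int(parts[0], 0), int(parts[2].split(",")[0])
        except (IndexError, ValueError):
            continue  # malformed row or no signal reading
        yield subtype, parts[1].lower(), dbm

def suspicious_bssids(lines, gap_db=GAP_DB, min_frames=3):
    """Map each BSSID whose deauths are much weaker than its beacons to both medians."""
    rssi = defaultdict(lambda: {BEACON: [], DEAUTH: []})
    for subtype, sa, dbm in parse(lines):
        if subtype in (BEACON, DEAUTH):
            rssi[sa][subtype].append(dbm)
    flagged = {}
    for sa, seen in rssi.items():
        if min(len(seen[BEACON]), len(seen[DEAUTH])) < min_frames:
            continue  # too few frames of one kind to compare
        b, d = statistics.median(seen[BEACON]), statistics.median(seen[DEAUTH])
        if b - d >= gap_db:
            flagged[sa] = (b, d)
    return flagged

if __name__ == "__main__":
    print(suspicious_bssids(SAMPLE.splitlines()))
```

A flagged BSSID is a lead to confirm on site, since the gap depends on where the capture adapter sits relative to the AP.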