MeerCAT Pro User Manual

Contents

1. [Screenshot text: Hacker 00:1C:B3:00:00:03, Channel 11, Encryption None, Type probe, Classification Rogue, Lat 38.90328, Lon 77.04060, Elev 17 meters. "Check out this probing network. We should perform another audit to get more information."] 7.2 Report Templates: MeerCAT comes with two default templates, one for Word and one for PowerPoint. These templates can be modified using Word, PowerPoint or OpenOffice, or a new template can be created and used within MeerCAT. Templates are stored and configured in the reportConfig folder located in your user home MeerCAT folder. On Windows XP this is usually located at C:\Documents and Settings\<username>\MeerCAT, and on Vista it is located at C:\Users\<username>\MeerCAT. To have a new template appear within MeerCAT, you must add the template to the reports.xml file in the reportConfig folder. Images: Image views can be added to a report template by dragging and dropping the associated view's JPG file in the reportConfig folder. The position can be placed anywhere within the document or presentation. Only the width of the image is maintained when the report is generated. The height will maintain the aspect ratio based on the width. Tables: Table views, including the Networks, Client, Flow Details and Device History tables, can be added to a report using the following keyword text T
2. there may be several Multicast MAC nodes with the same address, but only one per wireless network, but may have several IP addresses associated with it. Conversely, each node in the IP Flows view belongs to a particular IP address and may have several MAC addresses associated with it. These two modes can assist administrators in determining the ways in which different network layers act on the traffic being analyzed. Nodes: The graph nodes each contain a label which represents a network address associated with them, and they all have a fill color associated with the attributes of their communication patterns. These colors are all user manageable in the WiFi Flows area of the MeerCAT preferences. Wireless Network nodes represent a known wireless network and are labeled with their SSID (or BSSID if the SSID is not known). Multicast MAC nodes represent datalink layer broadcast and multicast addresses, and Datalink MAC nodes represent generic datalink layer MAC addresses. These are the types of nodes that fall under the Datalink Layer categorization because they represent link layer hardware addresses. On the other hand, there are three classifications for nodes that exhibit network (IP) layer information. Local IP nodes are nodes that have at least one IP address in the private IPv4 range (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255), while Other IP
3. [Flow Details table screenshot: rows of Management/Beacon and Data frames with timestamps, MAC addresses and byte counts] Toolbar: The toolbar of the Flow Details View contains the following buttons. History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network. 6.3 Wired Captures
4. [Screenshot: WiFi Flows filter panel (Graph Type, Network Layer Filter, Node Type Filter, Network Border), the Wired Captures view listing the capture EthernetTest1, and the Flow Details table with columns Total Bytes, Source IP, Destination IP, Source Port, Destination Port, IP Protocol] Above is an example of the three views that wired capture data has an effect on in
5. 8.7 Tags: The Device Explorer View permits various features of networks and devices to be viewed in more detail. For instance, the Client Properties window allows the MAC address and Classification to be updated if necessary. The Wireless Network Properties window allows these as well as additional fields to be maintained. To aid in further grouping networks, wireless networks can be given short keywords, or tags. To assign a tag in the Device Explorer View, select a network and right click. Select tag from the list of options. If tags have already been defined, these will be shown in the tag flyout menu as shown below. [Screenshot: Device Explorer context menu with the Tags flyout listing "Federal installations" and "Fixed retail"] Existing tags can also be selected by cho
6. Toolbar: The toolbar of the Device History view contains the following buttons. Link With Selection: Click on this toolbar button to activate or inactivate linking this view with device selection in other views. If not linked, device history will not change unless the Device History menu option is selected in the context menu for a device. Stop Animation: Stops the animation in the 3D Geo view. Start Animation: Displays an animation in the Geographic view indicating the changing location of a device over the course of the selected discovery runs. 5.11 Overlays Details: The Overlays Details View allows you to add an image, such as a floor plan, to the 3D Geo View. Images must be in bmp, gif, jpg or png file formats. Toolbar: The toolbar of the Overlays view contains the following buttons. Add Image Overlay: Opens the Image Overlay Setup window to import an image. [Screenshot: Image Overlay Setup window with fields Image file, Location (Lat, Lon; from top left, top right, bottom right, bottom left or center), Rotation (degrees), Size (Maintain Aspect Ratio, width) and Opacity (percent)] Remove Image Overlay: Removes the image overlay from the 3D Geo View. Allow Image Dra
7. As a result, we are shown the MAC address of each of these nodes. The important thing that we discover is that the large node's MAC address is very close to that of the belkin54g BSSID (00:11:50:43:55:C1). This suggests that it is probably an Ethernet interface on the wireless access point, while 00:11:50:43:55:C1 is the MAC address belonging to the wireless interface. A similar thing is going on with the 00:1E:E5:59:2E:A2 node of the Berkowitz network, suggesting the same thing is going on there. The belkin54g example is a very common signature for someone who plugged a wireless access point into an active switch port and started using it with out-of-the-box open configuration. This is a problem for a network security officer because anybody listening to the radio signals nearby can see any connections and information being passed by the network's client(s). Unless you have decrypted the packet files ahead of time with software such as Wireshark (http://www.wireshark.org), seeing IP layer communication in this view should draw an immediate red flag. Analyzing part of the edge tooltip between the MULTIPLE IP node and 192.168.2.3, as well as the DNS results, shows that the local wireless client on belkin54g is connected to many home broadband computers on various unreserved ports, possibly indicating that the access point is being used as a gateway for an Internet gamer. In th
8. [Screenshot: list of networks with SSID and BSSID] Access points with missions can be grouped by mission, allowing easy detection. [Screenshot: Device Explorer grouped by mission: Accounts Payable, ERP Dev, Federal Concessions, Project X Servers, Retail, Unspecified] 6 Communication Flow Graph: A communication flow graph is an analytical tool designed to visualize the relationships of and data flow among IEEE 802.11 wireless devices (e.g., laptops and peripherals with network cards, network access points, personal digital assistants). The flow graph is derived from processing a packet capture file. It allows users to observe data flow relationships across multiple layers of the TCP/IP and OSI network models. 6.1 Flows View: This view is a visual rep
9. For example, if you hold SHIFT and click to select the WPA node, all devices that have WPA enabled will become highlighted in all of the views. By holding CTRL while selecting devices, you can select several devices to become highlighted in all of the views. Panning: Left clicking on the display allows you to pan. Zooming: Holding right click and moving the mouse up or down causes the view to zoom out/in. Right clicking without moving the mouse will cause the display to refit to the current window size. Searching: The search bar in the lower right of the display allows you to query for a particular BSSID, SSID, MAC address or other label currently in the display, such as WEP. The sample below shows that only one linksys device was found. It is unencrypted and of type infrastructure. This searching is incremental, so as you type, matching nodes will be highlighted. A right click in the search panel outside of the text editing area will pop up a list of search results, if there are any. The user can then click on a search result and the navigator will expand and zoom into that particular item in the graph. [Screenshot: Navigator view with nodes ad hoc (1), infrastructure (6), probe (1), WPA (3), WEP (1), Unencrypted (2); the search shows 1 match] Toolbar: The toolbar of the Navigator view contains the following buttons. History Mode: This option is only available whe
10. It is easy to see what function the access points have now. [Screenshot: Device Explorer listing access points under APPLE INC, Netgear Inc and The Linksys Group Inc, with the Channels and Legend views] Group by Mission [Screenshot: 3D Geo view with the network table below it]
11. MeerCAT. Wired Captures View: In the Wired Captures view, each wired capture that was imported is listed and may also be removed by right clicking on the capture and selecting Delete. Checking off the capture will make the capture data visible to any view that will handle it. Flows View: In the Flows view, wired capture data is only considered when the graph is in IP Flows mode. For more information on the Flows View, see the Flows View help section. Flow Details View: In the Flow Details view, wired data is displayed just like wireless data, except the BSSID and SSID fields will be blank for each of these flows, as there are no associated wireless networks. 7 Reporting. 7.1 Reporting Features: MeerCAT contains various ways to report and present the results of an audit or security analysis. This includes copy to clipboard, exporting a view to an image file, drag and drop views to other applications, e-mail views, and template-based report generation to Word or PowerPoint. Most of these features are available via the main Report menu. Annotations can also be added to views, which are then included in the report and also in e-mail reports. Generate Report: The Report > Generate Report menu will take a given Word or PowerPoint template and insert associated views
12. [Screenshot: Device Explorer context menu (Zoom To, Set Visible, Set Exclusively Visible, Ranges, Detection Points, Local Radiation Field, Popup Display, Drive Path, Classification, Mission Mapping, Copy, Delete) with the Mission Mapping flyout listing Accounts Payable, ERP Dev, Project X Servers, Unspecified, Other] Color the Network by Mission: Access points/networks can be colored by mission; use the Window Preferences again, this time selecting General Colors. [Screenshot: Preferences window, General Colors page, with color settings for Encryption (WPA, WEP, Other, Unencrypted) and Classification (Misconfigured, Trusted, Friendly, Rogue). Note: Channel colors are fixed. See Channels view for legend.] Colored by Mission
13. Using the Zoom To tool on a discovery run in the Device Explorer (as described in Device Explorer View), the coordinated 3D Geo View below shows all the detected devices in the selected discovery run. The 3D Geo View also provides tools to further analyze the attributes of detected wireless devices. (1) Display a device's attributes by Right Click Device > Show Popup Display. (2) Invoke Coordinated Views to inspect wireless devices by Left Click on any device on the map. This will highlight the device in the other MeerCAT Console views. Tip 1: Encrypted devices show a lock symbol. Tip 2: The device encryption level is displayed on the device icon, e.g. WPA or WEP. (3) User customizable views are supported, including the ability to redefine the color coding of wireless networks. Choose the attribute to color networks by: (a) MeerCAT Windows Menu > Preferences. (b) Select the attribute that the device color will represent: Encryption, Classification or Channel. (c) Click on any color buttons to select the color code for the selected attribute. Tip 3: The network color is preconfigured to represent device classification. The default is Blue: Secure/Trusted; Red: Unsecure/Rogue; Purple: Friendly; Orange: Misconfigured. The 3D Geo Vie
14. [Screenshot: MeerCAT console with the Navigator, Device Explorer, 3D Geo and Timeline views and the Networks table (columns: SSID, BSSID, Encryption, Classification)] Views can be re-sized by grabbing and dragging the view bounds or by using the minimize o
15. also that a potentially vital network asset's IP address is being exposed through unencrypted radio broadcast. WiFi Broadcast Domain Example [Screenshot: WiFi Flows graph with multicast nodes 01:00:5E:7F:FF:FA and 33:33:00:00:00:0C and the filter panel (Network Layer Filter, Node Type Filter, Search Filter, Link Sizes, Network Border, Probe Filter, Network Filter); node tooltip: Manufacturer Cisco Linksys LLC, Channel 6] In this example we see the access point OrientPoint talking to its broadcast MAC address. In addition, there are several other generic data link layer nodes that are also sending broadcast messages through the air. Since it looks like there's over 30 nodes sending broadcast messages to the air through the access point, this should draw a red flag, if not for security issues but for performance, since large broadcast domains can cripple network performance. [Screenshot: WiFi Flows graph and filter panel]
16. [Screenshot: Device Explorer with Points of Interest] The devices that remain will show the comparisons you have selected. [Screenshot: MeerCAT console showing the comparison "Location moved by more than 300 feet" across the Device Explorer, 3D Geo, Navigator and Network Topology views]
17. nodes are nodes that contain at least one multicast, broadcast, loop-back, or any other reserved non-public address. Public IP nodes represent IPv4 addresses that are public. [Screenshot: WiFi Flows graph with Broadcast nodes, the filter panel, and a node tooltip showing Datalink Layer addresses, Wireless Network(s) "default" and Manufacturer Elitegroup Computer System Co (ECS)] In WiFi Flows mode, nodes with multiple IP addresses will be depicted larger and labeled MULTIPLE IP. In addition, Wireless Network nodes that are associated with any IP information will be depicted larger than normal nodes, since their color will not be overridden by additional network layer information like their client and multic
18. rogue; Channel; Type: infrastructure, ad hoc, probe; Max Rate; Encryption: WPA, WEP, None; Cloaked. Known Clients: MAC address; Classification: trusted, friendly, rogue. Tip 3: Users can manually redefine the classification of wireless devices or set the baseline (expected) configuration of known devices in the Device Explorer. 2. To import more than one CSV file (for example, to import a CSV file for wireless networks and a separate CSV file for wireless clients), repeat Step 1 for each file. 4.5 Importing Wired Capture Data: MeerCAT allows users to import Ethernet packet captures for limited use in some views, namely in the Flow Details View and the IP flow graph type of the Flows View. [Screenshot: Wired Capture Import dialog, "Select a packet capture file to import", with fields Packet Data file and Capture label (EthernetTest1)]
19. security posture, assist in forensic investigation and ensure policy compliance. Visualizes Communication Flows: MeerCAT's wireless network traffic visualization improves the visibility of network performance and security concerns. The visual analytic tool processes packet capture files and visually aggregates network traffic and wireless packet flow. Coordinates Views for Investigation: MeerCAT users can drill down from any window view for additional details about detected wireless networks and clients. Coordinated views allow users to quickly select a device of interest in one MeerCAT window and highlight the device in all other views for various perspectives. Supports Data Filtering: MeerCAT enables users to view, analyze and filter wireless discovery and security data by a range of variables, including the operating channel, SSID, asset security policies or events. Helps Assess Risks: MeerCAT users can assign missions to devices to help assess security risks due to network vulnerabilities and threats. Generates Reports: MeerCAT auto-generates a range of reports to present the results of an audit or security analysis, such as in Word or PowerPoint. MeerCAT also allows users to copy a MeerCAT view and place on a clipboard, export to an image file, drag and drop to other applications, and e-mail to colleagues and decision makers. Delivers Out-of-the-Box Integration: MeerCAT's data integration with wireless discovery and other securit
20. that the reality of this graph is that most, if not all, of the data link layer clients are actually machines on the same wired LAN segment as the access point. This is just not good practice, if not for performance then for security as well, considering all broadcast traffic from the wired LAN is being transmitted in the air as well, not only exposing the MAC addresses of several assets on the wired network, but also providing a steady flow of data through the air which could be used to aid a hacker in exploiting encryption key vulnerabilities that exist in protocols such as WEP. One possible fix to this is to put the access point on a different VLAN or subnet than the other clients, allowing a router to take care of passing any traffic that might need to be passed between the wired and wireless segments of the LAN, rather than just automatically forwarding the broadcasts. 6.2 Flow Details: The Flow Details View is a companion to the Flows View and requires that packet data was captured during the detection run and loaded into MeerCAT. This view allows the users to see detailed information about a particular packet capture. It can also be sorted by any one of the data fields. This table view is tied in with selecting wireless networks and clients in other views, which will allow analysts to quickly associate traffic with individual networks. IEEE 802.11 and Ethernet fr
21. [Flow Details table screenshot: rows of IP flows with source and destination addresses, ports and IP protocol] Since we are observing IP communication and there are several IP addresses aggregated into the single node, we switch the graph type over to IP Flows mode. This mode builds the graph nodes based on IP address, giving us a flow graph similar, if not the same, to other network layer flow graphs. In this view, with the help of the flow details table, we can see that information is being passed from the IP address 10.31.0.1 to 192.168.1.104 via port 0 in an Internet Control Message Protocol (ICMP) packet. If 10.31.0.1 happens to belong to a router interface on the LAN to which the linksys access point is connected to (which is probably the case), we can identify that not only is the unencrypted linksys access point a back door to the LAN, but
22. [Clients table screenshot: rows of client MAC addresses with network, classification, manufacturer and timestamp] Toolbar: The toolbar of the Clients view contains the following button. History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of the particular wireless network(s) in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s). 5.5 3D Geographic View: The 3D Geo View provides the tools to locate wireless networks and clients on 3D topographic satellite imagery. Users can navigate anywhere on the globe, down to street and building views, to locate friendly and rogue devices.
23. [Screenshot: DNS lookup results shown for the node, with the node context menu (Perform DNS lookup, Zoom To, Copy)] In this second screen shot we have decided to go straight to the large node labeled MULTIPLE IP in the belkin54g network. In addition to this link layer address being the owner (or next hop) of multiple IP addresses, they are also remote IP addresses that we are concerned with. To begin, we right click on the node and perform a DNS lookup. This gives us an idea as to what sort of IP addresses belong to this link layer entity. [Screenshot: WiFi Flows graph with the Network Layer Filter options] Using the Network Layer filter, we told the WiFi Flows graph to ignore network layer information when displaying the visual attributes of the nodes
24. [Networks view screenshot (tabs: Clients, Flow Details); table columns: MAC Address, Encryption, Classification, Manufacturer, Mission, Network Type, Channel, Radio Type] Toolbar: The toolbar of the Network
25. Welcome to Secure Decision's MeerCAT. MeerCAT Pro User Manual. Applied Visions, Inc. (AVI), Secure Decisions Division, 6 Bayview Avenue, Northport, NY 11768, www.secureDecisions.AVI.com, 631-754-4920, meercat securedecisions com. MeerCAT Pro Version 3.2 Release. Copyright 2007-2011. All rights reserved, Applied Visions, Inc. Distribution of this work is prohibited unless prior written permission is obtained from the copyright holder. MeerCAT is a trademark of Applied Visions, Inc. All other trademarks and copyright are the property of their respective owners. MeerCAT User Manual, Page 2 of 87. TABLE OF CONTENTS: [...] 1.2 What are the Benefits of MeerCAT; 1.3 What are MeerCAT's Key Features & Functions; [...] 2.2 MeerCAT Feedback and Additional Information; [...] 3 Accessing and Navigating MeerCAT; [...] 3.2 Customizi
26. (Table of contents, continued)

5.8 Channels View
5.10 Device History View
5.11 Overlays
5.12 Legend View
5.13 Image Viewer: Adding Images; Displaying Images; Removing Images
5.14 Mission Mapping: Preferences Page for Mission Mapping; Choosing a Color for the Mission; Assigning the Mission to an Access Point; Color the Network by Mission; Colored by Mission; Group by Mission
Communication Flow Graph
6.1 Flows View: User Graph Interaction; Communication Patterns; Usage Scenario; WiFi LAN Example; WiFi Broadcast Domain Example
6.2 Flow Details
6.3 Wired Captures: Wired Captures View; Flows; Flow Details View
Reporting Features: Generate Report; Copy Screenshot of Active View
27. select Properties. This will bring up the Display properties panel.

Step 2: At the top of the window, click on the Settings tab. This will bring up detailed information for graphics and reveal the hardware vendor. This will be necessary to download the proper driver.

Step 3: In the middle of the screen is a pull-down menu labeled Display. Read the contents of the box and look for one of three key words: ATI, Nvidia or Intel.

Step 4: Download the appropriate driver based on the previous step. The drivers for each can be found at:
ATI/AMD: http://ati.amd.com/support/driver.html
Nvidia: http://www.nvidia.com/content/drivers/drivers.as
Intel: http://www.intel.com/support/graphics/index.htm

Step 5: Download the driver to your desktop and run it, following all default instructions. This step may prompt your computer to reboot. Make certain any open applications have saved, and allow the computer to reboot.

If you still experience problems, this is sometimes related to the amount of memory allocated to MeerCAT. Decreasing the JMX value as described in the next question sometimes resolves this issue.

You will also experience this behavior if running MeerCAT on a virtual machine or
28. [Screenshot: Flows preferences page with color settings for the Layer Filter and Node Type Filter]

Colors used to depict the datalink layer vs. the network layer can also be customized.

Another feature of the Flows View which can be customized is the duration of the force-directed graphing feature of the display. The Flows View uses a technique which positions the nodes depicted in the View so that all the edges are of more or less equal length, and which minimizes the crossing edges as much as possible. The number of seconds during which this technique is applied can be controlled by specifying the duration. As of this writing, the default is 8 seconds, as seen in the screenshot above.

8.3 General Colors

Colors can be helpful in highlighting specific areas of interest throughout MeerCAT. To further manage color settings, it is possible to color wireless networks identified by MeerCAT according to Encryption, Channel, Classification or Mission. To perform such customization, select the Window > Preferences submenu. Then choose General Colors.

[Screenshot: Preferences dialog with the General Colors page selected]
29. (Table of contents, continued)

Save Screenshot of Active View
Email Screenshot of Active View
7.2 Report Templates
8.1 Bookmarks
Frequently Asked Questions

1 Introducing MeerCAT

1.1 What is MeerCAT?

MeerCAT (Mobile Cyber Asset Tracks) is a visualization tool specifically developed to help users locate wireless assets and networks and assess the risks to their organization. It is designed for post hoc analysis of data acquired from site surveys or wireless security audits, such as war drives, that discover, identify and locate wireless transmitters.

[Figure: MeerCAT visualization supports location and risk assessment of wireless devices that may threaten DoD networks]
30. Remote Desktop Connection (RDC).

2. What is the best configuration for working with large datasets?

The MeerCAT.ini file located in your installation directory can be modified with a text editor to give MeerCAT more system memory. The Xmx value represents the maximum amount of RAM given to MeerCAT. The default value is 768 MB. For systems with a large amount of available memory, you may want to increase this value to 1024 MB or higher.

Another way to reduce memory requirements is to have only the views of interest visible. Closing views not in use will reduce memory load, especially views that have requested historical data. Although you may notice memory usage peak, MeerCAT uses advanced caching and performance optimization to use available memory most efficiently.

3. How does MeerCAT determine a device's location?

If only the network XML file is imported, MeerCAT uses the center of the detection range, i.e. ((max lat + min lat) / 2, (max long + min long) / 2). If the GPS file is used, then an average of the detected GPS points weighted by the square of the signal strength is used, but only points whose signal strength is within 10 of the maximum (note that does not mean top 10 of the points).
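The two location rules from question 3, written out as an added Python example (this is not MeerCAT's own code). It assumes signal strength is a positive value on a linear scale and reads "within 10 of the maximum" as within 10 percent of the peak; the type, the function names and the sample points are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GpsPoint:
    lat: float     # decimal degrees
    lon: float     # decimal degrees
    signal: float  # assumption: positive, linear scale, larger means stronger


def range_center(points):
    """Network-XML-only case: midpoint of the detection range."""
    if not points:
        raise ValueError("no detection points")
    lats = [p.lat for p in points]
    lons = [p.lon for p in points]
    return ((max(lats) + min(lats)) / 2, (max(lons) + min(lons)) / 2)


def strong_points(points, within=0.10):
    """Keep the points whose signal lies within `within` of the peak signal.

    `within` is a fraction of the peak (assumed reading of the manual's "10").
    """
    if not points:
        raise ValueError("no detection points")
    if any(p.signal <= 0 for p in points):
        # Squaring a negative dBm reading would favour the weakest samples.
        raise ValueError("signal must be positive; convert dBm to a linear scale")
    floor = max(p.signal for p in points) * (1.0 - within)
    return [p for p in points if p.signal >= floor]


def weighted_location(points, within=0.10):
    """GPS-file case: mean of the strong points, weighted by signal squared."""
    kept = strong_points(points, within)
    weights = [p.signal ** 2 for p in kept]
    total = sum(weights)
    lat = sum(w * p.lat for w, p in zip(weights, kept)) / total
    lon = sum(w * p.lon for w, p in zip(weights, kept)) / total
    return lat, lon


def top_fraction(points, fraction=0.10):
    """Contrast case the manual rules out: the top N percent of points by rank."""
    count = max(1, int(len(points) * fraction))
    return sorted(points, key=lambda p: p.signal, reverse=True)[:count]


# Constructed drive-by samples for one access point: three strong readings
# near the device and seven progressively weaker ones further down the road.
SAMPLE_POINTS = [
    GpsPoint(38.8970, -77.0360, 100),
    GpsPoint(38.8972, -77.0364, 96),
    GpsPoint(38.8968, -77.0362, 92),
    GpsPoint(38.8980, -77.0380, 70),
    GpsPoint(38.8990, -77.0390, 55),
    GpsPoint(38.9000, -77.0400, 40),
    GpsPoint(38.9010, -77.0410, 30),
    GpsPoint(38.9020, -77.0420, 25),
    GpsPoint(38.9050, -77.0450, 15),
    GpsPoint(38.9100, -77.0500, 10),
]

if __name__ == "__main__":
    print("center of detection range:", range_center(SAMPLE_POINTS))
    print("points within 10% of peak:", len(strong_points(SAMPLE_POINTS)))
    print("top 10% of points by rank:", len(top_fraction(SAMPLE_POINTS)))
    print("signal-weighted location: ", weighted_location(SAMPLE_POINTS))
```

On the constructed samples the range midpoint lands well up the road from the strong readings, while the weighted estimate stays among them, which is why an estimate placed by the first rule deserves less trust when locating a rogue access point.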
31. Toolbar

The toolbar of the Timeline view contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network.

Zoom In: This option will increase the calendar scale, as pictured above. Zoom In is also available using Ctrl + mouse wheel up.

Zoom Out: This option shrinks the calendar scale. Zoom Out is also available using Ctrl + mouse wheel down.

Reset Zoom: This option returns the timeline to its default view.

Networks: Lists all discovered network devices and shows an event indicator on dates network devices were actually detected.

Networks with Clients: Lists all discovered network devices with an event indicator shown on dates when clients were attached to those networks. Individual event indicators are s
32. T to locate both authorized and unauthorized (rogue) access points and unsecured wireless devices. MeerCAT users can also see which assets wireless devices are connecting to.

Among the benefits of using MeerCAT to analyze wireless risks:

Supports post hoc analysis of multiple wireless discovery sessions for periodic security audits and ongoing assessment of external and internal wireless networks.

Provides interactive and coordinated geospatial, topological and spatio-temporal views to quickly locate potential security issues and efficiently identify relevant vulnerabilities and threats.

Integrates current and historical information to show trends in the behavior of mobile assets and networks that highlight anomalies.

Interfaces to a variety of wireless discovery and security tools to give users the flexibility to use MeerCAT with their preferred tools.

1.3 What are MeerCAT's Key Features & Functions?

Geo-locates Wireless Devices: MeerCAT visualizes detected wireless devices and their status on 3D geographic maps, topographic satellite imagery and imported floor plans. Users can navigate anywhere on the globe, down to street and building views.

Generates Network Topology Maps: MeerCAT creates a topological view of detected wireless networks to understand the impact of wireless vulnerabilities and threats. Users can see the detected access points and the clients connected to them.

Visually Captures Wireless Device Classificatio
33. [Screenshot: WiFi Flows graph with its filter panel (Node Type Filter, Search Filter, Link Sizes, Network Border, Probe Filter, Network Filter)]

In trying to figure out what's going on here, we can run a quick search for Data frames. IEEE 802.11 frames contain a type and subtype field which describes what kind of frame is being transmitted. There are three major types (Data, Management and Control), and each one has a number of subtypes associated with it. It turns out that all of these nodes are broadcasting data, rather than beacon frames for example (which don't always imply a connection), so it's safe to assume that all of these nodes lie in the same broadcast domain.

A more important thing to notice here is that none of these data link layer MAC addresses can be considered wireless transmitters, since there were no frames intercepted that would suggest that they have this capability. This is visualized by the network border, and only nodes with a dashed border can be affirmed as wireless transmitting devices.

Upon further analysis of the network topology, trying to figure out what devices belong to what MAC address, we found
34. ame details are shown for all intercepted packets that are encapsulated in one of these link layer frames.

IP and ARP flows also show detailed information about network and transport (TCP/IP) layer attributes of a communication flow, such as source and destination ports, addresses and protocols.

[Screenshot: Flow Details table with the columns Start Time, Duration, Source MAC, Destination MAC, BSSID, SSID, IEEE 802.11 Type and Total Bytes; the rows shown are Management (0) frames, mostly Beacon (8), with one Probe Response]
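The IEEE 802.11 type and subtype values listed in Flow Details come from the two-byte Frame Control field at the start of every 802.11 frame. The following added Python example (not MeerCAT code) decodes that field and groups frames by transmitter address, which is the kind of check behind a search for Data frames; the MAC addresses and headers are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter, defaultdict

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
SUBTYPES = {
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data",
}


def parse_frame_control(header: bytes) -> dict:
    """Decode the little-endian Frame Control field of an 802.11 MAC header."""
    if len(header) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", header, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return {
        "version": fc & 0x3,
        "type": ftype,
        "subtype": subtype,
        "type_name": FRAME_TYPES[ftype],
        "subtype_name": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),  # frame body is encrypted
    }


def transmitter(header: bytes):
    """Return Address 2 (the transmitter) as text, or None if the frame has none."""
    fc = parse_frame_control(header)
    # CTS and ACK carry only a receiver address, so they never identify a sender.
    if fc["type"] == 1 and fc["subtype"] in (12, 13):
        return None
    if len(header) < 16:
        return None
    return ":".join(f"{b:02X}" for b in header[10:16])


def summarize(headers):
    """Count frames per transmitter, keyed by 'Type/Subtype'."""
    summary = defaultdict(Counter)
    for header in headers:
        sender = transmitter(header)
        if sender is None:
            continue
        fc = parse_frame_control(header)
        summary[sender][f"{fc['type_name']}/{fc['subtype_name']}"] += 1
    return dict(summary)


def data_senders(headers):
    """Transmitters seen sending at least one Data-type frame."""
    return {
        transmitter(h) for h in headers
        if parse_frame_control(h)["type"] == 2 and transmitter(h) is not None
    }


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_header(fc0, fc1, addr1, addr2, addr3) -> bytes:
    """Constructed 24-byte header: FC, duration, three addresses, sequence."""
    return bytes([fc0, fc1, 0, 0]) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"


# Constructed, locally administered addresses (not taken from any capture).
AP, STA, PROBER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
BCAST = "FF:FF:FF:FF:FF:FF"

SAMPLE_HEADERS = [
    build_header(0x80, 0x00, BCAST, AP, AP),      # beacon
    build_header(0x80, 0x00, BCAST, AP, AP),      # beacon
    build_header(0x40, 0x00, BCAST, PROBER, BCAST),  # probe request
    build_header(0x50, 0x00, PROBER, AP, AP),     # probe response
    build_header(0x08, 0x41, AP, STA, BCAST),     # protected data, to DS
    build_header(0x08, 0x42, STA, AP, STA),       # protected data, from DS
    bytes([0xD4, 0x00, 0x00, 0x00]) + mac(STA),   # ACK: receiver address only
]

if __name__ == "__main__":
    for sender, counts in summarize(SAMPLE_HEADERS).items():
        print(sender, dict(counts))
    print("sent data frames:", sorted(data_senders(SAMPLE_HEADERS)))
```

In the constructed sample the probing station never appears among the data senders, matching the manual's point that management frames alone do not always imply a connection.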
35. and view annotations. MeerCAT comes with two default templates, one for Word and one for PowerPoint. If a view is not visible, it will not be added to the report.

[Screenshot: Generate Report dialog with the fields Template, Output Directory, Output File, Analyst Name and the Launch Report checkbox]

Options

Template: Select from available Word or PowerPoint templates. Only the Word reports can contain detail table lists for Networks, Clients, Device History and Flow Details. If custom templates have been created, they will also appear here.

Output Directory: Browse to the location where you would like the report to be saved. The default directory can be changed in the Reporting Preferences options in Window > Preferences.

Output File: The filename to be used when saving the report.

Analyst Name: Name to be inserted into the report template when generating the report. The default analyst name can be changed in the Reporting Preferences options in Window > Preferences.

Launch Report: If this is checked, the report will automatically open after being generated. This will use whatever is currently configured to be your default WordML or PowerPoint viewer.

Copy Screenshot of Active View

Th
36. ast counterparts. A dashed border around a node shows that the node is known to be a wireless transmitter, even if not designated as a wireless network device. A node that is defined as a wireless network (shown in blue by default) is known to be a wireless transmitter and always has a solid border with a color based on encryption or classification.

Links

The graph links represent one-way communication between two network addresses. There are color distinctions for Datalink Layer links (that is, links that exhibit Ethernet or IEEE 802.11 link layer communication) and Network Layer links (links that exhibit IP communication). Their thickness is based on the amount of data passed between the devices. In addition, in the WiFi Flows mode there are symbolic connections, which show the user a symbolic association between a node and one of its associated access points. If the node can be traced to the access point without adding a symbolic connection, one is not added.

Filter

The filter is composed of several parts:

Graph Type: toggles graph mode (IP Flows or WiFi Flows).

Network Layer Filter: toggles visibility of network or data link layer information. If network layer is disabled, nodes and links will revert to their data link layer attributes and label, or disappear if they have none. If data link layer is disabled, any node or link without network la
37. attribute.

Tip 3: The network color is preconfigured to represent device classification. The default is: Blue = Secure/Trusted, Red = Unsecure/Rogue, Purple = Friendly, Orange = Misconfigured.

Controls

Mouse with scroll wheel

Pan: Left mouse button click & drag (all directions), or arrow keys, or double left click an area.
Zoom: Use the scroll wheel on the mouse, or hold Ctrl and arrow up or down on the keyboard, or use the zoom in and zoom out keys.
Tilt: Right mouse button click & drag up and down, or use Page Up and Page Down on the keyboard, or hold Shift and arrow up or down on the keyboard.
Rotate: Right mouse button click & drag left and right (note: crossing the top and bottom half of the screen while rotating will change direction), or hold Shift and arrow up or down on the keyboard.
Stop: Spacebar.
Reset Heading: N.
Reset all: R.

Single button mouse

Pan: Left mouse button click & drag (all directions), left mouse button click once to center the view, or arrow keys, or double left click an area.
Zoom: Hold Ctrl on the keyboard and left mouse button click & drag up and down, or hold Ctrl and arrow up or down on the keyboard.
Tilt: Hold Shift on the keyboard and left mouse button click & drag up and down, or use Page Up and Page Down on
38. ble clicking on a node will select all network, client and flow objects associated with it or its connections. You can select multiple items by holding the SHIFT key. Likewise, when a network, client or flow is selected globally, it will be highlighted in the display.

The search box will highlight links and nodes corresponding to a relevant MAC address, IP address, port, port name, network SSID or BSSID, and IEEE 802.11 frame types/subtypes. Typing "www" will highlight all nodes and links with a www port associated with them. Typing "192.168.1" will highlight all nodes and links in the 192.168.1.0/24 network.

A right click in the search panel, outside of the text editing area, will pop up a list of search results, if there are any. The user can then click on a search result to zoom into that particular item in the graph.

For additional information on using the WiFi Flows view, see the Communication Patterns section below and the Flow Details View help section.

Toolbar

The toolbar of the WiFi Flows view contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network
39. clients connected to each network.

Zoom to Fit: This option will refit the display to fit the size of the current display.

Orient Left-Right: This option will cause the display to show from left to right, as shown below.

[Screenshot: Navigator view with the groups ad hoc (1), infrastructure (6), probe (1) and WPA (3), WEP (1), Unencrypted (2)]

Orient Top-Bottom: This option will cause the display to show from top to bottom, as shown below.

[Screenshot: Navigator view, same groups]

Orient Right-Left: This option will cause the display to show from top to bottom, as shown below.

[Screenshot: Navigator view, same groups]

Orient Bottom-Top: This option will cause the display to show from top to bottom, as shown below.

[Screenshot: Navigator view, same groups]

5.8 Channels View

Another beneficial feature of MeerCAT is that it can display the channel distribution of detected devices. For example, the screen below shows that Channel 6 is most widely used, which is to be expected since Channel 6 is the default channel used by most access point vendors.
40. The Include subdirectories checkbox allows MeerCAT to search subdirectories for Kismet data to import. The Location name can be entered manually or, if an existing location is associated with the detection run, it can be selected from the dropdown.

4.4 Known Devices

MeerCAT allows you to add known devices, which serve as a baseline to alert MeerCAT users of unexpected changes, such as misconfigured devices or new devices that were not previously identified. This information is critical in defending one's network and enforcing security policies.

The Known Devices submenu can be selected from the MeerCAT File Menu.

[Screenshot: File menu with Import Kismet Data (Ctrl+I), Import NetStumbler Data, Bulk Import Kismet Data (Ctrl+Shift+I), Import Wired Capture Data and the Known Devices submenu (Add Wireless Network, Add Client, Import Wireless Networks from CSV, Import Client Devices from CSV)]

Manually Adding Known Devices

Known Networks: To add a known network, select from the MeerCAT File Menu: File > Known Devices > Add Wireless Network. This will open a properties dialog where you can fill in the expected information for the network. If the specified network has been detected, the information will be applied to it; ot
41. e Berkowitz network, we cannot see any IP layer information because the packets are encrypted. As such, we cannot determine how many or what kind of computers 00:C0:A8:EE:C0:7F is talking to if 00:1E:E5:59:2E:A2 is a routing interface. This is ideal for a network administrator, because the only thing that is being broadcast is that there is traffic passing between the access point and one of its clients.

WiFi LAN Example

[Screenshot: WiFi Flows graph with its filter panel]

In the example above, we see two wireless clients (192.168.1.104 and 192.168.1.101) communicating with a local node, 192.168.1.255 (probably broadcast, which we will find out soon), and another MULTIPLE IP node that is labeled local.

[Screenshot: WiFi Flows graph with a node tooltip reading Datalink Layer 00:12:17:38:E0:D8; Wireless Network(s): linksys (00:12:17:38:E0:D8); Manufacturer: Cisco-Linksys LLC]
42. f the latest, except in the Network and Clients table views.

Compare Detection Runs: Allows the user to select detection runs and compare them by showing only the devices that changed from one detection run to another, by looking at several attributes.

Filter Wireless Networks: Shows only wireless devices that fit criteria specified by the user in the selection window.

View Menu: Allows the user to change the order in which the devices show up (Sorting) and optionally group the devices by a criterion (e.g. grouped by encryption type). You can also export or import the list of items that are currently checked off in the Device Explorer.

Illustrative Windows

With Compare Detection Runs you can see if a particular network has changed its encryption, SSID, channel, type or location, which is beneficial in alerting you to security concerns or validating whether a corrective action has resolved an issue.

Choose the detection runs you want to compare by holding the SHIFT or CTRL key down to select them. Check off the attributes you want to compare.

[Screenshot: Compare Detection Runs dialog asking "What changes would you like to show?"]
43. g Images

To remove an image, select it in the image list and click on the Remove button at the top of the view. This will delete the image from the list.

User Controls

In the Image Viewer there are a number of mouse and keyboard controls that assist in image viewing. Use the mouse wheel to zoom in and out of the image. Likewise, the Page Up and Page Down keys will zoom in and out of the image, respectively. Click and hold the left mouse button anywhere in the display and move the mouse to pan the image up, down, left or right. Likewise, the arrow keys can be used to pan the image around the display.

Toolbar

The toolbar of the Image Viewer contains the following buttons:

Zoom to Fit: This option will refit the image to fit the size of the current display.

Previous Image: This option brings up the previous image in the viewer's image list.

Next Image: This option brings up the next image in the viewer's image list.

5.14 Mission Mapping

Mission mapping permits functional names to be added to an access point. For example, a wireless asset could have a mission of "Invoicing" or "Personnel". These access points can be grouped and colored by mission, thus facilitating visualization.

Preferences Page for Mission Mapping

Access the Mission Mapping page by Window > Preferences. From this dialog you can create, rena
44. gging: Click to allow or disallow image dragging of the overlay in the 3D Geo View.

5.12 Legend View

The Legend View provides quick reference to the meaning of certain visual attributes, such as icons and colors, within the various MeerCAT views. It allows the user to quickly see which attribute the network icons are colored by, as well as which attribute the network topology stage is colored by. In addition, icons are provided to show the difference between Probe, Ad Hoc and Access Point (or infrastructure) wireless networks as they appear in the various views. The appropriate icons for encryption type are also listed. Finally, next to each entry in the legend view is a number in parentheses. This number represents how many networks in the visible data set are classified by this entry.

[Screenshot: Legend view listing Network Type, Encryption, Network Color and Stage Color entries, each followed by its count]

Interaction

The legend view is automatically updated when new data becomes visible or the user changes one of the colors in the MeerCAT Preferences. In addition, double clicking on one of the icons in
45. herwise it will appear as Not Present, as depicted below.

[Screenshot: Device Explorer tree with known networks listed under Not Present]

Known Clients: To add a known client device, select from the MeerCAT File Menu: File > Known Devices > Add Client. This will open a properties dialog where you can fill in the expected information for the client. The information will be applied to any instances of the client that have been detected or that are detected in the future.

[Screenshot: Client Properties dialog with the fields MAC address and Comments]

Importing Known Devices from a CSV File

MeerCAT also supports import of CSV (Comma Separated Values) files. Its purpose is to import a list of known devices into MeerCAT.

1. To import a CSV file, select from the MeerCAT File Menu: File > Known Devices > Import Wireless Network/Client from CSV. This will launch a browser window to locate and select the CSV file to import.

Tip 1: Sample CSV files are provided on the MeerCAT CD.

Tip 2: The expected order of the CSV file fields is as follows. Known Networks: SSID, BSSID, Classification (trusted, friendly
46. his text will be replaced at report generation time with the actual table data.

MeerCAT Networks
MeerCAT Client
MeerCAT DeviceHistory
MeerCAT FlowDetails

Annotations

View annotations can be added to a document or presentation. The following keywords are used:

MeerCAT Geo3D Notes
MeerCAT Flows Notes
MeerCAT NetworkTopology Notes
MeerCAT Navigator Notes
MeerCAT Timeline Notes
MeerCAT ImageViewer Notes

8 Other Preference Options

8.1 Bookmarks

Bookmarks can be used to save the settings in a particular 3D Geo View, such as zoom level or specific areas of interest. Select the View Menu from the 3D Geo Toolbar. Then choose Bookmark > Add.

[Screenshot: 3D Geo view menu with Bookmarks > Add]

Next, enter a memorable name for the bookmark, then click OK.

[Screenshot: dialog "Enter the name for this bookmark" with the example name Washington Monument]

Bookmarks can be deleted or renamed through the Preferences menu. From the MeerCAT main menu, select Window > Prefe
47. hown for individual clients. In this view, holding the mouse over an event indicator will show a pop-up window with the client details.

[Screenshot: Timeline view in Networks with Clients mode]

Clients and Networks: Lists all discovered clients with an event indicator on dates they connected to network devices. Holding the mouse over an event indicator will show a pop-up with the individual network device details.

[Screenshot: Timeline pop-up for the linksys network showing Date Detected: Wed Jun 2 2010; Time Detected: 3:54:57 PM to 3:56:54 PM; Duration: 2 minutes; Channel: 6; Encryption: Unencrypted; Type: infrastructure; Classification: Friendly]

5.10 Device History View

This view displays data in the chronological sequence it was obtained, based on MAC address. If a device was once a network and then a client, that pattern can be seen here. You can also click the play button to animate the device's location on the 3D Geo View.

[Screenshot: Device History table with columns including IP, Latitude, Longitude, Encryption, Network Type, Channel and Carrier]
48. ients connected to trusted networks and trusted clients connected to rogue networks.

5.7 Navigator View

The Navigator View provides an alternative tree representation of the networks checked in the Device Explorer. The Navigator view is helpful for visualizing and navigating large amounts of data. As nodes are selected in the tree, the view changes its focus to that item, maximizing screen space. This view also provides extensive grouping, aggregation, filtering and searching capabilities.

In the example below, color darkness is used to indicate groups with a greater count. Alternatively, coloring can be based on packets or the number of clients connected to the network. Here we see that the bulk of the networks are of type infrastructure. We know this based on the darker color and the count of 6 displayed in the label.

[Screenshot: Navigator view with the groups ad hoc (1), infrastructure (6), probe (1) and WPA (3), WEP (1), Unencrypted (2)]

Selection/Highlighting

If a node has not been expanded, double clicking it will cause focus to that node and expand any available children. If an item represents a specific device in the data set, selecting it will cause it to become highlighted, and all the other views within MeerCAT will highlight that group as well. In addition, if you hold the SHIFT key and select an item, the item becomes highlighted, as well as all of its children.
49. [Screenshot: MeerCAT main window showing the Device Explorer, 3D Geo, Network Topology, Channels, Legend, Networks, Clients, Flow Details, Timeline, Device History and Overlays views]

By placing different views in separate monitors by dragging the view title ba
50. ion run to expand the view of detected networks.

Tip 1: Number of detected networks in a discovery run is the number adjacent to the run.

Tip 2: Networks with unknown locations are annotated with a mark on the device icon.

2. Expand each discovered network to show the discovered clients connected to that network. Click on the symbol adjacent to each network to expand the view of detected connected clients.

3. Update the attributes of a device. Users can quickly update device properties after an analysis of a discovery session. For example, a device initially classified as rogue may be a neighboring network that is friendly, which the user may then reclassify. Right-click client > Properties.

4. Update the attributes of a wireless network. Right-click network > Properties.

[Figure: Wireless Network Properties dialog] Set the properties For this wire
51. is menu option will copy the active view to your system's clipboard. This can be useful if you simply want to paste the view to another application. Ctrl+Shift+C is the shortcut key for this operation.

Save Screenshot of Active View: This menu option will export the active view to an image file. Available image types are PNG, JPEG, GIF, and Bitmap. Ctrl+Shift+S is the shortcut key for this operation.

Email Screenshot of Active View: This menu option will create a new email message using your default mail client (e.g. Outlook). This message will include the active view as an image attachment, and a view's annotation will be used for the body of the email message. Ctrl+Shift+E is the shortcut key for this operation.

Drag and Drop: Each view can be dragged and dropped into other applications. This can be done by holding down the Alt key while dragging a view's title.

View Annotations

Annotations can be added to the 3D Geo, Flows, Network Topology, Navigator, and Timeline views, similar to notes in PowerPoint. To show the view annotations, double-click or drag the gray bar at the bottom of each view. This will expand the view annotations control. Here you can type in notes, which will be included in Word, PowerPoint, and email reports.

[Figure: view annotations example]
52. less network

[Figure: Wireless Network Properties dialog with fields including Manufacturer, Network type, Encryption, Classification, Channel, Flagged, Comments for this device, and Override network location]

5. Zoom in on a discovery run or network for all MeerCAT Views. Right-click discovery run or network > Zoom To. Double-click discovery run, network or device.

Tip 4: Delete discovery run data by right-clicking on the Discovery Run in Device Explorer > Select Delete.

Toolbar

The toolbar of the Device Explorer view contains the following buttons:

Toggle Detection Run Location Grouping: Determines whether or not to group the networks and detection runs by the location that was specified when the data was imported.

Detection Runs: Shows a list of detection runs, and expanding each detection run will show the individual devices that were detected on that run.

Networks: Displays the latest history for all devices detected across all detection runs. The user can then select a network and look at the Device History view to see the instances when the device was seen, if Link With Selection is enabled in that view. If a particular historical instance is selected within the Device History view, that instance will be shown instead o
53. [Figure: filter panel with Local IP, Network Border (Encryption, Classification) and Probe Filter (Show probes) options]

To import a wired Ethernet capture, click File on the MeerCAT menu and select Import Wired Capture Data. This will bring you to an import dialog as illustrated above.

5 Using MeerCAT Fundamental Tools

5.1 MeerCAT Console

The MeerCAT Console provides multiple coordinated views of the same data for faster incident investigation. You can select a device of interest in one MeerCAT window, which will highlight the device in all other views to provide you various perspectives. These views are described in this chapter.

5.2 Device Explorer View

The Device Explorer view shows the imported discovery runs and lists the detected networks and connected clients for each run. It enables you to view, analyze, and filter wireless discovery and security data by a range of variables, such as the device type, manufacturer, SSID, and other device properties. The Device Explorer also provides a number of tools for coordinating other MeerCAT Console views and identifying the attributes of detected wireless devices.

1. Expand each discovery run to display the individual networks detected. Click on the symbol adjacent to each sess
54. [Figure: Flows view with the DNS Lookup Results dialog listing resolved host names and IP addresses; the filter panel shows Graph Type, Network Layer Filter, Node Type Filter, Search Filter and Link Sizes]
55. [Figure: WiFi Flows filter panel with Node Type Filter, Search Filter, Link Sizes, Network Border and Probe Filter options]

Above, we have disabled the network layer information of the graph and can see the similarities between the BSSID of the linksys access point and the MAC address of the local IP node associated with multiple IP addresses in our capture. Again, this suggests that the latter is the interface to which traffic is sent that will pass over a wired network.

[Figure: WiFi Flows view with a link tooltip and the Flow Details table (columns: Total Bytes, Total Packets, Average Packet Size, Source IP, Destination IP, Source Port, Destination Port, IP Protocol)]
56. me and remove mission names and assign colors to them. Missions can also be added through the Device Manager; select Other when prompted for Mission.

[Figure: Mission Mapping preferences page]

Choosing a Color for the Mission

Clicking on Color brings up the color picker.

[Figure: Mission Mapping preferences page with the color picker open]

Assigning the Mission to an Access Point

Once missions are created, any access point can be assigned the mission by clicking on the choice

[Figure: Device Explorer context menu]
57. n and Security Events: MeerCAT's color-coded and user-customizable iconographic representation of device classification and security status allows users to immediately identify wireless devices that present risks to their networks. Device details include the SSID, location coordinates, encryption type, and configuration.

Maps Access Point Coverage and Channels: MeerCAT generates wireless coverage maps based upon the location and RF signal strength of detected access points from war drives. It displays RF signal coverage areas to help users identify interference by neighboring networks and unauthorized stations, and signal spillage in unsecured perimeters.

Charts Channel Usage: MeerCAT charts the RF channel distribution for all detected networks. A histogram displays the frequency distribution of access points on each channel to determine potential interference.

Displays Events and Changes: MeerCAT users can interactively compare the results of war drives with comparative views between two points in time, such as before and after remediation. Geospatial and topological views allow users to track wireless asset movement and state changes over time.

Helps Analyze Device Behavior Over Time: MeerCAT users can benefit from the ability to analyze the activity of suspicious wireless devices over time. Events and trends can be viewed over days, weeks, or even months to help improve network
58. n the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network.

Navigator Grouping: This option allows you to set the grouping order of the tree.

[Figure: Navigator Grouping dialog. "Select the groups to use in the navigator view and the order in which to apply them." Available groups: Location Name, Classification, Detection Run, Manufacturer, Network Type, Flagged, Encryption Type, Cloaked, Has Location, Misconfigured, Channel, SSID. Buttons: Move Up, Move Down, Cancel]

Navigator Tree Options: This dialog allows you to set the depth of the tree, meaning how many children will be shown from the focused node. The dialog also allows you to select how the node should be colored: either by count, number of packets, or number of clients.

[Figure: Navigator Tree Options dialog. "Select tree depth and counting mode. Nodes with higher counts will appear darker in the display." Fields: Tree depth of interest, Counting mode]
59. ng the MeerCAT Console
[illegible entries]
4 Importing Data Into MeerCAT
4.1 Importing Kismet Data
4.2 Importing NetStumbler Data
4.3 Bulk Import Kismet Data
[illegible entry]
Manually Adding Known Devices
Importing Known Devices from a CSV File
4.5 Importing Wired Capture Data
5 Using MeerCAT Fundamental Tools
5.1 MeerCAT Console
5.2 Device Explorer View
[illegible entries]
5.6 Network Topology View
60. ngth: Enabled when one or more networks are selected; shows a heatmap which shows the signal strength around the network by interpolating from the detection points.

Toggle a display of the client's interpolated signal strength: Enabled when one or more clients are selected; shows a heatmap which shows a client's signal strength by interpolation.

Show extra information about an item on the map: Enabled when one or more networks are selected; shows a callout with detailed information about the network(s).

[Figure: callout showing 00:18:01:E9:A4:AD, Channel 1, Encryption WEP 40, Type infrastructure]

Toggle display of the drive path for a detection run: Enabled when one or more detection runs are selected; draws a line depicting the drive path.

Clear Extra Display Info: Clears out all extra info on the map (annotations, range overlays).

3D Specialized Controls

Additional controls are available in this View to supplement navigation within the view. This set of controls and buttons can be found in the lower left corner of the 3D Geo View.

Directional Control: Use this control to move the 3D image left, right, up, or down.

Zoom: Use these buttons to zoom in or out.

Rotation: Use these buttons to rotate the image to the left or right.

Tilt: Use these buttons to tilt the image forward or back
61. [Figure: MeerCAT Console overview with callouts for Communication Patterns, Network Topology, Wireless Devices and Location]

1.2 What are the Benefits of MeerCAT

Organizations are deploying or being exposed to wireless local area networks (LANs) to support mobile connectivity. However, wireless LANs present unique security challenges, as it is easy to introduce unauthorized or intercept authorized wireless signals in organizational networks. While there are numerous systems designed to help locate and assess wireless activity, they generate significant data that require experience and expertise to correlate and interpret. One of the challenges is to quickly turn the wealth of data into meaningful and actionable information. Visualization is an effective way to make sense of this data. MeerCAT arms users with advanced visual analytics specifically designed to facilitate and expedite the analysis of wireless discovery data to quickly locate and assess the risks of wireless assets. Professionals can use MeerCA
62. ny device. The device will be highlighted in all MeerCAT Console views.

[Figure: Network Topology callout showing SSID james, BSSID 00:16:B6:CB:7F:14, Type infrastructure, Encryption WPA, Classification Rogue]

Tip 2: There are a number of tools to navigate in the Network Topology View.

To center a network of interest in Network Topology View: Left-click and hold anywhere in white space around network icon > Move mouse to area.

To Zoom In/Out on any network: Right-click and hold > Move mouse forward and back.

Toolbar

The toolbar of the Network Topology view contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network.

Zoom the display such that all of its contents are visible.

Show only networks with clients.

Show rogue cl
63. o increase this threshold in order to reduce the time it takes to import the data.

3. On the Location name edit, enter the name of the location you would like to import the data into, such as the name of the site or building that was scanned. If you perform subsequent scans of the same location, you should select that location in the dropdown menu. If no location is specified, the data will get added to an Unspecified Location entry.

4. Once you have selected the file, click OK to import the data into the MeerCAT database.

5. To import more than one file, repeat Steps 1-3 above for each file you choose to import for analysis.

Note: NetStumbler only reports no encryption or WEP encryption. Devices may use a higher encryption but only show as WEP. Also, NetStumbler does not collect client information, nor does it collect packet data. Therefore, the Network Topology view will be limited, and the Flows and Flow Details views cannot be used.

4.3 Bulk Import Kismet Data

MeerCAT can import multiple Kismet data files in a single command. Access this feature through the MeerCAT File Menu: File > Bulk Import Kismet Data. This will launch the pop-up window.

[Figure: Bulk Import dialog. "Select a directory and then choose which files you wish to import." Options: Include subdirectories, GPS point aggregation threshold (Low 3m), Location name]
64. [Figure: General Colors preferences page for Encryption and Classification colors. Note: Channel colors are fixed. See Channels view for legend.]

8.4 Import Folder

By default, MeerCAT looks for data to import in a default user-specific folder (e.g. c:\Users\username.DOMAIN\Documents on Windows 7). This can be changed by accessing the Import preference screen shown below. Use the Restore Defaults button to switch back to the original MeerCAT default.

[Figure: Import preferences page with the Default import folder field]

8.5 Maintain Perspectives

MeerCAT allows users to tailor different views to suit the particular style of analysis and type of task. Once these View settings (which views are showing, which options have been invoked, which zoom level is in effect, etc.) have been created, they can be saved so that the workspace can be restored at any time. A list of available perspectives is available through the Window > Open Perspective submenu. The same list is available through MeerCAT Preferences. Access the list through the Window >
65. osing Other. Use the following screen, which also allows new tags to be added as needed.

[Figure: Device Explorer Tags menu listing Federal installations, Fixed retail and Residential]

Once defined, tags can be maintained through the Preferences menu. Select the Main Menu Window > Preferences and then the Tags option from the list on the left. The window shown below allows tags to be added, deleted, or renamed. Select New to create a new tag. To remove or rename a tag, first highlight it, make changes as needed, then select Rename or Remove as appropriate.

[Figure: Tags preferences page listing Federal installations, Fixed retail and Residential]

9 Frequently Asked Questions

1. The geographic globe appears but no imagery is displayed, only a halo outline.

This is commonly attributed to an outdated video card driver. Follow these steps to update your driver.

Step 1: These instructions are for Windows users. On the desktop, right-click and
66. r the user has access to simultaneous views of summary and detailed information.

Context Menus

Pressing the right mouse button within some views displays contextual menus based on the data represented by a selected data element. The example below shows the contextual menu for an access point listed in the Device Explorer.

[Figure: Device Explorer context menu with items Set Visible, Set Exclusively Visible, Ranges, Detection Points, Local Radiation Field, Popup Display, Drive Path, Device History, Flag, Channels, Classification, Tags, Mission Mapping, Copy, Delete, Properties]

3.2 Customizing the MeerCAT Console Views

There are several windows in the default perspective of MeerCAT; each window is called a view. The individual views are described in detail in Using MeerCAT Fundamental Tools.

[Figure: MeerCAT Console default perspective]
67. [Figure: Networks view and timeline showing the White House network]

The Wireless Network filter shows only wireless devices that fit the criteria specified by the user in the selection window.

[Figure: Filter Wireless Networks dialog. "Select the elements to exclude. Use commas to separate multiple values." Fields: Encryption Type, Classification, Radio type, BSSIDs, SSID, Channels, Accuracy, Date filter, Location filter]

5.3 Networks View

The Networks View offers another tool to simplify wireless device management and security, and helps you identify network devices based on their properties, including their MAC address, SSID, vendor, security, or channel. With the Network Device Table you can easily browse and sort through the various categories of detected devices to quickly validate unauthorized devices.

[Figure: Networks view table]
68. r maximize buttons. Views can be rearranged by dragging the view's title bar to another location.

Docking a View is changing the location of the view in the current layout.

Detached Views are views that are shown in a separate window with a smaller trim. When working with multiple monitors, it can be useful to put a detached view on a separate monitor. To detach a view, drag the view to the outside of the application window and release the mouse button.

The layout of the views is called a Perspective. You can always return to the default perspective by choosing Window > Reset Perspective from the main menu bar. To save the current layout, choose Save Perspective As.

[Figure: Window menu and Save Perspective As dialog. "Enter or select a name to save the current perspective as."]

Any view that has been closed can be reopened by choosing the View menu from the main MeerCAT menu.

[Figure: View menu with entries Spatial, Temporal, Flows, Alerts, Navigator, Channels, Legend, Wired Captures, Image Viewer]

Preferences

Preferences allow you to customize colors and set various options for some views.

[Figure: Preferences dialog, General Colors page]
69. rences. Then click on Bookmarks to see this dialog box. Highlight the bookmark of interest, then select Remove or Rename to maintain bookmarks.

[Figure: Bookmarks preferences page]

8.2 Flow Colors

The Flows View is capable of displaying many types of connections. To customize the display of connections in this View, from the MeerCAT main menu select Window > Preferences. Then click on the Flows selection.

[Figure: Flows preferences page with Network Layer Filter, Node Type Filter and Force Directed Layout (Layout Run Time, seconds) settings]

This page allows each address type (Broadcast MAC, Datalink MAC, Local IP, Remote IP, Wireless Network, and Other) to have its own color. To change colors, click on the color to select from the color palette.

[Figure: Flows preferences page with the color palette]
70. resentation of network communication flows across multiple network layers. The nodes represent network addresses, and the connections between them represent the direction, amount, and types of traffic.

[Figure: WiFi Flows view with filter panel (Graph Type, Network Layer Filter, Node Type Filter, Search Filter, Link Sizes, Network Border)]

Once the data is loaded, the display will lay out the graph, and a small overview at the top right of the filter shows the entire graph as well as a red box representing the area viewable in the main display.

Graph Type

There are two modes in which the Flows graph can be displayed: IP Flows and WiFi Flows (default). Both graphs represent the same data set using a different method for building the actual graph. WiFi Flows uses the data link layer addresses of packet flows to distinguish between nodes and then layers any IP information on top of that. IP Flows does the opposite. That is, each node in the WiFi Flows graph belongs to a unique MAC address
71. [Figure: General Colors preferences page for Encryption and Classification colors. Note: Channel colors are fixed. See Channels view for legend.]

4 Importing Data Into MeerCAT

4.1 Importing Kismet Data

1. To import Kismet (including Newcore) data you have collected, or the sample data set supplied with the MeerCAT CD, select from the MeerCAT File Menu: File > Import Kismet Data. This will launch the pop-up window.

[Figure: Kismet Import dialog. "Select a Network File to import. Optionally include GPS and/or packet data and specify location." Fields: Network XML file, GPS XML file, GPS point aggregation threshold (Low 3m), Packet Data file, Location name]

2. On the Network XML file edit, click Browse and then search for the folder with the Kismet network data formatted file (.xml, or .netxml for Newcore) you want to import into MeerCAT. The default location of the sample Kismet data is C:\Program Files\MeerCAT\demo.

3. On the GPS XML file edit, click Browse and then search for the folder with the Kismet GPS XML file (.gps, or .gpsxml for Newcore) you want to import into MeerCAT. This file is optional, but if selected will provide more analysis on the location of devices, such a
72. s range-based displays like the radiation field. The MeerCAT database supports the storage of large numbers of data files and high-performance data queries to quickly view and compare multiple wardrives. Nevertheless, you can choose to aggregate GPS detection points that are close to each other in order to minimize the number of points that are stored in the database. The default setting is 3 meters; this means that if two points are less than 3 meters apart, they will be combined and treated as one point. Increasing this threshold will allow more points to be combined and reduce the number of points that need to be stored. If you have a very long detection run, you may wish to increase this threshold in order to reduce the time it takes to import the data.

4. On the Packet Data file edit, click Browse and then search for the folder with the Kismet Packet Data file (.pcap, .dump or .pcapdump) you want to import into MeerCAT. This file is optional, but if selected will provide data for the Flows and Flow Details packet views.

5. On the Location name edit, enter the name of the location you would like to import the data into, such as the name of the site or building that was scanned. If you perform subsequent scans of the same location, you should select that location in the dropdown menu. If no location is specified, the data will get added to an Unspecified Loca
73. s unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network.

Stop Layout: This option stops the force-directed layout from acting on the graph.

Run Layout: This option will run the force-directed layout for the length of time specified in the WiFi Flows preferences.

Zoom to Fit: This option will refit the display to fit the size of the current display.

Magnifier: This option will turn the magnifier on or off. The magnifier will make nodes within the glass around the mouse point appear larger. Use the mouse wheel to determine the level to which the nodes are enlarged. Hold the CTRL key and use the mouse wheel to change the range (size of the glass around the mouse point) that the magnification should affect.

Toggle Filter: This option will hide or show the WiFi flows filter.

Communication Patterns Usage Scenario

The WiFi Flows View is a useful tool in analyzing wireless network flows. This help section contains examples on how to use the WiFi Flows View to learn more about the structure and vulnerability of wireless networks. For a general approach to understanding the WiFi Flows view, please see the WiFi Flows help in the Using MeerCAT Fundamental Tools section.

[Figure: WiFi Flows view]
74. s view contains the following button: History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of the particular wireless network(s) in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s). 5.4 Clients View. The Clients View is a companion to the Networks View, offering another tool to simplify wireless device management and security. Clients View helps you identify individual client devices based on their properties, including their MAC or IP address, associated network, classification, or when they were last seen. With the Clients View you can easily browse and sort through the various categories of detected client devices to quickly validate unauthorized devices. The Associations column can be useful for finding clients that have made connections to multiple networks. [Screenshot: Clients View table with columns MAC, Associated Network, Classification, Manufacturer, IP Address, Last Seen, Associations]
75. st [Screenshot: WiFi Flows filter panel showing Network Layer Filter (Datalink layer, Network layer), Node Type Filter (Wireless Network, Datalink MAC, Multicast MAC, Public IP, Local IP), Search Filter (Show only search result), Link Sizes (Total bytes, Total packets, Average packet size), Network Border (Encryption, Classification, Channel, None) and Probe Filter (Show probes, Hide probes)] Above is a picture depicting two wireless access points, Berkowitz and belkin54g. Since the border filter is set to encryption, this means that Berkowitz is using an encryption standard that is not WEP or WPA, and belkin54g is using no encryption. These color classifications are available in the legend view and can be edited in the MeerCAT preferences. What's important to note here is that the two of these wireless networks are set up and behave very similarly except for their encryption, which makes a world of difference in wireless networking. A good indication of whether or not a node belongs to a wireless interface is to look at its border. If it has a dashed border, then the available packet data shows sufficient evidence to suggest that the particular address belongs to a wireless transmitter. That makes the 192.168.2.3 and 00:C0:A8:EE:C0:7F nodes known wireless assets, probably somebody's laptop.
76. t Preferences and select Perspectives from the option list to the left. [Screenshot: Preferences dialog, Perspectives page, with the Available perspectives list and the Delete and Import buttons] To remove a perspective, highlight it and click Delete. 8.6 Reporting Options. By default, reports created using MeerCAT are written to a default folder, e.g. c Users username DOMAIN MeerCAT reports (Windows 7). A different folder can be specified by selecting Window > Preferences from the main menu and then selecting the Reporting option from the list on the left of the screen. This screen also permits the default analyst's name to be changed from the default. Use the Restore Defaults button to return both values to the initial installation values. [Screenshot: Preferences dialog, Reporting page, with the Output directory and Analyst name fields and the Restore Defaults and Apply buttons]
77. the keyboard. Rotate: Hold Shift on the keyboard and left mouse button click & drag left and right. Stop: Spacebar. Reset Heading: N. Reset all: R. Toolbar. The toolbar of the 3D Geo view contains the following buttons. Set Icon Display Options: Set icon display options controls automatic aggregation sizing of icons of the map. Decrease icon size: Decreases the size of all the icons on the map by half. Set icon size to 1.0x: Sets all icons back to their original size. Increase icon size: Increases the size of all the icons on the map by 2x. Add Image Overlay: Invokes the image overlay dialog. Zoom to the Location on the map: Enabled when one or more networks are selected; zooms to those networks when clicked. Show circular area depicting the longest distance a network was detected: Enabled when one or more networks are selected; draws a circle around the network showing the max detection radius. Toggle polygonal area of points where a network was detected: Enabled when one or more networks are selected; draws a polygon (convex hull) enclosing all the points where the network is detected. Show all points where the network was detected: Enabled when one or more networks are selected; shows all the points that a network was detected. Toggle a display of the access point's interpolated signal stre
78. the legend view will bring up the preferences page that is associated with the particular attribute. 5.13 Image Viewer. [Screenshot: Image Viewer showing computerimage.jpg] Above is a screen shot of a random image being shown by the Image Viewer. Adding Images: To add an image, click on the Add button at the top of the view. A dialog will appear; enter the image file's location or click the Browse button to select a file. The PNG, GIF, JPEG, BMP and WBMP file formats are supported by default. [Screenshot: Image Import dialog, "Select an image to load and choose a name for MeerCAT to identify that image", with File and Name fields] Next, pick a unique Name for the image to be shown in the image list. MeerCAT will suggest a name based on the image's original file name, but be sure to pick a name that you will remember. If an image by that name already exists in the image list, then a dialog will pop up asking if you would like to go back or overwrite the previous item on the image list. Displaying Images: To display an image, simply select it from the image list at the top of the view. All images that have been successfully added will be in this list, represented by the name given during the add image process. Removin
79. tion entry. 6. Once you have selected the file, click OK to import the data into the MeerCAT database. 7. To import more than one file, repeat Steps 1-5 above for each file you choose to import for analysis. 4.2 Importing NetStumbler Data. 1. To import NetStumbler data you have collected, select from the MeerCAT File Menu: File > Import NetStumbler Data. This will launch the pop-up window. [Screenshot: NetStumbler Import dialog with Network NS1 file, GPS point aggregation threshold (Low, 3m) and Location name fields] 2. On the Network NS1 file edit, click Browse and then search for the folder with the NetStumbler data formatted file (ns1) you want to import into MeerCAT. The MeerCAT database supports the storage of a large number of data files and high-performance data queries to quickly view and compare multiple wardrives. Nevertheless, you can choose to aggregate GPS detection points that are close to each other in order to minimize the number of points that are stored in the database. The default setting is 3 meters; this means that if two points are less than 3 meters apart, they will be combined and treated as one point. Increasing this threshold will allow more points to be combined and reduce the number of points that need to be stored. If you have a very long detection run, you may wish t
80. 1. Expand a channel to display the individual devices operating at a channel. Click on the symbol adjacent to each channel to expand the view of detected devices using this channel. Tip: Number of detected devices operating at each channel is the number adjacent to the bar chart. 5.9 Timeline View. The timeline view displays data in the chronological sequence it was obtained. One can view wireless networks relative to each other on the basis of the time they were obtained. With detection runs on the same route, devices can be compared over time. [Screenshot: Timeline view] A mouse click anywhere in the view will bring up the following menu: Zoom In, Zoom Out, Reset Zoom Level. Selecting Zoom In will increase the calendar scale, which can be repeated to allow hourly details to be seen. Zoom Out will shrink the calendar scale. Reset Zoom Level will return to the default view.
81. w provides the tools to locate wireless networks and clients on 3D topographic satellite imagery. Users can navigate anywhere on the globe, down to street and building views, to locate friendly and rogue devices. Using the Zoom To tool on a discovery run in the Device Explorer, as described in Device Explorer View, brings up the coordinated 3D Geo View below, which shows all the detected devices in the selected discovery run. The 3D Geo View also provides tools to further analyze the attributes of detected wireless devices. 4. Display a device's attributes by Right Click Device > Show Popup Display. 5. Invoke Coordinated Views to inspect wireless devices by Left Click on any device on the map. This will highlight the device in the other MeerCAT Console views. Tip 1: Encrypted devices show a lock symbol. Tip 2: The device encryption level is displayed on the device icon, e.g. WPA or WEP. 6. User-customizable views are supported, including the ability to redefine the color coding of wireless networks. a. MeerCAT Windows Menu > Preferences. b. Select the attribute that the device color will represent: Encryption, Classification or Channel. c. Click on any color buttons to select the color code for the selected
82. ward. Elevation: Use these buttons to increase or decrease elevation. 5.6 Network Topology View. MeerCAT automatically constructs topological maps of the discovered networks and connected clients to help you better understand the impact of wireless vulnerabilities and threat and determine the appropriate remediation. MeerCAT helps you see the detected access points and clients connected to them, including rogue and unsecure devices. Coordinated views allow MeerCAT users to quickly spot a network of interest in the Network Topology View to help identify connected clients and potential risks for further investigation. If multiple networks are checked off in the Device Explorer, then the latest information for that network will be shown. If only one network is selected, then all histories will be shown side by side over time. Tip 1: The network stage color is preconfigured to represent the network security state, where the default coding is Red: unencrypted, Blue: encrypted. Stages highlighted in yellow indicate the device has been user-selected for coordinated views. The stage is user-configurable: MeerCAT Windows Menu > Preferences. MeerCAT provides tools to analyze device attributes in the Network Topology View. 1. Place the mouse cursor over any device. A tooltip will appear with the device's attributes. 2. Invoke Coordinated views by Left Click a
83. y tools allow users to get immediate visual results from site surveys and security audits. 2 Getting Help With MeerCAT. 2.1 MeerCAT Technical Support. All technical inquiries and bug reports can be submitted via email to meercat support securedecisions com. 2.2 MeerCAT Feedback and Additional Information. Applied Visions Inc. welcomes and encourages feedback on its products from its customers. Please submit your product inputs, user requirements and feedback to meercat securedecisions com. 2.3 Licensing. The MeerCAT software is distributed with license key(s) for each qualified licensed user in your organization. Please refer to your MeerCAT Software License Agreement for terms and conditions. If you require additional licenses, please contact Applied Visions Inc. at meercat securedecisions avi com. 3 Accessing and Navigating MeerCAT. 3.1 Controlling MeerCAT Coordinated Views. Interactions between two or more views in the MeerCAT workspace are coordinated through MeerCAT's highlighting features. Selecting data in any view highlights the data in yellow in the other views. [Screenshot: MeerCAT workspace]
84. yer information will disappear. If both are disabled, nothing is shown in the graph unless show all networks is selected. Node Type Filter: toggles visual attributes and/or visibility of the various node types. A node will show visual attributes for the highest layer of information that is not filtered out. Search Filter: when enabled, will hide any item that is not a search result or is not somehow connected to a search result in the graph. Link Sizes Filter: toggles which attribute should be used to determine the size (thickness) of the links. The options are Total Bytes (total number of bytes in the flow represented by the link), Total Packets (total number of packets passed) and Average Packet Size (average size of packets passed through this link). Network Border Filter: toggles which attribute should be used to determine the border color of a Wireless Network node. This can be based on the network's encryption or its device classification. It can also be disabled to show a border that is slightly darker than its fill color. Probe Filter: allows the user to show or hide probe requests and responses. It also allows the user to show only probe requests and responses. Show All Networks: option to force all wireless networks to be shown on the graph even if they do not exhibit any non-point-to-point communication. User Graph Interaction: Clicking on a node or link will globally select its associated network(s), client(s) or flow(s). Dou
