MeerCAT Pro User Manual
MeerCAT User Manual, Page 91 of 108

8.2.3 Save Screenshot of Active View
This menu option exports the active view to an image file. Available image types are PNG, JPEG, GIF and Bitmap. Ctrl+Shift+S is the shortcut key for this operation.

8.2.4 Email Screenshot of Active View
This menu option creates a new email message using your default mail client (e.g. Outlook). The message includes the active view as an image attachment, and the view's annotation is used as the body of the message. Ctrl+Shift+E is the shortcut key for this operation. Note: in Windows the email client is launched automatically with the attachment already attached. Because the attachment is a picture of the view, it carries whatever SSIDs, MAC addresses and locations the view was showing; treat the resulting email like any other survey output.

8.2.5 Drag and Drop
Each view can be dragged and dropped into other applications. To do this, hold down the Alt key while dragging a view's title, as shown here. Note: not all applications support this feature.

8.2.6 View Annotations
Annotations can be added to the Geo, Flows, Network Topology, Navigator and Timeline views, similar to the notes in PowerPoint. To show a view's annotations, double-click or drag the gray bar at the bottom of the view; this expands the view's annotation control. Notes typed here are included in Word, PowerPoint and email reports.

[Screenshot: Geo View callout for network A7952, 00:18:01:EC:95:52, Channel 10, Encryption WEP-40, Type infrastructure, Radial Detection Distribution 0.0, Classification Unknown]
            </NorthEast>
        </Sector>
        <ForceLevelZeroLoads>true</ForceLevelZeroLoads>
        <RetainLevelZeroTiles>true</RetainLevelZeroTiles>
        <UseTransparentTextures>false</UseTransparentTextures>
        <RetrievalTimeouts>
            <ReadTimeout>
                <Time units="milliseconds" value="30000"/>
            </ReadTimeout>
        </RetrievalTimeouts>
    </Layer>

The layer will show up in the Layers View, under the value of DisplayName in the configuration file, the next time MeerCAT is launched.

5.5.7 Adding Bing Imagery
Bing imagery can be displayed by using a key obtained from the Bing Maps Account Center (http://www.bingmapsportal.com). Append the following line to MeerCAT.ini, located in the same directory as the MeerCAT executable, replacing key with your Bing Maps key:

    -DbingMapsKey=key

If a key is present, the Bing layers will show up in the Layers View the next time MeerCAT is launched. Note that the key is stored in clear text in MeerCAT.ini, so protect that file as you would any other credential.

MeerCAT User Manual, Secure Decisions, a division of Applied Visions Inc.

5.6 Layers View
[Screenshot: Layers view listing Compass, i-cubed Landsat, MS Virtual Earth Hybrid, Place Names, Scale bar, Status Layer, USDA NAIP, USGS Digital Ortho, USGS Urban Area Ortho and World Map]
The Layers view can be used to selectively disable and enable individual Geo View imagery sources.

5.7 Bounds View
[Screenshot: Bounds view containing a bound named Main Street]
The Bounds view displays a ta
[Image Overlay Setup dialog, continued: Browse; Location and Size: Latitude 40.8711425, Longitude -73.4100675, Elevation 0.0000, Width, Height, Maintain aspect ratio; Origin: Top Left, Top Right, Center, Bottom Left, Bottom Right; Rotation (degrees); 100 percent]

Remove Image Overlay: removes the image overlay from the Geo View.
Allow Image Dragging: click to allow or disallow dragging of the overlay image in the Geo View.

5.15 Alert Patterns View
In order to generate alerts, criteria need to be provided. Sets of criteria are stored in the form of Alert Patterns. MeerCAT includes a number of alert patterns for common wireless threats:

Name                     Description                                                                                    Is Enabled
Evil Twin                Classified as Unknown/Rogue; SSID matches a Trusted network                                   Yes
Misconfigured            Classified as Trusted; Misconfigured                                                          Yes
Mobile AP                Network Type is infrastructure; moved at least 1000 feet from previous location               Yes
Trusted Ad Hoc           Classified as Trusted; Network Type is ad hoc                                                 Yes
Trusted Default SSID     Classified as Trusted; SSID is default                                                        Yes
Trusted Mobile AP        Classified as Trusted; Network Type is infrastructure; moved at least 500 feet from previous location   Yes
Trusted Unencrypted      Classified as Trusted; Using Unencrypted                                                      Yes
Trusted WEP Encryption   Classified as Trusted;
[Screenshot: Device Explorer grouped by mission: Accounts Payable (2), ERP Dev (2), Project X Servers (2), Unspecified (464); A7952 and Aironet_AD:49:D9 with first/last seen 8/21/11 4:44 PM and 4:43 PM]

6.6 Group by Mission
Access points with missions can be grouped by mission, allowing easy detection. Use "Find an SSID or MAC address" (Ctrl+F) to locate a device within the grouped tree.

7 Communication Flow Graph
A communication flow graph is an analytical tool designed to visualize the relationships of, and data flow among, IEEE 802.11 wireless devices (e.g. laptops and peripherals with network cards, network access points, personal digital assistants). The flow graph is derived from processing a packet capture file. It allows users to observe data flow relationships across multiple layers of the TCP/IP and OSI network models.

7.1 Flows View
This view is a visual representation of network communication flows across multiple network layers. The nodes represent network addresses, and the connections between them represent the direction, amount and types of traffic.

[Screenshot: Flows view with its filter panel: Graph Type (WiFi Flows / IP Flows), Network Layer Filter (Network layer / Datalink layer), Node Type Filter ...]
[Screenshot: Navigator, Network Topology, Geo, Clients and Device History views for network FDS020 (00:A0:F8:4D:9E:1A, Channel 6, Encryption WEP-40, Type infrastructure, Radial Detection Distribution 67.3, Classification Unknown). Network Topology lists clients Cisco_2D:CF:80, Cisco_6F:58:06, Dell_C4:07:B2, Polycom_00:65:18, Portwell_1B:92:9C, SymbolTe_3C:D4:76 and SymbolTe_68:71:5E. Geo View at Lat 40.8209, Lon -73.4086, Elev 48 meters, 8/22/11 2:27 PM. Clients columns: MAC, Associated Network, Classification, Mission, Is Flagged, Tags. Device History columns: MAC Address, SSID, Network Type, First Seen, Last Seen, IP Address.]
Channel: In the 2.4 GHz range there are 14 designated channels. In the 5 GHz range there are 23 channels available, although most consumer equipment makers support only 8 of them.
Cipher: An algorithm for performing encryption or decryption.
Classification: A means of organizing wireless devices according to four categories: Trusted, Friendly, Rogue, Unknown.
Client: A device that accesses a network.
[term illegible]: Used to describe an Access Point that conceals its SSID.
CSV (Comma-separated values): A type of file that stores tabular or database-style information in plain text form.
Detection Point: The location at which a particular wireless network has been detected.
[term illegible]: A collection of data accumulated from a detector of WiFi wireless networks.
Device: Used in MeerCAT to denote either a Network or a Client.
Drive Path: A route taken by a vehicle on a detection run.
Encryption Type: The security protocol used to secure wireless networks. This can be WEP, WPA, WPA2 or Unencrypted.
Friendly: A Classification used to denote a device that is known to not be threatening.
Group Cipher: The cipher suite used to protect broadcast or multicast traffic from an Access Point to multiple Stations. If known, this can be WEP40, TKIP, CCMP or WEP104.
IEEE 802.11: A collection of IEEE specifications for wireless local area network communication. 802.11a signals in the 5 GHz frequency spectrum and supports a data rate of up to 54 Mbps. Due to this high frequency, 802.11a n
(Alert patterns table, continued) Trusted WEP Encryption: ...; Using WEP encryption; Is Enabled: Yes

To add a new Alert Pattern, click the Create Alert Pattern button in the Alert Patterns View toolbar. To disable or enable a pattern, right-click it and toggle the Enabled setting. To modify an existing pattern, right-click it and choose Modify. The Alert Pattern Properties dialog will appear.

The Alert Pattern Properties dialog ("Set the properties for this Alert Pattern") offers the following fields and criteria, each criterion enabled with its own checkbox:
- Name
- Severity
- Classification: Trusted, Friendly, Rogue, Unknown
- Encryption: WPA, WEP, Other, Unencrypted
- Maximum Signal Strength observed
- Network Type: Infrastructure, Ad hoc, Probe, Unknown
- MAC Address
- Detected at more than N locations
- Detected more than N times
- Moved by more than N feet from previous location
- Connected to N or more devices of the following classification(s): Trusted, Friendly, Rogue, Unknown
- SSID matches a network of the following classification(s): Trusted, Friendly, Rogue, Unknown
- Using Default SSID: Yes / No
- Misconfigured: Yes / No
- Radial Detection Distribution minimum
- Bounds: Outside / Within

5.15.1 Toolbar
Create a new Alert Pattern: presents the dialog above to create a new alert pattern.

5.16 Alerts View
The Alerts view displays a table of alerts that have been generated based on Alert Patterns. Each alert in the table d
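The built-in patterns above are each a conjunction of the criteria in the Alert Pattern Properties dialog. The following is an added example, not MeerCAT's own code, of how such patterns can be evaluated as predicates over a set of observed networks: the record layout, the sample networks, their MAC addresses and coordinates are all constructed for the example, and the "moved by more than N feet" criterion is implemented with a haversine great-circle distance, which the manual does not specify.

```python
"""Added example (not part of the MeerCAT manual or product): a small rule
engine that evaluates alert patterns of the kind listed in the Alert Patterns
view over constructed network observations. The Network record layout and the
sample data are assumptions made for this example."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Callable, List, Optional, Set, Tuple

FEET_PER_METRE = 3.28084
EARTH_RADIUS_M = 6371000.0


@dataclass
class Network:
    """One observed network (assumed record layout, not MeerCAT's schema)."""
    bssid: str
    ssid: str
    classification: str                    # Trusted / Friendly / Rogue / Unknown
    encryption: str                        # WPA / WEP / Other / Unencrypted
    network_type: str                      # infrastructure / ad hoc / probe / unknown
    location: Tuple[float, float]          # (latitude, longitude) of the latest detection
    previous_location: Optional[Tuple[float, float]] = None
    default_ssid: bool = False
    misconfigured: bool = False


def distance_feet(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points, in feet."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h)) * FEET_PER_METRE


def moved_at_least(n: Network, feet: float) -> bool:
    """'Moved at least N feet from previous location'; False if never seen before."""
    return (n.previous_location is not None
            and distance_feet(n.previous_location, n.location) >= feet)


def ssid_matches(n: Network, classes: Set[str], inventory: List[Network]) -> bool:
    """'SSID matches a network of the following classification(s)'. The network's
    own record is excluded so a Trusted AP does not match its own SSID."""
    return any(o.ssid == n.ssid and o.classification in classes and o.bssid != n.bssid
               for o in inventory)


# Name -> predicate(network, inventory), mirroring the built-in patterns table.
PATTERNS: List[Tuple[str, Callable[[Network, List[Network]], bool]]] = [
    ("Evil Twin", lambda n, inv: n.classification in {"Unknown", "Rogue"}
                                and ssid_matches(n, {"Trusted"}, inv)),
    ("Misconfigured", lambda n, inv: n.classification == "Trusted" and n.misconfigured),
    ("Mobile AP", lambda n, inv: n.network_type == "infrastructure"
                                and moved_at_least(n, 1000)),
    ("Trusted Ad Hoc", lambda n, inv: n.classification == "Trusted"
                                     and n.network_type == "ad hoc"),
    ("Trusted Default SSID", lambda n, inv: n.classification == "Trusted" and n.default_ssid),
    ("Trusted Mobile AP", lambda n, inv: n.classification == "Trusted"
                                        and n.network_type == "infrastructure"
                                        and moved_at_least(n, 500)),
    ("Trusted Unencrypted", lambda n, inv: n.classification == "Trusted"
                                          and n.encryption == "Unencrypted"),
    ("Trusted WEP Encryption", lambda n, inv: n.classification == "Trusted"
                                             and n.encryption == "WEP"),
]


def evaluate(inventory: List[Network], patterns=PATTERNS) -> List[Tuple[str, str]]:
    """Return (pattern name, BSSID) for every pattern that fires on every network."""
    return sorted((name, n.bssid) for n in inventory
                  for name, pred in patterns if pred(n, inventory))


# Constructed sample inventory (locally administered MACs, made-up coordinates).
HQ = (40.8711, -73.4101)
SAMPLE = [
    Network("02:00:00:00:00:01", "CorpNet", "Trusted", "WPA", "infrastructure", HQ),
    Network("02:00:00:00:00:99", "CorpNet", "Unknown", "WPA", "infrastructure", HQ),  # evil twin
    Network("02:00:00:00:00:02", "Warehouse", "Trusted", "WEP", "infrastructure", HQ),
    Network("02:00:00:00:00:03", "Fleet-AP", "Trusted", "WPA", "infrastructure",
            (40.8731, -73.4101), previous_location=HQ),     # about 730 ft north of HQ
    Network("02:00:00:00:00:04", "Visitor", "Unknown", "Unencrypted", "infrastructure",
            (40.8751, -73.4101), previous_location=HQ),     # about 1460 ft north of HQ
]

if __name__ == "__main__":
    for name, bssid in evaluate(SAMPLE):
        print(f"{name:24s} {bssid}")
```

Fleet-AP fires only Trusted Mobile AP (it moved more than 500 but less than 1000 feet), while Visitor fires Mobile AP and nothing else because it is not classified Trusted; the Unknown CorpNet record is the evil twin of the Trusted one.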
[Color chooser dialog: Define Custom Colors]

6.3 Assigning the Mission to an Access Point
Once missions are created, any access point can be assigned a mission by choosing it from the Mission entry of the access point's context menu.

[Screenshot: access point context menu: Zoom To, Set Visible, Set Exclusively Visible, Ranges, Detection Points, Local Radiation Field, Popup Display, Drive Path, Device History, Known, Flag, Classification, Tags, Mission, Mapping, Copy, Delete; the Mission submenu lists Accounts Payable, ERP Dev, Project X Servers, Unspecified, Other]

6.4 Color the Network by Mission
Access points (networks) can be colored by mission. Use Window > Preferences again, this time selecting General Colors, and set Network color to Mission.

[Screenshot: General Colors preferences: Devices: Network color = Mission, Network Topology stage color, Client color; Encryption: WPA, WEP, Other, Unencrypted; Classification: Trusted, Friendly, Rogue, Unknown; Misconfigured: Misconfigured, Not Misconfigured, No Configuration; Other: Selected. Note: Channel colors are fixed; see the Channels view for the legend. Restore Defaults / Apply]
3.2    Customizing the MeerCAT Console                     13
3.2.1  (title illegible)                                   13
3.2.2  Preferences                                         15
4      Importing Data into MeerCAT                         17
4.1    (title illegible)                                   17
4.2    Importing Netstumbler Data                          18
4.3    (title illegible)                                   19
4.4    Known Devices                                       20
4.4.1  Manually Adding Known Devices                       21
4.4.2  Importing Known Devices from a CSV File             23
4.4.3  Marking existing devices as Known                   24
4.5    Importing Wired Capture Data                        24
4.6    (title illegible)                                   25
5      Using MeerCAT Fundamental Tools                     26
5.1    MeerCAT Console                                     26
5.2    Device Explorer View                                26
5.2.1  (title illegible)                                   27
5.2.2  Toolbar                                             27
5.2.3  Illustrative Discovery Comparison Examples          28
5.3    (title illegible)                                   30
5.3.1  (title illegible)                                   31
5.4    (title illegible)                                   31
5.4.1  (title illegible)                                   31
5.5    Geo View
[Screenshot: Flow Details view listing captured frames by transmitter and receiver MAC address (including the broadcast address FF:FF:FF:FF:FF:FF), SSID (AMILOCALLINK, belkin54g, NETGEAR, Home), frame type and subtype (Management / Beacon, Management / Probe Response) and byte counts]

7.2.1 Toolbar
The toolbar of the Flow Details View contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view is populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view is populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view shows only the selected instance of that network.
6.5 Colored by Mission
It is now easy to see what function the access points have.

[Screenshot: Device Explorer, Geo, Legend, Networks and Network Topology views with networks colored by mission. Device Explorer: Accounts Payable (048412713053, 068408711325), ERP Dev (Aironet_AD:49:D9, Aironet_AD:99:62), Project X Servers (A7952, Aimeelinksys), Unspecified (464). Legend: Network Type (Probe, Ad Hoc, Access Point); Encryption (WEP Encryption, WPA Encryption, No Encryption); Network Color: Mission. Networks table: 068408711325 (00:12:0E:4E:41:1D, Accounts Payable), A7952 (00:18:01:EC:95:52, Actiontec Electronics, Project X Servers), Aironet (00:40:96:AD:49:D9, ERP Dev).]
[Screenshot: Network Topology view showing stages for networks such as Patrioti, moggy, Greco, SN32, linksys, AppleCom_ED:F6:00, Senaolnt_44:B8:A9 and lin54g, with timestamps from 8/9/07. Red = unencrypted, blue = encrypted. Stages highlighted in yellow indicate the device has been user-selected for coordinated views. The stage is user configurable (Window > Preferences).]

MeerCAT provides tools to analyze device attributes in the Network Topology View:
1. Place the mouse cursor over any device. A tooltip will appear with the device's attributes.
2. Invoke coordinated views by left-clicking any device. The device will be highlighted in all MeerCAT Console views.

Tip: There are a number of tools to navigate in the Network Topology View:
- To center a network of interest in the Network Topology View, left-click and hold anywhere in the white space around the network icon, then move the mouse to the desired area.
- To zoom in or out on any network, right-click and hold, then move the mouse forward and back.

5.9.1 Toolbar
[Screenshot: view tabs Networks, Clients, Flow Details, Wired Captures ...]
- (Toggle convex hull): Enabled when one or more networks are selected; draws a polygon (convex hull) enclosing all the points where the network was detected.
- Show all points where the network was detected: Enabled when one or more networks are selected; shows all the points at which the network was detected.
- Toggle display of the access point's interpolated signal strength: Enabled when one or more networks are selected; shows a heat map of the signal strength around the network, interpolated from the detection points.
- Show extra information about an item on the map: Enabled when one or more networks are selected; shows a callout with detailed information about the network(s), for example "00:18:01:E9:A4:AD, Channel 1, Encryption WEP-40, Type infrastructure, Classification Rogue".
- Toggle display of the drive path for a detection run: Enabled when one or more detection runs are selected; draws a line depicting the drive path.
- Clear Extra Display Info: Clears all extra information on the map (annotations, range overlays).

Options Menu
[Options menu: Bookmarks; Go Home (Alt+Home); Save as Home; Clear Home; Toggle Elevation; Adhere Icons to Surface]

Bookmarks: Add the current Geo View camera position as a bookmark, change the bookmark preferences, or zoom the Geo View to an existing bookmarked location.
[Screenshot: Device Explorer listing many instances of network FDS020; Legend: Network Type (Probe, Ad Hoc, Access Point), Encryption (WEP, WPA, No Encryption), Network Color: Encryption; Geo View at Lat 40.8218, Lon -73.4101, Elev 46 meters; Clients table with columns MAC, Associated Network, Classification, Mission, Is Flagged, Tags, Manufacturer, IP Address, Last Seen, Associations, Times Seen. Rows: 00:19:B9:C4:07:B2 (FDS020, Unknown, Not flagged, Dell Inc., Mon 08/22/11, 6 associations, seen 10 times); 00:03:6B:6F:58:C6 (Cisco Systems Inc., 1, 5); 00:90:FB:1B:92:9C (PORTWELL INC., 1, 1); 00:A0:F8:68:71:5E (SYMBOL TECHNOLOGIES, 1, 1); 00:90:74:00:65:18 (Polycom Inc., 6, 12); 00:A0:F8:3C:D4:76 (SYMBOL ...)]
[Filter panel, continued: None; Probe Filter (Show probes / Hide probes / Only probes); Network Filter (Show all networks); Search Filter (Show only search results); Defaults]

The Flows filter is composed of several parts:
- Graph Type toggles the graph mode: IP Flows or WiFi Flows.
- Network Layer Filter toggles the visibility of network-layer or data-link-layer information. If the network layer is disabled, nodes and links revert to their data-link-layer attributes and label, or disappear if they have none. If the data-link layer is disabled, any node or link without network-layer information disappears. If both are disabled, nothing is shown in the graph unless Show all networks is selected.
- Node Type Filter toggles the visual attributes and/or visibility of the various node types. A node shows the visual attributes for the highest layer of information that is not filtered out.
- Search Filter, when enabled, hides any item that is not a search result and is not somehow connected to a search result in the graph.
- Link Sizes Filter toggles which attribute determines the size (thickness) of the links. The options are Total Bytes (total number of bytes in the flow represented by the link), Total Packets (total number of packets passed) and Average Packet Size (average size of the packets passed through this link).
- Network Border Filter toggles
9      Options (subsections 9.1 to 9.6; most titles and page numbers illegible)
       Flow Colors
       General Colors

1 Introducing MeerCAT

1.1 What is MeerCAT
MeerCAT (Mobile Cyber Asset Tracks) is a visualization tool specifically developed to help users locate wireless assets and networks and assess the risks to their organization. It is designed for post hoc analysis of data acquired from site surveys or wireless security audits, such as wardrives, that discover, identify and locate wireless transmitters.

[Screenshot: the MeerCAT console (menus File, View, Report, Window, Help) with the caption "MeerCAT visualization supports location and risk assessment of wireless devices that may threaten DoD networks". The Device Explorer lists networks such as linksys, linksys_SES_20502, Medivisor, megahoc v24, megahoc v25, N4GI2, NETGEAR and J3677 (00:18:01:FC:1B:DD, Channel 6).]
[Screenshot: Timeline callout: 38:57 AM to 39:52 AM, Duration 55 seconds, Channel 6, Encryption None, Type infrastructure, Classification Unknown]

5.13 Device History View
This view displays data in the chronological sequence in which it was obtained, based on MAC address. If a device was once a network and then a client, that pattern can be seen here. You can also click the play button to animate the device's location on the Geo View.

[Screenshot: Device History tab (alongside Timeline and Overlays) with columns MAC Address, SSID, First Seen, Last Seen, IP, Latitude, Longitude, Encryption, Network Type, Channel, Carrier, Min Signal. Rows: White House, Wed 03/03/10 03:58:41 PM, 38.89767, -77.03565, None; 00:C0:4F:00:00:04, WhiteHouse, Mon 04/05/10 03:58:11 PM to 04:18:11 PM, 38.89767, -77.03565, None, channel 6]

If multiple histories for a given device are selected, they are displayed in the Geo View with varying opacities according to their age: the earlier the history, the lower the opacity. Additionally, their aggregated center position is marked with the following symbol. [symbol]

5.13.1 Toolbar
The toolbar of the Device History view contains the following buttons:

Link with Selection: Click this toolbar button to activate or deactivate linking this view with device selection in other views. If not linked, the device history will not change unless the Device History menu option is
[Screenshot, continued: ... SYMBOL TECHNOLOGIES, Mon 08/22/11, 3, 4; 00:11:5C:2D:CF:80, FDS020, Unknown, Not flagged, Cisco, Mon 08/22/11, 9, 17; Legend: WPA Encryption, No Encryption, Other; Stage Color: Encryption]

Views can be resized by grabbing and dragging the view bounds or by using the minimize or maximize buttons. Views can be rearranged by dragging the view's title bar to another location. Docking a view means changing its location in the current layout. Detached views are shown in a separate window with a smaller trim; when working with multiple monitors it can be useful to put a detached view on a separate monitor. To detach a view, drag it outside the application window and release the mouse button.

The layout of the views is called a Perspective. The first time MeerCAT is launched, the following views are displayed: Device Explorer, Legend, Known Devices, Geo, Networks and Clients. This is referred to as the Default Perspective. You can always return to the default perspective by choosing Window > Reset Perspective from the main menu bar. The default perspective may be customized; to save the current layout, choose Save Perspective As under the Window menu.

[Save Perspective As dialog: Enter or select a name
For additional information on using the Flows view, see the Communication Patterns section below and the Flow Details View help section.

7.1.7 Toolbar
The toolbar of the Flows View contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view is populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view is populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view shows only the selected instance of that network.

Stop Layout: Stops the force-directed layout from acting on the graph.

Run Layout: Runs the force-directed layout for the length of time specified in the WiFi Flows preferences.

Zoom to Fit: Refits the graph to the size of the current display.

Magnifier: Turns the magnifier on or off. The magnifier makes nodes within the glass around the mouse pointer appear larger. Use the mouse wheel to set how much the nodes are enlarged; hold the Ctrl key and use the mouse wheel to change the size of the glass area that the magnification affects.

Toggle Filter: Hides or shows the WiFi flows filter.

7.1.8 Comm
5.5    Geo View                                            32
5.5.1  ... Geo View Capabilities                           32
5.5.2  (title illegible)                                   33
5.5.3  Toolbar                                             34
5.5.4  ... Controls                                        36
5.5.5  Modifying the Geo View Cache location               37
5.5.6  Adding additional Geo View imagery sources          38
5.5.7  Adding Bing Imagery                                 39
5.6    Layers View                                         40
5.7    Bounds View                                         40
5.7.1  (title illegible)                                   40
5.7.2  Bounds Toolbar                                      40
5.8    Model ... (title partly illegible)                  41
5.9    Network Topology View                               42
5.9.1  Toolbar                                             44
5.10   Navigator View                                      45
5.10.1 Selection Highlighting                              45
5.10.2 Panning                                             46
5.10.3 Zooming                                             46
5.10.4 Searching                                           46
5.10.5 Toolbar                                             46
5.11   Channels View                                       51
5.12   (title illegible)                                   52
5.12.1 Toolbar                                             52
5.13   Device History View                                 55
5.13.1 Toolbar                                             55
5.14   Overlays View                                       56
5.14.1 Toolbar                                             56
5.15   Alert Patterns View
While selecting individual networks and/or clients, you can select several devices to be highlighted in all of the views.

5.10.2 Panning
Left-clicking on the display allows you to pan.

5.10.3 Zooming
Holding the right mouse button and moving the mouse up or down zooms the view out or in. Right-clicking without moving the mouse refits the display to the current window size.

5.10.4 Searching
The search bar in the lower right of the display allows you to query for a particular BSSID, SSID, MAC address or other label currently in the display, such as WEP. The sample below shows that two unencrypted devices were found and that they are currently classified as type infrastructure. Search is incremental: as you type, matching nodes are highlighted. Clicking on the match count next to the search box pops up a list of search results, if there are any. You can then click on a search result and the Navigator will expand and zoom to that item in the graph.

[Screenshot: label counts ad hoc 1, WPA 3, All, infrastructure 6, WEP 1, probe 1, Unencrypted 2; "1 match" for the search text "linksy"]

5.10.5 Toolbar
The toolbar of the Navigator view contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical inst
5.15   Alert Patterns View                                 58
5.15.1 Toolbar                                             59
5.16   Alerts View                                         59
5.16.1 Toolbar                                             59
5.16.2 Alert ... (title partly illegible)                  60
5.17   ... View (title partly illegible)                   61
5.17.1 (title illegible)                                   62
5.17.2 (title illegible)                                   63
5.18   ... View (title partly illegible)                   65
5.18.1 (title illegible)                                   65
5.18.2 (title illegible)                                   66
5.18.3 Remove ... (title partly illegible)                 66
5.18.4 User Controls                                       66
       (entry illegible)                                   66
       (entry illegible)                                   67
6      Missions                                            68
6.1    Preferences for Mission Mapping                     68
6.2    Choosing a Color for the Mission                    68
6.3    Assigning the Mission to an Access Point            69
6.4    Color the Network by Mission                        70
6.5    Colored by Mission                                  71
6.6    Group by Mission                                    72
7      Communication Flow Graph                            73
7.1    Flows View                                          73
7.1.1  (title illegible)                                   73
7.1.2  Nodes                                               74
7.1.3  (title cut off)
selected in the context menu for a device.

Stop Animation: Stops the animation in the Geo view.

Start Animation: Displays an animation in the Geo view indicating the changing location of a device over the course of the selected discovery runs.

5.14 Overlays View
The Overlays View allows you to add an image, such as a floor plan, to the Geo View. Images must be in bmp, gif, jpg or png file format. MeerCAT scans the available directories for imagery when it launches, and these images are shown here.

[Screenshot: Overlays tab (alongside Timeline and Device History) listing "Overlay Image 1: bldg3_partial.png"]

Use the checkbox to the left of an overlay to enable display of the overlay in the Geo View. The example below shows a building blueprint placed over an aerial view of the building's roof.

[Screenshot: Geo View at Lat 38.8226, Elev 0 meters, with the overlay bldg3_partial.png enabled in the Overlays view]

5.14.1 Toolbar
The toolbar of the Overlays view contains the following buttons:

Add Image Overlay: Opens the setup window to import an image.

[Image Overlay Setup dialog: "An image file must be specified". Image file:
the same address, but only one per wireless network) but may have several IP addresses associated with it. Conversely, each node in the IP Flows view belongs to a particular IP address and may have several MAC addresses associated with it. These two modes can assist administrators in determining the ways in which different network layers act on the traffic being analyzed.

7.1.2 Nodes
Each graph node carries a label that represents a network address associated with it, and a fill color associated with the attributes of its communication patterns. These colors are all user-manageable in the WiFi Flows area of the MeerCAT preferences.

Wireless Network nodes represent a known wireless network and are labeled with their SSID, or with their BSSID if the SSID is not known. Multicast MAC nodes represent data-link-layer broadcast and multicast addresses, and Datalink MAC nodes represent generic data-link-layer MAC addresses. These node types fall under the Datalink Layer categorization because they represent link-layer hardware addresses.

There are three classifications for nodes that exhibit network (IP) layer information. Local IP nodes have at least one IP address in the private IPv4 ranges (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255), while Other IP nodes contain at least one multicast, broadcast, loopback or any other reserved, non-public
to save the current perspective as.

[Window menu: Perspective, Open Perspective, Save Perspective As, Preferences. Save Perspective As dialog: Name: MeerCAT Highlights; Existing Perspectives: Alert Analysis, Flow Analysis, Geographic Analysis (default), Temporal Analysis]

Any view that has been closed can be reopened by choosing it from the View menu of the main MeerCAT menu.

3.2.2 Preferences
Preferences allow you to customize colors and set various options for some views. To access Preferences, select Window > Preferences from the MeerCAT Window menu. The default colors for the Flows view are shown below.

[Preferences dialog: tree with General Colors, Flows, Devices, Geo, Bookmarks, Manufacturers, Reporting, Tags. General Colors: Devices: Network color = Encryption, Network Topology stage color = Encryption, Client color = Classification; Encryption: WPA, WEP, Other, Unencrypted; Classification: Trusted, Friendly, Rogue, Unknown; Misconfigured: Misconfigured, Not Misconfigured, No Configuration; Other: Selected. Note: Channel colors are fixed; see the Channels view for the legend.]
26. wireless transmitters, since there were no frames intercepted that would suggest that they have this capability. This is visualized by the network border, and only nodes with a dashed border can be affirmed as wireless transmitting devices. Upon further analysis of the network topology, trying to figure out what devices belong to what MAC address, we found that the reality of this graph is that most, if not all, of the data link layer clients are actually machines on the same wired LAN segment as the access point. This is just not good practice, if not for performance then for security as well, considering that all broadcast traffic from the wired LAN is being transmitted in the air as well, not only exposing the MAC addresses of several assets on the wired network but also providing a steady flow of data through the air which could be used to aid a hacker in exploiting encryption key vulnerabilities that exist in protocols such as WEP. One possible fix to this is to put the access point on a different VLAN or subnet than the other clients, allowing a router to take care of passing any traffic that might need to be passed between the wired and wireless segments of the LAN rather than just automatically forwarding the broadcasts.
7.2 Flow Details View. The Flow Details View is a companion to the Flows View and requires that packet data was captured during the detection run and loaded into MeerCAT. This view allows th
27. [Screenshot: DNS Lookup Results for the MULTIPLE IP node, listing reverse-DNS names of residential ISP addresses (hosts under carolina.res.rr.com, myvzw.com, suddenlink.net, pacbell.net and comcast.net, among others) with a Perform DNS lookup button and a Zoom To / Copy context menu. The WiFi Flows panel shows Graph Type (WiFi Flows, IP Flows), Network Layer Filter (Network layer, Datalink layer), Node Type Filter (Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP), Search Filter (Show only search result), Link Sizes (Total bytes, Total packets, Average packet size), Network Border (Encryption, Classification, Channel, None) and Probe Filter (Show probes, Hide probes, Only probes).] In this second screenshot we have decided to go straight to the large node labeled MULTIPLE IP in the belkin54g network. In addition to this link layer address being the owner or next hop of multiple IP addresses, they are also remote IP addresses that we are concerned with. To begin, we right click on the node and perform a DNS lookup. This gives us an idea as to what sort of IP addresses belong to this link layer entity. [Screenshot: WiFi Flows panel with Graph Type, Network Layer Filter and Node Type Filter controls.]
28. [Screenshot: Clients table for the FDS020 network, one row per client MAC address (00:03:6B:6F:58:C6, 00:90:FB:1B:92:9C, 00:A0:F8:68:71:5E, 00:90:7A:00:65:18, 00:A0:F8:3C:D4:76, 00:11:5C:2D:CF:80), each showing classification Unknown, Not flagged, the access point 00:A0:F8:4D:9E:1A, type infrastructure, and first seen / last seen timestamps between Tue 08/16/11 and Mon 08/22/11.] By placing different views in separate monitors, by dragging the view title bar, the user has access to simultaneous views of summary and detailed information.
3.1.2 Context Menus. Pressing the right mouse button within some views displays contextual menus based on the data represented by a selected data element. The example below shows the contextual menu for an access point listed in the Device Explorer. [Screenshot: Device Explorer showing the context menu for an access point.]
29. 7.3 Wired Captures. [Screenshot: MeerCAT with the WiFi Flows panel (Graph Type: WiFi Flows, IP Flows; Network Layer Filter: Datalink Layer, Network Layer; Node Type Filter: Wireless Network, Datalink MAC, Multicast MAC, Other IP, Public IP, Local IP; Network Border: Encryption, Classification, None; Search) and the Wired Captures tab for the EthernetTest1 capture. Its Flow Details table (columns Source IP, Source Port, Destination IP, Destination Port, IP Protocol, Total Bytes) lists Transmission Control Protocol flows from 192.168.2.106 (source ports 2387 through 2392) to web servers such as 76.9.18.10, 209.225.0.101, 74.125.19.164, 66.135.202.211 and 216.34.207.72 on port www (80), together with the total bytes of each flow.]
30. A good indication of whether or not a node belongs to a wireless interface is to look at its border. If it has a dashed border, then the available packet data shows sufficient evidence to suggest that the particular address belongs to a wireless transmitter. That makes the 192.168.2.3 and 00:C0:A8:EE:C0:7F nodes known wireless assets, probably somebody's laptop. [Screenshot: WiFi Flows view with the DNS Lookup Results dialog for the Broadcast node, listing reverse-DNS names of residential ISP addresses (hosts under cox.net, comcast.net, sssnet.com, rr.com, zoominternet.net, mindspring.com, mchsi.com, swbell.net, sky.com, cabletv.on.ca, shawcable.net, rogers.com and optonline.net, among others).]
31. [Screenshot: WiFi Flows panel with Node Type Filter (Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP), Search Filter (Show only search result), Link Sizes (Total bytes, Total packets, Average packet size), Network Border (Encryption, Classification, Channel, None) and Probe Filter (Show probes, Hide probes, Only probes).] Using the Network Layer filter, we told the WiFi Flows graph to ignore network layer information when displaying the visual attributes of the nodes. As a result, we are shown the MAC address of each of these nodes. The important thing that we discover is that the large node's MAC address is very close to that of the belkin54g BSSID, 00:11:50:43:55:C1. This suggests that it is probably an Ethernet interface on the wireless access point, while 00:11:50:43:55:C1 is the MAC address belonging to the wireless interface. A similar thing is going on with the 00:1E:E5:59:2E:A2 node of the Berkowitz network, suggesting the same thing is going on there. The belkin54g example is a very common signature for someone who plugged a wireless access point into an active switch port and started using it with its out-of-the-box open configuration. This is a problem for a network security officer, because anybody listening to the radio signals nearby can see any connections and information being passed by the network's clients. Unless you have decrypted the packet files ahead of time with software such as Wireshark (http://www.wireshark.org), seeing IP layer communication
32. 4 Importing Data into MeerCAT.
4.1 Importing Kismet Data. 1. To import Kismet (including Newcore) data you have collected, or the sample data set supplied with the MeerCAT CD, select File > Import Kismet Data from the MeerCAT File Menu. This will launch the pop-up window. [Screenshot: Kismet Import dialog, "Select a Network File to import. Optionally include GPS and/or packet data and specify location", with fields Network XML file, GPS XML file, GPS point aggregation threshold (Low, 3 m), Packet Data file and Location name.] 2. On the Network XML file edit, click Browse and then search for the folder with the Kismet network data formatted file (.xml, or .netxml for Newcore) you want to import into MeerCAT. The default location of the sample Kismet data is C:\Program Files\MeerCAT\demo. 3. On the GPS XML file edit, click Browse and then search for the folder with the Kismet GPS XML file (.gps, or .gpsxml for Newcore) you want to import into MeerCAT. This file is optional, but if selected it will provide more analysis on the location of devices, such as range-based displays like the radiation field. The MeerCAT database supports the storage of a large number of data files and high performance data queries to quickly view and compare multiple wardrives. Nevertheless, you can choose to aggregate GPS detection points that are close to each other in order to minimize the
33. [Screenshot: selection window criteria: Channel, Device moved by more than 300 feet, Encryption, SSID, Type, Presence (Added, Removed).] The Wireless Network filter shows only wireless devices that fit the criteria specified by the user in the selection window. [Screenshot: Filter Devices dialog, "Filter based on network properties". Select the network properties to exclude: Type (Infrastructure, Ad hoc, Probe), Encryption (None, WEP, WPA), Classification (Friendly, Rogue), Device (Phone, Non-Phone). Enter the values to exclude, using commas to separate multiple values: BSSIDs, SSIDs, Channels. Radio Type (802.11a, 802.11b).]
5.3 Networks View. [Screenshot: Filter Devices dialog, "Show only networks with the following characteristics": Date filter (within this date range; start date 3/15/2013, end date 3/15/2013), Location filter (from these locations: Demo), Bounds filter (within these bounds), Radial Detection Distribution filter (with distribution at least 1).] The Networks View offers another tool to simplify wireless device management and security, and helps you identify network devices based on their properties, including their MAC address, SSID, vendor, security, or channel. With the Network Device tab
34. Client; MeerCAT DeviceHistory; MeerCAT FlowDetails.
8.3.3 Annotations. View annotations can be added to a document or presentation. The following keywords are used: MeerCAT Geo3D Notes; MeerCAT Flows Notes; MeerCAT NetworkTopology Notes; MeerCAT Navigator Notes; MeerCAT Timeline Notes; MeerCAT ImageViewer Notes.
9 Other Preference Options.
9.1 Flow Colors. The Flows View is capable of displaying many types of connections. To customize the display of connections in this View, from the MeerCAT main menu select Window > Preferences, then click on the Flows selection. [Screenshot: Flows preferences page with Network Layer Filter (Local IP, Public IP), Node Type Filter (Multicast MAC, Datalink MAC, Wireless Network, Access Point, Ad Hoc, Other IP, Multicast, Broadcast, Null), Network Layer and Datalink Layer colors, Force Directed Layout with Layout Run Time (seconds) set to 8, and Restore Defaults and Apply buttons.] This page allows each address type (Multicast MAC, Datalink MAC, Local IP, Public IP, Wireless Network and Other) to have its own color. To change colors, click on the color to select from the color palette. Colors used to depict the Datalink Layer vs. the Network Layer can also be customized. Another feature of the Flows View which can be customized is the duration of the force directed graphing feature of the display. The Flows View uses a technique which
35. [Screenshot: Geo View with Topology, Time Patterns and Channel panels; status bar reads Altitude 0 km, Lat 40.8762, Lon 73.4116, Elev 48 meters.]
1.2 What are the Benefits of MeerCAT? Organizations are deploying, or being exposed to, wireless local area networks (LANs) to support mobile connectivity. However, wireless LANs present unique security challenges, as it is easy to introduce unauthorized, or intercept authorized, wireless signals in organizational networks. While there are numerous systems designed to help locate and assess wireless activity, they generate significant data that require experience and expertise to correlate and interpret. One of the challenges is to quickly turn the wealth of data into meaningful and actionable information. Visualization is an effective way to make sense of this data. MeerCAT arms users with advanced visual analytics specifically designed to facilitate and expedite the analysis of wireless discovery data, to quickly locate and assess the risks of wireless assets. Professionals can use MeerCAT to locate both authorized and unauthorized rogue access points and unsecu
36. Geo View Capabilities. The Geo View provides the tools to locate wireless networks and clients on 3D topographic satellite imagery. Users can navigate anywhere on the globe, down to street and building views, to locate friendly and rogue devices. Using the Zoom To tool on a discovery run in the Device Explorer, as described in Device Explorer View, the coordinated Geo View below shows all the detected devices in the selected discovery run. The Geo View also provides tools to further analyze the attributes of detected wireless devices. 1. Display a device's attributes by Right Click Device > Show Popup Display. [Screenshot: device popup for NETGEAR 00:14:6C:B0:0B:14: Channel 7, Encryption PSK TKIP WPA, Type infrastructure, Radial Detection Distribution 47.6, Classification Unknown.] 2. Invoke Coordinated Views to inspect wireless devices by Left Click on any device on the map. This will highlight the device in the other MeerCAT Console views. Tip 1: Encrypted devices show a lock symbol. Tip 2: The device encryption level is displayed on the device icon, e.g. WPA or WEP. [Screenshot: Devices preferences page with Encryption, Network Topology stage color and Classification settings.] 3. User customizable views are supported, including the ability to redefine the color coding of wireless networks (MeerCAT Windows Menu > Preferences > Gen
37. (illegible) 75
(illegible) 76
7.1.5 Preferences for Flows 77
7.1.6 (illegible) 78
7.1.7 (illegible) 79
7.1.8 Communication Patterns Usage Scenario 79
7.1.9 (illegible) 83
7.1.10 WiFi Broadcast Domain Example 86
7.2 Flow Details View 88
7.2.1 (illegible) 88
7.3 Wired Captures 89
7.3.1 Wired Captures View 89
7.3.2 (illegible) 89
7.3.3 Flow Details View 89
8 Reporting 90
8.1 Reporting (rest of title illegible) 90
8.2 (illegible) 90
8.2.1 Report Generation Criteria 90
8.2.2 Copy Screenshot of Active View 91
8.2.3 Save Screenshot of Active View 92
8.2.4 Email Screenshot of Active View 92
8.2.5 Drag and Drop 92
8.2.6 View Annotations 92
8.3 Report Templates 93
8.3.1 (illegible) 93
8.3.2 Tables
8.3.3 Annotations
9 Other Preference
38. MeerCAT. The default value is 1024 MB. For systems with a large amount of available memory you may want to increase this value to 2048 MB or higher. Another way to reduce memory requirements is to only have visible the views of interest. Closing views not in use will reduce memory load, especially views that have requested historical data. Although you may notice memory usage peak, MeerCAT uses advanced caching and performance optimization to use available memory most efficiently.
3. How does MeerCAT determine a device's location? If only the network XML file is imported, MeerCAT uses the center of the detection range, i.e. ((max lat + min lat) / 2, (max long + min long) / 2). If the GPS file is used, then an average of the detected GPS points, weighted by the square of the signal strength, is used, but only points whose signal strength is within 10% of the maximum (note that this does not mean the top 10% of the points).
4. What is Radial Detection Distribution? Radial Detection Distribution is a measurement of how well MeerCAT can determine the location of a device based on the detections that it has been provided. Consider each of a device's detections to lie on a radius extending from its actual location. Radial Detection Distribution is the proportion of the sector enclosed by the smallest angle that includes all of the detections to a complete circle. For example, to obtain the best possible placement, the detections would be distributed such that they form a
39. Browse to the location of the model's KML file. [Screenshot: Model Setup dialog, "Choose a COLLADA model": Name NY Capitol, Path Collada Models\New York State Capitol\doc.kml.] The model can now be toggled on and off in Geo View via the corresponding checkbox in the Models view. [Screenshot: Models view listing NY Capitol.]
5.9 Network Topology View. MeerCAT automatically constructs topological maps of the discovered networks and connected clients to help you better understand the impact of wireless vulnerabilities and threats and determine the appropriate remediation. MeerCAT helps you see the detected access points and the clients connected to them, including rogue and unsecure devices. Coordinated views allow MeerCAT users to quickly spot a network of interest in the Network Topology View, to help identify connected clients and potential risks for further investigation. If multiple networks are checked off in the Device Explorer, then the latest information for each network will be shown. If only one network is selected, then all histories will be shown side by side over time. Tip 1: The network stage color is preconfigured to represent the network security state, where the [Screenshot: Networks, Clients, Flow Details, Wired Captures and Network Topology tabs; the topology shows the networks johns router, belkin54g and LexmarkI_40 EC
40. (definitions continued from the preceding page:) A device that has caused more than one alert. A Status intended to describe an Alert that has been taken care of by security personnel. A user defined term used to describe a device that could potentially be threatening. A user defined term used to describe the importance or degree of a particular Alert Pattern; can be High, Medium, or Low. The quantity of radiated power that determines the amount of network bandwidth available on a connection.
SSID: Service Set Identifier. The term used to identify a particular Access Point.
Status: Used to describe the state of an Alert. Can be Pending, Notified, Resolved, Ignored.
TKIP: Temporal Key Integrity Protocol. A security algorithm that changes the key used for each packet. It is used as a replacement encryption for WEP.
Trusted: A user defined term used to describe a device that is known and should be protected against threats.
UAP: The Upper Address Part (third octet) of a Bluetooth address. See also LAP, NAP.
Unencrypted: A device using no method to encipher its signals.
Unknown: A user defined term used to describe a device that is neither Trusted, Friendly, nor Rogue.
Wardrive: A period during which one drives around collecting WiFi data for later or real time analysis.
WEP: Wired Equivalent Privacy. A security algorithm that encrypts each packet separately using a 10
(term column continues: WEP40, WEP104, WPA)
41. Welcome to Secure Decisions MeerCAT. MeerCAT Pro User Manual. SECURE & DECISIONS, A DIVISION OF APPLIED VISIONS INC. MeerCAT Pro Version 4.5 Release. Copyright 2007-2014, All rights reserved, Applied Visions Inc. Distribution of this work is prohibited unless prior written permission is obtained from the copyright holder. MeerCAT is a trademark of Applied Visions Inc. All other trademarks and copyright are the property of their respective owners.
TABLE OF CONTENTS
1 Introducing MeerCAT 8
1.1 (illegible) 8
1.2 What are the Benefits of MeerCAT 8
1.3 What are MeerCAT's Key Features & Functions 9
2 (illegible) 11
2.1 MeerCAT Technical Support 11
2.2 MeerCAT Feedback and Additional Information 11
2.3 (illegible) 11
3 Accessing and Navigating MeerCAT 12
3.1 Controlling MeerCAT 12
3.1.1 (illegible) 12
3.1.2 Context Menus
42. each network; Count clients connected to each network. Zoom to Fit: This option will refit the display to fit the size of the current display. Orient Left-Right: The left-right button will cause the display to show from left to right, as shown below. [Screenshot: Navigator view in left-to-right layout; groups ad hoc (1), WPA (3), infrastructure (6), WEP (1), probe (1), Unencrypted (2).] Orient Top-Bottom: This option will cause the display to show from top to bottom, as shown below. [Screenshot: Navigator view in top-to-bottom layout with the same groups.] Orient Right-Left: This option will cause the display to show from right to left, as shown below. [Screenshot: Navigator view in right-to-left layout with the same groups.] Orient Bottom-Top: This option will cause the display to show from bottom to top, as shown below. [Screenshot: Navigator view in bottom-to-top layout with the same groups.]
5.11 Channel
43. address. Public IP nodes represent IPv4 addresses that are public. [Screenshot: WiFi Flows view beside the Geo view. The graph shows Broadcast nodes, datalink MAC nodes such as 00:16:6F:80:FE:6D, 00:18:01:34:A0:F1, 02:01:BF:A8:32:46, 00:0A:E6:1D:71:FD, 00:15:E9:ED:B3:FC and 00:13:CE:97:A4:EA, the IP node 192.168.0.164 and the wireless network "default"; a node popup reads Manufacturer: Elitegroup Computer System Co (ECS), Location(s): Northport, Detection Run(s): 1/2/70 12:00 AM. The panel has Graph Type (WiFi Flows, IP Flows), Network Layer Filter (Network layer, Datalink layer), Node Type Filter (Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP), a Network Layer / Datalink Layer legend, Link Sizes (Total bytes, Total packets, Average packet size), Network Border (Encryption, Classification, Channel, None) and Probe Filter (Hide probes).] In WiFi Flows mode, nodes with multiple IP addresses will be depicted larger and labeled MULTIPLE IP. In addition, Wireless Network nodes that are associated with any IP information will be depicted larger than normal nodes, since their color will not be overridden by additional network layer information like their client and multicast counterparts. A dashed border around a node shows that the node is known
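The Local IP / Other IP / Public IP node rules of section 7.1.2, together with the MULTIPLE IP marking described here, as an added worked example (this is not MeerCAT code). It uses Python's ipaddress module; the three private ranges are the ones the manual lists, and the precedence applied when one node owns addresses of different kinds (a private address wins, then any reserved address) is an assumption drawn from the "at least one address" wording. The sample nodes are constructed, partly from addresses that appear in the manual's screenshots.

```python
"""Node classification rules from section 7.1.2 (Local IP / Other IP /
Public IP / MULTIPLE IP), as an added example; this is not MeerCAT code.
Sample node address lists below are constructed."""
import ipaddress

# The three private IPv4 ranges the manual names for Local IP nodes (RFC 1918).
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)
# Shared address space (RFC 6598) is reserved and non-public but is not one of
# the three ranges above; ipaddress does not flag it as private, so test it here.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_address(addr: str) -> str:
    """Classify one IPv4 address the way the manual's node rules describe."""
    ip = ipaddress.ip_address(addr)
    if not isinstance(ip, ipaddress.IPv4Address):
        raise ValueError("the manual's node rules are stated for IPv4 only")
    if any(ip in net for net in PRIVATE_RANGES):
        return "Local IP"
    # Multicast, limited broadcast, loopback, link-local, 0.0.0.0/8, the
    # documentation/benchmark ranges and 240.0.0.0/4 are all "reserved,
    # non-public"; ipaddress reports them via is_multicast / is_reserved / is_private.
    if ip.is_multicast or ip.is_reserved or ip.is_private or ip in SHARED_ADDRESS_SPACE:
        return "Other IP"
    return "Public IP"


def classify_node(addresses) -> tuple:
    """Return (node class, is_multiple_ip) for a node that owns several addresses.

    Assumption (not spelled out by the manual): when a node mixes kinds, a
    private address makes it Local IP, otherwise any reserved address makes
    it Other IP, following the "at least one address" wording of each rule.
    """
    kinds = {classify_address(a) for a in addresses}
    if not kinds:
        raise ValueError("a node needs at least one address")
    if "Local IP" in kinds:
        label = "Local IP"
    elif "Other IP" in kinds:
        label = "Other IP"
    else:
        label = "Public IP"
    # Nodes with more than one distinct IP are drawn larger and labeled MULTIPLE IP.
    return label, len(set(addresses)) > 1


if __name__ == "__main__":
    # Constructed nodes; the first addresses come from the Wired Captures screenshot.
    for node in (["192.168.2.106"], ["76.9.18.10", "74.125.19.164"], ["224.0.0.251"]):
        print(node, "->", classify_node(node))
```

Note that `ipaddress.is_private` alone is not the manual's Local IP test: it also covers loopback, link-local and the documentation ranges, which the manual files under Other IP, so the RFC 1918 check has to come first.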
44. same location, you should select that location in the dropdown menu. If no location is specified, the data will get added to an Unspecified Location entry. 4. Once you have selected the file, click OK to import the data into the MeerCAT database. 5. To import more than one file, repeat Steps 1-3 above for each file you choose to import for analysis. Note: NetStumbler only reports no encryption or WEP encryption. Devices may have a higher level of encryption but only show as WEP. Also, NetStumbler does not collect client information, nor does it collect packet data. Therefore the Network Topology view will be limited and the Flows and Flow Details views cannot be used.
4.3 Bulk Import Kismet Data. MeerCAT can import multiple Kismet data files in a single command. Access this feature through the MeerCAT File Menu: File > Bulk Import Kismet Data. This will launch the pop-up window. [Screenshot: Bulk Import dialog, "Select a directory and then choose which files you wish to import", with a directory path field, an Include subdirectories checkbox, GPS point aggregation threshold, Location name and a Cancel button.] The Include subdirectories checkbox allows MeerCAT to search subdirectories for Kismet data to import. The Location name can be entered manually, or if an existing location is associated with the detection run it can be selected from th
45. instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network. Navigator Grouping: This option allows you to set the grouping order of the Navigator View tree. [Screenshot: MeerCAT Navigator, Navigator Grouping dialog, "Select the groups to use in the navigator view and the order in which to apply them". Available groups: Location Name, Classification, Detection Run, Manufacturer, Network Type, Flagged, Encryption Type, Cloaked, Has Location, Misconfigured, Channel, SSID; Move Up and Move Down buttons; Cancel.] Navigator Tree Options: This dialog allows you to set the depth of the tree, meaning how many children will be shown from the focused node. The dialog also allows you to select how the nodes should be colored, either by count, by number of packets, or by number of clients. [Screenshot: MeerCAT Navigator, Navigator Tree Options dialog, "Select tree depth and counting mode. Nodes with higher counts will appear darker in the display". Tree depth of interest: 1. Counting mode: Count packets to/from e
46. keyboard and left mouse button click & drag up and down, or hold Ctrl and arrow up or down on the keyboard. Tilt: Hold SHIFT on the keyboard and left mouse button click & drag up and down, or use Page Up and Page Down on the keyboard. Rotate: Hold SHIFT on the keyboard and left mouse button click & drag left and right. Stop: Spacebar. Reset Heading: N. Reset all: R.
5.5.3 Toolbar. The toolbar of the Geo view contains the following buttons. Go Home: Zoom Geo View to the Home location, or set the Home location if it has not been set. Go to Location: Zoom Geo View to a city or zip code. Set Icon Display Options: Set icon display options; controls automatic aggregation and sizing of icons on the map. Decrease icon size: Decreases the size of all the icons on the map by half. Set icon size to 1.0x: Sets all icons back to their original size. Increase icon size: Increases the size of all the icons on the map by 2x. Zoom to the Location on the map: Enabled when one or more networks are selected; zooms to those networks when clicked. Show circular area depicting the longest distance a network was detected: Enabled when one or more networks are selected; draws a circle around the network showing the max detection radius. Toggle polygonal area of points where a network was detected
47. table of all of the bounds that have been stored by the Bounds Tool. Bounds can be used as criteria in the Device Explorer Filter or as part of an Alert Pattern. Clicking one of the Bounds will display it in the Geo View. If the entity is not within the visible area of the current view, double clicking will zoom to it.
5.7.1 Toolbar. The Bounds View toolbar contains the following buttons. Clear Bounds Selection: De-select all Bounds to clear them from the Geo View. Add Bounds: Open the Bounds Tool to create new Bounds.
5.7.2 Bounds Tool. The Bounds Tool is used to create and modify Bounds. Each Bounds entity must have a unique name. [Screenshot: Setup Bounds dialog over the Geo View: Name MainStreet, Type Free Hand, Metric, Perimeter 1.518 km, Area 81,369.9 m2; buttons Clear Bounds and Start Drawing; "Pan map using arrow keys", "Zoom map using keys"; status bar Altitude 2 km, Lat 40.9057, Lon 73.3570, Elev 3 meters.]
5.8 Models View. The Models view is used to import COLLADA models, such as those available from the 3D Warehouse (http://sketchup.google.com/3dwarehouse), for viewing within the Geo view. To add a model, click the Add Model button in the Models view toolbar.
48. access point.
Alert: A notification used in MeerCAT to indicate suspicious behavior on a wireless network. What constitutes suspicious behavior can be defined by the analyst via an Alert Pattern.
Alert Pattern: A rule that defines suspicious behavior on a network. MeerCAT uses an Alert Pattern to generate Alerts from Detection Run data.
Association: A distinct connection between a Client and Network. The Associations column in the Clients table indicates the number of networks to which a client has connected.
Authentication Suite: The type of authentication mechanism used by a device to connect to a WLAN. If known, this can be PSK or IEEE 802.1X.
Bounds: A designated geographical area that can be used as filter criteria in the Device Explorer or as part of an Alert Pattern.
BSSID: The identifier of a basic service set. In an infrastructure network the BSSID is the MAC address of the wireless access point; in an ad hoc network the BSSID is a locally administered MAC address that is generated from a random number.
(term column continues: Carrier, CCMP, Channel, Cipher, Classification, Client, Cloaked, CSV, Detection Point, Detection Run, Device, Drive Path)
Carrier: The particular IEEE 802.11 standard type used for a network. See IEEE 802.11.
CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol used in WPA2.
Channel: A transmission medium used to send a communication signal. A WLAN channel is one that is allowed using IEEE 802.11
49. each network to expand the view of detected connected clients. [Screenshot: Device Explorer context menu with Zoom To, Set Location, Import, Delete, Properties and Drive Path.] 3. Zoom in on a discovery run or network for all MeerCAT Views: (a) Right Click discovery run or network > Zoom To, or (b) Double Click discovery run, network or device. Tip 3: Delete discovery run data by Right Click on Discovery Run in Device Explorer > Select Delete.
5.2.1 Search. The Device Explorer can be searched based on SSID (networks) or MAC address (networks and clients). Valid queries consist of SSIDs of at least three characters or MAC addresses of at least two octets. An asterisk can be used within the query to represent any series of characters, and a question mark can be used in place of any single character. There is no need to supply a leading or trailing asterisk, as partial matches will be returned by default.
5.2.2 Toolbar. The toolbar of the Device Explorer view contains the following buttons. Toggle Detection Run Location Grouping: Determines whether or not to group the networks and detection runs by the location that was specified when the data was imported. Toggle Last Seen Grouping: Groups items by when they were last seen relative to the current time, for example 3 days ago, 2 weeks ago, 6 months ago, 1 year ago. Detection Runs S
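The Device Explorer search rules of section 5.2.1 (minimum SSID length, minimum octet count for MAC queries, `*` and `?` wildcards, implicit partial matching), as an added worked example rather than MeerCAT's own search code. The device inventory is constructed from SSIDs and MAC addresses that appear in the manual's screenshots; how the real view tells a MAC query from an SSID query is not stated, so the separator-based test below is an assumption.

```python
"""Device Explorer search rules from section 5.2.1, as an added example
(not MeerCAT code): SSID queries need at least three characters, MAC
queries at least two full octets, '*' matches any run of characters, '?'
one character, and matches are partial by default."""
import re

# Constructed inventory; clients carry no SSID of their own.
SAMPLE_DEVICES = [
    {"kind": "network", "ssid": "belkin54g", "mac": "00:11:50:43:55:C1"},
    {"kind": "network", "ssid": "FDS020", "mac": "00:A0:F8:4D:9E:1A"},
    {"kind": "network", "ssid": "NETGEAR", "mac": "00:14:6C:B0:0B:14"},
    {"kind": "client", "ssid": None, "mac": "00:A0:F8:68:71:5E"},
]

# Assumption: a query made only of hex digits, wildcards and ':' or '-'
# separators (with at least one separator) is a MAC query.
_MAC_QUERY = re.compile(r"[0-9A-Fa-f?*]+([:-][0-9A-Fa-f?*]*)+")
_FULL_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def compile_query(query: str):
    """Validate a query and return (field, compiled regex); raises ValueError."""
    q = query.strip()
    if _MAC_QUERY.fullmatch(q):
        # Only completely specified octets count toward the two-octet minimum.
        groups = re.split(r"[:-]", q)
        if sum(1 for g in groups if _FULL_OCTET.fullmatch(g)) < 2:
            raise ValueError("MAC queries need at least two full octets")
        field, q = "mac", q.replace("-", ":")
    else:
        if len(q.replace("*", "").replace("?", "")) < 3:
            raise ValueError("SSID queries need at least three characters")
        field = "ssid"
    # Translate the two wildcards; every other character is matched literally.
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in q)
    # re.search rather than fullmatch supplies the implicit leading/trailing asterisk.
    return field, re.compile(pattern, re.IGNORECASE)


def is_valid_query(query: str) -> bool:
    try:
        compile_query(query)
        return True
    except ValueError:
        return False


def search(devices, query: str):
    """Return devices whose SSID (networks) or MAC (networks and clients) matches."""
    field, rx = compile_query(query)
    return [d for d in devices if d[field] is not None and rx.search(d[field])]


if __name__ == "__main__":
    for q in ("belkin", "FDS0?0", "00:11:50", "00-A0"):
        print(q, "->", [d["mac"] for d in search(SAMPLE_DEVICES, q)])
```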
complete circle around the device. This would mean that the largest angle between any two adjacent detections would be zero radians, and the Radial Detection Distribution would be 100.

Consider the common case in which the wardriving vehicle travels along one side of a building containing an access point, as seen below. The Radial Detection Distribution for this device is 50.7, because all of the detection points lie in a relatively straight line: MeerCAT has a good estimate of the device's latitude, because the vehicle traveled from north to south, but very little idea of its longitude.

[Figure: detection points in a north-south line beside an access point]

5. How does MeerCAT determine whether a device is a phone?

MeerCAT considers a device to be a phone if the OUI (Organizationally Unique Identifier) portion of its MAC address appears in a list of OUIs of wireless chipsets that are known to be installed in phones. Note that some manufacturers use the same chipsets in multiple product lines, so it is possible that some devices that are not actually phones are depicted as such. The converse also holds: a phone whose chipset OUI is not in the list is not recognized, and the heuristic says nothing reliable about a device whose MAC address has been changed.

11 Glossary of Terms

Access Point: A central transmitter and receiver of WLAN signals that allows wireless devices to connect to a wired network.

Ad hoc: A wireless network where nodes communicate directly with each other without the use of a central a
cted, select from the MeerCAT File menu: File > Import NetStumbler Data. This will launch the NetStumbler Import pop-up window.

[Figure: NetStumbler Import dialog with the fields Network NS1 file, GPS point aggregation threshold (Low to High) and Location name]

2. In the Network NS1 file field, click Browse and then search for the folder containing the NetStumbler-formatted data file (.ns1) you want to import into MeerCAT.

The MeerCAT database supports the storage of a large number of data files and high-performance data queries to quickly view and compare multiple wardrives. Nevertheless, you can choose to aggregate GPS detection points that are close to each other in order to minimize the number of points that are stored in the database. The default setting is 3 meters: this means that if two points are less than 3 meters apart, they will be combined and treated as one point. Increasing this threshold will allow more points to be combined and reduce the number of points that need to be stored. If you have a very long detection run, you may wish to increase this threshold in order to reduce the time it takes to import the data. Points merged at import are not stored individually, so choose the threshold before importing data you may later want to analyse at fine resolution.

3. In the Location name field, enter the name of the location you would like to import the data into, such as the name of the site or building that was scanned. If you perform subsequent scans of the s
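To make the aggregation threshold concrete, here is an added Python example (written for this page, not MeerCAT's importer) that collapses GPS detection points closer than a threshold and reports how many raw points each stored point stands for. The merge rule (walk points in capture order and fold a point into the current cluster while it lies within the threshold of the cluster's first point) is my assumption; the manual only says that points closer than the threshold are combined. The sample track is constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def aggregate_points(points, threshold_m=3.0):
    """Collapse GPS detection points that lie within threshold_m of each other.

    Assumed behaviour: points are walked in capture order; a point is merged
    into the current cluster while it lies within threshold_m of the cluster's
    first point, otherwise it starts a new cluster.  Each cluster is returned
    as (mean_lat, mean_lon, number_of_raw_points_merged).
    """
    clusters = []
    current = None
    for lat, lon in points:
        if current is not None and haversine_m(current["anchor"], (lat, lon)) < threshold_m:
            current["lat_sum"] += lat
            current["lon_sum"] += lon
            current["count"] += 1
        else:
            current = {"anchor": (lat, lon), "lat_sum": lat, "lon_sum": lon, "count": 1}
            clusters.append(current)
    return [(c["lat_sum"] / c["count"], c["lon_sum"] / c["count"], c["count"]) for c in clusters]


# Constructed sample track for the example (not real wardrive data).
# Successive latitudes differ by 0.00001 degrees, roughly 1.1 m on the ground.
SAMPLE_TRACK = [
    (40.700000, -74.000000),
    (40.700010, -74.000000),  # ~1.1 m from the first point
    (40.700020, -74.000000),  # ~2.2 m from the first point
    (40.700100, -74.000000),  # ~11 m from the first point
    (40.700110, -74.000000),  # ~1.1 m from the previous point
]


def cluster_sizes(points, threshold_m):
    """Number of raw points behind each stored point, in order."""
    return [count for _, _, count in aggregate_points(points, threshold_m)]


if __name__ == "__main__":
    for threshold in (0.5, 3.0, 15.0):
        stored = aggregate_points(SAMPLE_TRACK, threshold)
        print(f"threshold {threshold:>4} m: {len(SAMPLE_TRACK)} points -> "
              f"{len(stored)} stored, sizes {cluster_sizes(SAMPLE_TRACK, threshold)}")
```

With the default 3 m threshold the five sample points become two stored points; raising it to 15 m leaves a single point, which is why a coarse threshold also coarsens any later location estimate.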
d from the default. Use the Restore Defaults button to return both values to the initial installation values.

[Figure: Reporting preferences page with Output directory (C:\Users\ChrisE\MeerCAT\reports) and Analyst name (ChrisE)]

9.6 Tags

The Device Explorer view permits various features of networks and devices to be viewed in more detail. For instance, the Client Properties window allows the MAC address and Classification to be updated if necessary. The Wireless Network Properties window allows these as well as additional fields to be maintained.

To aid in further grouping networks, wireless networks can be given short keywords, or tags. To assign a tag in the Device Explorer view, select a network and right-click, then select Tags from the list of options. If tags have already been defined, they are shown in the Tags flyout menu, as shown below.

[Figure: Device Explorer context menu with Zoom To, Set Visible, Set Exclusively Visible, Ranges, Detection Points, Local Radiation Field, Popup Display, Drive Path, Device History, Known, Flag, Classification and Tags]
[Figure: Device Explorer context menu with Zoom To, Set Visible, Set Exclusively Visible, Detection Points, Local Radiation Field, Popup Display, Drive Path, Device History, Known, Classification, Tags, Mission Mapping, Copy and Delete]

3.2 Customizing the MeerCAT Console

3.2.1 Views

There are several windows in the default perspective of MeerCAT; each window is called a view. The individual views are described in detail in chapter 5, Using MeerCAT Fundamental Tools.

[Figure: MeerCAT main window with the File, View, Report, Window and Help menus, the Geo view and the Device Explorer view with its "Find an SSID or MAC address (Ctrl+F)" search box]
e dropdown.

4.4 Known Devices

MeerCAT allows you to add known devices, which serve as a baseline for alerting MeerCAT users to unexpected changes such as misconfigured devices or new devices that were not previously identified. This information is critical in defending one's network and enforcing security policies. The Known Devices submenu can be selected from the MeerCAT File menu.

[Figure: File menu showing Import Kismet Data (Ctrl+I), Import NetStumbler Data, Bulk Import Kismet Data, Known Devices (Add Network, Add Client, Import Networks from CSV, Import Clients from CSV), Import Wired Capture Data, Database and Exit]

4.4.1 Manually Adding Known Devices

4.4.1.1 Known Networks

To add a known network, select from the MeerCAT File menu: File > Known Devices > Add Network. This will open a properties dialog where you can fill in the expected information for the network.

[Figure: Wireless Network Properties dialog ("Set the properties for this wireless network") with the fields BSSID, Manufacturer, Network type (Unknown), Encryption, SSID, Cloaked, Max data rate (Mbits/sec), Flagged and Annotation]
e users to see detailed information about a particular packet capture. It can also be sorted by any one of the data fields. This table view is tied to the selection of wireless networks and clients in other views, which allows analysts to quickly associate traffic with individual networks.

- IEEE 802.11 and Ethernet frame details are shown for all intercepted packets that are encapsulated in one of these link-layer frames.
- IP and ARP flows also show detailed information about network- and transport-layer (TCP/IP) attributes of a communication flow, such as source and destination addresses, ports and protocols. These are only available where the payload was captured in the clear; on an encrypted network only the 802.11 frame attributes are visible.

[Figure: Flow Details table with Networks and Clients tabs and the columns Start Time, Duration, Source MAC, Destination MAC, 802.11 Type, Total Bytes and Total Packets]
e what data each chart will display, based on the contents selected via the toolbar button (see below). These charts allow the user to easily see alert patterns and summary network information. Across the top of the window is a date range that represents the time frame the data is from.

To highlight specific networks or alert patterns in the Device Explorer and other views, click on an item in any of the dashboard's charts. Any networks related to the selected item will be highlighted in the other charts as well as in other MeerCAT views.

Each chart can be expanded to use all of the space available to the Dashboard view, hiding the other two charts in the process. This is done by clicking the button in the upper right-hand corner of the frame of the chart to be expanded. The view can be restored to show all three charts by clicking the same button a second time.

Charts from the Dashboard view can be included in a report; see Chapter 7 for information.

5.17.1 Toolbar

The toolbar of the Dashboard view contains the following button:

Set Dashboard Contents: This option allows the user to determine which categories are displayed in each chart of the Dashboard view. The following options are available for each chart:

Pie Chart: Alert Patterns, Alert Severities, Encryption Totals, Network Types, Top 10 Manufacturers
Ba
eline

[Figure: Timeline view with Device History and Overlays rows on a weekly calendar scale (Mar 07 10 to Apr 04 10)]

A right mouse click anywhere in the view will bring up a menu with Zoom In, Zoom Out, Reset Zoom Level and a Bars option. Selecting Zoom In will increase the calendar scale, which can be repeated to allow hourly details to be seen. Zoom Out will shrink the calendar scale. Reset Zoom Level will return to the default view.

[Figure: Timeline zoomed to hourly detail between Aug 16 14:00 and Aug 17 14:00, with one row per device, including IP addresses such as 192.168.11.1 and 192.168.11.209]

5.12.1 Toolbar

The toolbar of the Timeline view contains the following buttons:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated t
eport Generation Criteria

- Select Report: Select the type of report to generate and the format, if applicable.
  - Snapshot of Current Analysis: report on the currently open views and their annotations.
  - Alert Summary: report on the alerts that have been generated.
  - Repeat Offender List: report on devices that have caused multiple alerts.
- Configure Report Options (if applicable):
  - Include alerts only in this range: if unchecked, all dates will be included.
  - Include alerts only from these locations: if none selected, all locations will be included.
  - Include only severity: select the severities to report on.
  - Include only status: select the statuses to report on.
  - Organize alerts by: select how alerts should be grouped. One of Alert Pattern, Alert Status, Device, Location, Severity.
  - Analyst Name: name to be inserted into the report template when generating the report. The default analyst name can be changed in the Reporting preferences (Window > Preferences) or by modifying the Analyst Name and generating a new report.
- Output Directory: Browse to the location where the report should be saved. The default directory can be changed in the Reporting preferences (Window > Preferences) or by modifying the path and generating a new report.
- Output File: The filename to be used when saving the report.
- Open report after generation: If this is checked, the report will automat
epresentation of the networks checked in the Device Explorer. The Navigator view is helpful for visualizing and navigating large amounts of data. As nodes are selected in the tree, the view changes its focus to that item, maximizing screen space. This view also provides extensive grouping, aggregation, filtering and searching capabilities.

In the example below, color darkness is used to indicate groups with a greater count. Alternatively, coloring can be based on packets or on the number of clients connected to the network. Here we see that the bulk of the networks are of type infrastructure; we know this from the darker color and the count of 6 displayed in the label.

[Figure: Navigator view with the groups ad hoc (1), WPA (3), infrastructure (6), WEP (1), probe (1) and Unencrypted (2), and a search box]

5.10.1 Selection Highlighting

If a node has not been expanded, double-clicking it will focus on that node and expand any available children. If an item represents a specific device in the data set, selecting it will cause it to become highlighted, and all the other views within MeerCAT will highlight that item as well. In addition, if you hold the SHIFT key and select an item, the item becomes highlighted together with all of its children. For example, if you hold SHIFT and click to select the WPA node, all devices that have WPA enabled will become highlighted in all of the views. By holding CTRL
eral

[Figure: Geo View Colors preference page]

b. Select the attribute that the device color will represent: Encryption, Classification or Channel.
c. Click on any color button to select the color code for the selected attribute value (for example Unknown, Misconfigured, Not Misconfigured, No Configuration, Other, Selected).

Tip 3: The network color is preconfigured to represent device classification. The defaults are Blue = Secure/Trusted, Red = Unsecure/Rogue, Purple = Friendly, Orange = Misconfigured.

5.5.2 Controls

Mouse with scroll wheel:
Pan: left mouse button click and drag (all directions), or arrow keys, or double left-click an area.
Zoom: use the scroll wheel on the mouse, or hold CTRL and arrow up/down on the keyboard, or use the zoom in and zoom out keys.
Tilt: right mouse button click and drag up and down, or use PAGE UP and PAGE DOWN on the keyboard, or hold SHIFT and arrow up/down on the keyboard.
Rotate: right mouse button click and drag left and right, or hold SHIFT and arrow left/right on the keyboard.
Stop: Spacebar.
Reset Heading: N.
Reset all: R.

Single-button mouse:
Pan: left mouse button click and drag (all directions), or left mouse button click once to center the view, or arrow keys, or double left-click an area.
Zoom: hold CTRL on the keybo
etworks have a shorter range than those of 802.11b/g.

802.11b signals in the 2.4 GHz frequency spectrum and supports a data rate of up to 11 Mbps. It is an expansion of the original standard and became the dominant technology for wireless LANs of its era.

802.11g signals in the 2.4 GHz frequency spectrum and supports a data rate of up to 54 Mbps. It is backwards compatible with 802.11b.

802.11n was the newest IEEE WiFi standard at the time this manual was written. It uses multiple wireless signals and multiple-input multiple-output (MIMO) antennas, signals in both the 2.4 GHz and 5 GHz frequency spectrums and supports data rates well above 100 Mbps (up to 600 Mbps with four spatial streams and 40 MHz channels).

IEEE 802.1X: An IEEE standard for port-based network access control. A device connecting to a wireless (or wired) network must complete an EAP authentication exchange through the access point before it is allowed to pass traffic; the standard carries the exchange but the actual credential check is done by the chosen EAP method and a RADIUS or similar authentication server.

Ignored: A Status intended to describe a false-positive Alert, or one that should simply be disregarded.

Infrastructure: A mode of operation in which devices communicate through an access point that functions as the connection point to a wired network.

IP Address: A number assigned to a device that is part of a network using the Internet Protocol for communication.

LAP: The Lower Address Part (last three octets) of a Bluetooth address. It is transmitted with every Bluetooth packet. See also NAP, UAP.

Local Radiation Field: A display of an access point's interp
ference screen shown below.

Use the Restore Defaults button to switch back to the original MeerCAT default.

[Figure: Import preferences page with "Zoom to Location after import" and the Bulk Import default folder (C:\Users\ChrisE\Documents)]

9.4 Maintain Perspectives

MeerCAT allows users to tailor different views to suit a particular style of analysis and type of task. Once these view settings (which views are showing, which options have been invoked, which zoom level is in effect, etc.) have been created, they can be saved so that the workspace can be restored at any time. A list of available perspectives is available through the Window > Open Perspective submenu. The same list is available through MeerCAT Preferences: open Window > Preferences and select Perspectives from the option list on the left.

[Figure: Perspectives preference page listing Flow Analysis, Geographic Analysis (default) and Temporal Analysis]

To remove a perspective, highlight it and click Delete.

9.5 Reporting Options

By default, reports created using MeerCAT are written to a default folder, e.g. C:\Users\username.DOMAIN\MeerCAT\reports on Windows 7. A different folder can be specified by selecting Window > Preferences from the main menu and then selecting the Reporting option from the list on the left of the screen. This screen also permits the default analyst's name to be change
ficial in alerting you to security concerns or validating whether a corrective action has resolved an issue. Additionally, it is possible to determine whether a device that was present in an earlier detection run is absent in a later run, or vice versa. Choose the detection runs you want to compare by holding the SHIFT or CTRL key down while selecting them, then check off the attributes you want to compare.

The devices that remain match the comparison criteria you have selected, grouped by the property in which the change occurred.

[Figure: Device Explorer after a comparison of the Demo location, grouped into SSID (19 networks, for example Aironet_A0:9F:A9 (cloaked), Cisco_E2:22:70 (cloaked), BestBuy, tmobile, linksys) and Removed (285 networks)]

[Figure: Compare Detection Runs dialog ("Select Detection Runs and properties to compare") listing the detection runs for the Demo location by date and time, and the properties to compare]
hows a list of detection runs; expanding each detection run will show the individual devices that were detected on that run.

Networks: Displays the latest history for all devices detected across all detection runs. The user can then select a network and look at the Device History view to see the instances when the device was seen, if Link With Selection is enabled in that view. If a particular historical instance is selected within the Device History view, that instance will be shown instead of the latest, except in the Networks and Clients table views.

Compare Detection Runs: Allows the user to select detection runs and compare them by showing only the devices that changed from one detection run to another, by looking at several attributes.

Filter Wireless Networks: Shows only wireless devices that fit criteria specified by the user in the selection window.

View Menu: Allows the user to change the order in which the devices show up (sorting) and optionally group the devices by a criterion (e.g. grouped by encryption type). You can also export or import the list of items that are currently checked off in the Device Explorer.

5.2.3 Illustrative Discovery Comparison Examples

With Compare Detection Runs you can see if a particular network has changed its channel, location, encryption, SSID or type, which is bene
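As an added worked example of what Compare Detection Runs computes (example code for this page, not MeerCAT's implementation), the Python below diffs two constructed detection-run snapshots by the attributes named above, groups the changes by the property in which they occurred, lists networks removed or added between the runs, and goes one step further than the text by flagging the two changes an analyst most wants to see: an encryption downgrade on a known network and a newly seen BSSID advertising an existing SSID with different encryption. The BSSIDs, SSIDs and attribute values are constructed.

```python
# Constructed detection-run snapshots (not MeerCAT data).  Each run maps a
# network BSSID to the attributes Compare Detection Runs can compare.
COMPARE_FIELDS = ("channel", "location", "encryption", "ssid", "type")

RUN_EARLIER = {
    "00:11:22:33:44:01": {"ssid": "corp-wifi", "channel": 6, "encryption": "WPA2",
                          "type": "infrastructure", "location": "Demo"},
    "00:11:22:33:44:02": {"ssid": "guest", "channel": 11, "encryption": "WPA2",
                          "type": "infrastructure", "location": "Demo"},
    "00:11:22:33:44:03": {"ssid": "printer-setup", "channel": 1, "encryption": "None",
                          "type": "ad hoc", "location": "Demo"},
}

RUN_LATER = {
    "00:11:22:33:44:01": {"ssid": "corp-wifi", "channel": 11, "encryption": "WPA2",
                          "type": "infrastructure", "location": "Demo"},
    "00:11:22:33:44:02": {"ssid": "guest", "channel": 11, "encryption": "None",
                          "type": "infrastructure", "location": "Demo"},
    "00:11:22:33:44:04": {"ssid": "corp-wifi", "channel": 6, "encryption": "None",
                          "type": "infrastructure", "location": "Demo"},
}


def compare_runs(earlier, later, fields=COMPARE_FIELDS):
    """Report what changed between two detection runs.

    Returns a dict with:
      'removed': BSSIDs seen in the earlier run but absent from the later one,
      'added'  : BSSIDs that appear only in the later run,
      'changed': {field: [(bssid, old_value, new_value), ...]} for networks seen
                 in both runs whose selected attributes differ, grouped by the
                 property in which the change occurred, as the Device Explorer does.
    Only the attributes listed in `fields` (the checked-off properties) are compared.
    """
    earlier_ids, later_ids = set(earlier), set(later)
    report = {
        "removed": sorted(earlier_ids - later_ids),
        "added": sorted(later_ids - earlier_ids),
        "changed": {},
    }
    for bssid in sorted(earlier_ids & later_ids):
        for field in fields:
            old, new = earlier[bssid].get(field), later[bssid].get(field)
            if old != new:
                report["changed"].setdefault(field, []).append((bssid, old, new))
    return report


def security_findings(earlier, later, report):
    """Changes that deserve an analyst's attention, as (bssid, reason) pairs.

    1. a network seen in both runs whose encryption dropped to open or WEP,
    2. a newly seen BSSID advertising an SSID already known from the earlier run
       but with different encryption (a possible rogue or evil-twin access point).
    """
    weak = {"None", "WEP", "WEP40", "WEP104"}
    findings = [(bssid, f"encryption downgraded {old} -> {new}")
                for bssid, old, new in report["changed"].get("encryption", [])
                if new in weak]
    known = {attrs["ssid"]: attrs["encryption"] for attrs in earlier.values()}
    for bssid in report["added"]:
        ssid, enc = later[bssid]["ssid"], later[bssid]["encryption"]
        if ssid in known and known[ssid] != enc:
            findings.append((bssid, f"new BSSID advertises known SSID {ssid!r} "
                                    f"with {enc} instead of {known[ssid]}"))
    return findings


if __name__ == "__main__":
    report = compare_runs(RUN_EARLIER, RUN_LATER)
    for field, changes in report["changed"].items():
        print(f"{field}:")
        for bssid, old, new in changes:
            print(f"  {bssid}: {old} -> {new}")
    print("removed:", report["removed"])
    print("added  :", report["added"])
    for bssid, reason in security_findings(RUN_EARLIER, RUN_LATER, report):
        print("FINDING", bssid, reason)
```

Restricting `fields` reproduces the effect of checking off only some properties in the dialog: comparing on SSID and type alone reports no changes for these two runs, although the encryption downgrade is still there.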
ically open after being generated, in the default viewer for the selected document format (Word or PowerPoint).

Note: The associated application will launch automatically on Windows. On Linux, save the file and then open it with OpenOffice or a compatible application.

[Figure: Report Parameters dialog. Select Report: Snapshot of Current Analysis (document or presentation), Alert Summary (document or presentation), Repeat Offender List (document). Configure Report Options: Include alerts only in this range (Start 6/11/2012 3:16:23 PM, End 7/10/2012 3:16:23 PM, with shortcuts 15 days ago, 5 days ago, Yesterday, Today); Include alerts only from these locations (Demo); Include only severity (Low, Medium, High); Include only status (Pending, Notified, Resolved, Ignored); Organize alerts by (Alert Pattern); Analyst Name (ChrisE). File Save Location: Output Directory C:\Users\ChrisE\MeerCAT\reports, Output File "MeerCAT Report 2012-07-10", Open report after generation.]

8.2.2 Copy Screenshot of Active View

This menu option will copy the active view to your system's clipboard. This can be useful if you simply want to paste the view into another application. Ctrl+Shift+C is the shortcut key for this operation.
import dialog as illustrated above.

4.6 Manufacturers

MeerCAT determines the manufacturer of each device from its MAC address. If some manufacturers are appearing as Unknown, it is possible that a newer version of the manufacturers list containing a mapping is available. To update the manufacturers list, go to the Manufacturers section of the Preferences (Window > Preferences).

[Figure: Manufacturers preference page. "Click Update to download and install the latest manufacturer information. Alternatively, if you do not currently have a connection to the internet, choose a previously downloaded Wireshark manuf file" (Path, Browse). "The latest manuf file is always available from https"]

The list can be updated either online or from a previously downloaded file. Note that the lookup only identifies the vendor that registered the address block: a device with a spoofed MAC address is attributed to whichever vendor owns that prefix, and a locally administered (for example randomized) address is not attributable to any vendor at all.

5 Using MeerCAT Fundamental Tools

5.1 MeerCAT Console

The MeerCAT Console provides multiple coordinated views of the same data for faster incident investigation. You can select a device of interest in one MeerCAT window, which will highlight the device in all other views to provide you with various perspectives.

5.2 Device Explorer View

The Device Explorer view shows the imported discovery runs and lists the detected networks and connected clients for each ru
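The manufacturer lookup described above, and the phone-chipset OUI heuristic from the FAQ, both come down to matching a MAC address prefix against a table. The following added Python example (written for this page; not MeerCAT's code and not the real Wireshark file) parses a constructed excerpt in the layout of the Wireshark manuf file (tab-separated prefix, short name and optional long name, with a /bits suffix for blocks narrower than 24 bits), performs a longest-prefix lookup, checks the locally administered bit, and applies the phone heuristic against a constructed stand-in for MeerCAT's OUI list. The vendor assignments in the sample are illustrative only.

```python
import re

# Constructed excerpt in the layout of Wireshark's manuf file (tab-separated:
# prefix, short name, optional long name; a /bits suffix marks a block smaller
# than 24 bits).  Vendor assignments are illustrative, not authoritative.
SAMPLE_MANUF = """\
# Comment lines and blank lines are ignored
00:00:0C\tCisco\tCisco Systems, Inc

00:1F:3F\tAVMAudio\tAVM Audiovisuelles Marketing und Computersysteme GmbH
00:50:C2:00:00:00/36\tMicrosof\tMicrosoft
00:50:C2:00:10:00/36\tTegal\tTegal Corp
00:A0:F8\tSymbolTe\tSymbol Technologies
"""

# Constructed stand-in for MeerCAT's internal list of phone chipset OUIs.
PHONE_CHIPSET_OUIS = {"00:1F:3F"}

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def _mac_int(mac):
    """48-bit integer value of a MAC written with ':' or '-' separators, or none."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def parse_manuf(text):
    """Parse manuf-format text into {(prefix_bits, prefix_value): vendor_name}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        prefix, short_name = fields[0], fields[1]
        long_name = fields[2].lstrip("# ").strip() if len(fields) > 2 else ""
        bits = None
        if "/" in prefix:
            prefix, bits_text = prefix.split("/", 1)
            bits = int(bits_text)
        digits = _NON_HEX.sub("", prefix)
        if bits is None:
            bits = len(digits) * 4            # a plain OUI is 24 bits
        value = int(digits.ljust(12, "0"), 16) >> (48 - bits)
        table[(bits, value)] = long_name or short_name
    return table


def lookup_manufacturer(mac, table):
    """Longest-prefix match of a MAC against the parsed table, or 'Unknown manufacturer'."""
    mac_value = _mac_int(mac)
    for bits in sorted({bits for bits, _ in table}, reverse=True):
        name = table.get((bits, mac_value >> (48 - bits)))
        if name:
            return name
    return "Unknown manufacturer"


def is_locally_administered(mac):
    """True if the U/L bit of the first octet is set; such addresses carry no vendor OUI."""
    return bool((_mac_int(mac) >> 40) & 0x02)


def is_phone(mac, phone_ouis=PHONE_CHIPSET_OUIS):
    """The manual's heuristic: the OUI of the MAC is in the phone chipset list."""
    digits = _NON_HEX.sub("", mac).upper()
    oui = ":".join(digits[i:i + 2] for i in (0, 2, 4))
    return oui in phone_ouis


MANUF_TABLE = parse_manuf(SAMPLE_MANUF)

if __name__ == "__main__":
    for mac in ("00:00:0C:12:34:56", "00:50:C2:00:1A:BB", "00:50:C2:00:0A:BB",
                "00-1f-3f-80-ec-4e", "02:18:41:26:26:0A"):
        print(f"{mac:20} {lookup_manufacturer(mac, MANUF_TABLE):22} "
              f"local={is_locally_administered(mac)} phone={is_phone(mac)}")
```

The /36 entries show why a naive three-octet dictionary is not enough: 00:50:C2 is split among many registrants, so the 36-bit prefix must be tried before falling back to 24 bits. The last sample address, which has the locally administered bit set, is the kind of BSSID an ad hoc network uses and will never resolve to a vendor however current the manuf file is.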
in this view should draw an immediate red flag. Analyzing part of the edge tooltip between the MULTIPLE IP node and 192.168.2.3, as well as the DNS results, shows that the local wireless client on belkin54g is connected to many home broadband computers on various unreserved ports, possibly indicating that the access point is being used as a gateway by an Internet gamer. Peer-to-peer file sharing and some malware produce the same fan-out pattern, so the traffic itself has to be examined before drawing a conclusion.

In the Berkowitz network we cannot see any IP-layer information because the packets are encrypted. As such, we cannot determine how many or what kind of computers 00:C0:A8:EE:C0:7F is talking to, should 00:1E:E5:59:2E:A2 be a routing interface. This is ideal for a network administrator, because the only thing being broadcast is that there is traffic passing between the access point and one of its clients. Note that the 802.11 headers (both MAC addresses, frame types, sizes and timing) remain visible even on an encrypted network; only the payload is protected.

7.1.9 WiFi LAN Example

[Figure: WiFi Flows view with the controls Graph Type (WiFi Flows, IP Flows), Network Layer Filter (Network layer, Datalink layer), Node Type Filter (Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP), Search Filter (Show only search result), Link Sizes (Total bytes, Total packets, Average packet size), Network Border (Encryption, Classification, Channel, None) and Probe Filter (Show probes, Hide probes, Only probes)]

In the example above we see two wireless clients, 192.168.1.104 and 192.168.1.101, communicating with a local node 192.168.1.255, probably broadcas
isplays eight fields: the name of the device, the time it was detected, the location of detection, its status (Pending, Notified, Resolved or Ignored), the Alert Pattern category, type, severity and a description. The Alerts view enables the user to quickly identify problems and visualize them in the Geo view. To zoom to a particular device in the Geo view, double-click on that device in the Alerts view table, then open the Geo view.

5.16.1 Toolbar

The Alerts view toolbar contains the following buttons:

Alert Patterns: Selecting this button will display the Alert Patterns view.

Filter Alerts: Customize which alerts are displayed in the Alerts view table by selecting this option. The following dialog will be displayed.

[Figure: Filter Alerts dialog ("Select the elements to include") with Date filter (Start date 3/14/2013, End date 3/15/2013), Location filter (Show only alerts from these locations), Severity (Low), Status (Pending, Notified, Resolved, Ignored) and Sync (Filter by visible networks/clients)]

This dialog enables the user to filter alerts by date, location, severity and/or status. The severity filter is a minimum threshold rather than an exact match: the Low setting (as shown) displays all alerts, and the High setting displays only high-severity alerts. Additionally, filtering by currently visible networks/client
kmarks

[Figure: Geo View toolbar dropdown with Bookmarks (Add, Datacenter), Go Home (Alt+Home), Save as Home, Clear Home and Toggle Elevation]

Go Home: Zoom Geo View to the Home location, or set the Home location if it has not been set.
Save as Home: Save the current position as the Home position. Geo View will open at the Home position if it has been defined.
Clear Home: Clear the currently saved Home position.
Toggle Elevation: Toggle between displaying elevation data and a flat globe.
Adhere Icons to Surface: Toggle between displaying icons on the surface of the earth and at their observed altitude according to GPS information.

Bookmarks can be removed or renamed from the Geo Bookmarks preference page.

[Figure: Geo Bookmarks preference page listing the bookmark Datacenter]

Bookmarks are accessible via the dropdown menu in the Geo View toolbar.

5.5.4 3D Specialized Controls

Additional controls are available in this view to supplement navigation within the view. These controls are shown below; the set of controls and buttons can be found in the lower left corner of the Geo View.

[Figure: 3D navigation controls]

Directional Control: Use this control to move the 3D image left, right, up or down.
Rotation: Use these buttons to rotate the image to the left or right.
Tilt: Use these buttons to tilt the image forward or backward.
Vertical Exaggeration: Use these buttons to increase or dec
l remember. If an image by that name already exists in the image list, a dialog will pop up asking whether you would like to go back or overwrite the previous item on the image list.

5.19.2 Displaying Images

To display an image, simply select it from the image list at the top of the view. All images that have been successfully added will be in this list, represented by the name given during the add image process.

5.19.3 Removing Images

To remove an image, select it in the image list and click on the Remove button at the top of the view. This will delete the image from the list.

5.19.4 User Controls

In the Image Viewer there are a number of mouse and keyboard controls that assist in viewing the image. Use the mouse wheel to zoom in and out of the image; likewise, the Page Up and Page Down keys zoom in and out of the image respectively. Click and hold the left mouse button anywhere in the display and move the mouse to pan the image up, down, left or right; likewise, the arrow keys can be used to pan the image around the display.

5.19.5 Toolbar

The toolbar of the Image Viewer contains the following buttons:

Zoom to Fit: This option will refit the image to the size of the current display.
Previous Image: This option brings up the previous image in the viewer's image list.
Next Image: This option brings up
le, you can easily browse and sort through the various categories of detected devices to quickly validate unauthorized devices.

[Figure: Networks view table with the columns SSID, BSSID, Encryption (for example WEP40, None, AES-CCM), Classification (Unknown), Manufacturer (for example Actiontec Electronics, Apple Inc, Cisco-Linksys, Cisco Systems, Hon Hai Precision, Sychip Inc), Mission, Is Flagged (Not flagged), Tags and Network Type (infrastructure, ad hoc, probe); sample SSIDs include Free Public WiFi, geeksquad and SIMON WiFi]

5.3.1 Toolbar

The toolbar of the Networks view contains the following button:

History Mode
n. It enables you to view, analyze and filter wireless discovery and security data by a range of variables such as device type, manufacturer, SSID and other device properties. The Device Explorer also provides a number of tools for coordinating other MeerCAT Console views and identifying the attributes of detected wireless devices.

1. Expand each discovery run to display the individual networks detected. Click on the arrow symbol adjacent to each session run to expand the view of detected networks (see the sample below showing the circled icon).

[Figure: Device Explorer tree with a discovery run (8/16/11 2:04 PM, 278 networks) expanded to show detected networks such as Apple_06:D8:76, Belkin_C1:81:97, Cisco_57:47:EE and Cisco_CD:D8:F3 (cloaked), with WPA and client counts]

Tip 1: The number of detected networks in a discovery run is the number adjacent to the run.

Tip 2: Networks with unknown locations are annotated with a mark on the device icon.

2. Expand each discovered network to show the discovered clients connected to that network. Click on the arrow symbol adjacent to ea
[Figure: Clients view table with the columns Classification (Unknown), Is Flagged (Not flagged), Tags, Manufacturer (for example Cisco Systems, ARRIS Group Inc, Symbol Technologies, Apple Inc, Hewlett Packard), IP Address (for example 192.168.1.2, 192.168.1.106) and Last Seen]

The toolbar of the Clients view contains the following button:

History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of the particular wireless client(s) in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular client(s).

5.5 Geographic View

Modern network management tools integrate 3D geographic tools with network diagrams to improve legibility and provide logical groupings of sub-networks. In MeerCAT, the Geo View provides this capability.

5.5.1 Tour of
nTerra Aerial with Labels</DisplayName>
  <Service serviceName="OGC:WMS" version="1.1.1">
    <GetCapabilitiesURL>http://wms.onterrasystems.com/WMSService.svc/key/WMSLatLon?request=GetCapabilities</GetCapabilitiesURL>
    <GetMapURL>http://wms.onterrasystems.com/WMSService.svc/key/WMSLatLon</GetMapURL>
    <LayerNames>OnTerraWMS</LayerNames>
    <StyleNames>AerialWithLabels</StyleNames>
  </Service>
  <RetrievePropertiesFromService>true</RetrievePropertiesFromService>
  <LastUpdate>26 93 2009 00:00:00 GMT</LastUpdate>
  <DataCacheName>OnTerra AerialWithLabels</DataCacheName>
  <ImageFormat>image/png</ImageFormat>
  <AvailableImageFormats>
    <ImageFormat>image/png</ImageFormat>
  </AvailableImageFormats>
  <FormatSuffix>.png</FormatSuffix>
  <TileOrigin>
    <LatLon units="degrees" latitude="-90" longitude="-180"/>
  </TileOrigin>
  <LevelZeroTileDelta>
    <LatLon units="degrees" latitude="36" longitude="36"/>
  </LevelZeroTileDelta>
  <TileSize>
    <Dimension width="512" height="512"/>
  </TileSize>
  <Sector>
    <SouthWest>
      <LatLon units="degrees" latitude="-85" longitude="-180"/>
    </SouthWest>
    <NorthEast>
      <LatLon units="degrees" latitude="85" longitude="180"/>
nographic representation of device classification and security status allows users to immediately identify wireless devices that present risks to their networks. Device details include the SSID, location coordinates, encryption type and configuration.

- Maps Access Point Coverage and Channels: MeerCAT generates wireless coverage maps based upon the location and RF signal strength of detected access points from wardrives. It displays RF signal coverage areas to help users identify interference by neighboring networks and unauthorized stations, and signal spillage in unsecured perimeters.

- Charts Channel Usage: MeerCAT charts the RF channel distribution for all detected networks. A histogram displays the frequency distribution of access points on each channel to determine potential interference.

- Displays Events and Changes: MeerCAT users can interactively compare the results of wardrives with comparative views between two points in time, such as before and after remediation. Geospatial and topological views allow users to track wireless asset movement and state changes over time.

- Helps Analyze Device Behavior Over Time: MeerCAT users can benefit from the ability to analyze the activity of suspicious wireless devices over time. Events and trends can be viewed over days, weeks or even months to help improve network security posture, assist in forensic inves
(Screenshot: Tags dialog listing Mission Mapping, Fixed retail and Residential tags, with Copy and Delete options)

Existing tags can also be selected by choosing Other. Use the following screen, which also allows new tags to be added as needed.

(Screenshot: Tag dialog: "Enter or select a tag name", listing Federal Installations, Fixed retail, Residential)

Once defined, tags can be maintained through the Preferences menu. Select Main Menu > Window > Preferences and then the Tags option from the list on the left. The window shown below allows tags to be added, deleted or renamed. Select New to create a new tag. To remove or rename a tag, first highlight it, make changes as needed, then select Rename or Remove as appropriate.

(Screenshot: Tags preference page listing Federal installations, Fixed retail, Residential)

10 Frequently Asked Questions

1. The geographic globe appears but no imagery is displayed, only a halo outline.

This is commonly attributed to an outdated video card driver. Follow these steps to update your driver.

Step 1: These instructions are for Windows RD users. On the desktop, right-click and select Properties. This will bring up the Display properties panel.

Step 2: At the top of the window, click on the Settings tab. This will bring up detailed information for graphics and re
number of points that are stored in the database. The default setting is 3 meters; this means that if two points are less than 3 meters apart, they will be combined and treated as one point. Increasing this threshold will allow more points to be combined and reduce the number of points that need to be stored. If you have a very long detection run, you may wish to increase this threshold in order to reduce the time it takes to import the data.

4. On the Packet Data file edit control, click Browse and then search for the folder with the Kismet Packet Data file (.pcap, .dump or .pcapdump) you want to import into MeerCAT. This file is optional, but if selected it will provide data for the Flows and Flow Details packet views.

5. On the Location name edit, enter the name of the location you would like to import the data into, such as the name of the site or building that was scanned. If you perform subsequent scans of the same location, you should select that location in the dropdown menu. If no location is specified, the data will be added to an Unspecified Location entry.

6. Once you have selected the file, click OK to import the data into the MeerCAT database.

7. To import more than one file, repeat Steps 1-5 above for each file you choose to import for analysis.

4.2 Importing NetStumbler Data

1. To import NetStumbler data you have colle
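The distance threshold described above can be illustrated with a small point-merging routine. This is an added example, not MeerCAT's own import code: it assumes a sequential rule (each raw point is compared with the last point that was kept, and the kept point retains the first position), uses a haversine distance, and runs over a constructed GPS track with placeholder coordinates.

```python
"""Merge GPS track points that lie closer together than a distance threshold.

Added example; not MeerCAT code. The sequential merge rule (compare each
raw point with the last kept point) is an assumption about how the import
threshold is applied, and the track below is constructed sample data.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def merge_points(points, threshold_m=3.0):
    """Collapse points within threshold_m of the last kept point into that point.

    Returns a list of {"pos": (lat, lon), "count": n} records, where count is
    the number of raw points each stored point stands for.
    """
    merged = []
    for lat, lon in points:
        if merged and haversine_m(merged[-1]["pos"], (lat, lon)) < threshold_m:
            merged[-1]["count"] += 1          # close enough: treat as the same point
        else:
            merged.append({"pos": (lat, lon), "count": 1})
    return merged


def stored_point_count(points, threshold_m=3.0):
    """How many points would reach the database for a given threshold."""
    return len(merge_points(points, threshold_m))


# Constructed track: 1e-5 degrees of latitude is about 1.11 m, so the points sit
# roughly 0, 1.1, 2.2, 5.6, 6.7 and 22.2 m along a line (placeholder location).
TRACK = [
    (40.00000, -73.00000),
    (40.00001, -73.00000),
    (40.00002, -73.00000),
    (40.00005, -73.00000),
    (40.00006, -73.00000),
    (40.00020, -73.00000),
]

if __name__ == "__main__":
    for threshold in (3.0, 10.0):
        kept = merge_points(TRACK, threshold)
        print(f"threshold {threshold} m: {len(kept)} of {len(TRACK)} points stored,",
              "counts", [k["count"] for k in kept])
```

Raising the threshold from 3 m to 10 m collapses the first five sample points into one stored point, which is the trade-off the text describes: fewer rows to import at the cost of positional detail.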
o show only the selected instance of the particular network.

Zoom In: This option will increase the calendar scale, as pictured above. Zoom In is also available using Ctrl + mouse wheel up.

Zoom Out: This option shrinks the calendar scale. Zoom Out is also available using Ctrl + mouse wheel down.

Reset Zoom: This option returns the timeline to its default view.

Networks: Lists all discovered network devices and shows an event indicator on dates network devices were actually detected.

(Screenshot: Timeline view in Networks mode)

Networks with Clients: Lists all discovered network devices with an event indicator shown on dates when clients were attached to those networks. Individual event indicators are shown for individual clients. In this view, holding the mouse over an event indicator will show a pop-up window with the client details.

Clients and Networks: Lists all discovered clients with an event indicator on dates they connected to network devices. Holding the mouse over an event indicator will show a pop-up with the individual network device details.

(Screenshot: Timeline view with event indicators around Aug 24, 2008)
oadcast messages to the air through the access point, this should draw a red flag, if not for security issues then for performance, since large broadcast domains can cripple network performance.

(Screenshot: WiFi Flows graph with the filter pane; broadcast and multicast nodes such as 01:00:5E:xx:xx:xx and 33:33:00:00:00:0C are visible)

In trying to figure out what's going on here, we can run a quick search for Data frames. IEEE 802.11 frames contain a type and subtype field which describes what kind of frame is being transmitted. There are three major types (Data, Management and Control) and each one has a number of subtypes associated with it. It turns out that all of these nodes are broadcasting data (rather than beacon frames, for example, which don't always imply a connection), so it's safe to assume that all of these nodes lie in the same broadcast domain. A more important thing to notice here is that none of these data link layer MAC addresses can be considered
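The type/subtype decoding behind the "search for Data frames" step looks like this. It is an added example, not MeerCAT code: it decodes the 802.11 Frame Control field and the To-DS/From-DS address roles, then counts which source addresses send Data frames to the broadcast address, which is the "same broadcast domain" reasoning above. The frames are constructed MAC headers (no radiotap header, no FCS) with locally administered placeholder MACs.

```python
"""Classify IEEE 802.11 frames by type/subtype and list broadcast data senders.

Added example (not MeerCAT code). The frames below are constructed 802.11 MAC
headers (no radiotap header, no FCS) using locally administered placeholder MACs.
"""
import struct
from collections import Counter

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
# Only the subtypes used in the sample are named; others are reported numerically.
SUBTYPE_NAMES = {(0, 8): "Beacon", (0, 4): "Probe Request", (1, 13): "ACK",
                 (2, 0): "Data", (2, 8): "QoS Data"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(fc, addr1, addr2=None, addr3=None):
    """Build a minimal MAC header: Frame Control, Duration, addresses, Sequence Control."""
    hdr = struct.pack("<H", fc) + b"\x00\x00" + _mac_bytes(addr1)
    if addr2 is not None:
        hdr += _mac_bytes(addr2)
    if addr3 is not None:
        hdr += _mac_bytes(addr3) + b"\x00\x00"
    return hdr


def parse_frame(frame):
    """Decode type/subtype, To-DS/From-DS and the DA/SA/BSSID roles of the address fields."""
    if len(frame) < 10:
        raise ValueError("frame shorter than the minimum 802.11 header")
    fc = struct.unpack_from("<H", frame, 0)[0]      # Frame Control is little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = bool(fc & 0x0100)
    from_ds = bool(fc & 0x0200)
    addrs = [_mac_str(frame[o:o + 6]) if len(frame) >= o + 6 else None
             for o in (4, 10, 16, 24)]               # addr4 (WDS) sits after Sequence Control
    da = sa = bssid = None
    if ftype in (0, 2):                              # management and data frames
        if not to_ds and not from_ds:                # IBSS or management: DA, SA, BSSID
            da, sa, bssid = addrs[0], addrs[1], addrs[2]
        elif from_ds and not to_ds:                  # AP -> station: DA, BSSID, SA
            da, bssid, sa = addrs[0], addrs[1], addrs[2]
        elif to_ds and not from_ds:                  # station -> AP: BSSID, SA, DA
            bssid, sa, da = addrs[0], addrs[1], addrs[2]
        else:                                        # WDS: RA, TA, DA, SA
            da, sa = addrs[2], addrs[3]
    else:                                            # control frames: RA and optional TA
        da, sa = addrs[0], addrs[1]
    return {"type": TYPE_NAMES[ftype],
            "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
            "to_ds": to_ds, "from_ds": from_ds, "da": da, "sa": sa, "bssid": bssid}


def type_counts(frames):
    """Histogram of major frame types (the 'quick search for Data frames' view)."""
    return Counter(parse_frame(f)["type"] for f in frames)


def broadcast_data_senders(frames):
    """Source MACs that send Data frames to the broadcast address, with counts."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p["type"] == "Data" and p["da"] == BROADCAST:
            counts[p["sa"]] += 1
    return counts


AP = "02:00:00:00:aa:01"      # placeholder access point BSSID
STA1 = "02:00:00:00:bb:01"    # placeholder stations
STA2 = "02:00:00:00:bb:02"

# Constructed sample: one beacon, three broadcast data frames, one ACK.
SAMPLE_FRAMES = [
    build_frame(0x0080, BROADCAST, AP, AP),        # Beacon: DA=broadcast, SA=BSSID=AP
    build_frame(0x0108, AP, STA1, BROADCAST),      # Data, To-DS: BSSID=AP, SA=STA1, DA=broadcast
    build_frame(0x0208, BROADCAST, AP, STA2),      # Data, From-DS: DA=broadcast, BSSID=AP, SA=STA2
    build_frame(0x0108, AP, STA1, BROADCAST),      # second broadcast from STA1
    build_frame(0x00d4, STA1),                     # ACK: only a receiver address
]

if __name__ == "__main__":
    print(type_counts(SAMPLE_FRAMES))
    print(broadcast_data_senders(SAMPLE_FRAMES))
```

The beacon is excluded from the broadcast-domain count even though it is addressed to ff:ff:ff:ff:ff:ff, because it is a Management frame; only Data frames to the broadcast address are taken as evidence that a sender shares the domain.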
olated signal strength.

A user-defined term used to represent an area at which a detection run took place. It serves as a filtering criterion in the Device Explorer and Alerts table.

Media Access Control address: A unique hardware identifier of a node in a network. It is a 48-bit address space, written in hexadecimal in the form XX:XX:XX:XX:XX:XX.

A network with a configuration that does not match its known configuration.

A user-defined term that allows an analyst to identify and group devices belonging to the same function.

The Nonsignificant Address Part: first two octets of a Bluetooth address. See also LAP, UAP.

Network: A device serving as an access point.

Notified: A Status intended to describe an Alert whose existence has been passed along to security personnel.

Pairwise Cipher: An encryption cipher used for unicast data between a station and access point. If known, this can be WEP40, TKIP, CCMP, WEP104.

Pending: A Status intended to describe an Alert that has not yet been handled by security personnel. This is the default status of an incoming alert.

Probe: Used to describe a device that is monitoring or collecting data about a network.

PSK: Pre-Shared Key. An authentication method where both access point and all clients share the same key.

Radial Detection Distribution: Please see the
ontr

Above is an example of the three views that wired capture data has an effect on in MeerCAT.

7.3.1 Wired Captures View

In the Wired Captures view, each wired capture that was imported is listed and may also be removed by right-clicking on the capture and selecting Delete. Checking off the capture will make the capture data visible to any view that will handle it.

7.3.2 Flows View

In the Flows view, wired capture data is only considered when the graph is in IP Flows mode. For more information on the Flows View, see the Flows View help section.

7.3.3 Flow Details View

In the Flow Details view, wired data is displayed just like wireless data, except the BSSID and SSID fields will be blank for each of these flows, as there are no associated wireless networks.

8 Reporting

8.1 Reporting Features

MeerCAT contains various ways to report and present the results of an audit or security analysis. This includes copy to clipboard, exporting a view to an image file, drag and drop of views to other applications, e-mailing views, and template-based report generation to Word or PowerPoint. Most of these features are available via the main Report menu. Annotations can also be added to views, which are then included in the report and also in e-mail reports.

8.2 Generate Report

The Report > Generate Report menu creates a document or presentation based on one of a number of templates.

8.2.1 R
or 26 hexadecimal digit key. It has been widely criticized due to a number of weaknesses.

Standard 64-bit WEP that uses a 40-bit key.

Extended 128-bit WEP that uses a 104-bit key.

WiFi Protected Access: A security algorithm developed in response to the weaknesses found in WEP encryption. It uses the TKIP protocol and includes a message integrity check intended to prevent packet tampering.
ow graphs. In this view, with the help of the flow details table, we can see that information is being passed from the IP address 10.31.0.1 to 192.168.1.104 via port 0 in an Internet Control Message Protocol (ICMP) packet. If 10.31.0.1 happens to belong to a router interface on the LAN to which the Linksys access point is connected (which is probably the case), we can identify that not only is the unencrypted Linksys access point a back door to the LAN, but also that a potentially vital network asset's IP address is being exposed through unencrypted radio broadcast.

7.1.10 WiFi Broadcast Domain Example

(Screenshot: WiFi Flows graph with filter pane; selected network details: Manufacturer Cisco-Linksys LLC, Channel 6, WPA Encryption; broadcast and multicast nodes such as 01:00:5E:xx:xx:xx and 33:33:00:00:00:0C are visible)

In this example we see the access point OrientPoint talking to its broadcast MAC address. In addition, there are several other generic data link layer nodes that are also sending broadcast messages through the air. Since it looks like there's over 30 nodes sending br
pe Filter

(Screenshot: Flows filter pane with Node Type Filter (Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP), Link Sizes, Network Border, Probe Filter and Network Filter; node details: Network Layer unknown, Datalink Layer 00:17:3F:03:D8:2E, Wireless Network(s) belkin54g 00:17:3F:03:D8:2E, Manufacturer Belkin Corporation, Channel 1, Encryption WEP, Classification Unknown, Location(s) Kenny's Office, Detection Run(s) 11/15/07 8:52 AM)

Once the data is loaded, the display will lay out the graph, and a small overview mini-map at the top right of the filter shows the entire graph as well as a red box representing the area viewable in the main display.

7.1.1 Graph Type

There are two modes in which the Flows graph can be displayed: IP Flows and WiFi Flows (the default). Both graphs represent the same data set, using a different method for building the actual graph. WiFi Flows uses the data link layer addresses of packet flows to distinguish between nodes and then layers any IP information on top of that; IP Flows does the opposite. That is, each node in the WiFi Flows graph belongs to a unique MAC address (there may be several Multicast MAC nodes with
positions the nodes depicted in the View so that all the edges are of more or less equal length, and which minimizes the crossing edges as much as possible. The number of seconds during which this technique is applied can be controlled by specifying the duration. As of this writing, the default is 8 seconds (seen in the screenshot above).

9.2 General Colors

Colors can be helpful in highlighting specific areas of interest throughout MeerCAT. To further manage color settings, it is possible to color wireless networks and clients identified by MeerCAT according to Encryption, Channel, Classification or Mission. To perform such customization, select the Window > Preferences submenu. Then choose General Colors. As shown below, select the type of coloring to be performed from the dropdown menu.

(Screenshot: General Colors preference page. Devices: Network color (Encryption), Network Topology stage color (Encryption), Client color (Encryption). Encryption: WPA, WEP, Other, Unencrypted. Classification: Trusted, Friendly, Rogue, Unknown. Misconfigured: Misconfigured, Not Misconfigured, No Configuration. Other: Selected. Note: Channel colors are fixed; see the Channels view for the legend. Restore Defaults button.)

9.3 Import

By default, MeerCAT looks for data to import in a default user-specific folder, e.g. C:\Users\username.DOMAIN\Documents (Windows 7). This can be changed by accessing the Import pre
r Chart: Alert Pattern Trend, Alert Patterns, Alert Severities, Alerts by Location, Alerts by Severity, Location, Encryption by Date, Encryption by Network Type, Encryption Totals, Network Types, Networks by Day, Top 10 Manufacturers.

Line Chart: Alert Pattern Trend, Encryption by Date.

5.18 Legend View

(Screenshot: Legend view listing Network Type (Probe, Ad Hoc, Access Point); Encryption (WEP Encryption, WPA Encryption, No Encryption); Network Color: Encryption (WEP Encryption, WPA Encryption, No Encryption, Other); Stage Color: Encryption (Other); Client Color: Classification (Trusted, Friendly, Rogue, Unknown))

The Legend View provides a quick reference to the meaning of certain visual attributes, such as icons and colors, within the various MeerCAT views. It allows the user to quickly see which attribute the network icons are colored by, as well as which attribute the network topology stage is colored by. In addition, icons are provided to show the difference between Probe, Ad Hoc and Access Point (or infrastructure) wireless networks as they appear in the various views. The appropriate icons for encryption type are also listed. Finally, next to each entry in the legend
rease vertical exaggeration.

5.5.5 Modifying the Geo View cache location

By default, MeerCAT will cache Geo View imagery to the MeerCATImagery directory within the ProgramData directory (typically C:\ProgramData). The cache location can be changed by modifying the MeerCATDataFileStore.xml file within the MeerCAT directory in the user's home directory (created after the first time MeerCAT is launched). For example, to read from and write to a cache on another drive, or possibly a network share mapped as a drive, MeerCATDataFileStore.xml might look like the following:

<?xml version="1.0"?>
<dataFileStore>
  <readLocations>
    <location wwDir="Z:\MyData\MeerCATImagery"/>
  </readLocations>
  <writeLocations>
    <location wwDir="Z:\MyData\MeerCATImagery" create="true"/>
  </writeLocations>
</dataFileStore>

5.5.6 Adding additional Geo View imagery sources

Additional WMS imagery sources can be added to Geo View by adding configuration files for them to the Geo View cache location (see 5.5.5). For example, to add an aerial-with-labels layer for an OnTerra subscription, a file called OnTerraAerialWithLabels.xml can be placed into the Geo View cache location with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<Layer version="1" layerType="TiledImageLayer">
  <DisplayName>O
red wireless devices. MeerCAT users can also see which assets wireless devices are connecting to. Among the benefits of using MeerCAT to analyze wireless risks:

- Supports post hoc analysis of multiple wireless discovery sessions for periodic security audits and ongoing assessment of external and internal wireless networks.

- Provides interactive and coordinated geospatial, topological and spatio-temporal views to quickly locate potential security issues and efficiently identify relevant vulnerabilities and threats.

- Integrates current and historical information to show trends in the behavior of mobile assets and networks that highlight anomalies.

- Interfaces to a variety of wireless discovery and security tools to provide users the flexibility to use MeerCAT with their preferred tools.

1.3 What are MeerCAT's Key Features & Functions?

- Geo-locates Wireless Devices: MeerCAT visualizes detected wireless devices and their status on 3D geographic maps, topographic satellite imagery and imported floor plans. Users can navigate anywhere on the globe, down to street and building views.

- Generates Network Topology Maps: MeerCAT creates a topological view of detected wireless networks to understand the impact of wireless vulnerabilities and threats. Users can see the detected access points and the clients connected to them.

- Visually Captures Wireless Device Classification and Security Events: MeerCAT's color-coded and user-customizable ico
ring values in the Layout Run Time affects how fast or slow the Flows View loads and how spread out or compact it appears. The range is 0 to 99 seconds. Entering the value of 0 causes the Flows View to load slowly and appear compact. Entering the value of 99 causes the Flows View to load fast and appear more spread out. After changing the value, click Apply, then OK to use the value. Restore the default colors and Layout Run Time by clicking Restore Defaults, then OK.

7.1.6 User Graph Interaction

Clicking on a node or link will globally select its associated network(s), client(s) or flow(s). Double-clicking on a node will select all network, client and flow objects associated with it or its connections. You can select multiple items by holding the CTRL key. Likewise, when a network, client or flow is selected globally, it will be highlighted in the display.

The search box will highlight links and nodes corresponding to a relevant MAC address, IP address, port, port name, network SSID or BSSID, and IEEE 802.11 frame types/subtypes. Typing "www" will highlight all nodes and links with a www port associated with them. Typing "192.168.1" will highlight all nodes and links in the 192.168.1.0/24 network. Clicking on the text matches next to the search box will pop up a list of search results, if there are any. The user can then click on a search result to zoom into that particular item in the graph.

For
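The search-box behaviour described above (a port name such as www, an octet prefix such as 192.168.1 standing for 192.168.1.0/24, and substring matches on MAC, BSSID and SSID) can be written as a small matcher. This is an added example, not MeerCAT's own search code: the node records are constructed with placeholder addresses, and the exact matching rules (octet-aligned IP prefixes, exact port name or number, substring for the rest) are assumptions that reproduce the two examples in the text.

```python
"""Search-box style highlighting over Flows graph nodes.

Added example (not MeerCAT code). The node records are constructed with
placeholder addresses; the matching rules implement the behaviour described
in the text: an IP query is an octet-aligned prefix, a port name or number
matches nodes carrying that port, and MAC/BSSID/SSID match by substring.
"""
import ipaddress

# Constructed sample graph nodes (placeholder values).
NODES = [
    {"id": "ap", "mac": "02:00:00:00:aa:01", "ips": ["192.168.1.1"],
     "ports": [("www", 80)], "ssid": "example-ap", "bssid": "02:00:00:00:aa:01"},
    {"id": "sta1", "mac": "02:00:00:00:bb:01", "ips": ["192.168.1.104"],
     "ports": [], "ssid": None, "bssid": None},
    {"id": "sta2", "mac": "02:00:00:00:bb:02", "ips": ["192.168.10.7"],
     "ports": [("www", 80), ("https", 443)], "ssid": None, "bssid": None},
    {"id": "gw", "mac": "02:00:00:00:cc:01", "ips": ["10.31.0.1"],
     "ports": [], "ssid": None, "bssid": None},
]


def _octets(query):
    """Octet list for a dotted-decimal prefix query, or None if it is not one."""
    parts = query.strip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return parts


def ip_prefix_matches(ip, query):
    """'192.168.1' matches 192.168.1.104 but not 192.168.10.7 (octet-aligned prefix)."""
    octets = _octets(query)
    return octets is not None and ip.split(".")[:len(octets)] == octets


def prefix_to_network(query):
    """The CIDR block an octet prefix stands for: '192.168.1' -> 192.168.1.0/24."""
    octets = _octets(query)
    if octets is None:
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def search(nodes, query):
    """Return the ids of nodes the search box would highlight for this query."""
    q = query.strip().lower()
    if not q:
        return []
    hits = []
    for n in nodes:
        if (any(ip_prefix_matches(ip, q) for ip in n["ips"])
                or q in n["mac"].lower()
                or any(q == name or q == str(num) for name, num in n["ports"])
                or (n["ssid"] is not None and q in n["ssid"].lower())
                or (n["bssid"] is not None and q in n["bssid"].lower())):
            hits.append(n["id"])
    return hits


if __name__ == "__main__":
    for query in ("www", "192.168.1", "10.31", "bb:0", "example"):
        print(f"{query!r:14} -> {search(NODES, query)}")
    print("192.168.1 stands for", prefix_to_network("192.168.1"))
```

The octet-aligned rule is what keeps a query of 192.168.1 from also lighting up 192.168.10.x hosts; prefix_to_network makes the equivalence with the /24 stated in the text explicit.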
This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of the particular wireless network(s) in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s).

5.4 Clients View

The Clients View is a companion to the Networks View, offering another tool to simplify wireless device management and security. The Clients View helps you identify individual client devices based on their properties, including their MAC or IP address, associated network, classification, or when they were last seen. With the Clients View you can easily browse and sort through the various categories of detected client devices to quickly validate unauthorized devices. The Associations column can be useful for finding clients that have made connections to multiple networks.

(Screenshot: Clients view table with MAC, Associated Network and Classification columns, listing client MACs with associated networks such as optimumwifi, UVVO2, EdcOssel, SymbolTe, megahoc v24 and TechTubez)

5.4.1 Toolbar
s View

Another beneficial feature of MeerCAT is that it can display the channel distribution of detected devices. For example, the screen below shows that Channel 6 is most widely used, which is to be expected, since Channel 6 is the default channel used by most access point vendors.

1. Expand a channel to display the individual devices operating at a channel. Click on the right arrow symbol adjacent to each channel to expand the view of detected devices using this channel.

Tip: The number of detected devices operating at each channel is the number adjacent to the bar chart.

(Screenshot: Channels view with per-channel device counts, Channel 6 showing 174)

The Channels View will look like this once the right arrow to the left of a channel is expanded.

(Screenshot: Channels view with Channel 1 expanded, listing devices such as Cisco_70:2E:30, cloaked and brit bridge)

Two Channels View toolbar buttons allow selection of 2.4 or 5 GHz channel usage to be displayed. By n

5.12 Timeline View

The Timeline View displays data in the chronological sequence it was obtained. One can view wireless networks relative to each other on the basis of the time they were obtained. With detection runs on the same route, devices can be compared over time. Tim
s can be specified.

5.16.2 Alert Submenu

Right-clicking on a device in the Alerts view table will display the following submenu:

(Screenshot: submenu with Zoom To, Set Visible, Set Exclusively Visible and Status)

Selecting Zoom To will cause the Geo View to zoom to the selected device. Set Visible will highlight the selected device in various other views and will result in this device being checked in the Device Explorer view. Similarly, Set Exclusively Visible will result in the selected device being the only visible device. Status can be selected to alter the status of the selected alert.

5.17 Dashboard View

The Dashboard View displays three different charts for Alerts or Wireless Networks.

(Screenshot: Dashboard showing an Encryption Totals pie chart (Unencrypted, WPA, WEP), a Top 10 Manufacturers bar chart, and an Encryption by Date line chart of network count from Jan 29, 2013 to Jan 10, 2014)

The top left chart is a pie chart, the top right a bar chart and the bottom a line chart. Each of these charts can depict a number of different data queries, allowing the user to choos
sual results from site surveys and security audits.

2 Getting Help With MeerCAT

2.1 MeerCAT Technical Support

All technical inquiries and bug reports can be submitted via email to meercat-support@securedecisions.com.

2.2 MeerCAT Feedback and Additional Information

Applied Visions, Inc. welcomes and encourages feedback on its products from its customers. Please submit your product inputs, user requirements and feedback to meercat@securedecisions.com.

2.3 Licensing

The MeerCAT software is distributed with license key(s) for each qualified licensed user in your organization. Please refer to your MeerCAT Software License Agreement for terms and conditions. If you require additional licenses, please contact Applied Visions, Inc. at meercat@securedecisions.com.

3 Accessing and Navigating MeerCAT

3.1 Controlling MeerCAT

3.1.1 Coordinated Views

Interactions between two or more views in the MeerCAT workspace are coordinated through MeerCAT's highlighting features. Selecting data in any view highlights the data in yellow in the other views.

(Screenshot: MeerCAT main window with File, View, Report, Window and Help menus, the Device Explorer view and the "Find an SSID or MAC address" (Ctrl+F) search box)
(Screenshot: WiFi Flows node details for linksys 00:12:17:38:E0:D8, Average Packet Size 88.0, with the Search Filter and Link Sizes controls)

(Screenshot: Flow Details table with columns Total Bytes, Total Packets, Average Packet Size, Source IP, Destination IP, Source Port, Destination Port and IP Protocol. The first row is 3 bytes, 1 packet, average 88.0, from 10.31.0.1 to 192.168.1.104, source port 0, destination port 0, Internet Control Message Protocol; the remaining rows are Transmission Control Protocol flows between 192.168.1.101 and public addresses such as 72.247.146.48, 208.67.67.11, 207.68.178.239 and 208.111.160.34 on port www (80), plus a final row with N/A addresses.)

Since we are observing IP communication and there are several IP addresses aggregated into the single node, we switch the graph type over to IP Flows mode. This mode builds the graph nodes based on IP address, giving us a flow graph similar (if not the same) to other network layer fl
t (which we will find out soon) and another MULTIPLE IP node that is labeled "local".

(Screenshot: WiFi Flows graph with the Network Layer Filter, Node Type Filter, Link Sizes, Network Border and Probe Filter controls; node details: Network Layer unknown, Datalink Layer 00:12:17:38:E0:D8, Wireless Network(s) linksys 00:12:17:38:E0:D8, Manufacturer Cisco-Linksys LLC, Channel 6, Unencrypted)

Above we have disabled the network layer information of the graph and can see the similarities between the BSSID of the Linksys access point and the MAC address of the "local" IP node associated with multiple IP addresses in our capture. Again, this suggests that the latter is the interface to which traffic is sent that will pass over a wired network.

(Screenshot: WiFi Flows graph; link details: Network Layer 10.31.0.1 -> 192.168.1.104, Datalink Layer 00:12:17:38:E0:D6 -> 00:D0:41:F6:29:19, Wireless Networks link
the next image in the viewer's image list.

5.20 Status Line

The status line can be found at the bottom of the main window. There are 6 different items that can be shown: 1. Access Point, 2. Ad Hoc Network, 3. Probes, 4. Alerts. The number on the left shows the number that are visible. The number on the right shows the total number of items. If you forget which item is which, you can hover over them and the tooltip will tell you the full name of the item.

(Screenshot: status line showing counts such as 265 / 267 and 176 / 176)

6 Mission Mapping

Mission mapping permits analysts to add a functional name to a device. For example, a wireless asset could have a mission of Logistics, Invoicing or Personnel. These access points can be grouped and colored by mission, improving their visibility in MeerCAT views.

6.1 Preferences for Mission Mapping

Access the Mission Mapping page by Window > Preferences > Mission Mapping. From this dialog you can create, rename and remove mission names and assign colors to them. Missions can also be added through the Device Manager (select Other when prompted for Mission).

(Screenshot: Mission Mapping preference page listing Unspecified, Project X, Servers and Accounts Payable)

6.2 Choosing a Color for the Mission

Clicking on Color brings up the color picker.
tigation and ensure policy compliance.

- Visualizes Communication Flows: MeerCAT's wireless network traffic visualization improves the visibility of network performance and security concerns. The visual analytic tool processes packet capture files and visually aggregates network traffic and wireless packet flow.

- Coordinates Views for Investigation: MeerCAT users can drill down from any window view for additional details about detected wireless networks and clients. Coordinated views allow users to quickly select a device of interest in one MeerCAT window and highlight the device in all other views for various perspectives.

- Supports Data Filtering: MeerCAT enables users to view, analyze and filter wireless discovery and security data by a range of variables, including the operating channel, SSID, asset security policies or events.

- Helps Assess Risks: MeerCAT users can assign missions to devices to help assess security risks due to network vulnerabilities and threats.

- Generates Reports: MeerCAT auto-generates a range of reports to present the results of an audit or security analysis, such as in Word or PowerPoint. MeerCAT also allows users to copy a MeerCAT view and place it on the clipboard, export it to an image file, drag and drop it to other applications, and e-mail it to colleagues and decision makers.

- Delivers Out-of-the-Box Integration: MeerCAT's data integration with wireless discovery and other security tools allows users to get immediate vi
to be a wireless transmitter, even if it is not designated as a wireless network device. A node that is defined as a wireless network (and shown in blue by default) is known to be a wireless transmitter and always has a solid border with a color based on encryption or classification.

7.1.3 Links

The graph links represent one-way communication between two network addresses. There are color distinctions for Datalink Layer links (that is, links that exhibit Ethernet or IEEE 802.11 link layer communication) and Network Layer links (links that exhibit IP communication). Their thickness is based on the amount of data passed between the devices. In addition, in the WiFi Flows mode there are symbolic connections, which show the user a symbolic association between a node and one of its associated access points. If the node can be traced to the access point without adding a symbolic connection, one is not added.

7.1.4 Filter

The Flows filter pane is shown below.

(Screenshot: filter pane with Graph Type (WiFi Flows, IP Flows); Network Layer Filter (Network layer, Datalink layer); Node Type Filter (Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP); Link Sizes (Total bytes, Total packets, Average packet size); Network Border (Encryption, Classification, Channel
[Screenshot: Network Topology view showing detected networks (for example belkin54g and linksys), their associated clients, and the time each was last seen.]

The toolbar of the Network Topology view contains the following buttons:

- History Mode: This option is only available when the Device Explorer is in Network Mode. If enabled, this view will be populated with data from every historical instance of this wireless network in the current database. If it is not enabled, the view will be populated with only the latest historical instance of the particular network(s), unless a network is selected in the Device History view, in which case the view will be updated to show only the selected instance of the particular network.
- Zoom the display such that all of its contents are visible.
- Show only networks with clients.
- Show rogue clients connected to trusted networks and trusted clients connected to rogue networks.

5.10 Navigator View

The Navigator View provides an alternative tree r
[Screenshot: expanded view annotations control (showing the view's altitude, latitude, longitude and elevation) with the sample note "Check out this probing network. We should perform another audit to get more information."]

8.3 Report Templates

MeerCAT comes with two default templates, one for Word and one for PowerPoint. These templates can be modified using Word, PowerPoint or OpenOffice, or a new template can be created and used within MeerCAT. Templates are stored and configured in the reportConfig folder located in your user home MeerCAT folder. To have a new template appear within MeerCAT, you must add the template to the reports.xml file in the reportConfig folder.

8.3.1 Images

Image views can be added to a report template by dragging and dropping the associated view's placeholder JPG file from the reportConfig folder. The placeholder can be positioned anywhere within the document or presentation. Only the width of the image is maintained when the report is generated; the height follows the aspect ratio based on that width. There is an additional step for using the placeholder in a PowerPoint presentation: the object associated with the placeholder must be named to match the text shown in the placeholder.

8.3.2 Tables

Table views, including the Networks, Client, Flow Details and Device History tables, can be added to a document report using the following keyword text. This text will be replaced at report generation time with the actual table data:

- MeerCAT Networks
- MeerCAT
unication Patterns Usage Scenario

The Flows View is a useful tool in analyzing wireless network flows. This section contains examples of how to use the Flows View to learn more about the structure and vulnerability of wireless networks. For a general approach to understanding the Flows view, please see the Flows help in the Using MeerCAT Fundamental Tools section.

[Screenshot: Flows view in WiFi Flows mode, with its filter pane:
- Graph Type: WiFi Flows, IP Flows, Broadcast
- Network Layer Filter: Network layer, Datalink layer
- Node Type Filter: Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network, Other IP
- Search Filter: Show only search result
- Link Sizes: Total bytes, Total packets, Average packet size
- Network Border: Encryption, Classification, Channel, None
- Probe Filter: Show probes, Hide probes]

Above is a picture depicting two wireless access points, Berkowitz and belkin54g. Since the border filter is set to Encryption, this means that Berkowitz is using an encryption standard that is not WEP or WPA, and belkin54g is using no encryption. These color classifications are available in the Legend view and can be edited in the MeerCAT preferences. What's important to note here is that the two wireless networks are set up and behave very similarly except for their encryption, which makes a world of difference in wireless networking.
usted, friendly, rogue or unknown; Channel; Type: infrastructure, ad hoc or probe; Max Rate; Encryption: WPA, WEP or None; Cloaked.
Known Clients: MAC address; Classification: trusted, friendly, rogue or unknown.

Tip 3: Users can manually redefine the classification of wireless devices, or set the baseline expected configuration of known devices, in the Device Explorer.

2. To import more than one CSV file, for example a CSV file for wireless networks and a separate CSV file for wireless clients, repeat Step 1 for each file.

4.4.3 Marking existing devices as Known

To mark a device that has already been imported as Known, right-click it in the Device Explorer and choose the Known option.

[Screenshot: Device Explorer context menu with the Device History, Known, Flag and Copy commands.]

This will add the device to the Known Devices view and allow its properties to be changed via a new Properties context menu command.

4.5 Importing Wired Capture Data

MeerCAT allows users to import Ethernet packet captures for limited use in some views, namely the Flow Details View and the IP flow graph type of the Flows View.

[Screenshot: Select files dialog ("Select a packet capture file to import") with Packet Data file and Capture label fields and a Cancel button.]

To import a wired Ethernet capture, click File on the MeerCAT menu and select Import Wired Capture Data. This will bring you to an
veal the hardware vendor. This will be necessary to download the proper driver.

Step 3: In the middle of the screen is a pull-down menu labeled Display. Read the contents of the box and look for one of three key words: ATI, Nvidia or Intel.

[Screenshot: display adapter dialog showing the Display pull-down menu.]

Step 4: Download the appropriate driver based on the previous step. The drivers for each can be found at:

- ATI/AMD: http://ati.amd.com/support/driver.html
- Nvidia: http://www.nvidia.com/content/drivers/drivers.as
- Intel: http://www.intel.com/support/graphics/index.htm

Step 5: Download the driver to your desktop and run it, following all default instructions. This step may prompt your computer to reboot. Make certain any open applications have saved, and allow the computer to reboot.

If you still experience problems, this is sometimes related to the amount of memory allocated to MeerCAT. Decreasing the Xmx value, as described in the next question, sometimes resolves this issue. You will also experience this behavior if running MeerCAT on a virtual machine or over a Remote Desktop Connection (RDC).

2. What is the best configuration for working with large datasets?

The MeerCAT.ini file, located in your installation directory, can be modified with a text editor to give MeerCAT more system memory. The Xmx value represents the maximum amount of RAM given to
vice

[Screenshot: Network Properties dialog with a Channel field, an "Override network location" option with Latitude, Longitude and Altitude fields, and a Save and Close button.]

The information will be applied to any instances of the network that have been detected or that are detected in the future.

4.4.1.2 Known Clients

To add a known client device, select from the MeerCAT File menu: File > Known Devices > Add Client. This will open a properties dialog where you can fill in the expected information for the client. The information will be applied to any instances of the client that have been detected or that are detected in the future.

[Screenshot: Client Properties dialog ("Set the properties for this wireless client") with MAC address, Classification, Flagged and Comments fields, filled in with the sample MAC address AB:CD:EF:12:34:56, the Trusted classification and the comment "Auditor's laptop".]

4.4.2 Importing Known Devices from a CSV File

MeerCAT also supports importing CSV (Comma Separated Values) files. Its purpose is to import a list of known devices into MeerCAT.

1. To import a CSV file, select from the MeerCAT File menu: File > Known Devices > Import Networks Clients from CSV. This will launch a browser window to locate and select the CSV file to import.

Tip 1: Sample CSV files are provided on the MeerCAT CD.

Tip 2: The expected order of the CSV file fields is as follows:
Known Networks: SSID; BSSID; Classification: tr
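The known-devices CSV layout given in Tip 2 (the Known Networks field list that begins here and the Known Clients list that continues in the other fragment of this page) is easy to get subtly wrong, and a mistaken row becomes part of the trusted baseline. As an added example that is not MeerCAT's own code, the Python script below checks a CSV against that field order before it is imported: it verifies the field count, the MAC/BSSID format, and the allowed Classification, Type and Encryption values, flags duplicate BSSIDs or MAC addresses, and lists networks declared with no encryption so they can be reviewed before being treated as known. It assumes no header row, colon-separated MAC addresses like the one in the Client Properties screenshot, a numeric Channel and Max Rate, and true/false for Cloaked; none of those details are stated in the manual, and the sample rows are constructed for the example.

```python
"""Sanity-check a known-devices CSV in the field order MeerCAT expects.

Added example, not MeerCAT code. Field order and allowed values come from
the manual's Tip 2; everything else (no header row, colon-separated MACs,
numeric Channel and Max Rate, true/false Cloaked) is an assumption here.
"""
import csv
import io
import re
from collections import Counter

CLASSIFICATIONS = {"trusted", "friendly", "rogue", "unknown"}
NETWORK_TYPES = {"infrastructure", "ad hoc", "probe"}
ENCRYPTIONS = {"WPA", "WEP", "None"}
NETWORK_FIELDS = ["SSID", "BSSID", "Classification", "Channel", "Type",
                  "Max Rate", "Encryption", "Cloaked"]
CLIENT_FIELDS = ["MAC address", "Classification"]

# Assumed MAC layout (AA:BB:CC:DD:EE:FF), as in the Client Properties screenshot.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
BOOL_VALUES = {"true", "false"}  # assumed encoding for the Cloaked field


def _check_common(fields, values, lineno, mac_index):
    """Checks shared by both file kinds: field count, MAC shape, classification."""
    problems = []
    if len(values) != len(fields):
        problems.append(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        return problems
    if not MAC_RE.match(values[mac_index]):
        problems.append(f"line {lineno}: bad MAC/BSSID {values[mac_index]!r}")
    cls = values[fields.index("Classification")]
    if cls.lower() not in CLASSIFICATIONS:
        problems.append(f"line {lineno}: unknown classification {cls!r}")
    return problems


def validate_network_row(values, lineno):
    """Return a list of problems for one Known Networks row (empty if clean)."""
    problems = _check_common(NETWORK_FIELDS, values, lineno, mac_index=1)
    if len(values) != len(NETWORK_FIELDS):
        return problems
    _ssid, _bssid, _cls, channel, ntype, max_rate, enc, cloaked = values
    if not channel.isdigit():
        problems.append(f"line {lineno}: channel {channel!r} is not a number")
    if ntype.lower() not in NETWORK_TYPES:
        problems.append(f"line {lineno}: unknown network type {ntype!r}")
    try:
        float(max_rate)
    except ValueError:
        problems.append(f"line {lineno}: max rate {max_rate!r} is not a number")
    if enc not in ENCRYPTIONS:
        problems.append(f"line {lineno}: unknown encryption {enc!r}")
    if cloaked.lower() not in BOOL_VALUES:
        problems.append(f"line {lineno}: cloaked {cloaked!r} is not true/false")
    return problems


def validate_client_row(values, lineno):
    """Return a list of problems for one Known Clients row (empty if clean)."""
    return _check_common(CLIENT_FIELDS, values, lineno, mac_index=0)


def validate_csv(text, kind):
    """Validate a whole file; kind is 'networks' or 'clients'.

    The report lists row count, per-row problems, duplicate MAC/BSSID values
    and, for networks, the SSIDs imported with Encryption 'None', which
    deserve a second look before they are baselined as known devices.
    """
    check = validate_network_row if kind == "networks" else validate_client_row
    mac_index = 1 if kind == "networks" else 0
    report = {"rows": 0, "problems": [], "duplicates": [], "open_networks": []}
    macs = Counter()
    for lineno, values in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not values:
            continue  # blank line
        values = [v.strip() for v in values]
        report["rows"] += 1
        report["problems"].extend(check(values, lineno))
        if len(values) > mac_index:
            macs[values[mac_index].upper()] += 1
        if kind == "networks" and len(values) == len(NETWORK_FIELDS) and values[6] == "None":
            report["open_networks"].append(values[0])
    report["duplicates"] = sorted(m for m, n in macs.items() if n > 1)
    return report


# Constructed sample rows (not the sample CSV files shipped on the MeerCAT CD).
SAMPLE_NETWORKS = """\
corp-wifi,00:11:22:33:44:55,trusted,6,infrastructure,54,WPA,false
belkin54g,00:11:22:33:44:66,unknown,11,infrastructure,54,None,false
guest-ap,00:11:22:33:44:55,friendly,1,infrastructure,54,WEP,true
lab-adhoc,ZZ:11:22:33:44:77,rogue,36,ad hoc,11,WPA,maybe
"""
SAMPLE_CLIENTS = """\
AB:CD:EF:12:34:56,trusted
AB:CD:EF:12:34:57,visitor
"""

if __name__ == "__main__":
    for kind, text in (("networks", SAMPLE_NETWORKS), ("clients", SAMPLE_CLIENTS)):
        print(kind, validate_csv(text, kind))
```

Run on the constructed sample, the networks report flags the malformed BSSID and the bad Cloaked value on line 4, the BSSID shared by corp-wifi and guest-ap, and belkin54g as an unencrypted network; the clients report flags the unrecognized "visitor" classification. Fixing those rows before import keeps the Known Devices baseline honest.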
view is a number in parentheses. This number represents how many networks in the visible data set are classified by this entry.

Legend View Interactions

The Legend view is automatically updated when new data becomes visible or the user changes one of the colors in the MeerCAT Preferences. In addition, double-clicking on one of the icons in the Legend view will bring up the preferences page that is associated with the particular attribute.

5.19 Image Viewer

[Screenshot: Image Viewer with Add and Remove buttons and an image selected in the image list.]

Above is a screen shot of a random image being shown by the Image Viewer.

5.19.1 Adding Images

To add an image, click on the Add button at the top of the view. A dialog will appear; enter the image file's location or click the Browse button to select a file. The PNG, GIF, JPEG, BMP and WBMP file formats are supported by default.

[Screenshot: Image Import dialog ("Select an image to load and choose a name for MeerCAT to identify that image") with File and Name fields, a Browse button and a Cancel button.]

Next, pick a unique Name for the image to be shown in the image list. MeerCAT will suggest a name based on the image's original file name, but be sure to pick a name that you wil
which attribute should be used to determine the border color of a Wireless Network node. This can be based on the network's encryption or its device classification. It can also be disabled to show a border that is slightly darker than its fill color.

Probe Filter allows the user to show or hide probe requests and responses. It also allows the user to show only probe requests and responses.

The Show All Networks option forces all wireless networks to be shown on the graph, even if they do not exhibit any non-point-to-point communication.

7.1.5 Preferences for Flows

The Preferences for the flows are shown below.

[Screenshot: Preferences dialog, Flows page. Network Layer Filter colors: Network Layer, Datalink Layer. Node Type Filter colors: Local IP, Public IP, Multicast MAC, Datalink MAC, Wireless Network (Access Point, Ad Hoc), Other IP (Multicast, Broadcast, Null). A Force Directed Layout option with a Layout Run Time (seconds) setting, plus Restore Defaults and Apply buttons.]

Clicking a color located next to a Network Layer or Node Type filter brings up the color picker. Customizing the colors affects the appearance of the Flows View filters. After changing the color, click Apply, then OK, to use the selected color. Ente