
CN416

Intrusion Detection and Forensics

Location Awareness II

Lecturer: Mr. Saeb Sisan


Geolocation

• When Voice over IP (VoIP) services became commonplace, there was a challenge.
• Federal regulations require
telecommunications providers to be able to
support enhanced 911 (E-911) services to
phone subscribers.
• Anyone dialing 911 should be able to be
located by the phone network.
Geolocation
• In a traditional phone network, this is easy
because the phones are hard-wired to the central
office and each subscriber has an address
associated with it.
• If a call comes from a particular phone number
using a wired line, it’s guaranteed that the call
has come from a specific physical address
because hard-wired lines can’t be moved.
• When the caller dials 911, the central office
knows which public service access point (PSAP) to
route the call to.
Geolocation

• VoIP, though, uses interface devices that convert traditional phones and the signals they use to IP.
• These devices can be taken anywhere.
• As long as they can get an IP address and can communicate with the servers within the VoIP provider network, there is nothing to prevent the service from being used.
Geolocation
• That, however, causes problems for the service
providers because they are required to be able to
hand off location information for their subscriber.
• As noted earlier, there is nothing inherent about
an IP address that can provide physical addresses.
• While it is possible to read hostnames and network paths to get some location out of them, the hostname and network path don’t have nearly the specificity required by E-911.
Geolocation
• At a minimum, the service provider needs to be
able to know which PSAP to route the call to.
• There are a number of ways to do this, including:
1. Just hard-coding the subscriber into a database associated with a particular PSAP.
• VoIP services are not the only ones where
location information from IP addresses is
important or at least very useful.
• As a result, there are databases that will keep
track of that information.
Geolocation

2. As well as web interfaces that can perform lookups from IP addresses.
• In fact, some of these websites will tell you
where you are based on your IP address.
Geolocation

• Just to demonstrate some of the challenges associated with looking up geographic location from an IP address, sometimes you will get different locations.
• To highlight that point, Figure 6-4 shows
location information related to an IP address
belonging to Google.
Geolocation
• This is information from three different databases, though the site in question, www.iplocation.net, provides results from many other databases.
• While two of them appear to show the same location, when you look at the latitude and longitude, they are quite different.
• The two showing the same city will map to very different locations.

Geolocation
• The third location is not only in a different city and state but most of the way across the United States.
• A fourth database shows New York and the fifth shows Mountain View again.
Geolocation

• As a result, you have a start on a location from the IP address, but it is by no means definitive.
• In some cases, all the lookup service is doing is
running a whois, getting the owner of the IP
address, and providing the city for that owner.
As previously discussed, that’s not always that
useful.
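One way to quantify the disagreement described above is to compare the coordinates each database returns instead of the city labels. This is an added example, not part of the original slides; the database names and coordinates are constructed and are not the values shown in Figure 6-4, and the 50 km tolerance is an assumption.

```javascript
// Added example. Every record below is constructed sample data for one
// address; none of it is taken from Figure 6-4.
const results = [
  { db: "db-A", city: "Mountain View", lat: 37.4192, lon: -122.0574 },
  { db: "db-B", city: "Mountain View", lat: 37.3861, lon: -122.0839 },
  { db: "db-C", city: "New York",      lat: 40.7128, lon: -74.0060 },
  { db: "db-D", city: "Mountain View", lat: 37.4056, lon: -122.0775 },
];

// Great-circle (haversine) distance in kilometres between two lat/lon points.
function haversineKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Largest pairwise distance within a list of results.
function spreadKm(list) {
  let max = 0;
  for (let i = 0; i < list.length; i++)
    for (let j = i + 1; j < list.length; j++)
      max = Math.max(max, haversineKm(list[i], list[j]));
  return max;
}

// Cluster by coordinates (not by city label) and summarise the disagreement.
function assessLocation(list, toleranceKm = 50) {
  const clusters = [];
  for (const r of list) {
    const home = clusters.find((c) => haversineKm(c[0], r) <= toleranceKm);
    if (home) home.push(r); else clusters.push([r]);
  }
  clusters.sort((x, y) => y.length - x.length);
  const sameCity = list.filter((r) => r.city === clusters[0][0].city);
  return {
    consistent: clusters.length === 1,
    majority: clusters[0].map((r) => r.db),
    outliers: clusters.slice(1).flat().map((r) => r.db),
    maxSpreadKm: Math.round(spreadKm(list)),
    sameCitySpreadKm: Number(spreadKm(sameCity).toFixed(1)),
  };
}

console.log(assessLocation(results));
```

The `sameCitySpreadKm` value shows how far apart results carrying the same city name can be, while `outliers` lists the databases that place the address somewhere else entirely.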
Geolocation
• One of the databases at db-ip.com is not only more accurate but will also use IPv6 to perform a lookup.
• Some of the backbone providers are using IPv6 to communicate back and forth.
• In Figure 6-5, you can see a lookup of my external IPv6 address.
Geolocation
• While the address belongs to Comcast, db-ip.com isn’t just providing the location of the IP address according to whois, because that would be based on Comcast’s address, which is not in Vermont.
• However, while we are very close to a real location, the database maps this address to a town that is nearby rather than the town I am actually located in.
Geolocation

• The company MaxMind maintains several databases related to location information and mapping network information.
• These databases can be integrated with
Wireshark to save the effort of performing
multiple lookups using a web interface.
• You can download lite versions of the
databases from MaxMind and then tell
Wireshark where the databases are using the
preferences settings.
Geolocation

• There is a configuration setting for the locations of GeoIP databases.
• MaxMind provides databases for both IPv4 and IPv6, as well as information about the autonomous system (AS) number used by service providers for routing purposes, the city where the address is located, and the address in longitude and latitude form.
Geolocation

• Once you have a packet capture, you can look at the Endpoints dialog box in the Statistics menu.
• This collection of information will give you IP
addresses that were found in your packet
capture.
• If there are entries in the MaxMind databases,
they will display the information
Geolocation

• See an example of this in Figure 6-6.


Geolocation
• Wireshark provides fields for the country the IP address appears to be located in and the AS number associated with the service provider, which also yields the name of the service provider.
• Finally, you can also see the city, longitude, and latitude columns that are associated with the IP address.
• Not all IP addresses will be able to be looked up in the database.
Location-Based Services

• As web applications get more functionality and have to provide the same or similar services to truly mobile devices like smartphones, semi-mobile devices like laptops, and immobile systems like desktop computers, there is a need for the application provider to obtain location-based information.
Location-Based Services

• The World Wide Web Consortium (W3C) has developed an application programming interface, called the Geolocation API, and a set of specifications that will allow devices that don’t have GPS capability to also provide a location.
Location-Based Services

• This interface is commonly provided in web pages using JavaScript.
• The JavaScript makes calls to a navigator
object looking for the GeoIP information.
• This may simply be based on information
about the IP address that is known using
techniques referenced earlier.
Location-Based Services

• When your browser asks if it is okay to provide location information to the website you are visiting, it is probably using this W3C location interface.
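The call a page makes through the navigator object, including the permission prompt outcome, looks like the sketch below. This is an added example, not part of the original slides; the stub navigator objects, their coordinates, and the `COARSE_FIX_M` threshold are constructed assumptions so the code also runs outside a browser.

```javascript
// Added example: wraps the W3C Geolocation API so the outcome is easy to log.
// COARSE_FIX_M is an illustrative threshold chosen here, not part of the API.
const COARSE_FIX_M = 1000;
const ERROR_NAMES = { 1: "PERMISSION_DENIED", 2: "POSITION_UNAVAILABLE", 3: "TIMEOUT" };

function requestLocation(nav = globalThis.navigator) {
  return new Promise((resolve) => {
    if (!nav || !nav.geolocation) {
      resolve({ ok: false, reason: "UNSUPPORTED" });
      return;
    }
    nav.geolocation.getCurrentPosition(
      (pos) => {
        const { latitude, longitude, accuracy } = pos.coords;
        resolve({
          ok: true,
          latitude,
          longitude,
          accuracyM: accuracy, // radius in metres reported by the browser
          // Heuristic (assumption): a wide radius suggests a network-derived
          // estimate (IP address or WiFi) rather than a GPS fix.
          coarse: accuracy > COARSE_FIX_M,
        });
      },
      // Called when the user declines the prompt or no position is available.
      (err) => resolve({ ok: false, reason: ERROR_NAMES[err.code] || "UNKNOWN" }),
      { enableHighAccuracy: false, timeout: 10000, maximumAge: 0 }
    );
  });
}

// Constructed stand-ins for a browser's navigator object, so this runs under Node.
const grantedNav = { geolocation: { getCurrentPosition: (ok) =>
  ok({ coords: { latitude: 44.26, longitude: -72.58, accuracy: 25000 } }) } };
const deniedNav = { geolocation: { getCurrentPosition: (_ok, fail) =>
  fail({ code: 1, message: "User denied Geolocation" }) } };

requestLocation(grantedNav).then((r) => console.log("granted:", r));
requestLocation(deniedNav).then((r) => console.log("denied:", r));
```

In a browser, calling `requestLocation()` with no argument uses the real navigator object and triggers the permission prompt.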
WiFi Positioning

• One way to get information about where people may be is to get someone to report on those people.
WiFi Positioning

• This may be a self-check-in where the user provides information about himself in one form or another.
• However, it may also be that other people are
collecting information and sharing it with a
public database.
WiFi Positioning

• WiFi Positioning System (WPS) is an attempt to provide a way to locate systems using the wireless networks they are connected to.
• Databases are available to locate WiFi
networks.
• Some of these databases are populated by
users who collect the information and submit
it to the database provider.
WiFi Positioning

• One of these database providers is WiGLE, which is a database for wireless hotspots around the world.
• Using WiGLE, you can view maps of locations
and see the different WiFi networks that may
be available within a particular geographic
area.
WiFi Positioning
• WiFi networks not only have a Service Set Identifier (SSID) associated with them, which is the network name, but they also have a Basic Service Set Identifier (BSSID).
• This looks like and often is a MAC address.
• The wireless access point, as a network device,
has a MAC address associated with the network
interface.
• This MAC address may become the BSSID for the
wireless network to provide a layer-2 addressable
identifier for the network.
WiFi Positioning

• WiGLE and other similar databases will not only store SSID information, but also store BSSID information.
WiFi Positioning

• You can see an example of both BSSIDs and SSIDs in Figure 6-7.
WiFi Positioning

• The map shown is a part of the website at wigle.net, and is a location nearby.
• You can search locations and zoom in on the
map.
• You can see SSIDs like Zombies ate My WiFi, as well as BSSIDs, which just appear to be MAC addresses.
WiFi Positioning

• This is one way that systems can obtain information about their position.
• Locating systems in physical space can be
challenging.
• Using volunteers to provide information
about WiFi networks helps with that effort.
