41J Blog

Posts tagged ‘security’

SecurityTube, Wireless Lan Security Megaprimer notes: part 5 (Dissecting WLAN Headers)

October 16, 2011, 8:58 pm

Vivek’s video is here.

Basic Terminology

STA: Station (Wireless Client)

BBS: Basic Services Set (AP and clients in infrastructure or Ad-Hoc Clients)
* Infrastructure BSS: Setup using Access point
* Independent BSS: Ad-Hoc network

BSSID: Basic Service Set Identifier
* Infrastructure Mode: MAC address of AP
* Ad-hoc Mode: Randomly chosen address by first device. (IBSS)

DS: Distribution System (connects APs in ESS).
* The LAN connecting APs together.

ESS: Extended Service Set (set of BSSs)
* Basically everything (BSSs + DS)

WLAN Packet Header

Looking at a beacon frame (could be any frame)

0. Open a frame in wireshark
0.1 Take a look at the “Frame section”
* Contains meta information about the packet, received time etc.

0.2 Take a look at the “Radiotap Header”
* Received from card
* Signal strength (Useful for intrusion detection, can be used to triangulate clients)
* Channel frequency etc.

0.3 WLAN Headers, open “IEEE 802.11 Beacon Frame” section
* Frame type information (subtype)

1. All WLAN Packets have the following fields:
* Frame Control (2 bytes)
* Duration/ID (2 bytes)
* Address 1 (6 bytes)
* FCS (4 bytes) (Checksum)

1.1 Frame Control:
* Bitfield containing a bunch of information:
* Protocol
* Default value 0, may change with major revision (currently always 0)

* Type/Subtype
* Type – Management, Control or Data frame
* Sub-types of each of these.

* To DS and From DS
* Indicate where the packet is going:

To DS	From DS	Info
0	0	STA to STA in the same IBSS (ad-hoc) or management and control frame
0	1	Exiting the Distribution System (DS) (e.g. AP to client)
1	0	Entering the DS (e.g. client to AP)
1	1	Used in Wireless Distribution System (WDS, e.g. extending Wifi network)

* More frag: are more fragments of frame following (data and management only).
* Retry: Indicates that this frame is a retransmission (data and management only).

* Power Management: Indicates if client is in power save mode or active mode. (power save e.g. battery)
* More Data: Indicates that there’s more data queued up to be sent.
* Protected frame: Indicates if frame body in encrypted or not.
* Order: Indicates that all frames must be processed in order.

Check you can see all this in wireshark (Type and subtype are shown twice)

1.2 Duration/ID field
* Used to set “NAV” (Network Allocation Vector).
* NAV is the minimum time to wait before transmission
(tells other clients please wait this long for this packet transmission to complete)

1.3 Address fields
* Depends on type/sub-type (Source address, destination address, BSSID address)

1.4 Sequence Control
* Sequence number of the packet AND Fragment number of the packet.

Check you can see all this in wireshark!

1.5 QoS (quality of service)…

1.6 Frame body: The data payload
* management frame information
* data transmission

1.7 FCS: CRC check over the MAC header and Frame body
* Easy to “fix” FCS if we modify the frame.

Tags: pentest, security, securitytube, wifi, wifiprimer
Category: Uncategorized | Comment

SecurityTube, Wireless Lan Security Megaprimer notes: parts 1 to 4

October 15, 2011, 11:42 pm

These are my notes on Parts 1 to 4 of the security tube wireless security videos here.

I’m using Backtrack verison 5 R1 whereas Vivek is using version 4. The only different so far is that mdk is on the path, so I can just type “mdk” to launch it.

Part 1

This is the wireless device used in all the videos:

Alfa Networks AWUS036H USB Wifi device

* Integrated into Braktrack
* Allows for packet sniffing
* Allows for packet injection
* 1W output

Will also need a AP, two laptops. Some smartphones may be interesting.

Install Backtrack (tutorials use Backtrack 4R2).

Attached the USB Wifi device and connect to VirtualBox if you’re using that.

Part 2

0. Backtrack doesn’t startx, so type startx if you want it.

1. Bring up the wifi card:

ifconfig wlan0 up

2. You need to create a monitor mode interface for monitoring:

airmon-ng # without args shows cards
airmon-ng start wlan0 # creates monitor interface
iwconfig # check that the card is in monitor mode

3. Load Wireshark (at a command prompt type “wireshark”).

4. Start a capture, from the “Capture menu”: Capture->Interfaces->mon0 (start)
4.1 Note: Wireless card can only monitor one channel at a time.
4.2 Note: Different countries have different channels and allowed power levels.

5. You can force card on to specific channel for example:

iwconfig wlan0 channel 1

6. Some tools can hop between channels showing traffic, for example airodump:

airodump-ng --band bg mon0

Part 3: Beacon Frames

Three types of packets: Management, Control, Data (there are subtypes of these too)
You can find a LOT of information here: 802.11 specs: http://standards.ieee.org/about/get/802/802.11.html

Access points are configured with SSIDs. That’s a network name, used for discovery. SSID can be for one AP or multiple APs. To allow clients to find them access points broadcast “Beacon Frames”.

1. Capturing Beacon frames with wireshark:

ifconfig wlan0 up      
airmon-ng start wlan0
wireshark&amp;amp;amp;

2. Examine the beacon frame. Select a beacon frame in wireshark.
2.1 Look at Management frame header.
2.2 Note that there are “Fixed parameters” and “Tagged parameters”
2.3 “Fixed Parameters”: Look in “Capabilities Information”, it tells you if it’s an AP or not.
2.4 “Tagged Parameters”: note you can see supported rates and the device channel. Possibly encryption information.

3. Attackers can inject their own beacon frames! We’re going to show you how.

3.1 We’ll use MDK to create beacon frames. Type the following to get info on mdk:

mdk --help b # shows info about beacon flooding

To broadcast beacon frames, type the following:

mdk3 mon0 -b -n PWNEDSSID

You should be able to see the network PWNEDSSID on other devices!

Part 4: Dissecting AP-Client Connections

Note1: Vivek plays around a lot with wireshark filters in this video, some of it isn’t strictly required, but it gets you used to using filters.

Note2: Make *SURE* you are filtering to/from the correct MAC addresses. I found this partiuclarly important if you have a lot of Apple hardware around…

0. Setup an open access, access point.

1. We’re going to connect a smartphone or PC to this AP, so have a client ready.

2. Make sure wifi is off on the smartphone/PC.

3. Set the channel of the Backtrack laptop wifi card to the same channel as the open access point, as follows:
3.1 As before, use airodump-ng mon0 to display the channel the AP is on.
3.2 As before, use iwconfig wlan0 channel to change the card to that channel.

4. Make a capture of the traffic using wireshark (as before).

5. Filter for traffic not to/from our access point and filter out beacon frames.
5.1 The filter will eventually read as (wlan.addr == ACCESSPOINTMAC) && !(wan.fc.type_subtype == 0x08)
5.2 You can build this filter by pointing and clicking in wireshark:
Open a beacon frame, under “802.11 Beacon frame” right click on “Source address”, select “apply as filter”->Selected
Edit the filter box change “wlan.sa” to “wlan.addr”.

Under “IEEE 802.11 Beacon frame” select “Type/Subtype”. Right click, select “apply as filter”->”and not selected”

6. Attach the client smartphone/laptop to the network.

7. Add another address to the filter. This is the client address.
7.1 remove the && !(wan.fc.type_subtype == 0x08) portion of the filter.
7.2 In the “IEEE 802.11” section of the packet select the MAC of the client and right click:
“apply as filter”->”and selected”

8. Remove the (wlan.addr == ACCESSPOINTMAC) part of the filter. Your filter should just read:
(wlan.addr == CLIENTMAC), where CLIENTMAC is the mac address of your smartphone/PC.

9. Take a look at the packet trace in wireshark.
9.1 Find the first “Probe Request” from the smartphone/PC.
9.2 Note that it’s a Broadcast packet.
9.3 Note that below that packet you can see a “Probe Response” coming from your access point.
9.4 Client may also send out “Probe Requests” to networks previously connected to.

10. Add the access point mac to the filter. As before right click the access point address and select “apply as filter”->”add selected”.
Change wlan.sa to wlan.addr.

11. Scroll down a little, you should be able to find a packet labeled “Authentication” from your AP to the client.
11.1 Note that the Authentication packet from the client as “Authentication SEQ: 0x0001” and the reply has “SEQ: 0x0002”.

12. Now we see the association packets.
12.1 Note that the client sends an “Association Request”
12.2 Note that the AP replies with an “Association Response”

13. After that we should be able to see data packets, such as ARP requests etc.

14. Vivek makes some interesting observations about the packet exchange, and wireless state machine: