{"id":461,"date":"2011-10-16T20:58:17","date_gmt":"2011-10-16T20:58:17","guid":{"rendered":"http:\/\/41j.com\/blog\/?p=461"},"modified":"2011-10-16T21:05:15","modified_gmt":"2011-10-16T21:05:15","slug":"securitytube-wireless-lan-security-megaprimer-notes-part-5","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2011\/10\/securitytube-wireless-lan-security-megaprimer-notes-part-5\/","title":{"rendered":"SecurityTube, Wireless Lan Security Megaprimer notes: part 5 (Dissecting WLAN Headers)"},"content":{"rendered":"<p>Vivek&#8217;s video is <a href=\"http:\/\/www.securitytube.net\/video\/1772\">here<\/a>.<\/p>\n<h2>Basic Terminology<\/h2>\n<p>STA: Station (Wireless Client)<\/p>\n<p>BSS: Basic Service Set (AP and clients in infrastructure mode, or Ad-Hoc clients)<br \/>\n  * Infrastructure BSS: Set up using an access point<br \/>\n  * Independent BSS: Ad-Hoc network<\/p>\n<p>BSSID: Basic Service Set Identifier<br \/>\n  * Infrastructure Mode: MAC address of AP<br \/>\n  * Ad-hoc Mode: Randomly chosen address by first device. (IBSS)<\/p>\n<p>DS: Distribution System (connects APs in ESS).<br \/>\n  * The LAN connecting APs together.<\/p>\n<p>ESS: Extended Service Set (set of BSSs)<br \/>\n  * Basically everything (BSSs + DS)<\/p>\n<h2>WLAN Packet Header<\/h2>\n<p>Looking at a beacon frame (could be any frame)<\/p>\n<p>0. Open a frame in wireshark<br \/>\n0.1 Take a look at the &#8220;Frame section&#8221;<br \/>\n    * Contains meta information about the packet, received time etc.<\/p>\n<p>0.2 Take a look at the &#8220;Radiotap Header&#8221;<br \/>\n    * Received from card<br \/>\n    * Signal strength (Useful for intrusion detection, can be used to triangulate clients)<br \/>\n    * Channel frequency etc.<\/p>\n<p>0.3 WLAN Headers, open &#8220;IEEE 802.11 Beacon Frame&#8221; section<br \/>\n    * Frame type information (subtype)<\/p>\n<p>1. 
All WLAN Packets have the following fields:<br \/>\n   * Frame Control (2 bytes)<br \/>\n   * Duration\/ID   (2 bytes)<br \/>\n   * Address 1     (6 bytes)<br \/>\n   * FCS           (4 bytes) (Checksum)<\/p>\n<p>1.1 Frame Control:<br \/>\n    * Bitfield containing a bunch of information:<br \/>\n      * Protocol<br \/>\n        * Default value 0, may change with major revision (currently always 0)<\/p>\n<p>      * Type\/Subtype<br \/>\n        * Type &#8211; Management, Control or Data frame<br \/>\n        * Sub-types of each of these.<\/p>\n<p>      * To DS and From DS<br \/>\n        * Indicate where the packet is going:<\/p>\n<table border=\"1\">\n<tr>\n<td>To DS<\/td>\n<td>From DS<\/td>\n<td>Info<\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>0<\/td>\n<td>STA to STA in the same IBSS (ad-hoc) or management and control frame<\/td>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>1<\/td>\n<td>Exiting the Distribution System (DS) (e.g. AP to client)<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>0<\/td>\n<td>Entering the DS (e.g. client to AP)<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>1<\/td>\n<td>Used in Wireless Distribution System (WDS, e.g. extending Wifi network)<\/td>\n<\/tr>\n<\/table>\n<p>      * More frag: more fragments of this frame follow (data and management only).<br \/>\n      * Retry: Indicates that this frame is a retransmission (data and management only).<\/p>\n<p>      * Power Management: Indicates whether the client is in power save mode or active mode. (power save e.g. 
battery)<br \/>\n      * More Data: Indicates that there&#8217;s more data queued up to be sent.<br \/>\n      * Protected frame: Indicates whether the frame body is encrypted.<br \/>\n      * Order: Indicates that all frames must be processed in order.<\/p>\n<p>   Check you can see all this in wireshark (Type and subtype are shown twice)<\/p>\n<p>1.2 Duration\/ID field<br \/>\n    * Used to set &#8220;NAV&#8221; (Network Allocation Vector).<br \/>\n    * NAV is the minimum time to wait before transmission<br \/>\n      (tells other clients please wait this long for this packet transmission to complete)<\/p>\n<p>1.3 Address fields<br \/>\n    * Depends on type\/sub-type (Source address, destination address, BSSID address)<\/p>\n<p>1.4 Sequence Control<br \/>\n    * Sequence number of the packet AND Fragment number of the packet.<\/p>\n<p>   Check you can see all this in wireshark!<\/p>\n<p>1.5 QoS (quality of service)&#8230;<\/p>\n<p>1.6 Frame body: The data payload<br \/>\n    * management frame information<br \/>\n    * data transmission<\/p>\n<p>1.7 FCS: CRC check over the MAC header and Frame body<br \/>\n    * Easy to &#8220;fix&#8221; FCS if we modify the frame.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vivek&#8217;s video is here. Basic Terminology STA: Station (Wireless Client) BSS: Basic Service Set (AP and clients in infrastructure mode, or Ad-Hoc clients) * Infrastructure BSS: Set up using an access point * Independent BSS: Ad-Hoc network BSSID: Basic Service Set Identifier * Infrastructure Mode: MAC address of AP * Ad-hoc Mode: Randomly chosen address by first device. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[14,13,12,10,11],"class_list":["post-461","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-pentest","tag-security","tag-securitytube","tag-wifi","tag-wifiprimer"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-7r","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=461"}],"version-history":[{"count":6,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/461\/revisions"}],"predecessor-version":[{"id":467,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/461\/revisions\/467"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=461"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}