Vai al contenuto

5. Frames and Network Interaction

When devices connect to Wi-Fi networks and information flows through the network, a number of different frames are used in order to ensure everything gets through as efficiently as possible. Capturing and analyzing this traffic will be critical to understanding and exploiting Wi-Fi networks.

In this module, we'll begin to understand more about frames used in Wi-Fi networks, including their headers and fields. We will also learn how wireless devices interact with various types of networks.

We recommend that students work their way through this content slowly and take their time. In particular, we recommend inspecting each capture file before moving on. Students can also return to this module for future reference.

Throughout this module we will be inspecting several files with Wireshark. For example, when we discuss beacon frames, we will inspect a Pcap file with beacon frames. Some sections of this module begin by noting an available reference file. To download the file, follow the link in the footnote.

This module presents an excellent opportunity to get even more comfortable with Wireshark while following along with the content. In some cases, we may focus our attention on a particular frame or series of frames.

5.1. Packets vs Frames

Packets and frames are not interchangeable terms. To understand more about them, it may be helpful to quickly review the Open Systems Interconnection Model (OSI), which is a conceptual model of how systems communicate over a network. A full explanation is outside the scope of this module, but a cursory explanation might be helpful.

Layer Description
7. Application Layer Human-computer interaction layer, where applications can access the network services
6. Presentation Layer Ensures that data is in a usable format and is where data encryption occurs
5. Session Layer Maintains connections and is responsible for controlling ports and sessions
4. Transport Layer Transmits data using transmission protocols including TCP and UDP
3. Network Layer Decides which physical path the data will take
2. Data Link Layer Defines the format of data on the network
1. Physical Layer Transmits raw bit stream over the physical medium

Table 1 - The OSI model

Each layer in the OSI model is stacked and has a specific purpose. For example, the Data Link layer is where MAC headers exist. These headers help determine where the packet should go as it travels between two devices on the same network.

When we capture packets, we capture them at the Data Link layer, which includes the frame. The frame contains authentication as well as additional information about the AP. Capturing packets is generally the starting point for all other Wi-Fi attack vectors, so understanding packets, and frames in particular, is an excellent place to begin.

A packet is the protocol data unit for the network layer (3), and a frame is a unit in the data link layer (2). Packet capture is actually a misnomer because some hardware can capture at layer 3, but sometimes also at layer 2. Some specialized tools can even do layer 1.

In spite of this, "Packet Capture" has become a common term for data captured at either layer 2 or 3. In our case, all of our captures, and most of the tools we will use, operate at layer 2.

5.2. 802.11 MAC Frames

Let's begin by reviewing the base structure of a 802.11 MAC frame in Figure 1.

38aa7d4a68040a870a6b663c79f532ec.png

Figure 1: 802.11 MAC Frame

The structure is split in three parts. First, the MAC Header contains fields common for almost all frames. The first few fields are mandatory. Others may be present depending on the specific frame.

Next, the Frame body carries data or contains additional information. Not all frames will use this section.

Finally, the Frame Check Sequence (FCS) is the Cyclic Redundancy Check (CRC) of the current wireless frame. A CRC is performed over all previous fields to generate the FCS. The frame FCS is re-calculated once the frame arrives at the destination. If it is identical to the one received, then the frame is received without errors. It sometimes isn't present in the captured frames.

Warning

In capture files, sometimes Radiotap headers come before the MAC header. These headers are placed by the driver on the receiver, and contain metadata for the specific frame, including the signal level, the rate, the channel it was received on, and other information. The content and size vary from one driver to another and sometimes from one frame to another.

5.2.1. MAC Header

The following image shows the details of the Header field of a 802.11 MAC frame.

408ba5e08bdc03c5f901732e7c340cc8.png

Figure 2: 802.11 MAC Header

The MAC Header contains a number of fields, and some of them are subsequently split in smaller sections. We'll explore the most import ones and briefly explain each of the fields' content.

5.2.2. Frame Control Field

  • Protocol Version - This field provides the version of the 802.11 protocol used. This value is currently 0.
  • Type - The type is most important field in the frame, and it determines the function of the frame, as well as the presence of some other fields in the frame. There are four different frame types with corresponding values: management (0), control (1), data (2), and extension (3). We will cover the first three later in this module. The fourth is a rare exception, so we won't cover it.
  • Subtype - Each frame type can have one of several subtype field values. These determine the specific function and define the payload.
  • To DS and From DS - These fields indicates whether the frame is going into a distribution system (ToDS) or exiting the distribution system (FromDS).
  • More frag - This field indicates whether more fragments of the frame will follow this one.
  • Retry - The retry field tells us if the frame is being retransmitted. A retransmit occurs when unicast frames aren't acknowledged in time.
  • Power Mgmt - This will show us whether the sending client is in active mode (0) or power-save mode (1).
  • More data - This field indicates if there is data buffered for a client.
  • Protected Frame - This will reveal whether or not encryption or authentication are used in the frame.
  • +HTC/Order - This field tells us if the frame contains an HT Control Field. In some rare instances, it is used to indicate that the frame is being sent using the Strictly-Ordered service class.

5.2.3. Duration/ID

Depending on the frame type and subtype, Duration/ID can have a different meaning. In Power-Save Poll frames (type 1, subtype 10), it contains the client Association Identity (AID) in the 14 least significant bits. The two most significant bits are set. When required, Duration/ID is the duration of the frame in microseconds. In some instances, it has a fixed value of 32768.

5.2.4. Addresses

The following table represents the different cases of these addresses, depending on the From/To DS bits in the Frame Control field.

FromDS ToDS Address 1 Address 2 Address 3 Address 4
0 0 Destination Address Source Address BSSID n/a
0 1 BSSID Source Address Destination Address n/a
1 0 Destination Address BSSID Source Address n/a
1 1 Recipient Address Transmitter Address Destination Address Source Address

Table 2 - Meaning of the 3 or 4 addresses based on ToDS and FromDS value

The first case, where ToDS and FromDS are both set to 0, will occur in IBSS mode (ad-hoc) or when the frame is a management or control frame. The FromDS and ToDS bits are not set as is the case when two clients communicate with one another directly, but this is rarely the case nowadays.

When only ToDS is set, the traffic is coming from a client and meant to reach either the AP or anything connected to it. This would be the case with a ping (ICMP request).

When only FromDS is set, the traffic is going from the AP to the client. Recalling the previous example, this would be a response to the ping.

When both are set, it indicates we are in WDS mode. In this case, one AP is talking to the another, which is why the fourth address field is present in the frame.

5.2.5. Sequence Control

The Sequence Control field consists of two sub-fields and is used to recognize frame duplication.

The Sequence Number (12 bit) subfield indicates the sequence number of each frame. The sequence number is the same for each frame sent for a fragmented frame. The value range for this field is 0-4095. When it reaches 4095, the next sequence will be 0.

The Fragment Number (4 bit) subfield indicates the number of each fragment of a frame sent. The value range for this field is 0-15.

5.2.6. QoS control and HT Control Fields

The presence of the QoS control and HT Control fields depend on other values in the frame body. The QoS Control is present only in Quality of Service (QoS) data frames to indicate the quality of service parameters. The HT Control is only present if the +HTC/Order bit is set.

5.3. Frame Types

Let's explore the structure of the common frames we'll encounter on Wi-Fi networks. As we go, we'll inspect an example for each of one. In particular, we will be focused on aspects of the frame types that help describe how devices interact with each other.

We will review management, control, and data frames. There is a fourth type of frames, extension frames, but it's not very common, so we will skip it.

5.3.1. Management Frames

Management frames are used to negotiate and control the relationship between APs and clients. The following table outlines the different types of wireless management frames.

Subtype Field Description
0 Association Request
1 Association Response
2 Re-association Request
3 Re-association Response
4 Probe Request
5 Probe Response
6 Measurement Pilot
7 Reserved
8 Beacon
9 ATIM
10 Disassociation
11 Authentication
12 Deauthentication
13 Action
14 Action No ACK
15 Reserved

Table 3 - Management frames subtypes

We will cover the common frames encountered on wireless networks. All of these frames have the same structure as the base 802.11 MAC frame. The payload varies depending on the subtype.

5.3.2. Beacon

This section includes a reference file, beacon.pcap, in the Resources section.

Beacon frames are the most common frames as they are sent approximately 10 times per second. Beacons are broadcast by the AP to keep the network synchronized.

These frames contain useful information about the network such as the network name (unless SSID is hidden), the channel, the data rates available, type of encryption, and regulatory domain. They are typically sent at the lowest basic rate in order to reach the clients farthest away from the AP.

The structure of a beacon frame is as follows.

d68d6abdc2c28a0013d83059f96d00f6.png

Figure 3: Beacon frame structure

Warning

Although SSID and ESSID are used interchangeably in Wi-Fi tools and AP configuration, there is a small difference. SSID is for single APs. ESSID is when multiple APs in an Extended Service Set (ESS) share the same SSID. The official name of the field in management frames is SSID.

Information in the frame's payload is split in two parts. The first part contains fixed parameters, which will always stay the same.

The first parameter includes Timestamp, which contains an 8-bytes value for a Timing Synchronization Function (TSF). Beacon interval indicates how often beacons are sent. It is expressed in Time Units (TU) where 1 TU is 1.024ms. Capabilities information is subdivided into 14 flags.

The second parameter is dynamic and the amount of information included will depend on the AP. Information Elements (IE) are variable in size, but have a common structure. The first byte indicates the ID of the element and describes how the payload is interpreted. The second indicates the length of the following field (IE payload), which has a maximum length of 255 bytes.

4feb119cabc810d2167683a55532e2d4.png

Figure 4: Management frame IE structure

Information Elements are usually arranged in order based on the ID. In special cases, some IDs are shared among multiple items, so their meaning depends also on the first few bytes in the IE's payload. A good example of this is WPA TKIP, where it depends on the first three bytes in the payload. The other special case is the Element ID Extension, which depends on the value of the first byte of its payload. This is used for 802.11ax information among other things.

Although this section is dynamic, some elements such as the SSID will always be present. Figure 5 includes the SSID element, which has an ID of 0. The length of the field is 8 and it is named supafast.

95d000ae275644cedc64b31733adb7be.png

Figure 5: SSID element

Another field to note in the capture is the Supported Rates of the AP. It shows rates of 6 to 54Mbit/s, which, alone, indicates either an 802.11g or 802.11a network.

ac8861431e6ba7adbf8e2b66969969ed.png

Figure 6: Supported Rates

A 802.11b or mixed 802.11b/g would have these rates between 1 and 11. A mixed 802.11b/g will also have extended supported rates typically between 6 and 54, but this isn't the case in the extended rates below.

181e6294584a237f87607b22a709d03e.png

Figure 7: Extended Supported Rates

The channel number, 36, indicates the network is operating in the 5GHz band.

d2f8103628f76a2f16bb2b0478632ec9.png

Figure 8: Channel number

The country element indicates the regulatory domain, channels availability, and transmit power. Clients sometimes use it to further improve their compliance. On Linux this is called "beacon hinting".

aa0bb0b158b490ee1b54f7dada9967ee.png

Figure 9: Country information

On this particular AP, the regulatory domain is set to US. It gives a set of channels, as well as maximum transmit power. Eight channels are available at a transmit power of 23dBm, starting at channel 36 (40, 44, 48, 52, 56, 60, and 64). There are 11 channels starting at 100 with 23dBm (104, 108, 112, 116, 120, 124, 128, 136, and 140). There are five channels starting at 149 with 30dBm (153, 157, 161, and 165). The reason why it doesn't give precise channel numbers for every single one is because in the 5GHz band they are always separated by 20MHz, which is 4 channels apart, and they don't overlap.

The HT Capabilities and HT Information elements, indicate whether the AP supports High Throughput (HT), or 802.11n, and include other relevant information.

5f15ee75b2040b01ec41346279dc3d0f.png

Figure 10: HT Capabilities and HT Information

Two elements, VHT Capabilities and VHT Operation, indicate the presence of Very High Throughput (VHT), or 802.11ac, and the features supported. Another similarly named field, VHT Tx Power Envelope, helps further improve regulatory compliance.

d27524627c90b0d5d7b72e143437a018.png

Figure 11: VHT Capabilities and VHT Operation

This AP also supports 80MHz channels, with a center channel at 42. It spans from channels 36 to 48, or 5.170GHz to 5.250GHz. If the second centered segment was filled, it would support 160MHz channels or 80+80MHz. The difference is if it ends up being a contiguous 160MHz or not; 80+80 are two 80MHz channels which aren't next to each other.

Finally, the HE Capabilities and HE Operation elements indicate High Efficiency (HE), or 802.11ax, and the features supported.

19bf5606cf362aac66354f4bed3ef90a.png

Figure 12: HE Capabilites and HE Operation

The AP supports 80MHz in HE, as indicated by the Rx and Tx MCS Map. It only has one stream, as indicated by the first line in Basic HE-MCS and NSS Set, with rates using MCS 0 to 7, which means up to 360Mbit/s.

5.3.3. Probe

This section includes a reference file, airport-wifi-01_2_3.cap, in the Resources section.

Probe frames are used to scan for existing APs. Probe requests are sent by clients searching for APs, and they are often sent on multiple channels. An AP will answer with a probe response that contains information about itself.

Probe requests may contain specific criteria, including, for example, encryption and rates. APs or ad-hoc (IBSS) nodes will only respond to probe requests that match what they offer. When the Probe request is directed to a specific SSID, only the AP with that SSID will respond.

The structure of probe requests and responses is similar to beacons. Probe request payloads only consist of IEs. The response, which comes from the AP, will contain both the same static and the same dynamic section as the beacon.

A probe request will contain at the very least a SSID IE. It may contain more, depending on the device.

The following capture includes a broadcast probe request.

101892488d3a068bf7024231ea729065.png

Figure 13: Broadcast Probe Request

A probe response, from the AP, follows the request.

37b01954c95615661acb56b242a7c338.png

Figure 13: Broadcast Probe Request

5.3.4. Authentication

This section includes a reference file, airport-wifi-01_24_26.cap, in the Resources section.

Authentication frames are used when connecting to an AP. There is no authentication request or response. Both the client and the AP use the same authentication frame.

The payload contains four fields.

e08e05337be11399124a80b4b1032834.png

Figure 14: Authentication frame structure

Within an authentication frame, the Authentication Algorithm identifies the type of authentication used. The most common is Open authentication, but we will also encounter Simultaneous Authentication of Equals, which is used with WPA3, and in rare cases, Shared Authentication, which is used with WEP Shared Authentication.

The authentication process consists of several authentication frames (the exact number of frames exchanged can vary). The Authentication Transaction Sequence Number keeps track of the current state of the authentication process and will usually be a value between 1 and 4.

The Status Code indicates success (0) or failure (other values). Other than 0, each value indicates a different type of failure.

Warning

MAC filtering is an after-thought by vendors, and not part of the 802.11 standard. Implementation varies from one vendor to another. When MAC filtering is enabled on the AP and the MAC address of the client is not authorized to connect, the AP may or may not answer. If it does answer, it can either indicate a failure, or success.

Depending on the authentication algorithm and the sequence number, the frame sometimes contain data after all these fields. The meaning of the data in this section depends on the value of the authentication algorithm and the authentication sequence fields.

In the following figure, a client is starting an open authentication phase with an AP.

0246597f52716c2aacc1471ad95e4a1d.png

Figure 15: Authentication

The second frame includes the response from the AP.

cac5f622addb66da1dd44a0d4a483fb4.png

Figure 16: Authentication Response

5.3.5. Association

This section includes a reference file, airport-wifi-01_28_30.cap, in the Resources section.

Association frames are used to connect to an AP and are always preceded by authentication frames. The client sends an association request, which is usually followed by an association response from the AP.

An association request frame has the following structure.

3a9f6a699e24e49db3059c44b8a3bb61.png

Figure 17: Association request structure

The capabilities are identical to the beacon frame. The listen interval is expressed in TU and indicates how often it will wake up to listen to beacons when in power-save mode. Although it is followed by optional IEs, an SSID IE, along with one of the supported rates field, are required to associate to the AP. When connecting to an AP with encryption, the selected encryption parameters must be specified in this frame as well.

The following figure contains an association request for the "airport-wifi" network.

eae3f9760a89f231a0702872e4f286bd.png

Figure 18: Association Request

APs reject or accept an Association Request with an Association Response.

Warning

When MAC filtering is in place and the MAC address is not authorized, the behavior of the AP can vary. It will either ignore or deny the device.

The Association Response has the following structure.

4f7c43e758d828ed50b84a7180f5a428.png

Figure 19: Association response structure

Figure 20 includes a successful association response as indicated by the Status code.

e8c080f152fe674879fafbbe67f494f3.png

Figure 20: Association Response

5.3.6. Deauthentication

This section includes two reference files:

  • Airport wifi pcap
  • aireplay-ng pcap

Deauthentication frames invalidate the authentication between a client and an AP. While they are used in attacks, they also occur when a client is disconnecting or when the AP forces the client to reauthenticate for security reasons.

Deauthentication frame structure consists of one 2-bytes long field in the frame body. This field, the Reason Code, indicates the reason for the deauthentication.

In the following frame, the client is disconnecting and uses a reason code 3 ("Deauthenticated because sending STA is leaving").

764b6a86a052bc5f4758400242158ac1.png

Figure 21: Reason Code Deauthenticated

In the next example, the frame was sent by aireplay-ng to the BSSID 00:89:6e:1a:43:90. It uses the reason code 7 ("Class 3 frame received from nonassociated client").

dfa307841331b704396ad737ad92c62e.png

Figure 22: Reason code

AP and clients normally send one deauthentication, a large amount of deauthentication frames usually indicates an attack in progress.

5.3.7. Control Frames

Control frames help to deliver data frames as well as other unicast frames. They need to be heard reliably, so they are short and sent at a low rate. The following table shows the different types of control frames.

Subtype Field Description
0-6 Reserved
7 Control Wrapper
8 Block ACK Request
9 Block ACK
10 PS-Poll
11 RTS
12 CTS
13 ACK
14 CF End
15 CF End + CF-ACK

Table 4 - Control frames subtypes

Let's go over some of the more common control frame subtypes.

5.3.8. ACK

This section includes a reference file, ack.pcap, in the Resources section.

An ACK frame tells the sending client that the frame was received correctly. These frames are sent for each unicast (directed to a specific device) frame sent.

f5b9152e4fe60754fdcc9fea3a54eed4.png

Figure 23: ACK Frame diagram

We can open an ACK frame in a Wireshark capture to inspect it more closely.

6aaeddcae1185aa8a3dbc4fe2592382f.png

Figure 24: ACK Frame in Wireshark

The ACK frame has a Type field set to 1, which means it is a control frame. The ACK Subtype field is 13.

Block ACK allows one to disable ACK for a certain number of frames and then acknowledge them, which improves throughput. They contain a bitmap of the fragments and each bit represents the status of one of them (ACK/NACK).

5.3.9. RTS/CTS

This section includes a reference file, rts-cts.pcap, in the Resources section.

This section includes a reference file.

RTS/CTS is a supplement to the CSMA/CA mechanism that helps in reducing collisions. It adds overhead to the wireless communication, because additional frames have to be added before and after the communication. Figure 25 illustrates the process.

8aac7dbb2d9165c454d4049c23a36e2d.png

Figure 25: RTS/CTS communication sequence

In Figure 25, Node 1 wants to communicate with Node 2, which can be either an AP or a client.

First, Node 1 sends a "Request to Send" to Node 2. If there was no collision and the request is accepted, Node 2 sends a "Clear to Send" to Node 1 telling it to proceed. Other devices in the surroundings hearing the CTS wait as well. Next, Node 1 sends its data. The data is acknowledged with an ACK frame by Node 2. If the data send fails, no ACK frame is sent.

Let's review the RTS frame structure, which has a length of 20 bytes.

d74994db65283fcd7e461a32cae0e042.png

Figure 26: RTS frame structure

By comparison, a CTS frame has the same length (14 bytes) and structure as an ACK frame.

6592092309676c75c3e13f87ffb811e4.png

Figure 27: CTS frame structure

Figure 28 includes the entire RTS/CTS sequence in action.

ecf0378e4df48435338b851c3471ec12.png

Figure 28: The RTS/CTS sequence in Wireshark

Let's review this capture frame-by-frame to start getting a better understanding of how this transaction takes place.

In the second frame, the AP sends a RTS to the client. Notice that the frame Type is 1 (Control frame) and the Subtype is 11 (RTS).

15d1288f1b55f16f0940428ac03b5109.png

Figure 29: The RTS/CTS sequence in Wireshark - RTS

In the following frame, the client responds to the AP with CTS. The Subtype of the frame is 12 (CTS).

0f1603a1a9f809da38ffc488cf94090a.png

Figure 30: The RTS/CTS sequence in Wireshark - CTS

After it receives a CTS message from the client, the AP sends a data frame from the internal network.

0bf2cbbc2d6807f7f9bc950272bea2e6.png

Figure 31: The RTS/CTS sequence in Wireshark - Data frame

Once it has successfully received the data frame, the client sends an ACK (Subtype 13) back to the AP.

20a99a6435e5f6ff9eedaf77524c52cd.png

Figure 32: The RTS/CTS sequence in Wireshark - RTS - ACK

In some instances, devices use CTS-to-self protection mechanism before sending data. As mentioned earlier, all other devices hearing CTS will hold before transmitting. The amount of time to wait is specified in this frame's duration field, displayed in Figure 31. As a result, some devices send a CTS before their transmission in improve the likelihood of a successful transfer.

5.3.10. Data Frames

There are a number of different types of data frames, most of which are used to carry data between devices. The following table shows the different types.

Subtype Field Description
0 Data
1 Data + CF ACK
2 Data + CF Poll
3 Data + CF ACK + CF Poll
4 Null Function (No Data)
5 CF ACK (No Data)
6 CF Poll (No Data)
7 CF ACK + CF Poll (No Data)
8 QoS Data
9 QoS Data + CF ACK
10 QoS Data + CF Poll
11 QoS Data + CF ACK + CF Poll
12 QoS Null (No Data)
13 Reserved
14 QoS CF Poll (No Data)
15 QoS CF ACK + CF Poll (No Data)

Table 5 - Data frames subtypes

The most common data frames are Data (subtype 0), Null Function (subtype 4), and their equivalent with QoS (subtypes 8 and 12 respectively).

QoS data frames are used when prioritizing traffic sensitive to delays, such as voice or video. They contain a QoS Control field before the payload.

5.3.11. Data

This section includes a reference file, airport-wifi_34.pcap, in the Resources section.

Let's examine a DHCP request (UDP) captured on an open network. It happens to be a QoS data frame.

d7d4939f0807f15e1fa49f3a35d39724.png

Figure 33: QoS Data

5.3.12. Null Data

This section includes a reference file, null-data-packet.pcap, in the Resources section.

Null frames consist only of MAC headers and a FCS. Clients use them when they are going into power-saving mode. This is the case in Figure 33, where we note that the power management (PWR MGT) bit is set.

d11520182cdb19caf518e084e7dd72db.png

Figure 33: Null frame sent from a client

When the client exits power-saving mode, it will send the same frame with the power management bit reset. The AP will send the client any buffered frames that are waiting.

5.4. Interacting with Networks

Now that we've spent some time exploring the common frames used on networks, let's discuss the steps required for connect to and then transmit data on a wireless network. We will also compare a few different types of network encryption.

We'll begin with the steps of connecting to a wireless network.

706083c6e0ac7218912b8ba00f4a3e90.png

Figure 34: The stages in connecting to a network

We can separate this process into three steps: probe, authentication, and association.

During the probe stage, the client first sends a probe on all channels to find an AP. Then the APs that are in range answer the probe request.

During authentication, the client will usually select the AP with the strongest signal whose SSID was previously chosen in the OS user interface. The actual authentication process varies, depending on, for example, the type of encryption. This stage ends when the AP sends a response to the authentication.

Third is the association stage. The client sends an association request. As with authentication, the length of this part of the process varies. Once this stage has been completed, the client can communicate with the network.

When WPA encryption is used or when on Opportunistic Wireless Encryption (OWE) networks, there is one more step. After association, a client is required to go through key exchange and verification. This is required to be able to to use the network.

Let's explore how these different phases happen on network with different encryption schemes.

5.4.1. Open Network

This section includes a reference file, open.pcap, in the Resources section.

We will now open up our network capture and peer into the workings of wireless networks. We will first review a beacon from the network, the first frame, which gives details about the network. Although beacons occur about 10 times a second, this capture only contains one for brevity since beacons are all identical.

4110a535914509b33009fd80086a2b66.png

Figure 35: Privacy bit

In IEEE802.11 Wireless Management > Fixed Parameters > Capabilities information, the Privacy bit indicates that the AP is not encrypted.

Tagged parameters includes more details about this network. The first parameter tells us the SSID of the network, "freewifi". The channel, 6, in DS parameter set indicates the AP is operating in the 2.4GHz. The protocol could be 802.11b, 802.11g, 802.11n, or a combination of those. The Supported rates shows 802.11b rates, and Extended supported rates shows 802.11a/g rates.

Since we know the 2.4GHz frequency band supports rates between 1 and 54Mbps, we can conclude that the network is 802.11b/g.

3af4dbe937f8fe6300adf6fa0d1fe7e6.png

Figure 36: Tagged parameters

The connection process we explained earlier is present here in frames 2 to 7. Frames 2 and 3 are the probe and response. After this, the authentication process takes place in frames 4 and 5. Finally, the association process happens in frames 6 and 7.

In frame 2, the probe request, we may note that Wireshark has marked the SSID parameter as Wildcard. When we open this field, we note that there is no SSID present, which means the client is searching for any AP within range.

bd652aaf92d12b192e9113ca96cfb9d8.png

Figure 37: SSID parameter set

Any AP hearing this frame will answer the probe request. The response from freewifi is in frame 3. The information in the IEEE802.11 Wireless Management section is identical to the content of its beacon.

5c8152b191b5da84f97a3ceb62df18a9.png

Figure 38: Retry

In the flags in the Info column, the R, which stands for retry, shows that a frame has been resent by the AP. In this case, we might guess that the client was scanning on other channels and didn't receive or acknowledge an answer from the AP. Since the answer wasn't acknowledged, the AP resent it.

After completing the probe process, the client begins authentication with frame 4. In the following figure, the client is trying Open Authentication. Although Shared Authentication is an option for this field, it is not available for open networks.

73c9908fb1592c900992e918b96889b0.png

Figure 39: Authentication algorithm

The response from the AP is in frame 5, which indicates the authentication was successful.

6a589aba96ab13e802758a4a51273d54.png

Figure 40: Status code Authentication

Now, in frame 6, the client begins the association process by sending an association request. The client must provide the SSID and the rates or it won't be able to connect.

76952c37d599499d5312b10fc9c32a37.png

Figure 18: Association request

In frame 7, the AP accepts the association. The highlighted Status code in Figure 41 indicates that the association was successful.

f4fc9c04233cdd44547421bd0d0b9b38.png

Figure 41: Association Status code

At this point, the client is able to communicate on the network. It sends a DHCP request because it doesn't have an IP address and it needs other network information. There is no encryption on this network, so the DHCP request is visible in frames 8 to 16. The Your (client) IP address field in frame 16 includes the IP address that the client was granted, 192.168.200.137.

dc141fc4ded293df158581a092a1bb6d.png

Figure 42: DHCP IP address

In frames 19 to 25, the client is pinging 8.8.8.8.

9e90b0a4c7f16c6f19ec79ba69af8874.png

Figure 43: Pinging 8.8.8.8

The last frame doesn't have a response, but that doesn't necessarily mean a response wasn't sent. Sometimes, as a result of our location or interference, we might not necessarily hear or capture every single frame.

In frame 28, a device is trying to resolve example.com. The response, in frame 29 includes an IP address of 93.184.216.34.

b5f366d8d9ce75d0a978108e176e14c1.png

Figure 44: Answers

We can also notice another R in the flags of IEEE802.11 Data, which indicates this frame was retried. The client didn't hear the first time the response was sent.

Frames 30 to 49 are the frames for the website http://example.com. The request is in frame 34:

6d43a63e0d9ccc876a04a141e9f5d550.png

Figure 45: HTTP

Frame 38 includes the response from the server, 200/OK, which means the page exists. This frame also includes the following data.

e03fb3020e3906a0d5cfef1d98711f78.png

Figure 46: Line-based text data

In frame 42, the browser requests the icon of the websites by querying the favicon.ico. In frame 44, the server returns a 404 because it doesn't have one.

0a904aab04d98eee11b87859d69ec04a.png

Figure 47: 404 error

5.4.2. EAPoL

Next we'll explore the Extensible Authentication Protocol over LAN (EAPoL) frames, which are commonly used during the handshake when connecting to an AP with WPA, WPA2, WPA3, or OWE. We will also encounter them during a WPS exchange, or when Protected Management Frames, 802.11w, is used on the network.

Before we begin, let's review the EAPoL frame format that will be used in the handshakes we'll review.

b6670262cf166964112798500c6a6d48.png

Figure 48: EAPoL-Key frame structure

The authentication section of the EAPoL frame is divided into several fields.

  • The Protocol Version (1 byte) has a value of 1, 2, or 3. These values represent 802.1X-2001, 802.1X-2004, or 802.1X-2010 respectively. Values of 1 and 2 are the most common.
  • The Packet type (1 byte) usually has a value of 3, which means it is a key.
  • The Packet Body Length field (2 bytes) indicates the packet body length or the amount of data after this field.
  • The Descriptor Type (1 byte) usually has a value of either 2, which indicates "EAPoL RSN Key" when WPA2 is in use, or 254, which indicates "EAPoL WPA Key" when WPA1 is in use.
  • The Key Information (2 bytes) specifies the characteristics of the key, which is divided in smaller parts.
  • The Key Length (2 bytes) gives us the length of the PTK. A value of 5 or 13 indicates WEP40 and WEP104, and values of 16 or 32 indicates TKIP, CCMP, GCMP, BIP-CMAC, or BIP-GMAC cipher.
  • The Replay Counter (8 bytes) is increased incrementally each time EAPoL frames travel back and forth. This helps to avoid replaying old messages. The Replay Counter is usually 1 in the first part of the handshake (frame 1 and 2) and 2 in the second part. In cases when the exchange fails, because of an incorrect key or a weak signal, the number will go higher.
  • The Key Nonce (32 bytes) contains a nonce from the transmitter.
  • The EAPoL Key IV (16 bytes) contains the IV used with the KEK. When it's not required, this field will contain a 0.
  • The Key Receive Sequence Counter (8 bytes) is used in message 3 and 4, to indicate the counter for the GTK. It is not used with WEP, but does have a few other uses.
  • The Key Identifier (8 bytes) is an unused field, reserved for future use. It is set to 0.
  • The Key MIC field (variable size) is the MIC of this packet, called EAPoL-Key, from and including Protocol Version. Its size will depend on the AKM used.
  • The Key data length field (2 bytes) defines the length of the upcoming Key Data field.
  • The Key Data field includes additional data for the key exchange. The data may also be one or more Robust Security Network Elements (RSNE) or Key Data Elements (KDE). An RSNE starts with 0x30 and KDE starts with 0xdd.

The Key Information is further divided into a number of smaller fields.

  • By default, the Key descriptor version (bits 0, 1 and 2) is set to 0, but could also be set to values of 1, 2, or 3 to indicate a specific algorithm. The values of 1, 2, and 3 are mappings to algorithms used for the MIC, its length, and the encryption key. One (1) is for ARC4 encryption with HMAC-MD5, two (2) is for NIST AES key wrap with HMAC-SHA1-128, and three (3) is NIST AES key wrap with AES-128-CMAC.
  • When the Key Type (bit 3) is set, the result is going to be a PTK. When not set, the result is going to be a group key or SMK.
  • Bits 4 and 5 are reserved and not in use at this time.
  • If Install (bit 6) is set, the client will need to install the keys.
  • Key ACK (bit 7) indicates whether or not the receiving party expects an EAPoL-Key message.
  • When Key MIC (bit 8) is set, a MIC is present.
  • Secure (bit 9) is set when the initial key exchange is complete. It will be set in message 3 (from the Authenticator to Supplicant) and in message 4 (from the Supplicant to Authenticator).
  • Error (bit 10) is set when a MIC failure happens.
  • Request (bit 11) is only set by a Supplicant in a MIC Failure report. It can also requests the Authenticator to initiate a 4-way handshake or group key handshake.
  • The Encrypted Key Data (bit 12) is set if the Key Data field is encrypted.
  • SMK Message (bit 13) specifies if the packet is part of a SMK handshake.

Key Data can contain two types of data: key data cryptographic encapsulation(s) (KDE) or RSNE. The structure of KDE is as follows.

142dfc730ddf891ca9993b1d8c3b17a3.png

Figure 49: KDE structure

The RSNE structure is a bit more complex.

c1005fb327f7062dd0966a7588098e83.png

Figure 50: RSNE structure

The last element will only be present if the one before it is also present. The Pairwise Cipher Suite List contains items in the following format.

5dc2c10b1c3d951a485f8459a8262e96.png

Figure 51: RSNE Pairwise Cipher Suite item

5.4.3. WEP

This section includes 2 reference files:

  • WEP Open Authentication
  • WEP Shared Authentication

Both in the Resource section.

The connection process for WEP is similar to the one we just explored for open networks. The client will send probe requests and receive responses. Then it will start the authentication process and the association before finally being able to communicate on the network.

The main difference that we will note in the frames, is that the Privacy bit is set in the beacons, probe response, and association frames. The Privacy bit indicates encryption. Because of a lack of WPA or WPA2 tags in these frames, we also know that the security algorithm is WEP.

WEP can be either open authentication or shared authentication. With open authentication, the process is identical to an open network. With shared authentication, the client receives random data called challenge text from the AP. The client has to encrypt the challenge text to prove it has the right key. The AP will then try to decrypt using its own key. If successful, the client will be allowed to continue with association. Shared authentication is much less common than open authentication, and the broadcasting AP doesn't advertise it. For this reason, many clients will try open authentication first. If they get denied one or more times, they will try shared authentication.

5.4.4. WPA1

This section includes a reference file, wpa1.pcap, in the Resources section.

We will be using a display filter, !(wlan.fc.type == 1), in Wireshark to skip over control frames that aren't relevant in this exchange.

The first frame is a beacon from the AP. It advertises WPA1 PSK TKIP.

7df98d29f79dbdbec854d7ea60374f31.png

Figure 52: Frame 1: Beacon with WPA IE

The following frame is a probe request, followed by a probe response by the AP. Both have the same IEs.

873013b6c64396aa516dcee42ad7a6a7.png

Figure 53: Frame 3: Probe Response with WPA IE

The authentication is similar to one we reviewed earlier. Let's skip to the association request from the client. This request includes an agreement to connect using WPA1 PSK TKIP.

8a1e6a2846df6d0d448667a10b8ef058.png

Figure 54: Frame 55: Association request with WPA IE

The association response indicates it is successful.

c7484069eb9160266c211e8ff83ed262.png

Figure 55: Frame 57: Association response

Afterward, we note the 4-way handshake, which is initiated by the AP.

5d446e8364834dfdd179338aea2a390c.png

Figure 56: Frame 59: EAPoL message 1

At this point the client generates its nonce. Since it has all the necessary information, it can derive the PTK next.

0ac20ddfce0228e8eeab1b57e3094828.png

Figure 57: Frame 61: EAPoL message 2 - part 1

Now that the AP, which is the Authenticator in this case, has received the nonce from the client (Supplicant), it can generate the PTK. It will also confirm both supplicant and authenticator share the same key by verifying the MIC. Finally, it will prepare the third message, which contains the GTK.

55424aa81740b46705ca6ee0e523cba7.png

Figure 57: Frame 61: EAPoL message 2 - part 2

In the flags under the Key Information section of this message, the AP tells the client to install the keys.

ebf38bbd698647eb356ed187f1649bf6.png

Figure 58: Frame 63: EAPoL message 3 - part 1

The Key Data in this third message contains a KDE within an IE (which are typically found in management frames such as beacons) for WPA1.

3f4954931693cba16d827cf097e1ead5.png

Figure 59: Frame 63: EAPoL message 3 - part 2

The last message is simply an acknowledgment that will allow the flow of encrypted data. The AP will check the MIC and then install the keys for the newly connected client.

0e26f7d194c3dedb884f5b6f4c22a14f.png

Figure 60: Frame 65: EAPoL message 4

The group key handshake is done afterward, in frames 67 and 69. We will need to decrypt the capture in order to be able to review them.

57b8ad86550184c295a7be167188b542.png

Figure 61: Frame 67: Group Handshake message 1

686665e23371de862254752bd6f3f57d.png

Figure 62: Frame 69: Group Handshake message 2

5.4.5. WPA2

This section includes a reference file, wpa-Induction.pcap, in the Resources section.

The first frame is a beacon from the AP. It advertises WPA1 and WPA2, both with AES/CCMP and TKIP. Group Cipher in both cases is TKIP, which means that all frames that are broadcast or multicast will be encrypted using TKIP. The unicast ones will depend on the cipher selected by the client.

We will be using a display filter, !(wlan.fc.type == 1), in Wireshark to skip over control frames that aren't relevant in this exchange.

12c28bc608574b09e7d4370043ce8b29.png

Figure 63: Frame 1: Beacon with RSN IE

e44b3703519f65678abd4807f2a23742.png

Figure 64: Frame 1: Beacon with WPA IE

The authentication section is uneventful (frames 78 and 80). In the association request (frame 82), the client is selecting WPA2 with AES or RSN as well as TKIP for the group cipher.

ed022685083e93906f6eef113e4941a0.png

Figure 65: Frame 82: Association request with RSN

The AP responds with a successful Association Response (frame 84), and then proceeds to start the 4-way handshake.

fa8bf854ea8f0636fd48b0c9efd0494c.png

Figure 66: Frame 84: Association response

This 4-way handshake is similar to the one in the WPA1 section. There are a few key differences because it is WPA2 CCMP.

In this first EAPoL message, the key information indicates it's using CCMP with HMAC-SHA1 MIC.

886826969c5a74ff091e3f151a35e606.png

Figure 67: Frame 87: 4-way handshake (EAPoL message 1) - part 1

The WPA Data field shows an RSNE with a PMKID.

b1aa632da0af61bf25bb37a4505fe78b.png

Figure 68: Frame 87: 4-way handshake (EAPoL message 1) - part 2

We note an RSNE in the WPA Key Data field, showing details of the cipher used.

![Frame 89: 4-way handshake (EAPoL message 2)(../images/Packets_and_Network_Interaction/packet_89_4_way_handshake_eapol_message_2_part_2.png)

This third message likely contains the GTK in the Key Data field. We suspect this is the case because when we decrypt the capture we notice there is no GTK handshake afterward. The data field would also contain the IGTK if 802.1w was negotiated.

![Frame 92: 4-way handshake (EAPoL message 3)(../images/Packets_and_Network_Interaction/packet_92_4_way_handshake_eapol_message_3.png)

Finally, the last EAPoL indicates the client has installed the keys, and the AP can now do it as well, to encrypt the traffic.

![Frame 94: 4-way handshake (EAPoL message 4)(../images/Packets_and_Network_Interaction/packet_94_4_way_handshake_eapol_message_4.png)

5.4.6. WPA3

This section includes a reference file, wpa3-psk.pcap, in the Resources section.

This packet capture shows a WPA3 dragonfly handshake followed by a 4-way handshake.

We'll use the !(wlan.fc.type == 1) display filter in Wireshark to skip over control frames that aren't relevant in this exchange.

The first frame is a beacon from the AP, advertising the ESSID "WPA3-Network", SAE in the RSN IE, and 802.11w (which is mandatory for WPA3).

4ede983ff6ebb4d1625201aec2d86ab3.png

Figure 69: Frame 1: Beacon

The second frame is a probe request and the third is a response to that request. It contains the same IEs as the beacon and advertises SAE, 802.11w, and BIP in the RSN IE. There is one exception, the Traffic Indication Map.

3d036b19ca662470dc372a8f1403c649.png

Figure 70: Frame 3: Probe response

The dragonfly handshake occurs during authentication part. In the first authentication frame (5), we note that the algorithm isn't "Open authentication" like it was with WEP, WPA1, or WPA2. Now the algorithm is Simultaneous Authentication of Equals (SAE) using the default group, 19. This first authentication frame is the start of the commit phase where both sides commit to a shared secret.

38ca3c1d5e532a4b32c2922abf393399.png

Figure 71: Frame 5: Authentication - Commit message from client

The second frame (7) of the authentication stage is where the AP sends its scalar and finite field element.

6a2427037393f82895d23fd43b1a924e.png

Figure 72: Frame 7: Authentication - Commit message from AP

This next frame (9) is the confirm message from the client.

6a47ba97bfc9f8c7714e5f6ce5767276.png

Figure 73: Frame 9: Authentication - Confirm message from client

And finally, in frame 11, there is an answer from the AP.

8cf37815bbfaea1e533f9466821c2b7f.png

Figure 74: Frame 11: Authentication - Confirm message from AP

The association phase, which comes next, is uneventful. First the client indicates the specifics of the RSNA, including AES for unicast and multicast, SAE, and 802.11w.

1f282966cbeb1b62d54c33f720e4bf66.png

Figure 75: Frame 13: Association Request

Next, the AP sends the association response, accepting it.

7bfea4a55a4b2d2a98b10b8e6bcf5f7c.png

Figure 76: Frame 15: Association Response

The association stage concludes with the 4-way handshake, which uses AES/CCMP.

2c15ba60679f188dda334e24d04737de.png

Figure 76: Frame 17: Association 4-way Handshake

5.4.7. Disagreeing on Group

[

Jump to resources to start virtual machines and/or answer labs

]

This section includes a reference file, wpa3-dh-group-disagreement.pcap, in the Resources section.

In most cases, a client and an AP will settle on the default group, 19. However, it is possible to configure groups on the AP and the client. In this section we'll explore a PCAP in which the client has a custom selection of groups that is different than what the AP would normally accept. The client will will go through the groups one by one until it finds one the AP can agree on.

Again, we'll use the !(wlan.fc.type == 1) display filter in Wireshark to skip over control frames that aren't relevant in this exchange.

The first frame is a beacon from the AP, advertising "WPA3-Network" with SAE and mandatory 802.11w.

44563045f98134cb460a6bfc140ed965.png

Figure 77: Frame 1: Beacon

The third frame is a response to the probe request with the same information as in the beacon.

ac38902ae7a8cf5c692f69b26631b0b9.png

Figure 78: Frame 3: Probe response

The authentication for the dragonfly handshake starts at frame 51 where the client tries using group 15.

67fc3badb51844312b4c9e9211d03315.png

Figure 79: Frame 51: Authentication - client - group 15

The AP doesn't support group 15 and rejects it.

c9a3944e40382989d9d443ca43c66813.png

Figure 80: Frame 53: Authentication - AP - disagreeing group 15

Next, the client tries again. This time with group 16.

d1ef42416c66bfffe5d36aeb2bd98acd.png

Figure 81: Frame 55: Authentication - client - group 16

The AP rejects this one as well.

9b318dc156bccde96f95ac24a15acfcb.png

Figure 82: Frame 57: Authentication - AP - disagreeing group 16

Next, the client tries group 19.

b0ef9c51e0be83862171e25ebd438fe5.png

Figure 83: Frame 59: Authentication - client - group 19

Group 19 is the default group and is required in any implementation, so it will always be accepted.

154309780b3f9a5a790b92e0bc4c4167.png

Figure 84: Frame 61: Authentication - AP - Accepting group 19

Now the client proceeds to the confirm phase.

09209b510ebf384afef5d45db21e3a53.png

Figure 85: Frame 63: Authentication - Client - Confirm

The following frame from the AP concludes the authentication phase, which is successful, as indicated by the status code.

6889fd63e7425b42e842f9c14ae5a48a.png

Figure 86: Frame 65: Authentication - AP - Confirm

From here, the client will associate to the AP and complete the 4-way handshake.

Resources

Some of the labs require you to download the file(s) below.

Resource name
wpa3-dh-group-disagreement.pcap

5.4.8. Opportunistic Wireless Encryption

[

Jump to resources to start virtual machines and/or answer labs

]

This section includes a reference file, owe.pcap, in the Resources section.

In this section we'll review a capture that contains a successful OWE association. Once again, we'll use !(wlan.fc.type == 1) to skip over control frames.

Frame 1 below shows a beacon with a RSN tag offering OWE only.

fa864ea90bf2509ae439e5d034f657c1.png

Figure 87: Frame 1: Beacon with RSN IE with OWE

Like WPA3, OWE requires 802.11w. This protects some management frames that are susceptible to attacks.

The following figure contains a client probe that also has an RSN IE with OWE, and 802.11w.

b2a7b91cb4ba8ee87dcc98d298b454fd.png

Figure 88: Frame 3: Probe response with RSN IE with OWE

The open authentication, with frames 51 and 52 from the client and the AP respectively, is uneventful. Whereas WPA3 used the authentication for the dragonfly handshake, OWE does public key exchange in the association phase. The association request from the client is in frame 55.

1f8e6503d3a53990e679f9f4838b9914.png

Figure 89: Frame 55: Association request

The last IE in the association request is an extended IE, which contains the Diffie-Hellman parameters from the client. These include the Diffie-Hellman group used, default group 19, and the public key.

In the following frame, the AP sends its information as well.

974cf15a5e4e3edeaffe39378b7ee2f9.png

Figure 90: Frame 57: Association response

From there, they can both derive the same PMK for use in the 4-way handshake like in WPA2, in frame 59, 61, 63, and 65.

Resources

Some of the labs require you to download the file(s) below.

Resource name
owe.pcap

5.4.9. Wi-Fi Protected Setup

[

Jump to resources to start virtual machines and/or answer labs

]

This section includes a reference file, wpsdata.cap, in the Resources section.

This packet capture contains a successful WPS exchange. It has duplicate frames (frames with the retry bit set) because some frames were not acknowledged by the receiving device. When the ACK is not received within a specific amount of time, the frame it is supposed to acknowledge is assumed lost. The transmitter sends it again, however, this time the retry bit is set.

We will be using our !(wlan.fc.type == 1) display filter in Wireshark again.

Frame 1 below shows a beacon with the WPS tag.

4591f916f6dcc99c3121b389f4bf7d49.png

Figure 91: Frame 1: Beacon with WPS IE

Frames 4 to 16 (17 is a control frame and is not included) show the probe request from the client, the response from the AP, as well as the authentication and the association to the AP.

7b595f5e65e7f9c2c701985c310776b8.png

Figure 92: Frames 4 to 17: probing, authentication, association

Frame 18 includes the EAP Start from the client.

6aca882eac7f201cdeefd27cd0f47081.png

Figure 93: Frame 18: EAPoL start

Frame 20 includes the EAP Request Identity from the AP.

aafb6b2ca6c7e4111d8b422588919769.png

Figure 94: Frame 20: EAP Request Identity

After several retried frames, the identity response (with WFA-SimpleConfig-Enrollee-1-0) is frame 28.

c12d3f7179bb71721c7e27b1f7086881.png

Figure 95: Frame 28: EAP Response Identity

Because of the retried EAP Response Identity, the request with WSC Start appears in frame 26, before the response.

6eded314f03cefcc6058135f61e4d9e4.png

Figure 96: Frame 26: Request Expanded Types

The AP and the client will now exchange a series of eight messages called M1 to M8, sent in a sequential order, back and forth, to confirm the WPS PIN and securely exchange the passphrase, in M8. M1 includes information from the enrollee, and M2 will add registrar information. In WPS, the Registrar is an entity, not necessarily an AP, that can give access to the network. An enrollee is a device, most often either an AP or a client, looking to get the passphrase for the network. M1 (and M2 in a smaller measure) will help determine which is which.

Frame 30 shows M1 with detailed information about the enrollee, which includes the manufacturer of the wireless adapter (Atheros), the name of the device (WXP-JBRAEUER-T1), and the device password ID used. This last bit of information indicates, the type of password used (0000, default value), which indicates a PIN. Also included are the MAC address, nonce and public key (DH).

9bbad330132ca0f277197f84b865b780.png

Figure 97: Frame 30: M1

Frame 38 shows M2 with information about the AP, a D-Link DIR-655 Model A1/A2. This frame also contains both the Enrollee and Registrar nonce as well as the public key (DH) of the Registrar.

9fa56fb4eb0204eebbaad41c0111a925.png

Figure 98: Frame 38: M2

Frame 42 below shows M3, which has been re-transmitted a few times (39, 40, 41, and 42) with the Registrar nonce and both E-Hash values (from the enrollee and the registrar).

b1ed6e724f417fa133dd21be3a639511.png

Figure 99: Frame 42: M3

Frame 43 below is M4 type with R-S1 encryption settings.

7270f6dfaa8d21cef389564bbe99ac9a.png

Figure 100: Frame 43: M4

The first half of the PIN has been validated.

Frame 44 is M5 type with E-S1 encryption settings. The second part of the PIN will be verified in the next few messages.

4905f5315bd669565e370596df3d8502.png

Figure 101: Frame 44: M5

Frame 45 is M6 type with R-S2 encryption settings.

ac8775a0ed9184b45a220fa858a97e43.png

Figure 102: Frame 45: M6

Frame 46 is M7 type with E-S2 encryption settings.

44f48d2d2d289b7bd491d1bbd1096c6d.png

Figure 103: Frame 46: M7

Frame 47 below is M8 type with encrypted wireless settings for the Enrollee.

87c536a5b6bdb8f2e22f23a807f3310c.png

Figure 104: Frame 47: M8

WSC Done in frame 48 indicates the WPS (Wi-Fi Simple Configuration) exchange is finished.

fa09cd47e41942445eb4367f42f0a7c3.png

Figure 105: Frame 48: WSC Done

Frame 49 below shows EAP Failure to indicate the end of the registration protocol session, so now the client can now use the credentials to do the 4-way handshake:

26943454d52f455b8854296069a3edbd.png

Figure 106: Frame 49: EAP Failure

Resources

Some of the labs require you to download the file(s) below.

Resource name
wpsdata.cap

5.4.10. 802.11w

[

Jump to resources to start virtual machines and/or answer labs

]

This section includes a reference file, pmf.pcap, in the Resources section.

This capture file shows the SA Query mechanism in action when 802.11w is negotiated by a client.

The first frame is a beacon. We notice that WPA2 CCMP is being used in the RSN IE (for both unicast and multicast frames). The Authentication Key Management (AKM) shows that pre-shared Key (PSK) is used. By default, SHA1 is used when Wireshark doesn't specify anything (AKM type with a value of 2), but in this case, 802.11w uses SHA256 (AKM type with a value of 6).

When RSN Capabilities are expanded, only the "Management Frame Protection Capable" bit is set, and thus the AP can accept clients with and without 802.11w.

1d02f6db673092f8d51d36025545dd1b.png

Figure 107: Frame 1: Beacon

The following few frames include several Probe Requests, in which the client is scanning for APs. Frame 3 shows a response from the AP with similar information as in the Beacon described in Figure 107.

6ba5b0278f7419b4fd2746cd48deb35a.png

Figure 108: Frame 3: Association Response

Authentication starts at frame 50. The AP responds with frame 51, and the client then associates to the AP in frames 52 and 53. In frame 52, the association request, the client indicates it supports the AKM requested by the AP as well as PMF. With these settings, the client will only associate to an AP that either is set to "Capable" or "Required".

4a045d3ff7273bbc9f1d2b4d4a88eaaf.png

Figure 109: Frame 52: Association Request

The 4-way handshake is similar to any other WPA2 handshake.

Frame 132 is a deauthentication sent by an attacker. It is followed by two action frames and then more deauthentication frames. This could be a containment from a Wireless Intrusion Prevention System (WIPS), but in this case it is deauthentication attack from aireplay-ng.

0d282dd524944ced437e62f90e4667c1.png

Figure 110: Frame 132: Deauthentication from an attacker

The first action frame (Figure 111) is an encrypted SA Query from the client, checking on the AP.

1f7934d09989c673c2eb3d2e99a84da4.png

Figure 111: Frame 133: Action frame: SA Query

The AP responds immediately in frame 134. As a result, the AP will ignore deauthentications that do not come directly from the client.

a2e7b01afe88d96ab2c94eb2798289d0.png

Figure 112: Frame 134: Action frame: SA Query response

Finally, the client sends a deauthentication frame when disconnecting from the network so the AP can free resources associated to the client's connection.

a0565f075ef689d35cba2e54a438e7cb.png

Figure 113: Frame 309: Deauthentication from the client

5.5. Wrapping Up

In this module, we first went over the 802.11 frame structure, and explored the details of common frames encountered on Wi-Fi networks. We then learned how these frames work together when connecting to networks with different encryption types.