Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Wireless Security Training and Pen Testing Tutorial - Framing Part 1


Joshua Wright

In this training tutorial we begin the discussion of wireless framing: we cover the Frame Control field, with particular attention to the To DS and From DS bits, and end with the Duration/ID field. Since this material is fairly complex, it is best to read the previous tutorial, Wireless Security Training and Pen Testing Tutorial: Infrastructure, before reading Framing Part 1. For more information, please consider my course, Assessing and Securing Wireless Networks.[1]

Figure 1. (2-20) Generic 802.11 frame header

This figure illustrates the generic 802.11 frame header. "To meet the challenges posed by a wireless data link, the MAC was forced to adopt several unique features, not the least of which was the use of four address fields. Not all frames use all the address fields, and the values assigned to the address fields may change depending on the type of MAC frame being transmitted."[2] We refer to this as the generic header because different components of the header change function depending on how the frame is used. This can make wireless intrusion detection challenging, but it is certainly possible; Snort-Wireless is one example.

"Writing custom rules for detecting 802.11 frames matching your specific criteria is just as easy as writing any other type of custom Snort rule. The 802.11 rule engine of Snort-Wireless is built upon the rule engine of the standard Snort distribution and for the most part it shares the same syntax. The only difference between the two is that instead of specifying a source IP address and port or destination IP address and port, you simply specify source and destination MAC addresses."[3]

Note that two bytes are used for the Frame Control field, followed by two bytes for the Duration/ID field. Address 1 is the destination address and address 2 is the source address. Address 3 is the BSSID of the network. The Sequence Control field uses two bytes to accommodate fragmentation and packet reassembly. Address 4 is optional, used only in a wireless distribution system (WDS) to indicate the transmitter address. When address 4 is not in use, that portion of the header is used for the data payload, which is followed by a 4-byte frame check sequence (the packet CRC).

Figure 2. (2-21) 802.11 Frame Control field

802.11 Frame Control Field

The Frame Control field defines the options in use in the remainder of the header and specifies whether the frame is a control, management or data frame. Only data frames carry standard IP packets. The Frame Control field also contains the options needed to process the frame, and the format of the 802.11 frame can (and does) change depending on the values set in it. Let's take a look at each of the components of this field.

Two bits are reserved for the protocol version number. Currently, this is always 0.

Two bits are used for the type field, which identifies the frame as a control, management or data frame.

Four bits are used for the sub-type field, which identifies the particular kind of control, management or data frame.


Examples of the type/sub-type usage include:
  • 00/0000 - type = Management, sub-type = Association Request
  • 01/1011 - type = Control, sub-type = Request to Send (RTS)
  • 10/0000 - type = Data, sub-type = Payload data, no additional options

The remaining 8 bits are used to flag specific options as follows:
  • To DS - Flagged when the frame is destined to the distribution system
  • From DS - Flagged when the frame is sourced from the distribution system. The To DS and From DS flags are both set in Wireless Distribution System (WDS) networks, where access points connect to other access points, such as a wireless backbone;[4] both flags are cleared in Ad-Hoc networks.
  • More Frag - Flagged when more fragments are yet to be transmitted
  • Retry - Flagged when a packet is retransmitted
  • Power Mgmt - Flagged when power saving is in use by the client station (called a STA)
  • More Data - Flagged when more data is waiting to be transmitted to a STA that was previously in power-saving mode
  • WEP - Flagged when WEP is in use in the BSS
  • Strict Order - Flagged when transmitted packets must be received in the order they were transmitted, else they are discarded

Figure 3. (2-25) To DS and From DS significance

To DS and From DS Significance
In the frame control header flags field there are two bits known as the To Distribution System (To DS) and From Distribution System (From DS) bits. These bits are important for assessing the rest of the packet contents since the combination of these flags identifies the type of network the packet is associated with.

The distribution system is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS), or the infrastructure that connects wireless devices to other devices. Making things a bit confusing though, the distribution system does not need to be a wired backbone; the distribution system can consist of additional wireless networks connecting wireless networks together (such as a wireless LAN connecting to a wireless MAN to another facility). Further, the access point (AP) itself is considered a component on the distribution system, even when a node is transmitting to the AP directly. Just remember that the distribution system is the mechanism that connects the wireless network to other networks, regardless of the final destination architecture. We'll generally refer to the wired network as the distribution network throughout this material for simplicity.

When the To DS bit is set, the packet is typically traveling from a wireless station to a node on the wired network. When the From DS bit is set, the packet is traveling from the wired network, or originating at the access point, to a node on the wireless network. With this knowledge, we can look at the contents of the Frame Control field, identify whether To DS or From DS is set, and then identify the source MAC address as a wireless or a wired node. If the packet has the From DS bit set, it originated from the access point or from a wired node on the distribution system network. If the packet has the To DS bit set, it was sent by a wireless client.

When pen testing a wireless network, things get a little tricky when different combinations of the To DS and From DS flags are used. When both To DS and From DS are set, the packet is from a Wireless Distribution System (WDS) network. WDS networks are used to connect multiple networks together, typically for building-to-building connectivity. We'll continue to look at the different components in WDS networks later in this course. When To DS and From DS flags are cleared (not set), the network is an Independent Basic Service Set (IBSS) network, or an Ad-hoc network. These networks connect multiple nodes together but do not (typically) connect to wired networks.

It's important to first assess the contents of the From DS and To DS flags to understand the use of the packet that you are observing in a sniffer. Next, let's take a look at how the Duration and Identification fields are defined in wireless networks.
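The header layout in Figure 1 and the To DS/From DS discussion above can be put together in a small decoder. The following is an added example, not code from the article or from Snort-Wireless: it splits the two Frame Control bytes into version, type, sub-type and flags, reads the Duration/ID and Sequence Control fields, and uses the To DS/From DS combination to label the network type and to name the role of each address field. The per-combination address roles (DA, SA, BSSID, RA, TA) and the rule that the DS bits are only meaningful in data frames follow the 802.11 address table rather than the article, which describes only the common case; the sample frames are constructed and the FCS is omitted.

```python
import struct
from dataclasses import dataclass

# Names for the type/sub-type codes the article lists plus a few common ones.
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    (0, 0b0000): "Association Request", (0, 0b1000): "Beacon",
    (0, 0b1011): "Authentication", (0, 0b1100): "Deauthentication",
    (1, 0b1010): "PS-Poll", (1, 0b1011): "RTS", (1, 0b1100): "CTS",
    (1, 0b1101): "ACK", (2, 0b0000): "Data",
}
# Flag bits of the second Frame Control byte, least significant bit first.
FLAG_NAMES = ["To DS", "From DS", "More Frag", "Retry",
              "Power Mgmt", "More Data", "WEP", "Strict Order"]
# Meaning of the address fields in a data frame for each (To DS, From DS)
# combination. Taken from the 802.11 address table; an assumption added here,
# the article itself only describes the common case.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # IBSS / ad-hoc
    (1, 0): ("BSSID", "SA", "DA", None),   # STA -> AP
    (0, 1): ("DA", "BSSID", "SA", None),   # AP -> STA
    (1, 1): ("RA", "TA", "DA", "SA"),      # WDS, Address 4 present
}
NETWORK_KIND = {(0, 0): "IBSS/ad-hoc", (1, 0): "infrastructure, to DS",
                (0, 1): "infrastructure, from DS", (1, 1): "WDS"}


@dataclass
class FrameControl:
    version: int
    ftype: int
    subtype: int
    flags: int

    @classmethod
    def parse(cls, two_bytes: bytes) -> "FrameControl":
        # Byte 0: bits 0-1 protocol version, 2-3 type, 4-7 sub-type.
        # Byte 1: the eight option flags.
        b0, b1 = two_bytes[0], two_bytes[1]
        return cls(b0 & 0x3, (b0 >> 2) & 0x3, b0 >> 4, b1)

    def flag(self, name: str) -> int:
        return (self.flags >> FLAG_NAMES.index(name)) & 1

    def set_flags(self) -> list:
        return [n for i, n in enumerate(FLAG_NAMES) if (self.flags >> i) & 1]

    def describe(self) -> str:
        sub = SUBTYPE_NAMES.get((self.ftype, self.subtype),
                                f"sub-type {self.subtype:04b}")
        return f"{TYPE_NAMES.get(self.ftype, 'Reserved')}/{sub}"


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the MAC header of one 802.11 frame (FCS may be absent)."""
    if len(frame) < 10:
        raise ValueError("shorter than the minimal 802.11 header")
    fc = FrameControl.parse(frame[0:2])
    ds = (fc.flag("To DS"), fc.flag("From DS"))
    info = {"frame": fc.describe(), "flags": fc.set_flags(),
            "duration_id": struct.unpack_from("<H", frame, 2)[0],
            "addr1": mac(frame[4:10]), "network": None}
    if fc.ftype == 1:
        # Control frames carry RA and, for RTS/PS-Poll, a TA; no Address 3.
        if len(frame) >= 16:
            info["addr2"] = mac(frame[10:16])
        info["header_len"] = 16 if len(frame) >= 16 else 10
        return info
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq = struct.unpack_from("<H", frame, 22)[0]
    info.update(addr2=mac(addrs[1]), addr3=mac(addrs[2]),
                fragment=seq & 0xF, sequence=seq >> 4, header_len=24)
    if fc.ftype == 2:
        # The DS bits are only meaningful in data frames; management frames
        # always have both cleared, so they must not be reported as IBSS traffic.
        info["network"] = NETWORK_KIND[ds]
        if ds == (1, 1):
            addrs.append(frame[24:30])
            info["addr4"], info["header_len"] = mac(addrs[3]), 30
        info["roles"] = {r: mac(a) for r, a in zip(ADDRESS_ROLES[ds], addrs) if r}
    return info


# Constructed sample frames (not captured traffic); FCS omitted.
WDS_DATA = bytes.fromhex(
    "0803" "2c00"                   # Data/Data, To DS + From DS, duration 44 us
    "020000000001" "020000000002"   # addr1 = RA, addr2 = TA
    "020000000003" "a01f"           # addr3 = DA, sequence 506 fragment 0
    "020000000004")                 # addr4 = SA
STA_TO_AP = bytes.fromhex(
    "0801" "3a01" "020000000010" "020000000020" "020000000030" "1000")
RTS = bytes.fromhex("b400" "7400" "020000000010" "020000000020")

if __name__ == "__main__":
    for name, f in (("WDS data", WDS_DATA), ("STA->AP", STA_TO_AP), ("RTS", RTS)):
        print(name, parse_header(f))
```

The `roles` entry is what a sniffer analyst actually wants: it names which address is the wireless client and which is the BSSID or the wired-side station without having to remember the table, and the `network` label makes a frame with both DS bits set (WDS) stand out on a network that should not carry any.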

802.11 Duration/ID Field
The Duration/ID field deals with access to the medium: it carries the amount of time the transmission medium is expected to be busy for a data transmission. Another use of this field is to retrieve any frames waiting for a dozing STA when it awakes from power-save mode, using its assigned association identifier (AID). The AID for the STA is assigned when it associates with an AP that has power management enabled, in the range 1-2007 per the 802.11 specification. This limits the number of concurrent associations that a single AP can accommodate, opening up the potential for an association denial-of-service attack. DoS does not always fall within the scope of engagement for a wireless penetration test, but if it does, you can try hammering this field.
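The two meanings of the field (a medium-busy time or an AID) are distinguished by its top two bits, and the 1-2007 AID range gives a defender a concrete thing to watch on an access point. The following is an added example, not code from the article: it interprets a Duration/ID value as a duration, the contention-free-period fixed value or an AID (this bit layout is taken from the 802.11 standard, not from the article), builds constructed PS-Poll headers as test input, and keeps a per-BSSID set of polled AIDs so that the monitor can raise an alert when the association identifier space of an AP is close to exhausted. `AidMonitor`, its `warn_fraction` parameter and the alert tuples are names chosen here, not a real tool's API.

```python
import struct
from collections import defaultdict

AID_MAX = 2007            # upper bound of the AID range cited in the text
PS_POLL = (1, 0b1010)     # (type, sub-type) of a PS-Poll control frame


def decode_duration_id(value: int) -> dict:
    """Interpret the 16-bit Duration/ID field.

    Bit 15 clear: a duration in microseconds (0-32767).
    Bit 15 set, bit 14 set: bits 0-13 carry the AID of a dozing STA (PS-Poll).
    Bit 15 set, bit 14 clear, bits 0-13 zero: fixed value used during a CFP.
    This bit layout is taken from the 802.11 standard, not from the article.
    """
    if not value & 0x8000:
        return {"kind": "duration_us", "value": value}
    if value & 0x4000:
        aid = value & 0x3FFF
        return {"kind": "aid", "value": aid, "valid": 1 <= aid <= AID_MAX}
    if value & 0x3FFF == 0:
        return {"kind": "cfp_fixed", "value": value}
    return {"kind": "reserved", "value": value}


def encode_ps_poll(bssid: bytes, ta: bytes, aid: int) -> bytes:
    """Build a PS-Poll header as constructed test input (FCS omitted)."""
    fc = bytes([(PS_POLL[1] << 4) | (PS_POLL[0] << 2), 0x00])
    return fc + struct.pack("<H", 0xC000 | (aid & 0x3FFF)) + bssid + ta


class AidMonitor:
    """Track distinct AIDs polled per BSSID and flag when the 1-2007 space an
    AP can hand out is close to used up (defensive monitoring; hypothetical)."""

    def __init__(self, warn_fraction: float = 0.9):
        self.aids = defaultdict(set)
        self.threshold = int(AID_MAX * warn_fraction)   # 1806 by default

    def observe(self, frame: bytes):
        b0 = frame[0]
        if ((b0 >> 2) & 0x3, b0 >> 4) != PS_POLL or len(frame) < 16:
            return None                                 # not a PS-Poll
        field = decode_duration_id(struct.unpack_from("<H", frame, 2)[0])
        if field["kind"] != "aid" or not field["valid"]:
            return ("malformed_aid", field["value"])    # outside 1-2007
        bssid = frame[4:10]                             # PS-Poll addr1 is the BSSID
        self.aids[bssid].add(field["value"])
        if len(self.aids[bssid]) >= self.threshold:
            return ("aid_space_near_exhaustion", len(self.aids[bssid]))
        return None


if __name__ == "__main__":
    bss, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    print(decode_duration_id(44), decode_duration_id(0xC000 | 7))
    mon = AidMonitor()
    alerts = [mon.observe(encode_ps_poll(bss, sta, a)) for a in range(1, AID_MAX + 1)]
    print(sum(1 for a in alerts if a), "alerts")
```

Distinct AIDs in the field climbing towards 2007 on one BSSID, or AIDs outside the range at all, are worth an alert regardless of whether the cause is a busy AP or an association flood; the monitor only counts identifiers, so it has no view of whether the associations are legitimate.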

1. http://www.sans.org/training/description.php?mid=3
2. Matthew Gast, 802.11 Wireless Networks: The Definitive Guide, ISBN-13: 978-0-596-10052-0
3. http://snort-wireless.org/docs/usersguide/chap2.html
4. http://wireless.ictp.trieste.it/school_2002/lectures/ermanno/802.11_MAC_functionality.ppt