Security Laboratory

Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Other Related Articles in Security Laboratory: Wireless Security

Wireless Security Training and Pen Testing Tutorial: Infrastructure

Joshua Wright

You can't do a pen test of a wireless network without understanding how wireless works. In this training tutorial we will discuss the wireless MAC Layer, Authentication and Association and introduce the concept of Framing. Framing itself is fairly complex and we will dig into that with a separate tutorial. For more information, please consider my course, Assessing and Securing Wireless Networks,

MAC Layer
The 802.11 MAC layer is specified in ISO/IEC 8802-11:1999 - a monstrous 528 page document available at[1] The 802.11 task group identified the necessary mechanisms for access to a contention-based medium (wireless) through the use of Carrier Sense Multiple Access/Collision Avoidance. Although somewhat similar to the popular Ethernet CSMA/CD specification, wireless equipment today does not have the ability to operate in full-duplex mode with a single radio, prohibiting stations from "listening" to collisions while transmitting data. To ensure contention free access to the medium, the framers implemented a mechanism to clear the access medium from any activity (request to send, clear to send), "ensuring" no one else is busy talking when a station wishes to transmit. In practice, this technique only works for willing participants, allowing an attacker to transmit on the wireless network even when the medium is reserved for another station.

The ability to transmit large datagrams is built-into the 802.11 specification with the ability to fragment large packets into several smaller chunks, allowing them to be easily reassembled by the receiving station. In practice however, fragmentation is not widely used.

Reliable data delivery is another important portion of the 802.11 specification, allowing a transmitting station to ensure that any packet that is sent is positively acknowledged by the receiving station. Whenever a station receives a data packet (as an access point or any other node on the network), they transmit an acknowledgment packet to the transmitter to indicate the packet was correctly received. While this ensures reliable packet delivery, it adds a significant overhead to the network, doubling the number of packets that have to be exchanged for each piece of information that is transmitted.

The MAC specification also provides the means to accommodate the separation of logical networks on the same frequency space through the use of basic service set identifiers - a 48 bit address to uniquely identify a collection of wireless stations (STA) an access point (AP).

A mechanism to protect the confidentiality of data was introduced with the infamous Wired Equivalent Privacy specification, and later improved with the Robust Security Network specification. "Robust Security Network (RSN) is an element of 802.11i authentication and encryption algorithms to be used for communications between WAPs and wireless clients. This means that as new threats are discovered, new algorithms can be added."[2] "The RSN protocol functions as follows:

1. The wireless NIC sends a Probe Request.
2. The wireless access point sends a Probe Response with an RSN Information Exchange (IE) frame.
3. The wireless NIC requests authentication via one of the approved methods.
4. The wireless access point provides authentication for the wireless NIC.
5. The wireless NIC sends an Association Request with an RSN Information Exchange (IE) frame.
6. The wireless access point send an Association Response."[3]

Much of the complexity in the 802.11 specification is to accommodate low-power devices such as laptop and hand-held computers, prolonging battery life in these devices.

Authentication and Association
One of the 802.11 specification requirements was the ability for a client to roam an area with a mobile device and retain their connection to the wireless network. To accomplish this, the IEEE designed a system of authentication and association for a client to permit easy hand-off of a client between multiple access points. When a client wishes to connect to a wireless network, they first scan for available networks with probe request packet on all channels where the radio card senses there is activity (legitimate wireless networking service, or simply noise or interference that the radio detects on alternate channels). When an available network receives a probe request, they will transmit a probe response packet containing the necessary information required to use the network including channel information, and:

  • The network Basic Service Set Identification (BSSID), "The unique identifier for an access point in a Basic Service Set (BSS) network."[4] A BSS network is a group of connected 802.11 compliant systems.
  • SSID, "Short for service set identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network."[5]
  • Current BSS time synchronization information, available data rates and other important information.
The client then decides which access point is the best choice for their connection. This process is documented as the active scanning discovery method by the IEEE 802.11 specification, and will typically result in the client having a list of wireless networks that are available at its current location.

After a client has designated the access point it wants to connect to, it will transmit a management frame with an authentication sub-type, requesting authentication to the network. In the case of open networks, the access point simply responds with an authentication success message and the connection process continues. In the case of a network utilizing WEP, the access point will attempt to validate the WEP key of the client that wishes to access the network by sending them an authentication challenge. This challenge request is simply a random collection of data, 128 bytes in length, that is sent to the client. Upon receiving the 128 byte challenge, the client will apply the RC4 encryption algorithm to the challenge text, generating cipher text that is sent back to the access point in an authentication response message. When the AP receives the cipher-text that was generated by the 128 byte challenge, the AP applies the WEP encryption process to the cipher text and determines if the cipher text matches. If the two cipher text blocks match, the AP determines that the client is successfully configured with the correct WEP key, and transmits an authentication success message. If the cipher text blocks do not match, the AP responds with an authentication denied message, and waits for another authentication request from the client.

Once the client gets an authentication success message from the AP, the authentication process is complete. A client may choose to authenticate to multiple access points simultaneously, but can associate to only a single access point at any given time. The association process continues as follows.

Following authentication success, a client will send a management frame with the associate request sub-type to the access point. The access point will check to make sure the client has already authenticated by comparing the source MAC address of the associate message to its list of authenticated access points. If an entry exists indicating the client has already authenticated to the AP, it will generate an associate response message to the client. The associate response message completes the association process and permits the client and access point to start exchanging data.

Unfortunately, this process is fundamentally flawed without any cryptographic authentication or non-repudiation to confirm the identity of client or access point. We will examine tools that exploit this process to the advantage of an attacker.

802.11 Framing
The mechanism used to encapsulate the information in the 802.11 header is defined in the IEEE802.11-1999 specification, defining three types of packet types:

Management frames This type of 802.11 packet is used for various management-related mechanisms including beaconing, network probes and authentication. We’ll look at the characteristics of the management frame format later in this series.

Data frames Data frames are the only packets that include an encrypted payload in a wireless network. Data packets are used to encapsulate user-data over the wireless network, such as IP and ARP packets.

Control frames Control frames are used to positively acknowledge the receipt of data packets. This information isn't typically useful for wireless auditing, although it can be helpful for network troubleshooting.

The IEEE 802.11-1999 specification also defines the addressing mechanisms and features of the wireless network, including roaming, power management, security, fragmentation support, quality of service, etc. From a wireless auditing perspective, it is important to understand the format of 802.11 frames to be able to "read" them to collect information about the network. This material will serve as the foundation for later analysis techniques.