Security Laboratory

Security Laboratory: Wireless Security

This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.

Wireless Security Training and Pen Testing Tutorial - Framing Part 1

Joshua Wright

In this training tutorial we will begin the discussion on wireless framing, cover the Frame Control field, with particular attention to the To DS and From DS bits, and end with the Duration/ID field. It would be best to read the previous tutorial, Wireless Security Training and Pen Testing Tutorial: Infrastructure, before reading Framing Part 1, since this material is fairly complex. For more information, please consider my course, Assessing and Securing Wireless Networks.[1]

Figure 1. (2-20) The generic 802.11 frame header.

This figure illustrates the generic 802.11 frame header. "To meet the challenges posed by a wireless data link, the MAC was forced to adopt several unique features, not the least of which was the use of four address fields. Not all frames use all the address fields, and the values assigned to the address fields may change depending on the type of MAC frame being transmitted."[2] We refer to this as the generic header because the meaning of several header fields changes with the use of the frame. That variability makes wireless intrusion detection harder than it is for fixed-layout protocols, but it is certainly possible; Snort-Wireless is one example.

"Writing custom rules for detecting 802.11 frames matching your specific criteria is just as easy as writing any other type of custom Snort rule. The 802.11 rule engine of Snort-Wireless is built upon the rule engine of the standard Snort distribution and for the most part it shares the same syntax. The only difference between the two is that instead of specifying a source IP address and port or destination IP address and port, you simply specify source and destination MAC addresses."[3]

Two bytes are used for the Frame Control field, followed by two bytes for the Duration/ID field. Address 1 is always the station that receives the frame over the air and Address 2 is always the station that transmitted it; whether those two fields and Address 3 hold the final destination, the original source or the BSSID depends on the To DS and From DS bits discussed below. In the simplest case (an ad-hoc or management frame) Address 1 is the destination, Address 2 is the source and Address 3 is the BSSID of the network. The Sequence Control field uses two bytes to accommodate fragmentation and reassembly: a 12-bit sequence number and a 4-bit fragment number. Address 4 is optional and is present only in a wireless distribution system (WDS) frame, where Addresses 1 and 2 identify the receiving and transmitting access points and Address 4 carries the original source address. When Address 4 is not in use, the frame body follows immediately after the Sequence Control field, and the frame ends with a 4-byte frame check sequence (a CRC-32 over the header and body).

Figure 2. (2-21)

802.11 Frame Control Field

The Frame Control field defines the options in use in the remainder of the header fields and specifies whether the frame is a control, management or data frame. Only data frames carry higher-layer payloads such as IP packets. The Frame Control field also contains the options needed to process the rest of the frame, so the format of an 802.11 frame can (and does) change depending on the values set here. Let's take a look at each of the components of this field.

Two bits specify the protocol version. Currently this is always 0.

Two bits are used for the type field, which identifies the frame as a control, management or data frame.

Four bits are used for the sub-type field, which identifies the particular kind of control, management or data frame.

Examples of the type/sub-type usage include:
  • 00/0000 - type = Management, sub-type = Association Request
  • 01/1011 - type = Control, sub-type = Request to Send (RTS)
  • 10/0000 - type = Data, sub-type = Data, no additional options

The remaining 8 bits are used to flag specific options as follows:
  • To DS - Set when the frame is destined for the distribution system
  • From DS - Set when the frame is sourced from the distribution system
  • The To DS and From DS flags are both set in Wireless Distribution System (WDS) networks, where access points connect to other access points to form a wireless backbone.[4]
  • The To DS and From DS flags are both cleared in ad-hoc networks, and always in management and control frames
  • More Frag - Set when further fragments of this frame are yet to be transmitted
  • Retry - Set when the frame is a retransmission of an earlier frame
  • Power Mgmt - Set when the transmitting client station (STA) will be in power-save mode after this frame exchange
  • More Data - Set by the AP when it has more frames buffered for a STA that is in power-save mode
  • WEP - Set when the frame body is encrypted. The bit keeps its original name here; 802.11i renamed it Protected Frame, because it is also set for TKIP- and CCMP-protected frames
  • Strict Order - Set when the frame is sent using the strictly ordered service class, in which frames must be delivered in the order they were transmitted

Figure 3. (2-25)

To DS and From DS Significance
In the Frame Control flags there are two bits known as the To Distribution System (To DS) and From Distribution System (From DS) bits. These bits are important for assessing the rest of the packet contents, since the combination of these flags identifies the type of network the packet is associated with.

The distribution system is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS), or the infrastructure that connects wireless devices to other devices. Making things a bit confusing, though, the distribution system does not need to be a wired backbone; the distribution system can consist of additional wireless networks connecting wireless networks together (such as a wireless LAN connecting to a wireless MAN to another facility). Further, the access point (AP) itself is considered a component of the distribution system, even when a node is transmitting to the AP directly. Just remember that the distribution system is the mechanism that connects the wireless network to other networks, regardless of the final destination architecture. We'll generally refer to the wired network as the distribution network throughout this material for simplicity.

When the To DS bit is set, the packet is typically travelling from a wireless station to a node on the wired network. When the From DS bit is set, the packet is travelling from the wired network, or originating at the access point, to a node on the wireless network. With this knowledge, we can look at the contents of the Frame Control field, identify whether To DS or From DS is set, and then classify the source MAC address as a wireless or a wired node. If the packet has the From DS bit set, it originated from the access point or from a wired node on the distribution system. If the packet has the To DS bit set, it was transmitted by a wireless client.

When pen testing a wireless network, things get a little tricky when different combinations of the To DS and From DS flags are used. When both To DS and From DS are set, the packet is from a Wireless Distribution System (WDS) network. WDS networks are used to connect multiple networks together, typically for building-to-building connectivity. We'll continue to look at the different components in WDS networks later in this course. When the To DS and From DS flags are both cleared (not set), the network is an Independent Basic Service Set (IBSS), or ad-hoc, network. These networks connect multiple nodes together but do not (typically) connect to wired networks.

It's important to first assess the contents of the From DS and To DS flags to understand the use of the packet that you are observing in a sniffer. Next, let's take a look at how the Duration and Identification fields are defined in wireless networks.

802.11 Duration/ID Field
The Duration/ID field deals with access to the medium: in most frames it holds the number of microseconds the transmission medium is expected to remain busy for the current exchange, which other stations use to defer. The field has a second use. When a dozing STA wakes from power-save mode it retrieves its buffered frames by sending a PS-Poll frame, and in that frame the field carries the station's association identifier (AID) rather than a duration. The AID is assigned when the STA associates with an AP and, per the 802.11 specification, takes a value in the range 1-2007. This limits the number of concurrent associations a single AP can accommodate, opening up the potential for an association Denial of Service attack. DoS does not always fall within the scope of engagement for a wireless penetration test, but if it does, exhausting the AID space through repeated associations is one thing to try.

[2] Matthew Gast, 802.11 Wireless Networks: The Definitive Guide, ISBN-13: 978-0-596-10052-0