Frame Analysis

Popularity: 4
Simplicity: 5
Impact: 8
Risk Rating: 6

Hackers love the 802.11 frame specification because it lends itself very well to field manipulation. Because the management and control frames are not protected by encryption, modifying or spoofing fields and injecting them back into the wireless network is trivial.

Unlike 802.3 Ethernet, 802.11 uses Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) with a virtual carrier sensing mechanism (Request-To-Send & Clear-To-Send) and unicast positive acknowledgment from the receiver (receiver ACK) for ordering communications across the air medium. The 802.11 media access control layer also handles packet retransmission and fragmentation. In an 802.11-based communication, a station wanting to transmit senses the medium. If another station is already transmitting, the station will defer transmission until later; otherwise, it will transmit. Should two stations sense a free medium at the same time and then proceed to transmit, unaware of the other station that is also transmitting at the same time, a collision occurs. With a collision detection (CD) mechanism like that used by 802.3 Ethernet, both stations see the ensuing collision on the wire and initiate a random backoff timer to determine when to retransmit. In a WLAN, because you cannot assume all stations hear each other all the time (a basic assumption of the CSMA/CD scheme), this is not possible. The air medium around the receiver might also not be free just because the medium around the transmitter is free.

Thus, 802.11 uses CSMA/CA with Positive Acknowledge to get around this. Whenever a station transmits, the receiving station checks the CRC of the received frame and sends an acknowledgment (ACK) frame. Receipt of the ACK indicates to the transmitter that the receiver received the frame. The transmitter will attempt to retransmit the frame fragment until it receives an ACK or it discards the frame if a predetermined number of retransmissions has been reached. The ACK is only sent in response to unicast frames, not multi- or broadcast. The CSMA/CA mechanism is aided by virtual carrier sensing, implemented to reduce the likelihood of two stations colliding because they cannot hear each other. The transmitting station first emits a Request-To-Send (RTS) control frame. The RTS includes information on the source, destination, and duration of communication. If the medium is free, the receiver will reply with a Clear-To-Send (CTS) control frame that includes the same duration information. All stations that receive either the RTS or CTS will update their internal indicator, called the Network Allocation Vector (NAV), with the given duration and then use this indicator together with CSMA/CA when sensing the medium: they would be unable to transmit and communicate with the AP for the given duration.

As you've probably guessed by now from the preceding two paragraphs, there is potential for abuse here. By injecting RTS control frames in a constant stream toward the AP, an attacker could monopolize the channel because the other stations would be forced to update their NAV values constantly, limiting their opportunities to transmit. As the specification requires an AP to respond to an RTS with a CTS, the attacker will be able to use the AP to propagate the attack to all clients associated with it. The attacker would also be hard to triangulate and pin down if he or she used this in conjunction with a cantenna or other high-gain antenna. Modifying the duration variable in the RTS frame to a maximum of 32,767 microseconds could magnify the impact of this attack by extending the duration of channel-access denial for the other stations, depending on the capability of the AP involved.
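To make the NAV bookkeeping concrete, here is an added Python model (not from the book) of how an overhearing station's NAV reacts to a trace of RTS/CTS frames, and how a monitor can measure the channel time those frames reserve and flag Duration/ID values that are implausibly long. The trace, its timestamps and the 5,000 µs review threshold are constructed for this example; the Duration/ID encoding (bit 15 clear, 15-bit duration in microseconds) is from the standard.

```python
"""NAV accounting over a constructed trace of RTS/CTS control frames.

Added illustration, not from the book: models how a station that overhears
RTS or CTS frames updates its Network Allocation Vector (NAV) and how a
monitor can measure the channel time reserved and flag outsized reservations.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_DURATION_US = 32767      # Duration/ID with bit 15 clear: 15-bit duration in microseconds
SANE_RESERVATION_US = 5000   # review threshold, constructed for this example; tune per deployment


@dataclass(frozen=True)
class ControlFrame:
    t_us: int          # capture time in microseconds (constructed)
    kind: str          # "RTS", "CTS" or "PS-Poll"
    duration_id: int   # raw 16-bit Duration/ID field


def decode_duration_id(raw: int) -> Optional[int]:
    """NAV duration carried by Duration/ID, or None when the field is not a duration.

    Bit 15 set means the field holds a PS-Poll association ID (or is reserved)
    and must not update the NAV.
    """
    if raw & 0x8000:
        return None
    return raw & 0x7FFF


def nav_after(nav_end_us: int, now_us: int, duration_us: int) -> int:
    """A station only lengthens its NAV; a shorter reservation never overrides a longer one."""
    return max(nav_end_us, now_us + duration_us)


def reserved_microseconds(frames: List[ControlFrame], window_start: int, window_end: int) -> int:
    """Channel time in [window_start, window_end) during which an overhearing station's NAV is set."""
    busy = 0
    nav_end = window_start                      # NAV is clear when the window opens
    for f in sorted(frames, key=lambda x: x.t_us):
        d = decode_duration_id(f.duration_id)
        if d is None or not window_start <= f.t_us < window_end:
            continue
        new_end = min(f.t_us + d, window_end)
        start = max(f.t_us, nav_end)            # time already reserved is not counted twice
        if new_end > start:
            busy += new_end - start
        nav_end = nav_after(nav_end, f.t_us, d)
    return busy


def reserved_fraction(frames: List[ControlFrame], window_start: int, window_end: int) -> float:
    return reserved_microseconds(frames, window_start, window_end) / (window_end - window_start)


def oversized_reservations(frames: List[ControlFrame], limit_us: int = SANE_RESERVATION_US) -> List[int]:
    """Timestamps of frames whose Duration/ID reserves more than limit_us of channel time."""
    return [f.t_us for f in frames if (decode_duration_id(f.duration_id) or 0) > limit_us]


# Constructed trace: two ordinary RTS/CTS exchanges, one frame claiming the maximum
# reservation, and a PS-Poll whose Duration/ID is an AID rather than a duration.
TRACE = [
    ControlFrame(0, "RTS", 300), ControlFrame(50, "CTS", 250),
    ControlFrame(5000, "RTS", 400), ControlFrame(5050, "CTS", 350),
    ControlFrame(10000, "RTS", MAX_DURATION_US),
    ControlFrame(20000, "PS-Poll", 0x8005),     # AID 5, bit 15 set
]

if __name__ == "__main__":
    print("reserved:", reserved_microseconds(TRACE, 0, 50000), "us of 50000")
    print("fraction:", round(reserved_fraction(TRACE, 0, 50000), 3))
    print("oversized reservations at t_us =", oversized_reservations(TRACE))
```

With the sample trace, the two ordinary exchanges reserve 700 µs in total, while the single maximum-duration RTS alone accounts for 32,767 µs, about two thirds of the 50 ms window; a monitor that tracks reserved fraction per BSSID and per transmitter address sees that skew immediately.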

The general structure of an 802.11 frame is shown in Figure 8-12.

Unlike 802.3 Ethernet, 802.11 has two additional address positions other than the usual source and destination addresses. This is because 802.11 APs act as central relays through which all traffic has to pass under infrastructure mode, both between wired and wireless hosts and between the wireless hosts themselves. The AP manages all traffic for its Service Set Identifier (SSID). The AP has a Basic Service Set Identifier (BSSID) that is central to this relaying system, as the clients have to know which particular AP they are attempting to relay the information to, since more than one AP may be in the vicinity.

Thus the additional address fields are needed because you have to identify the AP's address in addition to the ultimate destination, which may not be the AP. The transmitting station, however, must craft the frame so the AP that the frame is relayed through will accept it. Since the frame must also be identified as coming from or going to the AP, the concept of a distribution system should be mentioned here. Essentially, the AP acts as a gateway to the distribution system, which is the wired infrastructure sitting behind the AP, including the AP itself. The Frame Control Header (FCH), shown in Figure 8-13, has two fields: ToDS and FromDS.

Figure 8-12  802.11 frame structure

Octets:  2              2            6          6          6          2                 6          0-2312      4
Field:   Frame control  Duration/ID  Address 1  Address 2  Address 3  Sequence control  Address 4  Frame body  CRC

Figure 8-13  Frame Control Header structure

Bits:   B0-B1             B2-B3  B4-B7    B8    B9      B10        B11    B12      B13        B14  B15
Field:  Protocol version  Type   Subtype  ToDS  FromDS  More frag  Retry  Pwr mgt  More data  WEP  Order

ToDS indicates a frame going toward an AP and FromDS indicates a frame transmitted by the AP to a wireless station. All data-bearing frames will set either one of these fields to 1. Both fields are set to 0 for management and control frames and stations operating in ad hoc mode. Both fields are set to 1 only when a frame is being transmitted from one AP to another in a Wireless Distribution System or WDS (i.e., bridge or repeater mode).

As shown in Figure 8-14, when combined with the Address 1, 2, 3, and 4 fields, ToDS and FromDS allow a station to transmit frames to a given AP (BSSID) for an ultimate Destination Address (DA) and to insert its MAC address as the Source Address (SA). The Receiver Address (RA) and Transmitter Address (TA) are set only if the frame is going between two APs in a WDS.

By examining the frame header, the attacker can identify whether the communication is to a wireless station, whether it is coming from or going to the AP, or whether the frame is being sent between two APs configured for WDS operation (either as wireless repeaters or as wireless bridges), and identify the capabilities of a particular AP.

ToDS  FromDS  Address 1  Address 2  Address 3  Address 4
0     0       DA         SA         BSSID      N/A
0     1       DA         BSSID      SA         N/A
1     0       BSSID      SA         DA         N/A
1     1       RA         TA         DA         SA

Figure 8-14  ToDS and FromDS and Address 1-4 field value matrix

In addition to understanding a given frame's destination, the FCH Type and Subtype fields provide useful information for analysis and are shown in the following table.

Type Description   Type Value (bits 3 and 2)   Subtype Description           Subtype Value (bits 7, 6, 5, and 4)
Management frame   00                          Association request           0000
Management frame   00                          Association response          0001
Management frame   00                          Reassociation request         0010
Management frame   00                          Reassociation response        0011
Management frame   00                          Probe request                 0100
Management frame   00                          Probe response                0101
Management frame   00                          Reserved                      0110-0111
Management frame   00                          Beacon                        1000
Management frame   00                          ATIM                          1001
Management frame   00                          Disassociation                1010
Management frame   00                          Authentication                1011
Management frame   00                          Deauthentication              1100
Management frame   00                          Reserved                      1101-1111
Control frame      01                          Reserved                      0000-1001
Control frame      01                          Power save poll               1010
Control frame      01                          RTS                           1011
Control frame      01                          CTS                           1100
Control frame      01                          ACK                           1101
Control frame      01                          CF-End                        1110
Control frame      01                          CF-End + CF-Ack               1111
Data               10                          Data                          0000
Data               10                          Data + CF-Ack                 0001
Data               10                          Data + CF-Poll                0010
Data               10                          Data + CF-Ack + CF-Poll       0011
Data               10                          Null function (no data)       0100
Data               10                          CF-Ack (no data)              0101
Data               10                          CF-Poll (no data)             0110
Data               10                          CF-Ack + CF-Poll (no data)    0111
Data               10                          Reserved                      1000-1111
Reserved           11                          Reserved                      0000-1111

Crafting frames to include special values for particular fields, e.g., disassociation and deauthentication, is a technique frequently used by attackers to cause DoS against given BSSIDs. Where such DoS attempts are conducted in association with a ph00ling or Evil-Twin type attack, attackers can easily steal confidential information from the victims. Deauthentication/disassociation attacks can also be used to speed up attacks on WEP and WPA-PSK-protected WLANs by forcing clients to reassociate and generate ARP traffic (for WEP-based attacks) or redo a WPA four-way handshake, which can then be used to run an offline dictionary- or rainbow-table-based cracking attack against the passphrase. Examples of frame manipulation will be covered later in this chapter in the section, "Cracking Encryption."
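The following Python decoder is an added example, not code from the book: it applies the header layout of Figure 8-12, the Frame Control bits of Figure 8-13, the ToDS/FromDS address matrix of Figure 8-14 and the Type/Subtype table above to raw header bytes, and then does the kind of bookkeeping a wireless IDS does when looking for the deauthentication/disassociation activity described above: it counts those frames per claimed BSSID and flags any BSSID that crosses a threshold. All MAC addresses, frames and the threshold of three frames are constructed for the example; a real capture would come from a monitor-mode interface and would include the frame body and CRC, which this decoder does not verify.

```python
"""Decode 802.11 MAC headers and tally deauthentication/disassociation frames.

Added example, not from the book. Frame Control is two octets, little-endian;
octet 0 carries protocol version (bits 0-1), type (2-3) and subtype (4-7),
octet 1 carries the flags of Figure 8-13. Addresses follow Figure 8-14.
"""
import struct
from collections import Counter
from typing import Dict, List, Tuple

TYPE_NAMES = {0: "Management frame", 1: "Control frame", 2: "Data", 3: "Reserved"}
SUBTYPE_NAMES: Dict[Tuple[int, int], str] = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon", (0, 9): "ATIM",
    (0, 10): "Disassociation", (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 10): "Power save poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (1, 14): "CF-End", (1, 15): "CF-End + CF-Ack",
    (2, 0): "Data", (2, 1): "Data + CF-Ack", (2, 2): "Data + CF-Poll",
    (2, 3): "Data + CF-Ack + CF-Poll", (2, 4): "Null function (no data)",
    (2, 5): "CF-Ack (no data)", (2, 6): "CF-Poll (no data)", (2, 7): "CF-Ack + CF-Poll (no data)",
}
# Flag bits of the second Frame Control octet, bit 0 upward (WEP is today's Protected Frame bit).
FLAG_NAMES = ["ToDS", "FromDS", "More frag", "Retry", "Pwr mgt", "More data", "WEP", "Order"]
# Figure 8-14: meaning of Address 1..4 for each (ToDS, FromDS) combination.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(raw: bytes) -> dict:
    """Decode the MAC header of one frame (frame body and CRC are not examined)."""
    if len(raw) < 10:
        raise ValueError("frame too short for Frame Control, Duration/ID and Address 1")
    fc, duration = struct.unpack_from("<HH", raw, 0)
    b0, b1 = fc & 0xFF, fc >> 8
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    flags = {name: bool((b1 >> i) & 1) for i, name in enumerate(FLAG_NAMES)}
    info = {"version": b0 & 0x3, "type": ftype, "type_name": TYPE_NAMES[ftype],
            "subtype": subtype, "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "Reserved"),
            "flags": flags, "duration": duration, "addresses": {}}
    if ftype == 1:
        # Control frames: Address 1 is always RA; RTS and PS-Poll add TA, CF-End adds the BSSID.
        info["addresses"]["RA"] = mac_str(raw[4:10])
        second = {10: "TA", 11: "TA", 14: "BSSID", 15: "BSSID"}.get(subtype)
        if second and len(raw) >= 16:
            info["addresses"][second] = mac_str(raw[10:16])
        return info
    roles = ADDRESS_ROLES[(int(flags["ToDS"]), int(flags["FromDS"]))]
    need = 30 if roles[3] else 24
    if len(raw) < need:
        raise ValueError(f"header needs {need} bytes, got {len(raw)}")
    for i, role in enumerate(roles[:3]):
        info["addresses"][role] = mac_str(raw[4 + 6 * i:10 + 6 * i])
    (seq_ctl,) = struct.unpack_from("<H", raw, 22)      # fragment number low 4 bits, sequence above
    info["fragment"], info["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    if roles[3]:
        info["addresses"][roles[3]] = mac_str(raw[24:30])
    return info


def tally_deauth(frames: List[bytes]) -> Counter:
    """Deauthentication/Disassociation frames per BSSID they claim to come from (Address 3)."""
    hits: Counter = Counter()
    for raw in frames:
        h = parse_header(raw)
        if h["type"] == 0 and h["subtype"] in (10, 12):
            hits[h["addresses"]["BSSID"]] += 1
    return hits


def flag_deauth_storm(frames: List[bytes], threshold: int = 3) -> List[str]:
    """BSSIDs seen in at least `threshold` deauth/disassoc frames (threshold is illustrative)."""
    return sorted(b for b, n in tally_deauth(frames).items() if n >= threshold)


def build_frame(ftype: int, subtype: int, addrs: List[bytes], to_ds: int = 0,
                from_ds: int = 0, duration: int = 0, seq: int = 0) -> bytes:
    """Assemble a header for the constructed sample capture (no frame body, no CRC)."""
    fc = (ftype << 2) | (subtype << 4) | ((to_ds | (from_ds << 1)) << 8)
    head = struct.pack("<HH", fc, duration) + b"".join(addrs[:3])
    if ftype == 1:
        return head                                   # control frames carry no Sequence Control
    return head + struct.pack("<H", seq << 4) + (addrs[3] if len(addrs) == 4 else b"")


# Constructed, locally administered MAC addresses for the sample capture.
AP, AP2 = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
STA, WIRED = bytes.fromhex("02aabbcc0010"), bytes.fromhex("02aabbcc0099")
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    build_frame(2, 0, [AP, STA, WIRED], to_ds=1, duration=44, seq=17),    # client -> AP -> wired host
    build_frame(2, 0, [STA, AP, WIRED], from_ds=1, duration=44, seq=9),   # wired host -> AP -> client
    build_frame(2, 0, [AP2, AP, WIRED, STA], to_ds=1, from_ds=1, seq=5),  # WDS: AP relays to AP2
    build_frame(0, 8, [BCAST, AP, AP], seq=120),                           # beacon
    build_frame(0, 12, [BCAST, AP, AP], seq=121),                          # three broadcast deauths
    build_frame(0, 12, [BCAST, AP, AP], seq=122),
    build_frame(0, 12, [BCAST, AP, AP], seq=123),
    build_frame(0, 10, [STA, AP, AP], seq=124),                            # disassociation
    build_frame(1, 11, [AP, STA], duration=300),                           # RTS from the client
]
```

Running `tally_deauth(SAMPLE_FRAMES)` attributes all four deauth/disassoc frames to the AP's BSSID, and `flag_deauth_storm` reports it; since the frames are unauthenticated, the count says only which BSSID the frames claim, not who sent them, which is exactly why 802.11w management frame protection is the fix rather than any header check.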
