Wireless Penetration Testing Series Part 2: Basic concepts of WLANs
The Hacker News
This blog post is in continuation of the Wireless Penetration Testing and Hacking series we started (Part 1: Getting Started with Monitoring and Injection) on the basis of the "SecurityTube Wi-Fi Security Expert" (SWSE) course which is based on the popular book "Backtrack 5 Wireless Penetration Testing".

In the third video, the instructor talks about some of the basic concepts of WLANs. We learn that communication over WLAN's happens over frames. There are mainly 3 types of WLAN frames which are Management frames, Control frames, and Data frames. These types of packets also have different subtypes . We learn that an SSID is a name given to an Access point or a network consisting of multiple Access points. We then learn about Beacon frames which are broadcast frames sent out periodically by Access point to broadcast their presence in the current RF (Radio frequency) vicinity. The instructor then starts wireshark and analyzes a beacon frame passing through the network. We learn that a beacon frame is of the type Management and of the subtype 0x08 which denotes that it is a beacon frame. We learn that the beacon frame has 2 types of Parameters (Fixed and tagged). The tagged parameters gives us a lot of information about the network, such as the SSID, the current channel at which the AP is residing, the Vendor specific tag and lots of other information. Everything in this frame is in plaintext, hence if an attacker has the capability to inject packets into the network, then he will be able to inject arbitrary beacon frames into the network or even spoof some of the legitimate Access points which may confuse the client. Same is the case for any type of WLAN frame. Hence all the clients in the RF vicinity will recognize this as a new Access point.

The instructor then gives a demo of the tool mdk3 (available by default in backtrack), which he uses to inject various beacon frames with different BSSID's onto different channels in the network. The tool constantly changes your MAC address to do this. The clients recognize this as a legitimate AP and shows it in it's list of available networks.
In the fourth video of the series, we learn about the basics of AP-Client connections. First of all, a virtual interface "mon0" in monitor mode is created using airmon-ng, this is to ensure that we are able to see all the packets in the air. We then make sure that our card is listening on the same channel as the AP. In order to see only the packets related to Client, we first apply a wireshark filter (wlan.addr == MacAddress_of_the_Client). This gives us all the packets which have either source or destination as the client. We note that the client is sending out a Broadcast Null Probe Request which basically asks the nearby AP's to respond back with its SSID. We note from the trace that the nearby AP's (which are configured to broadcast their SSID's) respond back with their SSID's. This is called a Probe Response. We also note that the client is constantly sending out Probe Requests for the networks in it's cache, i.e the networks it has previously connected to. This is called a directed Probe Request. We then apply the filter ((wlan.addr == MacAddress_of_the_Client) && (wlan.addr == Bssid_of_the_AP)) to see the packets flowing between the AP and the client. We note that after the Probe Request and Response phase, the client sends an Authentication request to the AP and the AP responds back with an Authentication Success response to the client since no authentication is being used. In case of some other type of Authentication the response will depend on the authentication packet sent by the client (the AP may respond back with an Authentication challenge). After this phase the client sends an Association request to the AP and the AP responds back with an Association response with some details about it. After this phase the actual data transfer starts between the AP and the client.
To summarize there are 3 states (as explained in the AP-Client State machine in the video) in which the client can be.

State 1- Unauthenticated, Unassociated- Authentication takes the client to state 1
State 2- Authenticated, Unassociated-Association takes the client to state 2, Deauthentication takes the client to state 1
State 3- Authenticated, Associated -Disassociation takes the client to state 2, Deauthentication takes the client to state 1

Overall the explanation is very clear. The fact that the instructor traces the connections right down to the packet level is very interesting. I will write blog posts for other videos in the next article.

This article has been written by budding security researcher Prateek Gyanchandani, who is currently pursuing the SWSE certification, is an Electronics engineer from IIT-Rourkee and is the founder of Searching-Eye.com.

The SecurityTube Wi-Fi Security Expert (SWSE) is the most comprehensive and advanced course available online which has students from over 30+ countries. You can sign up for the course + certification here. If you choose to sign up, please use "The Hacker News" in the referrer in the signup form.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.