Monday, April 14, 2014

Collecting the MAC Addresses by gorvam saddar



Collecting the MAC Addresses
The attacker gathers legitimate MAC addresses for later use in constructing spoofed frames. The source and destination MAC addresses are always in the clear in every frame. There are two reasons why an attacker would collect the MAC addresses of the stations and APs participating in a wireless network:
 (1) The attacker wishes to use these values in spoofed frames so that his own station or AP is not identified.
 (2) The targeted AP may be controlling access by filtering out frames whose MAC addresses were not registered.

Detection of SSID by gorvam saddar



2 Detection of SSID
The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
A number of APs can be configured so that the SSID transmitted in the Beacon frames is masked, or so that Beacons are turned off altogether. The SSID in the Beacon frames is set to null in the hope of making the WLAN invisible unless a client already knows the correct SSID. In such a case, a station wishing to join a WLAN begins the association process by sending Probe Requests, since it cannot detect via Beacons any AP that matches its SSID.
If the Beacons are not turned off, and the SSID in them is not set to null, an attacker obtains the SSID included in the Beacon frame by passive scanning.
When the Beacon carries a null SSID, there are two possibilities. Eventually, an Association Request may appear from a legitimate station that already has the correct SSID. To such a request, there will be an Association Response frame from the AP. Both frames contain the SSID in the clear, and the attacker sniffs them. Alternatively, if the station wishes to join any available AP, it sends Probe Requests on all channels and listens for Probe Responses, which contain the SSIDs of the APs. The station considers all Probe Responses, just as it would have considered Beacon frames with a non-empty SSID, to select an AP, and normal association then begins. The attacker waits to sniff these Probe Responses and extracts the SSIDs.
If Beacon transmission is disabled, the attacker has two choices. The attacker can keep sniffing, waiting for a voluntary Association Request to appear from a legitimate station that already has the correct SSID, and sniff the SSID as described above. The attacker can also choose to actively probe by injecting frames that he constructs, and then sniff the response as described in a later section.
When the above methods fail, SSID discovery is done by active scanning (see Section 5).
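The two posts above both rest on the same observation: the MAC header and the management-frame body are never encrypted, so a passive monitor can read the three addresses and the SSID element straight out of a Beacon. The following is an added example, not code from the original article, that parses a Beacon frame built inline and flags a null (hidden) SSID, whether it is sent as a zero-length element or as bytes of 0x00. The frame layouts are those of IEEE 802.11; the BSSIDs, the SSID "Lab-WLAN", the timestamp and the capability value are constructed sample data.

```python
"""Parse an IEEE 802.11 Beacon frame (constructed inline, not a capture):
pull the three MAC addresses out of the cleartext MAC header and the SSID
out of the tagged parameters, and flag a null (hidden) SSID."""
import struct

# Management-frame MAC header, 24 bytes, little-endian fields:
#   Frame Control (2) | Duration (2) | Addr1 (6) | Addr2 (6) | Addr3 (6) | Sequence Control (2)
MAC_HEADER = struct.Struct("<HH6s6s6sH")
# Beacon body begins with fixed fields: Timestamp (8) | Beacon Interval (2) | Capability Info (2)
BEACON_FIXED = struct.Struct("<QHH")
TYPE_MANAGEMENT, SUBTYPE_BEACON = 0, 8
ELEMENT_SSID, ELEMENT_SUPPORTED_RATES = 0, 1


def format_mac(raw: bytes, sep: str = ":") -> str:
    """Render six octets as 00:02:2D:17:B9:E8 (or with '-' when sep='-')."""
    return sep.join(f"{b:02X}" for b in raw)


def parse_mac_header(frame: bytes) -> dict:
    """Decode Frame Control and the three addresses; these fields are never encrypted."""
    fc, _duration, a1, a2, a3, _seq = MAC_HEADER.unpack_from(frame, 0)
    return {
        "type": (fc >> 2) & 0x3,        # bits 2-3 of the first Frame Control octet
        "subtype": (fc >> 4) & 0xF,     # bits 4-7
        "addr1": format_mac(a1),        # receiver (broadcast for Beacons)
        "addr2": format_mac(a2),        # transmitter
        "addr3": format_mac(a3),        # BSSID in a Beacon
    }


def parse_elements(body: bytes) -> dict:
    """Walk the tagged parameters: Element ID (1) | Length (1) | Value (Length)."""
    elements, pos = {}, 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:      # truncated element: stop instead of reading past the end
            break
        elements.setdefault(eid, value)
        pos += 2 + length
    return elements


def parse_beacon(frame: bytes) -> dict:
    """Return addresses, BSSID, beacon interval and SSID; ssid_hidden marks a null SSID."""
    hdr = parse_mac_header(frame)
    if (hdr["type"], hdr["subtype"]) != (TYPE_MANAGEMENT, SUBTYPE_BEACON):
        raise ValueError("not a Beacon frame")
    body = frame[MAC_HEADER.size:]
    _timestamp, interval, _capability = BEACON_FIXED.unpack_from(body, 0)
    elements = parse_elements(body[BEACON_FIXED.size:])
    ssid_raw = elements.get(ELEMENT_SSID, b"")
    # A masked SSID is sent either as a zero-length element or as Length bytes of 0x00.
    hidden = len(ssid_raw) == 0 or ssid_raw.count(0) == len(ssid_raw)
    return {
        **hdr,
        "bssid": hdr["addr3"],
        "beacon_interval": interval,
        "ssid": "" if hidden else ssid_raw.decode("utf-8", "replace"),
        "ssid_hidden": hidden,
    }


def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    """Construct a minimal Beacon frame for the samples below (made-up data, not a capture)."""
    header = MAC_HEADER.pack(0x0080, 0, b"\xff" * 6, bssid, bssid, 0)   # FC 0x80 = management/Beacon
    fixed = BEACON_FIXED.pack(0x1234, 100, 0x0411)                    # interval 100 TU, ESS + privacy
    elements = bytes([ELEMENT_SSID, len(ssid)]) + ssid
    elements += bytes([ELEMENT_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + elements


def inventory(frames) -> dict:
    """Tally the BSSIDs seen in a list of Beacon frames, as a monitoring tool would."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        seen[info["bssid"]] = {"ssid": info["ssid"], "hidden": info["ssid_hidden"]}
    return seen


if __name__ == "__main__":
    samples = [                                                        # constructed sample frames
        build_beacon(bytes.fromhex("00022D17B9E8"), b"Lab-WLAN"),      # SSID in the clear
        build_beacon(bytes.fromhex("00022D17B9E9"), b""),              # zero-length SSID
        build_beacon(bytes.fromhex("00022D17B9EA"), b"\x00" * 8),      # SSID masked with 0x00 bytes
    ]
    for bssid, info in inventory(samples).items():
        print(bssid, "hidden" if info["hidden"] else repr(info["ssid"]))
```

Note that a hidden SSID only removes the name from Beacons; the same element parser applied to Probe Requests, Probe Responses and Association Requests (the other frame types listed above) recovers it, which is why the masking is not an access control.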

Wireless Network Sniffing , Authentication, Association, Passive Scanning by gorvam saddar



2.6 Authentication
Authentication is the process of proving the identity of a station to another station or AP. In open system authentication, all stations are authenticated without any checking: a station A sends an Authentication management frame containing A's identity to station B, and station B replies with a frame, addressed to A, that indicates recognition. In the closed network architecture, stations must know the SSID of the AP in order to connect to it. Shared key authentication uses a standard challenge and response along with a shared secret key.


2.7 Association
Data can be exchanged between a station and an AP only after the station is associated with the AP (infrastructure mode) or with another station (ad hoc mode). All APs transmit Beacon frames a few times each second; these contain the SSID, time, capabilities, supported rates, and other information. Stations can choose which AP to associate with based on, for example, the signal strength of each AP. Stations can have a null SSID, which is considered to match all SSIDs.
The association is a two-step process. A station that is currently unauthenticated and unassociated listens for Beacon frames. The station selects a BSS to join. The station and the AP mutually authenticate themselves by exchanging Authentication management frames.  The client is now authenticated, but unassociated.  In the second step, the station sends an Association Request frame, to which the AP responds with an Association Response frame that includes an Association ID to the station.  The station is now authenticated and associated.
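The two-step process in sections 2.6 and 2.7 is really a small state machine on the AP side: a station starts unauthenticated and unassociated, an Open System Authentication exchange moves it to authenticated-but-unassociated, and only then does an Association Request earn an Association ID. The model below is an added example, not code from the article; the state numbering, the Open System algorithm number 0, status codes 0/1 and deauthentication reason code 6 are taken from the 802.11 standard, while the class AccessPoint, the join helper and the sample MAC addresses are this example's own.

```python
"""Model of the 802.11 station/AP state machine behind authentication and association
(added example): Open System authentication moves a station from State 1 to State 2,
and only a station in State 2 is granted an Association ID."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1   # State 1: may send only class 1 frames (Probe, Authentication, ...)
    AUTH_UNASSOC = 2     # State 2: may also send class 2 frames (Association Request, ...)
    AUTH_ASSOC = 3       # State 3: may exchange data frames


OPEN_SYSTEM = 0                 # Authentication algorithm number for Open System
STATUS_SUCCESS = 0
STATUS_UNSPECIFIED_FAILURE = 1
REASON_CLASS2_NOT_AUTH = 6      # Deauthentication reason: class 2 frame from a nonauthenticated station


@dataclass
class AccessPoint:                                    # hypothetical model class, not a real API
    ssid: str
    states: dict = field(default_factory=dict)        # station MAC -> State
    aids: dict = field(default_factory=dict)          # station MAC -> Association ID
    next_aid: int = 1

    def state(self, mac: str) -> State:
        return self.states.get(mac, State.UNAUTH_UNASSOC)

    def on_authentication(self, mac: str, algorithm: int, seq: int) -> tuple:
        """Open System: the AP accepts any station without checking (two-frame exchange)."""
        if algorithm != OPEN_SYSTEM or seq != 1:
            return ("Authentication", 2, STATUS_UNSPECIFIED_FAILURE)
        if self.state(mac) is State.UNAUTH_UNASSOC:
            self.states[mac] = State.AUTH_UNASSOC
        return ("Authentication", 2, STATUS_SUCCESS)

    def on_association_request(self, mac: str, ssid: str) -> tuple:
        """Second step: only an authenticated station may associate, and it must name the AP's SSID."""
        if self.state(mac) is State.UNAUTH_UNASSOC:
            # Association Request is a class 2 frame; from State 1 it is answered with Deauthentication.
            return ("Deauthentication", REASON_CLASS2_NOT_AUTH)
        if ssid != self.ssid:
            return ("AssociationResponse", STATUS_UNSPECIFIED_FAILURE, None)
        aid = self.aids.setdefault(mac, self.next_aid)    # keep the AID on re-association
        if aid == self.next_aid:
            self.next_aid += 1
        self.states[mac] = State.AUTH_ASSOC
        return ("AssociationResponse", STATUS_SUCCESS, aid)

    def on_disassociation(self, mac: str) -> None:
        """Disassociation drops back to State 2; the station stays authenticated."""
        if self.state(mac) is State.AUTH_ASSOC:
            self.states[mac] = State.AUTH_UNASSOC
            self.aids.pop(mac, None)

    def on_deauthentication(self, mac: str) -> None:
        """Deauthentication returns the station to State 1 whatever state it was in."""
        self.states.pop(mac, None)
        self.aids.pop(mac, None)


def join(ap: AccessPoint, mac: str, ssid: str):
    """Station side of the two-step process; returns the AID, or None if the AP refused."""
    _kind, _seq, status = ap.on_authentication(mac, OPEN_SYSTEM, 1)
    if status != STATUS_SUCCESS:
        return None
    reply = ap.on_association_request(mac, ssid)
    if reply[0] != "AssociationResponse" or reply[1] != STATUS_SUCCESS:
        return None
    return reply[2]


if __name__ == "__main__":
    ap = AccessPoint(ssid="Lab-WLAN")                       # constructed sample AP
    print(ap.on_association_request("00:02:2D:17:B9:E8", "Lab-WLAN"))   # refused: not authenticated
    print(join(ap, "00:02:2D:17:B9:E8", "Lab-WLAN"))         # AID 1 after the two steps
    print(ap.state("00:02:2D:17:B9:E8"))
```

The point the model makes explicit is that Open System authentication adds no check at all: any station that sends the first Authentication frame reaches State 2, so the only real gate before State 3 in a closed network is knowing the SSID, which the preceding post showed is sniffable.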

Wireless LAN, Stations and Access Points, Channels, WEP, Infrastructure and Ad Hoc Modes, Frames by gorvam saddar



2.  Wireless LAN Overview
In this section, we give a brief overview of wireless LAN (WLAN) while emphasizing the features that help an attacker.  We assume that the reader is familiar with the TCP/IP suite (see, e.g., [Mateti 2003]).
IEEE 802.11 refers to a family of specifications (www.ieee802.org/11/) developed by the IEEE for the over-the-air interface between a wireless client and an AP, or between two wireless clients. To be called 802.11 devices, they must conform to the Medium Access Control (MAC) and Physical Layer specifications. The IEEE 802.11 standard covers the Physical (Layer 1) and Data Link (Layer 2) layers of the OSI Model. In this article, we are mainly concerned with the MAC layer and not with the variations of the physical layer known as 802.11a/b/g.
2.1 Stations and Access Points
A wireless network interface card (adapter) is a device, called a station, that provides the network physical layer over a radio link to another station. An access point (AP) is a station that provides a frame distribution service to the stations associated with it. The AP itself is typically connected by wire to a LAN.
The station and the AP each contain a network interface that has a Media Access Control (MAC) address, just as wired network cards do. This address is a worldwide-unique 48-bit number assigned at the time of manufacture. The 48-bit address is often represented as a string of six octets separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-02-2D-17-B9-E8). While the MAC address assigned by the manufacturer is printed on the device, the address can be changed in software.

All Hacking Techniques and methods in Wireless Networks by Gorvam saddar



This article is scheduled to appear in “The Handbook of Information Security”,