802.11 Management Frames
Darrell Curry, Travis Howard
Wireless Networks
4/30/07

Table of Contents
1. Types
  1.1. Authentication frame
  1.2. Deauthentication frame
  1.3. Association request frame
  1.4. Association response frame
  1.5. Disassociation frame
  1.6. Reassociation request frame
  1.7. Reassociation response frame
2. Traces
  2.1. MAC Addresses
  2.2. Trace 1 – Powering off the router
  2.3. Trace 2 – Connecting and Disconnecting from router
  2.4. Trace 3 – Connecting and Disconnecting (Different laptop)
  2.5. Trace 4 – Reassociation
  2.6. Trace 5 – Deauthentication Attack
  2.7. Trace 6 – MAC Filtering
  2.8. Trace 7 – WEP

1. Types of frames

1.1. Authentication frame
In 802.11, authentication is the process of an access point accepting the identity of a radio interface card. The process begins with the radio sending an authentication frame to the access point; the access point then replies with an authentication frame indicating acceptance or rejection.

1.2. Deauthentication frame
A deauthentication frame is sent by a station to another station when it wishes to terminate communications.

1.3. Association request frame
Association allows the AP to reserve resources for a particular wireless interface. A wireless station begins by sending an association request frame to an AP. This frame contains the SSID that the station wants to associate with and information about the wireless interface card.

1.4. Association response frame
An access point sends an association response frame when it receives an association request frame from another station. This response frame indicates whether the AP accepts or rejects the association. The frame also contains information regarding the association, such as the association ID and supported data rates.

1.5. Disassociation frame
A station sends a disassociation frame when it wishes to end the association. This allows the AP to free the resources that it allocated to the station.

1.6. Reassociation request frame
A station sends a reassociation frame when the signal strength of the currently associated AP is low and there is a stronger signal from another AP. The station sends a reassociation request to the new AP.

1.7. Reassociation response frame
An AP sends an acceptance or rejection to the station that sent the reassociation request. This frame also contains information about the AP.

2. Traces

2.1. MAC Addresses
Cisco-Li_c5:5d:3e   - Access Point 1
Buffalo_4a:0e:89    - Access Point 2
Cisco-Li_a9:8e:b8   - Station 1
IntelCor_bd:2b:a0   - Station 2
00:1a:70:35:9d:0b   - Station 3
IntelCor_56:92:64   - Station 4

2.2. Trace 1 – Powering off the router

[Figure 1 - Trace 1]

In this first trace, we try to connect to the router through the AP. This produces the authentication frames shown in packets 1 and 2. Once authentication completes, an association request is sent to the router. Once the router accepts the request, a response packet is sent, as shown in packet 4. At this point there is a full connection and data can be sent wirelessly. From the authentication frame we can tell whether the system is using the open algorithm, requiring WEP authentication, etc., as shown in the figure below.

[Figure 2 - Authentication Frame]

[Figure 3 - Association Response Frame]

As shown in the figure above, once the association response has been sent and a wireless connection is established, we can read various information from the association response, such as ESS capabilities and whether the AP or station supports WEP. We can also see the supported transfer rates of the network by looking at the association request or response.

At this point we disconnected the router's power adapter to see what management frames would result. Deauthentication occurred, as shown in packets 5 and 6 of our experiment. We reconnected the power adapter and tried to connect all over again. We repeated the experiment completely, as shown in packets 7-14, with the same results.

2.3. Trace 2 – Connecting and Disconnecting from router

[Figure 4 - Trace 2]

In this trace, we try to connect to the router through the AP just as we did in the first trace. This produces the authentication frames shown in packets 1 and 2. After authentication, an association request is sent to the router just as in our first trace. Once we saw our association response in Wireshark, we started our next experiment.

This time, instead of powering down the router by pulling out the power cable, we disconnected from the network through Windows Wireless Network Connection. This was accessed by double-clicking the network connection icon in the system tray and clicking the "View Wireless Connections" button. The result of our experiment was the same as in the first trace: we got a deauthentication frame at packet 5, as shown above. This surprised us, as we were expecting at least some difference. By manually disconnecting, we thought we would get a disassociation frame, because a station sends one when it wants to disconnect from an access point. We ran the experiment a second time with the same results.

2.4. Trace 3 – Connecting and Disconnecting (Different laptop)

[Figure 5 - Trace 3]

For our third experiment, we repeated our second experiment from another laptop. We went through the entire process of authentication and association. This time, when we manually disconnected from the AP, we got a disassociation frame in packet 7 instead of a deauthentication frame. We believe the difference may simply be that some equipment does not support certain management frames.

2.5. Trace 4 – Reassociation
To attempt to obtain reassociation packets, access points 1 and 2 and station 3 were used. Station 3 was initially associated with AP 2, and AP 1 was next in the list of preferred networks. AP 2 was set to the lowest output power and its antenna was removed. It was then placed in a metal filing cabinet; this caused the signal strength to become low, and station 3 associated with AP 1.

In packets 1-4 station 3 establishes its initial connection to AP 2. After packet 4, AP 2 is placed in the filing cabinet. In packets 5-8 it tries to associate with AP 2 even though the signal strength is low. In packets 9-13 it associates with AP 1, and then in packet 14 station 3 disassociates from AP 2. Station 3 never sent an actual reassociation request to AP 1. This test was performed multiple times, and each time station 3 sent only regular association requests to AP 1, not reassociation requests.

2.6. Trace 5 – Deauthentication Attack
In this trace Aireplay was used to conduct a deauthentication attack by injecting deauthentication packets into the air. The packets look as though they come from the AP the station is associated with, so the station thinks it has to reassociate.

[Figure 6 - Trace 5]

In Figure 6, packets 1-4 establish the initial association to the AP. Packets 5-28 are the forged deauthentication packets produced by Aireplay. After the deauthentication packets, the station tries to re-establish a connection to the AP. Once it associates with the AP again, more deauthentication packets are sent and it has to associate again. As shown in the trace above, the station does not send a reassociation request; it just sends an association request. This shows that not all hardware follows the specification.

2.7. Trace 6 – MAC Filtering

[Figure 7 - Trace 6]

MAC filtering allows an AP to accept connections only from certain MAC addresses. In this experiment Station 1's MAC address was put in the allow list. In packets 1-4 Station 1 associates with the AP. Then in packet 5, station 2 sends an authentication request. In packet 6 the AP responds to station 2, denying authentication with an unspecified failure.

2.8. Trace 7 – WEP

[Figure 8 - Trace 7]

In this experiment 64-bit WEP encryption was set up on the AP. Station 1 was configured to connect to the AP with an invalid key. Packet 2 in the figure above shows that even with an invalid key the station still successfully authenticates with the AP. It also successfully associates with the AP, but once it does it cannot do anything, because it encrypts its data with the wrong key and so cannot obtain an IP address.
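As an added example (not part of the original report), the following Python decodes the management-frame header and the fixed body fields discussed above (reason code for deauthentication/disassociation, algorithm and status for authentication, status and AID for association responses) and flags a sender of repeated deauthentication frames, the pattern seen in Trace 5. The MAC addresses and the trace are constructed for the example, not taken from the captures.

```python
import struct
from collections import Counter

# 802.11 management-frame subtypes (Frame Control type field = 0, subtype in bits 4-7)
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

def parse_mgmt_frame(frame):
    """Decode the 24-byte MAC header plus the fixed fields of the bodies discussed above."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if ((fc >> 2) & 0x3) != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    info = {"subtype": MGMT_SUBTYPES.get(subtype, f"subtype {subtype}"),
            "dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":")}
    body = frame[24:]
    if subtype in (10, 12):            # disassociation / deauthentication: 2-byte reason code
        info["reason"] = struct.unpack("<H", body[:2])[0]
    elif subtype == 11:                # authentication: algorithm (0 = open system), sequence, status
        info["algorithm"], info["auth_seq"], info["status"] = struct.unpack("<HHH", body[:6])
    elif subtype in (1, 3):            # (re)association response: capability, status, AID
        _cap, info["status"], aid = struct.unpack("<HHH", body[:6])
        info["aid"] = aid & 0x3FFF     # the top two bits of the AID field are always set
    return info

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed frame for testing: type 0, given subtype, zero duration and sequence."""
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, bssid, 0) + body

def deauth_flood_sources(frames, threshold=10):
    """Senders of at least `threshold` deauthentication frames, the shape seen in Trace 5."""
    parsed = [parse_mgmt_frame(f) for f in frames]
    counts = Counter(p["src"] for p in parsed if p["subtype"] == "deauthentication")
    return sorted(addr for addr, n in counts.items() if n >= threshold)

# Constructed trace (not a real capture): open-system auth, association, then a deauth burst
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # placeholder MACs
SAMPLE_TRACE = [
    build_mgmt_frame(11, AP, STA, AP, struct.pack("<HHH", 0, 1, 0)),   # auth request, seq 1
    build_mgmt_frame(11, STA, AP, AP, struct.pack("<HHH", 0, 2, 0)),   # auth response, success
    build_mgmt_frame(0, AP, STA, AP, struct.pack("<HH", 0x0001, 10)),  # assoc request (cap, listen interval)
    build_mgmt_frame(1, STA, AP, AP, struct.pack("<HHH", 0x0001, 0, 0xC001)),  # assoc response, AID 1
] + [build_mgmt_frame(12, STA, AP, AP, struct.pack("<H", 7))] * 24     # 24 deauths, reason code 7

if __name__ == "__main__":
    for p in map(parse_mgmt_frame, SAMPLE_TRACE[:5]):
        print(p)
    print("deauth flood from:", deauth_flood_sources(SAMPLE_TRACE))
```

Applied to a monitor-mode capture, the same counter per source address over a short time window is the simplest indicator that the deauthentications in a trace are injected rather than a single orderly disconnect.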