CT-7691-Mobile Wireless Security 3-2-3

Chapter 7: WLAN Configuration


Introduction
• Institute of Electrical and Electronics Engineers (IEEE)
• IEEE 802.11 standards
STANDARD   DESCRIPTION
802.2      Specifies the logical link control (LLC).
802.3      Specifies a bus topology using CSMA/CD at 10 Mbps.
802.4      Specifies a token-passing bus access method.
802.5      Specifies a token-passing ring access method.
802.10     Specifies LAN security and privacy access methods.
802.11     Specifies 1 Mbps and 2 Mbps wireless networks.
802.11a    Specifies high-speed wireless networking in the 5 GHz band up to 54 Mbps.
802.11b    Specifies high-speed wireless networking in the 2.4 GHz band up to 11 Mbps.
802.15     Specifies Bluetooth (see Chapter 2) LANs in the 2.4-2.5 GHz band.

Table 1.3 Common IEEE 802 Standards


• Another wireless 802 standard is IEEE 802 Broadband Wireless Access
(802.WBA, or 802.16). IEEE 802.16 standardizes the air interface and related
functions associated with the wireless local loop (WLL) for wireless broadband
subscriber access.

WLAN Configurations
• The IEEE 802.11 WLAN architecture is built around a basic service set (BSS).
- A BSS is a set of stations, mobile or fixed, that communicate with one
another.
- By definition, a station can be one of two types:
a stationary access point or a wireless node (fixed or mobile).
• There are two types of BSS:
- Independent BSS (IBSS), and
- Infrastructure BSS.
The former consists of at least two devices communicating directly with
each other, while the latter involves devices communicating through an
access point.
• The simplest WLAN configuration is an independent basic service set
(IBSS), also known as “ad hoc” mode.
• When all of the stations in the BSS are mobile stations and there is no
connection to a wired network, the ad hoc mode is being implemented.
• The IBSS is the entire WLAN, and only those stations communicating with each
other in the IBSS are part of this local area network.

The next figure shows how the basic service set is configured in an independent
basic service set.

• When a basic service set includes an access point (AP), the BSS is
no longer independent and is called an infrastructure BSS.
- An access point (AP) is a dual-mode device that provides wireless
relay services and connection to a wired network.
It can be used for both indoor and outdoor connectivity.

• In an infrastructure BSS, all mobile stations communicate with the
access point.
- The AP provides both local relay functions for the BSS and
connection to the wired LAN.
Therefore, if a mobile station in the BSS must communicate with
another mobile station, the communication must first be sent to the
AP and then from the AP to the desired destination, as shown in
the figure below.

802.11 Wireless Network Operational Modes
• The IEEE 802.11 wireless networks operate in one of two
operational modes: ad hoc or infrastructure mode.
• The IEEE standard defines -
- the ad hoc mode as Independent Basic Service Set (IBSS), and
- the infrastructure mode as Basic Service Set (BSS).
- Ad hoc mode is a peer-to-peer type of networking, whereas
infrastructure mode uses access points to communicate between
the mobile devices and the wired network.

Ad Hoc Mode
• In ad hoc mode, each mobile device client communicates directly with the
other mobile device clients within the network.
- That is, no access points are used to connect the ad hoc network directly
with any wired local area network.

• As shown in the figure below, ad hoc mode is designed such that only the
clients within transmission range (within the same cell) of each other can
communicate.
- If a client in an ad hoc network wants to communicate outside of the
cell, a member of the cell must operate as a gateway and perform
routing service.

Infrastructure Mode
• As shown in the figure below, each mobile device client in infrastructure
mode sends all of its communications to a network device called an access
point (AP).
- The access point acts as an Ethernet bridge and forwards the
communications to the appropriate network, either the wired local area
network or another wireless network.
Association Frames
• Before they can communicate data, mobile wireless clients and access
points must establish a relationship, or an association.
- Only after an association has been established can the two wireless stations
exchange data. In infrastructure mode, the clients associate with an access
point.
• Forming an association is an eight-step process that moves through these
three states:
- Unauthenticated and unassociated
- Authenticated and unassociated
- Authenticated and associated

• To transition between the states, the communicating parties exchange
messages, called management frames. Here’s how this is done:
1. All access points transmit a beacon management frame at a fixed interval.
2. To associate with an access point and join a BSS, a mobile device client
listens for beacon messages to identify the access points within range.
3. The mobile device client selects the BSS to join in a vendor-independent
manner.
4. The client may also send a probe request management frame to find an
access point affiliated with a desired service set identifier (SSID).
- An SSID is an identification value programmed into a wireless access point.
5. After identifying an access point, the client and the access point perform a
mutual authentication by exchanging several management frames as part of
the process.
6. After successful authentication, the client moves into the second state,
authenticated and unassociated.
7. Moving from the second state to the third and final state, authenticated and
associated, involves the client sending an association request frame, and the
access point responding with an association response frame.
8. The mobile device client becomes a peer on the wireless network, and can
transmit data frames on the network.
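As an added example (not part of the lecture notes), the three-state association machine above written as a per-station tracker that an access point or a WLAN monitor could use to reject frames sent in the wrong state; the frame labels (auth_ok, assoc_ok, and so on) are this example's own shorthand for the management frames and their successful responses.

```python
# Added example (not from the lecture notes): a per-station tracker for the
# three 802.11 association states. It consumes a sequence of frame labels
# (shorthand chosen for this example) and records frames that are invalid
# in the station's current state.
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1   # state 1: unauthenticated and unassociated
    AUTH_UNASSOC = 2     # state 2: authenticated and unassociated
    AUTH_ASSOC = 3       # state 3: authenticated and associated


# Allowed transitions: (current state, frame label) -> next state.
# "auth_ok" / "assoc_ok" / "reassoc_ok" stand for a successful response
# to the corresponding request frame.
TRANSITIONS = {
    (State.UNAUTH_UNASSOC, "auth_ok"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "assoc_req"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "assoc_ok"): State.AUTH_ASSOC,
    (State.AUTH_UNASSOC, "reassoc_ok"): State.AUTH_ASSOC,
    (State.AUTH_ASSOC, "data"): State.AUTH_ASSOC,
    # Disassociation ends the association but keeps the authentication.
    (State.AUTH_ASSOC, "disassoc"): State.AUTH_UNASSOC,
    # Deauthentication drops the station all the way back to state 1,
    # associated or not, because association requires authentication.
    (State.AUTH_UNASSOC, "deauth"): State.UNAUTH_UNASSOC,
    (State.AUTH_ASSOC, "deauth"): State.UNAUTH_UNASSOC,
}

# Frames that are legal in every state (probe and authentication exchange).
ALWAYS_ALLOWED = {"probe_req", "probe_resp", "auth_req", "deauth"}


class StationTracker:
    """Tracks one station's state and records out-of-state frames."""

    def __init__(self):
        self.state = State.UNAUTH_UNASSOC
        self.violations = []

    def handle(self, label):
        nxt = TRANSITIONS.get((self.state, label))
        if nxt is not None:
            self.state = nxt
        elif label not in ALWAYS_ALLOWED:
            # e.g. an association request before authentication, or a data
            # frame from a station that never associated.
            self.violations.append((self.state, label))
        return self.state


def replay(labels):
    """Run a frame sequence through a fresh tracker; return (final state, violations)."""
    tracker = StationTracker()
    for label in labels:
        tracker.handle(label)
    return tracker.state, tracker.violations
```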

Figure. Basic service sets (BSSs)
A BSS without an AP is called an ad hoc network;
a BSS with an AP is called an infrastructure network.

Figure. Extended service sets (ESSs)

Figure. MAC layers in IEEE 802.11 standard

Figure. CSMA/CA flowchart

Figure. Frame format

Figure. Control frames

Table. Values of subfields in control frames

Table. Addresses

Table. Physical layers
The IEEE 802.11 Physical (PHY) Layer
Spread Spectrum Technology
• The communication standard for wireless LANs is spread spectrum, a wideband
radio frequency technique.
- Spread spectrum uses a radio transmission mode, which broadcasts signals over
a range of frequencies.
- The receiving mobile device must know the correct frequency of the spread-
spectrum signal being broadcast.
• Most wireless LANs use spread spectrum technology, as it gives mobile
devices the interference immunity that narrowband systems often lack.
- Spread spectrum uses a transmission mode that consumes more
bandwidth than narrowband transmission, but produces a signal that
is stronger and easier to detect by other devices.
- Thus, spread spectrum trades off some bandwidth efficiency for
gains in security, integrity and reliability of transmission.

• Two very different, but equally popular, spread spectrum RF technologies for
2.4 GHz wireless LANs currently exist:
- direct-sequence spread spectrum (DSSS), and
- frequency-hopping spread spectrum (FHSS)

• Unlicensed wireless networks can operate in three areas of the radio
spectrum, referred to as the Industrial, Scientific, and Medical (ISM)
bands.
The frequencies for these regions are:
- 902 – 928 MHz
- 2.4 – 2.4835 GHz
- 5.725 – 5.825 GHz

• IEEE 802.11b operates in the 2.4 – 2.4835 GHz frequency spectrum.


• Since there are a host of other unlicensed devices that operate in these
same regions of the E-M spectrum, techniques are needed to avoid
interference.
- One such technique, developed to help secure the transmission,
involves spreading transmissions across a range of frequencies,
rather than transmitting on one frequency all the time.
- This is commonly referred to as spread spectrum modulation.

• IEEE 802.11 is a family of standards that governs the operations and
functions of WLANs.
- It specifically concerns itself only with the functions of WLANs at the
Physical (PHY) layer and Media Access Control sublayer of the OSI
reference model.
The following figure shows the entire OSI model.
Physical layer
• The Physical layer is the first layer (Layer 1) in the OSI reference model. It
defines the relationship between a device and the physical communication
medium.
• The IEEE 802.11 Physical layer specifies the wireless signaling techniques
used for transmitting and receiving information over the airwaves.
Some sample signaling techniques are listed below:
- Frequency-hopping spread spectrum (FHSS)
- Direct-sequence spread spectrum (DSSS)
- Orthogonal frequency division multiplexing (OFDM)
• Specifies use in the 5 GHz frequency bands and the 2.4 GHz ISM bands.
Most of the recent IEEE 802.11 standards implement this PHY and its
variants.
• OFDM generally supports higher data rates.
• Systems implementing this PHY can support 6, 9, 12, 18, 24, 36, 48, and 54
Mbit/s data rates.

Frequency-hopping spread spectrum (FHSS)
• This signaling (modulation) technique specifies use in the 2.4 GHz industrial,
scientific, and medical (ISM) frequency band.
• The specific frequency range is 2.402–2.480 GHz.
• FHSS is one of the modulation techniques used in early WLAN
implementations and is rarely used today.
• It supports data rates of 1–2 Mbit/s.

Direct Sequence Spread Spectrum
• Spread spectrum modulation techniques are used to widen the RF bandwidth
of a signal so the transmitted bandwidth is much wider than would be
necessary for information transmission alone.
- This type of communication makes the signal resistant to noise and
interference.
• DSSS combines a data signal at the sending station with a high-bit sequence
commonly referred to as a chipping code. This is the only spread spectrum
technique implemented in IEEE 802.11b.

• This signaling (modulation) technique specifies use in the 2.4 GHz ISM band.
• The specific frequency range is 2.400–2.497 GHz.
• Systems implementing this PHY can support 1 Mbit/s and 2 Mbit/s data rates.
• High rate direct sequence spread spectrum (HR/DSSS)
Systems implementing this PHY can provide data rates of 1, 2, 5.5, and 11 Mbit/s.

802.11: FHSS vs. DSSS Technology

FHSS
• Transmits by using a narrowband carrier that changes over 79 frequencies in a
given pattern.
• Value propositions:
- Scalability through access point roaming on different channels
- Interference immunity
- Cost
• FCC guidelines restrict from shipping anything above 10 Mbps.

DSSS
• Transmits data by “chipping code”: generating a redundant bit pattern for
each bit sent.
• Value propositions:
- Higher throughput
- Echo (multi-path) resistance
- Wider range
- Upgradeable/scalable
• Speed currently up to 11 Mbps
• Vendor interoperability with the 802.11b standard
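As an added example (not from the lecture notes), the DSSS chipping described in the section above and in the comparison table, carried out in Python with the 11-chip Barker code that 802.11 DSSS uses as its chipping sequence: each data bit is spread to 11 chips, a few chips per bit are deliberately inverted to stand in for narrowband interference, and the receiver recovers the bits by correlation.

```python
# Added example (not from the lecture notes): direct-sequence spreading with
# the 11-chip Barker code used by 802.11 DSSS, then despreading by
# correlation. Inverting up to 5 of the 11 chips of every bit still leaves
# each bit recoverable, which is the noise/interference resistance that a
# redundant chip pattern buys at the cost of 11x the bandwidth.
import random

# 802.11 DSSS Barker sequence, written as +1/-1 chips.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]

# Constructed sample payload (8 data bits) for the demonstration.
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0]


def spread(bits):
    """Map each data bit to 11 chips: bit 1 -> Barker code, bit 0 -> its inverse."""
    chips = []
    for b in bits:
        sign = 1 if b == 1 else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(chips):
    """Correlate each 11-chip block with the code; the sign of the sum is the bit."""
    n = len(BARKER_11)
    bits = []
    for i in range(0, len(chips), n):
        block = chips[i:i + n]
        corr = sum(c * k for c, k in zip(block, BARKER_11))  # +11 / -11 when clean
        bits.append(1 if corr > 0 else 0)
    return bits


def corrupt(chips, flips_per_bit, seed=1):
    """Invert `flips_per_bit` randomly chosen chips inside every 11-chip block."""
    n = len(BARKER_11)
    rng = random.Random(seed)
    out = list(chips)
    for start in range(0, len(out), n):
        for idx in rng.sample(range(start, start + n), flips_per_bit):
            out[idx] = -out[idx]
    return out


def bit_error_count(bits, flips_per_bit):
    """Spread, corrupt, despread; return how many data bits came back wrong."""
    recovered = despread(corrupt(spread(bits), flips_per_bit))
    return sum(1 for a, b in zip(bits, recovered) if a != b)
```

Each block's correlation is 11 minus twice the number of inverted chips, so up to 5 inverted chips per bit are tolerated and the sixth flips the decision for every bit.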

Regulatory Requirements
• IEEE 802.11-compliant WLAN radios operating in the 2.4-GHz
Industrial, Scientific, and Medical (ISM) bands must comply with the local
geographical regulatory domains before operating in this spectrum.
- These technical requirements are specified to comply with the regulatory
requirements for WLANs to minimize the amount of interference a radio
can generate or receive from another in the same proximity.
• The IEEE 802.11 standard identifies the minimum technical requirements
for interoperability and compliance based upon established regulations for
Europe, Japan, and North America.
• The lists and tables below specify the current regulatory and technical
requirements for various geographical areas.
IEEE 802.11 Protocol Architecture

IEEE 802.11 MAC Frame Formats
• MAC is a sublayer of the OSI’s Data Link layer, or layer 2.
• The MAC sublayer is basically responsible for providing addressing and
medium access control mechanisms that make it possible for several nodes
to communicate in a network.
• The MAC functions are used to control and manage access to the
transmission medium in a communications system.

• The STAs in a wireless network cannot always be guaranteed to be within
earshot of each other so that they can hear (or detect) when the other STAs are
transmitting.
- This phenomenon is known as the “hidden node” problem in RF communications.
• To detect when the medium is available for use, 802.11-based systems try
to avoid any type of collision in the first place.
- This is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA),
and the key word here is “avoidance.”
- A popular method for implementing CSMA/CA in wireless LANs is known as
the Distributed Coordination Function (DCF).

MAC Frame Types
• Depending on their function, IEEE 802.11 MAC frame types can be grouped
into three categories:
- control frames, management frames, and data frames.

General Frame Format

• The general IEEE 802.11 frame structure is depicted in the figure below.
- This frame structure is found in all frames, regardless of frame type.

- It should be strongly noted that the MAC header is never encrypted. Only the data
content in the Frame body can be encrypted to prevent eavesdropping.

Control Frames
• These most basic frame types are very important for all WLAN
communications and are used to support the delivery of the other
(management and data) MAC frame types.
• All the wireless STAs must be able to see the control frames—in other
words, the information in the control frames is not secret or classified in
any way.
• Control frames are used, for example, when a wireless STA needs to
negotiate and gain access to the WLAN using CSMA/CA.
- Other types of control frames are the Request to Send (RTS), Clear to Send
(CTS), and Acknowledgment (ACK) frames.

IEEE 802.11 Management Frame Type
• These frame types are used for management purposes on the WLAN, where
they play a very important role.
- Management frames are used by wireless STAs whenever an STA officially
wants to participate or discontinue its participation in the network and for
other miscellaneous housekeeping purposes.
Here are some sample management frame types:
■ Beacon frame - A very important management MAC frame type, it performs
various functions, such as time synchronization among the STAs; it also stores the
value of the SSID being used, and specifies the data rates supported on the WLAN,
among other things.
■ Association Request frame - These frames are sent by the STA to request
association with the AP.
■ Association Response frame - These frames contain the AP’s response to the
STA regarding the STA’s association request. It is either a yes or a no.
■ Reassociation Request frame - These frames are used by STAs whenever they
need to be reassociated with an AP.
■ Reassociation Response frame - These frames are sent by the AP in response to
the STA’s request to reassociate with the AP.

■ Authentication frame -These frames are used whenever a STA needs to
participate in or join a BSS. Mere association is not nearly enough— the STA
needs to be authenticated to make full use of the BSS. The STA uses
authentication frame types to confirm its identity.
■ Deauthentication frame - Authenticated STAs use these frame types to
signal their intention to terminate the authenticated (secure)
communications.
■ Disassociation frame - This frame is sent by a STA that is associated with an
AP to inform the AP that it wants to discontinue the association. Note that
this is not a request, and as such a response or acknowledgment or
confirmation is not required from the AP.
■ Probe Request frame - STAs send probe request frames whenever they
need to discover information about other STAs. Such information might
include the capabilities of the other STA or information about the supported
data rates.
■ Probe Response frame - This frame carries the response to probe requests.

• The main purpose of this frame is to allow mobile stations to join the
WLAN.
• This is the frame we want to enumerate with AiroPeek.
- We want to retrieve the “SECRET WLAN Infrastructure Name” or Service
Set Identification (SSID).
- This is the key to joining our target IEEE 802.11b WLAN and the
connected wired backbone network. The following management frame
subtypes are our primary targets:
- Beacons
- Probe request and Probe response
- Association request
- Reassociation request

Beacon Frame
• Access Points will periodically transmit a beacon frame, about 10
frames a second, to provide synchronization among the mobile
stations and to announce its capabilities.
• All station clocks are synchronized by these beacons while
operating in infrastructure mode.
• These wireless broadcasts are used by mobile stations to find a
particular Access Point or other stations that match its parameters.
• The following information is included in every beacon frame:
- Timestamp
- Beacon Interval (usually every 100 milliseconds)
- Capability Information
- SSID
- Supported Rates (1, 2, 5.5, and/or 11 Mbps)
- Other parameters

Probe Request and Probe Response Frames
• Mobile stations will send a Probe Request Frame to quickly locate
an IEEE 802.11 WLAN.
- To find a particular Access Point, a mobile station will broadcast a
Probe Request frame to all channels with the SSID of the AP it
wishes to find.
- The station can also send a Probe Request with the broadcast
address in the SSID field.
- It will then check all the Probe Responses for the SSID that matches the
SSID it wishes to join.
The body of the Probe Request Frame contains two subfields:
- SSID
- Supported Rates (1, 2, 5.5, 11 Mbps)
• By definition, in an infrastructure BSS, the Access Point will always,
always, respond to a Probe Request Frame!
• The Probe Response Frame is identical to the Beacon Frame.
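As an added example (not from the lecture notes, and not AiroPeek's code), a small Python parser for the 24-byte management-frame header and for the beacon / probe response body listed above (timestamp, beacon interval, capability, SSID, supported rates). The two sample frames are constructed inline with made-up addresses and the course code as SSID; the second one is a data frame with the Protected flag set, to show the point made under General Frame Format: the header decodes even when the body is encrypted.

```python
# Added example (not from the lecture notes): parse the 802.11 MAC header
# and the beacon / probe response body. Sample frames are constructed below
# (no trailing FCS), not captured traffic.
import struct

MGMT_SUBTYPES = {0: "assoc_req", 1: "assoc_resp", 2: "reassoc_req",
                 3: "reassoc_resp", 4: "probe_req", 5: "probe_resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame):
    """Decode the 24-byte header: frame control, duration, three addresses, seq ctl."""
    fc, dur, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    hdr = {
        "type": (fc >> 2) & 0x3,          # 0 management, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),   # body encrypted; header still in clear
        "duration": dur, "addr1": mac(a1), "addr2": mac(a2), "addr3": mac(a3),
        "seq": seq >> 4, "frag": seq & 0xF,
    }
    if hdr["type"] == 0:
        hdr["name"] = MGMT_SUBTYPES.get(hdr["subtype"], "other")
    return hdr


def parse_beacon_body(body):
    """Fixed fields (timestamp, interval, capability), then tagged elements."""
    ts, interval, cap = struct.unpack("<QHH", body[:12])
    info = {"timestamp": ts, "interval_ms": interval * 1024 / 1000,  # 1 TU = 1024 us
            "privacy": bool(cap & 0x0010), "ssid": None, "rates_mbps": []}
    pos = 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if eid == 0:    # SSID element; zero length means the AP hides its SSID
            info["ssid"] = data.decode("ascii", "replace") if elen else "(hidden)"
        elif eid == 1:  # Supported Rates: units of 500 kbps, top bit = basic rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in data]
        pos += 2 + elen
    return info


def parse_frame(frame):
    hdr = parse_header(frame)
    if hdr["type"] == 0 and hdr["subtype"] in (5, 8):  # probe resp / beacon
        hdr["body"] = parse_beacon_body(frame[24:])
    return hdr


# Constructed beacon: broadcast DA, made-up SA/BSSID, 100 TU interval,
# capability ESS+Privacy, SSID "CT-7691", 802.11b rates 1/2/5.5/11 Mbps.
BEACON = (bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6
          + bytes.fromhex("02000000aaaa") + bytes.fromhex("02000000aaaa")
          + bytes([0x10, 0x00])
          + struct.pack("<QHH", 123456789, 100, 0x0011)
          + bytes([0, 7]) + b"CT-7691" + bytes([1, 4, 0x82, 0x84, 0x0b, 0x16]))
# Constructed data frame with ToDS and Protected flags set: header still parses.
DATA_PROTECTED = bytes([0x08, 0x41]) + bytes(22)
```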

Association Request
• The Association Request Frame is sent by a mobile station to request an
association with an Access Point.
The Association Request Frame contains the following information:
- Capability Information
- Listen Interval (how often a mobile station wakes to listen to Beacons)
- SSID
- Supported Rates

Reassociation Request
• The Reassociation Request Frames contain the following information:
- Capability Information
- Listen Interval
- Current Access Point Address
- SSID
- Supported Rates

Data Frames
• These frame types are responsible for transporting the actual data payload
to and from the communication end points.
Systematic Exploitation of an 802.11b WLAN
802.11b Exploitation Software: AiroPeek
• The information contained in the IEEE 802.11b MAC headers will always provide
an attacker with the critical information needed for a successful attack against an
802.11b WLAN as these header frames are never encrypted.
• By utilizing an 802.11b protocol analyzing software, an attacker will be able to
retrieve the information required to authenticate and associate with the target
Access Point and gain access into the backbone wired network.
• The AiroPeek software suite configures an IEEE 802.11b-compliant PCMCIA
card to operate in promiscuous mode.
- In this condition, the PCMCIA card can monitor and capture all IEEE 802.11b
broadcast and multicast traffic within its sensitivity range.
- Such tools are known as “sniffers” and they allow an attacker to passively harvest
a wealth of information on a target in order to execute a focused and surgical
attack.

It should be noted that only the Cisco 342 card was tested. Specific details on
supported PCMCIA cards can be found through AiroPeek’s website
(www.wildpackets.com).

• Nevertheless, due to the inherent vulnerabilities in the IEEE 802.11b
standard, in particular the transmitting of the Media Access Control
(MAC) headers in the clear, an IEEE 802.11b WLAN can now be
easily exploited with this particular software.
• AiroPeek will capture the entire IEEE 802.11b MAC header and
display, in great detail, the information contained in each field and
subfield.
• The remainder of this section will focus on the capabilities of this
sniffer and introduce a systematic approach in exploiting an IEEE
802.11b wireless local area network to gain access into the
backbone wired network.
• It is important to note that the exploitation methodology described in
this example is dependent upon the successful eavesdropping on
IEEE 802.11b signals.
