The 802.11 standard divides all packets into three categories: data, management, and control. This category is called the packet's type, and each type is further divided into subtypes. Beacons and deauthentication packets are both examples of management subtypes. In order to understand why many of the attacks covered in later chapters work, it helps to know the difference between the packet types, and in particular which of them a receiver can and cannot verify the origin of.
Control packets are the lowest-level packet type. They are called control packets because they are directly related to the standard's Medium Access Control (MAC) rules. The original standard defines six control packets, shown in Table 3-1. (Later amendments added a few more; the most common in modern captures are the Block Ack Request and Block Ack frames, subtypes 8 and 9, introduced with 802.11e QoS.)
| Type | Subtype | Description |
|---|---|---|
| Control | 10 | Power Save (PS)-Poll |
| Control | 11 | Request To Send (RTS) |
| Control | 12 | Clear To Send (CTS) |
| Control | 13 | Acknowledgment (ACK) |
| Control | 14 | Contention-Free (CF)-End |
| Control | 15 | CF-End + CF-Ack |
Two of these control frames are directly related to the PCF mode of operation mentioned previously (CF-End and CF-End + CF-Ack). For all practical purposes, these frames are currently unused.
As mentioned in the previous section, RTS/CTS packets help solve the hidden node problem. They can also be used to avoid collisions even when no node is hidden. When a station wants to transmit a large packet, there is always the possibility of a collision. Instead of transmitting the large packet straight away, the station can send an RTS. If the (relatively small) RTS packet gets lost in a collision, little time is wasted retransmitting it. Once the station receives the CTS from the intended receiver (the AP, for a client sending upstream), it can transmit the large packet without worrying about a collision, because every station that heard the RTS or the CTS has agreed to stay quiet for the duration they advertised.
There are only two control packets left, PS-Poll and acknowledgments. As mentioned previously, PS-Poll packets are used by clients to retrieve buffered packets from the AP when the client is in power-savings mode. There isn't much to say about acknowledgments. Acknowledgment packets are small, and they are used to acknowledge the receipt of unicast data and unicast management packets.
The most interesting thing about control packets is that some of them are explicitly designed to be honored by unrelated networks on the same channel. This means that if you and your neighbor have your own networks, and your AP sends out a Clear To Send (CTS), all of the 802.11 nodes that hear it (including your neighbors) are expected to honor the CTS packet and not transmit anything for the duration specified. The receiving node simply loads the Duration field into its network allocation vector (NAV) and defers; it has no way to check who asked it to.
The fact that nodes on entirely unrelated networks are expected to process and honor certain packets from each other is interesting. It means that there is a small subset of the 802.11 protocol that, by design, cannot be authenticated. This is a subtle but important difference between 802.11 and virtually any other protocol on the planet.
If you hook up a computer to the Internet without a firewall (or a NAT), you have, in a sense, given anyone else on the Internet the ability to engage your computer in the TCP/IP protocol. If you think this is a bad idea (and obviously you should), you can turn on your own firewall, stick yourself behind a NAT, and so on.
Similarly, when you plug an Ethernet cable into your computer, you are giving everyone on the same broadcast domain the ability to engage your computer in the (relatively simple) layer-two protocol, Ethernet. People generally don't worry about this for two reasons. One is that Ethernet framing is very simple, so an Ethernet driver has very little frame-parsing code that could contain a remotely exploitable bug; an 802.11 driver, by contrast, has to parse management frames and their variable-length contents. The other reason is that by virtue of being physically connected to the same wired network, there is some implied level of trust. Neither of these assurances applies to 802.11.
Management packets, like control packets, are unauthenticated in the base standard. However, because most management packets are only processed by stations on the same network, they can be protected with keys those stations already share. The 802.11w amendment (Protected Management Frames, ratified in 2009) does exactly that for deauthentication, disassociation, and certain action frames. Beacons and probe requests/responses, which a station must process before it has any key, remain unauthenticated even with 802.11w enabled.
Management packets are used to perform various overhead tasks associated with running a wireless network, including such things as associating to a network and finding a network to associate with. Management frames that can generally be seen in the wild are shown in Table 3-2. Most of the packets in this table are covered in detail in "Finding and Connecting to Wireless Networks," later in this chapter.
| Type | Subtype | Description |
|---|---|---|
| Management | 0 | Association request |
| Management | 1 | Association response |
| Management | 2 | Reassociation request |
| Management | 3 | Reassociation response |
| Management | 4 | Probe request |
| Management | 5 | Probe response |
| Management | 8 | Beacon |
| Management | 10 | Disassociation |
| Management | 11 | Authentication |
| Management | 12 | Deauthentication |
Data packets can be authenticated in 802.11, as long as some form of encryption is turned on. The strength of this authentication is strictly related to the strength of the encryption being used. WEP provides very little assurance that the packet actually originated from someone on your network, because its CRC-32 integrity check is not keyed and can be forged along with the ciphertext. WPA/802.11i provides a much stronger guarantee through a keyed message integrity check that a station without the key cannot compute.
Before QoS was introduced, there were eight different subtypes for data packets. Almost all of these are due to the (currently unused) PCF mode of operation. Practically speaking, data packets on a non-QoS network have only two subtypes: Subtype 0 indicates a normal data packet, and subtype 4 indicates a null function data packet. Null function data packets are most often used when a client has no data to transfer, but wants to inform the AP that it is changing its power-savings mode.
Unlike Ethernet frames, which carry only a source and a destination, most 802.11 packets have three addresses: a source address, a destination address, and a Basic Service Set ID (BSSID). The BSSID field uniquely identifies the AP and its collection of associated stations, and is usually the MAC address of the AP's radio. The three addresses tell the packets where they are going, who they came from, and what AP to go through.
Not all packets, however, have three addresses. Since it is so important to minimize the overhead of sending control frames (such as acknowledgments), the number of bits used is kept to a minimum. The IEEE also used different terms to describe the addresses in control frames. Instead of a destination address, control frames have a receiver address, and instead of a source address, they have a transmitter address. The most common control frame is an acknowledgment (ACK). Figure 3-4 shows the Wireshark decoding of an ACK packet. Notice that it has only a single address, the receiver address. This is because an ACK packet, by definition, acknowledges the last packet sent. Unlike TCP, there is no need to identify exactly what is being acknowledged.
Figure 3-5 shows a typical data packet. In this packet, the BSSID and destination address are the same because the packet was headed to the Internet, and the AP was the gateway. If the packet had been destined for another machine on the same wireless network, the destination address would be different than the BSSID.
All 802.11 packets have a certain set of fields, regardless of whether they are data frames or control/management frames. This section covers the fields that are carried across all 802.11 packets.
Version All packets carry a 2-bit Version field. Currently, the only defined value is 0.
Type/Subtype These two combined fields uniquely determine what sort of packet you are looking at. For example, type = 0, subtype = 8 indicates that this is a management packet (type 0) that is a beacon (subtype 8).
ToDS/FromDS These two bits indicate whether a packet is coming from or going to the AP (or distribution system, to be pedantic about it). These bits are only relevant to data packets; all management- and control-type packets are supposed to set these bits to 0. If both bits are 1, then the packet is actually a wireless distribution system (WDS) packet being forwarded from one AP to another. If both bits are 0 and the type is data, then the packet is from an ad-hoc network. When only the FromDS field is set, then it is a packet from the AP to a client. If only ToDS is set, the packet is from the client to the AP.
More Fragments Similar to IP. If the packet has more fragments, set to 1.
Retry If a station had to retransmit a data or management frame, it sets this to 1.
Power Management Instead of having a special management or control packet to indicate that a station is entering or leaving power-savings mode, the IEEE decided to include a bit in every packet. If a station wants to inform the AP that it is entering power-savings mode, it simply sets this bit to 1 in the last packet it sends. To leave power-savings mode, a client sets this bit to 0. This is the reason why cards that support power savings transmit null-function data frames occasionally; they want to change their power-savings state, but don't have any real traffic to send.
More Data The More Data bit is set to 1 when an AP wants to inform a station in power-savings mode that the AP still has packets buffered for it.
WEP/Privacy The WEP bit originally indicated whether or not a data packet had been encrypted using the flawed WEP algorithm. Since 802.11i was introduced, the WEP bit is also called the Privacy bit and is also set on data packets encrypted using WPA/WPA2.
Order In the original standard, a transmitter sets this bit on data frames it is sending using the StrictlyOrdered service class, which tells the receiver that those frames must not be reordered relative to one another. In practice this service class is almost never used. 802.11n later reused the bit in QoS data and management frames to signal that an HT Control field is present in the header, so in a modern capture a set Order bit usually means that rather than strict ordering.
Duration This field indicates how long (in microseconds) the station that transmitted this packet needs the medium after this packet. Every station that hears the frame, whether or not it is the intended receiver, records the value in its network allocation vector (NAV) and defers for that long. When a station gains access to the medium to transmit a data packet, the receiving station can safely acknowledge that packet without checking whether the medium is available, because the duration value in the original data packet included the time required for the receiver to send the acknowledgment. Unacknowledged packets (such as broadcast data packets) set this to zero.
When the field holds a duration, its high bit (bit 15) is clear, so the largest legal duration is 32,767 microseconds. The field also serves other purposes. In PS-Poll frames, instead of a duration, it contains the 14-bit Association ID (AID) of the transmitting client, with the two high bits both set to 1.
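The following Python is an added example, not code from the book, that decodes the header fields described in this section and in the discussion of addresses above: the two Frame Control bytes (version, type, subtype, and the flag bits), the Duration/ID field including the PS-Poll AID case, and the address fields whose meaning changes with the type and the ToDS/FromDS bits. The sample frames are constructed by hand as header bytes only (no body, no FCS, no radiotap header), the MAC addresses in them are placeholders, and the `origin_assurance` helper is an illustrative summary of the authentication discussion above rather than anything the standard defines.

```python
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (1, 14): "CF-End", (1, 15): "CF-End + CF-Ack",
    (2, 0): "Data", (2, 4): "Null function", (2, 8): "QoS Data",
}
# Bit order of the second Frame Control byte, bit 0 first.
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry",
              "pwr_mgt", "more_data", "protected", "order"]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame):
    """Decode the MAC header of a raw 802.11 frame (no radiotap, no FCS)."""
    fc0, fc1, duration_id = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    flags = {name: bool(fc1 & (1 << bit)) for bit, name in enumerate(FLAG_NAMES)}
    hdr = {"version": fc0 & 0x3,
           "type": TYPE_NAMES.get(ftype, "reserved"),
           "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
           "flags": flags}
    # Duration/ID: with bit 15 clear it is a NAV reservation in microseconds
    # (at most 32,767); a PS-Poll sets bits 14 and 15 and carries the AID.
    if (ftype, subtype) == (1, 10):
        hdr["aid"] = duration_id & 0x3FFF
    else:
        hdr["duration_us"] = duration_id & 0x7FFF
    a1 = mac(frame[4:10])
    if ftype == 1:                       # control frames: RA, sometimes TA
        if subtype in (12, 13):          # CTS and ACK carry only a receiver
            hdr["addresses"] = {"ra": a1}
        else:                            # RTS, PS-Poll, CF-End: RA + TA
            hdr["addresses"] = {"ra": a1, "ta": mac(frame[10:16])}
        return hdr
    a2, a3 = mac(frame[10:16]), mac(frame[16:22])
    if ftype == 0:                       # management: DA, SA, BSSID
        hdr["addresses"] = {"da": a1, "sa": a2, "bssid": a3}
    else:                                # data: meaning follows ToDS/FromDS
        to_ds, from_ds = flags["to_ds"], flags["from_ds"]
        if not to_ds and not from_ds:
            hdr["addresses"] = {"da": a1, "sa": a2, "bssid": a3}
            hdr["path"] = "ad-hoc (IBSS)"
        elif from_ds and not to_ds:
            hdr["addresses"] = {"da": a1, "bssid": a2, "sa": a3}
            hdr["path"] = "AP to station"
        elif to_ds and not from_ds:
            hdr["addresses"] = {"bssid": a1, "sa": a2, "da": a3}
            hdr["path"] = "station to AP"
        else:                            # WDS: fourth address after seq ctrl
            hdr["addresses"] = {"ra": a1, "ta": a2, "da": a3,
                                "sa": mac(frame[24:30])}
            hdr["path"] = "WDS (AP to AP)"
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
    return hdr


def origin_assurance(hdr):
    """Illustrative summary: what, if anything, vouches for the sender."""
    if hdr["type"] == "control":
        return "none: control frames are unauthenticated by design"
    if hdr["type"] == "management":
        return "none unless 802.11w protects this subtype"
    if hdr["flags"]["protected"]:
        return "the data encryption in use (weak for WEP, strong for WPA/WPA2)"
    return "none: cleartext data frame"


# Constructed sample frames (header bytes only; bodies and FCS omitted).
# The MAC addresses are placeholders, not real devices.
AP, STA, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"), b"\xff" * 6
SAMPLE_FRAMES = {
    "ack":    bytes([0xD4, 0x00]) + (0).to_bytes(2, "little") + STA,
    "cts":    bytes([0xC4, 0x00]) + (3000).to_bytes(2, "little") + STA,
    "pspoll": bytes([0xA4, 0x00]) + (0xC001).to_bytes(2, "little") + AP + STA,
    "beacon": bytes([0x80, 0x00]) + (0).to_bytes(2, "little") + BCAST + AP + AP + (0x10).to_bytes(2, "little"),
    "deauth": bytes([0xC0, 0x00]) + (314).to_bytes(2, "little") + STA + AP + AP + (0x30).to_bytes(2, "little"),
    # Protected data frame from the client to the AP; the AP is also the IP
    # gateway, so the destination equals the BSSID (the Figure 3-5 case).
    "data":   bytes([0x08, 0x41]) + (44).to_bytes(2, "little") + AP + STA + AP + (0x20).to_bytes(2, "little"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        h = parse_80211(raw)
        print(f"{name:7} {h['type']:10} {h['subtype']:20} {h['addresses']}  "
              f"origin assurance: {origin_assurance(h)}")
```

The first Frame Control byte packs version, type, and subtype from the low bits upward, which is why the hex values in the sample frames line up with the subtype numbers in Tables 3-1 and 3-2 (0x80 is a beacon, 0xC0 a deauthentication, 0xD4 an ACK). Running the block against a real capture only requires feeding it the bytes that follow the radiotap header of each packet.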