802.11 network terminology

Building upon the wireless fundamentals discussed in Chapter 1, Wireless Penetration Testing Fundamentals, there are a number of terms that will come into play during the scanning phase of the wireless assessment. When a wireless network is created, it will be identified by one or more topologies defined by the IEEE 802.11 workgroup. There are three basic network topologies defined by the IEEE 802.11 group. They are as follows:

  • Basic Service Set (BSS)
  • Extended Service Set (ESS)
  • Independent Basic Service Set (IBSS)

Now, let's look at each of them in detail:

  • BSS: This consists of one access point with one or more client stations attached to it. Client stations will communicate through the AP. The following figure shows the basic service set:
    [Figure: Basic Service Set]

    There are a few other considerations to keep in mind when it comes to BSS:

    • Basic Service Set Identifier (BSSID): This is simply the MAC address of the access point's wireless interface, which is a 48-bit identifier (that is, xx:xx:xx:xx:xx:xx). Each access point and client station has its own unique MAC address. Note that when an access point advertises several SSIDs, each of them is normally served as a separate virtual AP with its own BSSID derived from the radio's base address, so one physical device can show up as several BSSIDs in a scan.
    • Service Set Identifier (SSID): This is simply the name of the wireless network that can be configured on an access point. A single access point can be configured with one or multiple SSIDs defined by the network administrator. The SSID is like a label for the WLAN to differentiate it from other WLANs. It is common for organizations to have multiple SSIDs with different characteristics, such as access restrictions, authentication types, or security considerations.
  • ESS: This is similar to BSS; however, it contains multiple access points with one or more client stations attached to them rather than just one. It can be viewed as multiple BSSes joined together by a distribution system, such as a wired Ethernet providing a service to stations collectively. A station can freely roam between two BSSes in an ESS without losing connectivity.
    • ESSID: The network name of an ESS is called the Extended Service Set Identifier. In practice the ESSID is the same value as the SSID; the 802.11 standard itself defines only the SSID, and the ESSID term is mainly used by tools such as iwconfig. All access points that belong to one ESS advertise the same SSID, and the individual BSSes within the ESS are told apart by their BSSIDs. Access points on the same distribution network can also advertise additional SSIDs, but each distinct SSID forms its own Extended Service Set. The following figure shows an Extended Service Set:
    [Figure: Extended Service Set]
  • IBSS: This consists of only client stations connected to each other, and no access points are deployed. Stations within range of one another operate in the ad hoc mode. An IBSS still has a BSSID, but it is a randomly generated, locally administered address chosen by the station that starts the network rather than the MAC address of an AP:
    [Figure: Independent Basic Service Set]

802.11 configuration modes

In addition to the network configurations discussed earlier, IEEE 802.11 defines two configuration modes for operation: the infrastructure mode and the ad hoc mode. In nearly all of the wireless assessments that you will be involved with, the only mode you will be assessing is the infrastructure mode. As discussed previously, most networks are serviced by access points, and the ad hoc mode is rarely seen in production environments:

  • The Infrastructure Mode: In the infrastructure mode, the access point works in its default configuration, the AP mode or root mode. In the root mode, the access point transfers data between client stations and a distribution system. It acts as the intermediary between the wireless medium and the distribution medium (the wired network). In the Infrastructure mode, clients communicate via the AP with the other wireless clients in the BSS, and with the Internet or other servers on the distribution system through the access point. Even client-to-client traffic within the BSS is relayed by the AP rather than sent directly.

    In the default configuration, an access point works in the Infrastructure Mode and creates a BSS. By joining multiple access points, each providing its own BSS, over a distribution system, we obtain an ESS. In the Infrastructure Mode, if you have admin access to an access point, then you have access to all the traffic originating from, or going to, the client stations associated with it: 802.11 encryption (WEP, WPA, WPA2, WPA3) terminates at the AP, so the AP sees every frame in the clear at the link layer, and only higher-layer protection such as TLS still shields the payload. This is a key tenet of an access point in the Infrastructure mode.

  • Ad hoc mode: In the ad hoc networking mode, there is no need for a central access point. The client stations in the ad hoc mode form a peer-to-peer network to communicate among themselves. Client stations configured in the ad hoc mode participate in the IBSS topology. Since there is no need for a central access point to transfer data between two client stations, an attacker will typically target the clients themselves rather than the AP. This configuration is rarely used and is not common in either consumer or commercial applications.

802.11 frames

In this section, we will look at Wireless 802.11 frames. You might be familiar with 802.3 Ethernet frames (LAN) in wired networks and will immediately notice the differences when comparing them to WLAN frames. WLAN has three types of frames defined in 802.11 standards. They are as follows:

  • Management frame
  • Control frame
  • Data frame

We will discuss each one of them in detail in this section.

Management frame

In a wired network, a client station connects directly to the network using a network cable plugged into a port on a switch or hub. In a wireless network, since there are no cables, a mechanism must exist to give the client the equivalent of plugging in and unplugging. Management frames provide exactly that: with them, the client station performs the wireless counterpart of connecting and disconnecting a cable (discovering the network, authenticating, associating, and later disassociating or deauthenticating). These frames are also responsible for maintaining communication between the stations.

There are several subtypes of Management frames, and they are listed as follows:

  • The Beacon frame
  • The ATIM frame
  • The Disassociation frame
  • The Association Request frame
  • The Association Response frame
  • The Reassociation Request frame
  • The Reassociation Response frame
  • The Probe Request frame
  • The Probe Response frame
  • The Authentication frame
  • The Deauthentication frame
  • The Action frame
  • The Action No ACK frame
  • The Timing Advertisement frame

During the scanning phase of penetration testing, we are primarily interested in beacon frames and probe response frames, which are subtypes of Management frames. In subsequent chapters, you will also take a look at how these management frames can be manipulated to attack the target wireless network; a key reason this is possible is that, unless 802.11w (Protected Management Frames) is enabled, management frames are neither encrypted nor authenticated, so a station will accept a deauthentication frame from anyone who forges the BSSID. The term "Beacon frames" is commonly simplified to beacons, and they originate from access points at regular intervals (typically every 100 time units, about 102 ms). Beacon frames from the access point help a client station discover and associate with the access point. Whenever a client station comes within the Basic Service Area of an access point, it discovers the presence of the AP by listening to its Beacon frames. Some guides or benchmarks recommend "hiding" the SSID to conceal the presence of the AP. This does not actually stop beaconing: the AP still transmits beacons, only with the SSID field blanked, so the BSSID, channel and security settings remain visible; later in this chapter, we'll look at how a hidden network can still be identified. As an analogy, think of beacon frames as the APs shouting "Marco!" in a game of Marco Polo. The client will be alerted to their presence and can respond in kind.

A beacon frame contains the SSID value, which is of interest to us when it comes to discovering WLANs. We can list the WLAN networks in range simply by capturing WLAN traffic and extracting the beacon frames from it. While scanning an 802.11 wireless network, our aim is to capture as many beacon frames as possible. Beacon frames carry much of the information about the target network. By looking into a beacon frame, we can extract the following properties:

  • SSID (from the SSID element; empty when the network is hidden)
  • Encryption (the security configuration: Open, WEP, WPA, WPA2 or WPA3, with the cipher and key-management suites advertised in the RSN or WPA element, and the Privacy bit of the capability field)
  • Channel (from the DS Parameter Set element)
  • MAC (the BSSID, that is, the MAC address of the access point)
  • Vendor information (from the OUI of the BSSID and from vendor-specific elements)
Control frames

Control frames are used to acquire and clear the channel and for other traffic management on the wireless medium. They are required for the orderly exchange of traffic between stations, for example reserving the medium before a large frame and acknowledging frames that arrived intact, since 802.11 cannot detect collisions on the air. The most common subtypes of control frames are as follows:

  • CTS: Clear to Send
  • RTS: Request to Send
  • ACK: Acknowledgement frame

Data frames

Data frames are the actual workhorses, carrying the data between client stations and the distribution system. Data frames carry the higher-layer information (LLC/SNAP, IP, and so on) in the body of the frame. On a protected network that body is encrypted, so sniffing yields readable payloads only on open networks or once the network's key has been recovered. In the later stages of this chapter, we will be sniffing these frames to extract valuable data transferred to and from client stations.
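
As an added example covering the three frame types introduced at the start of this section and the data frames just described (illustration code, not from the book), the following Python classifies a raw 802.11 frame from its Frame Control field, maps Address 1 to 3 onto DA, SA and BSSID according to the To DS/From DS bits, and, for an unencrypted data frame, reads the EtherType behind the LLC/SNAP header so that EAPOL handshake frames can be told apart from ordinary traffic. The sample frames are constructed inline; the addresses are locally administered test values and the EAPOL and ciphertext bytes are placeholders.

```python
import struct

MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response", 2: "Reassociation Request",
                 3: "Reassociation Response", 4: "Probe Request", 5: "Probe Response",
                 6: "Timing Advertisement", 8: "Beacon", 9: "ATIM", 10: "Disassociation",
                 11: "Authentication", 12: "Deauthentication", 13: "Action", 14: "Action No Ack"}
CTRL_SUBTYPES = {8: "Block Ack Request", 9: "Block Ack", 10: "PS-Poll", 11: "RTS", 12: "CTS",
                 13: "ACK", 14: "CF-End"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL"}
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"     # LLC/SNAP header preceding the EtherType in 802.11 data

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame):
    """Decode Frame Control, map the address fields by To DS/From DS, and peek at a data frame's payload."""
    if len(frame) < 10:
        raise ValueError("frame too short for Frame Control, Duration and Address 1")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    info = {"type": ("management", "control", "data", "extension")[ftype], "subtype": subtype,
            "name": "reserved", "bssid": None, "sa": None, "da": None,
            "protected": protected, "ethertype": None, "payload_proto": None}
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                                   # management: DA, SA, BSSID
        if len(frame) < 24:
            raise ValueError("management frame shorter than its 24-byte header")
        info.update(name=MGMT_SUBTYPES.get(subtype, "reserved"),
                    da=mac_str(a1), sa=mac_str(a2), bssid=mac_str(a3))
    elif ftype == 1:                                 # control: RA, plus TA for BAR/BA/PS-Poll/RTS
        info.update(name=CTRL_SUBTYPES.get(subtype, "reserved"), da=mac_str(a1))
        if subtype in (8, 9, 10, 11) and len(frame) >= 16:
            info["sa"] = mac_str(a2)
    elif ftype == 2:
        four_addr, qos = to_ds and from_ds, bool(subtype & 0x8)
        hdr_len = (24 + (6 if four_addr else 0) + (2 if qos else 0)
                   + (4 if qos and fc1 & 0x80 else 0))   # HT Control when Order is set on QoS data
        if len(frame) < hdr_len:
            raise ValueError("data frame shorter than its header")
        info["name"] = ("QoS Data" if qos else "Data") + (" (Null)" if subtype & 0x4 else "")
        if not to_ds and not from_ds:                # IBSS or direct link: DA, SA, BSSID
            da, sa, bssid = a1, a2, a3
        elif from_ds and not to_ds:                  # AP -> STA: DA, BSSID, SA
            da, bssid, sa = a1, a2, a3
        elif to_ds and not from_ds:                  # STA -> AP: BSSID, SA, DA
            bssid, sa, da = a1, a2, a3
        else:                                        # WDS/4-address: RA, TA, DA, SA; no single BSSID
            da, sa, bssid = a3, frame[24:30], None
        info.update(da=mac_str(da), sa=mac_str(sa), bssid=mac_str(bssid) if bssid else None)
        body = frame[hdr_len:]
        # The EtherType is only visible when the body is not encrypted (Protected bit clear).
        if not protected and not subtype & 0x4 and body[:6] == LLC_SNAP and len(body) >= 8:
            et = struct.unpack_from(">H", body, 6)[0]
            info["ethertype"], info["payload_proto"] = et, ETHERTYPES.get(et, f"0x{et:04x}")
    return info

# ---- constructed sample frames (not real captures; MACs are locally administered test values) ----
AP, STA, GW = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x10", b"\x02\x00\x00\x00\x00\xfe"
SEQ = b"\x20\x00"
# STA -> AP data frame carrying an EAPOL-Key (4-way handshake message 2): unencrypted, To DS set
FRAME_EAPOL = (b"\x08\x01" + b"\x00\x00" + AP + STA + AP + SEQ
               + LLC_SNAP + b"\x88\x8e" + b"\x02\x03\x00\x5f")
# AP -> STA QoS data frame with the Protected bit set: QoS Control, CCMP header, then ciphertext
FRAME_QOS_ENC = (b"\x88\x42" + b"\x00\x00" + STA + AP + GW + SEQ
                 + b"\x00\x00" + b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\xde\xad\xbe\xef")
FRAME_RTS = b"\xb4\x00" + b"\x00\x00" + AP + STA                # RA = AP, TA = STA
FRAME_ACK = b"\xd4\x00" + b"\x00\x00" + STA                     # RA only
FRAME_DEAUTH = b"\xc0\x00" + b"\x00\x00" + STA + AP + AP + SEQ + b"\x07\x00"   # reason code 7

if __name__ == "__main__":
    for f in (FRAME_EAPOL, FRAME_QOS_ENC, FRAME_RTS, FRAME_ACK, FRAME_DEAUTH):
        print(classify(f))
```

Two details matter for sniffing: the BSSID sits in a different address field depending on the frame's direction, so a capture filter that only looks at Address 3 will miss half the traffic of a BSS, and the EAPOL frames of the 4-way handshake are sent with the Protected bit clear even on a WPA2 network, which is why they can be captured before any key is known.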

In this section, we have discussed the different frames used in WLAN. Let's get into the core of the chapter; our aim in this chapter is to discover information about the wireless local area networks of our target.
