Mastering WLAN Security: Exploiting Vulnerabilities and Sniffing Techniques with Wireshark

Network analysis

Chapter 2: WLAN and Inherent Insecurity

Authors: Vivek Ramachandran, Cameron Buchanan

Introduction

The higher the building, the deeper the foundation must be. – Thomas à Kempis

Nothing great can be built on a fragile foundation. In our context, security cannot be built on inherent insecurity.

WLANs have specific design insecurities that can be easily exploited, such as packet injection and sniffing (which can be done from a great distance). In this chapter, we will exploit these vulnerabilities.

2.1 Reviewing WLAN Frames

Since this book deals with wireless security, we assume you have a basic understanding of protocols and packet headers. If not, or if you’ve been away from wireless for a long time, it’s a good opportunity to revisit this topic.

Let’s quickly review some basic concepts of WLANs that you probably already know. In WLANs, communication is carried out by way of frames, each having the following header structure:

The fields themselves have a more complex structure:

The type field defines the following three types of WLAN frames:

When discussing different attacks in later chapters, we will discuss the security vulnerabilities of each of these frame types.

Now, let’s see how to use Wireshark to sniff these frames on a wireless network. There are other tools – such as Airodump-NG, Tcpdump, or Tshark – that you can also use for sniffing. In this book, we primarily use Wireshark, but we encourage you to explore other tools. The first step is to create an interface in monitor mode. This creates an interface for your adapter so that we can read all wireless frames in the airspace, regardless of whether they are destined for us. In the wired world, this is commonly called promiscuous mode.

Hands-On – Creating an Interface in Monitor Mode

Let’s set our wireless card to monitor mode.

Follow the guidelines below to get started:

What Just Happened?

We successfully created a monitor mode interface on top of our wireless adapter. This interface is what we will use to sniff wireless packets in the airspace.

Try It – Creating Multiple Monitor Mode Interfaces

It’s possible to create multiple monitor mode interfaces with the same physical card. Use the airmon-ng tool to see how this is done.

Great! We have a monitor mode interface ready to read some packets from the airspace. So let’s get started.

In the next exercise, we’ll use Wireshark and the monitor mode interface we just created to sniff packets from the air.

Hands-On – Sniffing Wireless Packets

Follow the guidelines below to get started:

Click the triangle in front of a packet entry to expand it and view its details.

Observe the different header fields in the packet and correlate them with the WLAN frame types and subtypes you learned earlier.

What Just Happened?

We just sniffed our first set of packets from the airspace. We launched Wireshark, which uses the monitor mode interface we set up earlier. By checking the bottom area of Wireshark, you should notice the rate of packet capture and the number of packets captured so far.

Try It – Discover Different Devices

Wireshark’s logs can sometimes be intimidating; even in a reasonably constructed wireless network, you will sniff thousands of packets. It’s crucial to drill down to the packets we’re interested in. This can be done using filters in Wireshark. Explore how to use these filters to identify unique wireless devices in the logs – access points and wireless clients.

If you can’t manage it, don’t worry; it’s the next thing we’re going to learn.

Hands-On – Viewing Management, Control, and Data Frames

Now we learn how to use filters in Wireshark to view management, control, and data frames.

Please follow these guidelines step by step:

To view all management frames in the captured packets, enter the filter in the filter window and apply it. If the packets are scrolling by too fast to read, you can stop the packet capture.

To view control frames, modify the filter expression to.

To view data frames, modify the filter expression to.

For additional subtype selection, use filters. For example, to view beacon frames among all management frames, use the filter below:

Alternatively, you can right-click on any header field in the middle window, then select to use a filter.

This automatically adds the correct filter expression for you in the field.

What Just Happened?

We just learned how to use various filter expressions in Wireshark to filter packets. This helps in monitoring selected packets from devices we’re interested in, rather than attempting to analyze all packets in the airspace.

Similarly, we can view the headers of management, control, and data frames in plain text, because these headers are never encrypted. Anyone capable of sniffing packets can read them. Note that an attacker could also modify any of these frames and resend them: the protocol provides no integrity or replay protection, so such attacks are very easy to carry out. We will see some of these attacks in later chapters.
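The frame types introduced at the start of this chapter and the display filters used in this section both come down to the 2-byte Frame Control field at the start of every 802.11 frame. The following Python script, added here as an illustration and not part of the book, decodes that field and the address fields of raw frames, counts frames the way the Wireshark fields `wlan.fc.type` and `wlan.fc.type_subtype` would (beacon frames have `wlan.fc.type_subtype == 0x08`), and builds a passive inventory of access points and their clients, which is the "Discover Different Devices" exercise done by hand. The sample frames, MAC addresses and the SSID `Lab1` are constructed for the example; the FCS is omitted.

```python
"""Decode raw 802.11 frames: frame-control bits, addresses, beacon SSIDs."""
from collections import defaultdict

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc: bytes) -> dict:
    """Byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
    Byte 1: flags; we keep To DS, From DS and Protected."""
    ftype = (fc[0] >> 2) & 0x03
    subtype = (fc[0] >> 4) & 0x0F
    return {
        "type": ftype,
        "subtype": subtype,
        # Same numbering Wireshark shows as wlan.fc.type_subtype (beacon = 0x08)
        "type_subtype": (ftype << 4) | subtype,
        "to_ds": bool(fc[1] & 0x01),
        "from_ds": bool(fc[1] & 0x02),
        "protected": bool(fc[1] & 0x40),
    }


def beacon_ssid(body: bytes) -> str:
    """Walk the tagged parameters after the 12 fixed beacon bytes
    (timestamp 8, interval 2, capability 2); tag 0 carries the SSID."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace") or "<hidden>"
        pos += 2 + length
    return "<none>"


def parse_frame(raw: bytes) -> dict:
    """Control frames such as ACK stop after Address 1; the rest carry three."""
    fc = parse_frame_control(raw[0:2])
    frame = {"fc": fc, "kind": FRAME_TYPES.get(fc["type"], "reserved"),
             "addr1": mac(raw[4:10])}
    if len(raw) >= 16:
        frame["addr2"] = mac(raw[10:16])
    if len(raw) >= 22:
        frame["addr3"] = mac(raw[16:22])
    if fc["type"] == 0 and fc["subtype"] == 8:   # beacon: 24-byte MAC header, then body
        frame["ssid"] = beacon_ssid(raw[24:])
    return frame


def count_matching(frames, field: str, value: int) -> int:
    """Mimic the two display-filter fields used in this chapter,
    e.g. count_matching(frames, "wlan.fc.type", 0) for management frames."""
    hits = 0
    for raw in frames:
        fc = parse_frame_control(raw[0:2])
        fields = {"wlan.fc.type": fc["type"], "wlan.fc.type_subtype": fc["type_subtype"]}
        hits += fields[field] == value
    return hits


def inventory(frames):
    """Beacons reveal access points (Address 2 is the transmitting AP); data
    frames reveal which client talks to which BSSID (To DS: client is
    Address 2 and BSSID Address 1; From DS: the reverse)."""
    aps, clients = {}, defaultdict(set)
    for raw in frames:
        f = parse_frame(raw)
        fc = f["fc"]
        if fc["type"] == 0 and fc["subtype"] == 8:
            aps[f["addr2"]] = f["ssid"]
        elif fc["type"] == 2:
            if fc["to_ds"] and not fc["from_ds"]:
                clients[f["addr1"]].add(f["addr2"])
            elif fc["from_ds"] and not fc["to_ds"]:
                clients[f["addr2"]].add(f["addr1"])
    return aps, {bssid: sorted(stas) for bssid, stas in clients.items()}


# --- Constructed sample frames (not a real capture; FCS omitted) ---------
BCAST = bytes.fromhex("ffffffffffff")
AP = bytes.fromhex("001122334455")      # hypothetical lab access point
STA1 = bytes.fromhex("aabbccddee01")    # hypothetical wireless clients
STA2 = bytes.fromhex("aabbccddee02")
GW = bytes.fromhex("001122aabbcc")      # hypothetical host on the wired side


def build(fc_hex: str, a1: bytes, a2: bytes = b"", a3: bytes = b"", body: bytes = b"") -> bytes:
    frame = bytes.fromhex(fc_hex) + b"\x00\x00" + a1 + a2 + a3   # duration = 0
    if a3:
        frame += b"\x10\x00"                                       # sequence control
    return frame + body


BEACON_BODY = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + b"\x00\x04Lab1"
SAMPLE_FRAMES = [
    build("8000", BCAST, AP, AP, BEACON_BODY),  # beacon (mgmt, subtype 8), SSID "Lab1"
    build("0801", AP, STA1, GW),                # data, To DS, STA1 -> AP
    build("0842", STA1, AP, GW),                # data, From DS, Protected bit set
    build("0801", AP, STA2, GW),                # data, To DS, STA2 -> AP
    build("d400", STA1),                        # ACK (control, subtype 13)
    build("c000", STA1, AP, AP),                # deauthentication (mgmt, subtype 12)
]

if __name__ == "__main__":
    for name, (field, value) in {"management": ("wlan.fc.type", 0), "control": ("wlan.fc.type", 1),
                                 "data": ("wlan.fc.type", 2), "beacons": ("wlan.fc.type_subtype", 0x08)}.items():
        print(f"{name:>10}: {count_matching(SAMPLE_FRAMES, field, value)}")
    print(inventory(SAMPLE_FRAMES))
```

Note that the Protected flag on the third sample frame only tells you the data payload is encrypted; every header field the script reads, including both MAC addresses and the BSSID, is still in the clear, which is exactly why an inventory like this works against any network within RF range.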

Try It – Play with Filters

You can refer to the Wireshark manual to understand more available filter expressions and how to use them. Try playing with various filter combinations until you feel confident in diving into any level of detail, even among many packet logs.

In the next exercise, we’ll explore how to sniff data packets transmitted between our access point and wireless clients.

Hands-On – Sniffing Packets on Our Network

In this exercise, we’ll learn how to sniff packets on a specific wireless network. For simplicity, we’ll look at any unencrypted packets.

Follow the guidelines below to get started:

What Just Happened?

We have just sniffed data from the air using Wireshark and various filters. Since our access point wasn’t using any encryption, we could see all the data in plain text. This is a significant security issue because anyone within RF range of the access point, using a sniffer like Wireshark, can see all the packets.

Try It – Analyze Data Packets

Further analyze the data packets using Wireshark. You’ll notice that DHCP requests are generated by the client, and if a DHCP server is available, it will return an address. Then you’ll find ARP packets and packets from other protocols. Passively discovering hosts on a wireless network is as simple as this. It’s crucial to read the packet logs and reconstruct how applications on wireless hosts communicate with the rest of the network. One of the interesting features Wireshark provides is the ability to follow streams. This lets you view together all the packets that make up a single TCP conversation.

Additionally, try logging into and analyzing data traffic generated by other popular sites.

We will demonstrate how to inject packets into a wireless network.

Hands-On – Packet Injection

We use the aireplay-ng tool to carry out this exercise, which comes preloaded in Kali.

Follow the guidelines below to get started:

What Just Happened?

We have just used aireplay-ng to successfully inject packets into our test network environment. Note that our card injected these arbitrary packets into the network without actually connecting to the wireless access point.

Try It – Explore Aireplay-ng Tool

In later chapters, we will thoroughly explore packet injection. For now, please explore the other options the Aireplay-ng tool offers for injecting packets. You can use Wireshark to monitor the airspace to verify if the injection was successful.

2.2 Key Notes on WLAN Sniffing and Injection

WLANs typically operate in three different frequency ranges: 2.4 GHz, 3.6 GHz, and 4.9/5.0 GHz. Not all Wi-Fi cards support all three ranges and the associated bands. For example, Alfa cards only support IEEE 802.11b/g, which means such a card cannot handle 802.11a/n. The point is that to sniff or inject packets in a specific band, your Wi-Fi card must support that band.

Another interesting aspect of WIFI is that each band has multiple channels. Note that your WIFI card can only be on one channel at a time. You cannot tune your card to multiple channels simultaneously. This is akin to the radio in your car. At any given time, you can only tune it to one available channel. If you wish to listen to something else, you need to switch channels. The same principle applies to WLAN sniffing. This gives an important conclusion – we cannot sniff all channels simultaneously; we can only choose the channel we are interested in. This means, if the channel of the access point we are interested in is 1, we need to set our card to channel 1.

While we focused on WLAN sniffing, the principles of injection are the same. To inject packets into a specific channel, we need to tune the card to that channel.

Let’s now conduct some exercises to set the card to specific channels or perform channel hopping, set regulatory domains and power levels, among others.

Hands-On – Experimenting with Adapters

Follow the steps below carefully:

What Just Happened?

We’ve learned that wireless sniffing and packet injection depend on the support of the hardware. This is to say, we can only handle the bands and channels that the card supports. Additionally, a wireless card can only be on one channel at a time. This indicates that we can only sniff or inject one channel at a time.

Try It – Sniff Multiple Channels

If you need to sniff multiple channels at the same time, you’ll need multiple physical Wi-Fi cards. If you can acquire additional cards, try sniffing multiple channels simultaneously.

2.3 The Role of Regulatory Domains in Wireless Networks

The complexity of Wi-Fi doesn’t end here. Each country has its own policy for unlicensed spectrum allocation, which regulates the permitted power levels and the use of the spectrum. In the US, for instance, the FCC sets these rules, and anyone using a WLAN there must comply with them. In some countries, non-compliance with these regulations results in penalties.

Let’s now see how to find default regulatory settings and how to modify them as needed.

Hands-On – Experimenting with Adapters

Carefully follow these steps:

Insert the adapter, and you’ll see something like this. It displays the default regulatory settings that the card is using.

What Just Happened?

Each country has its own regulations for unlicensed wireless bands. When we set the regulatory domain to a specific country, our card follows the permitted channels and designated power levels. However, changing the card’s regulatory domain so that it operates on unauthorized channels and transmits at power levels higher than allowed is relatively easy.

Try It – Explore Regulatory Domain

Examine the various parameters you can set, such as channel, power, regulatory domain, and others. Use the command set on Kali. This will give you deep insight into configuring the card and altering its settings while in different countries.

Quiz – WLAN Packet Sniffing and Injection

Q1 What type of frame is responsible for authentication within WLANs?

Q2 What’s the name of the second monitor mode interface created using airmon-ng on?

Q3 What is the filter expression used to view non-beacons in Wireshark?

Summary

In this chapter, we made some crucial observations about WLAN protocols.

Management, control, and data frames are unencrypted, so anyone monitoring the airspace can easily read them. Note that data packet payloads can be protected with encryption for greater confidentiality. We discuss this in the next chapter.

By setting the card to monitor mode, we can sniff the entire airspace around us.

Since management and control frames lack integrity protection, tools like aireplay-ng make it easy to inject packets, either by modifying them or simply by replaying them.

Unencrypted data packets can also be modified and replayed onto the network. Even if the packets are encrypted, we can still replay them as WLANs are designed without packet replay protection.

In the next chapter, we will look at different authentication mechanisms used in WLANs, such as MAC filtering and shared authentication, among others. We’ll understand various security flaws through practical demonstrations.
