Today we’ll be setting up an environment which will allow us to easily dissect a beacon frame, as well as the other three types of management frames: probe, authentication and association. As you know we’ve covered the 3 types of wireless frames: management, control and data. Last week we went over one of the 4 types of management frames — the beacon.
To recap the demo: we began by bringing up our NIC (ifconfig wlan0 up) and starting a monitor mode interface on channel 11 (airmon-ng start wlan0 11), then using the MDK3 tool we created beacon frames advertising our SSID of choice (mdk3 mon0 b -c 11 -n haktip).
Now if we bring up an additional wireless interface (ifconfig wlan5 up) we can scan for nearby access points (iwlist wlan5 scan | grep ESSID) and see those beacon frames in action.
This week we’re going to be using airbase-ng and wireshark to put together a nice little wireless packet sniffing environment so that we can better understand management frames.
Airbase-ng is a tool that comes bundled with the aircrack-ng suite. Like many of the aircrack tools it serves multiple purposes. This versatile little tool is mainly aimed at wireless clients or stations rather than access points or base stations. It can be used in a wide array of wireless phishing attacks allowing one to obtain WPA handshakes or WEP keys. It can also cause all sorts of mayhem to access points and clients nearby, so use with caution.
In today’s example we’ll be using the simplest function, and that is mimicking a wireless access point.
You can find the full syntax of the tool by issuing airbase-ng --help. The only parameters we’ll be specifying in our example will be the channel and ESSID: airbase-ng -c 11 -e haktip mon0
The first thing we see when using airbase-ng in this mode is the report “Created tap interface at0”.
Every time airbase-ng is started a tap interface is created. It isn’t brought up by default, but simply issuing ifconfig at0 up will bring it to life. The neat part about this interface is that even with WEP encryption enabled this tap interface will always show incoming packets after decryption. You can also send packets to this interface and they’ll go out encrypted, if the “-w” option is set.
The next thing listed is airbase-ng setting the MTU, or Maximum Transmission Unit, to 1500. This is the maximum size an IP packet can be before it gets split up into multiple packets. For Ethernet v2 this is the highest setting possible. You may see MTUs of up to 9000, but only with Jumbo Frames on a gigabit LAN.
Finally airbase-ng reports that the access point has been brought up using the BSSID of the NIC. If we want, we can specify a different BSSID with the “-a” option or simply use macchanger beforehand.
Ok, so we have our fake AP with the SSID “haktip” running, so let’s copy the BSSID into our clipboard and start up Wireshark (wireshark &).
We’ll select the mon0 interface to listen to and start. Now that we have a few packets let’s stop sniffing and apply a filter.
To add a filter to Wireshark come up here to the filter bar and enter the expression. In this case I only want to see frames to or from the BSSID of our haktip access point, so enter wlan.addr == BSSID, and I’m only interested in beacon frames, so I’ll add && wlan.fc.type_subtype == 0x08
If we open the first frame we can see that it is in fact the type 0x08, or “Beacon”. The destination is Broadcast so it’s being sent out for everyone to hear. We have our source address and a sequence number. Wireshark also knows it’s a wireless management frame, so if we expand that we’ll see capability information under fixed and tagged parameters. This beacon is saying, among other things, that it cannot support WEP, and that OFDM modulation isn’t allowed. Under tagged parameters we’ll notice that the SSID is set to haktip, the supported data rates are 1, 2, 5.5 and 11 Mb/s as well as rates 6, 9, 12, 18, 24, 36, 48 and 54 indicating that it’s an 802.11g network, and finally that the channel is set to 1.
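To make the Wireshark view above concrete, here is an added example (not part of the original HakTip, and not aircrack-ng or Wireshark code) that does the same dissection by hand in Python: it parses the 802.11 management header, applies the equivalent of the wlan.addr == BSSID && wlan.fc.type_subtype == 0x08 filter, and then walks the beacon body’s fixed fields (capability information, including the privacy bit that says whether WEP/WPA is in use) and tagged parameters (SSID, supported and extended rates, DS channel). The beacon and probe-request bytes are constructed sample frames with a made-up BSSID of 00:11:22:33:44:55, and the radiotap-stripping helper assumes the standard radiotap header layout that monitor-mode captures from mon0 carry in front of each frame.

```python
import struct

# Information element IDs found in a beacon body (IEEE 802.11)
IE_SSID, IE_RATES, IE_DS_PARAMS, IE_EXT_RATES = 0, 1, 3, 50


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def strip_radiotap(buf):
    """Monitor-mode captures prepend a radiotap header; its length is a LE u16 at offset 2.
    Assumption: version byte is 0 as in every radiotap header in use today."""
    if len(buf) >= 4 and buf[0] == 0:
        it_len = struct.unpack_from("<H", buf, 2)[0]
        return buf[it_len:]
    return buf


def parse_80211_header(frame):
    """Parse the 24-byte management-frame MAC header; returns (fields, body offset)."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3          # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0xF        # 8 = beacon, 4 = probe req, 11 = authentication
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "type": ftype,
        "subtype": subtype,
        # Same value Wireshark shows in wlan.fc.type_subtype (beacon -> 0x08)
        "type_subtype": (ftype << 4) | subtype,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "frag": seq_ctrl & 0xF,
        "seq": seq_ctrl >> 4,
    }, 24


def parse_rates(data):
    """Rate IEs are in 500 kb/s units; bit 7 marks a 'basic' rate and is masked off here."""
    return [(b & 0x7F) / 2 for b in data]


def parse_beacon_body(body):
    """Fixed parameters (timestamp, interval, capability) then tagged parameters (IEs)."""
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "ess": bool(cap & 0x0001),       # infrastructure network
        "privacy": bool(cap & 0x0010),   # clear on an open AP: no WEP/WPA required
        "rates": [],
    }
    off = 12
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        val = body[off + 2: off + 2 + elen]
        if len(val) < elen:              # truncated IE: stop rather than mis-parse
            break
        if eid == IE_SSID:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid in (IE_RATES, IE_EXT_RATES):
            info["rates"] += parse_rates(val)
        elif eid == IE_DS_PARAMS and elen == 1:
            info["channel"] = val[0]
        off += 2 + elen
    return info


def match_filter(hdr, bssid, type_subtype=0x08):
    """Equivalent of: wlan.addr == BSSID && wlan.fc.type_subtype == 0x08"""
    return bssid.lower() in (hdr["da"], hdr["sa"], hdr["bssid"]) and hdr["type_subtype"] == type_subtype


def dissect(frame, bssid_filter=None):
    """Return parsed fields for a frame, or None when it does not pass the filter."""
    hdr, off = parse_80211_header(frame)
    if bssid_filter and not match_filter(hdr, bssid_filter):
        return None
    if hdr["type"] == 0 and hdr["subtype"] == 8:
        hdr.update(parse_beacon_body(frame[off:]))
    return hdr


# Constructed sample beacon: open AP "haktip" on channel 11, 802.11g rate set, seq 100
SAMPLE_BEACON = (
    bytes.fromhex("8000 0000 ffffffffffff 001122334455 001122334455 4006")   # MAC header
    + bytes.fromhex("0000000000000000 6400 0100")                           # timestamp, 100 TU, cap=ESS
    + bytes([IE_SSID, 6]) + b"haktip"
    + bytes([IE_RATES, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])   # 1,2,5.5,11 basic; 6,9,12,18
    + bytes([IE_DS_PARAMS, 1, 11])
    + bytes([IE_EXT_RATES, 4, 0x30, 0x48, 0x60, 0x6C])                     # 24,36,48,54
)
# Constructed probe request from an unrelated station (filtered out by BSSID)
SAMPLE_PROBE = bytes.fromhex("4000 0000 ffffffffffff aabbccddeeff ffffffffffff 1000") + bytes([IE_SSID, 0])

if __name__ == "__main__":
    for f in (SAMPLE_BEACON, SAMPLE_PROBE):
        print(dissect(f, bssid_filter="00:11:22:33:44:55"))
```

On a real capture from mon0, call strip_radiotap on each packet before dissect; the 4-byte FCS, if the driver delivers it, simply trails the last IE and is ignored by the length-checked IE loop.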
And as always we value your feedback and suggestions. If you have a tip to share with me, email email@example.com or leave a comment.
And be sure to check out our sister show, Hak5 for more great stuff just like this.