Today we’re diving into the do-dads that make up 802.11, or to be more specific we’ll be going over WiFi frames. It is with careful use or abuse of these frames we’re able to acomplish some pretty nifty tricks.

Download HD Download MP4 Download WMV

If you’re not familiar a frame is simply a data packet. For example, on an Ethernet network a frame is a bunch of data sent from a network card consisting of a header, a payload, and an integrity check of some sort.

The payload itself is simply a protocol packet, typically of the IP variety but it could be anything. The payload is encapsulated, or enclosed, within elements that make up the frame overhead. For example, an 802.3 ethernet frame will begin with the source and destination MAC addresses, as well the EtherType, which is basically a field that defines what kind of protocol is inside. Think of it as the envelope on a letter. The frame will end with a Frame Check Sequence which is a special checksum of the frame. The receiving party uses the Frame Check Sequence to verify the integrity of the frame as a whole. If something gets borked — due to, say, interference on the line — the receiving party will ask for the sender to resend the frame.

Now for the most part 802.11 frames, or WiFi frames, work very similarly and it is with careful use or abuse of these frames we’re able to acomplish some pretty nifty tricks. So, as always, on to the terms.

Now without getting into every octet or bit within a frame, suffice it to say that WiFi frames are made up of the same kind of stuff as Ethernet frames. They contain source and destination MAC addresses. They’ll also contain control fields for specifying what version of the 802.11 protocol they’re using. Again the payload could be anything, like the millions of TCP or UDP packets that make up this video, then they finally end with a frame check sequence.

There are three major kinds of frames in 802.11. Management frames, Control Frames, and Data frames.

Let’s begin with Management frames. There are four types of management frames: Beacon, Probe, Association and Authentication.

A beacon frame is one that an access point or base station preiodically sends out announcing its presence to the world. It will include things like the SSID or service set identifier. We’ll get into the specifics of these in greater detail soon.

The next type of management frame is a probe. Probes come in two flavors: requests and responses. A probe request is one that usually comes from a client. Think of it as your laptop or iphone calling out for an access point, asking whether it’s within range, or trying to get details from an access point it has seen a beacon from.

The probe request is typically followed by a probe response. The access point will send one of these when it hears a probe request. The response will include data pertinent to establishing a connection, such as what data rates that the station supports.

The next type of management frame is association. These come in three flavors: association requests, association responses and disassociation frames.

Association requests are simply that. It’s a frame sent from one station to another asking if they can be friends. They’ll say, among other things, “hey, can you allocate some memory for me” and “let’s synchronize our watches so we can more effectively communicate.”

An association request frame is typically followed by an association response frame, which will either be acceptance — “Sure, let’s be friends!” or rejection.

When two stations want to say “peace out yo” they send a disassociation frame. It’s a polite thing to do as it allows the other party to unallocate memory and other such clean up functions.

The final kind of management frame is authentication. These come in two flavors, authentication and deauthentication.

The aptly named authentication or auth frames begin the process of authentication. In the case of an open access point only two auth frames are exchanged, one asking for access and one saying “come on in ‘pardner”. In the case of the pathetically weak WEP authentication standard the client will send an auth frame asking for access, the station will respond with an auth frame containing bit of text. This is known as a challenge. And finally the client will send a version of that text back having encrypted it with the WEP key.

The authentication process for WPA and WPA2 are a lot more complex and we’ll get to those as this series progresses.

This brings us to the last management frame: deauthentication or deauth. A deauth frame is sent from one station to another to terminate a secure session. The stations may still be associated, but effectively they’re not speaking to one another.

With Management frames covered, let’s go over the last two types of frames: Control and Data.

Control frames come in three varities: Request to Send, Clear to Send, and Acknowledgement frames.

A request to send or RTS fame, as the name would imply, is a short little frame that one station sends to another asking if it can send a data frame. It’s the first part of the two-way handshake that make up tbe beginning of any data transmission.

The second part of the handshake is the Clear to Send or CTS frame. If the station isn’t busy doing other things it’ll send one of these in response to an RTS. The neat thing about this frame is that it’ll specify an amount of time for which the two stations can communicate. The other stations in the area observe this and wait patiently. This minimizes interruptions that would otherwise cause interference resulting in resends and an overall degradation of network performance.

And finally after the RTS / CTS handshake has taken place and the data frames have been sent the receiving station will issue an Acknowledgement or ACK frame. This lets the sender know that everything was received in good condition. If the receiver checks the integrity of the data frames and something is borked it will simply withhold the ACK frame, causing the sender to retry.

And the last frame, as we just mentioned, is the data frame. Containing anything you like inside, these guys are the workhorses of WiFi. Of course they wouldn’t exist without the diligent work of the management and control frames, so, good job everyone. Let’s have some cake!

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

With more than 23 million members, Netflix is the world’s largest subscription service instantly streaming TV episodes and movies over the Internet. For one low monthly price, Netflix unlimited members can instantly watch TV episodes & movies streaming to their TVs and computers. With Netflix you can cancel anytime. Netflix unlimited members can instantly watch thousands of titles on a vast array of devices streaming TV episodes and movies like Microsoft’s Xbox 360, Sony’s PS3 game console and the Nintendo Wii console. Find movies you love – easily! As a Netflix unlimited member you can instantly watch as many movies as you want anytime you want for one low monthly price! You can cancel anytime. Get your FREE Trial membership. Go to netflix.com/hak5 and sign up NOW. Be sure to use this URL so that they know we sent you!

This segment with Darren he demos a couple of tools for us linux folks.

Again the premise is all the same. We’ll be using command line tools to tell our victim we’re the router, and vise versa.

The tools we’ll be using are the dsniff suite and driftnet. If you don’t already have ‘em and you’re rocking Ubuntu it’s simply a matter of issuing sudo apt-get install driftnet dsniff

Before we get our attack started we’ll need to enable packet forwarding. This means we’ll allow the traffic of our targets to flow through our machine.

killall arpspoof

This segment Darren goes over some of the tools to do some interesting things with DNS and hak6.org.

Space cadet Darren explains a bit of the design and characteristic of DNS.

This is more of just a guide to how DNS works and explanation of many of its components.

In this high as a kite edition of Hak5 Darren takes you on an adventure through the wonderful world of DNS. Explore the vast and intricate details of our beloved Domain Name System while exploiting mis-configured routers, brute forcing, and even looking up Wikipedia entries from TXT records.

Download HD Download MP4 Download XviD Download WMV

Keep up with the latest on Hak5 by follow us on Twitter or Facebook. Subscribe and get your weekly technolust delivered automatically. Or show your support and grab some swag from the HakShop – including the new airport friendly WiFi Pineapple and hoodie. Finally if you’d like to suggest a topic for ask a question feel free to hit up feedback@hak5.org.

With a mixture of in-studio and on location in Dublin this week we’re talking to Robin Wood about DHCP Exhaustion and DNS Man-in-the-Middle attacks, talking Metasploit modules and a Pineapple Monkey half-breed.

Download HD Download MP4 Download XviD Download WMV

DHCP Exhaustion and DNS Man-in-the-Middle Attacks

Rather than your typical ARP based Man-In-The-Middle attack, Robin wood brings us two metasploit modules for both denial of service attacking a DHCP server and deploying a rogue DHCP server of your own with a DNS MiTM to boot. Check out the Metasploit DNS and DHCP Exhaustion – BETA at Digininja.org.

The JasagerInterceptor – a Pineapple Monkey mashup

This week we take a look within the community and highlight some of the awesome work done by Beakmyn. In an answer to Deathray’s thread on a Jasager with a network tap like the Interceptor, he brings you just such project. Behold the JasagerInterceptor. I’ve seen it with my own eyes at Shmoocon and I must say it’s a nifty bit of kit.

Jenn Cutter of Open Alpha fame joins us to talk about recent developments in PSP hacking and homebrew. Matt’s got answers to your questions about rolling your own Storage Area Network for all your virtualization needs, and Darren’s filtering packets in the console with ngrep.

Download HD Download MP4 Download XviD Download WMV

While Shannon’s on vacation our friend Jenn Cutter from Open Alpha joins us to talk about the recent developments in PSP hacking and homebrew.

The PSP homebrew scene has grown more interesting over the past little while since the user base has been sectioned off into different camps based on the particular unit they purchased and whatever firmware they are using. Thanks to the efforts of Team Typhoon, ChickHEN (homebrew enabler) permits owners of all models to run the unofficial apps and games they’ve grown to love without touching the flash of the PSP, so there’s no worrying about turning it into a brick. No one likes expensive bricks. Keep in mind that ChickHEN is not a piracy tool so don’t expect to run any type of backups though it. Davee has the lowdown on the latest release which can be downloaded here. If you are curious or sceptical, feel free to check out video proof that it works on PSP 3000s.

–Jenn Cutter

Matt answers your questions about storage area networks and recommends QNAP. If you’re feeling hands on rolling your own is a great option too. Matt points out his favorite hardware like 3Ware RAID cards, Transcend IDE Flash Modules, and the Intel Storage Server SSR212MC2. Software wise it’s worth investigating Freenas, and SAN Melody.

Continuing on with Eighty‘s segment on extracting windows executables from packet captures and Mubix‘s segment on network tap analizers, Darren’s taking a look at the open source tool ngrep. If you’re familiar with grep you’ll be at home with this tool. Darren demonstrates using the tool to filter packets from a live capture using a Network Monkey. Alternatively it can be used with pcap files.

Don’t forget to check out our latest contest at Hak5.org/yourlan where the most creative network will win cozy Hak5 gear from our newly opened HakShop

Matt shows us how to turn anything into a service and provide a web frontend to manage them windows server, great for game server administration. Chris Gerling wraps up his three part series on Packet Sniffing with Wireshark techniques for packet filtering. Darren harnesses the CPU power of the HakHouse for good or evil to demonstrate cluster computing. Plus details on our Hak5 Halloween LAN Party!
[ MP4 | XviD | WMV ]

Watch

Show Notes

Matt Lestock turns any windows application into a service using instsrv and srvany and demonstrates how we use this technique, coupled with Panel Daemon to delegate game server administration at the Hak5 playground.

Chris Gerling shows us some packet filtering techniques using the network analyzer Wireshark. He covers capture filters, display filters, colors and statistics. Read more on packet sniffing on his blog at ChrisGerling.com

Darren Kitchen talks about parallel computing. He touches on grid computing and massively parallel processors though he mainly focuses on clustering. Darren demonstrates simple windows password cracking techniques using an openMosix based image and discusses the theory behind setup. Darren has a lot of further reading for you to check out on his blog and would like to hear your feedback about building the Hak5 beowulf cluster!

And on a production note: We’ve switched over from a standard-def composite based video mixing solution to a high-def HDMI based system. Unfortunately until we get a Mac Pro and switch to Final Cut Pro for editing we’re unable to release a 720p version of Hak5. But we’re well on our way to bringing you guys truly high def technolust thanks to everyone who has continued to support this cause. Thanks!

Chris Gerling breaks down IP and TCP headers with Wireshark and building blocks. Shannon Morse shows us DosBox, a free IBM PC DOS emulator. Christine Bourquin talks about Alice, a teaching programming language for beginners. Darren Kitchen summarises his experience at Day-Con and answers some questions about Fon batteries. [ MP4 | XviD | WMV ]

Watch

Show Notes

Chris Gerling dives into the structure of IP and TCP headers in part two of his three part series on packet sniffing. He covers everything from source ports to checksums and everything inbetween offering insight into TCP packets in plain English. Then in part three he covers basic Wireshark usage and advanced techniques. Read more on packet sniffing on his blog at ChrisGerling.com

Shannon Morse shares with us DosBox, the free and open source IBM PC emulator that allows you to break out those old floppies and play your DOS games once again. While we wait for DNF, anyone for a Duke Nukem 3D deathmatch?

Christine Bourquin demos Alice, an innovative 3D programming language that makes it easy to teach programming using a simple drag-and-drop interface. Perfect for the next generation of computer scientists.

Darren Kitchen brings us his review of Day-Con with photos courtesy of the security twits. He also talks about Jasager batteries both big and small.

And on a production note: We’ve switched over from a standard-def composite based video mixing solution to a high-def HDMI based system. We’re not ready to release the full 720p quite yet as we’re ironing out (read: developing on the fly) the post production process but in the mean time we’ve got damn good looking 480p and we’re looking for your feedback. Thanks a million to everyone who has donated and helped make this happen!