wiki:AdditionalInformation

Info on Scanning

Several parameters are used in the scanning procedure. These parameters may be specified by the user; many implementations have default values for these parameters in the driver.

BSSType (independent, infrastructure, or both)

Scanning can specify whether to seek out independent ad-hoc (computer to computer) networks, infrastructure networks, or all networks.

BSSID (individual or broadcast)

The device can scan for a specific network to join (individual) or for any network that is willing to allow it to join (broadcast). When 802.11 devices are moving, setting the BSSID to broadcast is a good idea because the scan results will include all BSSs in the area. BSSID stands for Basic Service Set ID.

SSID ("network name")

The SSID assigns a string of bits to an extended service set. Most products refer to the SSID as the network name because the string of bits is commonly set to a human-readable string. Clients wishing to find any network should set this to the broadcast SSID. The SSID is also known as the ESSID (extended service set ID).

Scan Type (active or passive)

Active scanning uses the transmission of Probe Request frames to identify networks in the area. Passive scanning saves battery power by listening for Beacon frames.

Channel List

Scans must either transmit a Probe Request or listen on a channel for the existence of a network. 802.11 allows stations to specify a list of channels to try. Products allow configuration of the channel list in different ways. What exactly constitutes a channel depends on the physical layer in use. With direct-sequence products, it is a list of channels. With frequency-hopping products, it is a hop pattern.

Probe Delay

This is the delay, in microseconds, before the procedure to probe a channel in active scanning begins. This delay ensures that an empty or lightly loaded channel does not completely block the scan.

Passive Scanning

Passive scanning saves battery power because it does not require transmitting. In passive scanning, a station moves to each channel on the channel list, waits for Beacon frames, and records information from any Beacons it receives; the buffered Beacons are then used to extract information about the BSS that sent them. Beacons are designed to allow a station to find out everything it needs to match parameters with the basic service set (BSS) and begin communications. Passive scanning can detect the presence of access points that have a "hidden SSID". Such access points do not send the SSID in Beacon frames, and only respond to Probe Requests that carry the access point's SSID.

A nice feature of passive scanning is that, because you are not transmitting, you will not alter the performance or behavior of networks around you.

Active Scanning

In active scanning, a station takes a more assertive role. On each channel, Probe Request frames are used to solicit responses from a network with a given name. Rather than listening for that network to announce itself, an active scan attempts to find the network. Probe Response frames are generated by networks when they hear a Probe Request that is searching for the extended service set to which the network belongs. Active scanning will not find access points with a "hidden SSID". Most simpler stumblers work this way: NetStumbler does, as does KisMAC with an active-mode driver, and so do MacStumbler and iStumbler.
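The two scan modes above differ in which frames a station gets to look at: a passive scan only ever sees Beacons, while Probe Responses carry the SSID even for an AP that hides it in its Beacons. The following is an added example (not KisMAC code) that parses the body of Beacon and Probe Response frames the way a scanner must, extracts the SSID, channel (DS Parameter Set) and BSS type (the ESS/IBSS capability bits), and merges what each frame reveals per BSSID. The frames are constructed in `build_frame`; the BSSIDs and SSIDs are made up.

```python
"""Added example (not KisMAC code): parse Beacon / Probe Response bodies as a passive
scanner would and merge what each frame reveals about a BSS. All frames are constructed."""
import struct

BEACON, PROBE_RESP = 0x80, 0x50           # first frame-control byte: type 0 (mgmt), subtype 8 / 5
MGMT_HDR = struct.Struct("<HH6s6s6sH")    # frame control, duration, addr1, addr2, addr3 (BSSID), seq ctrl
FIXED = struct.Struct("<QHH")             # timestamp, beacon interval (TU), capability info
IE_SSID, IE_DS_PARAMS = 0, 3              # information element ids: SSID, DS Parameter Set (channel)


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value information elements; keep the first occurrence of each tag."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, value)
        i += 2 + length
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the fields a scanner cares about from one Beacon or Probe Response frame."""
    if len(frame) < MGMT_HDR.size + FIXED.size:
        raise ValueError("too short for a Beacon or Probe Response")
    fc, _dur, _da, _sa, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    subtype = fc & 0xFC
    if subtype not in (BEACON, PROBE_RESP):
        raise ValueError(f"not a Beacon or Probe Response (frame control 0x{fc:04x})")
    _ts, interval, cap = FIXED.unpack_from(frame, MGMT_HDR.size)
    ies = parse_ies(frame[MGMT_HDR.size + FIXED.size:])
    ssid = ies.get(IE_SSID, b"")
    hidden = ssid.strip(b"\x00") == b""   # empty or all-NUL SSID element is a "hidden SSID"
    ds = ies.get(IE_DS_PARAMS)
    return {
        "subtype": "beacon" if subtype == BEACON else "probe_response",
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": ds[0] if ds and len(ds) == 1 else None,
        "bss_type": "infrastructure" if cap & 0x0001 else "independent" if cap & 0x0002 else "unknown",
        "privacy": bool(cap & 0x0010),    # capability bit 4: WEP/encryption in use
        "interval_tu": interval,
    }


def scan_summary(frames) -> dict:
    """Merge per BSSID: a hidden-SSID Beacon proves the AP exists, but its name is only
    learned from a frame that actually carries the SSID (here, a Probe Response)."""
    seen = {}
    for frame in frames:
        r = parse_mgmt_frame(frame)
        e = seen.setdefault(r["bssid"], {"ssid": None, "hidden_beacon": False,
                                          "channel": r["channel"], "bss_type": r["bss_type"],
                                          "privacy": r["privacy"]})
        if r["subtype"] == "beacon" and r["hidden"]:
            e["hidden_beacon"] = True
        if r["ssid"] is not None:
            e["ssid"] = r["ssid"]
    return seen


def build_frame(subtype: int, bssid: bytes, ssid: bytes, channel: int, cap: int = 0x0411) -> bytes:
    """Constructed test frame: broadcast destination, BSSID as source and BSSID, fixed fields,
    then an SSID element and a DS Parameter Set element. Default cap = ESS + privacy + short slot."""
    hdr = MGMT_HDR.pack(subtype, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = FIXED.pack(0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return hdr + fixed + ies


if __name__ == "__main__":
    bss = bytes.fromhex("021122334455")                      # constructed BSSID
    capture = [build_frame(BEACON, bss, b"\x00" * 7, 6),     # hidden-SSID Beacon
               build_frame(PROBE_RESP, bss, b"Lab-Net", 6)]  # Probe Response with the name
    print(scan_summary(capture))
```

Note that `hidden` treats both a zero-length SSID element and an all-NUL one as hidden; both forms occur in practice, and a scanner that only checks the length misclassifies the second.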

Injection

Injection is simply the capability to transmit raw frames from the application instead of through the OS in the normal fashion. Reinjection is a specific attack: resending particular frames back to the target network. Your network adapter must be capable of injection in order to do reinjection. See below under "Info on Attacks" for more about reinjection.

Info on Attacks

Deauthentication

Deauthentication terminates an authenticated relationship. Because authentication is required before network use is authorized, a side effect of deauthentication is the termination of any current association. When clients attempt to reassociate, they generate management frames containing the SSID of the network in question. If the network has a hidden SSID, these frames can be captured and the SSID extracted from them, so the SSID is revealed.

Deauthentication is a form of Denial of Service attack against clients. These attacks are often more effective than association and authentication attacks because wireless clients tend to accept anything that appears to come from an AP as valid. This type of client DoS can continue indefinitely, for as long as the attacker keeps sending frames. A deauthentication attack is more effective than a disassociation attack because it puts the client in a state of complete disconnection.

Authentication Flood

Wireless networks depend on additional authentication routines to ensure that users accessing the network are authorized to do so. Authentication is a necessary prerequisite to association because only authenticated users are authorized to use the network. In practice, though, many access points are configured for "open-system" authentication and will authenticate any station. Flooding a network with authentication frames attempts to force a response from the AP.

An authentication flood is one form of a Denial of Service (DoS) attack against APs. On each AP, the tables that store client connection information have a finite amount of memory and thus can only handle a limited number of wireless client connections. Once this memory fills up, most APs will no longer accept incoming association requests; some APs even crash. This is easier to accomplish when anybody can connect (i.e. open authentication). Authentication attacks are possible mainly because 802.11 management-frame requests and sequencing are not authenticated or monitored for anomalies.
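The last sentence above names the weakness that makes both of these attacks possible: management frames are neither authenticated nor monitored for anomalies. The monitoring half is something a defender can do from a monitor-mode sensor. The following is an added example (not KisMAC code) that flags the two patterns the Deauthentication and Authentication Flood sections describe, a burst of Deauthentication/Disassociation frames from one address and a large number of distinct client addresses authenticating to one AP within a short window, over a constructed list of frame summaries. The thresholds, window and all addresses are illustrative choices, not values from the page.

```python
"""Added example (not KisMAC code): rate-based detection of deauthentication bursts and
authentication floods over a constructed capture of (time, subtype, src, dst) records."""
from collections import defaultdict, deque

# 802.11 management subtypes as the first frame-control byte
AUTH, DISASSOC, DEAUTH = 0xB0, 0xA0, 0xC0
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_mgmt_anomalies(events, window_s=1.0, deauth_threshold=10, auth_clients_threshold=20):
    """events: iterable of (time_s, subtype, src, dst) in time order, as a monitor-mode capture
    would yield them. Returns one alert per (kind, address) the first time a threshold is crossed."""
    alerts = []
    deauth_times = defaultdict(deque)   # src -> timestamps of recent deauth/disassoc frames
    auth_seen = defaultdict(deque)      # dst (the AP) -> recent (time, src) authentication frames
    fired = set()
    for t, subtype, src, dst in events:
        if subtype in (DEAUTH, DISASSOC):
            q = deauth_times[src]
            q.append(t)
            while q and t - q[0] > window_s:   # slide the window
                q.popleft()
            if len(q) >= deauth_threshold and ("deauth_burst", src) not in fired:
                fired.add(("deauth_burst", src))
                alerts.append({"kind": "deauth_burst", "address": src, "count": len(q),
                               "broadcast": dst == BROADCAST, "at": t})
        elif subtype == AUTH:
            q = auth_seen[dst]
            q.append((t, src))
            while q and t - q[0][0] > window_s:
                q.popleft()
            clients = {s for _, s in q}        # many *distinct* stations is the flood signature
            if len(clients) >= auth_clients_threshold and ("auth_flood", dst) not in fired:
                fired.add(("auth_flood", dst))
                alerts.append({"kind": "auth_flood", "address": dst, "count": len(clients), "at": t})
    return alerts


def constructed_capture():
    """Constructed sample: a little normal traffic, then 15 broadcast deauths carrying the AP's
    address within 0.75 s, then 25 never-seen client addresses authenticating within 0.25 s."""
    ap = "00:11:22:33:44:55"
    events = [(0.0, AUTH, "02:aa:bb:cc:dd:01", ap),
              (5.0, AUTH, "02:aa:bb:cc:dd:02", ap),
              (9.0, DEAUTH, ap, "02:aa:bb:cc:dd:01")]          # a single, ordinary deauth
    events += [(20.0 + i * 0.05, DEAUTH, ap, BROADCAST) for i in range(15)]
    events += [(40.0 + i * 0.01, AUTH, f"02:00:00:00:00:{i:02x}", ap) for i in range(25)]
    return events


if __name__ == "__main__":
    for alert in detect_mgmt_anomalies(constructed_capture()):
        print(alert)
```

The deauthentication rule keys on the source address because the frames of a deauthentication attack claim to come from the AP; a broadcast destination is recorded separately since a legitimate AP rarely deauthenticates everyone at once. The authentication-flood rule counts distinct sources rather than frames, since a single misbehaving client retrying authentication is a different (and far less serious) event than the table exhaustion the section describes.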

Packet Reinjection

802.11 requires frame retransmissions in the case of loss, so it may be possible for an attacker to retransmit a captured frame, or inject a replacement frame, and have it accepted as legitimate. Frames on wireless networks can easily be tampered with or forged outright, and the protocol does not provide a way to easily stop or even detect such attacks. Acknowledgment (ACK) and Address Resolution Protocol (ARP) frames are the ones likely to generate responses from the client and AP. If these are reinjected very fast, lots of traffic with different IVs will be captured, enabling the network to be cracked a lot faster.

The ARP Request

The first step in the process is an ARP request to get the MAC address of the default router, 192.168.xxx.xxx. ARP requests are normally broadcast to the local network. On a wireless network, though, different procedures apply. To start with, the ARP request takes more than one frame on the wireless network. Like all ARP requests, it is sent to the broadcast address. However, the BSSID keeps the broadcast from being replicated to wireless stations attached to other BSSs in the area.

The ARP Reply

Once the frame reaches the wired network, the default router can reply. The Reply frame originates from the wired network. The frame retains its source address from the wired network.

Info on Antennas

Gain

The gain of the antenna is the extent to which it enhances the signal in its preferred direction. Antenna gain is measured in dBi, which stands for decibels relative to an isotropic radiator. An isotropic radiator is a theoretical beast that radiates equally in all directions. I've never seen a specification for the gain of the built-in antenna on a wireless card, but I would guess that it's negative (i.e., worse than an isotropic radiator). A rough guess for the Aluminum PowerBook's internal antennas would be about 3 dBi. Simple external antennas typically have gains of 3 to 7 dBi. Specialized external antennas can have gains of 9-12 dBi. Directional antennas can have gains as high as 24 dBi or more, even as high as 48 dBi (but such antennas violate the maximum EIRP if used to transmit and are thereby illegal).

Antenna Types

The antenna type determines its radiation pattern - is it omnidirectional, bidirectional, or unidirectional? Omnidirectional antennas are good for covering large areas; bidirectional antennas are particularly good at covering corridors; unidirectional antennas are best at setting up point-to-point links between buildings, or even different sites.

Vertical

This is a garden variety omnidirectional antenna. Most vendors sell several different types of vertical antenna, differing primarily in their gain; you might see a vertical antenna with a published gain as high as 10 dBi or as low as 3 dBi. How does an omnidirectional antenna generate gain? Remember that a vertical antenna is omnidirectional only in the horizontal plane. In three dimensions, its radiation pattern looks something like a donut. A higher gain means that the donut is squashed. It also means that the antenna is larger and more expensive, though no antennas for 802.11 service are particularly large.

Dipole

A dipole antenna has a figure eight radiation pattern, which means it's ideal for covering a hallway or some other long, thin area. Physically, it won't look much different from a vertical - in fact, some vertical antennas are simply vertically mounted dipoles.

Yagi

A Yagi antenna is a moderately high-gain unidirectional antenna. It looks somewhat like a classic TV antenna. There are a number of parallel metal elements at right angles to a boom. Yagi antennas for 802.11 service have gains between 12 and 18 dBi; aiming them is not as difficult as aiming a parabolic antenna, though it can be tricky.

Parabolic

This is a very high-gain antenna. Because parabolic antennas have very high gains, they also have very narrow beam widths. You would probably use a parabolic antenna only for a link between buildings; because of the narrow beam width, they are not very useful for providing services to end users. Vendors publish ranges of up to 20 miles for their parabolic antennas.

Cabling

Most vendors sell two kinds of cable: relatively inexpensive thin cable (typically 0.1 inch in diameter) and "low-loss cable" that's substantially thicker (typically 0.4 inch) and much more expensive. The thin cable is usually available only in lengths of a couple of feet, and that's as it should be: it is very lossy, and more than a few feet can easily eat up your entire signal. It's intended for connecting a wireless card in a laptop to a portable antenna on your desktop, and that's all. To put numbers behind this: one vendor specifies a loss of 2.5 dB for a 2-meter cable. That means that close to half of your signal strength is disappearing in just two meters of cable.

What does the picture look like when you're using a real low-loss cable? Significantly better, but maybe not as much better as you would like. A typical low-loss cable still has a loss of 6.8 dB per 100 feet. This means that, in a 100-foot length of cable, over three quarters of your signal is lost. The moral of the story is clear: keep your access points as close as possible to your antennas.

If you decide to use an 802.11a product, which operates at 5 GHz, be aware that cable loss will be an even more significant issue. Losses increase with frequency, and coaxial cable isn't particularly effective at 2.4 GHz, let alone 5 GHz.

For more on antennas and cabling, see Cisco's Aironet Antenna Reference Guide (linked from the front page).

Info on 802.11

CRCs

Cyclic redundancy checks (CRCs) are not cryptographically secure. CRC calculations are straightforward mathematics, and it is easy to predict how changing a single bit will affect the result of the CRC calculation. The CRC is a check value generated by applying a polynomial to the pattern of bits that make up the frame: a generator polynomial is applied to the contents of the destination, source, type (or length), and data fields. As the transmitting station generates the frame, the CRC value is calculated at the same time. The 32 bits that result from this calculation are placed in the FCS field as the frame is sent. The x^31 coefficient of the CRC polynomial is sent as the first bit of the field and the x^0 coefficient as the last bit.

WEP uses a 32-bit cyclic redundancy check (CRC) as an integrity check value (ICV). The ICV detects any changes (malicious or inadvertent) in the transmitted message's underlying plain text. Unfortunately, while a CRC easily detects most inadvertent changes, it does not provide integrity or message authenticity capabilities against malicious changes. Thus, an attacker can easily modify messages protected by a CRC.

A CRC uses the mathematics of finite fields, more specifically GF(2). Fortunately, the mechanics (not the mathematics) of how a CRC works are easily explained. A message M that is n + 1 bits long can be represented as an nth-degree polynomial, M(x). For instance, consider a message consisting of only the single ASCII letter "O", which is represented in binary as 01001111. The polynomial corresponding to this message is 0·x^7 + x^6 + 0·x^5 + 0·x^4 + x^3 + x^2 + x + 1, or x^6 + x^3 + x^2 + x + 1.

For a CRC to work, both the sender and the recipient must agree upon a polynomial G(x) of degree m that will be used to calculate the CRC. This polynomial is used as a divisor for the message. The WEP CRC polynomial is G(x) = x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1, with m = 32. Transmitting an (n + 1)-bit message M also transmits an additional m bits, for a total message length of n + m + 1 bits. We'll call the message and the additional m bits the polynomial P(x). The m + 1 bits added to the original message make P(x) divisible by G(x) with a remainder of 0. The m + 1 bits are determined by increasing the degree of M(x) by m, that is, by multiplying M(x) by x^m to obtain M'(x), and then dividing M'(x) by G(x). The remainder, if any, is then subtracted from M'(x), resulting in P(x), the transmitted value of n + m + 1 bits.

Verification of the CRC by the recipient involves a similar process. The recipient divides P(x) by G(x), and if the remainder is 0, the message does not contain unintentional errors. The key word here is unintentional, because CRCs do not prevent the introduction of intentional errors when the attacker knows G(x). The attacker only needs to modify M(x) and calculate new m + 1 bits, just as the sender did.
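The construction in the last three paragraphs, carried out in code as an added example (not KisMAC code): the page's "O" message rendered as a polynomial, the WEP G(x), the multiply-by-x^m-and-divide recipe, the receiver's divisibility check, and the linearity property that makes the effect of a changed bit predictable (shown against the real 802.11 FCS, which is CRC-32 with this same G(x) plus the IEEE bit-reflection, all-ones preset and final inversion, exactly what `zlib.crc32` computes). For contrast it ends with a keyed MAC (HMAC-SHA256, chosen here only as an illustration of what a CRC is not), where a modified message cannot have its check value recomputed without the key. The message bytes and key are constructed.

```python
"""Added example (not KisMAC code): the CRC construction described on the page, the "O"
polynomial, the linearity that defeats it as an integrity check, and a keyed MAC for contrast."""
import hashlib
import hmac
import zlib

# The page's G(x) as an integer whose bit i is the coefficient of x^i (33 bits, degree m = 32).
G = 0x104C11DB7
M = 32


def poly_str(p: int) -> str:
    """Render a GF(2) polynomial (bit i = coefficient of x^i) in the page's notation."""
    terms = [("1" if d == 0 else "x" if d == 1 else f"x^{d}")
             for d in range(p.bit_length() - 1, -1, -1) if (p >> d) & 1]
    return " + ".join(terms) if terms else "0"


def poly_mod(a: int, g: int) -> int:
    """a(x) mod g(x) over GF(2): long division in which subtraction is XOR."""
    deg_g = g.bit_length() - 1
    while a.bit_length() - 1 >= deg_g:
        a ^= g << (a.bit_length() - 1 - deg_g)
    return a


def textbook_crc(msg: bytes) -> int:
    """The page's recipe: M'(x) = M(x) * x^m, CRC = remainder of M'(x) divided by G(x)."""
    return poly_mod(int.from_bytes(msg, "big") << M, G)


def append_crc(msg: bytes) -> bytes:
    """P(x) = M'(x) - remainder; over GF(2) that is simply the message followed by the CRC."""
    return msg + textbook_crc(msg).to_bytes(M // 8, "big")


def verify_crc(p: bytes) -> bool:
    """Receiver check: P(x) divisible by G(x) means no *unintentional* error."""
    return poly_mod(int.from_bytes(p, "big"), G) == 0


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fcs(msg: bytes) -> int:
    """The real 802.11 FCS: CRC-32 with the same G(x) plus bit reflection, all-ones preset
    and final inversion, which is exactly what zlib.crc32 implements."""
    return zlib.crc32(msg)


def predicted_fcs_after_xor(msg: bytes, delta: bytes) -> int:
    """CRC is linear over GF(2): the FCS of (msg XOR delta) follows from fcs(msg), fcs(delta)
    and fcs(all-zero bytes of the same length) alone. This is what the page means by "easy to
    predict how changing a single bit will affect the result"."""
    return fcs(msg) ^ fcs(delta) ^ fcs(bytes(len(msg)))


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """Contrast: a keyed MAC (HMAC-SHA256, an illustrative choice). Any change to msg fails
    verification, and the tag cannot be recomputed without the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


if __name__ == "__main__":
    print("M(x) for 'O' =", poly_str(0x4F))
    print("G(x) =", poly_str(G))
    p = append_crc(b"O")
    print("P divisible by G:", verify_crc(p), " after a bit flip:", verify_crc(bytes([p[0] ^ 1]) + p[1:]))
```

`poly_mod` is the whole of the mechanics the page describes: shift the generator under the leading term and XOR, until the remainder has degree below m. `predicted_fcs_after_xor` is the check a reviewer of any CRC-based "integrity" scheme should run: if the check value of a modified message can be computed from the modification alone, the scheme detects noise, not an adversary.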