Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems...
Today we're diving into the doodads that make up 802.11, or, to be more specific, WiFi frames. It is with careful use, or abuse, of these frames that we're able to accomplish some pretty nifty tricks.
If you're not familiar, a frame is simply a data packet at the link layer. For example, on an Ethernet network a frame is a bunch of data sent from a network card, consisting of a header, a payload, and an integrity check of some sort.
The payload itself is simply a protocol packet, typically of the IP variety, but it could be anything. The payload is encapsulated, or enclosed, within the elements that make up the frame overhead. For example, an 802.3 Ethernet frame begins with the source and destination MAC addresses, as well as the EtherType, which is basically a field that defines what kind of protocol is inside. Think of it as the envelope on a letter. The frame ends with a Frame Check Sequence, which is a special checksum of the frame. The receiving party uses the Frame Check Sequence to verify the integrity of the frame as a whole. If something gets borked -- due to, say, interference on the line -- the receiving party will ask the sender to resend the frame.
Now, for the most part, 802.11 frames, or WiFi frames, work very similarly, and it's the careful use, or abuse, of these frames that lets us pull off those nifty tricks. So, as always, on to the terms.
Now, without getting into every octet or bit within a frame, suffice it to say that WiFi frames are made up of the same kind of stuff as Ethernet frames. They contain source and destination MAC addresses. They also contain control fields specifying what version of the 802.11 protocol they're using. Again, the payload could be anything, like the millions of TCP or UDP packets that make up this video, and they finally end with a frame check sequence.
There are three major kinds of frames in 802.11: management frames, control frames, and data frames.
Let's begin with management frames. There are four types of management frames: beacon, probe, association, and authentication.
A beacon frame is one that an access point or base station periodically sends out announcing its presence to the world. It will include things like the SSID or service set identifier. We'll get into the specifics of these in greater detail soon.
The next type of management frame is a probe. Probes come in two flavors: requests and responses. A probe request is one that usually comes from a client. Think of it as your laptop or iPhone calling out for an access point, asking whether one is within range, or trying to get details from an access point it has seen a beacon from.
The probe request is typically followed by a probe response. The access point sends one of these when it hears a probe request. The response includes data pertinent to establishing a connection, such as the data rates the station supports.
The next type of management frame is association. These come in three flavors: association requests, association responses, and disassociation frames.
Association requests are simply that. It's a frame sent from one station to another asking if they can be friends. They'll say, among other things, "hey, can you allocate some memory for me" and "let's synchronize our watches so we can more effectively communicate."
An association request frame is typically followed by an association response frame, which will either be acceptance -- "Sure, let's be friends!" or rejection.
When two stations want to say "peace out, yo" they send a disassociation frame. It's the polite thing to do, as it allows the other party to free memory and perform other such clean-up functions.
The final kind of management frame is authentication. These come in two flavors: authentication and deauthentication.
The aptly named authentication, or auth, frames begin the process of authentication. In the case of an open access point only two auth frames are exchanged: one asking for access and one saying "come on in, pardner". In the case of the pathetically weak WEP authentication standard the client sends an auth frame asking for access, and the station responds with an auth frame containing a bit of text. This is known as a challenge. Finally, the client sends a version of that text back, having encrypted it with the WEP key.
The authentication process for WPA and WPA2 is a lot more complex, and we'll get to that as this series progresses.
This brings us to the last management frame: deauthentication or deauth. A deauth frame is sent from one station to another to terminate a secure session. The stations may still be associated, but effectively they're not speaking to one another.
With Management frames covered, let's go over the last two types of frames: Control and Data.
Control frames come in three varieties: Request to Send, Clear to Send, and Acknowledgement frames.
A Request to Send, or RTS, frame, as the name implies, is a short little frame that one station sends to another asking if it can send a data frame. It's the first part of the two-way handshake that makes up the beginning of any data transmission.
The second part of the handshake is the Clear to Send or CTS frame. If the station isn't busy doing other things it'll send one of these in response to an RTS. The neat thing about this frame is that it'll specify an amount of time for which the two stations can communicate. The other stations in the area observe this and wait patiently. This minimizes interruptions that would otherwise cause interference resulting in resends and an overall degradation of network performance.
And finally, after the RTS/CTS handshake has taken place and the data frames have been sent, the receiving station issues an Acknowledgement, or ACK, frame. This lets the sender know that everything was received in good condition. If the receiver checks the integrity of the data frames and something is borked, it simply withholds the ACK frame, causing the sender to retry.
And the last frame, as we just mentioned, is the data frame. Containing anything you like inside, these guys are the workhorses of WiFi. Of course they wouldn't exist without the diligent work of the management and control frames, so, good job everyone. Let's have some cake!
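As an added example (not part of the HakTip script), here is a small Python decoder for the Frame Control field that sorts frames into the management, control and data types described above, and a helper that counts deauth frames per transmitter, the kind of burst a wireless IDS alerts on. The capture is constructed inline from the header fields every frame starts with; MAC addresses and the threshold are assumptions for the demo.

```python
import struct
from collections import Counter

# Frame Control field (first 2 bytes, little-endian): bits 0-1 protocol version,
# bits 2-3 frame type, bits 4-7 subtype. Type/subtype numbers are from IEEE 802.11.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (2, 0): "data",
}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_header(ftype, subtype, addr1, addr2=None, duration=0) -> bytes:
    """Constructed sample header (not a real capture): FC, Duration/ID, Address 1 [, Address 2]."""
    fc = (ftype << 2) | (subtype << 4)          # protocol version 0, flag bits clear
    hdr = struct.pack("<HH", fc, duration) + bytes.fromhex(addr1.replace(":", ""))
    return hdr + (bytes.fromhex(addr2.replace(":", "")) if addr2 else b"")

def parse_frame(frame: bytes) -> dict:
    """Decode the fields every 802.11 frame starts with: FC, Duration/ID and the receiver address."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"version": fc & 0x3, "type": TYPE_NAMES.get(ftype, "reserved"),
            "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
            "duration": duration, "addr1": mac(frame[4:10])}
    # CTS and ACK carry only a receiver address; every other frame also has a transmitter address.
    if not (ftype == 1 and subtype in (12, 13)):
        info["addr2"] = mac(frame[10:16])
    return info

def deauth_sources(frames, threshold=5) -> dict:
    """Count deauthentication frames per transmitter; a flood from one address is a classic IDS alert."""
    parsed = [parse_frame(f) for f in frames]
    counts = Counter(p["addr2"] for p in parsed if p["subtype"] == "deauthentication")
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed capture: a beacon, an RTS/CTS pair, an ACK, then six deauths from the AP's address.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # assumed addresses
SAMPLE_CAPTURE = [
    build_header(0, 8, "ff:ff:ff:ff:ff:ff", AP),         # beacon, sent to broadcast
    build_header(1, 11, CLIENT, AP, duration=300),       # RTS from AP, reserving 300 us
    build_header(1, 12, AP, duration=250),               # CTS from client, no transmitter address
    build_header(1, 13, AP),                             # ACK from client
] + [build_header(0, 12, CLIENT, AP) for _ in range(6)]  # deauth frames aimed at the client
```

Calling `deauth_sources(SAMPLE_CAPTURE)` on the constructed capture returns `{'00:11:22:33:44:55': 6}`, while the first four frames alone trigger nothing.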
What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up -- firstname.lastname@example.org
And be sure to check out our sister show, Hak5 for more great stuff just like this.