Posts

Capturing Roaming Events

Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before, I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes, I know you can also use a Pi as a remote capture device, but that still didn't help with looking into roaming events. Now, it's been a few years since I've used Kali and I was amazed at how polished it's become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didn't launch my security career, but it was quite interesting. There are plenty of tutorials on how to set your capture device in monitor mode, so I won't go into that here. If you are curious, here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the de facto standard for monitor mode support, but I had a Comfast CF912 and TPLink Archer T9UH adapter ...

IoT and Smart Home Devices: Part 1

Source: https://www.sparkfun.com/products/17146

This is going to be a multi-part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices, so much that I don't even want my roommate's Alexa on the same network as mine. However, with these things being so prolific it is best to understand them so we can better protect our networks. I'll start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly I'll do my best to capture packets during the join process, but we will see how that goes with my limited setup. I was looking to purchase a new Roku and since Walmart was the closest st...

Frame Exploration: Association Frames

Association Frames are the last two frames before the STA can connect to the BSS and begin .1x authentication or the 4-way handshake when using PSK. There are two (different) frames, as opposed to the two similar frames (with different sequence numbers) in the Authentication exchange. A STA will always send an Association Request to an AP. This can be helpful when trying to discern between a STA and BSS in a packet capture if the addresses of each device are not known. You will also find the target BSS in a request frame but not a response frame. Like Authentication frames, these are also sent at the minimum required rate for that particular BSS.

Association Request

Since the AP already sent out its full list of capabilities in the Probe Response frame, the STA now sends out its full capabilities in the Association Request. With this information the AP now knows whether the STA will be able to participate in this BSS or not. Below are two screenshots quickly showing how much additional i...

Frame Exploration: Authentication Frames

Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch. Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4-message exchange for authentication. We will be looking at Open System Authentication frames here. In the above we have the two-frame exchange between the client device and the AP. Each message is essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful. As with all other frames, we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...

Frame Exploration: Probe Response

In the previous post we looked at Probe Requests, which are frames sent by a STA wishing to join a BSS and needing additional information to make a selection. The Response is sent from the AP with a list of its capabilities and other information about the BSS. Note this is not the full capabilities. Since I went over the fields in the previous post, I'll start with the FCF in the form of a packet capture.

FCF

Again we can see information about what type of frame we are viewing. Management Subtype 5 is a Probe Response. Moving on to the Frame Body, we'll start with the Basic and Supported Rates. Rates with a (B) marked next to them are basic rates and are required to be supported in order to join the BSS. Also note the lack of a 6 Mbps rate. This is because it's disabled on my network and therefore not advertised.

Basic and Supported Rates

Next we can see the regulatory domain the AP is operating in, its channel capabilities and what environment it can be ...

Passing the CWAP

I finally got around to signing up for the test and really going over the study guide. You can see most of my notes here if you want an idea of the content and, if it wasn't implied in the title already, I passed! While I was able to take a CWNA course through a previous employer, that was not the case this time. My study methods were basically reading the book from front to back, reading various blogs (also listed in the top bar), doing packet captures and taking the practice tests. Out of those methods, I feel being able to take packet captures is what will solidify your knowledge for this exam. Luckily I was able to acquire a WLANPi a few years ago before the shortage and discontinuation of the neo2 board. Wlanpros appears to be working on another version (I think I also spied dual radios, so maybe we'll get the ability to capture roaming events!) but I haven't seen anything for sale yet. For those who don't have the pi, you can either purchase software like CommVie...

Frame Exploration: Probe Requests

I briefly went over the frames used to connect a STA to a BSS in this post, but I also wanted to show more details on what each of them contains. Since the Probe Request is the first frame to explicitly start the joining process, we will start here. You can also look at other info about Probe Requests and other frames in my CWAP Notes section. These are sent by the STA wishing to join a certain BSS and will request additional info about the network. However, the info contained in the request is that of the STA sending it. We will find a lot of information about what the client is capable of in this frame. I've included a visual representation of the MAC header and Frame Control field to make it easier to see how this all works together.

.11 MAC Header

Frame Control field

Beginning with the info in the Frame Control field, here is a Probe Request I captured on my own network. We see some information that will be useful when doing packet captures with a protocol analyzer. I...