Frame Exploration: Probe Requests

I briefly went over the frames used to connect a STA to a BSS in this post but I also wanted to show more details on what each of them contain. Since the Probe Request is the first frame to explicitly start the joining process we will start here. You can also look at other info about Probe Requests and other frames from my CWAP Notes section.

These are sent by the STA wishing to join a certain BSS and will request additional info about the network. However, the info contained in the request is that of the STA sending it. We will find a lot of information about what the client is capable of in this frame.

Ive included a visual representation of the mac header and frame control field to make it easier to see how this all works together.

 .11 MAC Header

https://upload.wikimedia.org/wikipedia/commons/7/72/802.11_frame.png

Frame Control field

File:802.11 Frame Control.png

Beginning with the info in the Frame Control field, here is a Probe Request I captured on my own network. 


We see some information that will be useful when doing packet captures with a protocol analyzer. It is possible to filter out certain types of packets when using this field. Creating a filter for 0x4000 will create a filter for a Management Frame with a Subtype of 4 which is a Probe Request. If we wanted to filter out Action frames we could make a filter for a FCF with a value of 0xd000. Note the hex value is a combination of the version, frame type and frame subtype. Of course you can always use the cheat sheet from Semfio Networks.

Moving to the address fields we see 4 are present but only two are utilized. Since we are only transmitting from STA to AP there is only a need for two. In this scenario the AP is the RA/DA and the STA is the TA/SA. 

Next we have the frame body. The primary function of this field is to give the AP enough info so it can make a decision on whether the STA can join the BSS. As you can see there is a bit of info but the AP mainly is concerned with basic rates. The other capabilities such as number of radio chains, and TxBF are nice but not a deal breaker.   

Frame Body


Supported rates field expanded

 

HT Capabilities field expanded

 
 
Now we can start seeing what the client is potentially capable of. Something interesting I see is the lack of support for a Greenfield PPDUs (I might have to test this). There are more elements in this field but I will upload a pcap file if anyone wants to view it further. 

 

VHT Capabilities field expanded

Of course we also have the VHT field since this is an .11ac device. Again something interesting (but not surprising) is the lack of support for 160MHz channels. I captured this from a Pixel 3a, the lack of support could be based on the fact its not a flagship device for cost savings or power savings by using a less capable chip. 

As a side note, this highlights the need to understand what devices will be used in an environment before deploying a WLAN system. Another take away we can see is the lack of MU Beamformee support. In AC MU-MIMO was never really implemented in the field and it required a lot of variables to line up just right to make it happen. This is not the same as MU-MIMO in AX which uses OFDMA technology to break up the channel in to smaller channels or Resource Units while the former uses beamformed Spatial Streams to target individual clients with the intended signals while simultaneously nullifying the signals to the other clients in the transmission. 

Combining the above information allows the AP to make an informed decision on whether or not the STA can join and what capabilities it might be able to leverage with it. Next post we will look at the Probe Response frame which contains the APs capabilities. 

Download for PCAP of Probe Request

Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

IoT and Smart Home Devices: Part 1

Image
  Source: https://www.sparkfun.com/products/17146                 This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup.  I was looking to purchase a new Roku and since Walmart was the closest st...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more