Frame Exploration: Probe Response

In the previous post we looked at Probe Requests which are frames sent by a STA wishing to join a BSS and needing additional information to make a selection. The Response is sent from the AP with a list of its capabilities and other information about the BSS. Note this is not the full capabilities.

Since I went over the fields in the previous post Ill start with the FCF in the form of a packet capture.

   FCF

 
 
Again we can see information about what type of frame we are viewing. Management Subtype 5 is a Probe Response. 

Moving on to the Frame Body we'll start with the Basic and Supported Rates. Rates with a (B) marked next to them are basic rates and are required to be supported in order to join the BSS. Also note the lack of a 6Mbps rate. This is because its disabled on my network and therefor not advertised. 

Basic and Supported Rates


Next we can see the regulatory domain the AP is operating in, its channel capabilities and what environment is can be used in. I'd say the most useful part of this is knowing that someone hasnt purchased any second hand or grey market equipment that is not licensed to operate in your domain. If you see any other country than your own be sure you are operating within the specifications set by your regulatory body (FCC, ETSI, etc). Another thing we can learn is what environment the device is licensed to work in. Usually we'll see Indoor/Outdoor/Any, when a device is set to any it generally conforms to indoor rules which are stricter and generally limit power.
 
Channel Operating Parameters

 We are also provided info about what features the AP/BSS can use to manage the radio spectrum. This is a basic Ubiquiti AC Lite AP so it only supports a few things. 
Radio Management


In the HT Info field lists more channel information and another important piece of information, the Non-greenfield STAs Present Element. When we see this set we know there is a STA in the BSS that supports legacy rates. Thankfully HT Protection is not enabled so we shouldnt see any RTS/CTS exchanges happening.

HT Info Field
 


The last field I want to focus on is the VHT field. Again this is a basic Ubiquiti AP so things like TxBF and 160MHZ channels are not supported. 

VHT Capabilities Field
 

There area few more important fields I want to go over in more detail in future posts. Name the WMM field which contains our EDCA parameters, the RSN field which has the cipher suites used and the MD field for roaming purposes. 
 
If you would like to exam this packet on your own Ive linked the PCAP file here


Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

IoT and Smart Home Devices: Part 1

Image
  Source: https://www.sparkfun.com/products/17146                 This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup.  I was looking to purchase a new Roku and since Walmart was the closest st...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more