Frame Exploration: Association Frames

Association Frames are the last two frames before the STA can connect to the BSS and begin .1x authentication or the 4 way handshake when using PSK. There are two (different) frames as opposed to the two similar frames (with different sequence numbers) in the Authentication exchange. A STA will always send an Association request to an AP. This can be helpful when trying to discern between a STA and BSS in a packet capture if the addresses of each device are not known.You will also find the target BSS in a request frame but not a response frame. Like Authentication frames these are also sent at the minimum required rate for that particular BSS. 

Association Request

Since the AP already sent out its full list of capabilities in the Probe Response frame, the STA now sends out its full capabilities in the Association Request. With this information the AP now knows if the STA will be able to participate in this BSS or not.

Below are two screenshots quickly showing how much additional information is sent by the client in a Probe Request vs an Association Request

(Probe Request)


(Association Request)

 

Association Response
 
The Response is the second frame of the exchange. Here the AP will list the settings in use for this BSS. Other than configurations on the BSS the most important piece of this puzzle is whether or not the Association was successful. This can be found in Element 2 of the capture as seen below.

If for any reason the association fails there will be a failure code listed here as well. The list as documented in the 802.11-2020 standard is widely available online and can be used to further troubleshoot any issues. We also find the AID (Association ID) here which helps differentiate individual STA's in the BSS. 

After this, one of three things will happen. If no security is enabled the STA will now be able to Tx using this BSS. If PSK is enabled the two devices will perform the 4 way handshake (WPA/WPA2). If 802.1x is enabled the devices will go through the EAP security exchange with the Authentication Server, Authenticator (AP) and Supplicant (STA).

Feel free to download and view the frames I used for this post here.

Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

IoT and Smart Home Devices: Part 1

Image
  Source: https://www.sparkfun.com/products/17146                 This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup.  I was looking to purchase a new Roku and since Walmart was the closest st...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more