Wireless Penetration Testing Beginner’s – WLAN & its Inherent Insecurities

In this tutorial, we shall look at the following:

  • Revisiting WLAN frames
  • Different frame types and subtypes
  • Using Wireshark to sniff management, control, and data frames
  • Sniffing data packets for a given wireless network
  • Injecting packets into a given wireless network

Let’s get started!

Revisiting WLAN frames

As this book deals with the security aspects of wireless, we will assume that you already have a basic understanding of the protocol and the packet headers. If not, or if it’s been some time since you worked on wireless, this would be a good time to revisit this topic again.
Let’s now quickly review some basic concepts of WLANs that most of you may already be aware of. In WLANs, communication happens over frames. A frame would have the following header structure:

The Frame Control field itself has a more complex structure:

The Type field defines three types of WLAN frame:

  1. Management frames: Management frames are responsible for maintaining communication between access points and wireless clients. Management frames can have the following subtypes:
    • Authentication
    • Deauthentication
    • Association request
    • Association response
    • Reassociation request
    • Reassociation response
    • Disassociation
    • Beacon
    • Probe request
    • Probe response
  2. Control frames: Control frames are responsible for ensuring a proper exchange of data between access points and wireless clients. Control frames can have the following subtypes:
    • Request to Send (RTS)
    • Clear to Send (CTS)
    • Acknowledgement (ACK)
  3. Data frames: Data frames carry the actual data that is sent on the wireless network. There are no subtypes for data frames.

We will discuss the security implications of each of these frames when we discuss different attacks in later chapters.

We will now look at how to sniff these frames over a wireless network using Wireshark. There are other tools—such as Airodump-NG, Tcpdump, or Tshark—that you can use for sniffing as well. We will, however, mostly use Wireshark in this book, but we encourage you to explore other tools as well. The first step is to create a monitor mode interface. This creates an interface for our adapter that allows us to read all wireless frames in the air, regardless of whether they are destined for us or not. In the wired world, this is popularly called promiscuous mode.

Time for action – creating a monitor mode interface

Let’s now set our wireless adapter into monitor mode.

Follow these instructions to get started:

  1. Boot Kali with your adapter connected. Once you are within the console, enter iwconfig to confirm that your card has been detected and the driver has been loaded properly.
  2. Use the ifconfig wlan1 up command to bring the card up (where wlan1 is your adapter). Verify whether the card is up by running ifconfig wlan1. You should see the word UP in the second line of the output as shown in the following screenshot.
  3. To put our card into monitor mode, we will use the airmon-ng utility that is available by default on Kali. First run the airmon-ng command to verify whether it detects the available cards. You should see the wlan0 interface listed in the output.
  4. Now enter the airmon-ng start wlan1 command to create a monitor mode interface corresponding to the wlan0 device. This new monitor mode interface will be named mon0. (You can verify that it has been created by running airmon-ng without arguments again.)
  5. Also, running ifconfig mon0 should now display the new interface called mon0.

What just happened?

We have successfully created a monitor mode interface called mon0. This interface will be used to sniff wireless packets off the air. This interface has been created for our wireless adapter.

Have a go hero – creating multiple monitor mode interfaces

It is possible to create multiple monitor mode interfaces using the same physical card. Use the airmon-ng utility to see how you can do this.
Awesome! We have a monitor mode interface just waiting to read some packets off the air. So let’s get started.
In the next exercise, we will use Wireshark to sniff packets off the air using the mon0 monitor mode interface we just created.

Time for action – sniffing wireless packets

Follow the following instructions to begin sniffing packets:

1. Power up the Access Point Wireless Lab that we configured in Chapter 1, Wireless Lab Setup.

2. Start Wireshark by typing Wireshark & in the console. Once Wireshark is running, navigate to Capture | Interfaces.

3. Select packet capture from the mon0 interface by clicking on the Start button to the right of the mon0 interface as shown in the previous screenshot. Wireshark will begin the capture, and now you should see packets within the Wireshark window.

4. These are wireless packets that your wireless adapter is sniffing off the air. In order to view any packet, select it in the top window and the entire packet will be displayed in the middle window.

Click on the triangle in front of IEEE 802.11 Wireless LAN management frame to expand and view additional information.

Look at the different header fields in the packet and correlate them with the WLAN frame types and sub-types you have learned earlier.

What just happened?

We just sniffed our first set of packets off the air! We launched Wireshark, which used the monitor mode interface mon0 we created previously. You should notice, by looking at Wireshark’s footer region, the speed at which the packets are being captured and also the number of packets captured so far.

Have a go hero – finding different devices

Wireshark traces can be a bit daunting at times; even for a reasonably populated wireless network, you could end up sniffing a few thousand packets. Hence, it is important to be able to drill down to those packets that interest us. This can be accomplished using filters in Wireshark. Explore how you can use these filters to identify unique wireless devices in the traces – both access points and wireless clients.
If you are unable to do this, don’t worry as this is the next thing we will learn.

Time for action – viewing management, control, and data frames

Now we will learn how to apply filters in Wireshark to look at Management, Control and Data Frames.

Please follow the below instructions step by step:

1. To view all the Management frames in the packets being captured, enter the filter wlan.fc.type == 0 into the filter window and click Apply. You can stop the packet capture if you want to prevent the packets from scrolling down too fast.


2. To view Control Frames, modify the filter expression to read wlan.fc.type == 1.


3. To view data frames, modify the filter expression to wlan.fc.type == 2.


4. To additionally select a sub-type, use the wlan.fc.subtype filter. For example, to view all the Beacon frames among all Management frames, use the following filter:
(wlan.fc.type == 0) && (wlan.fc.subtype == 8)


5. Alternately, you can right-click on any of the header fields in the middle window and then select Apply as Filter | Selected to add it as a filter.


6. This will automatically add the correct filter expression for you in the Filter field.

What just happened?

We just learned how to filter packets in Wireshark using various filter expressions. This helps us monitor selected packets from devices we are interested in, instead of trying to analyze all the packets in the air.
Also, we can see that the packet headers of Management, Control and Data frames are in plain text and are not encrypted. Anyone who can sniff the packets can read these headers. It is also important to note that it is also possible for a hacker to modify any of these packets and re-transmit them. As there is no integrity or replay attack mitigation in the protocol, this is very easy to do. We will look at some of these attacks in later chapters.
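To make the Type/Subtype decoding and the filter expressions above concrete, here is an added example (it is not code from the book, from Wireshark or from the aircrack-ng suite). It parses the Frame Control field of a handful of hand-constructed 802.11 frames and evaluates the same conditions that Wireshark’s wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype and wlan.bssid filters express, including the 0x08 (beacon) and 0x20 (data) values used later in this chapter. The MAC addresses and frames are made up. It also shows the point made above: the header of a data frame with the Protected flag set is still fully readable, only the body is ciphertext.

```python
"""Decode 802.11 Frame Control and apply Wireshark-style display filters.

Added example for this chapter, not code from the book or from Wireshark.
All frames below are constructed by hand (nothing was captured) and the MAC
addresses are made up. Dict keys deliberately mirror Wireshark's filter
fields (wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype, wlan.bssid)
so the results can be compared with the filter expressions in the text.
"""
import struct
from typing import Optional

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {  # subset of the IEEE 802.11 subtype table
    0: {0: "Association request", 1: "Association response", 2: "Reassociation request",
        3: "Reassociation response", 4: "Probe request", 5: "Probe response",
        8: "Beacon", 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"},
    1: {11: "RTS", 12: "CTS", 13: "ACK"},
    2: {0: "Data", 8: "QoS Data"},
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Parse the plaintext MAC header that every 802.11 frame carries.

    Frame Control is a little-endian 16-bit field: bits 0-1 protocol version,
    bits 2-3 type, bits 4-7 subtype, bits 8-15 flags (ToDS, FromDS, ..., Protected).
    """
    if len(frame) < 10:
        raise ValueError("frame shorter than the minimum 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    version, ftype, subtype, flags = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if version != 0 or ftype == 3:
        raise ValueError("not a type 0/1/2 frame of 802.11 protocol version 0")
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    addr1 = mac_str(frame[4:10])
    if ftype == 1:  # control frames carry only RA (plus TA for RTS)
        addr2 = mac_str(frame[10:16]) if subtype == 11 and len(frame) >= 16 else None
        bssid = None
    else:
        if len(frame) < 24:
            raise ValueError("management/data frame needs a 24-byte header")
        addr2, addr3 = mac_str(frame[10:16]), mac_str(frame[16:22])
        # Which address field holds the BSSID depends on the ToDS/FromDS flags
        bssid = {(False, False): addr3, (True, False): addr1,
                 (False, True): addr2, (True, True): None}[(to_ds, from_ds)]
    return {
        "wlan.fc.type": ftype,
        "wlan.fc.subtype": subtype,
        "wlan.fc.type_subtype": (ftype << 4) | subtype,  # the value Wireshark shows, e.g. 0x08, 0x20
        "wlan.fc.protected": protected,
        "wlan.bssid": bssid,
        "wlan.addr1": addr1,
        "wlan.addr2": addr2,
        "name": f"{TYPE_NAMES[ftype]}/{SUBTYPE_NAMES[ftype].get(subtype, subtype)}",
    }


def apply_filter(frames: list, match: dict, exclude: Optional[dict] = None) -> list:
    """Equivalent of '(field == v) && ... && !(field == v)' in Wireshark's filter bar."""
    exclude = exclude or {}
    return [f for f in frames
            if all(f.get(k) == v for k, v in match.items())
            and not any(f.get(k) == v for k, v in exclude.items())]


def count_by_type(frames: list) -> dict:
    counts: dict = {}
    for f in frames:
        counts[f["wlan.fc.type"]] = counts.get(f["wlan.fc.type"], 0) + 1
    return counts


# --- constructed sample traffic (made-up addresses, not a real capture) ---
AP, CLIENT, OTHER_AP = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
BCAST = "ff:ff:ff:ff:ff:ff"


def _raw(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def _frame(fc: bytes, a1: str, a2: str, a3: str, body: bytes = b"") -> bytes:
    # FC, duration, addr1, addr2, addr3, sequence control, then the frame body
    return fc + b"\x00\x00" + _raw(a1) + _raw(a2) + _raw(a3) + b"\x10\x00" + body


SAMPLE_FRAMES = [
    _frame(b"\x80\x00", BCAST, AP, AP),                    # Beacon from our AP
    _frame(b"\x40\x00", BCAST, CLIENT, BCAST),             # Probe request from the client
    _frame(b"\x08\x02", CLIENT, AP, AP, b"\xaa\xaa\x03"),  # Data, FromDS (AP -> client), plaintext LLC
    _frame(b"\x08\x01", AP, CLIENT, AP, b"\xaa\xaa\x03"),  # Data, ToDS (client -> AP)
    _frame(b"\x08\x42", CLIENT, AP, AP, b"\x00" * 8),      # Data, FromDS + Protected: body is ciphertext
    _frame(b"\xc0\x00", CLIENT, AP, AP, b"\x07\x00"),      # Deauthentication, reason code 7
    b"\xd4\x00\x00\x00" + _raw(AP),                        # ACK addressed to the AP (10-byte frame)
    _frame(b"\x80\x00", BCAST, OTHER_AP, OTHER_AP),        # Beacon from a neighbouring AP
]

if __name__ == "__main__":
    parsed = [parse_80211_header(f) for f in SAMPLE_FRAMES]
    for f in parsed:
        print(f"{f['name']:<30} type_subtype=0x{f['wlan.fc.type_subtype']:02x} bssid={f['wlan.bssid']}")
    print("Beacons:", len(apply_filter(parsed, {"wlan.fc.type": 0, "wlan.fc.subtype": 8})))
    print("Data for our AP:", len(apply_filter(parsed, {"wlan.bssid": AP, "wlan.fc.type_subtype": 0x20})))
    print("Non-beacon frames for our AP:",
          len(apply_filter(parsed, {"wlan.bssid": AP}, exclude={"wlan.fc.type_subtype": 0x08})))
```

The `bssid` lookup is the part worth remembering when a `wlan.bssid ==` filter seems to miss traffic: for data frames the BSSID moves between address fields with the ToDS/FromDS flags, and a control frame such as an ACK has no BSSID at all, which is why it never matches a BSSID filter.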

Have a go hero – playing with filters

You can consult Wireshark’s manual to know more about available filter expressions and how to use them. Try playing around with various filter combinations till you are confident that you can drill down to any level of detail, even in a very large packet trace.
In the next exercise, we will look at how to sniff data packets transferred between our access point and wireless client.

Time for action – sniffing data packets for our network

In this exercise, we will learn how to sniff data packets for a given wireless network. For the sake of simplicity, we will look at packets without any encryption.

Follow these instructions to get started:

1. Switch on the access point we named Wireless Lab. Let it remain configured to use no encryption.
2. We will first need to find the channel on which the Wireless Lab access point is running. To do this, open a terminal and run airodump-ng --bssid <BSSID> mon0, where <BSSID> is the MAC address of our access point. Let the program run, and shortly you should see your access point shown on the screen along with the channel it is running on.
3. We can see from the preceding screenshot that our access point Wireless Lab is running on Channel 11. Note that this may be different for your access point.
In order to sniff data packets going to and fro from this access point, we need to lock our wireless card on the same channel, that is channel 11. To do this, run the iwconfig mon0 channel 11 command and then run iwconfig mon0 to verify it. You should see the Frequency: 2.462 GHz value in the output. This corresponds to Channel 11.


4. Now fire up Wireshark and start sniffing on the mon0 interface. After Wireshark has started sniffing the packets, apply a filter for the BSSID of our access point by entering wlan.bssid == <BSSID> in the filter area. Use the appropriate MAC address for your access point.

5. In order to see the data packets for our access point, extend the filter to (wlan.bssid == <BSSID>) && (wlan.fc.type_subtype == 0x20). Open your browser on the client laptop and type in the URL of the access point’s management interface. In my case, as we have seen in the previous tutorial, Wireless Lab Setup, it is http://192.168.0.1. This will generate data packets that Wireshark will capture.

6. Packet sniffing allows us to analyze unencrypted data packets very easily. This is the reason why we need to use encryption in wireless.

What just happened?

We have just sniffed data packets over the air with Wireshark using various filters. As our access point is not using any encryption, we are able to see all the data in plain text. This is a major security issue as anyone within RF range of the access point can see all the packets if he uses a sniffer such as Wireshark.

Have a go hero – analyzing data packets

Use Wireshark to analyze the data packets further. You would notice that a DHCP request is made by the client and, if a DHCP server is available, it responds with an address. Then you would find ARP packets and other protocol packets on the air. This is a nice and simple way to do passive host discovery on the wireless network. It is important to be able to see a packet trace and reconstruct how applications on the wireless host are communicating with the rest of the network. One of the interesting features Wireshark provides is the ability to follow a stream. This allows you to view multiple packets together, that are part of a TCP exchange, in the same connection.

Also, try logging into www.gmail.com or any other popular website and analyze the data traffic generated.
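The passive host discovery described above can be scripted once the data frames are unencrypted. The following is an added example (not code from the book or from Wireshark) that takes the transmitter MAC from the 802.11 header together with the frame body, walks the LLC/SNAP header that an open network exposes right after the 802.11 header, and records which IPv4 address each station uses from the ARP and IPv4 packets it sends. Every record here is constructed by hand with made-up addresses; an ARP probe sent from 0.0.0.0 (a host that is still waiting for DHCP) is recorded as a host without an address, and encrypted or unrecognised bodies are skipped.

```python
"""Passive host discovery from unencrypted 802.11 data-frame payloads.

Added example for the "analyzing data packets" exercise; not code from the
book. Each record is (transmitter MAC taken from the 802.11 header, payload
that follows the header). In an open network the payload starts with an
LLC/SNAP header, then the Ethertype and the ARP or IPv4 packet. All records
below are constructed by hand; the addresses are made up.
"""
import ipaddress
import struct

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # DSAP, SSAP, control, OUI
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _raw(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_llc_snap(payload: bytes):
    """Return (ethertype, inner packet), or None if this is not an LLC/SNAP payload."""
    if len(payload) < 8 or payload[:6] != LLC_SNAP:
        return None
    return struct.unpack_from(">H", payload, 6)[0], payload[8:]


def parse_arp(pkt: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet."""
    if len(pkt) < 28:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, oper = struct.unpack_from(">HHBBH", pkt, 0)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": _mac(pkt[8:14]), "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": _mac(pkt[18:24]), "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}


def parse_ipv4_src(pkt: bytes) -> str:
    """Source address of an IPv4 header (offset 12)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return str(ipaddress.IPv4Address(pkt[12:16]))


def discover_hosts(records) -> dict:
    """Map each station MAC to the set of IPv4 addresses it has been seen using."""
    hosts: dict = {}
    for transmitter, payload in records:
        snap = parse_llc_snap(payload)
        if snap is None:          # encrypted body, or not LLC/SNAP: nothing to learn
            continue
        ethertype, inner = snap
        if ethertype == ETHERTYPE_ARP:
            arp = parse_arp(inner)
            hosts.setdefault(arp["sender_mac"], set())
            if arp["sender_ip"] != "0.0.0.0":   # 0.0.0.0 = probe from a host without a lease yet
                hosts[arp["sender_mac"]].add(arp["sender_ip"])
        elif ethertype == ETHERTYPE_IPV4:
            hosts.setdefault(transmitter, set()).add(parse_ipv4_src(inner))
    return hosts


# --- constructed records (made-up MACs and addresses) ---
AP, CLIENT, NEWCOMER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"


def _arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    return (LLC_SNAP + struct.pack(">H", ETHERTYPE_ARP)
            + struct.pack(">HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
            + _raw(sha) + ipaddress.IPv4Address(spa).packed
            + _raw(tha) + ipaddress.IPv4Address(tpa).packed)


def _ipv4(src: str, dst: str) -> bytes:
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return LLC_SNAP + struct.pack(">H", ETHERTYPE_IPV4) + header


SAMPLE_RECORDS = [
    (NEWCOMER, _arp(1, NEWCOMER, "0.0.0.0", "00:00:00:00:00:00", "192.168.0.50")),  # ARP probe
    (CLIENT, _arp(1, CLIENT, "192.168.0.100", "00:00:00:00:00:00", "192.168.0.1")),  # who-has
    (AP, _arp(2, AP, "192.168.0.1", CLIENT, "192.168.0.100")),                       # is-at
    (CLIENT, _ipv4("192.168.0.100", "192.168.0.1")),                                 # TCP to the AP
    (AP, b"\x00" * 16),                                                              # protected body, skipped
]

if __name__ == "__main__":
    for mac, ips in discover_hosts(SAMPLE_RECORDS).items():
        print(mac, sorted(ips) or "(no address yet)")
```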

We will now see a demonstration of how to inject packets into a wireless network.

Time for action – packet injection

We will be using the aireplay-ng tool, which is available in Kali, for this exercise. Follow the instructions below carefully:

1. In order to do an injection test, first start Wireshark and apply the filter expression (wlan.bssid == <BSSID>) && !(wlan.fc.type_subtype == 0x08). This will ensure that we only see non-beacon packets for our lab network.
2. Now run the command aireplay-ng -9 -e "Wireless Lab" -a <BSSID> mon0 in a terminal.
3. Go back to Wireshark and you should see a lot of packets on the screen now. Some of these packets have been sent by aireplay-ng, which we launched, and others are from the access point Wireless Lab in response to the injected packets.
What just happened?

We just successfully injected packets into our test lab network using aireplay-ng. It is important to note that our card injected these arbitrary packets into the network without being actually connected to the access point Wireless Lab.

Have a go hero – installing Kali on VirtualBox

We will look at packet injection in greater detail in later chapters; however, feel free to explore other options of the Aireplay-ng tool to inject packets. You can verify whether injection succeeded by using Wireshark to monitor the air.

Important note on WLAN sniffing and injection

WLANs typically operate within three different frequency ranges: 2.4 GHz, 3.6 GHz and 4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges and associated bands. For instance, an Alfa card only supports IEEE 802.11b/g. This would mean that this card cannot operate in 802.11a/n. The key point here is that to sniff or inject packets in a particular band, your Wi-Fi card needs to support it.

Another interesting aspect of Wi-Fi is that, in each of these bands, there are multiple channels. It is important to note that your Wi-Fi card can only be on one channel at any given moment. It is not possible to tune into multiple channels at the same time. The best analogy I can give you is your car radio. You can tune it to only one of the available channels at any given time. If you want to hear something else, you will have to change the channel. The same principle applies to WLAN sniffing. This brings us to an important conclusion—we cannot sniff all channels at the same time; we will need to select the channel that is of interest to us. What this means is that, if our access point of interest is on channel 1, we will need to set our card on channel 1.

Though we have addressed WLAN sniffing in the above paragraphs, the same applies to injection as well. To inject packets on a specific channel, we will need to put the card radio on that channel.

Let’s now do some exercises on setting our card to specific channels, channel hopping, setting regulatory domains, power levels etc.

Time for action – experimenting with your adapter

Follow the instructions below carefully:

1. Enter the iwconfig wlan0 command to check the capabilities of your card. As you can see in the figure below, my adapter can operate in the b, g, and n bands.

2. To set the card on a particular channel, we use the iwconfig mon0 channel X command.

3. The iwconfig series of commands does not have a channel hopping mode. One could write a simple script over it to make it do so. An easier way is to use Airodump-NG with options to either hop channels arbitrarily, use only a subset, or use only selected bands. All these options are illustrated in the screenshot below when we run airodump-ng --help.

What just happened?

We understood that both wireless sniffing and packet injection depend on the hardware support available. This means that we can only operate on bands and channels allowed by our card. Also, the wireless card radio can only be on one channel at a time. This further means that we can only sniff or inject in one channel at a time.

Have a go hero – sniffing multiple channels

If you need to simultaneously sniff on multiple channels, you will require multiple physical Wi-Fi cards. If you can procure additional cards, then try to sniff on multiple channels simultaneously.

The role of regulatory domains in wireless

The complexities of Wi-Fi don’t end here. Every country has its own unlicensed spectrum allocation policy. This specifically dictates allowed power levels and allowed users for the spectrum. In the US, for example, the FCC decides this and, if you use WLANs in the US, you have to abide by these regulations. In some countries, not doing this is a punishable offense.
Now let’s look at how we can find the default regulatory settings and then how to change them if required.

Time for action – experimenting with your adapter

Follow these instructions carefully:
1. Reboot your computer and do not connect your adapter to it yet.
2. Once logged in, monitor the kernel messages using the tail command.

Insert the adapter, and you should see something that resembles the following screenshot. This shows the default regulatory settings applied to your card.

3. Let’s assume that you are based in the US. To change your regulatory domain to the US, we issue the command iw reg set US in a new terminal.

If the command is successful, we get an output such as the one in the following screenshot in the terminal where we are monitoring /var/log/messages.

4. Now try changing the card to channel 11; it will work. But, when you try changing it to channel 12, you get an error. This is because channel 12 cannot be used in the US.

5. The same applies for power levels. The US only allows a maximum of 27 dBm (500 milliwatts); thus even though my adapter has an advertised power of 1 Watt (30 dBm), we cannot set the card to the maximum transmit power.

6. However, if we were in Bolivia, then we could transmit at a power of 1 Watt as this is allowed there. As we can see, once we set the regulatory domain to Bolivia—iw reg set BO—we can change the card power to 30 dBm or 1 Watt. We can also use channel 12 in Bolivia, which was disallowed in the US.

Every country has its own regulations for the use of the unlicensed wireless band. When we set our regulatory domain to a specific country, our card will obey the allowed channels and power levels specified. However, it is easy to change the regulatory domain of the card and force it to work on disallowed channels and to transmit at a power level that is greater than allowed.
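The channel-to-frequency relation used earlier (channel 11 at 2.462 GHz) and the regulatory checks the driver applied above can be reproduced in a few lines. The following is an added example, not code from the book or from the iw/iwconfig tools: it converts between 2.4/5 GHz channel numbers and centre frequencies, between dBm and milliwatts (27 dBm is the roughly 500 mW quoted above, 30 dBm is 1 W), and pre-checks a requested channel and transmit power against a small regulatory table. That table is a constructed illustration containing only the cases this chapter mentions (US: channels 1-11 and 27 dBm; BO: channel 12 and 30 dBm allowed); the authoritative rules come from the kernel’s wireless-regdb and differ per band, so treat it as a sketch of how the kernel’s check works, not as a reference.

```python
"""Channel/frequency arithmetic and a regulatory-domain pre-check.

Added example for this chapter; not code from the book or from iw/iwconfig.
REGDOM is a constructed illustration that encodes only the cases the text
mentions (US: channels 1-11, 27 dBm max; BO: channel 12 and 30 dBm allowed).
The real rules come from the kernel's wireless-regdb and vary per band.
"""
import math


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz (1-14) or 5 GHz (36-177) channel."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # channel 11 -> 2462 MHz, the 2.462 GHz iwconfig reported
    if channel == 14:
        return 2484                    # off the 5 MHz grid (Japan only)
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def mhz_to_channel(mhz: int) -> int:
    """Inverse of channel_to_mhz."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5180 <= mhz <= 5885 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"{mhz} MHz is not a Wi-Fi channel centre frequency")


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


# Constructed table for illustration only (see module docstring).
REGDOM = {
    "US": {"channels": set(range(1, 12)), "max_dbm": 27},
    "BO": {"channels": set(range(1, 14)), "max_dbm": 30},
}


def check_request(country: str, channel: int, tx_dbm: float) -> list:
    """Return the reasons a channel/power request would be refused; empty list means allowed."""
    rules = REGDOM.get(country)
    if rules is None:
        return [f"no rules for regulatory domain {country!r} in this table"]
    problems = []
    try:
        mhz = channel_to_mhz(channel)
    except ValueError as exc:
        return [str(exc)]
    if channel not in rules["channels"]:
        problems.append(f"channel {channel} ({mhz} MHz) is not allowed in {country}")
    if tx_dbm > rules["max_dbm"]:
        problems.append(f"{tx_dbm} dBm ({dbm_to_mw(tx_dbm):.0f} mW) exceeds "
                        f"the {rules['max_dbm']} dBm limit in {country}")
    return problems


if __name__ == "__main__":
    print("channel 11 =", channel_to_mhz(11), "MHz")
    print("27 dBm =", round(dbm_to_mw(27)), "mW; 30 dBm =", round(dbm_to_mw(30)), "mW")
    for country, channel, dbm in [("US", 11, 20), ("US", 12, 20), ("US", 11, 30), ("BO", 12, 30)]:
        print(country, channel, dbm, "->", check_request(country, channel, dbm) or "allowed")
```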

Have a go hero – exploring regulatory domains

Look at the various parameters you can set, such as channel, power, regulatory domain, etc., using the iw series of commands on Kali. This should give you a firm understanding of how to configure your card when you are in various countries and need to change your card settings.

Pop quiz – WLAN packet sniffing and injection

Q1. Which frame types are responsible for authentication in WLANs?
1. Control
2. Management
3. Data
4. QoS

Q2. What is the name of the second monitor mode interface that can be created on wlan0 using airmon-ng?
1. Mon0
2. Mon1
3. 1Mon
4. Monb

Q3. What is the filter expression to view all non-beacon frames in Wireshark?
1. !(wlan.fc.type_subtype == 0x08)
2. wlan.fc.type_subtype == 0x08
3. (no beacon)
4. Wlan.fc.type == 0x08
