Building upon the wireless fundamentals discussed in Chapter 1, Wireless Penetration Testing Fundamentals, there are a number of terms that will come into play during the scanning phase of the wireless assessment. When a wireless network is created, it will be identified by one or more topologies defined by the IEEE 802.11 workgroup. There are three basic network topologies defined by the IEEE 802.11 group. They are as follows:
Now, let's look at each of them in detail:
There are a few other considerations to keep in mind when it comes to BSS:
In addition to the network configurations discussed earlier, IEEE 802.11 defines two configuration modes for operation: the infrastructure mode and the ad hoc mode. In nearly all of the wireless assessments that you will be involved with, the only mode you will be assessing is the infrastructure mode. As discussed previously, most networks are serviced by access points, and the ad hoc mode is rarely seen in production environments:
In the default configuration, an access point works in the infrastructure mode and creates a BSS. By having multiple access points, each serving its own BSS, we can establish an ESS. In the infrastructure mode, if you have admin access to an access point, then it implies that you have access to all the traffic originating from, or going to, the client stations associated with it. This is a key tenet of an access point in the infrastructure mode.
In this section, we will look at Wireless 802.11 frames. You might be familiar with 802.3 Ethernet frames (LAN) in wired networks and will immediately notice the differences when comparing them to WLAN frames. WLAN has three types of frames defined in 802.11 standards. They are as follows:
We will discuss each one of them in detail in this section.
In a wired network, a client station can directly connect to the network using a network cable plugged into a port in a switch or a hub. In a wireless network, since the concept of cables does not exist, a mechanism must be established to provide the client with the same "plugging in and unplugging" functionality. With the help of management frames, the client station performs an action similar to that of connecting and disconnecting cables, but in a manner suited to a wireless connection. These frames are also responsible for maintaining communication between the stations.
There are several subtypes of Management frames, and they are listed as follows:
More information on these frames can be found at http://www.wi-fiplanet.com/tutorials/article.php/1447501/Understanding-80211-Frame-Types.htm.
During the scanning phase of penetration testing, we are primarily interested in beacon frames and probe response frames, which are subtypes of Management frames. In subsequent chapters, you will also take a look at how these management frames can be manipulated to attack the target wireless network. The term "Beacon frames" is commonly simplified to beacons, and they originate from access points at regular intervals. Beacon frames from the access point help a client station discover and associate with the access point. Whenever a client station comes within the Basic Service Area of an access point, it discovers the presence of the AP by listening to Beacon frames from the AP. Some guides or benchmarks will recommend disabling beacon frames to hide the presence of the AP; however, later in this chapter, we'll look at how the presence of an access point can still be determined even if beaconing is disabled. As an analogy, think of beacon frames as an AP shouting "Marco!" in a game of Marco Polo. The client will be alerted to its presence and can respond in kind.
A beacon frame contains the SSID value, which is of interest to us when it comes to discovering WLANs. We can list the WLAN networks in range by simply capturing the WLAN traffic and extracting the beacon frames from it. While scanning an 802.11 wireless network, our aim is to capture as many beacon frames as possible. Beacon frames carry much of the information about the target network. By looking into a beacon frame, we can extract the following properties:
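As an added example (not code from this book), the following parser walks a raw beacon frame and pulls out the properties a scan records: BSSID, SSID, channel, beacon interval, capability bits and supported rates. The frame bytes are constructed inline, not a real capture, and the code assumes a plain 24-byte management header with no QoS or HT extensions.

```python
import struct

# Constructed sample beacon (not a real capture): 24-byte MAC header, 12 bytes of
# fixed fields, then three information elements (SSID, Supported Rates, DS Parameter Set).
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "021122334455" "021122334455" "1000"  # FC, dur, DA, SA, BSSID, seq
    "0000000000000000" "6400" "1104"                                   # timestamp, interval 100 TU, capability
    "000854657374574c414e"                                             # IE 0: SSID "TestWLAN"
    "010482848b96"                                                     # IE 1: rates 1/2/5.5/11 Mbps (basic)
    "030106"                                                           # IE 3: DS parameter set, channel 6
)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body: bytes) -> dict:
    """Walk the TLV information elements that follow the fixed fields."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) < length:      # truncated element: stop rather than misparse
            break
        ies.setdefault(eid, value)   # keep the first copy of a duplicated element
        off += 2 + length
    return ies

def parse_beacon(frame: bytes) -> dict:
    """Extract the fields the scanning phase cares about from one beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]                                 # type in bits 2-3, subtype in bits 4-7
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 8:
        raise ValueError("not a management/beacon frame")
    interval, cap = struct.unpack_from("<HH", frame, 32)
    ies = parse_ies(frame[36:])
    ssid_raw = ies.get(0, b"")
    hidden = not ssid_raw.strip(b"\x00")          # empty or all-NUL SSID: "hidden" network
    return {
        "bssid": mac(frame[16:22]),
        "ssid": None if hidden else ssid_raw.decode("utf-8", "replace"),
        "hidden_ssid": hidden,
        "channel": ies[3][0] if ies.get(3) else None,
        "beacon_interval_tu": interval,
        "ess": bool(cap & 0x0001),                # infrastructure BSS
        "ibss": bool(cap & 0x0002),               # ad hoc network
        "privacy": bool(cap & 0x0010),            # encryption required
        "rsn_present": 48 in ies,                 # RSN element (ID 48) signals WPA2/WPA3
        "rates_mbps": [(r & 0x7f) / 2 for r in ies.get(1, b"")],
    }
```

A hidden network still beacons with an empty SSID element, so the channel, BSSID and capability bits are recovered even when the name is not.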
Control frames are used to acquire and clear the channel and for other traffic management in a wireless medium. These frames are required for the proper operation of the traffic exchange between client stations without hiccups. There are several subtypes of control frames, and they are as follows:
Data frames are the actual workhorses in carrying the data from mobile clients to the distribution system. Data frames carry the higher-layer information in the body of the frame. In the later stages of this chapter, we will be sniffing these frames to extract valuable data transferred to and from client stations.
In this section, we have discussed the different frames used in WLAN. Let's get into the core of the chapter; our aim in this chapter is to discover information about the wireless local area networks of our target.