Friday 25 May 2012

Detecting Wardriving

For my research, one of the questions I would like to answer is how prevalent wardriving is, or whether it is only researchers that are doing this type of activity. According to Wikipedia, "Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA)." That is a definition I would agree with. Once the activity moves from locating Wi-Fi access points to connecting to them, to my mind it has moved away from wardriving and, if you are within the UK, has become an illegal act. Legislation varies around the world, so I will refer to UK law.

Although I started with a question about wardriving, the real question is how many people are scanning for Wi-Fi networks that they can connect to when they do not have authorisation to do so.

Detecting Wi-Fi networks can be done in a number of ways.

1) Listening for broadcast beacons (passive)

Access points broadcast their SSID and capabilities in a beacon frame at a regular interval (typically every 100 ms). Turning off "Broadcast SSID" does not stop the beacons: the access point keeps sending them, but with the SSID field blanked, so the network name then has to be learned from other frames, such as a client's probe request or association request for that network.

2) Probe request and response frames (active)

A client can issue a probe request with or without an SSID. An access point that has a matching SSID replies with a probe response carrying its capabilities. If the probe request has a blank (wildcard) SSID, most access points will respond to it with a probe response carrying their capabilities.

3) Sniffing frames (passive)

This last method puts the wireless card into monitor mode and captures every frame it can hear, without transmitting anything. The captured frames are then decoded to identify the networks in range: the SSID from beacons, probe responses and association requests, and the BSSID from any frame that carries it.

Someone using a purely passive method to locate a Wi-Fi network cannot be detected over the air until they connect to an access point; that is beyond the scope of this blog entry. I am concentrating on detecting probe requests and probe responses.

Wi-Fi frames

A bit of background to the frames used by Wi-Fi networks: the 802.11 standard defines three frame types that stations (NICs and access points) use for communications, as well as for managing and controlling the wireless link.
  • Data frames
  • Management frames
  • Control frames
The first two bytes of the MAC header form the frame control field, which specifies the form and function of the frame. The frame control field is further subdivided into sub-fields; the two I am interested in are:
  • Type: two bits identifying the type of WLAN frame. Management, Control and Data are the frame types defined in IEEE 802.11 (the fourth value is reserved).
  • Subtype: four bits providing additional discrimination between frames. Type and subtype together identify the exact frame.
Management frames are type 0
Control frames are type 1
Data frames are type 2

Management Frames (type 0)
  • Association request frame: subtype 0
  • Association response frame: subtype 1
  • Reassociation request frame: subtype 2
  • Reassociation response frame: subtype 3
  • Probe request frame: subtype 4
  • Probe response frame: subtype 5
  • Beacon frame: subtype 8
  • Disassociation frame: subtype 10
  • Authentication frame: subtype 11
  • Deauthentication frame: subtype 12
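To make the frame control layout above concrete, here is an added example of my own (not code from the original post, nor from CommView or Wireshark) that decodes the type and subtype bits of a raw 802.11 frame and pulls the SSID element out of the management subtypes that carry one. The frames at the bottom are constructed by hand, with any radiotap header already stripped, so the script runs without a wireless card; the field offsets follow the 802.11 management frame format (24-byte MAC header, then the fixed fields, then the tagged elements).

```python
"""Decode the 802.11 frame control field and the SSID element of management
frames.  Pure Python, no capture library; the sample frames at the bottom are
constructed by hand (radiotap header already stripped), not real captures."""
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}
# Bytes of fixed fields that sit between the MAC header and the tagged
# elements, for the management subtypes that can carry an SSID element.
FIXED_BEFORE_IES = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}


@dataclass
class Frame:
    ftype: int
    subtype: int
    src: str              # Address 2 (transmitter) of the MAC header
    dst: str              # Address 1 (receiver)
    bssid: str            # Address 3
    ssid: Optional[str]   # None: no SSID element; "": wildcard or hidden SSID

    @property
    def name(self) -> str:
        if self.ftype == 0:
            return MGMT_SUBTYPES.get(self.subtype, f"Management subtype {self.subtype}")
        return f"{TYPE_NAMES.get(self.ftype, 'Reserved')} subtype {self.subtype}"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ssid(ies: bytes) -> Optional[str]:
    """Walk the tagged elements (1-byte ID, 1-byte length, value) for ID 0."""
    i = 0
    while i + 2 <= len(ies):
        eid, ln = ies[i], ies[i + 1]
        val = ies[i + 2:i + 2 + ln]
        if len(val) < ln:            # truncated element: stop, do not over-read
            break
        if eid == 0:
            # Zero length (wildcard probe) or all-NUL (hidden beacon) -> ""
            if ln == 0 or not val.strip(b"\x00"):
                return ""
            return val.decode("utf-8", errors="replace")
        i += 2 + ln
    return None


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 24:
        raise ValueError("too short for an 802.11 MAC header")
    fc = raw[0]                      # low byte of the 2-byte frame control field
    if fc & 0x03:                    # bits 0-1: protocol version, must be 0
        raise ValueError("unknown 802.11 protocol version")
    ftype = (fc >> 2) & 0x03         # bits 2-3: type (0 mgmt, 1 ctrl, 2 data)
    subtype = (fc >> 4) & 0x0F       # bits 4-7: subtype
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    ssid = None
    if ftype == 0 and subtype in FIXED_BEFORE_IES:
        ssid = parse_ssid(raw[24 + FIXED_BEFORE_IES[subtype]:])
    return Frame(ftype, subtype, mac_str(addr2), mac_str(addr1), mac_str(addr3), ssid)


def is_probe_request(f: Frame) -> bool:
    """Same test as the Wireshark filter wlan.fc.type_subtype eq 4."""
    return f.ftype == 0 and f.subtype == 4


# ---- constructed sample frames (illustrative, not real captures) ----
def build_mgmt(subtype: int, src: bytes, dst: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = struct.pack("<H", subtype << 4)   # version 0, type 0, subtype in bits 4-7
    return fc + b"\x00\x00" + dst + src + bssid + b"\x10\x00" + body


def ssid_ie(s: bytes) -> bytes:
    return b"\x00" + bytes([len(s)]) + s


BCAST = b"\xff" * 6
CLIENT = bytes.fromhex("001122334455")
AP = bytes.fromhex("66778899aabb")
RATES_IE = b"\x01\x04\x82\x84\x8b\x96"
FIXED12 = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04"   # timestamp, interval, capability

WILDCARD_PROBE = build_mgmt(4, CLIENT, BCAST, BCAST, ssid_ie(b"") + RATES_IE)
DIRECTED_PROBE = build_mgmt(4, CLIENT, BCAST, BCAST, ssid_ie(b"HomeNet") + RATES_IE)
HIDDEN_BEACON = build_mgmt(8, AP, BCAST, AP, FIXED12 + ssid_ie(b"\x00" * 9) + RATES_IE)
BEACON = build_mgmt(8, AP, BCAST, AP, FIXED12 + ssid_ie(b"CoffeeShop") + RATES_IE)
DATA_FRAME = bytes([0x08, 0x02]) + b"\x00\x00" + AP + CLIENT + AP + b"\x20\x00" + b"payload"

if __name__ == "__main__":
    for raw in (WILDCARD_PROBE, DIRECTED_PROBE, HIDDEN_BEACON, BEACON, DATA_FRAME):
        f = parse_frame(raw)
        print(f"{f.name:<22} src={f.src} ssid={f.ssid!r} probe_req={is_probe_request(f)}")
```

The two cases worth noticing are the ones the post's method relies on: a wildcard probe request carries a zero-length SSID element, and a beacon from an access point with "Broadcast SSID" turned off still arrives, just with its SSID element blanked. Frames that are shorter than their declared element length are cut off rather than read past the end, which matters when the capture source is untrusted radio traffic.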

Identification of frames

Using a packet sniffer capable of analysing Wi-Fi frames, such as CommView for WiFi or Wireshark with a suitable wireless NIC in monitor mode (without monitor mode the card only passes up frames addressed to itself), we can sniff the frames being broadcast. To keep the exercise ethical we apply a filter to ensure we are only examining the probe request and probe response frames, and we transmit nothing and join no network ourselves.

With Wireshark we can use the following display filters (for management frames the type is 0, so the combined type/subtype value is simply the subtype):

Management frames: wlan.fc.type eq 0
Probe request: wlan.fc.type_subtype eq 4
Probe response: wlan.fc.type_subtype eq 5

Wireshark also decodes the SSID element of each management frame, so the probe request filter can be further restricted to those whose SSID is blank.

What we are looking for is a pattern of probe requests and probe responses. A person wardriving with an active scanner will be continually sending out probe requests with a blank SSID, which we can detect for as long as they are in range; a person just doing a quick scan for available networks will send a short burst of probe requests with a blank SSID. Ordinary clients also send probe requests from time to time, both blank and for the networks they remember, so the distinguishing feature is the rate and duration of blank-SSID probes from one source address, not their mere presence. Bear in mind that the source address is under the sender's control and can be changed, so it identifies a radio only for as long as it is kept constant.
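As an added example of the pattern matching described above (my own illustration, not the original post's code or results), the script below groups probe requests by source address and classifies each address by how many blank-SSID probes it sent and over what span. The thresholds (60 seconds sustained, at least 20 blank probes, a burst of under 10 seconds) are assumptions chosen for illustration, and the records are constructed to show the three patterns from the post plus a client that only probes for known networks.

```python
"""Per-source classification of probe-request activity.

Each record is (timestamp_seconds, source_mac, ssid); ssid == "" means a
blank (wildcard) SSID.  The records at the bottom are constructed to
illustrate the patterns in the post; they are not from a real capture."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Record = Tuple[float, str, str]


@dataclass
class ProbeSummary:
    mac: str
    wildcard: int = 0      # probe requests with a blank SSID
    directed: int = 0      # probe requests naming a specific SSID
    first: float = 0.0     # time of the first probe seen from this address
    last: float = 0.0      # time of the last probe seen from this address

    def duration(self) -> float:
        return self.last - self.first


def summarise(records: Iterable[Record]) -> Dict[str, ProbeSummary]:
    """Group probe requests by source address and count blank vs named SSIDs."""
    per_mac: Dict[str, ProbeSummary] = {}
    for ts, mac, ssid in sorted(records):
        s = per_mac.get(mac)
        if s is None:
            s = per_mac[mac] = ProbeSummary(mac, first=ts, last=ts)
        if ssid == "":
            s.wildcard += 1
        else:
            s.directed += 1
        s.last = max(s.last, ts)
    return per_mac


def classify(s: ProbeSummary, sustained_secs: float = 60.0,
             min_wildcard: int = 20, burst_secs: float = 10.0) -> str:
    """Thresholds are illustrative assumptions; tune them to the environment."""
    if s.wildcard == 0:
        return "directed only: client looking for networks it already knows"
    if s.wildcard >= min_wildcard and s.duration() >= sustained_secs:
        return "sustained blank-SSID probing: active scanner in range"
    if s.duration() <= burst_secs:
        return "short burst: one-off scan for available networks"
    return "sparse blank-SSID probes: consistent with normal client background scanning"


def report(records: Iterable[Record]) -> Dict[str, str]:
    return {mac: classify(s) for mac, s in summarise(records).items()}


# ---- constructed sample: four radios over a two-minute window ----
SCANNER, QUICK, PHONE, LAPTOP = ("aa:bb:cc:00:00:0%d" % i for i in (1, 2, 3, 4))
SAMPLE: List[Record] = []
SAMPLE += [(float(t), SCANNER, "") for t in range(0, 120)]           # one blank probe per second
SAMPLE += [(t, QUICK, "") for t in (30.0, 30.2, 30.4, 31.0, 31.2)]   # one "refresh networks" click
SAMPLE += [(5.0, PHONE, "HomeNet"), (35.0, PHONE, ""), (65.0, PHONE, "HomeNet"),
           (95.0, PHONE, ""), (125.0, PHONE, "HomeNet")]           # idle phone, occasional probes
SAMPLE += [(t, LAPTOP, "OfficeWLAN") for t in (12.0, 72.0)]         # never probes blank

if __name__ == "__main__":
    for mac, s in summarise(SAMPLE).items():
        print(f"{mac}  blank={s.wildcard:3d} named={s.directed:2d} "
              f"span={s.duration():6.1f}s  -> {classify(s)}")
```

The records could be produced from a live capture by any decoder that yields the source address and SSID element of each probe request. Because the source address is chosen by the sender, the grouping key is only as reliable as the sender's willingness to keep it constant; a scanner that rotates its address would show up as many short bursts rather than one sustained source, which is why the burst count across all addresses in a window is worth reporting alongside the per-address verdicts.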

This will be continued with some examples of the findings.



