WLAN connection(open,wep-open,wep-shared,wpa-tkip,wpa2-aes)
In this article we walk through the minimum frame exchange needed to connect to a WLAN under each of the security modes below.
A. open security
B. WEP-open
C. WEP-shared
D. WPA-TKIP
E. WPA2-AES
A. OPEN / NO / NONE security WLAN connection:
Step 1: The STA discovers the AP by active scanning (Probe Request/Response) or passive scanning (listening for Beacons); which one is used is implementation dependent.
Step 2: Connect to the AP.
a. Layer 2 connection:
|STA| |AP|
Authentication Frame [1] —————————->
<—————————— Authentication Frame [2]
Association Request [3] ——————————–>
<—————————— Association Response [4]
b. Layer 3: DHCP. We are not going into the details of the DHCP procedure here; it will be covered in another article.
Let us see the AP-CLIENT State Machine.
Sniffer Capture:
Let us see all the frames discussed above in a sniffer capture.
Though every frame carries many fields, let us pick out the important ones from the four frames above [2 Authentication frames, Association Request and Response].
- Authentication frame from station:
- Auth Algo: Open
- Auth SEQ: 1
- Status Code: Successful
- Authentication frame from AP:
- Auth Algo: Open
- Auth SEQ: 2
- Status Code: Successful
- Association Request:
- Listen Interval: in units of the Beacon Interval; how many beacons the STA may sleep through before it must wake to check the TIM.
- SSID: the AP's SSID
- Supported Rates [8]: 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps (11b/g rates in this capture)
- Extended Supported Rates [4]: 24, 36, 48, 54 Mbps
- (Optional) If STA and AP support 11n or 11ac we should also see HT or VHT Capabilities respectively.
- (Optional) If WMM is supported we should see the WMM IE.
- Association Response:
- Status Code: 0 (Successful) or a rejection reason code
- AID: 1 to 2007 (0 is reserved)
- Supported Rates: 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps (11b/g rates in this capture)
- Extended Supported Rates: 24, 36, 48, 54 Mbps
- (Optional) If STA and AP support 11n or 11ac we should also see HT or VHT Capabilities respectively.
- (Optional) If WMM is supported we should see the WMM IE.
- No security IE, since this is an open connection.
Basic Rate:
- The AP mandates that stations joining the BSS support certain rates; these are called the basic rates.
- All management frames, multicast, and broadcast frames are transmitted at one of the basic rates.
- In the rates element each octet carries a rate in 500 kbps units in its low 7 bits; the most significant bit (bit 7, 0x80) is set to 1 for a basic rate.
Supported Rate:
- Support for these rates is not required to join the BSS, but a station may transmit at any supported rate that the receiving station also supports.
- Bit 7 is 0 for a (non-basic) supported rate.
- Data frames can be sent at a supported rate.
Extended Supported Rates:
- For STAs supporting more than eight rates, this element shall be included in every frame type that includes the Supported Rates element.
- Same encoding as the Supported Rates element; in this capture bit 7 is 0 for all extended rates, i.e. none of them is a basic rate.
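The four frame bodies of the Open System connection above, decoded by a small parser. This is an added example and not code from the original article: the bodies are constructed here to mirror the capture fields described in the text (Auth Algo/SEQ/Status, Capability Information, Listen Interval, SSID, Supported and Extended Supported Rates, Status Code, AID); the SSID "TestAP", Listen Interval 10 and AID 1 are assumed sample values, and MAC headers are omitted.

```python
"""Decode the four management frame bodies of an Open System connection.

Added example, not code from the original article. The frame bodies are
constructed here to mirror the capture fields described in the text (Auth
Algo/SEQ/Status, Capability Information, Listen Interval, SSID, Supported and
Extended Supported Rates, Status Code, AID). MAC headers are omitted; only
the management frame body is parsed. SSID "TestAP", Listen Interval 10 and
AID 1 are assumed sample values.
"""
import struct

EID_SSID, EID_RATES, EID_EXT_RATES = 0, 1, 50      # IEEE 802.11 element IDs
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010              # Capability Information bits
AUTH_ALGO = {0: "Open System", 1: "Shared Key"}


def parse_auth_body(body: bytes) -> dict:
    """Authentication frame body: three little-endian u16 fixed fields."""
    algo, seq, status = struct.unpack_from("<HHH", body, 0)
    return {"algo": AUTH_ALGO.get(algo, algo), "seq": seq, "status": status}


def split_ies(data: bytes) -> list:
    """Split a run of Information Elements into (element id, value) pairs."""
    ies, off = [], 0
    while off + 2 <= len(data):
        eid, ln = data[off], data[off + 1]
        ies.append((eid, data[off + 2:off + 2 + ln]))
        off += 2 + ln
    return ies


def decode_rates(value: bytes) -> list:
    """Each octet is a rate in 500 kbps units; the MSB (0x80) marks a basic
    rate, so 0x82 is 1 Mbps (basic) and 0x0C is 6 Mbps (supported only)."""
    return [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]


def basic_rates(rates: list) -> list:
    """Rates the AP mandates (MSB set) from a decode_rates() result."""
    return [mbps for mbps, is_basic in rates if is_basic]


def parse_assoc_req_body(body: bytes) -> dict:
    cap, listen = struct.unpack_from("<HH", body, 0)
    out = {"privacy": bool(cap & CAP_PRIVACY), "listen_interval": listen}
    for eid, val in split_ies(body[4:]):
        if eid == EID_SSID:
            out["ssid"] = val.decode(errors="replace")
        elif eid == EID_RATES:
            out["rates"] = decode_rates(val)
        elif eid == EID_EXT_RATES:
            out["ext_rates"] = decode_rates(val)
    return out


def parse_assoc_resp_body(body: bytes) -> dict:
    cap, status, aid = struct.unpack_from("<HHH", body, 0)
    # The two MSBs of the AID field are always 1; the AID itself is 14 bits.
    out = {"privacy": bool(cap & CAP_PRIVACY), "status": status, "aid": aid & 0x3FFF}
    for eid, val in split_ies(body[6:]):
        if eid == EID_RATES:
            out["rates"] = decode_rates(val)
        elif eid == EID_EXT_RATES:
            out["ext_rates"] = decode_rates(val)
    return out


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed sample bodies: the 11b/g rate set from the article, 1/2/5.5/11 basic.
RATES_11BG = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
EXT_RATES = bytes([0x30, 0x48, 0x60, 0x6C])          # 24, 36, 48, 54 Mbps
OPEN_EXCHANGE = [
    ("STA->AP Authentication", struct.pack("<HHH", 0, 1, 0)),
    ("AP->STA Authentication", struct.pack("<HHH", 0, 2, 0)),
    ("STA->AP Association Request", struct.pack("<HH", CAP_ESS, 10)
     + ie(EID_SSID, b"TestAP") + ie(EID_RATES, RATES_11BG) + ie(EID_EXT_RATES, EXT_RATES)),
    ("AP->STA Association Response", struct.pack("<HHH", CAP_ESS, 0, 0xC000 | 1)
     + ie(EID_RATES, RATES_11BG) + ie(EID_EXT_RATES, EXT_RATES)),
]


def decode_open_exchange(frames=OPEN_EXCHANGE) -> list:
    """Decode the four frames in order and return one dict per frame."""
    parsers = [parse_auth_body, parse_auth_body, parse_assoc_req_body, parse_assoc_resp_body]
    decoded = []
    for (name, body), parse in zip(frames, parsers):
        fields = parse(body)
        fields["frame"] = name
        decoded.append(fields)
    return decoded


if __name__ == "__main__":
    for fields in decode_open_exchange():
        print(fields)
```

The Privacy bit is decoded even though it is 0 here, so the same parser shows the only Capability Information difference between this exchange and the WEP and WPA cases that follow.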
B. WEP-OPEN security [64/128 bits] WLAN connection:
Important points about WEP-Open security:
- Same frame exchange as Open security.
- Total of 4 frames, as in Open security.
- Same fields as Open security, except that the Privacy bit (bit 4, 0x0010) in the Capability Information field is set to 1 in both the Association Request and Response.
- Data frames, however, are WEP-encrypted: each data frame carries a WEP header (IV + Key ID) and a trailing ICV.
First Authentication frame:
Second Authentication frame:
Association Request frame:
Association Response frame:
C. WEP-SHARED security [64/128bits] WLAN connection:
- Total of 6 frames.
- There may be 8 frames instead: if the AP is configured for Shared Key authentication and the client sends its first Authentication frame with the Open System algorithm, the AP rejects it (status code 13, unsupported authentication algorithm), so the client has to authenticate again with the Shared Key algorithm. The rejected Open System attempt accounts for the 2 extra frames at the beginning.
Here is the rejection message from the AP:
- Frame 1: Authentication [sent by client]:
- Auth Algo: Shared Key (1)
- Auth Seq: 1
- Status Code: Successful
- Frame 2: Authentication [sent by AP]:
- Auth Algo: Shared Key
- Auth Seq: 2
- Status Code: Successful
- Challenge Text: 128 bytes of AP-generated random data, sent in the clear
- Frame 3: Authentication [sent by client]:
- WEP header (IV + Key ID)
- WEP-encrypted body: Auth Algo Shared Key, Auth Seq 3, Status Code Successful and the Challenge Text element copied from Frame 2, followed by the ICV
- These fields are only readable in the sniffer if we can decrypt the frame with the WEP key.
- Frame 4: Authentication [sent by AP]:
- Auth Algo: Shared Key
- Auth Seq: 4
- Status Code: Successful if the decrypted challenge matched; otherwise a rejection (status code 15, challenge failure)
- Frame 5: Association Request:
- Same as WEP-Open
- Frame 6: Association Response:
- Same as WEP-Open
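The six-frame Shared Key exchange above, simulated end to end with both sides' messages. This is an added example and not code from the original article: RC4, the CRC-32 ICV and the WEP body layout follow the published WEP format, while the 104-bit key, the IV, the challenge and the wrong-key case are constructed values. It also carries the caveat a practitioner wants here: because Frame 2 is sent in the clear and Frame 3 encrypts exactly that text, XORing the two recovers the RC4 keystream for that IV, which is enough to answer a later challenge without knowing the key.

```python
"""Simulate the four-frame WEP Shared Key authentication described above.

Added example, not code from the original article. RC4, the WEP ICV (CRC-32)
and the WEP body layout follow the published WEP format; the 104-bit key, the
IV and the 128-byte challenge are constructed values. Besides running the
exchange for a correct and a wrong key, it shows why the scheme is weak:
frame 2 (clear challenge) XOR frame 3 (encrypted challenge) yields the RC4
keystream for that IV, enough to forge frame 3 without knowing the key.
"""
import struct
import zlib

EID_CHALLENGE = 16                              # Challenge Text element ID
ALGO_SHARED = 1
STATUS_SUCCESS, STATUS_CHALLENGE_FAIL = 0, 15   # 15: rejected, challenge failure

KEY = bytes.fromhex("0123456789abcdef0123456789")      # constructed WEP-104 key
WRONG_KEY = bytes.fromhex("00000000000000000000000000")
IV = b"\x01\x02\x03"                                   # constructed 24-bit IV
CHALLENGE = bytes(range(128))                          # constructed challenge text


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP body: IV(3) | KeyID byte | RC4(IV || key) over plaintext || ICV."""
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    clear = rc4(body[:3] + key, body[4:])
    data, tag = clear[:-4], clear[-4:]
    return data if icv(data) == tag else None


def auth_body(algo: int, seq: int, status: int, challenge: bytes = None) -> bytes:
    """Authentication frame body: fixed fields plus optional Challenge Text IE."""
    body = struct.pack("<HHH", algo, seq, status)
    if challenge is not None:
        body += bytes([EID_CHALLENGE, len(challenge)]) + challenge
    return body


def shared_key_exchange(ap_key: bytes, sta_key: bytes, iv: bytes, challenge: bytes) -> dict:
    """Frames 1-4 of Shared Key authentication; the AP verifies frame 3 with ap_key."""
    f1 = auth_body(ALGO_SHARED, 1, STATUS_SUCCESS)                  # STA -> AP
    f2 = auth_body(ALGO_SHARED, 2, STATUS_SUCCESS, challenge)       # AP -> STA, in clear
    f3 = wep_encrypt(sta_key, iv,                                   # STA -> AP, WEP-encrypted
                     auth_body(ALGO_SHARED, 3, STATUS_SUCCESS, challenge))
    clear = wep_decrypt(ap_key, f3)
    ok = (clear is not None
          and clear[:6] == struct.pack("<HHH", ALGO_SHARED, 3, STATUS_SUCCESS)
          and clear[8:] == challenge)
    status = STATUS_SUCCESS if ok else STATUS_CHALLENGE_FAIL
    f4 = auth_body(ALGO_SHARED, 4, status)                          # AP -> STA
    return {"frames": [f1, f2, f3, f4], "ap_status": status}


def recover_keystream(f2: bytes, f3: bytes) -> bytes:
    """Attacker view: the whole plaintext of frame 3 (fixed fields, the challenge
    copied from frame 2, and even the CRC-32 ICV) is predictable, so XOR with
    the ciphertext recovers the RC4 keystream for the IV used in frame 3."""
    known = auth_body(ALGO_SHARED, 3, STATUS_SUCCESS, f2[8:])
    known += icv(known)
    return bytes(k ^ c for k, c in zip(known, f3[4:]))


def forge_frame3(keystream: bytes, iv: bytes, new_challenge: bytes, key_id: int = 0) -> bytes:
    """Answer a fresh challenge with the recovered keystream, reusing the same IV."""
    plain = auth_body(ALGO_SHARED, 3, STATUS_SUCCESS, new_challenge)
    plain += icv(plain)
    if len(plain) > len(keystream):
        raise ValueError("keystream too short for this challenge")
    return iv + bytes([key_id << 6]) + bytes(p ^ k for p, k in zip(plain, keystream))
```

Run `shared_key_exchange(KEY, KEY, IV, CHALLENGE)` to get the four bodies and the AP's verdict; passing `WRONG_KEY` as the STA key makes the ICV check fail and Frame 4 carry status 15. Feeding frames 2 and 3 of a successful exchange to `recover_keystream()` and the result to `forge_frame3()` produces a Frame 3 the AP accepts under the real key, which is why Shared Key authentication is considered weaker than WEP-Open rather than stronger.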
D. WPA-TKIP security WLAN connection:
- Frame 1 Authentication: same as Open authentication.
- Frame 2 Authentication: same as Open authentication.
- Frame 3 Association Request:
– Privacy bit 1 + WPA element (vendor-specific IE, OUI 00:50:F2 type 1, carrying the TKIP cipher suites and the AKM).
- Frame 4 Association Response:
– Privacy bit 1
- 6 EAPOL frames follow: the 4-way handshake (M1 to M4), visible as EAPOL-Key frames, and the 2-message Group Key handshake that delivers the GTK. The latter is already encrypted with the pairwise key, so the sniffer shows those 2 frames only as data frames. We will discuss this in another post.
E. WPA2-AES security WLAN connection:
- Frame 1 Authentication: same as Open authentication.
- Frame 2 Authentication: same as Open authentication.
- Frame 3 Association Request:
– Privacy bit 1 + RSN element (ID 48, carrying the CCMP cipher suites and the AKM).
- Frame 4 Association Response:
– Privacy bit 1. No RSN IE is present in a normal Association Response frame.
- 4-way handshake: EAPOL-Key messages M1 to M4. In WPA2 the GTK is delivered inside M3, so no separate Group Key handshake is needed.
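The WPA element of the WPA-TKIP section and the RSN element of the WPA2-AES section, decoded from constructed Association Request bodies. This is an added example and not code from the original article: the two bodies are built to match the cases described in the text (Privacy bit set, then the WPA vendor-specific element with OUI 00:50:F2 type 1, or the RSN element with ID 48); the SSID "TestAP", Listen Interval 10 and the MFP-capable flag on the RSN element are assumed sample values. Suite names follow the IEEE 802.11 (00:0F:AC) and Microsoft (00:50:F2) OUI tables.

```python
"""Decode the WPA and RSN elements carried in the Association Request.

Added example, not code from the original article. The two Association
Request bodies are constructed to match the WPA-TKIP and WPA2-AES cases in
the text: Capability Information with the Privacy bit set, SSID, then either
the WPA vendor-specific element (OUI 00:50:F2, type 1) or the RSN element
(ID 48). SSID "TestAP", Listen Interval 10 and the MFP-capable bit are
assumed sample values.
"""
import struct

EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221
OUI_MS, OUI_IEEE = bytes.fromhex("0050f2"), bytes.fromhex("000fac")
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010

# Cipher and AKM suite selectors share the same type codes under both OUIs
# for the pre-802.11w entries; the higher codes exist only under 00:0F:AC.
CIPHER = {0: "group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
          8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
       5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}


def suite_name(table: dict, suite: bytes) -> str:
    """A suite selector is OUI(3) + type(1)."""
    oui, stype = suite[:3], suite[3]
    if oui not in (OUI_MS, OUI_IEEE):
        return "vendor:%s:%d" % (oui.hex(), stype)
    return table.get(stype, "unknown:%d" % stype)


def parse_suite_list(data: bytes, off: int, table: dict):
    """u16 count followed by that many 4-byte selectors; returns (names, new offset)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    names = [suite_name(table, data[off + 4 * i:off + 4 * i + 4]) for i in range(count)]
    return names, off + 4 * count


def parse_rsn_like(data: bytes) -> dict:
    """Shared layout of the WPA element (after OUI/type) and the RSN element:
    version | group cipher | pairwise count+list | AKM count+list | [RSN caps]."""
    (version,) = struct.unpack_from("<H", data, 0)
    out = {"version": version, "group": suite_name(CIPHER, data[2:6])}
    out["pairwise"], off = parse_suite_list(data, 6, CIPHER)
    out["akm"], off = parse_suite_list(data, off, AKM)
    if off + 2 <= len(data):            # RSN Capabilities; normally absent in WPA
        (caps,) = struct.unpack_from("<H", data, off)
        out["mfp_capable"] = bool(caps & 0x0080)   # bit 7: MFPC
        out["mfp_required"] = bool(caps & 0x0040)  # bit 6: MFPR
    return out


def parse_assoc_req_security(body: bytes) -> dict:
    """Privacy bit plus whichever of the WPA / RSN elements the request carries."""
    cap, _listen = struct.unpack_from("<HH", body, 0)
    out = {"privacy": bool(cap & CAP_PRIVACY)}
    off = 4
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if eid == EID_RSN:
            out["rsn"] = parse_rsn_like(val)
        elif eid == EID_VENDOR and val[:4] == OUI_MS + b"\x01":
            out["wpa"] = parse_rsn_like(val[4:])
        off += 2 + ln
    return out


def weak_suites(sec: dict) -> list:
    """(element, suite) pairs for deprecated ciphers offered in either element."""
    found = []
    for tag in ("wpa", "rsn"):
        el = sec.get(tag)
        if el:
            found += [(tag, s) for s in [el["group"]] + el["pairwise"] if s in WEAK]
    return found


def _ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def _u16(v: int) -> bytes:
    return struct.pack("<H", v)


# Constructed Frame 3 bodies for the two cases in the article.
WPA_TKIP_REQ = _u16(CAP_ESS | CAP_PRIVACY) + _u16(10) + _ie(EID_SSID, b"TestAP") + _ie(
    EID_VENDOR, OUI_MS + b"\x01" + _u16(1) + OUI_MS + b"\x02"          # version, group TKIP
    + _u16(1) + OUI_MS + b"\x02" + _u16(1) + OUI_MS + b"\x02")          # pairwise TKIP, AKM PSK
WPA2_AES_REQ = _u16(CAP_ESS | CAP_PRIVACY) + _u16(10) + _ie(EID_SSID, b"TestAP") + _ie(
    EID_RSN, _u16(1) + OUI_IEEE + b"\x04"                               # version, group CCMP
    + _u16(1) + OUI_IEEE + b"\x04" + _u16(1) + OUI_IEEE + b"\x02"       # pairwise CCMP, AKM PSK
    + _u16(0x0080))                                                     # RSN caps: MFP capable


if __name__ == "__main__":
    for body in (WPA_TKIP_REQ, WPA2_AES_REQ):
        sec = parse_assoc_req_security(body)
        print(sec, "weak:", weak_suites(sec))
```

The same decoder applies to the RSN element in Beacons and Probe Responses, which is where the AP advertises what it will accept; comparing that against the suites the client actually requests in Frame 3 is a quick way to spot a network that still allows TKIP or WEP alongside CCMP.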
Conclusion:
We have looked at the frame exchanges from no security up to WPA2-AES. In another post we will go deeper into the EAPOL frame exchanges.