
Telecommunications Program, SIS, University of Pittsburgh

Telecommunications Program

Management and Control Traffic Analysis in 802.11b Lab

Part I: Objective

With this lab you should be able to understand what management and control messages exist in 802.11b infrastructure networks and how they are exchanged.

Part II: Equipment List

Systems:
One IBM Laptop
Two external 802.11b wireless cards (ORiNOCO and Cisco)
Two access points already mounted in the SIS building (4th Floor)

Software:
Wireless Client Manager for ORiNOCO
AiroPeek NX wireless sniffer version 1.2

Part III: Introduction and Background

This lab should allow you to understand the management and control schemes used in 802.11b wireless infrastructure networks. A short introduction to the standard is included in order for you to understand the foundations behind the management scheme. This lab manual will not cover in detail all the intricacies of the standard, but will give you the basis and the necessary pointers to more detailed information.

3.1 The 802.11 standard - generalities

The 802.11 standard was published in 1997 by the IEEE (Institute of Electrical and Electronics Engineers) in the “Information Technology – Telecommunications Information exchange between systems” area. The official denomination of the standard is “Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications”. IEEE Standards are available at no cost at http://ieeexplore.ieee.org when accessed via the university’s network.

Student Name : _________________________

The 802.11 standard describes the functions and services required to operate wireless devices in ad hoc and infrastructure networks. It also details the management and control functions that allow mobility of the devices inside these networks. Additionally, it details the MAC and PHY layer operating specifications as well as authentication and privacy particularities. In this lab exercise you will familiarize yourself with the basic authentication, control and management schemes implemented in the standard.

This lab manual contains introductory information on the 802.11 and 802.11b standards; you are encouraged to read the relevant sections of the IEEE standard to obtain more details. Nevertheless, since standards are usually very extensive and employ complex terminology, they can be difficult to grasp, so you may find it useful to go through the following references (available through the ieeexplore site).

[1] Prasad, N. R., IEEE 802.11 System Design, ICPWC 2000, pp. 490-494.
[2] Bing, B., Measured Performance of the IEEE 802.11 Wireless LAN, Conference on Local Computer Networks, 1999, pp. 34-42.

Note: Do not print out the 802.11 or 802.11b standards using the SIS printers, both are very lengthy documents. You will be given pointers to specific sections and chapters in order to answer questions about the operation of wireless networks. Please view these documents online only.

3.2 802.11 Architecture

802.11 wireless networks are built around the Basic Service Set (BSS) concept. The BSS represents coverage areas in which stations (STA) communicate. The following figure shows two BSSs with two stations each.

[Figure: BSS1 containing STA1 and STA2; BSS2 containing STA8 and STA9]

Stations are the mobile (the ones that access the network while moving) or portable devices that communicate inside the BSS. Examples of STAs are laptops, PDAs or fixed computers with a wireless card. Outside the coverage area of a BSS, stations lose connectivity with the network. Since stations are either portable or mobile, the association of a station with a BSS is dynamic. This association is done through a distribution system service (DSS).

Version 2 (11/01/06) Mgmt and Control Traffic Analysis in 802.11b Lab 1of 16

BSSs can also be grouped together to form more complex networks. The component in the architecture used to join BSSs is the Distribution System (DS). The following figure illustrates this concept.

Although in the figure the DS appears to be directly related to a physical component of a network, it is important to point out that it is a service that could be implemented in different locations as you will see in this lab.

In the last figure the device labeled AP (access point) is a STA that provides the other stations in the BSS access to the DS. The DS, AP and BSS concepts allow the construction of large networks called ESS (Extended Service Set). The standard allows a station to operate in an ESS as if it were operating in a single independent BSS; this means that stations may move between BSSs in a way that is transparent to the LLC (Logical Link Control) sublayer.

Notice that in this lab, and in accordance with what is being installed in the SIS building, you will only be working with infrastructure networks. In these networks STAs communicate among themselves or with fixed stations via the AP. The APs also include what the standard calls “Portal functions”; this means that the APs also allow communication with fixed wireless networks.

The IEEE 802.11 standard does not constrain the DS to be either data link or network layer based, nor either centralized or distributed in nature. As a result the standard gives no implementation specifics for the DS, only definitions of services. In general, services can usually be associated with different components of the architecture.

[Figure: BSS1 (STA1, STA2) and BSS2 (STA8, STA9), each with its own AP, joined by the DS]

3.2.1 Categories of the IEEE 802.11 services (both are used by the IEEE 802.11 MAC layer)

Station Service (SS): those provided by stations
Distribution System Service (DSS): those provided by the DS

The following set of Station Services is provided in every STA or AP (APs also have STA functionality):

Authentication
Deauthentication
Privacy
MSDU (MAC service data unit) delivery

The following set of Distribution System Services is provided in every AP:

Association
Disassociation
Distribution
Integration (not reviewed here but used by the AP’s “portal” functionality)
Reassociation

Each of the DSS or SS services is supported via different MAC frame types. Some of the services relate to MAC management messages while others relate to MAC data messages. All messages gain access to the wireless medium via the MAC sublayer medium access method (based on CSMA/CA) described in the standard but outside this lab’s scope. (The IEEE 802.11 MAC sublayer uses three types of messages: data, management, control messages).

3.2.2 Delivery of messages in an ESS

[Figure: STA1 in BSS1 and STA4 in BSS2, served by AP1 and AP2, which are joined by the DS]

The previous figure helps in illustrating how messages are delivered in an ESS. If a data message is sent from STA1 inside BSS1 to STA4 inside BSS2 then the message is first sent to the output STA, AP1. Then AP1 gives the message to the distribution service of the DS. This service is in charge of delivering the information to the appropriate output station, AP2. Finally AP2 delivers the message to STA4. How the message is distributed within the DS is not specified in the 802.11 standard. Only the information necessary for the service to determine the correct output port is specified by the standard. This necessary information is provided to the DS via three association related services (association, reassociation and disassociation).


A station needs to be associated with the BSS before being able to receive any messages. Association is necessary in order to support mobility. The following mobility types are defined in the standard.

Stations may move inside their original BSS (called no-transition mobility).
Between BSSs but inside their original ESS (called BSS transition).
Outside their original ESS (called ESS transition; nevertheless, connection of upper layers like IP or TCP is not guaranteed by the 802.11 specifications and disruption of service is likely).

Association, reassociation and disassociation

The concept of association allows the distribution service to know which AP to access to reach a specific STA. Once association occurs a STA can experience no-transition mobility inside the BSS and maintain connectivity (at any given instant a STA can be associated with no more than one AP). However, association is necessary but not sufficient to support BSS transition.

A STA learns about the presence of APs in a given area by scanning all the 802.11 channels.

Handover

When a station determines that it must migrate from one AP to another (for example because of signal power measurements) it invokes the reassociation service. The reassociation service is also used to change attributes of an already established association.

When either an AP or a STA wants to terminate an association, they invoke the disassociation service. The disassociation service is a notification, not a request; therefore it cannot be refused by any party. You will see in this lab that the actual MAC protocol implementation does not make use of this service and that disassociation messages cannot be generated with the equipment that you will be using.

Control services

In order to provide functionalities similar to those of wired networks the IEEE 802.11 standard incorporates the access and the confidentiality control services. These two services provide a limited similarity to wired networks in the sense that a wireless network could appear to be physically separated from other wireless networks. Authentication replaces the wired medium connection, while privacy is obtained by providing confidentiality of the data transmitted on the network.

Since the network boundaries of a wireless network are not predefined and any user could eventually connect to it, the authentication service in 802.11 provides a means to ‘logically’ separate the network. All stations use this service (a station service) to establish their identity in the network. There is no authentication scheme mandated by the standard, therefore several schemes are available. In this lab you will study a basic scheme that provides limited authentication. This authentication takes place at the link level (there is no end-to-end or user-to-server authentication in the standard); it is basically used to configure the wireless links according to the network configuration.

A deauthentication service is also provided in the standard; nevertheless, as you will see in the lab actual MAC layer implementations do not make use of this service. The deauthentication service generates a notification (not a request) that results in a disassociation of a STA from a BSS.

Since any STA inside a BSS is capable of listening to all network traffic, the 802.11 standard provides a non-mandatory privacy service based on the WEP (Wired Equivalent Privacy) mechanism. This mechanism is not implemented in the network that you will be using. WEP has been shown to be easily broken and other mechanisms have been proposed.

Depending upon the state of a particular STA certain data, control or management frames can be sent. Usually a station will proceed to authenticate itself and then get associated with the AP that radiates the strongest signal (usually, but not necessarily, the closest one).

Remember that the services are implemented by the exchange of messages sent in 802.11 frames. The following table indicates the types of frames that are sent/received by a STA or AP depending on the state the STA is in within a BSS.

| Frame type | State 1: Unauthenticated and Unassociated | State 2: Authenticated and Unassociated | State 3: Authenticated and Associated |
|---|---|---|---|
| Control frames | | | |
| Request to send (RTS) | X | X | X |
| Clear to send (CTS) | X | X | X |
| Acknowledgement (ACK) | X | X | X |
| Contention Free (CF) | X | X | X |
| CF-End | X | X | X |
| PS-Poll | | | X |
| Management frames | | | |
| Probe request/response | X | X | X |
| Beacon | X | X | X |
| Authentication | X | X | X |
| Deauthentication | X | X | X |
| Announcement Traffic Indication Message (ATIM) | X | X | X |
| Association request/response | | X | X |
| Reassociation request/response | | X | X |
| Disassociation | | X | X |
| Data frames | | | |
| With control bits “from DS” and “to DS” set to false | X | X | X |
| With either “from DS” or “to DS” bit set to true | | | X |

(For more information refer to section 5.5 of the 802.11 standard for specifics about transitions and conditions between states.)

Part IV: Procedure

4.1 Description of the experiments you will be performing

With the wireless sniffer (the AiroPeek NX software version 2.0.1) you will be able to analyze the contents of 802.11 MAC frames. Before an 802.11 MAC frame is transmitted through the air, a physical sublayer called the PLCP prepends a preamble and a PLCP header to it. The software you will be using does not allow the capture of the PLCP preamble and PLCP header, only of the MAC part of the frame transmitted through the air.

With the sniffer you will be capturing different types of frames that will allow you to observe how a STA (a laptop) authenticates, associates and reassociates in the SIS network. You will also be observing and analyzing how other management frames are used.

For example, through the lab you will see that when the authentication service is invoked by a station it sends a message containing the following information (you should be able to verify this information when you capture traffic with the sniffer).

Association request message
Message type: Management
Message subtype: Association request
Information items:
IEEE address of the STA initiating the association
IEEE address of the AP with which the STA will associate
ESS ID
(direction of message: from STA to AP)

The Association response message will have a similar structure but will include in the information items a field to indicate if the association was ‘successful’ or ‘unsuccessful’. If an association is successful an association ID will also be included in the response.


4.1.2 MAC frame formats

The 802.11 frames have the following structure:

MAC header: contains frame control, duration, address and sequence control information
Variable length body: contains information that varies according to the frame type
Frame Check Sequence (FCS): contains an IEEE 32-bit CRC

With the wireless sniffer you will analyze the structure of several frame types.
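The MAC header, the association request message and the state table described above, decoded in Python as an added example (this is not code from the lab manual or from the AiroPeek tool): it parses the frame control, duration, address and sequence control fields, reads the values that Tables 2 to 4 ask for, and applies the state table of section 3.2.2 to a constructed Open System authentication and association exchange. The MAC addresses, the duration value and the frames themselves are constructed by hand, not captured from the SIS network.

```python
"""Decode 802.11 management frames and apply the STA state table of section 5.5.
Added example, not code from the lab manual: frames and MAC addresses below are
constructed by hand, not captured from the SIS network."""
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
MGMT_SUBTYPES = {0: "Assoc Req", 1: "Assoc Rsp", 2: "Reassoc Req", 3: "Reassoc Rsp",
                 4: "Probe Req", 5: "Probe Rsp", 8: "Beacon", 9: "ATIM",
                 10: "Disassoc", 11: "Auth", 12: "Deauth"}
# Frame classes behind the state table: class 1 in any state, class 2 once authenticated.
CLASS1_MGMT = {"Probe Req", "Probe Rsp", "Beacon", "Auth", "Deauth", "ATIM"}
CLASS2_MGMT = {"Assoc Req", "Assoc Rsp", "Reassoc Req", "Reassoc Rsp", "Disassoc"}
PS_POLL = 10  # control-frame subtype that is class 3 (state 3 only)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mac_header(frame: bytes) -> dict:
    """Decode the 24-byte management/data MAC header (no FCS, as AiroPeek shows it)."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
           "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
           "duration": duration,
           "addr1": mac_str(frame[4:10]),    # destination
           "addr2": mac_str(frame[10:16]),   # source
           "addr3": mac_str(frame[16:22]),   # BSSID
           "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
           "body": frame[24:]}
    if hdr["type"] == TYPE_MGMT:
        hdr["name"] = MGMT_SUBTYPES.get(hdr["subtype"], "unknown")
    return hdr

def parse_ies(data: bytes) -> dict:
    """Walk the information elements (element id, length, value) of a management body."""
    ies, pos = {}, 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        ies[eid] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return ies

def parse_mgmt_body(hdr: dict) -> dict:
    """Extract the fields Tables 2-4 ask for: auth algorithm, SSID, status code, AID."""
    body, name = hdr["body"], hdr.get("name")
    if name == "Auth":
        alg, seq, status = struct.unpack_from("<HHH", body, 0)
        return {"algorithm": "Open System" if alg == 0 else "Shared Key",
                "seq": seq, "status": status}
    if name in ("Assoc Req", "Reassoc Req"):
        skip = 4 if name == "Assoc Req" else 10  # reassoc req also carries the current AP
        return {"ssid": parse_ies(body[skip:]).get(0, b"").decode()}
    if name in ("Assoc Rsp", "Reassoc Rsp"):
        _cap, status, aid = struct.unpack_from("<HHH", body, 0)
        return {"status": status, "aid": aid & 0x3FFF}  # top two bits of the AID are always 1
    return {}

def frame_allowed(state: int, hdr: dict) -> bool:
    """The state table of section 3.2.2 applied to one decoded frame."""
    if hdr["type"] == TYPE_MGMT:
        return hdr["name"] in CLASS1_MGMT or (state >= 2 and hdr["name"] in CLASS2_MGMT)
    if hdr["type"] == TYPE_CTRL:
        return state == 3 if hdr["subtype"] == PS_POLL else True
    return state == 3 if (hdr["to_ds"] or hdr["from_ds"]) else True  # data frames

def next_state(state: int, hdr: dict) -> int:
    """Advance the STA state on successful responses and on the two notifications."""
    name, info = hdr.get("name"), parse_mgmt_body(hdr)
    if name == "Auth" and state == 1 and info["seq"] == 2 and info["status"] == 0:
        return 2
    if name in ("Assoc Rsp", "Reassoc Rsp") and state >= 2 and info["status"] == 0:
        return 3
    if name == "Disassoc" and state == 3:
        return 2
    return 1 if name == "Deauth" else state

def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    """Constructed management frame: sequence number 0, duration 314 us, no FCS."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    return struct.pack("<HH", fc, 314) + da + sa + bssid + struct.pack("<H", 0) + body

# Constructed addresses (not the real SIS APs) and the exchange the lab has you capture.
STA, AP_A = bytes.fromhex("00020000aaaa"), bytes.fromhex("00409600000a")
HANDOVER = [
    build_mgmt(11, AP_A, STA, AP_A, struct.pack("<HHH", 0, 1, 0)),  # Auth, Open System, seq 1
    build_mgmt(11, STA, AP_A, AP_A, struct.pack("<HHH", 0, 2, 0)),  # Auth seq 2, status success
    build_mgmt(0, AP_A, STA, AP_A, struct.pack("<HH", 1, 10) + b"\x00\x05sis01"),  # Assoc Req
    build_mgmt(1, STA, AP_A, AP_A, struct.pack("<HHH", 1, 0, 0xC001)),  # Assoc Rsp, AID 1
]

def run_exchange(frames) -> list:
    """Return (frame name, STA state after it); reject a frame its state does not allow."""
    state, trace = 1, []
    for raw in frames:
        hdr = parse_mac_header(raw)
        if not frame_allowed(state, hdr):
            raise ValueError(f"{hdr['name']} is not permitted in state {state}")
        state = next_state(state, hdr)
        trace.append((hdr["name"], state))
    return trace
```

Running `run_exchange(HANDOVER)` walks the STA from state 1 to state 3 exactly as the Auth, Auth, Assoc Req, Assoc Rsp sequence you capture in section 4.2.4 should.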

4.1.3 MAC sublayer management

The standard specifies management functions at both the PHY and MAC sublayers.

Among the management functions implemented at the MAC sublayer level is synchronization. A timer synchronization function (TSF) is implemented in order to keep all STAs inside a BSS synchronized. All STAs maintain a local TSF timer. In infrastructure networks (like the one in the SIS building) the TSF is managed by the APs. Each AP maintains an independent TSF and periodically broadcasts a special frame called a beacon. The beacon contains information that the stations use to adjust their own TSF timers.

Beacons serve several purposes. Since all APs independently broadcast them all the time, they are analyzed by a STA during the scanning process in order to determine with which AP to start the authentication and association procedures (this is just one way of doing it). When scanning the available channels a STA will look for beacons containing the SSID of the ESS it is supposed to look for.

The SSID value is usually manually entered during the configuration of the wireless card driver. For the SIS building the SSID is “sis01”.

Up to this point we have only reviewed the 802.11 standard. In 1999 the IEEE published an extension to the original standard, known as IEEE 802.11b. This extension is formally known as “Higher Speed Physical Layer Extension in the 2.4 GHz Band”. It allows the transmission of data at 5.5 and 11 Mbps; the original standard allowed transmission at 1 or 2 Mbps. 802.11b networks are backwards compatible with 802.11 ones.

4.2 The WildPackets AiroPeek NX software tool

You will be using the AiroPeek NX software to capture traffic. First, you will need to collect some configuration information for the software to function adequately.

4.2.1 Obtaining the MAC address and the channel numbers

You will be analyzing traffic coming from two access points on the 4th floor of the SIS building and from the IBM laptop. The figure on the next page will help you in locating the two access points. The access point at location A is on the right side of the corridor from the wireless lab, while B is on the other side of the corridor. In order to properly identify the STAs and APs that you will be using for this lab you will need the MAC addresses of these devices. Therefore you will need to obtain three MAC addresses.

To obtain the MAC address of the AP located inside the wireless lab:

1- Turn on the laptop and wait until Windows XP boots up.
2- Ask the GSR in charge of the lab for the username and password for this lab if these are needed.
3- Locate Access Point A as shown in the figure below.
4- Walk near the access point with your IBM Laptop. Double click on the green icon on the Windows toolbar (the Client Manager icon). When the icon is green it means that the ORiNOCO wireless card is associated with a valid wireless network.

If you DO NOT see the Client Manager icon turning green you might need to disable and enable the internal network card. To do this click on Start -> Settings -> Network Connections and right click on the Wireless Network Connection for the ORiNOCO Wireless LAN PC card icon. Select Disable. Wait a few seconds, then right click on the same icon again and select Enable.

5- After double clicking on the green icon, select Advanced then Site Monitor (the Site Monitor screen will allow you to identify the strongest signal; you should stand right next to the AP in order to be sure you identify the correct signal).
6- Standing right next to the AP in the lab, record the MAC address and the Channel of the strongest signal in Table 1 (these should appear on the Site Monitor tab; the pull down menus will allow you to select MAC address, Channel and SNR. The AP with the strongest SNR is the one you are interested in).

7- Walk to Access Point B and repeat the process.
8- With the Site Monitor record the MAC address and the Channel of the strongest signal in Table 1.
9- Select Advanced > card diagnostic in order to obtain the MAC address of the ORiNOCO wireless card, or type ipconfig /all at the DOS command prompt. You can do the latter as follows.
10- Click on Start -> Run …
11- Type “command”; this will open a Command Line Interface.
12- In the command window type “ipconfig /all”.
13- Record the MAC address of the ORiNOCO wireless card.

Now that you have collected the MAC addresses and channel number information you will start capturing packets with the WildPackets AiroPeek NX software.

Note: DO NOT TOUCH the CISCO wireless card. Do not connect the CISCO wireless card to any network.

4.2.2 Starting the AiroPeek NX program

1- Click on the Start button of the Windows taskbar.
2- Go to the Programs item of the menu.
3- Look for WildPackets AiroPeek NX and select it to start the program.
4- You will need to tell the program that it should capture frames using the external Cisco card. As soon as you start the program for the first time the “Monitor Options” window appears. Select the Wireless Network connection that corresponds to the Cisco card. You can tell which connection is the appropriate one by looking at the Properties description located at the bottom of the Monitor Options window.
5- After selecting the appropriate card click on the OK button.

[Figure: floor plan of the 4th floor showing the Wireless Lab and the locations of access points A and B]

Capturing Frames:

The first traffic you are interested in analyzing is the beacons broadcast by the APs.

Remember that beacons are frames broadcast by an Access Point once every 100 ms. A STA can use the beacons to calculate the signal strength of the neighboring Access Points. In this lab you will capture beacons near both APs and visualize how the reported signal power varies.

4.2.3 Observing the Beacons

1- Start WildPackets AiroPeek NX (if you have not done so already).
2- Click File then New.
3- Select CAPTURE > CAPTURE OPTION.
4- Rename the capture title to “<your initials>_beacons” then click OK.
5- Click on the 802.11 tab of the Capture Options window.
6- Select TOOL > OPTIONS.
7- On the options window click on the 802.11 tab then click the Scan button.
8- Next click on the Scan radio button and then on the Edit Scanning Options button.
9- When the Channel Scanning Options window appears, enable only the two channels that you recorded in Table 1.
10- Click on the duration times and change them to 1000 msecs for both channels then click Ok (the software allows you to listen to one channel at a time; you are configuring it to listen to a different channel every 1000 msecs).
11- Click Ok to close the Capture Options window.
12- A new capture window should appear.
13- Click on the Filter tab on the bottom right of the capture screen.
14- Go to Edit on the menu bar and click on Insert. This will enable you to create your own filter.
15- Rename the filter “<your initials>_beacon_samples_apa”. This filter will be used to listen to traffic coming only from access point A.
16- Place a check mark in the address filter box.
17- Change the type to Physical.
18- Type the MAC address of your Access Point A (from Table 1) in address 1.
19- Click on the box below and change the selection so that it reads address 1 to 2.
20- Address 2 should be set to Any address.
21- Place a check mark in the Protocol Filter.
22- Click the Protocol Filter button.
23- Double click on IEEE802.11 to drop down the menu.
24- Double click on the 802.11 management button.
25- Highlight Beacon and click Ok.
26- Click Ok on the edit filter menu.
27- The filter that you just created should be listed in alphabetical order.
28- Place a check mark in the box next to it to activate it.
29- Right click on that filter and click Duplicate.
30- The filter will be listed under “Copy of <your initials>_beacon samples”. Double click it.


31- Change the name to “<your initials>_beacon_samples_apb”. This filter will only capture traffic coming from access point B.
32- Change the address to the MAC address of Access Point B in Table 1.
33- Click OK.
34- Place a check mark in the box next to it.
35- You should now have only two filters with check marks highlighted.
36- Click on the Packets tab on the far left of the capture screen.
37- Click on the Start capture button on the upper right hand corner of the window.
38- Proceed to walk from Access Point A to Access Point B.
39- Press Stop capture when you are done (next to AP B). View the captured data and notice how the signal column indicates how the power of the signal coming from AP A decreased as you moved. In the same way the power of the signal coming from AP B has increased. This information is used by the station to determine when to handover from one AP to another.
40- Walk back to the wireless lab.
41- You do not need to save the captured traffic.

4.2.4 Observing a Handover

After recording the beacons you are going to analyze the authentication -> association -> reassociation message exchange traffic. This process is called handover or handoff.

How to identify Authentication, Associations and Re-associations.

1- Click File and New.
2- Name the capture title “<your initials>_management” then click OK.
3- Select the 802.11 tab then click on Number.
4- Change the number of the channel to the number of the channel used by Access Point A, inside the lab.
5- Click OK.
6- Click on the Filters tab on the lower right of the capture window.
7- Click on Edit and Insert.
8- Type “<your initials>_management” in the filter box. This filter will be used to filter out all traffic except management traffic.
9- Place a check mark in the Address filter box.
10- Change the Type to Physical if it is not already done.
11- The box below the Type should read Both Directions.
12- Insert the MAC address of the Toshiba laptop internal wireless card from Table 1.
13- Click on Any address in the address 2 box.
14- Place a check on the Protocol Filter.
15- Click the Protocol Filter.
16- Double click on IEEE 802.11. There should be a sub menu that drops down.
17- Click on 802.11 Management.
18- Click OK (802.11 Management should appear next to the Protocol button).
19- Click Ok on the edit filter menu.
20- The filter that you just created should be listed in alphabetical order. Place a check mark in the box next to it (make sure this is the only active filter).


21- In order to capture all necessary frames you will need to disable the internal wireless card before you start capturing traffic. This is done in order to be able to capture the association messages generated when the card is enabled again. Go to Start -> Settings -> Network Connections, right click on Wireless Network Connection ORiNOCO Wireless LAN PC card and select Disable.

22- Click Start capture. Notice that since you only have one filter active there should be no traffic being captured.

23- Now, to see the initial exchange of messages, you have to enable the Toshiba internal wireless card again. Go to Start -> Settings -> Network Connections, right click on Wireless Network Connection ORiNOCO Wireless LAN PC card and select Enable.

24- As soon as you enable the card you should see the program start to capture traffic. Observe and write down what kinds of frames were the first ones exchanged after you activated the card; you only need to note the frame types in order to answer a question at the end of the lab.

25- Walk all the way around the 4th floor and come back to the lab.
26- When you come back to the Wireless lab click Stop Capture.
27- Observe the protocol column on the Capture screen.
28- You should see the two Auth (authentication) messages (first few lines of the capture), an Assoc Req (association request), an Assoc Rsp (association response) and Reassoc (reassociation) messages.

29- If you don’t you will need to start a new capture (disabling the internal wireless card first) and walk around the 4th floor again.

30- Double click on an authentication, an association request and an association response message and fill out Tables 2, 3 and 4. (In order to go back from the packet window to the capture window, close the appropriate window; be sure to close the packet window and not the AiroPeek NX software one.)

31- Open the second Auth message and notice the type of response (Successful or not).

32- Close all windows and delete the filters you created by highlighting them and hitting the Delete (Del) key.

How to identify Disassociations

The MAC implementation varies by vendor and with the equipment you have you cannot force it to generate disassociation messages. If you want to observe disassociation messages you may want to capture traffic and look only for management frames, but you are not required to do so in this lab.

Table 1 – MAC addresses and channels

| Device | MAC Address | Channel Number |
|---|---|---|
| Access Point A | | |
| Access Point B | | |
| Toshiba laptop | | |

Table 2 – Authentication

| Field | Value |
|---|---|
| Data rate | |
| Channel | |
| Channel frequency | |
| Signal level | |
| MAC Header type | |
| MAC header Subtype | |
| Duration | |
| Destination | |
| Source | |
| BSSID | |
| Auth Algorithm | |

Table 3 – Association

| Field | Value |
|---|---|
| Data rate | |
| Channel | |
| Channel frequency | |
| Signal level | |
| MAC Header type | |
| MAC header Subtype | |
| Duration field | |
| Destination | |
| Source | |
| BSSID | |
| SSID | |

Table 4 – Association Response

| Field | Value |
|---|---|
| Data rate | |
| Channel | |
| Channel frequency | |
| Signal level | |
| MAC Header type | |
| MAC header Subtype | |
| Duration field | |
| Destination | |
| Source | |
| BSSID | |
| Status code | |
| Association ID | |

Part V: Questions

In order to answer the following questions you may want to read the first two references cited in this lab manual. When referring to the 802.11 standard you will be assigned specific sections to read. Give brief answers to the following questions (limit each answer to less than 100 words).

1. When you examined the auth frames you noticed a close/open system field. What is an open or closed 802.11 system?

2. What is the meaning of the duration field in the authentication frame?

3. Why is the data rate reported in some frames 2Mbps instead of 11Mbps?

4. What is the sublayering structure of the physical layer in 802.11? (Hint: there are two sublayers, just name them)

5. Remember you were asked to observe frame types before authentication. What frames types did you observe? What are the types of scanning implemented in the standard? How do they work? Based on your answer, what type of scanning is being used?

6. During the lab you observed the implementation of a very limited authentication scheme. Why is it limited? Briefly describe the Radius and Shared Key via WEP authentication schemes.

(Turn in only Tables 1,2,3,4 and the answers to the questions. DO NOT turn in any file or captured data).
