The To DS and From DS Fields

I’m currently studying for the Certified Wireless Analysis Professional (CWAP) exam, and while rereading the study guide I found the chapters examining the fields and elements of the 802.11 MAC header the most interesting. I had a rough idea of them before, but during my studies I learned a great deal more about the fields dedicated to wireless that keep the network functioning and get frames delivered. Two fields of particular interest are To Distribution System (To DS) and From Distribution System (From DS), which together indicate whether a frame is leaving or entering the wireless environment.

Distribution System

A quick definition first: the distribution system (DS) is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS). The DS is typically an 802.3 Ethernet wired network, but it doesn’t have to be; the DS can even be a wireless backhaul.

MAC Header & Frame Control Field

Let’s now look at the MAC header, which can contain up to four address fields. The number of address fields is a major difference between Ethernet frames, which use only two, and wireless frames, which can use as many as four. Each address field is 6 bytes long to hold a standard 48-bit MAC address. Most wireless frames use only three of the address fields; only frames with both To DS and From DS set, i.e. frames relayed across a wireless distribution system, use all four.

The MAC header begins with the Frame Control field, which consists of 11 subfields (see the screenshot below): Protocol Version, Type, Subtype, To DS, From DS, More Fragments, Retry, Power Management, More Data, Protected Frame, and Order. The To DS and From DS fields are each 1 bit, set to either 1 or 0, which gives four possible combinations of the two.

(screenshot: MAC header with the Frame Control subfields)

The To DS and From DS fields are important when assessing a frame, since their bit combination identifies whether the frame is entering or leaving the wireless environment. They also show whether the frame belongs to an ad hoc network or to a wireless distribution system, or whether it is a Management or Control frame that is never intended to leave the wireless medium.

To DS and From DS fields are both 0

The frame is either part of an ad hoc (IBSS) network or is a frame not intended to leave the wireless environment. The screenshot below shows a Beacon Management frame with both bits 0, i.e. a status of not leaving the DS or network (see the highlighted line). Management and Control frames always have the To DS and From DS fields set to 0 and are never forwarded to the distribution system; a management or control frame with either bit set is malformed.

An ad hoc network connects wireless devices directly to each other and typically does not connect to a wired network, so there is no DS involved and no reason to set either field to 1.

(screenshot: Beacon frame in Wireshark, To DS = 0 and From DS = 0)

To DS field is 1 and From DS field is 0

The frame is leaving the wireless environment and is intended for a host on the distribution system. For example, after a wireless station authenticates and associates it needs to obtain an IP address; its DHCP request is sent to the AP with To DS = 1, and the AP forwards it onto the distribution system where the DHCP server resides.

To DS field is 0 and From DS field is 1

The frame is entering the wireless environment from the DS. The screenshot below shows a Data frame (see the Type/Subtype field) captured in Wireshark; the highlighted line shows the To DS and From DS fields along with a status of the frame coming from the DS to the station via the access point.

(screenshot: Data frame in Wireshark, To DS = 0 and From DS = 1)

To DS and From DS fields are both 1

When both To DS and From DS are set to 1, the frame is being relayed between access points over a wireless distribution system (WDS). WDS links are used to connect multiple networks together, typically for building-to-building connectivity, or to connect access points together to form a wireless mesh network. These are the only frames that carry a fourth address field.

Address Fields

As mentioned, the MAC header can contain four addresses, and what each address field holds changes depending on how To DS and From DS are set. Here is a quick reference for how the address fields are assigned for each To DS and From DS combination.

To DS and From DS are both 0

Address 1 = Destination
Address 2 = Source
Address 3 = BSSID

To DS field is 1 and From DS field is 0

Address 1 = BSSID
Address 2 = Source
Address 3 = Destination

To DS field is 0 and From DS field is 1

Address 1 = Destination
Address 2 = BSSID
Address 3 = Source

To DS and From DS are both 1

Address 1 = Receiver
Address 2 = Transmitter
Address 3 = Destination
Address 4 = Source
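
To make the mapping concrete, here is an added Python example (it is not from the CWAP study guide or from the captures in this post) that decodes the Frame Control field and assigns the address roles exactly as in the quick reference above, including the Address 4 case. The MAC addresses and the four sample headers are constructed for the example, not taken from a real capture, and the parser deliberately rejects a Management or Control frame that has either DS bit set.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Meaning of Address 1..4 for each (To DS, From DS) combination, per the
# quick reference above. None means the fourth address field is absent.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}

DIRECTION = {
    (0, 0): "stays on the wireless medium (IBSS data, or any management/control frame)",
    (1, 0): "station -> AP -> distribution system",
    (0, 1): "distribution system -> AP -> station",
    (1, 1): "AP -> AP over a wireless distribution system (WDS)",
}

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Dot11Header:
    ftype: int
    subtype: int
    to_ds: int
    from_ds: int
    addresses: Dict[str, str]   # role (DA, SA, BSSID, RA, TA) -> MAC string
    header_len: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES[self.ftype]

    @property
    def direction(self) -> str:
        return DIRECTION[(self.to_ds, self.from_ds)]


def parse_mac_header(frame: bytes) -> Dot11Header:
    """Decode the Frame Control field and the address fields of an 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the minimum 24-byte MAC header")
    # Frame Control is 2 bytes, little-endian: byte 0 holds version/type/subtype,
    # byte 1 holds the eight flag bits, To DS being bit 0 and From DS bit 1.
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x3 != 0:
        raise ValueError("unknown 802.11 protocol version")
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = (fc >> 8) & 1
    from_ds = (fc >> 9) & 1
    # Management and control frames never enter or leave the DS; a frame that
    # claims otherwise is malformed (or crafted) and worth flagging.
    if ftype in (0, 1) and (to_ds or from_ds):
        raise ValueError("management/control frame with To DS/From DS set")
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    addresses = {}
    offset = 4                                # skip Frame Control + Duration/ID
    for role in roles[:3]:
        addresses[role] = fmt_mac(frame[offset:offset + 6])
        offset += 6
    offset += 2                               # Sequence Control
    if roles[3] is not None:                  # four-address (WDS) frame
        if len(frame) < offset + 6:
            raise ValueError("WDS frame truncated before Address 4")
        addresses[roles[3]] = fmt_mac(frame[offset:offset + 6])
        offset += 6
    return Dot11Header(ftype, subtype, to_ds, from_ds, addresses, offset)


def build_frame(ftype: int, subtype: int, to_ds: int, from_ds: int,
                a1: str, a2: str, a3: str, a4: Optional[str] = None) -> bytes:
    """Build a bare MAC header (no body, no FCS) so the parser has something to read."""
    def mac(text: str) -> bytes:
        return bytes(int(x, 16) for x in text.split(":"))
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9)
    hdr = struct.pack("<HH", fc, 0) + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00"
    if a4 is not None:
        hdr += mac(a4)
    return hdr


# Constructed sample addresses and headers (made up, not from a real capture).
AP = "00:11:22:33:44:55"        # BSSID / AP radio
STA = "aa:bb:cc:dd:ee:01"       # wireless client
SERVER = "08:00:27:00:00:10"    # DHCP server on the wired DS
AP2 = "00:11:22:33:44:66"       # second AP at the far end of a WDS link

SAMPLES = {
    "beacon":        build_frame(0, 8, 0, 0, "ff:ff:ff:ff:ff:ff", AP, AP),
    "dhcp_discover": build_frame(2, 0, 1, 0, AP, STA, "ff:ff:ff:ff:ff:ff"),
    "dhcp_offer":    build_frame(2, 0, 0, 1, STA, AP, SERVER),
    "wds_relay":     build_frame(2, 0, 1, 1, AP2, AP, SERVER, STA),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = parse_mac_header(raw)
        print(f"{name:14} {h.type_name}/{h.subtype} ToDS={h.to_ds} FromDS={h.from_ds} "
              f"{h.direction}\n               {h.addresses}")
```

The same four combinations can be isolated in Wireshark with the display filters `wlan.fc.tods == 0 && wlan.fc.fromds == 0`, `wlan.fc.tods == 1 && wlan.fc.fromds == 0`, `wlan.fc.tods == 0 && wlan.fc.fromds == 1` and `wlan.fc.tods == 1 && wlan.fc.fromds == 1`, which is a quick way to check that the address columns line up with the roles above on a live capture.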

Conclusion

When observing frames in a sniffer or pen testing a wireless network, it is important to look at the To DS and From DS fields to verify the direction of the frame and how those two bits determine which role each MAC address in the header plays.


Changing Your MAC Address Using Macchanger

Macchanger is a free utility used to change the MAC address of the network adapter. Macchanger can randomly assign a MAC address or assign a specific MAC address of your choosing.

Usage

There are several situations in which changing the MAC address is necessary; I mainly use the utility while pentesting a wireless network that has MAC filtering enabled, where I have to assign an approved MAC address to the wireless adapter.

Install

The Macchanger utility is included with Kali Linux, but to install it, update it, or verify you’re using the most up-to-date version, run the following command. In the screenshot that follows, the install command confirms that the newest version is already installed.

#apt-get install macchanger

(screenshot: apt-get reporting that macchanger is already the newest version)

Help

Help with Macchanger can be accessed by running the following two commands.

#macchanger --help

#man macchanger

Assign a Random MAC Address

I’m using an Alfa USB wireless adapter, and I run the following commands to verify the adapter’s interface name and its permanent MAC address.

#ifconfig

#ifconfig wlan1

Macchanger can also show the current MAC address alongside the manufacturer’s burned-in address by running the following command.

#macchanger --show wlan1

Change the MAC address using one of the following commands: -r sets a fully random address, while -A sets a random address that uses a real vendor OUI from Macchanger’s vendor list.

#macchanger -r wlan1

#macchanger -A wlan1

Error Message

If you get an error message saying the MAC address can’t be changed because the adapter is busy, take the interface down and then rerun Macchanger. (Only the OUI portion of the MAC address is shown in the screenshot; the last 3 octets are blocked out.)

(screenshot: Macchanger error, adapter busy)

#ifconfig wlan1 down 

#macchanger -A wlan1

(screenshot: macchanger -A output showing the new MAC address)

Bring the interface back up and verify the MAC address is changed.

#ifconfig wlan1 up 

#macchanger --show wlan1

(screenshot: macchanger --show confirming the changed MAC address)

To return the MAC address to the vendor’s burned-in address, run the following command. You may have to take the interface down first.

#ifconfig wlan1 down

#macchanger --permanent wlan1

Assign a Specific MAC Address

The following command will assign a specific MAC address.

#macchanger --mac=aa:bb:cc:11:22:33 wlan1

(screenshot: macchanger --mac assigning a specific address)

Using the Macchanger GUI

If you’re not comfortable running commands, there is a Macchanger GUI. Two commands still have to be run from a terminal window: one to install the Macchanger GUI package and a second to start it.

#apt-get install macchanger-gtk

#macchanger-gtk

(screenshot: the Macchanger GTK window)

After the GUI opens select the options to change the MAC address and click the Change MAC button.

As you can see, Macchanger is a simple utility for changing the MAC address, and it offers a GUI as well. Let me know any questions in the comments section below, share any commands you find easier to use with Macchanger, or pass along any other utilities you use to change the MAC address.

Thanks for visiting my blog and happy pentesting!

Home Wireless Network Security Tips

A small office/home office (SOHO) wireless router can be set up in minutes and is a convenient, cost-effective way to extend your home network. Many people do little in the way of configuration or security on a SOHO wireless router when installing the device. However, plugging in a wireless router without changing any of the factory default settings leaves an insecure wireless network that serves as an open internet portal to anyone nearby. Not only is it an open internet connection, but it can also give unauthorized access to the computers on the network and the data stored on them. Anyone with a little knowledge of wireless networks and the right utilities can sniff unencrypted wireless communications, potentially capturing any data, including passwords, that crosses the airwaves.

Here is a list of wireless security settings that can be configured on most wireless routers. No single feature will secure the wireless network by itself, but applying most or all of them provides a layered approach to security. Some of these settings require an intermediate to advanced knowledge of wireless routers; for assistance with them consult the user’s manual for your specific router.

  • Change the default Admin password used to access the wireless router.
    • Default passwords for routers are well known or can be found on the internet with some simple Google searches. If you setup encryption along with some of the other advanced security measures on the router it will all be useless if someone can just log into the router using the default password.
  • Enable Encryption.
    • Setting up encryption on the wireless network, so that traffic cannot be read by an unauthorized person, is the most critical security feature to enable on the router. If someone in range of your wireless network is capturing traffic, encryption scrambles the data so it appears as gibberish to them. WEP was the original encryption method for wireless networks, but it has several well-known flaws and can be cracked in minutes, so it should not be used. Use WPA2 with AES (CCMP) if all your wireless devices support it, and fall back to WPA (TKIP) only for devices that cannot, since TKIP also has known weaknesses. In the personal (PSK) mode of WPA and WPA2 a pre-shared key, a passphrase of 8 to 63 characters, is entered on the router and the same key is entered on every client that joins the network. When selecting a key avoid dictionary words and use a random mix of letters, numbers, and symbols at least 20 characters long, because an offline dictionary attack against a captured handshake is the usual way WPA2-PSK networks are broken. A wireless network using WPA/WPA2 provides both security, by controlling who can connect to the network, and privacy, by encrypting the communications as they travel across your network.
  • Change the default name of your wireless network (SSID).
    • The service set identifier (SSID) is the name of the network that wireless clients use to connect, and like the default password, the factory-set name given to the wireless network can be found out very easily. When selecting a name for the SSID don’t use anything that would identify who owns the network, such as your name, address, phone number, etc. You also don’t have to use anything cryptic for the SSID; a good choice is something that doesn’t draw attention and lets the network blend in with the surrounding networks. There is a second reason to change it: with WPA/WPA2-PSK the SSID is mixed into the key derived from the passphrase, and attackers have precomputed cracking tables for common default SSIDs, so a unique SSID makes a captured handshake harder to crack.
  • Enable MAC Address Filtering.
    • Every network device is hard coded with a unique physical address called the MAC address. Wireless Routers can be configured with a list of MAC addresses allowed to connect to the wireless network. This sounds like a great setting to control the devices that connect to your network, but a reasonably skilled hacker can use free utilities from the internet to monitor traffic on the network to capture MAC addresses of devices on the allowed list. With the allowed MAC address the bad guy can spoof the MAC address on their device to make it appear as if it is in the allowed list.
  • Disable SSID broadcast.
    • Disabling the broadcast of the network name and essentially hiding the presence of the network sounds like a great feature, and I have seen some people rely on this feature alone for the security of their network. Similar to the MAC filtering setting mentioned before, anyone with a little bit of knowledge and the right utilities can scan the airwaves and discover hidden network SSIDs, so disabling the network broadcast should never be relied on as a cover all security setting. Don’t use this setting by itself, but combine it with other settings mentioned to have strength with multiple security layers.
  • Disable managing the router from a wireless client.
    • Force any client to be physically plugged into the router using a network cable to log in to the management interface.
  • Enable HTTPS for accessing the management interface.
    • Whenever HTTPS is available to encrypt communications it should be used. Managing the router over HTTPS prevents the user name and password from being captured in transit by anyone sniffing the network. Most SOHO routers use a self-signed certificate for this, so expect a browser warning on the first connection.
  • Centrally locate the wireless router in the house.
    • If you can locate the wireless router in a central location in the residence it should theoretically provide an even coverage area and control some of the leakage of the signal seen by your neighbors. You can also control the coverage area by adjusting the power setting on the wireless router, but this is a bit more of an advanced setting and not all SOHO routers allow power settings to be adjusted. Setting the power level to low may create dead zones in the wireless network coverage. Consult the user’s manual for your router for specific instructions on adjusting the power level.
  • Set time constraints to disable access to the wireless network.
    • Set restrictions for the times when no one uses the wireless network, without powering down the entire network or affecting the wired connections. For example, if no one uses the wireless network overnight, a time restriction that blocks clients from connecting between 11:00pm and 6:00am can be configured. Powering down the router during vacations or other extended periods of non-use is the ultimate security setting to prevent outside attackers from trying to connect to the network.
  • Check for firmware updates on the router.
    • Routers run software called firmware that controls the capabilities of the router. Router vendors release firmware updates to improve functionality or patch vulnerabilities. Checking every so often for firmware updates helps ensure your router has the latest features and security patches applied.
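
The encryption and SSID advice above come together in how WPA/WPA2-PSK turns the passphrase into the key the network actually uses: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). The Python below is an added example, not code from this post or from any router, that generates a passphrase meeting the 20-character recommendation, checks a candidate passphrase against that advice, and derives the PMK so you can see the SSID acting as the salt. The small word list is a constructed stand-in for a real dictionary, and the only real data in it is the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import secrets
import string
from typing import List

# WPA/WPA2-PSK passphrase rules from the standard (8-63 printable ASCII) plus the
# stricter advice above (at least 20 characters, mixed classes, no dictionary words).
MIN_LEN, MAX_LEN = 8, 63
ADVISED_MIN_LEN = 20
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a wordlist; a real check would load a rockyou-style list.
COMMON_WORDS = {"password", "linksys", "netgear", "wireless", "admin", "internet", "letmein"}


def generate_psk(length: int = ADVISED_MIN_LEN) -> str:
    """Random passphrase from the OS CSPRNG, drawn from letters, digits and symbols."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_psk(psk: str) -> List[str]:
    """Return the problems with a passphrase; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(psk) <= MAX_LEN or not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("not a valid WPA passphrase (8-63 printable ASCII characters)")
    if len(psk) < ADVISED_MIN_LEN:
        problems.append(f"shorter than {ADVISED_MIN_LEN} characters")
    classes = [
        any(c.isupper() for c in psk),
        any(c.islower() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in string.punctuation for c in psk),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of: upper case, lower case, digits, symbols")
    lowered = psk.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: the SSID is the salt, so a default SSID
    lets an attacker reuse precomputed tables across every network using it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    for candidate in ("password", "x7#Qm2$Lp9!Rt4&Wz8@K", generate_psk()):
        print(f"{candidate!r}: {check_psk(candidate) or 'ok'}")
    # Same passphrase, different SSID -> completely different PMK.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "MyHomeNet-7f3a").hex())
```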

Plugging in a wireless router and not configuring any of the security settings is the equivalent of leaving your house and not locking any of the doors. Hopefully the overview here will give you some information on how to lock down your wireless network and keep your neighbors from using you as an internet service provider.