The To DS and From DS Fields

I’m currently studying for the Certified Wireless Analysis Professional (CWAP) exam, and while rereading the study guide I found the chapters that examine the different fields and elements present in the MAC header most interesting. I had a rough idea, but during my studies I learned a great deal more about the unique fields and elements dedicated to wireless that keep the network functioning and help packets get delivered. Two fields of particular interest are the To Distribution System (To DS) and From Distribution System (From DS) fields, which determine whether the frame is leaving or entering the wireless environment.

Distribution System

A quick definition: the distribution system (DS) is the infrastructure that connects multiple access points together to form an Extended Service Set (ESS). The DS is typically an 802.3 Ethernet wired network, but it doesn’t have to be; the DS can even be a wireless backhaul.

MAC Header & Frame Control Field

Let’s now look at the MAC header, which can contain four address fields. The number of address fields is a major difference between Ethernet frames, which use only two address fields, and wireless frames, which can use as many as four. Each address field is 6 bytes in length to hold a standard 48-bit MAC address. Most wireless frames use only three of the address fields; frames transmitted in a wireless distribution system are the only frames that use all four.

The MAC header contains the Frame Control field, which consists of 11 subfields (see pic below), including the To DS and From DS fields. The To DS and From DS fields are each 1 bit wide and can hold a 1 or a 0, so there are four possible combinations of these two fields.

MAC Header

The To DS and From DS fields are important for assessing the packet since the bit combination of these fields identifies if the frame is entering or leaving the wireless environment. The fields can also show if the packet is part of an ad hoc network, or part of a wireless distribution system, and if the frame is a Management or Control frame not intended to leave the wireless environment.

To DS and From DS fields are both 0

The frame is either part of an ad-hoc network or the frame is not intended to leave the wireless environment. The screen shot below shows a Beacon Management frame with a status of not leaving the DS or network (see the highlighted line). Management and Control frames will always have the To DS and From DS fields set to 0 and are never sent to the distribution system network.

An Ad-hoc network connects multiple wireless devices together, and typically does not connect to a wired network, so there is no DS involved or requirement to have the fields set to 1.

To DS field is 1 and From DS field is 0

The frame is leaving the wireless environment and is intended for a computer on the distribution system network. For example after a wireless station authenticates it will need to obtain an IP address and that request will be forwarded by the AP to the DHCP server that resides on the distribution system network.

To DS field is 0 and From DS field is 1

The packet is entering the wireless environment coming from the DS. The screen shot below shows a Data (Type/Subtype field) frame capture in Wireshark, and the highlighted line shows the To DS and From DS fields along with a status of the frame coming from the DS to the station via the access point.

To DS and From DS fields are both 1

When both the To DS and From DS fields are set to 1, the packet is involved with a wireless distribution system (WDS) network. WDS networks are used to connect multiple networks together, typically for building-to-building connectivity, or a WDS can connect access points together to form a wireless mesh network.

Address Fields

As mentioned, the MAC header can contain four addresses, and the meaning of each address changes depending on how the To DS and From DS fields are set. Here is a quick reference for how the address fields are set for each To DS and From DS combination.

To DS and From DS are both 0

Address 1 = Destination
Address 2 = Source
Address 3 = BSSID

To DS field is 1 and From DS field is 0

Address 1 = BSSID
Address 2 = Source
Address 3 = Destination

To DS field is 0 and From DS field is 1

Address 1 = Destination
Address 2 = BSSID
Address 3 = Source

To DS and From DS are both 1

Address 1 = Receiver
Address 2 = Transmitter
Address 3 = Destination
Address 4 = Source
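
The four To DS / From DS combinations and the address quick reference above, applied to raw header bytes. This is an added example, not part of the original post; the sample frames and their MAC addresses are constructed, and the function names are illustrative. It assumes the frame starts at the Frame Control field with any capture header already stripped.

```python
# Address roles per (To DS, From DS), copied from the quick reference above.
ADDRESS_ROLES = {
    (0, 0): ("Destination", "Source", "BSSID"),
    (1, 0): ("BSSID", "Source", "Destination"),
    (0, 1): ("Destination", "BSSID", "Source"),
    (1, 1): ("Receiver", "Transmitter", "Destination", "Source"),
}
DIRECTION = {
    (0, 0): "not leaving the wireless environment",
    (1, 0): "leaving the wireless environment for the DS",
    (0, 1): "entering the wireless environment from the DS",
    (1, 1): "wireless distribution system (WDS)",
}
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Header layout: Frame Control(2) Duration(2) Addr1 Addr2 Addr3 SeqCtl(2) Addr4
ADDRESS_OFFSETS = (4, 10, 16, 24)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Return frame type, DS bits, direction and labelled address fields."""
    if len(frame) < 2:
        raise ValueError("too short to hold a Frame Control field")
    ftype = (frame[0] >> 2) & 0x3      # Type: bits 2-3 of the first byte
    to_ds = frame[1] & 0x1             # To DS: bit 0 of the second byte
    from_ds = (frame[1] >> 1) & 0x1    # From DS: bit 1 of the second byte
    info = {
        "type": FRAME_TYPES.get(ftype, "Reserved"),
        "to_ds": to_ds,
        "from_ds": from_ds,
        "direction": DIRECTION[(to_ds, from_ds)],
        # Management and Control frames should carry 0/0; flag anything else.
        "unexpected_ds_bits": ftype in (0, 1) and (to_ds, from_ds) != (0, 0),
        "addresses": {},
    }
    if ftype not in (0, 2) or info["unexpected_ds_bits"]:
        return info  # Control frames use shorter headers; roles not labelled
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    needed = 30 if len(roles) == 4 else 22
    if len(frame) < needed:
        raise ValueError(f"header truncated: need {needed} bytes, got {len(frame)}")
    for role, offset in zip(roles, ADDRESS_OFFSETS):
        info["addresses"][role] = fmt_mac(frame[offset:offset + 6])
    return info


def build_header(fc0, fc1, *addrs):
    """Build a constructed sample header (Duration and Sequence Control zeroed)."""
    raw = [bytes.fromhex(a.replace(":", "")) for a in addrs]
    return bytes([fc0, fc1, 0, 0]) + b"".join(raw[:3]) + b"\x00\x00" + b"".join(raw[3:])


# Constructed, locally administered addresses for the samples.
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
HOST, AP2 = "02:00:00:00:00:03", "02:00:00:00:00:04"
SAMPLES = {
    "beacon": build_header(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),
    "to_ds": build_header(0x08, 0x01, AP, STA, HOST),
    "from_ds": build_header(0x08, 0x02, STA, AP, HOST),
    "wds": build_header(0x08, 0x03, AP2, AP, HOST, STA),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        info = parse_mac_header(frame)
        print(f"{name}: {info['type']}, {info['direction']}, {info['addresses']}")
```

The `unexpected_ds_bits` flag marks a Management or Control frame whose To DS or From DS bit is set, which the description above says should not occur.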

Conclusion

When observing packets in a sniffer or pen testing a wireless network, it is important to look at the To DS and From DS fields to verify the direction of flow for the packet and how these fields relate to the MAC addresses in the header.

CWNA CWSP CWAP Study Resources

General Resources

Quick overview of 802 legacy, 802.11a, 802.11b, 802.11g, 802.11n, and the 802.11ac draft standard.

Free Wi-Fi Learning Resources from CWNP

The CWNP Question of the Day (QOTD)

CWNP Exam Terms

CWNP Study Guide CD-ROM Downloads

Packetlife WLAN cheat sheet

Wi-Fi Alliance home page

CWNA

Certified Wireless Network Administrator (CWNA) Overview of the Certification

CWNA Certified Wireless Network Official Study Guide: Exam PW0-105 (CWNP Official Study Guides)

Here is the link to download the updated PW0-105 CWNA exam objectives

Wi-Fi Back to Basics – 2.4 GHz Channel Planning

Wikipedia page on  WLAN Channels

802.11 Medium Access

Introduction to Wi-Fi Wireless Antennas

Wi-Fi CERTIFIED™ for WMM®-Power Save

Aerohive’s Medium Contention & Mac Sublayer WiFi 101 video (28:00)

Easy db Math in 5 Minutes

Radio Frequency Measurements (1:13)

Understanding IEEE 802.11n

Memorize 802.11 MCS values and Data rates for CWNA or CWDP (YouTube Video)

CWSP

CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204 (CWSP Official Study Guides)

Here is the link to download the updated PW0-204 CWSP exam objectives

EAP Types (Excel file for my own reference)

Marcus Burton, Director of Product Development at CWNP, teaches you the 802.11 4-way handshake. (YouTube Video)

Authentication & Key Management (Marcus Burton, CWNP)

CWSP-802.11r Over-the-Air FT

White Paper (PDF download) Robust Secure Network Fast BSS Transition

White Paper (PDF download) 802.11i Authentication and Key Management

User Guide for the Cisco Secure Access Control System 5.2 (good extra reading on different flavors of EAP)

George Stefanick – CWSP Journey Chapter 5 – RSN

George Stefanick – CWSP Journey Chapter 4 – EAP, EAP, EAP, and EAP

EAP-TLS and PEAP: what they are, part 1 (YouTube Video)

EAP-TLS and PEAP: what they are, part 2 (YouTube Video)

CWAP

CWAP Certified Wireless Analysis Professional Official Study Guide

CWAP Exam Objectives (PDF)

WIRELESS LAN SECURITY MEGAPRIMER PART 5:DISSECTING WLAN HEADERS

802.11 Beacons Revealed

802.11 Beacon Intervals – The Real Story

What is QAM?

CWAP – MAC Header : Frame Control

Understanding Wi-Fi Carrier Sense (Revolution Wi-Fi)

802.11 PPDU Formats

CWAP Study Guide Errata

Extras

My CWNA/CWSP/CWAP YouTube Channel

How I Studied to Pass the CNWA Certification Exam

WiFI Kiwi’s Blog – CWSP Passed!

How to Fix the SIOCSIFFLAGS Error in Kali Linux

I recently rebuilt my laptop and reloaded the applications I use for pentesting including Virtualbox and Kali Linux. If you need help setting up Kali Linux in Virtualbox here is a great link that walks through the setup process.

Once I had Kali up and running in my virtual environment I plugged in my ALFA wireless adapter and made sure the USB device was running in the virtual environment.

I ran iwconfig to verify the wireless interface.

So far so good and I ran ifconfig to verify the interface was up, but the only interface returned was the loopback.

After discovering the wireless interface was not up, I ran ifconfig wlan0 up to bring it up and got the SIOCSIFFLAGS error.

I wrote about this error a while back when I was running Backtrack 5 and I first started using the Fern WiFi Cracker. I decided to expand on that post plus I was asked about creating a script to run all the commands at one time instead of typing them individually. The script should be run every time Kali is booted, but after your adapter is plugged in and recognized.

First open a text editor and type in the script shown in the screen shot below. I prefer the gedit text editor and since that is not loaded in Kali I used Leafpad and coming from the Windows world it reminds me of Notepad.

Name the file and save it to the Root directory.

Open the Terminal window and do a quick ls command to verify the file is present.

To run the script type ./<file name>

You’ll probably get a permission denied error message; running the chmod 755 <file name> command will adjust the permissions on the file as needed.

Rerun the script ./<file name>

If there are no errors you are good to go and can run ifconfig to verify the wireless interface is up.

I will run the script every time I boot Kali whether or not the interface shows as being up in the ifconfig results.

Troubleshooting wireless issues in Kali Linux can be a frustrating process, but use your Google Fu skills and you’ll find a lot of good links and people offering up advice. Good Luck!

Changing Your MAC Address Using Macchanger

Macchanger is a free utility used to change the MAC address of the network adapter. Macchanger can randomly assign a MAC address or assign a specific MAC address of your choosing.

Usage

There are several instances where changing the MAC address is necessary, but I use the utility while pentesting a wireless network with MAC filtering enabled, where I have to assign an approved MAC address to the wireless adapter.

Install

The Macchanger utility is included with Kali Linux, but to install the application, update it, or verify you’re using the most up-to-date version, run the following command. In the screen shot that follows, the install command confirms that the newest version is already installed.

#apt-get install macchanger

Help

Help with Macchanger can be accessed by running the following two commands.

#macchanger --help

#man macchanger

Assign a Random MAC Address

I’m using an Alfa USB wireless adapter and I will run the following commands to verify the adapter’s interface and the permanent MAC address.

#ifconfig

#ifconfig wlan1

Macchanger can also be used to verify the manufacturer’s burned-in MAC address by running the following command.

#macchanger --show wlan1

Change the MAC address using one of the following commands.

#macchanger -r wlan1

#macchanger -A wlan1

Error Message

If you get an error message that the MAC address can’t be changed and the adapter is busy, take the adapter down and then rerun Macchanger. (Only the OUI portion of the MAC address is shown in the screen shot and the last 3 octets are blocked out.)

#ifconfig wlan1 down 

#macchanger -A wlan1

Bring the interface back up and verify the MAC address is changed.

#ifconfig wlan1 up 

#macchanger --show wlan1

To return the MAC address to the vendor’s burned-in address, run the following command. You may have to take the interface down first.

#ifconfig wlan1 down

#macchanger --permanent wlan1

Assign a Specific MAC Address

The following command will assign a specific MAC address.

#macchanger --mac=aa:bb:cc:11:22:33 wlan1

Using the Macchanger GUI

If you’re not comfortable running commands there is a Macchanger GUI. A couple of commands will have to be run from the terminal window. One to install the Macchanger GUI application and the second to start the GUI application.

#apt-get install macchanger-gtk

#macchanger-gtk

After the GUI opens select the options to change the MAC address and click the Change MAC button.

As you can see Macchanger is a great utility to change the MAC address and is simple to use and offers a GUI application as well. Let me know any questions in the comments section below or share any commands you find easier to use with Macchanger, or pass along any other utilities you use to change the MAC address.

Thanks for visiting my blog and happy pentesting!

AirTight Networks Cloud Management Console

It’s been a month since I attended Wireless Field Day 5 and one of the most impressive demonstrations during the event was by AirTight Networks. Now that I have played with the AirTight AP device along with the cloud management console I wanted to share some of the features plus how user-friendly the system is.

A quick overview of the AirTight Networks solution: there is no controller or central management device placed in your network data center, and the entire wireless network can be configured, managed, and monitored in the cloud. The configuration and Wi-Fi policies defined in the cloud are then pushed out to the APs and all the routing decisions are done at the network’s edge. Another nice feature is the cloud management program is HTML5 based and can be accessed from any smart device.

When I first logged into the AirTight cloud console it was a little overwhelming, but I quickly found the system and UI very easy to navigate. Near the top of the screen is a navigation bar listing the six main areas of the system, and below the navigation bar is a bread crumb location trail, and between these two location tool bars I found it extremely easy to move around the system or know my current location.

Navigation Tool Bars

Help on any screen is just a click away! No matter what screen you’re on, a ? in the upper right corner can be clicked for immediate help with the current screen and options.

Dashboard Help Screen

The console’s home screen displays a dashboard to quickly convey information or statistics about the network and connected devices.

Dashboard

The dashboard screen is fully customizable, and adding extra dashboards and widgets can be done with a few clicks of the mouse. The screen shot below shows a newly added dashboard screen along with the different widget categories to add monitoring or information elements to the dashboard screen.

Dashboard and Widget Setup

On the left hand side of the main screen is the location tree to organize the wireless network. Wi-Fi policies and configuration settings can be assigned at any level in the location tree, or locations can inherit policies from higher level folders.

Location Tree

A really nice feature is that when you’re down to the building level a floor plan can be uploaded to the system. I uploaded a simple PNG file, but as the screen shot below shows I can still assign some dimensions to the floor plan as part of the upload.

Floor Plan Upload

Once the floor plan is uploaded the AP devices can be placed on top of the floor plan and a heat map showing the approximate coverage areas can be generated.

Floor Plan Heat Map

There is an option to upload a SPM file that can have more intelligence built into the floor plan including the building materials which would give a better representation of the heat map coverage area.

The configuration area is where the majority of the Wi-Fi and AP settings are defined. Below is a screen shot of the configuration screen to create an SSID profile. I don’t have enough time to cover the different sections or options available, but a great demonstration video by Sean Blanton (@blantr0n) is available on the Airtight Networks web site. Sean covers many of the configuration options in the video, and I definitely recommend watching this video for anyone wanting to learn more of the granular settings that can be configured.

SSID Profile Configuration

Another great resource to learn about the AirTight Networks cloud management console is the Wireless Field Day 5 demonstration presented by Kaustubh Phanse.

One final awesome resource: since the Wireless Field Day 5 event, AirTight Networks is having a promotion for anyone to receive a free AP and a cloud management trial to conduct their own test. For anyone interested in this promotion, visit the AirTight Networks web site for more information.

AirTight Networks Promotion

Additional demonstration videos about AirTight Networks and their wireless network solutions are available on the Wireless Field Day 5 YouTube page.

Studying for Wireless Field Day 5

No… there isn’t a test at Wireless Field Day 5, but being one of the two new delegates to the event I wanted to gather as much knowledge as I could prior to the nine vendor presentations at WFD5. For the most part I know of each vendor and their products, but have limited working experience with their solutions, so I wanted to share some of the research I have done to prepare for Wireless Field Day 5. To keep this post of moderate length I cannot mention every vendor and/or resource, and mentioning vendors here is in no way favoring them or a knock on the other vendors. With nine vendors presenting, and each having two hours for a total of 18 hours of demonstrations, I’m sure to have plenty to share in future posts about all the vendors.

One of my fellow WFD5 delegates wrote a great blog post last week about the upcoming Wireless Field Day event and what to expect from such an event. The published post was by @wirednot and mentions several of the vendors presenting at WFD5 and lists some of the hot topics that might come up during the presentations. Again, being one of the two first time delegates, this blog post gave me an overall feel for the event and had some good links to learn about past delegates, past Wireless Field Day events, and links to several of the vendors presenting.

Another really good article titled “Another Controller-less Wi-Fi Solution” posted this week by @matthewnorwood highlights the Airtight Networks APs and management solutions. The article has a link to the Airtight Network web site where I watched a series of demonstration videos. The videos were well-organized and ranged from 2 to 6 minutes in length, and each video concentrated on a certain area or topic for the Airtight solution. I found the videos very informative and they covered some hot topics in wireless including cloud management, software defined radios, BYOD, security and monitoring. The article isn’t completely about Airtight Networks and Matthew does talk about the three planes of wired and wireless traffic along with an overview on basic WLAN network architectures (some cool graphics).

Working in the education market I have followed Aerohive Networks and read about their BYOD and education solutions. Like the other vendors the Aerohive website is full of information with plenty of documentation, videos, and blogs. Aerohive does have a YouTube channel (other vendors may have YouTube channels as well) and the videos posted on YouTube were another resource I used to learn about Aerohive. Andrew von Nagy will be presenting at WFD5 for Aerohive and I look forward to meeting Andrew and seeing his presentation. Anyone following Andrew on Twitter (@andrewvonnagy) knows he shares a lot of great stuff, not just on Aerohive, but wireless technologies in general. Andrew’s revolutionwifi blog was one of the first wireless blogs I started following and I’m always impressed with the content, knowledge, and style of how Andrew presents the material he writes about.

To be honest, all the delegates for Wireless Field Day 5 have outstanding blogs and I have spent many hours reading their posts. These blogs are a tremendous resource for me with tons of information and details on networking, wireless, security, hardware, software, storage, etc… Each delegate’s perspective on the wireless world and related technologies along with their knowledge and passion for wireless really shows in their posts. Links to all the delegates’ blogs are available on the Wireless Field Day 5 website.

Three vendors, Fluke Networks, Metageek, and Wildpackets will be presenting on their products for packet analysis, site surveying, network performance, and network monitoring. I’m familiar with these vendors and most of their products, but I still visited each of their websites for a refresher ahead of WFD5. Since I don’t have an expansive IT budget I tend to use freely available utilities and I’m really looking forward to seeing these three presentations and how their enterprise solutions compare to the open source tools I’m accustomed to using. I definitely should have more to post about these three vendors, the presentations, and their products.

For me, reading the blogs and visiting the vendor websites was great not only for learning, but also for noticing trends and what could be the future direction for wireless technologies.

Anyone wanting to see the Wireless Field Day 5 presentation schedule along with links to watch the live demonstrations can visit the Wireless Field Day 5 web site. The event can be followed on Twitter using the #WFD5 hash tag.

Virtual High Five for Wireless Field Day 5!

With just over a week to Wireless Field Day 5 I wanted to say thank you to Stephen Foskett (@sfoskett) and the Wireless Field Day crew. I was so honored when asked about attending Wireless Field Day 5 and have been totally impressed with the planning, communication, and organization of the event. Stephen and crew have worked hard to plan so many of the details I feel my only responsibility is making the flight and bringing some extra clothes!

To increase my excitement for WFD5 I have checked out blog posts from past WFD attendees and they really paint a picture of the events being nothing short of excellent with great people coming together to share their technical knowledge.

One such article, “The Value of Tech Field Day” by @pandom_ has circulated on Twitter this past week.

I have never personally met the other delegates, but have run across or had conversations with most if not all of them through social media. I do consider the other delegates the “rock stars” of the wireless world and really look forward to meeting them and talking wireless, but mostly learning as much as I can cram into my memory!

Stephen and crew have also set up a great lineup of vendor presentations and since I first saw the lineup 2 or 3 more vendors were added, and at last glance there are 9 vendors presenting at the conference!

Between rubbing elbows with the other delegates and seeing the vendor presentations I will be on information overload and I wish I could stick a USB drive in my ear to help bring home the material and knowledge I’m sure to learn.

Thanks to Stephen, the WFD5 crew, the other delegates, and the vendors! Being a Wireless Field Day newbie everyone has been tremendous and made me feel welcome and already part of the Wireless Field Day family!

Thank You! Dale

Anyone wanting to check out the list of delegates along with the vendor presentation schedule can visit the Wireless Field Day 5 website, and the event can be followed on Twitter with the #WFD5 hash tag.