Version: 1.02.1 February 9, 2008
By: darkAudax
Files linked to this tutorial:
wds.authentication.cap
arp.request.from.ap.wired.client.cap
arp.request.from.wds.wired.client.cap
ap.wired.client.ping.wds.wired.client.cap
A Wireless Distribution System (WDS) is a system that interconnects access points, and the clients behind them, wirelessly. The Wikipedia entry on WDS has an excellent description of it. I strongly encourage you to read that entry before reading this tutorial: it is important to understand what a WDS is and how many variations of it exist.
WDS can be used to provide two modes of wireless AP-to-AP connectivity:
This tutorial explores the second mode above, where APs communicate both with each other and with wireless stations. At this point in time the aircrack-ng suite does not fully support all attacks on WDS, so this tutorial is intended more to document observations about WDS and to serve as a learning vehicle. As the aircrack-ng suite is enhanced specifically for WDS, this tutorial will be updated.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
Please send any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Main access point (the AP which is in AP mode):
ESSID: teddy
MAC address: 00:14:6C:7E:40:80
Channel: 9
Wired client attached to the main AP:
MAC address: 00:40:F4:77:F0:9B
WDS access point (the AP which is in WDS mode):
ESSID: teddy
MAC address: 00:14:6C:04:57:9B
Channel: 9
Wired client attached to the WDS AP:
MAC address: 00:08:02:6A:1D:97
This section provides some background information which is important to understand.
Each data frame contains four address fields and two one-bit flags in the frame control field, To DS and From DS (DS = Distribution System). Each flag can have the value 0 or 1. The distribution system is the network behind the access points, in practice the wired LAN that links them. Here is the meaning of the four To/From DS combinations.
To/From DS values | Meaning |
---|---|
To DS = 0, From DS = 0 | A data frame sent directly from one STA to another STA within the same IBSS (ad-hoc network), as well as all management and control frames. |
To DS = 0, From DS = 1 | Data frame exiting the DS (AP to station). |
To DS = 1, From DS = 0 | Data frame destined for the DS (station to AP). |
To DS = 1, From DS = 1 | Wireless distribution system (WDS) frame being forwarded from one AP to another AP. |
The content of the address fields of a data frame depends on the values of the To DS and From DS bits, as defined below. Where the content of a field is shown as not applicable (N/A), the field is omitted from the frame. Note that Address 1 always holds the MAC address of the intended receiver (or receivers, in the case of multicast frames), and that Address 2 always holds the MAC address of the station that is transmitting the frame.
The following describes the contents of each address field depending on the To/From DS fields:
To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 |
---|---|---|---|---|---|
0 | 0 | RA = DA | TA = SA | BSSID | N/A |
0 | 1 | RA = DA | TA = BSSID | SA | N/A |
1 | 0 | RA = BSSID | TA = SA | DA | N/A |
1 | 1 | RA | TA | DA | SA |
Meaning of the abbreviations: RA = receiver address, TA = transmitter address, DA = destination address, SA = source address, BSSID = Basic Service Set identifier (the MAC address of the AP in infrastructure mode).
We will start by looking at what a WDS looks like in airodump-ng:

```
 CH  9 ][ Elapsed: 44 s ][ 2007-09-30 13:06

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:04:57:9B   44  42      144        1    0   9  54  WEP  WEP         teddy
 00:14:6C:7E:40:80   30 100      443        2    0   9  54  WEP  WEP    OPN  teddy

 BSSID              STATION            PWR  Rate  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:14:6C:04:57:9B   45   0- 1    88      154  teddy
```

Note that the WDS AP (00:14:6C:04:57:9B) appears twice: once as an access point in its own right, and once as a station associated with the main AP (00:14:6C:7E:40:80).
Requirements:
Observations:
All standard aircrack-ng attacks work. Make sure not to use any packet in which the To DS and From DS bits are both set to 1 (the four-address WDS frames).
Although fake authentication does work, it is not required: each AP's BSSID is already an authenticated MAC on the other unit, so either AP's MAC can be used as the injection source. However, using a separate MAC (with fake authentication) seems to yield better injection rates.
airtun-ng can inject plaintext and WEP packets into a WDS link. That is possible even when airtun-ng only sees one of the two WDS nodes (note that in this case only clients behind that node are reachable).
The following attacks do not work using WDS packets (To/FromDS both equal to 1):
This is list of software changes required to support WDS attacks:
Wireshark filter to select packets with To DS and From DS both equal to 1: `wlan.fc.ds == 0x03`
Simply copy and paste this into the Wireshark "Filter" box and click Apply. Only packets in which the To DS and From DS bits are both set (the four-address WDS frames) are then displayed. The value is the two DS bits read as a number, From DS in bit 1 and To DS in bit 0, so `wlan.fc.ds == 0x01` selects station-to-AP frames and `wlan.fc.ds == 0x02` AP-to-station frames.
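The address-field table above and the `wlan.fc.ds` filter are both a matter of reading two bits in the frame control field and then knowing which of the four address slots is present. The following Python is an added example, not code from the aircrack-ng project or from the original tutorial: it builds and parses bare 802.11 MAC headers (the WEP-encrypted payload is ignored), assigns the RA/TA/DA/SA/BSSID roles exactly as the table specifies, and exposes `is_wds_frame()`, which is the same test as the Wireshark filter. The sample frames are constructed from the MAC addresses of the setup above; they are not taken from the linked captures.

```python
"""Decode To DS / From DS and the four 802.11 address fields.

Added example (not aircrack-ng code).  Pure stdlib, no scapy.  Only the
MAC header is handled; whatever follows it (WEP/ARP/ICMP) is ignored.
"""
import struct
from typing import Dict, Optional

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_header(to_ds: int, from_ds: int, a1: str, a2: str, a3: str,
                 a4: Optional[str] = None, ftype: int = TYPE_DATA,
                 subtype: int = 0, seq: int = 0) -> bytes:
    """Assemble a MAC header. Address 4 exists only when both DS bits are set."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9)
    hdr = struct.pack("<HH", fc, 0)            # frame control, duration/ID
    hdr += mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
    hdr += struct.pack("<H", seq << 4)         # sequence control (seq, frag=0)
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("a 4-address (WDS) frame needs Address 4")
        hdr += mac_bytes(a4)
    if ftype == TYPE_DATA and subtype & 0x8:
        hdr += b"\x00\x00"                     # QoS control comes after the addresses
    return hdr


def parse_header(frame: bytes) -> Dict[str, object]:
    """Return DS bits, header length and the RA/TA/DA/SA/BSSID roles of a frame."""
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    ds = (from_ds << 1) | to_ds                # the value Wireshark shows as wlan.fc.ds
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    header_len, a4 = 24, None
    if ds == 0x03:
        if len(frame) < 30:
            raise ValueError("4-address frame truncated before Address 4")
        a4, header_len = mac_str(frame[24:30]), 30
    if ftype == TYPE_DATA and subtype & 0x8:
        header_len += 2                        # QoS data frames carry a QoS control field
    # Address roles, row by row from the To DS / From DS table.
    if ds == 0x00:                              # STA to STA in an IBSS, or mgmt/control
        roles = dict(RA=a1, DA=a1, TA=a2, SA=a2, BSSID=a3)
    elif ds == 0x01:                            # To DS only: station -> AP
        roles = dict(RA=a1, BSSID=a1, TA=a2, SA=a2, DA=a3)
    elif ds == 0x02:                            # From DS only: AP -> station
        roles = dict(RA=a1, DA=a1, TA=a2, BSSID=a2, SA=a3)
    else:                                       # both set: AP -> AP over WDS, no BSSID field
        roles = dict(RA=a1, TA=a2, DA=a3, SA=a4, BSSID=None)
    return dict(type=ftype, subtype=subtype, to_ds=to_ds, from_ds=from_ds,
                ds=ds, header_len=header_len, **roles)


def is_wds_frame(frame: bytes) -> bool:
    """Equivalent to the Wireshark display filter wlan.fc.ds == 0x03."""
    return parse_header(frame)["ds"] == 0x03


# Constructed sample frames (not from the linked captures), using the setup's MACs.
MAIN_AP, WDS_AP = "00:14:6C:7E:40:80", "00:14:6C:04:57:9B"
MAIN_WIRED_CLIENT = "00:40:F4:77:F0:9B"

# Main AP rebroadcasts its wired client's ARP request to wireless stations (From DS = 1).
ARP_FROM_MAIN_AP = build_header(0, 1, BROADCAST, MAIN_AP, MAIN_WIRED_CLIENT)
# Same ARP request relayed to the WDS AP: four addresses, To DS = From DS = 1.
ARP_OVER_WDS = build_header(1, 1, WDS_AP, MAIN_AP, BROADCAST, a4=MAIN_WIRED_CLIENT)
# A beacon from the main AP: management frame, both DS bits clear.
BEACON_FROM_MAIN_AP = build_header(0, 0, BROADCAST, MAIN_AP, MAIN_AP,
                                   ftype=TYPE_MGMT, subtype=8)

if __name__ == "__main__":
    for name, frame in [("from-DS", ARP_FROM_MAIN_AP), ("WDS", ARP_OVER_WDS),
                        ("beacon", BEACON_FROM_MAIN_AP)]:
        h = parse_header(frame)
        print(f"{name:8} ds=0x{h['ds']:02x} RA={h['RA']} TA={h['TA']} "
              f"DA={h['DA']} SA={h['SA']} BSSID={h['BSSID']} wds={is_wds_frame(frame)}")
```

The `ds` value in the parsed dictionary is what you would compare against in Wireshark, and `not is_wds_frame(frame)` is the check to apply before handing a captured packet to the standard attacks, which expect the three-address forms.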
The following packet captures are provided to allow you to see what the packets typically look like. They are best viewed with Wireshark.
This capture shows the WDS AP authenticating and associating with the main AP. It contains the typical probes, followed by authentication and finally association.
A wired client attached to the main access point sends out an ARP request. The main AP broadcasts this ARP request to wireless stations and also forwards it to the WDS AP in a four-address frame (To DS and From DS both equal to 1). The WDS AP then broadcasts the ARP request in turn.
The ARP request broadcast by either AP (the three-address form) can be used with the existing aircrack-ng tools.
A wired client attached to the WDS access point sends out an ARP request. The WDS AP broadcasts this ARP request and also forwards it to the main AP in a four-address frame (To DS and From DS both equal to 1). The main AP then broadcasts the ARP request in turn.
The ARP request broadcast by either AP (the three-address form) can be used with the existing aircrack-ng tools.
A wired client attached to the main access point pings a wired client attached to the WDS AP. Note that the ARP request/response exchange took place earlier and is not included in the capture. You can see the ping request and response go back and forth as four-address frames (To DS and From DS both equal to 1).
The existing aircrack-ng tools can capture this traffic and recover the WEP key from it.