Tutorial: How to crack WEP on a Wireless Distribution System (WDS)?
Version: 1.02.1 February 9, 2008
By: darkAudax
Files linked to this tutorial:
wds.authentication.cap
arp.request.from.ap.wired.client.cap
arp.request.from.wds.wired.client.cap
ap.wired.client.ping.wds.wired.client.cap
Introduction
A Wireless Distribution System is a system that enables the interconnection of access points and their related clients wirelessly. The Wikipedia entry on WDS has an excellent description. I strongly encourage you to read it prior to reading this tutorial, since it is important to understand what a WDS is and how many variations exist.
WDS can be used to provide two modes of wireless AP-to-AP connectivity:
- Wireless Bridging in which WDS APs communicate only with each other and don't allow wireless clients or Stations (STA) to access them
- Wireless Repeating in which APs communicate with each other and with wireless STAs
This tutorial explores the second mode above, where APs communicate with each other and with wireless stations. At this point in time, the aircrack-ng suite does not fully support all attacks on WDS. This tutorial is intended more to document observations about WDS and to be a learning vehicle. As the aircrack-ng suite is enhanced specifically for WDS, this tutorial will be updated.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
Please send any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Solution
Assumptions used in this tutorial
- Your wireless rig is working and can inject packets.
- You have Wireshark installed and working. Plus you have a basic understanding of how to use it.
- You are using the latest aircrack-ng 1.0dev version or above.
Equipment used
Access Point
ESSID: teddy
MAC address: 00:14:6C:7E:40:80
Channel: 9
Note: This is the AP which is in AP mode.
Wired client located on access point network
MAC address: 00:40:F4:77:F0:9B
WDS
ESSID: teddy
MAC address: 00:14:6C:04:57:9B
Channel: 9
Note: This is the AP which is in WDS mode.
Wired client located on WDS network
MAC address: 00:08:02:6A:1D:97
To/From DS Fields
This section provides some background information which is important to understand.
Each data frame contains four address fields and two individual To/From DS (Distribution System) bits. Each of the ToDS and FromDS bits can have a value of 0 or 1. "Distribution system" basically means the local LAN. Here is the meaning of these To/From DS bits.

| To/From DS values | Meaning |
|---|---|
| To DS = 0, From DS = 0 | A data frame sent directly from one STA to another STA within the same IBSS, as well as all management and control type frames. |
| To DS = 0, From DS = 1 | Data frame exiting the DS. |
| To DS = 1, From DS = 0 | Data frame destined for the DS. |
| To DS = 1, From DS = 1 | Wireless distribution system (WDS) frame being distributed from one AP to another AP. |
The content of the Address fields of the data frame depends on the values of the To DS and From DS bits and is defined below. Where the content of a field is shown as not applicable (N/A), the field is omitted. Note that Address 1 always holds the MAC address of the intended receiver (or, in the case of multicast frames, receivers), and that Address 2 always holds the MAC address of the station that is transmitting the frame.
The following describes the contents of each address field depending on the To/From DS bits:

| To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 |
|---|---|---|---|---|---|
| 0 | 0 | RA = DA | TA = SA | BSSID | N/A |
| 0 | 1 | RA = DA | TA = BSSID | SA | N/A |
| 1 | 0 | RA = BSSID | TA = SA | DA | N/A |
| 1 | 1 | RA | TA | DA | SA |
Meaning
- RA - Receiver MAC Address (In the case of WDS, this is the MAC address of the receiving AP)
- TA - Transmitter MAC Address (In the case of WDS, this is the MAC address of the transmitting AP)
- DA - Destination MAC Address (In the case of WDS, this is the MAC address of the destination system)
- SA - Source MAC Address (In the case of WDS, this is the MAC address of the sending system)
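To make the two tables above concrete, here is an added example (not aircrack-ng code) that decodes the Frame Control byte of an 802.11 data frame header, reads the To/From DS bits (the same two-bit value Wireshark shows as wlan.fc.ds) and maps Address 1 to 4 onto RA/TA/DA/SA/BSSID. The sample frame is constructed from the MAC addresses listed under "Equipment used"; it carries only a header, no body.

```python
"""Decode the address fields of an 802.11 data frame header from its DS bits.
Added example, not part of the tutorial or of aircrack-ng."""
import struct

def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def build_data_header(to_ds, from_ds, a1, a2, a3, a4=None, protected=True) -> bytes:
    """Construct a minimal data-frame MAC header (no body) for testing."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    fc = 0x08 | (flags << 8)          # type = Data (2), subtype = 0, flags in the high byte
    hdr = struct.pack("<HH", fc, 0)   # Frame Control, Duration/ID
    hdr += _mac_bytes(a1) + _mac_bytes(a2) + _mac_bytes(a3)
    hdr += struct.pack("<H", 0)       # Sequence Control
    if to_ds and from_ds:             # Address 4 is present only on WDS (4-address) frames
        hdr += _mac_bytes(a4)
    return hdr

def parse_data_header(frame: bytes) -> dict:
    """Map Address 1..4 onto RA/TA/DA/SA/BSSID according to the To/From DS bits."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    flags = fc >> 8
    ds = flags & 0x03                 # ToDS = bit 0, FromDS = bit 1 (Wireshark: wlan.fc.ds)
    a1, a2, a3 = (_mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    info = {"ds": ds, "wds": ds == 0x03, "protected": bool(flags & 0x40), "header_len": 24}
    if ds == 0x00:                    # STA to STA within an IBSS
        info.update(RA=a1, DA=a1, TA=a2, SA=a2, BSSID=a3)
    elif ds == 0x02:                  # From DS: AP to STA
        info.update(RA=a1, DA=a1, TA=a2, BSSID=a2, SA=a3)
    elif ds == 0x01:                  # To DS: STA to AP
        info.update(RA=a1, BSSID=a1, TA=a2, SA=a2, DA=a3)
    else:                             # WDS: AP to AP, four addresses, no BSSID field
        info.update(RA=a1, TA=a2, DA=a3, SA=_mac_str(frame[24:30]), header_len=30)
    return info

# Constructed sample: WEP-protected WDS frame from the WDS node to the main AP,
# carrying traffic from the wired client behind the WDS node to the wired
# client behind the main AP (addresses taken from "Equipment used").
WDS_FRAME = build_data_header(True, True,
                              "00:14:6C:7E:40:80",   # Address 1: RA = main AP
                              "00:14:6C:04:57:9B",   # Address 2: TA = WDS node
                              "00:40:F4:77:F0:9B",   # Address 3: DA = AP-side wired client
                              "00:08:02:6A:1D:97")   # Address 4: SA = WDS-side wired client
```

Frames for which parse_data_header() reports "wds": True are exactly the ones matched by the Wireshark filter given later in this tutorial, and the ones the existing aircrack-ng attacks cannot use.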
WDS in action
We will start by looking at how a WDS appears in airodump-ng:

```text
 CH  9 ][ Elapsed: 44 s ][ 2007-09-30 13:06

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:04:57:9B   44  42      144        1    0   9  54  WEP  WEP         teddy
 00:14:6C:7E:40:80   30 100      443        2    0   9  54  WEP  WEP    OPN  teddy

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 00:14:6C:7E:40:80  00:14:6C:04:57:9B   45   0- 1     88      154  teddy
```
Requirements:
- Both the AP and WDS must have the same parameters: Channel, SSID, WEP key size and WEP key.
Observations:
- When a WDS is running and is not connected to an AP, it does not send out any beacons. Beacons only start being sent once the WDS is connected to the main AP.
- The WDS sends out probe packets for the specific AP as well as “broadcast”. This continues, at least on these particular units, even after the WDS connects to the main AP. I suspect this is a type of keep alive process but this is not an authoritative explanation. I have seen other WDS implementations which do not continuously send probes.
- The client line above only reflects the probes and probe responses. Currently, the WDS traffic is not shown as client activity.
Attacks which work
All standard aircrack-ng attacks work. Make sure not to use any packet whose To/From DS bits are both 1.
Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit. So fake authentication is not required. However, using a separate MAC seems to yield better injection rates.
airtun-ng can inject plaintext and WEP packets into a WDS link. That's even possible when airtun-ng only sees one of the two WDS nodes! (Note that in this case only clients behind this node are reachable)
Attacks which do not work
The following attacks do not work using WDS packets (To/FromDS both equal to 1):
- chopchop
- fragmentation
- packet replay
Enhancements required
This is a list of software changes required to support WDS attacks:
- aircrack-ng: Allow two BSSIDs to be defined to allow selection of both APs. As well, add a “netmask” function the same as currently exists in airodump-ng.
- airdecap-ng: Properly select SSID and BSSID. Allow two BSSIDs to be defined to allow selection of both APs.
- airodump-ng: Allow two BSSIDs to be defined to allow the selection of both APs. NOTE: In the interim, you can use the “netmask” function to achieve the same thing if they are all the same brand.
- airodump-ng: Change the logic to allow the WDS packets to be shown as client traffic. An arbitrary decision will need to be made as to which MAC is to be the BSSID and which is to be treated as the Client MAC.
- All tools: Ability to specify all four address fields on the command line
- aireplay-ng: Display all address fields based on context of To/FromDS bit combinations
- aireplay-ng: For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus extra 6 bytes) and replay that.
Wireshark filters
Wireshark filter to select packets with To/FromDS both equal to 1: wlan.fc.ds == 0x03
Simply copy and paste this into the Wireshark “Filter” box and click Apply. Then only packets where the To/FromDS bits are both equal to 1 are displayed.
Packet analysis
The following packet captures are provided to allow you to see what the packets typically look like. They are best viewed with Wireshark.
wds.authentication.cap
This capture shows the WDS AP authenticating and associating with the main AP. It contains the typical probes followed by authentication and finally association.
arp.request.from.ap.wired.client.cap
A wired client attached to the main access point sends out an ARP request packet. This ARP request is broadcast by the main AP. It is also sent to the WDS AP (To/FromDS both equal to 1; 4 addresses). The WDS AP then broadcasts the ARP request.
You would be able to use the arp request broadcast from each AP with the existing aircrack-ng tools.
arp.request.from.wds.wired.client.cap
A wired client attached to the WDS access point sends out an ARP request packet. This ARP request is broadcast by the WDS AP. It is also sent to the main AP (To/FromDS both equal to 1; 4 addresses). The main AP then broadcasts the ARP request.
You would be able to use the arp request broadcast from each AP with the existing aircrack-ng tools.
ap.wired.client.ping.wds.wired.client.cap
A wired client attached to the main access point sends a ping to a wired client attached to the WDS AP. Please note that an ARP request/response previously took place and is not included in the capture. You can see the ping request and response go back and forth (To/FromDS both equal to 1; 4 addresses).
The existing aircrack-ng tools can capture this and break the WEP key.