CWNA Summary Notes: Legacy 802.11 Security | Legacy Authentication

Posted on Updated on


Legacy Authentication

Legacy authentication methods were more of an authentication of capability (verification between two devices that they were valid 802.11 devices) and not so much an authentication of user identity.

They are of two types:

Open System Authentication

It provides authentication without performing any form of user verification

Involved a 2 way exchange between the client and the AP

  • Client sent an Authentication Request
  • AP replied with an Authentication response

Every client got authenticated and authorized into the network after association

This included an option to use static WEP for data frame encryption after association.

Lab – Open System Authentication without WEP

The aim of this lab is to study the packet exchange that occurs between an access point and a client when using Legacy Open System Authentication method.

In this Lab, I set my ASUS router (AsustekC) and my desktop (IntelCor) to allow for open system authentication and used Wireshark to capture communication between them.

Screenshot from 2015-06-21 01:45:37 Screenshot from 2015-06-21 01:47:39

Below is the whole conversation captured in Wireshark.

2015_06_22_21_25_59_Open_System_fromUbuntu.cap_Wireshark_1.12.5_v1.12.5_0_g5819e5b_from_master_

We should see 4 frames exchanges between the AP and the Client.

Authentication Request frame

Authentication request is sent by the station (laptop) to  (Asus Router). The request subtype is 1011 which indicates an Authentication frame. The Sequence number 1 indicates that it is a Request.

2015_06_22_21_31_05_234_8.815873000_IntelCor_6b_43_36_AsustekC_6d_f4_c8_802.11_66_Authentication_SN

Authentication Response frame

The router replies with an Authentication Response. The request subtype is 1011 which indicates an Authentication frame. The Sequence number 2 indicates that it is a Response.

2015_06_22_21_48_54_236_8.816795100_AsustekC_6d_f4_c8_IntelCor_6b_43_36_802.11_77_Authentication_SN

Association Request frame

Association request is sent by a station (IntelCor) to associate to a BSS (CaptainSugar). The request subtype is 0000 which indicates an Association Request frame.

2015_06_22_22_17_46_239_8.826824000_IntelCor_6b_43_36_AsustekC_6d_f4_c8_802.11_141_Association_Reque

The client also sends it’s capabilities to the router. It is associating to a BSS named CaptainSugar. The client supports rates from 1,2 up to 54 Mbps.

2015_06_22_22_23_29_239_8.826824000_IntelCor_6b_43_36_AsustekC_6d_f4_c8_802.11_141_Association_Reque

The Client also sends it’s capabilities for 802.11n and other Vendor specific information

2015_06_22_22_32_04_239_8.826824000_IntelCor_6b_43_36_AsustekC_6d_f4_c8_802.11_141_Association_Reque

Association Response frame

In response to an Association Request, the Router sends an association Response Frame. The response subtype is 0001 which indicates an Association Response frame. We can see that the Client has successfully associated.

2015_06_22_22_42_04_241_8.828692700_AsustekC_6d_f4_c8_IntelCor_6b_43_36_802.11_197_Association_Respo

The AP also sends it’s capabilities and Vendor specific parameters.

2015_06_22_22_45_43_241_8.828692700_AsustekC_6d_f4_c8_IntelCor_6b_43_36_802.11_197_Association_Respo

At this point, the AP can now freely use the network.

Shared Key Authentication

It used WEP to authenticate clients. The static key had to be configured on both the AP and client stations.

Involved a 4 way exchange between the client and the AP

  • Client sent an Authentication Request
  • AP replied with an clear text challenge in the Authentication Response
  • Client sent an Authentication Request containing an encrypted clear text challenge back to the AP using the static shared key
  • AP decrypted the message and compared it with the challenge that it had sent. It sends an authentication frame containing a success/failure message. 

If the keys did not match, authentication would not work.

The same static key would be used to encrypt the data after successful authentication.

This method is not recommended at all as it can be compromised by capturing the WEP key.

References:

  1. CWNA-106 Certified Wireless Network Administrator Study Guide by David D. Coleman and David A. Westcott.
  2. 802.11 frames : A starter guide to learn wireless sniffer traces
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s