Haktip 23 – WiFi 101: Probe Requests and Responses

Today we’re continuing our discussion on wireless management frames with probe requests and responses.


Probes come in two flavors: requests and responses. Let’s begin with the request.

A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.

The information being requested in a probe includes the supported data rates, which are also included in the beacon frames typically broadcast from an access point.

The difference is that by sending a probe request your wireless card is making an active scan of either a specific network or all networks in the area, whereas simply listening for beacon frames is considered a passive scan.

Today we’ll demonstrate an active scan and we’ll dissect the probe requests and responses.

So this brings us to the responses. Typically when an access point hears a probe request frame, either directed at the specific access point or to all stations in the area using the broadcast SSID, it will send out a probe response.

Similar to a beacon frame, we’ll find that these probe responses contain much of the same information required for two stations to begin communicating.

To begin our demo we’ll start by once again bringing up our fake access point with airbase-ng. Start by bringing up the interface with ifconfig wlan0 up and starting a monitor mode interface on channel 11 with airmon-ng start wlan0 11. Now we’ll issue airbase-ng -c 11 -e haktip mon0.

So to recap our configuration: we have our first radio in monitor mode as interface mon0, and it is acting as an access point or base station with airbase-ng.

We’ll bring up our second wireless card in monitor mode with airmon-ng start wlan4 11 and that will create the new interface mon1 — this will be acting as our client or station.

Now if we start up wireshark & and begin sniffing our client, mon1, we’ll see all of the packets or frames going in and out of this card.

Immediately we’ll see there are plenty of beacons in the air, which we’ve discussed in previous sessions, so let’s filter those out. And while we’re at it let’s also filter out any frame that isn’t addressed to or from our interface with the filter wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0x08

Now in the terminal let’s tell our client card to do a passive scan of the area looking for available access points. Issue iw dev wlan4 scan passive | grep SSID and we should see plenty of SSIDs. If we go back to Wireshark we’ll see there aren’t any probes or responses. This is because our client card here is reporting all of the nearby wireless networks based on a passive scan, meaning no data was sent out. Our card was completely silent, and the data was compiled using only what was freely available in the air — in this case beacon frames. We can, and probably will, get more sophisticated with this type of silent site survey using the tool Kismet, but for now this will suffice in demonstrating what is available without transmitting a single frame.

So finally let’s go ahead and generate some Probes. In a terminal we’ll tell our client card to make an active scan of the area using the command iwlist wlan4 scan | grep ESSID.

If we come back over to Wireshark we’ll see plenty of probe requests and probe responses. Let’s take a look at the first probe request frame.

We can tell it’s a probe request as its subtype is 0x04. The source is our NIC’s MAC address and the destination address is Broadcast, or ff:ff:ff:ff:ff:ff, meaning this probe request is meant for everyone who can hear it.

Wireshark already knows it is a management frame, and under tagged parameters we can see our supported data rates as well as the channel. Our first probe is set to channel 1. If we add to the filter && wlan.fc.type_subtype == 0x04 we’ll see that the next probe request was on channel 2, then 3, and so on.

Now if we flip our last filter from subtype 0x04, or Probe Request, to 0x05 we’ll see all of the probe responses. And much like the beacons we’ve seen before, these frames indicate the same capability information necessary for our stations to begin communicating.
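To make the dissection above concrete without a radio, here is an added example (not code from the episode or from Hak5) that parses raw 802.11 management frames the same way Wireshark does: it reads the frame control subtype (0x04 probe request, 0x05 probe response, 0x08 beacon), the three addresses, and the tagged parameters for SSID, supported rates and channel, then applies the same filter used in the episode (wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0x08) in Python. The station MAC comes from the episode; the BSSIDs, the sample rates and the whole sample capture are constructed for the example, and the frames carry no radiotap header or FCS.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# Values as Wireshark's wlan.fc.type_subtype encodes them: (type << 4) | subtype.
PROBE_REQUEST, PROBE_RESPONSE, BEACON = 0x04, 0x05, 0x08
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3   # tagged-parameter element IDs
BROADCAST = "ff:ff:ff:ff:ff:ff"
CLIENT_MAC = "00:0f:04:b2:48:68"    # station MAC used in the episode's Wireshark filter
AP_MAC = "02:00:00:00:00:01"        # constructed: BSSID of the airbase-ng "haktip" AP
OTHER_AP_MAC = "02:00:00:00:00:02"  # constructed: an unrelated AP beaconing nearby
# Supported rates in 500 kbps units, MSB set = basic rate: 1, 2, 5.5, 11 (basic), 6, 9, 12, 18 Mbps
SAMPLE_RATES = [0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class MgmtFrame:
    type_subtype: int
    da: str        # address 1: destination
    sa: str        # address 2: source
    bssid: str     # address 3
    ssid: Optional[str] = None
    rates_mbps: list = field(default_factory=list)
    channel: Optional[int] = None


def build_frame(type_subtype: int, da: str, sa: str, bssid: str,
                ssid: str, rates: list, channel: int) -> bytes:
    """Construct a minimal 802.11 management frame (constructed sample data)."""
    subtype, ftype = type_subtype & 0x0F, (type_subtype >> 4) & 0x03
    frame_control = bytes([(subtype << 4) | (ftype << 2), 0x00])  # version 0, no flags
    header = (frame_control + struct.pack("<H", 0)                  # duration
              + mac_to_bytes(da) + mac_to_bytes(sa) + mac_to_bytes(bssid)
              + struct.pack("<H", 0))                              # sequence control
    body = b""
    if type_subtype in (PROBE_RESPONSE, BEACON):
        # fixed fields only responses/beacons carry: timestamp, beacon interval (TU), capability (ESS)
        body += struct.pack("<QHH", 0, 100, 0x0001)
    body += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    body += bytes([TAG_RATES, len(rates)]) + bytes(rates)
    body += bytes([TAG_DS_PARAMS, 1, channel])
    return header + body


def parse_tags(body: bytes) -> dict:
    """Walk the tagged parameters (ID, length, value); stop cleanly on a truncated element."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                  # never read past the end of the frame
        tags[tag_id] = value
        i += 2 + length
    return tags


def parse_mgmt_frame(frame: bytes) -> MgmtFrame:
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if ftype != 0:
        raise ValueError("not a management frame")
    type_subtype = (ftype << 4) | subtype
    parsed = MgmtFrame(type_subtype, bytes_to_mac(frame[4:10]),
                       bytes_to_mac(frame[10:16]), bytes_to_mac(frame[16:22]))
    body = frame[24:]
    if type_subtype in (PROBE_RESPONSE, BEACON):
        body = body[12:]           # skip the three fixed fields
    tags = parse_tags(body)
    if TAG_SSID in tags:           # a zero-length SSID is the wildcard/broadcast SSID
        parsed.ssid = tags[TAG_SSID].decode(errors="replace")
    if TAG_RATES in tags:
        parsed.rates_mbps = [(b & 0x7F) / 2 for b in tags[TAG_RATES]]
    if TAG_DS_PARAMS in tags and len(tags[TAG_DS_PARAMS]) == 1:
        parsed.channel = tags[TAG_DS_PARAMS][0]
    return parsed


def matches_episode_filter(f: MgmtFrame, mac: str = CLIENT_MAC) -> bool:
    """Equivalent of: wlan.addr == <mac> && wlan.fc.type_subtype != 0x08"""
    return mac in (f.da, f.sa, f.bssid) and f.type_subtype != BEACON


# Constructed capture: two beacons, the client's wildcard probes on channels 1 and 2,
# and the haktip AP answering on channel 11.
SAMPLE_CAPTURE = [
    build_frame(BEACON, BROADCAST, OTHER_AP_MAC, OTHER_AP_MAC, "other", SAMPLE_RATES, 6),
    build_frame(BEACON, BROADCAST, AP_MAC, AP_MAC, "haktip", SAMPLE_RATES, 11),
    build_frame(PROBE_REQUEST, BROADCAST, CLIENT_MAC, BROADCAST, "", SAMPLE_RATES, 1),
    build_frame(PROBE_REQUEST, BROADCAST, CLIENT_MAC, BROADCAST, "", SAMPLE_RATES, 2),
    build_frame(PROBE_RESPONSE, CLIENT_MAC, AP_MAC, AP_MAC, "haktip", SAMPLE_RATES, 11),
]


def filtered_frames(raw_frames=SAMPLE_CAPTURE, mac=CLIENT_MAC) -> list:
    """Parse a capture and keep only what the episode's Wireshark filter would show."""
    return [f for f in map(parse_mgmt_frame, raw_frames) if matches_episode_filter(f, mac)]


if __name__ == "__main__":
    for f in filtered_frames():
        print(f"0x{f.type_subtype:02x} {f.sa} -> {f.da} ssid={f.ssid!r} ch={f.channel} rates={f.rates_mbps}")
```

Running it prints the two broadcast probe requests (empty SSID, channels 1 and 2) and the probe response carrying ssid 'haktip' on channel 11, with the beacons dropped exactly as the filter does in Wireshark. The parser reads the tagged parameters by length and stops on a truncated element rather than indexing past the buffer, which is the check worth keeping in any dissector that will see frames from the air.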

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — [email protected] or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.
