Haktip 23 – WiFi 101: Probe Requests and Responses
Today we’re continuing our discussion on wireless management frames with probe requests and responses.
Probes come in two flavors: requests and responses. Let’s begin with the request.
A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.
The information being requested in a probe includes the supported data rates, which are also included in the beacon frames typically broadcast from an access point.
The difference here is that by sending a probe request your wireless card is making an active scan of either a specific network or all networks in the area, whereas simply listening for beacon frames is considered a passive scan.
Today we’ll demonstrate an active scan and we’ll dissect the probe requests and responses.
So this brings us to the responses. Typically when an access point hears a probe request frame, either directed at the specific access point or to all stations in the area using the broadcast SSID, it will send out a probe response.
Similar to a beacon frame, we’ll find that these probe responses contain much of the same information required for two stations to begin communicating.
To begin our demo we’ll start by once again bringing up our fake access point with airbase-ng. Start by bringing up the interface with ifconfig wlan0 up and starting a monitor mode interface on channel 11 with airmon-ng start wlan0 11. Now we’ll issue airbase-ng -c 11 -e haktip mon0.
So to recap our configuration: we have our first radio in monitor mode as interface mon0 and it is acting as an access point or base station with airbase-ng.
We’ll bring up our second wireless card in monitor mode with airmon-ng start wlan4 11 and that will create the new interface mon1 — this will be acting as our client or station.
Now if we start up wireshark & and begin sniffing our client, mon1, we’ll see all of the packets or frames going in and out of this card.
Immediately we’ll see there are plenty of beacons in the air, which we’ve discussed in previous sessions, so let’s filter those out. And while we’re at it let’s also filter out any frame that isn’t addressed to or from our interface with the filter wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0x08.
Now in the terminal let’s tell our client card to do a passive scan of the area looking for available access points. Issue iw dev wlan4 scan passive | grep SSID and we should see plenty of SSIDs. If we go back to Wireshark we’ll see there aren’t any probes or responses. This is because our client card here is reporting all of the nearby wireless networks based on a passive scan, meaning no data was sent out. Our card was completely silent and the data was compiled using only what was freely available in the air — in this case beacon frames. We can, and probably will, get more sophisticated with this type of silent site survey using the tool Kismet, but for now this will suffice in demonstrating what is available without transmitting a single frame.
So finally let’s go ahead and generate some Probes. In a terminal we’ll tell our client card to make an active scan of the area using the command iwlist wlan4 scan | grep ESSID.
If we come back over to Wireshark we’ll see plenty of probe requests and probe responses. Let’s take a look at the first probe request frame.
We can tell it’s a probe request as its subtype is 0x04. The source is our NIC’s MAC address and the destination address is Broadcast, or ff:ff:ff:ff:ff:ff, meaning this probe request is meant for everyone who can hear it.
Wireshark already knows it is a management frame, and under tagged parameters we can see our supported data rates as well as the channel. Our first probe is set to channel 1. If we add to the filter && wlan.fc.type_subtype == 0x04 we’ll see that the next probe request was on channel 2, then 3, and so on.
Now if we flip our last filter from subtype 0x04, or Probe Request, to 0x05 we’ll see all of the probe responses. And much like the beacons we’ve seen before, these frames indicate the same capability information necessary for our stations to begin communicating.
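As an added example (not code from the show), here is a small pure-Python dissector for the fields we just looked at in Wireshark: it decodes the frame control type/subtype the way the wlan.fc.type_subtype filter sees it, pulls the three addresses, and walks the tagged parameters (SSID, supported rates, DS Parameter Set channel) of a constructed broadcast probe request from the client MAC used above and a constructed probe response for the haktip network. The AP BSSID, rates and capability bits in the samples are made-up values, and matches_filter mirrors the display filter we typed earlier.

```python
import struct
# Wireshark wlan.fc.type_subtype values used in the video's display filters
PROBE_REQUEST, PROBE_RESPONSE, BEACON = 0x04, 0x05, 0x08
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame):
    """Decode an 802.11 management frame header and its tagged parameters."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {"type_subtype": (ftype << 4) | subtype, "da": mac(frame[4:10]),
            "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    pos = 24                      # past the 24-byte MAC header
    if subtype in (PROBE_RESPONSE, BEACON):
        pos += 12                 # timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(frame):  # tagged parameters: tag, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        pos += 2 + length
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")  # "" = broadcast (wildcard) SSID
        elif tag == 1:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]  # drop basic-rate bit
        elif tag == 3 and length == 1:
            info["channel"] = value[0]                          # DS Parameter Set
    return info

def matches_filter(info, addr, exclude_subtype=BEACON):
    """Same test as the filter: wlan.addr == <addr> && wlan.fc.type_subtype != 0x08."""
    return addr in (info["da"], info["sa"], info["bssid"]) and info["type_subtype"] != exclude_subtype

def build_probe_request(sa, channel):
    """Constructed sample: a broadcast probe request like the first one dissected in the video."""
    hdr = (b"\x40\x00\x00\x00" + bytes.fromhex("ff" * 6)            # fc, duration, DA=broadcast
           + bytes.fromhex(sa.replace(":", "")) + bytes.fromhex("ff" * 6) + b"\x00\x00")
    ies = b"\x00\x00" + b"\x01\x08\x02\x04\x0b\x16\x0c\x12\x18\x24" + bytes([3, 1, channel])
    return hdr + ies

def build_probe_response(bssid, da, ssid, channel):
    """Constructed sample: the reply an AP (BSSID is a made-up value) sends back to the client."""
    hdr = b"\x50\x00\x00\x00" + bytes.fromhex(da.replace(":", "")) + bytes.fromhex(bssid.replace(":", "")) * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)  # timestamp, interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode() + b"\x01\x04\x82\x84\x8b\x96" + bytes([3, 1, channel])
    return hdr + fixed + ies
```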
What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — [email protected] or leave a comment.
And be sure to check out our sister show, Hak5 for more great stuff just like this.
It’s the FCS Filter.
It is the FCS Filter.
Wireshark filter is
“wlan.fcs_bad” and “wlan.fcs_good”
wlan.fcs_bad and
wlan.fcs_good
wlan.fcs:
wlan.fcs_bad
wlan.fcs_good
https://www.wireshark.org/docs/dfref/w/wlan.html
Bad ====> wlan.fcs_bad
Good ====> wlan.fcs_good
wlan.fcs_good
wlan.fcs_bad
wlan.fcs_good and wlan.fcs_bad
it’s the wlan.fcs filter with either _bad, or _good tacked on at the end depending upon which you wanted filtered.
wlan.fcs:
wlan.fcs_bad (bad)
wlan.fcs_good (good)
FCS FILTER THANKS FOR YOUR TIME & TIPS
FCS filter:
wlan.fcs_good
wlan.fcs_bad
wlan.fcs_good and
wlan.fcs_bad
the filters for wireshark are:
wlan.fcs_good
wlan.fcs_bad
wlan.fcs_bad
wlan.fcs_good
FCS filter
Nice show!
Wireless Frame Check Sequence good = wlan.fcs_good
Wireless Frame Check Sequence bad = wlan.fcs_bad
It’s the FCS Filter
Displayed as
The filter is wlan.fcs.
wlan.fcs_bad and wlan.fcs_good
What happens if we change the Source MAC address in probe requests?