Forging an 802.11 beacon frame

Let’s assume the following use case: you’ve gathered enough frames containing a valid WPA handshake, but you missed the management frame carrying the ESSID. If you happen to know the ESSID, but the AP doesn’t broadcast it, and you don’t have the patience to wait for another such frame (assuming the attack is fully passive), you may forge a management frame yourself. I picked a beacon frame because its structure is simple and it’s easy to please aircrack-ng and Hashcat with it.

As the file consumed by the above-mentioned brute-forcing tools is a capture file, you need to forge:

  • A radiotap header
  • An 802.11 MAC header
  • The frame body containing the ESSID information
  • Optionally: the FCS (frame check sequence)

I haven’t found an easy method for computing the FCS and the cracking tools don’t require a valid FCS.

To create a capture file from the raw bytes you need text2pcap, a tool that is part of the Wireshark suite. You also need od and xxd to massage the hex representation of the bytes into the format text2pcap expects.

Any radiotap header may be used. Here’s a forged one:

00 00 27 00 2b 40 08 a0 20 08 00 00 00 00 00 00
00 00 00 00 00 00 00 00 10 00 6c 09 80 04 FF 00
00 00 00 00 00 FF 00

It translates to the following information:

[image: forged-radiotap-header – the radiotap header above as decoded by Wireshark]

The next part is the 802.11 MAC header:

80 00 00 00 FF FF FF FF FF FF AA BB CC DD EE FF
AA BB CC DD EE FF 10 00

This image explains the structure of the 802.11 frame:

[image: 802.11-frame – layout of the 802.11 MAC header fields]

Address 4 is used only in WDS, so it is not present in this header. The DS status bits in the frame control field are 00, therefore the Address 1 field is the DA (ff:ff:ff:ff:ff:ff, since beacon frames are broadcast), the Address 2 field is the SA, and the Address 3 field is the BSSID (aa:bb:cc:dd:ee:ff, a forged MAC address used for demonstrating the concept). In this particular case SA and BSSID are the same for obvious reasons. The last field is the sequence control, which here indicates fragment number 0 and sequence number 1.

The frame body needs to contain the minimum information for the ESSID to be picked up by aircrack-ng.

You need 12 bytes for the fixed parameters field:

00 00 00 00 00 00 00 00 60 EA 11 04

This translates to the following information:

[image: frame-body-fixed-parameters – timestamp, beacon interval and capability information as decoded by Wireshark]

The next (and last) field carries the ESSID. It has a variable length:

  • 1 byte for the tag number: 0 = SSID parameter set
  • 1 byte for the tag length, in the range 0x00 – 0x20
  • 0 – 32 bytes for the SSID field: the number of bytes given by the previous field, holding the ESSID string

An easy method for generating this field is to use echo and od (od -Ax -tx1 prints one byte per column with hex offsets; a plain hexdump would group the bytes into 16-bit words):

echo -n "foobar" | od -Ax -tx1
000000 66 6f 6f 62 61 72
000006

The first line of the output gives you the encoded bytes of the ESSID and the second line its length (the final offset, in hex), which means that the tagged parameters field of the frame body is:

00 06 66 6f 6f 62 61 72

Putting all of the above knowledge into practice:

cat forged-beacon.txt
00 00 27 00 2b 40 08 a0 20 08 00 00 00 00 00 00
00 00 00 00 00 00 00 00 10 00 6c 09 80 04 FF 00
00 00 00 00 00 FF 00 80 00 00 00 FF FF FF FF FF
FF AA BB CC DD EE FF AA BB CC DD EE FF 10 00 00
00 00 00 00 00 00 00 60 EA 11 04 00 06 66 6f 6f
62 61 72
cat forged-beacon.txt | xxd -r -p | od -Ax -tx1 -v | \
text2pcap -l 127 - forged-beacon.cap
Input from: Standard input
Output to: forged-beacon.cap
Output format: PCAP
Wrote packet of 83 bytes.
Read 1 potential packet, wrote 1 packet (123 bytes).

You may check the capture with Wireshark. It should complain that the packet is malformed. You may ignore this error, or copy the computed FCS (0x954d6a59) and append its bytes to the forged-beacon.txt file.
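To see why Wireshark reports the packet as malformed, and to sanity-check a forged frame before merging it into a capture, here is an added Python checker. It is my own code, not the post's and not part of any of the tools mentioned above: it walks the radiotap header far enough to read the Flags field, decodes the MAC header, fixed parameters and SSID element exactly as laid out above, and verifies the FCS trailer, which on 802.11 is the same CRC-32 as on Ethernet, stored little-endian. The sample input is the 83-byte hex dump from above; the function names and dictionary keys are my own choice.

```python
import struct
import zlib

# Constructed input: the hex dump of the 83-byte forged beacon from the post
# (39-byte radiotap header, 24-byte MAC header, 12 bytes of fixed parameters,
# 8-byte SSID element, no FCS trailer).
FORGED_BEACON_HEX = """
00 00 27 00 2b 40 08 a0 20 08 00 00 00 00 00 00
00 00 00 00 00 00 00 00 10 00 6c 09 80 04 FF 00
00 00 00 00 00 FF 00 80 00 00 00 FF FF FF FF FF
FF AA BB CC DD EE FF AA BB CC DD EE FF 10 00 00
00 00 00 00 00 00 00 60 EA 11 04 00 06 66 6f 6f
62 61 72
"""

RADIOTAP_FLAG_FCS = 0x10   # radiotap Flags bit: "frame includes FCS at end"
TAG_SSID = 0               # element ID of the SSID parameter set


def hex_to_bytes(text):
    """Turn a whitespace-separated hex dump into bytes (what xxd -r -p does)."""
    return bytes.fromhex("".join(text.split()))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_radiotap(data):
    """Return (header length, True if the Flags field announces an FCS trailer)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", data, 0)
    if version != 0 or length > len(data):
        raise ValueError("bad radiotap header")
    first_present, offset = present, 8
    while present & (1 << 31):          # bit 31: another present word follows
        (present,) = struct.unpack_from("<I", data, offset)
        offset += 4
    flags = 0
    if first_present & (1 << 0):        # TSFT: u64, aligned to 8 bytes
        offset = (offset + 7) & ~7
        offset += 8
    if first_present & (1 << 1):        # Flags: u8, the field right after TSFT
        flags = data[offset]
    return length, bool(flags & RADIOTAP_FLAG_FCS)


def fcs_for(frame):
    """The 802.11 FCS is CRC-32 (same polynomial as Ethernet) over header + body."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def fcs_is_valid(frame_with_fcs):
    """True if the last four bytes (little-endian, as sent on the air) match the CRC."""
    (stored,) = struct.unpack("<I", frame_with_fcs[-4:])
    return stored == fcs_for(frame_with_fcs[:-4])


def parse_beacon(frame):
    """Decode MAC header, fixed parameters and tagged elements of a beacon frame."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a beacon: type %d subtype %d" % (ftype, subtype))
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    timestamp, interval, capab = struct.unpack_from("<QHH", frame, 24)
    info = {
        "to_ds": (fc >> 8) & 1, "from_ds": (fc >> 9) & 1,
        "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "fragment": seq_ctl & 0xF, "sequence": seq_ctl >> 4,
        "timestamp": timestamp, "beacon_interval_tu": interval,
        "privacy": bool(capab & 0x10),  # capability bit 4: encryption in use
        "ssid": None,
    }
    pos = 36                             # first tagged element
    while pos + 2 <= len(frame):
        tag, tlen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + tlen]
        if len(value) < tlen:            # element runs past the end of the frame
            break
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        pos += 2 + tlen
    info["truncated"] = pos != len(frame)   # cut-off element or stray bytes
    return info


def inspect_capture_frame(packet):
    """Split a radiotap packet the way a dissector would and report FCS status."""
    rt_len, fcs_at_end = parse_radiotap(packet)
    frame = packet[rt_len:]
    if fcs_at_end:
        # The header promises a trailer, so the last 4 bytes are read as FCS and
        # the body ends 4 bytes early: a forged frame with no appended FCS loses
        # the tail of its SSID element, which is what the "malformed" report is.
        result = parse_beacon(frame[:-4])
        result["fcs_valid"] = fcs_is_valid(frame)
    else:
        result = parse_beacon(frame)
        result["fcs_valid"] = None
    result["fcs_at_end"] = fcs_at_end
    return result


if __name__ == "__main__":
    pkt = hex_to_bytes(FORGED_BEACON_HEX)
    print(inspect_capture_frame(pkt))          # truncated, no SSID, FCS invalid
    rt_len, _ = parse_radiotap(pkt)
    fixed = pkt + fcs_for(pkt[rt_len:]).to_bytes(4, "little")
    print(inspect_capture_frame(fixed))        # ssid "foobar", FCS valid
```

For the packet as forged, the radiotap Flags byte (0x10) announces an FCS at the end of the frame, so a dissector takes the last four bytes of the SSID element as the trailer, finds the element cut short and the CRC wrong, and reports the frame as malformed. For that reason, after appending a trailer, re-run fcs_is_valid on the result instead of trusting a value that was computed while part of the SSID element was still being read as the FCS; the checker expects the trailer in on-air (little-endian) byte order, so a value displayed as 0x954d6a59 corresponds to the bytes 59 6a 4d 95. The same check is useful from the other side of the table: an FCS that is announced but wrong is a simple sign that a frame in a capture file was assembled rather than recorded.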

Merging the capture with a previous capture containing the EAPOL messages is as simple as:

mergecap -a -F pcap -w handshake.cap forged-beacon.cap no-essid-eapol.cap
