Tutorial: How to crack WEP on a Wireless Distribution System (WDS)?
- Introduction
- Solution

Tutorial: How to crack WEP on a Wireless Distribution System (WDS)?

Version: 1.02.1 February 9, 2008
By: darkAudax

Files linked to this tutorial:
wds.authentication.cap
arp.request.from.ap.wired.client.cap
arp.request.from.wds.wired.client.cap
ap.wired.client.ping.wds.wired.client.cap

Introduction

A Wireless Distribution System is a system that enables the interconnection of access points and related clients wirelessly. This Wikipedia entry has an excellent description of WDS. I strongly encourage you to read the Wikipedia entry prior to reading this tutorial. It is important to understand what a WDS is and the number of variations.

WDS can be used to provide two modes of wireless AP-to-AP connectivity:

Wireless Bridging in which WDS APs communicate only with each other and don't allow wireless clients or Stations (STA) to access them
Wireless Repeating in which APs communicate with each other and with wireless STAs

This tutorial will be exploring the second mode above where APs communicate with each other and wireless stations. At this point in time, the aircrack-ng suite does not fully support all attacks on WDS. It is intended more to document observations about WDS and be a learning vehicle. As the aircrack-ng suite is enhanced specifically for WDS, then this tutorial will be updated.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

Please send any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Solution

Assumptions used in this tutorial

Your wireless rig is working and can inject packets.
You have Wireshark installed and working. Plus you have a basic understanding of how to use it.
You are using the latest aircrack-ng 1.0dev version or above.

Equipment used

Access Point

ESSID: teddy
MAC address: 00:14:6C:7E:40:80 Channel: 9 Note: This is the AP which is in AP mode

Wired client located on access point network

MAC address: 00:40:F4:77:F0:9B

WDS

ESSID: teddy
MAC address: 00:14:6C:04:57:9B Channel: 9 Note: This is the AP which is in WDS mode.

Wired client located on WDS network

MAC address: 00:08:02:6A:1D:97

To/From DS Fields

This section provides some background information which is important to understand.

Each data frame contains four address fields and two individual To/From DS (Distribution System) fields. Each of the ToDS and FromDS fields can have a value of 0 or 1. Distribution system basically means the local LAN. Here is the meaning of these To/From DS fields.

To/From DS values	Meaning
To DS = 0, From DS = 0	A data frame direct from one STA to another STA within the same IBSS, as well as all management and control type frames.
To DS = 0, From DS = 1	Data frame exiting the DS.
To DS = 1, From DS = 0	Data frame destined for the DS.
To DS=1, From DS = 1	Wireless distribution system (WDS) frame being distributed from one AP to another AP.

The content of the Address fields of the data frame is dependent upon the values of the To DS and From DS bits and is defined below. Where the content of a field is shown as not applicable (N/A), the field is omitted. Note that Address 1 always holds the receiver MAC address of the intended receiver (or, in the case of multicast frames, receivers), and that Address 2 always holds the AMC address of the station that is transmitting the frame.

The following describes the contents of each address field depending on the To/From DS fields:

To DS	From DS	Address 1	Address 2	Address 3	Address 4
0	0	RA = DA	TA = SA	BSSID	N/A
0	1	RA = DA	TA = BSSID	SA	N/A
1	0	RA = BSSID	TA = SA	DA	N/A
1	1	RA	TA	DA	SA

Meaning

RA - Receiver MAC Address (In the case of WDS, this is the MAC address of the receiving AP)
TA - Transmitter MAC Address (In the case of WDS, this is the MAC address of the transmitting AP)
DA - Destination MAC Address (In the case of WDS, this is the MAC address of the destination system)
SA - Source MAC Address (In the case of WDS, this is the MAC address of the sending system)

WDS in action

We will start by looking at how a WDS looks like in airodump-ng:

 CH  9 ][ Elapsed: 44 s ][ 2007-09-30 13:06                                         
                                                                                                            
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
  00:14:6C:04:57:9B   44  42      144        1    0   9  54  WEP  WEP         teddy                           
  00:14:6C:7E:40:80   30 100      443        2    0   9  54  WEP  WEP    OPN  teddy                            
 
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes                                      
                                                                                                            
  00:14:6C:7E:40:80  00:14:6C:04:57:9B   45   0- 1    88      154  teddy

Requirements:

Both the AP and WDS must have the same parameters: Channel, SSID, WEP key size and WEP key.

Observations:

When a WDS is running and is not connected to an AP, it does not send out any beacons. Beacons only start being sent once the WDS is connected to the main AP.
The WDS sends out probe packets for the specific AP as well as “broadcast”. This continues, at least on these particular units, even after the WDS connects to the main AP. I suspect this is a type of keep alive process but this is not an authoritative explanation. I have seen other WDS implementations which do not continuously send probes.
The client line above only reflects the probes and probe responses. Currently, the WDS traffic is not shown as client activity.

Attacks which work

All standard aircrack-ng attacks work. Make sure to not use any packet where To/From DS fields are both 1.

Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit. So fake authentication is not required. However, using a separate MAC seems to yield better injection rates.

airtun-ng can inject plaintext and WEP packets into a WDS link. That's even possible when airtun-ng only sees one of the two WDS nodes! (Note that in this case only clients behind this node are reachable)

Attacks which do not work

The following attacks do not work using WDS packets (To/FromDS both equal to 1):

chopchop
fragmentation
packet replay

Enhancements required

This is list of software changes required to support WDS attacks:

aircrack-ng: Allow two BSSIDs to be defined to allow selection of both APs. As well, add a “netmask” function the same as currently exists in airodump-ng.
airdecap-ng: Properly select SSID and BSSID. Allow two BSSIDs to be defined to allow selection of both APs.
airodump-ng: Allow two BSSIDS to be defined to allow the selection of both APs. NOTE: In the interim, you can use the “netmask” function to achieve the same thing if they are all the same brand.
airodump-ng: Change the logic to allow the WDS packets to be shown as client traffic. An arbitrary decision will need to be made as to which MAC is to be the BSSID and which is to be treated as the Client MAC.
All tools: Ability to specify all four address fields on the command line
aireplay-ng: Display all address fields based on context of To/FromDS bit combinations
aireplay-ng: For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus extra 6 bytes) and replay that.

Wireshark filters

Wireshark filter to select packets with To/FromDS both equal to 1: wlan.fc.ds == 0x03

Simply copy and paste this into the Wireshark “Filter” box and click apply. Then only packets where the To/FromDS field are both equal to 1 are displayed.

Packet analysis

The following packet captures are provided to allow you to see what the packets typically look like. They are best viewed with Wireshark.

wds.authentication.cap

This capture shows the WDS AP authenticating and associating with the main AP. It contains the the typical probes followed by authentication and finally association.

arp.request.from.ap.wired.client.cap

A wired client attached to the main access point sends out an arp request packet. This arp request is broadcast by the main AP. It is also sent to the WDS AP (To/FromDS both equal to 1;4 addresses). The WDS AP broadcasts the arp request.

You would be able to use the arp request broadcast from each AP with the existing aircrack-ng tools.

arp.request.from.wds.wired.client.cap

A wired client attached to the WDS access point sends out an arp request packet. This arp request is broadcast by the WDS AP. It is also sent to the main AP (To/FromDS both equal to 1;4 addresses). The main AP broadcasts the arp request.