Monday, January 23, 2012

Dumping Beacon frames using the WiFi Native API

Some time ago I released wwtool, a tool that does some information gathering using wireless interfaces on Windows, and I promised to add some features; one of them was dumping wireless frames to a pcap file.

I'm going to explain how we are able to reassemble Beacon frames using the WiFi Native API.

Before we start we need to understand what a Beacon frame contains. The image below shows the content of this frame.

To do the magic we are going to use the WlanGetNetworkBssList function, which retrieves a list of BSS entries of the wireless networks on a given wireless interface. These BSS entries are handed to us in the WLAN_BSS_ENTRY structure, and we know that this information is gathered from Beacon and Probe Response frames. These two frames are almost identical in content, so we are going to treat all of them as Beacons, because it would be almost impossible to distinguish one from the other through the API.

Below we can see the declaration of the WLAN_BSS_ENTRY structure.

typedef struct _WLAN_BSS_ENTRY {
  DOT11_SSID        dot11Ssid;
  ULONG             uPhyId;
  DOT11_MAC_ADDRESS dot11Bssid;
  DOT11_BSS_TYPE    dot11BssType;
  DOT11_PHY_TYPE    dot11BssPhyType;
  LONG              lRssi;
  ULONG             uLinkQuality;
  BOOLEAN           bInRegDomain;
  USHORT            usBeaconPeriod;
  ULONGLONG         ullTimestamp;
  ULONGLONG         ullHostTimestamp;
  USHORT            usCapabilityInformation;
  ULONG             ulChCenterFrequency;
  WLAN_RATE_SET     wlanRateSet;
  ULONG             ulIeOffset;
  ULONG             ulIeSize;
} WLAN_BSS_ENTRY, *PWLAN_BSS_ENTRY;

If we compare the content of the frame with the information we can get from the Windows API, we see that we are missing some portions of the frame.

We are able to assume the content of some fields and fix the value of others to reassemble the frames:

  • Frame Control Version is 0x0.
  • Frame Control Type is set to Management and Subtype to Beacon.
  • Frame Control Flags are always 0x0 on Beacon and Probe Response frames.
  • Duration is always 0x0.
  • Destination is set to broadcast as on the Beacon frames.
  • Source Address is the same as the BSSID and we can get this from the WLAN_BSS_ENTRY structure.
  • Management frames can't be fragmented, so we set the fragment number field to 0.
  • We set the sequence number to a fixed value of 0.
  • Timestamp, beacon interval and capabilities fields are available on the WLAN_BSS_ENTRY structure.
  • We get all the information elements of the frame using the ulIeOffset and ulIeSize from the WLAN_BSS_ENTRY structure.

Finally, the only thing we are missing is to store these frames in a file using the Pcap file format (http://wiki.wireshark.org/Development/LibpcapFileFormat).
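
The reassembly described above, as an added example (this is not the wwtool source): it fills the fixed values from the list, copies the rest from the entry, and produces the libpcap global and record headers. Since wlanapi.h is Windows-only, the example copies the WLAN_BSS_ENTRY members it needs into a small stand-in struct (bss_fields_t, a name chosen here), and all multi-byte fields are written little-endian as 802.11 and the pcap format require.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the WLAN_BSS_ENTRY fields this example uses (the real
 * structure lives in wlanapi.h; copy the values from it at run time). */
typedef struct {
    uint8_t        bssid[6];          /* dot11Bssid */
    uint16_t       beacon_period;     /* usBeaconPeriod */
    uint64_t       timestamp;         /* ullTimestamp */
    uint16_t       capability;        /* usCapabilityInformation */
    const uint8_t *ie;                /* (BYTE *)entry + ulIeOffset */
    size_t         ie_size;           /* ulIeSize */
} bss_fields_t;

static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, v & 0xffff); put_le16(p + 2, v >> 16); }
static void put_le64(uint8_t *p, uint64_t v) { put_le32(p, (uint32_t)v); put_le32(p + 4, (uint32_t)(v >> 32)); }

/* Rebuild the Beacon: 24-byte MAC header, 12 bytes of fixed fields, then the IEs.
 * Returns the frame length, or 0 if the output buffer is too small. */
size_t build_beacon(const bss_fields_t *b, uint8_t *out, size_t cap)
{
    size_t len = 24 + 12 + b->ie_size;
    if (cap < len) return 0;
    out[0] = 0x80; out[1] = 0x00;      /* Frame Control: version 0, Management, Beacon, flags 0 */
    put_le16(out + 2, 0);              /* Duration */
    memset(out + 4, 0xff, 6);          /* DA: broadcast */
    memcpy(out + 10, b->bssid, 6);     /* SA: same as BSSID */
    memcpy(out + 16, b->bssid, 6);     /* BSSID */
    put_le16(out + 22, 0);             /* Sequence Control: fragment 0, sequence 0 */
    put_le64(out + 24, b->timestamp);  /* Timestamp */
    put_le16(out + 32, b->beacon_period);
    put_le16(out + 34, b->capability);
    memcpy(out + 36, b->ie, b->ie_size);
    return len;
}

/* Libpcap file format: 24-byte global header (link type 105 = IEEE 802.11)
 * followed by one 16-byte record header per frame. */
void pcap_global_header(uint8_t h[24])
{
    put_le32(h, 0xa1b2c3d4); put_le16(h + 4, 2); put_le16(h + 6, 4); /* magic, version 2.4 */
    put_le32(h + 8, 0); put_le32(h + 12, 0);                          /* thiszone, sigfigs */
    put_le32(h + 16, 65535); put_le32(h + 20, 105);                   /* snaplen, DLT_IEEE802_11 */
}

void pcap_record_header(uint8_t h[16], uint32_t sec, uint32_t usec, uint32_t len)
{
    put_le32(h, sec); put_le32(h + 4, usec);
    put_le32(h + 8, len); put_le32(h + 12, len);  /* incl_len, orig_len */
}
```

Write the global header once, then for each entry a record header followed by the frame bytes; Wireshark will decode the result as 802.11 management frames.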

As we saw, this is not so hard to do, and it gives us some sort of "sniffing" with wireless interfaces on the Windows platform.

For those who don't want to do all the coding, I uploaded the source code to my GitHub repository (https://github.com/6e726d). The code can be built using Visual Studio Express Edition.

And for those who only want the binary file, you can download it from here.

18 comments:

  1. nice one....

    is there any way to retrieve the fields which u have assumed to fill the frame control fields in response??? using native APIS(other).

    can we set the IE fields in probe response during scan? or connect.

    Can we implement 802.11U amendment only through application without changing driver.

    can you tell me because I am working on that for windows

  2. david preetham: I'm not sure what you mean with "is there any way to retrieve the fields which u have assumed to fill the frame control fields in response??? using native APIS(other)."
    As far as I know the only way to get information from 802.11 management frames is the one explained above, and this only gets information from beacons and probe response frames.
    I also have been working with the injection of IE on probe request frames, but this doesn't work all the time, it depends on the driver and hardware support of the wireless interface.

  3. hi what is the destination address of beacon frame.....

    Replies
    1. Beacon frames are broadcast, the destination address has to be FF:FF:FF:FF:FF:FF.

  4. Hi, is it possible to convert the code to vb.net?

    Replies
    1. I'm pretty sure it can be ported to VB.net, I've used many functions of the WIFI Native API from C#.

  5. This comment has been removed by the author.

    Replies
    1. I'm not sure I understand the problem, but if you want to find the WPS information element you need to parse the information elements list. Is your code open source, or are you able to share it, so I can see if I'm able to help you?

  6. This comment has been removed by the author.

    Replies
    1. To get the raw information elements from the beacon frame you need to access a byte array that's located on the address of WlanBssEntry + ieOffset. That byte array has the size of ieSize. Next you need to parse the information elements, check the following image for the structure.

      http://masters.donntu.edu.ua/2008/kita/handildi/library/oreilly/ch4_31.png

      Hope this helps you.

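Walking the IE list the reply above describes, as an added example (not the article's code): it parses the ID/length/value list found at ulIeOffset with bounds checks, stops at a truncated element instead of reading past ulIeSize, and looks up the SSID and the WPS vendor-specific IE asked about in comment 5. The ie_t type and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One information element as it appears in the IE list: ID, length, value. */
typedef struct { uint8_t id; uint8_t len; const uint8_t *data; } ie_t;

/* Walk the IE list at (BYTE *)entry + ulIeOffset, ulIeSize bytes long.
 * Returns the number of IEs stored in out; stops at the first IE whose
 * declared length runs past the end of the buffer, or when out is full. */
size_t ie_walk(const uint8_t *buf, size_t size, ie_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos + 2 <= size && n < max_out) {
        uint8_t id = buf[pos], len = buf[pos + 1];
        if (pos + 2 + len > size) break;      /* truncated or malformed element */
        out[n].id = id; out[n].len = len; out[n].data = buf + pos + 2;
        n++;
        pos += 2 + len;
    }
    return n;
}

/* Locate the WPS IE: vendor-specific element (ID 221) carrying the
 * Microsoft OUI 00:50:F2 with type 4. Returns the IE or NULL. */
const ie_t *ie_find_wps(const ie_t *ies, size_t n)
{
    static const uint8_t wps_hdr[4] = { 0x00, 0x50, 0xf2, 0x04 };
    for (size_t i = 0; i < n; i++)
        if (ies[i].id == 221 && ies[i].len >= 4 && memcmp(ies[i].data, wps_hdr, 4) == 0)
            return &ies[i];
    return NULL;
}

/* Copy the SSID (ID 0) into a NUL-terminated buffer; returns its length or -1. */
int ie_get_ssid(const ie_t *ies, size_t n, char *ssid, size_t cap)
{
    for (size_t i = 0; i < n; i++)
        if (ies[i].id == 0 && (size_t)ies[i].len < cap) {
            memcpy(ssid, ies[i].data, ies[i].len);
            ssid[ies[i].len] = '\0';
            return ies[i].len;
        }
    return -1;
}
```
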
  7. Great sample! But it seems that your code catches only packets from WiFi Access Points. I am searching for a solution that registers beacon frames from mobile devices that work as WiFi clients.
    As far as I know, the function that filters client beacon frames is implemented in the Windows WiFi card driver.
    To solve this problem, CommView http://www.tamos.ru/products/commwifi/ installs its own drivers, and works perfectly for me.
    Is it possible to get the WiFi client beacon frames with your solution? I tried with CommView WiFi card drivers but the result is the same.

    Replies
    1. I'm not sure what happens when using it with the CommView drivers, but I can assume that you are going to receive the same beacons you receive when using the original driver.

      Probably the CommView drivers have some functions to get frames besides beacons, but probably the Windows Native Wifi API doesn't use them.

  8. Hi, I'm not sure if you can help, but is it possible to mimic a beacon frame from iOS or Android? 802.11 or Bluetooth
    Thanks

    Replies
    1. To be able to do this you need to jailbreak your device. Check the following link, https://github.com/tuter/monmob.

  9. Thanks a lot for your help, this is very useful

  10. Hi, how can I access the Beacon timestamp field? code?
    and is it possible to access the WLAN chipset TSF timer??

    Replies
    1. Using Windows WiFi Native API you are not going to be sure the data you are accessing is from a Beacon or a Probe Response. Besides that you can access the timestamp value reading the ullTimestamp member of the WLAN_BSS_ENTRY structure. You could guide yourself by reading the code from this article.
      I don't think you can access chipset information without interacting directly with the driver or firmware.
