本文深入探讨了RSN-IE(Robust Security Network Information Element)在802.11管理帧中的应用,包括Beacon、Probe Response、Association Request和Reassociation Request帧。详细介绍了Wireshark中过滤这些帧的方法,以及如何通过RSN-IE了解设备支持的加密套件(如CCMP、TKIP、WEP)和认证方法(如802.1X、PSK)。
RSN-IE (Robust Security Network Information Element) is an optional field of variable length that can be found in 802.11 management frames.RSN element has an element ID of 48 & present in below different management frames
1. Beacon frames.(send by AP)
2. Probe Response frames.(send by AP)
3. Association Request frames.(send by Client)
4. Reassociation Request frames (Send by client)
All 802.11 radios will use one cipher (pairwise) suit for unicast encryption & another cipher(group) for encrypting multicast/broadcast traffic. Below are the different cipher suite values.
00-0F-AC-04 (CCMP) is the default
00-0F-AC-02 (TKIP) is optional.
00-0F-AC-01 (WEP-40)
00-0F-AC-05 (WEP-104)
When station supports several ciphers, it always chooses the stronges one first (ie CCMP, TKIP, WEP-104, WEP-40)
RSN-IE also used to indicate what authentication methods are supported. The Authentication Key Management (AKM) suite indicate whether the station support 802.1X or PSK authentication. Below are the 3 different AKM suite values depend on the Authentication method used.
00-0F-AC-01 (802.1X)
00-0F-AC-02 (PSK)
00-0F-AC-03 (FT over 802.1X)
Here is the structure of RSN element.
Below shows sample wireless frame captures of those 4 different type of frames where RSN-IE field exists.
Here is a beacon frame.You can filter Beacon frames in wireshark using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08) filter. As you can see below both Group & Pairwise cipher is CCM-AES (00-0F-AC-04) & AKM suite is PSK (00-0F-AC-02)
Here is a Probe Response frame. You can filter Probe Response frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05) wireshark filter.
Here is a Association Request frame.You can filter Association Request frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00) wireshark filter.
Here is a Reassociation Reuest frame. You can filter these frames using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02) wireshark filter. As you can see it uses AKM suite of 00-0F-AC-01 (802.1X) & CCM-AES (00-0F-AC-04) encryption ciphers.
When you have multiple cipher suites (for mixed client support) Group Cipher should be always lowest denominator.(ie if CCMP, TKIP & WEP ciphers, group cipher should be WEP)
References.
1. http://www.my80211.com/8021x/2010/7/4/george-stefanick-cwsp-journey-chapter-5-rsn-post2-742010.html
2. CWSP-Official Study Guide (page 184-188)
后记:
作者这篇文章和家用路由器情景较比相近
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
