Comp [34]49 Week 5, Sept 25, LT 412

error-correcting codes
collision-avoidance
kismet & drivers

======================================================================================

Chapter 8: error detection (not started week 4)

Parity
2-D parity as an ECC
CRC; demo of bitstring.java file
Example 8.3

Basic framework of block error-correction codes: §8.2
    k   = # of data bits
    n   = # of bits transmitted, n >= k
    n-bit blocks are called codewords
    n-k = # of check bits

Hamming distance; Example 8.6: k = 2 data bits, n = 5 transmitted bits

    data  codeword   dist from 00000   from 00111   from 11001
    00    00000
    01    00111            3
    10    11001            3                4
    11    11110            4                3             3

Calculate the Hamming distance between all pairs of codewords (above). Min distance = 3.
Any 1-bit error leaves us at distance 1 from the transmitted codeword and at distance >= 2 from every other codeword, so if we KNOW we have only a 1-bit error we can find the nearest valid codeword, by tedious lookup. A 2-bit error is detected (the result is not a codeword) but cannot be corrected: it may sit closer to a different codeword. Stallings has an exhaustive analysis here (pp 203-204).

===
simplified Hamming code

2^m data bits need m+1 check bits for single-error correction (m+2 if an extra overall parity bit is added for single-error correction / double-error detection)
ith check bit: parity bit for the bits in positions j where, if we write the position j in binary, j's ith digit is 1; the check bit itself sits at position 2^i
Decoding: XOR the positions of all the 1 bits; the result (the syndrome) is 0 for a valid codeword and otherwise is the position of the single flipped bit.

=========================
========================

Association

The AP *must* know who is associated! So that it can communicate this to the Distribution System, so packets can be delivered as you move from BSS to BSS within an ESS.

Frame types: good article by Jim Geier at www.wi-fiplanet.com/tutorials/article.php/1447501

Authentication frames: sent by station to AP
    open system authentication: a request from the station and an acceptance from the AP, no credentials checked
    shared-key (WEP) authentication: a four-frame challenge/response using the WEP key
    WPA: the key exchange (4-way handshake) happens after association, not in authentication frames
Deauthentication frame
Association request/response frames
Reassociation request/response frames
See IEEE AbsPage 40, §5.7.2, or Geier article
    Association frames are sent on first "connection" to an AP in an ESS.
    Reassociation frames are exchanged when a station roams within the ESS.
    Disassociation frames are sent to disconnect.
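Worked example for the Chapter 8 block-code material (Example 8.6 and the simplified Hamming code). This is an added example, not code from the lecture notes, from bitstring.java, or from Stallings; the function names are my own. It tabulates the pairwise Hamming distances from Example 8.6, does nearest-codeword decoding including the case a min distance of 3 cannot handle (a 2-bit error gets miscorrected, a tie is detected but not corrected), and encodes/decodes a single-error-correcting Hamming code using the rule above (check bit i covers every position whose binary index has digit i set), generalized to any number of data bits rather than only 2^m.

```python
# Added example (not from the lecture notes or Stallings): block-code distances
# and a simplified Hamming single-error-correcting code (Stallings §8.2).
from itertools import combinations

# Stallings Example 8.6: k = 2 data bits mapped to n = 5 codeword bits.
EXAMPLE_8_6 = {"00": "00000", "01": "00111", "10": "11001", "11": "11110"}


def hamming_distance(a: str, b: str) -> int:
    """Number of bit positions in which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("codewords must have equal length")
    return sum(x != y for x, y in zip(a, b))


def distance_table(codewords) -> dict:
    """Every pairwise distance, {(cw1, cw2): d}: the triangle table in the notes."""
    return {(a, b): hamming_distance(a, b) for a, b in combinations(codewords, 2)}


def min_distance(codewords) -> int:
    """d_min: corrects up to (d_min-1)//2 errors, detects up to d_min-1."""
    return min(distance_table(codewords).values())


def nearest_codeword(received: str, codewords):
    """Nearest-valid-codeword decoding (the 'tedious lookup').
    Returns (codeword, distance), or (None, distance) when two codewords are
    equally close, i.e. the error pattern is detectable but not correctable."""
    ranked = sorted(codewords, key=lambda cw: hamming_distance(received, cw))
    d0 = hamming_distance(received, ranked[0])
    if d0 == hamming_distance(received, ranked[1]):
        return None, d0
    return ranked[0], d0


def check_bit_count(k: int) -> int:
    """Smallest r with 2^r >= k + r + 1: k=4 -> 3, k=8 -> 4, k=16 -> 5."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def hamming_encode(data_bits: str) -> str:
    """Data bits go in the non-power-of-two positions (1-indexed); check bit
    2^i is the parity of every position j whose binary index has digit i set."""
    k = len(data_bits)
    n = k + check_bit_count(k)
    code = [0] * (n + 1)             # index 0 unused; positions 1..n
    data = iter(int(b) for b in data_bits)
    for j in range(1, n + 1):
        if j & (j - 1):              # not a power of two -> data position
            code[j] = next(data)
    for i in range(check_bit_count(k)):
        p = 1 << i
        code[p] = sum(code[j] for j in range(p + 1, n + 1) if j & p) % 2
    return "".join(map(str, code[1:]))


def hamming_decode(codeword: str):
    """Return (data_bits, syndrome). The syndrome is the XOR of the positions
    of all 1 bits; it is 0 for a clean word and equals the position of a single
    flipped bit, which is corrected before the data bits are extracted."""
    code = [0] + [int(b) for b in codeword]
    n = len(codeword)
    syndrome = 0
    for j in range(1, n + 1):
        if code[j]:
            syndrome ^= j
    if syndrome > n:
        raise ValueError("syndrome outside codeword: more than one error")
    if syndrome:
        code[syndrome] ^= 1
    data = "".join(str(code[j]) for j in range(1, n + 1) if j & (j - 1))
    return data, syndrome


if __name__ == "__main__":
    cws = list(EXAMPLE_8_6.values())
    for pair, d in distance_table(cws).items():
        print(pair, d)
    print("min distance", min_distance(cws))
    print("00001 ->", nearest_codeword("00001", cws))   # 1-bit error, corrected
    print("00011 ->", nearest_codeword("00011", cws))   # 2-bit error, miscorrected
    cw = hamming_encode("1011")
    print(cw, hamming_decode(cw[:4] + "1" + cw[5:]))    # flip position 5
```

The check-bit count confirms the table in Stallings: 8 data bits need 4 check bits, 16 need 5, so 2^m data bits need m+1. The miscorrection of 00011 (sent 00000, two bits flipped, decoded as 00111) is the reason a distance-3 code is advertised as "correct 1 or detect 2", never both at once.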
Beacon frames
Probe request/response frames

Linux:
    iwconfig eth1 essid loyola
    iwconfig eth1 ap 00:0B:85:70:A2:AA
both *initiate the Association process*

======================================================================================

I tried
    snort -vd -i eth1
Nothing happened. Why? Because I wasn't "connected" to an access point.

wifi interface modes:
    Access Point   (= Master)
    Station        (= Managed, or Client)
    Ad-hoc
    Mesh           not really used! Nobody knows how
    Repeater       rare
    Monitor        (= RFMON)

Inside of Station mode, the adapter can be put into "promiscuous" mode, so that it passes up all received frames instead of only those addressed to it. However, we still first have to ASSOCIATE with the access point.
Monitor mode: we receive ALL packets, without associating with anything. Single-channel capability, at least on my card. Many cards, and nearly all Windows drivers, do not support monitor mode.
Note that in monitor mode we send no wifi ACKs at all, and in promiscuous mode we ACK only frames addressed to us; either way the frames we sniff that are addressed to someone else are never acknowledged by us, so the capture is passive.

======================================================================================
======================================================================================

Kismet

From my office:  ESSID=loyola

    BSSID               signal    notes
    00:0B:85:70:9D:0A
    00:0B:85:70:A2:AA   -48 dBm   5th floor office, cisco Airespace
    00:0B:85:70:BB:9A
    00:0B:85:73:6A:0A
    00:0B:85:74:17:EA   -77 dBm
    00:0B:85:74:19:DA
    00:0B:85:74:0E:8A
    00:0B:85:7B:6A:EA
    00:0B:85:94:63:5A
    00:0B:85:95:38:FA
    00:0B:85:95:F6:BA   -78 dBm   linux lab
    00:0B:85:95:F8:8A   -77 dBm   4th floor office??
    00:0B:85:96:0D:2A   -74 dBm   windows lab??
    00:13:1A:2A:A4:85   -77 dBm   cisco
    00:13:1A:2A:A0:75   -77 dBm
    00:15:F9:A6:E2:F5             no manufacturer listed
    00:16:46:48:91:E5             no manufacturer listed
    00:16:46:2B:6A:75
    00:16:CB:02:6C:C1             Apple
    00:19:E3:10:A2:15             no manufacturer listed
    00:1C:B3:40:5D:94             no manufacturer listed

Kismet demo
    examination of log files
    looking at hidden/masked SSIDs
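Worked example for the 802.11 management frame types listed above and for the last Kismet item, hidden/masked SSIDs. This is an added example, not code from the lecture notes or from Kismet. It decodes the frame-control byte and the per-subtype body of raw management frames (beacon, probe, authentication, (re)association, disassociation, deauthentication), then does what Kismet's SSID unmasking does: a beacon that advertises a zero-length SSID is matched against later probe responses or association requests for the same BSSID, which carry the real name. The sample frames are constructed inline; only the AP's BSSID is taken from the Kismet scan above, the client MAC is made up, and all function names are my own.

```python
# Added example (not from the lecture notes): decode the 802.11 management frame
# subtypes discussed above from raw frame bytes, and recover a masked SSID the
# way Kismet does, from later frames that name the same BSSID. Sample frames are
# constructed here; only the AP BSSID is taken from the notes' Kismet scan.
import struct

MGMT_SUBTYPES = {                      # frame control type 0 (management)
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
FIXED_BODY_LEN = {0: 4, 1: 6, 2: 10, 3: 6, 4: 0, 5: 12, 8: 12}  # bytes before the IEs
SSID_BEARING = {0, 2, 4, 5, 8}         # subtypes whose IEs carry an SSID element
BCAST = "FF:FF:FF:FF:FF:FF"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_ies(body: bytes) -> dict:
    """Split the TLV information elements into {element_id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_mgmt_frame(raw: bytes) -> dict:
    """Parse one management frame (24-byte header, no radiotap header, no FCS)."""
    if len(raw) < 24:
        raise ValueError("shorter than an 802.11 management header")
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    if ftype != 0:
        raise ValueError(f"not a management frame (type {ftype})")
    # In management frames addr1 = DA, addr2 = SA, addr3 = BSSID
    info = {"subtype": MGMT_SUBTYPES.get(subtype, f"reserved ({subtype})"),
            "da": mac_str(raw[4:10]), "sa": mac_str(raw[10:16]),
            "bssid": mac_str(raw[16:22])}
    body = raw[24:]
    if subtype in (10, 12):            # disassociation / deauthentication
        info["reason_code"] = struct.unpack("<H", body[:2])[0]
    elif subtype == 11:                # authentication: algorithm, seq no, status
        alg, seq, status = struct.unpack("<HHH", body[:6])
        info["auth_algorithm"] = {0: "open system", 1: "shared key"}.get(alg, alg)
        info["auth_seq"], info["status"] = seq, status
    elif subtype in SSID_BEARING:
        ssid = parse_ies(body[FIXED_BODY_LEN[subtype]:]).get(0, b"")
        info["hidden"] = ssid.strip(b"\x00") == b""   # masked: zero-length or all NULs
        info["ssid"] = None if info["hidden"] else ssid.decode("utf-8", "replace")
    return info


def resolve_hidden_ssids(frames) -> dict:
    """BSSID -> SSID (None while still masked). A beacon with a masked SSID is
    filled in from any probe response or (re)association request for that BSSID."""
    seen = {}
    for f in map(parse_mgmt_frame, frames):
        if "hidden" not in f or f["bssid"] == BCAST:
            continue
        if f["hidden"]:
            seen.setdefault(f["bssid"], None)
        else:
            seen[f["bssid"]] = f["ssid"]
    return seen


# --- constructed sample frames (not a real capture) --------------------------
def build_mgmt(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    fc = bytes([subtype << 4, 0])      # protocol version 0, type 0, given subtype
    return (fc + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
            + b"\x00\x00" + body)


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


AP = "00:0B:85:70:A2:AA"               # BSSID from the Kismet scan in the notes
STA = "02:00:00:00:00:01"              # made-up locally administered client MAC
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
SAMPLE_FRAMES = [
    build_mgmt(8, BCAST, AP, AP, BEACON_FIXED + ie(0, b"") + ie(1, b"\x82\x84\x8b\x96")),
    build_mgmt(11, AP, STA, AP, struct.pack("<HHH", 0, 1, 0)),   # open system, seq 1
    build_mgmt(5, STA, AP, AP, BEACON_FIXED + ie(0, b"loyola")), # directed probe response
    build_mgmt(12, STA, AP, AP, struct.pack("<H", 7)),            # deauth, reason code 7
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_mgmt_frame(frame))
    print(resolve_hidden_ssids(SAMPLE_FRAMES))
```

To run this on real traffic, capture in monitor mode (the only mode that sees frames for every BSS, and the one that sends no ACKs), strip the radiotap header, and feed each 802.11 frame to parse_mgmt_frame. The unmasking relies on the point made under Association: a station that wants to join must name the SSID in its probe or association request, so a masked beacon only hides the name until the first client shows up.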