WEP-SHARED ============== .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow Topics in this section, * :ref:`Learnings in this section <80211g_wep-shared_1>` * :ref:`Version Info <80211g_wep-shared_2>` * :ref:`Packet flow in WEP-SHARED mode <80211g_wep-shared_3>` * :ref:`Connection steps in wep-shared mode <80211g_wep-shared_4>` * :ref:`STEP 1: Bring up AP <80211g_wep-shared_5>` * :ref:`STEP 2: Bring up STA <80211g_wep-shared_6>` * :ref:`Wireshark capture <80211g_wep-shared_7>` * :ref:`Decrypting WEP-Encrypted Frames in Wireshark <80211g_wep-shared_8>` * :ref:`Wireshark capture Analysis <80211g_wep-shared_9>` .. _80211g_wep-shared_1: .. tab-set:: .. tab-item:: Learnings in this section * In this section, you are going to learn .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow * How to run wpa_supplicant and hostapd in wep-shared mode .. _80211g_wep-shared_2: .. tab-set:: .. tab-item:: Version Info =============================== ======================================= # Version =============================== ======================================= Supplicant wpa_supplicant 2.10 Hostapd hostapd 2.10 =============================== ======================================= .. _80211g_wep-shared_3: .. tab-set:: .. tab-item:: Packet flow in WEP-SHARED mode .. plantuml:: :scale: 130 % == Scanning == STA -> AP: **Probe Request** AP -> STA: **Probe Response** == Authentication == STA -> AP: **Authentication Request** AP --> STA: ACK AP -> STA: **Authentication Clear Text Challenge** STA --> AP: ACK STA -> AP: **Authentication WEP Encrypted Challenge** AP --> STA: ACK AP -> STA: **Authentication Response** STA --> AP: ACK == Association == STA -> AP: **Association Request** AP --> STA: ACK AP -> STA: **Association Response** STA --> AP: ACK == PING AP from STA == STA -> AP: **ARP Request** AP --> STA: ACK AP -> STA: **ARP Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK .. _80211g_wep-shared_4: .. tab-set:: .. tab-item:: Connection steps in wep-shared mode .. _80211g_wep-shared_5: .. tab-set:: .. tab-item:: STEP 1: Bring up AP using hostapd .. csv-table:: :file: ./wep-shared/wep_shared_ap_hostapd.csv :class: tight-table .. _80211g_wep-shared_6: .. tab-set:: .. tab-item:: STEP 2: Bring up STA using supplicant .. csv-table:: :file: ./wep-shared/wep_shared_station.csv :class: tight-table .. _80211g_wep-shared_7: .. tab-set:: .. tab-item:: Wireshark capture * Download file to check wireshark output :download:`Packet capture in WEP-SHARED mode <./wep-shared/802.11g_wep_shared_ping.pcapng>` .. _80211g_wep-shared_8: .. tab-set:: .. tab-item:: Decrypting WEP-Encrypted Frames in Wireshark * In this section- To analyze ARP and ICMP packets captured in a WEP/Shared 802.11g network, you must **decrypt the frames** in Wireshark. * This allows you to view the actual payload (ARP and ICMP data) instead of only seeing encrypted bytes. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Decrypting WEP-Encrypted Frames in Wireshark** 1. **Open the Capture File** * Launch Wireshark and open your `.pcap` or `.pcapng` file containing the captured 802.11 frames. * Ensure your capture includes **management, control, and data frames** from the shared key network. 2. **Enable Decryption** * Go to **Edit → Preferences → Protocols → IEEE 802.11**. * Check **“Enable decryption”**. * Click **“Edit”** under **Decryption Keys**. .. image:: ./wep-shared/decryption/decrypt_1.png :alt: Decryption1 in Wireshark :scale: 95 % 3. **Add the WEP Key** * Add your shared WEP key in the format: * Set **key type** as WEP and **key** as 123456789a. .. image:: ./wep-shared/decryption/decrypt_2.png :alt: Decryption2 in Wireshark :scale: 95 % 4. **Apply the Key and Refresh** * Click **OK** to save the key. * Wireshark will automatically decrypt frames that match the key. * You should now see **ARP and ICMP payloads** in plain text instead of encrypted bytes. .. _80211g_wep-shared_9: .. tab-set:: .. tab-item:: Wireshark capture Analysis * In this section, you will verify connectivity and frame exchange using the Wireshark capture. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Beacon Packet Analysis** 1. Check if AP is Beaconing * The Beacon Frame is periodically broadcast by the AP (every ~100 ms) to announce the presence of a network. * In WEP-Shared mode, the AP advertises WEP capability (Privacy bit = 1) and will require Shared-Key authentication for association if configured that way. * It includes parameters such as supported data rates, channel information, and capability info that STA uses to decide if it can join the network. 2. Verify the **Beacon Interval** (100 ms). * Indicates how frequently the AP transmits Beacon frames (typically 100 TU ≈ 102.4 ms). * Consistent Beacon intervals confirm stable AP operation. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_1.png :alt: Beacon interval (100ms) in Wireshark :scale: 95 % 3. Check the **Subtype** field in the Beacon frame. * The Subtype identifies the frame as a **Beacon** (Subtype = 8). * Correct Subtype ensures Wireshark is recognizing the management frame correctly. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_2.png :alt: Subtype check in Wireshark :scale: 95 % 4. Verify that the **Data Rate** includes **1 Mbps** (mandatory for 802.11g). * 802.11g requires at least 1 Mbps support for legacy devices. * If 1 Mbps is missing, some STAs may fail to connect. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_3.png :alt: Beacon frame data rate check in Wireshark :scale: 95 % 5. Check if the **Receiver Address (RA)** is **Broadcast address**. * Beacon frames are sent to the broadcast address **FF:FF:FF:FF:FF:FF** so that all nearby STAs can receive them. * This confirms that the beacon is not targeted to a specific STA but intended for all devices in range. * **No ACK is sent** for Beacon frames because they are broadcast. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_4.png :alt: Receiver address in Beacon frame :scale: 95 % 6. Verify **Supported Rates**. * 802.11g supports both legacy (1, 2, 5.5, 11 Mbps) and OFDM rates (6–54 Mbps). * Ensures AP compatibility with both 802.11b and 802.11g clients. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_5.png :alt: Supported rates in Beacon frame :scale: 95 % 7. Check the **Privacy bit** in the Capability Information field. * Privacy bit = 1 indicates WEP is enabled. * This distinguishes WEP-Shared mode from completely open (non-encrypted) mode. * Confirms that the AP is configured for encrypted data frames and (if configured) shared-key authentication. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_6.png :alt: Privacy bit in Beacon frame :scale: 95 % 8. Check the **DS Parameter Set (Channel Information)** * The DS Parameter Set indicates the channel number (e.g., Channel 6 at 2437 MHz). * Ensures that both AP and STA operate on the same frequency band. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_7.png :alt: DS Parameter Set in Beacon frame :scale: 95 % 9. Check the **SSID Tag** * The SSID field must match the configured network name. * Helps verify that the AP is correctly advertising your WEP-enabled SSID. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_8.png :alt: SSID Parameter in Beacon frame :scale: 95 % 10. Check the **ERP Information Element**. * **ERP Information** is unique to 802.11g and indicates: * **Non-ERP Present** (0 or 1) * **Use Protection** (0 or 1) * **Barker Preamble Mode** (0 or 1) * Ensures proper coexistence with 802.11b devices and defines if protection frames are used. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_9.png :alt: ERP Information element in Beacon frame :scale: 95 % 11. Verify **Short Slot Time bit** in Capability Info. * Short Slot Time = 1 → shorter slot duration (9 µs) for improved efficiency. * 802.11b used long slot (20 µs). .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_10.png :alt: Short Slot Time capability in Beacon frame :scale: 95 % 12. Check **Extended Supported Rates**. * Additional OFDM rates (12, 18, 24, 36, 48, 54 Mbps) appear in this field. * Confirms AP supports higher data throughput. .. image:: ./wep-shared/802.11g_wep_shared_beacon/beacon_11.png :alt: Extended supported rates in 802.11g Beacon :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Probe Request Packet Analysis** 1. Check if STA is sending Probe Request packet * A Probe Request frame is sent by the STA to actively discover available networks. * It contains information about what the STA supports (SSID, data rates, and capabilities). * APs receiving this may respond with Probe Response frames if the SSID matches or if the request is broadcast. 2. Check the **Frame Subtype** to confirm it is a **Probe Request**. * In Wireshark, the Frame Control field indicates the subtype. * Probe Request frames should have subtype **0x0004**. .. image:: ./wep-shared/802.11g_wep_shared_probe_req/probe_req_1.png :alt: Probe Request subtype in Wireshark :scale: 95 % 3. Verify the **Source Address** in the Probe Request. * Source Address should match the STA’s MAC address. * This ensures the frame is indeed coming from the correct STA. .. image:: ./wep-shared/802.11g_wep_shared_probe_req/probe_req_2.png :alt: Probe Request source address :scale: 95 % 4. Verify the **Receiver Address** in the Probe Request. * Receiver Address should be the **broadcast address** (FF:FF:FF:FF:FF:FF). * This allows all APs on the channel to receive the request. * **No ACK is expected** for broadcast Probe Requests. .. image:: ./wep-shared/802.11g_wep_shared_probe_req/probe_req_3.png :alt: Probe Request receiver address :scale: 95 % 5. Check the **SSID field** in the Probe Request. * For general network discovery, SSID should be set to **Wildcard SSID(empty)**. * A specific SSID can limit scanning to only that AP. .. image:: ./wep-shared/802.11g_wep_shared_probe_req/probe_req_4.png :alt: Probe Request SSID field :scale: 95 % 6. Verify **Supported Rates and Extended Capabilities**. * Ensure all expected rates are advertised by the STA (1, 2, 5.5, 11 Mbps for 802.11g and 6, 9, 12, ... Mbps for 802.11g/n). * Check additional parameters: Extended Supported Rates, HT Capabilities, VHT if STA is modern. * Confirms STA can support modern APs while maintaining backward compatibility. .. image:: ./wep-shared/802.11g_wep_shared_probe_req/probe_req_5.png :alt: Supported Rates and capabilities in Probe Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Probe Response Packet Analysis** 1. Check if AP is sending Probe Response packet * A Probe Response is sent by an AP in reply to a Probe Request received from a STA. * It contains detailed information about the AP’s capabilities, including SSID, supported rates, channel (DS Parameter), and whether the network is secure (Privacy bit) * It helps the STA decide which AP to associate with. * **Note:** Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA. 2. Check the **Frame Subtype** to confirm it is a **Probe Response**. * Subtype identifies the frame as a **Probe Response** (Subtype = 5). * Ensures Wireshark is correctly capturing AP responses. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_1.png :alt: Probe Response subtype in Wireshark :scale: 95 % 3. Verify the **Source Address** in the Probe Response. * Source Address should be the MAC of the AP. * Confirms the frame is coming from the correct AP. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_2.png :alt: Source address in Probe Response :scale: 95 % 4. Verify the **Receiver Address** in the Probe Response. * Receiver Address should be the MAC of the requesting STA. * Confirms the response is unicast and directed to the correct STA. * Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_3.png :alt: Receiver address in Probe Response :scale: 95 % 5. Check the **SSID field** in the Probe Response. * SSID must match the AP configuration. * Confirms the AP is broadcasting the expected network name. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_4.png :alt: SSID in Probe Response :scale: 95 % 6. Check **Capability Information** field for **ESS=1** in the Probe Response. * ESS bit indicates the AP is part of an infrastructure BSS. * Must be set to 1 for proper STA-AP communication. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_5.png :alt: ESS bit in Capability Information in Probe Response :scale: 95 % 7. Check **Capability Information** field for **Privacy=1** in the Probe Response. * Privacy bit (bit 4) = 1 indicates WEP is enabled on this AP. * Since this is WEP-Shared mode, the AP will perform the challenge/response exchange for authentication. * Confirms that security is configured at the AP level. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_6.png :alt: Privacy bit in Capability Information in Probe Response :scale: 95 % 8. Verify **Supported Rates** in the Probe Response. * The Supported Rates element indicates the rates supported by the AP. * 802.11g supports both **legacy (1, 2, 5.5, 11 Mbps)** and **OFDM rates (6, 9, 12, 18, 24, 36, 48, 54 Mbps)**. * Confirms that both the AP and STA are using compatible DSSS data rates. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_7.png :alt: Supported Rates in Probe Response :scale: 95 % 9. Verify **DS Parameter Set** (channel assignment) in the Probe Response. * DS Parameter indicates the AP’s operating channel. * Confirms the STA knows which channel to use to associate with the AP. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_8.png :alt: DS Parameter Set (channel) in Probe Response :scale: 95 % 10. **Check ERP Information (New in 802.11g)** * The **ERP Information element** is unique to 802.11g and ensures **backward compatibility** with 802.11b. * It includes: * **Non-ERP Present bit** – Indicates if older 802.11b devices are in the network. * **Use Protection bit** – Enables CTS-to-Self or RTS/CTS when 802.11b stations are active. * **Barker Preamble bit** – Shows whether the AP supports short preamble. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_9.png :alt: ERP Information in Probe Response :scale: 95 % 11. **Check Extended Supported Rates** * If the **Supported Rates element** doesn’t include all 802.11g rates, an **Extended Supported Rates element** will. * Confirms full-rate coverage up to **54 Mbps**. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_10.png :alt: Extended Supported Rates in Probe Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Probe Response Packet Analysis** * After the **AP sends a Probe Response**, the **STA must acknowledge** it with an **Acknowledgement frame**. * This ACK confirms successful reception of the Probe Response. * The ACK is a **Control frame** (not Management or Data). * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval. 1. Check the Acknowledgement - Frame Subtype * When the AP sends a unicast Probe Response, the STA sends an **ACK frame** * ACK frames have **Subtype = 13** in 802.11. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_11.png :alt: ACK frame subtype in Wireshark :scale: 95 % 2. Check the Acknowledgement - Receiver Address * Receiver Address of the ACK is the **AP’s MAC address** (i.e., the source of the Probe Response). * Confirms that the ACK is directed to the correct transmitting AP. .. image:: ./wep-shared/802.11g_wep_shared_probe_resp/probe_resp_12.png :alt: ACK receiver address in Wireshark :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **1st Authentication Request Packet Analysis (802.11g WEP-Shared Mode)** 1. Check if STA is sending **Authentication Request** packet * After receiving the Probe Response, the Station (STA) initiates authentication with the Access Point (AP). * In Shared-Key mode, authentication is a four-step exchange: 1. STA → AP: Authentication Request (Algorithm = 1, Sequence = 1) 2. AP → STA: Authentication Response (Challenge Text included, Sequence = 2) 3. STA → AP: Authentication Request (Encrypted Challenge Response, Sequence = 3) 4. AP → STA: Authentication Response (Status = Success/Fail, Sequence = 4) * The **first packet** in this exchange is an **Authentication Request** from STA to AP. * This frame indicates the STA’s intent to authenticate using **Shared Key** authentication (WEP encryption will be used later during the challenge). 2. Check the **Frame Subtype** * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**). * Confirms that this packet is part of the authentication management exchange. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_1.png :alt: Authentication Request frame subtype :scale: 95 % 3. Verify the **Source Address** in the Authentication Request packet. * The Source Address should be the **STA’s MAC address**. * Confirms the authentication initiation is coming from the STA. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_2.png :alt: Authentication Request source address :scale: 95 % 4. Verify the **Receiver Address** in the Authentication Request packet. * The Receiver Address should be the **AP’s MAC address**. * This confirms the STA is directly targeting the AP for authentication. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_3.png :alt: Authentication Request receiver address :scale: 95 % 5. Check the **Authentication Algorithm** field in the Authentication Request packet. * This field specifies which authentication algorithm is used. * For **WEP-Shared mode**, the value must be **1**. * Field meaning: - `0` → Open System Authentication - `1` → Shared Key Authentication * This confirms that the STA requests to use **WEP-Shared key mechanism**. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_4.png :alt: Authentication Algorithm in Authentication Request :scale: 95 % 6. Check the **Authentication Sequence Number** in the Authentication Request packet. * This value identifies the sequence step in the authentication exchange. * For the **first authentication request**, the **Sequence Number = 1**. * It indicates the start of the authentication handshake. * The AP’s next response should have **Sequence Number = 2**. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_5.png :alt: Authentication sequence number in Wireshark :scale: 95 % 7. Verify the **Status Code** in the Authentication Request packet. * The **Status Code** field in the Authentication Request is usually **0** or **not used**. * It is meaningful mainly in **responses**, but Wireshark may still display it as **0 (Successful)** by default. * This ensures that the STA is initiating authentication without reporting an error. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_6.png :alt: Authentication status code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Request Packet Analysis** * After the **STA sends an Authentication Request**, the **AP must acknowledge** it with an **ACK frame**. * This ACK confirms successful reception of the Authentication Request before the AP sends the **Authentication Response**. * The ACK is a **Control frame** (not Management or Data). * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval. 1. Check the **ACK Frame Subtype**. * Since the Authentication Request is **unicast**, the AP responds with an **ACK frame**. * The ACK has **Subtype = 13** in 802.11. * Confirms that the AP successfully received the Authentication Request. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_7.png :alt: ACK frame subtype for Authentication Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * The ACK frame’s **Receiver Address** should match the **STA’s MAC address** (the source of the Authentication Request). * Confirms the AP has acknowledged the STA correctly. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_1/auth_1_req_8.png :alt: ACK receiver address for Authentication Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **2nd Authentication Response Packet Analysis (802.11g WEP-Shared Mode)** 1. Check if AP is sending Authentication Response * After receiving the STA’s first Authentication Request, the Access Point (AP) replies with an **Authentication Response** frame. * In **WEP-Shared mode**, this response contains a **Challenge Text** tag. * The STA must later encrypt this challenge using its WEP key to prove possession of the correct key. * This step confirms the **start of the shared key challenge-response mechanism**. 2. Check the **Frame Subtype** * The **Subtype field = 11** indicates it is an **Authentication frame**. * Ensures that the AP has correctly responded to the STA’s authentication attempt. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_1.png :alt: Authentication Response frame subtype :scale: 95 % 3. **Verify Source Address** * The **Source Address** should be the **AP’s MAC address**. * Confirms the Authentication Response is sent by the Access Point. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_2.png :alt: Source address of Authentication Response :scale: 95 % 4. Check the **Receiver Address** * The **Receiver Address** should be the **STA’s MAC address** (the device being authenticated). * Confirms that the AP is addressing the correct station. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_3.png :alt: Receiver address of Authentication Response :scale: 95 % 5. Check the **BSSID Field** * The **BSSID** must match the **AP’s MAC address**. * Confirms that this frame belongs to the correct Basic Service Set (BSS). * Useful when multiple APs operate on the same channel. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_4.png :alt: BSSID in Authentication Response :scale: 95 % 6. Check the **Authentication Algorithm Number** * The Authentication Algorithm field specifies the type of authentication used. * In **WEP-Shared mode**, this field must have a value of **1**. * Field meaning: - `0` → Open System Authentication - `1` → Shared Key Authentication * This confirms the AP is performing WEP-Shared key authentication. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_5.png :alt: Authentication Algorithm field :scale: 95 % 7. Check the **Authentication Sequence Number** * This field indicates the step number in the authentication process. * For the **2nd frame**, the **Sequence Number = 2**. * It confirms this message is the **challenge** sent by the AP to the STA. * The STA’s next encrypted response will use **Sequence Number = 3**. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_6.png :alt: Authentication Sequence Number field :scale: 95 % 8. Check the **Status Code** * The **Status Code** field indicates the success or failure of the authentication step. * For this challenge response, the **Status Code = 0 (Successful)**, as the AP is providing the challenge. * Non-zero codes indicate an error or failure. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_7.png :alt: Authentication Response Status Code :scale: 95 % 9. Check the **Tagged Parameters – Tag: Challenge Text** * In the WEP-Shared authentication sequence, this is the **critical field**. * The AP includes a **Challenge Text** tag to test the STA’s WEP key. **Tag Number:** * Field used to identify the type of tag. * Value: **16 (0x10)** → Indicates “Challenge Text” tag. **Tag Length:** * Specifies the number of bytes in the challenge text field. * Typically **128 bytes** or depends on implementation. **Challenge Text:** * Random binary data or ASCII sequence generated by the AP. * This challenge must be **encrypted using the shared WEP key** by the STA in the next frame. * The AP will later verify this encrypted challenge to confirm key validity. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_8.png :alt: Authentication Response Status Code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Response Packet Analysis** * Once the **AP sends the Authentication Response**, the **STA acknowledges** it using an **ACK frame**. * This ensures reliable delivery of the Authentication Response before moving on to the Association stage. 1. Check the **ACK Frame Subtype**. * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment. * Confirms the STA received the Authentication Response correctly. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_9.png :alt: ACK subtype after Authentication Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * The **Receiver Address** should be the **AP’s MAC address** (source of the Authentication Response). * Confirms that the STA is acknowledging the correct transmitter. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_2/auth_2_resp_10.png :alt: Receiver address of ACK after Authentication Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **3rd Authentication Request (Encrypted Challenge) Packet Analysis (802.11g WEP-Shared Mode)** 1. Check if STA is sending **Encrypted Challenge Response** packet * After receiving the **Challenge Text** from the AP, the STA encrypts it using the configured **WEP key**. * The STA then sends this encrypted challenge back to the AP in the **third authentication frame**. * This frame is again an **Authentication Request** but includes the encrypted challenge as a tagged parameter. * The goal of this step is for the AP to verify that the STA has the correct shared key. 2. Check the **Frame Subtype** * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**). * Confirms that this packet is part of the authentication management exchange. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_1.png :alt: Authentication Request frame subtype :scale: 95 % 3. Verify the **Source Address** in the Authentication Request packet. * The Source Address should be the **STA’s MAC address**. * Confirms the authentication initiation is coming from the STA. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_2.png :alt: Authentication Request source address :scale: 95 % 4. Verify the **Receiver Address** in the Authentication Request packet. * The Receiver Address should be the **AP’s MAC address**. * This confirms the STA is directly targeting the AP for authentication. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_3.png :alt: Authentication Request receiver address :scale: 95 % 5. Check the **Authentication Algorithm** field in the Authentication Request packet. * This field specifies which authentication algorithm is used. * For **WEP-Shared mode**, the value must be **1**. * Field meaning: - `0` → Open System Authentication - `1` → Shared Key Authentication * This confirms that the STA requests to use **WEP-Shared key mechanism**. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_4.png :alt: Authentication Algorithm in Authentication Request :scale: 95 % 6. Check the **Authentication Sequence Number** in the Authentication Request packet. * The **Sequence Number = 3**, indicating this is the **third message** in the authentication process. * This value confirms the STA’s encrypted challenge response step. * The next (final) frame from AP will use **Sequence Number = 4**. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_5.png :alt: Authentication sequence number in Wireshark :scale: 95 % 7. Verify the **Status Code** in the Authentication Request packet. * The **Status Code** field in the Authentication Request is usually **0** or **not used**. * It is meaningful mainly in **responses**, but Wireshark may still display it as **0 (Successful)** by default. * This ensures that the STA is initiating authentication without reporting an error. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_6.png :alt: Authentication status code :scale: 95 % 8. Analyze the **Tagged Parameters – Tag: Challenge Text** * This field contains the **Encrypted Challenge Text** generated by the STA. * It is the same challenge text provided by the AP earlier, but now **encrypted using the STA’s WEP key**. **Tag Number:** - Identifies the tag type. - **Value = 16 (0x10)** → “Challenge Text” tag. **Tag Length:** - Specifies the number of bytes of encrypted challenge data. - Typically matches the original challenge length (e.g., **128 bytes**). **Challenge Text:** - Contains the **WEP-encrypted version** of the AP’s challenge text. - This encryption uses the WEP key configured on the STA. - The AP will later decrypt and verify this in the final step. - This confirms the STA is proving possession of the shared WEP key. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_7.png :alt: Authentication status code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Request Packet Analysis** * After the **STA sends an Authentication Request**, the **AP must acknowledge** it with an **ACK frame**. * This ACK confirms successful reception of the Authentication Request before the AP sends the **Authentication Response**. * The ACK is a **Control frame** (not Management or Data). * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval. 1. Check the **ACK Frame Subtype**. * Since the Authentication Request is **unicast**, the AP responds with an **ACK frame**. * The ACK has **Subtype = 13** in 802.11. * Confirms that the AP successfully received the Authentication Request. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_8.png :alt: ACK frame subtype for Authentication Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * The ACK frame’s **Receiver Address** should match the **STA’s MAC address** (the source of the Authentication Request). * Confirms the AP has acknowledged the STA correctly. .. image:: ./wep-shared/802.11g_wep_shared_auth_req_3/auth_3_req_9.png :alt: ACK receiver address for Authentication Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **4th Authentication Packet (Authentication Response) Analysis** 1. Check if AP is sending Authentication Response * This is the **final step** in the WEP-Shared authentication process. * After the STA encrypts the challenge text using the WEP key and sends it in the **3rd Authentication frame**, the AP verifies it by decrypting and comparing it with the original challenge. * If the challenge matches, the AP responds with an **Authentication Response (Sequence Number = 4)** and a **Status Code = 0 (Successful)**. * If verification fails, the AP sends **Status Code ≠ 0**, indicating authentication failure. 2. Check the **Frame Subtype** * The **Subtype field = 11** indicates it is an **Authentication frame**. * Ensures that the AP has correctly responded to the STA’s authentication attempt. * Since this is the 4th frame, it represents the **Authentication Response** completing the process. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_1.png :alt: Authentication Response frame subtype :scale: 95 % 3. **Verify Source Address** * The **Source Address** should be the **AP’s MAC address**. * Indicates the AP is responding after verifying the challenge text sent by the STA. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_2.png :alt: Source address of Authentication Response :scale: 95 % 4. Check the **Receiver Address** * The **Receiver Address** should be the **STA’s MAC address** (the device being authenticated). * Confirms that the AP is addressing the correct station. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_3.png :alt: Receiver address of Authentication Response :scale: 95 % 5. Check the **BSSID Field** * The **BSSID** must match the **AP’s MAC address**. * Confirms that this frame belongs to the correct Basic Service Set (BSS). * Useful when multiple APs operate on the same channel. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_4.png :alt: BSSID in Authentication Response :scale: 95 % 6. Check the **Authentication Algorithm Number** * The **Authentication Algorithm** field value is **1**, representing **WEP-Shared Key Authentication**. * This indicates that the authentication process used encryption and challenge-response mechanism. * Confirms the mode is **WEP-Shared**, not Open System. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_5.png :alt: Authentication Algorithm field :scale: 95 % 7. Check the **Authentication Sequence Number** * The **Sequence Number** is **4**, meaning this is the **final frame** in the four-step authentication exchange. * Sequence numbers help identify the correct stage of the authentication process: 1 → Request 2 → Response with Challenge 3 → Request with Encrypted Challenge 4 → Final Response (Success/Failure) * Confirms completion of the Shared Key authentication sequence. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_6.png :alt: Authentication Sequence Number field :scale: 95 % 8. Check the **Status Code** * The **Status Code** value is **0 (Successful)** if the challenge text matches after decryption by the AP. * If the challenge decryption fails, the Status Code will indicate failure (non-zero value). * This field is critical — it determines whether the STA is allowed to proceed to the **Association phase**. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_7.png :alt: Authentication Response Status Code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Response Packet Analysis** * Once the **AP sends the Authentication Response**, the **STA acknowledges** it using an **ACK frame**. * This ensures reliable delivery of the Authentication Response before moving on to the Association stage. 1. Check the **ACK Frame Subtype**. * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment. * Confirms the STA received the Authentication Response correctly. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_8.png :alt: ACK subtype after Authentication Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * The **Receiver Address** should be the **AP’s MAC address** (source of the Authentication Response). * Confirms that the STA is acknowledging the correct transmitter. .. image:: ./wep-shared/802.11g_wep_shared_auth_resp_4/auth_4_resp_9.png :alt: Receiver address of ACK after Authentication Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Association Request Packet Analysis** 1. Check if STA is sending Association Request * After successful WEP-Shared authentication, the STA sends an **Association Request** frame to the AP. * This frame contains the STA’s capabilities, supported data rates, SSID, and encryption support (WEP). * It is a **Management frame** (Subtype = 0). * Privacy bit = 1, meaning encryption is enabled for subsequent data frames. * Being a **unicast frame**, it will be acknowledged by the AP. 2. Check the **Frame Subtype** * Subtype = 0 identifies the frame as an **Association Request**. * Ensures Wireshark captures the correct management frame. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_1.png :alt: Association Request Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = STA MAC address. * Confirms the frame is sent by the correct STA. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_2.png :alt: Source address in Association Request :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = AP MAC address. * Ensures the frame is targeted to the correct AP. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_3.png :alt: Receiver address in Association Request :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address. * Confirms the frame is part of the correct Basic Service Set. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_4.png :alt: BSSID in Association Request :scale: 95 % 6. Check the **Capability Information – Privacy bit** * Privacy bit = 1 indicates WEP encryption is enabled. * This confirms that the STA supports encrypted data exchange after association .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_5.png :alt: Privacy bit in Capability Information :scale: 95 % 7. Verify **Capability Information – Short Preamble bit** * Short Preamble bit indicates whether STA supports short preamble. * Helps verify compatibility with AP preamble configuration. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_6.png :alt: Short Preamble bit in Capability Information :scale: 95 % 8. Check the **Listen Interval** * Listen Interval defines how often the STA wakes to check for buffered frames at the AP. * Ensures power-saving and proper timing for STA-AP communication. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_7.png :alt: Listen Interval in Association Request :scale: 95 % 9. Verify **SSID Field** * SSID must match the AP’s network name. * Confirms that the STA is associating with the correct BSS. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_8.png :alt: SSID in Association Request :scale: 95 % 10. Check the **Supported Rates** * The **Supported Rates** field lists the data rates that the STA can transmit and receive. * For 802.11g, STA advertises both **DSSS rates (1, 2, 5.5, 11 Mbps)** and **OFDM rates (6, 9, 12, 18, 24, 36, 48, 54 Mbps)**. * Confirms STA and AP are compatible within 802.11g PHY specifications. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_9.png :alt: Supported Rates in Association Request :scale: 95 % 11. Verify **Extended Capabilities** * Extended Capabilities field lists additional STA features (e.g., HT support, QoS, etc.). * Ensures AP can understand STA capabilities. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_10.png :alt: Extended Capabilities in Association Request :scale: 95 % 12. Verify **Supported Operating Classes** * Supported Operating Classes indicate which frequency bands and channels the STA can operate on. * Helps AP confirm STA compatibility with its configured channel. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_11.png :alt: Supported Operating Classes in Association Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Association Request Packet Analysis** * Since the **Association Request** is a **unicast frame** from the STA to the AP,the AP responds with an **ACK frame** to confirm successful reception. * The ACK is a **Control frame** (Subtype = 13) and ensures reliable MAC-layer delivery. * This ACK is sent **immediately after a SIFS interval**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the AP received the Association Request correctly. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_12.png :alt: ACK subtype after Association Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * The Receiver Address of the ACK should be the **STA’s MAC address** (source of the Association Request). * Confirms that the AP is acknowledging the correct station. .. image:: ./wep-shared/802.11g_wep_shared_ass_req/ass_req_13.png :alt: Receiver address of ACK after Association Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Association Response Packet Analysis** 1. Check if AP is sending Association Response * After receiving the STA’s Association Request, AP sends an **Association Response**. * Contains **Status Code** (success/failure) and assigns **AID**. * Privacy bit = 1 → encryption enabled for subsequent data frames. * Management frame (Subtype = 1), unicast to STA. 2. Check the **Frame Subtype** * Subtype = 1 identifies the frame as an **Association Response**. * Confirms that the AP has acknowledged the STA’s request to join the BSS. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_1.png :alt: Association Response Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = AP MAC address. * Confirms the frame is transmitted from the AP. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_2.png :alt: Source address in Association Response :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = STA MAC address. * Ensures the response is directed to the correct STA. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_3.png :alt: Receiver address in Association Response :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address (same as Source). * Confirms that the response is part of the same BSS. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_4.png :alt: BSSID in Association Response :scale: 95 % 6. Check the **Capability Information – Privacy bit** * Privacy bit = 1 → indicates WEP encryption is enabled. * Confirms that subsequent data frames will use WEP protection. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_5.png :alt: Privacy bit in Association Response :scale: 95 % 7. Verify **Capability Information – Short Preamble bit** * Short Preamble bit indicates AP supports short preamble operation. * Confirms compatibility with STA’s preamble capabilities. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_6.png :alt: Short Preamble bit in Association Response :scale: 95 % 8. Check the **Status Code** * Status Code = 0 indicates **Successful Association**. * Other values indicate denial reasons (e.g., unsupported rates or capacity limits). .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_7.png :alt: Status code in Association Response :scale: 95 % 9. Verify **Association ID (AID)** * AID uniquely identifies the STA within the BSS. * Typically a small integer (e.g., 1, 2, 3) assigned by the AP. * Confirms successful registration of the STA in the AP’s association table. * Used for managing buffered frames and identifying the STA in power-save mode. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_8.png :alt: Association ID in Association Response :scale: 95 % 10. Check the **Supported Rates** * STA and AP must agree on **DSSS + OFDM rates** (1,2,5.5,11 + 6,9,12,...54 Mbps). * Ensures both AP and STA agree on common rate sets for communication. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_9.png :alt: Supported Rates in Association Response :scale: 95 % 11. Verify **Extended Capabilities** * Indicates additional optional features (e.g., QoS, HT support if present) supported by the AP. * For 802.11g, this may be minimal or absent, confirming a basic DSSS connection. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_10.png :alt: Extended Capabilities in Association Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Association Response Packet Analysis** * The **Association Response** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its association confirmation. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_11.png :alt: ACK subtype after Association Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wep-shared/802.11g_wep_shared_ass_resp/ass_resp_12.png :alt: Receiver address of ACK after Association Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Request Packet Analysis** * The ARP Request in WEP-SHARED mode is sent inside an 802.11 Data frame encrypted using WEP with Shared Key authentication. * It may involve two flows: 1. STA → AP (STA initiates request) 2. AP → Broadcast (AP forwards to all stations) * Allows devices to resolve MAC addresses for given IPs. 1. Check if STA is sending ARP Request to AP * STA sends an ARP Request encapsulated in a **WEP-encrypted Data frame** (Subtype = 0, unicast to AP). * Frame fields include MAC addresses, IP addresses, and 802.11 headers. 1.1. Check the **Source Address** * MAC of the STA sending the ARP Request. * Identifies which device initiated the request. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_1.png :alt: STA to AP ARP Source Address :scale: 95 % 1.2. Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Data frame is intended for all devices in BSS to eventually deliver ARP. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_2.png :alt: STA to AP ARP Destination Address :scale: 95 % 1.3. Verify **Receiver Address** * Receiver = AP MAC address. * Confirms the AP is the frame’s immediate recipient. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_3.png :alt: STA to AP ARP Receiver Address :scale: 95 % 1.4. Verify **Transmitter Address** * Transmitter = STA MAC. * Indicates who physically transmitted the frame on the medium. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_4.png :alt: STA to AP ARP Transmitter Address :scale: 95 % 1.5. Verify **WEP Parameters** * **Initialization Vector (IV)**: * 24-bit random number prepended to WEP key for encryption. * Used by RC4 to combine with WEP key for encrypting payload. * Ensures each frame has a unique key stream. * **Key Index**: 0 * Indicates which WEP key (from the AP/STA configured set) is used to encrypt this frame. * **WEP Integrity Check Value (ICV)**: * CRC32 checksum applied to plaintext for integrity verification. * Encrypted along with the payload using WEP. * Ensures integrity of the encrypted payload. AP/STA verifies it to detect tampering. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_5.png :alt: WEP Parameters :scale: 95 % 1.6. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request * Identifies which device’s IP is being used to query the target. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_6.png :alt: STA to AP ARP Sender IP and MAC :scale: 95 % 1.7. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_1/arp_1_req_7.png :alt: STA to AP ARP Target IP and MAC :scale: 95 % 2. Check if AP is forwarding ARP Request to Broadcast * This frame shows the AP forwarding the ARP Request from STA to all devices in the BSS (broadcast). * The AP sets Receiver Address = Broadcast so all stations can see it. * Still encapsulated in a 802.11 Data frame (Subtype = 0). 2.1. Check the **Source Address** * AP’s MAC address as the source of the forwarded ARP Request. * Shows that the AP is relaying the ARP. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_1.png :alt: AP to Broadcast ARP Source Address :scale: 95 % 2.2. Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Sent to all stations in the BSS. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_2.png :alt: AP to Broadcast ARP Destination Address :scale: 95 % 2.3. Verify **Receiver Address** * Broadcast: ff:ff:ff:ff:ff:ff * Confirms all stations are eligible to receive the ARP Request. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_3.png :alt: AP to Broadcast ARP Receiver Address :scale: 95 % 2.4. Verify **Transmitter Address** * Transmitter = AP MAC. * Indicates which device physically transmitted this broadcast. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_4.png :alt: AP to Broadcast ARP Transmitter Address :scale: 95 % 2.5. Verify **WEP Parameters** * **Initialization Vector (IV)**: * 24-bit random number prepended to WEP key for encryption. * Ensures each frame has a unique key stream. * **Key Index**: 0 * Indicates which WEP key is used for encryption. * **WEP Integrity Check Value (ICV)**: * CRC32 checksum applied to plaintext for integrity verification. * Encrypted along with the payload using WEP. * Indicates which device physically transmitted this broadcast. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_5.png :alt: WEP Parameters :scale: 95 % 2.6. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request (carried inside AP’s forwarded ARP). * AP forwards this information so other stations know who is requesting. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_6.png :alt: AP to Broadcast ARP Sender IP and MAC :scale: 95 % 2.7. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./wep-shared/802.11g_wep_shared_arp_req_2/arp_2_req_7.png :alt: AP to Broadcast ARP Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Reply Packet Analysis** 1. Check if AP is sending ARP Reply * After the STA sends an ARP Request, the device owning the target IP responds with an ARP Reply. * This is usually unicast from the AP to the STA. * The reply provides the MAC address corresponding to the target IP so the STA can update its ARP table. 2. Verify **Source Address** * AP MAC (BSSID) — the sender of the ARP Reply. * Identifies which device owns the requested IP (192.168.1.10). .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_1.png :alt: AP to STA ARP Reply Source Address :scale: 95 % 3. Verify **Destination Address** * STA MAC — unicast to the requesting STA. * Ensures only the requesting device receives this ARP Reply. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_2.png :alt: AP to STA ARP Reply Destination Address :scale: 95 % 4. Verify **Receiver Address** * STA MAC — confirms the intended recipient at the link layer. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_3.png :alt: AP to STA ARP Reply Receiver Address :scale: 95 % 5. Verify **Transmitter Address** * AP MAC — indicates who physically transmitted the frame. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_4.png :alt: AP to STA ARP Reply Transmitter Address :scale: 95 % 6. Verify **WEP Parameters** * **Initialization Vector (IV)**: * Ensures unique encryption for each reply frame. * **Key Index**: 0 * Indicates which WEP key is used for this reply. * **WEP Integrity Check Value (ICV)**: * Provides integrity verification for the ARP Reply payload. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_5.png :alt: WEP Parameters :scale: 95 % 7. Verify **Sender IP and MAC** * IP: Target IP (AP's IP) * MAC: AP’s MAC * Provides the requested mapping for the STA’s ARP table. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_6.png :alt: AP to STA ARP Reply Sender IP and MAC :scale: 95 % 8. Verify **Target IP and MAC** * IP: STA IP * MAC: STA MAC * Confirms the reply is directed to the original requester. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_7.png :alt: AP to STA ARP Reply Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ARP Reply Packet Analysis** * The **ARP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ARP Reply successfully. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_8.png :alt: ARP Reply ACK Subtype :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address * Confirms the acknowledgment is directed to the AP. .. image:: ./wep-shared/802.11g_wep_shared_arp_rep/arp_rep_9.png :alt: ARP Reply ACK Receiver Address :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Request Packet Analysis** 1. Check if STA is sending ICMP Echo (Ping) Request * The ICMP Echo Request is sent by the STA to the AP to test connectivity. * It is encapsulated inside an 802.11 Data frame and usually sent unicast to the AP. * This frame allows the STA to verify reachability and latency. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the STA (e.g., 24 Mbps or 36 Mbps). * Confirms the speed of transmission for the ping request. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_1.png :alt: Data Rate in ICMP Echo Request :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the ping uses the correct RF channel. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_2.png :alt: Channel in ICMP Echo Request :scale: 95 % 4. Verify **Source MAC** * STA MAC address (e.g., e8:6f:38:71:f1:e3). * Confirms the correct STA is sending the ping. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_3.png :alt: Source MAC in ICMP Echo Request :scale: 95 % 5. Verify **Receiver MAC** * AP MAC address. * Confirms the frame is directed to the correct AP. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_4.png :alt: Receiver MAC in ICMP Echo Request :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: STA IP (e.g., 192.168.1.1) * Destination IP: AP IP (e.g., 192.168.1.10) * Ensures correct layer-3 addressing for ICMP. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_5.png :alt: Source and Destination IP in ICMP Echo Request :scale: 95 % 7. Verify **WEP Parameters** * **Initialization Vector (IV)**: * Ensures unique encryption for each ICMP request frame. * **Key Index**: 0 * Indicates the WEP key used to encrypt the ICMP payload. * **WEP Integrity Check Value (ICV)**: * Encrypted CRC32 checksum ensures the integrity of the ICMP Request. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_6.png :alt: WEP Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms the packet is an ICMP message. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_7.png :alt: Protocol field in ICMP Echo Request :scale: 95 % 9. Verify **Type** * ICMP Type = 8 (Echo Request). * Identifies the frame as a ping request. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_8.png :alt: ICMP Type in Echo Request :scale: 95 % 10. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_9.png :alt: IP Version in ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Request Packet Analysis** * The **ICMP Request** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Request packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the AP received the ICMP Request successfully. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_10.png :alt: ACK Subtype after ICMP Echo Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = STA MAC. * Confirms that the acknowledgment is sent back to the STA. .. image:: ./wep-shared/802.11g_wep_shared_icmp_req/icmp_req_11.png :alt: ACK Receiver Address after ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Reply Packet Analysis** 1. Check if AP is sending ICMP Echo (Ping) Reply * The ICMP Echo Reply is sent by the AP back to the STA in response to the Echo Request. * Encapsulated inside an 802.11 Data frame and typically sent unicast. * Confirms that the AP is reachable and the network path is functioning correctly. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the AP (e.g., 36 Mbps). * Confirms the speed of transmission for the ping reply. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_1.png :alt: Data Rate in ICMP Echo Reply :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the reply uses the correct RF channel. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_2.png :alt: Channel in ICMP Echo Reply :scale: 95 % 4. Verify **Source MAC** * AP MAC address (e.g., 0c:9a:3c:9f:17:71). * Confirms the reply originates from the correct AP. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_3.png :alt: Source MAC in ICMP Echo Reply :scale: 95 % 5. Verify **Receiver MAC** * STA MAC address. * Confirms the reply is delivered to the requesting STA. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_4.png :alt: Receiver MAC in ICMP Echo Reply :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: AP IP (e.g., 192.168.1.10) * Destination IP: STA IP (e.g., 192.168.1.1) * Confirms correct layer-3 addressing for the ICMP reply. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_5.png :alt: Source and Destination IP in ICMP Echo Reply :scale: 95 % 7. Verify **WEP Parameters** * **Initialization Vector (IV)**: * Unique for each ICMP reply frame to prevent key reuse. * **Key Index**: 0 * Indicates which WEP key was used to encrypt this frame. * **WEP Integrity Check Value (ICV)**: * Encrypted checksum ensures payload integrity. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_6.png :alt: WEP Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms that the packet is an ICMP message. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_7.png :alt: Protocol in ICMP Echo Reply :scale: 95 % 9. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_8.png :alt: IP Version in ICMP Echo Reply :scale: 95 % 10. Verify **Type** * ICMP Type = 0 (Echo Reply). * Identifies the frame as a ping reply. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_9.png :alt: ICMP Type in Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Reply Packet Analysis** * The **ICMP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ICMP Reply successfully. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_10.png :alt: ACK Subtype after ICMP Echo Reply :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = AP MAC. * Confirms that the acknowledgment is sent back to the AP. .. image:: ./wep-shared/802.11g_wep_shared_icmp_rep/icmp_resp_11.png :alt: ACK Receiver Address after ICMP Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Deauthentication Packet Analysis** 1. Check if STA is sending Deauthentication Frame * Deauthentication is a management frame sent by either the AP or STA to terminate an existing connection. * It contains information about why the device is being deauthenticated. * The frame is unicast and will be acknowledged by the recipient. 2. Verify **Frame Subtype** * Subtype = 12 identifies the frame as Deauthentication. * Ensures Wireshark captures the correct management frame. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_1.png :alt: Deauthentication Subtype :scale: 95 % 3. Verify **Source MAC Address** * MAC address of the device sending the deauthentication frame (AP or STA). * Confirms which device initiated the deauthentication. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_2.png :alt: Source MAC in Deauthentication :scale: 95 % 4. Verify **Receiver MAC Address** * MAC address of the recipient device. * Ensures the frame is targeted to the correct station or AP. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_3.png :alt: Receiver MAC in Deauthentication :scale: 95 % 5. Verify **Fixed Parameters** * Includes Reason Code (e.g., 0x0001: Unspecified reason). * Helps determine why the deauthentication occurred. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_4.png :alt: Fixed Parameters in Deauthentication :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Deauthentication Packet Analysis** * The **Deauthentication** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the recipient received the deauthentication frame. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_5.png :alt: ACK Subtype after Deauthentication :scale: 95 % 2. Verify the **ACK Receiver Address**. * Destination MAC = sender of the deauthentication frame. * Confirms the acknowledgment is directed back to the sender. .. image:: ./wep-shared/802.11g_wep_shared_deauth/deauth_6.png :alt: ACK Receiver Address after Deauthentication :scale: 95 %