WPA2 ====== .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow Topics in this section, * :ref:`Learnings in this section <80211g_wpa2_1>` * :ref:`Version Info <80211g_wpa2_2>` * :ref:`Packet flow in WPA2 mode <80211g_wpa2_3>` * :ref:`Connection steps in wpa2 mode <80211g_wpa2_4>` * :ref:`STEP 1: Bring up AP <80211g_wpa2_5>` * :ref:`STEP 2: Bring up STA <80211g_wpa2_6>` * :ref:`Wireshark capture <80211g_wpa2_7>` * :ref:`Decrypting WPA2 Frames in Wireshark <80211g_wpa2_8>` * :ref:`Wireshark capture Analysis <80211g_wpa2_9>` .. _80211g_wpa2_1: .. tab-set:: .. tab-item:: Learnings in this section * In this section, you are going to learn .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow * How to run wpa_supplicant and hostapd in wpa mode .. _80211g_wpa2_2: .. tab-set:: .. tab-item:: Version Info =============================== ======================================= # Version =============================== ======================================= Supplicant wpa_supplicant 2.10 Hostapd hostapd 2.10 =============================== ======================================= .. _80211g_wpa2_3: .. tab-set:: .. tab-item:: Packet flow in WPA2 mode .. plantuml:: :scale: 130 % == Scanning == STA -> AP: **Probe Request** AP -> STA: **Probe Response** == Authentication == STA -> AP: **Authentication Request** AP --> STA: ACK AP -> STA: **Authentication Response** STA --> AP: ACK == Association == STA -> AP: **Association Request** AP --> STA: ACK AP -> STA: **Association Response** STA --> AP: ACK == EAPOL 4 way handshake == AP -> STA: **M1** STA --> AP: ACK STA -> AP: **M2** AP --> STA: ACK AP -> STA: **M3** STA --> AP: ACK STA -> AP: **M4** AP --> STA: ACK == PING AP from STA == STA -> AP: **ARP Request** AP --> STA: ACK AP -> STA: **ARP Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK STA -> AP: **ICMP Echo Request** AP --> STA: ACK AP -> STA: **ICMP Echo Reply** STA --> AP: ACK .. _80211g_wpa2_4: .. tab-set:: .. tab-item:: Connection steps in wpa2 mode .. _80211g_wpa2_5: .. tab-set:: .. tab-item:: STEP 1: Bring up AP using hostapd .. csv-table:: :file: ./wpa2/wpa2_ap_hostapd.csv :class: tight-table .. _80211g_wpa2_6: .. tab-set:: .. tab-item:: STEP 2: Bring up STA using supplicant .. csv-table:: :file: ./wpa2/wpa2_station.csv :class: tight-table .. _80211g_wpa2_7: .. tab-set:: .. tab-item:: Wireshark capture * Download file to check wireshark output :download:`Packet capture in WPA2 mode <./wpa2/802.11g_wpa2_ping.pcapng>` .. _80211g_wpa2_8: .. tab-set:: .. tab-item:: Decrypting WPA2-Encrypted Frames in Wireshark * In this section- To analyze ARP and ICMP packets captured in a WPA2 secured 802.11g network, you must **decrypt the frames** in Wireshark. * Decryption allows you to view the **actual payload (ARP, ICMP, TCP, UDP, etc.)** instead of encrypted bytes. * Unlike WEP, WPA2/WPA2 uses **dynamic keys** generated during the 4-way handshake, so Wireshark needs either the **passphrase** and **EAPOL handshake** or a **PMK/PSK** to decrypt data. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Decrypting WPA2-Encrypted Frames in Wireshark** 1. **Open the Capture File** * Launch Wireshark and open your `.pcap` or `.pcapng` file containing the captured 802.11 frames. * Ensure your capture includes the **4-Way Handshake frames** between STA and AP. * Without these, Wireshark cannot derive the encryption key for decryption. 2. **Enable Decryption** * Go to **Edit → Preferences → Protocols → IEEE 802.11**. * Check **“Enable decryption”**. * Click **“Edit”** under **Decryption Keys**. .. image:: ./wpa2/decryption/decrypt_1.png :alt: Decryption1 in Wireshark :scale: 95 % 3. **Add the WPA2 Passphrase** * In the **Decryption Keys** dialog: * Click **“+”** to add a new key. * Choose **Key type: wpa2-pwd** * Enter your **passphrase** and **SSID** in this format: **wpa2-pwd:yourpassword:yourSSID** .. image:: ./wpa2/decryption/decrypt_2.png :alt: Decryption2 in Wireshark :scale: 95 % 4. **Apply the Key and Refresh** * Click **OK** to save the key. * Wireshark will automatically decrypt frames that match the key. * You should now see **decrypted data frames**, including **ARP, ICMP, and IP payloads**, in plain text. .. _80211g_wpa2_9: .. tab-set:: .. tab-item:: Wireshark capture Analysis * In this section, you will verify connectivity and frame exchange using the Wireshark capture. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Beacon Packet Analysis** 1. Check if AP is Beaconing * The Beacon Frame is periodically broadcast by the AP (every ~100 ms) to announce the presence of a network. * In **WPA2 mode**, the Beacon contains the **RSN (Robust Security Network) Information Element (Tag Number: 48)** * This indicates that the AP requires encryption and authentication for client associations. 2. Verify the **Beacon Interval** (100 ms). * Indicates how frequently the AP transmits Beacon frames (typically 100 TU ≈ 102.4 ms). * Consistent Beacon intervals confirm stable AP operation. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_1.png :alt: Beacon interval (100ms) in Wireshark :scale: 95 % 3. Check the **Subtype** field in the Beacon frame. * The Subtype identifies the frame as a **Beacon** (Subtype = 8). * Correct Subtype ensures Wireshark is recognizing the management frame correctly. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_2.png :alt: Subtype check in Wireshark :scale: 95 % 4. Verify that the **Data Rate** includes **1 Mbps** (mandatory for 802.11g). * 802.11g requires at least 1 Mbps support for legacy devices. * If 1 Mbps is missing, some STAs may fail to connect. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_3.png :alt: Beacon frame data rate check in Wireshark :scale: 95 % 5. Check if the **Receiver Address (RA)** is **Broadcast address**. * Beacon frames are sent to the broadcast address **FF:FF:FF:FF:FF:FF** so that all nearby STAs can receive them. * This confirms that the beacon is not targeted to a specific STA but intended for all devices in range. * **No ACK is sent** for Beacon frames because they are broadcast. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_4.png :alt: Receiver address in Beacon frame :scale: 95 % 6. Verify **Supported Rates**. * Tag: Supported Rates = **1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18 Mbps** * Indicates both **802.11b (DSSS)** and **802.11g (OFDM)** rate support. * Ensures AP compatibility with both 802.11b and 802.11g clients. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_5.png :alt: Supported rates in Beacon frame :scale: 95 % 7. Check the **Privacy bit** in the Capability Information field. * Privacy bit = **1** → encryption is enabled (not open). * Indicates WPA2/WPA2 is active. * Unlike WEP, WPA2 uses dynamic key management and stronger encryption suites. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_6.png :alt: Privacy bit in Beacon frame :scale: 95 % 8. Check the **DS Parameter Set (Channel Information)** * The DS Parameter Set indicates the channel number (e.g., Channel 6 at 2437 MHz). * Ensures that both AP and STA operate on the same frequency band. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_7.png :alt: DS Parameter Set in Beacon frame :scale: 95 % 9. Check the **SSID Tag** * The SSID field must match the configured network name(e.g., “test_wpa2_g”). * Ensures the AP is broadcasting the correct SSID and the STA can identify it. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_8.png :alt: SSID Parameter in Beacon frame :scale: 95 % 10. Check the **ERP Information Element**. * The **ERP (Extended Rate PHY)** element is unique to 802.11g and provides compatibility with 802.11b. * It contains: - **Non-ERP Present (bit 0)** → indicates if 802.11b devices are detected. - **Use Protection (bit 1)** → enables protection (RTS/CTS) if mixed devices exist. - **Barker Preamble Mode (bit 2)** → ensures compatibility with older stations. * Helps the AP coordinate transmissions in mixed b/g networks. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_9.png :alt: ERP Information element in Beacon frame :scale: 95 % 11. Verify **Short Slot Time bit** in Capability Info. * Short Slot Time = 1 → shorter slot duration (9 µs) for improved efficiency. * 802.11b used long slot (20 µs). .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_10.png :alt: Short Slot Time capability in Beacon frame :scale: 95 % 12. Check **Extended Supported Rates**. * Tag: Extended Supported Rates → **24, 36, 48, 54 Mbps** * Confirms support for higher OFDM data rates. * Completes the 802.11g data rate range. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_11.png :alt: Extended supported rates in 802.11g Beacon :scale: 95 % 13. Inspect the **RSN (Robust Security Network) Information Element** * Tag: RSN Information (Tag Number: 48), Length: 20 * Defines WPA2 security configuration: - **RSN Version:** 1 - **Group Cipher Suite:** 00:0f:ac → **AES (CCM)** - **Pairwise Cipher Suite Count:** 1 → **AES (CCM)** - **Auth Key Management (AKM) Suite Count:** 1 → **PSK (Pre-Shared Key)** - **RSN Capabilities: 0x0000** → Pre-Auth Disabled, No MFP, 1 Replay Counter per key * Confirms AP uses **WPA2-PSK with AES-CCMP encryption** (the most secure WPA2 mode). .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_12.png :alt: RSN Information Element in Beacon :scale: 95 % 14. **Check Supported Operating Classes** * Indicates regulatory and operating class information for frequency bands. * Useful for determining region and supported channels. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_13.png :alt: Supported Operating Classes field :scale: 95 % 15. **Check Extended Capabilities** * Extended Capabilities field (8 bytes) may include optional features such as QoS, BSS transition, or 20/40 MHz coexistence. * Not critical for WPA2 operation but provides insight into AP capabilities. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_14.png :alt: Extended Capabilities field :scale: 95 % 16. **Verify TIM (Traffic Indication Map)** * Tag: TIM → **DTIM 1 of 2 bitmap** * TIM informs power-saving clients about buffered unicast/multicast data. * DTIM = 1 of 2 indicates one DTIM every two Beacon intervals. .. image:: ./wpa2/802.11g_wpa2_beacon/beacon_15.png :alt: TIM field in Beacon :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Probe Request Packet Analysis** 1. Check if STA is sending Probe Request packet * A Probe Request frame is sent by the STA to actively discover available networks. * It advertises the STA’s supported data rates, security capabilities, and other features. * APs that match the SSID (or accept broadcast requests) respond with **Probe Response** frames. 2. Check the **Frame Subtype** to confirm it is a **Probe Request**. * In Wireshark, the Frame Control field indicates the subtype. * Probe Request frames should have subtype **0x0004**. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_1.png :alt: Probe Request subtype in Wireshark :scale: 95 % 3. Verify the **Source Address** in the Probe Request. * Source Address should match the STA’s MAC address. * This ensures the frame is indeed coming from the correct STA. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_2.png :alt: Probe Request source address :scale: 95 % 4. Verify the **Receiver Address** in the Probe Request. * Receiver Address should be the **broadcast address** (FF:FF:FF:FF:FF:FF). * This allows all APs on the channel to receive the request. * **No ACK is expected** for broadcast Probe Requests. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_3.png :alt: Probe Request receiver address :scale: 95 % 5. Check the **SSID field** in the Probe Request. * For general network discovery, SSID should be set to **Wildcard SSID(empty)**. * A specific SSID can limit scanning to only that AP. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_4.png :alt: Probe Request SSID field :scale: 95 % 6. Verify **Supported Rates and Extended Supported Rates**. * **Supported Rates:** 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps * **Extended Supported Rates:** 24, 36, 48, 54 Mbps * Confirms STA supports both legacy 802.11b and higher 802.11g data rates. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_5.png :alt: Supported Rates in Probe Request :scale: 95 % 7. Check **HT Capabilities (802.11n)** field. * Shows STA’s advanced features such as MCS support, A-MPDU, and channel width. * Example: - **HT Capabilities Info:** 0x19ef - **A-MPDU Parameters:** 0x13 - **Rx Supported MCS Set:** Indicates supported MCS indexes. * Confirms STA supports **802.11n (High Throughput)** features. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_6.png :alt: HT Capabilities in Probe Request :scale: 95 % 8. Inspect the **Extended Capabilities** tag. * Optional features are advertised here (QoS, 20/40 MHz coexistence, etc.). * For this frame: - **Tag length:** 11 octets - Example values: 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x40... * Indicates STA’s extended interoperability capabilities. .. image:: ./wpa2/802.11g_wpa2_probe_req/probe_req_7.png :alt: Extended Capabilities field :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Probe Response Packet Analysis** 1. Check if AP is sending Probe Response packet * The AP sends a Probe Response when it receives a Probe Request from a STA. * It announces its SSID, channel, supported rates, and security configuration. * In WPA2 mode, the **RSN Information Element** replaces the older WPA Vendor Specific tag. 2. Check the **Frame Subtype** to confirm it is a **Probe Response**. * Subtype identifies the frame as a **Probe Response** (Subtype = 5). * Ensures Wireshark is correctly capturing AP responses. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_1.png :alt: Probe Response subtype in Wireshark :scale: 95 % 3. Verify the **Source Address** in the Probe Response. * Source Address should be the MAC of the AP. * Confirms the frame is coming from the correct AP. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_2.png :alt: Source address in Probe Response :scale: 95 % 4. Verify the **Receiver Address** in the Probe Response. * Receiver Address should be the MAC of the requesting STA. * Confirms the response is unicast and directed to the correct STA. * Probe Responses are **unicast to the requesting STA**, so an ACK is expected from the STA. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_3.png :alt: Receiver address in Probe Response :scale: 95 % 5. Check the **SSID field** in the Probe Response. * SSID must match the AP configuration. * Confirms the AP is broadcasting the expected network name. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_4.png :alt: SSID in Probe Response :scale: 95 % 6. Check **Capability Information** field for **ESS=1** in the Probe Response. * ESS bit indicates the AP is part of an infrastructure BSS. * Must be set to 1 for proper STA-AP communication. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_5.png :alt: ESS bit in Capability Information in Probe Response :scale: 95 % 7. Check **Capability Information** field for **Privacy=1** in the Probe Response. * Privacy bit (bit 4) = 1 indicates WPA2 is enabled on this AP. * Confirms that security is configured at the AP level. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_6.png :alt: Privacy bit in Capability Information in Probe Response :scale: 95 % 8. Check **Capability Information** field for **Short Slot Time = 1** in the Probe Response. * Short Slot Time = 1 → Enabled for 802.11g high-rate operation. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_7.png :alt: Short slot time in Capability Information in Probe Response :scale: 95 % 9. Verify **Supported Rates** in the Probe Response. * Supported Rates: 1, 2, 5.5, 11, 6, 9, 12, 18 Mbps. * Indicates backward compatibility with 802.11b and support for OFDM modulation in 802.11g. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_8.png :alt: Supported Rates in Probe Response :scale: 95 % 10. Verify **DS Parameter Set** (channel assignment) in the Probe Response. * DS Parameter indicates the AP’s operating channel. * Confirms the STA knows which channel to use to associate with the AP. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_9.png :alt: DS Parameter Set (channel) in Probe Response :scale: 95 % 11. **Check ERP Information (New in 802.11g)** * The **ERP Information element** is unique to 802.11g and ensures **backward compatibility** with 802.11b. * It includes: * **Non-ERP Present bit** – Indicates if older 802.11b devices are in the network. * **Use Protection bit** – Enables CTS-to-Self or RTS/CTS when 802.11b stations are active. * **Barker Preamble bit** – Shows whether the AP supports short preamble. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_10.png :alt: ERP Information in Probe Response :scale: 95 % 12. **Check Extended Supported Rates** * Extended Rates: 24, 36, 48, 54 Mbps. * Confirms full-rate support up to 54 Mbps (OFDM-based 802.11g operation). .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_11.png :alt: Extended Supported Rates in Probe Response :scale: 95 % 13. Check the **RSN (Robust Security Network) Information Element**. * Replaces the old WPA Vendor Tag in WPA2 networks. * **Tag Number:** 48 (RSN Information) * **RSN Version:** 1 * **Group Cipher Suite:** AES (CCMP) * **Pairwise Cipher Suite:** AES (CCMP) * **Auth Key Management (AKM):** PSK (Pre-Shared Key) * **RSN Capabilities:** 0x0000 (No Management Frame Protection) * Confirms the AP is configured for **WPA2-PSK with AES encryption**. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_12.png :alt: RSN Information Element (WPA2) :scale: 95 % 14. **Check Extended Capabilities** * Advertises advanced features supported by the AP. * Common capabilities: QoS, BSS transition, Spectrum Management, etc. * Not directly part of WPA2 but indicates enhanced 802.11g functionality. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_13.png :alt: Extended Capabilities field :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Probe Response Packet Analysis** * After the **AP sends a Probe Response**, the **STA must acknowledge** it with an **Acknowledgement frame**. * This ACK confirms successful reception of the Probe Response. * The ACK is a **Control frame** (not Management or Data). * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval. 1. Check the Acknowledgement - Frame Subtype * When the AP sends a unicast Probe Response, the STA sends an **ACK frame** * ACK frames have **Subtype = 13** in 802.11. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_14.png :alt: ACK frame subtype in Wireshark :scale: 95 % 2. Check the Acknowledgement - Receiver Address * Receiver Address of the ACK is the **AP’s MAC address** (i.e., the source of the Probe Response). * Confirms that the ACK is directed to the correct transmitting AP. .. image:: ./wpa2/802.11g_wpa2_probe_resp/probe_resp_15.png :alt: ACK receiver address in Wireshark :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Authentication Request Packet Analysis (WPA2 - 802.11g)** 1. Check if STA is sending **Authentication Request** packet * After receiving the **Probe Response**, the **Station (STA)** begins the authentication process with the **Access Point (AP)**. * In **WPA2 mode**, this step still uses **Open System Authentication** — there is no challenge–response or encryption yet. * Actual secure key exchange happens later in the **4-Way Handshake** after association. * The purpose of this frame is to confirm that both STA and AP are ready for higher-layer authentication. * Since it’s a **unicast** management frame, the **AP will send an ACK** immediately after receiving it. 2. Check the **Frame Subtype** * The Subtype identifies the frame as an **Authentication** frame (**Subtype = 11**). * Confirms that this packet is part of the authentication management exchange. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_1.png :alt: Authentication Request frame subtype :scale: 95 % 3. Verify the **Source Address** in the Authentication Request packet. * The Source Address should be the **STA’s MAC address**. * Confirms the authentication initiation is coming from the STA. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_2.png :alt: Authentication Request source address :scale: 95 % 4. Verify the **Receiver Address** in the Authentication Request packet. * The Receiver Address should be the **AP’s MAC address**. * This confirms the STA is directly targeting the AP for authentication. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_3.png :alt: Authentication Request receiver address :scale: 95 % 5. Check the **Authentication Algorithm** field in the Authentication Request packet. * The **Authentication Algorithm** field should be **0** for **Open System**. * WPA and WPA2 both use **Open System Authentication**, even though encryption is enabled later. * Actual encryption keys (PTK, GTK) are generated after the 4-Way Handshake. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_4.png :alt: Authentication Algorithm in Authentication Request :scale: 95 % 6. Check the **Authentication Sequence Number** in the Authentication Request packet. * **Sequence Number = 1** indicates this is the **Authentication Request** (first message). * The AP will respond with sequence number **2** (Authentication Response). * Ensures the correct ordering of authentication messages. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_5.png :alt: Authentication sequence number in Wireshark :scale: 95 % 7. Verify the **Status Code** in the Authentication Request packet. * The **Status Code** field in the Authentication Request is usually **0** or **not used**. * It is meaningful mainly in **responses**, but Wireshark may still display it as **0 (Successful)** by default. * This ensures that the STA is initiating authentication without reporting an error. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_6.png :alt: Authentication status code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Request Packet Analysis** * After the **STA sends an Authentication Request**, the **AP must acknowledge** it with an **ACK frame**. * This ACK confirms successful reception of the Authentication Request before the AP sends the **Authentication Response**. * The ACK is a **Control frame** (not Management or Data). * It is transmitted **immediately after a SIFS (Short Interframe Space)** interval. 1. Check the **ACK Frame Subtype**. * Since the Authentication Request is **unicast**, the AP responds with an **ACK frame**. * The ACK has **Subtype = 13** in 802.11. * Confirms that the AP successfully received the Authentication Request. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_7.png :alt: ACK frame subtype for Authentication Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * The ACK frame’s **Receiver Address** should match the **STA’s MAC address** (the source of the Authentication Request). * Confirms the AP has acknowledged the STA correctly. .. image:: ./wpa2/802.11g_wpa2_auth_req/auth_req_8.png :alt: ACK receiver address for Authentication Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Authentication Response Packet Analysis (WPA2 Mode)** 1. Check if AP is sending Authentication Response * After receiving the STA’s first **Authentication Request**, the **Access Point (AP)** sends an **Authentication Response** frame. * In **WPA2 mode**, this process still uses **Open System Authentication** (Algorithm = 0). * The actual **WPA2 security exchange** happens **after Association**, during the **4-Way Handshake**. * This frame simply acknowledges that the STA is permitted to associate with the AP. 2. Check the **Frame Subtype** * The **Subtype field = 11** indicates it is an **Authentication frame**. * Ensures that the AP has correctly responded to the STA’s authentication attempt. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_1.png :alt: Authentication Response frame subtype :scale: 95 % 3. **Verify Source Address** * The **Source Address** should be the **AP’s MAC address**. * Confirms the Authentication Response is sent by the Access Point. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_2.png :alt: Source address of Authentication Response :scale: 95 % 4. Check the **Receiver Address** * The **Receiver Address** should be the **STA’s MAC address** (the device being authenticated). * Confirms that the AP is addressing the correct station. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_3.png :alt: Receiver address of Authentication Response :scale: 95 % 5. Check the **BSSID Field** * The **BSSID** must match the **AP’s MAC address**. * Confirms that this frame belongs to the correct Basic Service Set (BSS). * Useful when multiple APs operate on the same channel. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_4.png :alt: BSSID in Authentication Response :scale: 95 % 6. Check the **Authentication Algorithm Number** * The **Authentication Algorithm = 0 (Open System)** even for WPA2. * WPA2 doesn’t use WEP’s Shared Key authentication; it relies on **802.1X/EAP** or **PSK** later. * This value only means that **open authentication is allowed** before secure key exchange. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_5.png :alt: Authentication Algorithm field :scale: 95 % 7. Check the **Authentication Sequence Number** * This indicates which step of the authentication process the frame represents. * For the second frame, **Sequence Number = 2**, confirming it’s the AP’s response to the STA. * The exchange completes here in WPA2 (2-step Open System Authentication). .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_6.png :alt: Authentication Sequence Number field :scale: 95 % 8. Check the **Status Code** * The **Status Code** field indicates the success or failure of the authentication step. * For this challenge response, the **Status Code = 0 (Successful)**, as the AP is providing the challenge. * Non-zero codes indicate an error or failure. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_7.png :alt: Authentication Response Status Code :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Authentication Response Packet Analysis** * Once the **AP sends the Authentication Response**, the **STA acknowledges** it using an **ACK frame**. * This ensures reliable delivery of the Authentication Response before moving on to the Association stage. 1. Check the **ACK Frame Subtype**. * The ACK frame has **Subtype = 13**, identifying it as an acknowledgment. * Confirms the STA received the Authentication Response correctly. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_8.png :alt: ACK subtype after Authentication Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * The **Receiver Address** should be the **AP’s MAC address** (source of the Authentication Response). * Confirms that the STA is acknowledging the correct transmitter. .. image:: ./wpa2/802.11g_wpa2_auth_resp/auth_resp_9.png :alt: Receiver address of ACK after Authentication Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Association Request Packet Analysis** 1. Check if STA is sending Association Request * After successful WPA2 authentication, the **STA** sends an **Association Request** frame to the AP. * This frame contains the STA’s capabilities, supported rates, SSID, and **WPA2 RSN Information Element**. * It is a **Management frame** (Subtype = 0). * Privacy bit = 1, indicating WPA2 encryption is supported. * Being a **unicast frame**, it will be acknowledged by the AP. 2. Check the **Frame Subtype** * Subtype = 0 identifies the frame as an **Association Request**. * Ensures Wireshark captures the correct management frame. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_1.png :alt: Association Request Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = STA MAC address. * Confirms the frame is sent by the correct STA. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_2.png :alt: Source address in Association Request :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = AP MAC address. * Ensures the frame is targeted to the correct AP. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_3.png :alt: Receiver address in Association Request :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address. * Confirms the frame is part of the correct Basic Service Set. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_4.png :alt: BSSID in Association Request :scale: 95 % 6. Check the **Capability Information – Privacy bit** * Privacy bit = 1 indicates WPA2 encryption is enabled. * This confirms that the STA supports encrypted data exchange after association .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_5.png :alt: Privacy bit in Capability Information :scale: 95 % 7. Verify **Capability Information – Short Preamble bit** * Short Preamble bit indicates whether STA supports short preamble. * Helps verify compatibility with AP preamble configuration. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_6.png :alt: Short Preamble bit in Capability Information :scale: 95 % 8. Check the **Listen Interval** * Listen Interval defines how often the STA wakes to check for buffered frames at the AP. * Ensures power-saving and proper timing for STA-AP communication. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_7.png :alt: Listen Interval in Association Request :scale: 95 % 9. Verify **SSID Field** * SSID must match the AP’s network name. * Confirms that the STA is associating with the correct BSS. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_8.png :alt: SSID in Association Request :scale: 95 % 10. Check the **Supported Rates** and **Extended Supported Rates** * **Supported Rates** field lists the data rates that the STA can transmit and receive. * For 802.11g, STA advertises both **DSSS rates (1, 2, 5.5, 11 Mbps)** and **OFDM rates (6, 9, 12, 18, 24, 36, 48, 54 Mbps)**. * Extended Supported Rates: **24, 36, 48, 54 Mbps** * Confirms STA and AP are compatible within 802.11g PHY specifications. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_9.png :alt: Supported Rates in Association Request :scale: 95 % 11. Verify **Extended Capabilities** * Extended Capabilities field lists additional STA features (e.g., QoS, 20/40 MHz, Radio Measurement, etc.). * Ensures AP can understand STA capabilities. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_10.png :alt: Extended Capabilities in Association Request :scale: 95 % 12. Verify **Supported Operating Classes** * Indicates which frequency bands and channels the STA can operate on. * Helps AP confirm STA compatibility with its configured channel. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_11.png :alt: Supported Operating Classes in Association Request :scale: 95 % 13. Check the **RSN Information Element (WPA2 Security)** * Tag Number = 48 → Identifies this as an RSN (Robust Security Network) IE. * Confirms the AP supports **WPA2 encryption** and **PSK (Pre-Shared Key) authentication**. * Group Cipher Suite: AES (CCM) → Defines the encryption algorithm used for multicast/broadcast frames. * Pairwise Cipher Suite: AES (CCM) → Defines the encryption algorithm used for unicast frames between AP and STA. * Authentication Key Management (AKM): PSK → Indicates pre-shared key is used for authentication. * RSN Capabilities: May include options like PMF (Protected Management Frames) support, pre-authentication, and replay protection. * Ensures secure communication using WPA2, preventing eavesdropping and unauthorized access. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_12.png :alt: WPA2 Information Element in Association Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Association Request Packet Analysis** * Since the **Association Request** is a **unicast frame** from the STA to the AP,the AP responds with an **ACK frame** to confirm successful reception. * The ACK is a **Control frame** (Subtype = 13) and ensures reliable MAC-layer delivery. * This ACK is sent **immediately after a SIFS interval**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the AP received the Association Request correctly. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_13.png :alt: ACK subtype after Association Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * The Receiver Address of the ACK should be the **STA’s MAC address** (source of the Association Request). * Confirms that the AP is acknowledging the correct station. .. image:: ./wpa2/802.11g_wpa2_assoc_req/assoc_req_14.png :alt: Receiver address of ACK after Association Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Association Response Packet Analysis** 1. Check if AP is sending Association Response * After receiving the STA’s Association Request, AP sends an **Association Response**. * Contains **Status Code** (success/failure) and assigns **AID**. * Privacy bit = 1 → indicating that encryption (WPA2) is required for data frames. * Management frame (Subtype = 1), unicast to STA. 2. Check the **Frame Subtype** * Subtype = 1 identifies the frame as an **Association Response**. * Confirms that the AP has acknowledged the STA’s request to join the BSS. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_1.png :alt: Association Response Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = AP MAC address. * Confirms the frame is transmitted from the AP. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_2.png :alt: Source address in Association Response :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = STA MAC address. * Ensures the response is directed to the correct STA. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_3.png :alt: Receiver address in Association Response :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address (same as Source). * Confirms that the response is part of the same BSS. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_4.png :alt: BSSID in Association Response :scale: 95 % 6. Check the **Capability Information – Privacy bit** * Privacy bit = 1 → indicates WPA2 encryption is enabled. * Confirms that subsequent data frames will use WPA2 protection. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_5.png :alt: Privacy bit in Association Response :scale: 95 % 7. Verify **Capability Information – Short Preamble bit** * Short Preamble bit indicates AP supports short preamble operation. * Confirms compatibility with STA’s preamble capabilities. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_6.png :alt: Short Preamble bit in Association Response :scale: 95 % 8. Check the **Status Code** * Status Code = 0 indicates **Successful Association**. * Other values indicate rejection (e.g., unsupported authentication or cipher). * Confirms that the STA is now allowed to proceed with WPA2 4-way handshake. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_7.png :alt: Status code in Association Response :scale: 95 % 9. Verify **Association ID (AID)** * AID uniquely identifies the STA within the BSS. * Typically a small integer (e.g., 1, 2, 3) assigned by the AP. * Confirms successful registration of the STA in the AP’s association table. * Used for managing buffered frames and identifying the STA in power-save mode. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_8.png :alt: Association ID in Association Response :scale: 95 % 10. Check the **Supported Rates ,Extended Supported Rates** * STA and AP must agree on **DSSS + OFDM rates** (1,2,5.5,11 + 6,9,12,...54 Mbps). * Ensures both AP and STA agree on common rate sets for communication. * Extended Rates: **24, 36, 48, 54 Mbps** * Confirms full OFDM data rate support under 802.11g. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_9.png :alt: Supported Rates in Association Response :scale: 95 % 11. Verify **Extended Capabilities** * Length = 11 octets. * Indicates additional optional features (e.g., QoS, HT support if present) supported by the AP. * For 802.11g, this may be minimal or absent, confirming a basic DSSS connection. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_10.png :alt: Extended Capabilities in Association Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Association Response Packet Analysis** * The **Association Response** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its association confirmation. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_11.png :alt: ACK subtype after Association Response :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa2/802.11g_wpa2_assoc_resp/assoc_resp_12.png :alt: Receiver address of ACK after Association Response :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 1 of 4 – EAPOL Key from AP to STA** 1. Check if AP is sending Message 1 of 4 – EAPOL Key * After successful **authentication** and **association**, the WPA2 4-Way Handshake begins. * Its main purpose is to derive and confirm encryption keys between the **Access Point (AP)** and **Station (STA)**. * This process uses: - **Pairwise Master Key (PMK):** Derived from the pre-shared key (PSK) or 802.1X authentication. - **Pairwise Transient Key (PTK):** Generated from PMK + Nonces + MAC addresses. - **Group Temporal Key (GTK):** Used for broadcast and multicast traffic. * The handshake involves four messages * The AP sends ANonce to STA to initiate key generation. * The STA will use this ANonce, its own SNonce, and the shared PSK to derive PTK. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_1.png :alt: Message 1 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = AP MAC address. * Confirms the frame is transmitted from the AP. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_2.png :alt: Source address in Message 1 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = STA MAC address. * Ensures the response is directed to the correct STA. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_3.png :alt: Receiver address in Message 1 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address (same as Source). * Confirms that the response is part of the same BSS. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_4.png :alt: BSSID in Message 1 :scale: 95 % 6. Check the **EAPOL Version and Type** * Version = 802.1X-2004 (2) * Type = Key (3) → Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_5.png :alt: EAPOL version and type in Message 1 :scale: 95 % 7. Verify the **Key Descriptor Type** * Value = 2 → EAPOL RSN Key (WPA2). * Confirms that WPA2 key exchange is being performed. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_6.png :alt: Key Descriptor Type in Message 1 :scale: 95 % 8. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA1 MIC. * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** Not set → STA should not install PTK yet. * **Key ACK:** Set → AP expects acknowledgment from STA. * **Key MIC:** Not set → No MIC because PTK not yet derived. * Secure = Not set .. image:: ./wpa2/802.11g_wpa2_message1/message_1_7.png :alt: Key Information field in Message 1 :scale: 95 % 9. Verify the **Replay Counter** * Value = 1 → Used to prevent replay attacks. Must increase with each new handshake message. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_8.png :alt: Replay counter in Message 1 :scale: 95 % 10. Check the **ANonce (Authenticator Nonce)** * Random 32-byte number generated by the AP. * Used by STA to derive the Pairwise Transient Key (PTK). * Ensures key uniqueness per session. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_9.png :alt: ANonce in Message 1 :scale: 95 % 11. Verify the **Key Data Length** * Value = 0 → No additional data present. * Confirms this is the first message containing only ANonce. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_10.png :alt: Key Data Length in Message 1 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 1 Packet Analysis** * The STA immediately sends an **ACK frame** after receiving Message 1. * Confirms correct reception of ANonce by STA. * ACK frames are control frames with **no payload**. * Ensures reliable delivery before next message is sent. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_11.png :alt: ACK subtype after Message 1 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa2/802.11g_wpa2_message1/message_1_12.png :alt: Receiver address of ACK after Message 1 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 2 of 4 – EAPOL Key from STA to AP** 1. Check if STA is sending Message 2 of 4 – EAPOL Key * STA sends SNonce and MIC to AP. * AP verifies MIC using PTK and confirms both sides share the same key material. * This message ensures STA participates in PTK derivation and confirms key agreement. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_1.png :alt: Message 2 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = STA MAC address. * Confirms the frame is transmitted from the STA. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_2.png :alt: Source address in Message 2 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = AP MAC address. * Ensures the response is directed to the correct AP. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_3.png :alt: Receiver address in Message 2 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address. * Confirms that the response is part of the same BSS. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_4.png :alt: BSSID in Message 2 :scale: 95 % 6. Check the **EAPOL Version and Type** * Version = 802.1X-2001 (1) * Type = Key (3) * Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_5.png :alt: EAPOL version and type in Message 2 :scale: 95 % 7. Verify the **Key Descriptor Type** * Value = 254 → Identifies this as a WPA2 Key frame. * Confirms that WPA2 key exchange is being performed. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_6.png :alt: Key Descriptor Type in Message 2 :scale: 95 % 8. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA1 MIC * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** Not set → STA should not install PTK yet. * **Key ACK:** Not Set → since STA does not expect acknowledgment * **Key MIC:** set → STA includes MIC for message integrity check. * Secure = Not set .. image:: ./wpa2/802.11g_wpa2_message2/message_2_7.png :alt: Key Information field in Message 2 :scale: 95 % 9. Verify the **Replay Counter** * Value = 1 * Matches Message 1 counter. * Ensures synchronization between AP and STA. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_8.png :alt: Replay counter in Message 2 :scale: 95 % 10. Check the **SNonce (Supplicant Nonce)** * Random 32-byte number generated by the STA. * Used along with ANonce, MAC addresses, and PSK to derive PTK. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_9.png :alt: SNonce in Message 2 :scale: 95 % 11. Verify the **MIC Field** * Message Integrity Code generated using the derived PTK. * Proves STA has successfully calculated the PTK and knows the correct PSK. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_10.png :alt: MIC verification in Message 2 :scale: 95 % 12. Check the **Key Data (WPA2 Information Element)** * Contains WPA2 version, supported cipher suites (TKIP), and AKM (PSK). * Helps AP confirm STA’s supported encryption capabilities. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_11.png :alt: WPA2 Key Data in Message 2 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 2 Packet Analysis** * The AP sends an **ACK** confirming successful reception of STA’s response. * ACK ensures reliable exchange before sending Message 3. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_12.png :alt: ACK subtype after Message 2 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa2/802.11g_wpa2_message2/message_2_13.png :alt: Receiver address of ACK after Message 2 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 3 of 4 – EAPOL Key from AP to STA** 1. Check if AP is sending Message 3 of 4 – EAPOL Key * AP instructs STA to install PTK and provides GTK for group traffic. * STA installs both keys and prepares to send final confirmation. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_1.png :alt: Message 3 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = AP MAC address. * Confirms the frame is transmitted from the AP. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_2.png :alt: Source address in Message 3 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = STA MAC address. * Ensures the response is directed to the correct STA. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_3.png :alt: Receiver address in Message 3 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address (same as Source). * Confirms that the response is part of the same BSS. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_4.png :alt: BSSID in Message 3 :scale: 95 % 6. Check the **EAPOL Version and Type** * Version = 802.1X-2004 (2) * Type = Key (3) * Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_5.png :alt: EAPOL version and type in Message 3 :scale: 95 % 7. Verify the **Key Descriptor Type** * Value = 2 → Identifies this as a EAPOL RSN Key (WPA2) * Confirms that WPA2 key exchange is being performed. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_6.png :alt: Key Descriptor Type in Message 3 :scale: 95 % 8. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA1 MIC * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** set → STA should install PTK now. * **Key ACK:** Set → AP expects acknowledgment. * **Key MIC:** set → STA includes MIC for message integrity check. * Secure = Set → Key Data is encrypted (GTK included) .. image:: ./wpa2/802.11g_wpa2_message3/message_3_7.png :alt: Key Information field in Message 3 :scale: 95 % 9. Verify the **Replay Counter** * Value = 2 * Increments from previous message. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_8.png :alt: Replay counter in Message 3 :scale: 95 % 10. verify the **ANonce** * Same ANonce as in Message 1 → Confirms handshake continuity. * Used again for PTK confirmation. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_9.png :alt: SNonce in Message 3 :scale: 95 % 11. Verify the **MIC Field** * Ensures the message is authentic and not altered. * AP computes MIC using PTK and includes it here. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_10.png :alt: MIC verification in Message 3 :scale: 95 % 12. Check the **Key Data Field** * Contains Group Temporal Key (GTK). * GTK used for encrypting broadcast and multicast traffic. * Includes RSN Information Element (cipher suites, AKM) and GTK KDE. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_11.png :alt: WPA2 Key Data in Message 3 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 3 Packet Analysis** * STA sends **ACK** confirming receipt of the GTK and installation instruction. * Confirms that STA has installed the PTK successfully. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_12.png :alt: ACK subtype after Message 2 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa2/802.11g_wpa2_message3/message_3_13.png :alt: Receiver address of ACK after Message 2 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Message 4 of 4 – EAPOL Key from STA to AP** 1. Check if STA is sending Message 4 of 4 – EAPOL Key * STA confirms successful installation of PTK and GTK. * The 4-way handshake is complete, and encrypted data transfer can now begin. 2. Check the **Frame Subtype** * Type = 2 → Data frame * Subtype = 0 → Standard Data * Flags = 0x02 → Indicates **Protected Frame**, meaning payload is encrypted under WPA2/WPA2. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_1.png :alt: Message 4 Subtype :scale: 95 % 3. Verify **Source Address** * Source Address = STA MAC address. * Confirms the frame is transmitted from the STA. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_2.png :alt: Source address in Message 4 :scale: 95 % 4. Check the **Receiver Address** * Receiver Address = AP MAC address. * Ensures the response is directed to the correct AP. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_3.png :alt: Receiver address in Message 4 :scale: 95 % 5. Verify **BSSID** * BSSID = AP MAC address. * Confirms that the response is part of the same BSS. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_4.png :alt: BSSID in Message 4 :scale: 95 % 6. Check the **EAPOL Version and Type** * Version = 802.1X-2001 (1) * Type = Key (3) * Indicates that this is an EAPOL-Key frame used for key management. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_5.png :alt: EAPOL version and type in Message 4 :scale: 95 % 7. Verify the **Key Descriptor Type** * Value = 2 → Identifies this as a EAPOL RSN Key (WPA2) * Confirms that WPA2 key exchange is being performed. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_6.png :alt: Key Descriptor Type in Message 4 :scale: 95 % 8. Check the **Key Information Field** * **Key Descriptor Version:** 2 → Uses AES Cipher, HMAC-SHA1 MIC * **Key Type:** Pairwise → The key is for one STA, not for broadcast. * **Install:** Not set → STA should not install PTK yet. * **Key ACK:** Not Set → since STA does not expect acknowledgment * **Key MIC:** set → STA includes MIC for message integrity check. * Secure = Set → Confirms encryption of Key Data (if present) .. image:: ./wpa2/802.11g_wpa2_message4/message_4_7.png :alt: Key Information field in Message 4 :scale: 95 % 9. Verify the **Replay Counter** * Value = 2 * Matches Message 3 counter. * Ensures synchronization between AP and STA. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_8.png :alt: Replay counter in Message 4 :scale: 95 % 10. Verify the **MIC Field** * Confirms the final message is valid and unmodified. * Proves the STA successfully installed the PTK and GTK. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_9.png :alt: MIC verification in Message 4 :scale: 95 % 11. Check the **Key Data Length** * Value = 0 → No additional key data included. * Confirms this message is only an acknowledgment. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_10.png :alt: WPA2 Key Data in Message 4 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Message 4 Packet Analysis** * AP sends **ACK** confirming the final EAPOL message. * Both devices now share the same PTK and GTK, and can begin encrypted communication. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Indicates successful MAC-layer acknowledgment from STA to AP. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_11.png :alt: ACK subtype after Message 4 :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address (sender of the Association Response). * Confirms ACK is directed to the correct device. .. image:: ./wpa2/802.11g_wpa2_message4/message_4_12.png :alt: Receiver address of ACK after Message 4 :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Request Packet Analysis** * The ARP Reply in WPA2 mode is sent inside an 802.11 **Data frame** protected using **CCMP (AES)**. * It may involve two flows: 1. STA → AP (STA initiates request) 2. AP → Broadcast (AP forwards to all stations) * Used by devices to discover the MAC address corresponding to a target IP. 1. Check if STA is sending ARP Request * STA sends an ARP Request encapsulated in a **WPA2-encrypted Data frame**. * WPA2 uses **AES-CCMP** for encryption and integrity protection. 1.1. Check the **Source Address** * MAC of the STA sending the ARP Request. * Identifies which device initiated the request. .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_1.png :alt: STA to AP ARP Source Address :scale: 95 % 1.2. Verify **Destination Address** * Broadcast MAC: ff:ff:ff:ff:ff:ff * Data frame is intended for all devices in BSS to eventually deliver ARP. .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_2.png :alt: STA to AP ARP Destination Address :scale: 95 % 1.3. Verify **Receiver Address** * Receiver = AP MAC .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_3.png :alt: STA to AP ARP Receiver Address :scale: 95 % 1.4. Verify **Transmitter Address** * Transmitter = STA MAC. * Indicates who physically transmitted the frame on the medium. .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_4.png :alt: STA to AP ARP Transmitter Address :scale: 95 % 1.5. Verify **WPA2 CCMP Parameters** * **CCMP Ext. Initialization Vector (PN)**: 0x00000000001B → ensures per-frame uniqueness * **Key Index**: 0 → indicates which pairwise key is used * **TK (Temporal Key)**: db3fb8bd336519d2fbc60536943cb399 * **PMK (Pairwise Master Key)**: 5a62cbe806170c6e2090ae65eb29a29d357db4660d93751ac0dbe5e54a5d52da * **MIC**: ensures integrity and authenticity of ARP payload .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_5.png :alt: WPA2 Parameters :scale: 95 % 1.6. Verify **Sender IP and MAC** * IP/MAC of the STA initiating the request * Identifies which device’s IP is being used to query the target. .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_6.png :alt: STA to AP ARP Sender IP and MAC :scale: 95 % 1.7. Verify **Target IP and Target MAC** * IP of the device STA wants to reach. * Target MAC is unknown (00:00:00:00:00:00) in initial ARP Requests. .. image:: ./wpa2/802.11g_wpa2_arp_req/arp_req_7.png :alt: STA to AP ARP Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ARP Reply Packet Analysis** 1. Check if AP is sending ARP Reply * After the STA sends an ARP Request, the device owning the target IP responds with an ARP Reply. * This is usually unicast from the AP to the STA. * The reply provides the MAC address corresponding to the target IP so the STA can update its ARP table. 2. Verify **Source Address** * AP MAC (BSSID) — the sender of the ARP Reply. * Identifies which device owns the requested IP (192.168.1.10). .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_1.png :alt: AP to STA ARP Reply Source Address :scale: 95 % 3. Verify **Destination Address** * STA MAC — unicast to the requesting STA. * Ensures only the requesting device receives this ARP Reply. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_2.png :alt: AP to STA ARP Reply Destination Address :scale: 95 % 4. Verify **Receiver Address** * STA MAC — confirms the intended recipient at the link layer. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_3.png :alt: AP to STA ARP Reply Receiver Address :scale: 95 % 5. Verify **Transmitter Address** * AP MAC — indicates who physically transmitted the frame. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_4.png :alt: AP to STA ARP Reply Transmitter Address :scale: 95 % 6. Verify **WPA2 TKIP Parameters** * **CCMP Ext. Initialization Vector (PN)**: → ensures per-frame uniqueness * **Key Index**: 0 * **TK (Temporal Key)**: db3fb8bd336519d2fbc60536943cb399 * **PMK (Pairwise Master Key)**: 5a62cbe806170c6e2090ae65eb29a29d357db4660d93751ac0dbe5e54a5d52da * **MIC**: ensures integrity and authenticity of ARP payload .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_5.png :alt: WEP Parameters :scale: 95 % 7. Verify **Sender IP and MAC** * IP: Target IP (AP's IP) * MAC: AP’s MAC * Provides the requested mapping for the STA’s ARP table. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_6.png :alt: AP to STA ARP Reply Sender IP and MAC :scale: 95 % 8. Verify **Target IP and MAC** * IP: STA IP * MAC: STA MAC * Confirms the reply is directed to the original requester. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_7.png :alt: AP to STA ARP Reply Target IP and MAC :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ARP Reply Packet Analysis** * The **ARP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ARP Reply successfully. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_8.png :alt: ARP Reply ACK Subtype :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver Address = AP MAC address * Confirms the acknowledgment is directed to the AP. .. image:: ./wpa2/802.11g_wpa2_arp_resp/arp_resp_9.png :alt: ARP Reply ACK Receiver Address :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Request Packet Analysis** 1. Check if STA is sending ICMP Echo (Ping) Request * The ICMP Echo Request is sent by the STA to the AP to test connectivity. * It is encapsulated inside an 802.11 Data frame and protected using **WPA2 AES-CCMP** * usually sent unicast to the AP. * This frame allows the STA to verify reachability and latency. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the STA (e.g., 24 Mbps or 36 Mbps). * Confirms the speed of transmission for the ping request. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_1.png :alt: Data Rate in ICMP Echo Request :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the ping uses the correct RF channel. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_2.png :alt: Channel in ICMP Echo Request :scale: 95 % 4. Verify **Source MAC** * STA MAC address (e.g., e8:6f:38:71:f1:e3). * Confirms the correct STA is sending the ping. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_3.png :alt: Source MAC in ICMP Echo Request :scale: 95 % 5. Verify **Receiver MAC** * AP MAC address. * Confirms the frame is directed to the correct AP. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_4.png :alt: Receiver MAC in ICMP Echo Request :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: STA IP (e.g., 192.168.1.1) * Destination IP: AP IP (e.g., 192.168.1.10) * Ensures correct layer-3 addressing for ICMP. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_5.png :alt: Source and Destination IP in ICMP Echo Request :scale: 95 % 7. Verify **WPA2 CCMP Parameters** * CCMP Ext. Initialization Vector: 0x00000000001C * Key Index: 0 * Temporal Key (TK): db3fb8bd336519d2fbc60536943cb399 * Pairwise Master Key (PMK): 5a62cbe806170c6e2090ae65eb29a29d357db4660d93751ac0dbe5e54a5d52da * MIC ensures message integrity and authenticity. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_6.png :alt: WPA2 Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms the packet is an ICMP message. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_7.png :alt: Protocol field in ICMP Echo Request :scale: 95 % 9. Verify **Type** * ICMP Type = 8 (Echo Request). * Identifies the frame as a ping request. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_8.png :alt: ICMP Type in Echo Request :scale: 95 % 10. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_9.png :alt: IP Version in ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Request Packet Analysis** * The **ICMP Request** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Request packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the AP received the ICMP Request successfully. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_10.png :alt: ACK Subtype after ICMP Echo Request :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = STA MAC. * Confirms that the acknowledgment is sent back to the STA. .. image:: ./wpa2/802.11g_wpa2_icmp_req/icmp_req_11.png :alt: ACK Receiver Address after ICMP Echo Request :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **ICMP Reply Packet Analysis** 1. Check if AP is sending ICMP Echo (Ping) Reply * The ICMP Echo Reply is sent by the AP back to the STA in response to the Echo Request. * Encapsulated inside an 802.11 Data frame with **AES-CCMP** and typically sent unicast. * Confirms that the AP is reachable and the network path is functioning correctly. 2. Verify **Data Rate** * Data Rate indicates the PHY rate used by the AP (e.g., 36 Mbps). * Confirms the speed of transmission for the ping reply. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_1.png :alt: Data Rate in ICMP Echo Reply :scale: 95 % 3. Verify **Channel** * Channel used for transmission (e.g., Channel 6 / 2437 MHz). * Ensures the reply uses the correct RF channel. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_2.png :alt: Channel in ICMP Echo Reply :scale: 95 % 4. Verify **Source MAC** * AP MAC address (e.g., 0c:9a:3c:9f:17:71). * Confirms the reply originates from the correct AP. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_3.png :alt: Source MAC in ICMP Echo Reply :scale: 95 % 5. Verify **Receiver MAC** * STA MAC address. * Confirms the reply is delivered to the requesting STA. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_4.png :alt: Receiver MAC in ICMP Echo Reply :scale: 95 % 6. Verify **Source and Destination IP** * Source IP: AP IP (e.g., 192.168.1.10) * Destination IP: STA IP (e.g., 192.168.1.1) * Confirms correct layer-3 addressing for the ICMP reply. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_5.png :alt: Source and Destination IP in ICMP Echo Reply :scale: 95 % 7. Verify **WPA2 Encryption Parameters** * CCMP Ext. IV: 0x000000000002 * Key Index: 0 * Temporal Key (TK): db3fb8bd336519d2fbc60536943cb399 * Pairwise Master Key (PMK): 5a62cbe806170c6e2090ae65eb29a29d357db4660d93751ac0dbe5e54a5d52da .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_6.png :alt: WPA2 Parameters :scale: 95 % 8. Verify **Protocol** * Protocol = ICMP (0x01). * Confirms that the packet is an ICMP message. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_7.png :alt: Protocol in ICMP Echo Reply :scale: 95 % 9. Verify **IP Version** * Version = 4 (IPv4). * Confirms the ICMP packet uses IPv4. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_8.png :alt: IP Version in ICMP Echo Reply :scale: 95 % 10. Verify **Type** * ICMP Type = 0 (Echo Reply). * Identifies the frame as a ping reply. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_9.png :alt: ICMP Type in Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after ICMP Echo Reply Packet Analysis** * The **ICMP Reply** is a **unicast frame**, so the STA replies with an **ACK**. * This ensures the AP knows the STA successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the STA received the ICMP Reply successfully. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_10.png :alt: ACK Subtype after ICMP Echo Reply :scale: 95 % 2. Verify the **ACK Receiver Address**. * Receiver MAC = AP MAC. * Confirms that the acknowledgment is sent back to the AP. .. image:: ./wpa2/802.11g_wpa2_icmp_resp/icmp_resp_11.png :alt: ACK Receiver Address after ICMP Echo Reply :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Deauthentication Packet Analysis** 1. Check if STA is sending Deauthentication Frame * Deauthentication is a management frame sent by either the AP or STA to terminate an existing connection. * It contains information about why the device is being deauthenticated. * The frame is unicast and will be acknowledged by the recipient. 2. Verify **Frame Subtype** * Subtype = 12 identifies the frame as Deauthentication. * Ensures Wireshark captures the correct management frame. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_1.png :alt: Deauthentication Subtype :scale: 95 % 3. Verify **Source MAC Address** * MAC address of the device sending the deauthentication frame (AP or STA). * Confirms which device initiated the deauthentication. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_2.png :alt: Source MAC in Deauthentication :scale: 95 % 4. Verify **Receiver MAC Address** * MAC address of the recipient device. * Ensures the frame is targeted to the correct station or AP. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_3.png :alt: Receiver MAC in Deauthentication :scale: 95 % 5. Verify **Fixed Parameters** * Includes Reason Code (e.g., 0x0001: Unspecified reason). * Helps determine why the deauthentication occurred. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_4.png :alt: Fixed Parameters in Deauthentication :scale: 95 % .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Acknowledgement after Deauthentication Packet Analysis** * The **Deauthentication** is a **unicast frame**, so the AP replies with an **ACK**. * This ensures the STA knows the AP successfully received its Reply packet. * The ACK is a **Control frame (Subtype = 13)** and follows a **SIFS interval (~10 µs)**. 1. Check the **ACK Frame Subtype**. * Subtype = 13 identifies the frame as an **ACK**. * Confirms the recipient received the deauthentication frame. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_5.png :alt: ACK Subtype after Deauthentication :scale: 95 % 2. Verify the **ACK Receiver Address**. * Destination MAC = sender of the deauthentication frame. * Confirms the acknowledgment is directed back to the sender. .. image:: ./wpa2/802.11g_wpa2_deauth/deauth_6.png :alt: ACK Receiver Address after Deauthentication :scale: 95 %