IEEE 802.11 Frames and How to Get Them


In the coming months we will present some of the insights we gained while analyzing devices that provide so-called industrial Wireless LAN. To get a general understanding of these devices, some basic knowledge about Wi-Fi and the corresponding standards is vital. This post provides an overview of the main properties of the 802.11 standard and explains what kinds of frames one can expect to see.

What is IEEE 802.11 anyway?

The first Wi-Fi standard, 802.11, was published by the IEEE in 1997. Since then many improvements have been made and the original standard was superseded long ago (see here for a timeline). The standard defines a way to communicate wirelessly in a manner similar to other IEEE 802 standards, e.g. as 802.3 does for wired Ethernet connections. Generally, the most important objective of these standards is the management of the physical medium in use – in this case the air.

The air as a shared medium

Any communication system needs a medium to send signals through, e.g. the cable in the case of wired communication. Such a medium is often restricted in the sense that only one party can send signals at a time. If two entities emit signals simultaneously on the same medium they may disturb each other. Communication systems of this kind are called half-duplex. One way to handle this problem is a mechanism in which the participants sharing a medium cooperate so that each only sends data while the medium is free to use.

Managing simultaneous communication is necessary for both wired and wireless communication. However, the main challenge for the latter is its transport medium – the air. Since access to the air is difficult to restrict, the corresponding communication is much more difficult to restrict and manage. In contrast, access to a cable is easily limited to a few specific participants.

In wireless communication, participants transmit with different signal strengths. As a consequence, packets may get lost. This is seldom the case for wired communication. Another issue in wireless communication is that not all participants are aware of each … more

Writeup of the covfefe CTF

Capture the Flag (CTF) challenges offer a great opportunity to practice hacking skills in a controlled and legal environment. One of the most common places to look for such challenges is Vulnhub, which offers virtual machines that are configured in an insecure way so that the user can learn new techniques.

A couple of days ago I stumbled upon the covfefe machine.

After setting up my environment I started with the initial recon phase. The recon phase is used to find as much information about the system as possible. This is done in the hope that outdated software is in use, which can then be exploited easily via known vulnerabilities.

Usually this is done with nmap. I used the command nmap -A -p-, which scans all ports and fingerprints them, so it is easy to find out which services and which versions are running.

The scan reveals the following:

root@kali:~# nmap -A
Starting Nmap 7.60 ( ) at 2017-11-08 16:10 CET
Nmap scan report for
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
|   256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
|_  256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
80/tcp    open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
|_http-title: 404 Not Found
MAC Address: 08:00:27:CD:38:F1 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds
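Scan output like the above is easier to review, compare across hosts, or feed into an asset inventory once it is parsed into structured records. The following Python is an added example, not code from the writeup: it parses nmap's normal-format PORT lines and the NSE script lines that follow them, pulls out the http-robots.txt entries, and flags open ports whose banner identifies a development HTTP server. The sample input is a constructed excerpt of the scan shown above.

```python
import re

# Constructed sample: an excerpt of the nmap normal-format output shown above.
SAMPLE = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|_  256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
80/tcp    open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
"""

# A port line looks like "22/tcp open ssh OpenSSH 7.4p1 ..."; the VERSION
# column is optional, so the trailing group may be absent.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Return one dict per PORT line, with the NSE script output
    ('|' lines) attached to the port it directly follows."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip(),
                          "scripts": []})
        elif line.startswith("|") and ports:
            # Drop the "| " / "|_" prefix and keep the script text.
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def robots_disallowed(port):
    """Paths listed under the http-robots.txt script output, or []."""
    scripts = port["scripts"]
    for i, s in enumerate(scripts):
        if s.startswith("http-robots.txt:") and i + 1 < len(scripts):
            return scripts[i + 1].split()
    return []

def exposed_dev_servers(ports):
    """Open ports whose banner names a development HTTP server (Werkzeug
    here); such servers are rarely meant to be reachable over the network."""
    return [p["port"] for p in ports
            if p["state"] == "open" and "Werkzeug" in p["version"]]
```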

What do we … more