Wednesday, November 6, 2019

Aruba InstantOS 8.5 - Finding the Default Password (Serial Number)

Recently I was doing some lab work with some APs running InstantOS 6.4.2 and decided to upgrade them to Instant 8.5. Going through the upgrade was quick and painless. However, once I was up to Instant 8.5, I decided to clear the configuration on the APs in order to remove any of the prior lab configurations that I had done. When the APs came back up, I was surprised to find that the default password was no longer working. It turns out that with InstantOS 8.5 the default password is now the serial number of the AP. This put me in a bit of a predicament because the APs I was working with were remotely located, so I had no way of physically reading the serial number off the AP.

To get around this you need to be able to console into the AP and power cycle it (disabling and then re-enabling PoE on the switch port works). As soon as the AP begins to boot, watch for the below to appear. Keep in mind that the serial number is printed on the AP's label and shown on the console during boot, so it is a recovery credential rather than a secret; set a real admin password as soon as you are back in.

Monday, February 11, 2019

AccelTex Accelerator Battery - Review / Thoughts

Recently AccelTex unveiled their latest product, their Accelerator battery. Although battery packs are not novel to the world, there are only a few that are designed for Wireless Site Surveys, which is exactly what the Accelerator was designed for.
Listed at a scant 1.32 pounds, the Accelerator's form factor is perfect for travel. Rather than slogging around with a battery the weight of a cinderblock, AccelTex has been able to pack the perfect amount of run time into a nice little form factor. I've been describing its size to people as about half of a paperback novel. If you want to get technical about it, it's 5.3” long, 3.9” wide, and 1.7” tall.
As for runtime, the 7500mAh capacity should provide you with enough power for almost a full day of surveying. Many of the reports I've seen on Twitter have shown it to provide about 6 hours of power for a modern AP. It also charges quickly; I found it jumped about 40% during a quick one hour “lunch charge,” going from 35% up to 74%. A full recharge will only take 4 hours as well, which, all things considered, is pretty quick.
The layout of the battery is close to perfect, with only a few minor quibbles. First, on the right hand side you'll find two barrel plugs. One is the charging port while the other is a 12V out. When I asked about the 12V out, AccelTex told me they have used this to power Cradlepoint routers, although I'm sure there are a number of other uses as well. Also on the right hand side, you'll find the LAN input. On the opposite side of the battery you'll find two RJ45 ports on either side of a toggle switch. One is a typical 802.3af/at PoE output, and the second is a 24V PoE output. The 24V was the first thing that jumped out at me when I started looking at the unit. There are a few Access Point manufacturers that utilize 24V PoE, such as Ubiquiti, as well as some security camera manufacturers. This, coupled with the 12V barrel output, makes it a very flexible platform. Nestled between the two RJ45 ports is a simple toggle switch. When in the middle the unit is off. Then, if you push it towards one side or the other it will turn on the power for the indicated port (either 802.3af/at or 24V PoE). On this same side of the battery you will also find a 5V USB A output. As you will see in the photos, I was able to power my WLAN Pi through this as well as a Cisco 2702I with no issues. On the front of the unit is the display. It's a very simple LCD display with a battery indicator and battery percentage. Under the display is a small button that you can push to toggle the battery percentage to voltage. That is, if you can actually push the button.
Right hand side
Left hand side

With all that out of the way, let's delve a bit more into my thoughts and opinions on the unit. First, a couple of caveats that should be taken into account. AccelTex was kind enough to supply me with a unit for testing. They provided absolutely no requirements for me to review, blog, or even talk about the battery. Further, I was sent one of the first production units. As such, there were a few concerns I had that AccelTex has already addressed, but I will still point them out here.
AccelTex includes a nice case (as cases go) with the battery. It has just enough room for the battery itself, its charging cord and an additional 12V jumper cable. This will help keep everything together when travelling. I’ve also already found that it helps me remember to bring along the charging cable, which by itself is invaluable.
Case - Scratch marks and finger prints show up easily

One of the first things you’ll notice about the unit (and its case) is the texture and color. Both are fairly sleek, with a matte black look. However this texture does seem to pick up dust and fingerprints very easily. When I brought this up with AccelTex they actually mentioned that more often than not, the battery won’t be “naked” like I’ve had it. But they now have a form fitting case for the battery that contains connectors and straps so that you can attach the battery directly to your survey tripod. I have not received a case yet, but the photos that I’ve seen look great and make it that much more versatile.
The first thing I did when taking it out of the box was go to charge it. Well, at least I tried to anyway. The charging cable is only 36” long. I understand that this may seem like I’m looking for things to be critical about, but I found this irksome. Due to the great form factor of the unit, I can see a lot of people leaving these attached to their survey rigs. So having a longer charging cable that allows you to do so would be fairly important.
The second thing I did was look at the display. There is nothing like the nice warm glow of a lit up green LCD. My only concerns with the display were that it never shuts off, even when the unit is off, which could lead you to accidentally leave the battery on, as the only indicator that the battery is on (other than the switch) is the small indicator on the RJ45 port that's being powered. I also found the button to change from battery percentage to voltage to be a bit small and hard to push. Although it's certainly doable, and quite frankly, how often are you going to need to toggle between the two?
Gotta love a lit green LCD

In my notes I actually wrote in two different places how I keep expecting it to weigh more. I don’t know if it’s that the form factor is a bit “brick-like,” and that’s what makes me think it’s going to be heavier. But it really is remarkably light for its size.
The last of my nitpicking is with the name itself. I mean, I get it, it's a play off of AccelTex. But… meh. Maybe it's the fact that there's the word "The" in front of it. “The Accelerator.” The same thing annoys me when people say they went to “The Ohio State University.” Also the name itself (the full name, including “the”) is written on the top of the battery in what appears to be just italicized Times New Roman. I suggested that they rename it the DCR-1, which I think in almost any font would look good. But for whatever reason they have yet to take me up on that suggestion.
Final thoughts
I think AccelTex really hit it out of the park with this one. I have a few minor gripes with it, but all in all it’s a great battery. Especially when you consider that MSRP is only $299.95. With the addition of the 12V barrel output and 24V PoE, it’s a very versatile solution. It has a great run time considering its weight and form factor. As well as a quick recharge time. It’s certainly going to be the platform that I suggest moving forward.

Friday, March 2, 2018

Chapter 2 - Inter Frame Space (IFS)

Shortest to Longest: RIFS, SIFS, PIFS, DIFS, AIFS, EIFS

Mnemonic to help remember: Really Super Powerful Dog Ate Everything

***EXAM*** The above (shortest to longest) could be on the exam. The notes below are from my CWDP notes.

SIFS (Short Inter Frame Space) - Used with all of the coordination functions. SIFS is the shortest of the IFS defined in 802.11-2007. It is used prior to ACK and CTS frames, as well as between the MPDUs of a fragment burst. For 802.11n an even shorter IFS (RIFS) was introduced.

RIFS (Reduced Inter Frame Space) - Introduced with 802.11n to improve efficiency for transmissions to a single receiver that do not require a SIFS-separated response, such as a transmission burst (CFB, Contention Free Burst). 802.11n uses RIFS together with Block ACK; RIFS is *only* used when Block ACK is enabled. When Block ACK is used, the data frames of a CFB can be sent back to back without stopping for an ACK after each one. At the end of the CFB the transmitting STA sends a BAR (Block ACK Request) and should receive a single Block ACK (BA) in return.

DIFS (Distributed Inter Frame Space) - When a STA wants to transmit a data frame (MPDU) or a management frame (MMPDU) for the first time in a DCF (Distributed Coordination Function) network, it must observe a DIFS after the previous frame completes. DIFS is longer than SIFS and PIFS.
DIFS = SIFS + 2 x SlotTime
SlotTime for 802.11a/n/ac (5 GHz) = 9 µs
SlotTime for 802.11g/n (2.4 GHz, HT or ERP) = 9 µs with short slot time
SlotTime for 802.11g/n (2.4 GHz, HT or ERP) = 20 µs with long slot time
SlotTime for 802.11b/g/n (2.4 GHz, DSSS) = 20 µs

EIFS (Extended Inter Frame Space) - EIFS is used by a STA that has received a frame containing errors (a bad FCS). By waiting the longer IFS, the transmitting station has enough time to recognize that its frame was not received correctly before the receiving station starts transmitting. If during the EIFS the STA receives a frame correctly (regardless of intended recipient), it resumes using DIFS or AIFS, as appropriate.
 - EIFS does have a drawback. STAs near the AP can cause problems for STAs further away. STAs close to the AP use higher data rates, and hence higher-order modulation, which the far STAs cannot demodulate; they interpret the frame as corrupted and stay quiet for an EIFS. The near STAs meanwhile only wait DIFS or AIFS, which gives them priority and more opportunities to transmit while the far STAs remain quiet.
EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
EIFS for 802.11b/g/n devices using DSSS = 364 µs
EIFS for 802.11g/n devices using OFDM = 160 µs
EIFS for 802.11a/n devices (5 GHz) = 160 µs
EIFS (in EDCA) = SIFS + AIFS[AC] + ACK_Tx_Time

AIFS (Arbitration Inter Frame Space) - The AIFS shall be used by QoS STAs to transmit all data frames (MPDUs), all management frames (MMPDUs), and the following control frames: PS-Poll, RTS, CTS (when not transmitted as a response to an RTS), BlockAckReq, and BlockAck (when not transmitted as a response to a BlockAckReq).
The number of slot times used in the AIFS is called the Arbitration Inter Frame Space Number (AIFSN). 802.11e specifies 4 access categories (AC_VO: Voice, AC_VI: Video, AC_BE: Best Effort and AC_BK: Background). The Voice and Video categories use 2 slot times by default, Best Effort uses 3 slot times, and Background traffic uses 7 slot times by default.
Below is the formula to calculate AIFS for a given Access Category (AC)
AIFS[AC] = AIFSN[AC] × SlotTime + SIFSTime
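To make the formulas above concrete, here is a small calculator (an added example, not from the CWAP guide or these notes) that computes every IFS for a given PHY from its SIFS, SlotTime and the default AIFSN values, and checks that the results come out in the mnemonic's shortest-to-longest order. The ACK transmit time needed for EIFS is only filled in for the DSSS case (304 µs is assumed: 192 µs long PLCP preamble and header plus a 14-byte ACK at 1 Mb/s), which reproduces the 364 µs figure above; for the OFDM PHYs it is left as a parameter.

```python
"""IFS calculator for 802.11 DCF/EDCA timing (added example, not from the CWAP guide).

SIFS and SlotTime are the standard per-PHY values from the notes above. The
DSSS ACK transmit time of 304 us (192 us long PLCP preamble/header + 14-byte
ACK at 1 Mb/s) is an assumption used to reproduce the 364 us EIFS figure.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Default AIFSN per access category for a non-AP QoS STA (802.11e / WMM).
AIFSN = {"AC_VO": 2, "AC_VI": 2, "AC_BE": 3, "AC_BK": 7}
RIFS_US = 2  # 802.11n Reduced IFS, fixed at 2 us


@dataclass(frozen=True)
class Phy:
    name: str
    sifs_us: int
    slot_us: int
    ack_tx_us: Optional[int] = None  # ACK time at the lowest mandatory rate, if known


PHYS = {
    "5GHz-OFDM": Phy("802.11a/n/ac (5 GHz)", 16, 9),
    "2.4GHz-ERP-short-slot": Phy("802.11g/n (2.4 GHz, short slot)", 10, 9),
    "2.4GHz-ERP-long-slot": Phy("802.11g/n (2.4 GHz, long slot)", 10, 20),
    "2.4GHz-DSSS": Phy("802.11b (2.4 GHz, DSSS)", 10, 20, ack_tx_us=304),  # 304 us assumed
}


def pifs(phy: Phy) -> int:
    """PIFS = SIFS + 1 x SlotTime (PCF / AP priority access)."""
    return phy.sifs_us + phy.slot_us


def difs(phy: Phy) -> int:
    """DIFS = SIFS + 2 x SlotTime."""
    return phy.sifs_us + 2 * phy.slot_us


def aifs(phy: Phy, ac: str) -> int:
    """AIFS[AC] = AIFSN[AC] x SlotTime + SIFS."""
    return AIFSN[ac] * phy.slot_us + phy.sifs_us


def _ack_time(phy: Phy, ack_tx_us: Optional[int]) -> int:
    ack = phy.ack_tx_us if ack_tx_us is None else ack_tx_us
    if ack is None:
        raise ValueError(f"ACK transmit time not known for {phy.name}; pass ack_tx_us")
    return ack


def eifs(phy: Phy, ack_tx_us: Optional[int] = None) -> int:
    """EIFS (DCF) = SIFS + DIFS + ACKTxTime."""
    return phy.sifs_us + difs(phy) + _ack_time(phy, ack_tx_us)


def eifs_edca(phy: Phy, ac: str, ack_tx_us: Optional[int] = None) -> int:
    """EIFS (EDCA) = SIFS + AIFS[AC] + ACKTxTime."""
    return phy.sifs_us + aifs(phy, ac) + _ack_time(phy, ack_tx_us)


def ifs_table(phy: Phy) -> dict[str, int]:
    """Every IFS for one PHY in microseconds, listed shortest to longest."""
    table = {"RIFS": RIFS_US, "SIFS": phy.sifs_us, "PIFS": pifs(phy), "DIFS": difs(phy)}
    for ac in AIFSN:  # AC_VO, AC_VI, AC_BE, AC_BK: increasing AIFSN, decreasing priority
        table[f"AIFS[{ac}]"] = aifs(phy, ac)
    if phy.ack_tx_us is not None:
        table["EIFS"] = eifs(phy)
    return table


def is_shortest_to_longest(table: dict[str, int]) -> bool:
    """The exam mnemonic: RIFS < SIFS < PIFS < DIFS <= AIFS[...] < EIFS.
    AIFS[AC_VO] equals DIFS with the default AIFSN of 2, hence <= rather than <."""
    values = list(table.values())
    return all(a <= b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for phy in PHYS.values():
        print(phy.name)
        for label, us in ifs_table(phy).items():
            print(f"  {label:<12} {us:4d} us")
```

Running it prints one table per PHY; note that AIFS[AC_VO] lands exactly on DIFS, which is why voice traffic on a QoS STA contends no worse than legacy DCF traffic while AC_BK has to wait several extra slots.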

Chapter 3 - Security Communications Brief

WPA and WPA2

It's important to remember that these are certifications from the Wi-Fi Alliance and not from the 802.11 standard. This means they validate that a device uses portions of the security that 802.11 provides. They both come in two forms, Personal and Enterprise. Personal is also known as PSK mode because it authenticates with a Pre-Shared Key.

WPA has been deprecated, and its use should be as well. It used TKIP/RC4, and likewise TKIP/RC4 should no longer be used either.

The Enterprise version of both WPA and WPA2 uses the 802.1X framework for authentication and key management. This framework has three primary components.
1.) Supplicant (Client STA)
2.) Authenticator (AP or Controller)
3.) Authentication Server (This is normally your RADIUS server)

The EAPoL protocol is used for communication between the Supplicant and Authenticator, and RADIUS is used between the Authenticator and the Authentication Server.

The process looks something like this

  • Open System Authentication takes place (two authentication frames)
  • Client associates to the AP
  • EAP authentication using the RADIUS server
  • 4-way handshake generates the encryption keys for the STA and AP
  • Encrypted communications commence.
Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.
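The 4-way handshake step above is where the keys actually come from. The following is an added example (not from the CWAP guide or these notes) that implements the public 802.11i algorithms for the Personal case: the PSK is PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 iterations, 32 bytes), the PTK is PRF-384 over the PMK with the sorted MAC addresses and nonces, and the EAPOL-Key MIC for key descriptor version 2 (CCMP) is HMAC-SHA1 over the frame truncated to 16 bytes. The MAC addresses, nonces and the EAPOL-Key frame built in demo() are constructed sample values; the passphrase/SSID pair "password"/"IEEE" is the standard's own test vector input. Because the PSK derivation needs nothing but the passphrase and the SSID, anyone who captures the handshake can run exactly this code over a wordlist, which is the practical reason WPA2-Personal passphrase strength matters.

```python
"""WPA2-Personal key derivation and EAPOL-Key MIC check (added example, not from
the CWAP guide or these notes).

PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)
PTK = PRF-384(PMK, "Pairwise key expansion",
              Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
MIC (key descriptor version 2) = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]
"""
import hashlib
import hmac
from typing import Optional

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor before the Key MIC
MIC_LEN = 16


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-Personal; offline-computable from passphrase + SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits): KCK (MIC key), KEK (key-wrap key), TK (data key).
    The Min/Max ordering makes the result the same whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes,
                          key_data: bytes = b"", kck: Optional[bytes] = None) -> bytes:
    """EAPOL (version 2, type 3 = EAPOL-Key) carrying an RSN Key Descriptor (type 2).
    If a KCK is given the Key MIC field is filled in, as a supplicant does for message 2."""
    body = (b"\x02"                                  # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                # key length (CCMP TK)
            + replay_counter.to_bytes(8, "big")
            + nonce                                  # 32-byte Key Nonce
            + bytes(16) + bytes(8) + bytes(8)        # Key IV, Key RSC, reserved
            + bytes(MIC_LEN)                         # Key MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]
    return frame


def demo() -> dict:
    """Walk through the derivation with constructed sample values."""
    pmk = derive_psk("password", "IEEE")                  # 802.11i test vector inputs
    aa = bytes.fromhex("001122334455")                    # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("66778899aabb")                   # STA (supplicant) MAC, constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Key Information 0x010A: descriptor version 2, Pairwise bit, MIC bit (message 2 of 4)
    msg2 = build_eapol_key_frame(0x010A, 1, snonce, kck=ptk["KCK"])
    tampered = bytearray(msg2)
    tampered[16] ^= 0x01                                  # flip a bit in the replay counter
    return {"pmk": pmk, "ptk": ptk, "msg2": msg2,
            "mic_ok": verify_mic(ptk["KCK"], msg2),
            "tampered_ok": verify_mic(ptk["KCK"], bytes(tampered))}


if __name__ == "__main__":
    r = demo()
    print("PMK:", r["pmk"].hex())
    print("TK :", r["ptk"]["TK"].hex())
    print("message 2 MIC valid:", r["mic_ok"], "/ after tampering:", r["tampered_ok"])
```

The KCK never leaves the two endpoints, so an attacker who only observes the exchange can check MIC candidates against a captured message 2 but cannot forge one without first recovering the PMK; the constant-time compare in verify_mic is the habit to keep even in a toy.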


RADIUS - Remote Authentication Dial-In User Service

RADIUS Process
  1. Access-Request - username/password or certificate
  2. Access-Challenge
  3. Access-Accept / Access-Reject

Chapter 3 - Important 802.11 Frames

We touched a bit on these in the "Type" field but this portion of the chapter goes into them a bit deeper

Beacon Frames - We touched on these in Chapter 2 as well as in other assorted places. These are used to announce a BSS to STAs that are looking for something to connect to. Beacons are transmitted (by default) every 100 time units (TUs). A TU is 1024 microseconds, which, when you do the math, means that a Beacon is transmitted every 102.4 milliseconds. Remember that a Beacon frame is transmitted for *every* SSID being broadcast, so the more SSIDs you have, the more Beacon overhead you are creating. Beacon frames are Management frames and as such use the Management frame format. Beacon frames contain a lot of information about the SSID and the radio broadcasting it. Some of the most important pieces are the SSID name itself, the capabilities of the device (there are a few things here) and the supported rates.

Beacons are scheduled for a target beacon transmission time (TBTT), which by default is every 100 TUs. That said, with how heavily utilized the wireless medium can be, the target is often not met, and the beacon is sent as soon as possible after the TBTT has passed. Remember that Beacon frames have to wait for the air to be clear before transmission, just like any other frame.

Beacon filter in Wireshark
wlan.fc.type_subtype == 0x08

To filter beacon frames *out* of the display use the Wireshark filter
wlan.fc.type_subtype != 0x08

Probe Request and Probe Response Frames

Remember in active scanning, a STA will send a Probe Request, which will be answered with a Probe Response by an AP. If the probe request is sent with a broadcast SSID, any and all AP's on that channel being probed will respond with a Probe Response. Thus allowing STA's to quickly gather a view of all of the SSID's available on that channel.

Probe Request and Response Wireshark filter
wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05

To filter out Probe Request/Response frames
wlan.fc.type_subtype != 0x04 && wlan.fc.type_subtype != 0x05

Remember that just because a client is connected does not mean that it will stop probing. Client roaming algorithms have a certain threshold at which they begin probing for a better AP. For example, last I knew, Apple iOS devices would start their probe requests at -67dBm. Now that doesn't mean that it will automatically move to something that's stronger than -67dBm; that could result in flapping from AP to AP. Instead it requires the new AP to be stronger by a certain threshold. In the iOS case (again, last I knew) the new AP had to be 8dB stronger than the AP that the STA is currently connected to. That means that even if the STA had a -72dBm connection, it would not roam unless the new AP had a signal strength of -64dBm or stronger. Unfortunately these roaming algorithms are unique to the devices, so the probing threshold and roaming threshold of each client may vary. It's important to keep this in mind when designing.

Authentication and Deauthentication Frames

Authentication frames are used by a STA to enter the Authenticated state with an AP. To do so, a STA sends a single frame to the AP, which answers back with a single frame of its own. This two-frame exchange is Open System authentication, which is what WPA2 networks use; the real authentication (802.1X/EAP, or the PSK-based 4-way handshake) happens after association.

Deauthentication frames are used to remove a STA from the authenticated state. They can be sent by either the STA or the AP. Remember that a STA cannot be associated if it's not authenticated, so a deauthentication also ends the association.

Wireshark filter for Authentication frames (Deauthentication is subtype 0x0c)
wlan.fc.type_subtype == 0x0b || wlan.fc.type_subtype == 0x0c

To filter them out
wlan.fc.type_subtype != 0x0b && wlan.fc.type_subtype != 0x0c

Association and Disassociation Frames

These frames are used for the STA to enter the associated state after it has been authenticated. Together with the two authentication frames it's a four-frame exchange:
-Authentication request
-Authentication response
-Association request
-Association response

From this point, if Open System authentication is being used with no security, the STA can begin to use the network. If the network uses 802.1X, the EAP exchange begins at this point, followed by the 4-way handshake; if it uses a PSK, the 4-way handshake begins directly.

Disassociation frames remove a STA from the associated state, placing it into the Authenticated-but-not-associated state. Disassociation frames include a reason code for the disassociation, a smattering of vendor-specific information, and an integrity check (MIC) if/when management frame protection is in use.

Wireshark filter (Disassociation is subtype 0x0a)
wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x01

To filter them out
wlan.fc.type_subtype != 0x00 && wlan.fc.type_subtype != 0x01

Reassociation Request and Response Frames

These are used when roaming from one AP to another within the same ESS. They can also be used to reconnect to an AP to which the STA was briefly connected, but only if the AP still holds authentication state for the STA. Request frames contain a plethora of information, including the address of the AP the STA is roaming from.

Wireshark filters
wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03

To filter them out
wlan.fc.type_subtype != 0x02 && wlan.fc.type_subtype != 0x03

Request to Send (RTS) and Clear to Send (CTS) Frames

These are used to reserve the medium for the transmission of "larger" frames. When a STA wants to send a frame larger than its RTS threshold, it sends an RTS; the intended receiver responds with a CTS.

Both frame types include a Duration field, which is very important as it lets every STA that hears the frame know how long the air will be busy (they set their NAV from it). The Duration value of the RTS frame is made up of the data *or* management frame duration + the CTS duration + one ACK duration + three SIFS.

The CTS response frame also carries a Duration value, measured in microseconds, made up of the Duration value of the RTS frame - the CTS duration - one SIFS.

CTS-to-Self is a CTS frame sent without an RTS before it. These frames have the RA field set to the sender's own address. They are helpful because all STAs within range hear the frame and set their NAV timers using its Duration field. That value is made up of the data or management frame duration + two SIFS + one ACK.

Wireshark filters for RTS/CTS frames
wlan.fc.type_subtype == 0x1b || wlan.fc.type_subtype == 0x1c

To filter them out
wlan.fc.type_subtype != 0x1b && wlan.fc.type_subtype != 0x1c

ACK Frames

These are sent to inform the transmitting device that the frame was received, and are sent immediately (one SIFS) after data and management frames. If an ACK frame is not returned, the transmitter assumes the frame was lost and retransmits it. With each retransmission the contention window from which the random backoff is drawn grows, up to a maximum of 1023 slots. This cap keeps STAs from retransmitting endlessly at a rate that isn't getting through instead of shifting to a lower data rate. As the book points out, it's far better to send a frame at 54Mbps and have it received than to send it five times at 150Mbps before it's received.

An ACK frame is a fairly simple frame, consisting of only the Frame Control, Duration, RA, and FCS fields. The RA field carries the address of the STA that sent the acknowledged frame, not the address of the STA sending the ACK.

Wireshark filter
wlan.fc.type_subtype == 0x1d

To filter them out
wlan.fc.type_subtype != 0x1d

Null Data and PS-Poll Frames

Null Data frames are used by a STA to tell the AP about its power management state, for example that it is awake and able to receive frames (or, with the PM bit set, that it is about to doze). They are called Null Data frames because they are simply Data frames containing no data.

Wireshark filter
wlan.fc.type_subtype == 0x24

PS-Poll is short for Power Save Poll. These frames are also used to notify the AP that the client is awake and available for buffered frames. They carry the STA's AID in the Duration/ID field.

STAs using power management set their PM bit to 1, meaning they will go in and out of the awake and doze states. While the STA dozes, the AP buffers any traffic destined for it.

Client devices have a Listen Interval, at the end of which the client wakes up and listens for Beacon frames. If the client sees its AID bit set to 1 in the TIM of a beacon, it sends a PS-Poll frame requesting that the AP send its buffered data, which the AP does one frame at a time. If there is more data the More Data bit is set to 1. The client sends a new PS-Poll for each frame until there are no more buffered frames, at which point the client STA can return to the doze state.

Rather than send a PS-Poll to the AP for each individual buffered frame, clients can also flip the PM bit to 0 (typically with a Null Data frame). This causes the AP to send all of its buffered data down to the STA as if it were a normal client. Once the transmission is complete, the STA flips its PM bit back to 1 and goes back to sleep. This is *not* a standard 802.11 power-save operation, but it is used by many client devices, and it eliminates a lot of unnecessary airtime eaten up by PS-Poll frames.

With WMM Power Save (WMM-PS), buffered frames are delivered using a trigger-and-delivery mechanism. WMM-PS is configured for each AC separately, which allows more frequent delivery for the applications that need it.

Trigger frames are actually data frames that are ACKed by the AP. This means a STA can send data to the AP while at the same time triggering the delivery of any buffered frames the AP has for it.

If the AP has multiple buffered frames for the client, it can send them during an EDCA transmit opportunity (TXOP) with interleaved ACKs, meaning a burst of frames can be sent rather than individual frames.

PS-Poll Wireshark filter
wlan.fc.type_subtype == 0x1a

To filter them out
wlan.fc.type_subtype != 0x1a

Chapter 3 - 802.11 Frame Types

Management Frames - These frames are aptly named since they are used to help manage the WLAN. They do so by announcing information regarding the WLAN, and also have certain actions that they can perform. Below is a list of management frames and a description to go along with them.
  • Beacon - Used by the AP to advertise information about the BSS
  • Probe - Used by clients so that they can actually find a BSS/SSID to connect to.
  • Association - A client uses an association frame to associate to an AP and therefore start communicating through it.
  • Disassociation - The opposite of association.
  • Reassociation - If a client is already associated to an AP, it can reassociate to another AP in the same ESS.
  • Authentication - These frames come prior to association and are used to authenticate a STA to an AP.
  • Deauthentication - The opposite of authentication.
  • Action - These frames can trigger various actions within the cell they are transmitted in.

Control Frames - You might be sitting there thinking… wait, what's the difference between Management and Control? Don't those two words mean vaguely the same thing? Well, you're not wrong. But you can differentiate them like this: Management frames manage the WLAN, whereas Control frames orchestrate the air itself. Take a look at some of the common Control frame types below and I think you'll understand what I'm saying.
  • ACK - These are your normal ACKs, acknowledging the receipt of a frame
  • RTS - Request To Send
  • CTS - Clear To Send - These frames are used to reserve the medium for the transmission of another frame.
  • BlockAckReq - A frame used to request a Block ACK
  • BlockAck - Rather than send an ACK for every individual frame, a BlockAck can acknowledge multiple frames that were sent in a row.
  • Control Wrapper - A frame that carries another Control frame together with an HT Control field

Data Frames - For the most part these carry data. They will have the entire header for whatever MAC/PHY is being used, and then the MSDU. There are however some "Null Data" frames, which quite literally contain 0 bytes of data. These are used for various control functions relating to power management. Further, there are data frames that do not have QoS and use standard DCF, as well as QoS Data frames, which utilize EDCA.

PCF Frames - As we've noted a couple of times, PCF isn't actually in use. However this frame type is documented in the standard. The book calls out the fact that for the exam you should know that the 802.11n standard brought with it the ability to use a CF-End frame to signal that, despite owning the TXOP, the STA has no more data to send.

Chapter 3 - 802.11ac Frame Fields

802.11ac Frame Format

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Duration/ID - As implied by its name, this field has two purposes. Normally it contains the duration (in microseconds) for which the medium will be busy after this frame, which other STAs use to set their NAV timers. In PS-Poll frames it instead carries the AID of the transmitting STA (with the two high-order bits set), telling the AP that the STA is awake and that it can send any buffered frames it has waiting.

Address 1, 2, 3, 4 - Depending on whether the frame is being transmitted within an IBSS, from an AP to a STA, from a STA to an AP, or as part of a mesh/WDS link (indicated by the To DS and From DS bits in Frame Control), these addresses mean different things, as shown below.

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016

In the table above RA is the Receiver Address and DA is the Destination Address; TA is the Transmitter Address and SA is the Source Address. It may seem like some of these are redundant. However, remember that the MAC address of the AP radio is often going to be different from the BSSID, and in the case of a mesh the RA is the next "hop" in the mesh, whereas the DA is the intended final recipient of the frame.

Sequence Control - This is a 16-bit field used to reassemble fragmented frames and to detect duplicates when retransmissions arrive. It's made up of two parts: a 4-bit fragment number and a 12-bit sequence number. Every fragment of one MSDU carries the same sequence number *but* a different fragment number. This lets the receiver know which MSDU a fragment belongs to, whether it has already received that piece of the puzzle, and what order the pieces go in, since they can be received out of order. Sequence numbers start at 0 and increment by 1 for each new MSDU (or MMPDU) the STA transmits, until they reach 4095 and then wrap around to 0.

QoS Control - This is another 16-bit field that classifies the frame for queuing. Its low-order bits hold the Traffic Identifier (TID); for EDCA data frames this is a value of 0 to 7 that signifies the 802.11e User Priority (UP) of the frame. Remember that the eight UPs map to the 4 Access Categories (ACs) set forth by the Wi-Fi Alliance's WMM certification. Generally the lower the number, the lower the priority: for example UP 1 and 2 are AC_BK (WMM Background), which is the lowest priority. Fun fact, the lowest of the numbers (0) maps to Best Effort, which is a step above Background. This is because the mapping was designed to be backwards compatible with non-QoS devices without completely hamstringing them just because they weren't QoS capable.

HT Control - This 32-bit (4-byte) field, present only when the Order bit is set in QoS data and management frames, carries certain HT and VHT control information, such as antenna selection and beamforming feedback.

Frame Body - This field contains the actual payload (MSDU) being transmitted. When the frame is encrypted, the protection adds overhead to the body: 20 bytes for TKIP/RC4 (IV/ExtIV, MIC and ICV) or 16 bytes for CCMP/AES (CCMP header and MIC).

FCS - Frame Check Sequence - This field is used to detect errors in the transmission of the frame. It is a 32-bit Cyclic Redundancy Check (CRC) computed over the entire MAC header and frame body. The receiving STA runs the same CRC and must come up with the same FCS; otherwise the frame is discarded (and the STA waits an EIFS, as covered in Chapter 2). Note that the FCS only detects accidental corruption; it offers no protection against deliberate modification, which is what the MIC in the encrypted payload (and management frame protection) provides.
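To tie the frame fields in this section together with the Wireshark filter values used in the frame walk-through above, here is a small MAC header decoder (an added example, not from the CWAP guide or these notes). It pulls the type and subtype out of Frame Control and reports the combined value that wlan.fc.type_subtype matches on, decodes the flag bits, treats Duration/ID as an AID for PS-Poll, applies the To DS / From DS address mapping, splits Sequence Control, and maps the QoS Control TID to its WMM access category. HT Control (Order bit) is not handled. The three headers in sample_frames() are constructed by hand for this example (no body, no FCS), and wireshark_filter() builds a display filter from subtype names.

```python
"""802.11 MAC header decoder (added example, not from the CWAP guide or these notes).

Frames in sample_frames() are hand-built headers only (no body, no FCS).
"""
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPE_NAMES = {
    0x00: "Association Request", 0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0a: "Disassociation", 0x0b: "Authentication", 0x0c: "Deauthentication",
    0x0d: "Action", 0x18: "Block Ack Request", 0x19: "Block Ack", 0x1a: "PS-Poll",
    0x1b: "RTS", 0x1c: "CTS", 0x1d: "ACK", 0x20: "Data", 0x24: "Null Data",
    0x28: "QoS Data", 0x2c: "QoS Null",
}
# WMM mapping of user priority (TID 0-7) to access category; note UP 0 sits above 1 and 2.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def wireshark_filter(*names: str, exclude: bool = False) -> str:
    """Display filter matching (or, with exclude=True, hiding) the named subtypes."""
    by_name = {v: k for k, v in SUBTYPE_NAMES.items()}
    values = " ".join(f"0x{by_name[n]:02x}" for n in names)
    expr = f"wlan.fc.type_subtype in {{{values}}}"
    return f"!({expr})" if exclude else expr


def decode_header(frame: bytes) -> dict:
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    ts = (ftype << 4) | subtype                       # the wlan.fc.type_subtype value
    out = {"type": TYPE_NAMES.get(ftype, "Reserved"), "type_subtype": ts,
           "name": SUBTYPE_NAMES.get(ts, "unknown"),
           "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
           "retry": bool(flags & 0x08), "pwr_mgt": bool(flags & 0x10),
           "more_data": bool(flags & 0x20), "protected": bool(flags & 0x40)}
    if out["name"] == "PS-Poll":
        out["aid"] = duration & 0x3FFF                # Duration/ID carries the AID, top two bits set
    else:
        out["duration_us"] = duration & 0x7FFF
    out["RA"] = mac(frame[4:10])                      # Address 1 is always the receiver
    if ftype == 1:                                    # control frames: RA, plus TA for some subtypes
        if out["name"] in ("RTS", "PS-Poll", "Block Ack Request", "Block Ack"):
            out["TA"] = mac(frame[10:16])
        return out
    a2, a3 = mac(frame[10:16]), mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    out["fragment"], out["sequence"] = seq & 0xF, seq >> 4
    out["TA"] = a2                                    # Address 2 is always the transmitter
    offset = 24
    if not out["to_ds"] and not out["from_ds"]:       # IBSS or management: DA=RA, SA=TA
        out.update(DA=out["RA"], SA=a2, BSSID=a3)
    elif out["from_ds"] and not out["to_ds"]:         # AP -> STA
        out.update(DA=out["RA"], BSSID=a2, SA=a3)
    elif out["to_ds"] and not out["from_ds"]:         # STA -> AP
        out.update(BSSID=out["RA"], SA=a2, DA=a3)
    else:                                             # WDS / mesh: four addresses
        out.update(DA=a3, SA=mac(frame[24:30]))
        offset = 30
    if ftype == 2 and subtype & 0x8:                  # QoS Data subtypes carry QoS Control
        tid = struct.unpack_from("<H", frame, offset)[0] & 0xF
        out.update(tid=tid, ac=UP_TO_AC.get(tid, "n/a"))
        offset += 2
    out["header_len"] = offset
    return out


def sample_frames() -> dict:
    """Hand-built headers, constructed for this example."""
    bssid = bytes.fromhex("00112233aabb")
    sta = bytes.fromhex("665544332211")
    dst = bytes.fromhex("0a0b0c0d0e0f")
    bcast = b"\xff" * 6
    beacon = struct.pack("<HH", 0x0080, 0) + bcast + bssid + bssid + struct.pack("<H", 291 << 4)
    ps_poll = struct.pack("<HH", 0x00A4, 0xC000 | 5) + bssid + sta       # AID 5
    qos_data = (struct.pack("<HH", 0x4188, 44) + bssid + sta + dst        # To DS, Protected
                + struct.pack("<H", (10 << 4) | 2)                        # seq 10, fragment 2
                + struct.pack("<H", 6))                                   # TID 6 -> AC_VO
    return {"beacon": beacon, "ps_poll": ps_poll, "qos_data": qos_data}


if __name__ == "__main__":
    for label, frame in sample_frames().items():
        d = decode_header(frame)
        print(f"{label}: {d['name']} (wlan.fc.type_subtype == 0x{d['type_subtype']:02x})")
        for k, v in d.items():
            print(f"  {k}: {v}")
```

The To DS / From DS branches are the address table from the study guide written out as code; when capturing, it is the decoded BSSID/SA/DA triple, not the raw Address 1 to 3 slots, that you should compare across a client's frames, since the slots swap meaning as soon as the direction changes.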