802.11b attacks on 802.11g
Posted by William
This is a follow-up to the Aireplay injection blog post, in which I explained how I was able to perform WEP cracking using aireplay by attacking an 802.11g network with an 802.11b card. My results were sporadic, but I soon figured out why. The type of modulation used by an access point is the main factor that determines whether you will be able to see 802.11g station traffic on your 802.11b card. Both 802.11b and 802.11g use the same frequency band and channels, so the potential exists for an 802.11b station's signal to collide with an 802.11g station's signal. When an access point sees a mixed environment it starts to use protection mechanisms to prevent DSSS transmissions (802.11b) from colliding with OFDM transmissions (802.11g). One mode that can be used is DSSS-OFDM, in which the preamble and the PLCP low-level headers are modulated using DBPSK or DQPSK and the rest of the packet is sent in OFDM. 802.11b stations can now see the low-level headers, so no collisions occur. If only 802.11g stations exist, ERP-OFDM is used to modulate the entire packet, and in this pure-802.11g scenario an 802.11b sniffer will not see anything.
802.11g uses OFDM modulation to achieve 54 Mbps data rates, while 802.11b uses DQPSK (Differential Quaternary Phase Shift Keying) to reach 11 Mbps with the proper encoding and DBPSK (Differential Binary Phase Shift Keying) for a rate of 1 Mbps. The inner workings of 802.11 are a bit more complicated than this; it is just a simplified explanation.
Let's say you use an SMC2532W-B or any other Prism 2.5 based card to sniff on a network with 802.11g stations. At first you will not see anything, because only 802.11g stations exist and ERP-OFDM mode is in use. Now let's say an 802.11b station associates to the access point. This causes the access point to use DSSS-OFDM mode to prevent collisions, and your 802.11b card will now see only the low-level headers of each packet. If you were using aireplay to capture and reinject a packet, you will see the packet, but the replay will not work because you are only replaying headers. Next, let's say more 802.11b stations associate. The access point may decide to switch to a different modulation scheme for maximum compatibility and less overhead, such as DQPSK or DBPSK, which brings the data rate of the 802.11g stations down to the same level as the 802.11b stations; now your 802.11b card running aireplay will see the entire packet and injection will be successful. Another scenario in which you could sniff an 802.11g station's traffic is when the station is far enough from the access point that it has to drop its data rate and use a more robust modulation technique such as DQPSK or DBPSK; again, your 802.11b card will sniff successfully.
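The protection state described in the scenarios above is advertised by the access point itself: the ERP Information Element in its beacons carries the NonERP_Present and Use_Protection bits, and the Supported Rates elements list which DSSS and OFDM rates are offered. The decoder below is an added example, not code from the original post; the beacon bytes are constructed, and the visibility verdicts follow the behaviour described above.

```python
# Added example (not from the original post): decode the ERP Information Element
# (ID 42) and the Supported Rates elements (IDs 1 and 50) from a beacon frame body,
# to tell whether an 802.11g AP has enabled b/g protection, which is what decides
# how much of the traffic an 802.11b-only sniffer can capture.
import struct

SSID_ID, RATES_ID, ERP_ID, EXT_RATES_ID = 0, 1, 42, 50
DSSS_RATES = {1.0, 2.0, 5.5, 11.0}   # DBPSK/DQPSK (802.11b) rates in Mbit/s
FIXED_LEN = 12                        # timestamp(8) + beacon interval(2) + capability(2)

def parse_ies(body):
    """Yield (element_id, value) from the tagged parameters after the fixed fields."""
    i = FIXED_LEN
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln

def decode_beacon(body):
    info = {"erp": None, "rates": []}
    for eid, val in parse_ies(body):
        if eid == ERP_ID and val:
            info["erp"] = {"non_erp_present": bool(val[0] & 0x01),
                           "use_protection": bool(val[0] & 0x02),
                           "barker_preamble": bool(val[0] & 0x04)}
        elif eid in (RATES_ID, EXT_RATES_ID):
            for b in val:                 # high bit = basic rate, low 7 bits = rate * 2
                mbps = (b & 0x7F) / 2
                mod = "DSSS" if mbps in DSSS_RATES else "OFDM"
                info["rates"].append((mbps, mod, bool(b & 0x80)))
    return info

def b_sniffer_visibility(info):
    """Summarize what an 802.11b-only card can capture from this AP."""
    erp = info["erp"]
    if erp is None:
        return "no ERP element: 802.11b AP, all frames DSSS, fully visible"
    if erp["use_protection"]:
        return ("protection on: OFDM frames are wrapped in DSSS-modulated headers or "
                "RTS/CTS exchanges, so an 802.11b card sees the DSSS part only")
    if any(mod == "DSSS" and basic for _, mod, basic in info["rates"]):
        return "pure ERP-OFDM data: 802.11b card sees only frames sent at DSSS basic rates"
    return "g-only (no DSSS basic rates): 802.11b card sees nothing"

# Constructed beacon body: fixed fields, SSID, rates 1/2/5.5/11 (basic) and 6/9/12/18,
# DS channel 6, ERP element with NonERP_Present and Use_Protection set, ext rates 24-54.
SAMPLE_BEACON = (struct.pack("<QHH", 0, 100, 0x0411)
                 + bytes([SSID_ID, 4]) + b"test"
                 + bytes([RATES_ID, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
                 + bytes([3, 1, 6])
                 + bytes([ERP_ID, 1, 0x03])
                 + bytes([EXT_RATES_ID, 4, 0x30, 0x48, 0x60, 0x6C]))
```

Feed `decode_beacon` the body of a captured beacon (everything after the 802.11 MAC header) and `b_sniffer_visibility` reports which of the three cases from the walkthrough the access point is currently in.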
If you were to use aireplay with an 802.11g card such as a Netgear WG511 and then replay the packet, or chopchop it, with an 802.11b Prism card (the SMC2532W-B is a good example), the 802.11b card will successfully inject or chopchop it, because the packet was originally captured by an 802.11g card that captured the entire packet. I highly recommend that you all read about the modulation and encoding techniques of 802.11 to learn how 802.11 works at the physical layer.
I recommend the following two books as excellent resources:
802.11 (Wi-Fi) Networking Handbook
CWNA Official Study Guide
~William