Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept

The Results



The responses in table one varied all the way from never leaving stage 1 to successful redirection. The most interesting cases are the drivers that successfully made it to stage 3. There are three cases of this. The cases marked ORIGINAL_BSSID are what was initially expected from many devices, that they would simply ignore the redirect request and continue to transmit on the PAP BSSID. The REDIRECT_REASSOC case is a successful redirection with a small twist. The card transmits all data to VBSSID, however it periodically sends out reassociation requests to the PAP BSSID.

The SCHIZO case is the other case that made it into stage 3. In this case the card is listening on the PAP BSSID and then proceeds to transmit on the VBSSID. The device seems to ignore any data transmitted to it on the VBSSID.

As mentioned previously in table two, the possibilty of ignoring authentication reply's has been eliminated by not mangling fields until the association request. This opened up the possibilty for some interesting responses.

The Apple airport extreme card responded with a flood of deauthentication packets to the null BSSID with a destination of the AP (DEAUTH_FLOOD). The Atheros card is the only other card that sent a deauth, though it had a much more measured response, sending a single de-auth to the original BSSID (SIMPLE_DEAUTH_STA).

The other new response in table 2 is the DUAL_BSSID behavior. These cards seem to alternate intentionally between both BSSIDS on every other transmitted packet. It is unknown whether they continue to do this for the entire connection or if this is some sort of intentional behavior and they will choose whichever BSSID they receive data on first.

The experiment provided some very surprising results. Originaly it was suspected that many cards would simply never enter stage 3, or alternately just use the original BSSID they set out to. Quite a few cards can be convinced to go into dual BSSID behavior and might be susceptible to association redirection. Two drivers for the hermes chipset were successfuly redirected.