How to use netlink to determine wifi protection WEP

How to use netlink to determine wifi protection WEP

[Thomas Thielemann]

Hello!

I need a solution to determine whether a WiFi is using WEP. I know there is a protection flag within MAC frame but do not know how to access.

To detect whether a WiFi i protected by WPA2 I found the following solution: 

Scan with

nl_sock* socket = nl_socket_alloc();
genl_connect(socket);
struct nl_msg* msg = nlmsg_alloc();
int driverId = genl_ctrl_resolve(socket, "nl80211"); 
genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0);

and fetch with

genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN, 0);

Read the received structure using nl80211_bss:: NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and

examine the field RSN(id=48) (see IEEE802.11-2012.pdf, chapter 8.4.2 Information elements)

Which netlink command gives me the related data? Is it NL80211_CMD_GET_BEACON?

Regards,
Thomas

E-Mail: th-thielemann@web.de

Re: How to use netlink to determine wifi protection WEP

[Dan Williams]

On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
> Hello!
> 
> I need a solution to determine whether a WiFi is using WEP. I know
> there is a protection flag within MAC frame but do not know how to
> access.
> 
> To detect whether a WiFi i protected by WPA2 I found the following
> solution: 
> 
> Scan with
> 
> nl_sock* socket = nl_socket_alloc();
> genl_connect(socket);
> struct nl_msg* msg = nlmsg_alloc();
> int driverId = genl_ctrl_resolve(socket, "nl80211"); 
> genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0);
> 
> and fetch with
> 
> genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN,
> 0);
> 
> Read the received structure using nl80211_bss::
> NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
> 
> examine the field RSN(id=48) (see IEEE802.11-2012.pdf, chapter 8.4.2
> Information elements)
> 
> Which netlink command gives me the related data? Is it
> NL80211_CMD_GET_BEACON?

You want both the beacon (for the Privacy bit) and the information
elements.

If the privacy bit is set in beacon and there are no WPA/WPA2/RSN-
related information elements, then the AP is using WEP.  Unfortunately
you don't know whether it's WEP-40 or WEP-104, but that's another
topic.

If the privacy bit is set, and there are WPA/WPA2/RSN information
elements, then the AP *might* be using WEP in compatibility mode.  This
isn't very common though, so you can probably just ignore this case.

Dan

Re: How to use netlink to determine wifi protection WEP

[Thomas Thielemann]

Thanks!

If the sequence is the following:

 1. Prepare and execute NL80211_CMD_TRIGGER_SCAN
 2. Prepare and execute NL80211_CMD_GET_SCAN
 Together with NL80211_CMD_GET_SCAN a callback is registered. 
 In the callback the raw data are parsed as BSS. The IE's are parsed to.

When do I have to fetch the beacon to get the right beacon but without lost of the scan result?
After I fetched all scan results or immediately after the receive of every scan result?

Regards,
Thomas


> Am 05.04.2017 um 19:24 schrieb Dan Williams <dcbw@redhat.com>:
> 
> On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
>> Hello!
>> 
>> I need a solution to determine whether a WiFi is using WEP. I know
>> there is a protection flag within MAC frame but do not know how to
>> access.
>> 
>> To detect whether a WiFi i protected by WPA2 I found the following
>> solution: 
>> 
>> Scan with
>> 
>> nl_sock* socket = nl_socket_alloc();
>> genl_connect(socket);
>> struct nl_msg* msg = nlmsg_alloc();
>> int driverId = genl_ctrl_resolve(socket, "nl80211"); 
>> genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN, 0);
>> 
>> and fetch with
>> 
>> genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP, NL80211_CMD_GET_SCAN,
>> 0);
>> 
>> Read the received structure using nl80211_bss::
>> NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
>> 
>> examine the field RSN(id=48) (see IEEE802.11-2012.pdf, chapter 8.4.2
>> Information elements)
>> 
>> Which netlink command gives me the related data? Is it
>> NL80211_CMD_GET_BEACON?
> 
> You want both the beacon (for the Privacy bit) and the information
> elements.
> 
> If the privacy bit is set in beacon and there are no WPA/WPA2/RSN-
> related information elements, then the AP is using WEP.  Unfortunately
> you don't know whether it's WEP-40 or WEP-104, but that's another
> topic.
> 
> If the privacy bit is set, and there are WPA/WPA2/RSN information
> elements, then the AP *might* be using WEP in compatibility mode.  This
> isn't very common though, so you can probably just ignore this case.
> 
> Dan
> 

Re: How to use netlink to determine wifi protection WEP

[Dan Williams]

On Thu, 2017-04-06 at 16:27 +0200, Thomas Thielemann wrote:
> Thanks!
> 
> If the sequence is the following:
> 
>  1. Prepare and execute NL80211_CMD_TRIGGER_SCAN
>  2. Prepare and execute NL80211_CMD_GET_SCAN
>  Together with NL80211_CMD_GET_SCAN a callback is registered. 
>  In the callback the raw data are parsed as BSS. The IE's are parsed
> to.
> 
> When do I have to fetch the beacon to get the right beacon but
> without lost of the scan result?
> After I fetched all scan results or immediately after the receive of
> every scan result?

The scan results are essentially the beacons, so you just need to read
the GET_SCAN.  Then when parsing the "bss info" you get from the scan
results handler that you registered, you look for:

NL80211_BSS_CAPABILITY: the Privacy bit is in here
NL80211_BSS_INFORMATION_ELEMENTS: the IEs are obviously in here

Dan

> Regards,
> Thomas
> 
> 
> > Am 05.04.2017 um 19:24 schrieb Dan Williams <dcbw@redhat.com>:
> > 
> > On Wed, 2017-04-05 at 09:27 +0200, Thomas Thielemann wrote:
> > > Hello!
> > > 
> > > I need a solution to determine whether a WiFi is using WEP. I
> > > know
> > > there is a protection flag within MAC frame but do not know how
> > > to
> > > access.
> > > 
> > > To detect whether a WiFi i protected by WPA2 I found the
> > > following
> > > solution: 
> > > 
> > > Scan with
> > > 
> > > nl_sock* socket = nl_socket_alloc();
> > > genl_connect(socket);
> > > struct nl_msg* msg = nlmsg_alloc();
> > > int driverId = genl_ctrl_resolve(socket, "nl80211"); 
> > > genlmsg_put(msg, 0, 0, driverId, 0, 0, NL80211_CMD_TRIGGER_SCAN,
> > > 0);
> > > 
> > > and fetch with
> > > 
> > > genlmsg_put(msg, 0, 0, driverId, 0, NLM_F_DUMP,
> > > NL80211_CMD_GET_SCAN,
> > > 0);
> > > 
> > > Read the received structure using nl80211_bss::
> > > NL80211_BSS_INFORMATION_ELEMENTS from nl80211.h and
> > > 
> > > examine the field RSN(id=48) (see IEEE802.11-2012.pdf, chapter
> > > 8.4.2
> > > Information elements)
> > > 
> > > Which netlink command gives me the related data? Is it
> > > NL80211_CMD_GET_BEACON?
> > 
> > You want both the beacon (for the Privacy bit) and the information
> > elements.
> > 
> > If the privacy bit is set in beacon and there are no WPA/WPA2/RSN-
> > related information elements, then the AP is using
> > WEP.  Unfortunately
> > you don't know whether it's WEP-40 or WEP-104, but that's another
> > topic.
> > 
> > If the privacy bit is set, and there are WPA/WPA2/RSN information
> > elements, then the AP *might* be using WEP in compatibility
> > mode.  This
> > isn't very common though, so you can probably just ignore this
> > case.
> > 
> > Dan
> > 
> 
>