TW201112811A - Service network detecting system and method - Google Patents

Service network detecting system and method

Info

Publication number
TW201112811A
Authority
TW
Taiwan
Prior art keywords
access point
packet
data packet
site
station
Prior art date
Application number
TW98132639A
Other languages
Chinese (zh)
Other versions
TWI410152B (en)
Inventor
Cheng-Wen Tang
Original Assignee
Hon Hai Prec Ind Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hon Hai Prec Ind Co Ltd filed Critical Hon Hai Prec Ind Co Ltd
Priority to TW98132639A priority Critical patent/TWI410152B/en
Publication of TW201112811A publication Critical patent/TW201112811A/en
Application granted granted Critical
Publication of TWI410152B publication Critical patent/TWI410152B/en

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method intercepts a packet sent to an access point (AP) from a first station that communicates with the AP, amends data in the packet to generate two amended packets having a wrong message integrity code, and sends the two amended packets to the AP using a valid media access control address, to interrupt communication between the AP and all stations. The method then intercepts a reassociation packet sent from the first station and retrieves the service set identification of the AP from the reassociation packet, in order to connect another station to the corresponding network.

Description

VI. Description of the Invention

[Technical Field]

[0001] The present invention relates to a wireless communication method, and in particular to a system and method for detecting a service network.

[Prior Art]

[0002] A station is the most basic component of a wireless network, and the basic service set (BSS) is the most basic service unit of a wireless network. The simplest service set can consist of only two stations. The service set identifier (SSID) identifies a service network and is usually broadcast by an access point (AP). Generally, a station can use its automatic detection function to see the SSIDs of the service networks within the service area and select one SSID in order to connect to the corresponding service network. However, if a service network turns off its SSID broadcast, that is, hides its SSID, a station can connect to that network only by setting the SSID manually, which requires the station to know the SSID first.

[Summary of the Invention]

[0003] In view of the above, it is necessary to provide a service network detection system and method that can find networks whose service set identifier is hidden.

[0004] A service network detection system runs on a station that does not know the SSID of an access point in advance. The system includes a listening module, a modifying module, a sending module, and an extracting module. The listening module listens for encrypted packets sent to an access point by a station that is communicating normally with that access point. The modifying module modifies the data in the encrypted packet to generate two encrypted packets with incorrect message integrity check values. The sending module uses the legitimate media access control address of the station that is communicating normally with the access point to send the two encrypted packets with incorrect message integrity check values to the access point, so as to interrupt the communication connection between the access point and all stations. The listening module also listens for the reassociation request packet sent to the access point by the station that was originally communicating normally with it, and for the reassociation response packet that the access point returns to that station. The extracting module extracts the SSID of the access point from the reassociation request packet or the reassociation response packet and stores the SSID on the station that did not know it in advance, thereby connecting that station to the service network of the access point.

[0005] A service network detection method includes the following steps:
(A) broadcasting a probe request packet to look for service networks;
(B) receiving a probe response packet unicast by, or a beacon packet from, an access point that hides its SSID;
(C) listening for an encrypted packet sent to the access point by a station that is communicating normally with the access point;
(D) modifying the data in the encrypted packet to generate two packets with incorrect message integrity check values;
(E) using the legitimate media access control address of the station that is communicating normally with the access point to send the two packets with incorrect message integrity check values to the access point, so as to interrupt the communication connection between the access point and all stations;
(F) listening for the reassociation request packet sent to the access point by the station that was originally communicating normally with it, or the reassociation response packet that the access point returns to that station;
(G) extracting the SSID of the access point from the reassociation request packet or the reassociation response packet, thereby connecting the station that did not know the SSID in advance to the service network of the access point.

[0006] Compared with the prior art, the service network detection system and method provided by the present invention can detect the SSID of a network whose SSID is hidden, and thereby connect a station to that network.

[Embodiments]

[0007] FIG. 1 is an application environment diagram of a preferred embodiment of the service network detection system of the present invention. First, station 10 broadcasts a probe request packet to look for service networks. After receiving the probe request packet, access point (AP) 30 unicasts a probe response packet. AP 30 may also, at regular intervals, send a beacon packet to all stations in its coverage area to tell them that the service network exists. However, because the SSID in the probe response packet or beacon packet is empty, only designated stations that know the SSID in advance, such as station 20, can communicate with AP 30. Station 10, which does not know the SSID, cannot learn the SSID of AP 30 and therefore cannot establish a communication connection with AP 30. Station 10 or 20 is a computer or a group of computers connected at high speed.

[0008] In this embodiment, the service network detection system 100 is installed and runs on station 10. As shown in FIG. 2, the service network detection system 100 includes a listening module 110, a modifying module 120, a sending module 130, and an extracting module 140.

[0009] The listening module 110 listens for encrypted packets sent to AP 30 by a station that is communicating normally with AP 30, such as station 20. The encrypted packets here are usually temporal key integrity protocol (TKIP) packets.

[0010] To keep information from being snooped while it is transmitted over a wireless network, packets are usually protected by encryption. Wired equivalent privacy (WEP) and TKIP are two encryption protocols commonly used in wireless networks. WEP is a symmetric encryption algorithm: the encryption key is the same as the decryption key, and all WEP packets are encrypted with the same key. TKIP improves on WEP by increasing the key length and encrypting each packet with a different key. In addition, TKIP adds a message integrity check (MIC) to detect replayed or forged packets; both communicating parties must each compute a function to verify the integrity of the message. For example, station 20 first uses an algorithm to compute a message checksum A for a packet, encapsulates A in the packet, and sends the encrypted packet to AP 30. AP 30 decrypts the received packet, computes a message checksum B over the data, and compares B with A. If the packet was tampered with in transit so that B does not match A, AP 30 discards the packet. On receiving the first damaged packet, an AP 30 that uses TKIP usually sends an error report to station 20. If a second damaged packet is received within 60 seconds, AP 30 usually closes all connections for 1 minute and then assigns new keys to the stations, including station 20, that were originally communicating normally with AP 30.

[0011] The modifying module 120 modifies the data in the encrypted packet. For example, the modifying module 120 uses bit flipping (BF) to modify one or more bit values in the encrypted packet, changing 0 to 1 or 1 to 0, to generate two modified encrypted packets.

[0012] The sending module 130 uses the legitimate media access control (MAC) address of a station that is communicating normally with AP 30, such as station 20, to send the modified encrypted packets to AP 30 within 1 second. AP 30 uses its pre-stored key to decrypt the two encrypted packets received within 1 second from the legitimate MAC address, computes the MIC value of each packet, and compares each with the MIC value encapsulated in the corresponding packet. On finding the MIC values incorrect, it closes all connections for 1 minute, that is, it interrupts communication with the stations, including station 20, that were originally communicating normally with AP 30 for 1 minute.

[0013] The listening module 110 also listens for the reassociation request packet that a station originally communicating normally with AP 30, such as station 20, sends to AP 30 after it finds that communication has been interrupted, and for the reassociation response packet that AP 30 returns to that station (for example, station 20) after receiving the reassociation request packet. Because station 20 previously had a normal communication connection with AP 30, the reassociation request sent by station 20 necessarily includes the SSID of AP 30. Likewise, the reassociation response that AP 30 returns to station 20 also includes the SSID of AP 30.

[0014] The extracting module 140 extracts the SSID of AP 30 from the reassociation request packet or the reassociation response packet and stores the SSID on station 10. Station 10 can then establish a communication connection with AP 30.

[0015] FIG. 3 is a flowchart of a preferred embodiment of the service network detection method of the present invention.

[0016] Step S301: station 10 broadcasts a probe request packet to look for service networks.

[0017] Step S302: after receiving the probe request packet, AP 30 unicasts a probe response packet to station 10. AP 30 may also, at regular intervals, send a beacon packet to all stations in its coverage area to tell them that the service network exists. However, because the SSID in the probe response packet or beacon packet is empty, station 10 cannot establish a communication connection with AP 30 even if it receives the probe response packet or beacon packet.

[0018] Step S303: the listening module 110 of station 10 listens for an encrypted packet, for example TKIP packet A, sent to AP 30 by a station that is communicating normally with AP 30, such as station 20. The modifying module 120 uses bit flipping to modify one or more bit values in the data of TKIP packet A, changing 0 to 1 or 1 to 0, to generate two TKIP packets A1 and A2 with incorrect MIC values.

[0019] Step S304: the sending module 130 uses the legitimate MAC address of a station that is communicating normally with AP 30, such as station 20, to send the two TKIP packets A1 and A2 with incorrect MIC values to AP 30 within 1 second, so that AP 30 interrupts its communication connections with all stations.

[0020] Step S305: the listening module 110 listens for the reassociation request packet that a station originally communicating normally with AP 30, such as station 20, sends to AP 30 after it finds that communication has been interrupted, and for the reassociation response packet that AP 30 returns to that station (for example, station 20) after receiving the reassociation request packet.

[0021] Step S306: the extracting module 140 extracts the SSID of AP 30 from the reassociation request packet and the reassociation response packet and stores the SSID on station 10, thereby establishing a communication connection between station 10 and AP 30.

[0022] The above is only a preferred embodiment of the present invention and has achieved broad utility. All other equivalent changes or modifications completed without departing from the spirit disclosed by the present invention shall be included in the scope of the claims below.

[Brief Description of the Drawings]

[0023] FIG. 1 is an application environment diagram of a preferred embodiment of the service network detection system of the present invention.

[0024] FIG. 2 is a functional module diagram of a preferred embodiment of the service network detection system of the present invention.

[0025] FIG. 3 is a flowchart of a preferred embodiment of the service network detection method of the present invention.

[Description of Main Element Symbols]

[0026] Stations 10, 20
[0027] Access point 30
[0028] Service network detection system 100
[0029] Listening module 110
[0030] Modifying module 120
[0031] Sending module 130
[0032] Extracting module 140
[0033] S301: Station 10 broadcasts a probe request packet to look for service networks
[0034] S302: Station 10 receives a beacon or probe response packet sent by an AP; the SSID in the packet is empty
[0035] S303: Listen for encrypted packet A sent to AP 30 by a station (for example, station 20) that is communicating normally with AP 30, and modify one or more bit values in the data of packet A to generate two packets A1 and A2 with incorrect MIC values
[0036] S304: Use the legitimate MAC address of station 20 to send the two packets A1 and A2 with incorrect MIC values to the AP, to interrupt the communication connection between the AP and all stations
[0037] S305: Listen for the reassociation request packet sent by station 20 to the AP and the reassociation response packet sent by the AP to station 20
[0038] S306: Station 10 extracts the SSID of the AP from the reassociation request packet or the reassociation response packet and stores the SSID of the AP
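The countermeasure behaviour in paragraphs [0010] and [0012] leaves a recognizable trace on the monitoring side: two MIC failures on one access point inside 60 seconds, followed by reassociation requests from the stations that were cut off. The following is an added example, not part of the patent, of a check for that trace over constructed event records; the event format, the MAC addresses, and the 30-second reassociation grace period are assumptions.

```python
from dataclasses import dataclass, field

MIC_WINDOW_S = 60.0     # a second MIC failure inside this window triggers countermeasures [0010]
SHUTDOWN_S = 60.0       # the AP then closes all connections for one minute [0010], [0012]
BURST_S = 1.0           # the patent sends both modified packets within one second [0012]
REASSOC_GRACE_S = 30.0  # assumption: how long after the shutdown reassociations still count


@dataclass(frozen=True)
class Event:
    ts: float    # seconds since capture start
    bssid: str   # access point the frame was addressed to
    kind: str    # "mic_failure" or "reassoc_req"
    src: str     # transmitter MAC address as seen on the air


@dataclass
class Alert:
    bssid: str
    triggered_at: float
    same_source_burst: bool   # both failures carry one MAC and fall within BURST_S
    failure_sources: tuple
    reassoc_stations: set = field(default_factory=set)


def detect_forced_countermeasures(events):
    """Return one Alert per AP shutdown caused by two MIC failures within MIC_WINDOW_S."""
    alerts = []
    pending = {}   # bssid -> most recent MIC failure not yet paired with a second one
    active = {}    # bssid -> Alert whose shutdown/reassociation window is still open
    for ev in sorted(events, key=lambda e: e.ts):
        current = active.get(ev.bssid)
        if current is not None and ev.ts > current.triggered_at + SHUTDOWN_S + REASSOC_GRACE_S:
            del active[ev.bssid]
            current = None
        if ev.kind == "mic_failure":
            if current is not None:
                continue   # AP is already shut down; further failures add nothing
            prev = pending.pop(ev.bssid, None)
            if prev is not None and ev.ts - prev.ts <= MIC_WINDOW_S:
                alert = Alert(
                    bssid=ev.bssid,
                    triggered_at=ev.ts,
                    same_source_burst=(prev.src == ev.src and ev.ts - prev.ts <= BURST_S),
                    failure_sources=(prev.src, ev.src),
                )
                alerts.append(alert)
                active[ev.bssid] = alert
            else:
                pending[ev.bssid] = ev   # first failure: the AP only reports an error
        elif ev.kind == "reassoc_req" and current is not None:
            # Per [0013], each of these frames includes the AP's SSID.
            current.reassoc_stations.add(ev.src)
    return alerts


# Constructed sample events (locally administered MAC addresses, not real devices).
AP_30, AP_31, AP_32 = "02:00:00:00:00:30", "02:00:00:00:00:31", "02:00:00:00:00:32"
STA_20, STA_21, STA_22 = "02:00:00:00:00:20", "02:00:00:00:00:21", "02:00:00:00:00:22"
SAMPLE_EVENTS = [
    Event(50.0, AP_31, "mic_failure", STA_21),    # isolated failure
    Event(100.0, AP_30, "mic_failure", STA_20),   # two failures 0.4 s apart, same MAC
    Event(100.4, AP_30, "mic_failure", STA_20),
    Event(101.2, AP_30, "reassoc_req", STA_20),
    Event(103.0, AP_30, "reassoc_req", STA_21),
    Event(161.5, AP_30, "reassoc_req", STA_22),
    Event(200.0, AP_31, "mic_failure", STA_22),   # 150 s after the first: no countermeasures
    Event(300.0, AP_32, "mic_failure", STA_21),   # 40 s apart, different MACs
    Event(340.0, AP_32, "mic_failure", STA_22),
]

if __name__ == "__main__":
    for a in detect_forced_countermeasures(SAMPLE_EVENTS):
        label = "burst from one MAC" if a.same_source_burst else "two failures in window"
        print(f"{a.bssid} t={a.triggered_at:.1f}s {label}; "
              f"reassociations from {len(a.reassoc_stations)} station(s)")
```

A burst alert on a network that still uses TKIP means the hidden SSID should be treated as known to any listener in radio range.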

Claims (1)

VII. Claims:

1. A service network detection method, comprising:
broadcasting a probe request packet to look for service networks;
receiving a probe response packet or a beacon packet sent by an access point that hides its service set identifier;
listening for an encrypted packet sent to the access point by a station that is communicating normally with the access point;
modifying the data in the encrypted packet to generate two packets with incorrect message integrity check values;
using the legitimate media access control address of the station that is communicating normally with the access point to send the two packets with incorrect message integrity check values to the access point, so as to interrupt the communication connection between the access point and all stations;
listening for the reassociation request packet sent to the access point by the station that was originally communicating normally with the access point, or the reassociation response packet that the access point returns to that station;
extracting the service set identifier of the access point from the reassociation request packet or the reassociation response packet, thereby connecting a station that did not know the service set identifier of the access point in advance to the service network of the access point.

2. The method of claim 1, wherein the data in the encrypted packet is modified by bit flipping.

3. The method of claim 1, wherein the encrypted packet is a packet encrypted with the temporal key integrity protocol.

4. The method of claim 1, wherein the access point pre-stores the decryption key for encrypted packets sent by stations that are communicating normally with it; after decrypting a packet with the decryption key, the access point computes the message integrity check value of the packet and compares it with the message integrity check value encapsulated in the packet; and when, within a certain time, it receives two packets with incorrect message integrity check values sent from a legitimate media access control address, it temporarily interrupts its communication connections with all stations.

5. The method of claim 1, wherein the station is a computer or a group of computers connected at high speed.

6. A service network detection system, comprising:
a listening module for listening for an encrypted packet sent to an access point by a station that is communicating normally with the access point;
a modifying module for modifying the data in the encrypted packet to generate two encrypted packets with incorrect message integrity check values;
a sending module for using the legitimate media access control address of the station that is communicating normally with the access point to send the two encrypted packets with incorrect message integrity check values to the access point, so as to interrupt the communication connection between the access point and all stations;
the listening module being further used to listen for the reassociation request packet sent to the access point by the station that was originally communicating normally with the access point, or for the reassociation response packet that the access point returns to that station;
an extracting module for extracting the service set identifier of the access point from the reassociation request packet or the reassociation response packet and storing the service set identifier on a station that did not know the service set identifier of the access point in advance, thereby connecting that station to the service network of the access point.

7. The system of claim 6, wherein the data in the encrypted packet is modified by bit flipping.

8. The system of claim 6, wherein the encrypted packet is a packet encrypted with the temporal key integrity protocol.

9. The system of claim 6, wherein the access point pre-stores the decryption key for encrypted packets sent by stations that are communicating normally with it; after decrypting a packet with the decryption key, the access point computes the message integrity check value of the packet and compares it with the message integrity check value encapsulated in the packet; and when, within a certain time, it receives two packets with incorrect message integrity check values sent from a legitimate media access control address, it temporarily interrupts its communication connections with all stations.

10. The system of claim 6, wherein the station is a computer or a group of computers connected at high speed.
TW98132639A 2009-09-28 2009-09-28 Service network detecting system and method TWI410152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW98132639A TWI410152B (en) 2009-09-28 2009-09-28 Service network detecting system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW98132639A TWI410152B (en) 2009-09-28 2009-09-28 Service network detecting system and method

Publications (2)

Publication Number Publication Date
TW201112811A true TW201112811A (en) 2011-04-01
TWI410152B TWI410152B (en) 2013-09-21

Family

ID=44909385

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98132639A TWI410152B (en) 2009-09-28 2009-09-28 Service network detecting system and method

Country Status (1)

Country Link
TW (1) TWI410152B (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7333800B1 (en) * 2004-09-08 2008-02-19 Airtight Networks, Inc. Method and system for scheduling of sensor functions for monitoring of wireless communication activity

Also Published As

Publication number Publication date
TWI410152B (en) 2013-09-21

Similar Documents

Publication Publication Date Title
US10691788B2 (en) Systems and methods for provisioning a camera with a dynamic QR code and a BLE connection
US7640585B2 (en) Intrusion detection sensor detecting attacks against wireless network and system and method of detecting wireless network intrusion
US11432108B2 (en) Privacy protection gateway for vehicles
US8151351B1 (en) Apparatus, method and computer program product for detection of a security breach in a network
US9143931B2 (en) Privacy control for wireless devices
CN111988289B (en) EPA industrial control network security test system and method
JP5239123B2 (en) Wireless LAN system
CN102026186B (en) Service network detection system and method
CN106230587A (en) Long connection anti-replay attack method
US11019037B2 (en) Security improvements in a wireless data exchange protocol
CN111355695A (en) Security agent method and device
CN104410642B (en) Equipment access cognitive method based on ARP protocol
US7623666B2 (en) Automatic setting of security in communication network system
KR101725129B1 (en) Apparatus for analyzing vulnerableness of wireless lan
JP3495030B2 (en) Intrusion data countermeasure processing device, intrusion data countermeasure processing method, and intrusion data countermeasure processing system
JP2007529933A (en) Protocol extension of signaling messages
Shue et al. From an {IP} Address to a Street Address: Using Wireless Signals to Locate a Target
WO2008014666A1 (en) An apparatus and a method for reporting the error of each level of the tunnel data packet in a communication network
TW201112811A (en) Service network detecting system and method
US20090204690A1 (en) Identifying a location of a server
US20150260826A1 (en) Determining the precise geolocation of a wireless internet target
CN105827427B (en) Information processing method and electronic equipment
CN104254141B (en) Service data transmission method, equipment and system
TWI713793B (en) IOT SYSTEM USING IPv6 AND OPERATING METHOD THEREOF
JP7430397B2 (en) WIPS sensor, wireless communication system, wireless intrusion prevention method and wireless intrusion prevention program

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees