| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| links [2015/04/09 05:40] – [Technique Papers] Pixie dust attack mister_x | links [2018/09/11 20:19] – [Additional Papers] Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives mister_x |
|---|
| * Chopchop technique description: [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=196|Byte-Sized Decryption of WEP with Chopchop, Part 1]] and [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=197|Byte-Sized Decryption of WEP with Chopchop, Part 2]] | * Chopchop technique description: [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=196|Byte-Sized Decryption of WEP with Chopchop, Part 1]] and [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=197|Byte-Sized Decryption of WEP with Chopchop, Part 2]] |
| * [[http://download.aircrack-ng.org/wiki-files/doc/Vulnerabilities%20of%20IEEE%20802.11i%20Wireless%20LAN%20CCMP%20Protocol.pdf|Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol]]. | * [[http://download.aircrack-ng.org/wiki-files/doc/Vulnerabilities%20of%20IEEE%20802.11i%20Wireless%20LAN%20CCMP%20Protocol.pdf|Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol]]. |
| * [[http://www.nowires.org/Papers-PDF/WPA_attack.pdf|Weaknesses in the WPA Temporal Key Hash]]. | * [[http://dl.aircrack-ng.org/wiki-files/doc/technique_papers/WPA_attack.pdf|Weaknesses in the WPA Temporal Key Hash]]. |
| * [[http://eprint.iacr.org/2007/471|Attacks on the WEP protocol]] by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is fastest publicly known key recovery attack against WEP protected networks. | * [[http://eprint.iacr.org/2007/471|Attacks on the WEP protocol]] by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is fastest publicly known key recovery attack against WEP protected networks. |
| * [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here is the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. | * [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here is the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. |
| * [[http://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin | * [[http://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin |
| * [[http://www.wifislax.com/wps-pixie-dust-attack/|Pixie dust attack]] on WPS. Presentation available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]]. And they have a [[http://www.github.com/wiire/pixiewps|GitHub repository]]. | * [[http://dl.aircrack-ng.org/wiki-files/doc/Encrypted_WiFi_packet_injection.pdf|Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems]] by Tim de Waal |
| |
| ===== Additional Papers ==== | ===== Additional Papers ==== |
| * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001. | * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001. |
| * [[http://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. | * [[http://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. |
| | * [[https://www.rc4nomore.com/vanhoef-usenix2015.pdf|All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS]] by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found [[https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_vanhoef.pdf|here]] and the video of the presentation [[https://www.usenix.org/node/190889|here]]. |
| | * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie dust attack]] on WPS. Presentation available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]]. And they have a [[http://www.github.com/wiire/pixiewps|GitHub repository]]. |
| | * [[http://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[http://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]] and [[https://github.com/vanhoefm/broadkey|code]]) |
| | * [[https://www.petsymposium.org/2017/papers/issue4/paper82-2017-4-source.pdf|A Study of MAC Address Randomization in Mobile Devices and When it Fails]] by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown |
| | * [[http://papers.mathyvanhoef.com/asiaccs2016.pdf|Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms]], Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens |
| | * [[http://papers.mathyvanhoef.com/wisec2016.pdf|Defeating MAC Address Randomization Through Timing Attacks]], C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef |
| | * [[http://papers.mathyvanhoef.com/phdthesis.pdf|A Security Analysis of the WPA-TKIP and TLS Security Protocols]], Mathy Vanhoef |
| | * [[https://lirias.kuleuven.be/bitstream/123456789/572634/1/asiaccs2017.pdf|Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing]], Mathy Vanhoef, D. Schepers, and F. Piessens |
| | * [[http://papers.mathyvanhoef.com/blackhat2017.pdf|WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake]], Mathy Vanhoef |
| | * [[https://papers.mathyvanhoef.com/ccs2017.pdf|Key Reinstallation AttACK]], Mathy Vanhoef, Frank Piessens ([[https://papers.mathyvanhoef.com/ccs2017-slides.pdf|Slides]]). [[https://github.com/vanhoefm/krackattacks-scripts|GitHub repository]] with scripts to test if client or AP are vulnerable. |
| | * [[https://papers.mathyvanhoef.com/woot2018.pdf|Symbolic Execution of Security Protocol Implementations: |
| | Handling Cryptographic Primitives]] by Mathy Vanhoef and Frank Piessens |
| ===== 802.11 Specifications ==== | ===== 802.11 Specifications ==== |
| |
| * The most popular is [[http://www.kali.org/|Kali Linux]] since they have all the patched drivers and a full set of tools. | * The most popular is [[http://www.kali.org/|Kali Linux]] since they have all the patched drivers and a full set of tools. |
| * [[http://www.pentoo.ch|Pentoo]] can be run off a CD or USB. It is based on Gentoo. | * [[http://www.pentoo.ch|Pentoo]] can be run off a CD or USB. It is based on Gentoo. |
| * Beini a really small live CD based on TinyCore Linux ([[http://forum.aircrack-ng.org/index.php?topic=6115.0|Forum Thread]]). | * [[http://www.wifiway.org/category/download/|WifiWay]]. See these two threads ( [[http://forum.aircrack-ng.org/index.php?topic=1696.0|thread]] or [[http://forum.aircrack-ng.org/index.php?topic=1985|thread]] ) regarding how to use it with the Aircrack-ng suite. |
| * [[http://www.wifiway.org/category/download/|WifiWay]]. See these two threads ( [[http://forum.aircrack-ng.org/index.php?topic=1696.0|thread]] or [[http://forum.aircrack-ng.org/index.php?topic=1985|thread]] ) regarding how to use it with the aircrack-ng suite. | * [[https://blackarch.org/|BlackArch]] |
| |
| ===== Card and Antenna Connectors ===== | ===== Card and Antenna Connectors ===== |
| ===== Microsoft Windows Specific ===== | ===== Microsoft Windows Specific ===== |
| |
| This section is links to materials specifically related to injection and monitoring support under Microsoft Vista. | This section is links to materials specifically related to injection and monitoring support. |
| |
| * [[http://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code. | * [[http://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code. |
| * [[http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the [[http://www.inguardians.com/tools/index.html|InGuardians Tools page]]. | * [[http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the [[http://www.inguardians.com/tools/index.html|InGuardians Tools page]]. |
| | * [[http://www.npcap.org|NPcap]] is Nmap's packet sniffing library for Windows, based on WinPCAP, Libpcap. Downloads are available on the [[https://github.com/nmap/npcap|GitHub]] repository. |
| |
