| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| links [2017/01/09 21:09] – [Live Distributions] Added BlackArch mister_x | links [2018/09/11 20:19] – [Additional Papers] Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives mister_x |
|---|
| * [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here is the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. | * [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here is the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. |
| * [[http://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin | * [[http://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin |
| * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie dust attack]] on WPS. Presentation available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]]. And they have a [[http://www.github.com/wiire/pixiewps|GitHub repository]]. | * [[http://dl.aircrack-ng.org/wiki-files/doc/Encrypted_WiFi_packet_injection.pdf|Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems]] by Tim de Waal |
| * [[http://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[http://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]]) | |
| |
| ===== Additional Papers ==== | ===== Additional Papers ==== |
| * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001. | * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001. |
| * [[http://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. | * [[http://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. |
| | * [[https://www.rc4nomore.com/vanhoef-usenix2015.pdf|All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS]] by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found [[https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_vanhoef.pdf|here]] and the video of the presentation [[https://www.usenix.org/node/190889|here]]. |
| | * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie dust attack]] on WPS. Presentation available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]]. And they have a [[http://www.github.com/wiire/pixiewps|GitHub repository]]. |
| | * [[http://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[http://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]] and [[https://github.com/vanhoefm/broadkey|code]]) |
| | * [[https://www.petsymposium.org/2017/papers/issue4/paper82-2017-4-source.pdf|A Study of MAC Address Randomization in Mobile Devices and When it Fails]] by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown |
| | * [[http://papers.mathyvanhoef.com/asiaccs2016.pdf|Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms]], Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens |
| | * [[http://papers.mathyvanhoef.com/wisec2016.pdf|Defeating MAC Address Randomization Through Timing Attacks]], C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef |
| | * [[http://papers.mathyvanhoef.com/phdthesis.pdf|A Security Analysis of the WPA-TKIP and TLS Security Protocols]], Mathy Vanhoef |
| | * [[https://lirias.kuleuven.be/bitstream/123456789/572634/1/asiaccs2017.pdf|Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing]], Mathy Vanhoef, D. Schepers, and F. Piessens |
| | * [[http://papers.mathyvanhoef.com/blackhat2017.pdf|WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake]], Mathy Vanhoef |
| | * [[https://papers.mathyvanhoef.com/ccs2017.pdf|Key Reinstallation AttACK]], Mathy Vanhoef, Frank Piessens ([[https://papers.mathyvanhoef.com/ccs2017-slides.pdf|Slides]]). [[https://github.com/vanhoefm/krackattacks-scripts|GitHub repository]] with scripts to test if client or AP are vulnerable. |
| | * [[https://papers.mathyvanhoef.com/woot2018.pdf|Symbolic Execution of Security Protocol Implementations: |
| | Handling Cryptographic Primitives]] by Mathy Vanhoef and Frank Piessens |
| ===== 802.11 Specifications ==== | ===== 802.11 Specifications ==== |
| |
| ===== Microsoft Windows Specific ===== | ===== Microsoft Windows Specific ===== |
| |
| This section is links to materials specifically related to injection and monitoring support under Microsoft Vista. | This section is links to materials specifically related to injection and monitoring support. |
| |
| * [[http://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code. | * [[http://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code. |
| * [[http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the [[http://www.inguardians.com/tools/index.html|InGuardians Tools page]]. | * [[http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the [[http://www.inguardians.com/tools/index.html|InGuardians Tools page]]. |
| | * [[http://www.npcap.org|NPcap]] is Nmap's packet sniffing library for Windows, based on WinPCAP, Libpcap. Downloads are available on the [[https://github.com/nmap/npcap|GitHub]] repository. |
| |
