| links [2017/10/17 23:16]  – [Additional Papers] Added more papers mister_x | links [2019/04/14 22:43] (current)  – [Additional Papers] Added 2 papers from M. Vanhoef mister_x | 
|---|---|
| ===== Wireless Basics and Tutorials ===== | ===== Wireless Basics and Tutorials ===== | 
|  |  | 
| * [[http://www.mcafee.com/us/resources/white-papers/foundstone/wp-80211-attacks.pdf|802.11 Attacks]] by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks. | * [[https://wiki-files.aircrack-ng.org/doc/others/wp-80211-attacks.pdf|802.11 Attacks]] by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks. | 
| * [[http://technet.microsoft.com/en-us/library/cc757419(v=ws.10).aspx|How 802.11 Wireless Works]] (thanks to Microsoft) | * [[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757419(v=ws.10)|How 802.11 Wireless Works]] (thanks to Microsoft) | 
| * [[http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/prod_white_paper09186a00800b469f.html|A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite]] | * [[https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/prod_white_paper09186a00800b469f.html|A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite]] | 
| * [[http://wow.eecs.berkeley.edu/ergen/docs/ieee.pdf|“IEEE 802.11 Tutorial” Mustafa Ergen, University of California Berkeley, June 2002.]] | * [[https://ptolemy.berkeley.edu/projects/ofdm/ergen/docs/ieee.pdf|“IEEE 802.11 Tutorial” Mustafa Ergen, University of California Berkeley, June 2002.]] | 
| * [[http://documentation.netgear.com/reference/fra/wireless/TOC.html|Wireless Basics (thanks to Netgear)]] | * [[https://web.archive.org/web/20070813043726/http://documentation.netgear.com:80/reference/fra/wireless/TOC.html|Wireless Basics (thanks to Netgear)]] | 
| * [[http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf|Management Frames]] This is a really excellent one-page overview of management frames and error messages. | * [[https://download.aircrack-ng.org/wiki-files/other/managementframes.pdf|Management Frames]] This is a really excellent one-page overview of management frames and error messages. | 
| * [[http://en.wikipedia.org/wiki/Radiation_pattern|Radiation Patterns for wireless antennas and how to calculate it]] | * [[https://en.wikipedia.org/wiki/Radiation_pattern|Radiation Patterns for wireless antennas and how to calculate it]] | 
| * [[http://tldp.org/HOWTO/Wireless-HOWTO.html|Wireless Howto]] (TLDP) | * [[https://www.tldp.org/HOWTO/Wireless-HOWTO.html|Wireless Howto]] (TLDP) | 
| * [[http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf|SANS Institute IEEE 802.11 Pocket Reference Guide]] | * [[http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf|SANS Institute IEEE 802.11 Pocket Reference Guide]] | 
| * [[http://www.airmagnet.com/assets/whitepaper/WP-802.11nPrimer.pdf|802.11n Primer by AirMagnet]] | * [[https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/802_11nPrimer_WP.pdf|802.11n Primer by AirMagnet]] | 
|  |  | 
|  |  | 
| This section covers papers which describe techniques incorporated into the aircrack-ng suite. | This section covers papers which describe techniques incorporated into the aircrack-ng suite. | 
|  |  | 
| * [[http://dl.aircrack-ng.org/wiki-files/doc/enhanced_tkip_michael.pdf|Enhanced TKIP Michael Attacks]] by Martin Beck. | * [[https://dl.aircrack-ng.org/wiki-files/doc/enhanced_tkip_michael.pdf|Enhanced TKIP Michael Attacks]] by Martin Beck. | 
| * [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] by Martin Beck and Erik Tews. Describes advanced attacks on WEP and the first practical attack on WPA. | * [[https://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] by Martin Beck and Erik Tews. Describes advanced attacks on WEP and the first practical attack on WPA. | 
| * [[http://arstechnica.com/security/2008/11/wpa-cracked/1/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman. Published November 06, 2008, 07:25PM CT. Provides a good explanation of the new WPA/TKIP exploit. | * [[https://arstechnica.com/security/2008/11/wpa-cracked/1/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman. Published November 06, 2008, 07:25PM CT. Provides a good explanation of the new WPA/TKIP exploit. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/rc4_ksaproc.pdf|Weaknesses in the Key Scheduling Algorithm of RC4]] by S. Fluhrer, I. Mantin and A. Shamir, August 2001. This is the original FMS paper. Alternate link: [[http://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps|rc4_ksaproc.ps]]. | * [[https://download.aircrack-ng.org/wiki-files/doc/rc4_ksaproc.pdf|Weaknesses in the Key Scheduling Algorithm of RC4]] by S. Fluhrer, I. Mantin and A. Shamir, August 2001. This is the original FMS paper. Alternate link: [[https://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps|rc4_ksaproc.ps]]. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/using_FMS_attack.pdf|Using Fluhrer, Mantin, and Shamir Attack to Break WEP]] by A. Stubblefield, J. Ioannidis and A. Rubin. Another version of the same paper: [[http://download.aircrack-ng.org/wiki-files/doc/A_Key_Recovery_Attack_on_the_wep.pdf|A Key Recovery Attack on the 802.11b WEP]] | * [[https://download.aircrack-ng.org/wiki-files/doc/using_FMS_attack.pdf|Using Fluhrer, Mantin, and Shamir Attack to Break WEP]] by A. Stubblefield, J. Ioannidis and A. Rubin. Another version of the same paper: [[https://download.aircrack-ng.org/wiki-files/doc/A_Key_Recovery_Attack_on_the_wep.pdf|A Key Recovery Attack on the 802.11b WEP]] | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/wepexp.txt|Practical Exploitation of RC4 Weaknesses in WEP Environments]] by David Hulton February 22, 2002. | * [[https://download.aircrack-ng.org/wiki-files/doc/wepexp.txt|Practical Exploitation of RC4 Weaknesses in WEP Environments]] by David Hulton February 22, 2002. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/sorwep.txt|Additional Weak IV Classes for the FMS Attack]] by Andrea Bittau September 12, 2003. | * [[https://download.aircrack-ng.org/wiki-files/doc/sorwep.txt|Additional Weak IV Classes for the FMS Attack]] by Andrea Bittau September 12, 2003. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/aircrack_reverse_engineer.pdf|Reverse Engineering of AirCrack Software]] by Roman, Fallet, Chandel and Nassif May 2005.  This describes the previous generation of aircrack. However the basics still apply. | * [[https://download.aircrack-ng.org/wiki-files/doc/aircrack_reverse_engineer.pdf|Reverse Engineering of AirCrack Software]] by Roman, Fallet, Chandel and Nassif May 2005.  This describes the previous generation of aircrack. However the basics still apply. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf|The Fragmentation Attack in Practice]] by Andrea Bittau September 17, 2005.  This paper provides a detailed technical description of the technique. A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page. | * [[https://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf|The Fragmentation Attack in Practice]] by Andrea Bittau September 17, 2005.  This paper provides a detailed technical description of the technique. A local copy of the presentation slides is located [[https://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page. | 
| * [[http://lasecwww.epfl.ch/abstracts/abstract_wep.shtml|Break WEP Faster with Statistical Analysis]] by Rafik Chaabouni, June 2006.  This paper describes the Korek attacks in detail and introduces a new one.  Here is the [[http://lasecwww.epfl.ch/pub/lasec/doc/cha06.pdf|link]] to the paper itself. | * [[https://lasec.epfl.ch/abstracts/abstract_wep.shtml|Break WEP Faster with Statistical Analysis]] by Rafik Chaabouni, June 2006.  This paper describes the Korek attacks in detail and introduces a new one.  Here is the [[https://lasec.epfl.ch/pub/lasec/doc/cha06.pdf|link]] to the paper itself. | 
| * Chopchop technique description: [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=196|Byte-Sized Decryption of WEP with Chopchop, Part 1]] and [[http://www.informit.com/guides/printerfriendly.aspx?g=security&seqNum=197|Byte-Sized Decryption of WEP with Chopchop, Part 2]] | * Chopchop technique description: [[https://dl.aircrack-ng.org/wiki-files/doc/others/Byte-Sized%20Decryption%20of%20WEP%20with%20Chopchop,%20Part%201.pdf|Byte-Sized Decryption of WEP with Chopchop, Part 1]] and [[https://dl.aircrack-ng.org/wiki-files/doc/others/Byte-Sized%20Decryption%20of%20WEP%20with%20Chopchop,%20Part%202%20-%20Inverse%20Arbaugh%20Attack.pdf|Byte-Sized Decryption of WEP with Chopchop, Part 2]] | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/Vulnerabilities%20of%20IEEE%20802.11i%20Wireless%20LAN%20CCMP%20Protocol.pdf|Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol]]. | * [[https://download.aircrack-ng.org/wiki-files/doc/Vulnerabilities%20of%20IEEE%20802.11i%20Wireless%20LAN%20CCMP%20Protocol.pdf|Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol]]. | 
| * [[http://dl.aircrack-ng.org/wiki-files/doc/technique_papers/WPA_attack.pdf|Weaknesses in the WPA Temporal Key Hash]]. | * [[https://dl.aircrack-ng.org/wiki-files/doc/technique_papers/WPA_attack.pdf|Weaknesses in the WPA Temporal Key Hash]]. | 
| * [[http://eprint.iacr.org/2007/471|Attacks on the WEP protocol]] by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally, a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is the fastest publicly known key recovery attack against WEP protected networks. | * [[https://eprint.iacr.org/2007/471|Attacks on the WEP protocol]] by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally, a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is the fastest publicly known key recovery attack against WEP protected networks. | 
| * [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, the authors also bypass the additional security settings offered by Cisco. Here are the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=WPA_MIGRATION_MODE&file=Meiners%2C_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. | * [[https://www.coresecurity.com/corelabs-research/publications/wpa-migration-mode-wep-back-haunt-you|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, the authors also bypass the additional security settings offered by Cisco. Here are the [[https://dl.aircrack-ng.org/wiki-files/doc/others/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[https://dl.aircrack-ng.org/wiki-files/doc/others/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. | 
| * [[http://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin | * [[https://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin | 
| * [[http://dl.aircrack-ng.org/wiki-files/doc/Encrypted_WiFi_packet_injection.pdf|Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems]] by Tim de Waal | * [[https://dl.aircrack-ng.org/wiki-files/doc/Encrypted_WiFi_packet_injection.pdf|Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems]] by Tim de Waal | 
|  |  | 
| ===== Additional Papers ===== | ===== Additional Papers ===== | 
| This section has papers which are referenced in the previous section or are simply interesting in the context of wireless. | This section has papers which are referenced in the previous section or are simply interesting in the context of wireless. | 
|  |  | 
| * [[http://eprint.iacr.org/2007/120.pdf|Breaking 104 bit WEP in less than 60 seconds]] by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, April 1, 2007.  The paper abstract is [[http://eprint.iacr.org/2007/120|here]].  The paper describes an active attack on WEP that requires extremely few packets.  The web page has a link to their tool which implements the technique. | * [[https://eprint.iacr.org/2007/120.pdf|Breaking 104 bit WEP in less than 60 seconds]] by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, April 1, 2007.  The paper abstract is [[https://eprint.iacr.org/2007/120|here]].  The paper describes an active attack on WEP that requires extremely few packets.  The web page has a link to their tool which implements the technique. | 
| * [[http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm|An Inductive Chosen Plaintext Attack against WEP/WEP2]] by William A. Arbaugh, May 2001. Here is the [[https://mentor.ieee.org/802.11/dcn/01/11-01-0230-01-000i-an-inductive-chosen-plaintext-attack-against-wep-wep2.ppt|Powerpoint version]]. | * [[https://www.cs.umd.edu/~waa/attack/v3dcmnt.htm|An Inductive Chosen Plaintext Attack against WEP/WEP2]] by William A. Arbaugh, May 2001. Here is the [[https://mentor.ieee.org/802.11/dcn/01/11-01-0230-01-000i-an-inductive-chosen-plaintext-attack-against-wep-wep2.ppt|Powerpoint version]]. | 
| * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Systems) and David Wagner (UC Berkeley), July 2001. | * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Systems) and David Wagner (UC Berkeley), July 2001. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Joshua Lackey, May 21, 2006.  A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. | * [[https://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Joshua Lackey, May 21, 2006.  A local copy of the presentation slides is located [[https://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. | 
| * [[https://www.rc4nomore.com/vanhoef-usenix2015.pdf|All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS]] by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found [[https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_vanhoef.pdf|here]] and the video of the presentation [[https://www.usenix.org/node/190889|here]]. | * [[https://www.rc4nomore.com/vanhoef-usenix2015.pdf|All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS]] by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found [[https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_vanhoef.pdf|here]] and the video of the presentation [[https://www.usenix.org/node/190889|here]]. | 
| * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie Dust attack]] on WPS. The presentation is available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]], and the tool has a [[http://www.github.com/wiire/pixiewps|GitHub repository]]. | * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie Dust attack]] on WPS. The presentation is available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]], and the tool has a [[https://github.com/wiire-a/pixiewps|GitHub repository]]. | 
| * [[http://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[http://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]] and [[https://github.com/vanhoefm/broadkey|code]]) | * [[https://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[https://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]] and [[https://github.com/vanhoefm/broadkey|code]]) | 
| * [[https://www.petsymposium.org/2017/papers/issue4/paper82-2017-4-source.pdf|A Study of MAC Address Randomization in Mobile Devices and When it Fails]] by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown | * [[https://www.petsymposium.org/2017/papers/issue4/paper82-2017-4-source.pdf|A Study of MAC Address Randomization in Mobile Devices and When it Fails]] by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown | 
| * [[http://papers.mathyvanhoef.com/asiaccs2016.pdf|Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms]], Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens | * [[https://papers.mathyvanhoef.com/asiaccs2016.pdf|Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms]], Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens | 
| * [[http://papers.mathyvanhoef.com/wisec2016.pdf|Defeating MAC Address Randomization Through Timing Attacks]], C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef | * [[https://papers.mathyvanhoef.com/wisec2016.pdf|Defeating MAC Address Randomization Through Timing Attacks]], C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef | 
| * [[http://papers.mathyvanhoef.com/phdthesis.pdf|A Security Analysis of the WPA-TKIP and TLS Security Protocols]], Mathy Vanhoef | * [[https://papers.mathyvanhoef.com/phdthesis.pdf|A Security Analysis of the WPA-TKIP and TLS Security Protocols]], Mathy Vanhoef | 
| * [[https://lirias.kuleuven.be/bitstream/123456789/572634/1/asiaccs2017.pdf|Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing]], Mathy Vanhoef, D. Schepers, and F. Piessens | * [[https://lirias.kuleuven.be/bitstream/123456789/572634/1/asiaccs2017.pdf|Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing]], Mathy Vanhoef, D. Schepers, and F. Piessens | 
| * [[http://papers.mathyvanhoef.com/blackhat2017.pdf, WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake]], Mathy Vanhoef | * [[https://papers.mathyvanhoef.com/blackhat2017.pdf|WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake]], Mathy Vanhoef | 
|  | * [[https://papers.mathyvanhoef.com/ccs2017.pdf|Key Reinstallation AttACK]], Mathy Vanhoef, Frank Piessens ([[https://papers.mathyvanhoef.com/ccs2017-slides.pdf|Slides]]). [[https://github.com/vanhoefm/krackattacks-scripts|GitHub repository]] with scripts to test whether a client or AP is vulnerable. | 
|  | * [[https://papers.mathyvanhoef.com/woot2018.pdf|Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives]] by Mathy Vanhoef and Frank Piessens | 
|  | * [[https://papers.mathyvanhoef.com/ccs2018.pdf|Release the Kraken: New KRACKs in the 802.11 Standard]], M. Vanhoef and F. Piessens | 
|  | * [[https://papers.mathyvanhoef.com/dragonblood.pdf|Dragonblood: A Security Analysis of WPA3’s SAE Handshake]], M. Vanhoef and E. Ronen | 
| ===== 802.11 Specifications ===== | ===== 802.11 Specifications ===== | 
|  |  | 
| Here are some links to learn more about WPA/WPA2: | Here are some links to learn more about WPA/WPA2: | 
|  |  | 
| * [[http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf|Brute forcing Wi-Fi Protected Setup]] by Stefan Viehböck. | * [[https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf|Brute forcing Wi-Fi Protected Setup]] by Stefan Viehböck. | 
| * [[http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009.  This is an excellent description of both WEP and WPA. | * [[https://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009.  This is an excellent description of both WEP and WPA. | 
| * [[http://www.wi-fiplanet.com/tutorials/article.php/3667586|WPA PSK Crackers: Loose Lips Sink Ships]] by Lisa Phifer, March 23, 2007 | * [[http://www.practicallynetworked.com/security/041207wpa_psk.htm|WPA PSK Crackers: Loose Lips Sink Ships]] by Lisa Phifer, March 23, 2007 | 
| * [[http://sid.rstack.org/pres/0810_BACon_WPA2_en.pdf|Packn' the PMK]] by Cedric Blancher and Simon Marechal. | * [[https://wiki-files.aircrack-ng.org/doc/wpa_wpa2_information/0810_BACon_WPA2_en.pdf|Packn' the PMK]] by Cedric Blancher and Simon Marechal. | 
| * [[http://www.willhackforsushi.com/presentations/TKIP_Attack_Webcast_2008-11-17.pdf|Understanding the WPA/WPA2 Break]] by Joshua Wright. | * [[http://www.willhackforsushi.com/presentations/TKIP_Attack_Webcast_2008-11-17.pdf|Understanding the WPA/WPA2 Break]] by Joshua Wright. | 
| * [[http://www.hsc.fr/ressources/articles/hakin9_wifi/index.html.en|Wi-Fi Security - WEP, WPA and WPA2]]  This is the [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|link]] to download the PDF directly. | * [[https://download.microsoft.com/download/5/7/7/577a5684-8a83-43ae-9272-ff260a9c20e2/WPA_Overview.doc|Wi-Fi Protected Access (WPA) Overview]] | 
| * [[http://download.microsoft.com/download/5/7/7/577a5684-8a83-43ae-9272-ff260a9c20e2/WPA_Overview.doc|Wi-Fi Protected Access (WPA) Overview]] |  | 
| * [[http://www.microsoft.com/technet/community/columns/cableguy/cg1104.mspx|Wi-Fi Protected Access Data Encryption and Integrity]] |  | 
| * [[http://technet.microsoft.com/Areas/Epx/Content/500_TechNet.htm?aspxerrorpath=/library/bb878096|Wi-Fi Protected Access 2 Data Encryption and Integrity]] |  | 
| * [[https://technet.microsoft.com/library/bb878054|Wi-Fi Protected Access 2 (WPA2) Overview]] | * [[https://technet.microsoft.com/library/bb878054|Wi-Fi Protected Access 2 (WPA2) Overview]] | 
| * [[http://www.informit.com/articles/printerfriendly.aspx?p=369221|Cracking Wi-Fi Protected Access (WPA), Part 1]] by Seth Fogie, March 4, 2005 | * [[https://technet.microsoft.com/en-us/library/bb878126.aspx|Wi-Fi Protected Access Data Encryption and Integrity]] | 
| * [[http://www.informit.com/articles/printerfriendly.aspx?p=370636|Cracking Wi-Fi Protected Access (WPA), Part 2]] by Seth Fogie, March 11, 2005 | * [[https://technet.microsoft.com/en-us/library/bb878096.aspx|Wi-Fi Protected Access 2 Data Encryption and Integrity]] | 
| * [[http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf|NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i]] by National Institute of Standards and Technology, February 2007 | * [[https://www.informit.com/articles/article.aspx?p=370636|Cracking Wi-Fi Protected Access (WPA), Part 1]] by Seth Fogie, March 4, 2005 | 
|  | * [[https://www.informit.com/articles/article.aspx?p=370636|Cracking Wi-Fi Protected Access (WPA), Part 2]] by Seth Fogie, March 11, 2005 | 
|  | * [[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-97.pdf|NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i]] by National Institute of Standards and Technology, February 2007 | 
| * [[http://jorisvr.nl/wpapsk.html|WPA Key Calculation]] by Joris van Rantwijk.  This page lets you calculate the Pairwise Master Key and explains how it is done. | * [[http://jorisvr.nl/wpapsk.html|WPA Key Calculation]] by Joris van Rantwijk.  This page lets you calculate the Pairwise Master Key and explains how it is done. | 
| ===== Books ===== | ===== Books ===== | 
|  |  | 
| There are hundreds of books about wireless.  This section makes no attempt to list all the available books regarding wireless.  Rather, it lists books which will likely be of specific interest to the readers of the wiki.  If you have read books that you think should be included here, please post information about them to the [[http://forum.aircrack-ng.org/index.php|forum]]. | There are hundreds of books about wireless.  This section makes no attempt to list all the available books regarding wireless.  Rather, it lists books which will likely be of specific interest to the readers of the wiki.  If you have read books that you think should be included here, please post information about them to the [[https://forum.aircrack-ng.org/index.php|forum]]. | 
|  |  | 
| Please keep in mind that books are always dated to some degree.  If you are looking for 100% up to date material and information then the Internet is your friend. | Please keep in mind that books are always dated to some degree.  If you are looking for 100% up to date material and information then the Internet is your friend. | 
| A common question on the forums is how to compile a new kernel.  This section attempts to identify links to documents, HOWTOs and similar which you may find helpful in this regard. | A common question on the forums is how to compile a new kernel.  This section attempts to identify links to documents, HOWTOs and similar which you may find helpful in this regard. | 
|  |  | 
| * [[http://ubuntuforums.org/showthread.php?t=56835|Ubuntu HOWTO: Kernel Compilation for Newbies]] | * [[https://ubuntuforums.org/showthread.php?t=56835|Ubuntu HOWTO: Kernel Compilation for Newbies]] | 
| * [[http://www.howtoforge.com/kernel_compilation_ubuntu|Ubuntu kernel compilation]] | * [[https://www.howtoforge.com/kernel_compilation_ubuntu|Ubuntu kernel compilation]] | 
| * [[http://technowizah.com/2005/12/debian-how-to-custom-kernel-compile.html|Debian How To Compile a Custom Kernel]]  This describes the steps required and covers both Debian and Ubuntu. | * [[https://www.howtoforge.com/kernel_compilation_fedora|How To Compile A Kernel - The Fedora Way]] | 
| * [[http://www.howtoforge.com/kernel_compilation_fedora|How To Compile A Kernel - The Fedora Way]] |  | 
|  |  | 
| Another question that comes up is how to compile a single driver module.  Here are the basics: | Another question that comes up is how to compile a single driver module.  Here are the basics: | 
| ===== Other ===== | ===== Other ===== | 
|  |  | 
| * Channel Frequencies: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 | * WEP Conversion tool in Java to convert WEP keys and WPA passphrases.  Thanks to LatinSuD: [[https://www.latinsud.com/wepconv.html|Click Here]] | 
| * WEP Conversion tool in Java to convert WEP keys and WPA passphrases.  Thanks to LatinSuD: [[http://www.latinsud.com/wepconv.html|Click Here]] |  | 
| * [[http://www.raulsiles.com/old/resources/wifi.html|Raúl Siles - WiFi: 802.11_ Wireless Networks]] This web site contains a vast quantity of whitepapers, tools, web sites, vulnerabilities, etc. | * [[http://www.raulsiles.com/old/resources/wifi.html|Raúl Siles - WiFi: 802.11_ Wireless Networks]] This web site contains a vast quantity of whitepapers, tools, web sites, vulnerabilities, etc. | 
| * [[http://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers|Comparison of open source wireless drivers (wikipedia)]] - Contains a lot of information about the different wireless chipsets and drivers and their capabilities on open-source OSes. | * [[https://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers|Comparison of open source wireless drivers (wikipedia)]] - Contains a lot of information about the different wireless chipsets and drivers and their capabilities on open-source OSes. | 
| * Very interesting site with a lot of information related to [[https://web.archive.org/web/20130809020855/http://aboba.drizzlehosting.com/IEEE|wireless]]. | * Very interesting site with a lot of information related to [[https://web.archive.org/web/20130809020855/http://aboba.drizzlehosting.com/IEEE|wireless]]. | 
| * [[https://wikidevi.com/wiki/Special:RunQuery/Wireless_adapter_query|WikiDevi]] helps you figure out the chipset of wireless adapters (and contains more info about A LOT of them). | * [[https://wikidevi.com/wiki/Special:RunQuery/Wireless_adapter_query|WikiDevi]] helps you figure out the chipset of wireless adapters (and contains more info about A LOT of them). | 
| * [[http://www.connect802.com/antennas.htm|Understanding 802.11 Antennas]] - Detailed explanation of how antennas work | * [[https://www.connect802.com/overview-of-wifi-antenna-operation?_rdr|Understanding 802.11 Antennas]] - Detailed explanation of how antennas work | 
|  |  | 
| ===== Live Distributions ===== | ===== Live Distributions ===== | 
|  |  | 
| * The most popular is [[http://www.kali.org/|Kali Linux]] since they have all the patched drivers and a full set of tools. | * The most popular is [[https://kali.org/|Kali Linux]] since they have all the patched drivers and a full set of tools. | 
| * [[http://www.pentoo.ch|Pentoo]] can be run off a CD or USB. It is based on Gentoo. | * [[https://pentoo.ch/|Pentoo]] can be run off a CD or USB. It is based on Gentoo. | 
| * [[http://www.wifiway.org/category/download/|WifiWay]]. See these two threads ( [[http://forum.aircrack-ng.org/index.php?topic=1696.0|thread]] or [[http://forum.aircrack-ng.org/index.php?topic=1985|thread]] ) regarding how to use it with the Aircrack-ng suite. |  | 
| * [[https://blackarch.org/|BlackArch]] | * [[https://blackarch.org/|BlackArch]] | 
|  | * [[https://www.parrotsec.org|ParrotSec]] | 
|  |  | 
| ===== Card and Antenna Connectors ===== | ===== Card and Antenna Connectors ===== | 
| Here is a series of URLs with pictures of the connectors used on wireless cards and antennas: | Here is a series of URLs with pictures of the connectors used on wireless cards and antennas: | 
|  |  | 
| * http://wireless.gumph.org/content/3/7/011-cable-connectors.html | * [[https://web.archive.org/web/20070624134513/http://wireless.gumph.org/content/3/7/011-cable-connectors.html|Common Wireless Antenna connectors]] | 
| * http://www.flickr.com/photos/command-tab/443112161/ |  | 
| * http://www.l-com.com/content/hyperlinkbrand.html | * http://www.l-com.com/content/hyperlinkbrand.html | 
| * http://www.seattlewireless.net/index.cgi/PigTail | * [[https://web.archive.org/web/20130927041848/http://www.seattlewireless.net/index.cgi/PigTail|PigTail]] | 
| * http://www.wlanantennas.com/antenna_connectors.php | * [[https://web.archive.org/web/20140413184204/http://www.wlanantennas.com/antenna_connectors.php|Wireless Antenna Connectors]] | 
| * http://www.solwise.co.uk/wireless_connectorssundries.htm | * https://www.solwise.co.uk/wireless_connectorssundries.htm | 
|  |  | 
| Note: Reversed polarized version (R-SMA/RP-SMA) is where the female contact is in the plug and the male contact in the jack/receptacle. | Note: Reversed polarized version (R-SMA/RP-SMA) is where the female contact is in the plug and the male contact in the jack/receptacle. | 
| This section is links to materials specifically related to injection and monitoring support. | This section is links to materials specifically related to injection and monitoring support. | 
|  |  | 
| * [[http://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious.  The article describes how to inject packets under MS Vista and provides sample code. | * [[https://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious.  The article describes how to inject packets under MS Vista and provides sample code. | 
| * [[http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the [[http://www.inguardians.com/tools/index.html|InGuardians Tools page]]. | * [[https://download.aircrack-ng.org/wiki-files/doc/others/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp. | 
| * [[http://www.npcap.org|Npcap]] is Nmap's packet sniffing library for Windows, based on WinPcap and libpcap. Downloads are available on the [[https://github.com/nmap/npcap|GitHub]] repository. | * [[https://nmap.org/npcap/|Npcap]] is Nmap's packet sniffing library for Windows, based on WinPcap and libpcap. Downloads are available on the [[https://github.com/nmap/npcap|GitHub]] repository. | 
|  |  |
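Review bot: in the 802.11 Specifications section of the new revision, the Seth Fogie "Cracking Wi-Fi Protected Access (WPA), Part 1" and "Part 2" entries both link to `https://www.informit.com/articles/article.aspx?p=370636`, while the old revision gave Part 1 its own id (`p=369221`); the Part 1 link should point at `https://www.informit.com/articles/article.aspx?p=369221` so that the two entries do not resolve to the same article.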
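Review bot: several entries are dropped outright rather than replaced in the new revision (the Cisco "Channel Frequencies" link under Other, the HSC "Wi-Fi Security - WEP, WPA and WPA2" article, the Debian custom-kernel HOWTO, the WifiWay distribution with its two forum threads, the Flickr connector photo and the InGuardians Tools page link for vistarfmon and nm2lp); where these were removed because the URLs went dead, an archive.org copy, as already used for the Netgear, gumph.org, SeattleWireless and wlanantennas entries on this page, would keep the references available.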