Links, References and Other Learning Materials
This page will continue to be expanded to include a variety of reference material.
Wireless Basics and Tutorials
- 802.11 Attacks by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks.
- How 802.11 Wireless Works (thanks to Microsoft)
- Management Frames. This is a really excellent one-page overview of management frames and error messages.
- Wireless Howto (TLDP)
This section covers papers which describe techniques incorporated into the aircrack-ng suite.
- Enhanced TKIP Michael Attacks by Martin Beck.
- Practical attacks against WEP and WPA by Martin Beck and Erik Tews | Describes advanced attacks on WEP and the first practical attack on WPA.
- Battered, but not broken: understanding the WPA crack by Glenn Fleishman. Published November 06, 2008, 07:25PM CT. Provides a good explanation of the new WPA/TKIP exploit.
- Weaknesses in the Key Scheduling Algorithm of RC4 by S. Fluhrer, I. Mantin and A. Shamir, August 2001. This is the original paper on the FMS attack. Also available as rc4_ksaproc.ps.
- Using Fluhrer, Mantin, and Shamir Attack to Break WEP by A. Stubblefield, J. Ioannidis and A. Rubin. Another version of the same paper: A Key Recovery Attack on the 802.11b WEP.
- Practical Exploitation of RC4 Weaknesses in WEP Environments by David Hulton February 22, 2002.
- Additional Weak IV Classes for the FMS Attack by Andrea Bittau September 12, 2003.
- Reverse Engineering of AirCrack Software by Roman, Fallet, Chandel and Nassif May 2005. This describes the previous generation of aircrack. However the basics still apply.
- The Fragmentation Attack in Practice by Andrea Bittau September 17, 2005. This paper provides a detailed technical description of the technique. A local copy of the presentation slides is located here. Also see the paper “The Final Nail in WEP's Coffin” on this page.
- Break WEP Faster with Statistical Analysis by Rafik Chaabouni, June 2006. This paper describes the KoreK attacks in detail and introduces a new one. This is a link to the paper itself.
- Chopchop technique description: Byte-Sized Decryption of WEP with Chopchop, Part 1 and Byte-Sized Decryption of WEP with Chopchop, Part 2
- Attacks on the WEP protocol by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally, a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is the fastest publicly known key recovery attack against WEP protected networks.
- WPA Migration mode: WEP is back to haunt you... by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here are the slides of the presentation and the paper.
- Smashing WEP in A Passive Attack by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin
This section lists papers that are referenced in the previous section or are simply interesting in the context of wireless.
- Breaking 104 bit WEP in less than 60 seconds by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, April 1, 2007. The paper abstract is here. The paper describes an active attack on WEP that requires extremely few packets. The web page has a link to their tool which implements the technique.
- An Inductive Chosen Plaintext Attack against WEP/WEP2 by William A. Arbaugh, May 2001. Here is the Powerpoint version.
- Intercepting Mobile Communications: The Insecurity of 802.11 by Nikita Borisov (UC Berkeley), Ian Goldberg (Zero-Knowledge Systems) and David Wagner (UC Berkeley), July 2001.
- The Final Nail in WEP's Coffin by Andrea Bittau, Mark Handley and Joshua Lackey, May 21, 2006. A local copy of the presentation slides is located here.
- All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found here and the video of the presentation here.
- Pixie dust attack on WPS. Presentation available here. And they have a GitHub repository.
- Predicting and Abusing WPA2/802.11 Group Keys by Mathy Vanhoef (PDF and code)
- A Study of MAC Address Randomization in Mobile Devices and When it Fails by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown
- Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms, Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens
- Defeating MAC Address Randomization Through Timing Attacks, C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef
- Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing, Mathy Vanhoef, D. Schepers, and F. Piessens
- Key Reinstallation AttACK, Mathy Vanhoef, Frank Piessens (Slides). GitHub repository with scripts to test whether a client or AP is vulnerable.
- Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives by Mathy Vanhoef and Frank Piessens
- 802.11 specifications - An interesting part of it
Here are some links to learn more about WPA/WPA2:
- Brute forcing Wi-Fi Protected Setup by Stefan Viehböck.
- Cryptanalysis of IEEE 802.11i TKIP by Finn Michael Halvorsen and Olav Haugen, June 2009. This is an excellent description of both WEP and WPA.
- WPA PSK Crackers: Loose Lips Sink Ships by Lisa Phifer, March 23, 2007
- Packn' the PMK by Cedric Blancher and Simon Marechal.
- Understanding the WPA/WPA2 Break by Joshua Wright.
- Cracking Wi-Fi Protected Access (WPA), Part 1 by Seth Fogie, March 4, 2005
- Cracking Wi-Fi Protected Access (WPA), Part 2 by Seth Fogie, March 11, 2005
- NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i by National Institute of Standards and Technology, February 2007
- WPA Key Calculation by Joris van Rantwijk. The page allows you to calculate the Pairwise Master Key and explains how it is done.
There are hundreds of books about wireless. This section makes no attempt to list all the available books regarding wireless. Rather, it lists books which will likely be of specific interest to the readers of the wiki. If you have read books that you think should be included here, please post information about them to the forum.
Please keep in mind that books are always dated to some degree. If you are looking for 100% up to date material and information then the Internet is your friend.
CWNA: Certified Wireless Network Administrator Study Guide (Exam PW0-104)
- Authors: David D. Coleman, David A. Westcott
- Paperback: 768 pages
- Publisher: Sybex; 2nd edition (April 6, 2009)
- Language: English
- ISBN-10: 0470438908
- ISBN-13: 978-0470438909
Although it is designed as a study guide, it is an excellent book to learn the theory of wireless. Having read and studied this book, you will have a really solid understanding of the various forms of wireless, types of packets and how everything works together.
Wi-Foo: The Secrets of Wireless Hacking
- Authors: Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky
- Paperback: 592 pages
- Publisher: Addison-Wesley Professional; 1st edition (June 28, 2004)
- Language: English
- ISBN-10: 0321202171
- ISBN-13: 978-0321202178
Although many of the tools and some of the material in the book have become dated, it is still a great introduction to the subject. The focus is on practical application of the tools and concepts rather than lots of theory. Easy reading and still a worthwhile investment.
802.11 Wireless Networks, The Definitive Guide
- Author: Matthew S. Gast
- Paperback: 656 pages
- Publisher: O'Reilly Media; 2nd edition (April 25, 2005)
- Language: English
- ISBN-10: 0596100523
- ISBN-13: 978-0596100520
An excellent book about Wi-Fi, from the physical layer to the different encryption protocols, going through the details of the different frames that you might encounter on Wi-Fi networks.
Real 802.11 Security - Wi-Fi Protected Access and 802.11i
- Author: Jon Edney and William A. Arbaugh
- Paperback: 480 pages
- Publisher: Addison-Wesley Professional; 1st edition (July 25, 2003)
- Language: English
- ISBN-10: 0321136209
- ISBN-13: 978-0321136206
Very technical and detailed book about 802.11i. If you are just starting with Wi-Fi, you might want to get 802.11 Wireless Networks, The Definitive Guide first.
A common question on the forums is how to compile a new kernel. This section attempts to identify links to documents, HOWTOs and similar which you may find helpful in this regard.
Another question that comes up is how to compile a single driver module. Here are the basics:
First, cd to the directory which contains the source files to be compiled. This assumes you have already patched the source if required.
make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` clean
make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules
make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules_install
depmod -ae
In the above:
- “CONFIG_ZD1211RW=m” If the module is not “enabled” in the kernel config then you need to set the variable for that specific module to “m” for module, i.e. enable it. It is not always required and must be changed to the specific driver you are trying to compile.
- “-C” This has to be set to the location of your kernel source tree. “-C /lib/modules/`uname -r`/build” will typically work correctly.
- “M=” This has to be set to the location of the source files to be compiled. If you have already changed to the directory containing the source files then “M=`pwd`” will typically work correctly. pwd specifies the current directory you are in.
There are some considerations regarding installing a single module. You will need to ensure that the new module overwrites the existing one in /lib/modules. Sometimes it ends up being placed in a different location in the /lib/modules tree. If this happens then be sure to delete the old version and run “depmod -ae”.
Alternatively, manually copy the newly created .ko kernel modules over the existing ones located in the /lib/modules tree.
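The following script is an added example, not part of the wiki page or the aircrack-ng project: it wraps the three make invocations above for one module and then checks the /lib/modules tree for the stale-copy situation described in the preceding paragraph. The module name and CONFIG symbol (zd1211rw / CONFIG_ZD1211RW) are the page's example driver and are assumed to be the ones you substitute for your own.

```shell
#!/bin/sh
# Added example: build one out-of-tree module against the running kernel and verify that
# only one copy of it remains under /lib/modules/$(uname -r) afterwards.
set -eu

# find_module_copies MODULE_NAME TREE_ROOT
# Print every compressed or uncompressed MODULE_NAME.ko under TREE_ROOT, one per line.
find_module_copies() {
    find "$2" -type f \( -name "$1.ko" -o -name "$1.ko.xz" \
        -o -name "$1.ko.gz" -o -name "$1.ko.zst" \) 2>/dev/null | sort
}

# count_module_copies MODULE_NAME TREE_ROOT
# Print the number of copies found (0 when none exist).
count_module_copies() {
    find_module_copies "$1" "$2" | wc -l | tr -d ' '
}

# build_and_install MODULE_NAME CONFIG_SYMBOL SRC_DIR
# Runs the clean / modules / modules_install sequence from the page, then depmod -ae.
# Returns 1 if more than one copy of the module is present, listing them on stderr so the
# stale one can be removed by hand (the case the page warns about).
build_and_install() {
    mod="$1"; sym="$2"; src="$3"
    kdir="/lib/modules/$(uname -r)"
    make "CONFIG_${sym}=m" -C "${kdir}/build" M="${src}" clean
    make "CONFIG_${sym}=m" -C "${kdir}/build" M="${src}" modules
    make "CONFIG_${sym}=m" -C "${kdir}/build" M="${src}" modules_install
    depmod -ae
    n=$(count_module_copies "$mod" "$kdir")
    if [ "$n" -gt 1 ]; then
        echo "warning: $n copies of ${mod}.ko under ${kdir}; delete the stale one, then rerun depmod -ae" >&2
        find_module_copies "$mod" "$kdir" >&2
        return 1
    fi
    echo "installed ${mod}.ko ($n copy under ${kdir})"
}

# Typical call from inside the patched driver source directory (assumed names):
#   build_and_install zd1211rw ZD1211RW "$(pwd)"
```

Running `count_module_copies zd1211rw /lib/modules/$(uname -r)` on its own is a quick way to spot a leftover duplicate before loading the driver.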
- WEP conversion tool in Java to convert WEP keys and WPA passphrases. Thanks to LatinSuD.
- Raúl Siles - WiFi: 802.11_ Wireless Networks This web site contains a vast quantity of whitepapers, tools, web sites, vulnerabilities, etc.
- Comparison of open source wireless drivers (wikipedia) - Contains a lot of information about the different wireless chipsets and drivers and their capabilities on opensource OSes.
- Very interesting site with a lot of information related to wireless.
- WikiDevi helps you figure out the chipset of wireless adapters (and contains much more information about a great many of them).
- Understanding 802.11 Antennas - Detailed explanation of how antennas work
- The most popular is Kali Linux since they have all the patched drivers and a full set of tools.
- Pentoo can be run off a CD or USB. It is based on Gentoo.
Card and Antenna Connectors
Here is a series of URLs with pictures of the connectors used on wireless cards and antennas:
Note: The reverse-polarity version (R-SMA/RP-SMA) is the one where the female contact is in the plug and the male contact is in the jack/receptacle.
Microsoft Windows Specific
This section contains links to materials specifically related to injection and monitoring support on Windows.
- "802.11 Packet Injection for Windows" by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code.
- "Vista Wireless Power Tools for the Penetration Tester" by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, in a format designed to be easy to read and to use as a learning tool. Modelled on the timeless work “Unix Power Tools” by Sherry Powers et al., this paper presents several “article-ettes” describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp.