Links, References and Other Learning Materials

This page will continue to be expanded to include a variety of reference material.

• 802.11 Attacks by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks.
• How 802.11 Wireless Works (thanks to Microsoft)
• A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite
• “IEEE 802.11 Tutorial” Mustafa Ergen, University of California Berkeley, June 2002.
• 802.11 Wireless LAN lecture notes
• Wireless Basics (thanks to Netgear)
• Management Frames This is a really excellent one-page overview of management frames and error messages.
• Radiation Patterns for wireless antennaes and how to calculate it
• Wireless Howto (TLDP)
• SANS Institute IEEE 802.11 Pocket Reference Guide

This section covers papers which describe techniques incorporated into the aircrack-ng suite.

• Practical attacks against WEP and WPA by Martin Beck and Erik Tews | Describes advanced attacks on WEP and the first practical attack on WPA.
• Battered, but not broken: understanding the WPA crack by Glenn Fleishman | Published: November 06, 2008 - 07:25PM CT . Provides a good explanation of the new WPA/TKIP exploit.
• Weaknesses in the Key Scheduling Algorithm of RC4 by Fluhrer, S. Mantin, I. and Shamir, A. in August 2001. This is the original paper on FMS. Other links rc4_ksaproc.ps, rc4_ksaproc.pdf.
• Using Fluhrer, Mantin, and Shamir Attack to Break WEP by Stubblefield, A. Ioannidis, J. and Rubin, A. Another version of the same paper: A Key Recovery Attack on the 802.11b WEP
• Practical Exploitation of RC4 Weaknesses in WEP Environments by David Hulton February 22, 2002. Another link is http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt.
• Additional Weak IV Classes for the FMS Attack by Andrea Bittau September 12, 2003.
• Reverse Engineering of AirCrack Software by Roman, Fallet, Chandel and Nassif May 2005. This describes the previous generation of aircrack. However the basics still apply.
• The Fragmentation Attack in Practice by Andrea Bittau September 17, 2005. This paper provides a detailed technical description of the technique. A local copy is located here. A local copy of the presentation slides is located here. Also see the paper “The Final Nail in WEP's Coffin” on this page.
• Korek Attacks in the original Netstumbler thread.
• Break WEP Faster with Statistical Analysis by Rafik Chaabouni, June 2006. This paper describes the Korek attacks in detail plus introduces a new one. This is link to the paper itself.
• Chopchop Attack in the original Netstumbler thread.
• Chopchop technique description: Byte-Sized Decryption of WEP with Chopchop, Part 1 and Byte-Sized Decryption of WEP with Chopchop, Part 2
• Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol.
• Weaknesses in the WPA Temporal Key Hash.
• Attacks on the WEP protocol by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is fastest publicly known key recovery attack against WEP protected networks.
• Very interesting site with a lot of information related to wireless

This section has papers where are referenced in the previous section or are just simply interesting in the context of wireless.

• Breaking 104 bit WEP in less than 60 seconds by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, April 1,2007. The paper abstract is here and the web page for the proof-of-concept the tool is here. The paper describes an active attack on WEP that requires extremely few packets. The web page has a link to their tool which implements the technique.
• An Inductive Chosen Plaintext Attack against WEP/WEP2 by William A. Arbaugh, May 2001. Here is the Powerpoint version.
• Intercepting Mobile Communications: The Insecurity of 802.11 by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001.
• The Final Nail in WEP's Coffin by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located here.

• 802.11 specifications - An interesting part of it

Here are some links to learn more about WPA/WPA2:

• Cryptanalysis of IEEE 802.11i TKIP by Finn Michael Halvorsen and Olav Haugen, June 2009. This is an excellent descriptions of both WEP and WPA.
• WPA PSK Crackers: Loose Lips Sink Ships By Lisa Phifer, March 23, 2007
• Packn' the PMK by Cedric Blancher and Simon Marechal.
• Understanding the WPA/WPA2 Break by Joshua Wright.
• Wi-Fi Security - WEP, WPA and WPA2 This is the link to download the PDF directly.
• Wi-Fi Protected Access (WPA) Overview
• Wi-Fi Protected Access Data Encryption and Integrity
• Wi-Fi Protected Access 2 Data Encryption and Integrity
• Wi-Fi Protected Access 2 (WPA2) Overview
• Cracking Wi-Fi Protected Access (WPA), Part 1 by Seth Fogie, March 4, 2005
• Cracking Wi-Fi Protected Access (WPA), Part 2 by Seth Fogie, March 11, 2005
• NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i by National Institute of Standards and Technology, February 2007
• WPA Key Calculation by Joris van Rantwijk. It page allows you to calculate the Pairwise Master Key and explains how it is done.

There are hundreds of books about wireless. This section makes no attempt to list all the available books regarding wireless. Rather, it lists books which will likely be of specific interest to the readers of the wiki. If you have read books that you think should be included here, please post information about them to the forum.

Please keep in mind that books are always dated to some degree. If you are looking for 100% up to date material and information then the Internet is your friend.

 CWNA: Certified Wireless Network Administrator Study Guide (Exam PW0-100)
 by David D. Coleman , David A. Westcott 
 
 Paperback: 576 pages
 Publisher: Sybex; 1st edition (August 25, 2006)
 Language: English
 ISBN-10: 0471789526
 ISBN-13: 978-0471789529

Comments: Although it is designed as a study guide, it is an excellent book to learn the theory of wireless. Having read and studied this book, you will have a really solid understanding of the various forms of wireless, types of packets and how everything works together.

 Wi-Foo: The Secrets of Wireless Hacking
 by Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky 
 
 Paperback: 592 pages
 Publisher: Addison-Wesley Professional; 1st edition (June 28, 2004)
 Language: English
 ISBN-10: 0321202171
 ISBN-13: 978-0321202178

Comments: Although many of the tools and some of the material in the book has become dated, it is still a great introduction to the subject. The focus is on practical application of the tools and concepts rather then lots of theory. Easy reading and still a worthwhile investment.

A common question on the forums is how to compile a new kernel. This section attempts to identify links to documents, HOWTOs and similar which you may find helpful in this regard.

• Ubuntu HOWTO: Kernel Compilation for Newbies
• Ubuntu kernel compilation
• Debian How To Compile a Custom Kernel This describes the steps required and covers both Debian and Ubuntu.
• How To Compile A Kernel - The Fedora Way

Another question that comes up is how to compile a single driver module. Here are the basics:

First, cd to the directory which contains the source files to be compiled. It assumes you have patched the source if required.

 make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` clean
 make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules
 make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules_install
 depmod -ae

In the above:

• “CONFIG_ZD1211RW=m” If the module is not “enabled” in the kernel config then you need to set the variable for that specific module to “m” for module. IE Enable it. It is not always required and must be changed to the specific driver you are trying to compile.
• ”-C” This has to be set to the location of your kernel source tree. ”-C /lib/modules/`uname -r`/build” will typically work correctly.
• “M=” This has to be set to the location of the source files to be compiled. If you have already changed to the directory containing the source files then “M=`pwd`” will typically work correctly. pwd specifies the current directory you are in.

There are some considerations regarding installing a single module. You will need to ensure that the new module overwrites the existing one in /lib/modules. Sometimes it ends up being placed in a different location in the /lib/modules tree. If this happens then be sure to delete to the old version and run “depmod -ae”.

Alternatively, manually copy the newly created .ko kernel modules over the existing ones located in the /lib/modules tree.

• Channel Frequencies: http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the “Wifi Channel Selection and Channel Overlap” tab.
• WEP Conversion tool in Java to convert WEP keys and WPA passphrases. Thanks to LatinSuD: Click Here
• Raúl Siles - WiFi: 802.11_ Wireless Networks This web site contains a vast quantity of whitepapers, tools, web sites, vulnerabilities, etc.
• Wireless LAN security whitepaper by Cisco; a very good one.
• Comparison of open source wireless drivers (wikipedia) - Contains a lot of information about the different wireless chipsets and drivers and their capabilities on opensource OSes.

• Slitaz Aircrack-ng Distribution can be run off a CD or USB. The USB version also allows for persistent changes.
• chaox-ng can be run off a CD or USB. The USB version also allows for persistent changes.
• The most popular is Back|Track since it has all the patched drivers and a full set of tools.
• Pentoo can be run off a CD or USB. It is based on Gentoo.
• Beini, a really small live CD based on TinyCore Linux.
• WifiWay-x.x (x.x changes with each new version) with native support for injection with ipw3945, zd1211rw. See these two threads ( thread or thread ) regarding how to use it with the aircrack-ng suite.

Here is a series of URLs with pictures of the connectors used on wireless cards and antennas:

• http://wireless.gumph.org/content/3/7/011-cable-connectors.html
• http://www.flickr.com/photos/command-tab/443112161/
• http://www.hyperlinktech.com/web/connectors.php
• http://www.seattlewireless.net/index.cgi/PigTail
• http://www.wlanantennas.com/antenna_connectors.htm
• http://www.solwise.co.uk/wireless_connectorssundries.htm

Note: Reversed polarized version (R-SMA/RP-SMA) is where the female contact is in the plug and the male contact in the jack/receptacle.

This section is links to materials specifically related to injection and monitoring support under Microsoft Vista.

• "802.11 Packet Injection for Windows" by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code.
• "Vista Wireless Power Tools for the Penetration Tester" by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of “Unix Power Tools” by Sherry Powers, et al, this paper presents several “article-ettes” describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp, both available on the InGuardians Tools page.