====== Links, References and Other Learning Materials ====== This page will continue to be expanded to include a variety of reference material. ===== Wireless Basics and Tutorials ===== * [[https://wiki-files.aircrack-ng.org/doc/others/wp-80211-attacks.pdf|802.11 Attacks]] by Brad Antoniewicz of Foundstone/McAfee. Provides a step by step walkthrough of popular wireless attacks. * [[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757419(v=ws.10)|How 802.11 Wireless Works]] (thanks to Microsoft) * [[https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-access-point/prod_white_paper09186a00800b469f.html|A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite]] * [[https://ptolemy.berkeley.edu/projects/ofdm/ergen/docs/ieee.pdf|“IEEE 802.11 Tutorial” Mustafa Ergen, University of California Berkeley, June 2002.]] * [[https://web.archive.org/web/20070813043726/http://documentation.netgear.com:80/reference/fra/wireless/TOC.html|Wireless Basics (thanks to Netgear)]] * [[https://download.aircrack-ng.org/wiki-files/other/managementframes.pdf|Management Frames]] This is a really excellent one-page overview of management frames and error messages. * [[https://en.wikipedia.org/wiki/Radiation_pattern|Radiation Patterns for wireless antennas and how to calculate it]] * [[https://www.tldp.org/HOWTO/Wireless-HOWTO.html|Wireless Howto]] (TLDP) * [[http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf|SANS Institute IEEE 802.11 Pocket Reference Guide]] * [[https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/802_11nPrimer_WP.pdf|802.11n Primer by AirMagnet]] ===== Technique Papers ==== This section covers papers which describe techniques incorporated into the aircrack-ng suite. * [[https://dl.aircrack-ng.org/wiki-files/doc/enhanced_tkip_michael.pdf|Enhanced TKIP Michael Attacks]] by Martin Beck. * [[https://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] by Martin Beck and Erik Tews | Describes advanced attacks on WEP and the first practical attack on WPA. * [[https://arstechnica.com/security/2008/11/wpa-cracked/1/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman | Published: November 06, 2008 - 07:25PM CT . Provides a good explanation of the new WPA/TKIP exploit. * [[https://download.aircrack-ng.org/wiki-files/doc/rc4_ksaproc.pdf|Weaknesses in the Key Scheduling Algorithm of RC4]] by Fluhrer, S. Mantin, I. and Shamir, A. in August 2001. This is the original paper on FMS. Other links [[https://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps|rc4_ksaproc.ps]]. * [[https://download.aircrack-ng.org/wiki-files/doc/using_FMS_attack.pdf|Using Fluhrer, Mantin, and Shamir Attack to Break WEP]] by Stubblefield, A. Ioannidis, J. and Rubin, A. Another version of the same paper: [[https://download.aircrack-ng.org/wiki-files/doc/A_Key_Recovery_Attack_on_the_wep.pdf| A Key Recovery Attack on the 802.11b WEP]] * [[https://download.aircrack-ng.org/wiki-files/doc/wepexp.txt|Practical Exploitation of RC4 Weaknesses in WEP Environments]] by David Hulton February 22, 2002. * [[https://download.aircrack-ng.org/wiki-files/doc/sorwep.txt|Additional Weak IV Classes for the FMS Attack]] by Andrea Bittau September 12, 2003. * [[https://download.aircrack-ng.org/wiki-files/doc/aircrack_reverse_engineer.pdf|Reverse Engineering of AirCrack Software]] by Roman, Fallet, Chandel and Nassif May 2005. This describes the previous generation of aircrack. However the basics still apply. * [[https://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf|The Fragmentation Attack in Practice]] by Andrea Bittau September 17, 2005. This paper provides a detailed technical description of the technique. A local copy of the presentation slides is located [[https://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. Also see the paper "The Final Nail in WEP's Coffin" on this page. * [[https://lasec.epfl.ch/abstracts/abstract_wep.shtml|Break WEP Faster with Statistical Analysis]] by Rafik Chaabouni, June 2006. This paper describes the Korek attacks in detail plus introduces a new one. This is [[https://lasec.epfl.ch/pub/lasec/doc/cha06.pdf|link]] to the paper itself. * Chopchop technique description: [[https://dl.aircrack-ng.org/wiki-files/doc/others/Byte-Sized%20Decryption%20of%20WEP%20with%20Chopchop,%20Part%201.pdf|Byte-Sized Decryption of WEP with Chopchop, Part 1]] and [[https://dl.aircrack-ng.org/wiki-files/doc/others/Byte-Sized%20Decryption%20of%20WEP%20with%20Chopchop,%20Part%202%20-%20Inverse%20Arbaugh%20Attack.pdf|Byte-Sized Decryption of WEP with Chopchop, Part 2]] * [[https://download.aircrack-ng.org/wiki-files/doc/Vulnerabilities%20of%20IEEE%20802.11i%20Wireless%20LAN%20CCMP%20Protocol.pdf|Vulnerabilities of IEEE 802.11i Wireless LAN CCMP Protocol]]. * [[https://dl.aircrack-ng.org/wiki-files/doc/technique_papers/WPA_attack.pdf|Weaknesses in the WPA Temporal Key Hash]]. * [[https://eprint.iacr.org/2007/471|Attacks on the WEP protocol]] by Erik Tews, December 15, 2007. This thesis summarizes all major attacks on WEP. Additionally a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is fastest publicly known key recovery attack against WEP protected networks. * [[https://www.coresecurity.com/corelabs-research/publications/wpa-migration-mode-wep-back-haunt-you|WPA Migration mode: WEP is back to haunt you...]] by Leandro Meiners and Diego Sor. Migration mode, from Cisco, allows both WEP and WPA clients on the same AP. Besides the fact that the WEP key can be cracked easily, they also bypass the additional security settings offered by Cisco. Here is the [[https://dl.aircrack-ng.org/wiki-files/doc/others/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf|slides of the presentation]] and the [[https://dl.aircrack-ng.org/wiki-files/doc/others/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you.pdf|paper]]. * [[https://infoscience.epfl.ch/record/186876|Smashing WEP in A Passive Attack]] by Sepehrdad, Pouyan; Susil, Petr; Vaudenay, Serge; Vuagnoux, Martin * [[https://dl.aircrack-ng.org/wiki-files/doc/Encrypted_WiFi_packet_injection.pdf|Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems]] by Tim de Waal ===== Additional Papers ==== This section has papers where are referenced in the previous section or are just simply interesting in the context of wireless. * [[https://eprint.iacr.org/2007/120.pdf|Breaking 104 bit WEP in less than 60 seconds]] by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, April 1,2007. The paper abstract is [[https://eprint.iacr.org/2007/120|here]]. The paper describes an active attack on WEP that requires extremely few packets. The web page has a link to their tool which implements the technique. * [[https://www.cs.umd.edu/~waa/attack/v3dcmnt.htm|An Inductive Chosen Plaintext Attack against WEP/WEP2]] by William A. Arbaugh, May 2001. Here is the [[https://mentor.ieee.org/802.11/dcn/01/11-01-0230-01-000i-an-inductive-chosen-plaintext-attack-against-wep-wep2.ppt|Powerpoint version]]. * [[http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf|Intercepting Mobile Communications: The Insecurity of 802.11]] by Nikita Borisov (UC berkeley) Ian Golderberg (Zero-knowledge systems) David Wagner (UC berkeley), July 2001. * [[https://download.aircrack-ng.org/wiki-files/doc/technique_papers/bittau-wep.pdf|The Final Nail in WEP's Coffin]] by Andrea Bittau, Mark Handley and Josua Lackey, May 21, 2006. A local copy of the presentation slides is located [[https://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. * [[https://www.rc4nomore.com/vanhoef-usenix2015.pdf|All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS]] by Mathy Vanhoef and Frank Piessens, Katholieke Universiteit Leuven. Slides can be found [[https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_vanhoef.pdf|here]] and the video of the presentation [[https://www.usenix.org/node/190889|here]]. * [[https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)|Pixie dust attack]] on WPS. Presentation available [[http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf|here]]. And they have a [[https://github.com/wiire-a/pixiewps|GitHub repository]]. * [[https://www.slideshare.net/vanhoefm/predicting-and-abusing-wpa280211-group-keys|Predicting and Abusing WPA2/802.11 Group Keys]] by Mathy Vanhoef ([[https://papers.mathyvanhoef.com/33c3-broadkey-slides.pdf|PDF]] and [[https://github.com/vanhoefm/broadkey|code]]) * [[https://www.petsymposium.org/2017/papers/issue4/paper82-2017-4-source.pdf|A Study of MAC Address Randomization in Mobile Devices and When it Fails]] by Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, and Dane Brown * [[https://papers.mathyvanhoef.com/asiaccs2016.pdf|Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms]], Mathy Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens * [[https://papers.mathyvanhoef.com/wisec2016.pdf|Defeating MAC Address Randomization Through Timing Attacks]], C. Matte, M. Cunche, F. Rousseau, and Mathy Vanhoef * [[https://papers.mathyvanhoef.com/phdthesis.pdf|A Security Analysis of the WPA-TKIP and TLS Security Protocols]], Mathy Vanhoef * [[https://lirias.kuleuven.be/bitstream/123456789/572634/1/asiaccs2017.pdf|Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing]], Mathy Vanhoef, D. Schepers, and F. Piessens * [[https://papers.mathyvanhoef.com/blackhat2017.pdf|WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake]], Mathy Vanhoef * [[https://papers.mathyvanhoef.com/ccs2017.pdf|Key Reinstallation AttACK]], Mathy Vanhoef, Frank Piessens ([[https://papers.mathyvanhoef.com/ccs2017-slides.pdf|Slides]]). [[https://github.com/vanhoefm/krackattacks-scripts|GitHub repository]] with scripts to test if client or AP are vulnerable. * [[https://papers.mathyvanhoef.com/woot2018.pdf|Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives]] by Mathy Vanhoef and Frank Piessens * [[https://papers.mathyvanhoef.com/ccs2018.pdf|Release the Kraken: New KRACKs in the 802.11 Standard]], M. Vanhoef and F. Piessens * [[https://papers.mathyvanhoef.com/dragonblood.pdf|Dragonblood: A Security Analysis of WPA3’s SAE Handshake]], M. Vanhoef and E. Ronen ===== 802.11 Specifications ==== * [[802_11_spec|802.11 specifications]] - An interesting part of it ===== WPA/WPA2 Information ===== Here are some links to learn more about WPA/WPA2: * [[https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf|Brute forcing Wi-Fi Protected Setup]] by Stefan Viehböck. * [[https://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009. This is an excellent descriptions of both WEP and WPA. * [[http://www.practicallynetworked.com/security/041207wpa_psk.htm|WPA PSK Crackers: Loose Lips Sink Ships]] By Lisa Phifer, March 23, 2007 * [[https://wiki-files.aircrack-ng.org/doc/wpa_wpa2_information/0810_BACon_WPA2_en.pdf|Packn' the PMK]] by Cedric Blancher and Simon Marechal. * [[http://www.willhackforsushi.com/presentations/TKIP_Attack_Webcast_2008-11-17.pdf|Understanding the WPA/WPA2 Break]] by Joshua Wright. * [[https://download.microsoft.com/download/5/7/7/577a5684-8a83-43ae-9272-ff260a9c20e2/WPA_Overview.doc|Wi-Fi Protected Access (WPA) Overview]] * [[https://technet.microsoft.com/library/bb878054|Wi-Fi Protected Access 2 (WPA2) Overview]] * [[https://technet.microsoft.com/en-us/library/bb878126.aspx|Wi-Fi Protected Access Data Encryption and Integrity]] * [[https://technet.microsoft.com/en-us/library/bb878096.aspx|Wi-Fi Protected Access 2 Data Encryption and Integrity]] * [[https://www.informit.com/articles/article.aspx?p=370636|Cracking Wi-Fi Protected Access (WPA), Part 1]] by Seth Fogie, March 4, 2005 * [[https://www.informit.com/articles/article.aspx?p=370636|Cracking Wi-Fi Protected Access (WPA), Part 2]] by Seth Fogie, March 11, 2005 * [[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-97.pdf|NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i]] by National Institute of Standards and Technology, February 2007 * [[http://jorisvr.nl/wpapsk.html|WPA Key Calculation]] by Joris van Rantwijk. It page allows you to calculate the Pairwise Master Key and explains how it is done. ===== Books ==== There are hundreds of books about wireless. This section makes no attempt to list all the available books regarding wireless. Rather, it lists books which will likely be of specific interest to the readers of the wiki. If you have read books that you think should be included here, please post information about them to the [[https://forum.aircrack-ng.org/index.php|forum]]. Please keep in mind that books are always dated to some degree. If you are looking for 100% up to date material and information then the Internet is your friend. ====CWNA: Certified Wireless Network Administrator Study Guide (Exam PW0-104) ==== * Authors: David D. Coleman, David A. Westcott * Paperback: 768 pages * Publisher: Sybex; 2nd edition (April 6, 2009) * Language: English * ISBN-10: 0470438908 * ISBN-13: 978-0470438909 === Comments === Although it is designed as a study guide, it is an excellent book to learn the theory of wireless. Having read and studied this book, you will have a really solid understanding of the various forms of wireless, types of packets and how everything works together. ====Wi-Foo: The Secrets of Wireless Hacking==== * Authors: by Andrew Vladimirov, Konstantin V. Gavrilenko, Andrei A. Mikhailovsky * Paperback: 592 pages * Publisher: Addison-Wesley Professional; 1st edition (June 28, 2004) * Language: English * ISBN-10: 0321202171 * ISBN-13: 978-0321202178 === Comments === Although many of the tools and some of the material in the book has become dated, it is still a great introduction to the subject. The focus is on practical application of the tools and concepts rather then lots of theory. Easy reading and still a worthwhile investment. ====802.11 Wireless Networks, The Definitive Guide==== * Author: Matthew S. Gast * Paperback: 656 pages * Publisher: O'Reilly Media; 2 edition (April 25, 2005) * Language: English * ISBN-10: 0596100523 * ISBN-13: 978-0596100520 === Comments === An excellent book about Wifi, from the physical layer to the different encryption protocols and going through details of the different frames that you might encounter on WiFi networks. ====Real 802.11 Security - Wi-Fi Protected Access and 802.11i==== * Author: Jon Edney and William A. Arbaugh * Paperback: 480 pages * Publisher: Addison-Wesley Professional; 1 edition (July 25, 2003) * Language: English * ISBN-10: 0321136209 * ISBN-13: 978-0321136206 === Comments === Very technical and detailed book about 802.11i. If you are just starting with WiFi, you might want to get //802.11 Wireless Networks, The Definitive Guide// first. ===== Compiling Kernels ===== A common question on the forums is how to compile a new kernel. This section attempts to identify links to documents, HOWTOs and similar which you may find helpful in this regard. * [[https://ubuntuforums.org/showthread.php?t=56835|Ubuntu HOWTO: Kernel Compilation for Newbies]] * [[https://www.howtoforge.com/kernel_compilation_ubuntu|Ubuntu kernel compilation]] * [[https://www.howtoforge.com/kernel_compilation_fedora|How To Compile A Kernel - The Fedora Way]] Another question that comes up is how to compile a single driver module. Here are the basics: First, cd to the directory which contains the source files to be compiled. It assumes you have patched the source if required. make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` clean make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules make CONFIG_ZD1211RW=m -C /lib/modules/`uname -r`/build M=`pwd` modules_install depmod -ae In the above: * "CONFIG_ZD1211RW=m" If the module is not "enabled" in the kernel config then you need to set the variable for that specific module to "m" for module. IE Enable it. It is not always required and must be changed to the specific driver you are trying to compile. * "-C" This has to be set to the location of your kernel source tree. "-C /lib/modules/`uname -r`/build" will typically work correctly. * "M=" This has to be set to the location of the source files to be compiled. If you have already changed to the directory containing the source files then "M=`pwd`" will typically work correctly. pwd specifies the current directory you are in. There are some considerations regarding installing a single module. You will need to ensure that the new module overwrites the existing one in /lib/modules. Sometimes it ends up being placed in a different location in the /lib/modules tree. If this happens then be sure to delete to the old version and run "depmod -ae". Alternatively, manually copy the newly created .ko kernel modules over the existing ones located in the /lib/modules tree. ===== Other ===== * WEP Conversion tool in Java to convert WEP keys and WPA passphrases. Thanks to LatinSuD: [[https://www.latinsud.com/wepconv.html|Click Here]] * [[http://www.raulsiles.com/old/resources/wifi.html|Raúl Siles - WiFi: 802.11_ Wireless Networks]] This web site contains a vast quantity of whitepapers, tools, web sites, vulnerabilities, etc. * [[https://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers|Comparison of open source wireless drivers (wikipedia)]] - Contains a lot of information about the different wireless chipsets and drivers and their capabilities on opensource OSes. * Very interesting site with a lot of information related to [[https://web.archive.org/web/20130809020855/http://aboba.drizzlehosting.com/IEEE|wireless]]. * [[https://wikidevi.com/wiki/Special:RunQuery/Wireless_adapter_query|WikiDevi]] helps you figure out the chipset of wireless adapters (and contains more info about A LOT of them. * [[https://www.connect802.com/overview-of-wifi-antenna-operation?_rdr|Understanding 802.11 Antennas]] - Detailed explanation on how antennas works ===== Live Distributions ===== * The most popular is [[https://kali.org/|Kali Linux]] since they have all the patched drivers and a full set of tools. * [[https://pentoo.ch/|Pentoo]] can be run off a CD or USB. It is based on Gentoo. * [[https://blackarch.org/|BlackArch]] * [[https://www.parrotsec.org|ParrotSec]] ===== Card and Antenna Connectors ===== Here is a series of URLs with pictures of the connectors used on wireless cards and antennas: * [[https://web.archive.org/web/20070624134513/http://wireless.gumph.org/content/3/7/011-cable-connectors.html|Common Wireless Antenna connectors]] * http://www.l-com.com/content/hyperlinkbrand.html * [[https://web.archive.org/web/20130927041848/http://www.seattlewireless.net/index.cgi/PigTail|PigTail]] * [[https://web.archive.org/web/20140413184204/http://www.wlanantennas.com/antenna_connectors.php|Wireless Antenna Connectors]] * https://www.solwise.co.uk/wireless_connectorssundries.htm Note: Reversed polarized version (R-SMA/RP-SMA) is where the female contact is in the plug and the male contact in the jack/receptacle. ===== Microsoft Windows Specific ===== This section is links to materials specifically related to injection and monitoring support. * [[https://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows|"802.11 Packet Injection for Windows"]] by Ryan Grevious. The article describes how to inject packets under MS Vista and provides sample code. * [[https://download.aircrack-ng.org/wiki-files/doc/others/Vista_Wireless_Power_Tools-Wright.pdf|"Vista Wireless Power Tools for the Penetration Tester"]] by Joshua Wright. This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of "Unix Power Tools" by Sherry Powers, et al, this paper presents several "article-ettes" describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks. This paper also presents two new tools, vistarfmon and nm2lp * [[https://nmap.org/npcap/|NPcap]] is Nmap's packet sniffing library for Windows, based on WinPCAP, Libpcap. Downloads are available on the [[https://github.com/nmap/npcap|GitHub]] repository.