CS38, Security and Privacy, Spring 2005


This is a list of links concerning basic 802.11x architecture and security. The "Wi-Foo" book, on reserve at the library, provides a much more extensive summary (except for the physical layer, which is covered in the "Brief overview" below), and its website http://wi-foo.com mirrors a large number of auditing and penetration testing utilities.

My current setup is based on the Auditor liveCD (see below in Tools).

You can borrow the following for your wireless experiments:
  • a Prism2-based card,
  • an Atheros-based card,
  • a few Orinoco and Cisco 350 cards,
  • a USB flash drive (for saving your data and configs if you use a bootable liveCD such as Auditor),
  • Auditor, Helix and plain Knoppix liveCDs,
  • a commodity Linksys AP/router (first come, first served).

See also: tips for using the Auditor CD and the cards for 802.11 frame injection.

Technology explained

  • The Comprehensive Guide to 802.11b Wireless Networks, dragorn
    http://hastingswireless.homeip.net/index.php?page=articles&author=2600&title=comprehensive_802.11_guide
    Published in the 2600 hacker quarterly, by the author of Kismet. Explains basic facts of 802.11b security for open and WEP networks.

  • Wireless Technologies Overview, Jean Tourrilhes
    http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.Overview.html
    Technical detail on the physical layer (Layer 1) of wireless networks. Explains a number of weird limitations that hardware/firmware exhibits when used in non-standard modes.

  • Wireless LAN Linux HOWTO, Jean Tourrilhes
    http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html
    Cards, drivers and setup info.

Tool and paper collections

  • The Auditor bootable CD,
    http://new.remote-exploit.org/index.php/Auditor_main
    This is a Linux distro (modified Knoppix), bootable and runnable entirely from the CD, with the proper drivers already patched to work with monitoring and frame injection tools. I played with this ISO, and have it working with my Prism2- and Atheros-based cards. The site has a weblog with some examples of tool usage. TomsNetworking has a review, which is not too deep, but has some screenshots and general info.

    Update: file2air and aireplay work; I could not get void11_penetration (http://www.wlsec.net/void11/) to work with Prism2.

    Note 1: Booting your machine from a strange CD downloaded from the 'net is not exactly the kind of paranoid security attitude that I would like to advocate. I have not thoroughly checked it for any mischief, so use at your own risk.

    Note 2: Make sure you do not interfere with other people's normal use of the network. In Sudi, channel 11 is reserved for authorised wireless experiments; please limit your experiments to it.

  • The Shmoo group,
    http://www.shmoo.com/
    This is the home of Airsnort (a WEP cracker), Airsnarf (a rogue AP suite), and other nifty tools.

  • The Unofficial 802.11 Security Web Page,
    http://www.drizzle.com/~aboba/IEEE/
    A large collection of standards docs and vulnerabilities in wireless security protocols: WEP, WPA, 802.11i, EAP, LEAP, etc. Very comprehensive.

Attacks

  • 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, John Bellardo and Stefan Savage
    http://ramp.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html
    This paper details DoS attacks on an 802.11 wireless network. We can implement them with our tools.

  • Chapter on attacks from the "Wi-Foo" book, Andrei Mikhailovsky, Konstantin Gavrilenko, Andrew Vladimirov
    http://www.awprofessional.com/articles/printerfriendly.asp?p=353735  [local wi-foo-chapter.html]
    A very nice summary of various tools and attacks.

WEP key cracking

  • WEP: Dead Again, Michael Ossmann
    http://www.securityfocus.com/infocus/1814
    [printable part 1: http://www.securityfocus.com/printable/infocus/1814] [printable part 2: http://www.securityfocus.com/printable/infocus/1824]
    A recent wrap-up on WEP cracking, vendor countermeasures, and further weaknesses. Good overview; covers almost all free current tools of interest. BTW, it recommends the Auditor CD.

  • Aircrack, Christophe Devine
    http://www.cr0.net:8040/code/network/aircrack/
    Linux and Windows versions, explanations, setup tips. Works with different cards (Prism2, Atheros).

Cheating at the MAC layer: benefits and detection

  • MAC layer cheating and detection,
    http://domino.epfl.ch/  [local domino.pdf]
    If you can change your 802.11b/g card's behavior, how could you cheat the network? How would a sysadmin detect such behavior? This work clarifies the fine points of the wireless MAC protocols. The conference papers are at [http://lcawww.epfl.ch/Domino/Edomino_files/domino.pdf] and [http://icawww.epfl.ch/Publications/raya/RayaHA04.pdf].


Sergey Bratus