| |
| |
Foreword | |
| |
| |
Acknowledgments | |
| |
| |
Introduction | |
| |
| |
| |
Overview | |
| |
| |
Case Study: BuzzCorp | |
| |
| |
Wireless Setup | |
| |
| |
Wireless Risks and Security Controls | |
| |
| |
| |
Wireless Security Overview | |
| |
| |
Use and Spread of Wireless Technologies | |
| |
| |
A Brief History of Wireless Technologies | |
| |
| |
Basics of Wireless Technologies | |
| |
| |
What Is Wireless? | |
| |
| |
Standardization and Regulation | |
| |
| |
Further Coverage | |
| |
| |
The Risks of Wireless Technologies | |
| |
| |
Advances in Wireless Security | |
| |
| |
Summary | |
| |
| |
| |
Radio Frequency | |
| |
| |
RF Terminology | |
| |
| |
Communications Systems | |
| |
| |
Radio Frequency Signals | |
| |
| |
Electromagnetic Waves | |
| |
| |
Units of Measure | |
| |
| |
Modulation | |
| |
| |
Spread Spectrum and Multiplexing | |
| |
| |
RF Hardware | |
| |
| |
Antennas | |
| |
| |
Amplifiers | |
| |
| |
Government Regulations | |
| |
| |
Wireless Standards | |
| |
| |
Wireless LAN (802.11 a/b/g/n) | |
| |
| |
Summary | |
| |
| |
| |
Hacking 802.11 Wireless Technology | |
| |
| |
Case Study: Riding the Insecure Airwaves | |
| |
| |
| |
Introduction to 802.11 | |
| |
| |
802.11 History | |
| |
| |
Wi-Fi vs. 802.11 | |
| |
| |
802.11 in a Nutshell | |
| |
| |
The 802.11 MAC | |
| |
| |
Features of the 802.11 MAC | |
| |
| |
802.11 Packet Types | |
| |
| |
Control Packets | |
| |
| |
Management Packets | |
| |
| |
Data Packets | |
| |
| |
Addressing in 802.11 Packets | |
| |
| |
Interesting Fields Across Packets | |
| |
| |
Finding and Connecting to Wireless Networks | |
| |
| |
Locating Wireless Networks | |
| |
| |
Connecting to a Wireless Network | |
| |
| |
WPA/802.11i Background | |
| |
| |
802.11i Groundwork | |
| |
| |
Extensible Authentication Protocol (EAP) | |
| |
| |
Introduction to RADIUS | |
| |
| |
802.1X: Bringing EAP to the LAN | |
| |
| |
802.11i: Putting It All Together | |
| |
| |
Authentication Using 802.11i | |
| |
| |
Confidentiality in 802.11i | |
| |
| |
Integrity in 802.11i | |
| |
| |
Replay Protection in 802.11i | |
| |
| |
Summary | |
| |
| |
| |
802.11 Discovery | |
| |
| |
Discovery Basics | |
| |
| |
Hardware and Drivers | |
| |
| |
Background | |
| |
| |
Chipsets | |
| |
| |
Cards | |
| |
| |
Drivers | |
| |
| |
Antennas | |
| |
| |
GPS | |
| |
| |
Summary | |
| |
| |
| |
Scanning and Enumerating 802.11 Networks | |
| |
| |
Choosing an Operating System | |
| |
| |
Windows | |
| |
| |
Linux | |
| |
| |
OS X | |
| |
| |
Windows Discovery Tools | |
| |
| |
NetStumbler | |
| |
| |
AiroPeek | |
| |
| |
Linux Discovery Tools | |
| |
| |
Kismet | |
| |
| |
Wellenreiter | |
| |
| |
OS X Discovery Tools | |
| |
| |
Kismac | |
| |
| |
MacStumbler | |
| |
| |
iStumbler | |
| |
| |
Kismet on OS X | |
| |
| |
Online Mapping Services (wigle, .kismac, Google Earth) | |
| |
| |
Network Identifiers | |
| |
| |
UNIX Sniffers | |
| |
| |
Displaying a Saved pcap File | |
| |
| |
Capturing Packets in Real-Time | |
| |
| |
Wireshark Colors | |
| |
| |
Summary | |
| |
| |
| |
Attacking 802.11 Networks | |
| |
| |
Basic Types of Attacks | |
| |
| |
Security Through Obscurity | |
| |
| |
Defeating WEP | |
| |
| |
802.11 Authentication Types | |
| |
| |
Shared Key Authentication | |
| |
| |
Open Authentication | |
| |
| |
802.1X Authentication | |
| |
| |
Advanced Attacks Against WEP | |
| |
| |
RC4 Encryption Primer | |
| |
| |
Rogue APs | |
| |
| |
How Windows Looks for Preferred Networks | |
| |
| |
Other KARMA Improvements | |
| |
| |
Attacking the Availability of Wireless Networks | |
| |
| |
RTS/CTS Attacks | |
| |
| |
Miscellaneous Wireless Attacks | |
| |
| |
Summary | |
| |
| |
| |
Attacking WPA-protected 802.11 Networks | |
| |
| |
Breaking WPA/802.11i | |
| |
| |
WPA/802.11i Background | |
| |
| |
Attacking WPA/802.11i Enterprise Authentication | |
| |
| |
EAP-TLS | |
| |
| |
LEAP | |
| |
| |
Tunneling EAP Techniques (PEAP/EAP-TTLS) | |
| |
| |
Summary | |
| |
| |
| |
802.11 Defense | |
| |
| |
Direct 802.11 Defenses | |
| |
| |
WEP | |
| |
| |
Deploying WPA/WPA2 Securely | |
| |
| |
Avoiding Layer Two Security Altogether | |
| |
| |
VPN Protocol Overview | |
| |
| |
802.11 Intrusion Detection | |
| |
| |
Configuring PEAP and FreeRADIUS | |
| |
| |
Creating the Certificate Authority | |
| |
| |
Creating the RADIUS Server's Certificate | |
| |
| |
Configuring FreeRADIUS | |
| |
| |
Starting Up the RADIUS Server | |
| |
| |
Configuring the AP | |
| |
| |
Configuring Windows XP Clients | |
| |
| |
Configuring OS X Clients | |
| |
| |
Configuring Linux for PEAP Authentication | |
| |
| |
Common RADIUS Configuration Problems | |
| |
| |
Summary | |
| |
| |
| |
Hacking Additional Wireless Technologies | |
| |
| |
Case Study: PriorApproval | |
| |
| |
| |
Hacking Hotspots | |
| |
| |
Enumeration | |
| |
| |
Identifying Hotspot Clients | |
| |
| |
Hacking the Infrastructure | |
| |
| |
Client Attacks | |
| |
| |
Additional Resources | |
| |
| |
Summary | |
| |
| |
| |
The Potential Threat of Bluetooth | |
| |
| |
What Is Bluetooth? | |
| |
| |
How Far Does Bluetooth Reach? | |
| |
| |
What Sort of Functionality Does Bluetooth Have? | |
| |
| |
Problems with Bluetooth Security | |
| |
| |
Summary | |
| |
| |
| |
Advanced Attacks | |
| |
| |
Layer 2 Fragmentation | |
| |
| |
Breaking the Silence | |
| |
| |
Layer 2 and Layer 3 Resolution | |
| |
| |
IP | |
| |
| |
UDP | |
| |
| |
TCP | |
| |
| |
Device Driver Vulnerabilities | |
| |
| |
Summary | |
| |
| |
Index | |