| |
| |
| Foreword | |
| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| |
| Overview | |
| |
| |
| Case Study: BuzzCorp | |
| |
| |
| Wireless Setup | |
| |
| |
| Wireless Risks and Security Controls | |
| |
| |
| |
| Wireless Security Overview | |
| |
| |
| Use and Spread of Wireless Technologies | |
| |
| |
| A Brief History of Wireless Technologies | |
| |
| |
| Basics of Wireless Technologies | |
| |
| |
| What Is Wireless? | |
| |
| |
| Standardization and Regulation | |
| |
| |
| Further Coverage | |
| |
| |
| The Risks of Wireless Technologies | |
| |
| |
| Advances in Wireless Security | |
| |
| |
| Summary | |
| |
| |
| |
| Radio Frequency | |
| |
| |
| RF Terminology | |
| |
| |
| Communications Systems | |
| |
| |
| Radio Frequency Signals | |
| |
| |
| Electromagnetic Waves | |
| |
| |
| Units of Measure | |
| |
| |
| Modulation | |
| |
| |
| Spread Spectrum and Multiplexing | |
| |
| |
| RF Hardware | |
| |
| |
| Antennas | |
| |
| |
| Amplifiers | |
| |
| |
| Government Regulations | |
| |
| |
| Wireless Standards | |
| |
| |
| Wireless LAN (802.11 a/b/g/n) | |
| |
| |
| Summary | |
| |
| |
| |
| Hacking 802.11 Wireless Technology | |
| |
| |
| Case Study: Riding the Insecure Airwaves | |
| |
| |
| |
| Introduction to 802.11 | |
| |
| |
| 802.11 History | |
| |
| |
| Wi-Fi vs. 802.11 | |
| |
| |
| 802.11 in a Nutshell | |
| |
| |
| The 802.11 MAC | |
| |
| |
| Features of the 802.11 MAC | |
| |
| |
| 802.11 Packet Types | |
| |
| |
| Control Packets | |
| |
| |
| Management Packets | |
| |
| |
| Data Packets | |
| |
| |
| Addressing in 802.11 Packets | |
| |
| |
| Interesting Fields Across Packets | |
| |
| |
| Finding and Connecting to Wireless Networks | |
| |
| |
| Locating Wireless Networks | |
| |
| |
| Connecting to a Wireless Network | |
| |
| |
| WPA/802.11i Background | |
| |
| |
| 802.11i Groundwork | |
| |
| |
| Extensible Authentication Protocol (EAP) | |
| |
| |
| Introduction to RADIUS | |
| |
| |
| 802.1X: Bringing EAP to the LAN | |
| |
| |
| 802.11i: Putting It All Together | |
| |
| |
| Authentication Using 802.11i | |
| |
| |
| Confidentiality in 802.11i | |
| |
| |
| Integrity in 802.11i | |
| |
| |
| Replay Protection in 802.11i | |
| |
| |
| Summary | |
| |
| |
| |
| 802.11 Discovery | |
| |
| |
| Discovery Basics | |
| |
| |
| Hardware and Drivers | |
| |
| |
| Background | |
| |
| |
| Chipsets | |
| |
| |
| Cards | |
| |
| |
| Drivers | |
| |
| |
| Antennas | |
| |
| |
| GPS | |
| |
| |
| Sumnary | |
| |
| |
| |
| Scanning and Enumerating 802.11 Networks | |
| |
| |
| Choosing an Operating System | |
| |
| |
| Windows | |
| |
| |
| Linux | |
| |
| |
| OS X | |
| |
| |
| Windows Discovery Tools | |
| |
| |
| NetStumbler | |
| |
| |
| AiroPeek | |
| |
| |
| Linux Discovery Tools | |
| |
| |
| Kismet | |
| |
| |
| Wellenreiter | |
| |
| |
| OS X Discovery Tools | |
| |
| |
| Kismac | |
| |
| |
| MacStumbler | |
| |
| |
| iStumbler | |
| |
| |
| Kismet on OS X | |
| |
| |
| Online Mapping Services (wigle, .kismac, Google Earth) | |
| |
| |
| Network Identifiers | |
| |
| |
| UNIX Sniffers | |
| |
| |
| Displaying a Saved pcap File | |
| |
| |
| Capturing Packets in Real-Time | |
| |
| |
| Wireshark Colors | |
| |
| |
| Summary | |
| |
| |
| |
| Attacking 802.11 Networks | |
| |
| |
| Basic Types of Attacks | |
| |
| |
| Security Through Obscurity | |
| |
| |
| Defeating WEP | |
| |
| |
| 802.11 Authentication Types | |
| |
| |
| Shared Key Authentication | |
| |
| |
| Open Authentication | |
| |
| |
| 802.1X Authentication | |
| |
| |
| Advanced Attacks Against WEP | |
| |
| |
| RC4 Encryption Primer | |
| |
| |
| Rogue APs | |
| |
| |
| How Windows Looks for Preferred Networks | |
| |
| |
| Other KARMA Improvements | |
| |
| |
| Attacking the Availability of Wireless Networks | |
| |
| |
| RTS/CTS Attacks | |
| |
| |
| Miscellaneous Wireless Attacks | |
| |
| |
| Summary | |
| |
| |
| |
| Attacking WPA-protected 802.11 Networks | |
| |
| |
| Breaking WPA/802.11i | |
| |
| |
| WPA/802.11i Background | |
| |
| |
| Attacking WPA/802.11i Enterprise Authentication | |
| |
| |
| EAP-TLS | |
| |
| |
| LEAP | |
| |
| |
| Tunneling EAP Techniques (PEAP/ EAP-TTLS) | |
| |
| |
| Summary | |
| |
| |
| |
| 802.11 Defense | |
| |
| |
| Direct 802.11 Defenses | |
| |
| |
| WEP | |
| |
| |
| Deploying WPA/WPA2 Securely | |
| |
| |
| Avoiding Layer Two Security Altogether | |
| |
| |
| VPN Protocol Overview | |
| |
| |
| 802.11 Intrusion Detection | |
| |
| |
| Configuring PEAP and FreeRadius | |
| |
| |
| Creating the Certificate Authority | |
| |
| |
| Creating the RADIUS Server's Certificate | |
| |
| |
| Configuring FreeRADIUS | |
| |
| |
| Starting Up the RADIUS Server | |
| |
| |
| Configuring the AP | |
| |
| |
| Configuring Windows XP Clients | |
| |
| |
| Configuring OS X Clients | |
| |
| |
| Configuring Linux for PEAP Authentication | |
| |
| |
| Common RADIUS Configuration Problems | |
| |
| |
| Summary | |
| |
| |
| |
| Hacking Additional Wireless Technologies | |
| |
| |
| Case Study: PriorApproval | |
| |
| |
| |
| Hacking Hotspots | |
| |
| |
| Enumeration | |
| |
| |
| Identifying Hotspot Clients | |
| |
| |
| Hacking the Infrastructure | |
| |
| |
| Client Attacks | |
| |
| |
| Additional Resources | |
| |
| |
| Summary | |
| |
| |
| |
| The Potential Threat of Bluetooth | |
| |
| |
| What Is Bluetooth? | |
| |
| |
| How Far Does Bluetooth Reach? | |
| |
| |
| What Sort of Functionality Does Bluetooth Have? | |
| |
| |
| Problems with Bluetooth Security | |
| |
| |
| Summary | |
| |
| |
| |
| Advanced Attacks | |
| |
| |
| Layer 2 Fragmentation | |
| |
| |
| Breaking the Silence | |
| |
| |
| Layer 2 and Layer 3 Resolution | |
| |
| |
| IP | |
| |
| |
| UDP | |
| |
| |
| TCP | |
| |
| |
| Device Driver Vulnerabilities | |
| |
| |
| Summary | |
| |
| |
| Index | |