
Offensive Security

Wireless Attacks

Mati Aharoni

Devon Kearns

Thomas d'Otreppe de Bouvette

Course Overview

The wireless industry continues to grow in leaps and bounds, with more and more gadgets evolving to be wireless. Access points, media centers, phones, and even security systems are commonplace in the average household. Unfortunately, the security that is implemented on wireless equipment is often lacking, resulting in severe security vulnerabilities.
In practice, many companies and organizations still use and deploy vulnerable wireless gear, often in their default configurations. This is most often due to poor security awareness or a lack of understanding of the risks and ramifications.
This course was created in an attempt to organize and summarize today's relevant Wi-Fi attacks and will provide you with a solid understanding of wireless insecurities along with the latest tools and techniques used to exploit these

Please read the following very carefully:
There are HARDWARE prerequisites for this course. Each student is expected to purchase or previously own a wireless access point and a suitable "injection capable" wireless card. To ensure hardware compatibility, we recommend the use of an access point that can be configured with WPA/WPA2 encryption and WEP encryption with both open and shared key authentication. The ALFA Networks 500mW USB card is also strongly recommended. Please refer to our "recommended hardware" for this course at the following: http://www.offensive-security.com/wifu_hardware.php
Please note that Offensive Security does not sell hardware. We merely recommend the hardware models that are known to work for this course.
A modern laptop or desktop is required that can boot and run BackTrack.
The student must have a solid understanding of TCP/IP and the OSI model as well as a reasonable level of familiarity with Linux in order to complete the
A fast Internet connection is required to download the course videos.
Course Description

Offensive Security Wireless Attacks, also known as "WiFu", is a course designed for penetration testers and security enthusiasts who need to learn to implement various active and passive wireless attacks.
It is vital that you meet the technical prerequisites as stated above; otherwise you might find yourself lost as the course progresses. In many cases, previous knowledge is assumed and theoretical explanations are shortened or referenced rather than thoroughly explained.
Please note, we do not have a refund policy - it is your responsibility to ensure you meet the mentioned technical requirements. However, if you do meet the technical requirements, this course will very quickly expose you to the world of wireless insecurity and teach you the inner workings, tools, and methodologies of modern day attackers.

Course Objectives

The student will gain insight into the wireless offensive security field, which will expand awareness for the need of real world security solutions.
The student will learn to implement attacks against WEP encrypted
The student will learn to implement attacks against WPA encrypted
The student will learn to implement advanced attacks such as PRGA key extraction and one-way packet injection.
The student will learn alternate WEP and WPA cracking techniques.
The student will be introduced to various wireless reconnaissance tools and learn to implement different rogue access point attacks.
The student will be familiarized with the BackTrack wireless tools

Successful completion of the certification exam earns the student the Offensive Security Wireless Professional (OSWP) certification.
The certification exam requires the student to connect to our examination labs and attack WEP and WPA networks under various hardened configurations.
Upon successful completion of the exam, the student will receive an OSWP certificate, which testifies to their competency in attack methods and techniques in WEP and WPA environments.

Course Outline
A Note from the Author
Before we Begin
1. IEEE 802.11
1.1 IEEE
1.1.1 Committees
1.1.2 IEEE 802.11
1.2 802.11 Standards and Amendments
1.3 Main 802.11 Protocols
1.3.1 Detailed Protocol Descriptions
2. Wireless Networks
2.1 Wireless Operating Modes
2.1.1 Infrastructure Network
2.1.2 Ad-Hoc Network
2.1.3 Wireless Distribution System
2.1.4 Monitor Mode
3. Packets and Network Interaction
3.1 Wireless Packets - 802.11 MAC Frame
3.1.1 Header
3.1.2 Data
3.1.3 FCS
3.2 Control Frames
3.2.1 Common Frames
3.3 Management Frames
3.3.1 Beacon Frames
3.3.2 Probe Frames
3.3.2 Authentication
3.3.3 Association/Reassociation
3.3.4 Disassociation/Deauthentication
3.3.5 ATIM
3.3.6 Action Frames
3.4 Data Frames
3.4.1 Most Common Frames
3.5 Interacting with Networks
3.5.1 Probe
3.5.2 Authentication
3.5.3 Association
3.5.4 Encryption
4. Getting Started
4.1 Choosing Hardware
4.1.1 Adapter Types
4.1.2 dB, dBm, dBi, mW, W
4.1.3 Antennas
4.2 Choosing a Wireless Card
4.2.1 Alfa AWUS036H
4.3 Choosing an Antenna
4.3.1 Antenna Patterns
5. Linux Wireless Stack and Drivers
5.1 ieee80211 vs. mac80211
5.1.1 ieee80211
5.1.2 mac80211
5.2 Linux Wireless Drivers
5.2.1 Resolving AWUS036H Issues
5.2.2 Loading and Unloading Drivers
5.2.3 mac80211 Monitor Mode
5.2.4 ieee80211 Monitor Mode
6. Aircrack-ng Essentials
6.2 Airmon-ng
6.2.1 Airmon-ng Usage
6.2.2 Airmon-ng Usage Examples
6.2.2 Airmon-ng Lab
6.3 Airodump-ng
6.3.1 Airodump-ng Usage
6.3.3 Precision Airodump-ng Sniffing
6.3.4 Airodump-ng Troubleshooting
6.3.5 Airodump-ng Lab
6.4 Aireplay-ng
6.4.1 Aireplay-ng Usage
6.4.2 Aireplay-ng Troubleshooting
6.4.3 Optimizing Aireplay-ng Injection Speeds
6.5 Injection Test
6.5.1 Injection Test Usage
6.5.2 Aireplay-ng Lab
7. Cracking WEP with Connected Clients
7.1 Initial Attack Setup
7.1.1 Airmon-ng
7.1.2 Airodump-ng
7.2 Aireplay-ng Fake Authentication Attack
7.2.1 Fake Authentication Usage
7.2.2 Fake Authentication Troubleshooting
7.2.3 Running the Fake Authentication Attack
7.2.4 Fake Authentication Lab
7.3 Aireplay-ng Deauthentication Attack
7.3.1 Deauthentication Attack Usage
7.3.2 Deauthentication Troubleshooting
7.3.3 Running the Deauthentication Attack
7.3.4 Deauthentication Lab
7.4 Aireplay-ng ARP Request Replay Attack
7.4.1 What is ARP?
7.4.2 ARP Request Replay Usage
7.4.3 Running the ARP Request Replay Attack
7.4.4 ARP Request Replay Attack Lab
7.5 Aircrack-ng
7.5.1 Aircrack-ng 101
7.5.2 Aircrack-ng Usage
7.5.3 Aircrack-ng Troubleshooting
7.5.4 Running Aircrack-ng
7.5.5 Aircrack-ng Lab
7.6 Classic WEP Cracking Attack Summary
8. Cracking WEP via a Client
8.1 Attack Setup
8.1.1 Attack Setup Lab
8.2 Aireplay-ng Interactive Packet Replay Attack
8.2.1 Natural Packet Selection
8.2.2 Modified Packet Replay
8.2.3 Running the Interactive Packet Replay Attack
8.2.4 Interactive Packet Replay Lab
8.3 Cracking the WEP Key
8.3.1 Lab
8.4 Cracking WEP via a Client Attack Summary
9. Cracking Clientless WEP Networks
9.1 Attack Assumptions
9.2 Attack Setup
9.2.1 Attack Setup Lab
9.3 Aireplay-ng Fragmentation Attack
9.3.1 Fragmentation Attack Usage
9.3.2 Fragmentation Attack Troubleshooting
9.3.3 Running the Fragmentation Attack
9.3.4 Fragmentation Attack Lab
9.4 Packetforge-ng
9.4.1 Packetforge-ng Usage
9.4.2 Running Packetforge-ng
9.4.3 Packetforge-ng Lab
9.5 Aireplay-ng KoreK ChopChop Attack
9.5.1 ChopChop Theory
9.5.2 Aireplay-ng KoreK ChopChop Usage
9.5.3 Running the KoreK ChopChop Attack
9.5.4 KoreK ChopChop Attack Lab
9.6 Interactive Packet Replay and Aircrack-ng
9.6.1 Interactive Packet Replay
9.7 Clientless WEP Cracking Lab
9.8 Clientless WEP Cracking Attack Summary
10. Bypassing WEP Shared Key Authentication
10.2 Attack Setup
10.2.1 Attack Setup Lab
10.3 Aireplay-ng Shared Key Fake Authentication
10.3.1 Deauthenticate a Connected Client
10.3.2 Shared Key Fake Authentication
10.3.3 Running the Shared Key Fake Authentication
10.3.4 Shared Key Fake Authentication Lab
10.4 ARP Request Replay and Aircrack-ng
10.4.1 ARP Request Replay
10.4.2 Aircrack-ng
10.5 Bypassing WEP Shared Key Authentication Lab
10.6 WEP Shared Key Authentication Attack Summary
11. Cracking WPA/WPA2 PSK with Aircrack-ng
11.1 Attack Setup
11.1.1 Attack Setup Lab
11.2 Aireplay-ng Deauthentication Attack
11.2.1 Four-way Handshake Troubleshooting
11.2.2 Deauthentication Attack Lab
11.3 Aircrack-ng and WPA
11.3.1 "No valid WPA handshakes found"
11.3.2 Aircrack-ng and WPA Lab
11.4 Airolib-ng
11.4.1 Airolib-ng Usage
11.4.2 Using Airolib-ng
11.4.3 Airolib-ng Lab
11.5 Cracking WPA Attack Summary
12. Cracking WPA with JTR and Aircrack-ng
12.1 Attack Setup
12.1.1 Attack Setup Lab
12.2 Editing John the Ripper Rules
12.2.1 Word Mangling Lab
12.3 Using Aircrack-ng with John the Ripper
12.4 John the Ripper Lab
12.5 Aircrack-ng and JTR Attack Summary
13. Cracking WPA with coWPAtty
13.1 Attack Setup
13.1.1 Attack Setup Lab
13.2 coWPAtty Dictionary Mode
13.3 coWPAtty Rainbow Table Mode
13.4 coWPAtty Lab
13.5 coWPAtty Attack Summary
14. Cracking WPA with Pyrit
14.1 Attack Setup
14.1.1 Attack Setup Lab
14.2 Pyrit Dictionary Attack
14.3 Pyrit Database Mode
14.4 Pyrit Lab
14.5 Pyrit Attack Summary
15. Additional Aircrack-ng Tools
15.1 Airdecap-ng
15.1.1 Airdecap-ng Usage
15.1.2 Removing Wireless Headers
15.1.3 Decrypting WEP Captures
15.1.4 Decrypting WPA Captures
15.1.5 Airdecap-ng Lab
15.2 Airserv-ng
15.2.1 Airserv-ng Usage
15.2.2 Using Airserv-ng
15.2.3 Airserv-ng Troubleshooting
15.2.4 Airserv-ng Lab
15.3 Airtun-ng
15.3.1 Airtun-ng Usage
15.3.2 Airtun-ng wIDS
15.3.3 Airtun-ng WEP Injection
15.3.4 Airtun-ng PRGA Injection
15.3.5 Connecting to Two Access Points with Airtun-ng
15.3.6 Airtun-ng Repeater Mode
15.3.7 Airtun-ng Packet Replay Mode
15.3.8 Airtun-ng Lab
16. Wireless Reconnaissance
16.1 Airgraph-ng
16.1.1 CAPR
16.1.2 CPG
16.2 Kismet
16.3 GISKismet
16.4 Wireless Reconnaissance Lab
17. Rogue Access Points
17.1 Airbase-ng
17.1.1 Airbase-ng Usage
17.1.2 Airbase-ng Shared Key Capture
17.1.3 Airbase-ng WPA Handshake Capture
17.2 Karmetasploit
17.2 Karmetasploit Configuration
17.3 Man in the Middle Attack
17.4 Rogue Access Points Lab
Appendix A: Cracking WEP via a Client - Alternate Solutions
A.1 Pulling Packets from Captured Data
A.2 Creating a Packet from a ChopChop Attack
Appendix B: ARP Amplification
B.1 Equipment Used
B.2 One for One ARP Packets
B.3 Two for One ARP Packets
B.4 Three for One ARP Packets