awesome-wifi-security

A collection of (not-so, yet) awesome resources related to 802.11 security, tools and other things

Table of Contents

TKIP Security

Practical attacks against WEP and WPA (2008)

An Improved Attack on TKIP (2009)

Cryptanalysis of IEEE 802.11i TKIP

Enhanced TKIP Michael Attacks (2010)

Plaintext Recovery Attacks Against WPA/TKIP (2013)

Practical verification of WPA-TKIP vulnerabilities (2013)

On the security of RC4 in TLS (USENIX, 2013)

All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (USENIX, 2015)

A Security Analysis of the WPA-TKIP and TLS Security Protocols (PhD Thesis, 2016)

Predicting and Abusing WPA2/802.11 Group Keys (2016)

WiFi Protected Setup (WPS)

Papers

Brute forcing Wi-Fi Protected Setup (2011)

An Investigation into the Wi-Fi Protected Setup PIN of the Linksys WRT160N v2 (2012)

Offline bruteforce attack on WiFi Protected Setup (Pixie dust attack, 2014)

Tools

Pixiewps: An offline WPS bruteforce utility

Reaver-wps-fork-t6x: community edition of Reaver (which includes the Pixie Dust attack)

Bully: new implementation of the WPS brute force attack, written in C.

Online Cracking Services for PSK

WPA3

Dragonblood: A Security Analysis of WPA3’s SAE Handshake (2019)

WPA-Enterprise

Eduroam

MITM Attack Model against eduroam (2013)

A Practical Investigation of Identity Theft Vulnerabilities in Eduroam (2015)

Server Certificate Practices in Eduroam (2015): Best practice document

Evil Twin Vulnerabilities in Wi-Fi Networks (Bachelor Thesis, 2016)

eduroam FreeRADIUS Docker

Authentication protocols that DO support hashed passwords (FreeRADIUS mailing list)

EAP-PWD: Extensible Authentication Protocol (EAP) Authentication Using Only a Password

Attacks

KARMA

Attacking automatic Wireless network selection (2005)

Why do Wi-Fi Clients disclose their PNL for Free Still Today? (2015)

Instant KARMA might still get you (2015)

Evil Twin

Infernal twin

Evil Twin vulnerabilities in Wi-Fi networks (Master Thesis, 2016)

Wireless Routers

Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers (WOOT, 2015)

Keyspace List for WPA on Default Routers

Rogue AP

Documentation

Manna from heaven: Improving the state of rogue AP attacks (2015)

Tools

hostapd-mana: hostapd with the attacks described in Defcon 22, and with the ability to rogue EAP access points.

Privacy

Tracking

Tracking unmodified smartphones using Wi-Fi monitors (2012)

Show me your SSIDs; I will show who you are (2012)

Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes (2013, SIGCOMM)

I know who you will meet this evening! Linking wireless devices using Wi-Fi probe requests (2012)

Is Your Android Device Telling the World Where You've Been? (2014)

How talkative is your mobile device?: an experimental study of Wi-Fi probe requests (2015)

MAC Address Randomization

Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms (2016)

A Study of MAC Address Randomization in Mobile Devices and When it Fails (2017)