Chapter 25 Further Reading: Wireless Network Attacks
Essential Books
"802.11 Wireless Networks: The Definitive Guide" by Matthew Gast (O'Reilly) The comprehensive technical reference for IEEE 802.11 wireless networking. Its second edition (2005) predates 802.11n and later amendments, but it remains the best resource for understanding the foundational protocols, frame types (management, control, data), and architecture that every wireless attack and defense in this chapter builds on.
"Wi-Fi Security" by Stewart Miller A focused treatment of wireless security concepts, attack techniques, and defensive measures. Covers WEP, WPA/WPA2, and enterprise wireless security with practical examples.
"Hacking Exposed Wireless: Wireless Security Secrets and Solutions" by Joshua Wright and Johnny Cache A practical guide to wireless security testing covering Wi-Fi, Bluetooth, and other wireless protocols. Includes hands-on attack and defense techniques, with tool coverage current as of its third edition.
"Kali Linux Wireless Penetration Testing Beginner's Guide" by Vivek Ramachandran and Cameron Buchanan (Packt) Vivek Ramachandran, founder of SecurityTube and Pentester Academy, provides a practical wireless penetration testing methodology with lab-based examples, from monitor mode and packet injection through WEP/WPA cracking and rogue access points.
Landmark Research Papers
"Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" by Mathy Vanhoef and Frank Piessens (CCS 2017) The original KRACK research paper. Essential reading for understanding the vulnerability (retransmitted handshake messages cause an already-installed key to be reinstalled, resetting its nonce and replay counter) and its implications, and for seeing why the earlier formal proofs of the four-way handshake did not rule it out: they modeled key negotiation but not key installation. Available at papers.mathyvanhoef.com.
"Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" by Mathy Vanhoef and Eyal Ronen (IEEE S&P 2020) The research paper documenting WPA3's initial vulnerabilities. Provides detailed technical analysis of timing and cache side-channel attacks on the SAE password element derivation, downgrade attacks against WPA3-Transition mode, and DoS vulnerabilities in the SAE handshake. The findings led the Wi-Fi Alliance to revise WPA3, adding the constant-time hash-to-element (H2E) method. Available at wpa3.mathyvanhoef.com.
"Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin, and Adi Shamir (2001) The seminal FMS paper. It showed that WEP's practice of prepending the per-packet IV to the RC4 key leaks key bytes through the first keystream byte, which is what made passive key recovery practical. Understanding FMS is essential for appreciating why WEP was fundamentally broken rather than merely misconfigured.
"Practical Attacks Against WEP and WPA" by Martin Beck and Erik Tews (2008) Introduced the first practical attack on WPA-TKIP (the Beck-Tews chopchop attack, which recovers the Michael MIC key and decrypts short packets such as ARP) and refined WEP cracking. The PTW attack itself, which cut the number of packets needed for WEP key recovery to tens of thousands, was published a year earlier in "Breaking 104 bit WEP in less than 60 seconds" by Tews, Weinmann, and Pyshkin (2007).
"PMKID Hash Attack Against WPA/WPA2" by Jens Steube (2018) The hashcat developer's description of the PMKID attack. The PMKID that an AP includes in the RSN information element of its first EAPOL message is HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC), which depends on no nonces, so a single frame from the AP, with no client present and no deauthentication, is enough material for an offline dictionary attack. Published on the hashcat forums.
Online Resources and Tools
Aircrack-ng Project Documentation The official aircrack-ng documentation (aircrack-ng.org) provides comprehensive guides for wireless monitoring, packet injection, handshake capture, and key cracking. The wiki includes tutorials, compatibility lists, and troubleshooting guides.
Kismet Wireless Documentation Kismet (kismetwireless.net) is the premier open-source wireless monitoring and intrusion detection tool. The documentation covers setup, configuration, and use for wireless security assessment and ongoing monitoring.
Hashcat Wiki: WPA/WPA2 Cracking The hashcat wiki provides detailed documentation on GPU-accelerated wireless password cracking, including hash extraction (the hcxtools utilities such as hcxpcapngtool convert captures to hash mode 22000, which handles both PMKID and four-way-handshake material and supersedes the older 2500 and 16800 modes), rule-based attacks, and mask attacks for WPA/WPA2.
Mathy Vanhoef's Research Page mathyvanhoef.com hosts Vanhoef's wireless security research, including KRACK, Dragonblood, FragAttacks (2021 Wi-Fi fragmentation vulnerabilities), and related tools and publications.
WiFi Pineapple Documentation (Hak5) Documentation for the WiFi Pineapple hardware platform, including modules for evil twin attacks, client deauthentication, and wireless reconnaissance. Available at docs.hak5.org.
Bettercap Documentation Bettercap (bettercap.org) provides unified documentation for its Wi-Fi, BLE, and network attack modules. The tool serves as an all-in-one platform for wireless security testing.
Bluetooth and BLE Security
"A Practical Introduction to BLE Security" by Sultan Qasim Khan NCC Group's research on BLE security, including the 2022 link-layer relay attack against Tesla vehicles and Kwikset/Weiser smart locks, which relays at the link layer with low enough latency to defeat the encrypted-link and latency-bounding defenses that proximity-based unlocking relied on. Available on NCC Group's research blog.
Bluetooth SIG Security Whitepapers The Bluetooth Special Interest Group publishes security specifications and implementation guidance at bluetooth.com. Essential for understanding the intended security model.
"BlueBorne: A New Class of Airborne Attacks" by Armis (2017) The original BlueBorne research documenting remote code execution and information-leak vulnerabilities in the Bluetooth stacks of Android, Linux, Windows, and iOS, exploitable without pairing or user interaction. Available at armis.com.
"KNOB Attack and BIAS Attack" research by Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen Papers documenting the Key Negotiation of Bluetooth (KNOB) attack (USENIX Security 2019), which forces the negotiated encryption key entropy down to one byte, and the Bluetooth Impersonation AttackS (BIAS, IEEE S&P 2020), which impersonate a previously paired device by abusing weaknesses in legacy and secure authentication. Available through the researchers' university publication pages.
Training Platforms and Certifications
Offensive Security Wireless Professional (OSWP) Offensive Security's wireless-focused certification, tied to the PEN-210 course (Foundations of Wireless Network Attacks), covers practical wireless penetration testing with a hands-on, proctored examination. Includes WPA/WPA2 cracking, evil twin attacks, and wireless security assessment methodology.
WiFi Pentesting Course by Vivek Ramachandran (SecurityTube / Pentester Academy) A comprehensive online course, associated with the SecurityTube Wi-Fi Security Expert (SWSE) track, covering wireless security from fundamentals through advanced attacks, with hands-on lab exercises.
TryHackMe Wireless Security Rooms TryHackMe offers guided rooms covering wireless security concepts, tool usage, and attack techniques in a browser-based environment.
Hack The Box Wireless Challenges HTB provides wireless security challenges that test practical skills in handshake capture, cracking, and wireless protocol analysis.
Hardware Resources
Compatible Wireless Adapters for Security Testing The aircrack-ng project maintains a compatibility list of wireless adapters that support monitor mode and packet injection. Key considerations include chipset (Realtek, Atheros, MediaTek), band support (2.4/5 GHz), and driver maturity. Verify a candidate adapter in practice with aircrack-ng's injection test (aireplay-ng -9 on the monitor interface) before relying on it in an assessment.
Proxmark3 for RFID/NFC Testing The Proxmark3 project (forum at proxmark.org, current firmware at github.com/RfidResearchGroup/proxmark3) provides documentation for the premier RFID/NFC security testing platform, covering both low-frequency (125 kHz) and high-frequency (13.56 MHz) card cloning and analysis.
Ubertooth One Open-source Bluetooth monitoring hardware with documentation at github.com/greatscottgadgets/ubertooth.
Community and Conferences
DEF CON Wireless Village The Wireless Village at DEF CON provides hands-on wireless security education, contests, and demonstrations. Past presentations and workshop materials are available online.
SharkFest (Wireshark Conference) Annual conference focused on packet analysis, including wireless protocol analysis workshops and presentations.
IEEE 802.11 Working Group The source of all 802.11 standards and amendments. Standards documents are available through IEEE (standards.ieee.org) and provide the authoritative specification for wireless protocol behavior; published 802.11 standards can be downloaded at no cost through the IEEE GET Program.
Recommended Practice Sequence
- Begin with aircrack-ng tutorials and practice WEP cracking on a lab network (WEP is gone from serious deployments, but the exercise teaches monitor mode, injection, and capture analysis)
- Progress to WPA2 four-way handshake capture and PMKID capture, then crack them offline against known weak passwords
- Study KRACK and Dragonblood papers to understand protocol-level vulnerabilities
- Practice evil twin attacks against your own test network
- Explore BLE security using nRF Connect and basic BLE scanning
- Study Kismet for wireless monitoring and intrusion detection
- Consider the OSWP certification for formal skill validation