The document is a comprehensive guide on wireless networking, detailing the fundamentals of Wireless LAN (WLAN), its security protocols like WEP and WPA, and common vulnerabilities. It covers topics such as wireless sniffing, authentication processes, and various attack methods including WPS attacks and advanced techniques like PixieWPS. The author also provides essential security tips to safeguard wireless networks and acknowledges various resources for further learning.

1. HACKING WIRELESS
NETWORKS
THE IN DEPTH STORY OF WHAT ARE WE HACKING
BY : MANDEEP SINGH JADON
( InfoSec enthusiastic)

2. WHO AM I ?
 Mandeep Singh jadon
 Unfortunate things about me :
 Doing a unique thing called “BTECH”
 From UPTU
 Fortunate things about me
 I troll 
 Founder at Ultimate 1337 trolls (https://www.facebook.com/1337trolls/)
 Am into the Infosec field
 Part time bug bounty hunter
 Eager to learn new stuff
 I am passionate about singing 
 I am a Facebook Addict 

3. What this session will cover
 What is WLAN .
 Basic Terminologies .
 Wireless Sniffing
 Details Of Wlan from a networking perspective
 Security Measures Like Mac SSID Hiding and Mac Filters
 Bypassing them
 WLAN Authentication
 WEP And WPA in detail
 Cracking Them
 Introduction to WPS Attack
 New trends in Wireless Attacks (Takeaways)
 Security tips
 And Trolls …. Lot Of Trolls ……

4. What is WLAN ??
 A Wireless local area network (WLAN) links two or more devices using
some wireless distribution method and usually providing a connection
through an access point to the wider Internet .
 Most modern WLANs are based on IEEE 802.11 standards, marketed under
the Wi-Fi brand name.

5. Terminologies in WLAN
Access Point (AP) - A network device that serves as a communications
"hub" for wireless clients. (basically known as router) .
Basic service set (BSS) - It is a set of all stations that can communicate with
each other. Every BSS has an identification (ID) called the BSSID, which is
the MAC address of the access point servicing the BSS.
SSID (Service Set Identity) - It is also known as the "wireless network
name", the SSID is a 32 character, case sensitive name given to a Basic Service
Set established by an access point.

6. Continued …
WEP (Wireless Encryption Protocol) - WEP is a mechanism for authenticating
WLAN clients and for end data encryption in 802.11wireless LANs.
WPA (Wi-Fi Protected Access) – It is introduced during 2006 by the Wi-
Fi Alliance, WPA employs techniques developed by Cisco and others, namely TKIP
and MIC, to generate unique and dynamic keys for WEP's RC4-based encryption.
Beacon frame - It is one of the management frames in IEEE 802.11 based
WLANs. It contains all the information about the network. Beacon frames are
transmitted periodically to announce the presence of a wireless LAN. Beacon
frames are transmitted by the Access Point (AP) in an infrastructure BSS.

7. Continued ..
 IEEE 802.11 – It is a set of media access control (MAC) and physical
layer (PHY) specifications for implementing wireless local area
network (WLAN)
 4 Way Handshake – It’s a cryptographic message exchange between the
AP and The client which authenticates the client to connect to the AP

8. SO WHY WIRELESS SECURITY????
• Everyday we’ve been using wifi for our day to day
work such as Social media , banking ,
development, research , education and endless
other things.
• Sensitive information is literally flowing in air
inviting hackers to intrude them .

9. The awful challenges in wireless !!
 You can’t see it , so how will you protect it :p
 With the arrival of wireless cards , the malicious guy can break into the
network miles away !!! (Passive)
 Very difficult to locate the attacker .
 (Directional Antennae )

10. Wireless Sniffing
 Exactly same as wired sniffing .
 “The promiscuous mode” 
 Listens all the traffic whether it is destined to that or not .
HOW DO WE DO ???
AIRMON-NG 
DEMO !!

11. The Band and Channel theory
 WLAN Operate following bands
 2.4 GHz (802.11b/g/n)
 3.6 GHz (802.11y)
 4.9 GHz (802.11y) Public Safety WLAN
 5 GHz (802.11a/h/j/n/ac)
 Each band is divided to various channels .
 AT ANY TIME YOUR WIRELESS INTERFACE CAN BE ONY AT ONE CHANNEL
 Problem ??? Lets Hop with airodump-ng 

12. Channel Ranges for the Bands

13. DEMO TIME

14. WLAN PACKET TYPES
 3 Types
i. Management
ii. Control
iii. Data
 Read more :
http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_pa
cket_types
 In case you’re thirsty http://standards.ieee.org/about/get/802/802.11.html

15. Beacon frame
 Beacon frame is one of the management frames in IEEE 802.11 based WLANs. It
contains all the information about the network. Beacon frames are transmitted
periodically to announce the presence of a wireless LAN. Beacon frames are
transmitted by the Access Point (AP) in an infrastructure Basic service set (BSS).
(wikipedia)
 YES . . . . EVERYTHING IS IN PLAINTEXT

16. Demo time !!
ANALYSIS Of Beacon Frames
Analysis of Beacon Frames
Injecting Arbitrary Beacon frames in the
network (MDK)

17. AP AND CLIENT COMMUNICATION
The behind the scenes of whats
happening .
Courtesy : IEEE docs

18. Don’t believe until you see ….

19. Now we HACK !!!!!!!!! 
 Security measure : Hidden SSID
 Blocking the SSID broadcasting in the beacon frames
 But is it a security measure ? ? ?
 Really ??
 I mean really ?? :p
 Lets see a DEMO

20. Where is the actual problem ?
 The “probe request ” and “Probe response” contains the SSID
 Whenever a legitimate client connects to the AP it has previously
connected to , it will send these probe request packets .
 Airodump would see these packets and would figure out the things for us

 ATTACK SENARIO
a. Non violence type
b. Violence type
AGAIN DEMO 

21. Security Measure : Mac Filters
 In computer networking, MAC Filtering (or GUI filtering, or layer 2
address filtering) refers to a security access control method whereby the
48-bit address assigned to each network card is used to determine access
to the network. (wiki)
 How does it work in wireless ?
 Whitelisting the allowed mac in the AP .
but ……………
Are they really secure ….. Really ?? :p

22. The Problem
 Mac address cannot be changed , but can be spoofed very easily
 Since Mac will be the only auth mechanism in the current case , so once it
is spoofed we can enter the network .
 Mac addresses are visible in the WLAN Header so the attacker can easily
get the legitimate MAC .
 In the wireless world it simply does not make sense :p
 TWO ATTTACK scenarios
a) Gandhi Attack
b) Bhagat singh Attack

23. WLAN AUTHENTICATION
 Two types :
i. Open Auth
ii. Shared Auth
 OPEN AUTH
No auth at all
Simple 2 packet exchange between the client and the AP 

24. Shared Authentication

25. WEP ? Why care for it ?

26. WEP Algorithm !!
Two processes are applied to the plaintext data.
One encrypts the plaintext; the other protects the
data from being modified by unauthorized
personnel. The 40-bit secret key is connected with
a 24-bit Initialization Vector (IV) resulting in a 64-
bit total key size
The PRNG ( RC4 ) outputs a pseudo random key
sequence based on the input key. The resulting
sequence is used to encrypt the data by doing a
bitwise XOR.
To prevent unauthorized data modification,
an integrity algorithm , CRC-32 operates on the
plaintext to produce the ICV
1. WEP ENCRYPTION

27. The IV, plaintext, and ICV triplet forms the
actual data sent in the data frame.

28. 2. WEP Decryption
The IV of the incoming message is used to
generate the key sequence necessary to
decrypt the incoming message. Combining the
ciphertext with the proper key sequence will
give the original plaintext and ICV .
The decryption is verified by performing the
Integrity check algorithm on the recovered
plaintext and comparing the output of the ICV'
to the ICV submitted with the message.
If the ICV' is not equal to the ICV, the received
message is in error, and an error indication is
sent to the MAC management and back to the
sending station

29. WEP CRACKING
 The IVS are not all strong . Some are “Weak IV” (cryptographically) .
 So to crack WEP collect a large no. of these weak IVS (not uniformly
distributed) .
 DEMO TIME !!

30. WPA/WPA2 (The Current Trend)

31. Prerequisite ….
 PBKDF2 (Used to generate PSKs Dynamically each time the supplicant
connects to the authenticator )
 key = PBKDF2(passphrase, SSID, 4096, 256)
 It uses the HMAC algorithm to create a digest of the input.
http://www.ietf.org/rfc/rfc2898.txt :)

32. Yeah !!!! The 4 way handshake

33. Don’t believe until you see !!!
Lets see the 4 way handshake with
the eyes of wireshark !!

34. WPA PSK Cracking
Things we know :
 SNONCE 
 ANONCE 
 AP MAC 
 CLIENT MAC 
Things we don’t know
 The Damn Passphrase 
We’ll capture the handshake and generate our own
PTK and match with the PTK of the current session .
That’s it .

35. DEMO TIME (Cracking WPA/WPA2
PSK)
STEPS :
1. Start up the monitor mode .
2. Capture the air .
3. Get the handshake
4. Use aircrack to do the dictionary attack against the
handshake 

36. IF you are lucky : WPS enabled AP
 WPS stands for Wi-Fi Protected Setup and it is a wireless networking
standard that tries to make connections between a router and wireless
devices faster and easier. It works only for wireless networks that have WPA
Personal or WPA2 Personal security .
 How WPS Works
o Every router that supports WPS has a an eight-digit device pin printed on
the back. When you try to connect a wireless laptop or wireless printer to
your wireless network, it will ask you for that 8 digit pin
o They Split the 8 digits into 2 sets of 4. All that has to happen now is the first
4 have to be found first. 4 digits only have a 10,000 possible number
combination. Once the first 4 numbers are found, the router proclaims “
You've found the first four “ 
o Short Demo ……

37. Advanced Attacks … (Takeaways)
 The most recent one . PIXIEWPS (https://github.com/wiire/pixiewps) .
 Evil Twin attack .
 Rogue AP Attack .
 Jamming
 Cloud Cracking (eg using Amazon EC2 engine)

38. Safety Techniques .
Keep in mind you can be hacked Anytime …… :p
 Always use WPA2 PSK encryption accompanied by
Mac Filtering .
 Turn off WPS .
 Do keep an eye on the network in which you are
currently connected to .
 Keep a check on the connected clients .
 Periodically change the SSID as well as the Key .
 Change the Default Router Password .
 Laptop physical security should be maintained
 Use VPN in public WIFI .
 Disable DHCP if you can . (My personal tip  )

39. Acknowledgements .
 standards.ieee.org
 www.securitytube.net
 Wikipedia.org

40. Ways to reach me
 https://www.facebook.com/mandeep.jadon.5
 https://twitter.com/1337tr0lls
 https://www.linkedin.com/in/mandeepjadon
 https://github.com/mandeepjadon (I do a bit coding too  )
Feedbacks are always a motivational force 

41. THANKS 