You think your Wifi is Safe?
Rob Gillen
@argodev
CodeStock is proudly partnered with:
RecruitWise and Staff with Excellence - www.recruitwise.jobs

Send instant feedback on this session via Twitter:
Send a direct message with the room number to @CodeStock
d codestock 406 This session is great!

For more information on sending feedback using Twitter while at
CodeStock, please see the “CodeStock README” in your CodeStock guide.
what we do
 consulting, training, design, debugging

who we are
 Founded by top experts on Microsoft – Jeffrey Richter, Jeff Prosise, and John Robbins – our
 mission is to help our customers achieve their goals through advanced software-based
 consulting and training solutions.

how we do it
 Consulting & Debugging
 • Architecture, analysis, and design services
 • Full lifecycle custom software development
 • Content creation
 • Project management
 • Debugging & performance tuning
 Training
 • On-site instructor-led training
 • Virtual instructor-led training
 • Devscovery conferences
 Design
 • User Experience Design
 • Visual & Content Design
 • Video & Animation Production

wintellect.com
Don’t Be Stupid
The following presentation describes
real attacks on real systems. Please
note that most of the attacks
described would be considered ILLEGAL
if attempted on systems that you do
not have explicit permission to test
and attack. I assume no responsibility
for any actions you perform based on
the content of this presentation or
subsequent conversations. Please
remember this basic guideline: With
knowledge comes responsibility.
Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.
Overview
• Pre-Requisite Knowledge
• Various Security Approaches
• Tools and Attacks
Required Gear
• Network Adapter that supports
  “Monitor” mode.
  – Equivalent to promiscuous mode on a
    normal NIC
• Windows, Mac, or Linux
  – Linux tools tend to be more readily
    available
Wireless Packet Frames
• Management Frames
  – Authentication
  – De-authentication
  – Association Request
  – Association Response
  – Re-association Request
  – Re-association Response
  – Disassociation
  – Beacon
  – Probe Request
  – Probe Response
• Control Frames
  – Request to Send (RTS)
  – Clear to Send (CTS)
  – Acknowledgment (ACK)
• Data Frames
Packet Sniffing
• Filters:
  – wlan.fc.type
    • == 0 (mgmt frames)
    • == 1 (control frames)
    • == 2 (data frames)
  – wlan.fc.subtype
    • == 8 (beacons)
• (wlan.fc.type == 0) &&
  (wlan.fc.subtype == 8)
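How those type/subtype values are read from the first byte of a raw 802.11 frame, and how a monitoring sensor can use them to flag a burst of de-authentication frames aimed at one client. This is an added example, not part of the original slides; it assumes the radiotap header has already been stripped, and the frames, MAC addresses, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque

# (type, subtype) -> name, using the frame names from the frames slide.
SUBTYPES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "re-association request", (0, 3): "re-association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication",
    (0, 12): "de-authentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
}
TYPES = {0: "management", 1: "control", 2: "data"}


def classify(frame):
    """Return (type, subtype, name) from the first frame-control byte.

    These are the values Wireshark exposes as wlan.fc.type / wlan.fc.subtype.
    """
    if len(frame) < 2:
        raise ValueError("frame is shorter than the frame control field")
    ftype = (frame[0] >> 2) & 0x3      # bits 2-3
    subtype = (frame[0] >> 4) & 0xF    # bits 4-7
    name = SUBTYPES.get((ftype, subtype), TYPES.get(ftype, "other"))
    return ftype, subtype, name


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def deauth_bursts(frames, threshold=5, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame), in time order.

    Returns the sorted (bssid, destination) pairs that saw at least
    `threshold` deauth/disassociation frames within `window` seconds.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, frame in frames:
        ftype, subtype, _ = classify(frame)
        if ftype != 0 or subtype not in (10, 12) or len(frame) < 24:
            continue
        # Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
        key = (mac(frame[16:22]), mac(frame[4:10]))  # addr3 = BSSID, addr1 = destination
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            flagged.add(key)
    return sorted(flagged)


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a constructed management frame (test data only)."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


# Constructed capture: a beacon, one ordinary deauth, then 8 deauths in 0.35 s.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
OTHER = bytes.fromhex("020000000003")
SAMPLE = (
    [(0.0, mgmt_frame(8, b"\xff" * 6, AP, AP))]
    + [(0.5, mgmt_frame(12, OTHER, AP, AP, b"\x03\x00"))]
    + [(2.0 + i * 0.05, mgmt_frame(12, STA, AP, AP, b"\x07\x00")) for i in range(8)]
)

if __name__ == "__main__":
    for bssid, dst in deauth_bursts(SAMPLE):
        print(f"deauth burst: bssid={bssid} destination={dst}")
```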
Packet Sniffing
• Determine the channel of the
  network we are interested in
  – required for sniffing data packets
  – airodump-ng
• iwconfig mon0 channel 11 (demo
  pre/post)
Packet Injection
• aireplay-ng
  – Inject packets onto a specific
    wireless network without specific
    association to that network
  – Can target specific channels, mask
    MAC addresses, etc.
  – Does not require association
Regulatory Issues
• Available Channels
• Radio Power Levels
  – iw reg set US
  – iw reg set BO
DEMO: Hidden SSID
• Show packet capture with the SSID
• Hide SSID
• Prove it is now hidden
• Solve for X
  – Passive (wait for valid client) –
    wireshark filter
  – Use aireplay-ng to send deauth packet to
    force the discovery
• Probe Request/Probe Response packets
DEMO: MAC Filters
• Enable MAC Filtering on the WAP
• Prove that a client cannot connect
• Use airodump-ng to show associated
  clients
• Use macchanger to spoof the
  whitelisted address and connect.
DEMO: Shared Key Authentication
• Illustration (steal picture from
  Wikipedia/netgear?)
• Configured AP for Shared Key/Update
  Client
• Use airodump-ng to capture/log the
  authentication scheme + keystream
  – Wait for valid client or send deauth pkt
• Use aireplay-ng to pass back the
  captured auth pkt
• TIP: DoS by filling up AP tables
  (wrapper around aireplay-ng)
DEMO: WEP Encryption
• Capture data packets (ARP) from a
  known/trusted client (airodump-ng)
• Replay them/re-inject between
  10-100,000 times (aireplay-ng)
• Crack them (aircrack-ng)
• “Guaranteed” crack
DEMO: WPA/2 Encryption
• Vulnerable to dictionary attacks
• Collect authentication handshake
• Select dictionary file and run the
  cracker
• Works for WPA, WPA2, AES, TKIP
Tools
• Jasager (Pineapple IV)
• I can be anything you want
  me to be
Man-In-The-Middle
Tools
• Reaver Pro (WPS Exploit)
• 4-10 hours and your network
  is mine
What is Safe?
• Stop using Wi-Fi
• Avoid open Wi-Fi networks
• Always use SSL
• Use VPN
• Disable Auto-Connect… on *all*
  devices
• Hard/complex network keys
• WPA-Enterprise / RADIUS / PEAP /
  EAP-TTLS
• Disable WPS!
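The checklist above and the weaknesses shown in the demos, turned into an audit of an access point configuration. This is an added example, not part of the original slides; it assumes the AP runs hostapd and reads hostapd.conf keys, and both sample configurations and the passphrase length threshold are constructed for illustration.

```python
MIN_PSK_LEN = 20  # assumed policy threshold, not a value from the slides


def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of (code, message) findings; only explicit settings are checked."""
    conf = parse_conf(text)

    def num(key):
        try:
            return int(conf.get(key, "0"))
        except ValueError:
            return 0

    findings = []
    if num("ignore_broadcast_ssid"):
        findings.append(("HIDDEN_SSID", "hidden SSID is revealed by client probe/association traffic"))
    if num("macaddr_acl") == 1:
        findings.append(("MAC_FILTER", "MAC allow-list can be bypassed by spoofing an allowed address"))
    if num("auth_algs") & 2:
        findings.append(("SHARED_KEY", "shared key authentication is enabled"))
    if "wep_key0" in conf:
        findings.append(("WEP", "WEP key configured"))
    elif num("wpa") == 0:
        findings.append(("OPEN", "no WPA/WPA2 configured"))
    else:
        key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
        passphrase = conf.get("wpa_passphrase")
        if "WPA-PSK" in key_mgmt and passphrase is not None and len(passphrase) < MIN_PSK_LEN:
            findings.append(("WEAK_PSK", "short passphrase is exposed to dictionary attacks"))
    if num("wps_state"):
        findings.append(("WPS", "WPS is enabled; set wps_state=0"))
    return findings


# Constructed configuration showing the settings the demos defeat.
WEAK = """
ssid=lab-ap
ignore_broadcast_ssid=1
macaddr_acl=1
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2012
wps_state=2
"""

# Constructed configuration following the checklist (WPA-Enterprise, WPS off).
HARDENED = """
ssid=lab-ap
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
wps_state=0
"""

if __name__ == "__main__":
    for code, message in audit(WEAK):
        print(f"{code}: {message}")
```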
Equipment List
• Two Laptops
• Any Wireless Access Point
• Alfa Card
  http://www.amazon.com/gp/product/B002BFMZR8
• Yagi Antenna
  http://www.amazon.com/gp/product/B004L0TKW4
• Reaver Kit
  http://hakshop.myshopify.com/products/reaver-pro
• WiFi Pineapple
  http://hakshop.myshopify.com/collections/frontpage/products/wifi-pineapple
Learning More
• http://www.securityfocus.com
• http://www.aircrack-ng.org
• http://raulsiles.com/resources/wifi.html
• http://www.willhackforsushi.com
Questions/Contact


Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev
