In this HakTip from DEFCON 19 Darren is joined by Mark Wuergler of Immunity to demo Silica, a wireless security assessment tool he has been developing.

Download HD Download MP4 Download WMV

In the demo Wuergler uses Silica to launch a client side attack on an Android phone.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

I want to take a minute to tell you about BustedTees. It doesn’t matter if you’re into video games, movies, science-fiction or just wrapping your torso with something weird, BustedTees literally has you covered. You may have seen a BustedTee or two pop up in movies and TV shows. Now you can grab one for yourself. Head on over to BustedTees dot com to find the shirt of your dreams — your bizarre, hilarious dreams. Enter the promo code “HAK5” and receive 20% off your order

Today we’re continuing our discussion on wireless management frames with probe requests and responses.

Download HD Download MP4 Download WMV

Probes come in two flavors; requests and responses. Let’s begin with the request.

A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.

The information being requested in a probe includes the supported data rates, which are also included in the beacon frames typically broadcast from an access point.

The difference here being that by sending a probe request your wireless card is making an active scan of either a specific network or all networks in the area, where as simply listening for beacon frames in considered a passive scan

Today we’ll demonstrate an active scan and we’ll disect the probe requests and responses.

So this brings us to the responses. Typically when an access point hears a probe request frame, either directed at the specific access point or to all stations in the area using the broadcast SSID, it will send out a probe response.

Similar to a beacon frame, we’ll find that these probe responses contain much of the same information required for two stations to begin communicating.

To begin our demo we’ll start by once again bringing up our fake access point with airbase-ng. Start by bringing up the interface ifconfig wlan0 up and starting a monitor mode interface on channel 11 airmon-ng start wlan0 11. Now we’ll issue airbase-ng -c 11 -e haktip mon0

So to recap our configuration we have our first radio in monitor mode as interface mon0 and it is acting as an access point or base station with Airbase-ng

We’ll bring up our second wireless card in monitor mode with airmon-ng start wlan4 11 and that will create the new interface mon1 — this will be acting as our client or station.

Now if we start up wireshark& and begin sniffing our client, mon1, we’ll see all of the packets or frames going in and out of this card. 

Immediately we’ll see there are plenty of beacons in the air, which we’ve discussed in previous sessions, so let’s filter those out. And while we’re at it lets also filter our any frame that isn’t address to or from our interface with the filter wlan.addr == 00:0f:04:b2:48:68 && wlan.fc.type_subtype != 0×08

Now in the terminal let’s tell our client card to do a passive scan of the area looking for available access points. Issue iw dev wlan4 scan passive | grep SSID and we should see plenty of SSIDs. If we go back to Wireshark we’ll see there aren’t any probes or reponses. This is because our client card here is reporting all of the nearby wireless networks based on a passive scan, meaning no data was sent out. Our card was completely silent and the data compiled was done so only using what was freely available in the air — in this case beacon frames. We can, and probably will get more sophistocated with this type of silent site-survey using the tool Kismet, but for now this will suffice in demonstrating what is available without transmitting a single frame.

So finally let’s go ahead and generate some Probes. In a terminal we’ll tell our client card to make an active scan of the area using the command iwlist wlan4 scan | grep ESSID.

If we come back over to Wireshark we’ll see plenty of probe requests and probe responses. Let’s take a look at the first probe request frame.

We can tell it’s a probe request as its subtype is 0×04. The source is our NICs MAC address and the destination address is Broadcast or ff:ff:ff:ff:ff:ff, meaning this probe request is meant for everyone who can hear it.

Wireshark already knows it is a management frame and under tagged paramaters we can see our supported data rates as well as the channel. Our first probe is set to channel 1. If we add to the filter && wlan.fc.type_subtype == 0×04 we’ll see that the next probe request was on channel 2, then 3, and so on.

Now if we flip our last filter from subtype 0×04, or Probe Request, to 0×05 we’ll see all of the probe responses. And much like the beacons we’ve seen before, these frames indicate the same capability information necessary for our stations to begin communicating.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Thrillist sifts through the crap to find the best your city has to offer every day. Wanna know about a Star Wars Burlesque show, a beer garden that screens 80s flicks, or a new restaurant with a Sushi robot? Then sign up for Thrillists free daily emall at Thrillist.com/hak5

Don’t like Dropbox? We’ve got a cross-platform alternative. How does Google Maps find your location without GPS? And can it be spoofed? Random password scripts, bash tips and more this time on Hak5!

Download HD Download MP4 Download WMV

Spoofing the W3C Geolocation API

Google Maps “Show My Location” feature uses the W3C Geolocation API.

It’s an application programming interface designed by the World Wide Web Consortium as a standard for retrieving a client’s geographical location. The client will gather geographic information by IP address, WiFi access points, GSM and CDMA cells and GPS. The accuracy depends on the data available. If only IP address is known you’ll likely only narrow the location down to your town. If WiFi data is available you’re more likely to get within a block. GPS should be pretty spot on.

The API has been implemented in modern browsers; Firefox since version 3.5, Opera since 10.6, Internet Explorer since 9 and of course Google Chrome.

We can test the API with either some example javascript or the Google Maps feature “”Show My Location”"

Determining a location based on wireless access points is done by referencing a database of known wifi base stations and their characteristics, such as the unique BSSID or MAC address. The technique of collecting these databases is called War Driving and I’m sure you’re familiar with it. Our favorite tools for the job are NetStumbler for Windows, Kismet on Linux and Kismac on OSX.

On such company that collects and maintains WiFi station location databases is Skyhook. They provided the location information for the iPhone until iOS version 3.2, at which point Apple started using their own database.

Another database maintainer is Google, who formerly collected locations from Street View cars and currently using anonymous data captured by Android devices. The former is an opt-in feature of the Android OS.

Of course Skyhook, Apple and Google’s databases are for the most part proprietary. There is however an open database. Wigle.net maintains a huge map and database of wireless access points and cell stations submitted by community members wardrive findings.

With all of this in mind, today we’re attempting to spoof our location with faked access point information using a Faraday Cage and an MDK3 beacon flood.

SpiderOak, is it better than Dropbox?

Are you sick of using lame backup and recovery programs that cost way too much? Perhaps you’re just not a fan of the new terms of service with Dropbox? Well, I found one that might float your boat! SpiderOak is a tool made specifically for backing up, syncing, and recovering your files through Windows, Mac, and Linux. SpiderOak was made by geeks for geeks, especially for the hacker minded. It’s more customizable, storage is cheaper, and the privacy is much better than certain backup programs out there because they take a “”zero knowledge”" approach to all data. With that said, though, you’re screwed if you forget your password!

There are a lot of features to be had:

Storage Redundancy Savings- SpiderOak will detect redundant copies of the same file and the extra copies wont take up any extra space. For example, if you have the same song uploaded to SpiderOak from your home computer and your work computer, the second one won’t take any space.
Multi platform synchronization lets you sync files and data from several different types of computers and mobile devices.
It’ll save historical file versions, just in case you save over something important.

In place of FTP to share and upload files for family and friends, SpiderOak lets you make anything you want public, and you can create a ShareRoom to be accessed via a web URL.

You can retrieve files from any device that’s connected to the internets.
And my favorite, the comprehensive zero knowledge data encryption. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company’s staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, thus making its easily decoded by anyone with local access to those servers. With SpiderOak, you create a password on you rPC, not a web form. The password is entrypted so even physical access does nothing. This is why if you lost your password, you’re screwed.

Now, pricing isn’t too bad. It’s less than other backup programs out there! 2 GB are free, or you can get 100 GB for $10 a month which increases per every 100 GB thereafter.

On to playing with the program! So there are several versions, including a 64 bit one. Just download the one that corresponds to your computer from the SpiderOak website. ”

I’m going to be playing with SpiderOak in this Ubuntu VM just to see how it works in Linux. I am going to download the 32bit version for Ubuntu and go through the installation process. So, as you can see, the installation process is plain and simple. Just follow the on screen instructions. You’ll find SpiderOak under Applications–>Internet folder. When you first open it, you’ll need to hop over to the website and create a new account. You’ll enter your username and verification code (which gets emailed to you) into the program. Then, from the program, you can create a password.

If you’ve already created your account you can choose Existing User and just enter your UN and PW. It may take a few seconds to completely let you log in because during this process your information is being decrypted.
Next you’ll be able to install a new device (which means you’ll name it, like mine is called Linux VM).

When you first log in, you’ll get this nice listing that basically divides all of your files into categories. I prefer advanced mode, so I can choose exactly what I want to back up… My photo can be found on the desktop, so I’ll choose it, then click save. Now, if I go to status I can watch the progress of the back up. Under the view tab, you can view all youre backups as well as view ongoing downloads with the downloads manager tool. The Sync tab will let you synchronize filetypes of your choice across various folders. This would be a good thing to use if you have a photo folder on your Linux computer and your Windows machine, and want to sync up both of the folderes to match so you don’t have to go from one comp to the other.

Last is the share option. First create a name for your new share folder. Then choose ‘New’ to create the Shared link. Go through the on screen instruction and you’ll see a link to the left side. This can be emailed, copied, and forwarded to other recipiants.
So you can tell that SpiderOak is generally a very easy to use program but it’s still packed with all the goodies that you’d need when uploading and syncing files.

Faraday Cages and Wireless Cards!

If you’re not familiar with a Faraday Cage it’s basically a metal or mesh box that blocks, among other things, radio waves. It was invented back in the 1836 by the English scientist Michael Faraday.

My little faraday cage here is built from an IKEA picture frame and before we get any further: Stand Down HAM Radio Operators!

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig’s homepage and is built in to the latest version of BackTrack from backtrack-linux.org

Using the MDK3 beacon flood attack mode and information gathered from the Wigle.net database for the old HakHouse in Williamsburg, VA we’ll attempt to spoof our location.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Being in IT and not using the right tools to get the best results for your clients ñ Is like a surgeon not using the best, most reliable medical equipmentÖHow can you expect your clients to work with you?
Thatís why I use GoToAssist Express by Citrix ñ the BEST remote support tool available. GoToAssist Express is designed with speed and usability in mind which makes it easy to get in, diagnose and resolve the problem ñ fast!
And with Unlimited Use ñ you can support all you want for one flat fee! Hak5 viewers can try GoToAssist Express FREE for 30 Days. For this special offer visit GoToAssist.com/Hak5.

If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, donít forget about Domain.comís web hosting plans. Theyíre less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember ñ when you think domain names, think domain.com.
Got a great idea? It all starts with a great domain. domain.com

Only suckers pay full price. If you love alternative apparel brands like Kidrobot, Hurley, and Stussy but hate wasting all your cash on them, listen up! You can score these premium brands at UP TO 80% OFF every day.
There’s a new invite-only shopping club just for guys called JackThreads, serving up street, skate, and surfwear brands at prices that will melt your brain. There’s a wait-list to join, but if you head to jackthreads.com/hak5 you’ll get instant access to all the killer hook-ups. GO NOW Oh, and did we mention that it’s free to join? Hit up JackThreads.com/hak5 and you’ll instantly start saving without having to leave the house.

Today we’ll be setting up an environment which will allow us to easily disect a beacon frame, as well as the other three types of management frames; probes, authentication and association. As you know we’ve covered the 3 types of wireless frames; management, control and data. Last week we went over one of the 4 types of management frames — the beacon.

Download HD Download MP4 Download WMV

To recap the demo we began by bringing up our NIC ifconfig wlan0 up and starting a monitor mode interface airmon-ng start wlan0 11 then using the MDK3 tool we can create beacon frames indicating our SSID of choice mdk3 mon0 b -c 11 -n haktip.

Now if we bring up an additional wireless interface ifconfig wlan5 up we can scan for nearby access points iwlist wlan5 scan | grep ESSID and see those beacon frames in action.

This week we’re going to be using airbase-ng and wireshark to put together a nice little wireless packet sniffing environment so that we can better understand management frames.

Airbase-ng is a script that comes bundled with the aircrack-ng suite of tools. Like many of the aircrack tools it is serves multiple purposes. This versatile little tool is mainly aimed at wireless client or stations rather than access points or base stations. It can be used in a wire array of wireless phishing attacks allowing one to obtain WPA handshakes or WEP keys. It can also cause all sorts of mayhem to access points and clients nearby so use with caution.

In todays example we’ll be using the most simple function, and that is mimicing a wireless access point.

You can find the full syntax of the tool by issuing airbase-ng –help. The only paramaters we’ll be specifying in our example will be the channel and ESSID. airbase-ng -c 11 -e haktip mon0

The first thing we see when using airbase-ng in this mode is the report “Created tap interface at0″

Everytime airbase-ng is started a tap interface is created. It isn’t brought up by default but simply issuing ifconfig ath0 up will bring it to life. The neat part about this interface is that even with WEP encryption enabled this tap interface will always show incoming packets after decryption. You can also send packets to this interface and they’ll go out encrypted, if the “-w” option is set.

The next thing listed is airbase-ng setting the MTU, or Maximum Transmission Unit, to 1500. This basically says the maximum size an IP packet can be before it gets split up into multiple packets. For ethernet v2 this is the highest setting possible. You may see MTUs of up to 9000 but only with Jumbo Frames on a gigabit lan.

Finally airbase-ng reports that the access point has been brought up using the BSSID of the NIC. If we want we can specify a different BSSID with the “-a” option or simply use macchanger beforehand.

Ok so we have our fake AP with the SSID “haktip” running so let’s copy the BSSID into our clipboard and startup wireshark&

We’ll select the mon0 interface to listen to and start. Now that we have a few packets lets stop sniffing and apply a filter.

To add a filter to Wireshark come up here to the filter bar and enter the expression. In this case I only want to see frames to or from the BSSID of our haktip access point so enter wlan.addr == BSSID and I’m only interested in beacon frames, so I’ll add && wlan.fc.type_subtype == 0×08

If we open the first frame we can see that it is in fact the type 0×08, or “Beacon”. The destination is Broadcast so it’s being sent out for everyone to hear. We have our source address and a sequence number. Wireshark also knows it’s a wireless management frame, so if we expand that we’ll see capability information under fixed and tagged paramaters. This beacon is saying, among other things, that it cannot support WEP, OFDM modulation isn’t allowed. Under tagged paramaters we’ll notice that the SSID is set to haktip, the support data rates are 1, 2, 5.5 and 11 Mb/s as well as rates 6, 9, 12, 18, 24, 36, 48 and 54 indicating that it’s an 802.11g network, and finally that the channel is set to 1.

And as always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org or leave a comment.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Midphase has been providing simple, smart and reliable webhosting since 2003. It features unlimited Disk Space & Bandwidth with an exclusive discount (6 months free) for Hak5 viewers. MidPhase provides 24×7 Premium Support via Phone, Live Chat, & Email, as well as a FREE Website builder & simple installs of WordPress, Drupal & Joomla. Also get $100 worth of Search Engine Credits from Google & Yahoo. Visit midphase.com/hak5 to get 6 FREE MONTHS web hosting through this exclusive Penn Point offer. Get your site transferred free (when you mention QuickSwitch).

Today we’re following up our discussion on 802.11 frames with an investigation of beacons and a practical example using BackTrack Linux and a technique known as raw frame injection.

Download HD Download MP4 Download WMV

As you recall from last time, the beacon frame is one of the four types of management frames. The other three being association, authentication and probes, which we’ll be getting into shortly.

Now the beacon frame is a special kind of management frame as it contains information about the network. This brings us to the terms:

Beacon frames or simple beacons are transmitted periodically by base stations or access points to announce the presence of wireless networks. The beacon frame is made up of several parts, including:

Whether the station is acting in ad-hoc or infrastructure mode (also known as managed mode)

The SSID or network name. We’ll be getting more into service sets of 802.11 networks but for now the SSID is a 32 character, typically human-readable string that uniquely identifies the network.

The Timestamp
The timestamp is quite simply a unit of time by which all associating stations synchronize to. It’s like that scene in the movie where all the spies synchronize their watches, except that it happens by hex in the blink of an eye.

And capability information such as

Channel Information

Supported data rates

Typically access points are setup the broadcast their beacons every 10 seconds. This can add quite a bit of overhead so for improved performance on networks where not a lot of clients are connecting and disconnecting, like a home network, this setting is often changed to be much higher.

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig’s homepage and is built in to the latest version of BackTrack from backtrack-linux.org

Today we’re using MDK3 in our practical example of transmitting and analyzing beacon frames.

To achieve this we’ll first we’ll need a card capable of raw frame injection. In order to test whether our card has this capability we’ll use the aireplay tool which is part of the aircrack-ng suite.

Aireplay-ng is a tool for injecting wireless frames and can accomplish 10 basic WiFi attacks, including deauthentication, fake authentication, fragmentation and more. We’ll be getting more in depth with the the aireplay-ng tool soon, but for today we’ll be using mode 9, also known as test mode.

Now before we can use either aireplay-ng or MDK3 we’ll need to bring up a monitor interface for our card, or set our card in monitor mode. If you recall from a previous episode the easiest way to do this is with the command airmon-ng start and our interface.

airmon-ng start wlan2

Now that our card has been set to monitor mode and we have the interface mon0 we can proceed to test our NIC.

Issuing aireplay-ng -9 (or –test) and our wireless interface (which in our case is wlan2) we can test to see whether or not our radio can handle raw frame injection.

aireplay-ng -9 wlan2

Our test is complete and we can see that aireplay-ng reports “injection is working”

Now on to MDK3, which is capable of performing many modes of attack. Issuing mdk3 at the command prompt will display a brief description of them.

mdk3 | more

Today we’re focusing on the beacon flood mode. For more information on any mode issue mdk3 –help and the mode. So we’ll issue

mdk3 –help b

Alternatively we could issue mdk3 –fullhelp for information on all attack modes.

So now finally to craft our beacon flood we can see here that the options -f will read SSIDs from a text file, -g will show that they’re using the 802.11g protocol at 54 Mbps, -a will show them as having WPA enabled using AES encryption, and -c will let us specify a channel.

Thankfully I already have a text file full of SSIDs handy so let’s just issue

mdk3 mon0 b -f ssid.list -g -a -c 11

Now as you can see mdk3 is transmitting hundreds of beacons on channel 11 for the access points I’ve specified.

We can verify this using our other wireless interface by scanning for all nearby networks with the command:

iwlist wlan0 scan | grep ESSID

Now Similar to fuzzing, this sort of attack can sometimes break wifi scanners or network interface drivers. And with a specially crafted ssid list I’m sure you can come up with your own fun.

Mind you all of these BSSIDs or mac addresses are random and there’s no chance of anyong actually associating with these base stations. At least not now.

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

Squarespace is a publishing system for anyone looking to build a blog, portfolio or any kind of website. Squarespace offers a uniquely flexible tool for just about anyone (no coding experience required) to build high end websites with that same functionality that you will find on some of the highest trafficked pages on the web. Squarespace also has amazing iPhone and iPad apps so you can easily update your blog and manage comments on the go. Go to www.squarespace.com to get a 2-week free trial and 10% off when you sign up in July. Just enter coupon code hak57.

Today we’re diving into the do-dads that make up 802.11, or to be more specific we’ll be going over WiFi frames. It is with careful use or abuse of these frames we’re able to acomplish some pretty nifty tricks.

Download HD Download MP4 Download WMV

If you’re not familiar a frame is simply a data packet. For example, on an Ethernet network a frame is a bunch of data sent from a network card consisting of a header, a payload, and an integrity check of some sort.

The payload itself is simply a protocol packet, typically of the IP variety but it could be anything. The payload is encapsulated, or enclosed, within elements that make up the frame overhead. For example, an 802.3 ethernet frame will begin with the source and destination MAC addresses, as well the EtherType, which is basically a field that defines what kind of protocol is inside. Think of it as the envelope on a letter. The frame will end with a Frame Check Sequence which is a special checksum of the frame. The receiving party uses the Frame Check Sequence to verify the integrity of the frame as a whole. If something gets borked — due to, say, interference on the line — the receiving party will ask for the sender to resend the frame.

Now for the most part 802.11 frames, or WiFi frames, work very similarly and it is with careful use or abuse of these frames we’re able to acomplish some pretty nifty tricks. So, as always, on to the terms.

Now without getting into every octet or bit within a frame, suffice it to say that WiFi frames are made up of the same kind of stuff as Ethernet frames. They contain source and destination MAC addresses. They’ll also contain control fields for specifying what version of the 802.11 protocol they’re using. Again the payload could be anything, like the millions of TCP or UDP packets that make up this video, then they finally end with a frame check sequence.

There are three major kinds of frames in 802.11. Management frames, Control Frames, and Data frames.

Let’s begin with Management frames. There are four types of management frames: Beacon, Probe, Association and Authentication.

A beacon frame is one that an access point or base station preiodically sends out announcing its presence to the world. It will include things like the SSID or service set identifier. We’ll get into the specifics of these in greater detail soon.

The next type of management frame is a probe. Probes come in two flavors: requests and responses. A probe request is one that usually comes from a client. Think of it as your laptop or iphone calling out for an access point, asking whether it’s within range, or trying to get details from an access point it has seen a beacon from.

The probe request is typically followed by a probe response. The access point will send one of these when it hears a probe request. The response will include data pertinent to establishing a connection, such as what data rates that the station supports.

The next type of management frame is association. These come in three flavors: association requests, association responses and disassociation frames.

Association requests are simply that. It’s a frame sent from one station to another asking if they can be friends. They’ll say, among other things, “hey, can you allocate some memory for me” and “let’s synchronize our watches so we can more effectively communicate.”

An association request frame is typically followed by an association response frame, which will either be acceptance — “Sure, let’s be friends!” or rejection.

When two stations want to say “peace out yo” they send a disassociation frame. It’s a polite thing to do as it allows the other party to unallocate memory and other such clean up functions.

The final kind of management frame is authentication. These come in two flavors, authentication and deauthentication.

The aptly named authentication or auth frames begin the process of authentication. In the case of an open access point only two auth frames are exchanged, one asking for access and one saying “come on in ‘pardner”. In the case of the pathetically weak WEP authentication standard the client will send an auth frame asking for access, the station will respond with an auth frame containing bit of text. This is known as a challenge. And finally the client will send a version of that text back having encrypted it with the WEP key.

The authentication process for WPA and WPA2 are a lot more complex and we’ll get to those as this series progresses.

This brings us to the last management frame: deauthentication or deauth. A deauth frame is sent from one station to another to terminate a secure session. The stations may still be associated, but effectively they’re not speaking to one another.

With Management frames covered, let’s go over the last two types of frames: Control and Data.

Control frames come in three varities: Request to Send, Clear to Send, and Acknowledgement frames.

A request to send or RTS fame, as the name would imply, is a short little frame that one station sends to another asking if it can send a data frame. It’s the first part of the two-way handshake that make up tbe beginning of any data transmission.

The second part of the handshake is the Clear to Send or CTS frame. If the station isn’t busy doing other things it’ll send one of these in response to an RTS. The neat thing about this frame is that it’ll specify an amount of time for which the two stations can communicate. The other stations in the area observe this and wait patiently. This minimizes interruptions that would otherwise cause interference resulting in resends and an overall degradation of network performance.

And finally after the RTS / CTS handshake has taken place and the data frames have been sent the receiving station will issue an Acknowledgement or ACK frame. This lets the sender know that everything was received in good condition. If the receiver checks the integrity of the data frames and something is borked it will simply withhold the ACK frame, causing the sender to retry.

And the last frame, as we just mentioned, is the data frame. Containing anything you like inside, these guys are the workhorses of WiFi. Of course they wouldn’t exist without the diligent work of the management and control frames, so, good job everyone. Let’s have some cake!

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

With more than 23 million members, Netflix is the world’s largest subscription service instantly streaming TV episodes and movies over the Internet. For one low monthly price, Netflix unlimited members can instantly watch TV episodes & movies streaming to their TVs and computers. With Netflix you can cancel anytime. Netflix unlimited members can instantly watch thousands of titles on a vast array of devices streaming TV episodes and movies like Microsoft’s Xbox 360, Sony’s PS3 game console and the Nintendo Wii console. Find movies you love – easily! As a Netflix unlimited member you can instantly watch as many movies as you want anytime you want for one low monthly price! You can cancel anytime. Get your FREE Trial membership. Go to netflix.com/hak5 and sign up NOW. Be sure to use this URL so that they know we sent you!

Today we’ve following up with our discussion on 802.11 standards with today’s latest and greatest, 802.11n.

Download HD Download MP4 Download WMV

802.11n or IEEE 802.11n-2009 to be more correct is the latest generation wireless networking standard that incorporates vast improvements over 802.11a and G. The most substantial of which in an increase from 54 Mbps to a theretical maximum of 600 Mbps.

To achieve this throughput the standard uses the a technique known as MIMO to combine up to 4 channels, using 4 separate antennas. And as opposed to previous protocols, 802.11n can use 40 MHz wide channels in both 2.4 and 5 GHz bands.

MIMO stands for Multiple-input and Multiple-output and is a technology that uses multiple antennas for transmit and receive simultaneously.

The math gets pretty complex but suffice it to say an access point with two transmitters and 2 receivers isn’t going to have as much theretical throughput as a 3 by 3.

MIMO also uses such technologies as Precoding, Spatial Multiplexing and Diversity Coding which is a wonderful rathole that leads into beamforming and space-time coding but I promise I won’t make a left at Albuquerque here.

In short MIMO rocks. It’s the reason your WiFi N gear has multiple antennas and while it’s heritage goes back to the 70s it’s a reletively new technology for wireless communications. The first commercial system was developed in 2001. Then in 2005 and 2006 several companies started building MIMO OFDM devices (you remember OFDM from last HakTip — right?). It’s this that led to the WiFi Alliance officially certifying devices based on draft specs in 2007, until finally, after 11 drafts, the 802.11n standard was approved in 2009.

And thankfully for you and I 802.11n is backwards compatible with previous standards much like 802.11g is with B.

So how does 802.l1n stack up against the previous standards? Well, between the use of 2.4 and 5 GHz frequencies, 20 and 40 MHz of bandwidth and data rates between 7.2 and 150 Mbps I’d say it’s quite the standard. The 4 MIMO streams alone make it incredibly sexy, and coupled with the same robust modulation technology as 802.11A it’s able to obtain approximately twice the range of previous lettered standards. It’s really intersting to see how the 802.11 standard has grown since 1997.

And N isn’t where it ends either. Plenty more standards are under development, like 802.11ac, which would provide even higher throughput with up to 8 MIMO spatial streams, 80 and 160MHz channels and even better modulation techniques offering a theretical 6.93 Gbps.

As always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org. And be sure to check out our sister show Hak5 for more great stuff, just like this. I’ll be there reminding you to trust your technolust.

Today as we continue on our WPA cracking adventure it’s all about WiFi Channels and a little fun with a 2.4 GHz Spectrum Analyzer, BackTrack 5 Linux and a microwave.

Download HD Download MP4 Download WMV

In terms of WiFi a Channel is merely a band of spectrum. Whether it’s A, B, G or N the basic idea is that a range of frequencies are allocated to a channel and seperated from their neighbor channels just a bit, typically just a few MHz, which we refer to as whitespace.

For example in the case of 802.11 protocols using the 2.4ghz spectrum the channel width is 22 MHz. Each of these channels or bands, with the exception of channel 14, are separated by 5 MHz of unused spectrum.

For instance Channel 1 is centered at 2.412 GHz and since it’s 22 MHz wide it begins at exactly 2.400 GHz and ends at 2.422 GHz. Then channel 2 centered at 2.417 GHz so it begins just 5 MHz past where Channel 1 started. This continues ever 5 MHz with Channel 3 being centered at 2.422 GHz, and so on, and so on. Until channel 14 that is, which has a 12 MHz spacing.

And as you can see there is quite a bit of overlap so the general recommendation is to use channels 1, 6, 11 and 14 as they are discrete — that is to say they do not overlap each other at all.

Now channel availability is regulated by country. Here in North America we’re supposed to use channels 1 through 11 while the rest of the world get channels 1 through 13. Japan is special, because, well, they’re Japan — so they get all 14 channels.

Watch the video for a spectrum analyzer demonstration of microwave interference on the 2.4ghz band.

The Ubertooth One is available in our HakShop.

Last week I asked “what 802.11b channel is only allowed in Japan?” and youtube commenter markpinegar answered: “Channel 14 is the 802.11b channel that can only be used in Japan, but only in direct-sequence spread spectrum (DSSS) and complementary code keying (CCK)? modes.” Thanks for answering and look out for a direct message so we can send you our favorite USB WiFi radio.

This week I’d like to know what 802.11 standard enables high powered WiFi equipment to operate, with license in the United States, on the 3.6 GHz spectrum.

Answer in the comments to be randomly selected to receive the radio I use here on HakTip.

And as always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org. And be sure to check out our sister show Hak5 for more great stuff, just like this. I’ll be there reminding you to trust your technolust.

Today as we continue on our WPA cracking adventure we’ll learn some more fundamentals of these ubiquitous wireless protocols including some 802.11 history, the WiFi Alliance and the lettered protocols B, A and G.

Download HD Download MP4 Download WMV

WiFi as we know it is standard for wireless communications. The actual term WiFi is a trademark of the Wi-Fi Alliance — a trade association that promotes wireless LAN technologies and certifies products.

The actual term Wi-Fi was adopted in 1999 as a branding term as it’s a bit catchier than “IEEE 802.11″. It’s considered an acronym for Wireless Fidelity. The alliance actually used the phrase as an advertising slogan “back in the day” but quit using it early on.

If you’ve seen the WiFi Certified logo on a device that means it has completed the WiFi Alliance interoperability certification.

Of course WiFi is synonymous with IEEE 802.11, which comes in many flavors, but first let’s take a moment to understand how they came to be.

The story of WiFi or IEEE 802.11 actually began, well, based on our viewer survey, before half of you were born

Back in 1985 the FCC released what is known as the ISM band for unlicensed use. This means anyone could use these frequencies. The ISM stands for Industrial, Scientific and Medical and is a radio band reserved all over the world for those purposes.

A microwave for instance creates a lot of electromagnetic interference so they’re reserved to these specific frequencies. This is also why microwaves interfere with WiFi.

Now the two ranges that interest us are 902 to 928 MHz and 2.4 to 2.5 GHz. The former is only unlicensed in what the ITU, or International Telecommunication Union designates as Region 2 — basically North America, South America, Greenland and the eastern Pacific Islands.

So with this spectrum available our favorite corporation, AT&T, began working on a wireless technology in 1991. WaveLAN — now known as WaveLAN Classic — operated in the 900 MHz spectrum. It was developed in the Netherlands initially as a technology for cashier systems and supported 1 and 2 Mbps data rates.

It wasn’t until 1997 that the first actual 802.11 protocol made its debut. Appropriately named 802.11-1997 or sometimes referred to as 802.11 legacy, it too only supported 1 and 2 Mbps data rates and is in effect obsoltete.

Of course this brings us to the lettered protocols we know and love today.

In 1999 two protocols, 802.11A and 802.11B hit the scene.

Both A and B offered much higher data rates than their predecessor the former clocking in at 54 Mbps while the later a mere 11. Another major differentiator are the frequencies used by the technologies. B takes advantage of the commonly used 2.4 GHz spectrum while A avoids congestion at 5 GHz.

802.11a aka 802.11a-1999

802.11 A is a pretty beefy protocol. It’s more resiliant to poor channel conditions as it uses the Orthogonal Frequency-Division Multiplexing method. This is the very same method used today in ADSL lines, power-line communication, WiMAX, digital cable TV and a bunch of other technologies we take for granted today.

Now due to complexities in manufacturing processes, 802.11A products were considered late to market. And while the technology offers higher datarates than 802.11 B, the signal rage was at first much shorter due to the smaller wavelengths of the 5 GHz band. 802.11 A was mostly adopted in enterprises who needed the higher data rates, though today it is quite common to see dual-band or dual-mode access points supporting the A protocol as well as B and G.

802.11b aka 802.11b-1999

802.11b was widely adopted all over the world in mid 1999 and is considered the first mainstream wireless networking protocol.

Unlike 802.11a however, 802.11b uses the same media access method as 802.11-legacy which is known as CSMA/CA.

So while 802.11b has a maximum data rate of 11 Mbps the added protocol overhead means that best one can achieve with normal TCP streams are just under 6 Mbps, or just over 7 Mbps for UDP.

What’s CSMA/CA? It stands for Carrier Sense Multiple Access with Collision Avoidance, and basically it’s a means for multiple stations to communicate with an access point without talking all over each other.

Carrier Sense Multiple Access is a Media Access Control protocol that uses probabilities to make a best guess at when a radio should talk.

Carrier Sensing means the radio listens for signals from other stations transmitting and waits for them to finish before it begins. Multiple Access is just that, it’s a protocol for more than two parties. And Collision Avoidance is a modification that uses less of the channel if it notices a lot of traffic. How sweet?

802.11g aka 802.11g-2003

In 2003 802.11g was ratified, bringing best of both worlds between 802.11a and b. This new standard takes advantage of the 2.4GHz band while using the more robust Orthogonal Frequency-Division Multiplexing transmission scheme. With a maximum data rate of 54Mbps and backwards compatability with 802.11b the G protocol was adopted in droves by consumers at the start of 2003 before ratification was even complete.

802.11g isn’t without its issues. As part of backwards compatability, transmissions from an 802.11b station will reduce the network as a whole down to the older 11Mbps speeds. The 2.4GHz band is still susceptible to interference from microwaves, bluetooth devices, baby monitors and other junk in the spectrum. And the protocols high popularity is also a bit of a problem in densely populated areas as only three of the channels — in the US that is — don’t overlap. But we’ll get into channels later.

Next week we’ll wrap up the protocols with our new favorite, 802.11n, as well as going over channels and finally dig into the actual frames with a lesson on BSSIDs, ESSIDs and a practical example with a fun tool in BackTrack Linux.

I hope you enjoyed learning a little of the backstory here. I find that while I could spend 5 minutes telling you what to type to crack a key it’s so much more important to understand why those commands do what they do.

Now before I get going it’s time for the giveaway. Last week I asked for the manufacturer of my favorite USB WiFi device based on the OUI and youtube commenter JokingTiger was the first to answer with Realtek Semiconductor Corp, so we’ll get your information and have one of these puppies sent out right away.

This week I’d like to know what 802.11b channel is only allowed in Japan? Be the first to answer in the comments and the radio I use on HakTip is yours.

And as always we value your feedback and suggestions. If you have a tip to share with me, email tips@hak5.org. And be sure to check out our sister show Hak5 for more great stuff, just like this. I’ll be there reminding you to trust your technolust.

We all know that most guys hate shopping for clothes. Luckily, now there’s JackThreads. JackThreads is a members-only online shopping club that does the dirty work for you and saves you a boatload of cash. Each day, JackThreads serves up the hottest brands at up to 80% off what you’d pay in a store. Now, JackThreads is a private club, but luckily, Hak5’s got the hookup. Oh, and did we mention that it’s free to join? Hit up JackThreads.com/hak5 and you’ll instantly start saving without having to leave the house.