Workshops Hacking 802.11

This two day workshop covers most of the known and some less known techniques for gaining knowledge and access to 802.11 infrastructure. The workshop will not cover password cracking, network monitoring or known wps attacks. The workshop will cover details of firmware exploitation, remote and local access and data extraction. Attendees of the workshop are expected to have previous knowledge of GNU/Linux and Wi-Fi infrastructure. The first session cover local access and the second remote access, each session take 6 hours.

== Friday - Local (root) access ==

Console or TTL serial port Identify and set up known serial port interfaces for console access.

UBoot Explore UBoot environments and get to know the most common security issues used to gain local root access from a UBoot environment.

Qemu Using Qemu to boot an Access Point upgrade images and simulate internal functionality. By simulating the environment of a running AP in Qemu it is possible to extract run-time knowledge from the AP. By applying the proprietary images on top of a "working" OpenWRT image it is possible to port the AP run-time to a virtual environment and eventually port OpenWRT back to the AP.

JTAG and OpenOCD Set up and configure a OpenOCD server on the JTAG interface using a standard JTAG debugger (BusPirate or FTDI).

ARM GCC GDB Setting up a cross compiler to build your own code for the AP. Integrate GDB with the OpenOCD and gain internal knowledge and control of a running system using JTAG.

Demo Gaining local root on the Aruba AP series using console TTL or ethernet MITM access.

== Saturday - Remote access ==

Packet injection The Atheros 9k series drivers provice support for full MAC layer control in software (and open firmware). THe ATH9K_HTC driver have been altered numerous times to support flooding and packet injections for hostile purposes. Explore kernel module and firmware compilation for over the air attacks. For supported devices see: ( &

Radio jamming techniques A rundown on tried and known jamming techniques. CTS flooding, domino attack, greedy backoff and de-authentication flooding. Trial and error session under the faraday blanket. 802.11AC and MIMO training attack discussion and feasibility of distorted beamforms.

Radio jamming detection An overview of known preventive measures against known (layer2/MAC) jamming attacks.

Fuzzing the Wi-Fi baseband Trying out packetspammer.c to spawn custom 802.11 frames. Transfer packetspammer techniques to scapy and python for automated fuzzing. Try out firmware exploitation on broadcom BCM43** series. Firmware exploitation like project zero


  • Friday Aug. 25 10:30 - 16:30
  • Saturday Aug. 26 10:30 - 16:30