PowerCert Animated Videos
WPS (originally Wi-Fi Simple Config)
Wi-Fi Protected Setup
Online brute-force attack
In December 2011, researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible on WPS-enabled Wi-Fi networks.
Also referred to as WPA-PSK (pre-shared key) mode, this is designed for home and small office networks and doesn’t require an authentication server. Each wireless network device encrypts the network traffic by deriving its 128-bit encryption key from a 256-bit shared key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256-bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1. WPA-Personal mode is available with both WPA and WPA2.
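The derivation described above, as an added worked example that is not part of the original page: the passphrase and SSID go through PBKDF2-HMAC-SHA1 for 4096 iterations to produce the 256-bit PSK, while a 64-hex-digit passphrase is taken as the raw key. The input checks (8 to 63 printable ASCII characters, SSID of 1 to 32 bytes) follow the ranges the text gives; the test vector in the comment is the well-known IEEE 802.11i one for passphrase "password" and SSID "IEEE".

```python
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LEN = 32               # 256-bit key
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit WPA/WPA2-Personal PSK for a passphrase and SSID.

    A 64-hex-digit passphrase is the raw key and is used directly.  Otherwise
    the 8..63 printable-ASCII passphrase is stretched with PBKDF2-HMAC-SHA1,
    salted with the SSID, for 4096 iterations; the SSID as salt is why the same
    passphrase yields different keys on differently named networks.
    """
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters or 64 hex digits")
    if any(c not in PRINTABLE_ASCII for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN
    )


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, as written into wpa_supplicant-style 'psk=' lines."""
    return wpa_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i test vector (Annex H): passphrase "password", SSID "IEEE"
    # -> f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(wpa_psk_hex("password", "IEEE"))
```

The 4096-iteration stretch is what slows each passphrase guess once the four-way handshake has been captured, which is why the enterprise text below notes that dictionary attacks on short passphrases remain the practical weakness of the PSK mode: the cost per guess is fixed, so only passphrase length and entropy raise the attacker's total work.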
Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). Various Extensible Authentication Protocol (EAP) methods are used for authentication. WPA-Enterprise mode is available with both WPA and WPA2.
Wi-Fi Protected Setup (WPS)
This is an alternative authentication key distribution method intended to simplify and strengthen the process, but which, as widely implemented, creates a major security hole via WPS PIN recovery.
TKIP (Temporal Key Integrity Protocol)
The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet. This is used by WPA.
CCMP (CTR mode with CBC-MAC Protocol)
The protocol used by WPA2, based on the Advanced Encryption Standard (AES) cipher together with strong message authenticity and integrity checking, is significantly stronger in protection for both privacy and integrity than the RC4-based TKIP used by WPA. Informal names include “AES” and “AES-CCMP”. According to the 802.11n specification, this encryption protocol must be used to achieve the high-bitrate 802.11n schemes, though not all implementations enforce this. Otherwise, the data rate will not exceed 54 Mbit/s.
The Perils of Probe Requests
Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat
Everything Is Broken
802.11: Probe request/response packets?
The Probe Request frames (and the Probe Responses from the APs) are part of the active scanning process of wireless devices, which is used to determine and register the RSSI, SSID and other management stuff from nearby BSSIDs, and is crucial for the roaming process, as the STA has to know which APs are available for roaming, and which one provides the best signal.
Another option for the STA is passive scanning, where no Probe Request/Response frames are sent, and the client passively listens to the Beacon frame broadcasts to gather the required data. This is obligatory for the 5 GHz UNII bands 2 and up, where active scanning is not allowed due to DFS regulations.