Papers

“Vista Wireless Power Tools for the Penetration Tester”, December 16, 2008, Joshua Wright.  Published by InGuardians, Inc.

  Summary: With the advent of NDIS 6, Microsoft has exposed new wireless functionality in Windows Vista hosts.  Through this programmatic functionality, and the tools supplied with Windows Vista, a compromised Vista host becomes a valuable conduit for a penetration tester, allowing them to explore and exploit nearby wireless networks and establish network backdoors for unrestricted access to internal networks.  This paper explores many of the new Vista wireless features from the perspective of a penetration tester.

“Dispelling Common Bluetooth Misconceptions”, September 19, 2007, Joshua Wright.  Published in the SANS Technology Institute Security Laboratory.

  Summary: As a decidedly “ad-hoc” technology, Bluetooth devices are often utilized within organizations, outside of the control of IT management.  Few organizations recognize the threat of Bluetooth technology, often due to misconceptions about the technology and the threats of its use.  This white paper dispels several common misconceptions regarding Bluetooth technology, allowing organizations to better assess their exposure to Bluetooth threats.

“Five Wireless Threats You May Not Know”, August 28, 2007, Joshua Wright.  Published in the SANS Technology Institute Security Laboratory.

  Summary: Many organizations have turned to strong encryption and authentication protocols, leaving significantly deficient protocols such as WEP and LEAP behind.  However, many threats are still looming that affect wireless networks, requiring ever-present diligence in the analysis and defense of wireless networks.

“802.11b Firmware-Level Attacks”, September 29, 2006, Mike Kershaw, Joshua Wright.

  Summary: This paper describes a new style of DoS attack against 802.11 networks that abuses flaws in the firmware of popular 802.11 wireless cards.  The impact of this attack is more damaging than other 802.11 DoS attacks, requiring as few as two packets from an attacker to deny service to all target users, and often requiring a system restart to recover from the attack.

“Applying Wired IDS History to Wireless IDS”, November 1, 2005, Joshua Wright.

  Summary: The wireless IDS industry is still immature, and continues to perpetuate the mistakes made by wired IDS vendors many years ago.  This paper examines several flaws in wireless IDS technology that could have been avoided by learning from the mistakes of wired IDS vendors.

“An Assessment of the Oracle Password Hashing Algorithm”, October 18, 2005, Joshua Wright, Carlos Cid.  Published in the SANS Technology Institute Reading Room.

  Summary: In this paper the authors examine the mechanism used in Oracle databases for protecting users’ passwords.  We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses ...

“Weaknesses in Wireless LAN Session Containment”, May 19, 2005, Joshua Wright.  Published by Network Magazine.

  Summary: This paper describes the characteristics of wireless LAN session containment techniques used to stop an unauthorized station from connecting to a monitored access point.  Using the traffic analysis techniques described in this paper, an attacker can fingerprint the type of wireless LAN intrusion detection system deployed to monitor and protect the wireless network, and potentially evade the session containment functionality altogether.

“Detecting Wireless LAN MAC Address Spoofing”, January 21, 2004, Joshua Wright.

  Summary: This paper describes some of the techniques attackers utilize to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic that was generated by the AirJack, FakeAP and Wellenreiter tools.  Through the analysis of these traces, the author identifies techniques that can be employed to detect applications that are using spoofed MAC addresses.  With this information, wireless equipment manufacturers could implement anomaly-based intrusion detection systems capable of identifying MAC address spoofing to alert administrators of attacks against their networks.

“Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection”, November 8, 2002, Joshua Wright.

  Summary: Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration.  The discovery of a wireless LAN might be used for seemingly innocuous Internet access, or as a “backdoor” into a network to stage an attack.  This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers.  This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic.

“Red Team Assessment of Parliament Hill Firewall”, October 3, 2001, Joshua Wright.  Published in the SANS Technology Institute Reading Room.

  Summary: A paper I wrote for my SANS GCIA practical examination, evaluating a firewall configuration and attacking it by exploiting a Cisco router.

Articles

“Using PEAP for Wireless Authentication”, Network World, April 23, 2007.

“Issues with SSID Cloaking”, Network World, March 5, 2007.

“WiMAX Security Issues”, Network World, December 11, 2006.

“Security Issues with pre-802.11n Wireless Gear”, Network World, November 13, 2006.

“Explaining WPA2”, Network World, September 11, 2006.

“Best EAP for an Enterprise Wireless LAN”, Network World, June 26, 2006.

“How 802.11w will Improve Wireless Security”, Network World, May 29, 2006.

Presentations

2008

“PEAP: Pwned Extensible Authentication Protocol”, presented with Brad Antoniewicz at Shmoocon 4, Washington DC

“Wireless Threats and Practical Exploits”, presented at the Virginia Tech SANS Conference, Blacksburg, VA

“Security Implications of Pervasive Wireless Technology”, presented at the Intel Security Conference, Portland, OR

“Leveraging Wireshark for Wireless Network Analysis”, presented by Mike Kershaw at SHARKFEST 2008, Los Altos Hills, CA

“High Speed Risks in 802.11n Networks”, presented at RSA 2008, San Francisco, CA

“Understanding the WPA/WPA2 Break”, SANS Webcast

2007

“Wireless Threats and Practical Exploits”, presented at the Baton Rouge Infragard Forum, Baton Rouge, LA

“Wireless IDS Challenges and Vulnerabilities”, presented at the RSA Conference 2007, San Francisco, CA

“Extensible 802.11 Packet Flinging”, Joshua Wright and Mike Kershaw, presented at Shmoocon 2007, Washington DC

“The Hidden Risks of Bluetooth”, presented at the SANS 2007 Conference, Orlando, FL

“Risk and Rewards of WiFi and WiMax”, panel presentation at the BITS Wireless Security Forum, Washington DC

“Wireless Security Strategies that Don’t Work: Lessons Learned Perspective”, presented at the BITS Financial Managers Forum

“Reflections on the Motorola Canopy WLAN Product”, presented at the SANSFIRE Conference 2007, Washington DC

“Wireless Device Fingerprinting: Techniques and Application”, presented to the MAP team at Dartmouth College, Lebanon, NH

2006

“Advancements and Challenges in WIDS Systems”, presented at the Joint Wireless Working Group (JWWG), Washington DC

“Integrating Wired and Wireless IDS”, presented at the Aruba Airheads Conference, Miami, FL

“Wireless IDS Challenges and Vulnerabilities”, presented at the CSI NetSec 2006 conference, Scottsdale, AZ

Older stuff

“Four Ways to Monitor your Wireless LAN”, 2005, SANS Institute webcast

“Migrating from WEP to WPA/WPA2”, 2005, SANS Institute webcast

“Detecting Detectors: Layer 2 Wireless Intrusion Detection”, 2004, SANS 2004 conference

“Attacking 802.11 Networks”, 2003, Lightreading Live! Conference, NY, NY

“Weaknesses in LEAP Challenge/Response”, 2003, Defcon 11, Las Vegas, NV

“Cisco Routers as Targets”, 2003, MIT Security Camp, Boston, MA

Books

“Wireshark and Ethereal Packet Sniffing”, published by Syngress Press, Angela Orebaugh, et al.  I wrote two chapters for this book: chapter 6 on wireless analysis with Wireshark, and chapter 9 on the command-line tools that accompany Wireshark.  My editor said I could give away the wireless chapter as the free sample.

Other

“802.11 Pocket Reference Guide”, a handy legal-sized PDF that you can print out as a quick cheat-sheet for Wireshark display filter references, IEEE 802.11 header data, and Kismet shortcuts.  This will be especially helpful to my SANS SEC617 students!

Stairwell photograph courtesy of Mike Kershaw