## Abstract
If you want to learn how to understand and compromise Wi-Fi networks, this is your course.
Learning modern Wi-Fi hacking can be a pain. There is lots of outdated material for technologies we rarely see deployed in the real world anymore. Numerous tools rely too heavily on automation, and leave you wondering why when they don't work, because neither the fundamentals nor the underlying attack is understood. Even worse, some popular attacks will rarely, if ever, work in the real world.
If you want to really understand what's going on, and master the attacks in such a way that you can vary them when you encounter real world complexities, this course will teach you what you need to know.
This course is highly practical, with concepts taught through theory delivered while your hands are on the keyboard, and semi-self-directed practicals at the end of each section to reinforce the learning. The course is hosted in a "Wi-Fi in the cloud" environment we invented several years ago, which means no more fiddling with faulty hardware or turning the classroom into a microwave.
## Key Learning Objectives
* How Wi-Fi hacking fits into wider attack or defence objectives
* Important `physical and low level RF concepts` and how to reason through/debug strange situations
* Understanding how `monitor mode` works, when to use or not use it, and practical examples of what to do with collected frames or data
* Grokking the `WPA2 4-way handshake`, the numerous ways of recovering PSKs and what to do with them
* First looks at `attacking WPA3's Dragonfly handshake` with downgrades
* Grokking EAP and `EAP vulnerabilities` relating to certificate validation, tunnelled mode key derivation and how to practically attack them with downgrades, relays and manipulating state
## Detailed Course Outline:
#### Module 1 – Introduction
* How and Why
  * When and why to use Wi-Fi attacks
* Physical and Low Level
  * Understanding spectrum, signals and propagation
  * Peculiarities of crowded Wi-Fi spectrum and resulting behaviour in Tx & Rx
  * Understanding hardware - cards, antennas. Practical recommendations
  * Specifics of Wi-Fi signalling
#### Module 2 – Monitor Mode
* How it works. What you get. Why it isn't promiscuous.
* Prism/Radiotap headers and how driver implementations differ.
#### Module 3 - Probing, Tracking and Deanonymisation
* Management frames - beacons and probes
* Device probing behaviour
#### Module 4 - WPA/2/3 PSK
* What it is
  * IEEE and WEP history
  * 4-way handshake crypto
* Handshakes
  * Capturing, deauthing
  * Broken handshake debugging
  * PMKID attacks
  * WPS attacks
* Advanced attacks
  * Approaches and methodologies for the real world
* WPA3
  * The Dragonfly handshake
  * Other WPA3 improvements/defences
  * Opportunistic Wireless Encryption (OWE) overview
#### Module 5 - EAP
* What it is
  * Generic EAP flow
  * Specific EAP types and how they work
* PEAP
  * Deep inside the second tunnel
  * CVE-2019-6203
  * EAP-GTC downgrade attack (LootyBooty)
#### Module 6 - EAP-TLS
* What it is
* Understanding/breaking cert validation
#### Module 7 - Tunnelled EAP Relays
* What it is
#### HANDS ON LABS
A list of labs dispersed throughout the course:
1. Getting comfortable and understanding your tools.
2. Learn to passively intercept and understand WiFi traffic.
3. Track a person based on their WiFi emissions.
4. Steal a person's login information.
5. Learn to bypass captive portals.
6. Getting comfortable with 5GHz.
7. How to capture, crack and use WPA/2 handshakes.
8. How to deal with difficult WPA/2 handshakes.
9. Attacking WPA/2 in the real world.
10. Attacking WPA/2 without any clients.
11. How to attack PEAP clients with WPE attacks.
12. How to attack EAP-TLS clients and why.
13. How to connect to PEAP networks without password cracking.
14. Identifying and understanding WPA/3 networks.
15. Tool compilation and online brute-force attacks.
16. Identifying and understanding OWE networks.
17. Identifying and understanding WEP networks.
18. A chance to play around and experiment.
Jacques is a security analyst at SensePost. He got his PhD in Information Technology from Nelson Mandela Metropolitan University in 2017, while also working at the university as a lecturer for undergraduate and postgraduate courses in the IT security department. He has worked in the IT audit industry for several years as both a private contractor and later as a member of one of the big five audit houses. During his tenure in audit, he encountered and assisted several multi-national corporations and small-to-medium sized organizations in addressing their IT security requirements (including obtaining ISO 27001 certification).
Since joining SensePost, he has performed numerous penetration tests for leading organizations in the automotive, finance, manufacturing, agriculture, education, and public sectors. These include web, API, mobile, internal, external and thick application assessments. He is also an active red team member within SensePost, well versed in the activities and techniques used by APT groups. He currently holds OSCP, CEH and CISA certifications.
#### TRAINING SCHEDULE
| Date | Session |
|------------------|-------------------|
| FEB 22 Tuesday | Live Lecture (3h) |
| FEB 23 Wednesday | Live Lecture (3h) |
| FEB 24 Thursday | Live Lecture (3h) |
##### Live Lecture Timings
| Time | Time zone |
|---------------|-----------------|
| 8 am - 11 am | US Pacific Time |
| 11 am - 2 pm | US Eastern Time |
| 4 pm - 7 pm | UK |
| 5 pm - 8 pm | CET |
#### TRAINING SCHEDULE
This training shall be conducted during
**EXACT LECTURE DATES SHALL BE ANNOUNCED SOON.**
##### Lecture Recordings
Recordings shall be made available after each lecture, throughout the duration of the course. ONLY FOR REGISTERED STUDENTS.