List of Figures
- Figure 2-1: Block diagram of basic communications system
- Figure 2-2: The process of upconverting a modulated baseband signal into a modulated RF signal
- Figure 2-3: Time-domain waveform of a sinusoidal voltage
- Figure 2-4: Phase shift between two sinusoids
- Figure 2-5: Time-domain plot of RF voltage (envelope)
- Figure 2-6: Frequency-domain plot of 802.11a 54-Mbit/sec signal
- Figure 2-7: Baseband audio signal
- Figure 2-8: Resulting AM modulated RF signal
- Figure 2-9: Baseband input signal
- Figure 2-10: Resulting FM modulated RF signal
- Figure 2-11: Process of dividing a digital bitstream into individual symbols using 16-QAM modulation
- Figure 2-12: Constellation diagram showing the transition between symbols
- Figure 2-13: Constellation diagrams for BPSK (on left) and QPSK (on right)
- Figure 2-14: Constellation diagrams for 16-QAM and 64-QAM signals
- Figure 2-15: Using different channels for different signals
- Figure 2-16: The temporal multiplexing scheme used in TDMA
- Figure 2-17: Azimuth radiation plot
- Figure 2-18: Elevation radiation plot
- Figure 2-19: Graphical depiction of every frequency allocation in the United States (http://www.ntia.doc.gov/osmhome/allochrt.pdf)
- Figure 4-1: A directed probe request. Note the addition of an SSID parameter.
- Figure 4-2: A typical broadcast probe request packet
- Figure 4-3: Wi-Spy in action. Note the relative quiet at the high end of the spectrum, the area that represents traffic on channels 12 and 13. There is nothing on these channels because this screenshot was taken inside the U.S., where these channels cannot be used.
- Figure 4-4: Antenna and pigtail connectors
- Figure 4-5: Configuring a 2.6 Linux kernel for a Garmin GPS or KeySpan USB-to-serial converter support
- Figure 4-6: Windows successfully detecting a KeySpan USB converter
Chapter 5: Scanning and Enumerating 802.11 Networks
- Figure 5-1: NetStumbler's main window
- Figure 5-2: Using a different driver, the hidden networks no longer show up in NetStumbler.
- Figure 5-3: NetStumbler's SNR display. The current card uses arbitrary units, not dBm.
- Figure 5-4: HyperTerminal shows the serial port and GPS device are working correctly.
- Figure 5-5: A basic map made with StumbVerter
- Figure 5-6: NetStumbler's main configuration dialog
- Figure 5-7: The Broadcom configuration client is in a good state for war driving. Your own client may look different.
- Figure 5-8: This dialog, accessed via Control Panel, will let you disable TCP/IP temporarily.
- Figure 5-9: Kismet in action
- Figure 5-10: GpsDrive is successfully communicating with Kismet.
- Figure 5-11: Wellenreiter in action. The interface has clearly been influenced by NetStumbler.
- Figure 5-12: MacStumbler at work. Note that the networks it currently detects are exactly the same ones that you would see by clicking the airport logo and viewing the surrounding networks.
- Figure 5-13: Ethereal with customized colors enabled
Chapter 6: Attacking 802.11 Networks
- Figure 6-1: aircrack's main display. The low numbers for the votes mean that aircrack doesn't have a good idea what the key is yet.
- Figure 6-2: Even though Windows says this user is not connected, he is.
Chapter 7: Attacking WPA-Protected 802.11 Networks
- Figure 7-1: A successful four-way handshake, using a PMK derived from a passphrase
- Figure 7-2: A generic WPA enterprise authentication exchange. The AP must proxy authentication packets between the client and RADIUS server.
- Figure 7-3: Example PEAP authentication exchange
- Figure 7-4: Overview of a PEAP certificate authentication failure attack
- Figure 7-5: Setting the RADIUS shared secret for an AP. Make sure it's a good one.
- Figure 8-1: A typical configuration for a Linksys AP. The Shared Key here is the shared RADIUS secret.
- Figure 8-2: PEAP has been configured to not validate the user's certificate and not use any automatic authentication methods. Be sure to re-enable certificate validation once you are done debugging.