Exploiting Wireless Device Drivers on Windows. Co-written with skape and hd, this paper describes in great detail how to go from a blue-screened wireless driver to EIP to reliable code execution. Includes 3 case studies and an explanation of how the Metasploit ring0 shellcode works.
Fingerprinting 802.11 Devices. My Master's thesis. Covers two successful fingerprinting techniques.
Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field. This is a subset of my thesis work. Code is available as well.
Hacking Exposed: Wireless. I co-wrote this one.
Defcon device drivers presentation, for those who couldn't make it to the talk.
Device drivers FAQ. For anyone who wonders "did we get root?"
802.11 Association Redirection
The goal of this paper is to introduce the reader to a technique that could be used to implement, in a typical IEEE 802.11 environment, something analogous to the VLANs found in wired media. What makes this technique interesting is that it can be accomplished without breaking the IEEE 802.11 standard on the client side, and it requires only minor changes to the Access Point (AP). No modifications are made to the 802.11 MAC.