Friday 5 July 2013

Cracking WPA-PSK

Okay, so today I got my wireless card through. I know I normally do a post every Wednesday, but I decided to get a post up today due to the massive number of readers I've had (about 1,000 in the last 2 days) and the wireless card arriving.

The Target

The target for this wireless security penetration test is my spare Netgear N600 router running DD-WRT firmware. The router operates over all the 802.11 standards up to N (both 2.4GHz and 5GHz).

The tools

  • Software
    • Aircrack-ng
    • OS : Backbox
  • Hardware
    • Thinkpad x201t (i7+8GB)
    • Atheros AR9271 Wireless Card
    • Client : HTC One XL


The test

First off, we need a monitor interface. Luckily, airmon-ng (part of aircrack-ng) can virtualise a monitor interface from our managed wlan0 interface.

If you can't see, I ran the command
airmon-ng start wlan0

This provided us with our monitor interface mon0.

Next we need to check our wireless network is in range, so run
airodump-ng mon0

This should provide a screen similar to the one below.

Before we proceed, I'm just going to briefly explain the screen above. You should be able to see 2 dynamic tables (that is, tables in which the values are not stationary and keep changing). The top table lists all the routers in range; this is our main table for now. The bottom table lists all the devices talking to routers and which routers they are talking to. To keep it brief, the main 2 columns on the top table we are interested in are the BSSID, the ENC and the CH. These are the MAC address of the router, the encryption and the channel.

Our next command is based on the last, but we are going to narrow down to the specific network we are testing so we can easily see what devices are connected. The command is formatted as follows
airodump-ng --bssid {bssid of the router} --channel {channel the router is operating on} {interface}

So for me it was
airodump-ng --bssid 20:4E:7F:A5:2A:DC --channel 1 mon0

This gave me an output like the following screenshot

Now we can see the device connected. The bottom table is now the important one: the BSSID is still the router's MAC address, but the STATION is now the client's MAC address. We should be getting a decent number in the packets field as well for this to work. It shows we have a decent connection to both devices.
Quickly, before we continue, re-run the airodump-ng command with the -w option before the interface; after -w put the name of the file you wish to save to.
Now we can really begin. Remember in the post about WPA we talked a lot about the handshake? Well, now we are going to grab it. The only problem we have is that the connection between client and AP is already made, so we need to disconnect them. Since we are working in our own environment we could do it manually, but my phone is the other side of the room and I'm a lazy person, so we will use another part of the aircrack-ng suite, aireplay-ng.
aireplay-ng requires only a couple of parameters for this operation. First off, -0 (this is the number, not the letter). This tells the program we are going to be de-authenticating clients from routers; next comes the number of times to send the de-authentication packets. I chose 100 as I can stop it when I begin to get results, which I did. Next we need the MAC address of the access point using -a followed by the MAC address, then the MAC address of the client using -c followed by the MAC address. Finally we need the interface. Just to clear it up, here's an example
aireplay-ng -0 {number of times to try} -a {AP MAC address} -c {client MAC address} {interface}

Which for me became
aireplay-ng -0 100 -a 20:4E:7F:A5:2A:DC -c E8:99:C4:A1:8E:7E mon0
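
A defender can spot this kind of de-authentication burst from the monitoring side. The following is an added example, not part of the original post or of aircrack-ng: it scans a constructed frame log for many deauth frames between one AP and one station inside a short window. The record format, threshold and window are assumptions; the two MAC addresses are the ones used above.

```python
from collections import defaultdict, deque

AP = "20:4E:7F:A5:2A:DC"       # router BSSID used in the post
CLIENT = "E8:99:C4:A1:8E:7E"   # client MAC used in the post
OTHER = "02:00:00:00:00:01"    # constructed second station


def build_sample():
    """Constructed frame log: (time in seconds, frame subtype, source, destination)."""
    frames = []
    # Normal data traffic from the client to the AP.
    for i in range(20):
        frames.append((i * 0.5, "data", CLIENT, AP))
    # One legitimate deauth when another station leaves the network.
    frames.append((3.0, "deauth", OTHER, AP))
    # Burst: 60 deauth frames, both directions, inside about 0.6 seconds.
    for i in range(30):
        t = 12.0 + i * 0.02
        frames.append((t, "deauth", AP, CLIENT))
        frames.append((t + 0.01, "deauth", CLIENT, AP))
    return sorted(frames)


def find_deauth_bursts(frames, threshold=10, window=1.0):
    """Return {(mac_a, mac_b): peak_count} for every pair of addresses whose
    deauth frame count within any `window` seconds reaches `threshold`."""
    recent = defaultdict(deque)    # pair -> timestamps still inside the window
    peaks = {}
    for ts, subtype, src, dst in frames:
        if subtype != "deauth":
            continue
        pair = tuple(sorted((src, dst)))    # ignore direction
        stamps = recent[pair]
        stamps.append(ts)
        while ts - stamps[0] > window:      # drop timestamps that aged out
            stamps.popleft()
        if len(stamps) >= threshold:
            peaks[pair] = max(peaks.get(pair, 0), len(stamps))
    return peaks


if __name__ == "__main__":
    for (a, b), peak in find_deauth_bursts(build_sample()).items():
        print(f"deauth burst between {a} and {b}: {peak} frames in 1s")
```

A single deauth frame is normal when a station leaves; it is the rate against one pair that stands out. Networks that enable 802.11w (Protected Management Frames) reject forged deauth frames outright.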


In the screen above, at the end of the top line, it says we have a handshake, this should be on your screen as well if you have succeeded.
Now to find the files we captured, just to ensure they are there.

Now to crack it and get the password back. If you want to know how this process will work, refer to my prior post on WPA encryption algorithms.
To do this we will use the final part of the aircrack-ng suite for today. This is aircrack-ng itself. aircrack-ng is a massive cracking application which will pick out the correct EAPOL packets and find the MIC + ANonce + SNonce etc. This can work on both WPA and WEP. So we need to build a command for it; the basic form of the command is
aircrack-ng -a 2 -w {wordlist file} {your .cap file}

Mine was:
aircrack-ng -a 2 -w /home/spectr3/Desktop/wordlists/rockyoualtered.txt blogcap.cap

I inserted the password into this wordlist on line 440. aircrack-ng took less than a second to get to the password, try it and find it to be correct, giving me this screen:

As you can see the password was "Haxx4Lulz".

Hopefully this week you have enjoyed the session. If you want to message me, my email is martyncprice@gmail.com (there is also a PayPal account linked to it if anyone wants to donate for some 802.11ac equipment so I can test if "beam forming" has any effect on cracking WPA networks).
Hope to see you all again on Wednesday.
-Spectr3

Wednesday 3 July 2013

WPS

Hey all, I know I'm taking ages with this wireless card, but it turns out I had it sent to my old residence the other side of Britain, so while I sort that out, I thought I would talk about WPS (Wi-Fi Simple Config or Wireless Protected Setup).

What is it?

A secure WPA/WPA2 password is a random sequence of numbers and letters, not a word (dictionary attacks can get them). This, as you can imagine, can be hard to remember. Try remembering 3F4KJ5R7 for the next few days; you will forget it by the end of the week unless you have an eidetic memory. To keep the story short, a bright spark came up with WPS.

For those of you who are unaware what WPS is, it's a feature in some routers whereby, to connect, you can just type an 8-digit number that is printed on the router into the computer. There is a massive flaw in this, as the router tells the user when the first 4 digits are correct, essentially cutting the time to find the key substantially. Originally, to break into a router, due to an optional lockdown, which not all routers implemented, it can take 6.3 years if you had to get all 8 digits, but with only having to get 2 groups of 4 digits, this time comes down to about a day (commonly more around 6-10 hours in practice). The lockdown basically tells the router to stop accepting WPS keys for 60 seconds after every 3 failed attempts.

How to break it

This is purely for the purposes of education. I personally believe in the freedom of educational knowledge, and if you know something you should share it. I do not encourage breaking into someone else's router; if you do, more fool you, it's illegal and if you are caught you will be locked up. Yes, you can tell your friends you were "hacking", but this is not true hacking: there is no programming involved, no clever tricks, just logic.

Anyway, so now I have covered myself against stupid people doing illegal things and getting caught, we shall proceed to breaking it. I've already told you how it can be broken, but I'm going to go over it very quickly. First, a few tools; if you know them, please feel free to skip over.

Aircrack-ng suite

The aircrack-ng suite is a beautiful suite and a wireless "hacker's" best friend. It has almost everything we need for this attack, and I would advise getting it pre-installed in a distribution of Linux. My personal recommendation is different from the norm. It used to be BackTrack (now Kali), but as BT5r3 was based on Ubuntu 10.10 LTS it can be unstable if you play about too much, so I personally recommend BackBox. I find this distribution to be clean and enjoyable to use; it's based off Ubuntu 12.04 LTS (Xubuntu to be exact, due to Xfce).

Reaver

The last tool is reaver. This is the main tool we will be using. To install it, just open a terminal and type
apt-get install reaver
This will install reaver for you. If you get an error, try
sudo apt-get install reaver
And type in your password (basically sudo gives you the ability to overrule a lack of permissions, like "run as administrator" on Windows).
Once we have both of these installed, we are ready.

Lets get attacking

All of the following happens in the terminal, so put away your GUI, it's CLI time :D
First of all we need to bring up a monitor mode interface, so run
iwconfig
You should be able to see your wireless card as wlan0.
Next type
airmon-ng start wlan0
This will bring your wireless card into monitor mode (there are seven wireless modes, for more info check my first post about wireless) and this monitor mode should be a new interface called mon0. Run iwconfig if you want to check it's there.
Now type in
airodump-ng mon0
This will start a program which will display all your wireless networks in range on the top area, in the bottom, it will show all the connections visible between client and access point.
When you can see your wireless network to attack, press ctrl+c to stop the program. Next you should have on your screen at least one wireless network; this is the one you are going to attack, so copy the MAC address. It should look like XX:XX:XX:XX:XX:XX (note: you cannot ctrl+c or ctrl+x in terminal, they are reserved for other things, so instead you must right click > copy).
Hopefully you now have your MAC address to attack in your clipboard (the place your computer stores the copied text).
Final step, the actual attack using reaver.
Reaver requires 2 arguments. These are the interface (mon0) and the MAC address of the access point to attack. To execute, type the following, substituting where appropriate
reaver -i mon0 -b <MAC address here>
And that's the entire command finished, now just sit back and wait.

Hopefully this is enough for today. I'll be back next week (hopefully I'll have this wireless card issue resolved).
-Spectr3

Wednesday 26 June 2013

Assembly Language starter

Hello to all, my wireless card still hasn't arrived, so I'm going to do a quick post on what I am currently working on.

Background

Although I do a lot of wireless, I still don't understand how it works, how one pulse of current travels from one device and ends up at the other. My eventual aim is to be able to create my own wireless communication device out of very basic parts using an Arduino. As a result I have been looking into assembly programming, which is what I'm going to do some of today.

Take yourself back about 40 years. Computers were at their births, and for the first time there were teams of people striving to advance the technology within, but they still used machine code {0+1}, which is great to a computer because a computer only understands machine code, but what human can flawlessly and quickly? As a result, assembly language was born. Now assembly language is the most basic of computer languages; there are no print commands and conditional statements like if statements and for loops.

Assembly language statements

Assembly language is key to every other language. It is the foundation stone, and it converts directly into machine code. By this I mean that every statement in assembly has a machine code equivalent that is run on the processor.
As a result it is the closest to machine code we have to understand today. All HLLs (high level languages like C, C++, C#, Fortran, Pascal, VB, COBOL etc.) are converted into assembly by the compiler (this is not the only thing the compiler does, but it is all I am interested in in this post). But what are the statements?
Computers were created by mathematicians for solving complex maths in little time. A calculation which takes us about 5 minutes takes a computer nanoseconds. It is for this reason a lot of the commands are mathematics based.
  • ADD : This merely adds one memory address to another
  • MOV : This command moves the bits from one memory address to another
  • CMP : This compares two memory addresses.
  • JLE : This jumps if the address is less than or equal to.
  • INC : This increments the memory locations content.


These are just a few basic commands. If you wish to learn more, there is a book I highly recommend from Jon Erickson called "Hacking: Art of exploitation" which is worth its weight in gold just for the sections on assembly, providing a very in-depth, interactive look at assembly language.

Hopefully this post has made a few people think about learning assembly language (or at least partially). If nothing else it will look brilliant on a CV for a computer based job.
-Spectr3

Friday 21 June 2013

Wireless Card Broke

Wireless card broke!



Okay, so first of all, apologies to everyone. This post was supposed to go up last Wednesday, but a very close friend of mine was involved in a very serious traffic collision on his way home from my house. As a result, I've been preoccupied.
I was going to do a post on using aircrack-ng to break into a home made wireless WPA network, but my card appears to have died (it belongs in the bottom of my laptop rucksack and as a result endures a lot of punishment). As a result, I will be taking some time away and will post again once my new card comes through the post (approx. 1 week 3 days).
Again, apologies all, this week feels like I have let you down a lot, but do not despair, the next post will include the capture files I use so you can follow along as well :).
-Spectr3

Wednesday 12 June 2013

Wireless Part 6

4-Way handshake


So this week I thought I would continue on with handshakes, and more importantly the most important handshake in wireless you would ever learn, which is the 4-way handshake. Now the 4-way handshake is merely the connection between the wireless client and the wireless AP, but it's incredibly important when we get into WPA (which will be done in more detail than WEP as it is seen more, making it more important to understand; it also gives the basis of WPA-Enterprise).

There are 5 parts of the handshake, that's 5 important bit sequences
  • ANonce
  • SNonce
  • MIC
  • GTK
  • Ack


These are absolutely key for our understanding; they are the main blocks of the handshake.
The handshake itself is just 4 EAPOL packets. The structure is as follows
  1. AP sends client ANonce
  2. Client uses this to construct the PTK (pairwise transient key), replying with a SNonce + MIC
  3. AP uses this to construct a PTK, replying with GTK + MIC
  4. Client replies with Ack
  5. Connection Made!


So what happened?
The client attempts to connect with the access point, and has a pre-shared key to use to connect.
The client can now send the pre-shared key it has been told. To do this, the client applies PBKDF2 to create a 256-bit pre-shared key. PBKDF2 is a hashing algorithm using 4 inputs: the pre-shared key, the SSID (and SSID length), then 2 numbers, 4096 + 256. The 4096 is important as the passphrase is hashed 4096 times, making it completely one way, and 256 is the size of the output. The AP already has its own version.

But this key cannot be sent yet, so first of all, the ANonce. All the ANonce is, is the authenticator (AP) Nonce (Nonce being a large random value). This is sent by the AP to the client. The client, or supplicant, can then create a SNonce, which is just a Supplicant Nonce. These are both used to create a PTK (pair-wise transient key). This is a dynamic key (making this handshake more secure as it is not guessable).

Now the PTK must be derived. It is just a function using the 256-bit pre-shared key from before, the ANonce, the SNonce, the Authenticator MAC and the Supplicant MAC. This is kept for later.

Next is message 2. This is just the SNonce and MIC, being sent to the AP. The MIC is the message integrity check, which is basically a checksum on the PTK.

At this stage, both the client and the AP know the 256-bit pre-shared key, the SNonce, the ANonce, the Authenticator (AP) MAC address and the Supplicant (Client) MAC address. As a result, both can create the exact same PTK. As a result, when the authenticator creates its own MIC (based on the Authenticator's PTK), the resulting MIC should be the same if the connection is legitimate. Thus, the pre-shared key should be the same.

If the connection is legitimate, the key installation is done, and finally, the key install is acknowledged with an ACK.
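
The derivation described above can be written out as follows. This is an added example, not code from the original post: it uses the standard WPA2-PSK functions (PBKDF2-HMAC-SHA1 for the 256-bit key, the 802.11i PRF for the PTK, HMAC-SHA1 keyed with the first 16 bytes of the PTK for the MIC). The SSID "ExampleNet" and the message 2 bytes are constructed stand-ins rather than a real EAPOL-Key frame; the MAC addresses and passphrase are the ones from the WPA-PSK post.

```python
import hashlib
import hmac
import os

AP_MAC = bytes.fromhex("204E7FA52ADC")    # authenticator MAC from the WPA-PSK post
STA_MAC = bytes.fromhex("E899C4A18E7E")   # supplicant MAC from the WPA-PSK post


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PTK from the pre-shared key, both MACs and both nonces (48 bytes for CCMP)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the frame, keyed with the KCK, cut to 16 bytes."""
    kck = ptk[:16]
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """Run messages 1 and 2; return True if the AP accepts the client's MIC."""
    anonce = os.urandom(32)                              # message 1: AP -> client
    snonce = os.urandom(32)
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid),
                            AP_MAC, STA_MAC, anonce, snonce)
    msg2 = b"constructed-msg2:" + snonce                 # stand-in for the frame bytes
    client_mic = mic(client_ptk, msg2)                   # message 2: SNonce + MIC
    # The AP derives its own PTK from its own copy of the key and checks the MIC.
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid),
                        AP_MAC, STA_MAC, anonce, snonce)
    return hmac.compare_digest(mic(ap_ptk, msg2), client_mic)


if __name__ == "__main__":
    print(handshake("Haxx4Lulz", "Haxx4Lulz", "ExampleNet"))     # matching keys
    print(handshake("Haxx4Lulz", "not-the-key", "ExampleNet"))   # mismatched keys
```

Neither side ever transmits the passphrase or the 256-bit key, yet both nonces, both MAC addresses and the MIC travel in the clear, so the passphrase is the only secret input protecting a recorded handshake.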

I don't think that until now I have properly explained that this was the connection in a WPA environment. It's nothing complex. I personally like to imagine it like 2 spies talking to each other, checking if the other has the same information without saying what that information is (but I'm a bit strange like that).

Anyway, I think that that is enough for this week, so I shall see you all next week for another installment.
-Spectr3

Wednesday 5 June 2013

Wireless Part 5

Hey all, welcome back to part 5 of my wireless hacking set. Last week we looked at breaking WEP, so today I thought I would show how the handshake works. Handshakes are key: they are the agreement and connection between the AP and the client. Without them there would be no connection at all.

Ethernet Frames

The first important thing to understand is Ethernet frames. In an Ethernet packet (either wireless or wired), you have a number of sections.
  • Preamble

    This is 7 bytes and is for bit synchronization.
  • Start frame delimiter

    A single byte, used as a flag, and is the start of the frame
  • Destination Address

    48-bits, this is the MAC address for the packet's end point, used by routers to determine exactly what device for the packet to end up at.
  • Source address

    48-bits, this is the MAC address for the packet's start point, so the end point knows who sent it. Also this is used so if the packet is corrupted or the endpoint is not found, a message can be sent to the sender so the sender isn't waiting for a reply forever.
  • Length/Ethernet Type

    This gives the ethernet type (Ethernet or Ethernet II). In 802.3(Ethernet), this would give the length of the data section (maximum 1500 bytes).
  • Data

    Exactly what it sounds like, this is the data being sent, up to 1500 bytes, in WEP which we talked about over the last few weeks, this would be the WEP packet we spoke of, so the IV + cypher text.
  • Padding

    For reasons related to CSMA/CD (which I won't get into today), a packet must be at least 64 bytes in total. If the data field + other fields do not fulfill this requirement, the padding is used to make sure the packet meets its minimum required length.
  • Checksum

    The Checksum, the saving grace of any packet of data, this is the answer to a simple one way algorithm run on the data to ensure when it reaches its end point it is still correct, and there are no 1's becoming 0's and vice versa.


Now as part of the start frame delimiter, there are some flags, these are just little extra bits that are sent in the frame, each is just a 1 or 0, indicating yes or no, just a couple of flags are SYN, ACK, RST and FIN, today we will focus on SYN and ACK.

The basic TCP handshake

For short, SYN is synchronize and ACK for acknowledge.

The 3-way TCP handshake is very simple, and as a result I am leaving it as the first handshake we will cover; it is the basis I used to learn the 4-Way Handshake. The basis of the handshake is as follows
SYN
SYN,ACK
ACK

All this is, is an ask, a reply and an acknowledgement that the reply has been received.

I'm going to leave this here for this week as I am extremely tired from doing my CBT earlier today (British compulsory bike training, so I can get a motorbike, which of course will have a Yagi antenna strapped to it for a bit of war driving :) ).
-Spectr3

Tuesday 28 May 2013

Wireless Part 4

Okay, so last time we saw exactly how WEP was working, and hopefully you will have noticed where some of the vulnerabilities are. In this post we will be looking a bit at some of them and exactly where they are and how we can get past them.

IV's

So the first major vulnerability is the IV's. Anyone here who has ever done some wireless WEP cracking in the past, using a program to do it for you, will have heard of IV's before. Basically, from your perspective, a program gets a lot of these, then does some calculation and spits back a password. This isn't the real case. As we saw, IV's are the randomized initialization vectors put into the RC4 algorithm to generate the key stream to be XOR'ed with the plain text data. Then, so the AP can view the data, the secret key + IV from the packet is run through RC4 by the router, and the key stream, the data and the checksum are worked out. This is the vulnerability you use when you're capturing IV's. What vulnerability is there, you might ask? Well, allow me to explain.

The only 2 things being kept secret in WEP are the data + secret key. Now the beauty of RC4 is that every time you run that operation you will always get the same result. So if you separate the key stream from the data, you have the result of RC4. Now RC4 read in 2 items of information, the IV and the secret key, and we have the IV. Using thousands of these calculation results we can begin to reverse the hash function, and thus we have our secret key. This is exactly what is going on behind the scenes in a WEP cracking program: the key streams are being captured, then thousands of IV's are being used with their keystreams to reverse the RC4 algorithm to get the secret key, simple really.

This is the basic method used from 2001 onwards. Now I know this post was very short, but as I am still unpacking from moving and trying to get a job I don't have a lot of time to spare at present, although you can still email me questions at martyncprice@gmail.com (yes, my real name is Martyn Price, anybody who has decided to follow me on twitter should have found this out already @Spectr3Sec ), or you can ask in the comments section. Until next week, hack well and prosper
-Spectr3

Wednesday 22 May 2013

Back in a week

Hey all, I know I have normally posted by now, but it's going to have to be next week as I am so busy moving houses, see you all in a week

-Spectr3

Wednesday 15 May 2013

Wireless Part 3

WEP (Wired Equivalent Privacy)

In September 1999 802.11 (legacy) was released. This was the beginning of wireless LAN communications, but it required some security, otherwise anybody could intercept/sniff passwords, usernames or any other data which was desired out of the airwaves. Thus WEP was created, with the intention of privacy, allowing for a passkey to encrypt wireless traffic. The major problem with WEP was that it was broken before it was implemented; in other words it was never secure. When it was first proposed there were papers being published talking about flaws.

How it works

WEP uses RC4 algorithm which is a symmetric key algorithm, meaning that both parties have identical keys which are used to encrypt and decrypt the data. It is also worth noting that due to things like this, WEP was very low resource usage on the device which was using it, allowing for basic hardware to run it, thus it is still used today in some cases.

WEP is only used in the frame body of a packet. This frame body is split into 3 parts, IV, Data and ICV. IV or initialization vector is a non-encrypted part (which we will come to why later), which begins to show some vulnerability. One of the fields of this was for key id's and was 2-bits large, allowing for 4 different pass phrases to be used. Finally the IV was 24-bits large (important in a minute).

The next part was the data. This is just the data which you wish to send (nothing majorly important here for the purposes of cracking WEP).

Finally we have the ICV. This is the Integrity Check Value. This is also encrypted in WEP. The ICV merely acts as a check-sum to verify that the data has been sent/received correctly.

The steps of WEP

  1. First the IV is generated at random, this is a 24-bit value. This is added to the WEP key which can be either 40-bits or 104-bits. This provides us with a value of 64-bits or 128-bits (which is why its length being 24-bits was important before). This is then inputted into the RC4 algorithm, giving us a random key stream.
  2. At the same time, CRC-32 is applied to the data. This is a basic algorithm using a 32-bit chunk of data and applying a mathematical operation to give a value, which is then appended to the data.
  3. Finally, with a key stream the same size as the data to be sent + the ICV, a XOR operation is applied to both the result of step 1 and the result of step 2. This gives us our final cipher text. Now this data should be completely impossible to read, whether you're the AP or client, which is a problem, so the IV is put in front of the cipher text, giving us the completed data set for the frame body.


Now if that was a bit hard to keep up with, don't fret as there is a diagram incoming :)

This image was lifted from another blogger called Zero-Krangkaian
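
The three steps above, and the IV reuse problem discussed in Part 4, as an added example that is not part of the original post. The 40-bit key, the IVs and the payloads are constructed; the frame body is laid out as the 3-byte IV, one key ID byte, then the cipher text.

```python
import zlib

KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
IV1 = bytes.fromhex("a1b2c3")       # constructed 24-bit IVs
IV2 = bytes.fromhex("a1b2c4")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 key stream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # key stream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, stopping at the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    icv = zlib.crc32(data).to_bytes(4, "little")  # step 2: CRC-32 appended to the data
    plaintext = data + icv
    keystream = rc4(iv + key, len(plaintext))     # step 1: IV + key fed into RC4
    header = iv + bytes([key_id << 6])            # IV and 2-bit key ID stay unencrypted
    return header + xor(plaintext, keystream)     # step 3: XOR, IV put in front


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    iv, ciphertext = body[:3], body[4:]
    plaintext = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def keystream_reuse_leak(key: bytes, iv: bytes, known: bytes, secret: bytes) -> bytes:
    """Two frames sent under the same IV share one key stream. XORing a frame
    whose plain text is known strips that key stream out, and applying it to
    the second frame reveals its plain text without touching the key."""
    c1 = wep_encrypt(key, iv, known)[4:]
    c2 = wep_encrypt(key, iv, secret)[4:]
    keystream = xor(c1, known)
    return xor(c2, keystream)[:len(secret)]


if __name__ == "__main__":
    body = wep_encrypt(KEY, IV1, b"hello over the air")
    print(body.hex(), wep_decrypt(KEY, body))
    print(keystream_reuse_leak(KEY, IV1, b"a known broadcast frame", b"meet at noon"))
```

With only 24 bits of IV, a busy network has to repeat IVs, which is why later protocols derive a fresh per-session key instead of concatenating a short public value with a fixed secret.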

I think this is enough for this week, and next week I shall begin the basics on where the vulnerabilities are exactly, and how to get past them.

As always thanks for reading :) - Spectr3

Wednesday 8 May 2013

Wireless Part 2

So last time we left off with saying about the different areas of the 802.11 IEEE protocol, a/b/g/n/ac etc. But all those protocols have a story, and here it is...

In June 1997 the first wireless protocol was released; this is what we now know as "legacy". At the time more and more people were beginning to use laptops as they became more and more portable. Gone were the laptops that required you to haul around a box bigger than a suitcase, and in came computers the size of briefcases, and with more portable devices, a more portable connection to the internet was wanted. A connection that didn't require you to plug your device into a switch or hub. Thus someone came up with the idea of wireless local area communications. The first implementation would transfer data at 2MB/s and used FHSS and DSSS modulation. With a range of 100m it allowed for a certain amount of cable-free portability.

Then in September 1999 two new wireless protocols were released, aimed to expand on their predecessor. One protocol was called 802.11a. Its purpose was mainly to increase the speed and range of the network, and it did: using a different type of modulation (OFDM) it reached 54MB/s and a range of 120m. The other was 802.11b. Its purpose was to increase range primarily, stretching to 140m, but it sacrifices speed in comparison to 802.11a, having only 11MB/s maximum transfer rates.

As with all invention, progress was desired, and in June 2003 a standard was released which unified the best parts of 802.11a and 802.11b. This protocol was called 802.11g. This protocol had the range (140m) from 802.11b and the speed (54MB/s) from 802.11a. This protocol used both OFDM and DSSS to achieve this.

Next, something new was needed, and 802.11n was the answer. It had almost double the range of 802.11g (250m) and triple the maximum speed (150MB/s). The speed of this however is often quoted as being 300MB/s or 600MB/s. This is because it has the ability to use multiple streams at once, but despite this the maximum throughput to a single device is 150MB/s.

Finally, we come to 802.11ac, this protocol was released December 2012, and allowed for speeds of nearly 900MB/s, with up to 8 streams, giving it a maximum throughput of 6.8GB/s (but no one device will see those speeds).

802.11ac also gives a new safety measure, which will be covered when we talk about specific attacks, called beam-forming. This means that the router knows approximately where the client is and the client knows approximately where the router is. Due to this, the devices can send traffic in the direction of each other, so MITM (man in the middle) becomes much harder, you will now need to be close to the targets to capture traffic from the air, but all this will be covered later.

Channels

With most wireless devices being on the 2.4GHz wave band, there is a lot of interference, so to tackle this, channels are used. So far I have been careful to call them wavebands, because 2.4GHz is not a select frequency, it is split into multiple wavebands.

The wavebands in 2.4GHz band are commonly 22MHz, meaning that a band contains 22 different frequencies. The following image is lifted from taurus2.co.uk and demonstrates perfectly.
As we can see, there are 14 channels, channel 14 is Japan only, and 12/13 are banned in the USA. Each channel uses a specific band, spanning 22MHz, allowing for multiple channels on the 2.4GHz band, that do not overlap and thus have very little interference. The most commonly used are 1,6 and 11, as these channels cannot interfere with each other.

And now for the end of today's session. Next week I'll start on WEP, how it was implemented and why, so we can start looking at breaking things :) - Spectr3

Wednesday 1 May 2013

Wireless Part 1

Hey, so as I hope you know, I'm Spectr3 - Hi :D - and I'm currently a first year at university, but I love wireless. My personal background that got me into wireless security was when WEP got broken. So I want to do a set of blog posts on wireless security. More specifically, I want to show you how to break it properly.

What this will be about:


It's all well and good to know how to break it, saying "and type this in and you should get something that looks like this", without you knowing what is actually going on. So in this series, I'm going to be using the personal knowledge I have built up over the years to explain different wireless methods and different attacks in as much detail as I know at the time of writing.

What is a wireless network


Wireless network means just that: a network without wires. We use a radio frequency (either 2.4GHz or 5GHz and soon 60GHz) to transmit the bit patterns. This is a post set on wireless security and not on signal multiplexing etc., so I won't go into that here.

Issues arising


The problem for many people and businesses is that, in metaphor, you are throwing paper airplanes of information into a bin (or wireless access point). This is great, but anybody could come and grab those planes as they glide towards the bin, and even worse, not all will get there, some will miss. As a result wireless security is incredibly useful.

Wireless Bands


So we have mentioned that the wireless networking (802.11) uses different wave bands (2.4GHz, 5GHz, etc.) but how does this work?

You have different wireless types; these are the a/b/g/n/y/ac/ad. These all have different properties, here's a quick table.


Wireless type | Range   | Maximum rated speed | Waveband
Legacy        | 100m    | 2MB/s               | 2.4GHz
802.11a       | 120m    | 54MB/s              | 5GHz
802.11b       | 140m    | 11MB/s              | 2.4GHz
802.11g       | 140m    | 54MB/s              | 2.4GHz
802.11n       | 250m    | 150MB/s             | 2.4GHz and 5GHz
802.11ac      | Unknown | 900MB/s             | 5GHz

I think that will be it for today. Next time I'll go through a very brief history of wireless and how we get more speed out of 802.11n than what is in the table. Thanks for reading, please comment so I know how I'm doing and know what to change for next time :)

-Spectr3