Foundstone released a whitepaper describing new and previously known 802.11 attacks. The paper covers AP impersonation, rogue access points and implementation attacks (WEP, dynamic WEP, WPA/WPA2 cracking and the Cafe Latte attack). Wireless client adapter attacks and wireless DoS attacks are covered as well.
On another note, forget WEP or WPA-PSK cracking: WPA with RADIUS authentication or certificates has its own caveats if the client is misconfigured.
If you are running WPA Enterprise with PEAP or EAP/TTLS, it's about time you take a serious look at your client configuration! This weekend at Shmoocon in Washington D.C., Josh Wright and I gave a presentation that demonstrated how a very common, but incorrect, client supplicant configuration can lead to the compromise of certain wireless networks and, in some cases, provide Windows domain access.
Our AP impersonation attack on PEAP and EAP/TTLS relies on the client failing to properly validate the authentication server's (RADIUS) TLS certificate. By default, the Windows Zero Configuration (WZC) wireless supplicant performs this validation by putting the trust of the network in the client's hands. WZC will prompt the client to either continue or cancel upon connecting to the wireless network (similar to the way your web browser prompts you when accessing certain websites over HTTPS). Furthermore, the client may be misled by this message, as it only contains the signing authority's name (i.e. Verisign) rather than the actual certificate name. (McAfee Avertlabs)
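The defence against the misconfiguration described above is to pin the supplicant to a specific trusted CA and to the expected RADIUS server name, so that the user is never asked to decide whether an unknown certificate is acceptable. The following audit script is an added example and is not code from the article or from McAfee Avert Labs. It parses wpa_supplicant-style `network={...}` blocks and flags PEAP/TTLS networks that lack `ca_cert`/`ca_path` (any server certificate is accepted) or lack a server-name constraint (`domain_suffix_match`, `subject_match` or `altsubject_match`, so any certificate issued by the trusted CA is accepted). The two sample configurations, the SSID, the identity and the certificate path are constructed for the example; the directive names are real wpa_supplicant options.

```python
"""Audit wpa_supplicant network blocks for missing RADIUS server-certificate validation.

Added example: the two configs below are constructed, not taken from the article.
"""
import re

# Constructed "weak" profile: PEAP with no trusted CA and no server name check.
# This is the wpa_supplicant equivalent of the WZC default the article describes:
# the supplicant will tunnel MSCHAPv2 credentials to whatever server answers.
WEAK_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed "hardened" profile: the same network pinned to the corporate CA
# and to the RADIUS server's DNS name (values are placeholders).
HARDENED_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
TUNNELED_EAP = {"PEAP", "TTLS"}  # methods whose security rests on the outer TLS tunnel
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one {key: value} dict per network={...} block (quotes and comments stripped)."""
    nets = []
    for body in BLOCK_RE.findall(text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
        nets.append(params)
    return nets


def audit_network(params):
    """Return a list of human-readable findings for one network block."""
    findings = []
    if "WPA-EAP" not in params.get("key_mgmt", "").split():
        return findings  # not an 802.1X network; nothing to validate
    if not set(params.get("eap", "").split()) & TUNNELED_EAP:
        return findings  # only PEAP/TTLS are in scope here
    ssid = params.get("ssid", "<no ssid>")
    if not (params.get("ca_cert") or params.get("ca_path")):
        findings.append(f"{ssid}: no ca_cert/ca_path, any server certificate is accepted")
    if not any(params.get(k) for k in NAME_CHECKS):
        findings.append(f"{ssid}: no server name constraint, any cert from the trusted CA is accepted")
    return findings


def audit_config(text):
    """Audit every network block in a wpa_supplicant configuration string."""
    findings = []
    for params in parse_networks(text):
        findings.extend(audit_network(params))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"[{label}] {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run against the weak profile the script reports both gaps; the hardened profile passes. The same two settings are what matters on the Windows side of the article: enabling "Validate server certificate" alone still leaves the user with the accept/cancel prompt, so the PEAP properties should also name the expected server and restrict the trusted root CA to the one that actually issued the RADIUS certificate.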