Jump to content

Cracking wireless networks

From Wikibooks, open books for an open world


Cracking a wireless network is defeating the security of a wireless local-area network. A commonly used wireless LAN is a Wi-Fi network. Wireless LANs have inherent security weaknesses from which wired networks are exempt.

Two frequent types of vulnerabilities in wireless LANs are those caused by poor configuration, and those caused by weak or flawed security protocols.


Wi-Fi basics

[edit | edit source]
Wi-Fi is brand name of family wireless LAN protocols based on IEEE 802.11 standards.
Service set is a group of wireless devices which share a service set identifier (SSID).
802.11 networks are either infrastructure networks or ad hoc networks. By default, people refer to infrastructure networks.
  • Infrastructure networks are composed of one or more access points (AP) that coordinate the wireless traffic between the nodes and often connect the nodes to a wired network, acting as a bridge or a router.
    Each access point constitutes a network that is named a basic service set or BSS. A BSS is identified by a BSSID, usually the MAC address of the access point.
    Each access point is part of an extended service set or ESS, which is identified by an ESSID or SSID in short, usually a character string.
    A basic service set consists of one access point and several wireless clients. An extended service set is a configuration with multiple AP and roaming capabilities for the clients. An independent basic service set or IBSS is the ad hoc configuration. This configuration allows wireless clients to connect to each other directly, without an access point as a central manager.
    AP broadcast a signal regularly to make the network known to clients. They relay traffic from one wireless client to another. AP may determine which clients may connect, and when clients do, they are said to be associated with the access point. To obtain access to an access point, both the BSSID and the SSID are required.
  • Ad hoc networks have no access point for central coordination. Each node connects in a peer-to-peer way. This configuration is an independent basic service set or IBSS. Ad hoc networks also have an SSID.


802.11 networks use data frames, management frames, and control frames. Data frames convey the real data, and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the ether and prevent AP and clients from interfering with each other in the ether. Some information on management frames will be helpful to better understand what programs for reconnaissance do.

  • Beacon frames are used primarily in reconnaissance. They advertise the existence and basic configuration of the network. Each frame contains the BSSID, the SSID, and some information on basic authentication and encryption. Clients use the flow of beacon frames to monitor the signal strength of their access point.
  • Probe request frames are almost the same as the beacon frames. A probe request frame is sent from a client when it wants to connect to a wireless network. It contains information about the requested network.
  • Probe response frames are sent to clients to answer probe request frames. One response frame answers each request frame, and it contains information on the capabilities and configurations of the network. Useful for reconnaissance.
  • Authentication request frames are sent by clients when they want to connect to a network. Authentication precedes association in infrastructure networks. Either open authentication or shared key authentication is possible. After serious flaws were found in shared key authentication, most networks switched to open authentication, combined with a stronger authentication method applied after the association phase.
  • Authentication response frames are sent to clients to answer authentication request frames. There is one answer to each request, and it contains either status information or a challenge related to shared key authentication.
  • Association request frames are sent by clients to associate with the network. An association request frame contains much of the same information as the probe request contains, and it must have the SSID. This can be used to obtain the SSID when a network is configured to hide the SSID in beacon frames.
  • Association response frames are sent to clients to answer an association request frame. They contain a bit of network information and indicate whether the association was successful.
  • Deauthentication and disassociation frames are sent to a node to notify that an authentication or an association has failed and must be established anew.

Reconnaissance of wireless networks

[edit | edit source]

Reconnaissance is performed by network detectors and based on monitor mode aka rfmon of wireless network controller.


Wardriving is a common method of wireless network reconnaissance. A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and a way to connect to the Internet wirelessly. The purpose of wardriving is to locate a wireless network and to collect information about its configuration and associated clients.


Basic tools

[edit | edit source]
linssid - GUI
wavemon - TUI
iwlist scan
iw dev $w scan
nmcli dev wifi
airodump-ng $w

Bettercap

[edit | edit source]

Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi and other networks.

https://www.bettercap.org/modules/wifi/
https://www.bettercap.org/modules/ble/
https://www.bettercap.org/modules/hid/

inSSIDer

[edit | edit source]

inSSIDer uses the current wireless card or a wireless USB adapter and supports most GPS devices (namely those that use NMEA 2.3 or higher). Its graphical user interface shows MAC address, SSID, signal strength, hardware brand, security, and network type of nearby Wi-Fi networks. It can also track the strength of the signals and show them in a time graph.

Kismet

[edit | edit source]

Kismet is a multi-platform wireless network traffic analyzer.

Wireshark

[edit | edit source]

Wireshark is a packet sniffer and network traffic analyser that can run on all popular operating systems, but support for the capture of wireless traffic is limited. It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.[1]

Analysers of AirMagnet

[edit | edit source]

AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.[2]

Androdumpper is an Android APK that is used to test and hack WPS Wireless routers which have a vulnerability by using algorithms to hack into that WIFI network. It runs best on Android version 5.0 to 8.0

Airopeek

[edit | edit source]

Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It has become the industrial standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to use it to its ability.[3]

KisMac

[edit | edit source]

KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and WEP cracking.[3]

Penetration to wireless networks

[edit | edit source]

There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption. Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings – the default configuration – access is obtained simply by association. Without sufficient security settings, cloaking and MAC address filtering can easily be defeated. Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access (WPA) and Cisco's Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks. Some attacks starts from Wi-Fi deauthentication attack.


Recent attacks:

KrØØkWPA2 security vulnerability. Data in transmit buffers is sent with keys, zeroed by disassociation. Discovered in 2019.
KRACK — Key Reinstallation Attacks. Breaks WPA2 by forcing nonce reuse. Discovered in 2016.


Encryption types and their attacks

[edit | edit source]

Wired Equivalent Privacy (WEP)

[edit | edit source]

WEP [1997 — 2004] was the encryption standard firstly available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an initialisation vector of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadr cracking WEP: the FMS attack and the chopping attack. The FMS attack – named after Fluhrer, Mantin, and Shamir – is based on a weakness of the RC4 encryption algorithm . The researchers found that 9000 of the possible 16 million initialisation vectors can be considered weak, and collecting enough of them allows the determination of the encryption key. To crack the WEP key in most cases, 5 million encrypted packets must be captured to collect about 3000 weak initialisation vectors. (In some cases 1500 vectors will do, in some other cases more than 5000 are needed for success.) The weak initialisation vectors are supplied to the Key Scheduling Algorithm (KSA) and the Pseudo Random Generator (PRNG) to determine the first byte of the WEP key. This procedure is then repeated for the remaining bytes of the key. The chopping attack chops the last byte off from the captured encrypted packets. This breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). When all 8 bits of the removed byte were zero, the CRC of the shortened packet is made valid again by manipulation of the last four bytes. This manipulation is: result = original XOR certain value. The manipulated packet can then be retransmitted. This method enables the determination of the key by collecting unique initialisation vectors. The main problem with both the FMS attack and the chopping attack is that capturing enough packets can take weeks or sometimes months. Fortunately, the speed of capturing packets can be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then transmitted to the access point repeatedly until enough response packets have been captured. ARP packets are a good choice because they have a recognizable size of 28 bytes. Waiting for a legitimate ARP packet can take awhile. ARP packets are most commonly transmitted during an authentication process. Rather than waiting for that, sending a deauthentication frame that pushes a client off the network will require that client to reauthenticate. This often creates an ARP packet.[4]

Wi-Fi Protected Access (WPA/WPA2)

[edit | edit source]

WPA was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK) or is used in combination with a RADIUS server (WPA-RADIUS). For its encryption algorithm, WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES). WPA2 was developed because of some vulnerabilities of WPA-PSK and to strengthen the encryption further. WPA2 uses both TKIP and AES, and requires not only an encryption piece but also an authentication piece. A form of the Extensible Authentication Protocol (EAP) is deployed for this piece.[5] WPA-PSK can be attacked when the PSK is shorter than 21 characters. Firstly, the four-way EAP Over LAN (EAPOL) handshake must be captured. This can be captured during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients. Secondly, each word of a word-list must be hashed with the Hashed Message Authentication Code – Secure Hash Algorithm 1 and two so called nonce values, along with the MAC address of the client that asked for authentication and the MAC address of the access point that gave authentication. Word-lists can be found at.[6] LEAP uses a variation of Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2). This handshake uses the Data Encryption Standard (DES) for key selection. LEAP can be cracked with a dictionary attack. The attack involves capturing an authentication sequence and then comparing the last two bytes of a captured response with those generated with a word-list.[7] WPA-RADIUS cannot be cracked.[8] However, if the RADIUS authentication server itself can be cracked, then the whole network is imperilled. The security of authentication servers is often neglected.[9] WPA2 can be attacked by using the WPA-PSK attack, but is largely ineffective.[8]

See also

WPA security issues

Aircrack-ng

[edit | edit source]

Aircrack-ng runs on Windows and Linux, and can crack WEP and WPA-PSK. It can use the Pychkine-Tews-Weinmann and KoreK attacks, both are statistical methods that are more efficient than the traditional FMS attack. Aircrack-ng consists of components. Airmon-ng configures the wireless network card. Airodump-ng captures the frames. Aireplay-ng generates traffic. Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts all packets that were captured. Thus, aircrack-ng is the name of the suite and also of one of the components.[10]

CoWPAtty

[edit | edit source]

CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started using a command-line interface, specifying a word-list that contains the passphrase, a dump file that contains the four-way EAPOL handshake, and the SSID of the network.[11]

Void11

[edit | edit source]

Void11 is a program that deauthenticates clients. It runs on Linux.[12]

MAC address filtering and its attack

[edit | edit source]

MAC address filtering can be used alone as an ineffective security measure, or in combination with encryption. The attack is determining an allowed MAC address, and then changing the MAC address of the attacker to that address.


See also Changing Your MAC Address

Conclusion

[edit | edit source]

Penetration testing of a wireless network is often a stepping stone for penetration testing of the internal network. The wireless network then serves as a so-called entry vector.[13][14] If WPA-RADIUS is in use at a target site, another entry vector must be investigated.[6]

Appendixes

[edit | edit source]

Prevention and Protection

[edit | edit source]

An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied with Wired Equivalent Privacy (WEP). This security protocol takes care of the following:

  • authentication: assurance that all participants are who they state they are, and are authorized to use the network
  • confidentiality: protection against eavesdropping
  • integrity: assurance of data being unaltered

WEP has been criticized by security experts. Most experts regard it as ineffective by now.

In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.

Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped.[15] MAC filtering can be attacked because a MAC address can be faked easily.

In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.

Returning to encryption, the WEP specification at any encryption strength is unable to withstand determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses the TKIP encryption, WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.[16]

Installing updates regularly, disabling WPS, setting a custom SSID, requiring WPA2, and using a strong password make a wireless router more difficult to crack. Even so, unpatched security flaws in a router's software or firmware may still be used by an attacker to bypass encryption and gain control of the device. Many router manufacturers do not always provide security updates in a timely manner, or at all, especially for more inexpensive models.

WPS currently has a severe vulnerability in which the 8 pin numbered (0-9) passwords being used can easily be split into two sections, this means that each section can be brute-forced individually and so the possible combinations are greatly lessened (10^4 + 10^3, as opposed to 10^7). (WPS utilizes 7 digits + EAN8 checksum ;) This vulnerability has been addressed by most manufacturers these days by using a lock down mechanism where the router will automatically lock its WPS after a number of failed pin attempts (it can take a number of hours before the router will automatically unlock, some even have to be rebooted which can make WPS attacks completely obsolete). Without a lock down feature, a WPA2 router with WPS enabled can easily be cracked in 5 hours using a brute force WPS attack.

SSID's are used in routers not only to identify them within the mass of 2.4, 3.6, 5 and 60 GHz frequencies which are currently flying around our cities, but are also used as a "seed" for the router's password hashes. Standard and popular SSID's such as "Netgear" can be brute forced through the use of rainbow tables, however the use of a salt greatly improves security against rainbow tables. The most popular method of WPA and WPA2 cracking is through obtaining what's known as a "4 way handshake". when a device is connecting with a network there is a 4-stage authorization process referred to as a 4 way handshake. When a wireless device undergoes this process this handshake is sent through the air and can easily be monitored and saved by an external system. The handshake will be encrypted by the router's password, this means that as opposed to communicating with the router directly (which can be quite slow), the cracker can attempt to brute force the handshake itself using dictionary attacks. A device that is connected directly with the router will still undergo this very process, however, the handshake will be sent through the connected wire as opposed to the air so it cannot be intercepted. If a 4 way handshake has already been intercepted, it does not mean that the cracker will be granted immediate access however. If the password used contains at least 12 characters consisting of both random upper and lower case letters and numbers that do not spell a word, name or have any pattern then the password will be essentially uncrackable. Just to give an example of this, let's just take the minimum of 8 characters for WPA2 and suppose we take upper case and lower case letters, digits from 0-9 and a small selection of symbols, we can avail of a hefty choice of 64 characters. In an 8 character length password this is a grand total of 64^8 possible combinations. Taking a single machine that could attempt 500 passwords per second, this gives us just about 17,900 years to attempt every possible combination. Not even to mention the amount of space necessary to store each combination in a dictionary.

Note: The use of MAC filtering to protect your network will not work as MACs using the network can be easily detected and spoofed.

Detection

[edit | edit source]

A network scanner or sniffer is an application program that makes use of a wireless network interface card. It repeatedly tunes the wireless card successively to a number of radio channels. With a passive scanner this pertains only to the receiver of the wireless card, and therefore the scanning cannot be detected.

An attacker can obtain a considerable amount of information with a passive scanner, but more information may be obtained by sending crafted frames that provoke useful responses. This is called active scanning or probing. Active scanning also involves the use of the transmitter of the wireless card. The activity can therefore be detected and the wireless card can be located.

Detection is possible with an intrusion detection system for wireless networks, and locating is possible with suitable equipment.

Wireless intrusion detection systems are designed to detect anomalous behaviour. They have one or more sensors that collect SSIDs, radio channels, beacon intervals, encryption, MAC addresses, transmission speeds, and signal-to-noise ratios. Wireless intrusion detection systems maintain a registry of MAC addresses with which unknown clients are detected.[17]

Legality

[edit | edit source]

The Netherlands Making use of someone else's wireless access point or wireless router to connect to the internet – without the owner's consent in any way – is not punishable by criminal law in The Netherlands. This is true even if the device uses some form of access protection. To penetrate someone else's computer without the owner's consent is punishable by criminal law though.[18][19]

See also

Legality of piggybacking
Piggybacking (internet access) (parasitic use of wireless networks to obtain internet access)

Crackers and society

[edit | edit source]

There is consensus that computer attackers can be divided in the following groups.

  • Adolescent amateurs. They often have a basic knowledge of computer systems and apply scripts and techniques that are available on the internet.
  • Adult amateurs. Most of them are motivated by the intellectual challenge.
  • Professionals. They know much about computers. They are motivated by the financial reward but they are also fond of their activity.[20]

Naming of crackers

[edit | edit source]

The term hacker was originally used for someone who could modify a computer for his or her own purposes. Hacking is an intrusion combined with direct alteration of the security or data structures of the breached system. The word hacking is often confused with cracking in popular media discourse, and obfuscates the fact that hacking is less about eavesdropping and more related to interference and alteration.[21] However, because of the consistent abuse by the news media, in 2007 the term hacker was commonly used for someone who accesses a network or a computer without authorization of the owner.[22]

In 2011, Collins Dictionary stated that the word hacker can mean a computer fanatic, in particular one who by means of a personal computer breaks into the computer system of a company, government, or the like. It also denoted that in that sense the word hacker is slang. Slang words are not appropriate in formal writing or speech.[23]

Computer experts reserve the word hacker for a very clever programmer. They call someone who breaks into computers an intruder, attacker, or cracker.[24]


See also

Evil twin (wireless networks) — rogue Wi-Fi access point
Wireless intrusion prevention system
Wireless security
Mobile security
http://www.wigle.net/Wireless Geographic Logging Engine

References

[edit | edit source]
Penetration Tester's Open Source Toolkit. Various editions.
  1. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 117-118.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 126.
  3. a b Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 129.
  4. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 284-288.
  5. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 285.
  6. a b Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 288.
  7. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 289.
  8. a b Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 281.
  9. Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006, page 196.
  10. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 226-227.
  11. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 306.
  12. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 302-303.
  13. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, page 150.
  14. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 311.
  15. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 161-162.
  16. Upgrading and repairing PC's, 19th edition, by Scott Mueller, Pearson Education, Inc., 2010, pages 900-901.
  17. "Hacking Techniques in Wireless Networks by Prabhaker Mateti, 2005". Archived from the original on 24 August 2013. Retrieved 2 October 2014.
  18. PC Plus (Dutch computer magazine), issue 04/2011, page 60.
  19. "Dutch courts: Wi-Fi 'hacking' is not a crime by John Leyden, 2011". Retrieved 2 October 2014.
  20. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 376.
  21. Running Linux, 5th edition, by Matthias Kalle Dalheimer and Matt Welsh, O'Reilly Media, Inc., 2005, pages 829-830.
  22. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, page 4.
  23. Collins Dictionary, 11th edition, HarperCollins Publishers, 2011, pages xi, 741.
  24. "Ethics in Internet Security by Prabhaker Mateti, 2010". Retrieved 2 October 2014.