Nerds don't just happen to dress informally. They do it too consistently. Consciously or not, they dress informally as a prophylactic measure against stupidity.
Introduction:
In this article you will not only learn how to break into wireless networks, covering:
· Encryption
· MAC Filtering
· ESSID Broadcasting
· DHCP Servers
but also how to protect your wireless network from such intrusions. I will not go into ARP Cache Poisoning, as sas01 has already written an article on that topic. Hopefully, once you finish reading this article, you will know how to protect yourself and how to beat the protection put in place by others.
Hacking into a Wireless Network
How is it possible?
Well, the reason it's possible to hack into a wireless network is simply that it's wireless. All the data sent between the wireless router and the connected clients travels 'through the air'. All we have to do is grab it as it gets sent.
The problem is, the majority of wireless networks these days are encrypted, so we can't just 'grab' the packets. You may be wondering what packets are. 'Packets' is the term given to the data sent and received by two communicating machines, whether router to computer or computer to computer.
So how do we read encrypted packets? We need to break the encryption. Once we do this, we are able to communicate with other machines on the network, which means sharing data (files etc.) and an internet connection.
So how do we crack the encryption? It depends on the encryption itself. I'll talk about this more later, but here's a quick explanation. WEP attaches part of its key material (the IV, explained below) to most of the packets that get sent, for verification purposes when they are received. So, if we catch enough of these packets, we can work out the key.
The other type of encryption is WPA. WPA only transfers the key once, during the 'handshake', which is when the two machines verify that they both know the key. So this is the only time we can grab it.
Encryptions:
What is it:
Setting an encryption on your wireless access point basically means you have it password protected. No one will be able to communicate with it unless they supply the correct key.
Open:
Having an open router means you don't have any encryption set. You are basically shouting out to your neighbours: 'Hey, I have fast internet you can use... connect to me!' All your network traffic is readable by anyone within range, which means passwords, e-mails, messenger conversations etc. You don't want this option.
WEP:
WEP is short for Wired Equivalent Privacy. It is a crappy old encryption technique that was flawed by design. A 3-byte value called an Initialization Vector (IV) is prepended to each packet and combined with a pre-shared key that all your clients must know in order to connect. The reason WEP is so crappy is this IV: because it is prepended to almost every packet, if you catch enough packets you can crack the key. With packet injection and under the right conditions you used to be able to crack WEP in around 5-10 minutes. Now it can be done in less than 60 seconds.
WPA:
WPA takes care of a lot of the vulnerabilities in WEP. It comes in two different flavours: RADIUS and PSK. PSK is hackable; RADIUS is not.
PSK uses the user's password to initialize TKIP (Temporal Key Integrity Protocol). TKIP can only be cracked if you catch it during the authentication process (the handshake).
Cracking WEP:
As I have already mentioned, a 3-byte vector (IV) is prepended to almost every packet your wireless router transmits. This means that if you capture enough of these packets, you can build up a better idea of what the key is and guess it, or, as it's more technically called, brute-force it.
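One way to see why a 3-byte IV can never be made safe, as an added illustration that is not part of the original article: the birthday bound on a 24-bit value, computed exactly below, puts the first repeated IV at even odds after only a few thousand frames and makes repeats a certainty well inside the IV counts quoted later for cracking.

```python
import math

IV_BITS = 24                  # WEP's Initialization Vector is 3 bytes
IV_SPACE = 2 ** IV_BITS       # 16,777,216 distinct IV values


def iv_repeat_probability(frames, iv_space=IV_SPACE):
    """Exact probability that some IV value occurs twice among `frames`
    frames when every frame draws its IV uniformly at random. Random IVs
    are the best case for WEP; implementations that reset or reused their
    counters collide sooner. Computed in log space to stay accurate."""
    if frames > iv_space:
        return 1.0            # pigeonhole: more frames than IV values
    log_no_repeat = 0.0
    for i in range(frames):
        log_no_repeat += math.log1p(-i / iv_space)   # log(1 - i/N)
    return 1.0 - math.exp(log_no_repeat)


def frames_for_probability(target, iv_space=IV_SPACE):
    """Smallest frame count at which a repeated IV is at least `target`
    likely. Starts just below the birthday estimate sqrt(2 N ln(1/(1-p)))
    and walks to the exact crossing point."""
    n = max(2, int(math.sqrt(2 * iv_space * math.log(1 / (1 - target)))) - 50)
    while n > 2 and iv_repeat_probability(n, iv_space) >= target:
        n -= 1
    while iv_repeat_probability(n, iv_space) < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"50% chance of a repeated IV after {frames_for_probability(0.5)} frames")
    for frames in (1000, 5000, 60000):
        print(f"{frames:>6} frames: P(repeat) = {iv_repeat_probability(frames):.6f}")
```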
The tools you will need to crack a WEP key are:
(You should do all your wireless attacks under Linux. Windows is teh suck at this...)
· Airodump - Catch IVs
· Aircrack-ptw - Crack the IVs
· Aireplay - Packet injection
· Kismet - Discover networks
Before we can crack the key, we will need to perform some enumeration on the network. We will need to know certain things about the network to make cracking possible.
Start up Kismet and write down the following things about your target network:
· Encryption type (64-bit WEP, 128-bit WEP)
· The channel the network is on
· Access point's IP address
· BSSID (MAC address)
· ESSID (more commonly referred to as the SSID)
Now we will need to start capturing the packets that the router transmits. The packets we want are those that have an IV attached.
Start up Airodump with the following command:
CODE :
./airodump <interface> <output prefix> <channel>
Example: ./airodump ath0 crackme 7
· Interface - Your wireless interface (ath0 for example)
· Output Prefix - Filename for the dump file
· Channel - The channel your target router is on
Airodump will now sit there capturing packets. You may notice that it is also capturing the packets of other networks. This is no big deal... When we go to crack the key, we can choose which network we are attacking.
Packet Injection:
To crack a 128-bit WEP key, you used to need around 700,000 IVs. Without packet injection, this could take years. Now, due to some clever cryptologists, you only need around 60,000 IVs to crack the key. This could still take some time without packet injection. This is one of the reasons you will need to use Linux, as Windows does not support packet injection.
Packet injection is basically when you capture a certain type of packet that the router transmits and send it back to the router. The router receives it and responds. If you loop this, you will receive a lot of packets.
ARP Injection:
This is the most common way of producing more IVs from the access point. The reason it's common is that it almost always works.
To use this attack, you will need to know:
· The BSSID of the target network
· The BSSID of an associated client
If there are no clients, don’t fret. There is a trick to fake authenticate with the router. We will get to this shortly.
Start up Aireplay with the following command:
CODE :
./aireplay -3 -b <AP MAC Address> -h <Client MAC Address> ath0
· -3 - Tells Aireplay what attack we will be doing
· -b - Following this is the MAC address of the router
· -h - Following this is the MAC address of a client
· ath0 - Your wireless card interface
Aireplay will now sit and wait for ARP requests. When it captures one, it will flood them back to the router, forcing it to respond. You will see the number of IVs captured in your Airodump window increase greatly.
NOTE: You must leave Airodump running when using Aireplay. All Aireplay does is work to increase your captured packet count. You need Airodump running to capture said packets.
Fake Authentication:
If there are no associated clients on your target network, then you cannot use the above attack. So what we do to overcome this is fake authentication. It does not increase your packet count, so don't expect to see Airodump flooding in with packets when doing this.
To use this attack, you will need to know:
· The ESSID of the target access point
· The BSSID of the target access point
· A fake MAC address (just make one up off the top of your head)
Start Aireplay with the following command:
CODE :
./aireplay -1 30 -e <essid> -a <bssid> -h <fake> ath0
Example: ./aireplay -1 30 -e home -a 00:11:00:11:00:11 -h 00:00:00:00:00:00 ath0
· -1 30 - Tells Aireplay we will be fake associating, and to do so every 30 seconds. The reason we use 30 seconds is that most routers require you to reassociate within that time.
· ESSID - The ESSID of your target router
· BSSID - The BSSID of your target router
· FAKE - The fake MAC address you came up with. (You need to remember this when ARP Injecting if there are no real clients)
Cracking The Encryption:
Once you have captured around 60,000 IVs, you can crack the key using Aircrack-ptw. If you don't have Aircrack-ptw and you are using Aircrack-ng, you will need around 700,000 IVs to crack a 128-bit WEP key.
Start up Aircrack with the following command:
CODE :
./aircrack <options> <dumpfile>
Example: ./aircrack -a 1 -b 00:00:00:00:00:00 -n 128 crackme.cap
The options you can use when cracking with Aircrack are:
· -a 1 - This forces a WEP attack. Using -a 2 will force a WPA attack.
· -b - This is the MAC address of the router. Using -e will allow you to use the ESSID of the router instead of the MAC.
· -n 128 - This is the length of the WEP key. If you don’t know it, leave it out.
This will now start cracking the key. If you leave Airodump running, then as it captures more IVs it will update the dump file, which decreases the time it takes Aircrack to crack the key.
WPA
Capturing the Handshake:
NOTE: This is only about cracking PSK
The handshake is where the authentication takes place between the access point and the client. This is the only time the key is sent across the network, so it is your only chance to crack the key.
You will need to start up Airodump, just like you did for WEP cracking, and await the handshake.
Forcing the Handshake:
You don't want to have to be sitting around waiting for a client to associate with the access point, do you? So, what we do is disconnect a valid client, forcing it to re-associate. This way, you get your handshake.
To do this attack, you will need:
· The MAC address of the access point
· The MAC address of a valid client (We can’t fake this one, so don’t bother trying.)
Start up Aireplay with the following command:
CODE :
./aireplay -0 5 -a <AP MAC> -c <CLIENT MAC> ath0
Example (made-up addresses): ./aireplay -0 5 -a 00:11:00:11:00:11 -c 00:11:22:33:44:55 ath0
· -0 - Tells Aireplay we are going to disconnect a client (the attack type)
· 5 - We will be disconnecting them every 5 seconds
· -a - Following this is the router's MAC address
· -c - Following this is the client's MAC address
· ath0 - Your wireless interface
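A defender's view of the same traffic, as an added example that is not part of the original article: the forced re-association above shows up on a monitor-mode sensor as a tight burst of deauthentication frames carrying the access point's address, whereas a client genuinely leaving sends a single one. The log format, timestamps and MAC addresses below are constructed; the threshold and window are assumptions to tune per network.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log, not a real capture: one management frame per line as a
# monitor-mode sensor might record it. MACs reuse the article's example values.
# reason=3 is a station saying it is leaving; a burst of reason=7 frames from
# the AP's address to one client is the footprint a forced re-association leaves.
SAMPLE_LOG = """\
12:00:00.000 beacon src=00:11:00:11:00:11 dst=ff:ff:ff:ff:ff:ff
12:00:03.410 deauth src=00:13:46:50:57:ab dst=00:11:00:11:00:11 reason=3
12:00:10.001 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:10.004 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:10.007 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:10.010 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:10.013 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:10.016 deauth src=00:11:00:11:00:11 dst=00:13:46:50:57:ab reason=7
12:00:11.500 probe-req src=00:13:46:50:57:ab dst=ff:ff:ff:ff:ff:ff
"""

def parse_frame(line):
    """Split a log line into (timestamp, subtype, {field: value})."""
    ts_text, subtype, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts_text, "%H:%M:%S.%f"), subtype, fields

def detect_deauth_floods(log_text, threshold=5, window=timedelta(seconds=1)):
    """Alert once per (src, dst) pair whose deauth frames inside a sliding
    `window` reach `threshold`. A normal departure is a single frame."""
    recent = defaultdict(deque)      # (src, dst) -> deauth timestamps in window
    alerts, flagged = [], set()
    for line in log_text.splitlines():
        ts, subtype, f = parse_frame(line)
        if subtype != "deauth":
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:    # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"src": key[0], "dst": key[1], "count": len(q),
                           "first": q[0].strftime("%H:%M:%S.%f")[:-3],
                           "reason": f.get("reason")})
    return alerts

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_LOG):
        print(f"deauth flood: {a['count']} frames {a['src']} -> {a['dst']} "
              f"from {a['first']} (reason {a['reason']})")
```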
Cracking the Handshake:
This attack is called a 'Dictionary Attack'. It basically tries to compare a bunch of words to the encrypted key and see if they match. If they do, you've found your password.
To do this attack, you will need:
· Access points MAC address
· A good wordlist (One with a few million words would be nice)
Start up Aircrack with the following command:
CODE :
./aircrack -a 2 -b <AP MAC> -w /path/to/wordlist.txt <dumpfile>
Example: ./aircrack -a 2 -b 00:11:00:11:00:11 -w /home/kane/wordlist.txt crackme.cap
· -a 2 - Forces a WPA attack. -a 1 is a WEP attack.
· -w - This tells Aircrack where your wordlist file is.
This attack is either a hit or miss. If you manage to crack the key, great. If you don’t, bad luck.
DHCP Servers:
Most of the time you are lucky enough to be given connection details via a DHCP server. But this isn't always the case. If you do an 'ipconfig' in the command prompt and see that you haven't been given DNS info, a gateway and an IP address, you will have to assign them manually.
Further down in this article I explain how to find an IP address and the gateway. This is done by sniffing the network traffic. All we need now is the DNS info; without it, we have no internet. To find your target's ISP DNS servers, you will need to sniff their traffic with WireShark. Once they make a request to a webserver (visit a website), they will receive a response from their DNS servers. You then take that address and put it in your connection settings.
MAC Address Filtering:
This is a form of protection put in place to prevent unauthorised devices from communicating on the network. What it basically does is create a whitelist of MAC addresses. If your MAC address isn't on the list, your traffic gets dropped.
This is by no means going to prevent a skilled person from gaining access to your network. It will only slow them down.
In Windows, you will need to download a program that will change your MAC address. But before I go into that, I will quickly tell you what a MAC address is.
A MAC address is basically your computer's hardware address. You may have heard of that description in terms of IP addresses. Well, that's how ARP Cache Poisoning works: there is an ARP (Address Resolution Protocol) table on your computer that keeps a list of all networked computers' IP addresses and their corresponding MAC addresses.
The program I will be using to change our MAC address is called 'MacShift' (Google it). The reason I use this program is that it's free, and it works. It is a CLI (Command Line Interface) program, so you will need to run it from your command prompt.
To change your MAC address, start up MacShift with the following commands:
CODE :
· -i - Your wireless card’s name. (This is the name given in Network Connections)
· -r - Use a random MAC address
· -d - Restores your original MAC address
Changing your MAC address under Linux is much simpler and does not require you downloading any special programs. You can do it right from your terminal.
Use the following command:
CODE :
ifconfig ath0 down
ifconfig ath0 hw ether 00:00:00:00:00:00
ifconfig ath0 up
Replace ath0 with your wireless interface.
What you're going to need to do is find a whitelisted MAC address so you can change yours to theirs. If Kismet hasn't already told you the MAC address of valid clients (done by pressing 'c'), then you can find one by sniffing the network traffic using a program such as WireShark (formerly named Ethereal).
Start up WireShark and after about two minutes of sniffing (providing there is traffic on the network) you should see some packets being captured. If you look through them, you should see something like:
Dst: D-Link_50:57:ab (00:13:46:50:57:ab)
The number in the brackets is the MAC address of my router. Once you have found yourself a valid address, change yours and re-connect.
Disabled ESSID Broadcasting:
For some reason, people believe that if you disable your router from broadcasting your ESSID, people won’t be able to connect. I say ‘lol’ to that.
You should have already discovered the ESSID of your target network. Either in Airodump or Kismet. Both will tell you it.
Hidden IP Range:
Another form of silly security is hiding your IP range. We need to know the range so we can set our gateway and our own IP; without it, we can't communicate on the network.
If Kismet hasn't already told you the IP of your target router, then you can use WireShark once more to sniff the traffic, thus finding the router's IP and the IPs of some of the clients.
Protecting Yourself
As you may have already figured, the only real way to keep your wireless network safe is to use the WPA encryption with a strong passphrase. Something like ‘network’ could quite easily be cracked because it would be in just about every wordlist file. To keep your network truly safe, you would have to use a passphrase with a bunch of jumbled characters. Like this:
X;mGL@qR]`dzT;B+wUbbgw!ck|Y+!dH.O'+V+`)z"ylFgHQ}-H3rPtQ;Y7:Kd
As you can see, it is very unlikely that you would find that in a wordlist.
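An added example, not from the original article, of the check a defender can run before settling on a passphrase: it applies the WPA-PSK rules (8 to 63 printable ASCII characters), tests the passphrase and its trivial variants against a constructed stand-in wordlist, and scores the article's own passphrase. The wordlist contents and the mangling rules are assumptions.

```python
import math
import string

# Constructed stand-in for the multi-million-word files the article mentions;
# a real check would load the same wordlists an attacker would use.
WORDLIST = {"network", "password", "wireless", "linksys", "internet", "home"}

# The passphrase the article shows, kept here so it can be scored.
ARTICLE_PASSPHRASE = '''X;mGL@qR]`dzT;B+wUbbgw!ck|Y+!dH.O'+V+`)z"ylFgHQ}-H3rPtQ;Y7:Kd'''

LEET = str.maketrans("013@$", "oieas")   # undo common digit/symbol substitutions

def wordlist_forms(passphrase):
    """Forms of `passphrase` that a wordlist run with cheap mangling rules
    (case folding, leading/trailing digits or symbols, 1337 spelling) covers."""
    p = passphrase.lower()
    stripped = p.strip(string.digits + string.punctuation)
    return {p, stripped, p.translate(LEET), stripped.translate(LEET)}

def charset_size(passphrase):
    """Size of the union of standard character classes the text draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in passphrase))

def assess_wpa_passphrase(passphrase, wordlist=WORDLIST):
    """Check WPA-PSK passphrase rules (8-63 printable ASCII characters) and
    wordlist exposure; report an upper bound on the guess space in bits,
    which only holds if the characters were chosen at random."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        problems.append("only printable ASCII is allowed")
    if wordlist_forms(passphrase) & wordlist:
        problems.append("matches a wordlist entry or a trivial variant of one")
    size = charset_size(passphrase)
    bits = len(passphrase) * math.log2(size) if size else 0.0
    return {"ok": not problems, "problems": problems, "guess_space_bits": round(bits, 1)}

if __name__ == "__main__":
    for candidate in ("network", "Network2009!", "n3tw0rk$", ARTICLE_PASSPHRASE):
        print(f"{candidate[:20]!r:>24}: {assess_wpa_passphrase(candidate)}")
```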
I myself use nothing more than a strong passphrase and WPA encryption to keep my wireless network safe. But, if you would like to go all the way, then using the following methods will give you that extra little bit of security.
· Disable ESSID Broadcasting
· Hide Your IP Range
· MAC Address Filtering
· Change Your Passphrase Often
Conclusion
That is all I have to say. I hope you learnt something and enjoyed my article. If you have any questions etc, comment or PM me and I’ll get back to you.
-Kane
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.