Chapter 4: Wireless Network Hacking

Wireless Hacking

There are many advantages to using wireless networking. However, this
kind of technology comes with a host of threats and vulnerabilities that
hackers can take advantage of. Since information is sent over the air via
radio frequencies, it is easier for hackers to intercept it compared to wired
connections. This is more so when the information being sent is not
encrypted or the encryption algorithm is weak.
Wireless networks consist of four basic elements:
- A wireless access point that connects to the network
- Data being transmitted via radio frequencies
- The client device used, such as a laptop, tablet, etc.
- The users
Every one of these elements can be targeted by a hacker to compromise at
least one of the three major objectives of a secure network: availability,
integrity and confidentiality.

Wireless Network Attacks

1. Accidental association
It is possible for a wireless network to be hacked accidentally. In some
cases, one wireless network overlaps with another, thus enabling any user
to jump into another unintended network accidentally. This may seem
benign, but a malicious hacker can take advantage of this and gain access
to information that should not have been exposed in such a manner. If the
overlapping networks belong to organizations, then the link can be used to
steal proprietary data.
2. Malicious Association
This occurs when malicious hackers gain access to a private network using
their own device rather than through the legitimate access point (AP). A
hacker can create a "soft AP," which can be a laptop with software that
makes its wireless network card appear to be a genuine access point. This
allows the hacker to steal passwords, attack computers or send users
Trojan horse programs. A hacker can effectively have full control of every
computer that joins the fake network.
3. Ad-hoc Networks
These are networks between two wireless computers with no access point
separating them. Such networks can be attacked quite easily since they
rarely have adequate protection.
4. Non-traditional networks
These include Bluetooth devices, wireless printers, handheld PDAs and
barcode readers. These kinds of networks are rarely secured by IT
personnel since all the focus is usually on laptops or access points. This
makes them fair game for malicious hackers.
5. MAC Spoofing
This is a form of identity theft where a hacker monitors network traffic to
identify which computer has network privileges. The aim is to steal the
MAC (Media Access Control) address of that computer within the
network. Many wireless systems have a MAC filter that allows only
specific computers with specific MAC addresses to access and use the
network. A hacker may get software that is able to "sniff" the network to
find these authorized computers and their IDs and then employ other
software that allows the hacker's computer to use these stolen MAC
6. Man-in-the-middle Attacks
This occurs when a malicious hacker sets up their laptop as a soft access
point and then lures other users to use it. The hacker then connects the soft
access point to a genuine access point using a different wireless card, thus
forcing users to go through the fake AP to reach the real one. This enables
the hacker to sniff out whatever information they want from the traffic.
This type of attack has been made easier by software such as AirJack and
LANjack. Wireless Hotspots are a great place to launch this kind of attack
since there is hardly any meaningful security on such networks.
7. Denial of Service Attacks
This is where a hacker continuously sends numerous requests, commands
and messages to a specific access point until the network crashes or just to
prevent genuine users from getting onto the network.
8. Network Injection Attack
A malicious hacker injects counterfeit networking re-configuration
commands into an access point that does not filter traffic. These fake
commands bring down the entire network or switches, routers and hubs,
forcing a reboot or reprogramming of every networking device.

Wireless Network Authentication

Wireless networks are designed to be accessible to anyone who has a
wireless-enabled device. For this reason, most networks are protected
using passwords. There are two common authentication techniques used:
WEP and WPA.

WEP

This stands for Wired Equivalent Privacy and was developed to provide
users with the same level of privacy as wired networks. It adheres to IEEE
802.11 WLAN standards. WEP encrypts data that is being sent over a
network to prevent eavesdropping.

WEP vulnerabilities

There are significant flaws in the design of this type of authentication:
1. It uses Cyclic Redundancy Check 32 (CRC32) to verify the integrity of
packets. The problem with CRC32 is that a hacker only needs to capture two
packets to crack into the network. They can also modify the checksum and
encrypted stream to force the system to accept the packet.
2. It uses the RC4 encryption algorithm to produce a key stream from a
secret key and an Initial Value (IV). The IV length is fixed at 24 bits,
but the secret key can be 40 to 104 bits in length. If a shorter secret key
is used, the network becomes easier to hack.
3. Since it is a password-based authentication technique, a hacker can
successfully deploy a dictionary attack.
4. It does not have a central key management system, which makes it very
difficult to change keys in big networks.
Due to these numerous security flaws, WEP has fallen out of favor and
been replaced by WPA.
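As an added illustration of flaw 2 (this code is not from the book), the Python below keys RC4 the WEP way, with the 24-bit IV prepended to the secret key, and shows the two consequences of so short an IV: two frames encrypted under a repeated IV leak the XOR of their plaintexts without the key ever being recovered, and the birthday bound puts the first IV repeat under 5,000 frames (running the same estimate for 48 bits shows what WPA's longer IV buys). The key and the frame contents are constructed values.

```python
import math
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the per-frame RC4 key is the 24-bit IV prepended to the
    shared secret key. Decryption is the same operation (stream cipher)."""
    assert len(iv) == 3
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def keystream_reuse_leaks(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2 for two frames sent under the same IV:
    the key stream cancels out, so an eavesdropper who knows one plaintext
    (a predictable header, say) reads the other without learning the key."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_iv_collision(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Birthday bound: frames with random IVs after which some IV has repeated
    with probability `prob`. For WEP's 24-bit IV this is fewer than 5,000."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")  # constructed 40-bit WEP key
    iv = os.urandom(3)                 # any IV; what matters is that it repeats
    print(keystream_reuse_leaks(key, iv, b"GET /index.html", b"POST /login.cgi"))
    print(frames_until_iv_collision(), frames_until_iv_collision(48))
```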

How to crack WEP networks

Exploiting the numerous security vulnerabilities on a WEP network is
possible either through passive attacks or active cracking. If a passive
attack is launched, the network traffic is not affected until WEP
authentication has been successfully cracked. This makes it harder to
detect. Active cracking tends to increase the load on the network, thus
making it easier to detect, though it is also more effective.
The tools that can be used for cracking WEP include:
Aircrack — This is also a network sniffer and can be downloaded from
Kismet — This multi-purpose tool can sniff network packets, detect
invisible and visible networks and even identify intrusions. It can be
downloaded from
WEPCrack — This open-source tool can crack secret keys and can be
downloaded at
WebDecrypt — It cracks WEP keys using a dictionary attack and
generates its own keys. Get it at

WPA

WPA is an abbreviation for Wi-Fi Protected Access. It was primarily
developed to mitigate the weaknesses of WEP. WPA uses a larger IV than
WEP, 48 bits to be precise. Packets are encrypted using temporal keys.

WPA vulnerabilities

1. Hackers can easily overcome it using denial of service attacks.
2. Its keys rely on passphrases and if weak passphrases are used, a
dictionary attack can be successfully launched.

How to crack WPA networks

Since WPA uses passphrases to authenticate user logins, a well-coordinated
dictionary attack makes it vulnerable, especially if short passphrases are
used. The tools for cracking WPA include:
Cain and Abel — It is used to decode files that have been sniffed by other
programs like Wireshark.
CowPatty — This is a brute force attack tool that cracks pre-shared keys.
Download from

How to crack network WPA and WEP keys

You are going to need the right software, hardware and patience in order to
crack the keys to a wireless network. However, successfully doing so is
dependent on the activity levels of users within the network you have
Backtrack is a great security operating system that is based on Linux. It
contains many well-known tools that are very effective for collecting data,
evaluating weaknesses and exploiting networks. Some of these tools
include Metasploit, Ophcrack, Wireshark, Nmap and Aircrack-ng.
Cracking network authentication keys requires the following:
Wireless network adapter able to inject packets.
Backtrack OS, downloadable from
Proximity to the network radius.
Adequate knowledge of Linux OS and how to use the scripts in
Patience, as there are factors that you may not be able to
Remember, the greater the number of people actively accessing the
network, the faster this will work.

How to perform MAC spoofing

To carry out MAC spoofing, you will have to bypass the MAC filtering
that the target network is using. MAC filtering is commonly used to
lock out MAC addresses that have not been authorized to connect to a
wireless network. This is usually an effective way to prevent people who
may somehow acquire the password from connecting to the network.
However, MAC filtering is not an effective security measure when it
comes to locking out hackers.
The steps below will show you exactly how to go about spoofing the MAC
address of a client who is authorized to connect to the network. The Wi-Fi
adapter should be in monitoring mode. Airodump-ng on Kali Linux will be
used to recover the MAC address. After this, the Macchanger program will
be used to do the spoofing, bypass the filter and connect to the network.


1. Make sure your Wi-Fi adapter is in monitoring mode. To find the
wireless network that is being targeted as well as any clients connected to
it, enter this command:
airodump-ng -c [channel] --bssid [target router MAC address] wlan0mon
A window will open up, displaying a list of clients who are connected to
the network. Their whitelisted MAC addresses will also be shown. These
are the addresses you need to spoof to enter the network.
2. Pick one of the whitelisted MAC addresses from the list to use to spoof
your own address. Before you can perform the spoofing, you must take
down the monitoring interface. Enter the command:
airmon-ng stop wlan0mon
3. The next step is to take down the wireless interface whose MAC address
you intend to spoof. Enter the command:
ifconfig wlan0 down
4. Then use the macchanger software to change the address. Enter the
command:
macchanger -m [New MAC Address] wlan0
5. Remember, you took down the wireless interface in step 3. Now it
is time to bring it back up. Use the command:
ifconfig wlan0 up
Now that the MAC address of your wireless adapter has been changed to
that of an authorized user, test and see if the network will authenticate
your login. You should be able to connect to the wireless network.
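From the defender's side, a whitelisted address in use by two radios at once can usually be spotted in a monitor-mode capture: every 802.11 station numbers its frames with a 12-bit sequence counter that only counts upward, so two transmitters sharing one MAC produce a counter that keeps jumping backwards. The Python below is an added example, not from the book; the capture summary and the slack thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed monitor-mode capture summary: (timestamp, source MAC, sequence number).
CAPTURE = [
    (0.00, "aa:bb:cc:11:22:33", 1200),
    (0.01, "aa:bb:cc:11:22:33", 1201),
    (0.02, "aa:bb:cc:11:22:33", 1202),
    (0.03, "aa:bb:cc:11:22:33", 17),    # a second radio transmitting with the same MAC
    (0.04, "aa:bb:cc:11:22:33", 1203),
    (0.05, "aa:bb:cc:11:22:33", 18),
    (0.06, "aa:bb:cc:11:22:33", 1204),
    (0.07, "aa:bb:cc:11:22:33", 19),
    (0.00, "de:ad:be:ef:00:01", 4094),
    (0.01, "de:ad:be:ef:00:01", 4095),
    (0.02, "de:ad:be:ef:00:01", 0),     # legitimate counter wrap-around
    (0.03, "de:ad:be:ef:00:01", 1),
]

SEQ_MOD = 4096          # 12-bit sequence counter
FORWARD_SLACK = 256     # assumption: frames the monitor may simply have missed
RETRANSMIT_SLACK = 3    # assumption: retries/reordering repeat a few numbers


def seq_anomaly(prev: int, cur: int) -> bool:
    """True unless `cur` is a short forward step (missed frames, wrap-around)
    or a short backward step (retransmission) from `prev` on the 12-bit counter."""
    forward = (cur - prev) % SEQ_MOD
    return not (forward <= FORWARD_SLACK or forward >= SEQ_MOD - RETRANSMIT_SLACK)


def suspicious_macs(capture, min_events: int = 2) -> list:
    """MACs whose sequence counter makes large jumps at least `min_events` times,
    the signature of two radios interleaving frames under one address."""
    last = {}
    anomalies = defaultdict(int)
    for _, mac, seq in sorted(capture):
        if mac in last and seq_anomaly(last[mac], seq):
            anomalies[mac] += 1
        last[mac] = seq
    return sorted(m for m, n in anomalies.items() if n >= min_events)


if __name__ == "__main__":
    print(suspicious_macs(CAPTURE))
```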


Hacking of wireless networks poses three main threats: Disruption,
Alteration and Interception. To prevent malicious hackers from
eavesdropping on wireless transmission, you can use:

Signal-hiding methods — Before a malicious hacker can intercept
wireless transmissions, they first have to locate the wireless access point.
An organization can make this more difficult by switching off the SSID
(service set identifier) being broadcast by the access point, assigning a
cryptic name to the SSID, lowering signal strength to provide just enough
requisite coverage or stationing access points away from exterior walls
and windows. There are also more effective but expensive techniques,
such as employing directional antennas to restrict the signal within a
specific area or using TEMPEST (a technique to block the emission of
wireless signals).

Stronger encryption of all wireless traffic —This is very important,
especially for organizations that must protect the confidentiality of their
information being broadcast wirelessly. This measure reduces the risks of
a man-in-the-middle attack.

Stronger authentication procedures — This should apply to users as
well as their devices. This minimizes man-in-the-middle attacks.

Countermeasures against Denial of Service Attacks — Malicious hackers
may, at times, attempt to bring down the servers of an organization, but in
some cases, a DoS attack may be unintentional. There are certain steps that
can be taken to minimize the risks of this form of
- Performing site surveys carefully to determine the location of signals
emanating from other devices. This should be used as a guide in deciding
where the access points should be located.
- Conducting regular audits of network performance and activity to
determine areas with problems. If there are any offending devices, they
should be removed. Measures should also be taken to enhance signal
coverage and strength in problem areas.

Access Points

Wireless access points that are poorly configured are a major vulnerability
and may allow malicious hackers unauthorized access to confidential
information. To secure wireless access points, the following
countermeasures must be taken:
- Eliminate all rogue access points — The best way to do this is to use
802.1X to prevent any rogue devices from plugging into and connecting to
the wireless network.
- Ensure all authentic access points are properly configured — Make sure
that all default settings are changed, since they are publicly available
and hackers can easily exploit them.
- Authenticate every device using the 802.1X protocol — A strong
authentication system will prevent unauthorized devices from setting up
backdoors. This protocol ensures stringent authentication before a device
is assigned an IP address.

Client Devices

There are two perspectives when it comes to assessing security threats
against wireless devices: Theft/Loss and Compromise. Laptops and PDAs
usually contain a lot of confidential and sensitive information and
therefore must be protected from theft or loss. Wireless client devices can
also be compromised when a malicious hacker gains access to stored data
in the device. Hackers can also use the device to launch attacks on other
systems and networks.


- Encryption — This is the best way to secure a wireless network. Most
base stations, access points and wireless routers come with inbuilt
encryption mechanisms that enable scrambling of network communications.
Always make sure that the router you buy comes with an encryption feature.
Most manufacturers turn this feature off, so ensure that you manually turn
it on before you start using your router.
- Anti-spyware, anti-virus and firewalls — Make sure that your wireless
network is protected in the same way as a wired connection. Keep all your
software updated and always check whether your firewall is switched on.
- Switch off your router's identifier broadcasting — This is the
mechanism that a wireless router uses for broadcasting its presence in an
area. However, there is no need to announce the presence of a network if
the users already know that it is there. Malicious hackers tend to search
for the identifier broadcast to zero in on potential targets.
- Change the default identifier — Every router has a default ID given to
it by its manufacturer. You may have switched off the identifier
broadcast, but hackers can still attack the network if they find out the
default ID, which is publicly accessible. Change the identifier and do not
forget to configure the new ID into your computer.
- Change the default password — Every router is assigned a default
password by the manufacturer for the purpose of configuring the device
initially. These default passwords are easy to find, so make sure that you
change your router password to something that will be very difficult to
crack. Also, make your password as long as possible.
- Specify the devices authorized to connect to the network — Configure
your router to only allow specific MAC addresses to connect to the
network. However, do not rely on this technique alone, as MAC spoofing is
still possible.
- Shut the network down when unused — Whenever a wireless network is not
being used, make sure that it is switched off. This will limit the window
of opportunity that hackers can use to penetrate the network.
- Be vigilant in Wi-Fi hotspots — Most people love to use the free Wi-Fi
at airports, cafes, hotels and other public places. These wireless
networks are rarely secured, so do not assume that they
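
The access-point advice earlier (change every default, use strong authentication) and the router checklist above can be turned into a repeatable configuration check. The Python below is an added example, not from the book: it reads hostapd-style key=value settings (an assumed format; other vendors' files differ) and flags the weak settings the chapter warns about, using constructed weak and hardened configurations and an assumed 16-character passphrase minimum.

```python
# Constructed hostapd-style configurations: the first carries the weak settings
# the chapter warns about, the second the corrected ones.
WEAK_CONFIG = """\
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

HARDENED_CONFIG = """\
ssid=hq-floor3-staff
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2024
"""

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # constructed sample of vendor defaults
MIN_PASSPHRASE = 16  # assumption: the chapter only says "as long as possible"


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no weak setting was found."""
    findings = []
    if any(k.startswith("wep_key") for k in cfg) or cfg.get("wpa", "0") == "0":
        findings.append("WEP or open network: WPA is not enabled")
    elif cfg["wpa"] != "2":
        findings.append("WPA version 1 is allowed (wpa=%s); require wpa=2" % cfg["wpa"])
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed; use CCMP only")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    passphrase = cfg.get("wpa_passphrase", "")
    if "WPA-PSK" in cfg.get("wpa_key_mgmt", "") and len(passphrase) < MIN_PASSPHRASE:
        findings.append("PSK passphrase shorter than %d characters" % MIN_PASSPHRASE)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)))
```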

The Users

There is no greater way to secure a wireless network than educating and
training all users. Users are not just people who connect to the network but
IT personnel and administrators as well. It is very important to teach
people how to behave in a way that will maintain the security of the
wireless network. This user training and education must be a periodic

Let us face it. It is not possible to completely eliminate every risk that a
wireless network comes with. Eventually, a hacker will get through.
However, there are actions that can be taken to maintain a reasonable level
of general security. This is possible using systematic risk evaluation and
management techniques. Every component of a wireless network must be
considered when establishing countermeasures against malicious hackers.
