Cracking of wireless networks
Cracking of wireless networks is the penetration of wireless networks. A wireless network can be penetrated in a number of ways. These ways vary greatly in the level of computer skill and commitment they require. Once inside a network, a skilled hacker can modify software, network settings, other security items and much more.[citation needed] Precautions can be taken, however.
Obtaining a WEP key is the main goal for some hackers.[citation needed] Several methods are used to achieve this. A WEP key can be obtained within minutes.
Methods
Cracking of wireless networks typically begins with finding wireless networks, and then gathering as much information about them as possible. This is called network enumeration.[citation needed] Wireless networks are often found while mobile, using network discovery software such as Kismet or NetStumbler. Then more information is gathered by eavesdropping on a selected network with a network analyzer or sniffer. A sniffer monitors the data packets transmitted by a wireless network. The information that sniffers yield includes SSIDs, IP addresses, the number of computers transmitting on the network, the types of encryption in use, and MAC addresses. Furthermore, network mappers may be used to identify the servers on the network and their operating systems.[citation needed] SSIDSniff, Blade Software's IDS Informer, and commands such as arping may be used to gather IP addresses.[citation needed] When the brand and model of the access point have been found, the hacker can consult an online manual for the default SSIDs and passwords of the device, which gives access to the network if these settings were never changed. Websites that provide default settings include CIRT.net.[1][2] Default settings can also be found with a search engine such as Google.
The next step is a vulnerability assessment.[citation needed] This is done with a network scanner such as Nessus, Nmap, Wireshark, or Mognet.[citation needed] The vulnerability of the firmware of the access point may also be investigated using tools such as Pong.[citation needed]
Based on the outcome of the vulnerability assessment, the hacker determines a way of entry. He or she may:
- Pose as a legitimate user, using a port/service that is open/available. This requires the wireless network's authentic SSID, BSSID, and Wi-Fi channel. These can be set with the package Wireless tools for Linux. It may also require a valid MAC address. This can be set with SMAC MAC Address Changer, or with commands such as iproute2 or ifconfig.[citation needed]
- Use network encryption cracking software.
- Employ a man-in-the-middle attack.
- Use ARP spoofing.[citation needed]
- Create a null session, provided that the operating system of the targeted computer is Windows. A null session is a connection to a freely accessible remote share called IPC$, providing read and write access with Windows NT/2000 and read access with Windows XP and 2003.[citation needed]
After authentication as a legitimate user, access to the entire network may not yet be achieved. To break into still-secured parts of the network, the hacker may use password crackers.
Detection
When a hacker scans the radio channels used by wireless networks for activity, this cannot be detected, because the scanner only listens for signals. Only when the hacker injects packets into the network can he or she be detected and his or her location investigated.
A hacker can obtain only limited information from sniffing a network. To gain more information he or she must start probing the network, which makes detection possible.[3]
Further reading
- Wireless Intrusion Detection Systems by Jamil Farshchi, 2003.[4]
- Guide to Intrusion Detection and Prevention Systems (IDPS) - Recommendations of the National Institute of Standards and Technology by Karen Scarfone and Peter Mell, 2007.
Prevention
An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop on or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied by Wired Equivalent Privacy (WEP). This security protocol takes care of the following:
- authentication: assurance that all participants are who they state they are, and are authorized to use the network
- confidentiality: protection against eavesdropping
- integrity: assurance of data being unaltered
WEP has been criticized by security experts, and most now regard it as ineffective.
In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.
Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped.[5] MAC filtering can be attacked because a MAC address can be faked easily.
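The Detection section above notes that a passive sniffer cannot be seen but injected frames can, and the paragraph above notes that MAC filtering fails because addresses are easily faked. The following added Python example (not from the article or from any tool it lists) applies both observations from the defender's side: it reads 802.11 frame summaries and flags active frames from stations outside an allow-list, and per-MAC sequence-number discontinuities of the kind Joshua Wright's 2003 paper on detecting MAC address spoofing relies on. The frame records, allow-list, field names and thresholds are constructed assumptions.

```python
"""Flag injected frames and spoofed MAC addresses in an 802.11 frame log (added example)."""

# Constructed sample: (index, source MAC, frame subtype, 802.11 sequence number).
# A monitor-mode sniffer such as Kismet exposes the same MAC-header fields.
FRAMES = [
    (1, "00:11:22:33:44:55", "data", 100),
    (2, "00:11:22:33:44:55", "data", 101),
    (3, "66:77:88:99:aa:bb", "probe-req", 7),   # unknown station probing: active, so visible
    (4, "00:11:22:33:44:55", "data", 102),
    (5, "00:11:22:33:44:55", "data", 3000),     # sequence jump: a second radio using the allowed MAC
    (6, "00:11:22:33:44:55", "data", 103),      # the genuine station continues its own counter
    (7, "66:77:88:99:aa:bb", "deauth", 8),      # injected deauthentication frame
]

AUTHORIZED = {"00:11:22:33:44:55"}              # assumed MAC allow-list of the network
ACTIVE_SUBTYPES = {"probe-req", "deauth", "auth", "assoc-req"}
SEQ_MODULUS = 4096                              # 802.11 sequence numbers are 12 bits
MAX_GAP = 20                                    # tolerate a few lost frames; bigger jumps are suspect


def seq_gap(prev, cur):
    """Forward distance between two 12-bit sequence numbers, handling wrap-around."""
    return (cur - prev) % SEQ_MODULUS


def analyse(frames, authorized=AUTHORIZED):
    """Return (index, reason, mac) alerts for active frames from unknown stations
    and for sequence-number anomalies that suggest two devices share one MAC."""
    alerts = []
    last_seq = {}
    for idx, mac, subtype, seq in frames:
        # Passive listening leaves no trace; only transmitted frames can be seen.
        if subtype in ACTIVE_SUBTYPES and mac not in authorized:
            alerts.append((idx, "active-frame-from-unknown-station", mac))
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            # A repeat or a large jump means the counter is not a single device's.
            if gap == 0 or gap > MAX_GAP:
                alerts.append((idx, "sequence-anomaly-possible-mac-spoof", mac))
        last_seq[mac] = seq
    return alerts


if __name__ == "__main__":
    for alert in analyse(FRAMES):
        print(alert)
```

Legitimate reassociation can also reset a station's counter, so in practice the sequence check is tuned against the network's own baseline rather than a fixed gap.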
In the past, turning off the broadcasting of the SSID was also thought to make a wireless network more secure. This is not the case, however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off SSID broadcasting reduces security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.
Returning to encryption, the WEP specification at any encryption strength cannot withstand a determined attacker. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses TKIP encryption; WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.[6]
Further reading
- Technical Guide to Information Security Testing and Assessment - Recommendations of the National Institute of Standards and Technology by Karen Scarfone, Murugiah Souppaya, Amanda Cody, and Angela Orebaugh, 2008.
- WPA vs. WPA2: Is WPA2 Really an Improvement on WPA? by Frank H. Katz, 2009.
Beyond cracking
The ultimate gratification for a network intruder is always to obtain administrator privileges on a network. Once inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs that gives the intruder persistent influence over a system. Some of these programs are used to compromise further user accounts or further computers on the network. Others serve to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that remove from a computer's log files all entries that relate to the intruder. Yet other programs in a rootkit may be used to survey the network or to capture more passwords travelling over it. Rootkits may also provide the means to modify the operating system of the computer on which they are installed.
The network intruder then proceeds to create one or more so-called back doors. These are access provisions that are hard for system administrators to find, and they serve to avoid the logging and monitoring that normal use of the network entails. A back door may be a concealed account or an account whose privileges have been escalated. Or it may be a remote-access utility, such as Telnet, configured to operate on a port number that is not customary.
The network intruder then proceeds to steal files or credit card information, or to prepare a computer to send spam email at will. Another goal is to prepare for the next intrusion. A cautious intruder takes care to prevent discovery of his or her location. The method of choice is to use a computer that has already been compromised as an intermediary. Some intruders use a chain of intermediate computers, making it impracticable to locate them.[7]
Further reading
- Rootkits: subverting the Windows kernel by Greg Hoglund and James Butler, Addison-Wesley Professional, 2006.
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System by Bill Blunden, Jones & Bartlett Learning, 2009.
Theoretical information
Theoretical information may be gathered from the following documents.
- Weaknesses in the Key Scheduling Algorithm of RC4 by Scott Fluhrer, Itsik Mantin, and Adi Shamir, 2001 or later.
- Detecting Wireless LAN MAC Address Spoofing by Joshua Wright, 2003.
- A Survey of 802.11a Wireless Security Threats and Security Mechanisms by Colonel Donald J. Welch, Ph.D. and Major Scott D. Lathrop, 2003.
- Weaknesses in the Temporal Key Hash of WPA by Vebjørn Moen, Håvard Raddum, and Kjell J. Hole, 2004.
- Attacks on the RC4 stream cipher by Andreas Klein, 2006.
- Break WEP faster with statistical analysis by Rafik Chaabouni, 2006.
- Wi-Fi Security - How to Break and Exploit by Hallvar Helleseth, 2006.
- Securing Wireless Networks from ARP Cache Poisoning by Roney Philip, 2007.
- Breaking 104 bit WEP in less than 60 seconds by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, 2007.
- Attacks on the WEP protocol by Erik Tews, 2007.
- Practical attacks against WEP and WPA by Martin Beck and Erik Tews, 2008.
- WPA password cracking - Parallel Processing on the Cell BE by Martin Daniel, 2009.
- Cryptanalysis of IEEE 802.11i TKIP by Finn Michael Halvorsen and Olav Haugen, 2009.
- A Practical Message Falsification Attack on WPA by Toshihiro Ohigashi and Masakatu Morii, 2009 or later.
Practical information
Books
- Hacking Wireless Networks for Dummies by Kevin Beaver and Peter T. Davis, Wiley Publishing Inc., 2005.
- Wireless Hacks, 2nd edition, by Rob Flickenger and Roger Weeks, O'Reilly, 2006.
- Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006.
- Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing Inc., 2006.
- Wardriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing Inc., 2007.
- Security Power Tools by Bryan Burns and others, O'Reilly Media, 2007.
- Hacking: The Art of Exploitation, 2nd edition, by Jon Erickson, No Starch Press, 2008.
- Nmap Network Scanning by Gordon "Fyodor" Lyon, Nmap Project, 2009.
- Wireless Hacking Exposed, 2nd edition, by Johnny Cache, Joshua Wright, and Vincent Liu, McGraw-Hill Osborne Media, 2010.
- Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni, No Starch Press, 2011.
Articles
- An Introduction to Arp Spoofing by Sean Whalen, 2001.
- Wireless Access Points and ARP Poisoning by Bob Fleck and Jordan Dimov, 2001 or later.
- Debunking the Myth of SSID Hiding by Robert Moskowitz, 2003.
- Hacking Techniques in Wireless Networks by Prabhaker Mateti, 2005.
- Sniffers by Prabhaker Mateti, 2010.
- Backdoors by Prabhaker Mateti, 2010.
- Port Scanning by Prabhaker Mateti, 2011.
Internet pages
- Overview of the ten major Linux distributions by Clement Lefebre, 2006.
- Top 100 Network Security Tools by sectools.org, 2006.
- WEP Cracking...Reloaded by Kevin Herring and Tim Higgins, 2007.
- How to Crack WEP by Humphry Cheung, 2008.
- How To Crack WPA / WPA2 by Brandon Teska, 2008.
- How To Attack a WEP/WPA Protected Wireless Network by Quequero, 2009.
- How to Crack WPA/WPA2 by darkAudax, 2010.
- Aircrack-ng for Windows by Wirelessdefence.org, 2010.
- 12 most recommended networking tools by Selena Frye, 2010.
- WPA2 Hole196 Vulnerability - FAQs by AirTight Networks Inc., 2011.
- Essential Wireless Hacking Tools by Daniel V. Hoffman, undated.
- Cool and Illegal Wireless Hotspot Hacks by Daniel V. Hoffman, undated.
- Hacking Online Banking and Credit Card Transactions – And How to Prevent It by Daniel V. Hoffman, undated.
Commercial information
Databases
- Packet storm (Vulnerability database)
- Securityfocus (Vulnerability database)
- The Exploit Database
- WiGLE (Wireless Geographic Logging Engine)
Software
- Aircrack-ng
- BackTrack 5. This latest release from Offensive Security is based on Ubuntu 10.04 LTS Linux. Three graphical desktop environments can be chosen from: Gnome, KDE, and Fluxbox. Over 300 application programs are included for penetration testing, such as network monitors and password crackers, as well as Metasploit 3.7.0, an exploit framework. BackTrack 5 is a live distribution, but an ARM version is also available for the Android operating system, allowing tablets and smartphones to be used for mobile penetration testing of Wi-Fi networks.[8] BackTrack can be installed on a hard disk, both alone and in a dual-boot configuration, on a USB flash drive, and in VMware.[9]
- Mass WiFi WEP/WPA Key Cracking Tool
- Nmap
- SMAC 2.0 MAC Address Changer
Legality
The Netherlands
Making use of someone else's wireless access point or wireless router to connect to the internet, without the owner's consent in any way, is not punishable under criminal law in the Netherlands. This is true even if the device uses some form of access protection. Penetrating someone else's computer without the owner's consent is punishable under criminal law, though.[10][11]
Related articles
Cracking of wireless networks is the counterpart of securing them, so the following articles are related.
- Computer insecurity
- Intrusion detection system
- Intrusion prevention system
- Network security
- Wireless intrusion prevention system
- Wireless LAN security
- Wireless security
Cracking of wireless networks can stem from several intentions, so the following articles are related.
- Hacker (computer security)
- Legality of piggybacking
- Piggybacking (internet access) (parasitic use of wireless networks to obtain internet access)
Cracking of wireless networks can be specialized in several ways, so the following articles are related.
- Brute-force attack
- Dictionary attack
- Evil twin (wireless networks) (rogue WiFi access point)
- Password cracking
- Spoofing attack
References
- [1] Default Passwords by CIRT.net.
- [2] Default Password List by phenoelit-us.org.
- [3] Hacking Techniques in Wireless Networks by Prabhaker Mateti, 2005, sections 3.5, 5, and 5.3.
- [4] Hacking Techniques in Wireless Networks by Prabhaker Mateti, 2005, reference 3. (This reference establishes that the date is 2003.)
- [5] Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 161-162.
- [6] Upgrading and Repairing PCs, 19th edition, by Scott Mueller, Pearson Education Inc., 2010, pages 900-901.
- [7] Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 87, 275, 376-377, 385.
- [8] Linux Magazine (Dutch computer magazine), issue 04 of 2011, page 60.
- [9] BackTrack Howtos by BackTrack Linux.
- [10] PC Plus (Dutch computer magazine), issue 04/2011, page 60.
- [11] Dutch courts: Wi-Fi 'hacking' is not a crime by John Leyden, 2011.
Wikimedia Foundation. 2010.