Wireless hacking
Cracking of wireless networks is the penetration of wireless networks. A wireless network is any computer network that is not connected by cables; it spares homes, telecommunications networks and enterprise installations the costly process of introducing cables into a building. A wireless network can be penetrated in a number of ways, and these ways vary greatly in the level of computer skill and commitment they require. Once within a network, a skilled hacker can modify software, network settings, other security items and much more. Precautions can be taken, however.

Obtaining a WEP (Wired Equivalent Privacy) key is the main goal for some hackers. Several methods are used to achieve this. A WEP key can be obtained within minutes.

Methods

Cracking of wireless networks typically begins with finding wireless networks, and then gathering as much information about them as possible. This is called network enumeration. Wireless networks are often found while being mobile, using network discovery software such as Kismet or NetStumbler. Then more information is gathered by eavesdropping on a selected network with a network analyzer or sniffer. A sniffer monitors the data packets transmitted by a wireless network. The information that sniffers yield includes SSIDs, IP addresses, the number of computers transmitting on the network, the types of encryption in use, and MAC addresses. Furthermore, network mappers may be used to identify the servers on the network and their operating systems. SSIDSniff, Blade Software's IDS Informer, and commands such as arping may be used to gather IP addresses. When information about the brand and model of the access point has been found, the hacker can consult an online manual for the default SSIDs and passwords of the device, resulting in access to the network when these settings have not been altered. Websites that provide default settings include CIRT.net. Default settings can also be found with a search engine such as Google.

The next step is a vulnerability assessment: the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. This is done with a network scanner such as Nessus, Nmap, Wireshark, or Mognet. The vulnerability of the firmware of the access point may also be investigated using tools such as Pong.

Based on the outcome of the vulnerability assessment, the hacker determines a way of entry. He or she may:
  • Pose as a legitimate user, using a port/service that is open/available. This requires the wireless network's authentic SSID, BSSID, and Wi-Fi channel. These can be set with the package Wireless tools for Linux. It may also require a valid MAC address. This can be set with SMAC MAC Address Changer, or with commands such as iproute2 or ifconfig (MAC spoofing).
  • Use network encryption cracking software.
  • Employ a man-in-the-middle attack, in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other.
  • Use ARP spoofing (ARP cache poisoning), which may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether.
  • Create a null session, provided that the operating system of the targeted computer is Windows. A null session is a connection to a freely accessible remote share called IPC$, providing read and write access with Windows NT/2000 and read access with Windows XP and 2003.

After authentication as a legitimate user, access to the entire network may not yet be achieved. To break into still-secured parts of the network, the hacker may use password crackers, which recover passwords from data that has been stored in or transmitted by a computer system, commonly by repeatedly trying guesses.

Further reading

  • Wireless Attacks and Penetration Testing by Jonathan Hassell, 2004 or later.

Detection

When a hacker scans the radio channels used by wireless networks for activity, this cannot be detected, because the scanner only listens for signals. Only when the hacker injects packets into the network can he or she be detected and his or her location be investigated.

A hacker can only obtain limited information from sniffing a network. To gain more information he or she must start probing the network, making detection possible.
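The point above, that passive sniffing leaves no trace while active probing does, can be put to work on the defender's side. The following is an added example, not code from the original article: it runs two simple detectors over constructed, tcpdump-like monitor log lines, one for an IP address that is suddenly claimed by a second MAC (the footprint of the ARP spoofing named in the Methods section) and one for a station that probes many distinct hosts and ports in a short time. The log format and thresholds are this example's own assumptions.

```python
"""Detect active probing on a LAN from constructed monitor log lines.

Added example (not from the original article). The log format below is a
constructed, simplified tcpdump-like format; adapt the regexes to the
output of your own sensor.
"""
import re
from collections import defaultdict

# Constructed sample capture: a normal ARP exchange, then an ARP reply that
# re-binds the gateway's IP to a second MAC (a classic cache-poisoning sign),
# then one station sending SYNs to many hosts and ports within two seconds.
SAMPLE_LOG = """\
10:00:01 ARP Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 ARP Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20
10:00:05 ARP Reply 192.168.1.1 is-at 66:77:88:99:aa:bb
10:00:07 IP 192.168.1.77.40001 > 192.168.1.10.22: Flags [S]
10:00:07 IP 192.168.1.77.40002 > 192.168.1.10.80: Flags [S]
10:00:07 IP 192.168.1.77.40003 > 192.168.1.11.22: Flags [S]
10:00:08 IP 192.168.1.77.40004 > 192.168.1.12.445: Flags [S]
10:00:08 IP 192.168.1.77.40005 > 192.168.1.13.139: Flags [S]
10:00:09 IP 192.168.1.20.51000 > 192.168.1.10.443: Flags [S]
"""

ARP_RE = re.compile(r"ARP Reply (\S+) is-at ([0-9a-f:]{17})")
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def detect_arp_conflicts(lines):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC.

    A legitimate host keeps one MAC; a second MAC answering for the same IP
    (typically the gateway) is the visible side effect of ARP cache poisoning.
    """
    seen = defaultdict(set)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            ip, mac = m.groups()
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def detect_probing(lines, threshold=4):
    """Return {src_ip: distinct (host, port) targets} for sources whose SYN
    probes reach at least `threshold` distinct targets (scanner behaviour)."""
    targets = defaultdict(set)
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            src, dst, port = m.groups()
            targets[src].add((dst, int(port)))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def analyse(log_text):
    """Run both detectors over a whole capture and return their findings."""
    lines = log_text.splitlines()
    return {
        "arp_conflicts": detect_arp_conflicts(lines),
        "probing": detect_probing(lines),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, val in hits.items():
            print(f"{kind}: {key} -> {val}")
```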

Prevention

An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied by Wired Equivalent Privacy (WEP). This security protocol takes care of the following:
  • authentication: assurance that all participants are who they state they are, and are authorized to use the network
  • confidentiality: protection against eavesdropping
  • integrity: assurance of data being unaltered

WEP has been criticized by security experts. Most experts regard it as ineffective by now.

In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2 (IEEE 802.11i), uses the AES block cipher instead of the RC4 stream cipher and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.

Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped. MAC filtering can be attacked because a MAC address can be faked easily.

In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case, however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.

Returning to encryption, the WEP specification at any encryption strength is unable to stand up to determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses TKIP encryption; WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.
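The advice in this section can be checked mechanically on an access point's configuration. The following is an added example, not code from the original article: it audits a hostapd-style key=value configuration for the weaknesses named above (WEP, WPA/TKIP instead of WPA2/AES, and SSID hiding or MAC filtering relied on as security) and shows a weak configuration beside a corrected one. The option names are hostapd's; the rules, severities and both sample configurations are this example's own assumptions.

```python
"""Audit an access point configuration against the prevention advice above.

Added example (not from the original article). It assumes a hostapd-style
key=value configuration; the option names (wpa, wpa_pairwise, rsn_pairwise,
wep_key0, auth_algs, ignore_broadcast_ssid, macaddr_acl) are hostapd's, but
the rules and severities are this example's own.
"""

# Constructed weak configuration: WEP with shared-key authentication, a
# hidden SSID and a MAC allow-list that the owner believes make it secure.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wep_default_key=0
wep_key0=0123456789
auth_algs=2
ignore_broadcast_ssid=1
macaddr_acl=1
"""

# Constructed corrected configuration: WPA2 only (wpa=2) with AES-CCMP,
# SSID broadcast left on, no reliance on MAC filtering.
STRONG_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-long-random-passphrase
"""


def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (severity, message) findings for a parsed config."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # hostapd bitfield: 1=WPA, 2=WPA2
    uses_wep = any(k.startswith("wep_key") for k in conf)
    if uses_wep:
        findings.append(("high", "WEP configured; a WEP key can be recovered within minutes"))
    elif wpa == 0:
        findings.append(("high", "no encryption; anyone in range can eavesdrop or join"))
    if wpa & 1:
        findings.append(("medium", "WPA (TKIP-era) enabled; prefer WPA2 only (wpa=2)"))
    if "TKIP" in conf.get("wpa_pairwise", "") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append(("medium", "TKIP cipher allowed; WPA2 should use AES-CCMP only"))
    if conf.get("auth_algs") == "2":
        findings.append(("medium", "shared-key (WEP) authentication; WPA2 needs open system auth"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID gives no security; it is discovered quickly"))
    if conf.get("macaddr_acl") == "1":
        findings.append(("info", "MAC allow-list stops neighbours only; addresses are easily faked"))
    if wpa == 2 and conf.get("rsn_pairwise") == "CCMP" and not uses_wep:
        findings.append(("ok", "WPA2 with AES-CCMP configured"))
    return findings


def worst(findings):
    """Collapse findings to the most serious severity present."""
    order = ["high", "medium", "info", "ok"]
    return min((f[0] for f in findings), key=order.index, default="ok")


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("corrected", STRONG_CONF)):
        for sev, msg in audit(parse_conf(text)):
            print(f"{name}: [{sev}] {msg}")
```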

Beyond cracking

The ultimate gratification for a network intruder is always to obtain administrator privileges for a network. When an intruder is inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs that facilitate durable influence on a system while hiding the intruder's presence from administrators. Some of these programs are used to compromise new user accounts or new computers on the network. Other programs serve to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that can remove all data from the log files of a computer that relate to the intruder. Yet other programs of a rootkit may be used to survey the network or to overhear more passwords that are travelling over it. Rootkits may also give the means to change the very operating system of the computer they are installed on.

The network intruder then proceeds with creating one or more so-called back doors. These are access provisions that are hard for system administrators to find, and they serve to avoid the logging and monitoring that results from normal use of the network. A back door may be a concealed account or an account whose privileges have been escalated. Or it may be a utility for remote access, such as Telnet, that has been configured to operate on a port number that is not customary.

The network intruder then proceeds with stealing files, stealing credit card information, or preparing a computer to send spam emails at will. Another goal is to prepare for the next intrusion. A cautious intruder guards against discovery of his or her location. The method of choice is to use a computer that has already been attacked as an intermediary. Some intruders use a series of intermediate computers, making it impracticable to locate them.

Databases

  • Packet Storm (vulnerability database)
  • SecurityFocus (vulnerability database)
  • The Exploit Database
  • WiGLE (Wireless Geographic Logging Engine, a website for collecting information about wireless hotspots around the world)

Software

  • Aircrack-ng, a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.
  • BackTrack 5. This latest release from Offensive Security is based on Ubuntu 10.04 LTS Linux. Three graphical desktop environments can be chosen from: GNOME, KDE, and Fluxbox. Over 300 application programs are included for penetration testing, such as network monitors and password crackers, but also Metasploit 3.7.0, an exploit framework. BackTrack 5 is a live distribution, but there is also an ARM version available for the Android operating system, allowing tablets and smartphones to be used for mobile penetration testing of Wi-Fi networks. BackTrack can be installed on a hard disk, both alone and in a dual-boot configuration, on a USB flash drive, and in VMware.
  • Mass WiFi WEP/WPA Key Cracking Tool
  • Nmap
  • SMAC 2.0 MAC Address Changer

The Netherlands

Making use of someone else's wireless access point or wireless router to connect to the internet -- without the owner's consent in any way -- is not punishable by criminal law in The Netherlands. This is true even if the device uses some form of access protection. To penetrate someone else's computer without the owner's consent is punishable by criminal law though.

Related articles

Cracking of wireless networks is the opposite of securing them, so the following articles are related.
  • Computer insecurity
  • Intrusion detection system
  • Intrusion prevention system
  • Network security
  • Wireless intrusion prevention system
  • Wireless LAN security
  • Wireless security

Cracking of wireless networks can result from several intentions, so the following articles are related.
  • Hacker (computer security)
  • Legality of piggybacking
  • Piggybacking (internet access) (parasitic use of wireless networks to obtain internet access)

Cracking of wireless networks can be specialized in several ways, so the following articles are related.
  • Brute-force attack
  • Dictionary attack
  • Evil twin (wireless networks) (rogue Wi-Fi access point)
  • Password cracking
  • Spoofing attack

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 