Ethical Hacking For Beginners: Hacking Wireless Networks

Introduction to Hacking Wireless Networks


Wireless networks come with excellent advantages: connectivity beyond walls without cables, easy internet access in areas where laying cables is difficult, speed and easy sharing. But wireless networks also have a few disadvantages, the major one being their questionable security.

Important Terms:

Access Point (AP): The device through which mobile devices and computers connect to the wireless network.

SSID: The Service Set Identifier is a human-readable name that identifies the access point; when it is broadcast, clients can identify the access point by it.

BSSID: The MAC address of the access point.

Bandwidth: Amount of information that can be transferred over the connection.

There are various standards for wireless transmission:


Open Authentication:

When a client wants to connect to an open access point, it sends a probe request and the AP answers with a probe response; the client then sends an authentication request. Upon receiving the authentication response, the client establishes an association with the AP.

Shared Key Authentication Process:

Here the client sends a probe request and the access point sends a probe response; the client then sends an authentication request, and the AP replies with an authentication challenge. The client must prove possession of the shared key in its authentication challenge response. The AP verifies that response and authenticates the client, who then establishes a connection with the access point.

Centralised Authentication:

In a corporate environment, instead of the access point verifying the client's authentication details, a centralised server does the verification. RADIUS is a centralised authentication server that verifies clients who want to connect to the access point.

Encryption Types


WEP: Wired Equivalent Privacy

It is a simple encryption scheme that used a 40-bit key with a 24-bit initialisation vector (IV) and the RC4 algorithm for encryption, with CRC-32 as the integrity check mechanism. Because the initialisation vector was so small, IVs were likely to be reused; this weakness allowed the scheme to be broken easily.

WPA: Wi-Fi Protected Access

This scheme uses a 48-bit IV and is based on the 802.11i standard. RC4 is used with 128-bit temporal keys and a 64-bit MIC check, which makes the encryption stronger than WEP. The 128-bit temporal key is mixed with the 48-bit IV and the sender's MAC address to create the key stream that encrypts the data with RC4. Temporal keys are changed every 10,000 packets.
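To put the 24-bit IV of WEP and the 48-bit IV of WPA side by side, here is an added worked example (not code from the original article) that estimates, using the birthday bound, how many packets it takes before an IV value is likely to repeat when each packet's IV is drawn at random. The random-IV assumption, the first-order approximation and the resulting packet counts are the example's own, not figures stated in the article.

```python
import math
import random


def iv_collision_probability(n_packets: int, iv_bits: int) -> float:
    """Estimated probability that at least one IV value repeats after n packets.

    Assumes IVs are drawn uniformly at random from a space of 2**iv_bits values and
    uses the first-order birthday approximation P ~= 1 - exp(-n(n-1) / (2 * 2**iv_bits)).
    """
    space = 2 ** iv_bits
    exponent = n_packets * (n_packets - 1) / (2 * space)
    return 1.0 - math.exp(-exponent)


def packets_until_collision(target_probability: float, iv_bits: int) -> int:
    """Smallest packet count n at which the estimate reaches target_probability.

    The estimate is monotone in n, so a binary search over [1, 2**iv_bits] suffices.
    """
    lo, hi = 1, 2 ** iv_bits
    while lo < hi:
        mid = (lo + hi) // 2
        if iv_collision_probability(mid, iv_bits) >= target_probability:
            hi = mid
        else:
            lo = mid + 1
    return lo


def simulate_iv_reuse(n_packets: int, iv_bits: int, trials: int, seed: int = 1) -> float:
    """Empirical check of the estimate: draw n random IVs per trial and return the
    fraction of trials in which some IV value occurred twice (seeded for repeatability)."""
    rng = random.Random(seed)
    space = 2 ** iv_bits
    collided = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_packets):
            iv = rng.randrange(space)
            if iv in seen:
                collided += 1
                break
            seen.add(iv)
    return collided / trials


if __name__ == "__main__":
    for name, bits in (("WEP, 24-bit IV", 24), ("WPA/TKIP, 48-bit IV", 48)):
        n50 = packets_until_collision(0.5, bits)
        print(f"{name}: about {n50} packets for a 50% chance of an IV repeat")
    # A few thousand packets is seconds of traffic on a busy WEP link.
    n24 = packets_until_collision(0.5, 24)
    print(f"empirical fraction of trials with a repeat at {n24} packets (24-bit IV):",
          simulate_iv_reuse(n24, 24, trials=200))
```

The 24-bit space reaches a 50% reuse chance after roughly 4,800 packets, while the 48-bit space needs on the order of twenty million; that gap, together with the per-packet key mixing and periodic rekeying described above, is why WPA's IV handling is not exposed to the reuse problem that undermined WEP.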

WPA2: Wi-Fi Protected Access with EAP

This is intended for enterprise use, with strong data protection and network access control. Instead of RC4, AES (Advanced Encryption Standard) is used for encryption with temporal keys; the keys are 128 bits. It makes use of a centralised RADIUS server for authentication.

Wi-Fi Attacks


Most major Wi-Fi attacks are carried out by setting up a rogue access point.

Evil Twin attack:

Here the attacker sets up a fake access point near the company premises with a name similar to that of the corporate AP. When an employee unknowingly connects to it, believing it to be the company's genuine AP, he/she gives away the authentication details of the original access point, and the attacker is thus able to compromise the connection.

Jamming Signals:

An attacker can disrupt the network connection by jamming the signal, also called creating noise; working tools exist for this purpose.

Misconfiguration Attacks:

If a router is set up with its default configuration, weak credentials or weak encryption algorithms, an attacker can easily break into the network.

Honeyspot Attack:

An attacker can set up fake access points/hotspots with the same SSID as a public Wi-Fi AP and thus trap the users who connect to these APs.

Unauthorised/Ad-Hoc connection attacks:

An attacker can enable an ad-hoc connection on a user's system using a Trojan or other malware, or take advantage of an employee who is already using an ad-hoc connection to share internet access with peers. The attacker can then compromise the connection operating in ad-hoc mode, since this mode does not provide strong encryption.
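The evil twin and honeyspot attacks above both rely on advertising a familiar SSID from an access point that is not the organisation's own. A defender can check for this by comparing the BSSIDs seen for each SSID against an inventory of legitimate APs, which is what wireless intrusion detection systems do. The following is an added example, not code from the article; the AP inventory, MAC addresses and scan results are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BeaconObservation:
    """One beacon seen during a scan (fields mirror the terms defined above)."""
    ssid: str        # human-readable network name
    bssid: str       # MAC address of the access point sending the beacon
    channel: int
    rssi_dbm: int    # received signal strength


# Constructed inventory of the organisation's own APs (hypothetical MAC addresses).
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan results. The last two entries represent a hypothetical evil twin
# advertising the corporate SSID from a BSSID that is not in the inventory.
SAMPLE_SCAN = [
    BeaconObservation("CorpWiFi", "00:11:22:33:44:01", 6, -48),
    BeaconObservation("CorpWiFi", "00:11:22:33:44:02", 11, -60),
    BeaconObservation("CoffeeShop", "aa:bb:cc:dd:ee:01", 1, -70),
    BeaconObservation("CorpWiFi", "DE:AD:BE:EF:00:01", 6, -35),
    BeaconObservation("CorpWiFi", "de:ad:be:ef:00:01", 6, -36),
]


def find_rogue_aps(observations, known_aps):
    """Return {ssid: sorted unknown BSSIDs} for every SSID the organisation owns
    that is being advertised by a BSSID missing from the inventory.

    SSIDs the organisation does not own (e.g. a nearby cafe) are out of scope,
    because only our own names can be impersonated against our users.
    """
    seen = defaultdict(set)
    for obs in observations:
        seen[obs.ssid].add(obs.bssid.lower())   # normalise case before comparing

    rogues = {}
    for ssid, bssids in seen.items():
        if ssid not in known_aps:
            continue
        legitimate = {b.lower() for b in known_aps[ssid]}
        unknown = bssids - legitimate
        if unknown:
            rogues[ssid] = sorted(unknown)
    return rogues


if __name__ == "__main__":
    for ssid, bssids in find_rogue_aps(SAMPLE_SCAN, KNOWN_APS).items():
        print(f"possible evil twin for {ssid!r}: unknown BSSIDs {bssids}")
```

Run periodically from a sensor inside the premises, this turns the "similar name" trick into an alert rather than a silent compromise; the inventory of legitimate BSSIDs is the piece an attacker cannot easily anticipate.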


An attacker first has to find wireless devices through methods like war-walking, war-chalking and war-driving. Tools such as NetStumbler and Kismet discover wireless access points and capture their traffic.

Once the traffic of a connection has been captured, it has to be analysed with a protocol analyser to identify the authentication method used, the SSID, the connected devices and how the connection might be compromised.

Depending on the protocol used for encryption, different tools and methods are needed to break into the network and gain unauthorised access.


  • Always use WPA/WPA2 encryption.

  • Do not share your credentials.

  • Do not open untrusted emails.

  • Use IDS/firewalls to filter connections.

  • Change the default configurations.

  • Enable MAC-address filtering.

  • Use a centralised server for authentication.

  • Do not connect to untrusted/public Wi-Fi hotspots.
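As an added example (not part of the original article) of applying several of these countermeasures on the access-point side, the script below audits a hostapd-style configuration file for the weaknesses discussed above: WEP or WPA1 encryption, shared-key authentication, a default SSID, disabled MAC-address filtering and the absence of a centralised RADIUS server. Both configurations are constructed for illustration; the RADIUS address, shared secret and file path are placeholders, and the treatment of an unset auth_algs as 3 follows the value in hostapd's shipped sample configuration.

```python
# Two constructed hostapd-style configurations: one with the weaknesses named in the
# misconfiguration section, one applying the countermeasures. Values are placeholders.
WEAK_CONFIG = """\
interface=wlan0
ssid=linksys
auth_algs=3
wep_default_key=0
wep_key0=1234567890
"""
# wep_key0 above is a 40-bit (5-byte) WEP key, the size described in the WEP section.

HARDENED_CONFIG = """\
interface=wlan0
ssid=CorpWiFi
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_CHANGE_ME
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed_macs
"""

# A small constructed list of factory-default SSIDs to flag.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_config(text: str) -> list:
    """Return a list of findings; an empty list means no checked weakness was found."""
    cfg = parse_config(text)
    findings = []

    # "Always use WPA/WPA2 encryption"
    if any(key.startswith("wep_key") for key in cfg):
        findings.append("WEP key configured: WEP is broken, use WPA2")
    wpa = cfg.get("wpa", "0")          # hostapd treats an unset wpa as 0 (WPA disabled)
    if wpa == "0":
        findings.append("wpa=0 or unset: no WPA/WPA2, the network is open or WEP-only")
    elif wpa in ("1", "3"):
        findings.append(f"wpa={wpa}: WPA1 still allowed, set wpa=2")
    ciphers = cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: use CCMP (AES) only")

    # Shared-key authentication only exists for WEP; open system is the right setting.
    if cfg.get("auth_algs", "3") in ("2", "3"):   # assumption: unset behaves as the sample's 3
        findings.append("auth_algs allows shared-key authentication: set auth_algs=1")

    # "Change the default configurations"
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-looking SSID: change the default configuration")

    # "Enable MAC-address filtering" (macaddr_acl=0 accepts anyone not explicitly denied)
    if cfg.get("macaddr_acl", "0") == "0":
        findings.append("macaddr_acl=0: MAC address filtering disabled")

    # "Use centralised server for authentication"
    if "WPA-EAP" in cfg.get("wpa_key_mgmt", ""):
        if not cfg.get("auth_server_addr"):
            findings.append("WPA-EAP without auth_server_addr: no RADIUS server configured")
    else:
        findings.append("no WPA-EAP: consider a centralised (RADIUS) authentication server")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(text) or ['no findings']}")
```

MAC-address filtering is listed because the article lists it; it raises the bar for casual connections but, since MAC addresses travel in the clear and can be changed, it is a supplement to WPA2 with RADIUS rather than a substitute.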