Wireless_Hacking_Part_1 - DigiBrains

Wireless technology hit the American market more than 60 years ago, during World War I and World War II.
Today it is the IEEE 802.11 standard, also known as “Wi-Fi”, not to be confused with its cousin Bluetooth (IEEE 802.15.1), which was developed in September 1998.
The 802.11 networks currently transmit on the 2.4 GHz and 5 GHz bands. There are different versions now, starting from 802.11a, b, g and n, and now ac on up to the ax versions on the market.
802.11 uses the 2.4 GHz bandwidth spectrum; speed is 2 to 11 Mbps, and wireless radio frequencies are in the range of 3 Hz to 300 GHz. The distance covered goes from 100 to 300 feet.
There are 5 GHz wireless networks now, but 2.4 GHz is still the standard.
The 802.11 platform, which was developed quickly and includes the Wired Equivalent Privacy (WEP) algorithm to encrypt data, has numerous cracks in its security structure, making it a hacker's dream.
Footprinting
Wireless networks or access points (APs) are some of the easiest targets to footprint.
There are many sophisticated tools on the market now that one can use with a multi-band, high-powered antenna to help create a footprint of the wireless networks in your area.
If you have ever heard the term war-driving: it simply means driving around your town with your new antenna and laptop looking for wireless devices, particularly AP broadcast signals.
There are different ways of scanning for wireless networks. One is a passive approach, the other a more active method. Passive tools monitor the airwaves on given channels, for example to see which clients are talking to which AP. Active tools send out probe requests trying to get responses. Passive is the more effective method, but it depends on the target and the hardware/software setup you have installed.
Wireless Cards and Chipsets
There are many different types of wireless cards on the market. Here are just a few things to look for when selecting a card.
Can the card be put in RFMON, or what is generally called monitor mode? In addition, you need a card that lets you do packet injection and can read Prism headers.
The software and hardware setup you use, along with the drivers installed, will affect what you can scan for and what you will pick up within the different frequencies in the 802.11 structure.
In picking a wireless card, look at the chipset inside first, and at what operating system you are working on: Windows, UNIX, Linux, or OS X platforms.
Finally, three main things to consider when picking a card:
1) Transmitting power 2) Sensitivity 3) Antenna support
Antennas
There are three types of antennas one can use for finding wireless
networks: directional, multidirectional, and omni-directional.
Directional Antennas
In general, directional antennas are used when communicating with or targeting a specific area and are not very effective for war-driving.
Directional antennas are also the type of antenna most effective in long-range packet capturing, because the power and waves are tightly focused in one direction.
Multidirectional antennas
These are similar to directional antennas in the sense that both use highly concentrated and focused antennas for their transceivers. In most cases, multidirectional antennas are bidirectional (a front and back configuration) or quad-directional.
Omnidirectional antennas
These are what most people think of when they think of antennas. An omnidirectional antenna is the most effective in close city driving because it transmits and receives signals from all directions, thereby providing the largest angular range.
How to distinguish a good antenna from a bad one: the wireless term gain describes the energy of a directionally focused antenna. Realize that all transceiver antennas have gain in at least two directions: the direction they are sending information and the direction they are receiving it. If your goal is to communicate over long distances, you will want a narrow-focus, high-gain antenna.
Yet if you do not require a long link, you may want a wide-focus, low-gain antenna (omni).
Very few antennas are completely unidirectional, because in most cases this would involve a stationary device communicating with another stationary device.
Omnidirectional antennas
High Power 500mW Dual Band AC Wi-Fi USB Adapter
This is one of the newer antennas that can also pick up the new AC channel.
• 3X the range and speed of standard Wi-Fi adapters
• High-power amplifiers and high-gain antennas
• Next-generation, ultra-fast AC1200 Wi-Fi speeds provide fast HD streaming and instant data transfers
• Works with all brands of 802.11a/b/g/n/ac 2.4 GHz or 5.0 GHz networks
GPS Device
A global positioning system (GPS) is the wireless equivalent of using a network-mapping tool or application on wired network assessments. Most GPS devices wrap into the war-driving software via timestamp comparisons. The GPS software keeps a real-time log of the device's position by mapping the longitude and latitude coordinates of all the AP locations you find in your war-driving adventure.
Acronyms
Wireless technology acronyms, including WEP, SSID, MAC, IV and WPA.
Wired Equivalent Privacy (WEP) is a standard derived by the IEEE to provide an Open System Interconnection (OSI) Layer 2 protection schema for 802.11 wireless networks.
The Service Set Identifier (SSID) is used as an identifier to distinguish one
access point from another. You can think of it as something similar to a
domain name for wireless networks.
The Media Access Control (MAC) address is the unique address that
identifies each node of a network. In WLANs, it can be used as a source
for client access control.
The Initialization Vector (IV) of a Wired Equivalent Privacy (WEP) packet
is included after the 802.11 header and is used in combination with the
shared secret key to encrypt the packet’s data.
Wi-Fi Protected Access (WPA) is a Wi-Fi standard that was designed to improve upon the security features of WEP. The technology is designed to work with existing Wi-Fi products that have been enabled with WEP.
WEP Protocol
Wired Equivalent Privacy (WEP) is a standard derived by the IEEE to provide an OSI
Layer 2 protection schema for 802.11 wireless networks.
The goal of WEP is not to completely secure the network but rather to protect the data from others
passively and unknowingly eavesdropping on the WLAN. Many people mistake the WEP algorithm
for a security solution that encompasses secure authentication and encryption, a goal that the
802.11 standard did not intend to address.
The WEP algorithm relies on a secret key that is shared between the AP and the client
node, most commonly a wireless card on a laptop. WEP then uses that shared secret to
encrypt all data between the nodes. The common misconception is that WEP provides
network authentication via the use of a shared secret. If a WLAN is enforcing WEP, then
any party that does not obtain that shared secret may not join that network.
Therefore, the network is thought to be secure. The WEP algorithm does not encrypt the 802.11 header, nor does it encrypt the Initialization Vector (IV) or ID portions of the packet.
IEEE 802.11 packet structure
SNAP stands for Sub-Network Attachment Point. It is part of the LLC 802 standard and is the layer between the Network layer and the MAC layer. It holds bytes of organization code and 2 bytes of message type, which indicate the type of data being sent.
The WEP protocol's major flaw was that you could use a replay attack to gain access to the wireless network.
SSID
The Service Set Identifier (SSID) is used as an identifier to distinguish one
access point from another. You can think of it as something similar to a domain
name for wireless networks.
It is a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the Basic Service Set (BSS).
The SSID differentiates one WLAN from another, so all access points and all
devices attempting to connect to a specific WLAN must use the same SSID. A
device will not be permitted to join the BSS unless it can provide the unique
SSID.
Because an SSID can be sniffed in plain text from a packet it does not supply
any security to the network.
The Basic Service Set is a component of the IEEE 802.11 WLAN architecture. This network architecture is built around a Basic Service Set (BSS), which is actually a set of STAs (the component that connects to the wireless medium, such as a network adapter or NIC) that communicate with each other. When one access point (AP) is connected to a wired network and a set of wireless stations, it is referred to as a Basic Service Set (BSS).
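The two detection methods described under Footprinting come down to which management frames a scanner sees: a passive sniffer collects the Beacons (and Probe Responses) an AP sends on its own, while an active scanner only learns anything because it first transmits a Probe Request. The parser below is an added example, not code from the original page; it walks the 24-byte 802.11 MAC header, the fixed fields and the tagged parameters of two constructed frames (made-up, locally administered MAC addresses) and pulls out the SSID, the BSSID and the Privacy capability bit that tells a scanner whether WEP or WPA is in use.

```python
# Constructed sample frames (not captured traffic): a Beacon advertising SSID
# "labnet" with the Privacy capability bit set, and the broadcast Probe Request
# an active scanner sends. Addresses are made-up locally administered MACs.
BEACON = (
    b"\x80\x00"                    # frame control: type=mgmt (0), subtype=8 (Beacon)
    + b"\x00\x00"                  # duration
    + b"\xff\xff\xff\xff\xff\xff"  # addr1: broadcast destination
    + b"\x02\x11\x22\x33\x44\x55"  # addr2: source (the AP)
    + b"\x02\x11\x22\x33\x44\x55"  # addr3: BSSID
    + b"\x10\x00"                  # sequence control
    + b"\x00" * 8                  # timestamp
    + b"\x64\x00"                  # beacon interval (100 TU)
    + b"\x11\x00"                  # capability info: ESS (0x0001) | Privacy (0x0010)
    + b"\x00\x06labnet"            # IE 0 = SSID, length 6
)
PROBE_REQ = (
    b"\x40\x00"                    # frame control: type=mgmt, subtype=4 (Probe Request)
    + b"\x00\x00"                  # duration
    + b"\xff\xff\xff\xff\xff\xff"  # addr1: broadcast, so every AP in range answers
    + b"\x02\xaa\xbb\xcc\xdd\xee"  # addr2: the scanning station
    + b"\xff\xff\xff\xff\xff\xff"  # addr3: wildcard BSSID
    + b"\x20\x00"                  # sequence control
    + b"\x00\x00"                  # IE 0 = SSID, length 0: wildcard SSID
)

SUBTYPES = {8: "beacon", 4: "probe-request", 5: "probe-response"}

def parse_mgmt(frame):
    """Parse an 802.11 management frame into the fields a scanner would log."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    body = frame[24:]              # MAC header is 24 bytes for management frames
    privacy = None
    if subtype in (8, 5):          # Beacon / Probe Response: 12 bytes of fixed fields
        cap = int.from_bytes(body[10:12], "little")
        privacy = bool(cap & 0x0010)   # Privacy bit: WEP or WPA is in use
        body = body[12:]
    ssid, pos = None, 0
    while pos + 2 <= len(body):    # walk the tagged parameters (IEs)
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            ssid = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return {
        "kind": SUBTYPES.get(subtype, "mgmt-%d" % subtype),
        "source": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
        "ssid": ssid,
        "privacy": privacy,
        # Probe Requests only exist because someone is actively scanning
        "detection": "active" if subtype == 4 else "passive",
    }
```

Because the SSID travels in these frames as plain text, any station in range reads it just as this parser does; an AP that disables Probe Responses defeats the active scanner but still announces itself in every Beacon.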
MAC – Access Control
The Media Access Control (MAC) address is the unique address that
identifies each node of a network. In WLANs, it can be used as a source
for client access control.
It is a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub-layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer.
The MAC layer interfaces directly with the network medium. Consequently, each
different type of network medium requires a different MAC layer.
On networks that do not conform to the IEEE 802 standards but do conform to the
OSI Reference Model, the node address is called the Data Link Control (DLC)
address.
OSI - Open Systems Interconnection
Initialization Vector (IV)
The Initialization Vector (IV) of a Wired Equivalent Privacy (WEP) packet
is included after the 802.11 header and is used in combination with the shared
secret key to encrypt the packet’s data.
In cryptography, an initialization vector (IV) is a block of bits that is required to allow a
stream cipher or a block cipher to be executed in any of several modes of operation to
produce a unique stream independent from other streams produced by the same
encryption key, without having to go through a (usually lengthy) re-keying process.
The size of the IV depends on the encryption algorithm and on the cryptographic protocol
in use and is normally as large as the block size of the cipher or as large as the
encryption key.
The IV must be known to the recipient of the encrypted information to be able to decrypt it. This can be ensured in a number of ways: by transmitting the IV along with the ciphertext, by agreeing on it beforehand during the key exchange or the handshake (used in hardware authentication tokens such as RSA SecurID, VASCO Digipass, etc.), or from IDs such as the sender's and/or recipient's address or ID, the file ID, or the packet, sector or cluster number, etc. A number of variables can be combined or hashed together, depending on the protocol.
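WEP takes the first of those options: the 24-bit IV is prepended to the encrypted body, so it is readable by anyone who captures the frame, and the same IV with the same shared key yields the same RC4 keystream. The added example below (not code from the original page) parses a constructed WEP data frame to show exactly which fields are left in the clear, and then uses the birthday bound to compute how few frames it takes before an IV is reused on a busy network. The ciphertext and ICV bytes are filler and the MAC addresses are made up.

```python
import math

# Constructed WEP-protected 802.11 data frame (not captured traffic): the RC4
# ciphertext and ICV bytes are arbitrary filler, only the layout matters.
WEP_FRAME = (
    b"\x08\x41"                    # frame control: type=data, flags: ToDS | Protected
    + b"\x00\x00"                  # duration
    + b"\x02\x11\x22\x33\x44\x55"  # addr1: BSSID (ToDS frame from station to AP)
    + b"\x02\xaa\xbb\xcc\xdd\xee"  # addr2: source station
    + b"\x02\x11\x22\x33\x44\x55"  # addr3: final destination
    + b"\x30\x00"                  # sequence control
    + b"\x0a\x0b\x0c"              # 24-bit IV, transmitted in the clear
    + b"\x40"                      # key ID byte: key index 1 in the top two bits
    + b"\xde\xad\xbe\xef" * 4      # RC4 ciphertext (filler)
    + b"\x01\x02\x03\x04"          # ICV (CRC-32 of the plaintext, also encrypted)
)

def parse_wep_frame(frame):
    """Return the fields WEP leaves unencrypted: addresses, IV and key index."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if not fc1 & 0x40:
        raise ValueError("Protected bit not set; frame is not WEP-encrypted")
    return {
        "bssid": frame[4:10].hex(":"),
        "src": frame[10:16].hex(":"),
        "iv": int.from_bytes(frame[24:27], "big"),
        "key_index": frame[27] >> 6,
        "ciphertext_len": len(frame) - 28 - 4,   # minus header+IV, minus ICV
    }

IV_SPACE = 1 << 24   # WEP IVs are only 24 bits wide

def collision_probability(frames, space=IV_SPACE):
    """Birthday-bound probability that at least one IV repeats within `frames`."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def frames_until_repeat(p=0.5, space=IV_SPACE):
    """Smallest number of frames at which an IV repeat has probability >= p."""
    n = 1
    while collision_probability(n, space) < p:
        n += 1
    return n

if __name__ == "__main__":
    print(parse_wep_frame(WEP_FRAME))
    print("50% chance of a repeated IV after", frames_until_repeat(), "frames")
```

A few thousand frames is seconds of traffic on a loaded AP, which is why a 24-bit IV cannot keep keystreams unique; WPA's TKIP widens the per-packet IV and rekeys, as the next section describes.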
WPA Protocol
How do WPA and WPA-PSK work?
WPA resolves the issue of weak WEP headers, which are called initialization vectors (IV), and provides a way of ensuring the integrity of the messages passed through MIC (called Michael, or message integrity check) using TKIP (the Temporal Key Integrity Protocol) to enhance data encryption. WPA-PSK is a special mode of WPA for home users without an enterprise authentication server and provides the same strong encryption protection.
In simple terms, WPA-PSK is extra-strong encryption where encryption keys are automatically changed (called rekeying) and authenticated between devices after a specified period of time, or after a specified number of packets have been transmitted.
This is called the rekey interval. WPA-PSK is far superior to WEP and provides stronger
protection for the home/SOHO user for two reasons.
The process used to generate the encryption key is very rigorous and the rekeying (or
key changing) is done very quickly. This stops even the most determined hacker from
gathering enough data to break the encryption.
The Temporal Key Integrity Protocol (TKIP) takes over after the initial shared secret
is entered in your wireless devices and handles the encryption and automatic rekeying.
Hacking Equipment
Standard Wireless Hacker's Setup
Professionals Setup
Software
NetStumbler (http://www.netstumbler.com)
NetStumbler is a Windows-based war-driving tool that will detect wireless networks and mark their relative position with a GPS. NetStumbler uses an 802.11 Probe Request sent to the broadcast destination address, which causes all access points in the area to issue an 802.11 Probe Response containing network configuration information, such as their SSID and WEP status. When hooked up to a GPS, NetStumbler will record a GPS coordinate for the highest signal strength found for each access point.
Weakness: it relies on one form of wireless network detection, the broadcast Probe Request. Wireless equipment vendors will usually offer an option to disable this 802.11 feature.
Kismet (http://www.kismetwireless.net)
Kismet is a Linux- and BSD-based wireless sniffer that has war-driving functionality. It allows you to track wireless access points and their GPS locations like NetStumbler, but it offers many other features as well. Kismet is a passive network-detection tool that cycles through the available wireless channels looking for 802.11 packets that indicate the presence of a wireless LAN, such as Beacons and Association Requests.
Weakness: there aren't many. Kismet is currently the best war-driving tool available and will find networks that NetStumbler routinely misses.
Aircrack-ng – for Windows/Linux - http://aircrack-ng.org/
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks.
Wireshark - https://www.wireshark.org/
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It runs on Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows.
LORCON (Loss Of Radio CONnectivity)
Lorcon is an open-source network tool. It is a library for injecting 802.11 (WLAN) frames, capable of injecting via multiple driver frameworks, without the need to change the application code.
AirJack
AirJack is a device driver (or suite of device drivers) for 802.11 (a/b/g) raw frame injection and reception. It is a development tool for 802.11 applications that need to access the raw protocol.
BackTrack 5 – Linux, and Windows on a VM box.
Very good for penetration testing and security auditing, and it also has many features one can use for hacking, ranging from port scanning, forensics, privilege escalation and stress testing to reverse engineering, etc.
There are other software/drivers on the market - this list is just the top players to get you started!
Gaining Access – Packet Analysis
After you have gone war-driving, identified target access points, and captured loads of WEP-encrypted, WPA-encrypted and non-encrypted packets with your new antenna and software, it is time to start the next stage of the hacking process: packet analysis!
Packet analysis is the most technically demanding aspect of wireless hacking, because it requires you to be able to use and understand a packet sniffer and, in some cases, decipher the transmission itself. Initially, the single most important piece of data you should have about your identified access point is its SSID. In just about all cases this is how you will reference the identified AP.
After you gain the SSID, the next goal is to determine and classify the types of data you have sniffed off the WLAN.
The data can be logically divided by access point and then further subdivided by AP client.
During packet analysis, you will quickly notice whether the data you received from the initial war-drive is encrypted. If so, you must determine whether the data is encrypted via a WEP or WPA implementation or by a higher-layer scheme, such as SSL over HTTP.
If a WEP/WPA-based encryption scheme is being used, the next step is identifying the length of the key. In most cases, the length is either 64-bit (sometimes referred to as 40-bit) or 128-bit, but some implementations allow for stronger keys, such as 256, 1024, or 2048. Here are the basic encryption options in most WAPs today:
Gaining Access
In the realm of wireless and 802.11, gaining system access is significantly different when compared to “wired” systems. In most cases, this is due to a lack of strong WEP- or WPA-enforced encryption, thereby allowing the attacker to crack weak keys and obtain pertinent transmitted data.
If the attacker has gained access to the AP's WEP key, the WLAN is all but hacked!
Once you have the SSID name, you will need to reconfigure your wireless interface to use it. On Windows operating systems, the card vendor will usually provide a utility to reconfigure the card settings, or an interface to change the network name to the SSID of the network you want to connect to, for example Linksys.
All SMC wireless cards and their driver settings will let you change the network name to Linksys, which is the SSID of the network we wish to connect to.
Most drivers will support the iwconfig interface. iwconfig is a wireless version of the ifconfig command, used to configure basic 802.11 network parameters such as the SSID.
Summary of the basics – Part 1
Now, with your new equipment, tools, and knowledge, you will quickly be able to determine whether a system is without security or considered to be an “open system”, A NICE PLACE TO VISIT!
You learned about the types of equipment you need to get started.
You learned key slang words used in wireless systems.
You also learned about the key components that make up an IEEE packet.
You learned the key acronyms used to describe and connect to a WLAN.
Some of the software you will need, along with info on selecting a wireless card.
The type of skill set required to hack a wireless network.
Let's go HACKING!
What’s Next - Part 2
Part 2 will dive even more into frequency analysis, coding techniques, and hardware and software setups.
Just what to look for when analyzing the data returned from your scans.
Defenses against the far side.
Hacking your favorite coffee shop's wireless network?
Smart phones: things that go bump on the network.
Run silent, go deep!