Hacking And Securing Wireless Networks – A Brief Guide


There are many advantages to using wireless networking. However, this kind of technology comes with a host of threats and vulnerabilities that hackers can take advantage of.

Since information is sent over the air via radio frequencies, it is easier for hackers to intercept it compared to wired connections. This is more so when the information being sent isn’t encrypted, or the encryption algorithm is pretty weak.

Wireless networks consist of four basic elements:

  • A wireless access point that connects to the network
  • Data being transmitted via radio frequencies
  • The client device used, such as a laptop, tablet, etc.
  • The users

Every one of these elements can be targeted by a hacker to compromise at least one of the three major objectives of a secure network: availability, integrity, and confidentiality.

Wireless Network attacks

1. Accidental association

It is possible for a wireless network to be joined accidentally. In some cases, the coverage of one wireless network overlaps with another, so a user's device can associate with an unintended network without anyone noticing.

This may seem benign but a malicious hacker can take advantage of this and gain access to information that should not have been exposed in such a manner. If the overlapping networks belong to organizations, then the link can be used to steal proprietary data.

2. Malicious Association

This occurs when malicious hackers gain access to a private network using their own device rather than through the legitimate access point (AP).

A hacker can create a “soft AP,” which can be a laptop with software that makes its wireless network card appear to be a genuine access point. This allows the hacker to steal passwords, attack computers, or send users Trojan horse programs. A hacker can effectively have full control of every computer that joins the fake network.

3. Ad-hoc Networks

These are networks between two wireless computers with no access point separating them. Such networks can be attacked quite easily since they rarely have adequate protection.

4. Non-traditional networks

These include Bluetooth devices, wireless printers, handheld PDAs, and barcode readers. These kinds of networks are rarely secured by IT personnel since all the focus is usually on laptops or access points. This makes them fair game for malicious hackers.

5. MAC Spoofing

This is a form of identity theft where a hacker monitors network traffic in order to identify which computer has network privileges. The aim is to steal the MAC (Media Access Control) address of that particular computer within the network.

The majority of wireless systems have a MAC filter that allows only specific computers with specific MAC addresses to access and use the network. A hacker may get software that is able to “sniff” the network to find these authorized computers and their IDs, and then employ other software that allows the hacker’s computer to use these stolen MAC addresses.

6. Man-in-the-middle Attacks

This occurs when a malicious hacker sets up their laptop as a soft access point and then lures other users to use it. The hacker then connects the soft access point to a genuine access point using a different wireless card, thus forcing users to go through the fake AP to reach the real one.

This enables the hacker to sniff out whatever information they want from the traffic. This type of attack has been made easier by software such as Air Jack and LAN jack. Wireless hotspots are a great place to launch this kind of attack since there is hardly any meaningful security on such networks.

7. Denial of Service Attacks

This is where a hacker continuously sends numerous requests, commands, and messages to a specific access point until the network crashes, or just to prevent genuine users from getting onto the network.

8. Network Injection Attack

A malicious hacker injects counterfeit network re-configuration commands into an access point that doesn’t filter traffic. These fake commands can bring down the entire network, including switches, routers, and hubs, forcing a reboot or reprogramming of every networking device.
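Two of the attacks above, MAC spoofing (5) and the access-point denial of service (7), leave traces that a passive wireless monitor can detect without touching the network. The following is an added example written for this page, not code from the original article: it runs two simple detectors over a constructed list of frame summaries (timestamp, frame type, source MAC, BSSID, 802.11 sequence number). The record format, the sample frames and the thresholds are assumptions chosen for illustration. A genuine station increments its 12-bit sequence counter by one per frame, so a second radio using the same MAC produces a second, interleaved counter and large jumps; a burst of deauthentication frames from one source within a second is the classic signature of an availability attack.

```python
from collections import defaultdict, deque

# 802.11 sequence numbers are 12-bit counters; a single genuine station increments
# them by one per frame, so large jumps point to a second radio using the same MAC.
SEQ_MODULO = 4096
MAX_SEQ_JUMP = 256          # assumed tolerance for lost frames and retransmissions
DEAUTH_WINDOW_S = 1.0       # sliding window for the deauthentication-rate check
DEAUTH_THRESHOLD = 10       # assumed alert threshold: deauth frames per source per window

# Constructed sample records as a monitor-mode sniffer might summarise them (not a
# real capture): (timestamp_s, frame_type, source_mac, bssid, sequence_number).
AP = "02:aa:bb:cc:dd:ee"
CLIENT = "02:11:22:33:44:55"   # legitimate client whose MAC is being cloned
OTHER = "02:66:77:88:99:00"    # an unrelated, well-behaved client

SAMPLE_FRAMES = (
    # the genuine client sends data frames with a steadily increasing sequence number
    [(i / 10, "data", CLIENT, AP, 100 + i) for i in range(10)]
    # a second radio borrowing CLIENT's MAC interleaves its own, unrelated counter
    + [(0.35, "data", CLIENT, AP, 3000), (0.55, "data", CLIENT, AP, 3001),
       (0.75, "data", CLIENT, AP, 3002), (0.95, "data", CLIENT, AP, 3003)]
    # a burst of twelve deauthentication frames "from" the AP within half a second
    + [(1.0 + i * 0.04, "deauth", AP, AP, 10 + i) for i in range(12)]
    # a single legitimate deauth much later, plus normal traffic from another client
    + [(5.0, "deauth", AP, AP, 40)]
    + [(6.0 + i / 10, "data", OTHER, AP, 500 + i) for i in range(5)]
)


def detect_deauth_flood(frames, window=DEAUTH_WINDOW_S, threshold=DEAUTH_THRESHOLD):
    """Return {source_mac: peak_count} for sources whose deauth rate exceeds the threshold."""
    recent = defaultdict(deque)
    offenders = {}
    for t, ftype, src, _bssid, _seq in sorted(frames):
        if ftype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders


def detect_seq_anomalies(frames, max_jump=MAX_SEQ_JUMP):
    """Count, per source MAC, frames whose sequence number is not a small forward step."""
    last_seq = {}
    anomalies = defaultdict(int)
    for _t, _ftype, src, _bssid, seq in sorted(frames):
        if src in last_seq:
            step = (seq - last_seq[src]) % SEQ_MODULO
            if step > max_jump:         # backwards or far ahead: two counters interleaved
                anomalies[src] += 1
        last_seq[src] = seq
    return dict(anomalies)


def spoofed_macs(frames, min_anomalies=2):
    """MACs with repeated sequence-number anomalies, the signature of a cloned address."""
    return {mac: n for mac, n in detect_seq_anomalies(frames).items() if n >= min_anomalies}


if __name__ == "__main__":
    print("deauth flood sources:", detect_deauth_flood(SAMPLE_FRAMES))
    print("probable MAC cloning:", spoofed_macs(SAMPLE_FRAMES))
```

Both checks are heuristics: a single backwards jump can be a retransmission or a driver reset, which is why `spoofed_macs` requires repeated anomalies, and a legitimate AP may send a few deauths when it reboots, which the rate threshold tolerates. In a real deployment the records would come from a monitor-mode interface or a wireless IDS rather than the constructed list.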

Wireless Network Authentication

Wireless networks are designed to be accessible to anyone who has a wireless-enabled device. For this reason, most networks are protected using passwords. There are two common authentication techniques used: WEP and WPA.

1. WEP

This stands for Wired Equivalent Privacy and was developed to provide users with the same level of privacy as wired networks. It adheres to IEEE 802.11 WLAN standards.

WEP encrypts data that is being sent over a network to prevent eavesdropping.

WEP vulnerabilities

There are significant flaws in the design of this type of authentication technique:

  1. It uses Cyclic Redundancy Check 32 to verify the integrity of packets. The problem with CRC32 is that a hacker only needs to capture two packets to crack into the network. They can also modify the checksum and encrypted stream to force the system to accept the packet.
  2. It uses the RC4 stream cipher, keyed with a secret key and an Initialization Vector (IV). The IV length is fixed at 24 bits but the secret key can be 40 to 104 bits in length. If a secret key of lower length is used, the network becomes easier to hack.
  3. Since it is a password-based authentication technique, a hacker can successfully deploy a dictionary attack.
  4. It does not have a central key management system, thus making it very difficult to change keys in big networks.

Due to the numerous security flaws, WEP has fallen out of favor and has been replaced by WPA.

How to crack WEP networks

Exploiting the numerous security vulnerabilities on a WEP network is possible either through passive attacks or active cracking. If a passive attack is launched, the network traffic is not affected until WEP authentication has been successfully cracked. This makes it harder to detect. Active cracking tends to increase the load on the network, thus making it easier to detect, though it is also more effective.

The tools that can be used for cracking WEP include:

  • Aircrack – This is also a network sniffer.
  • Kismet – this multi-purpose tool can sniff network packets, detect invisible and visible networks, and even identify intrusions.
  • WEPCrack – this open-source tool can crack secret keys.
  • WebDecrypt – it cracks WEP keys using dictionary attack and generates its own keys.

2. WPA

This stands for Wi-Fi Protected Access and was developed to cover the vulnerabilities that were discovered in WEP. WPA uses a longer IV than WEP — 48 bits to be precise. Packets are encrypted using temporal keys.
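Why the IV length matters, for both WEP's 24-bit IV (item 2 under WEP vulnerabilities) and WPA's 48-bit IV, is easiest to see with numbers. The following is an added example for this page, not code from the original article. It implements textbook RC4 (the cipher WEP uses, keyed with IV || secret key) and WEP's frame body construction, shows that two frames encrypted under the same IV share a keystream so that the XOR of their ciphertexts equals the XOR of their plaintexts, and estimates with the birthday approximation how many frames it takes before an IV repeats. The key, IV and payloads are constructed values, and the birthday estimate assumes IVs are chosen uniformly at random; a real WEP sender picks its own IVs, often sequentially, so repeats can come even sooner in practice.

```python
import math
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key-scheduling + keystream generation); XOR is its own inverse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP frame body: RC4(IV || secret) over payload || CRC-32 integrity value."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return rc4(iv + secret, payload + icv)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Same IV and key => same keystream, so c1 ^ c2 == p1 ^ p2; knowing p1 exposes p2.
    The result is truncated to the length of the known plaintext."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def collision_probability(frames: int, iv_bits: int) -> float:
    """Birthday approximation: P(at least one repeated IV) among `frames` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * space))


def frames_for_collision_probability(iv_bits: int, p: float) -> int:
    """Frame count at which a repeated IV is expected with probability p (random IVs)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = b"\x10\x20\x30"                      # the same 24-bit IV reused for two frames
    p1 = b"GET /index.html "                  # constructed plaintext an observer can guess
    p2 = b"session=abcdef01"                  # constructed plaintext of the other frame
    c1 = wep_encrypt(iv, secret, p1)
    c2 = wep_encrypt(iv, secret, p2)
    print("recovered from IV reuse:", recover_from_iv_reuse(c1, p1, c2))
    for bits in (24, 48):
        n = frames_for_collision_probability(bits, 0.5)
        print(f"{bits}-bit IV: ~{n} frames until a repeat is 50% likely")
```

With a 24-bit IV the 50% point is under five thousand frames, a few seconds of traffic on a busy network, while a 48-bit IV pushes it past nineteen million frames; this is the arithmetic behind WPA's larger IV, and it is why any protocol that derives a keystream from a small nonce must also guarantee the nonce never repeats.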

WPA vulnerabilities

  1. Hackers can easily overcome it using denial of service attacks.
  2. Its keys rely on passphrases, and if weak passphrases are used, a dictionary attack can be successfully launched.

How to crack WPA networks

Since WPA uses passphrases to authenticate user logins, a well-coordinated dictionary attack makes it vulnerable, especially if short passphrases are used. The tools for cracking WPA include:

  • Cain and Abel – It is used to decode files that have been sniffed by other programs like Wireshark.
  • CowPatty – This is a brute force attack tool that cracks pre-shared keys.

How to crack network WPA and WEP keys

You are going to need the right software, hardware, and patience in order to crack the keys to a wireless network. However, successfully doing so is dependent on the activity levels of users within the network you have targeted.

Backtrack is a great security operating system that is based on Linux. It contains many well-known tools that are very effective for collecting data, evaluating weaknesses, and exploiting networks. Some of these tools include Metasploit, Ophcrack, Wireshark, NMap, and Aircrack-ng.

Cracking network authentication keys requires the following:

  • Wireless network adapter able to inject packets.
  • Kali Linux Operating system
  • Proximity to the target network (you must be within its radio range).
  • Adequate know-how of the Linux OS and how to use the Aircrack-ng tools.
  • Patience, as there are factors that you may not be able to control. Remember, the greater the number of people actively accessing the network, the faster this will work.

How to perform MAC spoofing

In order to carry out MAC spoofing, you will have to bypass the MAC filtering that the target network is using. MAC filtering is commonly used to lock out MAC addresses that have not been authorized to connect to a wireless network.

This is usually an effective way to prevent people who may somehow acquire the password from connecting to the network. However, MAC filtering is not an effective security measure when it comes to locking out hackers.

The steps below will show you exactly how to go about spoofing the MAC address of a client who is authorized to connect to the network.

The Wi-Fi adapter should be in monitor mode. Airodump-ng on Kali Linux will be used to recover the MAC address. After this, the macchanger program will be used to do the spoofing, bypass the filter, and connect to the network.


1. Make sure your Wi-Fi adapter is in monitor mode. To find the wireless network that is being targeted as well as any clients connected to it, enter this command:

Command: airodump-ng -c [channel] --bssid [target router MAC address] -i wlan0mon

A window will open up displaying a list of clients who are connected to the network. Their whitelisted MAC addresses will also be shown. These are the addresses you need to spoof in order to enter the network.

2. Pick one of the whitelisted MAC addresses from the list to use to spoof your own address. Before you are able to perform the spoofing, you must take down the monitoring interface.

Command: airmon-ng stop wlan0mon

3. The next step is to take down your own wireless interface (wlan0), whose MAC address you are about to change.

Command: ifconfig wlan0 down

4. Then you use the macchanger tool to change the address. Enter the command:

Command: macchanger -m [New MAC Address] wlan0

5. Remember, you had taken down the wireless interface in step 3. Now it is time to bring it back up.

Command: ifconfig wlan0 up

Now that the MAC address of your wireless adapter has been changed to that of an authorized user, test and see if the network will authenticate your login. You should be able to connect to the wireless network.

Securing Wireless Transmissions

Hacking of wireless networks poses three main threats: Disruption, Alteration, and Interception. In order to prevent malicious hackers from eavesdropping on a wireless transmission, you can use:

Signal-hiding methods — Before a malicious hacker is able to intercept wireless transmissions, they first have to locate the wireless access point.

An organization can make this more difficult by switching off the SSID (service set identifier) being broadcast by the access point, assigning a cryptic name to the SSID, lowering signal strength to provide just enough requisite coverage, or stationing access points away from exterior walls and windows.

There are also more effective but expensive techniques, such as employing directional antennas to restrict the signal within a specific area or using TEMPEST (a technique to block emission of wireless signals).

Stronger encryption of all wireless traffic — This is very important especially for organizations that must protect the confidentiality of their information being broadcast wirelessly.

This measure reduces the risks of a man-in-the-middle attack.

Stronger authentication procedures — This should apply to users as well as their devices. This minimizes man-in-the-middle attacks.

Countermeasures against Denial of Service Attacks

Malicious hackers may at times attempt to bring down the servers of a particular organization, but in some cases, a DoS attack may be unintentional.

There are certain steps that can be taken to minimize the risks of this form of attack:

  • Performing site surveys carefully to determine the location of signals emanating from other devices. This should be used as a guide in deciding where the access points should be located.
  • Conducting regular audits of network performance and activity to determine areas with problems. If there are any offending devices, they should be removed. Measures should also be taken to enhance signal coverage and strength in problem areas.

Securing Wireless Access Points

Wireless access points that are poorly configured are a major vulnerability and may allow malicious hackers unauthorized access to confidential information. To secure wireless access points, the following countermeasures must be taken:

  • Eliminate all rogue access points — The best way to do this is to use 802.1x to prevent any rogue devices from plugging into and connecting to the wireless network.
  • Ensure all authentic access points are properly configured — Make sure that all default settings are changed since they are publicly available and hackers can easily exploit them.
  • Authenticate every device using the 802.1x protocol — a strong authentication system will prevent unauthorized devices from setting up backdoors. This protocol ensures stringent authentication before assigning any device an IP address.

Securing Wireless Devices

There are two perspectives when it comes to assessing the security threats against wireless devices: Theft/Loss and Compromise.

Laptops and PDAs usually contain a lot of confidential and sensitive information, and therefore must be protected from theft or loss. Wireless client devices can also be compromised when a malicious hacker gains access to stored data in the device. Hackers can also use the device to launch attacks on other systems and networks.

Securing Wireless Networks

  • Encryption – this is the best way to secure a wireless network. Most base stations, access points, and wireless routers come with inbuilt encryption mechanisms that enable scrambling of network communications. Always make sure that the router you buy comes with an encryption feature. Most manufacturers turn this feature off, so ensure that you manually turn it on before you start using your router.
  • Anti-spyware, anti-virus, and firewalls – Make sure that your wireless network is protected in the same way as a wired connection. Keep all your software updated and always check whether your firewall is switched on.
  • Switch off your router’s identifier broadcasting – This is the mechanism that a wireless router uses to broadcast its presence in an area. However, there is no need to announce the presence of a network if the users know that it is already there. Malicious hackers tend to search for the identifier broadcast to zero in on potential targets. If your router allows disabling of the identifier broadcasting, do it.
  • Change default identifier – Every router has a default ID given to it by its manufacturer. You may have switched off the identifier broadcaster, but hackers can still attack the network if they find out the default ID, which is publicly accessible. Change the identifier and don’t forget to configure the new ID into your computer.
  • Change the default password – Every router is assigned a default password by the manufacturer to allow a user to initially set up the device. These default passwords are easy to find, so make sure that you change your router password to something that will be very difficult to crack. Also, try to make your password as long as possible.
  • Specify the devices authorized to connect to the network – Configure your router to only allow specific MAC addresses to connect to the network. However, don’t rely on this technique alone as MAC spoofing is still possible.
  • Shut the network down when unused – whenever a wireless network is not being used, make sure that it is switched off. This will limit the window of opportunity that hackers can use to penetrate the network.
  • Be vigilant in Wi-Fi hotspots – most people love to use the free Wi-Fi at airports, cafes, hotels, and other public places. These wireless networks are rarely secured, so do not assume that they are.
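The access-point countermeasures and the checklist above (change default settings and identifiers, turn encryption on, use 802.1x, treat MAC filtering as a supplement rather than a control) can be turned into an automated configuration review. The following is an added example written for this page, not code from the original article or from the hostapd project: it parses configurations in the key=value format used by the hostapd access-point daemon and reports findings against that checklist. The two embedded configurations are constructed, the vendor-default SSID pattern and the minimum passphrase length are assumptions, and the keys checked (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`/`rsn_pairwise`, `wep_key*`, `wps_state`, `ieee80211w`, `macaddr_acl`) are real hostapd options.

```python
import re

# Constructed hostapd-style configurations for illustration (not from any real deployment).
WEAK_CONFIG = """\
interface=wlan0
ssid=NETGEAR
wpa=1
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wps_state=2
macaddr_acl=1
"""

HARDENED_CONFIG = """\
interface=wlan0
ssid=corp-floor3-5g
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
ieee80211w=2
wps_state=0
"""

# Assumed list of vendor-default identifier prefixes; extend for your environment.
DEFAULT_SSID_PATTERN = re.compile(r"^(netgear|linksys|dlink|tp-?link|default|wireless)", re.I)
MIN_PASSPHRASE_LEN = 12   # assumed policy; hostapd itself accepts 8 to 63 characters


def parse_hostapd(text: str) -> dict:
    """Minimal parser for hostapd's key=value format; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text: str) -> list:
    """Return (severity, key, message) findings; severity is CRITICAL, WARN or INFO."""
    c = parse_hostapd(text)
    findings = []
    wpa = c.get("wpa", "0")
    uses_wep = any(k.startswith("wep_key") for k in c) or "wep_default_key" in c
    if uses_wep:
        findings.append(("CRITICAL", "wep_key", "WEP keys configured; WEP is broken"))
    elif wpa == "0":
        findings.append(("CRITICAL", "wpa", "no WPA/WPA2 protection (open network)"))
    elif wpa in ("1", "3"):
        findings.append(("WARN", "wpa", "WPA1 allowed; set wpa=2 so only RSN/WPA2 is offered"))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in c.get(key, ""):
            findings.append(("WARN", key, "TKIP cipher enabled; use CCMP"))
    mgmt = c.get("wpa_key_mgmt", "")
    if wpa != "0" and "WPA-PSK" in mgmt and not any(x in mgmt for x in ("SAE", "WPA-EAP")):
        findings.append(("INFO", "wpa_key_mgmt", "pre-shared key only; prefer 802.1X (WPA-EAP) or SAE"))
    pw = c.get("wpa_passphrase")
    if pw is not None and len(pw) < MIN_PASSPHRASE_LEN:
        findings.append(("WARN", "wpa_passphrase", "short passphrase; use a long random one"))
    if c.get("wps_state", "0") != "0":
        findings.append(("WARN", "wps_state", "WPS enabled; disable unless required"))
    if c.get("ieee80211w", "0") != "2":
        findings.append(("WARN", "ieee80211w", "management frame protection not required; "
                         "deauthentication frames are unauthenticated"))
    if DEFAULT_SSID_PATTERN.match(c.get("ssid", "")):
        findings.append(("WARN", "ssid", "SSID looks like a vendor default; change the identifier"))
    if c.get("macaddr_acl", "0") != "0":
        sev = "CRITICAL" if wpa == "0" and not uses_wep else "INFO"
        findings.append((sev, "macaddr_acl", "MAC filtering is not a substitute for encryption; "
                         "addresses can be cloned"))
    return findings


def worst_severity(findings) -> str:
    order = {"CRITICAL": 3, "WARN": 2, "INFO": 1}
    return max((f[0] for f in findings), key=order.get, default="OK")


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_ap_config(text)
        print(f"{name}: {worst_severity(findings)}")
        for sev, key, msg in findings:
            print(f"  [{sev}] {key}: {msg}")
```

Run it over an exported hostapd.conf (or adapt `parse_hostapd` to another vendor's export format) as part of the regular audits the previous section recommends; a finding of CRITICAL means the access point offers no real protection, and even a clean report should be paired with a check that the default administrative password has been changed, which the configuration file itself cannot show.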

Securing the Users

There is no greater way to secure a wireless network than educating and training all users. Users are not just people who connect to the network but IT personnel and administrators as well.

It is very important to teach people how to behave in a way that will maintain the security of the wireless network. This user training and education must be a periodic endeavor.

Let’s face it. It is not possible to completely eliminate every risk that a wireless network comes with. Sooner or later, a hacker will get through.

However, there are actions that can be taken to maintain a reasonable level of general security. This is possible through the use of systematic risk evaluation and management techniques. Every component of a wireless network must be considered when establishing countermeasures against malicious hackers.
