Wireless local-area networks – also called Wi-Fi networks or WLANs – are very popular. They are installed in offices, hotels, coffee shops and homes. Wireless networks provide convenience and mobility, and are cheaper to realize than wired networks in many cases. The convenience, productivity gains, and cost savings of wireless networks are accompanied by a new set of vulnerabilities.[1]
A brief account of the history of WLAN vulnerabilities is presented on pages 280-281 of the book Penetration Tester's Open Source Toolkit by Johnny Long and others. An extensive account of the history of WLAN vulnerabilities and how these vulnerabilities were fixed is presented on pages 181-184 and 208-211 of the book Wireless Security Handbook by Aaron E. Earle. These books are accessible in the section on practical information.
Cracking is a form of attack that most people associate with security. Sensitive data is often stored on network-accessible computers by companies and institutions. Hacking is a general term that means to program, to fiddle with, or to be interested in something intensely. The word hacking is often used by the popular media when cracking is meant.[2]
This article not only covers the cracking of wireless networks in detail, it also covers the subsequent cracking of all 'wireless' and 'wired' computers of a local-area network. Furthermore, it covers detection, prevention, and societal aspects.
802.11 networks use data frames, management frames, and control frames. Data frames convey the real data, and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the ether and prevent access points and clients from interfering with each other in the ether. Some information on management frames will be helpful to better understand what programs for reconnaissance do.
The purpose of wireless reconnaissance is to locate a wireless network and to collect information about its configuration and associated clients. Equipping a car with a laptop and then driving around, which is known as wardriving, is the most practical way to find wireless networks.
A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and can connect to the internet wirelessly.
The laptop computer and the wireless card must support a mode called monitor or rfmon.[8]
Netstumbler is a network discovery program for Windows. It is free and easy to use. Netstumbler has become one of the most popular programs for wardriving and wireless reconnaissance, although it has a disadvantage. It can be detected easily by most wireless intrusion detection systems, because it actively probes a network to collect information. Netstumbler has integrated support for GPS. This makes it easy to find networks again after sorting collected data.[9]
Kismet is a wireless network traffic analyser for OS X, Linux, OpenBSD, NetBSD, and FreeBSD. It is free and open source. Kismet has become the most popular program for serious wardrivers. It offers a rich set of features, including deep analysis of captured traffic.[10]
Wireshark is a packet sniffer and network traffic analyser that can run on all popular operating systems, but support for the capture of wireless traffic is limited. It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with other programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.[11]
AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.[12]
Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It has become the industrial standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to use it to its ability.[13]
KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and WEP cracking.[14]
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption.
Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings – the default configuration – access is obtained simply by association. With insufficient security settings such as cloaking and/or MAC address filtering, security is easily defeated.
Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access (WPA) and Cisco's Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks.[15]
WEP was the first encryption standard available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an initialisation vector of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadecimal key.
There are two methods for cracking WEP: the FMS attack and the chopping attack.
The FMS attack – named after Fluhrer, Mantin, and Shamir – is based on a weakness of the RC4 encryption algorithm. The researchers found that 9000 of the possible 16 million initialisation vectors can be considered weak, and collecting enough of them allows the determination of the encryption key. To crack the WEP key in most cases, 5 million encrypted packets must be captured to collect about 3000 weak initialisation vectors. (In some cases 1500 vectors will do; in some other cases more than 5000 are needed for success.) The weak initialisation vectors are supplied to the Key Scheduling Algorithm (KSA) and the Pseudo Random Generator (PRNG) to determine the first byte of the WEP key. This procedure is then repeated for the remaining bytes of the key.
The chopping attack chops the last byte off the captured encrypted packets. This breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). When all 8 bits of the removed byte were zero, the CRC of the shortened packet is made valid again by manipulation of the last four bytes. This manipulation is: result = original XOR certain value. The manipulated packet can then be retransmitted. This method enables the determination of the key by collecting unique initialisation vectors.
The main problem with both the FMS attack and the chopping attack is that capturing enough packets can take weeks or sometimes months. Fortunately, the speed of capturing packets can be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then transmitted to the access point repeatedly until enough response packets have been captured. ARP packets are a good choice because they have a recognizable size of 28 bytes.
Waiting for a legitimate ARP packet can take a while. ARP packets are most commonly transmitted during an authentication process. Rather than waiting for that, sending a deauthentication frame that pushes a client off the network will require that client to reauthenticate. This often creates an ARP packet.[16]
WPA was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK) or is used in combination with a RADIUS server (WPA-RADIUS). For its encryption algorithm, WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES).
WPA2 was developed because of some vulnerabilities of WPA-PSK and to strengthen the encryption further. WPA2 uses both TKIP and AES, and requires not only an encryption piece but also an authentication piece. A form of the Extensible Authentication Protocol (EAP) is deployed for this piece.[17]
WPA-PSK can be attacked when the PSK is shorter than 21 characters. Firstly, the four-way EAP Over LAN (EAPOL) handshake must be captured. This can be captured during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients. Secondly, each word of a word-list must be hashed with the Hashed Message Authentication Code – Secure Hash Algorithm 1 and two so-called nonce values, along with the MAC address of the client that asked for authentication and the MAC address of the access point that gave authentication. Word-lists can be found at http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/.[18]
LEAP uses a variation of Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2). This handshake uses the Data Encryption Standard (DES) for key selection. LEAP can be cracked with a dictionary attack. The attack involves capturing an authentication sequence and then comparing the last two bytes of a captured response with those generated with a word-list.[19]
WPA-RADIUS cannot be cracked. This is the equivalent of WPA-Enterprise or WPA2-Enterprise. This is correct with two caveats: 1. As long as the private key for the RADIUS[20] service certificate[21] is not compromised or stolen (social engineering and/or network penetration through email or other means; more likely to work against inexperienced wireless users and administrators). 2. The hash algorithm used for the RADIUS certificate must be considered strong, e.g. not SHA-1, since it has been successfully attacked.[22]
WPA2 can be attacked by using the WPA-PSK attack, but the attack is largely ineffective.[23][24]
Aircrack-ng runs on Windows and Linux, and can crack WEP and WPA-PSK. It can use the FMS attack and the KoreK attack, the latter being a statistical method that is more efficient. Aircrack-ng consists of several components. Airmon-ng configures the wireless network card. Airodump-ng captures the frames. Aireplay-ng generates traffic. Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts all packets that were captured. Thus, aircrack-ng is the name of the suite and also of one of its components.[25]
CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started using a command-line interface, specifying a word-list that contains the passphrase, a dump file that contains the four-way EAPOL handshake, and the SSID of the network.[26]
Void11 is a program that deauthenticates clients. It runs on Linux.[27]
MAC address filtering can be used alone as an ineffective security measure, or in combination with encryption. The attack consists of determining an allowed MAC address, and then changing the MAC address of the attacker to that address.[28]
EtherChange is one of the many programs available to change the MAC address of network adapters. It runs on Windows.[29]
A 'wireless' sniffer can find IP addresses, which is helpful for network mapping.[30]
Alternatively, IP addresses of the target must be determined by collecting as many DNS host names as possible and translating them to a list of IP addresses and IP address ranges.[31] This internet research is elaborated in chapter 1 of the book Penetration Tester's Open Source Toolkit by Johnny Long and others, which is accessible in the section on practical information.
Once access to a wireless network has been gained, it is helpful to determine the network's topology, including the names of the computers connected to the network. The excellent program Nmap can be used for this, which is available in a Windows and a Linux version. However, Nmap does not provide the user with a network diagram. The network scanner Network View that runs on Windows does. The program asks for one IP address or an IP address range. When the program has finished scanning, it displays a map of the network using different pictures for routers, workstations, servers, and laptops, all with their names added.[32]
The most direct method for finding hosts on a LAN is using the program ping. When using a modern flavour of Unix, shell commands can be combined to produce custom ping-sweeps. When using Windows, the command-line can also be used to create a ping-sweep. Examples are given in the reference.[33]
Ping-sweeps are also known as host scans. Nmap can be used for a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups.
Ping packets could reliably determine whether a computer was on line at a specified IP address. Nowadays these ICMP echo request packets are sometimes blocked by the firewall of an operating system. Although Nmap also probes TCP port 80, specifying more TCP ports to probe is recommended when pings are blocked. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. And by combining various options as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30, superb host scanning is achieved.
Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.[34]
The ultimate gratification for a network intruder always is to obtain administrator privileges for a network. When an intruder is inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs to facilitate durable influence on a system. Some of these programs are used to compromise new user accounts or new computers on the network. Other programs are there to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that can remove all data from the log files of a computer that relate to the intruder. Yet other programs of a rootkit may be used to survey the network or to overhear more passwords that are travelling over it. Rootkits may also give the means to change the very operating system of the computer they are installed on.
The network intruder then proceeds with creating one or more so-called back doors. These are access provisions that are hard to find for system administrators, and they serve to prevent the logging and monitoring that results from normal use of the network. A back door may be a concealed account or an account of which the privileges have been escalated. Or it may be a utility for remote access, such as Telnet, that has been configured to operate with a port number that is not customary.
The network intruder then proceeds with stealing files, or stealing credit card information, or preparing a computer to send spam emails at will. Another goal is to prepare for the next intrusion. A cautious intruder is protective against discovery of his or her location. The method of choice is to use a computer that already has been attacked as an intermediary. Some intruders use a series of intermediate computers, making it impracticable to locate them.[35]
When a hacker scans the radio channels destined for wireless networks for activity, this cannot be detected because the scanner only listens for signals. Only when the hacker inserts packets into the network can he or she be detected and can his or her location be investigated.
A hacker can only obtain limited information from sniffing a network. To gain more information he or she must start probing the network, making detection possible.[36]
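The deauthentication frames mentioned above (used to provoke ARP traffic for WEP injection and to force a WPA-PSK handshake) are exactly the kind of inserted packets that make an intruder detectable. The following added example, which is not part of the original article, decodes the fixed 802.11 MAC header of raw management frames and raises an alert when one BSSID emits a burst of deauthentication frames; the frame bytes, addresses and thresholds are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH = (0, 12)  # 802.11 type 0 (management), subtype 12 (deauthentication)

def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_80211(frame):
    """Decode the fixed 24-byte MAC header of a raw 802.11 frame (radiotap stripped)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]  # frame control: bits 2-3 = type, bits 4-7 = subtype
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "da": _mac_str(frame[4:10]), "sa": _mac_str(frame[10:16]),
            "bssid": _mac_str(frame[16:22]), "reason": None}
    if (info["type"], info["subtype"]) == DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # little-endian reason code
    return info

class DeauthMonitor:
    """Alert when one BSSID sources `threshold` or more deauthentication frames
    within any `window` seconds. A legitimate AP sends few unicast deauths;
    a burst, especially to the broadcast address, points to injection."""
    def __init__(self, window=5.0, threshold=10):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)  # bssid -> deque of (timestamp, is_broadcast)

    def observe(self, ts, frame):
        info = parse_80211(frame)
        if info is None or (info["type"], info["subtype"]) != DEAUTH:
            return None
        q = self.recent[info["bssid"]]
        q.append((ts, info["da"] == BROADCAST))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return {"bssid": info["bssid"], "count": len(q),
                    "broadcast": sum(1 for _, b in q if b), "reason": info["reason"]}
        return None

def sample_deauth(da, sa, bssid, reason=7):
    """Constructed deauthentication frame bytes for testing (not a real capture)."""
    return (bytes([0xC0, 0x00, 0x00, 0x00]) + _mac_bytes(da) + _mac_bytes(sa)
            + _mac_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason))

def run_sample():
    """Feed a constructed trace: sparse legitimate deauths, then a spoofed flood."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed addresses
    mon, alerts = DeauthMonitor(window=5.0, threshold=10), []
    for t in (0.0, 30.0, 60.0):  # normal: three unicast deauths, a minute apart
        alerts.append(mon.observe(t, sample_deauth(client, ap, ap, reason=3)))
    for i in range(15):          # flood: 15 broadcast deauths spoofing the AP in 1.5 s
        alerts.append(mon.observe(100.0 + 0.1 * i, sample_deauth(BROADCAST, ap, ap)))
    return [a for a in alerts if a is not None]
```

In practice the frames would come from a card in monitor mode, as described earlier, with the radiotap header stripped before parsing.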
An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied by Wired Equivalent Privacy (WEP). This security protocol takes care of the following:
WEP has been criticized by security experts. Most experts regard it as ineffective by now.
In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.
Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped.[37] MAC filtering can be attacked because a MAC address can be faked easily.
In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.
Returning to encryption, the WEP specification at any encryption strength is unable to withstand determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses TKIP encryption; WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.[38]
Theoretical information may be gathered from the following documents.
Making use of someone else's wireless access point or wireless router to connect to the internet – without the owner's consent in any way – is not punishable by criminal law in the Netherlands. This is true even if the device uses some form of access protection. To penetrate someone else's computer without the owner's consent is punishable by criminal law, though.[41][42]
There is consensus that computer attackers can be divided into the following groups.