Wi-Fi…the hacker’s best friend!
I have studied Wireless Internet (Wi-Fi, the shortened term of Wireless Fidelity) and Wireless Security for years. Wi-Fi is everywhere, in every city and in every country. It is convenient and it allows you to connect to networks without wires, but to me it is the #1 Security Risk in a network. Once someone has established a connection via Wi-Fi to your network, they own it!
If you have Wi-Fi enabled on your network, no matter how hardened you think your security is, if someone wants onto your network badly enough, they can and will gain access. It can take as little as 3 minutes to penetrate the network if you use the older WEP encryption, or longer if you take precautions like disabling SSID broadcast, enabling WPA2 encryption and enabling MAC address filtering. These “preventative” measures will only deter a novice from entering your network. Honestly, there is no such thing as a secure wireless network; all current security measures are only preventative and can be defeated!
Examples of how the above measures are easily defeated:
With WEP encryption, I can start one utility in Linux called WEPBUSTER and within minutes I will have the wireless key to your network. WEPBUSTER does all the work…just sit back and wait for your wireless key to appear. A 26 character WEP wireless key took me 2 minutes 38 seconds to crack with a 1GHz netbook.
Airodump-ng, part of the Aircrack Suite that is included in Backtrack & Kali Linux, will display “Hidden” SSIDs.
Airodump-ng will also display the MAC address of “clients” that are associated with an access point, thus letting you clone their MAC address.
MacChanger is a utility that will allow you to change the MAC address of your wireless adapter, so you can essentially clone the MAC address of a client that is connected to the network (discovered with Airodump-ng), thus defeating MAC filtering.
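MAC filtering fails because a MAC address is just a field an adapter can be told to send, but a cloned address does leave a trace a defender can look for. Every 802.11 frame carries a 12-bit sequence number that a single radio increments by one per frame, so two radios transmitting under the same MAC produce a stream whose counter jumps back and forth. The following detector is an added example, not code from the article or from the Aircrack Suite; it runs over constructed frame records (timestamp, source MAC, sequence number) that stand in for what a monitor-mode sensor would capture, and the gap thresholds are assumptions to be tuned for a real site.

```python
"""Spot a cloned client MAC from 802.11 sequence-number discontinuities.

Added example, not part of the original article. A legitimate station's
sequence counter advances by one per frame and wraps at 4096; a second
radio using the same MAC keeps its own counter, so the merged stream shows
large forward jumps followed by large backward steps.
"""
from collections import defaultdict

SEQ_MODULO = 4096          # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64       # assumed: tolerate lost/retried frames up to this gap
MAX_BACKWARD_STEP = 8      # assumed: small backward steps are out-of-order delivery

# Constructed frames: (timestamp, source MAC, sequence number).
# aa:bb:cc:dd:ee:01 is a whitelisted client; a second device that cloned
# its MAC starts transmitting at t=10.2 with an unrelated counter (800...).
FRAMES = [
    (10.0, "aa:bb:cc:dd:ee:01", 100),
    (10.1, "aa:bb:cc:dd:ee:01", 101),
    (10.2, "aa:bb:cc:dd:ee:01", 800),    # cloned device, own counter
    (10.3, "aa:bb:cc:dd:ee:01", 102),    # legitimate device continues
    (10.4, "aa:bb:cc:dd:ee:01", 801),
    (10.5, "aa:bb:cc:dd:ee:01", 103),
    (11.0, "aa:bb:cc:dd:ee:02", 4094),   # another client wrapping normally
    (11.1, "aa:bb:cc:dd:ee:02", 4095),
    (11.2, "aa:bb:cc:dd:ee:02", 0),
    (11.3, "aa:bb:cc:dd:ee:02", 1),
]


def seq_delta(previous, current):
    """Signed distance from previous to current, modulo 4096.

    The result lies in (-2048, 2048]; a legitimate wrap 4095 -> 0 yields +1.
    """
    d = (current - previous) % SEQ_MODULO
    return d - SEQ_MODULO if d > SEQ_MODULO // 2 else d


def find_cloned_macs(frames, max_forward=MAX_FORWARD_GAP, max_backward=MAX_BACKWARD_STEP):
    """Return {mac: [(timestamp, previous_seq, seq), ...]} for every anomalous step."""
    last_seq = {}
    anomalies = defaultdict(list)
    for ts, mac, seq in frames:
        if mac in last_seq:
            delta = seq_delta(last_seq[mac], seq)
            if delta > max_forward or delta < -max_backward:
                anomalies[mac].append((ts, last_seq[mac], seq))
        last_seq[mac] = seq
    return dict(anomalies)


if __name__ == "__main__":
    for mac, steps in find_cloned_macs(FRAMES).items():
        print(f"possible cloned MAC {mac}: {len(steps)} discontinuities")
        for ts, prev, cur in steps:
            print(f"  t={ts}: seq {prev} -> {cur}")
```

The normal wrap from 4095 to 0 on the second client is not flagged because the distance is computed modulo 4096; only the interleaved counters of the cloned address trip the thresholds. Sequence-number checks are a heuristic, so pair them with the stronger control the article implies: MAC filtering is not access control, and only per-user authentication (WPA2-Enterprise/802.1X) ties a session to a credential rather than to a spoofable address.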
Using Airodump-ng (and a few other parts of the Aircrack Suite) you can capture a “handshake” with a WPA/WPA2 encrypted access point. Once you have this handshake, you can return to your “lair” and proceed to run this handshake against a compiled “dictionary”, or even use “rainbow tables”, to find the wireless key. It will take longer to find the wireless key, but if you really want to gain access to the wireless network, it can be accomplished. I once ran a handshake against several seriously large dictionary files; it took 14 days, 6 hours and 13 minutes to get the wireless key, but I was able to get it. It took time, but I was able to get the wireless key from the comfort of my own “lair”.
There are also small Linux based “Live CDs” like Beini that are “click & crack” tools for those who have no desire to learn any Linux commands. Tools like this make it very easy for n00bs to get WEP & WPA/WPA2 wireless keys! You can run this as a virtual machine, boot to it from a CD or SD card, or even run from a USB drive!
Spooky, isn’t it! These are only a few of many, many tools that can and will defeat Wi-Fi encryption. You do not have to be a Linux professional to learn how to use these tools. YouTube.com is full of “how-to videos”. The Aircrack Suite has many tutorials on how to use their programs. When I started penetration testing Wi-Fi, I was “testing” after only a few hours of research!
What happens when someone gains access to your network…
Once someone has hopped onto your wireless network, the sky is the limit. They can access files, other computers, gain access to servers, and steal all of your data! What happens the most is what is referred to as a “Man in the Middle” attack. Once a “hacker” has infiltrated the wireless network, he or she can run Cain & Abel and sit back and collect all of your network passwords, collect and view all of the websites visited as well as the website login credentials of your users, and much more. I’ve pen tested a state government’s wireless network using these tools (with permission of course) and was able to collect hundreds of email, banking, social media, and online shopping logins within a matter of hours.
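The “Man in the Middle” position described above is normally obtained on a LAN by ARP cache poisoning: the attacking host answers ARP for the gateway's IP with its own MAC, so client traffic is routed through it. That is noisy at the ARP layer and is the kind of thing a small network monitor catches. The detector below is an added example, not code from the article or from Cain & Abel; it learns IP-to-MAC bindings (the gateway's is pinned from configuration), then alerts when a later reply changes a known binding or when one MAC starts answering for several IPs. The ARP reply records and addresses are constructed for the demonstration.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example, not part of the original article. Records are constructed
(timestamp, sender IP, sender MAC) triples standing in for what a sensor
would extract from ARP replies on the wireless segment.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"   # constructed; in practice pinned from the router's config

# Constructed ARP reply stream. At t=5.0 a host starts claiming the gateway's
# IP with its own MAC, then claims a client's IP too (classic two-sided poisoning).
ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.5, "192.168.1.20", "00:11:22:33:44:20"),
    (2.0, "192.168.1.21", "00:11:22:33:44:21"),
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # gateway binding changes
    (5.1, "192.168.1.20", "de:ad:be:ef:00:99"),   # same MAC now claims a client too
    (6.0, "192.168.1.21", "00:11:22:33:44:21"),   # unchanged, no alert
]


def detect_arp_spoofing(replies, pinned=None):
    """Return a list of alerts; each is a tuple starting with (timestamp, alert_type).

    alert types:
      "binding-changed"         (ts, type, ip, previous_mac, new_mac)
      "mac-claims-multiple-ips" (ts, type, mac, (ip, ip, ...))
    """
    bindings = dict(pinned or {})                 # ip -> first MAC seen (or pinned)
    ips_by_mac = defaultdict(set)                 # mac -> every ip it has answered for
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac                    # first sighting: learn it
        elif known != mac:
            alerts.append((ts, "binding-changed", ip, known, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, pinned={GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

Pinning the gateway binding matters: a detector that only learns from traffic can be taught the wrong answer if the poisoning starts before it does. On a managed network the same effect is achieved by Dynamic ARP Inspection on the switch or by static ARP entries on critical hosts, and client isolation on the access point keeps wireless stations from reaching each other at layer 2 in the first place.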
With old equipment, or even a low powered netbook, it is very easy to boot up your favorite flavor of Linux (Backtrack is preferred, but there is a new kid on the block, Kali Linux). With any 32-bit or 64-bit laptop you can easily boot up a virtual machine using VMware Player, VirtualBox or other similar software. Alternatively you can just boot your laptop using a “Live CD”, USB drive, or SD card. (Check Pendrive Apps for tutorials and software to create bootable USB/SD cards.) I can tell you that a 1GHz Compaq Mini Netbook that boots Backtrack from an SD card is a powerful tool when it comes to accessing Wi-Fi. It does not take a lot of money to purchase equipment; you probably already own everything needed. If you don’t have the equipment, it is very easy to obtain and inexpensive, and you can even make high power antennas out of metal food cans that are just as powerful as antennas that would cost you $200 or more!
I have several devices that I use for “penetration testing” purposes. I have several older computers (including an older XP tablet) and various laptops/netbooks/tablets that I use with external high powered USB Wi-Fi adapters that will accept external antennas. Some of these I will boot to Linux residing on an SD card or USB drive; with others I will just boot up VMware Player. With these inexpensive pieces of equipment and free software, I can access Wi-Fi access points up to 1 mile away (line of sight). My favorite external antenna is directional and costs less than $5 to make! I have picked up Wi-Fi SSIDs at close to a mile with this “cantenna” along with an Alfa Wireless Long Range USB Adapter. (I’ll post how to make the $5 Cantenna after this article!)