Stumbling and Sniffing
You can use Wi-Fi stumblers to detect nearby access points and their details, such as signal level, security type and media access control (MAC) address. You might find access points set with weak Wired Equivalent Privacy (WEP) security, which can be easily cracked, or possibly rogue access points set up by employees or others that could be opening your network up to attack. If there are access points with a hidden or non-broadcast SSID (network name), Wi-Fi stumblers can quickly reveal it.
You can use wireless sniffers to capture raw network packets sent over the air. You can import the captured traffic into other tools, for example to try to crack the encryption. Or if you're connected to the network (or if it isn't encrypted), you can manually look for email and website passwords sent in clear text.
Here are a few Wi-Fi stumblers and sniffers:
Vistumbler is an open source Windows application that displays the basic access point details, including the exact authentication and encryption methods, and can even speak the SSID and RSSI aloud. It also displays graphs of signal levels. It's highly customizable and offers flexible configuration options. It lets you assign names to access points to help distinguish them, which also helps to detect rogue access points. It also supports GPS logging and live tracking within the application using Google Earth.
Kismet is an open source Wi-Fi stumbler, packet sniffer, and intrusion-detection system that can run on Windows, Mac OS X, Linux, and BSD. It shows access point details, including the SSID of "hidden" networks. It can also capture the raw wireless packets, which you can then import into Wireshark, TCPdump, and other tools. In Windows, Kismet only works with CACE AirPcap wireless adapters because of Windows driver limitations. It does, however, support a variety of wireless adapters in Mac OS X and Linux.
Wifi Analyzer is a free Android app you can use to find access points from your Android-based smartphone or tablet. It lists the basic details for access points on the 2.4-GHz band, and on supported devices on the 5-GHz band as well. You can export the access point list (in XML format) by sending it to email or another app, or take screenshots. It also features graphs showing signals by channel, history, and usage rating, and has a signal meter feature to help locate access points.
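The stumblers above report the same handful of fields (BSSID, SSID, security type, WPS state) in different layouts. The script below is an added example, not code from this post or from any of the tools listed, showing how to turn one such scan listing into a rogue-AP check. It assumes a scan in the layout of Linux `iw dev <iface> scan` output (the constructed sample is embedded) and a constructed inventory of your own access points; it flags unknown BSSIDs, unknown BSSIDs that advertise your own network name, open and WEP networks, WPS-enabled routers, and hidden SSIDs (which, as the text says, a stumbler reveals anyway).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `iw dev <iface> scan` output (assumption: your
# scanner prints something similar; adapt the line prefixes below if it does not).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CorpNet
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 66:77:88:99:aa:bb(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: OldPrinter
BSS cc:dd:ee:ff:00:11(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID:
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
BSS 22:33:44:55:66:77(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: CorpNet
"""

# Constructed inventory of the access points you actually deployed: BSSID -> SSID.
AUTHORIZED_APS = {"00:11:22:33:44:55": "CorpNet"}


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    privacy: bool = False  # "Privacy" capability bit: some encryption is in use
    rsn: bool = False      # RSN element present (WPA2)
    wpa: bool = False      # vendor WPA element present (WPA1)
    wps: bool = False      # WPS element present
    ciphers: set = field(default_factory=set)
    auth: set = field(default_factory=set)


def parse_scan(text: str) -> list:
    """Parse iw-style scan output into AccessPoint records."""
    aps, ap, block = [], None, None
    for line in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line, re.I)
        if m:
            ap = AccessPoint(bssid=m.group(1).lower())
            aps.append(ap)
            block = None
            continue
        if ap is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            ap.ssid = s[len("SSID:"):].strip()
        elif s.startswith("capability:"):
            ap.privacy = "Privacy" in s.split()
        elif s[:4] in ("RSN:", "WPA:", "WPS:"):
            block = s[:3]
            setattr(ap, block.lower(), True)
        elif s.startswith("*") and block in ("RSN", "WPA"):
            key, _, val = s[1:].partition(":")
            if key.strip() in ("Group cipher", "Pairwise ciphers"):
                ap.ciphers.update(val.split())
            elif key.strip() == "Authentication suites":
                ap.auth.update(val.split())
    return aps


def security(ap: AccessPoint) -> str:
    """Classify advertised security from the scan's information elements."""
    if ap.rsn:
        label = "WPA2-Enterprise" if "802.1X" in ap.auth else "WPA2-PSK"
    elif ap.wpa:
        label = "WPA-Enterprise" if "802.1X" in ap.auth else "WPA-PSK"
    elif ap.privacy:
        return "WEP"  # encryption bit set but no WPA/RSN element: legacy WEP
    else:
        return "open"
    return label + "+TKIP" if "TKIP" in ap.ciphers else label


def audit(aps: list, authorized: dict = AUTHORIZED_APS) -> list:
    """Return (bssid, issue) pairs a defender would want to review."""
    findings, our_ssids = [], set(authorized.values())
    for ap in aps:
        sec, known = security(ap), ap.bssid in authorized
        checks = [
            (not known, "unknown-bssid"),
            (not known and ap.ssid in our_ssids, "evil-twin-ssid"),  # our name, not our AP
            (sec == "open", "open"),
            (sec == "WEP", "wep"),
            (sec.endswith("+TKIP"), "tkip"),
            (ap.wps, "wps-enabled"),
            (ap.ssid == "", "hidden-ssid"),  # hiding the SSID is not a control
        ]
        findings += [(ap.bssid, issue) for hit, issue in checks if hit]
    return findings
```

Run `audit(parse_scan(SAMPLE_SCAN))` against a real scan captured with `iw dev wlan0 scan > scan.txt` and compare the result with your inventory; the interesting lines are the unknown BSSIDs that carry your SSID, which is the evil twin case discussed later in this post.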
WEP Key and WPA/WPA2-Personal Cracking
There are many tools that can crack Wi-Fi encryption, either by exploiting WEP's weaknesses or by running brute-force, dictionary-based attacks against WPA/WPA2-Personal (PSK). Thus you should never use WEP security.
WPA2 security with AES/CCMP encryption is the most secure. And if you use the Personal or pre-shared key (PSK) mode, use a long passphrase of 13 or more characters with mixed-case letters, numbers, and special characters; any ASCII character will do.
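To make the passphrase advice concrete, here is an added example (not code from this post or from any of the tools that follow) that checks a WPA/WPA2-Personal passphrase against the policy just stated, estimates the keyspace a brute-force attacker would face, and derives the actual pairwise master key the way the standard does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations). The derivation is what every dictionary-based cracker repeats per candidate, so it shows both why a cracker is slowed by the iteration count and why a short dictionary word gives that up anyway. The "password"/"IEEE" pair is the published test vector; everything else is constructed.

```python
import hashlib
import math
import string

# Character classes used to estimate the keyspace a brute-force attacker must search.
CLASSES = (
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("special", set(string.punctuation) | {" "}),
)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32-byte output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def check_passphrase(passphrase: str) -> list:
    """Return the ways a PSK passphrase falls short of the policy stated in the text."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK passphrases must be 8 to 63 characters")
    if len(passphrase) < 13:
        problems.append("shorter than 13 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains a character outside printable ASCII")
    for name, chars in CLASSES:
        if not any(c in chars for c in passphrase):
            problems.append(f"no {name} character")
    return problems


def keyspace_bits(passphrase: str) -> float:
    """Rough strength estimate: log2(alphabet ** length) for the union of character
    classes actually used. A dictionary word scores far lower in practice, which is
    exactly what dictionary-based crackers rely on."""
    alphabet = sum(len(chars) for _, chars in CLASSES
                   if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for p in ("password", "Tr0ub4dor&3xt!"):
        print(p, check_passphrase(p), round(keyspace_bits(p), 1))
```

Because the SSID is the salt, a precomputed table only helps an attacker against networks that share a common default SSID; that is one more reason, beyond the passphrase itself, to give your network a name of its own.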
You can use these tools to understand the Wi-Fi encryption weaknesses or to test your current passwords:
Aircrack-ng is an open source suite of tools for WEP and WPA/WPA2-Personal key cracking that runs on Windows, Mac OS X, Linux, and OpenBSD. It's also available as a VMware image and Live CD. It can capture data packets, inject and replay traffic, and reveal the encryption keys once enough packets have been captured.
CloudCracker is a commercial online password cracking service, starting at $17 for 20 minutes. In addition to WPA/WPA2 PSKs, it can also be used to attempt cracking of password hashes and password-protected documents. It uses huge dictionaries of 300 million words to perform the cracking and has the computing power to do it quickly. You simply upload the handshake file for WPA/WPA2 or a PWDUMP file for the hashes or documents.
WPA/WPA2-Enterprise Cracking
Though the Enterprise mode of WPA/WPA2 security with 802.1X
authentication is more secure than the Personal (PSK) mode, it still
has vulnerabilities. Here's a tool to help you better understand these
attacks, how you can protect your network, and test your security:
WPS PIN Cracking
If you have a wireless router instead of or in addition to access points, you should be aware of a vulnerability publicly disclosed in December. It involves the Wi-Fi Protected Setup (WPS) feature found on most wireless routers, which is usually enabled by default when WPA/WPA2-Personal (PSK) security is used. The WPS PIN, which can be used to connect to the wireless router, can be easily cracked within hours.
Here's one tool you can use to test your wireless routers against the WPS PIN weakness:
Reaver is a Linux program that performs brute-force attacks against wireless routers to reveal their WPS PIN and WPA/WPA2 PSK within four to 10 hours. Its developers also offer an easy-to-use hardware solution, Reaver Pro, with a graphical web interface.
Evil Twin APs and Wi-Fi Honey Pots
One technique Wi-Fi hackers can use to get unsuspecting people to connect to them is setting up a fake access point, aka an evil twin access point or wireless honey pot. Once someone connects to the access point, the hacker can then, for example, capture any email or FTP connections or possibly access the user's file shares. They could also use a captive portal or DNS cache spoofing to display a fake website mirroring a hotspot or website login page in order to capture the user's login credentials.
Here are tools to find vulnerable wireless clients on your network:
WiFish Finder is an open source Linux program that passively captures wireless traffic and performs active probing to help identify wireless clients vulnerable to attacks such as evil twin access points, honey pots, or man-in-the-middle attacks.
It builds a list of the network names that wireless clients are sending probe requests for and detects the security type of each desired network. Thus you can identify clients probing for unencrypted networks, which would be easily susceptible to evil twin or honey pot attacks, or those probing for a WPA/WPA2-Enterprise network that could be susceptible to man-in-the-middle attacks.
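The probe-request analysis described in the two paragraphs above is straightforward to reproduce on your own capture. The following is an added example, not code from this post or from WiFish Finder: it parses constructed capture lines written in the style of tcpdump's 802.11 decoding (the assumption is that each line carries the client's address as `SA:<mac>` and the text `Probe Request (<SSID>)`), collects which SSIDs each client asks for, and uses a constructed table of known SSIDs and their security types to report which clients are exposed to evil twins (open networks) and which to the 802.1X man-in-the-middle case.

```python
import re
from collections import Counter, defaultdict

# Constructed capture lines in the style of tcpdump's 802.11 decoding (assumption: your
# sniffer prints the client's source address as SA:<mac> and "Probe Request (<SSID>)").
SAMPLE_CAPTURE = """\
10:01:02.100 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:01 Probe Request (CorpNet)
10:01:02.350 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:01 Probe Request (Airport Free WiFi)
10:01:03.010 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:02 Probe Request (CoffeeShop)
10:01:03.400 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:02 Probe Request (HomeRouter42)
10:01:04.120 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:03 Probe Request ()
10:01:04.800 BSSID:Broadcast DA:Broadcast SA:aa:bb:cc:00:00:03 Probe Request (CorpNet)
"""

# Security type of each SSID as a stumbler would report it (constructed). WiFish Finder
# discovers this by probing; here it is a static table.
KNOWN_NETWORKS = {
    "CorpNet": "WPA2-Enterprise",
    "Airport Free WiFi": "open",
    "CoffeeShop": "open",
    "HomeRouter42": "WPA2-PSK",
}

PROBE_RE = re.compile(r"SA:([0-9a-f]{2}(?::[0-9a-f]{2}){5}) Probe Request \((.*?)\)", re.I)


def parse_probes(text: str) -> dict:
    """Map each client MAC to the set of SSIDs it asked for. Empty (broadcast) probes
    name no network and are skipped."""
    probed = defaultdict(set)
    for line in text.splitlines():
        m = PROBE_RE.search(line)
        if m and m.group(2):
            probed[m.group(1).lower()].add(m.group(2))
    return dict(probed)


def classify_clients(probed: dict, known: dict = KNOWN_NETWORKS) -> dict:
    """For each client, list the (ssid, risk) pairs its saved-network list exposes."""
    report = {}
    for mac, ssids in probed.items():
        risks = []
        for ssid in sorted(ssids):
            sec = known.get(ssid)
            if sec == "open":
                risks.append((ssid, "evil-twin"))   # any AP can answer for an open SSID
            elif sec and sec.endswith("Enterprise"):
                risks.append((ssid, "mitm"))        # the 802.1X MITM case the text describes
            elif sec is None:
                risks.append((ssid, "unknown-network"))
        report[mac] = risks
    return report


def summarize(report: dict) -> Counter:
    """Count how many clients are exposed to each risk, for a quick triage view."""
    return Counter(risk for risks in report.values() for risk in {r for _, r in risks})
```

The summary is the useful output for a defender: a count of clients whose saved profiles include open networks is a measure of how much an evil twin near your office could harvest, and the clients probing for your 802.1X SSID are the ones whose supplicant configuration (server certificate validation in particular) is worth verifying.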
Jasager (based on KARMA) is Linux-based firmware offering a set of Linux tools to identify vulnerable wireless clients, as WiFish Finder does, but it can also perform evil twin or honey pot attacks. It runs on FON or WiFi Pineapple routers. It can create a soft access point with the SSIDs nearby wireless adapters are probing for and run DHCP, DNS, and HTTP servers so clients can connect. The HTTP server can then redirect all requests to a web site. It can also capture and display any clear-text POP, FTP, or HTTP login performed by the victim. Jasager has both web-based and command-line interfaces.
Fake AP runs on Linux and BSD and generates thousands of simulated access points by transmitting SSID beacon frames. Attackers could use it to confuse IT staff or intrusion-detection systems, or you could use it yourself to confuse wardrivers.
Wireless Driver Vulnerabilities
Here's a tool to help find weaknesses in certain wireless adapter device drivers that could make attacks on your network easier:
WiFiDEnum (WiFi Driver Enumerator) is a Windows program that helps identify vulnerable wireless network drivers that are at risk from wireless driver exploits. It scans the wired or wireless network for Windows workstations, collects details about their wireless network adapter drivers, and identifies possible vulnerabilities.
General Network Attacks
Here are a few tools that demonstrate the eavesdropping and attacks we've seen on wired networks for years, which can also work over Wi-Fi:
Nmap (Network Mapper) is an open source TCP/IP scanner you can use to identify hosts and clients on the network; it is available on Linux, Windows, and Mac OS X with a GUI or a command-line interface. It reports what operating system they're running, the services they're using or offering, what type of packet filters or firewalls they're behind, and many other characteristics. This can help you find insecure hosts and ports that may be susceptible to hacking.
Cain and Abel is a password recovery, cracking, and sniffing tool for Windows. Use it to demonstrate, for example, the ability to sniff clear-text passwords sent over the network.
Firesheep is a Firefox add-on that performs HTTP session hijacking, aka sidejacking. It monitors the network for logins from users on sites that exchange the login cookie without using full SSL encryption. Once a cookie is detected, it lists a shortcut to the protected website that an attacker can visit without having to log in.
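The sidejacking Firesheep demonstrates works because the site sets its session cookie without the Secure attribute, so the browser also sends it over plain HTTP where a sniffer on the same Wi-Fi can read it. The following is an added example, not code from this post or from Firesheep, showing the check from the other side: it parses the Set-Cookie headers of a constructed HTTP response, flags every cookie that lacks Secure, and notes the absence of Strict-Transport-Security, then shows a constructed hardened response that passes. Cookie names and values are made up.

```python
# Constructed responses. The first is the shape sidejacking tools look for: a session
# cookie without the Secure flag, which the browser will also send over plain HTTP.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html>...</html>"
)

# The hardened form: Secure on every cookie and HSTS so the browser refuses plain HTTP.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n<html>...</html>"
)


def parse_headers(raw_response: str) -> tuple:
    """Return (cookies, hsts_present); each cookie is a dict of name and attribute flags."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies, hsts = [], False
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = {}
            for p in parts[1:]:
                k, _, v = p.partition("=")
                attrs[k.strip().lower()] = v.strip() or True
            cookies.append({
                "name": parts[0].split("=", 1)[0].strip(),
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
                "samesite": attrs.get("samesite"),
            })
        elif name == "strict-transport-security":
            hsts = True
    return cookies, hsts


def sidejacking_findings(raw_response: str) -> list:
    """Flag what a sniffer on the same network could capture and replay."""
    cookies, hsts = parse_headers(raw_response)
    findings = [(c["name"], "missing Secure: sent over plain HTTP too")
                for c in cookies if not c["secure"]]
    if not hsts:
        findings.append(("*", "no Strict-Transport-Security header"))
    return findings
```

Point this at the raw response of your own login page (for example, saved from a browser's network panel or `curl -si`) rather than the constructed sample; an empty result means the session cookie is never exposed to a passive sniffer on the wireless segment.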
Pen Testing Linux Distributions
If you're serious about penetration testing, consider using a Linux distribution dedicated to it. One of the most popular is BackTrack,
which offers more than 320 preinstalled penetration testing tools you
can use for playing around with networks, web servers and more. You can
install BackTrack to a hard drive or boot it from a Live DVD or USB
flash drive.
Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi with enterprise (802.1X) security, and On Spot Techs, which provides on-site computer services.
Saturday, November 15, 2014
How to hack your own Wi-Fi network
Attempting to "hack" into your own wireless network can help you spot potential Wi-Fi security vulnerabilities and figure out ways to protect against them.