6. Wireless hacking
A wireless network is any computer network whose interconnections between nodes (laptops, desktops, printers, etc.) are implemented without the use of wires.
The popularity of wireless technology is driven by two major factors: convenience and cost. A Wireless Local Area Network (WLAN) allows workers to access digital resources without being locked to their desks. Mobile users can connect to a Local Area Network (LAN) through a wireless (radio) connection.
Demand for wireless access to LANs is fueled by the growth of mobile computing devices, such as laptops and personal digital assistants, and by users’ desire for continuous network connections without physically having to plug into wired systems.
For the same reason that WLANs are convenient, their open broadcast infrastructure, they are extremely vulnerable to intrusion and exploitation. Adding a wireless network to an organization’s internal LAN may open a backdoor to the existing wired network.
The IEEE 802.11 standard refers to a family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). This standards effort began in 1989, with the focus on deployment in large enterprise networking environments, effectively a wireless equivalent to Ethernet. The IEEE accepted the specification in 1997. Standard 802.11 specifies an over-the-air interface between a mobile device wireless client and a base station, or between two mobile device wireless clients.
Wireless Standards
• WAP (Wireless Access Point):
A wireless access point is the device from which the wireless network is generated, such as a wireless router or switch.
• SSID (Service Set Identifier):
An SSID is the name of a wireless local area network (WLAN). All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The SSID is also known as the ESSID (Extended Service Set Identifier).
• BSSID (Basic Service Set Identifier):
A BSSID is the MAC (Media Access Control) address, or physical address, of the wireless access point or wireless router. It is a unique 48-bit identifier assigned by the manufacturer of the device and is written in hexadecimal, i.e. the digits 0-9 and A-F.
• For checking your card’s MAC address:
Start > Run > CMD, then type “getmac” at the Command Prompt.
• Beacons:
These are the wireless frames broadcast to maintain connectivity between the wireless access point and client systems. The wireless access point broadcasts beacon frames from time to time to check connectivity with the systems.
• Channel:
It is the frequency at which the wireless signal travels through the air.
• Data Packets:
These are the packets sent and received to transfer data between the wireless access point and client systems. All the data communicated between two computers travels in the form of data packets.
Services provided by Wireless Networks
• Association:
It establishes wireless links between wireless clients and access points in infrastructure networks.
• Re-association:
This action takes place in addition to association when a wireless client moves from one Basic Service Set (BSS) to another, such as in roaming.
• Authentication:
This process proves a client’s identity through the use of the 802.11 option, Wired Equivalent Privacy (WEP). In WEP, a shared key is configured into the access point and its wireless clients. Only those devices with a valid shared key will be allowed to associate with the access point.
• Privacy:
In the 802.11 standard, data are transferred in the clear by default. If confidentiality is desired, the WEP option encrypts data before it is sent wirelessly. The WEP algorithm of the 802.11 Wireless LAN Standard uses a secret key that is shared between a mobile station (for example, a laptop with a wireless Ethernet card) and a base station access point to protect the confidentiality of information being transmitted on the LAN.
Standard Wireless Security Solution
Wireless security policies are developed or enhanced to accommodate the wireless environment. Primary issues will be ownership and control of the wireless network, controlling access to the network, physically securing access points, encrypting, auditing, and the procedures for detecting and handling rogue access points or networks. User security awareness policies should be implemented.
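The policy above calls for procedures to detect rogue access points. The Python below is an added example, not part of the handout: it reviews a set of constructed wireless scan records (SSID, BSSID, channel, security) against an authorized SSID-to-BSSID inventory and flags unknown radios advertising the corporate SSID, authorized radios running below the security policy, and authorized hardware seen under an unexpected name. The inventory, the scan records and the accepted-security set are assumptions.

```python
"""Rogue access point review over wireless scan records.

Added example, not part of the original handout. AUTHORIZED, SAMPLE_SCAN and
ACCEPTED_SECURITY are constructed/assumed values; in practice the inventory
comes from the AP management system and the scan from a site survey or WIDS.
"""
from dataclasses import dataclass

# Authorized inventory: SSID -> BSSIDs (AP radio MAC addresses) the organization owns. Constructed.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}
# Policy assumption: anything weaker than these is reported.
ACCEPTED_SECURITY = {"wpa2", "wpa3"}


@dataclass(frozen=True)
class ScanRecord:
    ssid: str       # name carried in beacon frames ("" for a hidden network)
    bssid: str      # MAC address of the access point radio
    channel: int
    security: str   # "open", "wep", "wpa", "wpa2", "wpa3"


def canon(mac: str) -> str:
    """Lower-case, colon-separated form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def classify(record, authorized=AUTHORIZED):
    """Return one finding string for the record, or None if it needs no attention."""
    bssid = canon(record.bssid)
    owned = {canon(b): ssid for ssid, bssids in authorized.items() for b in bssids}
    if record.ssid in authorized:
        if owned.get(bssid) != record.ssid:
            # Unknown radio announcing our network name: the classic "evil twin" rogue AP.
            return f"ROGUE: unknown BSSID {bssid} advertising authorized SSID {record.ssid!r}"
        if record.security not in ACCEPTED_SECURITY:
            # Our own AP, but configured below policy (e.g. WEP or open).
            return f"WEAK: authorized AP {bssid} uses {record.security!r} on {record.ssid!r}"
        return None
    if bssid in owned:
        # Our hardware (or a copy of its address) seen under a name we do not use.
        return f"MISMATCH: authorized BSSID {bssid} advertising unexpected SSID {record.ssid!r}"
    # Everything else is a neighbour; record it so the broadcast bubble around us is known.
    return f"INFO: neighbouring network {record.ssid!r} ({bssid}, channel {record.channel}, {record.security})"


def review(records, authorized=AUTHORIZED):
    """Findings for all records, in scan order, skipping records that are fine."""
    findings = []
    for r in records:
        f = classify(r, authorized)
        if f is not None:
            findings.append(f)
    return findings


SAMPLE_SCAN = [  # constructed scan output
    ScanRecord("CorpWiFi", "00:11:22:AA:BB:01", 6, "wpa2"),     # fine
    ScanRecord("CorpWiFi", "00-11-22-AA-BB-02", 11, "wep"),     # our AP, weak config
    ScanRecord("CorpWiFi", "de:ad:be:ef:00:01", 6, "open"),     # evil twin
    ScanRecord("Guest-Temp", "00:11:22:aa:bb:02", 11, "wpa2"),  # our hardware, wrong name
    ScanRecord("CoffeeShop", "66:77:88:99:aa:bb", 1, "wpa2"),   # neighbour
]

if __name__ == "__main__":
    for finding in review(SAMPLE_SCAN):
        print(finding)
```

Running a review like this on every site survey turns the "detecting and handling rogue access points" item of the policy into a repeatable check; the INFO lines are kept because the neighbouring networks define the broadcast bubble the later section describes.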
SSID Solution
Wireless equipment manufacturers use a default Service Set ID (SSID) to identify the network to wireless clients. Access points often broadcast the SSID to provide clients with a list of networks that can be accessed. Unfortunately, this also lets potential intruders identify the network they wish to attack. If the SSID is set to the manufacturer default, it often means that the other configuration settings (such as passwords) are at their defaults as well.
Good security policy is to disable SSID broadcasting entirely. If a network listing is a requirement for network users, then changing the SSID to something other than the default that does not identify the company or location is a must. Be sure to change all other default settings as well to reduce the risk of a successful attack.
MAC address filtering
Some 802.11 access point devices have the ability to restrict access to only those devices that present a specific identification value, such as a MAC address. Some access point devices also allow for a table of permitted and denied MAC addresses, which lets a device administrator specify the exact remote devices that are authorized to make use of the wireless service. Client computers are identified by the unique MAC address of their IEEE 802.11 network card. To secure an access point using MAC address filtering, each access point must have a list of authorized client MAC addresses in its access control list.
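To make the filtering mechanism concrete, here is an added Python example (not from the handout) that parses a 48-bit MAC address as described in the BSSID definition earlier, exposes its manufacturer (OUI) prefix and the two flag bits of the first octet, and applies an access-point allow list to a client address. The allow list and the client addresses are constructed values.

```python
"""MAC address structure and an allow-list ("MAC filtering") decision.

Added example, not from the handout. ALLOW_LIST and the client addresses are
constructed values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MacAddress:
    octets: bytes  # exactly six octets = 48 bits

    @classmethod
    def parse(cls, text: str) -> "MacAddress":
        """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC (the form getmac prints) or 001122aabbcc."""
        digits = re.sub(r"[:\-.\s]", "", text.strip().lower())
        if not re.fullmatch(r"[0-9a-f]{12}", digits):
            raise ValueError(f"not a 48-bit MAC address: {text!r}")
        return cls(bytes.fromhex(digits))

    def __str__(self) -> str:
        return ":".join(f"{b:02x}" for b in self.octets)

    @property
    def oui(self) -> str:
        """Organizationally Unique Identifier: the manufacturer-assigned first three octets."""
        return ":".join(f"{b:02x}" for b in self.octets[:3])

    @property
    def is_group(self) -> bool:
        """I/G bit (0x01 of the first octet): 1 = multicast/broadcast, never a single station."""
        return bool(self.octets[0] & 0x01)

    @property
    def is_locally_administered(self) -> bool:
        """U/L bit (0x02 of the first octet): 1 = address set by software, not burned in by the vendor."""
        return bool(self.octets[0] & 0x02)


def mac_filter_decision(client_mac: str, allow_list):
    """Return (allowed, reason) the way an AP with a MAC access control list decides.

    The decision rests only on the address the client presents, which is why the
    handout notes that MAC filtering is defeated by spoofing. The U/L flag is a
    cheap hint that an address was configured in software rather than by the vendor."""
    mac = MacAddress.parse(client_mac)
    allowed = {str(MacAddress.parse(a)) for a in allow_list}
    if mac.is_group:
        return False, "group address cannot identify a station"
    if str(mac) not in allowed:
        return False, f"{mac} not in access control list"
    if mac.is_locally_administered:
        return True, f"{mac} allowed, but U/L bit set: address was assigned in software"
    return True, f"{mac} allowed (OUI {mac.oui})"


ALLOW_LIST = ["00-11-22-AA-BB-CC", "02:00:00:00:00:01"]  # constructed

if __name__ == "__main__":
    for client in ["001122aabbcc", "02:00:00:00:00:01", "00:11:22:aa:bb:cd", "01:00:5e:00:00:01"]:
        print(client, "->", mac_filter_decision(client, ALLOW_LIST))
```

The U/L bit is only a hint: modern phones and laptops that randomize their Wi-Fi address for privacy also set it, so an allowed address with the bit set deserves a second look rather than an automatic block.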
WEP key encryption
The IEEE 802.11b standard defines an optional encryption scheme called Wired Equivalent Privacy (WEP), which creates a mechanism for securing wireless LAN data streams. WEP was part of the original IEEE 802.11 wireless standard. These algorithms enable RC4-based, 40-bit data encryption in an effort to prevent an intruder from accessing the network and capturing wireless LAN traffic.
WEP’s goal is to provide a level of security and privacy comparable to a wired Ethernet 802.3 LAN. WEP uses a symmetric scheme where the same key and algorithm are used for both encryption and decryption of data. WEP is disabled by default on most wireless network equipment.
Wireless security Overview
Two methods exist for authenticating wireless LAN clients to an access point: open system or shared key authentication.
1. Open system does not provide any security mechanisms but is simply a request to make a connection to the network.
2. Shared key authentication has the wireless client hash a string of challenge text with the WEP key to authenticate to the network.
Wireless Attacks
Broadcast Bubble:
One of the problems with wireless is that the radio waves that connect network devices do not simply stop once they reach a wall or the boundary of a business. They keep traveling into parking lots and other businesses in an expanding circle from the broadcast point, creating a ‘bubble’ of transmission radiation. This introduces the risk that unintended parties can eavesdrop on network traffic from parking areas or any other place where a laptop can be set up to intercept the signals.
War Driving:
War driving is discovering the wireless networks present within range of a wireless card. Common war driving exploits find many wireless networks with WEP disabled and using only the SSID for access control. This vulnerability makes these networks susceptible to the parking lot attack, where an attacker has the ability to gain access to the target network from a safe distance outside the building’s perimeter.
War driving is of two types:
1. Active War Driving
2. Passive War Driving
Active War Driving:
Active war driving is detecting the wireless networks whose SSIDs are broadcast, i.e. the wireless networks which are shown to all wireless adapters. It can be done with any wireless card.
Passive War Driving:
Passive war driving is detecting the wireless networks whose SSIDs are not broadcast, i.e. hidden wireless networks. The wireless card must support monitor mode for passive war driving.
MAC spoofing
Even if WEP is enabled, MAC addresses can easily be sniffed by an attacker because they must appear in the clear, which also makes spoofing a MAC address fairly easy. An attacker can use this “advantage” to masquerade as a valid MAC address, by programming the wireless card or using a spoofing utility, and get into the wireless network.
WEP cracking
• Wired Equivalent Privacy (WEP) was the first security option for 802.11 WLANs. WEP is used to encrypt data on the WLAN and can optionally be paired with shared key authentication to authenticate WLAN clients. WEP uses an RC4 64-bit or 128-bit encryption key.
• WEP was fairly quickly found to be crackable. WEP is vulnerable because of its relatively short and weak encryption. The security of the WEP algorithm can be compromised.
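The bullets above say WEP's encryption is short and weak. The following added Python example (not from the handout, and not a WEP implementation: no 802.11 frame format and no CRC-32 integrity value) shows the mechanism behind that statement with constructed keys and plaintexts. WEP builds each frame's RC4 key as the 24-bit IV, sent in the clear, followed by the 40-bit secret, so the "64-bit key" holds only 40 secret bits, and whenever an IV repeats the same keystream is reused, which cancels the secret out of the XOR of the two ciphertexts. A birthday-bound estimate of how many frames a random IV lasts before repeating is included.

```python
"""Why WEP's per-frame RC4 key is weak: a toy illustration.

Added example, not from the handout and not a WEP implementation (no 802.11
frame format, no CRC-32 integrity value). Keys and plaintexts are constructed.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR the data with the keystream (the same call encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_frame_key(iv: bytes, secret: bytes) -> bytes:
    """WEP's per-frame RC4 key is IV || secret: a 3-byte IV plus a 5-byte secret
    gives the '64-bit key' (13-byte secret for '128-bit'), so only 40 (or 104)
    bits are actually secret."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret")
    return iv + secret


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent over the air: the IV in the clear, then the RC4 ciphertext."""
    return iv + rc4_crypt(wep_frame_key(iv, secret), plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, secret: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV use the same keystream, so c1 XOR c2 == p1 XOR p2:
    the secret cancels out and the relationship between the two plaintexts is exposed."""
    c1 = wep_encrypt(iv, secret, p1)[3:]       # strip the clear-text IV
    c2 = wep_encrypt(iv, secret, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate sqrt(pi/2 * 2**n) of frames sent before a random IV repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    secret = b"ABCDE"                          # constructed 40-bit secret
    iv = b"\x01\x02\x03"                       # constructed IV
    print("same IV leaks p1 XOR p2:", keystream_reuse_leak(iv, secret, b"GET /index.html", b"POST /login    "))
    print("frames until an IV repeats (estimate):", round(expected_frames_until_iv_repeat()))
```

On a busy access point a few thousand frames take seconds, so IV repetition is a certainty rather than a corner case; the TKIP key rotation described under WPA later in this handout is the standard's answer to exactly this keystream reuse.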
Countermeasures for Wireless attacks
Hide the Wireless Network:
Do not broadcast the SSID of the wireless network. This helps protect your wireless network by making it invisible to people who do not know about passive war driving.
Use a Secured Key:
You can use WEP key protection on your wireless network to protect your wireless network connection. Although this is not the ultimate security measure, it will help you a lot against the script kiddies who do not know how to break WEP protection.
WPA: Wi-Fi Protected Access
• WPA employs the Temporal Key Integrity Protocol (TKIP), a safer RC4 implementation, for data encryption and either WPA Personal or WPA Enterprise for authentication.
• WPA Enterprise is a more robust security option but relies on the creation and more complex setup of a RADIUS server. TKIP rotates the data encryption key to prevent the vulnerabilities of WEP and, consequently, cracking attacks.
MAC Filtering
An early security solution in WLAN technology used MAC address filters: a network administrator entered a list of valid MAC addresses for the systems allowed to associate with the wireless access point.
Choosing the Best Key
Always use a long WPA key with lower- and upper-case letters, numbers and special characters.
Sample Key: 12345@abcde&FGHI
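As an added example (not from the handout), the Python below checks a WPA passphrase against the advice above and derives the WPA/WPA2-Personal pre-shared key the way IEEE 802.11i specifies it: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256-bit output. That derivation is also why the SSID Solution section's advice to change the default SSID matters for key strength: a default SSID is a default salt. The 16-character minimum is an assumption taken from the length of the sample key; the 8 to 63 printable-ASCII range is the standard's.

```python
"""WPA/WPA2-Personal passphrase policy check and PSK derivation.

Added example, not from the handout. The 16-character minimum is an assumed
policy value; the 8-63 ASCII range and the PBKDF2 parameters are those of
IEEE 802.11i for WPA-PSK.
"""
import hashlib
import string

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def wpa_constraints(passphrase: str) -> list:
    """What the standard itself requires of a WPA passphrase: 8-63 printable ASCII characters."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("WPA passphrase must be printable ASCII")
    return problems


def passphrase_policy(passphrase: str, min_len: int = 16) -> list:
    """The standard's constraints plus the handout's advice (long, all four character classes).
    Returns the list of problems; an empty list means the passphrase passes."""
    problems = wpa_constraints(passphrase)
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = [name for name, cls in CHARACTER_CLASSES.items()
               if not any(c in cls for c in passphrase)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    return problems


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (which WPA-Personal uses directly as the PMK) =
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt: the same passphrase gives a different key on every
    differently named network, and a default SSID means a default salt."""
    if wpa_constraints(passphrase):
        raise ValueError("passphrase violates WPA constraints: " + "; ".join(wpa_constraints(passphrase)))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    for candidate in ["12345@abcde&FGHI", "Short1!a", "correcthorsebatterystaple"]:
        print(candidate, "->", passphrase_policy(candidate) or "passes")
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print("PSK(password, IEEE) =", wpa_psk("password", "IEEE").hex())
```

The policy function reports the handout's sample key as passing every character-class rule; the PSK function shows that even a strong passphrase is bound to the network name, so the SSID is part of the key material and not just a label.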
Facebook: Tanyaradzwa Slim Passville (Sir Warlock) or Walllock Cyber Security WCS
Email: tanyahslim3@[Link]
Walllockcybersec@[Link]