I hacked my secure wireless network: here’s how it’s done

[Undeath]

Wireless networks are everywhere; they are widely available, cheap, and easy to setup. To avoid the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of enjoying this wireless freedom, I began thinking about security. How secure is my wireless network? I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy, few said it was hard.

How a wireless network works

A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs), or clients.

Access points are base stations for the wireless network. They receive and transmit information for the clients to communicate with.

The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an Identification known as a BSSID, also known as the MAC address, which is a unique identifier that is associated with every NIC.

For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points typically broadcast their SSID to let the clients know that an AP is in range.

Data streams, known as packets, are sent between the Access Point, and it’s clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is with the transmission of these packets that pose the largest security threat to any wireless network.

Wireless Encryption

The majority of home and small business networks are encrypted using the two most popular methods:

WEP

WEP – Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)

WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.

WPA

WPA – WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.

To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.

Packets and IVs

It’s all in the packets. The bottom line is – while you may be able to employ several security features on your WLAN – anything you broadcast over the air can be intercepted, and could be used to compromise the security on your network. If that frightens you, start stringing wires throughout your home.

Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.

The problem with this method is that the Initialization Vectors are not always the same. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24 bit IV; therefore, giving the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it’s not.

Every IV is not different; and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.

If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network’s security can be compromised.

The Setup

My wireless network was powered by a Linksys WRT54G v6 wireless router; It is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with 1 CD which was nothing more than a visual step by step, what you should do to connect it.

A few things concern me with this router. There was no part in the setup that allowed me, or even told me to change my router’s default password. To change the password, I had to go into the router’s web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. If someone was able to compromise the security on my network, they could have easily done this for me; and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I’d have little luck without the Internet or any documentation to help.

If you’re looking to find your default username and password, there is quite a comprehensive list located at PHENOELIT My advice is to change this immediately, for it may save you some trouble down the road.

Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption; it required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.

Hardware

Out of everything I’ve experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.

When selecting hardware, be warned, not all network cards are the equal. It turns out that nearly 99% of the software used to crack network keys are not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn’t work.

9 out of every 10 articles I read boasted the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and most compatible will all the good software. A trip to E-Bay, $30 later, and I was ready.

The software we will be using is strictly dependent on the chipset of the WNIC, and unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.

There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipset.

All the best programs are made for Linux; windows is certainly a drag when it comes to WLAN penetrating software, but if you don’t have Linux, don’t be too concerned.

It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I’m compromising my own network in a short range, it won’t be necessary.

Click for more (@2009 but useful)

Edited November 6, 2013 by Undeath

[yo20063]

Don't want to be an critic, but there is a section here with wireless, and all about this is explained there.

Truly the WEP protection is weak, and can be "hacked" by capturing packets, but nowdays you will find that 90% of routers use WPA, wich needs a handshake and dictionary atack to get the key. You should post about WPS, wich is included in most routers today, and can be bruteforce more easily because it is an 8 digits key.