Wireless hacking

Poll without page-refresh

	del.icio.us
	Digg
	Furl
	Reddit
	Rojo
	Add to OnlyWire

In security breaches, wireless hacking is the unauthorized use or penetration of a wireless network. A wireless network can be penetrated in a number of ways. There are methods ranging from those that demand a high level of technological skill and commitment to methods that are less sophisticated and require minimal technological skill. Once within a network a skilled hacker can modify software, network settings, other security items and much more. To counter the security threat of an intrusion into a wireless network, there are many precautions available.

1 Wireless intrusion methods
2 Trivia
3 Other Means of Gaining Access
4 Security Measures
5 How-to information
6 See also
7 Sources

Wireless intrusion methods

The various methods used by hackers that enable them to exploit wireless connections typically begin with finding wireless networks to hack and gathering as much as possible information about it. This is called Network enumeration. ^[1] Finding the networks is often done by WarXing, through the use computer with a network discovery software program such as Kismet, Network stumbler, ... After this, more information is gathered from the network, by eavesdropping the network. This may be done by "sniffing", which is monitoring the data packets transmittted by the wireless network for passwords, ... Sniffing is done through network analyzers or "sniffer"s The information that sniffer programs make available include SSID's, IP's, amount of PC's connected to the network, encryption, MAC-adresses, ... Also, network mappers may be used to figure out which servers are running the network and what their operating system is. SSIDSniff, Blade Software IDS Informer, and commands such as ArPing, ... may be used to gather IP-adresses. This is especially useful if MAC-filtering is turned on. Also, the obtaining of sensitive information such as SSID's, passwords, ... may also accur through specialised searches through common search engines as Google. There are even programs created which can automate these specialised searches (eg SiteDigger) ^[2]

A next step is scanning for open ports, vulnerabilities, ... This is called a Vulnerability assessment. This is done through another network enumerator called a network scanner (eg nessus, fping, nmap, wireshark, Mognet, ...) Also, the vulnerability of the AP itself through its firmware may be looked into through tools such as Pong.

Depending on the outcome of this, the hacker has determined and will often chose the easiest means of entry. This may involve simply breaking the encryption through raw computing power (by network encryption-cracking software), through authentication as a legitimate user through any ports/services that are available/left open, creation of a null session (if the OS running is Windows), Man-in-the-middle attack, Queensland attack, ARP Poisoning, combined attacks (eg DoS-attacks through the use of Packet injectors on specific servers to relocate traffic, ...), ... Posing as a legitimate user requires the wireless network's authentic SSID, BSSID, WiFi-channel, ... ; this may be set using tools as Linux Wireless Extension and Wireless Tools. It may also require a valid MAC-adress which may be obtained via network analyzers, ... and altered through MAC-spoofers as SMAC, MAC Changer or even the ifconfig-command. Access to the entire system through authenthication as a legitimate user may not be available. To break into other (still restricted )parts of the network, Password crackers may be required. A null session is a connection to a freely accessible remote share called IPC$ and allows inmediate read and write access with Windows NT/2000 and read-access with Windows XP and 2003. Also, if the hacker has been able to recover info on the type of hardware used, he can look into online information booklets about the default settings of these devices, allowing (in some cases) access to the network. Websites offering such default settings information (SSID's, WEP-passwords, ...) include CIRT.net ^[3]^[4]^[5]^[6]

Trivia

Lists of miscellaneous information should be avoided. Please relocate any relevant information into appropriate sections or articles. (November 2008)

People and hackers surveying WLANs have already opened up GPS-locations of many WLANs. They have been posted on websites such as wigle.

When a hacker is passively scanning each radio channel that wireless networks are broadcast on to check for activity, they cannot be detected. This, as by passive scanning the presence of that scanner is not revealed since they are not actually transmitting any traceable material to the network at this point.

Detecting a wireless “sniffer” is extremely difficult. It is only after the hacker starts to probe and insert packets into the network that the location of the attacker or the device can be isolated. For some hackers the main goal of an intrusion is to obtain the WEP key. There are several methods that are used to achieve this. The main obstacle to intruders gaining the WEP key is a lack of computing power. The average home computer could take anywhere from hours to days to gain access through weak system frames.

The information that a hacker can collect from sniffing alone is limited; in order to gain all the information that they want hackers must then engage in actively probing a network. In actively probing a network a hacker increases the probability of detection. This risk comes as a result of the packets that are sent to the target in an effort to get back the desired information in return.

Other Means of Gaining Access

Other means available and used by hackers to gain access to a wireless network include virtually probing, lost password and social spying. These methods are not as technologically intensive as virtual intrusions but they nonetheless pose a high security threat.

A wireless probe is when hackers contact users on a network on the pretence of being a vendor that a company normally deals with. The hacker than asks for sensitive information concerning the wireless network. A commonly used example of this is when a hacker pretends to be conducting a survey. They then ask for information about the firewalls, or many other sensitive pieces of information.
The lost password method of intrusion is when the hacker obtains a password to get past an organizations firewall or intrusion detection system. Then the hacker will develop an account for himself so they can access any information they want at any time they want.
The social spying method of intrusion is when hackers spy on everyday people when they are entering passwords. The person targeted does not know that they are the target of the hacker. An example of this is when people enter their PIN while at the ATM, very few take the precaution of protecting this important information.

Although not technically hacking, PC's running the Windows operating system can be inadvertently connected to an unsecured wireless access points. Windows alerts the user when a new wireless access point is found by default, and if no encryption is employed, then it is simply a matter of clicking a single button.

Security Measures

In an effort to protect a wireless network there are several security measures that can be employed.

Encryption of all wireless traffic is the most secure way of reducing both hacking attempts, and successful breaches. There are several wireless encryption types available, including WEP, WPA and WPAv2. WEP is considered insecure, as given enough processing power, it can be broken. That said, WEP will still stop any passive scans, as well as casual hackers.
Altering the network from the manufacturer’s defaults can also discourage hackers. The information about network defaults is easily accessible and will render any security enhancements useless. Settings such as default SSID, default admin password, and disabled encryption are the main items that need addressing.
Data, especially passwords, should be encrypted when travelling over the network. A cracked system without encrypted passwords and other information is totally accessible to hackers.
As with most technology updating security protocols and other information is crucial to maintaining the security of the system.

It is a common misconception that disabling broadcasting of the SSID and enabling MAC filtering is a sufficient security configuration. This is not the case. Disabling the SSID broadcast merely prevents casual nearby wireless users from detecting the presence of your network - war drivers and those who are already aware of your wireless network will not be disadvantaged at all by a disabled SSID. Similarly, MAC address filtering will only prevent accidental connection from casual users - MAC addresses can be spoofed to appear to be that of an authorised workstation or laptop.

How-to information

"Wireless LAN resources for Linux", "Wireless Access Points and ARP Poisoning," "Official Wireless Howto" ^[7], etc. More info may be gathered from books as "Hacking Wireless Networks for Dummies", ... although they were originally meant to secure networks and for ethical hacking, meaning intrusion in order to protect the WLAN better afterwards.

There are also sites providing basic info on wireless hacking such as OLPC wiki, AirMagnet's Vulnerability paper and sites featuring videos on how WEP-protected APcracking is performed with specific (purpose-built) programs. ^[8] ^[9] ^[10] ^[11]

Sources

Peikari, Dr. Cyrus, Fogie, Seth (May 2004) Wireless Hacking Techniques. Maximum Wireless Security Retrieved on June 18, 2006 from http://www.computerworld.com/mobiletopics/mobile/story/0,10801,91313,00.html