[hide]This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
Cracking a wireless network is defeating the security of a wireless local-area network (wireless LAN). A commonly used wireless LAN is a Wi-Fi network. Wireless LANs have inherent security weaknesses from which wired networks are exempt.
Wireless cracking is an information network attack similar to a direct intrusion. Two frequent types of vulnerabilities in wireless LANs are those caused by poor configuration, and those caused by weak encryption or flawed security protocols.
- 1Wireless network basics
- 2Wireless network frames
- 3Reconnaissance of wireless networks
- 3.5Analysers of AirMagnet
- 4Penetration of a wireless network
- 4.1Encryption types and their attacks
- 4.1.1Wired Equivalent Privacy (WEP)
- 4.1.2Wi-Fi Protected Access (WPA/WPA2)
- 4.5MAC address filtering and its attack
- 4.1Encryption types and their attacks
- 5Reconnaissance of the local-area network
- 5.3Host scanning
- 6Port scanning
- 6.1Open ports
- 6.2Common ports
- 6.3Specifying ports
- 6.4Specifying targets
- 6.5Specifying scan type
- 6.5.1TCP SYN scan
- 6.5.2TCP connect scan
- 6.5.3TCP null scan
- 6.5.4UDP empty packet scan
- 6.5.5UDP application data scan
- 6.6Specifying scan speed
- 6.7Application identification
- 6.8Operating system identification
- 6.9Saving output
- 7Vulnerability scanning
- 8Exploitation of a vulnerability
- 9Maintaining control
- 9.1Back doors
- 9.3Further reading
- 10Prevention and Protection
- 10.1Further reading
- 11.1Further reading
- 12.1The Netherlands
- 13Crackers and society
- 13.1Naming of crackers
- 13.1.1See also
- 13.2Further reading
- 13.1Naming of crackers
- 14Theoretical information
- 15Practical information
- 15.3Commercial information
- 17See also
Wireless network basics
- Wireless local-area networks are based on IEEE 802.11. This is a set of standards defined by the Institute of Electrical and Electronics Engineers.
- 802.11 networks are either infrastructure networks or ad hoc networks. By default, people refer to infrastructure networks. Infrastructure networks are composed of one or more access points that coordinate the wireless traffic between the nodes and often connect the nodes to a wired network, acting as a bridge or a router.
- Each access point constitutes a network that is named a basic service set or BSS. A BSS is identified by a BSSID, usually the MAC address of the access point.
- Each access point is part of an extended service set or ESS, which is identified by an ESSID or SSID in short, usually a character string.
- A basic service set consists of one access point and several wireless clients. An extended service set is a configuration with multiple access points and roaming capabilities for the clients. An independent basic service set or IBSS is the ad hoc configuration. This configuration allows wireless clients to connect to each other directly, without an access point as a central manager.
- Access points broadcast a signal regularly to make the network known to clients. They relay traffic from one wireless client to another. Access points may determine which clients may connect, and when clients do, they are said to be associated with the access point. To obtain access to an access point, both the BSSID and the SSID are required.
- Ad hoc networks have no access point for central coordination. Each node connects in a peer-to-peer way. This configuration is an independent basic service set or IBSS. Ad hoc networks also have an SSID.
Wireless network frames
802.11 networks use data frames, management frames, and control frames. Data frames convey the real data, and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the ether and prevent access points and clients from interfering with each other in the ether. Some information on management frames will be helpful to better understand what programs for reconnaissance do.
- Beacon frames are used primarily in reconnaissance. They advertise the existence and basic configuration of the network. Each frame contains the BSSID, the SSID, and some information on basic authentication and encryption. Clients use the flow of beacon frames to monitor the signal strength of their access point.
- Probe request frames are almost the same as the beacon frames. A probe request frame is sent from a client when it wants to connect to a wireless network. It contains information about the requested network.
- Probe response frames are sent to clients to answer probe request frames. One response frame answers each request frame, and it contains information on the capabilities and configurations of the network. Useful for reconnaissance.
- Authentication request frames are sent by clients when they want to connect to a network. Authentication precedes association in infrastructure networks. Either open authentication or shared key authentication is possible. After serious flaws were found in shared key authentication, most networks switched to open authentication, combined with a stronger authentication method applied after the association phase.
- Authentication response frames are sent to clients to answer authentication request frames. There is one answer to each request, and it contains either status information or a challenge related to shared key authentication.
- Association request frames are sent by clients to associate with the network. An association request frame contains much of the same information as the probe request contains, and it must have the SSID. This can be used to obtain the SSID when a network is configured to hide the SSID in beacon frames.
- Association response frames are sent to clients to answer an association request frame. They contain a bit of network information and indicate whether the association was successful.
- Deauthentication and disassociation frames are sent to a node to notify that an authentication or an association has failed and must be established anew.
Reconnaissance of wireless networks
Wardriving is a common method of wireless network reconnaissance. A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and can connect to the internet wirelessly. The purpose of wardriving is to locate a wireless network and to collect information about its configuration and associated clients.
The laptop computer and the wireless card must support a mode called monitor or rfmon.
Netstumbler is a network discovery program for Windows. It is free. Netstumbler has become one of the most popular programs for wardriving and wireless reconnaissance, although it has a disadvantage. It can be detected easily by most wireless intrusion detection systems, because it actively probes a network to collect information. Netstumbler has integrated support for a GPS unit. With this support, Netstumbler displays GPS coordinate information next to the information about each discovered network, which can be useful for finding specific networks again after having sorted out collected data.
The latest release of Netstumbler is of 1 April 2004. It does not work well with 64-bit Windows XP or Windows Vista.
inSSIDer is a Wi-Fi network scanner for the 32-bit and 64-bit versions of Windows XP, Vista, 7, Windows 8 and Android. It is free and open source. The software uses the current wireless card or a wireless USB adapter and supports most GPS devices (namely those that use NMEA 2.3 or higher). Its graphical user interfaceshows MAC address, SSID, signal strength, hardware brand, security, and network type of nearby Wi-Fi networks. It can also track the strength of the signals and show them in a time graph.
Kismet is a wireless network traffic analyser for OS X, Linux, OpenBSD, NetBSD, and FreeBSD. It is free and open source. Kismet has become the most popular program for serious wardrivers. It offers a rich set of features, including deep analysis of captured traffic.
Wireshark is a packet sniffer and network traffic analyser that can run on all popular operating systems, but support for the capture of wireless traffic is limited. It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with other programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.
Analysers of AirMagnet
AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.
Androdumpper is an Android APK that is used to test and hack WPS Wireless routers which have a vulnerability by using algorithms to hack into that WIFI network. It runs best on Android version 5.0+
Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It has become the industrial standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to use it to its ability.
KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and WEP cracking.
Penetration of a wireless network
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption. Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings – the default configuration – access is obtained simply by association. Without sufficient security settings, networks can easily be defeated by cloaking and/or MAC address filtering. Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access (WPA) and Cisco’s Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks.
Encryption types and their attacks
Wired Equivalent Privacy (WEP)
This article’s factual accuracy may be compromised due to out-of-date information.(January 2013)
WEP was the encryption standard firstly available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an initialisation vector of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadecimal key. There are two methods for cracking WEP: the FMS attack and the chopping attack. The FMS attack – named after Fluhrer, Mantin, and Shamir – is based on a weakness of the RC4 encryption algorithm . The researchers found that 9000 of the possible 16 million initialisation vectors can be considered weak, and collecting enough of them allows the determination of the encryption key. To crack the WEP key in most cases, 5 million encrypted packets must be captured to collect about 3000 weak initialisation vectors. (In some cases 1500 vectors will do, in some other cases more than 5000 are needed for success.) The weak initialisation vectors are supplied to the Key Scheduling Algorithm (KSA) and the Pseudo Random Generator (PRNG) to determine the first byte of the WEP key. This procedure is then repeated for the remaining bytes of the key. The chopping attack chops the last byte off from the captured encrypted packets. This breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). When all 8 bits of the removed byte were zero, the CRC of the shortened packet is made valid again by manipulation of the last four bytes. This manipulation is: result = original XOR certain value. The manipulated packet can then be retransmitted. This method enables the determination of the key by collecting unique initialisation vectors. The main problem with both the FMS attack and the chopping attack is that capturing enough packets can take weeks or sometimes months. Fortunately, the speed of capturing packets can be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then transmitted to the access point repeatedly until enough response packets have been captured. ARP packets are a good choice because they have a recognizable size of 28 bytes. Waiting for a legitimate ARP packet can take awhile. ARP packets are most commonly transmitted during an authentication process. Rather than waiting for that, sending a deauthentication frame that pushes a client off the network will require that client to reauthenticate. This often creates an ARP packet.
Wi-Fi Protected Access (WPA/WPA2)
WPA was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK) or is used in combination with a RADIUS server (WPA-RADIUS). For its encryption algorithm, WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES). WPA2 was developed because of some vulnerabilities of WPA-PSK and to strengthen the encryption further. WPA2 uses both TKIP and AES, and requires not only an encryption piece but also an authentication piece. A form of the Extensible Authentication Protocol (EAP) is deployed for this piece. WPA-PSK can be attacked when the PSK is shorter than 21 characters. Firstly, the four-way EAP Over LAN (EAPOL) handshake must be captured. This can be captured during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients. Secondly, each word of a word-list must be hashed with the Hashed Message Authentication Code – Secure Hash Algorithm 1 and two so called nonce values, along with the MAC address of the client that asked for authentication and the MAC address of the access point that gave authentication. Word-lists can be found at. LEAP uses a variation of Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2). This handshake uses the Data Encryption Standard (DES) for key selection. LEAP can be cracked with a dictionary attack. The attack involves capturing an authentication sequence and then comparing the last two bytes of a captured response with those generated with a word-list. WPA-RADIUS cannot be cracked.However, if the RADIUS authentication server itself can be cracked, then the whole network is imperilled. The security of authentication servers is often neglected.WPA2 can be attacked by using the WPA-PSK attack, but is largely ineffective.
Aircrack-ng runs on Windows and Linux, and can crack WEP and WPA-PSK. It can use the Pychkine-Tews-Weinmann and KoreK attacks, both are statistical methods that are more efficient than the traditional FMS attack. Aircrack-ng consists of components. Airmon-ng configures the wireless network card. Airodump-ng captures the frames. Aireplay-ng generates traffic. Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts all packets that were captured. Thus, aircrack-ng is the name of the suite and also of one of the components.
CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started using a command-line interface, specifying a word-list that contains the passphrase, a dump file that contains the four-way EAPOL handshake, and the SSID of the network.
Void11 is a program that deauthenticates clients. It runs on Linux.
MAC address filtering and its attack
MAC address filtering can be used alone as an ineffective security measure, or in combination with encryption. The attack is determining an allowed MAC address, and then changing the MAC address of the attacker to that address. EtherChange is one of the many programs available to change the MAC address of network adapters. It runs on Windows.
Penetration testing of a wireless network is often a stepping stone for penetration testing of the internal network. The wireless network then serves as a so-called entry vector. If WPA-RADIUS is in use at a target site, another entry vector must be investigated.
Reconnaissance of the local-area network
A ‘wireless’ sniffer can find IP addresses, which is helpful for network mapping.
Access points usually connect the nodes of a wireless network to a wired network as a bridge or a router. Both a bridge and a router use a routing table to forward packets.
Finding relevant and reachable IP addresses is the objective of the reconnaissance phase of attacking an organization over the Internet. The relevant IP addresses are determined by collecting as many DNS host names as possible and translating them to IP addresses and IP address ranges. This is called footprinting.
A search engine is the key for finding as much information as possible about a target. In many cases, organizations do not want to protect all their resources from internet access. For instance, a web server must be accessible. Many organizations additionally have email servers, FTP servers, and other systems that must be accessible over the internet. The IP addresses of an organization are often grouped together. If one IP address has been found, the rest probably can be found around it.
Name servers store tables that show how domain names must be translated to IP addresses and vice versa. With Windows, the command NSLookup can be used to query DNS servers. When the word help is entered at NSLookup’s prompt, a list of all commands is given. With Linux, the command dig can be used to query DNS servers. It displays a list of options when invoked with the option -h only. And the command host reverses IP addresses to hostnames. The program nmap can be used as a reverse DNS walker: nmap -sL 188.8.131.52-30 gives the reverse entries for the given range.
ARIN, RIPE, APNIC, LACNIC, and AFRINIC are the five Regional Internet Registries that are responsible for the assignment and registration of IP addresses. All have a website with which their databases can be searched for the owner of an IP address. Some of the Registries respond to a search for the name of an organization with a list of all IP address ranges that are assigned to the name. However, the records of the Registries are not always correct and are in most cases useless.
Probably most computers with access to the internet receive their IP address dynamically by DHCP. This protocol has become more popular over the last years because of a decrease of available IP addresses and an increase of large networks that are dynamic. DHCP is particularly important when many employees take a portable computer from one office to another. The router/firewall device that people use at home to connect to the internet probably also functions as a DHCP server.
Nowadays many router/DHCP devices perform Network Address Translation (NAT). The NAT device is a gateway between the local network and the internet. Seen from the internet, the NAT device seems to be a single host. With NAT, the local network can use any IP address space. Some IP address ranges are reserved for private networks. These ranges are typically used for the local area network behind a NAT device, and they are: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255.
The relevant IP addresses must be narrowed down to those that are reachable. For this purpose, the process of scanning enters on the scene.
Once access to a wireless network has been gained, it is helpful to determine the network’s topology, including the names of the computers connected to the network. Nmap can be used for this, which is available in a Windows and a Linux version. However, Nmap does not provide the user with a network diagram. The network scanner Network View that runs on Windows does. The program asks for one IP address or an IP address range. When the program has finished scanning, it displays a map of the network using different pictures for routers, workstations, servers, and laptops, all with their names added.
The most direct method for finding hosts on a LAN is using the program ping. When using a modern flavour of Unix, shell commands can be combined to produce custom ping-sweeps. When using Windows, the command-line can also be used to create a ping-sweep. Examples are given in the reference.
Ping-sweeps are also known as host scans. Nmap can be used for a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups.
Ping packets could reliably determine whether a computer was on line at a specified IP address. Nowadays these ICMP echo request packets are sometimes blocked by the firewall of an operating system. Although Nmap also probes TCP port 80, specifying more TCP ports to probe is recommended when pings are blocked. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. And by combining various options as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30, superb host scanning is achieved.
Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.
The purpose of port scanning is finding the open ports on the computers that were found with a host scan. When a port scan is started on a network without making use of the results of a host scan, much time is wasted when many IP addresses in the address range are vacant.
Most programs that communicate over the internet use either the TCP or the UDP protocol. Both protocols support 65536 so called ports that programs can choose to bind to. This allows programs to run concurrently on one IP address. Most programs have default ports that are most often used. For example, HTTP servers commonly use TCP port 80.
Network scanners try to connect to TCP or UDP ports. When a port accepts a connection, it can be assumed that the commonly bound program is running.
TCP connections begin with a SYN packet being sent from client to server. The server responds with a SYN/ACK packet. Finally, the client sends an ACK packet. When the scanner sends a SYN packet and gets the SYN/ACK packet back, the port is considered open. When a RST packet is received instead, the port is considered closed. When no response is received the port is either considered filtered by a firewall or there is no running host at the IP address.
Scanning UDP ports is more difficult because UDP does not use handshakes and programs tend to discard UDP packets that they cannot process. When an UDP packet is sent to a port that has no program bound to it, an ICMP error packet is returned. That port can then be considered closed. When no answer is received, the port can be considered either filtered by a firewall or open. Many people abandoned UDP scanning because simple UDP scanners cannot distinguish between filtered and open ports.
Although it is most thorough to scan all 65536 ports, this would take more time than scanning only the most common ports. Therefore, Nmap scans 1667 TCP ports by default (in 2007).
The -p option instructs Nmap to scan specified ports, as in nmap -p 21-25,80,100-160 10.150.9.46. Specifying TCP and UDP ports is also possible, as in nmap -pT:21-25,80,U:5000-5500 10.150.9.46.
Nmap always requires the specification of a host or hosts to scan. A single host can be specified with an IP address or a domain name. Multiple hosts can be specified with IP address ranges. Examples are 184.108.40.206, www.company.com, and 10.1.50.1-5,250-254.
Specifying scan type
TCP SYN scan
Nmap performs a TCP SYN scan by default. In this scan, the packets have only their SYN flag set. The -sS option specifies the default explicitly. When Nmap is started with administrator privileges, this default scan takes effect. When Nmap is started with user privileges, a connect scan is performed.
TCP connect scan
The -sT option instructs Nmap to establish a full connection. This scan is inferior to the previous because an additional packet must be sent and logging by the target is more likely. The connect scan is performed when Nmap is executed with user privileges or when IPv6 addresses are scanned.
TCP null scan
The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.
UDP empty packet scan
The -sU option instructs Nmap to send UDP packets with no data. When an ICMP error is returned, the port can be assumed closed. When no response is received, the port can be assumed open or filtered. No differentiation between open and filtered ports is a severe limitation.
UDP application data scan
The -sU -sV options instruct Nmap to use application data for application identification. This combination of options can lead to very slow scanning.
Specifying scan speed
When packets are sent to a network faster than it can cope with they will be dropped. This leads to inaccurate scanning results. When an intrusion detection system or intrusion prevention system is present on the target network, detection becomes more likely as speed increases. Many IPS devices and firewalls respond to a storm of SYN packets by enabling SYN cookies that make appear every port to be open. Full speed scans can even wreak havoc on stateful network devices.
Nmap provides five templates for adjusting speed and also adapts itself. The -T0 option makes it wait for 5 minutes before the next packet is sent, the -T1 option makes it wait for 15 seconds, -T2 inserts 0.4 seconds, -T3 is the default (which leaves timing settings unchanged), -T4 reduces time-outs and retransmissions to speed things up slightly, and -T5 reduces time-outs and retransmissions even more to speed things up significantly. Modern IDS/IPS devices can detect scans that use the -T1 option. The user can also define a new template of settings and use it instead of a provided one.
The -sV option instructs Nmap to also determine the version of a running application.
Operating system identification
The -O option instructs Nmap to try to determine the operating systems of the targets. Specially crafted packets are sent to open and closed ports and the responses are compared with a database.
The -oX <filename> option instructs Nmap to save the output to a file in XML format.
A vulnerability is a bug in an application program that affects security. They are made public on places such as the BugTraq and the Full-Disclosure mailing lists. The Computer Emergency Response Team (CERT) brings out a statistical report every year. There were 8064 vulnerabilities counted in 2006 alone.
Vulnerability scanning is determining whether known vulnerabilities are present on a target.
Nessus is probably the best known vulnerability scanner. It is free and has versions for Windows, OS X, Linux, and FreeBSD. Nessus uses plug-ins to find vulnerabilities by sort. Updated plug-ins are regularly released.
Nessus offers a non-intrusive scan, an intrusive scan that can harm the target, and a custom scan. A scan requires the IP addresses or domain names of the targets. Nessus begins with a port scan to identify the programs that are running and the operating systems of the targets. It ends with a report that specifies all open ports and their associated vulnerabilities.
Nikto is a web scanner that can identify vulnerable applications and dangerous files. It is open source software and has versions for Windows and Linux. The program uses a command-line interface of the operating system.
Exploitation of a vulnerability
An exploit takes advantage of a bug in an application. This can take effect in the execution of arbitrary commands by inserting them in the execution path of the program. Escalation of privileges, bypass of authentication, or infringement of confidentiality can be the result.
The Metasploit framework was released in 2003. This framework provided for the first time:
- a single exploit database with easy updating,
- freely combining of an exploit with a payload,
- a consistent interface for setting options, and
- integrated encoding and evasion,
- an exploit is a code module that uses a particular vulnerability,
- a payload is code that is sent along with the exploit to take some action, such as providing a command-line interface,
- options are used to select variants of exploits and payloads,
- encoding is modifying the payload to circumvent limitations, whether they are caused by the logic of the vulnerability or an inadequate IPS, and
- evasion is bypassing security devices by employing evasion techniques.
The basic procedure of using Metasploit is: choose an exploit, choose a payload, set the IP address and port of the target, start the exploit, evaluate, and stop or repeat the procedure.
Metasploit is not suited for finding the vulnerabilities of a host; a vulnerability scanner is. Alternatively, when a port scanner has found an open port, all exploits for that port may be tried.
Metasploit 3.0 provides the following payloads:
- VNC injection. This payload for targets that run Windows gives a graphical user interface to the target that is synchronized with the graphical user interface of the target.
- File execution. This payload for targets that run Windows uploads a file and executes it.
- Interactive shell. This payload gives a command-line interface to the target.
- Add user. This payload adds a user with specified name and password that has administrator access.
- Meterpreter. This payload gives a rich command-line interface to targets that run Windows.
VNC connections need a relatively large bandwidth to be usable, and if someone is in front of the compromised computer then any interaction will be seen very quickly. The command-line interfaces of Linux and OS X are powerful, but that of Windows is not. The Meterpreter payload remedies these shortcomings. The reference gives a list of Meterpreter commands.
The ultimate gratification for a network intruder always is to obtain administrator privileges for a network. When an intruder is inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs to facilitate durable influence on a system. Some of these programs are used to compromise new user accounts or new computers on the network. Other programs are to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that can remove all data from the log files of a computer that relate to the intruder. Yet other programs of a rootkit may be used to survey the network or to overhear more passwords that are travelling over it. Rootkits may also give the means to change the very operating system of the computer it is installed on.
The network intruder then proceeds with creating one or more so called back doors. These are access provisions that are hard to find for system administrators, and they serve to prevent the logging and monitoring that results from normal use of the network. A back door may be a concealed account or an account of which the privileges have been escalated. Or it may be a utility for remote access, such as Telnet, that has been configured to operate with a port number that is not customary.
The network intruder then proceeds with stealing files, or stealing credit card information, or preparing a computer to send spam emails at will. Another goal is to prepare for the next intrusion. A cautious intruder is protective against discovery of his or her location. The method of choice is to use a computer that already has been attacked as an intermediary. Some intruders use a series of intermediate computers, making it impracticable to locate them.
The purpose of a back door is to maintain a communication channel and having methods to control a host that has been gained entry to. These methods include those for file transfer and the execution of programs. It is often important to make sure that the access or communication remains secret. And access control is desirable in order to prevent others from using the back door.
Back Orifice 2000 was designed as a back door. The server runs on Windows, and there are clients for Windows, Linux and other operating systems. The server is configured easily with a utility. After configuration, the server needs to be uploaded to the target and then started. Back Orifice 2000 supports file transfer, file execution, logging of keystrokes, and control of connections. There is also an AES plug-in for traffic encryption and an STCPIO plug-in for further obfuscation of the traffic. The first plug-in adds security and the combination of these plug-ins makes it much harder for an IDS to relate the traffic to a back door. More information can be found at http://www.bo2k.com.
Rootkits specialize in hiding themselves and other programs.
Hacker Defender (hxdef) is an open source rootkit for Windows. It can hide its files, its process, its registry entries, and its port in multiple DLLs. Although it has a simple command-line interface as a back door, it is often better to use its ability to hide a more appropriate tool.
- Rootkits: subverting the Windows kernel by Greg Hoglund and James Butler, Addison-Wesley Professional, 2006.
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System by Bill Blunden, Jones & Bartlett Learning, 2009.
Prevention and Protection
An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied with Wired Equivalent Privacy (WEP). This security protocol takes care of the following:
- authentication: assurance that all participants are who they state they are, and are authorized to use the network
- confidentiality: protection against eavesdropping
- integrity: assurance of data being unaltered
WEP has been criticized by security experts. Most experts regard it as ineffective by now.
In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.
Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped. MAC filtering can be attacked because a MAC address can be faked easily.
In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.
Returning to encryption, the WEP specification at any encryption strength is unable to withstand determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses the TKIP encryption, WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.
Installing updates regularly, disabling WPS, setting a custom SSID, requiring WPA2, and using a strong password make a wireless router more difficult to crack. Even so, unpatched security flaws in a router’s software or firmware may still be used by an attacker to bypass encryption and gain control of the device. Many router manufacturers do not always provide security updates in a timely manner, or at all, especially for more inexpensive models.
WPS currently has a severe vulnerability in which the 8 pin numbered (0-9) passwords being used can easily be split into two halves, this means that each half can be brute-forced individually and so the possible combinations are greatly lessened (10^4 + 10^4, as opposed to 10^8). This vulnerability has been addressed by most manufacturers these days by using a lock down mechanism where the router will automatically lock its WPS after a number of failed pin attempts (it can take a number of hours before the router will automatically unlock, some even have to be rebooted which can make WPS attacks completely obsolete). Without a lock down feature, a WPA2 router with WPS enabled can easily be cracked in 5 hours using a brute force WPS attack.
SSID’s are used in routers not only to identify them within the mass of 2.4, 3.6, 5 and 60 GHz frequencies which are currently flying around our cities, but are also used as a “seed” for the router’s password hashes. Standard and popular SSID’s such as “Netgear” can be brute forced through the use of rainbow tables, however, it should be noted that the use of a salt greatly improves security against rainbow tables. The most popular method of WPA and WPA2 cracking is through obtaining what’s known as a “4 way handshake”. when a device is connecting with a network there is a 4-stage authorization process referred to as a 4 way handshake. When a wireless device undergoes this process this handshake is sent through the air and can easily be monitored and saved by an external system. The handshake will be encrypted by the router’s password, this means that as opposed to communicating with the router directly (which can be quite slow), the cracker can attempt to brute force the handshake itself using dictionary attacks. A device that is connected directly with the router will still undergo this very process, however, the handshake will be sent through the connected wire as opposed to the air so it cannot be intercepted. If a 4 way handshake has already been intercepted, it does not mean that the cracker will be granted immediate access however. If the password used contains at least 12 characters consisting of both random upper and lower case letters and numbers that do not spell a word, name or have any pattern then the password will be essentially uncrackable. Just to give an example of this lets just take the minimum of 8 characters for WPA2 and suppose we take upper case and lower case letters, digits from 0-9 and a small selection of symbols, we can avail of a hefty choice of 64 characters. In an 8 character length password this is a grand total of 64^8 possible combinations. Taking a single machine that could attempt 500 passwords per second, this gives us just about 17,900 years to attempt every possible combination. Not even to mention the amount of space necessary to store each combination in a dictionary.
Note: The use of MAC filtering to protect your network will not work as MACs using the network can be easily detected and spoofed.
- Technical Guide to Information Security Testing and Assessment – Recommendations of the National Institute of Standards and Technology by Karen Scarfone, Murugiah Souppaya, Amanda Cody, and Angela Orebaugh, 2008.
- WPA vs. WPA2: Is WPA2 Really an Improvement on WPA? by Frank H. Katz, 2009.
A network scanner or sniffer is an application program that makes use of a wireless network interface card. It repeatedly tunes the wireless card successively to a number of radio channels. With a passive scanner this pertains only to the receiver of the wireless card, and therefore the scanning cannot be detected.
An attacker can obtain a considerable amount of information with a passive scanner, but more information may be obtained by sending crafted frames that provoke useful responses. This is called active scanning or probing. Active scanning also involves the use of the transmitter of the wireless card. The activity can therefore be detected and the wireless card can be located.
Detection is possible with an intrusion detection system for wireless networks, and locating is possible with suitable equipment.
Wireless intrusion detection systems are designed to detect anomalous behaviour. They have one or more sensors that collect SSIDs, radio channels, beacon intervals, encryption, MAC addresses, transmission speeds, and signal-to-noise ratios. Wireless intrusion detection systems maintain a registry of MAC addresses with which unknown clients are detected.
- Wireless Intrusion Detection Systems by Jamil Farshchi, 2003.
- Guide to Intrusion Detection and Prevention Systems (IDPS) – Recommendations of the National Institute of Standards and Technology by Karen Scarfone and Peter Mell, 2007.
Making use of someone else’s wireless access point or wireless router to connect to the internet – without the owner’s consent in any way – is not punishable by criminal law in The Netherlands. This is true even if the device uses some form of access protection. To penetrate someone else’s computer without the owner’s consent is punishable by criminal law though.
Crackers and society
There is consensus that computer attackers can be divided in the following groups.
- Adolescent amateurs. They often have a basic knowledge of computer systems and apply scripts and techniques that are available on the internet.
- Adult amateurs. Most of them are motivated by the intellectual challenge.
- Professionals. They know much about computers. They are motivated by the financial reward but they are also fond of their activity.
Naming of crackers
The term hacker was originally used for someone who could modify a computer for his or her own purposes. Hacking is an intrusion combined with direct alteration of the security or data structures of the breached system. The word hacking is often confused with cracking in popular media discourse, and obfuscates the fact that hacking is less about eavesdropping and more related to interference and alteration. However, because of the consistent abuse by the news media, in 2007 the term hacker was commonly used for someone who accesses a network or a computer without authorization of the owner.
In 2011, Collins Dictionary stated that the word hacker can mean a computer fanatic, in particular one who by means of a personal computer breaks into the computer system of a company, government, or the like. It also denoted that in that sense the word hacker is slang. Slang words are not appropriate in formal writing or speech.
Computer experts reserve the word hacker for a very clever programmer. They call someone who breaks into computers an intruder, attacker, or cracker.
- Hacker (term)
- Ethics in Internet Security by Prabhaker Mateti, 2010. This document contains a section called “The Hackers’ Code”, that gives a definition of hackers as a group.
- Symantec Report on Attack Kits and Malicious Websites by Symantec, 2010 or later. This thorough report gives both societal and technical information about attack toolkits and how to defend against them.
- Internet Security Threat Report – Trends for 2010 by Symantec Corporation, 2011. This concise report gives both societal and technical information about attack developments in 2010.
- 2011 Data Breach Investigations Report This report gives information about the absolute and relative effectiveness of cracking, regardless of whether a wireless network was used. It also gives information about the geographic distribution of crackers. And it gives advice for system administrators to prevent information theft.
- Weaknesses in the Key Scheduling Algorithm of RC4 by Scott Fluhrer, Itsik Mantin, and Adi Shamir, 2001 or later.
- Detecting Wireless LAN MAC Address Spoofing by Joshua Wright, 2003.
- A Survey of 802.11a Wireless Security Threats and Security Mechanisms by Colonel Donald J. Welch, Ph.D. and Major Scott D. Lathrop, 2003.
- Weaknesses in the Temporal Key Hash of WPA by Vebjørn Moen, Håvard Raddum, and Kjell J. Hole, 2004.
- Attacks on the RC4 stream cipher by Andreas Klein, 2006.
- Break WEP faster with statistical analysis by Rafik Chaabouni, 2006.
- Wi-Fi Security – How to Break and Exploit by Hallvar Helleseth, 2006.
- Philip, Roney (2007). “Securing Wireless Networks from ARP Cache Poisoning”. CiteSeerX .
- Breaking 104 bit WEP in less than 60 seconds by Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, 2007.
- Attacks on the WEP protocol by Erik Tews, 2007.
- Practical attacks against WEP and WPA by Martin Beck and Erik Tews, 2008.
- WPA password cracking – Parallel Processing on the Cell BE by Martin Daniel, 2009.
- Cryptanalysis of IEEE 802.11i TKIP by Finn Michael Halvorsen and Olav Haugen, 2009.
- A Practical Message Falsification Attack on WPA by Toshihiro Ohigashi and Masakatu Morii, 2009 or later.
- Hacking Wireless Networks for Dummies, by Kevin Beaver and Peter T. Davis, Wiley Publishing, Inc., 2005.
- Wireless Hacks, 2nd edition, by Rob Flickenger and Roger Weeks, O’Reilly, 2006. 
- Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006. – Extensive account of the history of WLAN vulnerabilities and how these vulnerabilities were fixed is presented on pages 181-184 and 208-211.
- Penetration Tester’s Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006.
- Wardriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007. – A brief account of the history of WLAN vulnerabilities is presented on pages 280-281.
- Security Power Tools by Bryan Burns and others, O’Reilly Media, Inc., 2007.
- Hacking – The art of exploitation, 2nd edition, by Jon Erickson, No Starch Press, 2008. 
- Nmap Network Scanning by Gordon “Fyodor” Lyon, Nmap Project, 2009. 
- Wireless Hacking Exposed, 2nd edition, by Johny Cash, Joshua Wright, and Vincent Liu, McGraw-Hill Osborne Media, 2010. 
- Metasploit: The Penetration Tester’s Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni, No Starch Press, 2011. 
- Wireless Access Points and ARP Poisoning by Bob Fleck and Jordan Dimov, 2001 or later.
- Debunking the Myth of SSID Hiding by Robert Moskowitz, 2003.
- Hacking Techniques in Wireless Networks by Prabhaker Mateti, 2005.
- Sniffers by Prabhaker Mateti, 2010.
- Backdoors by Prabhaker Mateti, 2010.
- Port Scanning by Prabhaker Mateti, 2011.
- Managing WLAN Risks with Vulnerability Assessment by Lisa Phifer, undated.
- Default Password List by phenoelit-us.org
- Default Passwords by CIRT.net
- Packet storm (vulnerability database)
- Securityfocus (vulnerability database)
- The Exploit Database
- WiGLE (Wireless Geographic Logging Engine)
- BackTrack 5 – This latest release from Offensive Security is based on Ubuntu 10.04 LTS Linux. Three graphical desktop environments can be chosen from: Gnome, KDE, and Fluxbox. Over 300 application programs are included for penetration testing, such as network monitors and password crackers, but also Metasploit 3.7.0, an exploit framework. BackTrack 5 is a live distribution, but there is also an ARM version available for the Android operating system, allowing tablets and smartphones to be used for mobile penetration testing of Wi-Fi networks. BackTrack can be installed on hard disk, both alone and in dual bootconfiguration, on a USB flash drive, and in VMware. Metasploit’s effectiveness is caused by the large number of exploits that are updated continually. In August 2011, there were 716 exploits for all usual operating systems together. Armitage is the GUI for Metasploit within BackTrack 5. This GUI can import files in XMLformat, and it supports Nmap, Nessus, and Metasploit-Express.
- Cracking of wireless networks can be specialized in several ways, causing the following articles to be related.
- ARP spoofing
- Brute-force attack
- MAC spoofing
- Password cracking
- Spoofing attack
- Cracking of wireless networks can be varied in several ways, causing the following articles to be related.
- Evil twin (wireless networks) (rogue Wi-Fi access point)
- Man-in-the-middle attack
- Cracking of wireless networks can result from several intentions, causing the following articles to be related.
- Hacker (computer security)
- Legality of piggybacking
- Piggybacking (internet access) (parasitic use of wireless networks to obtain internet access)
- Cracking of wireless networks is opposed to securing them, causing the following articles to be related.
- Computer insecurity
- Network security
- Wireless intrusion prevention system
- Wireless security