Why strong Wi-Fi encryption is crucial

How to hack Wi-Fi
Use BackTrack Linux to test your Wi-Fi security before a real hacker does

Think you're secure with basic WEP? You're not. We're going to demonstrate exactly why you need to tighten up your Wi-Fi security by showing you how easy it is to hack a relatively unprotected network.

We'll give a working demonstration of the weaknesses in your network's security and how they can be exploited. It's the best way of creating the incentive to shore up that security by using tougher encryption.

In this case, we're going to crack wide open the WEP security that far too many home users still rely on. Whether this is through a lack of knowledge or the belief that they have no assets worth stealing is neither here nor there. WEP is insecure, as we'll show you.

Before we begin, however, we have to make it absolutely clear that this is not a technique you should try in the wild. Doing so is illegal and we do not condone hacking of any kind. The tools we will be demonstrating are not toys and can wreak havoc in the wrong hands.

Backtracking


For this demonstration, we're going to use some of the tools that come bundled with the Swiss Army Knife of online security: BackTrack Linux.

This contains all the security tools that the network security professional and hardened hacker alike need to carry out a completely exhaustive examination of a network. Everything we need is installed, configured and ready to go.

Being Linux, it's also open source and therefore free to download. The developers have just released a new version called BackTrack 5.2. You can download the ISO file from backtrack-linux.org/downloads.

This is designed to run from the DVD drive as a live CD, so copy it to a fresh DVD using your ISO burner. If you don't have one, you can download and install ImgBurn free from imgburn.com.

After creating the BackTrack DVD, boot it from a computer with a wireless networking card. When the Boot: prompt appears, press [Enter]. Select the default text-only version from the bootup menu, and when it finishes booting you should be met with a # prompt and a cursor. Type the word startx and press [Enter] to load the graphical desktop.

At the top of the screen you'll see a menu bar with a picture of a terminal. Click this and a terminal window appears. Enter the command iwconfig and a list of network interfaces appears.

One of these should be called wlan0. This indicates that the wireless drivers supplied with BackTrack can see your wireless network card.

The utilities we'll use are all compatible with several industry standard Wi-Fi chipsets - namely rtl8187, rt2570 and rt73. This means that just about all modern wireless cards should be okay to use. However, if wlan0 doesn't show up, you could try booting BackTrack on a different computer instead. Otherwise, borrow a USB Wi-Fi dongle to see if BackTrack recognises it.

Collecting data


The standard advice is never to use WEP to secure a Wi-Fi network, but why is this?

Put simply, it's because when given enough packets to analyse, cracking software can recover the password (called a passphrase in Wi-Fi speak) to join such a network, as we'll now demonstrate.

Any hacker worth their salt begins by passively collecting data about potential targets, and this is exactly how we'll begin.

In a terminal window enter the command airmon-ng start wlan0. This command begins collecting data about nearby wireless networks and sending it to a special dump where other programs can pick it up and use it.

When you type in the command, you may get a warning about DHCP. Ignore this and look instead for the message 'Monitor mode enabled on mon0', which indicates that everything is running as it should be in the background.

We'll now find out what is being recorded to this mysterious mon0 by entering the command airodump-ng mon0. Note the extra letter 'o' in the airodump-ng command that wasn't present in airmon-ng. This catches many people out.

The screen begins to fill with a list of networks. The BSSID (basic service set identification) column contains the globally unique hardware MAC address of each router or base station within range. The ESSID (extended service set identification) column is the given, friendly name of each of the networks.

Below this is a shorter list of connections being made to those networks by individual computers. The networks to which they're connecting are displayed in the BSSID column, and the MAC addresses are also displayed in the Station column. Usefully, the Probe column gives the name of the network currently being accessed.

If you live in an area with lots of Wi-Fi networks and plenty of activity, both lists will expand and contract often, making them difficult to read. To prevent this, with the terminal selected, press the [R] key twice. This switches off the auto sort facility. Pressing [R] again will switch it back on again.

You can also cycle through the columns and have the program sort by these using the [S] key. To stand any chance of gaining access to a WEP network, there must be a current connection to it.

On the basis that you're cracking your own network, connect a computer to it and it will appear as a station in the lower portion of airodump-ng's output. Make a note of the station MAC address. Leave the utility running for a few minutes until all networks within range are recorded, then press [Ctrl]+[C] to stop the program.
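The two tables airodump-ng displays are also written to disk when it is run with -w, and a defender can read that file to answer the question this section raises: which networks within range are still on WEP (or wide open), and which machines are attached to them? The script below is an added example, not part of the original article or of the aircrack-ng project; it assumes the two-table CSV layout and column names shown in its embedded sample, and every address, name and count in that sample is constructed.

```python
import csv
import io

# Constructed sample in the two-table layout airodump-ng writes to its
# <prefix>-01.csv file when run with -w (assumption: column names as shown;
# every address, network name and count here is made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2012-04-01 10:00:00, 2012-04-01 10:05:00,  6,  54, WEP , WEP, OPN, -40, 120, 4821,   0.  0.  0.  0,   8, HomeNet1,
66:77:88:99:AA:BB, 2012-04-01 10:00:01, 2012-04-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  98,    0,   0.  0.  0.  0,   6, Office,
CC:DD:EE:FF:00:11, 2012-04-01 10:00:02, 2012-04-01 10:05:00,  1,  54, OPN , , , -70,  50,    0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2012-04-01 10:01:00, 2012-04-01 10:05:00, -45, 3900, 00:11:22:33:44:55, HomeNet1
AA:AA:AA:AA:AA:02, 2012-04-01 10:02:00, 2012-04-01 10:05:00, -60,   40, 66:77:88:99:AA:BB, Office
"""


def parse_airodump_csv(text):
    """Split the CSV into (access_points, stations), each a list of dicts keyed by header name."""
    tables = [t for t in text.strip().split("\n\n") if t.strip()]
    if len(tables) != 2:
        raise ValueError("expected an access-point table followed by a station table")
    parsed = []
    for table in tables:
        rows = list(csv.reader(io.StringIO(table), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        records = []
        for row in rows[1:]:
            if not row or not row[0].strip():
                continue
            # zip() drops surplus fields: a station row lists every probed ESSID
            # as a further comma-separated field, and only the first is kept here.
            records.append({k: v.strip() for k, v in zip(header, row)})
        parsed.append(records)
    return parsed[0], parsed[1]


def weak_networks(aps):
    """Access points whose Privacy field is WEP or open, with the IV count seen so far.

    The IV count matters because it is the very sample an attacker needs to
    accumulate; a WEP network that has already leaked thousands is at risk now.
    """
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].upper()
        if privacy.startswith("WEP") or privacy == "OPN":
            findings.append((ap["ESSID"], ap["BSSID"], privacy, int(ap["# IV"])))
    return findings


def clients_on_weak_networks(aps, stations):
    """Stations associated with a weak access point: their traffic is the exposed traffic."""
    weak = {bssid for _, bssid, _, _ in weak_networks(aps)}
    return [(s["Station MAC"], s["BSSID"], int(s["# packets"]))
            for s in stations if s["BSSID"] in weak]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for essid, bssid, privacy, ivs in weak_networks(aps):
        print(f"{essid:<12} {bssid} {privacy:<4} IVs captured so far: {ivs}")
    for mac, bssid, pkts in clients_on_weak_networks(aps, stations):
        print(f"  client {mac} on {bssid} ({pkts} packets)")
```

Run against a real capture by replacing SAMPLE_CSV with the contents of the .csv file airodump-ng wrote; the output is a plain list of the networks in range that still need the encryption upgrade this article is arguing for.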

Homing in


Next, we need to collect data running between just the router in question and the computer connected to it. To do so, we re-run airodump-ng, but with some filtering switches in place:

airodump-ng -c <channel> -w <filename> --bssid <bssid> mon0

<channel> is the channel number of the router in question and <filename> is a filename in which to store the captured packets (use 'dump' or something similar for the name). <bssid> is the MAC address of the router.

By running this command, you only see your router and the computer connecting to it. The collected data is also captured in the dump file (actually more than one dump file, but we don't need to worry about that).

As the command runs, pay special attention to the #Data column in the top of airodump-ng's output. These are the actual packets going between the computer and the router, and they contain the WEP passphrase. The problem is that we need between 5,000 and 25,000 packets to crack the passphrase.

We need to generate a large number of packets, and luckily BackTrack contains another utility that will do this for us. Enter the following command, where <bssid> is the MAC address of the router and <station> is the MAC address of the computer connected to it:

#aireplay-ng --arpreplay -b <bssid> -h <station> mon0

Note the double dash before arpreplay. Aireplay-ng generates packets that are faked to seem to have come from a particular computer and spewed to the router. You define the MAC address of the source PC with the -h switch. In this case, it's the computer connected to the router.

Every packet sent from the router contains an encrypted version of the WEP passphrase. The reason for generating lots of extra packets is that with a large enough sample of encrypted passphrases, we can use another utility to analyse the captured data and start to make a statistical guess at what the underlying plain text might be.

Aireplay-ng might be slow to get going, but after a few minutes it suddenly begins generating plenty of extra traffic. Let it keep on going until airodump-ng shows something over about 5,000 in the #Data column, after which time you can stop it using [Ctrl]+[C].

You can also stop the airodump-ng command at this point. It doesn't matter if you massively exceed the number of packets. In fact, more data makes it easier to crack the passphrase.

Note that while you're generating these packets, the WLAN light on the router should usually be flashing to say that data is being sent and received. As the associated internet light isn't also flashing to signal through traffic, the target of the packets must be the router itself. This serves as a quick method of telling if someone is attempting this kind of attack against your own network, even (or rather, especially) when none of your own computers are connected at the time.
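The flashing-light observation above can be turned into a detection rule: the replay stage produces a flood of frames from one station address, all aimed at the router rather than at the internet, and because one captured frame is being re-sent over and over they are all the same size. The script below is an added example and not from the article or the aircrack-ng project; it assumes frames have been exported from a monitor-mode capture as (time, source MAC, destination MAC, length) tuples, the rate and uniformity thresholds are assumptions to tune for your own network, and the sample traffic it builds is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample traffic: (seconds since capture start, source MAC,
# destination MAC, 802.11 frame length in bytes). The addresses are made up.
AP_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "AA:AA:AA:AA:AA:01"


def build_sample():
    """Five seconds of ordinary client traffic followed by three seconds of replayed frames."""
    frames = []
    # Ordinary browsing: 20 frames a second, sizes all over the place.
    for i in range(100):
        frames.append((i * 0.05, CLIENT_MAC, AP_MAC, 100 + (i * 37) % 1400))
    # Replay burst: the same 68-byte frame, 500 times a second, all aimed at the router.
    for i in range(1500):
        frames.append((5.0 + i / 500.0, CLIENT_MAC, AP_MAC, 68))
    return frames


def detect_replay(frames, ap_mac, window=1.0, rate_threshold=200, uniformity=0.9):
    """Flag (window_start, source, frame_count, dominant_length) for every source that
    sends at least rate_threshold frames to the router within one window, where at
    least the `uniformity` fraction of those frames share a single length."""
    lengths_by_bucket = defaultdict(list)
    for t, src, dst, length in frames:
        if dst != ap_mac:  # only frames aimed at the router itself
            continue
        lengths_by_bucket[(int(t // window), src)].append(length)
    alerts = []
    for (w, src), lengths in sorted(lengths_by_bucket.items()):
        if len(lengths) < rate_threshold:
            continue
        dominant_len, dominant_count = Counter(lengths).most_common(1)[0]
        if dominant_count / len(lengths) >= uniformity:
            alerts.append((w * window, src, len(lengths), dominant_len))
    return alerts


def spoofed_sources(alerts, present_clients):
    """Alerts whose source address belongs to no machine you know to be switched on.

    This is the 'none of your own computers are connected' case from the text:
    a burst that claims to come from a client that is not there is a forgery.
    """
    return [a for a in alerts if a[1] not in present_clients]


if __name__ == "__main__":
    alerts = detect_replay(build_sample(), AP_MAC)
    for start, src, count, length in alerts:
        print(f"t={start:>4}s  {src}  {count} frames to router, {length}-byte frames dominate")
    print("from absent clients:", spoofed_sources(alerts, present_clients=set()))
```

Ordinary traffic in the sample never reaches the threshold, while each second of the replay burst does; a home router that exposes per-client frame counters, or a second card left in monitor mode, gives you the same inputs for a real network.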

Getting in

With the results of bombarding the router with packets containing the encrypted WEP passphrase stored in a temporary file, we can finally attempt to crack it. To do so, we use the aircrack-ng utility. There's no guarantee that this will work first time, but if it fails, you just need to collect more than the previous 5,000 or so packets.

To run aircrack-ng, enter the following command:

#aircrack-ng -z -b <bssid> dump*.cap

Again, <bssid> is the MAC address of the router. The argument dump*.cap enables aircrack-ng to read all the files that airodump-ng created in the current directory, which you can see by entering the command ls. If aircrack-ng fails to recover the passphrase, it will tell you and give a recommendation for the number of packets it believes it will need to make a guess with 100 per cent certainty.

A WEP passphrase of 'hello' took nearly 15,000 packets to crack, but once aircrack-ng had these at its disposal, the whole process took 10 seconds. With 30,000 packets, this time dropped to just four seconds.

So, now we have the passphrase to the WEP router, we have compromised it to the point where we can join the network from Windows just like any legitimate user. Once joined, open a command prompt and type the command ipconfig to check your network connection.

You can surf through the compromised WEP network, use a network mapping utility like our old friend Zenmap to find other computers on the network and, in some cases, even mount network shares to read the information they contain or deploy a network traffic sniffer to possibly capture some useful username and password pairs.

This is why WEP security is no security at all. If, during the process of working through this tutorial, you discover one or more WEP protected networks in your vicinity, it would be illegal to hack them, but the act of a good neighbour would be to knock on the door and help bring the owner into the 21st century.