Welcome to our site, my dear greenhorn hackers!
Some readers of our Romanian blog (blackweb.ro) have asked me to focus on guides on hacking Wi-Fi, and with this article, I start a new series of tutorials dedicated to Wi-Fi hacks. You can expect at least ten quality guides, starting of course with the basics.
I know that some of you are experts, but many of us need to know the basics until we move on to more advanced things. Then you can develop your hacks.
Step 1: Terminology
To understand how to hack Wi-Fi, we need to know a few basic terms.
For starters, the access point that sends the radio frequency (RF) signal is known as the AP. These APs send signals in the 2.4 GHz and 5 GHz bands, following several different standards. These standards are known as 802.11a, 802.11b, 802.11g, and 802.11n. A newer standard, 802.11ac, is still being worked on.
The table below shows the main features of these Wi-Fi standards.
These standards are generally compatible, so a wireless n adapter will also be able to receive g and b signals. We will focus on the most common of these standards – b, g, and n.
Step 2: Security technologies
From the hacker’s perspective, the wireless security technologies in use are among the most relevant features of a network. Many security technologies have been implemented in Wi-Fi to protect the underlying technology, and our approach to an attack will depend on which of them is in use.
So let’s take a quick look at them.
WEP (Wired Equivalent Privacy) was the first wireless security system used. As the name suggests, it was designed to give users security equivalent to the privacy they enjoyed in a wired environment. Unfortunately, it failed miserably.
WEP is extraordinarily easy to crack, for several reasons that come down to a flawed use of the RC4 encryption algorithm. It is not uncommon to break WEP in less than 5 minutes. The main reason is that WEP used a very small (24-bit) initialization vector (IV) that is transmitted in the data stream and can be captured there; the collected IVs can then be used to recover the key using statistical techniques.
Despite this, WEP is still used in home and small business networks, but rarely in large corporations.
WPA was the industry’s response to the weaknesses found in WEP. It is often referred to as WPA1 to be distinct from WPA2.
WPA used TKIP (Temporal Key Integrity Protocol) to improve on WEP’s security without requiring new hardware. Underneath, it still relies on WEP’s RC4 encryption, but it makes the statistical attacks used to crack WEP much more difficult to carry out.
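To make the "very small 24-bit IV" point concrete, here is a small added example (mine, not from the article) that works the birthday problem for IV sizes. It compares WEP's 24-bit IV from the article with a 48-bit counter, the size of TKIP's per-packet sequence counter (a fact I am adding; the article only says TKIP makes the statistical attacks harder). It shows how quickly a randomly chosen 24-bit IV is expected to repeat, and how soon a sequentially incremented one wraps around at a given frame rate; the frame rate is a constructed input.

```python
import math

# IV sizes to compare. WEP's 24-bit IV is stated in the article; the 48-bit
# value is TKIP's per-packet sequence counter (a known fact added here).
WEP_IV_BITS = 24
TKIP_TSC_BITS = 48


def iv_reuse_probability(frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Probability that at least one IV value repeats among `frames` frames when
    every frame draws its IV uniformly at random from 2**iv_bits values.

    Standard birthday-problem approximation: 1 - exp(-k(k-1) / (2N)).
    """
    if frames < 2:
        return 0.0
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    exponent = frames * (frames - 1) / (2 * space)
    return 1.0 - math.exp(-exponent)


def frames_for_reuse_probability(probability: float, iv_bits: int = WEP_IV_BITS) -> int:
    """Smallest frame count at which iv_reuse_probability reaches `probability`,
    obtained by solving the approximation above for k."""
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    target = 2 * (2 ** iv_bits) * math.log(1.0 / (1.0 - probability))
    # k**2 - k - target = 0  ->  take the positive root, round up to a whole frame
    k = (1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0
    return math.ceil(k)


def seconds_to_exhaust_ivs(frames_per_second: float, iv_bits: int = WEP_IV_BITS) -> float:
    """Time until a sender that increments its IV sequentially wraps around and
    starts reusing values, at a constant frame rate."""
    if frames_per_second <= 0:
        raise ValueError("frame rate must be positive")
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    # Constructed frame rate of 1000 frames/s (a busy but realistic AP).
    for bits in (WEP_IV_BITS, TKIP_TSC_BITS):
        print(f"{bits}-bit IV: P(reuse after 5000 frames) = "
              f"{iv_reuse_probability(5000, bits):.2e}, "
              f"frames for 50% reuse = {frames_for_reuse_probability(0.5, bits):,}, "
              f"sequential wrap at 1000 frames/s = "
              f"{seconds_to_exhaust_ivs(1000, bits) / 3600:.1f} h")
```

With 24 bits, a few thousand frames already give better-than-even odds of an IV repeat and a sequential counter wraps in under five hours at 1000 frames per second; with 48 bits the same numbers are astronomically larger, which is the whole reason the later protocols widened the counter.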
WPA2-PSK is the implementation of WPA2 for home users and small businesses. As the name suggests, it is the WPA2 implementation that uses a pre-shared key (PSK). This is the security standard used by most Internet users, and although it is much more secure, it is still vulnerable to various attacks.
A feature added in 2007, called Wi-Fi Protected Setup or WPS, allows us to bypass security in WPA2-PSK. We will look at some attacks on WPA2-PSK in the coming weeks.
WPA2-AES is the implementation of WPA2 for enterprises. It uses AES (Advanced Encryption Standard) to encrypt data and is considered the most secure. It is often paired with a dedicated RADIUS server for authentication.
Although cracking it is possible, it is much more difficult.
Step 3: Channels
Just like a radio, a wireless network has multiple channels, so that different communication flows do not interfere with each other.
The 802.11 standard allows channels numbered 1 to 14. In the U.S., the FCC regulates wireless communication so that only channels 1 to 11 may be used. Europe uses channels 1 to 13 and Japan uses 1 to 14. Other nations may also use the full range.
For a hacker this can be useful information, because a rogue AP that uses channels 11-13 would be invisible both to wireless devices in Romania and to security professionals scanning for access points.
Each channel is 22 MHz wide, centred on its main frequency. An AP can use any of these channels, but to avoid interference from overlap, channels 1, 6 and 11 are most often used. Other channels can be used, but because five channels of separation are needed between working channels for their signals not to overlap, if you want three non-overlapping channels, only 1, 6 and 11 will work.
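The spacing rule above, worked out in Python as an added example (mine, not from the article). It derives centre frequencies from the standard 2.4 GHz channel plan (a fact I am adding: channel n sits at 2407 + 5n MHz for 1-13, and channel 14 at 2484 MHz), checks overlap using the article's 22 MHz width, and goes a little beyond the text by listing every non-overlapping triple for the U.S. and European channel sets rather than only 1, 6 and 11. It also lists which channels a scanner locked to the U.S. channel set never tunes to, which is the defender's takeaway from the rogue AP remark: scan the full range your hardware supports, not just your regulatory domain's.

```python
from itertools import combinations

# 2.4 GHz channel plan (IEEE 802.11 facts added here, not from the article):
# channels 1-13 have centre frequencies 5 MHz apart starting at 2412 MHz;
# channel 14 is the odd one out at 2484 MHz. Each channel is 22 MHz wide.
CHANNEL_WIDTH_MHZ = 22

# Regulatory channel sets exactly as the article describes them.
REGULATORY_CHANNELS = {
    "US": range(1, 12),   # channels 1-11
    "EU": range(1, 14),   # channels 1-13
    "JP": range(1, 15),   # channels 1-14
}


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz wide channels overlap when their centres are closer than 22 MHz.
    Five channel numbers apart is 25 MHz, so that is the first non-overlapping gap."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_sets(allowed, size: int = 3):
    """All combinations of `size` channels drawn from `allowed` in which no pair overlaps."""
    return [
        combo
        for combo in combinations(sorted(allowed), size)
        if not any(channels_overlap(a, b) for a, b in combinations(combo, 2))
    ]


def channels_missed(scanner_domain: str, ap_domain: str):
    """Channels an AP in `ap_domain` may legally use that a scanner restricted
    to `scanner_domain` will never tune to, and therefore never report."""
    return sorted(set(REGULATORY_CHANNELS[ap_domain]) - set(REGULATORY_CHANNELS[scanner_domain]))


if __name__ == "__main__":
    print("US non-overlapping triples:", non_overlapping_sets(REGULATORY_CHANNELS["US"]))
    print("EU non-overlapping triples:", non_overlapping_sets(REGULATORY_CHANNELS["EU"]))
    print("Four-way non-overlap in Japan:", non_overlapping_sets(REGULATORY_CHANNELS["JP"], size=4))
    print("Channels a US-locked scanner misses for an EU AP:", channels_missed("US", "EU"))
```

Within channels 1-11 the only three-way non-overlapping choice is indeed 1, 6 and 11; with 1-13 there are ten such triples, and with channel 14 available a fourth non-overlapping channel becomes possible.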
Step 4: Datagrams and frames
An understanding of the structure of wireless datagrams is essential to the success of wireless hacking, but it goes beyond the scope of this introduction. I will introduce some of this information when needed in future tutorials, but you may need some time to study wireless frames and datagrams from other sources, as I will not go into too much detail.
Step 5: Signal strength
In the U.S., for example, the FCC regulates, among other things, the signal strength of a wireless access point: it says the access point’s signal may not exceed 27 dBm (500 milliwatts). Most access points have this limit built in, but we can change and override it if the access point is capable of a stronger signal. This can be useful to the hacker when creating an evil twin, where signal strength is critical, among other techniques.
Step 6: Aircrack-ng
For almost all of our Wi-Fi hacks we will use aircrack-ng, which is included in BlackWeb OS. Even in those hacks where we use other software, such as cowpatty or reaver, we will still use aircrack-ng, so we need to get acquainted with it.
I will probably do a dedicated aircrack-ng tutorial in the very near future.
Step 7: Wi-Fi adapters
One of the essential requirements for becoming an effective Wi-Fi hacker is the Wi-Fi adapter. In general, the Wi-Fi adapter in your laptop or desktop is insufficient for our purposes. The basic capability we need is the ability to inject packets into the access point, and most stock wireless adapters are unable to inject packets. Aircrack-ng maintains a list of recommended Wi-Fi adapters.
That being said, I highly recommend the Alfa AWUS036NH wireless adapter. That’s what I use. Its price varies between 30 and 50 dollars. At the moment it is slightly discounted, at around $39, compared to the price I paid for it.
It does everything that is needed. It is fast, has an external antenna, is recognized by BlackWeb OS and loads its drivers automatically. It can be essential in wireless hacks because of the signal strength it provides.
Step 8: Antennas
Antennas come in two basic types, omnidirectional and directional. Most wireless access points and adapters come with omnidirectional antennas, which means they send and receive in all directions.
The Alfa adapter recommended earlier comes with an external omnidirectional antenna. It can boost the signal by focusing it, much like the beam of a flashlight. In addition, you can change its position to better receive particular signals.
Directional antennas can be useful for hacking when you want to focus your operations on a distant access point. We found references to Wi-Fi signals that were sent and received over distances of more than 160 km using directional antennas. With most commercial directional antennas, you can expect to pick up wireless communications from up to 4 km away.
They can be obtained from a variety of sources, usually for under $100. A Yagi antenna is an example of a very good directional antenna, and is often used to break into wireless networks over significant distances. Such an antenna costs about $40.
That’s all, folks… for now
So, this article opens our journey into breaking Wi-Fi networks. Don’t forget to come back to Blackweb-Security.org for more details.