Monday, August 1, 2016

Things You Should Know : Wireless Hacking Basics

This is the first post in a new series of posts that don't involve any real hacking (and hence don't require that you have Kali installed on your system), but instead explain concepts in an interesting way (at least I hope so). If you have tried getting started in the world of hacking, but failed despite your best attempts, then this series will get you in a position where you'll find it easier to understand any tutorials you read in the future (on this site or any other). Note that I might use some technical jargon in some places, but will usually try to use layman's terms. Also, this guide is an oversimplification, and hence factual precision is not its strong suit; ease of understanding is.

Pre-requisites

You should know-
  • Nothing really.

Post-reading

You will know -
  • What are the different flavors of wireless networks you'll encounter and how difficult it is to hack each of them.
  • What are hidden networks, and whether they offer a real challenge to a hacker.
  • You'll have a very rough idea how each of the various 'flavors' of wireless networks is actually hacked.
(The last point will be covered in detail in the next post.)

Wireless Security Levels

Below is a (bad but hopefully helpful) analogy I'm using to explain the various possible security implementations that a wireless network may have.
Suppose you are the owner of a club. There can be many possible scenarios as far as entry to the club is concerned:


  • Open Entry

    [Image: Open networks - They don't require passwords to connect to the wireless router (access point).]

    1. Open entry and unrestricted usage - Anyone can walk right in. They have unrestricted access to the dance floor, free beer, etc. This is an open network. It is only used in public places (restaurants, etc.) which offer free Internet access to their users (WiFi hotspots). It's fairly uncommon to find such networks.
    2. Open entry but restricted usage - Anyone can walk right in, but has to pay for drinks. For the router's security purposes, this is also an open network. However, connecting to the wireless router (entering the club) doesn't guarantee you unlimited access to the internet. There is another layer of authentication. These are seen in public places (airports, restaurants, fast food joints, shopping malls) where they let you connect to the wireless network without any password, but after that you have an additional layer between you and the internet. This layer usually restricts your ability to access the internet (either by bandwidth or by time). This layer can be used to charge you for the amount of data you use.

    The point to note in the discussion above is that wireless hacking usually refers to cracking the router's password. The additional layer which might be present between you and the internet after you log in is something you'll have to deal with separately, and is not covered under wireless hacking. So, from the wifi hacking perspective, both the networks above are the same, "open", and do not require any hacking.



  • Stupidly Guarded Entry (WEP)

    [Image: ISPs may require users to login to their accounts to access the internet.]

    1. Password at door and unrestricted access - The members of the club pay a certain amount every month, and get access to free drinks. They have to say the password at the shady looking entrance to the club. Unfortunately, it's quite easy for anyone to overhear the password and get in. This is a WEP protected network. For a person who has Kali Linux installed on his machine, hacking this kind of wireless network is a matter of minutes. These are easy targets. However, nowadays it's fairly uncommon to find WEP protected networks, because of the ease with which they can be hacked into. WPA and WPA-2 are more common.
    2. Password at door but restricted access - Only members can enter, but they still have to pay for their drinks. This is the case when the network has a password and an additional layer to get access to the internet. This is common in two cases -
       1. ISP requires login - Many ISPs require users to login to their account to access the internet. Often logging in provides an interface which lets the users see their bandwidth usage, details of their network plan, etc.
       2. Colleges/ Schools/ Offices - Many institutes provide users accounts which they use to access the institute's network.

    [Image: Colleges often allocate students IDs and passwords with which students can access the Internet facilities offered by the institute.]

    Again, from the wireless hacking perspective, both the networks above are "WEP protected", and are rather simple to hack into.




  • Well Guarded Entry

    As far as the bifurcation into whether or not another layer of authentication is present once you have the wireless network password is concerned, the WEP and WPA cases are the same. The only difference is that the college wireless routers have WPA instead of WEP (as a matter of fact, the two images in the section above are from my home network, Tikona, and my college network, and both are WPA protected. Of course, the login screen would be no different if the router were configured to be WEP protected, as these are two independent authentication steps, and so I included those images in the WEP section). Thus, this doesn't merit further discussion. However, there's another subcategory here that we will discuss.

    1. Fingerprint and retinal scan for entry - The entry to this club is secure enough for most purposes. Getting past this level of security takes a lot of time and effort. Theoretically, if you're willing to do what it takes, you may still get in. But a heist (if I may call it that) of this magnitude will take a lot of planning, and even then, a lot depends on sheer luck. This is a WPA secured network. The only way to crack this network is with dictionary or bruteforce attacks. Bruteforce attacks may take forever (literally) depending on the length of the password, and dictionary attacks too will take days/weeks depending on the size of the dictionary, and still may fail (if the password is not in the dictionary). [More on this later]. So if you want to crack the password of a WPA network... get a new hobby.
    2. Fingerprint and retinal scan for entry, and a card which you can quickly swipe to avoid standing in a queue since the aforementioned scans take some time - By introducing this card the club created an alternate path for entry. While this saves time for the legitimate users, the card can be stolen. While it's not as easy as overhearing the password (WEP), or walking right in (open), pickpocketing a member is much easier than murder and mutilation (you really want to enter that club if you're going that far). This is WPA with WPS enabled. WPS has a vulnerability which allows a hacker to get the password in around 3 hours (it can be more sometimes, up to 10-12 hours, but that figure is nothing compared to WPA). Just like WEP, WPS is now a well known weak point, and new routers have either disabled WPS or added some measures (like rate limiting) which make it really hard to, well, pickpocket the members.
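To put numbers on "forever" versus "a matter of hours", here is an added example (not from the original post) that estimates how long exhausting each search space takes. It assumes illustrative guess rates (100,000 offline guesses per second against a captured WPA handshake, one online PIN guess per second against an access point) and a rate-limit setting of three tries followed by a 60-second lockout; the WPS figure uses the published fact that the PIN's two halves are confirmed separately, which is why disabling WPS or rate-limiting it matters so much more than SSID tricks.

```python
SECONDS_PER_HOUR = 3600.0
HOURS_PER_YEAR = 365.25 * 24


def wpa_keyspace(charset_size: int, length: int) -> int:
    """Bruteforce search space: every passphrase of exactly `length`
    symbols drawn from a charset of `charset_size` symbols."""
    return charset_size ** length


def wps_pin_attempts(halves_confirmed_separately: bool = True) -> int:
    """Worst-case number of PIN guesses. A WPS PIN has 8 digits, the last
    one a checksum. The registrar exchange acknowledges the first and the
    second half in separate messages, so they can be guessed one after the
    other: 10^4 for the first half plus 10^3 for the second (the checksum
    digit is computed, not guessed). Without that flaw it would be 10^7."""
    return 10 ** 4 + 10 ** 3 if halves_confirmed_separately else 10 ** 7


def hours_to_exhaust(attempts: int, rate_per_second: float) -> float:
    """Time to try every candidate at a sustained guess rate."""
    return attempts / rate_per_second / SECONDS_PER_HOUR


def effective_rate(tries_before_lockout: int, lockout_seconds: float) -> float:
    """Guess rate an attacker can sustain against a rate-limited access
    point: `tries_before_lockout` guesses, then a forced pause."""
    return tries_before_lockout / lockout_seconds


def compare_scenarios(offline_rate: float = 100_000.0,
                      online_rate: float = 1.0) -> dict:
    """Hours needed to exhaust each 'club' from the post. The rates are
    assumptions for illustration: offline guesses run against a captured
    handshake, online PIN guesses have to go through the access point."""
    pin = wps_pin_attempts()
    return {
        "WPA, 8 chars lowercase+digits": hours_to_exhaust(wpa_keyspace(36, 8), offline_rate),
        "WPA, 10 chars mixed-case+digits": hours_to_exhaust(wpa_keyspace(62, 10), offline_rate),
        "WPS, no rate limiting": hours_to_exhaust(pin, online_rate),
        "WPS, 3 tries then 60 s lockout": hours_to_exhaust(pin, effective_rate(3, 60)),
    }


if __name__ == "__main__":
    for label, hours in compare_scenarios().items():
        years = hours / HOURS_PER_YEAR
        print(f"{label:32s} {hours:16.1f} h  ({years:.4g} years)")
```

The unthrottled WPS figure comes out at just over 3 hours, matching the post's estimate, while a 10-character mixed passphrase lands in the hundreds of thousands of years at the assumed rate.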



  • Bonus : Hidden entry

    Any of the above clubs could have a secret entrance. Sounds cool, right? This is somewhat similar to what we call "Security Through Obscurity". How would you get in if you don't know where the club's entrance is? Well, while you don't know where the club entrance is, you know where the club is. You have two options -
    1. Passive method - You go to the roof of a nearby building, take your binoculars out, and try to find out how people enter the building. In wireless terms, you wait till a client connects to the network. This may take a lot of time, but it's relatively safer from a forensic viewpoint (by not doing anything, just watching patiently, you ensure that you don't leave any clues behind which may later be used to catch you).
    2. Active method - You cut off the electric/water supply to the building, or maybe somehow trigger the fire alarm. One way or the other, force the members to get out of the club. Once they find out that everything is fine, they'll swarm back in. You will know where the gate is. In wireless terms, you can de-authenticate the clients (you'll be doing this often, whether you're hacking a WEP network, or getting a WPA handshake [again, more on this later]). Of course, this method results in you leaving behind some traces, but at least you don't have to wait for hours.
    The analogue of hidden-entry clubs is hidden networks. As long as the network has clients, it's quite easy to find out the name of the network (the SSID, to be precise; setting the network to hidden basically stops the access point from revealing its SSID). However, when a client connects to the network, beacon frames (data packets) with the SSID (in clear-text, i.e. unencrypted) are transmitted, which you can capture to get the SSID of the network. So, hidden networks don't really offer much protection to a network, and a WEP protected hidden network just means that instead of 10 mins it will take 15 mins to get the password. For a WPA network, making the SSID hidden doesn't really do a lot since WPA networks are practically uncrackable, and a person who has the time and processing power to get past WPA encryption won't be stopped by the hidden SSID.
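As an added example (not code from the original post), the following parser shows what "hidden" actually hides: it reads the SSID element out of 802.11 management frames and flags the ones that carry the name in clear text. The frames are constructed inline, the access point address and the network name "ClubWiFi" are made up, and the check is the kind a network owner can run over their own capture to confirm that a hidden SSID still shows up in probe traffic.

```python
# Management-frame subtypes this audit understands (802.11 type 0), with the
# number of fixed-parameter bytes that precede the tagged elements.
FIXED_PARAM_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
SUBTYPE_NAME = {0: "association request", 4: "probe request",
                5: "probe response", 8: "beacon"}
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control


def parse_mgmt_ssid(frame: bytes):
    """Return {subtype, bssid, ssid} for a management frame; ssid is None
    when the element is hidden (zero-length or all NUL bytes). Data/control
    frames and unknown subtypes return None for the whole record."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in FIXED_PARAM_LEN:
        return None
    record = {"subtype": SUBTYPE_NAME[subtype],
              "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
              "ssid": None}
    pos = MGMT_HEADER_LEN + FIXED_PARAM_LEN[subtype]
    while pos + 2 <= len(frame):               # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:                           # element ID 0 is the SSID
            if value.strip(b"\x00"):           # hidden APs send "" or NULs
                record["ssid"] = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return record


def cleartext_ssid_frames(frames):
    """Audit helper: (subtype, ssid) for every frame that names the network."""
    found = []
    for frame in frames:
        record = parse_mgmt_ssid(frame)
        if record and record["ssid"] is not None:
            found.append((record["subtype"], record["ssid"]))
    return found


def build_mgmt_frame(subtype: int, bssid: bytes, ssid: bytes) -> bytes:
    """Construct a minimal management frame for the sample capture below."""
    header = (bytes([subtype << 4, 0x00]) + b"\x00\x00"      # frame control, duration
              + b"\xff" * 6 + bssid + bssid + b"\x00\x00")   # addr1-3, seq ctrl
    fixed = b"\x00" * FIXED_PARAM_LEN[subtype]
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, rates
    return header + fixed + elements


# Constructed sample capture (not real traffic): a hidden network's beacon,
# then a client probing for it by name and the access point answering.
AP = bytes.fromhex("02aabbccddee")
SAMPLE_FRAMES = [
    build_mgmt_frame(8, AP, b""),          # beacon: SSID element empty
    build_mgmt_frame(4, AP, b"ClubWiFi"),  # probe request names the network
    build_mgmt_frame(5, AP, b"ClubWiFi"),  # probe response repeats it
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_mgmt_ssid(frame))
    print("named in clear text:", cleartext_ssid_frames(SAMPLE_FRAMES))
```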


Summary

  • There can be additional authentication steps (logins) or other barriers between you and the internet even after you get access to the router. However, this is an entirely separate problem and not too relevant to the discussion of wireless hacking. Still, it's something you must be aware of.
  • Wireless hotspots or open networks don't have any encryption. They can be accessed by anyone. Also, the data transmitted by you is not encrypted and can be read by anyone in the vicinity. Anything which you send to the destination server in plain-text (say, to google) will be transmitted from your machine to the wireless router in plain-text. Anyone in the vicinity can easily read it using Wireshark or any other similar tool. Of course, sensitive data is rarely sent in plain-text, so don't sit around wireless hotspots hoping to get someone's FB login credentials. However, the lack of encryption in open networks should be taken seriously. As far as wireless hacking is concerned, there's not a lot to do here (other than sniffing the unencrypted data in the air).
  • WEP - This is where most of the stuff happens. Countless vulnerabilities, countless attacks, countless research papers listing the issues, countless tools to get the passwords. It doesn't take too much effort to learn how to hack these. If you are familiar with linux, then it takes practically no effort at all. Just some terminal commands, and you're done (with wifite you don't even have to bother with that).
  • WPA - Don't want to mess with this guy. Theoretically there's a way to get in. Practically it will take forever. Dictionary attacks and bruteforce are the methods to get in. Will cover all this in the advanced version of this guide. PS: When I say WPA, I refer to both WPA and WPA-2. For the sake of this post, they are the same (actually they have a lot of differences; the common thing is that neither is an easy target for hackers).
  • WPA with WPS - Tough guy with a weak spot. Hit him where it hurts and 'it takes forever to get in' becomes a matter of hours. Not as easy as WEP, but still do-able. Unfortunately, you might encounter a guy who has a weak spot but has started learning his lessons and guards that spot properly (WPS but with rate-limiting or some other security measure).


I hope you now have a general idea about the various flavors of wireless security. I have a few advanced guides in mind too, which will touch on the cryptographic specifics of these 'flavors', the vulnerabilities, and their exploits. As far as the practical hacking process is concerned, there are plenty of tutorials here on this website and elsewhere on the internet regarding that, so I am not covering that again. I hope that this time when you read a guide you are aware of what's going on, and don't end up trying an attack that works on WEP targets on a WPA network.

The next guide is here -
Things You Should Know : Wireless Hacking Intermediate

14 comments:

  1. Exactly what happened to me, cracked WEPs, cracked my first WPA with WPS in ten to twelve hours, couldn't bruteforce my way into any WPA/WPA2 router and felt disappointed I couldn't, but I'm feeling better that it isn't just me that finds it really hard to do. Cool post.

    1. WPA/WPA2 can easily take on the best of us, given the one who set the password isn't stupid.

  2. Hi!
    I've been following your blog for quite some time and I must say that you publish pretty awesome tutorials. I wanted to ask one thing - if we intercept a WPA/WPA2 network using a MITM attack and the victim's PC is a Windows machine (which it usually is), can't we then simply exploit his machine using Metasploit and get to know the network's password?

    1. Most recent operating systems are next to impossible to crack with common exploits (like the ones we had for XP). For exploiting them, we need a weak link somewhere (usually a vulnerable application installed in the system, like Flash Player). Exploiting an application will provide you access to the system, but usually with low privileges. Then you'll have to think of ways to escalate your privileges. All that aside, what you say (obtaining the password by [kind of] infecting a client system that has information of the password) is quite possible, much tougher (as in complex), but definitely a lot faster than a bruteforce attack (which is a lot simpler and more straightforward).

      The reason I (and most people) don't mention this is because when wireless hacking is discussed, in general, we tend to look at the weaknesses of the protocol. There's nothing that can be done about the fact that all the clients store the password in plain-text that can be accessed very easily by anyone with access to their systems. This problem will remain irrespective of how good the encryption scheme is. The aim of hacking is to find flaws so they may be fixed. The flaws with insecure systems are discovered and fixed by pen-testers. The flaws with WEP were discovered by those who were attacking the WEP protocol.

      Hope that answers your query, and thanks for the appreciation. It's a good question so I'm going to include an excerpt in the next post in this series.

    2. Just thought I'd let you know. I did write a tutorial achieving something similar to what you suggested (we didn't exploit the machine though, just tricked it into sending us the password). Take a look below:

      Hacking WPA/WPA-2 without dictionary/bruteforce : Fluxion

  4. Hey, excellent read! I have a question for you. Are you still around?


  9. What things should we know to hack wifi with Kali Linux?


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC