Security Is An Arms Race: The Only Way To Win Is To Stay Ahead And Stay Knowledgeable.


Securing your home wireless network is not a game; it is serious business. If your network is not secured, an online cybercriminal will exploit it; it is just a matter of time. They will ‘listen’ to your traffic, retrieve sensitive data and/or take advantage of your network to launch malicious attacks. For this reason, learning how to exploit your home network before the cybercriminal does is a very smart move.

Quick Overview On Wireless Security Options
WEP

  • Wired Equivalent Privacy.
  • The first 802.11 security standard.
  • Very easily ‘hacked’ due to a 24-bit Initialization Vector (IV) and weak encryption.
  • Uses the RC4 stream cipher with 64- or 128-bit keys.

Never use.

[A cyber attack executed against retailer T.J. Maxx in 2009 was traced back to WEP vulnerabilities.]

WPA

  • Wi-Fi Protected Access.
  • Implemented to address major WEP flaws.
  • Backwards compatible with WEP.
  • Personal and Enterprise modes.
  • RC4 with longer IVs and 256-bit keys.
  • Each user acquires new keys with TKIP (Temporal Key Integrity Protocol).
  • Enterprise mode uses 802.1X and EAP.

Only use if WPA2 is not available.

WPA2

  • Wi-Fi Protected Access 2.
  • Strongest standard.
  • Adds the Advanced Encryption Standard (AES) without affecting performance.
  • Personal and Enterprise modes.
  • Replaces both RC4 and TKIP with AES-CCMP for strong authentication and encryption.
  • Seamless roaming: individuals can move from one AP to another on the same network without having to reauthenticate.

Most secure method.

There are fundamentally two types of vulnerabilities found in a wireless home network. The most common is poor configuration, including weak passwords, no security settings, or keeping the ‘out of the box’ default configuration.

  • First things first: change the name of your Wi-Fi network, also known as the SSID (Service Set Identifier).
  • Your wireless router comes pre-set with a default password. That is very easy for a cybercriminal to guess, especially if they can learn the manufacturer.
  • A strong password should be at least 8 characters and should include uppercase, lowercase, and special characters like @#?%^&*.
  • Adding just one capital letter and one special character changes the processing time for an 8-character password from 2.4 days to 2.10 centuries. Think about that!


  • The second vulnerability is weak encryption, including the security keys (WEP, WPA) used to protect the wireless network.
  • The strongest encryption setting to increase your Wi-Fi protection is WPA2 AES.
    • AES is short for Advanced Encryption Standard and is used by governments around the world, including the US.
  • WPA2 AES is a standard security system now, so the majority of wireless networks should be compatible with it.
  • If you are using WPA2 Personal, disable WPS.
    • WPS stands for Wi-Fi Protected Setup. It is a wireless networking standard that makes connecting a router and wireless devices faster and easier. However, although WPS can make your life easier, it is very vulnerable to attacks. (See Fern Wi-Fi below.)

Quick Overview On Wireless Cracking and the Tools

Knowledge is powerful. Cybercriminals are powerful because they have the critical knowledge that leverages all other knowledge: the ability to solve the puzzle known as your password and win the prize known as your data. Beat them to the finish line.

Wireshark

If you enjoy networking and know your protocols, then you will enjoy Wireshark as much as I do. Essentially, it is a network protocol analyzer. You can ‘live capture’ packets and analyze them to find various things related to your network; it lets you see what’s happening at a microscopic level. This tool is available for Linux, Windows, OS X, Solaris and other platforms.

Aircrack-ng

This is one of the most widely known, and many would say most popular, wireless password cracking tools.

Aircrack-ng is a complete suite of tools to assess your Wi-Fi network security. It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA-PSK (WPA 1 and 2).

All tools are command line, which allows for heavy scripting. It works primarily on Linux but also on Windows, OS X, NetBSD, Solaris and even eComStation 2.

Airsnort

Another popular wireless LAN password cracking tool; it can crack WEP keys of a Wi-Fi 802.11b network. This tool passively monitors transmissions and then computes the encryption key once enough packets have been gathered. It works on Linux and Windows platforms.

Kismet

This is yet another popular Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. It is available for Windows, Linux, OS X and other platforms. It is used in Wi-Fi troubleshooting and passively collects packets to identify standard networks and also to detect hidden networks. Built on a client-server modular architecture, it can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.

Fern Wi-Fi

Fern Wi-Fi Wireless Cracker helps with network security by allowing you to see real-time network traffic and identify hosts. It works on Apple, Windows and Linux platforms. It can run other network-based attacks on wireless or Ethernet-based networks. For WPA/WPA2, it uses WPS-based and dictionary-based attacks. For WEP, it uses Fragmentation, Chop-Chop, Caffe-Latte, ARP Request Replay or WPS attacks.

inSSIDer

inSSIDer is the only tool that I use which I pay for (19.99), but it is worth it. It is a very popular Wi-Fi scanner for both Microsoft Windows and OS X platforms. The Wi-Fi scanner can find open Wi-Fi access points, track signal strength, and save logs with GPS records. One of the best uses is to find issues in wireless networks. That alone is worth the money!

I learned how to use these tools through trial and error. My first target was my wireless home network, and I kept at it until I was able to strengthen my overall security. Then I focused on my family and friends (with their permission). Breaking into a wireless network without permission to gain access is a cyber-crime. Do not put yourself at risk.

I was able to turn this experience into an educational session for both my ‘test group’ and me. I was able to show them the importance of having a strong wireless network, and I proved to myself that I could ‘hack’ them.

Overall Results – 8 home wireless networks tested (Again, I stress, I had their permission)

  • 5 set up their networks with straight-out-of-the-box security – Fail
  • 1 network used WEP – Fail
  • 1 network had WPS enabled – Fail
  • 1 network used a well-known password (hello… not kidding) – Fail
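The four failure modes in these results, and the configuration advice earlier on this page, can be turned into a simple checklist audit. This is an added example, not code from the original post; the configuration keys, the list of well-known passwords and the factory SSID prefixes are constructed for the example.

```python
import string

# Constructed sample data standing in for real lists of well-known passwords
# and factory-default SSID prefixes; extend them for your own router.
WELL_KNOWN_PASSWORDS = {"hello", "password", "12345678", "admin", "qwerty"}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default")


def strong_password(pw):
    """Policy from the post: at least 8 characters, with uppercase,
    lowercase and special characters such as @#?%^&*."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation for c in pw))


def audit_network(cfg):
    """Return the reasons a network fails; an empty list is a pass.

    cfg keys (assumed for this example): ssid, encryption ("OPEN", "WEP",
    "WPA" or "WPA2"), wps_enabled, password, password_is_default.
    """
    failures = []
    enc = cfg["encryption"].upper()
    if enc == "OPEN":
        failures.append("no encryption at all")
    elif enc == "WEP":
        failures.append("WEP is broken; use WPA2 AES")
    if cfg.get("wps_enabled"):
        failures.append("WPS enabled; disable it")
    if (cfg["ssid"].lower().startswith(DEFAULT_SSID_PREFIXES)
            or cfg.get("password_is_default")):
        failures.append("out-of-the-box SSID or password still in use")
    pw = cfg.get("password", "")
    if pw.lower() in WELL_KNOWN_PASSWORDS:
        failures.append("well-known password")
    elif not strong_password(pw):
        failures.append("password does not meet the 8+/upper/lower/special policy")
    return failures


if __name__ == "__main__":
    # Constructed configurations: one mirroring the WEP failure, one hardened.
    wep_net = {"ssid": "MyHomeNet", "encryption": "WEP", "wps_enabled": False,
               "password": "Ab#12345", "password_is_default": False}
    good_net = {"ssid": "MyHomeNet", "encryption": "WPA2", "wps_enabled": False,
                "password": "Gr33n#Kettle!", "password_is_default": False}
    for cfg in (wep_net, good_net):
        print(cfg["ssid"], cfg["encryption"], audit_network(cfg) or "PASS")
```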

Cybersecurity is a shared responsibility. Stop. Think. Connect.

What’s in a password?


So, why would we need to learn about password cracking techniques and the very cool tools used to do so? Password cracking plays a major role in cybersecurity. It is the process of recovering passwords, used both to breach the security of a computer system and, as a preventive measure, to locate weak links that may be vulnerable to an attack.


Brute-force attacks involve trying all possible keys, including dictionary words and non-dictionary words alike. Brute-force attacks can crack any password, given enough time.

However, how long are you willing to wait for that password? For example, a 128-bit key has 340,283,366,970,938,463,463,374… possible combinations; at a billion keys per second, that is just shy of 100,000,000,000,000 years. Brute force is often the last resort, with the upside that it will always find the password. The downside is whether you will still be around when it does.
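The arithmetic behind the two figures above (the jump from 2.4 days to 2.10 centuries for an 8-character password, and the 128-bit key space) generalizes to any password: the character classes present determine the alphabet, and alphabet to the power of length is the number of candidates an exhaustive search must cover. This added example (not from the original post) computes that for arbitrary passwords and guess rates; the one-billion-guesses-per-second rate is illustrative, since real speed depends on the hash or protocol attacked.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Conventional character classes a brute-forcer would have to enable.
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def charset_size(password):
    """Size of the alphabet an attacker must search: the sum of every
    character class that appears in the password (26, 26, 10, 32)."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))


def keyspace(password):
    """Number of candidates of this length drawn from that alphabet."""
    return charset_size(password) ** len(password)


def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, guesses_per_second=1e9):
    """Map each password to (keyspace, years to exhaust) at one rate."""
    return {p: (keyspace(p), years_to_exhaust(keyspace(p), guesses_per_second))
            for p in passwords}


if __name__ == "__main__":
    # Constructed samples: lowercase only, then with one capital and one symbol.
    for pw, (space, years) in compare(["abcdefgh", "Abcdefg!"]).items():
        print(f"{pw}: {space:,} candidates, {years:.4f} years at 1e9/s")
    # The 128-bit key from the text, for scale.
    print(f"128-bit key: {years_to_exhaust(2 ** 128, 1e9):.3e} years at 1e9/s")
```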

Dictionary attacks try the candidates most likely to succeed, taken from a wordlist produced by a dictionary program. A dictionary attack may not crack every key, but it is often faster than brute force. However, although dictionary attacks remove the time factor, the program will not succeed if the password is not in your dictionary file. For example, if your password is B#h$7yt, the simple addition of symbols and numbers can thwart the attack.

Rainbow table attacks are by far the fastest method of password cracking, mainly because they come with pre-computed hashes. For a basic example of hashing, say your password is Apple; after it is hashed it is transformed into 865948plpogh76542187629bd1. Woo hoo, it is secure.

Not so fast. Although hashing is a one-way function, meaning that you can never ‘decrypt’ the hash to unveil the underlying clear text, that is not the end of the story: rainbow tables are humongous sets of pre-computed tables chock-full of hash values pre-matched to potential plaintext passwords.

Essentially, these tables allow anyone to reverse the hashing function in order to determine what the plaintext password might be. Additionally, multiple different passwords can result in the same hash, so it is not important to find out what the original password was, just one that produces the same hash. As long as the hash matches, the original password does not matter.
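The lookup described above, and the standard defence against it, in an added example that is not part of the original post. A rainbow table compresses the hash-to-plaintext pairs into chains; this example uses the plain lookup table it stands in for, built once over a constructed wordlist and then applied to any stolen hash. A per-user random salt prepended before hashing makes every table useless, because the attacker would have to precompute a new one per salt. SHA-256 is used for brevity; a real password store would use a slow, salted algorithm such as bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a multi-gigabyte precomputed table.
WORDLIST = ["password", "123456", "Apple", "hello", "letmein"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext once; reusable against every unsalted hash."""
    return {sha256_hex(w): w for w in words}


def lookup(table, stolen_hash):
    """Return a plaintext with this hash, or None. Any preimage will do."""
    return table.get(stolen_hash)


def hash_with_salt(password, salt):
    """Store 'salt$digest' so the salt is available for verification but
    the digest no longer matches any table built without that salt."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time compare


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(lookup(table, sha256_hex("Apple")))          # instant hit: Apple
    stored = hash_with_salt("Apple", os.urandom(16))
    print(lookup(table, stored.split("$")[1]))         # None: table is useless
    print(verify_salted("Apple", stored))              # True: legit login works
```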

The Very Cool Tools

(There are other tools available. However, these are my favorites. I have included the links and descriptions so you can visit the sites, download the tools, explore them and learn.)

Cain and Abel

Cain and Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms.

John the Ripper

John the Ripper is a well-known and popular free and open source program. It supports fifteen different platforms including Unix, Windows, DOS, BeOS, and OpenVMS. You can use it either to identify weak passwords or to crack passwords to break authentication. It performs brute-force attacks over all possible passwords by combining letters and numbers, and you can also use it with a dictionary of passwords to perform dictionary attacks.

RainbowCrack

RainbowCrack is also a popular tool used for password cracking. It generates rainbow tables to use while performing the attack, which is how it differs from conventional brute-forcing tools: the rainbow tables are pre-computed, which reduces the time needed for the attack.

Various organizations have published pre-computed rainbow tables for all Internet users. To save time, you can download those rainbow tables and use them in your attacks.

This tool is still in active development. It is available for both Windows and Linux and supports all the latest versions of these platforms.

Aircrack-ng

Aircrack-ng is a complete suite of tools to assess Wi-Fi network security. Aircrack-ng (the ng refers to next generation) focuses on different areas of Wi-Fi security, including Monitoring: packet capture and export of data to text files for further processing by third party tools; Attacking: replay attacks, deauthentication, fake access points and others via packet injection; Testing: checking Wi-Fi cards and driver capabilities (capture and injection); and Cracking: WEP and WPA-PSK (WPA 1 and 2).

The tools are command line, which allows for heavy scripting. It supports Linux primarily but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, Solaris and even eComStation 2.

THC Hydra

THC Hydra is often the tool of choice when you need to brute-force crack a remote authentication service. THC Hydra can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.

This free-to-use tool allows pen testers, security analysts and others to learn how easy or difficult it would be to gain remote access to a system. It also lets you add new modules to extend its functionality. Via its GitHub page, you can also participate in the development of THC Hydra. THC Hydra supports Windows, Linux, Solaris, FreeBSD, and OS X platforms.

Cybersecurity is a shared responsibility. Stop. Think. Connect.