
On Setting Up a WiFi Hacking Environment

I haven't been playing with WiFi hacking for some time, so I wanted to put my skills to the test once again. To my surprise, setting up the environment was more complicated than I thought it would be. I ended up in many forums, went through a lot of troubleshooting procedures and took two days to make it work. For your benefit, I'd like to share with you how to avoid the trouble that I went through.

The Basics

In short, WiFi hacking breaks down into 2 (extremely) macro steps:

  1. Choose a WiFi adapter
  2. Dive into hacking

That's how I divided my efforts. The adapter part is much more troublesome and took me much more time. Hacking itself means knowing the concepts and the tools, having patience, and having proper authorization before attacking other people's networks.

Choosing an adapter

A good adapter needs to:

Diving into hacking

After the hard part of choosing your adapter and making it work, you need to understand how WEP and WPA work, how to break each of them and how to use the right tools to support your attack. I won't go into specific commands because you can see them in this article and many others on the internet. After all, tools change more often than concepts.

On breaking Wired Equivalent Privacy (WEP): it was deemed vulnerable because it makes use of a broken algorithm called RC4 and repeats Initialization Vectors after every 5000 packets with a probability of 50%. In other words, it is possible to break WEP networks in minutes by analyzing captured packets. Such an attack has been demonstrated since 2001. So, to hack such networks, you only need to put your interface in monitor mode, capture many packets and analyze them. All those tools come out of the box in the aircrack-ng suite, although there are other tools as well.
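The "50% after about 5000 packets" figure above is the birthday bound on WEP's 24-bit IV space. The following Python, an added example that is not part of the original article, computes that bound: the probability that some IV value has already been reused after a given number of frames, assuming each frame draws its IV uniformly at random. (Many real WEP cards instead used sequential IVs, which repeat only on wrap-around or when the counter resets to zero; the random-IV model is what the 50% figure describes.) The constants and function names are my own.

```python
import math

IV_BITS = 24              # WEP prepends a 24-bit Initialization Vector to the RC4 key
IV_SPACE = 2 ** IV_BITS   # 16,777,216 distinct IV values


def repeat_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value is reused among `packets` frames,
    assuming each frame picks its IV uniformly at random (the birthday bound)."""
    if packets > space:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    # P(no repeat) = prod_{i=0}^{n-1} (1 - i/space); summed in log form so the
    # product does not underflow for large n
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_probability(target: float, space: int = IV_SPACE) -> int:
    """Approximate number of frames after which the reuse probability reaches
    `target`, via the closed-form birthday estimate n ~ sqrt(2 * N * ln(1/(1-p)))."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - target))))


if __name__ == "__main__":
    for n in (500, 1000, 2000, 5000, 10000):
        print(f"{n:>6} frames -> IV reuse probability {repeat_probability(n):.3f}")
    print(f"50% reuse expected after about {packets_for_probability(0.5)} frames")
```

Running it shows the reuse probability crossing 50% just under 5000 frames, which is why a busy WEP network yields repeated keystreams within minutes; the only mitigation is to stop using WEP, since the IV size is fixed by the protocol.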

On breaking Wi-Fi Protected Access (WPA/WPA2): secure against the previous flaw in WEP, WPA and WPA2 can, for now, only be attacked using brute force. The attacker must put his interface in monitor mode, capture the four-way authentication handshake in its entirety (you can't miss a packet here) and use some wordlist to brute-force the encrypted secret. So the password strength matters a lot here. It may not be possible to break through that way, but Wireless Protected Setup (WPS), an attempt to make it easy for laypeople to set up their wireless network, introduced 3 vulnerabilities that ease exploitation. The oldest and most popular is the online PIN brute-force vulnerability that allows attackers to gain access to the network. To exploit such a vulnerability, Reaver was developed, but it was discontinued in that repository and was embraced by the community here. In short, you can scan for networks with WPS enabled and attack them using Reaver. Unfortunately, it's not always possible to disable WPS (from a defense perspective, that is). It depends on each vendor, but it's worth the time to verify whether you can lock WPS. That can be verified using the wash command that comes with Reaver, or using Reaver directly. It's also possible that your router automatically rate limits requests that aim to hack WPS. Again, it depends on each vendor. I recommend you check for yourself.
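To make the "password strength matters a lot" point concrete, here is an added Python example (mine, not from the article or from any tool it mentions). It derives the WPA/WPA2-Personal Pairwise Master Key the way the 802.11i standard specifies it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), which is the value a captured handshake lets an attacker test guesses against offline, and then estimates how long exhaustive search takes for passphrases of different lengths. The passphrase, SSID and guess rate are constructed values; the guess rate in particular is an assumption, not a measurement.

```python
import hashlib
import math

PBKDF2_ROUNDS = 4096      # iteration count fixed by the WPA/WPA2-Personal spec
PMK_BYTES = 32            # 256-bit Pairwise Master Key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK as WPA/WPA2-Personal does: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output. The four-way handshake derives the session
    keys from this PMK, so a captured handshake is enough to test guesses offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passphrases of `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def expected_years(keyspace_size: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried
    before the right passphrase comes up."""
    seconds = keyspace_size / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed inputs for illustration only. The guess rate is an assumed
    # figure; real rates depend entirely on the attacker's hardware.
    ASSUMED_GUESSES_PER_SECOND = 100_000.0
    pmk = wpa2_pmk("correct horse battery staple", "ExampleNet")
    print("PMK:", pmk.hex())
    for label, length, alphabet in (("8 lowercase letters", 8, 26),
                                    ("8 mixed case + digits", 8, 62),
                                    ("12 mixed case + digits", 12, 62),
                                    ("16 mixed case + digits", 16, 62)):
        space = keyspace(length, alphabet)
        print(f"{label:<24} keyspace 2^{math.log2(space):5.1f} -> "
              f"~{expected_years(space, ASSUMED_GUESSES_PER_SECOND):.2e} years")
```

The 4096 PBKDF2 rounds make each guess cost thousands of HMAC operations, which slows an attacker down but does not rescue a short or dictionary passphrase; note also that the SSID acts as the salt, so a common SSID lets precomputed tables be reused across networks, while a unique SSID forces the work to be redone per network.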

That's all I have for now. Stay tuned and sign up below if you liked this article :)

