Wireless networks or Wi-Fi have a number of key advantages over wired networks as they increase efficiency, access and availability, and even has cost saving perks too; However, these networks are targeted by hackers because of some of these advantages. Here are the steps an attacker or security professional might take when trying to exploit these networks.
1. Discovering Wi-Fi networks – This is the first step in trying to compromise a Wi-Fi network. In this step, various Wi-Fi discovery tools (like NetStumbler, NetSurveyor, and so on) are used to scan the available networks within range.
2. Wireless traffic analysis – This step involves setting up the correct hardware and software for Wi-Fi hacking. Some operating systems, like Windows, allow you to listen to traffic but do not permit you to inject Wi-Fi traffic, while others, like Linux, allow both. Also, some essential tools used in Wi-Fi hacking like Aircrack-ng work only with specific Wireless adapters. Once the right hardware and software have been set up, tools like Wireshark can be used to analyze wireless traffic.
3. Execute attacks – Once the initial reconnaissance has been done, it’s time to execute attacks on the target wireless network.
- Fragmentation attack - By launching a successful fragmentation attack, we can obtain up to 1500 bytes of PRGA (Pseudo Random Generation Algorithm). This attack doesn’t reveal the WEP key but fetches the PRGA. Once the PRGA is obtained, it can be used to generate packets that are then used for various wireless injection attacks.
- MAC-spoofing - Many access points have MAC filtering enabled. This means only those devices whose MAC ID is in the access point’s whitelist can connect to the wireless network. To bypass this, MAC address spoofing can be used to change the MAC address of a wireless adapter to the one matching the access point’s MAC whitelist. SMAC is one such tool on Windows that helps change the MAC address of network adapters.
- De-authentication attack - This type of attack is used to forcefully disconnect users who are actively connected to the target access point. This is a type of denial-of-service attack.
- Man-in-the-middle attack - In this type of attack, the attacker first deauthorizes a valid active user from the access point, then forces the victim user to connect to a fake access point, and finally intercepts all the data that the victim sends and receives during the session.
- Evil twin attack - In this type of attack, the attacker sets up an access point that pretends to be legitimate by imitating another genuine access point within the area. Users connect to the rogue access point, which is exactly the twin of the original access point. Once the users are associated with the rogue access point, the attacker can intercept and tamper all network traffic passing through it.
4. Break Wi-Fi encryption - The next step, involves finding the encryption key used in the target wireless network. The Aircrack toolset, which includes tools like airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng, can be effectively used to crack the encryption key.