Today most of us have wireless networks at home. It is very convenient to get rid of all the cables, and with tablets, phones and laptops we are so mobile that we do not want wires at all.
We want to lie in bed or on the couch and surf or watch movies; it has become part of our everyday life.
When we order broadband today, we often get a modem with a built-in router function and Wi-Fi enabled, and it is incredibly easy to plug in your devices.
Wi-Fi has matured
The market and users have matured a lot: gone is the time when unprotected networks could be found in every house, and the insecure WEP authentication is soon to be just a memory.
To give some insight into it all, I will take a quick look at the history of breaking into wireless networks, but first, a bit of general knowledge.
To break Wi-Fi
As we know, all wireless data traffic is based on radio waves, which are broadcast at different frequencies, or channels as they are called in Wi-Fi. All of us who have been in a Wi-Fi-congested area have had problems with this at some point, when too many networks broadcast on the same frequency, but today many access points have automatic channel selection to find the least-trafficked frequency.
Since the technology is based on radio waves, anyone with a radio receiver can sniff, or "listen" to, the traffic sent over it.
We can identify all devices by their MAC addresses and isolate networks by their access point, or BSSID, thus isolating the traffic we want to listen to or capture. This information can be used to read your traffic and, in the long run, to break into your network.
WEP
WEP was probably the first-generation Wi-Fi authentication, and it had a flaw in its encryption that made it relatively easy to recover your key.
WEP has a relatively short IV (initialization vector) of only 24 bits; if you capture two packets that reuse the same IV, you can calculate the key.
In essence, the attack tricked the network into producing enough IVs that the same IV was used twice, since there is only a limited number of combinations (24 bits gives about 16 million). This was done by creating a large number of fake authentication attempts against the access point and saving the traffic in a cap file.
This file could later be used to calculate the correct key.
The FBI made a demo where they cracked a WEP-protected network in 3 minutes.
The only way to protect yourself was to tunnel all your traffic through SSH or IPsec.
WPA / WPA2
Today WEP has almost gone to the grave, and we use almost exclusively WPA or WPA2, which come in 2 different implementations: wpa-psk and wpa-802.1x.
wpa-802.1x is designed for business environments and is quite difficult to set up. To be really honest, I do not think I have ever come into contact with a wpa-802.1x network, so I do not dare say anything about its security.
wpa-psk, on the other hand, is the most common authentication today; psk stands for "private shared key".
It is based on a password that must be between 8 and 64 characters, and wpa-psk is considered secure.
However, there have been 2 problems, and I will list both, starting with the most vulnerable part.
WPS
WPS, which stands for "Wi-Fi Protected Setup", was introduced in 2007 to make it easier for home users to connect their wireless devices; the methods are connecting via a push button, via a PIN code, or via close physical contact.
According to the standard, all routers that support WPS must also support connection via PIN code, and it is precisely this method that is vulnerable.
The PIN code is 8 digits, the last of which is a check digit calculated from the remaining 7 digits. This gives 10⁷ combinations = 10,000,000.
However, the code is verified 4 digits at a time, which simplifies things considerably.
The first part (the first 4 digits) gives 10⁴ = 10,000 possibilities and the second 10³ = 1,000 (remember that the last digit is just a check digit), and this gives 11,000 combinations, which a computer can test in a few hours.
Some manufacturers have taken this on board and built in certain security features, such as automatically locking the PIN code after a certain number of attempts within a certain time.
On other routers you cannot even disable the PIN code, and the network is completely open to attack.
A lockout or shutdown of the service can discourage the most demanding attacks, but an experienced attacker always does his homework first, finding out which router he is up against and looking for information about what obstacles he may face along the way.
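The search-space arithmetic and the lockout countermeasure from the paragraphs above, worked through in code. This is an added example, not part of the original post; the check-digit rule is the one from the WPS specification (alternating weights 3 and 1 over the first 7 digits), and the policy of locking the PIN for 60 seconds after 3 failures is an assumed illustration, not any particular router's setting.

```python
# Added example (not from the original post): why WPS's split PIN verification
# shrinks the search space, and how a lockout policy changes the time to exhaust it.
from typing import Optional


def wps_check_digit(body: int) -> int:
    """Check digit for the first 7 PIN digits (WPS spec rule: weights 3,1,3,1,3,1,3)."""
    digits = [int(d) for d in f"{body:07d}"]
    acc = sum(3 * d if i % 2 == 0 else d for i, d in enumerate(digits))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_check_digit(int(pin[:7])) == int(pin[7])


def pin_space(split_verification: bool) -> int:
    """Worst-case guesses: 10^4 + 10^3 when each half is confirmed separately, else 10^7."""
    return 10**4 + 10**3 if split_verification else 10**7


def seconds_to_exhaust(guesses: int, seconds_per_guess: float,
                       lockout_after: Optional[int] = None,
                       lockout_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time; every lockout_after failures add a lockout_seconds pause."""
    total = guesses * seconds_per_guess
    if lockout_after:
        total += (guesses // lockout_after) * lockout_seconds
    return total


if __name__ == "__main__":
    print(is_valid_wps_pin("12345670"))  # the well-known sample PIN: check digit 0 is correct
    for split in (False, True):
        n = pin_space(split)
        print(f"split verification={split}: {n:,} guesses, "
              f"{seconds_to_exhaust(n, 1.0) / 3600:.1f} h at 1 guess/s")
    # Assumed policy: lock the PIN for 60 s after 3 failures (as some firmware does)
    print(f"with lockout: {seconds_to_exhaust(11_000, 1.0, 3, 60) / 3600:.1f} h")
```

At one guess per second the split design turns roughly 2,778 hours into about 3 hours, and the assumed lockout policy pushes that back to about 64 hours, which is why the lockout matters even though it does not change the size of the space.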
By tinkering with the pauses between attempts and the number of seconds to wait after the router stops responding, one can prevent the system from locking up.
An experienced cracker can easily find out which make your router is from its unique hardware address, or MAC address as it is called.
Brute force against the password
This technique requires a password list, and the fact that passwords are between 8 and 64 characters long gives us a lot of combinations, and a good password