Hacking wifi wpa security with BackTrack 3

Wifi networks have more weaknesses than wired networks. Currently wifi very significant technological developments in line with the needs of mobile information systems. Many wireless service providers such as commercial hotspot, ISP, internet cafes, campuses and offices will have started to use the wifi on each network, but very little attention to security of data communications on the wireless network. This makes the hacker be interested to mengexplore keamampuannya to perform various activities which are usually illegal to use wifi.
In this article will discuss various types of activities conducted and methods that hackers wireless or the beginner in doing wardriving. Wardriving is an activity or activities to obtain information about a wifi network and gain access to the wireless network. Generally aim to get an internet connection, but many also do for certain purposes ranging from curiosity, try try, research, practical tasks, and other crimes.

Wireless Weaknesses
Weaknesses of wireless networks can generally be divided into 2 types, namely the weakness on the configuration and weakness on the type of encryption used. One example of the causes for weaknesses in the current configuration to build a wireless network quite easily. Many vendors that provide facilities that enable the user or admin so often found in wireless networks are still using the default wireless configuration congenital vendors. Writers often find a wireless network installed in still using the default settings congenital vendors such as SSID, IP Address, remote management, DHCP is enabled, frequency channels, without encryption and even user / password for the wireless administration.
WEP (Wired Equivalent Privacy), which became standard for wireless security before, when this can be easily solved with the various tools that are available for free on the internet. WPA-PSK, and LEAP are considered to be a solution to replace WEP, now also has to be solved by using an offline dictionary attack.


Several events and activities being undertaken to mengamanan wireless networks, among others:
1. SSID Hiding
Many administrators hid Services Set Id (SSID) wireless network with the intention that they only know the SSID can be connected to their networks. This is not true, because the hidden SSID may not actually be perfect. At certain times or in particular when the client will connect (associate) or when it will decide itself (deauthentication) of a wireless network, then the client will still send the SSID in the form of plain text (although the use of encryption), so if we mean to bug it, can easily find that information. Some tools that can be used to get the ssid which dihidden among others, kismet (kisMAC), ssid_jack (airjack), aircrack, void11 and much more.

2. Wireless security with WEP key
WEP is a security & encryption standard first used in wireless, WEP has several weaknesses, among others:

* The problem of weak keys, RC4 algorithm used can be solved.
* WEP uses a static key
Problem initialization vector (IV) WEP
* Problems Cyclic Redundancy Check the integrity of the message (CRC-32)

WEP consists of two levels, namely 64-bit key and 128 bits. Actually, the secret key on 64 bit WEP key is only 40 bits, while 24bit is an Initialization Vector (IV). Similarly, the 128-bit WEP key, secret key consists of 104bit.
The attacks on the weaknesses of WEP, among others:

* The attack on the weaknesses of the initialization vector (IV), often called the FMS attack. FMS stands for the third name the inventor of weakness IV Fluhrer, Mantin, and Shamir. This attack was done by collecting a weak IV as much as possible. The more weak IV is obtained, the more quickly find the key that is used (www.drizzle.com/ ~ aboba/IEEE/rc4_ksaproc.pdf)
* Obtain a unique IV data obtained through the packet to be processed for the process of cracking the WEP key more quickly. This method is called chopping attack, first discovered by h1kari. This technique only requires a unique IV thus reducing the need for a weak fourth in doing WEP cracking.
* The above attack requires considerable time and packet, to shorten the time, hackers usually do traffic injection. Traffic Injection is often done by collecting the ARP packet and then sent back to the access point. This resulted in the collection of the initial vector easier and faster. Unlike the first and second attack, attack traffic for injection, required specification of tools and applications that start rarely found in stores, ranging from 2chipset, firmware version, and versions of drivers, and not infrequently have to do patching of drivers and applications.

3. Only with a key wireless security WPA-PSK or WPA2-PSK
WPA is a temporary security technology designed to replace WEP key. There are two types ie, WPA Personal (WPA-PSK) and WPA-RADIUS. Currently already be on crack are WPA-PSK, namely the method of offline brute force attack. Using brute force trial and error a lot of words from a dictionary. This attack will succeed if the passphrase is used in wireless is indeed terapat on dictionary words that are used to the hacker. To prevent any attacks against wireless security using WPA-PSK, use a passphrase that is long enough (one sentence). Well-known tools used to do this attack is CoWPAtty (http://www.churchofwifi.org/) and aircrack (http://www.aircrack-ng.org). These tools require a list of words or wordlist, can be taken from http://wordlist.sourceforge.net/

4. MAC Filtering
Almost every wireless access point or router MAC filtering is facilitated by the security. This is actually not much help in securing wireless communications, because the MAC address is very easy dispoofing or even altered. Tools ifconfig in OS Linux / Unix or a variety of tools such as network utilities, regedit, smac, machange on OS windows with easy to use for MAC address spoofing or replace.
The author is still often find wifi in offices and even the ISP (which is usually used by the cafe-cafe) that only use MAC filtering protection. By using wardriving applications like kismet / aircrack kisMAC or tools, we can obtain information on the MAC address of each client that is connected to an Access Point. After getting this information, we can connect to the access point by changing the MAC in accordance with this client. In wireless networks, duplication of the MAC Address does not lead to conflicts. It merely requires a different IP client earlier.

5. Captive Portal
Captive Portal infrastructure originally designed for the purposes of community that enables all people can connect (open network). Captive portal is actually a router or gateway machine which does not protect or allow the traffic until the user making the registration / authentication. Here's how the captive portal:

1. user with a wireless client is allowed to connect wireless to get the IP address (DHCP)
2. block all traffic except those leading to a captive portal (Registration / Web-based Authentication), which is located on the cable network.
3. or belokkan redirect all web traffic to a captive portal
4. after a user to register or login, allow access to the network (Internet)


Some things to note, that the captive portal client connection tracking only based on IP and MAC address after authenticating. This makes is possible to use a captive portal with no authentication for IP and MAC Address can dispoofing. Attacks by spoofing IP and MAC. MAC Address Spoofing, as already explained in section 4 above. Medium to IP spoofing, more efforts are needed to utilize the ARP cache poisoning, we can redirect traffic from a client who has been connected before.
Other attacks are fairly easy to do is to use the Rogue APs, namely setting up an Access Point (usually using HostAP) which uses the same components such information as the target AP SSID, BSSID to the frequency channel is used. So when there is a client that will connect to the AP made us, can we divert traffic to the actual AP. Not infrequently the captive portal built on a hotspot has a weakness in its network configuration or design. For example, authentication is still using plain text (HTTP), network management can be accessed via wireless (located on one network), and many more. Another weakness of the captive portal is that the communication traffic data or when it is authenticating (connected network) will be sent is still not encrypted, thus easily intercepted by hackers. For that we need to be careful to connect to the hotspot network, so try using a secure communications protocol such as https, pop3s, ssh, imaps ff.