Hacking and jamming WiFi networks
This year I moved into a new apartment in the inner-city suburb of Friedrichshain, Berlin. When I was setting up my router I noticed over 30 WiFi networks in range of my MacBook’s internal WiFi antenna.
This seemed like an extraordinary number of networks so I decided to do some research. Wiggle.net is a open platform for sharing wireless network information. By installing apps on their phones members can passively triangulate and map wireless access points (APs) as they move about the city. Below, each dot represents an AP and by zooming in over my block we can see individual network names (ESSIDs).
With all these networks out there some are bound to have vulnerabilities. So, in order to learn more about network security I bought a more powerful wireless adapter and began experimenting.
Disclaimer: everything I’m about to describe was done for research purposes. Please don’t abuse these techniques as it may be illegal in your country.
WiFi manipulation is incredibly simple these days, all you need is a wireless adapter capable of monitor-mode and the appropriate software.
I choose an Alfa AWUS036H adapter and a USB-bootable live Kali Linux instance running on my MacBook. Monitor mode allows you to listen to all information being broadcast over the WiFi radio frequencies - not just the information that was intended for you. With this setup we can monitor all the devices communicating with each other within our antenna’s range.
My first step was to get information about the networks in my surroundings.
WiFi network access points have several important properties.
- BSSID: a hardware address for the access point. Just a very long number, here shown in hexadecimal couplets.
- Encryption method: when you connect to a WiFi network and enter a password you’re typically using WEP or WPA/WPA2 security algorithms to authenticate.
- ESSID: the name of the network.
Below is output from a basic network analysis run with airodump-ng.
In the first section I have highlighted my own network “Let’s Dance”. You can see its BSSID and encryption type. In the second section we can see clients (phones, computers etc) that are communicating with each access point. Near the highlighted section we can see two stations connected to my network. These were my phone and a second laptop, (the latter of which is highlighted).
The experiments that follow were performed on my own network but could just as easily be performed on other networks in my surroundings.
One quite surprising aspect of wireless networking is that its very easy to impersonate other devices. We can transmit packets to an access point and just say that it came from another station — without being connected to that network.
The 802.11 wireless protocol has many different management frames (packet types) used for establishing and authenticating connections. One such packet is the Deauthentication Frame, which is sent to an access point by a station wishing to disconnect. The funny thing is, there’s no way to authenticate the origin of the sender. (AP’s are very trusting).
Networks can be jammed by flooding the AP with Deauthentication Frames in what is know as a deauth-attack. By assuming the identity (MAC address) of a station on the network, the AP will deauthenticate the real station. The real station will then attempt to reauthenticate, but, it will never succeed due to our barrage of deauth-frames and its network access will be effectively blocked.
In the example above I used aireplay-ng to blast my AP (88:25:2C:B5:5E:AD) with Deauthentication Frames while impersonating my second laptop (DO:E1:40:90:59:30).
The result was a lost connection on my second laptop (and the incidental discovery of a hidden dinosaur game in Google Chrome). By omitting the client SSID we can jam the entire network.
Why would someone do this?
I can’t imagine any non-malicious application for this attack. You are denying clients access to an AP and blocking their internet connections. As we’ll see later this can be used to capture network authentication details.
In one scenario imagine two competing cafes with free WiFi access. One cafe could theoritically use a deauth-attack to disrupt the other cafe’s network, lowering customer satisfaction.
Interestingly, there are people that use similar techniques daily. For instance a man in Philadelphia who blocked cell phone connections each time he rode the bus.
The next experiment was gaining access to private networks. There are two main ways to secure a WiFi network: with WEP, or with WPA/WPA2.
WEP was introduced in 1999 and should now be considered completely insecure. If you are still using it today please upgrade to WPA. Due to flaws in it’s design the supposedly random Initialization Vector used to seed the RC4 encryption algorithm eventually repeats itself. This means that if an attacker listeners to WEP encrypted traffic long enough they can decode the network password in plain-text. Sometimes this requires only a few seconds.
Above we can see a collection of access points with their ESSIDs and encryption protocols. It also shows which networks have active clients. This was important for my next step.
WPA is a much more secure protocol. Instead of sending encrypted passwords a station sends a password in a salted-hashed state. Hashing is a non-reversible conversion of arbitrary digital data into a string of a fixed size.
8B1A9953C4611296A827ABF8C47804D7 = hello B9C8BE77AC164E79364F1A61C0B4A9A4 = AManAPlanACanalPanama
The reason that hashing makes WPA more secure is that hashes cannot be reversed. Instead, you need to hash every combination of characters until you find a hash that matches the hash you obtained. What makes this more complicated is salting. Salting adds a unique characteristic to a hashing function to prevent the sharing of hashed dictionaries, called rainbow tables. Without the salt we could collectively compile a list of hashed words and simply look the hash up in the chart.
A further level of complication is that the WPA hashing algorithm is purposefully slow and computationally expensive. It was designed this way to make the speed of hashing prohibitive. In fact, cracking an alphanumeric WPA password 8 characters in length with an i5 CPU would take 1481 years.
This is a pure brute-force attack that simply attempts every possible combination of characters. There are, however, smarter options. GPUs drastically increase performance, sometimes by an order of magnitude. When run in parallel on cloud computing systems cracking times can be reduced to a number of years. However, this time can be reduced again by using dictionaries.
Dictionaries are collections of common English words, phrases and passwords. By combining words instead of individual characters the amount of hash attempts needed can be greatly reduced. So much in fact that there is a cloud service dedicated entirely to WPA cracking. It can process 300 million word combinations in 20minutes and only costs $17.
So now, if we can obtain a hashed password we can send it to the cloud, make a cup of tea and wait for the result. If the administrator chose a weak password it should take less that an hour, if they chose a more random combination of characters it may be practically impossible.
Obtaining a hash
Getting a hash is simple. We just use our deauth-attack discussed above to bump a station off the network. When they try to reauthenticate using a WPA “handshake” we listen to the request and capture the hash.
Above is the handshake I captured between my AP and second laptop. I could now pay to crack its associated hash in the cloud but I didn’t bother.
Realistically, if you have a strong password your WPA network is secure. Breaking it would be a lot of effort and its more likely an attacker would move on and look for WEP encryption or open networks instead.
I had a lot of fun experimenting with wireless protocols. Once you do gain access to a private network then the real fun begins. I’ll talk more about that in my next post.
It’s worth remembering that networks are never safe. When you use your WiFi at home be aware that someone, somewhere could be listening or attempting to gain access. Use WPA encryption and if in doubt choose a more secure password. As the maps in the beginning of this piece suggest, if you use WEP, people will know about it.