3

I have recently set up a wireless network for a friend's business, and he asked me if there was any way someone could "hack" it. I assured him it would be extremely difficult once I set up a WPA2 key.

This got me thinking, how can I really be sure that no one could perform some type of hack? I know what types of hacks are out there, but I have no experience in actually performing them. I understand essentially what has to happen in order to perform, for example, a man-in-the-middle attack, but how does one actually fool a victim's ARP component into thinking that the attacker's machine is the gateway? This seems like it would require access to the victim's machine.

John Rasch
  • 163
  • 4
  • 10

4 Answers

4

I've implemented a WEP attack against my own private AP to see how this functions and to determine if my wireless home setup was secure. Not surprisingly, the encryption failed, and I decided to run wires everywhere until I can get a newer AP with better security.

And the answer is:

Well...it all depends. Never say never, as you're trusting the fact that everything really is secure, when maybe it isn't. I would seriously look at attempting a penetration test with your own equipment against the AP you're using before going much further. It sounds like WPA-PSK can be broken under certain circumstances - like when the AP doesn't implement it properly.

I would say that using a reasonably long password, along with a very long SSID name, should provide you with the security you're after. The reason the SSID name length is important is that it appears to influence the encryption process. If you're really paranoid, do two things:

  1. add a second factor, like RADIUS or certificates, to at least keep people out of the rest of the network...
  2. look for strange parked cars with people gleefully typing away at laptops
Avery Payne
  • 14,326
  • 1
  • 48
  • 87
4

ARP poisoning is such a trivial thing to accomplish, it should scare most normal people away from wireless. Of course, you could ARP poison a wired network also, but in theory, your wired network isn't open to just anyone walking around in, or around, your building.

Have a look at Cain (one popular tool used in ARP poisoning)

GregD
  • 8,713
  • 1
  • 23
  • 35
  • Your answer is in 2009, not sure what WIFI protocol then. But in today's WPA2 protected network, ARP poisoning is only useful and possible if you are inside and authenticated in the same WPA2 protected wifi network, i.e., you have passed the 4 way handshake set up by the WPA2 protocol. – Peter Teoh May 02 '18 at 08:58
  • @PeterTeoh I make no assertions that my answers here, or elsewhere, are at all relevant 8 years later...which is like 50 years in IT time. – GregD May 07 '18 at 14:46
2

Using a *nix box (assuming you have already aircracked your way onto the wireless network), you can use a set of utils called dsniff, then the arpspoof command, to make the LAN hosts think your machine is the gateway (it sends out "ARP X.X.X.X is here AAAA:BBBB:CCCC" responses to the network, fooling the hosts into inserting your machine into their ARP caches). From there you can intercept/redirect/mirror any connection attempt, i.e. a request to Google can be redirected using iptables/ipfw to your local Apache server for further mischief.

Make sure you have [ gateway_enable="YES" ] set in your rc.conf for FreeBSD, or [ echo "1" > /proc/sys/net/ipv4/ip_forward ] for Debian (may be true for other Linux distros), so your machine will route the packets out to the real gateway after it's done having fun with them.

Bruce Grobler
  • 146
  • 1
  • 5
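The answer above describes the attacker's side: unsolicited "X is at <MAC>" replies that overwrite the gateway entry in every host's ARP cache. The defender's side is to watch for exactly that signature. The following is an added example, not code from the thread or from dsniff: it replays a constructed list of ARP replies through two checks (a pinned gateway binding being contradicted, and an IP whose MAC changes mid-stream) and also flags one MAC answering for several IPs. The sample addresses, MACs and the `detect_arp_conflicts` function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the segment: (sender_ip, sender_mac).
# The gateway 192.168.1.1 normally lives at 00:11:22:33:44:01; from the
# fourth reply on, another MAC starts answering for it, the way arpspoof does.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.20", "00:11:22:33:44:14"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP announced with a new MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC now also claims a host
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # spoofed replies repeat periodically
]

# Static bindings an administrator would pin for critical hosts (constructed).
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_conflicts(replies, pinned):
    """Return alert strings for IP->MAC bindings that look poisoned.

    Check 1: an IP announced with a MAC that contradicts a pinned binding.
    Check 2: an IP whose MAC differs from the one first seen in this stream.
    Check 3: one MAC claiming several IPs (note: a router doing proxy ARP
    does this legitimately, so treat this one as a lead, not proof).
    """
    first_seen = {}                # ip -> first MAC observed
    claims = defaultdict(set)      # mac -> IPs it has answered for
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip in pinned and pinned[ip].lower() != mac:
            alerts.append(f"PINNED_MISMATCH {ip}: expected {pinned[ip]}, saw {mac}")
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append(f"MAC_CHANGE {ip}: {first_seen[ip]} -> {mac}")
        first_seen.setdefault(ip, mac)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"MULTI_IP_MAC {mac}: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES, PINNED):
        print(alert)
```

On a real network the reply list would come from a sniffer or the host's own neighbour table; the two binding checks are what tools such as arpwatch alert on.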
2

Over an unencrypted network, you would use two WiFi antennas and a patched version of AirPwn.

With WPA2 and a strong passphrase (WPA-PSK), there is NO WAY to perform a MitM attack. When I say strong password, I tend toward something like you get at https://www.grc.com/passwords.htm. The only way to attack WPA2-PSK is to guess the passphrase, which can be made very difficult.

Magus
  • 911
  • 6
  • 7