How to catch hackers on your wireless network

[Lite]

Wireless networks are a wonderful invention. They give us the ability to easily deploy a complex network of computers without the need to physically wire them up.

However, this ease of use can also mean that, without proper precautions, neighbourhood parasites can leech bandwidth and generally use your network against your wishes. Trapping such people is easy with a little thought and some borrowed equipment.

What is wireless?

What's usually known as Wi-Fi belongs to a family of wireless networking technologies called IEE 802.11. These all use the same protocol for transmitting and receiving data over short distances.

Home wireless routers and hubs (commonly called wireless access points) conform to the 802.11g variant of the specification. This uses transmission frequencies centred on 2.4GHz. Each transmission channel gives a raw data throughput of either 54 or 65 Mbps, depending on your equipment.

However, the useful data transmission rate is more like 19 Mbps, with the rest of the available bandwidth being used for error correction, encryption and packet collision detection.

Wireless LANs operate on one of 13 channels. If you're getting low data transfer rates, it's worth switching your wireless access point to a different channel – the chances are that another network in the neighbourhood is using the same one. Using the same channel won't cause data leakage onto other networks, because each is also uniquely identified and should feature strong encryption.

Encrypt to survive

Encryption is vital for wireless networks. There are two main standards in popular use. The first, which is older and decidedly less secure, is Wired Equivalent Privacy (WEP).

The original idea behind WEP was that it would be as secure as using a wired network. However, it's been widely known for around half a decade that if you can capture enough data packets from a secure connection, WEP encryption can be cracked using freely available hacking tools.

After cracking WEP encryption on a target network, it's possible for a hacker to read the login credentials required to connect to that network. After that, he will discover and exploit whatever vulnerabilities can be found on the network to consolidate his hold over it, possibly by deploying a keylogger to snatch identities, as well as using your computers for the storage of files he doesn't want on his own network.

The core aim is to leech your bandwidth to download undesirable content. For this reason, WEP should no longer be used. In its place, your wireless network should support WPA (Wi-Fi Protected Access).

This features far stronger encryption and the tools used to crack it are still either at the proof-of-concept stage or take so long to run that updating your passwords regularly will mean that your wireless network remains a very slippery target indeed.

If your network still uses WEP, stop reading immediately, log into your wireless access point's web interface, go to the admin page and select WPA (or, if available, the stronger variant WPA2) and save the configuration. Now disconnect and reconnect your computers to the network and they'll begin using the stronger encryption.

That done, let's now explore your neighbourhood.

Network discovery

The first thing a hacker will do when scouting for Wi-Fi targets is check the networks in range to find the best one to attack. While you could simply use your PC's Wi-Fi connectivity software to discover local networks, there are better tools available online that will show you far more.

One such tool is the free Inssider from MetaGeek. Installation on a computer with a wireless network card is as simple as running the installation package and clicking 'Next' a couple of times.

You don't need to be a member of a wireless network to run Inssider. Run it and select your wireless network interface from the dropdown list at the top of the Inssider window. Click the 'Start Scanning' button and the interface will begin to fill with networks.

At the top of the screen is a table containing a line for each network that the program discovers. This contains information including the wireless access point device each network uses, the name (called the SSID) of the network, the signal strength and the type of security used.

In the lower section of the interface are real-time graphs showing the signal strengths of each network as they change over time. Water in the atmosphere absorbs radio waves, so if the weather's bad, signal strengths may be lower than on a bright, dry day. Such fluctuations in atmospheric interference will cause networks on the edge of the detectable range to occasionally pop up and disappear again.

On the right-hand pane is a chart showing the signal strengths as the height of a set of bell curves centred on the channels used. If you're not getting very good bandwidth, try changing the access point's channel to one that isn't in use by the networks around you, then reconnect.

As a general guide, the RSSI (Received Signal Strength Indication) column in the table is a useful measure of the distance between you and each network's base station. This can be used to get a rough idea of whose networks you can see if they've not been identifiable from their SSID.

The SSID is the 'service set ID'. This is the user-defined name of the network. When you buy a new wireless access point, the SSID will usually be set to a default. If you leave this as it is, it gives people a good indication that little if any configuration or security work has been done. If the network is also using WEP encryption (or worse, no encryption at all), it is open to easy abuse.

Inssider gives you a great way to see what Wi-Fi networks are in your neighbourhood. However, if you find a network that has no protection at all, don't be tempted to join it and leech bandwidth.

It may well be that an incompetent neighbour has set it up and doesn't realise that it's open to abuse, but it may equally have been set up like that deliberately. It's possible that someone may have set up a data collection utility such as Wireshark on the open network. If you connect to the network, the person who owns it will be able to see everything you do.

Catching a Wi-Fi hacker

So let's turn the tables. Let's use this technique to set a trap for anyone in the vicinity who may fancy exploring networks and leeching bandwidth that doesn't belong to them. You can also use this technique to monitor traffic on your own networks in general.

We're going to use what's known as a honeypot – a PC or network that appears unprotected. They're designed to tempt hackers and malware to explore and infect them. In reality, they're heavily monitored.

Researchers use them to detect new strains of malware, and we're going to use a honeypot wireless network to catch bandwidth leeches. The technique involves setting up a wireless network without any protection and then monitoring it for unauthorised connections.

The network is physically isolated, but anyone joining it illegally won't know that. It just looks like a juicy connection waiting to be exploited.

To set up a simple wireless honeypot, you first need a spare wireless access point for potential hackers and freeloaders to attempt to access. This is plugged into an old network hub.

The hub is important because whatever traffic it receives on one port, it automatically retransmits on all the others. This doesn't happen in a network switch, which is why we need a hub. We can plug a PC running a traffic-monitoring program into another port on the hub, begin collecting data and wait for the fun to begin.

The monitoring program we'll use is Wireshark. This app is used by network security professionals the world over and is very easy to set up and use.

Setting the trap

Go to www.wireshark.org and download the latest Windows version. This is compatible with all supported versions of Windows from XP onwards. Installation is a simple matter of running the downloaded executable and accepting the defaults.

Unlike Linux, Windows doesn't have the ability to put its network card into 'promiscuous' mode automatically (whereby it will accept all traffic, thus allowing Wireshark to monitor whatever flows past). To enable this, part of the Wireshark installation procedure will install a library called WinPcap.

Once installed, run Wireshark and select your wired network interface card from the interface list. This begins a collection session. You should start to see traffic being sent every few seconds by the wireless access point as it monitors and discovers resources, and finds out what machine has which IP address. You'll also see traffic from the PC on which Wireshark is running.

On the monitoring PC, log into the wireless access point's web-based management page and set security to 'none'. If there's a function for returning it to its factory settings, run this to reset all passwords.

Now test your handiwork by joining the network wirelessly from another PC. On the joining computer, open a command line and enter the command ipconfig/all.

Find the wireless network card's details in the morass of information that appears. Make a note of its IP address. If you now click the source or destination columns in Wireshark to sort the incoming information, you can easily find the traffic being generated by this IP address.

The traffic reveals a surprising amount of detail, including the machine's name and its MAC address. If, while monitoring, you find other computers joining the network, their machine's Windows name, MAC address and current IP address will be recorded by Wireshark.

If you picked up another PC, the owner was obviously scanning the neighbourhood looking for new networks to join. Why not have a little fun by letting him know you're on to him?

Try changing the name of the network to his PC's name or some other piece of identifying information, and crank the security up to WPA2 so he won't be able to do anything about it. Doing so may scare him sufficiently to leave you well alone in future.

Source

[myidisbb]

i see i have wpa and wpa2 both have presonal and enterprise and then there is tkip and aes and both together. the enterprise have radius server address also. what should i use then? using wep for now

[jalaffa]

Where I'm at there happen to be a wide open Wi-Fi connection. So instead of setting one up myself I'm using that for my Android. I don't feel very guilty about that. If someone leaves it set up like that they can't complain. But just for fun I'm tempted to test out this (creating an open spot and renaming it to the computers connecting to it) :D

[DKT27]

Nice to see Wireshark being mentioned here. In addition to that Wireshark can also help you catch the hacker who has sent you a keylogger, etc. ;)

My friend cracks WEP encryption in mins without any tool. Of course, never exploits it. ^_^

[Ahmad_Al_Hajaya]

Thank you for the information

I've changed my wireless encryption to this encryption: WPA-PSK [TKIP] + WPA2-PSK [AES]

[myidisbb]

reset mine to wpa2 aeg.

then i had to make the two Dsi's work with it. oh my god. it doesnt do ~, \ nor |. that was fun. went with caps and lower case letters and numbers instead for now. typing the correct letters can be fun too. after some time i figure out easiest way to do it. copy and paste the 63 key in notepad

example

KRkL8CJ2uM51gF7OHhJ1uQWSrzcEMhjI0w9yoOVRcj3O2xUrtw0ZPVW8YggGCL3

then for DSi i broke it done to look like

KRkL8CJ2uM51gF7OHhJ1uQWSrzcEMhjI0w9yoOVRcj3O2xUrtw0ZPVW8YggGCL3

1234567890123123456789012312345678901231234567890123123456789012

they are line up in notepad. after typing the key in DSi i looked at what i type on the DSi screen and retypei it on the notepad. therefor verifying i typie the key right. this trick should be able to use of your other stuff that you cann not copy and key the key straight too.

oh forgot use https://www.grc.com/passwords.htm to have a random key made each time you go there or refresh it.

[Anteus]

Nice to see Wireshark being mentioned here. In addition to that Wireshark can also help you catch the hacker who has sent you a keylogger, etc. ;)

My friend cracks WPE encryption in mins without any tool. Of course, never exploits it. ^_^

I would like to see him do it without any tool, aircrack-ng also counts as tool it's just without a GUI. Still not hard to do tho.

[Night Owl]

Wireless LANs operate on one of 13 channels.

In Canada and the United States we're limited to only 11 channels. And they're not really distinct channels, they're more like radio stations. Only channels 1, 6, and 11 in North America don't overlap one another.

I have used inSSIDer in the past, but just opening a command prompt and typing the following gives me all the information I really need:

netsh wlan show networks mode=bssid

[implague]

this is very help full info though i don't have Wi-Fi but someday it'll b there

[nightmoon]

thank you for nice subject i want tell what about Backtrack????

[implague]

[Hottwire]

I use WPA2 with DHCP Off and a wireless MAC blacklist/whitelist

This means even if they guess the WPA pass they have to be whitelisted by mac address on the router and even then find a suitable IP address in our tiny range set up to only allow our 7 machines on at one time and as they are all reserved to each pc, theres no way of finding a way into the wireless network ;)

[Anteus]

I use WPA2 with DHCP Off and a wireless MAC blacklist/whitelist

This means even if they guess the WPA pass they have to be whitelisted by mac address on the router and even then find a suitable IP address in our tiny range set up to only allow our 7 machines on at one time and as they are all reserved to each pc, theres no way of finding a way into the wireless network ;)

It's a easy task to pass by MAC blacklist/whitelist just clone a whitelisted one

[Hottwire]

I use WPA2 with DHCP Off and a wireless MAC blacklist/whitelist

This means even if they guess the WPA pass they have to be whitelisted by mac address on the router and even then find a suitable IP address in our tiny range set up to only allow our 7 machines on at one time and as they are all reserved to each pc, theres no way of finding a way into the wireless network ;)

It's a easy task to pass by MAC blacklist/whitelist just clone a whitelisted one

True but as we have the machines on all the time pretty much and at night we turn the router off theres a slim chance of getting in with all that protection.

[dert]

as for me I prefer to use ProteMac meter

[irefay]

The problems I have with encryption are that they can be a pain to set up when people visit and it costs BIG time on bandwith. Why loose 40% speed?

I live in a somewhat sparsely populated area and when Ive tested, my signal doesnt make it to the street. For me, I just use a MAC whitelist.

Given, the 40% speed loss is still probably within the range of your internet connection, but if you want to share files on the network between computers, you dont want to wait.

[Night Owl]

WEP is the hardest to crack right... any ideas as that is what i use :)

No, WEP is the easiest to crack.

WEP stands for Wired Equivalent Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened as flaws were quickly discovered and exploited.

WPA and WPA2 were invented because WEP is so easily cracked.

Source: Wikipedia's Wireless Security

[Night Owl]

Yes, WEP really has at most 40-bit keys. Anything more doesn't give you significant further protection.

[henz]

if you make a search, all would say WEP - easy to crack...

by the way, you need to know how to crack also :P