How WPA wireless networks are hacked, and how to protect yourself
As wireless networks evolve, so does the encryption needed to protect them. As usual, the methods used to break that encryption evolve just as fast, so let’s take a look at how it’s done and how to protect yourself from these types of threats.
WEP-based encryption was the first to be developed, and therefore the first to be easily cracked. Then came WPA-based encryption, which took security up a level and introduced some new methods. Let’s look at some differences between the two. WEP, or Wired Equivalent Privacy, is a basic form of wireless security where both the wireless access point (“WAP”) and the user are configured with an encryption key of either 64 bits or 128 bits, entered in hex. When someone connects to the network, the access point issues a “random challenge.” The user’s key is used to encrypt the “challenge answer.” If the answer is correct, the user is granted access to the network. WEP is easy to crack because the network key required to gain access is static, and with very little effort it can be figured out.
WPA-based encryption, or Wi-Fi Protected Access, is similar in theory to WEP but doesn’t use a static network key; instead it uses the “Temporal Key Integrity Protocol” (TKIP), which changes the per-packet key with every data packet sent or received. This by itself makes WPA a very secure method for wireless networks, but the problem is that in most home environments a “shared passphrase” is used to access the network. If this passphrase is any word found in the dictionary, an attacker can crack it through what is known as a “brute-force dictionary attack.” While it may take a long time, it can be done.
Since WEP can be easily cracked, we’ll focus on how your WPA-encrypted wireless network can be cracked and made vulnerable to attacks as well, and how to prevent this from happening, or at least lower your risk considerably. With WPA there are two different versions: PSK and RADIUS. In the simplest terms, PSK is hackable and RADIUS is not. PSK uses the TKIP process mentioned above to authenticate to the network, and that is what makes it vulnerable to cracking. While WPA is indeed much more secure than WEP, only WPA-RADIUS is un-crackable. Ninety percent of access points and home wireless routers don’t even support WPA-RADIUS (only advanced enterprise-grade routers do), which leaves most WPA-secured home networks almost as vulnerable as WEP-secured networks.
The key to cracking a WPA wireless network is to sniff out the PMK, or Pairwise Master Key. To do this you have to capture certain packets being sent and received across the network and catch a certain “handshake” process. The “handshake” is the authentication between the client and the access point; it is still highly encrypted, due to the way WPA secures itself, but it is derived from the PMK. To automate this process there is freely available software called “Aircrack-ng,” a suite of tools for sniffing and manipulating wireless networks. All someone has to do is run the software provided in Aircrack-ng, which will sniff a WPA-secured wireless network and find the “handshake” as it occurs. Once this is captured, it’s a matter of finding the word that is associated with this “handshake,” which yields the PMK that allows access to the network.
This is where it gets a little tricky. If the password is any word in the dictionary, it’s likely it can be cracked. If the password is long and contains symbols along with upper- and lowercase letters, it’s likely the password can’t be figured out. Nine times out of ten the password is an everyday word that’s easily found in any dictionary. For someone to figure this out, the process is again automated and fairly easy. All you have to do is find a dictionary in “.txt” form, which is fairly easy to find online, and feed that list into the software provided in the Aircrack-ng suite. The software will go down the list and try each and every word. This process is known as a “dictionary brute-force attack,” and it is really the only way to crack a WPA-secured network. If the word is found, the network is cracked, so the longer and more complicated the password, the harder it is and the longer it will take to crack.
Now that you know it can be done, it’s time to learn how to protect yourself from these types of attacks in the future. Properly setting up your WPA-secured wireless network will make all the difference between someone being able to get in or not. Most people are unaware that basic WPA-based setups are nearly as vulnerable as WEP-based setups, and that with a few simple adjustments they could be made almost unbreakable.
It all starts with your wireless router. If WEP-based security is the only option available on your router, it’s time to upgrade. Newer routers will likely offer WPA-based encryption at several different levels. The normal variations are WPA and WPA2. Beyond that, there are two different encryption options: TKIP (as mentioned above) and “AES,” which is a newer and more secure method. AES and TKIP are the algorithms used to protect packets as they are sent and received over the network. AES is more advanced and provides a higher level of protection. TKIP was really only developed as an “interim” solution until something better could be developed, which was eventually AES. Most routers that use WPA are set up to use TKIP by default, so simply logging into your router and changing the setting to AES can make a world of difference.
If your router is only one to two years old, you may be able to find a firmware update online as well, which would most likely give you the newest WPA-based security features, including AES. As a rule of thumb, the highest level of security is “WPA2-AES.” This is the level of encryption the US government uses, and it is the highest available by today’s standards. If this isn’t available, basic WPA encryption will suffice; just make sure the password is as long and complex as possible.
When it comes to securing a network via WPA, the password, from which the PMK is derived, is the most important aspect. Include a combination of upper- and lowercase letters, numbers and symbols in a phrase that’s as long as possible. The only way to crack WPA, as mentioned above, is to sniff out the handshake and recover the password associated with it, and if this password is extremely complicated, it will be almost impossible to crack. The only downside to this high level of security is that it will slow down the overall speed of your network, but in the long run it’s well worth it.
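To make the handshake/dictionary discussion and the passphrase advice above concrete: WPA/WPA2-PSK derives the PMK from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as the salt and 4096 iterations. This is an added example, not code from the article or from Aircrack-ng; it checks that derivation against the published IEEE 802.11i test vectors, shows why a PMK table precomputed for one SSID is useless against a renamed network, and measures how slow each guess is. The word list and the SSIDs "linksys" and "Kx9-home-7" are constructed for the demonstration.

```python
import hashlib
import time

# Published IEEE 802.11i Annex H test vectors: (passphrase, SSID, expected PMK hex)
TEST_VECTORS = [
    ("password", "IEEE",
     "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"),
    ("ThisIsAPassword", "ThisIsASSID",
     "0dc0d6eb90555ed6419756b9a15ec3e3209b63df707dd508d14581f8982721af"),
]

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a precomputed table only applies to one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def vectors_pass() -> bool:
    """Check the derivation against the published test vectors."""
    return all(wpa_psk_pmk(p, s).hex() == pmk for p, s, pmk in TEST_VECTORS)

def build_pmk_table(words, ssid):
    """Precompute PMK -> word for one SSID (what a per-SSID table contains)."""
    return {wpa_psk_pmk(w, ssid): w for w in words}

def table_hit(table, network_passphrase, network_ssid):
    """Word whose PMK equals the network's PMK, or None.
    The network PMK stands in for the handshake check; only the SSID match matters here."""
    return table.get(wpa_psk_pmk(network_passphrase, network_ssid))

def guesses_per_second(ssid, samples=50) -> float:
    """Measure how many PBKDF2 derivations one CPU core manages per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk_pmk(f"candidate{i:04d}", ssid)  # constructed candidate passphrases
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    words = ["password", "sunshine", "football", "letmein1"]  # constructed word list
    table = build_pmk_table(words, "linksys")  # table built for a common default SSID
    print("test vectors ok:", vectors_pass())
    print("default SSID + dictionary word:", table_hit(table, "sunshine", "linksys"))
    print("renamed SSID + same word:", table_hit(table, "sunshine", "Kx9-home-7"))
    print(f"~{guesses_per_second('linksys'):.0f} PBKDF2 guesses/s per core")
```

The same word is found instantly when the SSID matches the table and not at all once the SSID is changed, and the guesses-per-second figure shows why a long random passphrase puts exhaustive guessing out of reach even though a dictionary word does not.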
February 8th, 2009
I use the below to generate WPA keys:
https://www.grc.com/passwords.htm
February 8th, 2009
I’d like to add that the use of aireplay-ng (should come in the suite) can be used to deauthenticate the client, resulting in a capture of a 4-way handshake significantly quicker.
On the note of actually cracking the key, I would suggest using a rainbow table. The Church of Wifi has a nice pre-computed hash file. You could certainly find them by searching any torrent site. (They’re upwards of 33 GB.)
Also, if you knew the name of the network you were trying to hack (and yes you do) you could start churning out your own hash file before you even obtain the 4-way handshake.
Since the SSID is used as the salt of WPA, I would suggest (for security) changing the default SSID of your network (as the Church of Wifi had pre-computed hash files for the top 1000 most common SSIDs).
February 9th, 2009
The best bet for most home users is to use a phrase or slogan, take the spaces out and capitalize the first letter of what used to be words and sprinkle a number or two.
Of course they won’t be reading this.
April 11th, 2009
Kraven’s got the right idea, the keys generated at GRC are pretty decent. The problem with Ken’s idea is that he’s using words that will likely be in a dictionary… and if it’s a damn big dictionary file (the 33GB file you refer to is pretty massive but the last project I witnessed was taking up the entirety of a 160GB WD laptop drive, bar the OS) then it’s more likely to be subject to a successful attack. My advice is to go with Kraven and even if you don’t use GRC’s generated keys, make them as random as possible – Don’t use words.
June 12th, 2009
I want access to my neighbor’s wireless Internet but I don’t know the password!!!!
You can email me at rayver_cruz99@yahoo.com if you want to help me. Thanks
January 5th, 2010
I WANT TO HACK THIS NETWORK.
January 17th, 2010
Something I don’t understand: aircrack-ng can do 700 k/s (passwords a second), but when I use airolib-ng I only get about 130 PMK/s (precomputed pairwise master keys).
So why is airolib so slow? If aircrack can do 700+ then surely airolib should be able to do more, because it doesn’t finish the crack by running the transient key calculations… Can anyone explain why this is…?
Any answers would be greatly received.
morbious@live.com
M0rbi0uS
March 24th, 2010
wat u all talkinG??
May 23rd, 2010
I want to access my school wireless and it has a password. Please, anyone?????????? If there is any software, my email id is donnelwebb@yahoo.com
July 25th, 2010
I can work on 2000+ k/s using aircrack-ng on BT 4 :)
August 26th, 2010
Can you mail me the ways I can hack WEP security to connect to the Internet? Are there any ways to hack WPA passwords?
September 8th, 2010
Please, how can I hack my wireless network? The name of the network is NETRYDA-5. PLEASE HELP ME OUT PLEASE…PLEASE…PLEASE
October 11th, 2010
I am not bothered about security. What may be the reasons that make the internet connection speed much slower for wireless users than for the wired clients in one LAN? Please mail me at cdereje@gmail.com
October 26th, 2010
Where can I find a dictionary online in .txt format?
I’ve tried and haven’t found anything.
January 3rd, 2011
That being mentioned, let me state that this text is complete as a stand alone book and isn’t simply a boot camp prep document for the exam. It does on the other hand serve pretty nicely in that capacity. My point is that regardless of whether you will be pursuing the certification or not, the book belongs on the shelves of anyone planning, perusing or operating in the VOIP (voice over world wide web protocol) arena.
January 8th, 2011
All of you people asking for others to help you crack your neighbor’s password or your school’s internet are idiots. First of all, did you even read the article above? And second, if you go to school there, shouldn’t you already know the password to the wireless internet?
January 13th, 2011
I want access to my neighbor’s wireless Internet but I don’t know the password!!!!
You can email me at priyeshpathirikkat@gmail.com if you want to help me. Thanks
January 30th, 2011
There’s noticeably a bunch to realize about this. I’d love to thank you for that efforts you’ve complete in writing this good article. I’m hoping the equal best work from you in the future as well.
April 7th, 2011
As a website owner I believe the articles here are very excellent, regards for your efforts.
May 2nd, 2011
I want to hack a wireless network and it has a password. What can I do? Help me.
July 23rd, 2011
Dear friends, I have no internet on my laptop, but near my house there is a person who has internet providing wireless signals. So, can anyone help me or not?
August 17th, 2011
Hey, I understand everything said here, But I have trouble learning it. Would someone possibly be willing to spare some time to “teach” me a little bit about what was said here?
My neighbor has a wireless router with WPA-TKIP security which I can play with. I just need help finding a good packet sniffer, and finding out how to use it effectively. I’m running Windows 7 64-bit OS, on an Acer Aspire with an Atheros Wireless Network adapter.
I’m fair with computers and learn quick with anything.
If anyone would be able to help a young mind out and talk with me a little, my secondary email is tsrsdub8426@gmail.com
August 19th, 2011
Is this still working? Can anyone help me please? I want to access any secured wireless.. my email is astluv_03@yahoo.com.. thank you so much
October 13th, 2011
@DuB: you have to download and configure an aircrack-ng for Windows version, or KISMET and Cain & Bel…
October 14th, 2011
Great article. Read your article about WEP cracking too. Great stuff. One question. Will this work on a mac…? For whatever reason linux and mac don’t like each other so it’d be easiest if I could just use mac. My wireless card is the Airport extreme. in firmware it says broadcom. I remember in the previous article it said broadcom is usually not compatible. So poo. Is there anything I can plug into the usb port that will work? Cause I’m not replacing that wireless card. Thanks everybody
my email kroseberry331@gmail.com
or submit a comment for all mac users out there :P :)
October 25th, 2011
I hacked a WEP password but I want to hack WPA. How is it possible? I have a dictionary file but I couldn’t. Please help me. rjshiwakoti@gmail.com
November 19th, 2011
Hey There. I found your weblog the usage of msn. This is a really well written article. I’ll make sure to bookmark it and come back to learn more of your useful info. Thanks for the post. I will certainly comeback.
December 9th, 2011
I’ve been exploring for a bit for any high quality articles or blog posts in this sort of space. Exploring in Yahoo I eventually stumbled upon this website. Reading this information, so I’m happy to express that I have an incredibly just right uncanny feeling I discovered exactly what I needed. I such a lot definitely will make certain to don’t omit this website and give it a glance regularly.