Wi-Fi Security Testing Tools
Attempting to “hack” into your own wireless network can help you better understand Wi-Fi security vulnerabilities and how to protect against them. Here are some Wi-Fi hacking techniques and the tools — nearly all free — you can use for penetration testing. These tools will help you uncover rogue access points, weak Wi-Fi passwords, and spot other weaknesses and security holes before someone else does.
Stumblers and Sniffers: Vistumbler
Wi-Fi stumblers can detect nearby APs and their details, like the signal level, security type, and MAC address. You might find APs set with weak WEP security, which can be easily cracked, or possibly rogue APs setup by employees or others that could be opening your network up to attack. You can use wireless sniffers to capture raw network packets sent over the air. You could import the captured traffic into other tools, such as to crack encryption. Vistumbler is an open source Windows application that displays the basic AP details, including the exact authentication and encryption methods, and can even speak the SSID and RSSI. It also displays graphs of signal levels. It's highly customizable and offers flexible configuration options. It supports AP names...
Stumblers and Sniffers: Kismet
Kismet is an open source Wi-Fi stumbler, packet sniffer, and intrusion-detection system that can run on Windows, Mac OS X, Linux, and BSD. It shows the AP details, including the SSID of "hidden" networks. It can also capture the raw wireless packets, which you can then import into Wireshark, TCPdump, and other tools. In Windows, Kismet only works with CACE AirPcap wireless adapters due to the limitation of Windows drivers. It does, however, support a variety of wireless adapters in Mac OS X and Linux.
Stumblers and Sniffers: Wifi Analyzer
Wifi Analyzer is a free Android app you can use for finding APs on your Android-based smartphone or tablet. It lists the basic details for APs on the 2.4-GHz band, and on supported devices on the 5-GHz band as well. You can export the AP list (in XML format) by sending it to email or another app or take snapshot of the screens. It also features graphs showing signals by channel, history, and usage rating and also has a signal meter feature to help find APs.
WEP Key and WPA/WPA2 Cracking: Aircrack-ng
There are many tools out there that can crack Wi-Fi encryption, either taking advantage of WEP weaknesses or using brute-force dictionary-based attacks on WPA/WPA2-Personal (PSK). Thus you should never use WEP security. WPA2 security with AES/CCMP encryption is the most secure. And if you use the Personal or Pre-shared key (PSK) mode, use a long 13+ character passphrase with mixed-case letters, numbers, and special characters — any ASCII characters will do. You can use these tools to understand the Wi-Fi encryption weaknesses or to test your current passwords: Aircrack-ng is an open source suite of tools to perform WEP and WPA/WPA2-Personal key cracking, which runs on Windows, Mac OS X, Linux, and OpenBSD. It’s also downloadable as a VMware image and Live CD.
CloudCracker is a commercial online password cracking service, starting at $17 for 20 minutes. In addition to WPA/WAP2 PSKs, it can also be used to attempt cracking of password hashes and password-protected documents. They use huge dictionaries of 300 million words to perform the cracking and have the computing power to do it quick. You just simply upload the handshake file for WPA/WPA2 or PWDUMP file for the hashes or documents.
Though the Enterprise mode of WPA/WPA2 security with 802.1X authentication is more secure than the Personal (PSK) mode, it still has vulnerabilities. Here’s a tool to help you better understand these attacks, how you can protect your network, and test your security: FreeRadius-WPE is a patch for the open source FreeRADIUS server designed to perform man-in-the-middle attacks against users of wireless networks using 802.1X authentication. It modifies the server to accept all NAS devices and EAP types and logs the username and challenge/response from the unsuspecting users that connect to the fake wireless network. Then the challenge/response can be inputted into another Linux program, asleap, to crack the encrypted password.
WPS PIN Cracking: Reaver
If you have a wireless router instead of or in addition to APs, you should be aware of a vulnerability publicly discovered in December. It involves the Wi-Fi Protected Setup (WPS) feature found on most wireless routers and usually activated by default when using WPA/WPA2-Personal (PSK)security. The WPS PIN, which can be used to connect to the wireless router, can be easily cracked within hours. Here’s one tool you can use to test your wireless routers against the WPS PIN weakness: Reaver is Linux program that performs brute force attacks against wireless routers to reveal their WPS PIN and WPA/WPA2 PSK within 4 - 10 hours. They also offer an easy-to-use hardware solution, Reaver Pro, with a graphical web interface.
Evil Twins and Honey Pots: WiFish Finder
One technique Wi-Fi hackers can use is by setting up a fake AP, aka an evil twin AP or wireless honey pot. Once someone connects to the AP the hacker can then capture any email or FTP connections or possibly access the user’s file shares. They could also use a captive portal or spoofed DNS caching to display a fake website mirroring a hotspot or website login page in order to capture the user’s login credentials. WiFish Finder is an open source Linux program that passively captures wireless traffic and performs active probing to help identify wireless clients vulnerable toattacks. It builds a list of network names that wireless clients are sending probe requests for and detects the security type of that desired network.
Evil Twins and Honey Pots
Jasager (based on KARMA) is Linux-based firmware offering a set of Linux tools to identify vulnerable wireless clients, like WiFish Finder, but can also perform evil twin or honey pot attacks. It can run on FON or WiFi Pineapple routers. It can create a soft AP set with the SSIDs nearby wireless adapters are probing for and run a DHCP, DNS, and HTTP server so clients can connect. The HTTP server can then redirect all requests to a website. It can also capture and display anyclear-text POP, FTP, or HTTP login performed by the victim. Jasager features a web-based and command-line interface.
Fake AP runs on Linux and BSD and generates thousands of simulated APs by transmitting SSID beacon frames. It could be used by attackers to confuse IT staff or intrusion-detection systems, or even used by you to confuse the attacks of wardrivers.
Here’s a tool to help find weaknesses with certain device drivers of wireless adapters that could make attacks on your network easier: WiFiDEnum (WiFi Driver Enumerator) is a Windows program that helps identify vulnerable wireless network drivers that are at risk to wireless driver exploit attacks. It scans the wired or wireless network for Windows workstations, collects details about their wireless network adapter drivers, and identifies possible vulnerabilities.
General Network Attacks: Nmap
Here are a few tools to demonstrate eavesdropping and attacks that we’ve seen on wired networks for years, which also can work via Wi-Fi: Nmap (as in Network Mapper) is an open source TCP/IP scanner you can use to identify hosts and clients on the network, available on Linux, Windows, and Mac OS X with a GUI or a command-line. It reports what OS they’re using, services they’re using or offering, what type of packet filters or firewalls they’re using, and many other characteristics. This can help you find insecure hosts and ports that may be susceptible to hacking.
Cain and Abel
Cain and Abel is a password recovery, cracker, and sniffer tool for Windows. Use it to demonstrate, forexample, the ability to sniff clear-text passwords sent over the network.
Firesheep is Firefox add-on that performs HTTP session hijacking, aka sidejacking. It monitors the network for logins from users on sites that exchange the login cookie without using full SSL encryption. Once a cookie is detected, it lists a shortcut to the protected website that an attacker can visit without having to login.
Pen Testing Linux Distros: BackTrack
If you’re serious about penetration testing, consider using a Linux distribution dedicated to it. One of the most popular is BackTrack, which offers over 320 preinstalled penetration testing tools you can use for playing around with networks, web servers, and more. You can install BackTrack to a hard drive or boot it from a Live DVD or USB flash drive.
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity that helps businesses protect their Wi-Fi with enterprise (802.1X) security and On Spot Techs that provides on-site computer services.