While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties.
Ethical Hacking Training – Resources (InfoSec)
Attacks Against Access Point Password
The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target.
Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications.
Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1].
While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc.
Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere‘ while browsing.
WEP IV Collisions
WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it.
Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page.
Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead.
WPS Based Attacks
WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password.
Brute forcing the WPS PIN
WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2].
Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router.
Known WPS PIN
The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN.
Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3].
Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds.
Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically.
Dictionary Attacks on WPA Handshakes
As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks.
Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page.
Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed.
When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password.
Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password.
WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5].
The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack.
After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin.
This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7].
Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to www.google.com and was served the phishing page instead [Figure 8].
The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9].
Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10].
Meanwhile, the password is revealed to the attacker over the console [Figure 11].
The user may end up revealing the password due to the following reasons:
The user surmises that he is connected to his own legitimate access point.
The phishing page is intentionally cloaked to appear as an authentic router page.
User has a curiosity towards the open access point with the same ESSID.
Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages.
Aftermath: The Hacker is in
Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel.
Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network.
Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12].
Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13].
DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages.
Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel DDW1 [Figure 14].
The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation.
“Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.”
While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors.
|DD-WRT. DD-WRT. [Online]. http://www.dd-wrt.com/wiki/index.php/Development|
|Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html|
|Sean Gallagher. (2014, January) ArsTechnica. [Online]. http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/|