Wireless Hacking

DOI: 10.4018/978-1-5225-7628-0.ch009


Wired networks add to the cost and space required for setup, while wireless networks are easy to expand without the added complexity of cabling. Most organizations implement wireless networks as an extension of an existing wired network by installing multiple access points at various locations to cover a larger area. Wi-Fi users can be assigned limited, restricted access to the actual wired network and organizational resources. Although less reliable, wireless networks offer mobility, flexibility, ease of deployment and scalability at a reduced cost of implementation. However, besides these many advantages, a wireless network raises the security threat level by making it easy for hackers to intercept network traffic via open networks. Hence, there is a need to determine the potential Wi-Fi security threats, attacks and attack tools, and the countermeasures that can be used to secure organizational wireless networks. This chapter focuses on the different IEEE 802.11 wireless standards, the authentication and association processes in 802.11, and the WLAN frame structure. It explains different wireless attacks such as war-driving, war-chalking, Wi-Fi signal jamming, denial of service (DoS) attacks, rogue access point attacks, wireless traffic analysis, MAC spoofing, de-authentication attacks, man-in-the-middle attacks, evil twin attacks, cracking of Wi-Fi encryption, spectrum analysis, and attacks on Bluetooth devices. The chapter also discusses different tools used for carrying out wireless attacks or auditing wireless security, such as NetStumbler, Kismet, Aircrack, insider, KisMAC, WEPWedgie, WIDZ, and Snort-wireless, as well as countermeasures against these attacks.
Chapter Preview


Figure 1 shows a typical architecture for implementing wireless network access in an organization. The wireless access points are connected to the IEEE 802.3 Ethernet network via Ethernet switches, and wireless clients connect to the network through these access points over an IEEE 802.11 network. Clients on the wired network are connected to the Ethernet switches directly. The internal network is protected from the public network by a gateway and a firewall.

Figure 1. Wireless Network Access


The technical specification for the functioning of a wireless network is given in the IEEE 802.11 standard (IEEE_A, 2018). In this specification, a client computer/laptop/mobile device is referred to as a station, and two or more stations that communicate with each other through an access point (AP) form a Basic Service Set (BSS), as shown in Figure 2.

Figure 2. IEEE 802.11 Network


Many such BSSs are generally interconnected to the network using a Distribution System (DS) when Wi-Fi operates in infrastructure mode. The physical area covered by this Wi-Fi network is called a hotspot. The MAC address, or physical address, of the AP becomes the BSSID (Basic Service Set Identifier). The wireless AP sends a beacon frame on a regular basis to broadcast the Service Set Identifier (SSID) of the wireless network. The SSID is the name of the wireless network that all the wireless clients associate with. The destination address field in the beacon frame has the value “ff:ff:ff:ff:ff:ff”, indicating that the frame is to be sent to all stations. The beacon frame also contains a BSSID (Basic Service Set ID) field, which holds the MAC address of the wireless side of the access point. The sequence number field in the beacon frame is incremented by one every time the wireless station emits a frame.
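As an added example that is not part of the chapter, the beacon fields named above (broadcast destination address, BSSID, sequence number, SSID) decoded from a constructed frame in Python. The frame builder, the MAC address and SSID values are assumptions; the sequence-gap check is a defender's heuristic for spotting a second radio that advertises the same BSSID, since its beacons carry their own counter and break the one-per-frame increment described above.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_beacon(bssid: str, ssid: str, seq: int, interval_tu: int = 100) -> bytes:
    """Constructed sample beacon: management frame (type 0), subtype 8, DA = broadcast."""
    fc = (8 << 4) | (0 << 2) | 0           # subtype 8 (beacon), type 0 (management), version 0
    bssid_raw = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<HH6s6s6sH", fc, 0, bytes.fromhex("ff" * 6),
                         bssid_raw, bssid_raw, (seq & 0xFFF) << 4)   # seq in bits 4..15
    body = struct.pack("<QHH", 0, interval_tu, 0x0011)  # timestamp, interval, capability (ESS|privacy)
    ssid_raw = ssid.encode()
    return header + body + bytes([0, len(ssid_raw)]) + ssid_raw      # tagged parameter 0 = SSID

def parse_beacon(frame: bytes) -> dict:
    if len(frame) < 36:
        raise ValueError("too short: beacon needs 24-byte MAC header + 12-byte fixed body")
    fc, _dur, da, sa, bssid, seq_ctl = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError(f"not a beacon: type={ftype} subtype={subtype}")
    _timestamp, interval, capability = struct.unpack("<QHH", frame[24:36])
    tags, i = {}, 36
    while i + 2 <= len(frame):                 # tagged parameters: id, length, value
        tag_id, tag_len = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tagged parameter")
        tags[tag_id] = value
        i += 2 + tag_len
    ssid = tags.get(0, b"")
    return {"destination": mac_str(da), "broadcast": mac_str(da) == BROADCAST,
            "source": mac_str(sa), "bssid": mac_str(bssid),
            "sequence": seq_ctl >> 4, "fragment": seq_ctl & 0xF,
            "beacon_interval_tu": interval, "privacy": bool(capability & 0x10),
            "ssid": ssid.decode("utf-8", "replace") or None}   # None = hidden (cloaked) SSID

def sequence_anomalies(beacons: list, max_gap: int = 5) -> list:
    """Per BSSID, flag beacons whose sequence number jumps by more than max_gap (mod 4096):
    a second radio advertising the same BSSID keeps its own counter (rogue/evil-twin indicator)."""
    last, flagged = {}, []
    for b in beacons:
        seq = b["sequence"]
        if b["bssid"] in last and (seq - last[b["bssid"]]) % 4096 > max_gap:
            flagged.append((b["bssid"], last[b["bssid"]], seq))
        last[b["bssid"]] = seq
    return flagged
```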

A wireless station (STA) that wants to connect to a particular SSID sends a probe request to the wireless AP, which in turn sends a probe response, as shown in Figure 3.

Figure 3. 802.11 Authentication and Association


Next, authentication request/response and association request/response frames are exchanged between the wireless station and the wireless AP, after which the wireless station can start sending and receiving packets over the wireless network. The STA presents its security parameters to the AP during the authentication process. A station can be associated with only one AP at a time, which ensures that the DS always knows where the station is. The station can switch its association from one AP to another using re-association. Both association and re-association are initiated by the station. Either party can disassociate, that is, terminate the association between the station and the AP. A disassociated station cannot send or receive data.

The default, insecure authentication protocol for the IEEE 802.11 standard is Open System Authentication (OSA), where the AP generates and sends a random authentication code (valid only for that particular session) in response to the client’s request, as shown in Figure 4.

Figure 4. 802.11 Open System Shared Key Authentication

