Helping you balance your online life

May 14th


Life of a Hacker- A Hacker's Toolkit

There are many tools available that hackers can use to access your private communication in WiFi hotspots. This article by Jared Howe, Private WiFi's Senior Manager of Product Marketing Communications discusses some of the most well-known WiFi hacking tools.

Free wifi area sign on a latte coffee

Unfortunately, individuals don't have to look very hard to find all they need to know regarding how to hack. For example:
  • K**** L**** is one of the best known hacking tool collections, and they provides many how-to hacking links.
  • YouTube has more than 100,000 videos on WiFi hacking, some with millions and millions of views.
  • There are many other hacking websites out there, but since many of them are dubious and may have malware installed on them, we do not want to link to them as they may put you at risk.
Serious hackers usually use Linux-based open source penetration test tools from which to launch their attacks. This section details some of the more popular tools that can be used to search out and hack WiFi networks.
  • Aircrack-ng: This suite of tools includes 802.11 WEP and WPA-PSK key cracking programs that can capture wireless packets and recover keys once enough information been captured. Aircrack-ng supports newer techniques that make WEP cracking much faster. This software has been downloaded over 20,000 times.
  • Airjack: An 802.11 packet injection tool, Airjack was originally used as a development tool to capture and inject or replay packets. In particular, Airjack can be used to inject forged deauthentication packets, a fundamental technique used in many denial-of-service and Man-in-the-Middle attacks. Repeatedly injecting deauthentication packets into a network wreaks havoc on the connections between wireless clients and access points.
  • AirSnort: AirSnort is wireless LAN (CLAN) tool which recovers WEP encryption keys. AirSnort works by passively monitoring transmissions, and then computing the encryption key when enough packets have been gathered. After that point, all data sent over the network can be decrypted into plain text using the cracked WEP key.
  • Cain & Able: This is a multi-purpose tool that can intercept network traffic, using information contained in those packets to crack encrypted passwords using dictionary, brute-force and cryptanalysis attack methods, record VoIP conversations, recover wireless network keys, and analyze routing protocols. Its main purpose is the simplified recovery of passwords and credentials. This software has been downloaded over 400,000 times.
  • CommView for WiFi: This commercial product is designed for capturing and analyzing wifi network packets. CommView for WiFi uses a wireless adapter to capture, decode, and analyze packets sent over a single channel. It allows hackers to view the list of network connections and vital IP statistics and examine individual packets.
  • ElcomSoft Wireless Security Auditor: This is an all-in-one cracking solution that automatically locates wireless networks, intercepts data packets, and uses cryptanalysis techniques to crack WPA/WPA2 PSKs. This software displays all available wireless networks, identified by channel number, AP MAC address, SSID, speed, load, and encryption parameters. While these capabilities can be found in open source tools, ElcomSoft provides a more polished product for professional use by wireless security auditors.
  • Ettercap: Ettercap can be used to perform man-in-the-middle attacks, sniff live connections, and filter intercepted packets on the fly. It includes many features for network and host analysis. This shareware has been downloaded nearly 800,000 times.
  • Firesheep: This is a plug-in to the Firefox browser that allows the hacker to capture SSL session cookies sent over any unencrypted network (like an open WiFi network) and use them to possibly steal their owner's identities. It is extremely common for websites to protect user passwords by encrypting the initial login with SSL, but then never encrypt anything else sent after login, which leaves the cookie (and the user) vulnerable to "sidejacking." When a hacker uses Firesheep to grab these cookies, he may then use the SSL-authenticated session to access the user's account.
  • Hotspotter: Like KARMA, Hotspotter is another wireless attack tool that mimics any access point being searched for by nearby clients, and then dupes users into connecting to it instead.
  • IKECrack: This is an open source IPsec VPN authentication cracking tool which uses brute force attack methods to analyze captured Internet Key Exchange (IKE) packets to find valid VPN user identity and secret key combinations. Once cracked, these credentials can be used to gain unauthorized access to an IPsec VPN.
  • KARMA: This evil twin attack listens to nearby wireless clients to determine the name of the network they are searching for and then pretends to be that access point. Once a victim connects to a KARMA evil twin, this tool can be used to redirect web, FTP, and email requests to phone sites in order to steal logins and passwords.
  • Kismet: Kismet takes an intrusion detection approach to wireless security, and can be used to detect and analyze access points within radio range of the computer on which it is installed. This software reports SSIDs (Service Set Identifiers – used to distinguish one wireless network from another) advertised by nearby access points, whether or not the access point is using WEP, and the range of IP addresses being used by connected clients.
  • NetStumbler: This tool turns any WiFi-enabled Windows laptop into an 802.11 network detector. NetStumbler and dozens of similar "war driving" programs can be used with other attack tools to find and hack into discovered wifi networks.
  • WireShark: WireShark is a freeware LAN analyzer that can be used to passively capture 802.11 packets being transmitted over a wifi network. This software has been downloaded millions of times.

For hackers that prefer a turn-key package, there are also hardware wireless hacking tools available. We've highlighted one called WiFi Pineapple. It's a simple, small, portable device that can be carried into any hotspot and used to attract any laptop trying to find a WiFi access point. The Pineapple uses a technique called an Evil Twin attack. Hackers have used tools like KARMA to do the same thing for years, but with Pineapple, now you can buy a piece of hardware for only $100 that allows you to become a hacker without downloading or installing any software.
Here's what their website says: "Of course all of the Internet traffic flowing through the pineapple such as e-mail, instant messages and browser sessions are easily viewed or even modified by the pineapple holder."

Hacking Countermeasures
Fortunately, there are resources that you can use to help combat these threats.
  • Download Private WiFi to help protect your computer with the same proven encryption technology used by banks and government agencies. PRIVATE WiFi™ protects your identity and sensitive information by encrypting everything you send and receive while using a public WiFi hotspot.
  • Hacking Exposed: Network Security Secrets & Solutions, by Joel Scambray. This book talks about security from an offensive angle and includes a catalog of the weapons hackers use. Readers see what programs are out there, quickly understand what the programs can do, and benefit from detailed explanations of concepts that most system administrators do not understand in detail. Hacking Exposed wastes no time in explaining how to implement the countermeasures that will render known attacks ineffective. Taking on the major network operating systems and network devices one at a time, the authors tell you exactly what UNIX configuration files to alter, what Windows NT Registry keys to change, and what settings to make in NetWare.
  • Wi-Foo: The Secrets of Wireless Hacking, by A. Vladimirov, K. Gavrilenko, and A. Mikhailovsky. This book is the first practical and realistic book about 802.11 network penetration testing and hardening, based on a daily experience of breaking into and securing wireless LANs. Rather than collecting random wireless security news, tools, and methodologies, Wi-Foo presents a systematic approach to wireless security threats and countermeasures starting from the rational wireless hardware selection for security auditing and describes how to choose the optimal encryption ciphers for the particular network you are trying to protect.
The following list includes common WiFi terms discussed in this white paper.

Encryption is the translation of data into a secret code. To read encrypted data, you must have access to the secret key or password that was used to translate the data into cipher text. That same key or password enables you to decrypt cipher text back into the original plain text. Encryption is the most effective way to achieve data security, but depends on using keys known only by the sender and intended recipient. If a hacker can guess (crack) the key, data security is compromised.

Evil Twin
This is a rogue WiFi access point that appears to be a legitimate one, but actually has been set up by a hacker to intercept wireless communications. An Evil Twin is the wireless version of the "phishing" scam: an attacker fools wireless users into connecting their laptop or mobile phone by posing as a legitimate access point (such as a hotspot provider). When a victim connects to the Evil Twin, the hacker can launch man-in-the-middle attacks, listening in on all Internet traffic, or just ask for credit card information in the standard pay-for-access deal. Tools for setting up an evil twin are easily available (e.g., Karma and Hotspotter). One recent study found that over 56% of laptops were broadcasting the name of their trusted WiFi networks, and that 34% of them were willing to connect to highly insecure WiFi networks – which could turn out to be Evil Twins.

Hypertext Transfer Protocol Secure (HTTPS) combines the Hypertext Transfer Protocol used by browsers and websites with the SSL/TLS protocol used to provide encrypted communication and web server authentication. HTTPS connections are often used to protect payment transactions on the Internet so that anyone that might intercept those packets cannot decipher sensitive information contained therein.

Man-In-the-Middle Attacks
A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections a communication source and destination and relays messages between them, making those victims believe that they are talking directly to each other, when in fact the entire conversation is being controlled by the attacker. The attacker must be able to intercept all messages exchanged between the two victims. For example, an attacker within reception range of an unencrypted WiFi access point can insert himself as a man-in-the-middle by redirecting all packets through an Evil Twin. Or an attacker can create a phishing website that poses as an online bank or merchant, letting victims sign into the phishing server over a SSL connection. The attacker can then log onto the real server using victim-supplied information, capturing all messages exchanged between the user and real server – for example, to steal credit card numbers.

Sidejacking is a web attack method where a hacker uses packet sniffing to steal a session cookie from a website you just visited. These cookies are generally sent back to browsers unencrypted, even if the original website log-in was protected via HTTPS. Anyone listening can steal these cookies and then use them access your authenticated web session. This recently made news because a programmer released a Firefox plug-in called Firesheep that makes it easy for an intruder sitting near you on an open network (like a public wifi hotspot) to sidejack many popular website sessions. For example, a sidejacker using Firesheep could take over your Facebook session, thereby gaining access to all of your sensitive data, and even send viral messages and wall posts to all of your friends.

Packet sniffers allow eavesdroppers to passively intercept data sent between your laptop or smartphone and other systems, such as web servers on the Internet. This is the easiest and most basic kind of wireless attack. Any email, web search or file you transfer between computers or open from network locations on an unsecured wireless network can be captured by a nearby hacker using a sniffer. Sniffing tools are readily available for free on the web and there are at least 184 videos on YouTube to show budding hackers how to use them. The only way to protect yourself against WiFi sniffing in most public WiFi hotspots is to use a VPN to encrypt everything sent over the air.

A Netscape-defined protocol for securing data communications – particularly web transactions - sent across computer networks. The Secure Sockets Layer (SSL) protocol establishes a secure session by electronically authenticating the server end of any connection, and then using encryption to protect all subsequent transmissions. The Transport Layer Security (TLS) protocol refers to the Internet standard replacement for SSL. Websites that are addressed by URLs that begin with https instead of http use SSL or TLS.

WEP and WPA are security protocols used to protect wireless networks. Wired Equivalent Privacy (WEP) is a deprecated security protocol for IEEE 802.11 wireless networks. Because all wireless transmissions are susceptible to eavesdropping, WEP was introduced as part of the original 802.11 standard in 1997. It was intended to provide confidentiality comparable to that of a traditional wired network. Since 2001, several serious weaknesses in the protocol have been identified so that today a WEP connection can be cracked within minutes. In response to these vulnerabilities, in 2003 the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). Wi-Fi Protected Access versions 1 and 2 (WPA and WPA2) refer to certification programs that test WiFi product support for newer IEEE 802.11i standard security protocols that encrypt data sent over the air, from WiFi user to WiFi router.

Original Article: