
It's important to secure your wireless network with WPA2 encryption and a strong passphrase. But what sorts of attacks are you actually securing it against? Here's how attackers crack encrypted wireless networks.

This isn't a "how to crack a wireless network" guide. We're not here to walk you through the process of compromising a network -- we want you to understand how someone might compromise your network.

Spying on an Unencrypted Network


First, let's start with the least secure network possible: An open network with no encryption. Anyone can obviously connect to the network and use your Internet connection without providing a passphrase. This could put you in legal danger if they do something illegal and it's traced back to your IP address. However, there's another risk that's less obvious.

When a network is unencrypted, traffic travels back and forth in plaintext. Anyone within range can use packet-capturing software that puts a laptop's Wi-Fi hardware into a mode that captures wireless packets straight from the air. This is generally known as putting the device in "promiscuous mode," as it captures all nearby wireless traffic. The attacker can then inspect these packets and see what you're doing online. The contents of HTTPS connections are protected from this, but all plain HTTP traffic is readable.

Google took some heat for this when they were capturing Wi-Fi data with their Street View trucks. They captured some packets from open Wi-Fi networks, and those could contain sensitive data. Anyone within range of your network can capture this sensitive data -- yet another reason to not operate an open Wi-Fi network.

Wireshark can be used for packet inspection.

Finding a Hidden Wireless Network


It's possible to find "hidden" wireless networks with tools like Kismet, which show nearby wireless networks. The wireless network's SSID, or name, will be displayed as blank in many of these tools.

This won't help much. Attackers can send a deauth frame to a device, which is the signal an access point would send if it were shutting down. The device will then attempt to reconnect to the network, and it will do so using the network's SSID, which can be captured at that moment. Even this isn't strictly necessary: monitoring a network for long enough will naturally capture a client attempting to connect, revealing the SSID.

This is why hiding your wireless network won't help you. In fact, it can actually make your devices less secure because they'll attempt to connect to the hidden Wi-Fi network at all times. An attacker nearby could see these requests and pretend to be your hidden access point, forcing your device to connect to a compromised access point.


Changing a MAC Address

Network analysis tools that capture traffic will also show the devices connected to an access point along with their MAC addresses, which are visible in the packets traveling back and forth. If a device is connected to the access point, the attacker knows that device's MAC address is one the access point accepts.

The attacker can then change their own Wi-Fi hardware's MAC address to match that computer's. They'd wait for the client to disconnect, or send it a deauth frame to force it off, then connect to the Wi-Fi network from their own device.
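The deauth frames described in this section and the previous one arrive in bursts that a real access point never sends, which makes them easy to spot from a frame capture. The following is an added example, not code from the article or from any tool it names; the log format, addresses and timestamps are constructed:

```python
"""Flag deauthentication bursts in a simplified, constructed frame log.

Added example (not from the article). Assumed log format, one frame per line:
    <epoch-seconds> <frame-type> <source-mac> <destination-mac>
An access point sends the odd deauth frame; an attacker forcing a client
off the network sends dozens per second, often to the broadcast address.
"""
from collections import defaultdict, deque


def parse_frames(lines):
    """Yield (timestamp, frame_type, src, dst); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ftype, src, dst = parts
        yield float(ts), ftype.lower(), src.lower(), dst.lower()


def find_deauth_bursts(lines, window=1.0, threshold=10):
    """Return {source_mac: peak_count} for every source that sent at least
    `threshold` deauth frames inside any `window`-second sliding window."""
    recent = defaultdict(deque)   # source MAC -> timestamps of recent deauths
    alerts = {}
    for ts, ftype, src, _dst in parse_frames(lines):
        if ftype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


def constructed_log():
    """Constructed sample: normal traffic, one benign deauth, then a burst."""
    ap, client, bcast = "aa:bb:cc:00:00:01", "11:22:33:44:55:66", "ff:ff:ff:ff:ff:ff"
    lines = [f"1700000000.00 data {ap} {client}",
             f"1700000001.00 deauth {ap} {client}",
             f"1700000002.00 data {client} {ap}"]
    # Attacker burst: 15 broadcast deauths in 0.7 s. The source is the AP's own
    # BSSID (spoofed), so the alert names the impersonated AP, not the attacker.
    lines += [f"1700000010.{5 * i:02d} deauth {ap} {bcast}" for i in range(15)]
    return lines


if __name__ == "__main__":
    print(find_deauth_bursts(constructed_log()))   # {'aa:bb:cc:00:00:01': 15}
```

Because the burst spoofs the access point's own address, the alert tells you which network is being attacked rather than who is attacking it; that is still enough to know a deauth is happening and not a genuine AP restart.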


Cracking WEP or WPA1 Encryption


WPA2 is the modern, secure way to encrypt your Wi-Fi. There are known attacks that can break the older WEP or WPA1 encryption (WPA1 is often referred to just as "WPA" encryption, but we use WPA1 here to emphasize that we're talking about the older version of WPA and that WPA2 is more secure).

The encryption scheme itself is flawed: with enough traffic captured, the encryption can be analyzed and broken. After monitoring an access point for about a day and capturing that day's worth of traffic, an attacker can run a program that recovers the WEP key. WEP is fairly insecure, and there are other ways to break it more quickly by tricking the access point. WPA1 is more secure, but is still vulnerable.


Exploiting WPS Vulnerabilities


An attacker could also break into your network by exploiting Wi-Fi Protected Setup, or WPS. With WPS, your router has an eight-digit PIN that a device can use to connect instead of providing your encryption passphrase. The PIN is checked in two halves: first, the router checks the first four digits and tells the device whether they're right, then it checks the last four digits and tells the device whether those are right. There are only a small number of possible four-digit values, so an attacker can "brute force" WPS by trying each four-digit value until the router confirms the correct one.

You can protect against this by disabling WPS. Unfortunately, some routers actually leave WPS enabled even when you disable it in their web interface. You may be safer if you have a router that doesn't support WPS at all!


Brute-Forcing WPA2 Passphrases


Modern WPA2 encryption has to be "brute-forced" with a dictionary attack. An attacker monitors a network, capturing the handshake packets exchanged when a device connects to an access point. This can be captured quickly by deauthenticating a connected device so that it reconnects. They can then run an offline brute-force attack, checking possible Wi-Fi passphrases against the captured handshake to see which one completes it.

For example, let's say the passphrase is "password." WPA2 passphrases must be between eight and 63 characters, so "password" is perfectly valid. A computer would start with a dictionary file containing many possible passphrases and try them one by one: "password," "letmein," "opensesame," and so on. This sort of attack is called a "dictionary attack" because it requires a dictionary file of many possible passwords.

We can easily see how common or simple passwords like "password" will be guessed within a short time frame, whereas the computer may never get around to guessing a longer, less obvious passphrase like ":]C/+[[ujA+S;n9BYq9<kM5'W+fc`Z#*U}G(/W~@q>z>T@J#5E=g}uwF5?B?Xyg." This is why it's important to have a strong passphrase with a reasonable length.
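The three paragraphs above describe what the attacker's computer actually computes for each guess. The following is an added example, not code from the article: it derives the WPA2 key the way the standard does, runs a short constructed wordlist against your own passphrase the way an offline attack would, and puts a number on how long a full search of a given passphrase length would take. The SSID, wordlist and rate estimate are constructed or measured locally, not taken from the article.

```python
"""WPA2 passphrase audit: what an offline dictionary attack recomputes per guess.

Added example (not from the article). WPA2-Personal derives the Pairwise
Master Key (PMK) from the passphrase and SSID with PBKDF2-HMAC-SHA1, 4096
iterations, 32 bytes out (the standard IEEE 802.11i derivation). An attacker
with a captured handshake runs exactly this for every candidate, then checks
the handshake's MIC; here we compare against our own PMK, which costs the same.
The wordlist and SSID are constructed.
"""
import hashlib
import time

WORDLIST = ["password", "letmein", "opensesame", "12345678", "qwertyuiop"]  # constructed


def wpa2_pmk(passphrase, ssid):
    """Standard WPA2-Personal PMK derivation."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_passphrase(passphrase, ssid, wordlist=WORDLIST):
    """Try the wordlist against this passphrase's PMK.

    Returns (index of the matching candidate or None, seconds per guess).
    Candidates outside 8..63 characters cannot be WPA2 passphrases and are
    skipped, which is why "letmein" never costs the attacker a PBKDF2 call.
    """
    target = wpa2_pmk(passphrase, ssid)
    found, tried = None, 0
    start = time.perf_counter()
    for i, cand in enumerate(wordlist):
        if not 8 <= len(cand) <= 63:
            continue
        tried += 1
        if wpa2_pmk(cand, ssid) == target:
            found = i
            break
    return found, (time.perf_counter() - start) / max(tried, 1)


def years_to_exhaust(alphabet_size, length, seconds_per_guess):
    """Worst-case years to try every passphrase of this length and alphabet."""
    return alphabet_size ** length * seconds_per_guess / (365 * 86400)


if __name__ == "__main__":
    idx, per_guess = audit_passphrase("opensesame", "HomeNet")
    print("found at index", idx, "at %.4f s per guess" % per_guess)
    # Compare the 8-character and 63-character spaces at this single-core rate.
    for n in (8, 63):
        print(n, "chars:", "%.3g" % years_to_exhaust(95, n, per_guess), "years")
```

A GPU cracker runs this derivation many thousands of times faster than this single-core loop, which is why the 8-character figure should be treated as optimistic and the 63-character one as the only comfortable margin.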

Tools of the Trade

If you want to see the specific tools an attacker would use, download and run Kali Linux. Kali is the successor to BackTrack, which you may have heard about. Aircrack-ng, Kismet, Wireshark, Reaver, and other network-penetration tools are all preinstalled and ready to use. These tools may take some knowledge (or Googling) to actually use, of course.


All these methods require an attacker to be within physical range of the network, of course. If you live in the middle of nowhere, you're less at risk. If you live in an apartment building in New York City, there are quite a few people nearby who might want an insecure network they can piggy-back on.

Image Credit: Manuel Fernando Gutiérrez on Flickr