Here are some Wi-Fi hacking techniques and the tools — nearly all free — you can use for penetration testing. These tools will help you uncover rogue access points, weak Wi-Fi passwords, and spot other weaknesses and security holes before someone else does. (See How to hack a parking meter.)
Stumbling and Sniffing
You can use Wi-Fi stumblers to detect nearby access points and their details, like the signal level, security type and media access control address. You might find access points set with weak Wired Equivalent Privacy security, which can be easily cracked, or possibly rogue access points setup by employees or others that could be opening your network up to attack. If there are access points set with a hidden or non-broadcasted SSID (network name), Wi-Fi stumblers can quickly reveal it.
You can use wireless sniffers to capture raw network packets sent over the air. You could import the captured traffic into other tools, such as to crack encryption. Or if you're connected to the network (or if it's not encrypted), you could manually look for email and website passwords sent in clear-text.
Here are a few Wi-Fi stumblers and sniffers:
Vistumbler is an open source Windows application that displays the basic access point details, including the exact authentication and encryption methods, and can even speak the SSID and RSSI. It also displays graphs of signal levels. It's highly customizable and offers flexible configuration options. It supports access point names to help distinguish them, also helping to detect rogue access points. It also supports GPS logging and live tracking within the application using Google Earth.
Kismet is an open source Wi-Fi stumbler, packet sniffer, and intrusion-detection system that can run on Windows, Mac OS X, Linux, and BSD. It shows the access point details, including the SSID of "hidden" networks. It can also capture the raw wireless packets, which you can then import into Wireshark, TCPdump, and other tools. In Windows, Kismet only works with CACE AirPcap wireless adapters due to the limitation of Windows drivers. It does, however, support a variety of wireless adapters in Mac OS X and Linux.
Wifi Analyzer is a free Android app you can use for finding access points on your Android-based smartphone or tablet. It lists the basic details for access points on the 2.4-GHz band, and on supported devices on the 5-GHz band as well. You can export the access point list (in XML format) by sending it to email or another app or take snapshot of the screens. It also features graphs showing signals by channel, history, and usage rating and also has a signal meter feature to help find access points.
WEP Key and WPA/WPA2-Personal Cracking
There are many tools out there that can crack Wi-Fi encryption, either taking advantage of WEP weaknesses or using brute-force dictionary-based attacks on WPA/WPA2-Personal (PSK). Thus you should never use WEP security.
WPA2 security with AES/CCMP encryption is the most secure. And if you use the Personal or Pre-shared key (PSK) mode, use a long 13+ character passphrase with mixed-case letters, numbers, and special characters — any ASCII characters will do.
You can use these tools to understand the Wi-Fi encryption weaknesses or to test your current passwords:
Aircrack-ng is an open source suite of tools to perform WEP and WPA/WPA2-Personal key cracking, which runs on Windows, Mac OS X, Linux, and OpenBSD. It's also downloadable as a VMware image and Live CD. You can capture data packets, inject and replay traffic, and reveal the encryption keys once enough packets have been captured.
CloudCracker is a commercial online password cracking service, starting at $17 for 20 minutes. In addition to WPA/WAP2 PSKs, it can also be used to attempt cracking of password hashes and password-protected documents. They use huge dictionaries of 300 million words to perform the cracking and have the computing power to do it quick. You just simply upload the handshake file for WPA/WPA2 or PWDUMP file for the hashes or documents.
Though the Enterprise mode of WPA/WPA2 security with 802.1X authentication is more secure than the Personal (PSK) mode, it still has vulnerabilities. Here's a tool to help you better understand these attacks, how you can protect your network, and test your security:
FreeRadius-WPE is a patch for the open source FreeRADIUS server designed to perform man-in-the-middle attacks against users of wireless networks using 802.1X authentication. It modifies the server to accept all network-attached storage devices and EAP types and logs the username and challenge/response from the unsuspecting users that connect to the fake wireless network. Then the challenge/response can be inputted into another Linux program, asleap, to crack the encrypted password.
WPS PIN Cracking
If you have a wireless router instead of or in addition to access points, you should be aware of a vulnerability publicly discovered in December. It involves the Wi-Fi Protected Setup (WPS) feature found on most wireless routers and usually activated by default when using WPA/WPA2-Personal (PSK) security. The WPS PIN, which can be used to connect to the wireless router, can be easily cracked within hours.
Here's one tool you can use to test your wireless routers against the WPS PIN weakness:
Reaver is Linux program that performs brute force attacks against wireless routers to reveal their WPS PIN and WPA/WPA2 PSK within four to 10 hours. They also offer an easy-to-use hardware solution, Reaver Pro, with a graphical web interface.
Evil Twin APs and Wi-Fi Honey Pots
One technique Wi-Fi hackers can use to get unsuspecting people to connect to them is by setting up a fake access point, aka an evil twin access point or wireless honey pot. Once someone connects to the access point the hacker can then, for example, capture any email or FTP connections or possibly access the user's file shares. They could also use a captive portal or spoofed DNS caching to display a fake website mirroring a hotspot or website login page in order to capture the user's login credentials.
Here are tools to find vulnerable wireless clients on your network:
WiFish Finder is an open source Linux program that passively captures wireless traffic and performs active probing to help identify wireless clients vulnerable to attacks, like evil twin access points, honey pots, or man-in-the-middle attacks.
It builds a list of network names that wireless clients are sending probe requests for and detects the security type of that desired network. Thus you can identify clients probing for unencrypted networks, which would be easily susceptible to evil twins or honey pots attacks, or those probing for a WPA/WPA2-Enterprise network that could be susceptible to man-in-the-middle attacks.
Jasager (based on KARMA) is Linux-based firmware offering a set of Linux tools to identify vulnerable wireless clients, like WiFish Finder, but can also perform evil twin or honey pot attacks. It can run on FON or WiFi Pineapple routers. It can create a soft access point set with the SSIDs nearby wireless adapters are probing for and run a DHCP, DNS, and HTTP server so clients can connect. The HTTP server can then redirect all requests to a web site. It can also can capture and display any clear-text POP, FTP, or HTTP login performed by the victim. Jasager features a web-based and command-line interface.
Fake AP runs on Linux and BSD and generates thousands of simulated access points by transmitting SSID beacon frames. It could be used by attackers to confuse IT staff or intrusion-detection systems, or even used by you to confuse the attacks of wardrivers.
Wireless Driver Vulnerabilities
Here's a tool to help find weaknesses with certain device drivers of wireless adapters that could make attacks on your network easier:
WiFiDEnum (WiFi Driver Enumerator) is a Windows program that helps identify vulnerable wireless network drivers that are risk to wireless driver exploit attacks. It scans the wired or wireless network for Windows workstations, collects details about their wireless network adapter drivers, and identifies possible vulnerabilities.
General Network Attacks
Here are a few tools to demonstrate eavesdropping and attacks that we've seen on wired networks for years, which also can work via Wi-Fi:
Nmap (as in Network Mapper) is an open source TCP/IP scanner you can use to identify hosts and clients on the network, available on Linux, Windows, and Mac OS X with a GUI or a command-line. It reports what operating system they're using, services they're using or offering, what type of packet filters or firewalls they're using, and many other characteristics. This can help you find insecure hosts and ports that may be susceptible to hacking.
Cain and Abel is a password recovery, cracker, and sniffer tool for Windows. Use it to demonstrate, for example, the ability to sniff clear-text passwords sent over the network.
Firesheep is Firefox add-on that performs HTTP session hijacking, aka sidejacking. It monitors the network for logins from users on sites that exchange the login cookie without using full SSL encryption. Once a cookie is detected, it lists a shortcut to the protected website that an attacker can visit without having to login.
Pen Testing Linux Distributions
If you're serious about penetration testing, consider using a Linux distribution dedicated to it. One of the most popular is BackTrack, which offers more than 320 preinstalled penetration testing tools you can use for playing around with networks, web servers and more. You can install BackTrack to a hard drive or boot it from a Live DVD or USB flash drive.
Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity that helps businesses protect their Wi-Fi with enterprise (802.1X) security and On Spot Techs that provides on-site computer services.
Read more about anti-malware in Network World's Anti-malware section.