How to Win a Thousand Internets
Recently, a friend of mine (and no, not me) decided to make a bet with someone we mutually knew. He told his friend that it was incredibly easy to gain access to any wireless access point you wanted, regardless of whether or not it was encrypted. Furthermore, it's often easy to take over said access point once you get in.
You may think my friend has a lot of nerve, and you'd be right. But he also knows what he's talking about, to some degree.
It is true that the process of gaining entry into a wireless router and getting free internet is pretty simple under the right conditions, but depending on the router and the owner's knowledge of their product it may be a hard task to take over the network wholesale.
Today I am going to peel back the layers of complexity and give you a brief non-technical history and outline as to how it is possible to achieve some of these goals. This is not an endorsement of practising nefarious techniques in an effort to pull off that idea in Superman III, but rather a way for the well-rounded netizen to see how secure their own home networks are.
In layman's terms...
This information is not to be used in a harmful and destructive manner.
It is illegal to attack a network without prior consent from the owner.
So, how easy is it to test your own network to see if you're vulnerable to internet moochers, or possibly worse?
Surprisingly, very...for your seasoned console jockey.
Actually, I had a lot of success with my iBook G3 and Kismac, many years ago. However, today, as times have changed and I've delved deeper into my Linux fetish, I've successfully demonstrated an attack against a router I keep up and running.
While I have a basic background in networking, my Cisco Certification isn't necessary for you to successfully pull off an attack today. You do, however, need to feel comfortable typing in a boxy window, and having a good enough imagination to visualize what is going on certainly goes a long way too.
So, What is it I Need?
Here's a short list:
- Computer (preferably a mobile one.)
- Linux (I recommend BackTrack4 for this in particular)
- High Powered Wireless Card that supports "Packet Injection."
Where Do I Get Them?
It's pretty easy to get this stuff.
BackTrack4 is free and available here. It's a complete Linux operating system, and it's a simple process to burn it to DVD and run it "live" from there, without the need to install it on the machine you're using it on.
A high powered wireless card does wonders, and one that supports packet injection isn't too hard to find. I've included the very one I purchased from Amazon to the right.
Not only does this particular card work extremely well (I went from 2-3 bars of signal to full power on my own router), it also tends to pick up a signal from yards away, making it very useful when the wifi signal in your house is weak or the router is further from your wireless device than is optimal.
It's a simple matter to install too--just plug it into the USB port and BackTrack4 immediately recognizes it for what it is and what it can do. It'll work under Windows, Mac OS X, and virtually any newer Linux version, too.
While I already run Linux myself on my desktop (and k@ri has allowed me to switch her laptop over from Vista), it's a much simpler affair to just use BackTrack4, as it comes fully loaded with all the software you need to pull off an attack, as well as the correct (hacked/patched) drivers for the Alfa wireless card, among others.
You can use a lot of other cards, but the one I have in particular has been fully tested and used by many wardrivers.
Okay, I got Everything, Now What?
Now that your plan has begun to come together, it's just a matter of booting into BackTrack4, starting up the network, and opening up some console sessions to type in some commands to a particular program called the aircrack-ng suite.
I'll include a basic step-by-step walk through that works well on routers that have your standard WEP security, but I highly recommend you RTFM. So, click here to delve into the aircrack-ng wiki.
Before I show you those magical commands, however, allow me to share a little history for our non-technical readers.
In The Beginning...
As described in an Aussie accent above, war driving comes from war dialing. This was a standard practice for bored pimply-faced youth and curious hackers back when bulletin board systems and modem-based computer-to-computer communication were the main entryway into long distance information, a time before the internet had a world wide web to stumble on all day.
The enterprising user of particular software would enter a range of phone numbers and set it to dial, waiting to hear that loud obnoxious handshake modems do when they connect. After the connection is made, the person is then free to login to the system and do whatever they need to. That's assuming they're supposed to be connected and they know the machine, of course.
Otherwise, people would often write down the number and try to figure out what the machine was running and how to control it. How this is done is beyond the scope of this article, though--not that I'm speaking from experience.
War driving today involves travelling around and looking at the surrounding landscape in terms of wireless access points. Many are open, but many more today are closed. The open ones are increasingly pay-to-surf setups; encrypting the signal would make it difficult for the average user to connect and fork over cash.
Today routers offer encryption as a standard, and many offer so many kinds that mom and dad just don't know what to do. They're confused by a plethora of acronyms like WEP, WPA, WPA2, and more.
WEP encryption, first introduced in 1997, has had plenty of time to be cracked. And cracked it has been. This makes it trivial today for many people with the right know-how and technology to gain access to free wireless or more, even if the operator believes the network is closed.
It works because WEP is a tad bit flawed, so to speak. While it encrypts the data itself well enough, it also transmits in the clear a 24-bit code (the initialization vector, or IV) that changes very often and quickly. However, 24 bits isn't much. On a busy network the same code can be re-transmitted after 5,000 packets or so. That may sound like a high number, but when you're streaming video from YouTube or playing FarmVille, it's not very many packets at all.
Between this and the fact that the other part of the cipher (the encryption method is called RC4) is a fixed key shared among the router and all its users, it's easy to eavesdrop on a network's traffic and capture enough data to crack both parts of the WEP code, with the end result being a valid key to enter the network.
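The IV-reuse argument above, worked through as an added example that is not part of the original post: it computes the birthday-bound probability that a 24-bit IV repeats within a given number of packets, finds the packet count at which a repeat becomes more likely than not, and runs a constructed Monte Carlo trial of a station picking IVs at random.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible initialization vectors

def collision_probability(packets, space=IV_SPACE):
    """Probability that at least two of `packets` IVs drawn uniformly at
    random from `space` values coincide (the birthday bound). The log-sum
    form stays accurate where a running product would lose precision."""
    if packets > space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    log_no_collision = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_collision)

def packets_until_likely(target=0.5, space=IV_SPACE):
    """Smallest packet count n with collision_probability(n) >= target.
    Starts from the closed-form estimate n ~ sqrt(2 * space * ln(1/(1-p)))
    and adjusts by single steps, so the answer is exact for the given space."""
    n = max(1, int(math.sqrt(2 * space * math.log(1 / (1 - target)))))
    while collision_probability(n, space) < target:
        n += 1
    while n > 1 and collision_probability(n - 1, space) >= target:
        n -= 1
    return n

def simulate_first_reuse(space=IV_SPACE, seed=1):
    """Constructed Monte Carlo trial: a station picking IVs uniformly at
    random (many real WEP cards used a simple counter instead, which wraps
    deterministically after 2**24 frames) sends frames until an IV repeats;
    returns the index of the first frame whose IV was already used."""
    rng = random.Random(seed)
    seen = set()
    sent = 0
    while True:
        sent += 1
        iv = rng.randrange(space)
        if iv in seen:
            return sent
        seen.add(iv)

if __name__ == "__main__":
    print("P(IV reuse within 5000 packets) = %.3f" % collision_probability(5000))
    print("packets until reuse is more likely than not:", packets_until_likely())
    print("first reuse in one simulated run at packet", simulate_first_reuse())
```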
So, What Am I Going to Do Exactly?
Basically, with the equipment and software displayed on this page you're going to have the ability to look for available wireless access points around you, decide which one to try (yours, of course!), listen into the traffic, capture said traffic, then decrypt the net result.
When this is done it'll spit out a hexadecimal value--something like 76:C8:B8:C1:DB:64:5B:BA:AA:43:45:CE:2B, which after taking out the colons becomes a WEP key.
Note that this only works on routers that use WEP encryption; cracking newer forms of access point security can be considerably more difficult.
So, here's those magic commands:
1. Open a console and type: ifconfig wlan0 down (this makes the wireless adapter available for aircrack-ng)
2. Then type: aireplay-ng -9 wlan0
3. Open a new console, then type: airmon-ng start wlan0 (channel of router)
4. Open another console and type: airodump-ng -w /tmp/WEP --channel (router channel) --bssid (router bssid) mon0
5. Open another console and type: aireplay-ng -1 0 -a (router's bssid) mon0
6. In yet another new console, type: aireplay-ng -3 -b (router's bssid) mon0
Now wait.
What's Going On?!
Okay, by now your screen is filled with a bunch of boxes with words you typed into them. What does all of this mean, and what did you do exactly?
Well, I'll explain. You'll notice a lack of visuals here because I believe that this whole process would make a boring picture book, and if you're not able to visualize this much you may be in over your head for now. (But I encourage you to still try!)
1. First we told the computer to take the wireless card offline. This means that it is not going to be interrupted by some random process on the computer, and it allows us to control the card in a fine-tuned manner using aircrack-ng.
2. The second line basically tests whether aircrack-ng can inject, and shows what access points are around you, what their BSSIDs are, and what channel they're broadcasting on.
   Note: a router generally has two IDs. The first one, known as the ESSID, is often something like "linksys" or "netgear" by default. The second is generally the MAC address of the router in a home networking situation.
3. The third console and command we issued turned on a signal monitoring program and told it to watch a certain channel.
4. The fourth step is pretty useful and crucial: it tells another part of aircrack to begin recording everything it intercepts and save it for later.
5. The fifth step tries to authenticate with the router, using packet injection. If successful, you're online.
6. Finally, this command begins to listen for ARP requests and saves the information for later, just like airodump did with our other traffic.
After all this is done, and everything is going great, all you need to do is wait. While some people tell you to wait for a certain threshold of replies, I'm going to give you a roundabout number that generally works on a busy network: 10 minutes.
Obviously, this is a long wait, and it can be done in less (I've done it in three minutes, others in one), but since it's your own router and you're just trying to see if it can be done, ten minutes is more than enough time to gather a lot of information.
When the time has passed, all you have to do is close all the consoles you've opened, open a new one, and type in:
aircrack-ng /tmp/WEP-01.cap
If you've saved enough data, you'll see a bunch of stuff happening on the screen, and then something like:
KEY FOUND! [ 12:34:56:78:90 ]
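A defender's follow-up to the capture step above, added here and not part of the original post: it reads the CSV that airodump-ng writes next to the .cap when started with -w (the column layout is an assumption, so check the header of your own file) and lists the access points still running WEP or left open, together with the IV counter airodump recorded for each.

```python
import csv

# Constructed sample of the <prefix>-01.csv file that airodump-ng writes when
# started with -w (step 4 above). Assumption: the column order matches the
# aircrack-ng 1.x CSV layout; verify against the header of your own file.
# Only the access-point table is modelled; the station table that follows a
# blank line in the real file is omitted.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-01-01 12:00:00, 2010-01-01 12:10:00,  6,  54, WEP , WEP, , -40,  600, 5200,   0.  0.  0.  0,   7, linksys, 
66:77:88:99:AA:BB, 2010-01-01 12:00:00, 2010-01-01 12:10:00, 11,  54, WPA2, CCMP, PSK, -55,  580,    0,   0.  0.  0.  0,   6, home24, 
CC:DD:EE:FF:00:11, 2010-01-01 12:00:00, 2010-01-01 12:10:00,  1,  54, OPN , , , -70,  300,    0,   0.  0.  0.  0,   8, cafefree, 

"""

# Roughly where IV reuse becomes likely in a 24-bit IV space, per the
# birthday-bound discussion earlier in the post.
IV_REUSE_THRESHOLD = 5000

def weak_access_points(csv_text):
    """Return one dict per access point whose Privacy column is WEP or OPN:
    BSSID, ESSID, privacy mode, the IV counter airodump kept for it, and
    whether that counter has already passed IV_REUSE_THRESHOLD."""
    reader = csv.reader(csv_text.splitlines(), skipinitialspace=True)
    header = None
    weak = []
    for row in reader:
        if not any(cell.strip() for cell in row):
            if header is not None:
                break  # blank line marks the end of the AP table
            continue
        if header is None:
            header = [c.strip() for c in row]
            continue
        rec = dict(zip(header, (c.strip() for c in row)))
        privacy = rec.get("Privacy", "")
        if privacy.startswith("WEP") or privacy == "OPN":
            ivs = int(rec.get("# IV") or 0)
            weak.append({
                "bssid": rec["BSSID"],
                "essid": rec["ESSID"],
                "privacy": privacy,
                "ivs": ivs,
                "iv_reuse_likely": ivs >= IV_REUSE_THRESHOLD,
            })
    return weak

if __name__ == "__main__":
    for ap in weak_access_points(SAMPLE_CSV):
        print(ap)
```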
Further Reading
Obviously, I just may have opened up a whole bag of worms here. BackTrack4 itself is a set of software designed to be used in what is called "penetration testing," which in plain terms means hiring someone to see if they can get into your network and stay there.
Businesses and governments the world over are in need of these sorts of tests, but there are always two sides to every coin. The wrong person could very easily take the information here and use it for some dark reasons.
I've left this tutorial a bit vague for that fact alone.
But, I know you wouldn't do anything you're not supposed to, right?
If you're interested in this topic, here are some good links to feed your hungry mind.
P.S.
Don't get too involved, showering is a good thing.
- How Do I Get Started?
  A good introduction to all of this, compliments of the aircrack-ng team.
- Linux Wireless Drivers
  This package, called compat-wireless, installs the cutting-edge wireless drivers onto your computer. Useful for making your wireless card work with this tutorial.
- aircrack-ng.org: Simple WEP Crack
  Another, more detailed version of this tutorial from aircrack-ng's wiki.
