What happens when you get caught hacking WiFi


The following story is real and serves as a startling reminder of what happens to those who get caught WiFi hacking without authorization. Now, let’s dive in!

Years ago, a young black hat hacker sat at home, devising an elaborate scheme to troll his school. He loaded BackTrack 3 on his laptop, armed with an Atheros wireless adapter, and went to work.

Within minutes, he cracked the password and started moving laterally across the network. He found the server with all the important files used by the administration and unleashed a nasty piece of malware, which brought the network to its knees.

The cyberattack was so devastating the FBI was called in to investigate. They made mirror images of the affected hard disks and began to forensically analyze the artifacts left behind by the hacker.

That’s when they discovered his MAC address in the ARP cache along with a timestamp of his illicit connection. This told the FBI one thing: the intruder launched the attack locally in the vicinity.

That’s how they found him like a smoking gun. After scanning of the 802.11 frequencies traveling within the local airwaves, sure enough, they found his device and the corresponding MAC address on an open WiFi network only a few houses down from the school.

Let that be a lesson to those of you who want to perform WiFi penetration testing without authorization. With that out of the way, let’s begin and travel down the rabbit hole of wireless hacking.

Why this is important

First off, let me start by saying that every company that deals with customer information, products, or provides a service should have a dedicated red team in conjunction with incident responders. If you’re operating in commerce, then you have more to protect than yourself since data breaches can result in lawsuits by the affected parties.

While this article focuses less on incident response and more on the tools and techniques of the trade for conducting wireless security auditing, I cannot stress enough the importance of protecting your assets from intruders and not leaving your security to chance.

This is why red teaming is so important: wireless security auditing can reveal just how secure your local assets truly are.

Overview of basic terminologies

Before we get down to the nitty-gritty, let’s familiarize ourselves with some terms so we can understand the context and each component. The functions described below have a broad scope, so I have provided summaries.

  • Red teaming: relates to a group of individuals whose sole function is to assume the role of the attacker, testing your organization’s defenses in a simulated and controlled environment while using actual attack methods. This is a proactive approach to improving your organization’s security, rather than having to find out the hard way, and then taking measures after a catastrophic fallout.
  • Blue teaming: corresponds to another group of people whose role is monitoring, detecting, and responding to security incidents as well as providing remedies for security issues. They analyze data to create a baseline of network behavior and maintain the overall integrity of the network.
  • Purple teaming: is a collaboration of both red and blue teams since these individual teams usually operate independently. This means they work together to plan, coordinate, and respond to simulated and real incidents and deploy fixes.
  • ARP cache: short for Address Resolution Protocol cache, stores the associations between IP addresses and their corresponding MAC addresses for devices on the same local network. To retrieve your system’s ARP cache on a Windows device, just open CMD and enter: arp -a. Alternatively, you can enter the following command to export the log onto your desktop. arp -a > C:\Users\your-user-name\Desktop\arp_cache.txt
wifi redteam 1
  • MAC: is an acronym that stands for Media Access Card. Every device that connects to a network has a unique identifier assigned to its network interface controller (NIC), which allows it to communicate on the physical network.

Setting up the attack: hardware requirements

You’re going to need a couple of prerequisites before you are ready to launch your penetration test.

Start with a wireless adapter that supports monitor mode and packet injection. This will allow you to sniff wireless traffic, capture data packets, see hidden networks, spoof, and manipulate network traffic via packet injection, even if you aren’t connected to that network.

Packet injection is an inalienable part of wireless attacks, which is why you must do your research in selecting the right wireless adapter. This gives the red team in attack position the ability to inject forged de-authentication frames that disconnect a target device’s connection to the wireless network.

Then, as the device attempts to reconnect to the wireless access point during the secured WPA/WPA2 4-way handshake, the reauthentication packets are captured and cracked by the red team, allowing them to authenticate on the wireless network.

You can find a listing of supporting WiFI adapters here.

wifi redteam 2

However, my WiFi adapter of choice will always be the MK7AC which is available on Amazon on the developer’s website, Hak5.

wifi redteam 3

You’ll obviously need a PC (preferably a laptop for mobility), but literally any laptop or PC that can run a live version of Kali Linux or your favorite flavor of Linux on a USB thumb drive will do the job. Kali is perfectly equipped with wireless penetration tools.

wifi redteam 4

Software: choose your poison

For the simplest approach to simulating a quick and effective wireless security audit, I recommend using Wifite2. This is because Wifite2 is a completely autonomous tool and requires little user input, which saves time by minimizing the number of steps taken by a manual approach.

The power behind Wifite2 is that it has over a dozen dependencies working the backend, which is why it cuts like butter through wireless security. Here’s an example of what’s happening behind the scenes:

  • Aircrack-ng - a complete suite of wireless security auditing tools.
  • Macchanger - spoofing MAC address
  • Bully - performs WPS Pixie-Dust & brute-force attacks
  • Reaver - performs WPS Pixie-Dust & brute-force attacks
  • Pyrit - used for detecting WPA/WPA2 4-way handshakes
  • Hashcat - used for cracking PMKID hashes
  • John - For CPU (OpenCL)/GPU cracking passwords
  • Iproute2 - for controlling and monitoring different aspects of networking.
  • Cowpatty - used for detecting WPA/WPA2 4-way handshakes
  • Hcxdumptool - capturing PMKID hashes
  • Tshark - used for detecting WPS networks and analyzing handshake captures.
  • Hcxtools - used for converting PMKID packet captures into hashcat format for cracking.
  • Wireshark-cli - used for detecting WPS-enabled networks and inspecting handshake captures.

Open a Linux terminal and run WIfite with the following command to kill any conflicting processes: sudo wifite –kill. Select your wireless interface and start the scanning process. Be sure to only select your wireless access point from the list of available networks to target, for legality purposes.

wifi redteam 5

At first glance, Wifite2 displays detected wireless access points, which channel they are broadcasting on, the type of encryption it uses, its signal strength, whether or not it uses a WPS key, and how many clients are connected to the access point.

If a wireless access point does not have WPS (WiFi Protected Setup) enabled, the attack will automatically shift to brute-forcing the 4-way handshake keys using a dictionary attack. This could theoretically take a long time, depending on the complexity of the password and whether the password in question is in fact in the dictionary list itself.

To maximize your success at cracking the WPA password, you can modify the dictionary file in Wifite2 and add or replace it with a more updated version, based on a list of the most commonly used WPA/WPA2 passwords.

However, if an access point has WPS enabled, the attack could finish in a matter of seconds. It is, by all definitions, a wireless router’s greatest vulnerability, and disabling it is an absolute must.

When you culminate all the information I have detailed herein, this is by far the easiest approach to wireless security auditing.

I haven’t even touched on some of the hardware I own that streamlines wireless penetration testing on a whole different level, like the WiFi Pineapple by Hak5, but introducing that wireless “super weapon” is better suited for its own article. However, it is a must-have for any serious red teamer interested in wireless security.