Page 1 of 4
Page 1 of 4
Sponsored by:
This story appeared on Network World at
How to hack your own Wi-Fi network
15 free (or almost free) Wi-Fi penetration testing tools
By Eric Geier, Network World
April 23, 2012 07:03 AM ET
Sponsored by:
Network World - Attempting to "hack" into your own
wireless network can help you spot potential Wi-Fi security
vulnerabilities and figure out ways to protect against them.
15 free (or almost free) Wi-Fi security testing tools
Here are some Wi-Fi hacking techniques and the tools —
nearly all free — you can use for penetration testing. These
tools will help you uncover rogue access points, weak WiFi passwords, and spot other weaknesses and security holes
before someone else does. (See How to hack a parking
Stumbling and Sniffing
You can use Wi-Fi stumblers to detect nearby access points
and their details, like the signal level, security type and
media access control address. You might find access points set with weak Wired Equivalent Privacy security,
which can be easily cracked, or possibly rogue access points setup by employees or others that could be opening
your network up to attack. If there are access points set with a hidden or non-broadcasted SSID (network name),
Wi-Fi stumblers can quickly reveal it.
You can use wireless sniffers to capture raw network packets sent over the air. You could import the captured
traffic into other tools, such as to crack encryption. Or if you're connected to the network (or if it's not
encrypted), you could manually look for email and website passwords sent in clear-text.
Here are a few Wi-Fi stumblers and sniffers:
Vistumbler is an open source Windows application that displays the basic access point details, including the
exact authentication and encryption methods, and can even speak the SSID and RSSI. It also displays graphs of
signal levels. It's highly customizable and offers flexible configuration options. It supports access point names to
Page 2 of 4
help distinguish them, also helping to detect rogue access points. It also supports GPS logging and live tracking
within the application using Google Earth.
Kismet is an open source Wi-Fi stumbler, packet sniffer, and intrusion-detection system that can run on
Windows, Mac OS X, Linux, and BSD. It shows the access point details, including the SSID of "hidden"
networks. It can also capture the raw wireless packets, which you can then import into Wireshark, TCPdump,
and other tools. In Windows, Kismet only works with CACE AirPcap wireless adapters due to the limitation of
Windows drivers. It does, however, support a variety of wireless adapters in Mac OS X and Linux.
Wifi Analyzer is a free Android app you can use for finding access points on your Android-based smartphone or
tablet. It lists the basic details for access points on the 2.4-GHz band, and on supported devices on the 5-GHz
band as well. You can export the access point list (in XML format) by sending it to email or another app or take
snapshot of the screens. It also features graphs showing signals by channel, history, and usage rating and also
has a signal meter feature to help find access points.
WEP Key and WPA/WPA2-Personal Cracking
There are many tools out there that can crack Wi-Fi encryption, either taking advantage of WEP weaknesses or
using brute-force dictionary-based attacks on WPA/WPA2-Personal (PSK). Thus you should never use WEP
WPA2 security with AES/CCMP encryption is the most secure. And if you use the Personal or Pre-shared key
(PSK) mode, use a long 13+ character passphrase with mixed-case letters, numbers, and special characters —
any ASCII characters will do.
You can use these tools to understand the Wi-Fi encryption weaknesses or to test your current passwords:
Aircrack-ng is an open source suite of tools to perform WEP and WPA/WPA2-Personal key cracking, which
runs on Windows, Mac OS X, Linux, and OpenBSD. It's also downloadable as a VMware image and Live CD.
You can capture data packets, inject and replay traffic, and reveal the encryption keys once enough packets have
been captured.
CloudCracker is a commercial online password cracking service, starting at $17 for 20 minutes. In addition to
WPA/WAP2 PSKs, it can also be used to attempt cracking of password hashes and password-protected
documents. They use huge dictionaries of 300 million words to perform the cracking and have the computing
power to do it quick. You just simply upload the handshake file for WPA/WPA2 or PWDUMP file for the
hashes or documents.
WPA/WPA2-Enterprise Cracking
Though the Enterprise mode of WPA/WPA2 security with 802.1X authentication is more secure than the
Personal (PSK) mode, it still has vulnerabilities. Here's a tool to help you better understand these attacks, how
you can protect your network, and test your security:
FreeRadius-WPE is a patch for the open source FreeRADIUS server designed to perform man-in-the-middle
attacks against users of wireless networks using 802.1X authentication. It modifies the server to accept all
network-attached storage devices and EAP types and logs the username and challenge/response from the
unsuspecting users that connect to the fake wireless network. Then the challenge/response can be inputted into
another Linux program, asleap, to crack the encrypted password.
WPS PIN Cracking
If you have a wireless router instead of or in addition to access points, you should be aware of a vulnerability
publicly discovered in December. It involves the Wi-Fi Protected Setup (WPS) feature found on most wireless
routers and usually activated by default when using WPA/WPA2-Personal (PSK) security. The WPS PIN, which
can be used to connect to the wireless router, can be easily cracked within hours.
Page 3 of 4
Here's one tool you can use to test your wireless routers against the WPS PIN weakness:
Reaver is Linux program that performs brute force attacks against wireless routers to reveal their WPS PIN and
WPA/WPA2 PSK within four to 10 hours. They also offer an easy-to-use hardware solution, Reaver Pro, with a
graphical web interface.
Evil Twin APs and Wi-Fi Honey Pots
One technique Wi-Fi hackers can use to get unsuspecting people to connect to them is by setting up a fake
access point, aka an evil twin access point or wireless honey pot. Once someone connects to the access point the
hacker can then, for example, capture any email or FTP connections or possibly access the user's file shares.
They could also use a captive portal or spoofed DNS caching to display a fake website mirroring a hotspot or
website login page in order to capture the user's login credentials.
Here are tools to find vulnerable wireless clients on your network:
WiFish Finder is an open source Linux program that passively captures wireless traffic and performs active
probing to help identify wireless clients vulnerable to attacks, like evil twin access points, honey pots, or manin-the-middle attacks.
It builds a list of network names that wireless clients are sending probe requests for and detects the security type
of that desired network. Thus you can identify clients probing for unencrypted networks, which would be easily
susceptible to evil twins or honey pots attacks, or those probing for a WPA/WPA2-Enterprise network that
could be susceptible to man-in-the-middle attacks.
Jasager (based on KARMA) is Linux-based firmware offering a set of Linux tools to identify vulnerable
wireless clients, like WiFish Finder, but can also perform evil twin or honey pot attacks. It can run on FON or
WiFi Pineapple routers. It can create a soft access point set with the SSIDs nearby wireless adapters are probing
for and run a DHCP, DNS, and HTTP server so clients can connect. The HTTP server can then redirect all
requests to a web site. It can also can capture and display any clear-text POP, FTP, or HTTP login performed by
the victim. Jasager features a web-based and command-line interface.
Fake AP runs on Linux and BSD and generates thousands of simulated access points by transmitting SSID
beacon frames. It could be used by attackers to confuse IT staff or intrusion-detection systems, or even used by
you to confuse the attacks of wardrivers.
Wireless Driver Vulnerabilities
Here's a tool to help find weaknesses with certain device drivers of wireless adapters that could make attacks on
your network easier:
WiFiDEnum (WiFi Driver Enumerator) is a Windows program that helps identify vulnerable wireless network
drivers that are risk to wireless driver exploit attacks. It scans the wired or wireless network for Windows
workstations, collects details about their wireless network adapter drivers, and identifies possible vulnerabilities.
General Network Attacks
Here are a few tools to demonstrate eavesdropping and attacks that we've seen on wired networks for years,
which also can work via Wi-Fi:
Nmap (as in Network Mapper) is an open source TCP/IP scanner you can use to identify hosts and clients on the
network, available on Linux, Windows, and Mac OS X with a GUI or a command-line. It reports what operating
system they're using, services they're using or offering, what type of packet filters or firewalls they're using, and
many other characteristics. This can help you find insecure hosts and ports that may be susceptible to hacking.
Page 4 of 4
Cain and Abel is a password recovery, cracker, and sniffer tool for Windows. Use it to demonstrate, for
example, the ability to sniff clear-text passwords sent over the network.
Firesheep is Firefox add-on that performs HTTP session hijacking, aka sidejacking. It monitors the network for
logins from users on sites that exchange the login cookie without using full SSL encryption. Once a cookie is
detected, it lists a shortcut to the protected website that an attacker can visit without having to login.
Pen Testing Linux Distributions
If you're serious about penetration testing, consider using a Linux distribution dedicated to it. One of the most
popular is BackTrack, which offers more than 320 preinstalled penetration testing tools you can use for playing
around with networks, web servers and more. You can install BackTrack to a hard drive or boot it from a Live
DVD or USB flash drive.
Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity that helps businesses protect
their Wi-Fi with enterprise (802.1X) security and On Spot Techs that provides on-site computer services.
Read more about wireless & mobile in Network World's Wireless & Mobile section.
All contents copyright 1995-2013 Network World, Inc.