How to Hack Wi-Fi: Getting Started with Terms & Technologies

Getting Started with Terms & Technologies

How to Hack Wi-Fi: Getting Started with Terms & Technologies

Welcome back, my hacker trainees!

A score of my readers have been begging for tutorials on how to hack Wi-Fi, so with this article, I'm initiating a new series dedicated to Wi-Fi hacks. This will probably be around 6-9 articles, starting with the basics of the technologies.

Image via Shutterstock

I can hear you all groan, but you need to know the basics before you get into more advanced hacking. Then hopefully, developing your own hacks.

Afterward, the following guides will cover wardriving, DOS attacks, password hacking (WEP, WPA, WPA2, WPS, and WPA-enterprise), rogue APs, evil twins, Wi-Fi MitM, and Wi-Fi snooping. Lastly, we'll examine how to hack Bluetooth (yes, I know, technically it's not Wi-Fi, but I think you'll find it interesting).

So, come along for this frequent and amplified ride of Wi-Fi hacking!

Step 1: Terminology

To really understand how to hack Wi-Fi, we need to dispense with basic terms and technology. First, let's address some terminology.

To begin, the access point that sends out the radio frequency (RF) signal is known as the AP. These APs are capable of sending out signals (between 2.4 and 5 Ghz) that comply with a number of different standards. These standards are known as 802.11a, 802.11b, 802.11g, and 802.11n. In the very near future, we'll see a new standard that's tentatively named 802.11ac.

The table below summarizes the key features of these Wi-Fi standards.

These standards are generally backwardly compatible, so that a wireless n adapter will also be able to pick up g and b signals. We will focus upon the most widely used of these standards— b, g, and n.

Step 2: Security Technology

From the perspective of the hacker, wireless security technologies are among the most pertinent features. Multiple security technologies have been deployed in Wi-Fi to make an inherently insecure technology secure. Our attack approach will depend upon which of these security technologies is being deployed.

So, let's take a quick look at them here.

WEP

WEP, or wired equivalent privacy, was the first wireless security scheme employed. As it name implies, it was designed to provide security to the end-user that was essentially equivalent to the privacy that was enjoyed in a wired environment. Unfortunately, it failed miserably.

For a number of reasons, WEP is extraordinarily easy to crack because of a flawed implementation of the RC4 encryption algorithm. It's not unusual to be able to crack WEP in less than 5 minutes. This is because WEP used a very small (24-bit) initialization vector (IV) that could be captured in the datastream, and this IV could then be used to discover the password using statistical techniques.

Despite this, I still find it being used in household and small business implementations, but seldom in an enterprise environment.

WPA

WPA was the response by the industry to the revealed weaknesses of WEP. It's often referred to as WPA1 to distinguish it from WPA2.

WPA used Temporal Key Integrity Protocol (TKIP) to improve the security of WEP without requiring new hardware. It still uses WEP for encryption, but it makes the statistical attacks used to crack WEP much more difficult and time-consuming.

WPA2-PSK

WPA2-PSK is the implementation of WPA2 for the home or small business user. As the name implies, it's the WPA2 implementation that uses a pre-shared key (PSK). It's this security standard that is used by most households today, and although it's far more secure, it's still vulnerable to various attacks.

A feature that was added in 2007 called Wi-Fi Protected Setup, or WPS, allows us to bypass the security in WP2-PSK . We'll look at a few attacks on WPA2-PSK in coming weeks.

WPA2-AES

WPA2-AES is the enterprise implementation of WPA2. It uses the Advanced Encryption Standard or AES to encrypt data and is the most secure. It's often coupled with a RADIUS server that is dedicated for authentication.

Although cracking it is possible, it significantly more difficult.

Step 3: Channels

Like our radio, wireless has multiple channels so that various communication streams don't interfere with each other. The 802.11 standard allows for channels ranging from 1 thru 14.

In the U.S., the FCC regulates wireless communication and devices for use in the states are only enabled to use channels 1 thru 11. Europe uses channels 1 thru 13 and Japan 1 thru 14. Other nations may also use the full range.

For the hacker, this can be useful information as a rogue AP using channel 12 thru 14 would be invisible to U.S.-made wireless devices and security professionals scanning for rogue access points.

Each channel has a width of 22 Mhz around its central frequency. To avoid interference, an AP can use any of these channels, but to avoid any overlap, channels 1, 6, and 11 are most often utilized in the U.S. The other channels can be used, but because you need five channels between the working channels to not overlap signals, with three or more channels, only 1, 6, and 11 will work.

Step 4: Datagrams and Frames

An understanding of the structure of wireless datagrams is critical for successful wireless hacking, but is beyond the scope of this introduction. I will introduce some of this information when necessary in future tutorials, but you may want to take some time to study wireless frames and datagrams from other sources.

Step 5: Signal Strength

In the U.S., the FCC regulates among other things, the strength of the wireless access point's signal. The FCC says that the access point's signal cannot exceed 27 dBm (500 milliwatts). Most access points have this limit built-in, but we can change and override this limitation, if the access point is capable of a stronger signal. This may be useful for the hacker in setting up evil twins and rogue access points where strength of signal is critical, among other techniques.

Step 6: Aircrack-Ng

For nearly all of our Wi-Fi hacking, we will be using aircrack-ng which is included in BackTrack. Even in those hacks where we use other tools such cowpatty or reaver, we will use the aircrack-ng suite of tools for some part of the hack, so we need to become familiar with it.

I'll probably do a dedicated tutorial on aircrack-ng suite in the very near future.

Step 7: WiFi Adapters

One of the crucial needs to becoming an effective Wi-Fi hacker is the Wi-Fi adapter. Generally, the Wi-Fi adapter on your laptop or desktop is insufficient for our purposes. The key capability we need is the ability to inject packets into the access point and most run-of-the-mill wireless adapters are incapable of packet injection. Aircrack-ng has a list of Wi-Fi adapters that can work with their suite of tools.

That having been said, I highly recommend Alfa AWUS036NH USB wireless adapter. This is what I use. It's available from several locations for between $30 to $50.

It does everything I need, is fast, has an external antenna, is recognized by BackTrack, and automatically loads its drivers. In addition, it come in 1000mw and 2000mw versions. That can be critical in rogue access point hacks, despite the fact that the FCC limits signal strength the 500mw.

Step 8: Attennas

Antennas come in two basic types, omni-directional and directional. Most APs and wireless adapters come with omni-directional antennas, meaning that they send and receive in all directions.

The Alfa card that I recommend comes with an external antenna that is omni-directional, but has a gain of 5dBi (gain is a measure when applied to antennas, of how much the antenna can increase the signal). This means that it can increase the signal by focusing the signal similar to that of a reflector on a flashlight. In addition, it can change position to better receive particular signals as well as a cable and suction cup adapter for mounting on a wall or window.

Directional antennas can also be useful for hacking when attempting to focus your exploits to a remote access point. The literature contains references to Wi-Fi signals that have been sent and received over 100 miles or about 160km using directional antennas. For most commercial directional antennas, you can expect to be able to pick up wireless communication up to 4km or 2.4 miles.

These can be obtained from a variety of sources usually for under $100 with a gain of between 15dBi and 20dBi. A Yagi antenna is an example of a directional antenna that is often used in hacking wireless over significant distances.

That's It... For Now

So, this begins our exciting journey into Wi-Fi hacking. Very soon, you will be able to hack nearly anyone's wireless internet, so keep coming back to expand your knowledge and skills in Wi-Fi hacking.

Cover image via Shutterstock

75 Comments

Hi,
There are a newest version of the adapter the : awus036nhR
Do u know if is it compatible too ?
Thanks and i'll buy

Patrick:

I don't know if its compatible, but I assume so.

OTW

Thank you for the lesson! I will definately stay tuned for more.

Nice Article on Wireless. I have a Question not Regarding Wireless,

Example: I Exploited a Server with any Exploit and i successfully Gained Root Access. And i have Completed My Objectives on it. Will Deleting Log File on server be Enough for Covering my Foot-Steps so they can't trace back my-ip address ???

Criss:

It depends. It depends upon whether other devices such as routers and IDS are logging. Also, the fact that the log file has been deleted is an indication that someone has hacked their system and may start a forensic analysis. Best to bounce your attack off another system.

OTW

can we delete logs partially?

The Last Line Bounce your attack off another system i didn't understood it.

You can use another system as a proxy, so the attack looks like its coming from that system.

Thanks OTW. You're a great Master. I would like to talk to You But it Seems that IRC is Not Working For You

Thanks! i got a question though. if you want to gain remote access computer that is not on you're same wifi or whatever, would you need to hack into their wifi first? like if i want to gain remote access to a computer that's like a couple miles away, would i have to get a directional antenna and get in their wifi? also how would i be able to know which wifi is my target wifi in the event of long range wifi hijacking? sorry for so many questions, thanks anyways for all these tutorials and such!!!

Eightfo:

If you want to gain remote access to a machine not on your machine, there are a number of ways to do it. You could use social engineering, you could use a remote exploit or you could use wireless hacking.

To know which SSID to hack, simply do some wardriving past the victim's location and pick up the SSID.

OTW

Smart start, looking forward to the rest :-)

Hello OTW!

I got an ALFA NW adapter as advised, but after installation I get a diagnostic tool to check the ALFA adapter. The Local test passes but the Network test fails as follows:

ccx diagnostic test failed
Please advise..
Thanks

Absolute;

Are you running BT in a VM? When does the diagnostic tool come up? I've never seen it.

OTW

It is on Window.

I am running BT on a live CD, but I was hoping to check the hardware I bought and the device drivers on windows first. Once installation is finished, a diagnostic icon comes up on the lower right handside where current processes are shown.

The weird thing is I cannot see it now. When I go into the device and drivers section of windows it says the Railink Network adapter is working properly.

The first image below shows Local test and the second one a Network Test of the diagnostic tool.

Absolute:

It sounds like everything is working properly now?

Btw, checking the installation in windows will tell you little except whether the hardware is functioning. The drivers are entirely different in linux.

OTW

hi OTW:

Yes it seems ok now. Given Linux has a different directory structure and I am running a live DVD of BT atm, where do i store the linux drivers for installation while on the live DVD?

Fazal:

Go to the search window at the top and type in "How to hack wi-fi" and it will return the rest of the articles.

OTW

Thanks, It is the great start.

Is the Alfa AWUS036NH still your prefered wireless adapter?

Sir OTW, can i use this YAGI ANTENNA to my Alfa AWUS036nh?

Main Technical Specifications
Frequency:2400--2500MHz
Gain:25dBi
Polarization Type:Linear Vertical
Rated Power:30W
Input Impedance:50 Ohms nominal
Dimensions:44.4cm6.8cm1.6cm
Length:1.5M
Connector Type:RP-SMA
Weight of Antenna:230g

Is this really applicable with wireless adapters? or for wireless routers only.

Probably. Just make sure it will connect with the Alfa.

how do you connect a yagi antenna to the alfa adapter?
is it a coax cable to the alfa adapter from yagi antenna?

new user here..but have been reading alot on the topics...i was using batrack before,but i was not using it properly..going to start again and use some tips from you guys..

Kozel:

Great to have you here at Null Byte!

You might want to use Kali as BackTrack is no longer supported and I have switched over in all my tutorials to Kali.

OTW

firstly i need to get back ,backtrack on my system, the site is down were i downloaded it from the lasttime,,anyone has a link were i can download backtrack?

i was trying out a ethical hack,doing the old hacking facebook account trick..am useing 000webhost server and my site is just not loading....anyone has a guide and how to use ftp server effective on 000wehost server...something is wrong on there man.

@otw....i was reading a article,future bluetooth hacking tutorials..sounds interesting

i remember learning about cracking wep when i was about 15 but you have talked about so much that i didn't know.

i hope you write another post about making an evil twin and what you can do with it.

thank you so much.

Chris:

I have another post planned on using an evil twin to harvest credentials.

hey guys i just join and am impressed with you will be in touch

any idea how to hack a usb modem and using it for free even by using proxy

Aden:

I how no idea what you are asking here. Want to try asking it with more specifics?

OTW

Hey OTW,how would I set up my Alfa AWUS036NH,do I just simply install the drivers in my Windows OS and I'm done with it? Or is there anything else that I need to do?

Once again thank you for replying (Your tutorials are awesome by the way,so KUDOS to you.)

Depends on what you're using it for.
Linux just plug it in.
Windows follow the install directions. Which should be install drivers and plug it in.

Frank:

Some folks have been having problems with the Alfa AWUS036NH, so you might want to buy the Alfa AWUS036H. It's an older version, but works well.

I recommend using Linux for wifi hacking and it should be plug and play in Linux.

OTW

I woud buy that too,however the Alfa AWUS036H is not as strong as the Alfa AWUS036NH,should I try the Alfa AWUS036NH instead?Peace Out.

Depends on what you are using it for. If you are doing what they are teaching here. You want a reliable adapter.. "As strong" as in picking up more RFI? Deuces

I meant strong as in being able to pick up more AP and receive signals better and from a further range.And as you and OTW said it's Plug and Play so I don't think I have much to worry about right?And if there's no technical issues,I'll rather buy the Alfa AWUS036NH as I like the better range it provides.Thanks For Answering.Peace Out.

Cyberhitchhiker:

Will be buying the Alfa AWUS036NH either sooner or later,I'll update back here later when I buy it and tell you guys how it worked out.Awesome Community here,Thanks Cyber and OTW.Peace Out.

I using it for Kali Linux,so for Kali Linux (and linux in general) it's just plug and play?

I will be getting Alfa AWUS036NHR.......good choice?

Those Alfa cards are inexpensive and effective.

Now that we're using Kali Linux, what parts of this article are still relevant? I'm also a little confused about the whole Wifi adapter discussion that's going on. I don't want to buy anything that won't be useful, so what Wifi adapter should I buy if, at least right now, I only want to do the things that will be taught in these tutorials?

Priya:

Welcome to Null Byte!

Everything in this article is relevant. You will need a wifi adapter that is aircrack-ng compatible. You can see the compatibility list at www.aircrack-ng.org. Most people find the Alfa cards to be inexpensive and effective.

OTW

Is Aircrack-ng included in Kali, too? And are do all the articles that were created before the switch to Kali still apply?

Also, is a chipset and wifi adapter the same thing? Is the consensus that Alfa AWUS036H is the best adapter? Will this adapter also help with my awful wifi that tends to stop working every hour?

Thanks, and I look forward to being part of this community ;)

Aircrack-ng is included in Kali. The articles still apply.

Although the AWUS036H is not the best adapter, it is inexpensive and effective.

i dont know if you are already planning on it but i would like to read what you know about bluesnarfing with kali. i can't find very much info on it.

I'll do some tutorials on blusnarfing when I start on mobile hacking.

i bought a yagi antenna 25dbi. i have been researching how to set it up but i wanted to ask a pro as well. i have it pointing in the direction of most of the houses in my neighborhood but it is also facing the wall of my house. would that kill the connection much or should i be ok with picking up AP?

thanks in advance.

Chris:

Ideally, you want as few obstructions as possible between the antenna and AP.

do you know a lot about the wifi pineapple mark 5?

i am watching videos about it and wonder if it could be useful, or if just having the alfa adapter and antenna with kali is good enough?

Hi OTW:

First, thanks for your articles!

I would like to ask you if price was not an issue, which adapter you would prefer. I am in need of upgrading my Alfa AWUS036H and specially interested in evil twin attacks. The NH would be enough or you know of a better adapter?

T RuleZ;

Welcome to Null Byte!

Although there are other cards that will work with aircrack-ng, the Alfa cards appear to be the most stable. There have been driver issues with the AWUS036NH, but if you are skilled with downloading and installing drivers you will be rewarded with an evil twin that can produce 2000mw signal, 4x the legal limit.

OTW

Thanks! I am quite resourceful with drivers, so I shouldn't have any problems...

After several hours of research, do you know how it compares to the AWUS036NHA? I've read some very good things about it.

Greetz, What exactly is the question you have about the 3 adapters in question?

Basically which one is best: the NH or the NHA? I actually own a H right know.

hi OTW ,
Thanks for giving me hope that i can heck wifi with out money:)lol
my q is ,i have huawei modem E5220 orange,can i use this as wireless adopter?please reply

Is this discussion still live? I am unsure as to which Wifi adaptor to buy, the AWUS036H or the AWUS036NH. I have no idea about installing drivers in Linux etc but don't want to buy an adaptor that will reduce my future hacking capabilities (evil twins).

Just how hard is it to install drivers and why are the required drivers not already installed with the upgraded NH?

Get the AWUS036H. It is plug and play on Kali.

Thanks for that OTW. I have just ordered the AWUSO36H from EBay. I now need a good antenna as I live in a remote area. I have looked on EBay at the Yagi range (as mentioned on this site). However, there seem to be quite a few models to chose from. Some starting at a low £6 ($10) and one or two at just over £60 ($100).

I am happy to spend big bucks to get the right equipment. I'm just not sure what represents a good antenna. Found this one on EBay. What do you think?

Frequency:
2400-2500 MHz
RF Sensitivity:
-10dBW
HP Beam Width:
Approx. 56 deg.
Impedance:
50 Ohm
VSWR
<1.5:1 avg.
Standard:
IEEE-802.11b/g and IEEE-802.11n
Bus Type:
USB2.0 Type A
Modulation:
OFDM with BPSK, QPSK, 16QAM, 64QAM (11g), BPSK, QPSK, CCK (11b)
Radio Technology:
Direct Sequence Spread Spectrum (DSSS)
Data Rate:
300 /150 / 54 / 48 / 36 / 24 / 18 / 12 / 11 / 9 / 6 / 5.5 / 2 / 1Mbps auto fallback
Advanced PCU:
R6880hp
Security:
64/128/256-bit WEP Encryption, WPA, WPA2 (TKIP, IEEE 802.1x) and AES
Drivers:
Windows 8/7/VISTA/XP X86 64bit, Linux, MAC OS X 10.4 10.5 10.6 10.7 10.8, 10.9 Mavericks

Image via danets.com

Hi mate, I discovered your blog in the latest days and it's incredible!
However, I'm going to order the WiFi adapter : searching on Amazon.it I've found both the :

1) AWUS036NH http://www.amazon.it/802-11g-guadagno-antenna-wireless-Strongest/dp/B0035APGP6/ref=sr_1_1?ie=UTF8&qid=1432564433&sr=8-1&keywords=awus036nh

2) AWUS036NHR http://www.amazon.it/Alfa-Awus036Nhr-High-Gain-Wireless-Wireless-N/dp/B005ETA5K2/ref=sr_1_5?ie=UTF8&qid=1432564433&sr=8-5&keywords=awus036nh

3) AWUS036H http://www.amazon.it/AWUS036H-Aggiornato-802-11b-Wireless-Long-Rang/dp/B000WXSO76/ref=sr_1_3?ie=UTF8&qid=1432563577&sr=8-3&keywords=awus036nh

Prices are very similar, do you advise me always to buy the NH?

In the Italian page of it I've found a question in which some users said that its chipset ralink rt3070 works without problems on Kali, also using the LiveCD version http://www.amazon.it/Funziona-direttamente-bisogna-installare-drivers/forum/Fx2ZUUTZKZFL2EZ/Tx1AWQDUFJB1JM9/1/ref=cm_cd_dp_aar_al_a?_encoding=UTF8&asin=B0035APGP6

I have for you a last question : if it wouldn't be plug and play, could I install the properly drivers following this way http://askubuntu.com/questions/178009/how-do-i-install-drivers-for-the-alfa-awus036h-usb-wireless-adapter ?

EDIT : I've found in the page of the NHR http://www.amazon.it/scheda-migliore-Awus036NH-lhacking-sniffing/forum/Fx1AB8LHSC46HVG/Tx1N9ZGFOFHJHEF/1/ref=cm_cd_ql_tlc_al?_encoding=UTF8&asin=B005ETA5K2 that standing at 3 months ago it still hasn't the full support , instead of the NH that supports all the Linux distros with their pentesting ways : so I'll order the last one.

Does the Alfa support drivers for the current Kali? Is the current kali distro Linux 2.4-2.6?

what is dbi? Does higher dbi means longer range?

plz explain can i hack wi-fi without using wifi adapter.....
i have a reliance wi-pod,is that a wifi adapter?

Share Your Thoughts

  • Hot
  • Latest