Pluralsight blog
November 15, 2012

Ethical Hacking: Targeting Wireless Networks


Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, social engineering, intrusion detection, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.


I am going to explain why wireless is such a good target for us. I have touched on a few of these points already, but I want to go a little deeper. Then I will explain why administrators don’t protect it very well, beyond a simple lack of knowledge and understanding. Wireless is a good target for us not just because it is widely deployed and its signal carries a long way, but because that signal travels beyond the building: we can sniff, attack and deny service from across the street, across the city, or from anywhere we can receive and transmit a signal.

There are lots of opportunities for us to carry out these kinds of attacks: sniffing, penetration testing and denial of service. Any of them can be done from a fairly decent distance, so we are much less likely to get caught. We don’t like going to jail, and this is certainly one way to avoid it.

They Retain Default Passwords

It may seem a little silly for me to say this, but in my experience there are a lot of administrators out there who deploy wireless with the default settings. That sounds crazy until you’ve seen it a few million times, and then you realize that the default password for an access point is usually the password still in place. The default SSID, channel and encryption settings are usually still in place after deployment too, mostly because the administrators don’t give them a lot of thought.

They Do Not Do Wireless Site Surveys

Very few administrators do wireless site surveys, although they should. Very few administrators focus the beams and use directional antennas that keep the signal inside the building. They should, but they don’t, which means the signal leaks out to us as attackers, and we potentially have the ability to use those default settings (look up the default password, identify the MAC, identify all the information and actually attack the network) in a very simple, straightforward and quick way.

That lets us bring our strength against their weakness. Our strength is our knowledge of wireless and our understanding of the flaws in how it is administered; their weakness is the administrators’ lack of understanding and lack of a thorough security approach to wireless.

Some attacks require a large volume of traffic to cross the wireless network before we can mount them properly. For those, we have to sniff gigabytes and gigabytes of data in order to gather enough information to attempt a crack, such as a brute force, against the wireless network. The more legitimate data crosses the wireless network, the more data we can capture, examine and use in our brute force attack.

So it actually works in reverse: the administrators put more and more traffic on the wireless network, thinking it is secure and convenient. For an attacker that is a benefit and a bonus. Bad administration or bad planning simply makes our attacks that much easier.

They Do Not Know Wireless Security

So, why don’t administrators protect wireless networking very well? Well, most of them don’t really know about wireless security at all. They don’t have a lot of training or skill in it, and they don’t go to four-week classes on wireless networking in general, let alone wireless security. They may have had one or two hours of training on it from a vendor. That’s really most of it. In fact, many administrators don’t even have that much. That’s great for an ethical hacker, because that ignorance allows us to mount an attack based on their knowledge gaps.

Wireless security is also a pain to implement, certainly in a way that keeps users happy and makes things easy. For example, if users have to enroll for certificates, or have to connect to the network and run scripts or do some kind of policy work to get their devices onto the wireless network, that sets a fairly high bar for which clients can and cannot connect to wireless, which almost defeats the purpose of having wireless.

They Are Not Tech Savvy

Second of all, many users don’t have the technical wherewithal to do that kind of work, so they won’t. The administrator is left in a tough spot. Do I bounce the users who can’t connect, with the political ramifications and the complaints about usability and lost capability that would bring?

Or does the administrator come down on the side of usability and either weaken or remove the security on the wireless network?

Interestingly enough, if you’re taking this course, you probably think they come down on the side of higher security, and that if users don’t know how to deal with it, they should get off the network or ask for help.

It’s almost always the opposite. Typically speaking, administrators will weaken or eliminate wireless network security when necessary. I worked with a client not very long ago who literally stopped in the middle of a wireless security configuration project and backed everything out to open wireless networking because they didn’t know how to make the clients work properly.

Rather than shutting off the wireless or configuring the clients, they simply made the wireless network open. Everyone can associate. Everyone can transmit and receive all data. That could be a problem, but not for us, because we’re ethical hackers. Frankly, we like that.

Standards For Wireless Network Security

Finally, a lot of standards go into wireless network security. WiFi security is actually quite a complex little thing. The number of standards, their complexity and the way they interact mean that even an administrator who has training and focuses on this area has a challenging time understanding it well enough to properly analyze it, deploy it and then operate it.

Usually the “operate” part is the difficult one. Many administrators can figure out how to plan it and how to deploy it, but when things break, one of the first things to go is security. If something doesn’t work, if users can’t access something in a wireless scenario, many times the first thing that goes is security. Turn that off. Let’s see if it works now. Oh, your television can’t connect? Or your new monitor can’t connect? Or your printer can’t connect? Well, shut off wireless security.

Maybe the intention is only to shut it off for a little while, for troubleshooting. But if it doesn’t go back on, that’s a major problem. And if it goes off, even for testing or troubleshooting, while the ethical hacker is running their tests and probing, well, there we go. We’re into the network, and we’re probably never going to be out of it again.
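The two failure modes above, default settings left in place and security switched off during troubleshooting and never restored, are both things a defender can check for on a schedule. The following audit is an added example, not code from the course or from Pluralsight; the baseline, the default-SSID list and the survey snapshot are constructed in-line, and a real deployment would feed it controller exports or site-survey results instead.

```python
# Audit access-point snapshots for factory defaults and security drift.
# Constructed data throughout; adapt the fields to your controller's export.

# Constructed baseline: the security each SSID is supposed to run.
BASELINE = {
    "corp-wifi": {"security": "WPA2-Enterprise"},
    "corp-guest": {"security": "WPA2-PSK"},
}

# Constructed list of vendor default SSIDs (assumption: populate from the
# documentation of the access points you actually deploy).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

# Constructed snapshot, shaped like a scheduled survey or controller export.
SNAPSHOT = [
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:01",
     "security": "WPA2-Enterprise", "admin_password_changed": True},
    # Security was turned off "for troubleshooting" and never re-enabled.
    {"ssid": "corp-guest", "bssid": "00:11:22:33:44:02",
     "security": "OPEN", "admin_password_changed": True},
    # Deployed straight out of the box.
    {"ssid": "linksys", "bssid": "00:11:22:33:44:03",
     "security": "WEP", "admin_password_changed": False},
]


def audit(snapshot, baseline, default_ssids):
    """Return (bssid, finding) tuples for every weakness detected."""
    findings = []
    for ap in snapshot:
        ssid = ap["ssid"]
        bssid = ap["bssid"]
        is_default_ssid = ssid.lower() in default_ssids
        if is_default_ssid:
            findings.append((bssid, "default SSID still in place"))
        if not ap.get("admin_password_changed", False):
            findings.append((bssid, "admin password never changed from factory default"))
        if ap["security"] in ("OPEN", "WEP"):
            findings.append((bssid, f"weak or no encryption: {ap['security']}"))
        expected = baseline.get(ssid)
        if expected and ap["security"] != expected["security"]:
            findings.append((bssid, f"security drifted from baseline: expected "
                                    f"{expected['security']}, found {ap['security']}"))
        elif expected is None and not is_default_ssid:
            findings.append((bssid, "SSID not in baseline (undocumented AP)"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SNAPSHOT, BASELINE, DEFAULT_SSIDS):
        print(f"{bssid}: {finding}")
```

Run it from a scheduled job and alert on any finding; the drift check is what catches security that was disabled for troubleshooting and forgotten.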

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.
