November 15, 2012

Ethical Hacking: How Wireless Security Attacks Work


Watch these Ethical Hacking videos, and you’ll understand skills like intrusion detection, social engineering, tools of the trade, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.


The wireless security attack methodology is almost identical to wired attacks in that we start by taking a look at the big picture. I start by footprinting the network and looking around to see what’s out there. Is there a wireless network in my target at all? If there is, what are the access points? What is the identifier there? Then I’ll start sniffing the wireless traffic just like I would with wired traffic. The only difference is that I’ll typically need a special wireless network adapter that lets me capture traffic that isn’t addressed to me (the promiscuous-mode side of things).

Those adapters are a little bit different, but they’re very readily available. The same network sniffing tools, like Wireshark, work just fine on wireless networks as long as the right adapter is in place.

Analyze the Traffic

Then you analyze the traffic using the same techniques, automated or manual: running searches, applying filters and so forth, to look for vulnerabilities, sensitive data and clear-text passwords. All of these can easily come out of a network analysis on the wired side, and those same bits of data, vulnerabilities and opportunities present themselves on the wireless side as well.
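Automating the search described above, as an added example that is not part of the original post: the script below runs over a handful of constructed application-layer flows (FTP, HTTP Basic authentication, an HTTP login form) and reports which ones carry credentials in the clear, masking the secret so the report itself does not leak it. The `Flow` type, the sample payloads and the finding field names are assumptions made for the example; the Wireshark display filters listed with each finding are the ones that locate the same traffic in a real capture.

```python
"""Find credentials travelling in clear text in captured traffic.

Added example, not code from the original article. It automates the manual
search the article describes (filtering a capture for sensitive data and
clear-text passwords) over reassembled application payloads, and reports each
exposure with the secret masked so the findings can go into a report as-is.
The Flow records below are constructed for the example, not a real capture.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Wireshark display filters that locate the same traffic in a real capture.
FILTERS = {
    "FTP": 'ftp.request.command == "PASS"',
    "POP3": 'pop.request.command == "PASS"',
    "HTTP Basic": "http.authbasic",
    "HTTP form": 'http.request.method == "POST"',
}
PORT_PROTOCOL = {21: "FTP", 110: "POP3"}   # USER/PASS style command protocols


@dataclass
class Flow:                  # assumed record shape for the example
    src: str
    dst: str
    dport: int
    payload: bytes           # one direction of reassembled application data


def mask(secret):
    """Keep the length (useful evidence) but never the value."""
    return "*" * len(secret)


def check_flow(flow):
    """Return a list of findings for one flow; an empty list means nothing exposed."""
    text = flow.payload.decode("latin-1")          # 1:1 byte mapping, never raises
    where = f"{flow.src} -> {flow.dst}:{flow.dport}"
    findings = []

    def report(protocol, user, secret):
        findings.append({"protocol": protocol, "where": where, "user": user,
                         "secret": secret, "filter": FILTERS[protocol]})

    # FTP / POP3: credentials are literal USER and PASS commands.
    proto = PORT_PROTOCOL.get(flow.dport)
    if proto:
        user = re.search(r"^USER (\S+)", text, re.M)
        password = re.search(r"^PASS (\S+)", text, re.M)
        if password:
            report(proto, user.group(1) if user else "?", mask(password.group(1)))

    # HTTP Basic: base64 of "user:password", which is encoding, not encryption.
    basic = re.search(r"^Authorization: Basic (\S+)", text, re.M | re.I)
    if basic:
        try:
            decoded = base64.b64decode(basic.group(1), validate=True).decode("utf-8", "replace")
        except binascii.Error:
            report("HTTP Basic", "?", "<undecodable base64>")   # malformed header, still worth noting
        else:
            user, _, password = decoded.partition(":")
            report("HTTP Basic", user, mask(password))

    # HTTP form login: a password field in an unencrypted POST body.
    if text.startswith("POST ") and "\r\n\r\n" in text:
        body = text.split("\r\n\r\n", 1)[1]
        password = re.search(r"(?:^|&)(?:password|passwd|pwd)=([^&\s]*)", body)
        if password:
            user = re.search(r"(?:^|&)(?:username|user|login)=([^&\s]*)", body)
            report("HTTP form", user.group(1) if user else "?", mask(password.group(1)))
    return findings


def audit(flows):
    """Run every flow through check_flow and flatten the findings."""
    return [finding for flow in flows for finding in check_flow(flow)]


SAMPLE_FLOWS = [      # constructed payloads in the style of the named protocols
    Flow("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\nPASS s3cret\r\nLIST\r\n"),
    Flow("10.0.0.5", "10.0.0.1", 80,
         b"GET /admin HTTP/1.1\r\nHost: ap.example.test\r\n"
         b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    Flow("10.0.0.7", "10.0.0.30", 80,
         b"POST /login HTTP/1.1\r\nHost: portal.example.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
         b"username=bob&password=hunter2"),
    Flow("10.0.0.7", "10.0.0.40", 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Flow("10.0.0.9", "10.0.0.1", 80,
         b"GET /admin HTTP/1.1\r\nHost: ap.example.test\r\n"
         b"Authorization: Basic !!not-base64\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['protocol']:<10} {f['where']:<28} user={f['user']} "
              f"secret={f['secret']}  [{f['filter']}]")
```

The masking is deliberate: the value of the finding is that a credential crossed the air unencrypted, and the length plus the protocol is enough for the remediation conversation (move the service to TLS, SSH or SFTP, or retire the account) without copying the secret into yet another document.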

Wired Equivalent Privacy

I told you earlier that WEP, or Wired Equivalent Privacy, has been cracked, and it has been cracked for quite a while. It’s an easy compromise with easy vulnerabilities to exploit, so most commonly I’ll simply look for the newest, fastest and most efficient techniques for cracking WEP right before I do an attack.

In this screenshot all I did was type WEP crack into Google, and you’ll see that I got 4.85 million results, give or take. A lot of them are videos, and a lot are step-by-step guides with some deep information. Many are updated for the newest versions of the software or cracking tools, and many are updated with new techniques and approaches. That’s fantastic stuff.

BackTrack Linux Distribution

If you find WEP in your target environment and want to bring an attack against it, I do recommend that you take a look at the most current techniques by simply googling them. My favorite tool for this is typically the BackTrack Linux distribution; you’ll see here there are 384,000 hits, give or take, for using BackTrack specifically to crack WEP.

If WEP is what’s protecting the wireless network, I can often crack it in six or seven minutes with virtually no extra hardware, and the hardware and software are free. In fact, this is a screenshot of a recent attack I did as a proof of concept. You’ll see in the screenshot on the left that I’ve cracked the WEP key using a brute‑force attack, and it took about six and a half minutes from the beginning.

Literally, from the time I booted up BackTrack to the time I had the key and the tool reported that it decrypted correctly (100 percent) was just under seven minutes.

On the right side you can see BackTrack showing all of the BSSIDs, SSIDs and channels in use, with the cipher and authentication displayed very plainly for you. You don’t really need anything beyond commodity hardware: no expensive software or wireless survey gear.

That’s great for administrators, planners and wireless networking experts. But to attack this, you don’t really need much more than a free Linux distribution and an inexpensive network card that supports this kind of attack within BackTrack. You can crack WEP in six to seven minutes or so, depending on your signal strength and on the target access points.

Access Points

Some access points are a little more resistant to these types of attacks and some simply are not. This one in particular was not; it was a really easy crack. Rather than showing you the animation, take a look at the steps on the Web. It’s about seven or eight steps, and it’s fairly long: type, type, type, type, type and then wait. It’s not very difficult to do; it’s just following the steps exactly.

What happens once the network is compromised depends entirely on what’s going on there. Typically, I’ll get onto the wireless network, however I’m going to get on, and then continue to capture traffic and sniff.

Typically, I make it easier to get back into the wireless network by reconfiguring the access points, looking for access controllers and trying to hack those. If the access point itself doesn’t have the default password, oftentimes the access controller for the wireless network does.

Those are the things that enable me to get back in indefinitely, until I present my report and recommend very strongly that the passwords be changed and managed properly.

Associate With the Network

Once I have that point of re-entry, I’ll associate with the network and continue the attack by penetrating other systems, penetrating servers and punching holes out. Once I’m inside the wireless network, firewalls and intrusion detection systems are typically not pointed in my direction.

They’re not going to be looking for an attack from this side, so I can conduct a lot of attacks, such as denial of service and vulnerability scans, that can’t be conducted from outside the network or even from the DMZ but can be conducted from the wireless network. That’s fantastic, and if not, I’ll certainly use the wireless network to attack a system that sits in a trusted place and can then conduct the attacks on my behalf.

Finally, I’ll pray that they’re not using 802.1X and WPA2, because if they have a really solid 802.1X and WPA2 deployment, the wireless network is not going to be very vulnerable. It’s going to be a very lengthy, difficult process, and I’m probably going to be miserable at the end because it’s not going to be successful.

These technologies, when properly planned and implemented, are extremely resilient against an attack.
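The BSSID, SSID, channel, cipher and authentication summary that the BackTrack screenshot shows, and the judgement above that WEP is broken while a solid 802.1X plus WPA2 deployment is resilient, can both be produced from the beacon frames an access point broadcasts. The script below is an added example and is not code from the original post or from BackTrack: it parses constructed 802.11 beacon frames (the frame builder, the sample networks and the rating vocabulary are assumptions made for the example), reads the Privacy capability bit and the RSN element’s cipher and AKM suites, and rates each network the way an auditor would before writing the report.

```python
"""Classify constructed 802.11 beacon frames by the security they advertise.

Added example, not code from the original article. It produces the same
BSSID / SSID / channel / cipher / authentication summary the article's
BackTrack screenshot shows, working from raw beacon frames, and rates each
network against the article's point that a solid 802.1X + WPA2 deployment is
the resilient one. All frames below are constructed for the example.
"""
import struct

CAP_PRIVACY = 0x0010                  # capability-info Privacy bit: encryption in use
TAG_SSID, TAG_DS, TAG_RSN, TAG_VENDOR = 0, 3, 48, 221
RSN_OUI = b"\x00\x0f\xac"             # IEEE 802.11i suite-selector OUI
WPA_OUI = b"\x00\x50\xf2"             # Microsoft OUI used by the pre-802.11i WPA IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "MGT", 2: "PSK"}           # 1 = 802.1X/EAP, 2 = pre-shared key


def parse_tags(blob):
    """Split the tagged-parameter area into {tag: [value, ...]}; stop at a truncated element."""
    tags, i = {}, 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) < length:
            break                     # malformed element: refuse to read past the frame
        tags.setdefault(tag, []).append(value)
        i += 2 + length
    return tags


def parse_suites(ie, oui):
    """Return (pairwise ciphers, AKMs) from an RSN body or a WPA IE body after its OUI/type."""

    def read_list(pos, table):
        if pos + 2 > len(ie):
            return [], pos
        count = struct.unpack_from("<H", ie, pos)[0]
        pos += 2
        names = []
        for _ in range(count):
            if pos + 4 > len(ie):
                break                 # element shorter than its own counts claim
            suite_oui, suite = ie[pos:pos + 3], ie[pos + 3]
            names.append(table.get(suite, f"type{suite}") if suite_oui == oui else "vendor")
            pos += 4
        return names, pos

    # layout: version(2) group-suite(4) pairwise-count(2) pairwise... akm-count(2) akm...
    ciphers, pos = read_list(6, CIPHERS)
    akms, _ = read_list(pos, AKMS)
    return "/".join(ciphers) or "unknown", "/".join(akms) or "unknown"


def rate(privacy, cipher, auth):
    """Rating vocabulary (assumed) follows the article: WEP is broken, 802.1X + WPA2 is resilient."""
    if privacy == "OPN":
        return "no protection"
    if privacy == "WEP":
        return "broken"
    if privacy == "WPA2" and "CCMP" in cipher and auth == "MGT":
        return "resilient"
    if privacy == "WPA2" and "CCMP" in cipher:
        return "pre-shared key"
    return "weak"


def classify_beacon(frame):
    """Return bssid, ssid, channel, privacy, cipher, auth and rating for one beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not an 802.11 beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # address 3 of a beacon
    capability = struct.unpack_from("<H", frame, 34)[0]   # after 8-byte timestamp + interval
    tags = parse_tags(frame[36:])
    ssid = tags.get(TAG_SSID, [b""])[0].decode("utf-8", "replace") or "<hidden>"
    ds = tags.get(TAG_DS, [b""])[0]
    channel = ds[0] if ds else None
    wpa = [v[4:] for v in tags.get(TAG_VENDOR, []) if v[:4] == WPA_OUI + b"\x01"]
    if not capability & CAP_PRIVACY:
        privacy, cipher, auth = "OPN", "none", "none"
    elif TAG_RSN in tags:
        privacy, (cipher, auth) = "WPA2", parse_suites(tags[TAG_RSN][0], RSN_OUI)
    elif wpa:
        privacy, (cipher, auth) = "WPA", parse_suites(wpa[0], WPA_OUI)
    else:
        privacy, cipher, auth = "WEP", "WEP", "unknown"   # Privacy set, no RSN/WPA IE: legacy WEP
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "privacy": privacy,
            "cipher": cipher, "auth": auth, "rating": rate(privacy, cipher, auth)}


def rsn_element(pairwise, akm):
    """Construct an RSN element body with one group/pairwise cipher and one AKM suite."""
    def suite(t):
        return RSN_OUI + bytes([t])
    return (struct.pack("<H", 1) + suite(pairwise) + struct.pack("<H", 1) + suite(pairwise)
            + struct.pack("<H", 1) + suite(akm) + struct.pack("<H", 0))


def build_beacon(bssid, ssid, channel, privacy, rsn=None):
    """Construct a minimal beacon: 24-byte header, 12 bytes of fixed fields, then elements."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, CAP_PRIVACY if privacy else 0)
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_DS, 1, channel])
    if rsn is not None:
        body += bytes([TAG_RSN, len(rsn)]) + rsn
    return header + fixed + body


SAMPLE_BEACONS = [                                        # constructed, not captured
    build_beacon(b"\x00\x11\x22\x33\x44\x01", "corp-dot1x", 6, True, rsn_element(4, 1)),
    build_beacon(b"\x00\x11\x22\x33\x44\x02", "home-psk", 11, True, rsn_element(4, 2)),
    build_beacon(b"\x00\x11\x22\x33\x44\x03", "legacy-wep", 1, True),
    build_beacon(b"\x00\x11\x22\x33\x44\x04", "guest-open", 1, False),
]


def survey(frames):
    """Classify every beacon in a list of frames."""
    return [classify_beacon(f) for f in frames]


if __name__ == "__main__":
    for n in survey(SAMPLE_BEACONS):
        print(f"{n['bssid']}  ch{n['channel']:<3} {n['privacy']:<5} {n['cipher']:<7} "
              f"{n['auth']:<8} {n['ssid']:<12} {n['rating']}")
```

A network that shows Privacy set with no RSN or WPA element is the WEP case the article spends most of its time on, and the script reports it as broken regardless of key length; the distinction between `MGT` and `PSK` in the AKM suite is what separates the 802.1X deployment the article calls resilient from a shared-passphrase network whose strength rests entirely on the passphrase.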

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.
