Chapter 4. Wireless Cracking

Information transmitted via wireless networks travels through the air. Anyone within radio frequency range of the transmitting AP is able to capture the wireless packets and potentially see sensitive data in transit. The options available to an administrator to obfuscate and encrypt network transmissions, and the implementation complexity of those options, vary based on the type of wireless network chosen. Primarily, you will encounter Open, WEP, WPA, and WPA2 networks during your penetration tests, and we will discuss each of these in turn.

Open wireless networks do not require any authentication, nor do they provide encryption for the transmitted data, so the data passing through these networks can be easily captured and valuable information can be extracted. When accessing open networks, any device sending data should use either transport or application layer encryption to protect the transmission. Thankfully, open networks are not the only way to create a wireless network.

Although several protection mechanisms have been put in place to protect wireless traffic, they are not bulletproof. Attacking these wireless security protocols is a key element of most wireless security assessments.

The following topics will be discussed in this chapter:

  • Overview of different wireless security protocols
  • Attacking WPA and WPA2 pre-shared keys
  • Attacking WPA Enterprise
  • Accelerating key cracking with rainbow tables

Overview of different wireless security protocols

Wireless security protocols have developed over time to move the protection and encryption of wireless transmissions into the network and remove the bulk of this responsibility from users. Wired Equivalent Privacy (WEP) was initially introduced by the IEEE to create a baseline security standard for wireless networks. In the years following its release, it was often a target of hackers, who reduced the time required to compromise WEP-encrypted networks to mere seconds. WEP has been considered obsolete for many years now, and it is rare to run into it during a security assessment. In response to the failure of WEP, Wi-Fi Protected Access (WPA) was created. WPA is an implementation of the IEEE 802.11i standard; Temporal Key Integrity Protocol (TKIP) was introduced in WPA to overcome the weaknesses of WEP. Wi-Fi Protected Access II (WPA2) is a full implementation of the IEEE 802.11i standard and is considered stronger than both WPA and WEP.
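As an added example (not code from the book), the following Python classifies a captured beacon frame body as Open, WEP, WPA or WPA2 the way a wireless audit tool does: from the Privacy bit in the capability field and from the RSN (tag 48) and vendor-specific WPA (tag 221) information elements. The beacon bodies at the bottom are constructed inline for testing; the SSID `lab-ap` is a placeholder.

```python
import struct

PRIVACY = 0x0010                      # capability bit: AP requires encryption (WEP or better)
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}         # authentication and key management suite types
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def iter_ies(tagged):
    """Yield (tag, data) pairs from the tagged-parameter section of a beacon body."""
    i = 0
    while i + 2 <= len(tagged):
        tag, n = tagged[i], tagged[i + 1]
        yield tag, tagged[i + 2:i + 2 + n]
        i += 2 + n

def suites(data, oui):
    """Decode cipher/AKM lists from an RSN IE or the payload of a WPA vendor IE.
    Layout: version(2) group(4) n(2) n*pairwise(4) m(2) m*akm(4); suite = OUI + type."""
    def suite_type(off):
        return data[off + 3] if data[off:off + 3] == oui else None
    n = struct.unpack_from("<H", data, 6)[0]
    pairwise = [CIPHER.get(suite_type(8 + 4 * k), "?") for k in range(n)]
    off = 8 + 4 * n
    m = struct.unpack_from("<H", data, off)[0]
    akms = [AKM.get(suite_type(off + 2 + 4 * k), "?") for k in range(m)]
    return pairwise, akms

def classify(body):
    """Label a beacon body (timestamp, interval, capability, IEs) by its security type."""
    cap = struct.unpack_from("<H", body, 10)[0]   # after timestamp(8) + interval(2)
    found = {}
    for tag, data in iter_ies(body[12:]):
        if tag == 48:                                        # RSN IE -> WPA2
            found["WPA2"] = suites(data, RSN_OUI)
        elif tag == 221 and data[:4] == WPA_OUI + b"\x01":   # vendor WPA IE -> WPA
            found["WPA"] = suites(data[4:], WPA_OUI)
    if not found:
        return "WEP" if cap & PRIVACY else "Open"
    name = "WPA2" if "WPA2" in found else "WPA"              # report the stronger one offered
    pairwise, akms = found[name]
    mode = "Enterprise" if "802.1X" in akms else "PSK"
    return f"{name}-{mode} ({'/'.join(pairwise)})"

def beacon(cap, *ies):
    """Build a constructed beacon body for testing: zero timestamp, 100 TU interval."""
    return struct.pack("<QHH", 0, 100, cap) + b"".join(bytes([t, len(d)]) + d for t, d in ies)

# Constructed sample IEs: WPA2-PSK with CCMP, and WPA-PSK with TKIP.
SSID = (0, b"lab-ap")
RSN_PSK = (48, b"\x01\x00" + RSN_OUI + b"\x04\x01\x00" + RSN_OUI + b"\x04\x01\x00" + RSN_OUI + b"\x02")
WPA_PSK = (221, WPA_OUI + b"\x01\x01\x00" + WPA_OUI + b"\x02\x01\x00" + WPA_OUI + b"\x02\x01\x00" + WPA_OUI + b"\x02")
```

Running `classify(beacon(0x0011, SSID, RSN_PSK))` returns `WPA2-PSK (CCMP)`, while a beacon with the Privacy bit set and no RSN/WPA IE is reported as `WEP`.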

In this chapter, we will discuss how to crack the encryption key used in WPA and WPA2 networks and how to attack networks that leverage 802.1x, extended authentication, for security.
