Take a moment and imagine this happened to you: you are at home, minding your own business, when all of a sudden your house is raided by law enforcement officers accusing you of committing some sort of heinous cyber-crime! The next thing you know, all of your electronics are confiscated as part of their investigation, until they determine that someone else had hijacked YOUR WiFi and committed the crimes on YOUR internet connection!
You might think this is something that would only happen on a TV show, but a couple in New Jersey would say otherwise.
On September 1st, 2016, at 5:30 in the morning no less, police officers pulled this couple out of bed in search of a criminal who was downloading and distributing child pornography (does it get any worse?).
After sweeping the couple’s computers and finding nothing, investigators realized that their WiFi was not password protected and that a neighbor had been using a modified wireless router to connect to their network and use their connection for his criminal activities.
It’s easy to say that this happened to the couple because their WiFi had no password and was therefore easily compromised. This is true… BUT if your password isn’t strong and a criminal doesn’t have any other easy targets, it’s really not that hard to crack a weak WiFi password and gain access to a network.
To demonstrate just how simple this is, I set up a test WiFi router, a Cisco-Linksys WRT54G2 to be exact, with a phone number as the WPA2 password. Phone numbers are one of the most commonly used passwords for personal WiFi networks.
Using some free tools that are available to anyone on the internet, I can capture the encrypted “handshake” from this router. This handshake, a short exchange of packets between the router and a host attempting to connect, is what contains the encrypted or hashed password material used for authentication. The first tool, Airodump-ng, lets me scan for the WiFi networks in range, including networks that do not show or “broadcast” their SSID (the name of the network). I’ve highlighted the linksys network that I created for this demonstration and will be attacking.
I then used Aireplay-ng to de-authenticate any devices currently connected to the WiFi, forcing them to re-authenticate, and Airodump-ng to capture the handshake.
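The de-authentication step above is the noisiest part of the whole process, and it is the part a home or small-office defender can actually see. As an added example that is not part of the original post, the following Python sketch shows the detection logic: 802.11 deauthentication frames arrive occasionally during normal roaming, but a burst of them, addressed to the broadcast address and carrying the access point's own address as the sender, is the signature of a forced re-authentication. The frame records, addresses and timing below are constructed for the example (a real wireless IDS such as Kismet would feed frames from a monitor-mode capture instead).

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample: a home AP (placeholder BSSID 00:11:22:33:44:55) with one
# client (placeholder MAC 66:77:88:99:aa:bb). Neither address is real.
AP_BSSID = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float      # capture time in seconds
    subtype: str   # 802.11 management subtype name, e.g. "beacon", "deauth"
    src: str       # transmitter address
    dst: str       # receiver address


def build_sample_capture():
    """Constructed frame log: normal beacons every 100 ms, one legitimate
    deauth when the client leaves at t=5 s, then a burst of 60 broadcast
    deauths carrying the AP's address starting at t=20 s (the pattern a
    forced re-authentication produces)."""
    frames = [Frame(i * 0.1, "beacon", AP_BSSID, BROADCAST) for i in range(300)]
    frames.append(Frame(5.0, "deauth", CLIENT, AP_BSSID))
    frames += [Frame(20.0 + i * 0.05, "deauth", AP_BSSID, BROADCAST) for i in range(60)]
    return frames


def detect_deauth_bursts(frames, window_s=2.0, threshold=10):
    """Sliding-window rate check: alert once per source address whose deauth
    count inside any window_s-second window reaches threshold.
    Returns a list of (src, window_start_ts, count_at_alert)."""
    alerts = []
    recent = {}        # src -> deque of deauth timestamps still inside the window
    already = set()    # sources already reported, to avoid repeating the alert
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = recent.setdefault(f.src, deque())
        q.append(f.ts)
        while f.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and f.src not in already:
            already.add(f.src)
            alerts.append((f.src, q[0], len(q)))
    return alerts


def broadcast_deauth_count(frames):
    """Deauths addressed to ff:ff:ff:ff:ff:ff disconnect every client at once;
    an AP almost never sends them in normal operation, so the count alone is
    a useful secondary signal."""
    return sum(1 for f in frames if f.subtype == "deauth" and f.dst == BROADCAST)


if __name__ == "__main__":
    capture = build_sample_capture()
    for src, start, count in detect_deauth_bursts(capture):
        print(f"deauth burst from {src}: {count} frames within 2 s starting at t={start:.2f} s")
    print("broadcast deauths:", broadcast_deauth_count(capture))
```

The single client departure at t=5 s never trips the threshold, while the flood does after its tenth frame; the window size and threshold are the knobs to tune against the normal roaming rate of your own network. Because the flood reuses the access point's address, the detector keys on the sender address rather than trying to tell the real AP from the spoofed one; 802.11w (protected management frames) is the control that actually stops the forced disconnect on equipment that supports it.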
Once this handshake has been captured, a number of different tools can be used to crack the encrypted password. This can be done offline, away from the network that is being attacked. The simplest way to crack it, which generally only works for weak passwords, is a brute-force dictionary attack: the captured hash is run against a “dictionary” of candidate passwords (also available for free on the internet, or easily created) until a match is found. I used a tool called Pyrit to run the handshake capture file against a phone-number dictionary that I created myself using a tool called Crunch. As you can see below, Pyrit successfully cracked the handshake and obtained the password to the WiFi network.
The total time it took me to complete this whole process from beginning to end was less than 45 minutes. About 38 of those minutes were taken up by Pyrit running the handshake against the password dictionary.
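Why does a phone number fall in minutes while a long random passphrase does not? The answer is the size of the dictionary the attacker has to run, and that is something you can estimate before you pick a passphrase. The following Python is an added example, not part of the original post: it counts how many candidates a phone-number dictionary contains (about 8 million once the area code is assumed, using the North American numbering plan's rule that area code and exchange both start with 2-9), compares that with other password shapes, and converts the count into hours at assumed guess rates. WPA2 derives its key with PBKDF2-SHA1 at 4096 iterations, which is why throughput per candidate is low; the two rates in ASSUMED_RATES are illustrative placeholders, not measurements, and the post's own dictionary size is unknown.

```python
import math
import re

# Illustrative throughput for WPA2 PBKDF2 candidates; assumed, not measured.
ASSUMED_RATES = {
    "single CPU (assumed)": 1_000,
    "consumer GPU (assumed)": 100_000,
}


def phone_keyspace(area_code_known=False):
    """Approximate count of valid North American 10-digit numbers.
    NANP: area code NXX and exchange NXX each start with 2-9 (8 choices),
    the 4-digit line number is unrestricted. Assumption: no other exclusions."""
    nxx = 8 * 10 * 10
    line = 10_000
    return nxx * line if area_code_known else nxx * nxx * line


def random_keyspace(alphabet_size, length):
    """Candidates for a uniformly random string over the given alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst case for the attacker: every candidate is tried."""
    return keyspace / guesses_per_second


def looks_like_phone_number(passphrase):
    """True if the passphrase is only digits of a phone-number length once
    common separators (spaces, parentheses, dots, plus, hyphens) are dropped."""
    stripped = re.sub(r"[\s().+-]", "", passphrase)
    return stripped.isdigit() and len(stripped) in (7, 10, 11)


def assess(passphrase):
    """Return (label, keyspace) for the smallest dictionary that would
    plausibly contain this passphrase."""
    if looks_like_phone_number(passphrase):
        return ("phone number, area code guessed", phone_keyspace(area_code_known=True))
    if passphrase.isdigit():
        return (f"{len(passphrase)} digits", random_keyspace(10, len(passphrase)))
    if passphrase.isalpha() and passphrase.islower():
        return (f"{len(passphrase)} lowercase letters", random_keyspace(26, len(passphrase)))
    return (f"{len(passphrase)} mixed printable characters", random_keyspace(95, len(passphrase)))


def report(passphrase):
    label, ks = assess(passphrase)
    lines = [f"{passphrase!r}: {label}, ~{entropy_bits(ks):.1f} bits"]
    for name, rate in ASSUMED_RATES.items():
        hours = seconds_to_exhaust(ks, rate) / 3600
        lines.append(f"  exhaustive search at {rate:,}/s ({name}): {hours:,.1f} h")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample passphrases, from weakest shape to strongest.
    for p in ["555-123-4567", "sunshine", "M3Vq!x7pLw#2"]:
        print(report(p))
```

The phone-number case works out to roughly two hours at the assumed single-CPU rate even if every candidate has to be tried, which is the order of magnitude behind a run like the one described above; a 12-character random string over the printable ASCII set is some 14 orders of magnitude larger, which is the practical meaning of "strong password" for WPA2. The classifier is deliberately simple (it only recognises the shapes discussed on this page); the point is to see the keyspace, not to grade passwords in general.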
The amount of time it takes can vary depending on a number of variables, but since this type of attack is performed offline, a computer can be left running until it either cracks the file or runs through the entire dictionary unsuccessfully. If unsuccessful, there are still other options to crack the file, but they require much more computing resources and time, which usually sends an attacker on to the next target. This is why a strong password is VERY important, and it is also why I highly recommend enabling MAC filtering or even using a tool to help monitor which, and how many, devices are connected to your network.
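For the monitoring suggestion above, the simplest data source on most home routers is the DHCP lease table, which lists every device that has asked for an address. As an added example that is not part of the original post, the following Python reads a lease file in dnsmasq's `dhcp.leases` format (expiry epoch, MAC, IP, hostname, client-id per line; used by OpenWrt and many consumer routers), normalises the hardware addresses so that `AA-BB-...` and `aa:bb:...` compare equal, and reports anything not on a small allowlist. The lease lines and the MAC addresses in the allowlist are constructed placeholders.

```python
import re

# Constructed allowlist of devices the owner recognises (placeholder MACs).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "laptop",
    "aa:bb:cc:00:00:02": "phone",
}

# Constructed sample in dnsmasq dhcp.leases format:
#   <expiry-epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1473700000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1473700200 AA-BB-CC-00-00-02 192.168.1.11 phone *
1473700500 de:ad:be:ef:00:42 192.168.1.37 * *
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form so differently written addresses
    compare equal; rejects anything that is not a 48-bit address."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def parse_leases(text):
    """Parse lease lines into dicts; blank or short lines are skipped."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        devices.append({
            "expires": int(parts[0]),
            "mac": normalize_mac(parts[1]),
            "ip": parts[2],
            "hostname": parts[3],
        })
    return devices


def find_unknown(devices, known):
    """Devices whose hardware address is not in the allowlist."""
    return [d for d in devices if d["mac"] not in known]


def summarize(devices, known):
    unknown = find_unknown(devices, known)
    lines = [f"{len(devices)} active lease(s), {len(unknown)} not on the allowlist"]
    for d in unknown:
        lines.append(f"  UNKNOWN {d['mac']} {d['ip']} hostname={d['hostname']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real router the text would come from /tmp/dhcp.leases (path varies).
    print(summarize(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES))
```

Run against the sample, the third lease is flagged as unknown while the second matches despite its hyphenated, upper-case spelling. Two caveats apply to the allowlist idea in general: a device can set any hardware address it likes, so an unknown entry is a prompt to investigate rather than proof of intrusion, and a device that configures a static address without DHCP will not appear here at all (the router's ARP table or wireless client list covers that case). The long random passphrase remains the control that actually keeps an outsider off the network; this check is for noticing when that control has failed.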
Do, T. (2016). Police: Man Uses Neighbor’s Unsecured Wi-Fi Connection To Download, Distribute Child Pornography. CBS Philly. Retrieved 13 September 2016 from http://philadelphia.cbslocal.com/2016/09/12/unsecured-wifi-child-pornography/