How to Become a Wireless Security Auditor

Your country needs wireless security auditors! If you only ask yourself one question today, let it be this: Do you have the drive and initiative to become a wireless security auditor?

If you happened to say yes, then you’re on the right path so far. In my opinion, IT Security is where it’s at. Maybe I’m biased, but the career IS exciting. And specifically, being a wireless security auditor is something special in my mind. Because wireless requires you to be close to the access point, you get to travel around to all your engagements. It’s awesome, I don’t know of a single wireless security auditor who sits at a cubicle for more than a day a week. With me so far?

A Wireless Security Auditor is Super Smart

The first thing you need to do is study. Lots of studying. I’m not going to tell you to go to school or take this exam or that one. Some of these security guys are all self-taught. What I’m saying is, in this industry, what matters is what you know. And it ends there. Walk into that interview and show the room you know what you’re talking about. As we say in the industry, “Don’t be a paper cert.” However, no matter what method of learning you undertake, there is one rule of thumb to keep in mind:

The ratio of hands-on learning to theory. Keep the hands-on training at around 80%.

Don’t get me wrong, THEORY is necessary, especially to produce a great wireless security auditor and not just a keyboard jockey. But let’s be honest, in the field, what matters most are results. If security experts can memorize charts of common TCP ports and types of viruses, worms, and trojans, but they cannot perform basic penetration testing, then they have failed. That’s the cold, hard truth. Just lean more toward hands-on and you’ll be fine.

Why Should You Become a Wireless Security Auditor?

Money isn’t everything, but the average salary for a wireless security auditor ranges from $60,000 up to $120,000 per year, or more depending on experience and technical knowledge.

As you learn this stuff and take the time to actually read, follow tutorials (like the many free ones on this website), and do things hands on, you’ll start to have little “ahh ha” moments.

They will be infrequent at first but I promise you this: stick to it long enough and you will have one of these moments, and when you do, you’ll KNOW it. And they’ll come more frequently as time goes on and you continue to study. You’ll form more breakthroughs in your understanding.

You’ll deepen and broaden. And then you’ll have gotten it. You’ll be a wireless security auditor. And you know what else you’ll be? CONFIDENT! Enjoy all of the extra attention you get from this subliminal change in your behavior. But it will happen! Trust me, human nature is hardwired. Hard work pays off in the long run!

Once you do study up on this (for a long time and with great energy!) you will become armed with a keen understanding of attack methods and mannerisms. The very best wireless security auditor is the one who can analyze, attack, AND secure a wireless access point, finishing the IT Security Lifecycle full circle. You should strive to be like those guys.

You need to understand networking. Basic TCP knowledge. The best advice I can give you, that’s free, is to read up on all the different protocols from the Internet Engineering Task Force. These protocols come in the form of RFC documents.

Focus on the RFCs related to network security to get an understanding of TCP level protections. You will need to be able to read a TCP packet structure and analyze it. You will have to learn how to locate any malicious activity on any network. A wireless security auditor needs a shitload of tools to get the job done. But read up and get comfortable with IP tracing techniques and tools. Figure out where specific sources of traffic are coming from.

A wireless security auditor must offer protection against any possible attacks that might occur. Think of a wireless network like a football game. You need to develop a defense strategy from all angles. And I do mean all angles. Get creative? What if the mail guy slips into the building and jacks his laptop into the local network? Something like that happens and your entire digital security structure is bypassed.

Think especially about the security of the wireless network. You need to know how wireless security auditing is done in order to harden your own systems against the same attacks.

It will be a long process, but should you undertake the journey to becoming a wireless security auditor, you’ll reap great dividends for years to come. You’ll be able to walk into any organization and start auditing. Wireless security experts are in high demand throughout the world and studying up on this stuff will definitely help you. Choose your desired course and become a certified professional to make your future bright.

My free WiFi hacking tutorials are right here, totally free and a great place to start.

MAC Spoofing and Packet Injection

Step by step tutorial where I will walk you through every step to change (spoof) the MAC address of your wireless (WiFi) adapter using Linux BackTrack or Kali.

I originally included these steps to change your MAC address and enable packet injection in each of my other WiFi hacking tutorials. But it was redundant seeing the same thing so many times, so I’ve decided to create this separate detailed post where I show you how to spoof (fake) your MAC address.

1. Getting Kali or Back Track Linux to use your adapter in packet injection mode. This is necessary, and you cannot do any of these tutorials if your wireless adapter doesn’t use packet injection. Again, I really recommend that you check out the Alfa network cards. They’re great and they work out of the box with Kali and Back Track.

2. The last step is optional. I’ll teach you how to spoof the MAC address. Attackers regularly run MAC spoofing before an attack, so it’s helpful to know how this works and what to look out for.

Before MAC Spoofing, enabling Packet Injection

First things first, plug in your wireless network adapter. Then open a terminal window and run:

iwconfig

Now you need to locate your USB wireless adapter in the list of devices iwconfig prints back for you. Mine is named wlan2, but remember, yours may be named differently, and you will need to use the name of your USB adapter in place of mine. wlan0 is my internal WiFi card.

Now, put the adapter into packet capture mode by running:

airmon-ng start wlan2

(Don’t forget to substitute wlan2 for the name of your wireless adapter!)
The airmon command creates a virtual WiFi interface on top of the physical one. We will be doing our WiFi hack (all the sniffing, spoofing, and injecting) through the virtual interface. Make note of the “monitor mode enabled on” line in its output. In my case, Back Track named the packet-injecting interface mon0.

We are now ready to run our wireless security audits. We can choose from a huge number of wireless cracking utilities that are available to us in Kali or Back Track. We’ll run these tools while specifying the monitoring interface we just created. (In my case, mon0).

MAC Spoofing Step-by-Step

As computer and network security professionals, we should also be well aware of an attacker’s ability to spoof his MAC address. MAC addresses are vendor-specified identification numbers that all networking manufacturers put on their products. Each one is different. A MAC address is similar to a vehicle’s VIN number or a mobile phone’s IMEI number. If you know an attacker’s MAC address, you can determine which manufacturer made the wireless adapter he is using.

However, if he’s done MAC spoofing, any logs that you manage to capture will only show the fake MAC address and not the real one.
As you can see, spoofing the MAC address prevents us from identifying the attacker. Just the type of thing a blackhat WiFi hacker would want to do.

Now that our adapter is in packet-injection mode, we should change our MAC address to cover our tracks. (Security administrators and consultants, take note: the bad guys have probably changed their MAC addresses.) The macchanger tool in Back Track and Kali Linux can change your adapter’s MAC address. But if you run macchanger against the interface right now, you will receive permission errors.

This is because wlan2 and mon0 are both active. We have turned them on earlier. In order to spoof their MAC addresses, we must disable them, run the macchanger command, then enable the adapters again. It’s very easy, just run the commands below:
(Of course, be sure to change the name of mon0 and wlan2 if yours is different).

ifconfig wlan2 down

Hit Enter. Then run:

macchanger -r wlan2

When you hit Enter, your MAC address will change to a randomly generated MAC address and display it for you. You can now bring the wlan2 interface back up by running:

ifconfig wlan2 up

You can verify that the spoofed MAC address is active by running:

ifconfig wlan2

Check that the Faked MAC: field the tool printed matches the hardware address shown by the ifconfig command. See the image below.


One strange thing I noticed was that if you change the MAC address of the physical network adapter, it will not actually change the MAC address of your virtual monitoring interface you created above. This means your real MAC address will leak through the monitoring interface. We can get around this by following the same steps to change wlan2’s MAC address. We will simply do the same set of commands on our virtual interface.
(Remember to change the name of your virtual interface if it’s different!)

ifconfig mon0 down
macchanger -r mon0
ifconfig mon0 up
ifconfig mon0

Be sure to verify that the MAC spoofing has worked on the virtual interface as well. And now you are finished, and ready to proceed to some of the other wireless security tutorials. Have fun!
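The vendor-identification and spoofing points above have a defender-side counterpart. As an added example (not part of the original tutorial), the Python script below parses constructed association log lines, flags stations whose MAC has the IEEE locally-administered bit set (factory addresses leave it clear; randomizing tools such as macchanger -r typically set it), looks up the vendor prefix in a constructed placeholder OUI table, and notes when such an address appears where a factory address was seen moments earlier at the same signal level. The log format, the OUI_TABLE entries and the time/signal thresholds are all assumptions.

```python
"""Flag likely spoofed or randomized client MAC addresses in association logs.

Added example for this page; not the original tutorial's code. The log
lines, their format and the OUI table are constructed placeholders.
"""
import re
from datetime import datetime

# Constructed OUI table: first three octets -> vendor (placeholder values).
# A real check would load the IEEE OUI registry instead.
OUI_TABLE = {
    "00:11:22": "Vendor-A",
    "00:aa:bb": "Vendor-B",
}

# Constructed association records in an assumed "ts assoc bssid= station= signal=" form.
LOG_LINES = """\
2024-03-01T09:00:01Z assoc bssid=00:11:22:33:44:55 station=00:aa:bb:10:20:30 signal=-48
2024-03-01T09:00:09Z assoc bssid=00:11:22:33:44:55 station=06:1f:9a:72:c3:0d signal=-48
2024-03-01T09:00:15Z assoc bssid=00:11:22:33:44:55 station=00:11:22:8e:11:02 signal=-61
2024-03-01T09:01:02Z assoc bssid=00:11:22:33:44:55 station=ca:fe:00:12:34:56 signal=-75
""".splitlines()

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) assoc bssid=(?P<bssid>\S+) station=(?P<mac>\S+) signal=(?P<sig>-?\d+)$"
)


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC, or raise on bad input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def is_locally_administered(mac):
    """IEEE U/L bit (0x02 of the first octet): clear on burned-in addresses,
    set on locally assigned ones, which is what most randomizers produce."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """I/G bit (0x01 of the first octet): never valid as a station's own address."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui_vendor(mac):
    """Vendor for the 24-bit prefix, or None if the prefix is not in the table."""
    return OUI_TABLE.get(mac.lower()[:8])


def analyze_log(lines, window_s=30, signal_tolerance=2):
    """Return one finding per association record with a list of flags.

    Besides the bit checks, a locally-administered address that shows up on
    the same BSSID within window_s seconds of an earlier association at about
    the same signal level is marked as a possible identity change: the same
    radio, now using a different address. Both thresholds are assumptions.
    """
    findings = []
    recent = []  # (timestamp, bssid, signal) of earlier associations
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an association record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        mac = m["mac"].lower()
        sig = int(m["sig"])
        flags = []
        if is_multicast(mac):
            flags.append("multicast-bit-set")
        if is_locally_administered(mac):
            flags.append("locally-administered")
            for prev_ts, prev_bssid, prev_sig in recent:
                if (prev_bssid == m["bssid"]
                        and (ts - prev_ts).total_seconds() <= window_s
                        and abs(prev_sig - sig) <= signal_tolerance):
                    flags.append("possible-identity-change")
                    break
        elif oui_vendor(mac) is None:
            flags.append("unknown-oui")  # factory-style address with no known vendor
        findings.append({"station": mac, "vendor": oui_vendor(mac), "flags": flags})
        recent.append((ts, m["bssid"], sig))
    return findings


if __name__ == "__main__":
    for f in analyze_log(LOG_LINES):
        print(f["station"], f["vendor"], ",".join(f["flags"]) or "ok")
```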

Basic WiFi Hacking – Cracking WEP Security

The WEP WiFi hack is the oldest one around. Increasingly, it’s less and less likely to be an option in your security audits and penetration tests. This is because most people now use more robust encryption methods like WPA2 and WiFi routers come with WPA/WPA2 enabled as default.

However, some IoT (Internet of Things) devices, that is, devices that need the Internet or simply a WiFi network to work, like wireless security cameras, wireless printers, ‘smart’ thermostats, and even ‘smart’ refrigerators, still use WEP security.

Numerous security holes exist in WEP, which is why you’re less likely to encounter it on an engagement. WEP (Wired Equivalent Privacy) was the first serious attempt to secure wireless networks.

WEP sought to give users the same amount of protection and confidentiality as wired networks provided. We can easily perform WEP-based WiFi hacks on those access points still dumb enough to use it. By exploiting a flaw in the way WEP uses the RC4 stream cipher, we can recover the key from traffic we collect from the access point over time.

We’ll need to capture a ton of packets (tens of thousands). The more packets we capture from the wireless access point, the more likely we are to have enough data to perform statistical cryptanalysis and recover the key. (But don’t worry, we’re going to drastically speed up the time it takes to collect enough packets to do this.)

If you haven’t read my original post on the basics of a WiFi hack, you really should, because it gives you a general understanding of WiFi security. There are, of course, videos and hacking tutorials on more advanced wireless attacks. But stay here for right now, because as long as you’ve already read the overview, you can move forward.

The easiest WiFi hack – Cracking WEP Wireless Encryption

Let’s get started. Boot into your Back Track or Kali Linux Live CD. Make sure you are connected to the Internet, then run updates:

apt-get update

Then run:

apt-get upgrade

Connect your wireless network adapter. We need to discover the name Back Track (or Kali) has assigned to the adapter, and before we can do this WiFi hack, we need to enable packet injection on it. Both steps (iwconfig to find the adapter, then airmon-ng start to create the monitoring interface) are the same ones from the MAC Spoofing and Packet Injection tutorial above, so work through those first.

Now run:

airodump-ng mon0

Airodump will literally dump the WiFi networks it detects in the air, as seen below:

As we can see above, only one network that airodump picks up uses WEP encryption, so we will focus our WiFi hack on this particular network. Once we make note of the BSSID and the CH, (Channel) fields, we are almost ready to perform our WiFi hack. We’ll run airodump again, but instead of a broad sweep of the WiFi spectrum, we will focus only on the access point we picked out above.

Our command syntax is:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

We just need to plug in the channel, BSSID, our packet-injecting interface, and supply a file name to save the packets to. To see the file (because you will need it soon) browse your Home directory and it should be there.

Hit Enter and let the packet capturing begin.

Now, we could simply wait to capture enough packets, but remember we need tens of thousands, and that could take far too long. Wireless security consultants don’t have to wait around. If time is short for a WiFi hack, you can use the aireplay-ng tool to inject packets at the access point. These packets trick the access point into sending out even more of its own packets. This can happen very fast!

(This particular WiFi hack may only take a matter of seconds, depending on the number of packets you capture and how close you are to the access point.)

Open a new terminal window.

Remember to plug your target’s BSSID and ESSID into the correct fields, and be sure to specify the name of your monitoring interface. It’s usually mon0, but yours may be different, so check. Also, you need to specify your spoofed MAC address after the -h switch.

aireplay-ng -1 0 -a (bssid) -h (your spoofed MAC address) -e (essid) (interface)


You should get an Association successful message. Now you can begin flooding the access point in order to capture more packets. Plug in the target’s BSSID, your spoofed MAC address, and your interface again. Hit Enter.

aireplay-ng -3 -b (bssid) -h (your spoofed MAC address) (interface)

Plan on hanging around until enough packets are harvested to run your WiFi hack.

Go back to your second airodump window where you are capturing packets to file. Keep an eye on the number in the Data column. It needs to be between 10,000 and 20,000. When you’ve captured 10,000 to 20,000, you can hit Control C to stop the capture.

Now you can attempt the actual WiFi Hack by running the aircrack tool. Plug in the target’s BSSID and the name of the capture file you started with the airodump command. (The capture file should be located in your Home directory.)

aircrack-ng -b (bssid) (yourcapturefilename)


If you captured enough packets, the WEP key will appear next to the triumphant message Key Found. Use that key without the colons to log into the target’s wireless network.

Read up on Aircrack’s website. You can do much more than crack WEP (as we’ll see later), and any security consultant worth their salt should be familiar with the ins and outs of aircrack. Congratulations on your first successful WiFi hack! Keep going!
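Finding WEP before an attacker does is the defensive use of the airodump step above. As an added example (not the tutorial’s own code), the Python below reads the CSV summary that airodump-ng writes next to its capture file when you use -w, and reports open, WEP and TKIP-capable networks. The sample CSV is constructed, and its column layout is assumed to match airodump-ng’s export, so adjust the header names if yours differ.

```python
"""Report weakly protected access points from an airodump-ng CSV summary.

Added example for this page, not the tutorial's own code. The CSV below is
constructed; its header follows the airodump-ng CSV export as an assumption,
so adjust the column names if your version differs.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-03-01 09:00:00, 2024-03-01 09:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0, 9, CorpNet-1,
00:11:22:33:44:66, 2024-03-01 09:00:00, 2024-03-01 09:05:00, 11, 54, WEP, WEP, , -55, 98, 4310, 0.  0.  0.  0, 10, CAMERA-OLD,
00:11:22:33:44:77, 2024-03-01 09:00:00, 2024-03-01 09:05:00, 1, 54, OPN, , , -70, 30, 0, 0.  0.  0.  0, 5, Guest,
00:11:22:33:44:88, 2024-03-01 09:00:00, 2024-03-01 09:05:00, 6, 54, WPA2WPA, CCMP TKIP, PSK, -60, 77, 0, 0.  0.  0.  0, 6, Legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2024-03-01 09:00:00, 2024-03-01 09:05:00, -50, 12, 00:11:22:33:44:66,
"""


def parse_access_points(text):
    """Parse the AP table (everything before the blank line that starts the
    station table) into one dict per row, keyed by the header names."""
    ap_block = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_block), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if len(fields) < len(header):
            continue  # skip short or malformed lines
        rows.append({name: fields[i].strip() for i, name in enumerate(header)})
    return rows


def classify(ap):
    """Return a finding for an AP row, or None when its settings are acceptable."""
    privacy, cipher = ap.get("Privacy", ""), ap.get("Cipher", "")
    if "OPN" in privacy:
        return "open network: every frame is readable by anyone in range"
    if "WEP" in privacy:
        ivs = ap.get("# IV", "0")  # IVs already observed: a measure of how busy it is
        return f"WEP: broken RC4/IV design, key recoverable from traffic ({ivs} IVs seen); retire the device"
    if "TKIP" in cipher:
        return "TKIP still offered: restrict to WPA2 with CCMP only"
    return None


def audit(text):
    """List (BSSID, ESSID, finding) for every AP that needs attention."""
    findings = []
    for ap in parse_access_points(text):
        issue = classify(ap)
        if issue:
            findings.append((ap["BSSID"], ap["ESSID"], issue))
    return findings


if __name__ == "__main__":
    for bssid, essid, issue in audit(SAMPLE_CSV):
        print(f"{bssid}  {essid:<12} {issue}")
```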

How To Enable WiFi On Kali Linux

One of the most searched for terms in wireless (WiFi) pen testing is “enable WiFi Kali Linux” and there’s no mistaking why.

One of the most popular operating systems that IT Security Professionals and Penetration Testers use is called Kali Linux. Kali is a specialized, locked down Linux OS that comes preloaded with tons of security tools and utilities. If you’re an aspiring IT Security Professional you need to be using Kali Linux. Period. Get to know this Linux distribution intimately, and you’ll be well on your way to mastering the world of IT Security.

Thus, it’s not unusual that one of the common questions is “enable WiFi Kali Linux” or, “How do I connect to the wireless network I am auditing, once I obtain the password or passphrase?” It’s actually quite simple to do and I am going to show you how below. You’ll find that you can use an easy GUI (Graphical User Interface) tool to do so. Because, what if you’re out on a security audit or penetration test and you need to verify access to the client’s wireless network?

Again, it’s easy. So let’s take a look below. And if in the unlikely event you still aren’t able to connect, check out the troubleshooting documents from Kali.org. They are extremely helpful. In this example, I am using the Alfa Long Range USB WiFi Adapter (model AWUS036H) and if you’re serious about doing this for a living, you really should be investing in one of these adapters as well. Why? Because they’re pretty cheap, and best of all they have plug-and-play support in Kali and BackTrack Linux. Yes, you don’t have to install any drivers to get this thing working. Just plug it in and you’re ready to go.

Enable WiFi Kali Linux – GUI Method

Moving on, we’ll explore the easiest method:

1. When you are logged into Kali, open a terminal window. We first need to bring the wireless adapter online for the operating system to see it. Study the following sets of commands below to do this:

iwconfig

This first command will print a list of all wireless adapters the OS detects. Usually, it will detect the wireless adapter as wlan0 as seen in the image. If you have connected a WiFi adapter capable of packet injection like the ALFA AWUS036H you will have two WiFi adapters (wlan0 & wlan1): one is the built-in adapter of your laptop or PC, and the other is the ALFA. You can use either to connect to a WiFi network if you already have the password, but for packet injection you need to make sure you select the correct one (the WiFi card with a chipset that supports monitor mode and packet injection).

To bring wlan0 online run the command:

ifconfig wlan0 up

Now that the wireless adapter is up, click the icon of the computer at the upper right-hand corner of the screen.

The drop down box will display all the wireless networks that are within range, and you can connect to your target after successfully applying the wireless password.

E Safety Online – A Beginners Guide to Online Safety

Nearly everybody owns a computer, but if you haven’t taken the right “E Safety” steps to secure your online experience, you may be a sitting duck for a wireless or Internet-based attack that could destroy your family, friendships, and career. That’s the truth, and there are plenty of examples on my other post.

Worldwide hacking attacks

Your WiFi access signal often extends outside your own home, sometimes well outside and it could bleed across the street and to other people’s houses. (Just go outside your house with your cell phone, search for wireless networks, and most likely your wireless network will still show up).

If the connection to your router is not password protected, you face a huge risk. Computer security is a growing concern for consumers, businesses, and anyone who connects to wireless networks. Why is that? Because thousands of identities are stolen each and every day. PCs and servers get hacked thousands of times every day.

The Information Age is actually the greatest arms race the world has ever seen. As security administrators develop new protection tools, monitoring platforms, and virus definitions, hackers are also creating new ways to beat them. Cyber-crime studies show that 65 percent of Internet users worldwide have been hacked at one time or another. Often, this comes in the form of a wireless attack. Using wireless networking equipment exposes a user to all sorts of wireless hacking attempts, and possible liability should the hackers gain access. It’s now more important than ever to know about and practice E Safety.

Always remember:

– An attacker could connect to your unsecured WiFi network and send humiliating e-mails. They may even be able to hack any laptops and PCs you have connected to your wireless network.

– Or they may simply use your network as a staging ground to launching more hacking attacks. Using you as a “digital beachhead”, hackers can launch attacks through multiple compromised networks to cover their tracks.

– They may also download illegal content through your WiFi network. (Think of all the people locked up for illegal file sharing and child porn. Imagine if just one of those people had been victim of an attack like this.)

– A computer forensics investigation into illegal activity will point right to you. People who are wrongly accused didn’t know about E Safety. That’s the hard, bottom line.

– A WiFi hacker who has gained access to your network can try to steal your banking information by spoofing bank websites. And it’s often undetectable to anyone not looking out for it.

It’s not enough to just know about E Safety. You need to know what to do to keep yourself safe.

1. Make sure your wireless access point is using WPA2 authentication. (If you’re a medium-sized business or larger, you need to be using WPA2 Enterprise.)

2. Be sure that the WPA2 password you have chosen is HARD. It should include letters, numbers, and symbols. The password should be long. 15 to 20 characters are best, but do not use the minimum number of 8 characters. That’s too short. Any wireless hacking tool would have a good chance cracking an 8 character password.

3. Use a router that does not use WPS authentication. It’s marketed as an easier way to connect devices to a WPA/WPA2 network (WPS lets you connect without entering the passphrase). WPS is broken, and there are several off-the-shelf tools that can recover the WPA/WPA2 passphrase using the WPS vulnerability. It’s complicated, and you can read more about it in my advanced WiFi password hack article. Don’t use WPS.

4. Update your wireless router or access point to the latest firmware version available. One of the things you’ll come to learn about E Safety is how important it is to keep all your software and hardware updated. Contact the manufacturers or check their websites. You should be able to find firmware updates easily. Firmware updates often fix critical security issues in these devices. In fact, most access point manufacturers should be releasing firmware updates that close WPS. If not, ditch that product and use one without WPS. Trust me, you’ll sleep better at night.

5. Regularly update your operating system. Always install the latest updates and security patches for Windows, Linux, and any other devices you may be using. And yes, this includes smart phones. This is one of the easiest ways to stay safe online.

6. When practicing good E Safety, using a firewall is a must. Windows and Linux have built-in firewalls. Use these, read about them, and did I mention use them? There are also a ton of free firewall products available for download. However, when it comes to firewalls, you get what you pay for. Free doesn’t always mean they’re the best. Paid firewall products usually offer greater levels of control as well as more accurate virus definitions.

7. Install a decent virus scanner and spyware scanner and make sure to update the definitions every single day. As I mentioned above, the Information Age is an arms race. Digital assaults are happening every day, and virus and spyware definitions are one of the ways the good guys are combating cyber-attacks. When you know the basics of E Safety, and you use all of these steps, you can rest assured that your data, privacy, and reputation are completely under your control.

These seven steps are easy for everyone to follow, and they provide a solid foundation for a secure network. By implementing the above, you’re already ahead of the curve. Don’t stop there, keep reading! And spread the word. Online safety is important, so you should be teaching (and yes, annoying) your friends and family on E Safety, what it is, and why it’s so important.

Hacking Software for WiFi Security Professionals

Security Professionals need to be intimately familiar with a huge assortment of hacking software. There are literally THOUSANDS of hacking tools available for download. Some of these tools are free. Some of them must be purchased. Some of them are open source. Some of them are gold. Some of them are very poor.

And let’s not forget that a lot of hacking software you find may just be trojan horses in disguise. Think about it, if you’re a malicious hacker who wants to sucker a bunch of people into giving you access to their computers, what are you going to do?

You could code a “hacking tool” and offer it for download, meanwhile add in a hidden keylogger and maybe a bot client as well…

Be careful what you download. That goes without saying. However, you can rest assured that the following list of hacking software is all legitimate and will NOT infect your computer with anything bad. These tools are used every day by thousands of IT security professionals and penetration testers, and you should get to know them if you want to get paid to do this stuff. Keep reading for my list of WiFi hacking software. All of the hacking tools listed are included in one or more of my tutorials on this site.

WiFi Hacking Software

The alphabetical list of tools used in the tutorials on this website:

  • Airbase
  • Aircrack
  • Aireplay
  • Airmon
  • Airodump
  • Cowpatty
  • Crunch
  • Fern WiFi Cracker
  • Gerix
  • Hashcat
  • John the ripper
  • Macchanger
  • Mdk3
  • Pyrit
  • Reaver
  • Wireshark

Don’t be alarmed. This is a lot to take in, but I’ll break them down and explain what they do here. My other articles detail how to use these tools and what you can do with them.

Hacking Software for Security Professionals

Airbase-ng

There are a ton of uses for airbase-ng, but one of the coolest things it can do is spoof WiFi networks. Attackers regularly use airbase-ng to create fake wireless access points to trick users into connecting to them. The attackers may offer enticing names like “Free WiFi.” Security professionals can also use airbase-ng to evaluate if company employees will connect to other access points and leak information. You should learn how this tool works.

Aircrack-ng

Aircrack-ng is the granddaddy of WiFi cracking tools. It can crack WEP, WPA, and WPA2 networks. It can crack WEP using statistical analysis of captured IVs, and it can crack WPA and WPA2 using dictionary files. It is available only through a Linux OS like BackTrack or Kali, where it is often already installed.

Aireplay-ng

Aireplay is a traffic generation tool. It’s used to inject WiFi frames and is usually run in conjunction with airodump and aircrack. Why would you necessarily want to generate traffic and inject it into the wireless access point you’re targeting? By generating traffic and injecting it, aireplay can greatly increase the speed with which you can crack WEP.

Airmon-ng

Airmon is used to place your wireless adapter into monitor and packet injection mode. You need a wireless adapter capable of packet injection like the Alfa wireless adapter line. We use airmon-ng a LOT on this website.

Airodump-ng

Airodump sniffs and stores wifi traffic to a file. We use airodump quite a lot as well, especially in attacking WEP and WPA or WPA2 networks. Airodump stores the packets we will later need to run password cracking tools against.

Cowpatty

Cowpatty is WPA and WPA2 cracking software. It can attack WPA/WPA2 networks using dictionary attacks or precomputed attacks using special rainbow tables.

Crunch

Crunch is a wordlist generator. You can specify a length range, like 1 through 8 characters, and a character set, such as all upper- and lowercase English letters plus numbers. Crunch will then generate a list of all possible combinations of that character set, which feeds a brute-force style dictionary attack.

Fern WiFi Cracker

Fern is a GUI (Graphical User Interface) tool for cracking WEP and WPA networks. It allows attacking WPA using either a dictionary file or by the WPS vulnerability. If you can’t handle command line tools, you can use Fern because it offers a point-and-click interface and is very easy to figure out. (However, you’ll probably be made fun of if you can’t do your job using command line tools.)

Gerix

Gerix is another GUI WiFi hacking software. Again, use it if you have to, but you should really learn to use all the command line tools as well. Don’t cop out by just sticking to GUI hacking tools.

Hashcat

Hashcat is another flavor of WPA hacking software, and it claims to be the fastest WPA cracker available. I haven’t tested that, but hashcat is a great tool to have on your resume. Hashcat is a lot more powerful than most of the other tools we use, because it lets you combine a ton of different attack options like brute force, dictionary, combination, and hybrid brute force / dictionary attacks. You’ll learn all about this in my hashcat tutorial.

John the Ripper

John is a well-known and widely used password cracking tool. We can also leverage the power of John the Ripper to attack WPA and WPA2 preshared keys.

Macchanger

Macchanger isn’t hacking software, but it does allow us to spoof our wireless adapter’s MAC address to avoid detection, and it’s a tool and technique that malicious hackers use often. For that reason, you should be familiar with macchanger.

MDK3

MDK3, which stands for Murder, Death, Kill 3, is a denial of service tool for WiFi networks. If you can’t hack it, DoS it. MDK3 offers many options to flood an access point and prevent legitimate users from using it.

Pyrit

Pyrit allows you to precompute databases of possible WPA/WPA2 passwords. Pyrit is similar to hashcat.

Reaver

Reaver is one of the best WiFi hacking tools available, because it allows you to hack WPA2 networks WITHOUT dictionary files, brute force attacks, or precomputed/rainbow tables. Reaver does not attack the WPA2 password directly like the other tools do. Reaver attempts to discover the password by attacking WPS PINs, 8-digit numeric codes meant to enable quick WiFi access. Not all WiFi networks have WPS, but those that do are at risk from a Reaver attack.

Wireshark

Wireshark is a network sniffing tool. We can use Wireshark to capture WPA handshakes for WPA/WPA2 cracking. We can also use Wireshark once connected to the wireless network in order to sniff client data.


So there you have it. A very quick breakdown of wireless hacking software. The tutorials and videos on this site use all of these hacking tools at least once, so you will gain a great understanding of how they work and be on your way to a successful IT security career.

How to Hack WiFi – Learn How to Do It For Free Here

Obviously you have found this page and hope to learn how to hack WiFi.

But, it is just as important to understand how to secure WiFi. This website is all about information. You’ll find everything you need here, from WEP WiFi hacks to more advanced WiFi password hacks. But pace yourself. Start here. You need a foundation before anything else.

Wireless network security is as important today as locking your front door before bed every night. As I will show you below, using poor or no wireless security measures can actually get you into some serious trouble. I don’t mean a slap on the wrist from your Internet Service Provider, either. I’m talking about real, federal-prison-style trouble. You may think I’m lying. You may be wondering, how can having an insecure wireless network get me into trouble? So what if my WiFi security isn’t strong? It’s my access point and I can do whatever I want with it! For a real-life example of just how dangerous insecure WiFi networks are, read about the guy who decided to hack his neighbor’s WiFi.

This is the wrong way to think about the problem. Everyone should make an effort to learn, expand on, and properly implement WiFi security in their own homes and businesses. Get your hands dirty. For security administrators and consultants, knowing how to hack WiFi is a basic requirement of the job. But everyone should know how to secure a wireless access point. And, I believe, everyone should also know how to hack WiFi. Why? The more we know, the better able we are to deal with the problem. Believe me, you don’t want to be under police suspicion because someone else did illegal activities on your network. It’s about liability.

Why should you know how to hack WiFi?

You must know your enemy, how he is likely to act, what hacking tools he is likely to use, and how he is likely to use them. You must learn all of this, and more, before you can beat him. If you do, you are in a much better position to prevent wireless attacks.

You are empowered.

If you still think that the idea of getting in legal trouble for insecure WiFi networks is absurd, consider that in many areas, having a swimming pool in your yard means you must also have some sort of fence enclosing the yard to keep others from getting into the pool and possibly drowning. Again, it all comes back to liability. (And yes, you can be liable for crimes committed from your networks!)

At the end of the day it’s all about awareness – a truth in all aspects of our lives.

As an information security consultant or wireless security auditor, you need to learn how to hack WiFi in the field as part of a particular engagement. Or, your boss may have tasked you on Friday afternoon to test the company’s Wireless Access Points against an outside intruder. Tools already exist which can automate much of this process, but knowing the nuts and bolts of how something is accomplished is very important, especially when troubleshooting problems, expanding on ideas, and deciding what the best method is in any given situation. So, why learn it all over again? Isn’t it reinventing the wheel?

The answer, I believe, is no.

Wireless security auditors, consultants, and administrators have a unique position in the InfoSec industry to be able to combat cyber-crimes such as this. These professionals are on the front lines of defense, and they must know how to hack WiFi and secure it in order to protect against stories like this. Hackers will not stop at a password-protected access point. They have plenty of tools and tricks to break into practically anything they’re put up against. WiFi hackers can just as easily crack a password using a dictionary attack, for instance, and then commit a crime on your network, i.e. in your name. As the Internet and the real world continue to merge, network security (and particularly WiFi security) becomes more vital.

So how would you hack WiFi? With this website you’re more than halfway there. All the lessons on this website are free, easy to follow, detailed articles and many with supporting videos. (I’d recommend looking at both to maximize your understanding of how to hack WiFi). There are some additional things you will need to own or buy. It won’t be expensive.

How to hack WiFi Step by Step

You’ll need two things:

1. Before you can understand how to hack WiFi, the very first thing you’ll want to do is to download Kali Linux, or a version of BackTrack from somewhere if you can find it, as Kali Linux replaced BackTrack Linux in 2013. I still have lots of copies lying around on both live CDs and live USB sticks, and I refer to BackTrack in many of my tutorials as they were written a few years ago. However, the commands still work the same on either the latest Kali Linux or an older version of BackTrack Linux.

What is Kali Linux & BackTrack Linux?

You might have heard of Linux and know it is a computer operating system, but not much else. Linux is indeed a computer operating system, but it is used on far fewer desktop computers than Windows; probably 95% of the home and office computers around the world run on Microsoft Windows (the most recent being Windows 10 & 11). However, many servers (the computers which are the backbone of the internet) use a Linux-based operating system. Linux is generally less user friendly and requires more technical knowledge, such as the use of a command-line interface.

One of the main differences of Kali Linux or BackTrack Linux is that you can run it from a live CD or live USB; essentially, you can have an entire operating system loaded onto a CD or USB stick that you plug into ANY desktop or laptop computer without installing it. Normally, when you press the power button on your computer running Windows 10 or 11 it will load the Windows operating system, and everything you do will be recorded and logged somewhere on the hard drive. When you fire up Kali Linux or BackTrack Linux from a live CD or live USB nothing is saved, stored, logged, or recorded; it’s the perfect hacking tool!

Both are special penetration testing operating systems. Yes, an entire OS loaded with a dizzying array of hacking tools. Either Kali or BackTrack will do. Kali Linux is actually the successor to BackTrack, so you should be able to follow along with the video hacking tutorials and articles with either version. (I will be using a mix of BackTrack and Kali for my video tutorials.)

2. You will also need a wireless adapter capable of packet injection. Packet injection involves intercepting and inserting TCP packets in such a way as to trick other, consenting nodes on the network (laptops, tablets, mobile phones, and wireless access points, for instance) into thinking the injected packets are legitimate. In reality, we want these injected packets to go unnoticed altogether.

One of the best wireless adapter cards that support packet injection (and will work in BackTrack and Kali) is the Alfa USB wireless network adapter. This thing rocks and can easily sniff WiFi networks out of the air from a range of several hundred meters. If you place it someplace outside within 100 meters, it is sure to pick up your target access point. So, in addition to BackTrack or Kali, you will definitely need an Alfa card like the one below.

ALFA-AWUS036H

Once again, you WILL need one of these adapters to follow my how to hack WiFi lessons. If your existing wireless adapter can’t enter packet injection mode, none of what I teach here will work.

With that said, I invite you to look around here. You’ll find a huge assortment of hacking tutorials and articles. Think of these as your Entry Level 101 classes. From here, you’ll understand how to hack WiFi using a variety of methods and technologies. If you’re new to all of this, I’d definitely recommend checking out all the general stuff first before diving into the harder stuff. And yes, there are plenty of more advanced methods to hack WiFi. Wireless security consultants and security administrators (and anyone who does know a thing or two about WiFi hacks) can skip ahead to the more advanced tricks. No matter what kind of wireless security you’re up against, you’ve stumbled on the mother lode.  

This will teach you how to hack WiFi. Dive in.

War Dialing Returns – Modem and VOIP Security

For anyone who hasn’t seen the movie WarGames, you may not know what war dialing is. Some of you might know about war dialing, but wrongly assume that it’s an outdated hacking method that doesn’t even work nowadays. Either way, I encourage you to check out this information-packed article on war dialing and how it can affect network and computer security even today. The truth is, war dialing is still a threat. The nature of the threat has just changed a little.

Aspiring IT security experts should be well-versed in war dialing. It’s an old technique, some may even say ancient. But it still happens today, and with the rise in Voice over IP telephone systems (VOIP systems), war dialing may even be making a big comeback.

In the late ’80s and throughout most of the ’90s, war dialing was a constant threat to IT systems worldwide. The Internet was still in its infancy, and computer security concepts were even younger. War dialers of the day would exploit company telephone and private branch exchange (PBX) systems, breaking inside the organization to steal data or map the internal networks. These early attacks and the attackers themselves utilized war dialing tools such as THC Scan.

THC Scan was an old-school DOS program that allowed attackers a fair degree of automation. With this tool, attackers could automatically dial telephone numbers from a predetermined range or from a list of specific telephone numbers. THC Scan was also able to detect voice message systems or answering machines. Often, attackers would pair THC Scan with another tool, THC Login Hacker. Both tools in tandem allowed an attacker to war dial a set of telephone numbers and then try to brute force or password guess the modem, voice mail, and PBX passwords that had been set. Often, these passwords were extremely short and easy to guess. Many times the passwords had not been changed from their manufacturer-set default values.

As time went on, and the field of computer security began to mature, the rate of war dialing attacks began to drop. It’s now considered a legacy method of hacking, and is pretty rare to see security professionals discuss it. Mostly, war dialing has been forgotten. But it shouldn’t be, because it’s still a very dangerous method of attacking computer systems. Why?

Because, even after almost 30 years, war dialing is still pretty effective. And with more people now working from home and connecting to the internet for work, this type of attack, well, still works.

Remember, a war dialing program can be set to systematically dial thousands of telephone numbers. These programs will dial again and again, searching for modems or other telephony systems that answer.

New War Dialing Tools

With the rise in Voice Over IP (VOIP) telephone systems, war dialing has made a comeback. There are a host of new tools attackers are using to continue their assault against computer networks. Security professionals need to be aware of these new war dialing methods. Penetration tests (black, white, and grey box) should include war dialing as a part of the security audit or vulnerability assessment. If your network has any sort of security hole or vulnerability through a networked telephone system, you want to find out about it before the bad guys do.

Remember, war dialing isn’t just about hacking modems anymore (even though that’s still a part of it). Nowadays, war dialing is about hacking VOIP systems. VOIP systems are just telephone systems that are hooked up to the Internet and not a dedicated phone line. That means, the computers, servers, and wireless access points will often share the same ethernet cables that the telephones do.

Windows War Dialing Tools

Telesweep is a free modem vulnerability scanner that you can grab from the SecureLogix website. Telesweep is like an updated version of THC Scan, but with more features and updated methods of attacking VOIP systems.

SecureLogix offers TeleSweep as a free download. Security professionals can configure it to dial corporate telephone numbers and report the number of modems connected to these lines. Modem connections are often weakly configured, or left at their default settings. These modem connections are often a forgotten (and dangerous) backdoor to the inside of your LAN. Malicious hackers and other outside intruders may use tools such as TeleSweep to gain unauthorized access into your network.

VOIP War Dialing

VOIP telephone systems are all the vogue now. However, the newest technologies often aren’t the most secure. Security can lag new technology. VOIP allows telephones and computers to share the same physical network cables, switches, and firewalls. It is a breakthrough in cost-savings and ease of use. Now, companies don’t need dedicated phone lines. They can simply route all the voice and data through the same hardware. However, because of this, hackers are reviving war dialing and are developing new tools to war dial more effectively than ever.

Warvox War Dialing Software

WarVOX is a war dialing program for Windows. It is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal war dialing tools, WarVOX does not use a modem directly, and can instead be run directly from Windows. Because of this, WarVOX can discover a large range of interesting voice lines, including modems, fax machines, voice mail boxes, PBXs, and VOIP systems.

War Dialing Prevention

It’s not enough to just know of war dialing. IT security professionals need to know how to safeguard and protect against war dialing attacks. Luckily, there are a lot of war dialing countermeasures you can implement to protect against this sort of attack.

Let’s start with the basic prevention methods:

1. Change all default passwords for any VOIP, PBX, voice mail, backup modem, or fax machines you may have connected to your network. This step is crucial, and it should be the first one that you take when securing VOIP and other telephone systems. Most modems and VOIP systems have default passwords already set. Make sure you change them, and make sure they are long and difficult to guess. Ask yourself, would my password appear in a hacker’s dictionary file? Would it be simple enough to guess or brute force? If so, change the password to something more difficult.

2. Check for updates and apply security patches as soon as possible. Make a list of all your VOIP, modem, fax, and other telephony hardware. Check the manufacturers’ websites for updates, and you’re on your way to a more secure network.

3. Conduct a manual reconnaissance of your network. You should regularly scan your own network for modems and telephone systems. Perform war dialing against your own external telephone numbers, anything that could potentially dial into your own network. Be proactive! Make a baseline of every device you find and keep track of it. Oftentimes, employees will bring in their own modems and connect them to the company network so they can bypass web filtering. Watch for this!

4. Log all successful and failed login attempts. Modern modems and VOIP systems should allow you to monitor logins. Make sure you enable this feature and store the logs on a central log management system with something like Kiwi or Splunk.

5. Use VLANs to segment voice and data. You’ll need to be using web-managed switches and fairly new firewalls to implement this feature, but it’s by far one of the most secure and comprehensive ways to prevent war dialing attacks from infiltrating your network. Using VLANs, you can logically separate your voice communications from your data communications, while still allowing both to run on the same network cables and hardware. With proper VLAN segmentation, even if an attacker war dials into your phone systems, the attacker won’t be able to see your data nodes (such as servers and desktops).

6. Lastly, you can take a look at the Sand Trap tool. Sand Trap can be configured to monitor for any war dial attempts and even answer those dials. Sand Trap can log the caller ID and provide a login banner and password prompt for the dialer. This is an awesome tool that can act as a barrier between a war dialer and a telephone or modem system. However, it won’t work with every telephone device out there, so check it out before committing to it.
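Steps 3 and 4 above pay off once the telephony logins are actually in one place: a war dialer sweeps a range, so the signature in a central log is one caller ID hitting many distinct numbers in a short window, whether or not the logins succeed. The following Python check is an added example, not code from this article or from any of the tools named above; the syslog-style line format, field names, and phone numbers are constructed for illustration.

```python
"""Flag war-dialing sweeps in centralized modem/PBX/VOIP login logs.

Added example, not from the original article. Assumes a constructed,
one-call-per-line format exported to a central log server:
  <ISO timestamp> caller=<callerID> dialed=<ourNumber> auth=<OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (numbers and format are made up).
SAMPLE_LOG = """\
2024-03-01T22:01:05 caller=5550100 dialed=5551200 auth=FAIL
2024-03-01T22:01:35 caller=5550100 dialed=5551201 auth=FAIL
2024-03-01T22:02:04 caller=5550100 dialed=5551202 auth=FAIL
2024-03-01T22:02:40 caller=5550100 dialed=5551203 auth=OK
2024-03-01T22:03:11 caller=5550100 dialed=5551204 auth=FAIL
2024-03-01T09:15:00 caller=5550199 dialed=5551250 auth=OK
2024-03-01T09:16:00 caller=5550199 dialed=5551250 auth=FAIL
"""


def parse(line):
    """Split one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def is_sequential(numbers):
    """True when the dialed numbers form a consecutive run (classic sweep)."""
    vals = sorted(int(n) for n in numbers)
    return all(b - a == 1 for a, b in zip(vals, vals[1:]))


def find_war_dialers(log_text, window=timedelta(minutes=10), min_numbers=4):
    """Return {caller: sorted distinct numbers} for callers that reached
    at least min_numbers distinct lines inside any `window`-long span.
    Auth outcome is ignored: the OK on 5551203 is exactly what to chase."""
    by_caller = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse(line)
            by_caller[r["caller"]].append((r["ts"], r["dialed"]))
    hits = {}
    for caller, calls in by_caller.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            seen = {d for t, d in calls[i:] if t - start <= window}
            if len(seen) >= min_numbers:
                hits[caller] = sorted(seen)
                break
    return hits
```

Tune `window` and `min_numbers` to your own call volume, and treat a flagged caller that also has an `auth=OK` line as an incident, not just an alert.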