
Wireless networks are everywhere; they are widely available, cheap, and easy to set up. To avoid
the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of
enjoying this wireless freedom, I began thinking about security. How secure is my wireless
network?

I searched the Internet for many days, reading articles, gathering information, and participating
on message boards and forums. I soon came to the realization that the best way for me to
understand the security of my wireless network would be to test it myself. Many sources said it
was easy, few said it was hard. 

How a wireless network works

A wireless local area network (WLAN) is the linking of 2 or more computers with Network
Interface Cards (NICs) through a technology based on radio waves. All devices that can connect
to a wireless network are known as stations. Stations can be access points (APs), or clients.

Access points are base stations for the wireless network. They receive and transmit information
for the clients to communicate with.

The set of all stations that communicate with each other is referred to as the Basic Service Set
(BSS). Every BSS has an identifier known as the BSSID; this is a MAC address, the unique
identifier associated with every NIC.

For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points
typically broadcast their SSID to let the clients know that an AP is in range.

Data streams, known as packets, are sent between the access point and its clients. You need
no physical access to the network or its wires to pick up these packets, just the right tools. It is
the transmission of these packets that poses the largest security threat to any wireless
network.

Wireless Encryption

The majority of home and small business networks are encrypted using the two most popular
methods:

1. WEP
2. WPA

WEP – Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 bits, known
as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is
more compatible with older devices; therefore, it is still used quite extensively. Each WEP key
contains a 24-bit Initialization Vector (IV) and a user-defined or automatically generated key;
for instance, WEP 128 is a combination of the 24-bit IV and a user-entered 26-digit hex key
(26 × 4 + 24 = 128).

WEP also comes in WEP2 and WEP+, which are not as common but are still as vulnerable as the
standard WEP encryption.

WPA – WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several
issues found in WEP. Both provide you with good security; however, they are not compatible
with older devices and are therefore not used as widely. WPA was designed to distribute different
keys to each client; however, it is still widely used in a (less secure) pre-shared key (PSK)
mode, in which every client has the same passphrase.

To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses
and typical home users simply cannot afford. WPA utilizes a 48-bit Initialization Vector (IV),
twice the size of WEP's, which, combined with other fixes to WEP's weaknesses, allows
substantially greater security than WEP.

Packets and IVs

It’s all in the packets. The bottom line is – while you may be able to employ several security
features on your WLAN – anything you broadcast over the air can be intercepted, and could
be used to compromise the security on your network. If that frightens you, start stringing wires
throughout your home.

Every encrypted packet contains a 24- or 48-bit IV, depending on the type of encryption used.
Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to
encrypt each packet with a different key: to avoid using a duplicate encryption key in every
packet sent, the IV is constantly changing. The IV must be known to the client that receives
the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.

The problem with this method is that the Initialization Vectors are not always unique. In
theory, if every IV were different, it would be nearly impossible to obtain the network key; this is
not the case. WEP uses a 24-bit IV, giving the encryption about 16 million unique values that
can be used. This may sound like a large number, but when it comes to busy network traffic,
it's not.

Not every IV is different, and this is where the issues arise. Network hackers know that all the
keys used to encrypt packets are related by a known IV (since the user-entered WEP part of the
key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly
chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is
known as a collision.

If a hacker knows the content of one packet, he can use the collision to view the contents of the
other packet. If enough packets are collected with IV matches, your network’s security can be
compromised.
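The collision figures above follow from the birthday bound on the IV space. The script below is an added example (not part of the original article) that computes them from the 24-bit WEP and 48-bit WPA IV sizes the text gives, assuming, as the text does, that each IV is chosen uniformly at random.

```python
import math

WEP_IV_BITS = 24   # WEP: 24-bit IV, about 16.7 million values
WPA_IV_BITS = 48   # WPA: 48-bit IV, as described in the text


def collision_probability(n_packets, iv_bits):
    """Probability that at least two of n_packets uniformly random IVs are equal.
    Uses the standard birthday approximation 1 - exp(-n(n-1) / (2 * space)),
    which is accurate while n is far below the size of the IV space."""
    space = 2 ** iv_bits
    if n_packets > space:
        return 1.0  # pigeonhole: more packets than IV values guarantees a repeat
    exponent = -n_packets * (n_packets - 1) / (2.0 * space)
    return 1.0 - math.exp(exponent)


def packets_for_collision_probability(p, iv_bits):
    """Smallest number of packets at which the repeat probability reaches p
    (inverse of the approximation above)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def expected_collisions(n_packets, iv_bits):
    """Expected number of packet pairs sharing an IV among n_packets packets:
    C(n, 2) pairs, each colliding with probability 1/space."""
    space = 2 ** iv_bits
    return n_packets * (n_packets - 1) / (2.0 * space)


def wep_vs_wpa_summary(n_packets=150_000):
    """Compare the two IV sizes at a capture size the article quotes for WEP 64."""
    return {
        "wep_50pct_packets": packets_for_collision_probability(0.5, WEP_IV_BITS),
        "wpa_50pct_packets": packets_for_collision_probability(0.5, WPA_IV_BITS),
        "wep_collisions_at_n": expected_collisions(n_packets, WEP_IV_BITS),
        "wpa_collisions_at_n": expected_collisions(n_packets, WPA_IV_BITS),
    }


if __name__ == "__main__":
    # Reproduces the text's "50% after about 5,000 packets" for a 24-bit IV.
    print(f"P(repeat) after 5,000 WEP packets: {collision_probability(5000, WEP_IV_BITS):.3f}")
    for name, value in wep_vs_wpa_summary().items():
        print(f"{name}: {value:,.2f}")
```

Real drivers often increment the IV as a counter rather than picking it at random, which changes when repeats occur but not the fact that a 24-bit space is exhausted after a few million packets.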

The Setup

My wireless network was powered by a Linksys WRT54G v6 wireless router; it is well known that
this model is the most widely used wireless router. Out of the box, the Linksys router came with
one CD, which was nothing more than a visual step-by-step guide to connecting it.

A few things concerned me with this router. There was no part in the setup that allowed me, or
even told me, to change my router's default password. To change the password, I had to go into
the router's web-based setup utility; this was accessible via the IP address 192.168.1.1 in
my Internet browser. The default username and password were both admin. If someone was able to
compromise the security on my network, they could have easily done this for me and locked
me out of my own network. Sure, I could have performed a hard reset on the router, but I'd
have had little luck without the Internet or any documentation to help.

If you're looking to find your default username and password, there is quite a comprehensive
list located at www.phenoelit.de. My advice is to change this immediately, for it may save you
some trouble down the road.

Being my first time, I decided to go easy; I set my router up with basic WEP 64 encryption, which
required a 10-digit hex key. I entered the key into the two other computers in my home, and I was
ready to start.

Hardware

Out of everything I've experienced over the last couple of weeks, this was the hardest obstacle by
far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook
adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.

When selecting hardware, be warned: not all network cards are equal. It turns out that
nearly 99% of the software used to crack network keys is not compatible with notebook cards
that have a Broadcom chipset, and the programs that were compatible just didn't work.

9 out of every 10 articles I read boasted that the Orinoco Gold PCMCIA network card by Lucent was
the absolute best pick and most compatible with all the good software. A trip to eBay and $30
later, and I was ready.

The software we will be using is strictly dependent on the chipset of the WNIC, and
unfortunately, the operating system. Your best approach would be to research what software
you will be using, and then find a card based on the chipset the software is compatible with.

There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an
unbelievably comprehensive list of WNICs and their corresponding chipsets.

All the best programs are made for Linux; Windows is certainly a drag when it comes to WLAN
penetration software, but if you don't have Linux, don't be too concerned.

It may be in your best interest to invest in a wireless card that has an external antenna jack. The
Orinoco Gold WNIC I purchased has one, but since I’m compromising my own network in a
short range, it won’t be necessary.

The Software

There are hundreds of applications you can use to do a variety of things with wireless networks.
The largest list of software that I came across can be found at Wardrive.net. The term
“wardriving” is more commonly used for this practice, and involves driving around
neighborhoods to look for wireless networks. I refuse to use this term because that is not what I
am doing; I am sitting in my home testing the vulnerabilities of my own network.

Let it be known that it is not illegal to use software to detect the presence of wireless networks;
however, if you crack the network and start “stealing” bandwidth, you could be in a world of
trouble. Especially if you're in Singapore.

Once I received my Orinoco card, I began re-installing software which had not previously worked
with my Linksys card. It was a nightmare; Windows XP kept getting in the way, software that
had been modded to run on Windows required daunting installation tasks, some programs
simply didn't work, and some required special runtime modules to be installed.

After nearly 48 hours of time-wasting, aggravating disappointment, I came across the
answer. A small penguin shone a beam of light upon my browser and blessed me; I
found Auditor.

(2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent
service.)

Auditor Security Collection is a self-booting Linux-based CD that comes pre-loaded with all the
best security software for auditing a system. It comes as a .ISO file that can be downloaded
from remote-exploit.org; the ISO image file is roughly 649 MB, and can be burned to a CD or
DVD using most CD/DVD writing utilities.

It was truly amazing; a simple check in the BIOS of the laptop to set the boot order to CD/DVD
first, a slip of the Auditor CD, and a press of the power button was all it took. I was ready. Be
not afraid of this Linux-based CD; everything is laid out in a GUI and all commands have
“shortcuts” linking to them on a desktop similar to a Windows environment.

Auditor Security Collection does not touch a single file on your hard drive. All files used and
saved in the ASC are stored in your notebook’s RAM; once you remove the CD and reboot,
everything is exactly as it was.

Detecting my wireless network

If you've come this far, believe me, you're doing well. The first step is to find the network you
want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing
on the two most popular: Netstumbler and Kismet.

Netstumbler is a widely popular tool used for detecting 802.11a/b/g wireless networks. The
latest version is Netstumbler 0.4.0, and will run in Windows XP. For compatible hardware and
requirements, you can check the readme on the Netstumbler forums; or you could just try it.
I'd like to point out that many sources have said the Linksys WPC54G/S WNIC does not work
with Netstumbler; however, I have been able to make it work by launching the program, then
removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.

Kismet does a little more than just detect networks. Aside from providing every detail
about a network except the encryption key, Kismet is a packet sniffer and intrusion detection
system; we'll get into sniffing packets a little later.

For this demonstration, we'll be using the pre-loaded Kismet on the Auditor Security Collection.
After inserting and booting the Auditor CD, I was ready to make sure everything was working
properly.

From this point, the first thing that needed to be done was to ensure the wireless card was
recognized by Auditor; to do this, you will have to venture into the dark world of the command
prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor
icon located at the bottom of your screen.

Simply typing in iwconfig will allow you to see all the wireless extensions configured on the
machine. If you see a screen full of data next to a wlan0 or eth0, you're ready to continue to
the next step; otherwise, you will see a list of “no wireless extensions” messages.

Next, you will need to start the Kismet program. You'll initially be prompted to enter a
destination to save data to; you can just select the ‘desktop’ and continue. When Kismet loads,
you will see a black screen with green text showing all the wireless networks within your signal
range.

Kismet will give you all the information you need to start cracking. Pressing ‘s’ on your
keyboard will bring up a ”Sort Network” dialogue box. From there you can press any of the
desired sorting methods. This step is important as it allows you to select a particular wireless
network on a list to view more details. Select your network with the arrow keys and press enter.

You will then be looking at nearly all your network details such as name, SSID, server IP, BSSID,
etc. Most are not relevant in this case, but you should write down a few things:

1. BSSID
2. Channel #
3. Encryption method

Pressing ‘x’ in Kismet will return you to the previous screen. Re-select your target WLAN, then
press ‘SHFT+C’ to bring up a list of clients associated with the access point. Write down the MAC
addresses of all clients, as they will prove useful.

Capturing packets

While you may not have been aware of it, at this point Kismet has also been capturing packets. This
is the bread and butter of cracking any wireless encryption; without data to process you have
nothing.

Capturing packets, also known as packet sniffing, is the process of intercepting and logging
traffic passing over a network. As information is sent and received over your wireless network,
the software captures every packet to allow you to analyze and decode it.

Capturing network traffic can be a lengthy process, especially if it is a slow network. With no-one
on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with
users on the other two computers, this number is substantially greater. Don't get confused: it's
not the packet itself that we want, but rather the IVs in the packets.

The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack
suite). We've already touched on Kismet, so let's take a look at Airodump.

Before running Airodump, you must configure your wireless interface to go into ‘monitor’
mode; the methods to achieve this require you to go back to the command prompt (konsole).

For most WNICs, you would use the command:

iwconfig <interface> mode monitor

And in some instances you would have to set the channel number on your WNIC to match that of
the target access point:

iwconfig <interface> channel #

Note that you will have to replace <interface> with the network interface specific to your
machine. Using an Orinoco Gold card, my network interface was eth0; but on most machines it
is wlan0 or ath0, so you may have to adjust those commands accordingly. You can find out for
sure by simply typing iwconfig.

I should also point out that putting the Orinoco Gold card in ‘monitor’ mode took a different
command altogether:

iwpriv eth0 monitor 2 1

Once you're in monitor mode, you're ready to run Airodump. The command used to start
Airodump is:

airodump <interface> <output filename> [mac filter]

<output filename> can be anything you wish; Airodump will put a .cap extension on the end of
the name. The MAC filter is used to capture packets only from a specific access point. For
instance, I used:

airodump eth0 george 00:18:f8:65:fe:41

to capture packets just from my access point, where 00:18:f8:65:fe:41 is the BSSID of the AP.

Airodump looks similar to Kismet, but there are no selectable objects on the screen; it gets
right down to it, capturing packets and storing them in the .cap file as defined in the command.
You'll notice Airodump keeps a running count of all the packets captured, and better yet, shows
you the number of IVs collected.

The waiting game

The hard truth is that you will need to collect nearly 150,000 IVs to crack a 64-bit WEP key, and
around 600,000 IVs to crack a 128-bit WEP key. This number varies, but is mostly dependent on
how lucky you are. If you watch the IV count in Airodump, you'll notice that, under normal
circumstances, it does not rise rapidly.

This can cause a problem; particularly if you’re as impatient as I am. Let’s take a look at some
ways we can speed up this process.

Until now, we've been using a method known as a passive attack. A passive attack is basically
doing nothing other than passively capturing packets until you have gathered enough data to
perform the crack.

Most access points need their clients to re-associate after a certain period of time to confirm
their connection; therefore, the AP will send out an Address Resolution Protocol (ARP) packet.
The ARP packet is unique in that it is always addressed to the MAC address
FF:FF:FF:FF:FF:FF, usually has a size of 68 bytes, and has the ToDS flag set.

We can use this information to implement an ARP replay attack. For this method, we will be
using Aireplay (part of the Aircrack Suite). Aireplay can be used to actually re-send packets that
it has received.

Leave Airodump running, and open a new command window. The command we'll be using for
Aireplay is:

aireplay -i -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0

The -i tells Aireplay to capture packets on the fly; the -m 68 and -n 68 tell Aireplay that you
only want it to replay packets that are 68 bytes. The -d and -b are the destination MAC address
and AP MAC address (BSSID) respectively. These are the criteria that define our ARP packet,
which is usually associated with an IV.

Alternatively, you may have already captured one of these packets. You can have Aireplay check
the .cap file from Airodump with the -f switch:

aireplay -f george.cap -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0

In either case, if Aireplay finds a match to our specifications, it will show you the details of the
packet and ask if you would like to replay it. If the details look exactly as shown below, press ‘y’
for yes.

FromDS = 0, ToDS = 1
BSSID = <mac address of access point>
Src. MAC = <client MAC>
Dst. MAC = ff:ff:ff:ff:ff:ff

Aireplay will then begin to replay the packet; if you've found a winning packet, you will notice
your packet and IV counts in Airodump rise extremely quickly. If not, only the packet count in
Airodump will rise; if this is the case, press CTRL+C to abort the operation, restart Aireplay,
and try again.

It has been noted that some routers will detect this erratic behavior and block the MAC address
of the WNIC you are using. Adding a -x switch followed by a “replays per second” number will slow
down the rate at which Aireplay replays these packets.
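On the defensive side, the behaviour that makes those routers react is easy to pick out: a real client sends an ARP broadcast only occasionally, while a replay sends the same 68-byte broadcast frame hundreds of times per second. The following is an added example (not from the article or the Aircrack project) of a rate-based detector over per-frame metadata of the kind an access point or monitoring capture records; the frame records and MAC addresses are constructed.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_LIKE_SIZE = 68  # the frame size the article uses to pick out ARP requests


def is_arp_like(frame):
    """Match the article's ARP-request signature: broadcast destination, ToDS set, 68 bytes."""
    return (frame["dst"] == BROADCAST and frame["to_ds"]
            and frame["size"] == ARP_LIKE_SIZE)


def detect_replay_storm(frames, threshold=50, window=1.0):
    """Flag any source MAC whose ARP-like broadcast count exceeds `threshold`
    within a sliding `window` of seconds.

    frames: iterable of dicts with keys ts (seconds), src, dst, size, to_ds.
    Returns a list of (src_mac, window_start_ts, count), one alert per source
    per burst. A replayed frame carries the original client's source MAC, so
    the alert names the station whose frame is being replayed; the rate, which
    no legitimate client produces, is the signal rather than the address."""
    recent = defaultdict(deque)   # src -> timestamps of recent ARP-like frames
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x["ts"]):
        if not is_arp_like(f):
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and f["src"] not in alerted:
            alerted.add(f["src"])
            alerts.append((f["src"], q[0], len(q)))
    return alerts


def sample_frames():
    """Constructed capture metadata (not real traffic): one client sending an ARP
    broadcast every 30 s plus ordinary data frames, then that client's ARP frame
    replayed 400 times within one second starting at t = 120 s."""
    client = "00:11:22:33:44:55"          # constructed client MAC
    ap = "00:aa:bb:cc:dd:ee"              # constructed AP MAC
    frames = []
    for i in range(10):
        t = i * 30.0
        frames.append({"ts": t, "src": client, "dst": BROADCAST, "size": 68, "to_ds": True})
        frames.append({"ts": t + 0.5, "src": client, "dst": ap, "size": 1500, "to_ds": True})
    for i in range(400):
        frames.append({"ts": 120.0 + i / 400.0, "src": client, "dst": BROADCAST,
                       "size": 68, "to_ds": True})
    return frames


if __name__ == "__main__":
    for src, start, count in detect_replay_storm(sample_frames()):
        print(f"replay storm: {count} ARP-like frames from {src} within 1 s of t={start:.2f}")
```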

If you're lucky enough, you will have collected enough IVs in little time. For me, it took 28
minutes including booting up, writing down the network specs, and typing all those lengthy
commands.

There are other methods, such as deauth attacks which force the clients off the AP, causing them
to have to re-associate; but these methods require a second computer.

The crack

Two of the most popular programs used for actually cracking the WEP key are Airsnort and
Aircrack. Airsnort can be used with the .dump files that Kismet provides, and Aircrack can be
used with the .cap files that Airodump provides.

Airsnort can be used on its own without any other software capturing packets; although it has
been reported to be extremely unstable in this state, and you should probably not chance
losing all your captured data. A better method would be to let Airsnort recover the encryption
key from your Kismet .dump file. Kismet and Airsnort can run simultaneously.

For this demonstration, we'll be using Aircrack. You can use Airodump to capture the packets,
and Aircrack to crack the encryption key at the same time.

With Airodump running, open a new command window and type:

aircrack -f 3 -n 64 -q 3 george.cap

The -f switch followed by a number is the fudge factor, a variable that the program
uses to define how thoroughly it scans the .cap file. A larger number will give you a better
chance of finding the key, but will usually take longer. The default is 2.

The -n switch followed by 64 indicates that you are trying to crack a WEP 64 key. I knew
because it was my own setup; in the real world there is no way to determine what WEP key length a
target access point is using. You may have to try both 64 and 128.

The -q 3 switch was used to display the progress of the software. It can be left out altogether
to provide a faster crack; although, if you've obtained enough unique IVs, you should not be
waiting more than a couple of minutes.

A -m switch can be used, followed by a MAC address, to filter a specific AP's usable packets;
this would come in handy if you were collecting packets from multiple APs in Airodump.

Aircrack recovered my WEP 64 key within 1 minute using 76,000 unique IVs; the whole process
took around 34 minutes.

The same experiment was repeated with WEP 128 and it took about 43 minutes. The reason it
was not substantially longer is that I simply let Aireplay replay more packets. Sometimes you
can get lucky and capture an ARP request packet within a few minutes; otherwise, it could take
a couple of hours.

After I had access to the network, many doors opened up. Aside from having access to the
Internet, I was able to use Networkview – a network discovery tool – to obtain my network's
workgroup name. From there, I had access to all the shared files on my drives.

While I'm no expert in the subject, I can at least assume that many horrible things could happen
if the wrong hands were to obtain my WLAN encryption key.

The conclusion

Always use WPA or WPA2 encryption when possible. If you're using WPA with a pre-shared key,
use a strong password; hackers can use dictionary attacks, and they will be quite effective if you
have an easy password. You may want to use a strong password generator like the one
at grc.com.

If your access point supports it, you may want to consider disabling wireless SSID broadcast;
however, this may raise some issues with the AP's clients recognizing it. (Kismet will still
recognize it.)

Many routers will allow you to filter what clients can access the network; this is known as
Wireless MAC Filtering. If you know the MAC address of the clients you are using, you can enter
them into your configuration utility as “Permit ONLY”. This is not a 100% effective method; MAC
addresses can be cloned to match the AP’s associated clients, but it does provide you with a
slightly higher level of security. (there is a utility on Auditor to allow you to do this)

By default, your router may be set to mixed mode; this allows 802.11b and 802.11g devices to
access your network. If you use only 802.11g devices, set your router to G-ONLY. Had my
router been set this way, I would never have been able to do any of this. The Orinoco Gold card
is 802.11b, and is obviously not compatible with an 802.11g-only network. Many 802.11g cards are
not supported by the software we've used in this tutorial, though a few are. While you're at it,
please change your default router username and password.

While I haven’t tried my hand at cracking a WPA encryption, the methods are similar when the
WLANs use pre-shared keys (psk); I do plan on trying it, and I will surely write an update to let
you know how/if it was done.

By no means am I claiming to be an expert in this field; If you’ve noticed anything that was
incorrect or just have something to add, please feel free to drop a comment.

Update Feb 2009: How WPA wireless networks are hacked, and how to protect yourself


Posted in Security, Tips and advice | 320 Comments » Read more from George Gardner

320 Responses to “I hacked my secure wireless network: here’s how it’s done”

1. Marvin:
February 6th, 2007 

WEP has been broken for a long time. This is old news. Come back when you’ve cracked WPA.

2. Simon:
February 6th, 2007 

you said “I could not disable remote access to my router” and that the tick box did nothing…

this is not true…remote access means from outside your network ie. the internet it does
nothing to your internal network, you can always access webconfig for any router from the
internal network.

remote access is handy if you want to forward a port or similar task when you are not at home

3. George Gardner:
February 7th, 2007 

Simon, thanks for that information. Being new to this, there are surely many areas to cover.

Marvin, I do plan on coming back when I’ve cracked WPA; of course, that has been done as well.
:)

4. Mike C:
February 7th, 2007

I liked this information, what was helpful to me was the info at the end that helped an end user
make their network more secure against these kinds of attacks. Sadly, most are common sense
that people who setup wireless networks in their home don’t even think about. Thanks for the
info George, great article!!!

5. Ben Dover:
February 8th, 2007 

I’m what’cha call a security professional, I make my living fixing the damage done because
folks set up networks without a clue. This article is a very good primer & a version of it should
be included with every new AP sold. Course, I’d get a lot less work but I can work around that.

6. Anand:
February 20th, 2007 

Hey, I used the Back Track Live Linux CD to boot my computer, but I was soon disappointed
realizing that I gotta search for the driver for my wireless card! I got a Broadcom 802.11b/g
wireless card in my Compaq Presario 3015nr laptop; do you have any idea where I can find the
Linux driver for my wireless card?

7. George Gardner:
February 21st, 2007 

“It turns out that nearly 99% of the software used to crack network keys are not compatible with
notebook cards that have a Broadcom chipset”

I think your best bet would be to find another card. Try Ebay. Sorry, I couldn’t be of more
assistance.

8. bob:
March 6th, 2007 

How do you find out who has used your wireless network recently, like 1 week ago?

How do you know what your MAC address is?

9. Paul:
March 14th, 2007 

Anand> The guys at remote exploit released a new backtrack version several days ago, which
should solve the broadcom problem.

10. George Gardner:
March 21st, 2007 

Thanks, I’ve already downloaded it and I’m hoping to try it out in the next few days.

11. Vinicius K-Max:
March 27th, 2007

The best post about wireless security EVER.

congratulations!

12. Dav:
April 24th, 2007 

Hi: Very interesting, but way over my head. Very comprehensive, I would have to print it and
pore over it to even begin to put any of it into practice.

I have a linksys WRT54G Router with a Macintosh. Someone also gave me a DWL 810+ Bridge. I
was able to get it to pickup my router at some distance (I used an iMAC in a RV).

Being 77 years old and having not too good short-term memory, I don’t remember the alphabet
soup of terms or numbers too well. I also do not get more patient as mine enemy grows older:).
In any case I changed the standard access 192.168.1.1 to something else; also the name of the
router. Of course the quickest way to protect a non-wireless network is just turn off the WLAN,
or at least the SSID broadcast.

I reset the DWL 810+ and then did the SSID survey. Your comment on Nets being set up
ignorantly is well taken. Somebody has a Belkin 54G that is totally unprotected. I’ll bet they
aren’t even using a wireless net. I got on the Internet at around 2Mbps thru it. Then got off.

I haven’t the foggiest idea who or where they are, within the block I suspect. I entered the
default Belkin id 192.1.2.1 and then after it responded the password admin, admin. There I was
inside their net. Four users were connected.

I suppose I could have done all sorts of mischief there or left them a warning message, but
wouldn’t even try.

Documentation supplied with the product leaves a lot to be desired. In fact you have to read
between the lines to use it with a Macintosh.

The most desirable feature (if they could KISS it) would be a program to tell if someone else is
on my net via the Router’s command structure. The closest seems to be the DHCP clients list
under the status>local network tab. There is also a logging function.

Regards:

13. George Gardner:
April 25th, 2007 

Dav,

Disabling your SSID will help, but it’s certainly not foolproof. Kismet can still detect it, and
people are most certainly able to connect to it.

As for detecting when someone is on your lan? Well, I plan on writing a piece on that very soon.
Also, many people believe that no harm can be done if someone is stealing your internet
connection. You and I agree that there is much that can be done, So I may also touch on that as
well.

14. Paul:
May 25th, 2007 

I am in the clever but not terribly tech-savvy category, and do not know what I do not know.
Somebody has taken over my Belkin home wireless, and I am trying to figure out what to do
next. Any suggestions are welcome. Certainly I would also like to know how to better protect
myself in the future. Help?

15. Paul Pickering:
May 25th, 2007

I am in the clever but not terribly tech-savvy category, and do not know what I do not know.
Somebody has taken over my Belkin home wireless, and I am trying to figure out what to do
next. Any suggestions are welcome. Certainly I would also like to know how to better protect
myself in the future. Help?

16. Daniel Hoiye:
May 25th, 2007

Yep..Already know that WEP and WPA are not safe..

I set up my wireless network based on the tutorials from this website.. Pretty easy to read and
set up a secure home wireless network. Lot of info..
Home Network, Wireless Network and Computer Networking Made Easy
http://www.home-network-help.com

17. derkim:
June 25th, 2007

Is there a faster way of getting the IVs to rise quickly instead of using aireplay?

18. KonaBoy:
June 28th, 2007 

PaulPaul:
May 25th, 2007

I am in the clever but not terribly tech-savvy category, and do not know what I do not know.
Somebody has taken over my Belkin home wireless, and I am trying to figure out what to do
next. Any suggestions are welcome. Certainly I would also like to know how to better protect
myself in the future. Help?

Paul, I would try resetting the router to defaults, usually done by pressing the reset button, then
follow directions here to apply some type of security. Good Luck!

19. Travis:
August 5th, 2007 

Hey PaulPaul,

Best thing to do when some ass has taken over your wireless router is to perform a factory reset
(which the router will have a button somewhere to perform this operation).

I know my Linksys would just need this depressed when the power plug is connected and it
returns back to factory for me to re-do setup and ensure those hackers don’t do it again.

Cheers & all the best.

20. Non American:
September 1st, 2007

Hi there,
If you want to make your life a little more simple breaking into a wireless network then try
using the tool “Cain and Abel”. This will basically do all the work for you and is available as a
Windows installation (i.e. you don’t need Linux).

As always with software like this, you need the correct hardware to work with it. I would
suggest using the information above or buying a dedicated network “packet capture” card to do
the job. The AirPCap card is just such a device.

I am not aware yet of any advertised successful (reproducible) penetration of a WPA / WPA2
wireless network that doesn’t rely on a dictionary type attack. This doesn’t mean it is impossible,
it just means that you should use really big random number and letter passwords so that this
type of attack is useless.

Another useful tool for the windows user is Wireshark. It also has links to some training on the
website as well as other useful tools.
Never be afraid to try and break your own wireless network – it is the only way to see just how
secure it is.

Non American

21. Kamikazi:
September 3rd, 2007 

How do I run Kismet?

22. tagz:
September 5th, 2007 

I have a dybex internal wireless NIC and it’s coming up as Broadcom… the program says it’s not
recognizing it… lol, but I’m talking to you guys, so what am I doing wrong?

23. tagz:
September 5th, 2007 

I meant Dynex.

24. DynV:
October 1st, 2007 

I was distracted by my WLAN light going crazy after dinner time and that got me thinking that I
could get more than my meager 30 GB / month for FREE. Great article, thanks! >:)

25. Luke S:
November 20th, 2007 

Hi,

Did you need to use the patched drivers with your Orinoco card?

26. jenny:
December 4th, 2007 

That is too complicated. Is there a simpler way to do it?

27. Wolf:
December 5th, 2007 

Ha,
How can you hack the VPN account? I use a VPN tunnel in my wireless network. Several people
tried to hack it, but everybody failed. It’s impossible to hack the 128-bit encrypted channel. If you
think that I’m not right you can go to http://strongvpn.com/ (I use their service) and check all
the technical definitions.

28. couture:
December 31st, 2007 

I have a Belkin wireless and I’m trying to find my WEP key; I need it to connect to the internet for
my Wii. Can you help me?

29. In Reply to Couture:
January 7th, 2008 

To reset your WEP key, use a PC connected to your wireless network and type the router address
(usually 192.168.2.1) into your internet browser (without http://www.). This will allow you to
configure your router by logging in. If you have not changed your default password (though you
should have!) it is blank by default, so simply press Enter. Once you have logged in, select
Security under the heading Wireless on the toolbar to the left of the screen. This will allow you
to read your WEP key. Good luck!

30. EPCTechno:
January 11th, 2008 

Great stuff George. I was reading another one on this, but yours was the best laid out!

31. afi:
January 19th, 2008 

Any easy method to get the key of a secured wireless network?

32. jkey:
March 3rd, 2008 

Good information. Aircrack is very useful to hack WEP passwords. Just collect as many IVs as you
can, at least 100,000. But how can I hack wireless that is protected by a username and password
site? Is there any software we can use for that? Please help me… email me
at jackie_kennedy87@yahoo.com.my… Sorry for my broken English…

33. Cavin Mugarura:
March 19th, 2008 

Your article is good; however, it’s a tech article. The problem with techies is that they can’t explain
systematically how to do something. First and foremost, your article was too long. I plan to write
a shorter, easy guide to crack wireless LANs. I don’t think a very long article is effective.

34. Aimee:
March 29th, 2008 

Hey, I have a Belkin, and I’m trying to connect it up to my PSP. It always comes up with a DNS
error. Any way I can get past this?

35. ahmed:
April 4th, 2008 

Hi, I don’t know much but want to ask some basic questions that I have…
1) If somebody hacks my wireless, how can I know? Is it possible that I will not be able to connect
to my wireless again after being hacked?
2) What is the average time for getting these IVs?
3) And is there still no software in Windows, meaning in XP, that does not require going to Linux
mode…?
Hope you will answer my questions though I have little knowledge about wireless networks… I am
working on that…

36. solari:
April 8th, 2008 

Hey everybody, how can I hack a wireless network when I have already connected to it and it’s
asking for a username and password? Please send it to my mail solari4reel@yahoo.co.uk. Thanks.

37. Sagar:
April 10th, 2008 

Hi,
Someone in my building has an unsecured wireless network. It gets displayed in the list of
available wireless networks. I want to tell him/her that the network is unsecured and to secure it
ASAP. How do I know who the owner of that network is? I can even access 192.168.1.1 in
the browser. It seems that person might get into serious trouble if this is not taken care of.

38. Rajat:
April 22nd, 2008 

Hey, thanks a ton George. I’m about to buy a Wi-Fi router and this was definitely interesting
and a great starting point. I will try it out as soon as I get my router this week. Thanks again,
have a great day. :))

39. nadi:
April 28th, 2008 

Hey everybody, how can I hack a wireless network when I have already connected to it and it’s
asking for a username and password? Please send it to my mail. Thanks.

40. jordan:
April 29th, 2008 

What program do you need to hack a WEP network? I need internet at my house and I can’t
afford to get internet.

41. brad:
May 4th, 2008 

Hi, if there is anybody who can tell me how to hack into a wireless network it will be a great help.

42. ajadwe:
May 4th, 2008 

It is really a very nice article… thanks a lot.

43. Julie:
May 4th, 2008 

Hey, really awesome article… Well, I have a laptop with wireless on it but I need to know how to
hack into a network that has a password so I can use the internet, since I can’t afford it atm. I’m
just a little lost on what you need to download and all that. If you could email me back that would be
great…

44. Kristian:
May 6th, 2008 

Hi George!

This is a great article! I’ve been reading a lot of them on the net but this is by far the best, and I
was happy to read how you explain in detail the steps and software to use. Most other guides
out there do not. My WLAN is more secure now than it was before.
I have a question:
The software that is capturing packets to crack the WEP key, does it only crack the WEP key or is
my other information also at risk? I mean, is information like my passwords to websites, my
email account password and such also revealed in the captured packets?

Thanks for your help!
