Today, most of us have wireless networks at home, it's very convenient to get rid of all cables and we're more mobile with tablets, phones and laptops that we do not want wires at all times.

We want to lie in bed or on the couch and surf or watch movies, it has become part of our everyday life

When we order broadband today, we often get a modem with built-in router function and with WiFi enabled, and it's incredibly easy to plug in your devices today.

Wi-Fi has matured

The market and users have matured a lot, gone is the time when unprotected networks could be found in all houses and the insecure WEP authentication is soon to be justa memory.

In order to get an insight into it all, I'll take a little quick reviewer of the history of breaking down wireless networks, but first of all, a bit of general knowledge.

To break Wi-Fi

As we know, all wireless data traffic is based on radio waves, and they are broadcast at different frequencies or as they are called in Wi-Fi, channels. All of us who have been in a Wi-Fi trafficed area have had problems with this sometimes, if too many networks broadcast at the same frequency, but today many access points have automatic channel switching to find the least-trafficed frequency.

As technology is based on radio waves, anyone with a radio receiver can sniff or "listen" the traffic sent there.

We can capture all devices via MAC addresses and isolate networks through access points or bssid, thus isolating the traffic we want to listen to, or capture and this information can be used to read your traffic, and in the long term, break your network.


WEP was probably the first-generation Wi-Fi authentication and it had a bug in its encryption that made it relatively easy to get your key.

WEP has a relatively short IV (initialization vector) only 24-bit and if you have picked up 2 pcs you can then calculate the keyword.

In essence, the attack went on to trick the network to yield enough IV for the same IV to be used 2 times and then you have a limited number of combinations (24-bit gives about 16 million combinations), and this was done through creating a large number of false authentications attempts against the access point and saving traffic in a cap file.

This file could later be used to calculate the key correctly.

The FBI made a demo where they cracked a WEP protected once every 3 minutes.

The only way to protect itself was to tunnel all its traffic through ssh or ipsec.


Today, WEP has almost gone into the grave and we use the next exclusively WPA or WPA2 that comes in 2 different implementations, wpa-psk and wpa-802.1x.

The wpa-802.1x is designed for business environments and is quite difficult to put up, I'm really honest, I do not think I've ever come into contact with a wpa-802.1x at any time, so I do not dare say anything about security there.

Wpa-psk, on the other hand, is the most common authentication today, psk stands for "private shared key".

This is based on a password that must be between 8 and 64 characters, and wpa-psk is considered safe.

However, there have been 2 problems and I will list both, I start with the most vulnerable part.

WPS that stands for "Wi-Fi Protected Setup" was launched in 2007 to simplify for home users to plug in their wireless devices, these methods are connect by button, pin-pin or physical contact.

By default, all routers supporting WPS also support connection via pin code and that is precisely this one that is vulnerable.

The pin code is 8-digit, the last of which is a check digit calculated on the remaining 7 digits. This gives 10 7 combinations = 10,000,000 pieces.

However, the code is verified by 4 characters at a time, which greatly simplifies it.

The first part (first 4 digits) gives 10⁴ = 10,000 possibilities and the other 10³ = 1,000 (keep in mind that the last digit is just a check digit) and this gives 11,000 combinations, which a computer can test in a few hours.

Some manufacturers have taken this and built in certain security features, such as automatic shutdown of the pin code after a certain number of attempts within a certain time.

On other routers, you can not even disable the PIN and the network is completely open for attack.

A lockdown or shutdown of the service can discourage the most demanding attacks, but an experienced system attacker always does his homework before finding out which router he is working against and looking for information about what obstacles he can face on the road.
By interfering with pauses between the attacks and the number of seconds you can wait between the router stopped responding, you can prevent the system from jamming.

An experienced cracker can easily find out which makes your router is through its unique hardware address, or MAC address as it's called.
Brute force against password

This technology requires a password list and that we have passwords between 8 to 64 characters long give us a lot of combinations and a good password

Add a comment