I have recently set up a wireless network for a friend's business, and he asked me if there was any way someone could "hack" it. I assured him it would be extremely difficult once I set up a WPA2 key.
This got me thinking: how can I really be sure that no one could perform some type of hack? I know what types of hacks are out there, but I have no experience in actually performing them. I understand essentially what has to happen in order to perform, for example, a man-in-the-middle attack, but how does one actually fool a victim's ARP component into thinking that the attacker's machine is the gateway? This seems like it would require access to the victim's machine.
I've implemented a WEP attack against my own private AP to see how this functions and to determine if my wireless home setup was secure. Not surprisingly, the encryption failed, and I decided to run wires everywhere until I can get a newer AP with better security.
And the answer is:
Well... it all depends. Never say never, as you're trusting the fact that everything really is secure, when maybe it isn't. I would seriously look at attempting a penetration test with your own equipment against the AP you're using before going much further. It sounds like WPA-PSK can be broken under certain circumstances - like when the AP doesn't implement it properly.
I would say that using a reasonably long password, along with a very long SSID name, should provide you with the security you're after. The reason the SSID name length is important is that it appears to influence the encryption process. If you're really paranoid, do two things:
ARP poisoning is such a trivial thing to accomplish, it should scare most normal people away from wireless. Of course, you could ARP poison a wired network also, but in theory, your wired network isn't open to just anyone walking around in, or around, your building.
Have a look at Cain (one popular tool used in ARP poisoning).
Over an unencrypted network, you would use two WiFi antennas and a patched version of AirPwn.
With WPA2 and a strong passphrase (WPA-PSK), there is NO WAY to perform a MitM attack. When I say strong password, I tend toward something like you get at https://www.grc.com/passwords.htm. The only way to attack WPA2-PSK is to guess the passphrase, which can be made very difficult.
Using a *nix box (assuming you have already aircracked your way to the wireless), you can use a set of utils called dsniff, then the arpspoof command to make the LAN hosts think your machine is the gateway (it sends out ARP "X.X.X.X is here AAAA:BBBB:CCCC" responses to the network, fooling the hosts into inserting your machine into their ARP caches). From there you can intercept/redirect/mirror any connection attempt, i.e. a request to Google can be redirected using iptables/ipfw to your local Apache server for further mischief.
Make sure you have [ gateway_enable="YES" ] for FreeBSD set in your rc.conf, or [ echo "1" > /proc/sys/net/ipv4/ip_forward ] for Debian (may be true for other Linux distros), so your machine will route the packets out to the real gateway after it's done having fun with them.
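As an added example (not written by any poster in this thread), here is the defender's side of the arpspoof scenario described above: a small Python checker that flags ARP replies contradicting a known gateway MAC, an IP whose MAC changes mid-stream, or a single MAC claiming several IPs. The gateway address, MACs and sample replies are constructed; in practice the records would come from a sniffer or a switch port mirror.

```python
"""Detect ARP-cache poisoning from a stream of observed ARP replies.

Added example, not from the original thread. Assumes the defender knows
the legitimate gateway IP/MAC pair; all addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # the IP the sender claims to own ("X.X.X.X is at ...")
    sender_mac: str  # the MAC it asks hosts to cache for that IP


def detect_arp_poisoning(replies, trusted):
    """Return alert strings for replies that contradict the trusted mapping,
    for IPs whose MAC changes, and for one MAC tied to several IPs (the
    pattern of a host impersonating both the gateway and its victims)."""
    alerts = []
    ips_by_mac = defaultdict(set)
    first_seen = {}  # first MAC observed per IP, for hosts not in `trusted`
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        ips_by_mac[mac].add(ip)
        if ip in trusted:
            if mac != trusted[ip].lower():
                alerts.append(f"{ip} claimed by {mac}, trusted MAC is {trusted[ip]}")
        elif first_seen.setdefault(ip, mac) != mac:
            alerts.append(f"{ip} changed from {first_seen[ip]} to {mac}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


# Constructed sample: a legitimate gateway reply and a normal host, then
# one MAC claiming both the gateway IP and that host's IP.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}
SAMPLE = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply("192.168.1.20", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE, TRUSTED):
        print("ALERT:", alert)
```

Static ARP entries for the gateway, or switch-side features such as dynamic ARP inspection, stop the poisoning rather than merely reporting it; this checker is the monitoring piece that tells you it is being attempted.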