The subversion of the routing function in ad hoc networks can lead to denial of network service. Ad hoc networks are particularly vulnerable to denial of service (DoS) attacks launched through compromised wireless routers or "intruders". Current routing algorithms for such networks contain few, if any, mechanisms for providing robust network operation in the face of DoS attacks launched on the routing infrastructure by intruders. One approach to address this issue is to design new routing protocols for ad hoc networks that can handle intruder-induced malicious faults. However, this would fail to leverage the considerable investment that has gone into the design of existing ad hoc routing algorithms. We present a new approach for building intrusion resistant ad hoc networks using wireless router extensions (WRE). The approach relies on extending the capabilities of existing ad hoc routing algorithms to handle intruders without modifying these algorithms. We describe new network layer mechanisms for detecting and recovering from intruder induced malicious faults that work in concert with existing ad hoc routing algorithms and augment their capabilities. We also present a WRE implementation architecture that allows these mechanisms to be "plugged" into existing wireless routers with little effort.