Introduction to Wireless Penetration Testing
Wireless penetration testing is a method to test an organization’s security. It is the process of gaining unauthorized access to the wireless network, data, and applications.
The objective is to find any holes in the organization’s security architecture and devise tactics to help thwart attackers (Wireless Penetration Testing).
Table of Contents
Wireless penetration testing is on the rise nowadays wireless networks are everywhere, and my main goal here is to introduce you to the wireless penetration testing methodology.
This article covers everything from the basics of wireless to advanced technologies. The topics include WLAN fundamentals; client-to-AP security issues; Authentication, Encryption, and Key Management; Wireless Access Points and Network Infrastructure
There are many techniques to attack Wireless networks we need to think a little before starting to do some damage.
My goal here is to study and understand technology better, share everything I have learned over the years with the community, and improve my English. This is a simple technical document to help people how to design a Wireless network with minimum security and be aware of the risks.
Secure Wireless networks
The wireless penetration testing methodology is a great way to understand wireless network security. However, there is a lot to be learned – from the type of devices at risk (i.e., smartphones and tablets) to the types of attacks that are used by wireline intruders.
In Wireless networks, we need at least two devices, one Access Point (Router), and an STA (Client PC or Mobile) to associate with the access point!
Wi-Fi 802.11 Fundamentals
Wi-Fi, also known as IEEE 802.11, is a set of wireless networking standards that allows devices to communicate over wireless networks.
802.11 Layer 1 – Radio
The 802.11 standard, also known as Wi-Fi, defines the wireless communication protocols used for wireless local area networks (WLANs).
The 802.11 Layer 1, also known as the Physical Layer or Radio Layer, is the lowest layer of the 802.11 protocol stack, responsible for transmitting and receiving wireless signals over the air.
The main functions of the 802.11 Layer 1 – Radio are:
- Modulation and Demodulation: Layer 1 is responsible for converting digital data into analog signals suitable for wireless transmission, and vice versa. This is done through modulation, which is the process of modifying a carrier signal with digital data to create a modulated signal for transmission. Demodulation is the process of extracting the original digital data from the modulated signal received from the wireless medium.
- Frequency selection: The 802.11 standard defines multiple frequency bands, such as 2.4 GHz and 5 GHz, for wireless communication. Layer 1 is responsible for selecting the appropriate frequency band for transmission and reception, based on the network configuration, available channels, and regulatory requirements.
- Channel access: Layer 1 implements the wireless medium’s mechanisms, such as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), a contention-based protocol that helps prevent collisions when multiple devices attempt to transmit simultaneously on the same channel.
- Error detection and correction: Layer 1 includes error detection and correction mechanisms, such as cyclic redundancy check (CRC), which detects and corrects errors in the received data.
- Power management: Layer 1 includes power management features, such as power saving mode, which allows devices to save energy by entering sleep mode during inactivity.
- Antenna operations: Layer 1 is responsible for managing antenna operations, including antenna selection, diversity, and beamforming, to optimize wireless signal quality and coverage.
- Signal strength measurement: Layer 1 provides mechanisms for measuring the strength of the wireless signals, which is used for signal quality assessment, link establishment, and signal handoff between access points in a WLAN.
Wireless Standard | Frequency Band | Maximum Data Rate | Typical Applications |
---|---|---|---|
802.11a | 5 GHz | Up to 54 Mbps | High-speed data transfer in enterprise networks, multimedia streaming |
802.11b | 2.4 GHz | Up to 11 Mbps | Legacy devices, low-cost home networks |
802.11g | 2.4 GHz | Up to 54 Mbps | Home and small office networks, backward compatible with 802.11b |
802.11n | 2.4 GHz / 5 GHz | Up to 600 Mbps | High-speed data transfer, improved range and performance |
802.11ac | 5 GHz | Up to 6.9 Gbps | High-performance data transfer, multimedia streaming, enterprise networks |
802.11ax | 2.4 GHz / 5 GHz | Up to 10 Gbps | Enhanced throughput and efficiency, improved performance in high-density environments |
802.11 Layer 1 – Radio is responsible for the physical transmission and reception of wireless signals in a WLAN, and it plays a critical role in ensuring reliable and efficient wireless communication.
802.11 Layer 2 – Frame Types
Management , Control ,Data , Extension
Frame Type | Type Description | Sub Type Value | Class | |
00 | Management | 0000 | Association Request | |
00 | Management | 0001 | Association Response | |
00 | Management | 0010 | Reassociation Request | |
00 | Management | 0011 | Reassociation Response |
There are some differences in the low-level layers between a Wireless network and a cable network, on Wi-Fi Layer 1 uses the normalization 802.11, and in layer 2 the sub-layer LLC is the same but the sub-layer MAC uses the protocol CSMA/CA to detect and correct errors on frames.
A wireless network uses radio waves to communicate with clients, there are two types of operation modes: infrastructure (ESS) and Ad hoc (IBSS).
The most common these days is the infrastructure (ESS) mode, which uses one AP and one client (STB), if there is more than one AP the link between both APs is called DS (distribution system).
Detecting DSs is very useful if we want to hijack some network or add our AP on foreign networks to monitor or use the network to our leverage.
Ad-hoc mode is used to communicate with machines directly or in peer-to-peer mode, this tutorial is focused on infrastructure mode so I don’t go deep into this mode it is too extensive but we will crack it.
Router Perspective
A router usually broadcasts his network name (ESSID) with beacons, MAC Address (BSSID), Chanel, cipher, and encryption to air waiting for some client to connect to him. Let’s check what relevance this information has to us:
- ESSID – It identifies the network name, sometimes with some routes from ISPs we can use Key generators to generate the correct WiFi password even WPA.
- BSSID – The BSSID is the Mac address attributed to the wifi interface at the router this is the interface we will connect to when authenticated. The MAC address can give us information like the router manufacture and the version of equipment (Thomson TG784n v3), if know this and we know this version of the router has a bug in the WPS system why is waste of time trying to crack a WPA password?
- Channel – Wireless networks use frequencies in a defined range (2.443Mhz to 2.447Mhz) to communicate and use channels to
- Cipher
- Encryption
Encryption
- WEP
- WPA
- WPA2
- WPA3
Ciphers
- CCMP
- TKIP
Clients Perspective
A client has fewer things to verify, besides everything we check on the router perspective that is necessary to establish a connection to the router.
But we are here to crack a Wireless network so we need a wifi card with a special feature like Injection with this we can inject packets between the AP and a client to force them deauthenticate and do some more interesting things.
- Wifi Card with Injection At these days there are many wifi cards with injection supported, you must verify the chipset of the wifi card and install the proper drivers. But we already compile a list for you, check it here:
- Drivers – Pay attention to the drivers they must be installed correctly without errors
- Software – In this tutorial, we will use some Linux commands and the Aircrack-ng pack, and other tools like WifiPumpkin 3, Airgeddon, Wifite2.
Offensive Wireless Attacks
Next, I will list the most common techniques and vulnerabilities on Wireless networks. Wireless pen-testing can be easy or tricky most of the time depending on the hardware being attacked.
Wifi Attacks
Scenario | Result | Action Taken |
---|---|---|
Unauthorized Access | Access Denied | Strengthened Encryption Protocols |
Rogue Access Points | Detection and Removal | Network Monitoring and Patching |
Eavesdropping | Secure Communication | Implementation of VPN |
Open Networks
WEP
- With Clients
- No Clients
WPA / WPA2
Deauthentication Attack
A deauthentication attack is a type of wireless security attack that targets Wi-Fi networks. It involves sending deauthentication frames or packets to a wireless access point (AP) or client device, with the aim of disconnecting or “deauthenticating” them from the Wi-Fi network.
Handshake Capture
PKMID
WPS
Bruteforce WPS
PixieDust
Nulll Pin
Pins DataBase
Wordlists
Wordlists are our best friend when cracking WPA* passwords, over the years I’ve been collecting and generating tons of wordlists. >25TB…
Rainbow Tables
Key Generators
Real Scenario
Tools
wireless penetration testing, wireless penetration testing services, what is wireless penetration testing, wireless security course, wifi penetration testing
In an era where wireless technology drives connectivity, ensuring its security is paramount. Wireless penetration testing empowers you to mitigate risks, thwart potential threats, and foster a culture of cybersecurity readiness. By proactively addressing vulnerabilities, you’re not just defending your network; you’re fortifying your organization’s future.
Offensive Wireless – Get GWAN Certification
After