Introduction to Wireless Penetration Testing

Wireless penetration testing is a method to test an organization’s security. It is the process of gaining unauthorized access to the wireless network, data, and applications.

The objective is to find any holes in the organization’s security architecture and devise tactics to help thwart attackers (Wireless Penetration Testing).

Wireless penetration testing is on the rise nowadays wireless networks are everywhere, and my main goal here is to introduce you to the wireless penetration testing methodology.

Wireless penetration testing
Wireless penetration testing

This article covers everything from the basics of wireless to advanced technologies. The topics include WLAN fundamentals; client-to-AP security issues; Authentication, Encryption, and Key Management; Wireless Access Points and Network Infrastructure

There are many techniques to attack Wireless networks we need to think a little before starting to do some damage.

My goal here is to study and understand technology better, share everything I have learned over the years with the community, and improve my English. This is a simple technical document to help people how to design a Wireless network with minimum security and be aware of the risks.

Secure Wireless networks

The wireless penetration testing methodology is a great way to understand wireless network security. However, there is a lot to be learned – from the type of devices at risk (i.e., smartphones and tablets) to the types of attacks that are used by wireline intruders.

In Wireless networks, we need at least two devices, one Access Point (Router), and an STA (Client PC or Mobile) to associate with the access point!

Wi-Fi 802.11 Fundamentals

Wi-Fi, also known as IEEE 802.11, is a set of wireless networking standards that allows devices to communicate over wireless networks.

802.11 Layer 1 – Radio

The 802.11 standard, also known as Wi-Fi, defines the wireless communication protocols used for wireless local area networks (WLANs).

The 802.11 Layer 1, also known as the Physical Layer or Radio Layer, is the lowest layer of the 802.11 protocol stack, responsible for transmitting and receiving wireless signals over the air.

The main functions of the 802.11 Layer 1 – Radio are:

  1. Modulation and Demodulation: Layer 1 is responsible for converting digital data into analog signals suitable for wireless transmission, and vice versa. This is done through modulation, which is the process of modifying a carrier signal with digital data to create a modulated signal for transmission. Demodulation is the process of extracting the original digital data from the modulated signal received from the wireless medium.
  2. Frequency selection: The 802.11 standard defines multiple frequency bands, such as 2.4 GHz and 5 GHz, for wireless communication. Layer 1 is responsible for selecting the appropriate frequency band for transmission and reception, based on the network configuration, available channels, and regulatory requirements.
  3. Channel access: Layer 1 implements the wireless medium’s mechanisms, such as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), a contention-based protocol that helps prevent collisions when multiple devices attempt to transmit simultaneously on the same channel.
  4. Error detection and correction: Layer 1 includes error detection and correction mechanisms, such as cyclic redundancy check (CRC), which detects and corrects errors in the received data.
  5. Power management: Layer 1 includes power management features, such as power saving mode, which allows devices to save energy by entering sleep mode during inactivity.
  6. Antenna operations: Layer 1 is responsible for managing antenna operations, including antenna selection, diversity, and beamforming, to optimize wireless signal quality and coverage.
  7. Signal strength measurement: Layer 1 provides mechanisms for measuring the strength of the wireless signals, which is used for signal quality assessment, link establishment, and signal handoff between access points in a WLAN.
Wireless StandardFrequency BandMaximum Data RateTypical Applications
802.11a5 GHzUp to 54 MbpsHigh-speed data transfer in enterprise networks, multimedia streaming
802.11b2.4 GHzUp to 11 MbpsLegacy devices, low-cost home networks
802.11g2.4 GHzUp to 54 MbpsHome and small office networks, backward compatible with 802.11b
802.11n2.4 GHz / 5 GHzUp to 600 MbpsHigh-speed data transfer, improved range and performance
802.11ac5 GHzUp to 6.9 GbpsHigh-performance data transfer, multimedia streaming, enterprise networks
802.11ax2.4 GHz / 5 GHzUp to 10 GbpsEnhanced throughput and efficiency, improved performance in high-density environments

802.11 Layer 1 – Radio is responsible for the physical transmission and reception of wireless signals in a WLAN, and it plays a critical role in ensuring reliable and efficient wireless communication.

802.11 Layer 2 – Frame Types

Management , Control ,Data , Extension

Frame TypeType DescriptionSub Type ValueClass
00Management0000Association Request
00Management0001Association Response
00Management0010Reassociation Request
00Management0011Reassociation Response

There are some differences in the low-level layers between a Wireless network and a cable network, on Wi-Fi Layer 1 uses the normalization 802.11, and in layer 2 the sub-layer LLC is the same but the sub-layer MAC uses the protocol CSMA/CA to detect and correct errors on frames.

A wireless network uses radio waves to communicate with clients, there are two types of operation modes: infrastructure (ESS) and Ad hoc (IBSS).

The most common these days is the infrastructure (ESS) mode, which uses one AP and one client (STB), if there is more than one AP the link between both APs is called DS (distribution system).

Detecting DSs is very useful if we want to hijack some network or add our AP on foreign networks to monitor or use the network to our leverage.

Ad-hoc mode is used to communicate with machines directly or in peer-to-peer mode, this tutorial is focused on infrastructure mode so I don’t go deep into this mode it is too extensive but we will crack it.

Router Perspective

A router usually broadcasts his network name (ESSID) with beacons, MAC Address (BSSID), Chanel, cipher, and encryption to air waiting for some client to connect to him. Let’s check what relevance this information has to us:

  • ESSID – It identifies the network name, sometimes with some routes from ISPs we can use Key generators to generate the correct WiFi password even WPA.
  • BSSID – The BSSID is the Mac address attributed to the wifi interface at the router this is the interface we will connect to when authenticated. The MAC address can give us information like the router manufacture and the version of equipment (Thomson TG784n v3), if know this and we know this version of the router has a bug in the WPS system why is waste of time trying to crack a WPA password?
  • Channel – Wireless networks use frequencies in a defined range (2.443Mhz to 2.447Mhz) to communicate and use channels to
  • Cipher
  • Encryption

Encryption

  • WEP
  • WPA
  • WPA2
  • WPA3

Ciphers

  • CCMP
  • TKIP

Clients Perspective

A client has fewer things to verify, besides everything we check on the router perspective that is necessary to establish a connection to the router.

But we are here to crack a Wireless network so we need a wifi card with a special feature like Injection with this we can inject packets between the AP and a client to force them deauthenticate and do some more interesting things.

  • Wifi Card with Injection At these days there are many wifi cards with injection supported, you must verify the chipset of the wifi card and install the proper drivers. But we already compile a list for you, check it here:
  • Drivers – Pay attention to the drivers they must be installed correctly without errors
  • Software – In this tutorial, we will use some Linux commands and the Aircrack-ng pack, and other tools like WifiPumpkin 3, Airgeddon, Wifite2.

Offensive Wireless Attacks

Next, I will list the most common techniques and vulnerabilities on Wireless networks. Wireless pen-testing can be easy or tricky most of the time depending on the hardware being attacked.

Wifi Attacks

Wifi Attacks
Wifi Attacks

ScenarioResultAction Taken
Unauthorized AccessAccess DeniedStrengthened Encryption Protocols
Rogue Access PointsDetection and RemovalNetwork Monitoring and Patching
EavesdroppingSecure CommunicationImplementation of VPN
Real-World Examples: Turning Theory into Action

Open Networks

WEP

  • With Clients
  • No Clients

WPA / WPA2

Crack WPA
Crack WPA

Deauthentication Attack

A deauthentication attack is a type of wireless security attack that targets Wi-Fi networks. It involves sending deauthentication frames or packets to a wireless access point (AP) or client device, with the aim of disconnecting or “deauthenticating” them from the Wi-Fi network.

Handshake Capture

PKMID

WPS

Crack WPS
Crack WPS

Bruteforce WPS

PixieDust

Nulll Pin

Pins DataBase

Wordlists

Wordlists are our best friend when cracking WPA* passwords, over the years I’ve been collecting and generating tons of wordlists. >25TB…

Rainbow Tables

Key Generators

Real Scenario

Tools

wireless penetration testing, wireless penetration testing services, what is wireless penetration testing, wireless security course, wifi penetration testing

In an era where wireless technology drives connectivity, ensuring its security is paramount. Wireless penetration testing empowers you to mitigate risks, thwart potential threats, and foster a culture of cybersecurity readiness. By proactively addressing vulnerabilities, you’re not just defending your network; you’re fortifying your organization’s future.

Offensive Wireless – Get GWAN Certification

GIAC Certification

After