Wireless penetration testing actively analyses the information security measures deployed in WiFi networks to identify weaknesses, technical flaws and critical wireless vulnerabilities.
It should cover the following: threat assessment, data theft detection, security auditing, risk prevention and detection, information system management, infrastructure upgrades, and a detailed report.
Framework for Wireless Penetration Testing
1. Find out which devices are connected to wireless networks.
2. If a wireless device is found, document all findings.
3. If wireless devices are found using WiFi networks, perform the common WiFi attacks and verify which encryption they use.
4. If you find a WLAN that uses WEP encryption, perform WEP encryption pentesting.
5. If the WLAN uses WPA/WPA2 encryption, perform WPA/WPA2 pentesting.
6. If the WLAN uses LEAP, perform LEAP pentesting.
7. If the WLAN uses none of the encryption methods mentioned above, check whether it is unencrypted.
8. An unencrypted WLAN can be used to perform the common attacks on WiFi networks.
9. Make sure that there is no damage to the pentesting assets before you generate a report.
Wireless Pentesting of a WEP-encrypted WLAN
1. Test whether the SSID is visible or hidden.
2. Verify whether the network uses WEP encryption.
3. If the SSID is visible, sniff the traffic and check whether packets are being captured.
4. Once packets have been captured successfully, crack the WEP key using WiFi cracking tools such as WEPCrack or Aircrack-ng.
5. If packets cannot be captured reliably, sniff the traffic again and capture the packets.
6. If the SSID is hidden, deauthenticate the target client using one of the many deauthentication tools such as CommView or Aireplay-ng.
7. Once the client has been deauthenticated and reconnects, the SSID is revealed; then follow the procedure above for a visible SSID.
8. Check whether the AP uses OPN (Open Authentication) or SKA (Shared Key Authentication), and note if SKA is in use.
9. Inspect whether STAs (stations/clients) are connected to the AP. You will need this information to execute the attack.
If clients are connected to the AP, perform interactive packet replay (or an ARP replay attack) to collect IV packets that can then be used to crack the WEP secret.
If no client is connected to the AP, a KoreK chop-chop attack must be used to generate a keystream that can then be used to replay ARP packets.
10. Once you have cracked the WEP key, connect to the network with wpa_supplicant to verify whether the AP allots an IP address.
Wireless Penetration Testing of a WPA/WPA2-encrypted WLAN
1. Start by deauthenticating the WPA/WPA2-protected WLAN clients using WLAN tools such as Hotspotter or Airsnarf.
2. If the client has been deauthenticated, sniff the traffic as it reconnects and check whether the EAPOL handshake has been captured.
3. If the client does not deauthenticate, repeat the step.
4. Verify whether the EAPOL handshake has been captured.
5. Once you have captured the EAPOL handshake, use coWPAtty or Aircrack-ng to run a PSK dictionary attack and recover the pre-shared key.
6. The time-memory trade-off technique (rainbow tables), also called the WPA-PSK precomputation attack, can also be used to crack the WPA/WPA2 passphrase; genpmk is able to create the pre-computed hashes.
If it fails, deauthenticate the client again and recapture the handshake.
LEAP-encrypted WLAN
1. Verify whether the WLAN is protected by LEAP.
2. Deauthenticate the LEAP-protected client using tools like Karma or Hotspotter.
3. If the client has been deauthenticated, you can break the LEAP encryption with a LEAP-cracking tool to obtain confidential information.
4. If the process stops, deauthenticate the client again.
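Each procedure above (revealing a hidden SSID under WEP, capturing the EAPOL handshake under WPA/WPA2, and the LEAP steps) relies on deauthenticating a client, and that step is also what a defender can detect. The following is an added example, not code from the original article: a minimal wireless IDS check that decodes the 802.11 MAC header of captured frames and flags any BSSID whose deauthentication/disassociation rate crosses a threshold inside a sliding window. The frame builder, MAC addresses, timestamps and thresholds are constructed for the sample; the real capture source (a monitor-mode pcap) is assumed.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0            # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 0x0C    # management subtype 12 = Deauthentication
DISASSOC_SUBTYPE = 0x0A  # management subtype 10 = Disassociation (same effect on the client)

def parse_mac_header(frame: bytes):
    """Decode the fixed 24-byte 802.11 MAC header into (type, subtype, addr1, addr2, addr3)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]  # first frame-control octet: version(2 bits) | type(2 bits) | subtype(4 bits)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22]

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def detect_deauth_flood(frames, window_s=2.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_frame). Returns {bssid: peak deauth/disassoc count
    seen inside any sliding window of window_s seconds} for BSSIDs that reached threshold."""
    recent = defaultdict(deque)  # per-BSSID timestamps still inside the window
    alerts = {}
    for ts, raw in frames:
        hdr = parse_mac_header(raw)
        if hdr is None:
            continue
        ftype, subtype, _da, _sa, bssid = hdr  # for management frames addr3 is the BSSID
        if ftype != MGMT_TYPE or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            key = mac_str(bssid)
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def build_deauth(da: bytes, sa: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Assemble an in-memory deauthentication frame as constructed test input for the detector."""
    frame_control = bytes([DEAUTH_SUBTYPE << 4 | MGMT_TYPE << 2, 0x00])
    duration, seq_ctrl = b"\x3a\x01", b"\x00\x00"
    return frame_control + duration + da + sa + bssid + seq_ctrl + struct.pack("<H", reason)

# Constructed capture (hypothetical addresses): 40 broadcast deauths from one AP inside 0.4 s,
# the pattern a deauthentication tool leaves behind, plus one ordinary deauth from another AP.
AP, OTHER_AP = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
CLIENT, BROADCAST = bytes.fromhex("021122334455"), b"\xff" * 6
SAMPLE = [(0.01 * i, build_deauth(BROADCAST, AP, AP)) for i in range(40)]
SAMPLE.append((5.0, build_deauth(CLIENT, OTHER_AP, OTHER_AP)))

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))  # {'02:aa:bb:cc:dd:01': 40}
```

With 802.11w (Protected Management Frames) enabled, clients also refuse forged deauthentication frames, but the burst is still visible in the air and this check still reports it.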
Penetration Testing of an Unencrypted WLAN
1. Confirm whether the SSID is visible.
2. If the SSID is visible, scan the IP range, then check the status of MAC filtering.
3. If MAC filtering is enabled, spoof the MAC address using tools like SMAC.
4. Connect to the AP with an IP address in the range you discovered.
5. If the SSID is hidden, use Aircrack-ng to locate it and then follow the instructions for a visible SSID as described above.