Pentesting Unencrypted WLAN


When using an unencrypted WLAN (Open Authentication), your wireless network is not protected in any way. Everyone located within range of the AP who can hear its signal can join and use the network. The whole authentication process is very simplified and consists of the authentication/association exchanges shown below −

Pentesting Unencrypted WLAN

In the lab setup, I have prepared a WLAN with the SSID "LAB-test" and open authentication. As an attacker, you first need to do some passive scanning to detect such a network, so let's do it! In the first step, I will enable my wireless card and create a WLAN monitoring interface using the airmon-ng utility.

WLAN Monitoring Interface

The next step is to check the WLANs that are heard by the wireless card using "airodump-ng mon0".

Check WLANs

My wireless card was able to see the "LAB-test" SSID on channel 1, broadcast by an AP with the MAC address (BSSID) 00:18:0A:6D:01:30. Under the encryption (ENC) column, you can see the value "OPN" – it means that there is Open Authentication (in fact, it means no authentication at all).
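As an added example (not part of the original article), the following script audits a scan dump in the airodump-ng CSV layout and flags every AP whose ENC column reads "OPN", which is the condition described above. The CSV content is constructed for the example; the second, WPA2-protected AP is hypothetical and included only for contrast.

```python
import csv
from dataclasses import dataclass

# Constructed sample in the airodump-ng CSV layout: an AP section (one row
# per BSSID), a blank line, then the station section. The LAB-test row mirrors
# the scan described on this page; the second AP is a hypothetical WPA2 network.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:0A:6D:01:30, 2015-01-01 10:00:00, 2015-01-01 10:05:00,  1,  54, OPN ,     ,    , -40,  120,  0,   0.  0.  0.  0,   8, LAB-test,
AA:BB:CC:DD:EE:FF, 2015-01-01 10:00:00, 2015-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -55,   90,  0,   0.  0.  0.  0,   9, Protected,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
98:0D:2E:3C:C3:74, 2015-01-01 10:01:00, 2015-01-01 10:04:00, -50, 40, 00:18:0A:6D:01:30, LAB-test
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    essid: str

    @property
    def is_open(self) -> bool:
        # airodump-ng prints "OPN" in the ENC column for Open Authentication:
        # no encryption and, in practice, no authentication at all.
        return self.privacy.upper() == "OPN"


def parse_access_points(text: str) -> list[AccessPoint]:
    """Parse the AP section of an airodump-ng CSV dump, stopping at the blank
    line that separates it from the station section."""
    aps = []
    rows = csv.reader(text.splitlines())
    next(rows)  # skip the column header row
    for row in rows:
        if not row or not row[0].strip():
            break  # blank line: the station section starts next
        fields = [f.strip() for f in row]
        aps.append(AccessPoint(bssid=fields[0], channel=int(fields[3]),
                               privacy=fields[5], essid=fields[13]))
    return aps


def open_networks(text: str) -> list[tuple[str, str, int]]:
    """Return (ESSID, BSSID, channel) for every AP advertising Open Authentication."""
    return [(ap.essid, ap.bssid, ap.channel)
            for ap in parse_access_points(text) if ap.is_open]


if __name__ == "__main__":
    for essid, bssid, ch in open_networks(SAMPLE_CSV):
        print(f"OPEN network: {essid!r} on channel {ch} from {bssid}")
```

Run against a real dump written with `airodump-ng -w <prefix>`, the same function gives an inventory of open SSIDs in range that a site audit can compare against the list of networks that are supposed to exist.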

On a Windows PC, a WLAN with Open Authentication is marked with an exclamation mark as a warning of an unsecure WLAN environment, as shown below (compare the lack of any additional sign next to the protected WLANs) −

Warning Unsecure WLAN Environment

We can simulate whether a wireless client would be able to connect to this SSID. We can do it using the aireplay-ng utility.

Connect SSID

As you can see, the authentication and association process went smoothly, and any wireless client is able to join the network.

The only mechanism you can use to improve the security of this unsecure environment is to implement MAC filtering. This feature was already described earlier, so I will jump directly to practice.

On the AP itself, I will implement a MAC filter allowing only a client with the MAC address 98:0D:2E:3C:C3:74 (my smartphone) to join the wireless network.

Then, when I repeat the authentication process using aireplay-ng, it fails this time.

Authentication Process Fails

After I change the MAC address of the mon0 interface to the one my smartphone has, I get a successful authentication again.

Change MAC Address

It is very unlikely that you will meet an open authentication WLAN nowadays. But it is very good to be aware of all those older deployment types as well.