Wireless Security - Wi-Fi Pen Testing


In this section we skip the theoretical aspects of the technologies and go directly to purely practical activities. Be aware that all the attacks in this section are performed on a simulated wireless environment at home. It is against the law to use the steps described here to break into wireless networks out there, in real life.

Wireless Penetration Testing

Pentesting wireless systems is an easier task than pentesting a wired network. You cannot really apply good physical security measures to a wireless medium: if you are located close enough, you (or at least your wireless adapter) are able to "hear" everything that flows over the air. As you have seen so far, there are numerous tools ready and waiting for you to use.

The additional software and hardware you need for performing wireless network pentesting are listed below. This is the set that I personally use, and it works very well.

Kali Linux (formerly BackTrack)

You can either install Kali as the only OS on your PC or run the .iso file. The second option is the one I am using: in Oracle VM VirtualBox (freeware), you open the .iso of Kali Linux.

Wireless Card

If you are running Kali Linux as a virtual machine in VM VirtualBox, you can use a wireless card of your PC directly in the VM. For that use, you would need an external wireless adapter (descriptions of good wireless cards were given in the initial chapters of this tutorial). Personally, I am using the ALFA AWUS036NH, and I can definitely feel its "power". It has a high output power (1 W) and a built-in 5 dBi antenna. You can also try using it for your everyday Wi-Fi connectivity, as it is much faster than some of the "Intel" ones that most laptops are shipped with.

Having all that, you are good to go.

Wireless Penetration Testing Framework

Penetration testing of wireless networks is always divided into two phases − the passive phase and the active phase. Every possible attack you can imagine (wireless or any other) always starts with some kind of passive phase.

During the passive phase, the penetration tester (or an attacker) collects information about the target. Different passive parts of an attack may be −

  • Reconnaissance of the environment.

  • Reading about the target's security measures on the internet or in the news.

  • Talking to legitimate users about security controls.

  • Sniffing the traffic.

Some tests may already stop at that point. There is a chance that the attacker has obtained all the data he needs directly from unaware legitimate users, or that the sniffed traffic was enough to perform some offline attacks (offline brute-force, offline dictionary, or relevant information such as a password transferred in clear text in the sniffed packets).

On the other hand, if that was not enough, there is a second phase, the active one. This is where the attacker directly interacts with the victim. Active parts of an attack can be −

  • Sending phishing e-mails asking directly for the user's credentials.

  • Injecting wireless frames in order to stimulate some specific action (for example, de-authentication frames).

  • Creating a fake AP that legitimate users will use to connect to the wireless network.

All the attacks described in this chapter are either passive or a combination of passive and active ones. As the reader goes through them, it will be very easy to spot when the passive phase ends and the active one starts.