Skip to content

Latest commit

 

History

History
97 lines (60 loc) · 3.38 KB

26. Wireless Penetration Testing.md

File metadata and controls

97 lines (60 loc) · 3.38 KB

Wireless Penetration Testing

Wireless Penetration Testing Overview

Wireless networks generally fall into two categories:

  • WPA2 PSK (Pre-Shared Key): Commonly used in home networks.
  • WPA2 Enterprise: Typically used in business environments, with a more complex setup.

Since WPA2 Enterprise is more challenging to set up and test, this guide focuses on WPA2 PSK, which is quicker to attack and commonly documented in blog posts.

Activities

  1. Evaluating PSK Strength: Capture a WPA2 handshake and attempt to crack the PSK (password).

  2. Reviewing Nearby Networks: Identify and assess nearby networks for vulnerabilities.

  3. Assessing Guest Networks:

    • Check if guest networks are properly separated from main networks.
    • Attempt to crack the guest network password.

  4. Checking Network Access: Verify the level of access allowed once connected to the network.

Required Hardware

  • Alfa Wireless Card:

    • Capable of packet injection and monitoring.
    • Supports both 2.4GHz and 5GHz frequencies.
    • Alfa and Panda are recommended brands.
    • See: Best WiFi Adapters for Kali Linux

  • Router

  • Laptop

Hacking Process

  1. Switch Wireless Card to Monitor Mode: Enables capturing all wireless traffic in range.

  2. Discover Network Information: Identify channel and BSSID of the target network.

  3. Capture Data: Select the target network and capture data packets.

  4. Perform Deauthentication (Deauth) Attack: Force a connected user to reconnect to the network.

  5. Capture WPA Handshake: Obtain the handshake when a user reconnects to the network.

  6. Attempt to Crack the Handshake: Use tools to crack the WPA2 handshake and retrieve the PSK.

WPA PS2 Exploit Walkthrough

  1. Connect Router to Kali Linux:

    • Connect your router to the Kali Linux machine.
    • Verify the connection using iwconfig.

  2. Prepare the Wireless Card:

    • Stop interfering processes: airmon-ng check kill
    • Start monitor mode on the wireless card: airmon-ng start wlan0

  3. Verify Monitor Mode:

    • Check if wlan0mon appears: iwconfig

  4. Scan for Devices:

    • Use airodump-ng to scan for nearby devices: airodump-ng wlan0mon
    • Look for the TP-Link router in the scan results. Note down the channel and BSSID (e.g., 50:C7:BF:8A:00:73).

  5. Capture Data:

    • Start capturing packets from the specific channel and BSSID: 
      airodump-ng -c [CHANNEL] --bssid [BSSID] -w capture wlan0mon
      Replace [CHANNEL] with the noted channel number and [BSSID] with the router’s BSSID.

  6. Perform Deauthentication Attack:

    • Open a new terminal tab and execute the following to deauthenticate a connected user: 
      aireplay-ng -0 1 -a [BSSID] -c [CLIENT_MAC] wlan0mon
      Replace [BSSID] with the router’s BSSID and [CLIENT_MAC] with the MAC address of a connected client (found in the scan results).

  7. Verify WPA Handshake:

    • In the airodump-ng tab, ensure you see WPA Handshake at the top, indicating successful capture.

  8. Crack the Password:

    • Use aircrack-ng to crack the captured handshake with a wordlist: 
      aircrack-ng -w [WORDLIST] -b [BSSID] capture.cap
      Replace [WORDLIST] with the path to your wordlist file and [BSSID] with the router’s BSSID.