Top Ten Tips for Wireless Pentesting


A hacker’s perspective

The use of wireless networks has really taken off. With a mobile device (smartphone, tablet, laptop) anyone anywhere in the world can access their own digital environment via WiFi. That brings into the picture additional network threats such as:

  • unauthorized access to information
  • manipulating information
  • attacking information availability

For example, it is now quite normal for business e-mails to be read on a tablet in an airport lounge. Working wirelessly offers many advantages, but certainly, in comparison with a network with fixed connections, there are also serious and specific threats that can affect the reliability of an organization’s information supply.


A wireless network is inherently vulnerable to the interception of wireless communications. Mobile devices are also vulnerable to theft or loss, as a result of which the (company) data stored on them can end up in the wrong hands. Many organizations that use, or want to use, a wireless network are not yet sufficiently aware of the risks this entails, or of how those risks can be removed or limited.

Hackers can also spread malware via an unsecured Wi-Fi connection. If your settings allow file sharing over a network, the hacker can easily install infected software on your computer. Some attackers have even managed to compromise the access point itself: during the connection process, a pop-up window appears offering an upgrade for a popular software product, and when you click in the window, the malware is installed.


Wireless pentesting

If you want the rewards of pentesting, probably the best strategy is to start with a Wi-Fi pentest. It is a distinctive type of pentest that combines both physical and virtual components to examine one of the weakest areas of your overall network security.

Wi-Fi pentesting can be divided into six steps: Wi-Fi reconnaissance, identifying Wi-Fi networks, vulnerability scanning, exploitation, reporting, and remediation.

Let's discuss the top ten tips for wireless pentesting.

Tip 1: Be aware of the rules of engagement

This includes a short kick-off meeting with the customer to review and agree on the pentesting rules of engagement and the testing schedule, identify the specific testing targets, record any testing restrictions or limitations, and answer any questions related to the engagement. Make sure to sign a security waiver that gives you permission from the owner of the network to pentest it.


Tip 2: Have the right equipment

Be sure that you have at least the minimum equipment: a laptop, a Wi-Fi antenna, a second wireless network adapter, and packet capture and analysis software.

With this equipment, you will be able to gather information about Wi-Fi networks and analyze the acquired data. You can discover rogue access points trying to hijack connections and gain unauthorized access. But without a basic understanding of information security, you will not be able to make it work. There are a lot of offensive security training courses out there to get up to speed.


Tip 3: Be familiar with the different Wi-Fi pentesting methods

From the beginning, it has to be decided whether it will be a white, black, or grey box test. Then, for example, when you start the first step of Wi-Fi pentesting, reconnaissance, you can use the method of "wardriving": you drive around to search for Wi-Fi networks and see what kind of data you can receive from the different kinds of networks. You need to know about rogue access point detection and RF signal leakage, and you need to check the encryption types and password strengths in use.

Network segmentation needs to be investigated: attempt to gain access to the internal network from both the guest and the authenticated wireless networks, to identify any weaknesses between the wireless environments and the physical network firewalls that may need to be addressed. Evil twin attack potential and WPA Enterprise misconfigurations are also common attack vectors.
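A defender-side check for the rogue access point and evil twin concerns above, as an added example that is not part of the original post: the authorized AP inventory, the scan records and the AccessPoint field names are constructed assumptions, not the output format of any particular survey tool.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # AP MAC address as seen in beacons
    essid: str      # network name
    channel: int
    privacy: str    # "OPN", "WEP", "WPA2", "WPA3", ...

# Constructed inventory of the customer's own APs (assumed to be current).
AUTHORIZED = {
    "AA:BB:CC:00:01:01": AccessPoint("AA:BB:CC:00:01:01", "CorpNet", 6, "WPA2"),
    "AA:BB:CC:00:01:02": AccessPoint("AA:BB:CC:00:01:02", "CorpNet", 11, "WPA2"),
    "AA:BB:CC:00:02:01": AccessPoint("AA:BB:CC:00:02:01", "CorpGuest", 1, "WPA2"),
}

def classify(scan, authorized=AUTHORIZED):
    """Return {bssid: finding} for every AP in `scan` that needs attention."""
    corporate_names = {ap.essid for ap in authorized.values()}
    findings = {}
    for ap in scan:
        known = authorized.get(ap.bssid.upper())
        if known is None:
            if ap.essid in corporate_names:
                # Corporate SSID advertised by a BSSID we do not own: evil twin candidate.
                findings[ap.bssid] = "evil-twin candidate: corporate ESSID on unknown BSSID"
            elif ap.privacy in ("OPN", "WEP"):
                # Unknown open or WEP network in range: possible rogue AP.
                findings[ap.bssid] = "unknown open/WEP AP near site: possible rogue AP"
        elif ap.essid != known.essid or ap.privacy != known.privacy:
            # Known BSSID whose SSID or encryption drifted from the inventory.
            findings[ap.bssid] = "inventory mismatch: configuration differs from authorized record"
    return findings

# Constructed scan records, as a survey tool might report them.
SAMPLE_SCAN = [
    AccessPoint("AA:BB:CC:00:01:01", "CorpNet", 6, "WPA2"),    # legitimate
    AccessPoint("DE:AD:BE:EF:00:01", "CorpNet", 6, "OPN"),     # evil twin, open
    AccessPoint("AA:BB:CC:00:02:01", "CorpGuest", 1, "OPN"),   # known BSSID, encryption changed
    AccessPoint("12:34:56:78:9A:BC", "FreeWifi", 3, "OPN"),    # unknown open AP
    AccessPoint("FE:DC:BA:98:76:54", "Neighbour", 9, "WPA2"),  # unrelated, ignored
]

if __name__ == "__main__":
    for bssid, finding in classify(SAMPLE_SCAN).items():
        print(f"{bssid}  {finding}")
```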

Tip 4: Be familiar with Wi-Fi pentesting tools, for example:


  • Aircrack
  • AirSnort
  • Kismet
  • NetStumbler
  • Wifiphisher
  • Wireshark
  • coWPAtty
  • Airjack
  • WepAttack
  • Nmap
  • Wifite
  • Acrylic
  • Airodump
  • Reaver
  • Hashcat/John the Ripper

For a more complete list, see the Kali Linux tool list.


Tip 5: Perform vulnerability scanning

By conducting a vulnerability assessment you can find multiple vulnerabilities quickly, and by using automated scanning tools you will save a significant amount of time. Once the results are in, spend some time analyzing them and rule out any false positives.


Tip 6: Increase transmission power of wireless cards

The TX power of USB wireless cards is 20 dBm by default, but two commands can increase your transmission power: first set the regulatory domain with "iw reg set BO", then set the power with "iwconfig wlan0 txpower 30" (replace wlan0 with your interface name; whether the card actually accepts 30 dBm depends on its driver and firmware).


Tip 7: Exploitation

There are many ways to get into a wireless network; you identify which of them apply during the reconnaissance phase. It might be cracking a WPS PIN, or, if a network uses WEP and is busy with clients, capturing IVs with airodump-ng and then cracking the key:

aircrack-ng -e essid -b 0F:F0:FF:FF:FF:00 replay_arp*.cap

For WPA/WPA2, you can capture PMKID hashes from nearby networks and try to crack them with a tool like hashcat. Alternatively, you can capture the WPA/WPA2 handshake and run a dictionary attack against it with aircrack-ng.

Use the information gathered in the previous testing phases to decide which attack you will use.

Tip 8: Exploiting the wireless nodes

Do not forget that wireless devices have vulnerabilities too. Identify the manufacturer and model of the wireless devices, and of any other network devices you can discover, and check for recently published vulnerabilities affecting them.

Tip 9: Post-Exploitation

Do not stop once you are in; assess the impact of having gained access to the wireless network. What critical assets can you reach? Can you capture sensitive information? Can you pivot to other networks?

Tip 10: Reporting

Document the steps you completed, and be detailed in listing the findings and how to reproduce them.

The goal of the report is for the customer to understand the risk to the wireless network, and to understand how to reduce that risk.

Include a non-technical summary for executives, with an explanation of the risk, so that they can decide what to fix and when to fix it.

Conclusion: Top ten tips for wireless pentesting

Wireless pentesting is an art; there are many different methodologies to use for a wireless penetration test, and the choice depends on the objective of the test.

Understand the attack surface, define testing goals, and follow an organized testing approach that covers all attack vectors.



These are our top ten tips for wireless pentesting, but we also provide a wireless penetration testing service.
We can answer any questions you might have about what you should do to secure your networks.