
Wireless Penetration Testing Checklist – A Detailed Cheat Sheet

CyberWisdom Safe Harbor Commentary on Wireless Penetration Test on your WiFi

Today I came across this story from gbhackers.com that guides you through how to conduct a Wireless Penetration Test on your WiFi.

What is wireless penetration testing

Wireless penetration testing is the process of actively examining the information security measures placed in wireless networks and analysing their weaknesses, technical flaws, and critical wireless vulnerabilities.

The most important countermeasures to focus on are threat assessment, data theft detection, security control auditing, risk prevention and detection, information system management, infrastructure upgrades and detailed reporting.

Wireless penetration testing framework

  1. Discover the devices connected to the wireless network.

  2. Record all the results of the wireless device discovery.

  3. If you find a wireless device using a WiFi network, perform common WiFi attacks and check whether the device uses WEP encryption.

  4. If you find a WLAN using WEP encryption, perform WEP encryption pentesting.

  5. Check whether the WLAN uses WPA/WPA2 encryption. If yes, perform a WPA/WPA2 pentest.

  6. Check whether the WLAN uses LEAP. If yes, perform LEAP pentesting.

  7. If the WLAN uses none of the encryption methods mentioned above, check whether it is unencrypted.

  8. If the WLAN is unencrypted, perform common WiFi network attacks, check for vulnerabilities in the unencrypted setup, and generate a report.

  9. Before generating the report, make sure that no damage has been caused to the assets under test.
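Steps 1 to 8 above are a decision tree over the discovery results. The following added example (my own code, not from the original article or gbhackers.com) parses a few constructed scan rows laid out in the airodump-ng CSV column format, maps each network onto the checklist branch that applies, and orders the findings for the report in step 8; the severities and notes are assumptions chosen for the report, not values from the page.

```python
import csv
import io

# Constructed sample rows in the airodump-ng CSV column layout (not a real capture).
SAMPLE_SCAN = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WEP, WEP, SKA, -40, 120, 3000, 0.0.0.0, 7, lab-wep, 
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -55, 90, 0, 0.0.0.0, 7, lab-psk, 
00:11:22:33:44:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WPA2, CCMP, MGT, -60, 80, 0, 0.0.0.0, 0, , 
00:11:22:33:44:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, OPN, , , -70, 30, 0, 0.0.0.0, 5, guest, 
"""

# Checklist branch, report severity and defender's note, keyed by the Privacy column (assumed values).
BRANCHES = {
    "WEP":  ("WEP pentest", "critical", "key recoverable from captured IVs; replace with WPA2/WPA3"),
    "WPA":  ("WPA/WPA2 pentest", "high", "TKIP is deprecated; passphrase strength decides dictionary resistance"),
    "WPA2": ("WPA/WPA2 pentest", "medium", "passphrase strength decides dictionary/precomputation resistance"),
    "OPN":  ("unencrypted pentest", "critical", "traffic readable in range; MAC filtering is not a control"),
}

def classify(row):
    """Map one scan record onto the framework branch and the finding to report."""
    privacy = row["Privacy"].split()[0] if row["Privacy"].strip() else "OPN"
    branch, severity, note = BRANCHES.get(privacy, ("manual review", "info", "unrecognised Privacy value"))
    auth = row["Authentication"].strip()
    if auth == "MGT":
        # 802.1X network: the LEAP branch applies only if the EAP method is LEAP,
        # which a beacon scan cannot reveal, so flag it for follow-up.
        branch, severity, note = "LEAP check (802.1X)", "medium", "confirm EAP method; retire LEAP"
    elif privacy == "WEP" and auth == "SKA":
        note += "; shared-key auth exposes keystream"
    return {
        "bssid": row["BSSID"].strip(),
        "essid": row["ESSID"].strip(),
        "hidden": int(row["ID-length"]) == 0,   # zero-length ESSID in beacons = hidden SSID
        "branch": branch,
        "severity": severity,
        "note": note,
    }

def triage(csv_text):
    """Parse an airodump-style CSV and return findings, most severe first (stable order)."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    findings = [classify(r) for r in reader if r.get("BSSID")]
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f["severity"].upper(), f["bssid"], f["essid"] or "<hidden>", "->", f["branch"], "|", f["note"])
```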


Penetration testing a WEP-encrypted WLAN

  1. Check the SSID and determine whether it is visible or hidden.

  2. Check whether the network uses WEP encryption.

  3. If the SSID is visible, try sniffing the traffic and check whether packets are being captured.

  4. If packets are captured and injected successfully, crack the WEP key using wireless cracking tools such as Aircrack-ng or WEPCrack.

  5. If packets are not captured reliably, sniff the traffic and capture packets again.

  6. If the SSID is hidden, use de-authentication tools (such as CommView or Aireplay-ng) to de-authenticate the target client.

  7. Once the client has been de-authenticated and the SSID revealed, repeat the steps above that were used for a visible SSID.

  8. Check whether the authentication method is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, a bypass mechanism is required.

  9. Check whether an STA (station/client) is connected to the AP (access point). This determines which attack applies.

If a client is connected to the AP, an interactive packet replay or ARP replay attack is performed to collect IV packets, which are then used to crack the WEP key.

If no client is connected to the AP, a fragmentation attack or a KoreK chop-chop attack is performed to generate a keystream, which is then used to replay ARP packets.

  10. Once the WEP key is cracked, try connecting to the network using wpa_supplicant and check whether the AP assigns an IP address.

Penetration testing a WPA/WPA2-encrypted WLAN

  1. De-authenticate the WPA/WPA2-protected WLAN clients using WLAN tools such as Hotspotter, Airsnarf or Karma.

  2. If a client is de-authenticated, sniff the traffic and check whether the EAPOL handshake has been captured.

  3. If the client is not de-authenticated, repeat the de-authentication.

  4. Check whether the EAPOL handshake has been captured.

  5. Once the EAPOL handshake has been captured, perform a PSK dictionary attack using coWPAtty or Aircrack-ng to obtain the confidential information.

  6. Additionally, the time-memory trade-off method (rainbow tables), also known as the WPA-PSK precomputation attack, is used to crack WPA/WPA2 passwords; genpmk can be used to generate the precomputed hashes.

  7. If this fails, de-authenticate again, capture the handshake again and repeat the steps above.

Penetration testing a LEAP-encrypted WLAN

  1. Check whether the WLAN is protected by LEAP encryption.

  2. De-authenticate the LEAP-protected client using tools such as Karma or Hotspotter.

  3. If the client is de-authenticated, use tools like asleap to crack the LEAP encryption and obtain confidential information.

  4. If the process fails, de-authenticate again.
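Client de-authentication recurs in the WEP (step 6), WPA/WPA2 (step 1) and LEAP (step 2) procedures, and it is the step a defender can see on the air. The following added example (my own code, not from the original article or gbhackers.com) runs a per-BSSID sliding-window detector over a constructed management-frame log; the window, threshold and frame tuples are assumptions, not values from the page.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10           # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame log, not a real capture: (seconds, subtype, dst, src, bssid, reason code).
# AP 44:01 sends a few isolated deauths over a minute; a burst of 25 broadcast
# deauths carrying AP 44:02's address arrives within half a second.
FRAMES = (
    [(t, DEAUTH, "aa:bb:cc:00:00:01", "00:11:22:33:44:01", "00:11:22:33:44:01", 3)
     for t in (0.0, 25.0, 58.0)]
    + [(100.0 + i * 0.02, DEAUTH, BROADCAST, "00:11:22:33:44:02", "00:11:22:33:44:02", 7)
       for i in range(25)]
)

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert per BSSID when more than `threshold` deauth/disassoc frames fall in `window` seconds.

    Frames are processed in time order with a sliding window per BSSID. A spoofed
    flood cannot be told from an AP's own frames by address alone, so the alert
    records the count, whether the trigger was broadcast, and the reason code for
    the analyst. With 802.11w (PMF) enabled, clients discard unprotected deauth
    frames, so a flood that still disconnects clients also shows PMF is off.
    """
    recent = defaultdict(deque)         # bssid -> timestamps inside the current window
    alerts = {}
    for t, subtype, dst, src, bssid, reason in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and bssid not in alerts:
            alerts[bssid] = {
                "first_seen": q[0],
                "count": len(q),
                "broadcast": dst == BROADCAST,
                "reason": reason,
            }
    return alerts

if __name__ == "__main__":
    for bssid, a in detect_deauth_flood(FRAMES).items():
        print(f"ALERT {bssid}: {a['count']} deauth frames since t={a['first_seen']}s "
              f"(broadcast={a['broadcast']}, reason={a['reason']})")
```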

Unencrypted WLAN penetration test

  1. Check whether the SSID is visible.

  2. If the SSID is visible, sniff for the IP range and check the MAC filtering status.

  3. If MAC filtering is enabled, use SMAC or similar tools to spoof the MAC address.

  4. Try to connect to the AP using an IP address from the discovered range.

  5. If the SSID is hidden, use Aircrack-ng to discover the SSID and then follow the procedure for a visible SSID stated above.
