Wireless Penetration Testing Methods
Wireless Penetration Testing.
Many of our Internal Penetration Testing engagements include wireless penetration testing for one or more wireless access points. While there are many cases where the procedures outlined below may be changed, this is our standard approach to testing wireless networks. If we are given special circumstances, we may modify the methods, but this is the standard case.
Wireless Pen Test Tools.
The primary tools we use for Wireless Penetration Testing are:
- ALFA Networks Wireless Adapters (AWUS036H and AWUS036NHR)
- The Aircrack-ng suite of testing tools, including airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng
- Custom Perl Scripts
This is not a complete list, but these are the major tools. As with our other testing, we prefer simple, powerful, flexible and proven tools, and that's what all of the tools you see on the list above have in common. They are not polished, point and click GUI tools, but they are well suited to scripting and flexibility.
Alfa Cards. This is hardware, shipped with our internal testing host when an engagement requires wireless penetration testing. The Alfa Networks adapters we use with our internal testing hosts are among the best for all-around use on a wide variety of wireless bands, and are well suited to penetration testing.
Aircrack-ng is a suite of several tools for monitoring, probing, attacking and cracking wireless networks. The suite is open source, designed to run on several platforms but is primarily intended for Linux. It is not a point and click suite of tools. It requires a deep understanding and experience with wireless networks, but is highly flexible and intended to be scripted. That makes it an ideal set of tools for penetration testing.
Perl is our scripting language of choice. We use Perl for day to day on-the-fly scripting during all types of penetration testing, but we also use it to generate most of the reports used internally during a wireless penetration test.
Methods and sequence.
Passive Reconnaissance. We conduct passive recon for many types of engagements, but for wireless penetration testing we have a narrower purpose in mind. We find all of the publicly available web pages and other documentation we can relating to your organization and run it through our custom Perl scripts, which create a massive dictionary file composed of every unique word written about you or by you that we can find. It also includes all of the letter and number combinations found in the source of those pages, such as the names of the pages, JavaScript files, directories, etc. We collect this information first because we expect to be able to launch off-line cracking attempts on captured wireless handshakes, and we want the best word list we can get. Once we have everything unique to your organization that we can find, we combine it with all of our standard cracking dictionaries, creating a massive dictionary customized for your organization.
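The wordlist-building step described above, as an added example in Python (not the firm's own Perl scripts): it harvests every unique word from a page's visible text, plus file names, directory names and script names from the page source, merges the result with a standard dictionary, and lets a defender check whether a candidate passphrase would appear in such an organization-specific list. The page source, the `example-corp.invalid` URL and the standard dictionary entries are constructed for the example; the three-character minimum token length and the treatment of file-name stems are this example's own choices.

```python
"""Build an organization-specific wordlist from public web page source.

Added example, not the firm's scripts. Models the passive-recon step: harvest
every unique word from an organization's public pages, plus the path
components of src/href attributes (page names, JavaScript files, directories),
then merge with a standard dictionary. A defender can run the same list
against a proposed wireless passphrase before deploying it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page source; the organization and URL are made up.
SAMPLE_PAGES = {
    "https://example-corp.invalid/about.html": """
<html><head><title>Example Corp - About</title>
<script src="/assets/js/quarterly2019.js"></script></head>
<body><h1>Example Corp</h1>
<p>Founded in 1998, Example Corp builds the Falcon and Osprey product lines.</p>
<a href="/products/falcon-v2/specs.html">Falcon v2 specifications</a>
<img src="/images/hq-building.png" alt="Headquarters">
</body></html>""",
}

WORD_RE = re.compile(r"[A-Za-z0-9]{3,}")


def tokenize_words(text):
    """Alphanumeric runs of three or more characters, exactly as found."""
    return set(WORD_RE.findall(text))


class _Harvester(HTMLParser):
    """Collects visible text words and path components of src/href attributes."""

    def __init__(self):
        super().__init__()
        self.text_words = set()
        self.path_tokens = set()
        self._skip = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        for name, value in attrs:
            if name in ("src", "href") and value:
                self._add_path_tokens(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_words.update(tokenize_words(data))

    def _add_path_tokens(self, url):
        # Each path component is kept whole (quarterly2019.js), as its stem
        # (quarterly2019) and as its alphanumeric pieces (falcon from falcon-v2).
        for part in urlparse(url).path.split("/"):
            if not part:
                continue
            stem = part.rsplit(".", 1)[0]
            self.path_tokens.update({part, stem})
            self.path_tokens.update(tokenize_words(stem))


def harvest_page(html):
    """Return the set of candidate words found in one page's source."""
    h = _Harvester()
    h.feed(html)
    h.close()
    return h.text_words | h.path_tokens


def build_org_wordlist(pages, standard_dictionary=()):
    """Union of all page harvests, each word in original and lowercase form,
    merged with a standard dictionary, de-duplicated and sorted."""
    words = set()
    for html in pages.values():
        for w in harvest_page(html):
            words.add(w)
            words.add(w.lower())
    words.update(standard_dictionary)
    return sorted(words)


def passphrase_in_wordlist(passphrase, wordlist):
    """True if a candidate passphrase appears verbatim in the wordlist."""
    return passphrase in set(wordlist)


if __name__ == "__main__":
    # "password" and "letmein" stand in for a standard cracking dictionary.
    wl = build_org_wordlist(SAMPLE_PAGES, ["password", "letmein"])
    print(len(wl), "candidate words")
    print("quarterly2019 guessable:", passphrase_in_wordlist("quarterly2019", wl))
```

The harvester deliberately ignores text inside script and style elements, since the script file name (taken from the `src` attribute) is what the recon step wants, not the script body. A production version would also apply the common case and digit-suffix mutations before comparison; this example only checks for a verbatim match.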
Discovery. We use airmon-ng to scan for all wireless traffic, including broadcast traffic originating from WAPs and traffic from client stations, and assemble it all into an internal report that we use for further analysis. Our analysis covers all of the key issues identified below.
Wireless Security Faults.
Here is the list of the most commonly encountered wireless security faults and potential faults we look for:
- Weak Protocols
- Default or weak administrative credentials
- Mis-association attack potential
- Dis-association attack potential
- Evil Twin attack potential
- WPA Enterprise mis-configurations
- Client Station Probe information disclosure
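The discovery step and the fault list above, as an added example in Python (not the firm's own Perl report generator): it reads the CSV that airodump-ng writes (an access-point table, a blank line, then a station table), and flags weak protocols (open or WEP networks, WPA without WPA2, WPA2 with TKIP), networks using 802.1X authentication that need a manual review for WPA Enterprise misconfiguration, and client stations that disclose the names of networks they probe for. The capture, its MAC addresses and its ESSIDs are constructed; the column layout is the airodump-ng CSV format as this example assumes it, and ESSIDs are assumed not to contain commas.

```python
"""Summarise an airodump-ng CSV capture into a findings report.

Added example, not the firm's Perl reports. Assumes the airodump-ng CSV
layout: an access-point table, a blank line, then a station table whose last
column(s) are the ESSIDs the station probed for.
"""
import csv
import io

# Constructed sample capture in airodump-ng CSV layout; MACs and ESSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 6, 54, WPA2, TKIP, PSK, -40, 120, 0, 0.0.0.0, 9, CorpGuest,
AA:BB:CC:00:00:02, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 11, 54, WEP, WEP, , -55, 80, 12, 0.0.0.0, 6, Legacy,
AA:BB:CC:00:00:03, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 1, 54, OPN, , , -60, 30, 0, 0.0.0.0, 5, Lobby,
AA:BB:CC:00:00:04, 2019-01-01 10:00:00, 2019-01-01 10:05:00, 36, 54, WPA2, CCMP, MGT, -45, 100, 0, 0.0.0.0, 8, CorpWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2019-01-01 10:01:00, 2019-01-01 10:04:00, -50, 15, AA:BB:CC:00:00:01, CorpGuest
DE:AD:BE:EF:00:02, 2019-01-01 10:02:00, 2019-01-01 10:04:00, -70, 4, (not associated), HomeNet,CoffeeShop
"""


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts."""
    text = text.replace("\r\n", "\n")           # airodump writes CRLF line endings
    ap_part, _, sta_part = text.partition("\n\n")
    aps, stations = [], []
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue                            # header or short/blank line
        aps.append({"bssid": row[0], "channel": row[3].strip(),
                    "privacy": row[5].strip(), "cipher": row[6].strip(),
                    "auth": row[7].strip(), "essid": row[13].strip()})
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # Probed ESSIDs are comma separated, so they spill into extra columns.
        probes = [p.strip() for p in row[6:] if p.strip()]
        stations.append({"mac": row[0], "bssid": row[5].strip(), "probes": probes})
    return aps, stations


def is_weak_privacy(privacy):
    """Open, WEP, or WPA without any WPA2/WPA3 support."""
    p = privacy.upper()
    if "OPN" in p or "WEP" in p:
        return True
    return "WPA" in p and "WPA2" not in p and "WPA3" not in p


def assess(aps, stations):
    """Return (finding_kind, subject, detail) tuples for the fault list."""
    findings = []
    known_essids = {ap["essid"] for ap in aps}
    for ap in aps:
        label = f"{ap['essid']} ({ap['bssid']})"
        if is_weak_privacy(ap["privacy"]):
            findings.append(("weak-protocol", ap["bssid"], f"{label}: {ap['privacy']}"))
        elif "TKIP" in ap["cipher"].upper():
            findings.append(("weak-cipher", ap["bssid"], f"{label}: WPA2 with TKIP"))
        if ap["auth"] == "MGT":
            findings.append(("enterprise-review", ap["bssid"],
                             f"{label}: 802.1X network, review WPA Enterprise configuration"))
    for sta in stations:
        # A station naming networks not seen in this capture is disclosing
        # the names of other networks it will join.
        leaked = [p for p in sta["probes"] if p not in known_essids]
        if leaked:
            findings.append(("probe-disclosure", sta["mac"],
                             "probing for " + ", ".join(leaked)))
    return findings


def format_report(findings):
    """One line per finding, grouped by kind, for the internal report."""
    lines = []
    for kind in sorted({f[0] for f in findings}):
        lines.append(f"== {kind} ==")
        lines.extend(f"  {detail}" for k, _, detail in findings if k == kind)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess(*parse_airodump_csv(SAMPLE_CSV))))
```

Stations associated to a network in the capture and probing only for that network produce no finding, since they disclose nothing the beacons did not already announce. The unassociated station in the sample is the case the "Client Station Probe information disclosure" item refers to.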
Manual Testing. Finally, we look at everything that has been identified for further testing. This is the point at which it is impossible to list tools or methods because there is simply too much potential ground to cover, but we will very often be using other tools in the aircrack-ng suite. Which tools we use and exactly how we go about it will depend on what our analysis has shown.
Wireless Network Penetration Testing Summary.
This is our standard methodology for a standard testing approach for a wireless engagement. We adjust as necessary for different testing objectives.
Ask us for a free, quick, no hassle quote using the contact form above.