Red Teaming: Main tools for wireless penetration tests
Nowadays, wireless networks are everywhere, connecting people, services, computers in a network etc. To evaluate the security of these kinds of networks and devices, in this article, we need to understand the overall process of a wireless assessment and the most popular tools often used by red teaming professionals.
FREE role-guided training plans
How do you perform wireless assessments?
There are two topics everyone should be concerned about when executing a wireless assessment, namely: being familiarized with the test approach and knowing the right tools.
1. Be familiar with the different Wi-Fi devices
Although many different devices exist, understanding how the Wireless protocol works and its weaknesses could be many times the key to success.
2. Ensure you are collecting the fingerprinting of your scope
Planning a well-conducted scanning is one of the most critical steps during a red teaming assessment. The same approach should be taken into account within the wireless landscape. All the information about the target scope needs to be collected, including SSIDs, Wi-FI ranges, networks segmentation, packet examination, RF signal leakage, encryption key and password strength etc.
3. Exploitation time
After collecting all the needed information, you can prepare the assessment and exploit the targets. For example, brute-force routers with leakage or weak credentials, cracking WPA security, setting up a captive portal testing, deploying rogue ap, finding vulnerabilities between different wireless networks, and identifying devices that shouldn’t be addressed by default. For instance, Evil Twin attack potential and WPA Enterprise misconfigurations are also common attack vectors within this context.
4. Reporting everything
Document all the steps you concluded, and be detailed in listing each finding and how to reproduce it.
The most popular tools for wireless penetration testing
Aircrack
This is a suite of tools to perform Wi-Fi network assessments. The tools focus on different security layers such as packet capture, replay attacks, deauthentication, fake access points, and packet injection. On the other hand, checking Wi-Fi cards and drives capabilities are also available, as is a cracking module for WEP, WPA PSK (WPA 1 and 2).
URL: https://www.aircrack-ng.org/
Airsnort
AirSnort is a WLAN tool capable of cracking encryption keys on 802.11b WEP networks. AirSnort monitors transmissions, computing the encryption key when enough packets have been gathered.
URL: https://sourceforge.net/projects/airsnort/
Kismet
This is a wireless network and device detector. It acts as a sniffer, wardriving tool, and wireless intrusion detection framework. Kismet also works with Wi-Fi and Bluetooth interfaces, radio software and other capture hardware.
URL: https://www.kismetwireless.net/
Wifiphisher
Wifiphisher is a mature tool within the wireless landscape. This tool is a rogue access point framework that creates a MiTM agent between wireless clients by performing targeted Wi-Fi association attacks.
URL: https://github.com/wifiphisher/wifiphisher
Wireshark
Wireshark is an indispensable tool when talking about network packets. It is a network protocol analyzer and organizes all the captured traffic by protocol. This tool is a swiss army knife! More details can be accessed on the official page.
URL: https://www.wireshark.org/
Reaver
Reaver is a tool that implements a brute force mechanism against Wi-Fi Protected Setup (WPS) registrar PINs to recover WPA/WPA2 passphrases.
URL: https://github.com/t6x/reaver-wps-fork-t6x
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Cracking WPA/WPA2 with hashcat
Hashcat is an advanced password recovery tool. In detail, it supports five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS. Another interesting part is the possibility of enabling distributed password cracking to accelerate the cracking process.
Within the wireless context, the following hash modes can be used for capturing and filtering WPA handshake output:
22000 | WPA-PBKDF2-PMKID+EAPOL
22001 | WPA-PMK-PMKID+EAPOL
More details about this topic here.
URL: https://github.com/hashcat/hashcat
Sources
- Kali tools, Kali
- Tips for wireless pentesting, Seclinq
- Wireless tools, GitBook Segurança Informática