Red Teaming: Main tools for wireless penetration tests
Nowadays, wireless networks are everywhere, connecting people, services, computers in a network etc. To evaluate the security of these kinds of networks and devices, in this article, we need to understand the overall process of a wireless assessment and the most popular tools often used by red teaming professionals.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
How do you perform wireless assessments?
There are two topics everyone should be concerned about when executing a wireless assessment, namely: being familiarized with the test approach and knowing the right tools.
1. Be familiar with the different Wi-Fi devices
Although many different devices exist, understanding how the Wireless protocol works and its weaknesses could be many times the key to success.
2. Ensure you are collecting the fingerprinting of your scope
Planning a well-conducted scanning is one of the most critical steps during a red teaming assessment. The same approach should be taken into account within the wireless landscape. All the information about the target scope needs to be collected, including SSIDs, Wi-FI ranges, networks segmentation, packet examination, RF signal leakage, encryption key and password strength etc.
3. Exploitation time
After collecting all the needed information, you can prepare the assessment and exploit the targets. For example, brute-force routers with leakage or weak credentials, cracking WPA security, setting up a captive portal testing, deploying rogue ap, finding vulnerabilities between different wireless networks, and identifying devices that shouldn’t be addressed by default. For instance, Evil Twin attack potential and WPA Enterprise misconfigurations are also common attack vectors within this context.
4. Reporting everything
Document all the steps you concluded, and be detailed in listing each finding and how to reproduce it.
The most popular tools for wireless penetration testing
Aircrack
This is a suite of tools to perform Wi-Fi network assessments. The tools focus on different security layers such as packet capture, replay attacks, deauthentication, fake access points, and packet injection. On the other hand, checking Wi-Fi cards and drives capabilities are also available, as is a cracking module for WEP, WPA PSK (WPA 1 and 2).
URL: https://www.aircrack-ng.org/
Airsnort
AirSnort is a WLAN tool capable of cracking encryption keys on 802.11b WEP networks. AirSnort monitors transmissions, computing the encryption key when enough packets have been gathered.
URL: https://sourceforge.net/projects/airsnort/
Kismet
This is a wireless network and device detector. It acts as a sniffer, wardriving tool, and wireless intrusion detection framework. Kismet also works with Wi-Fi and Bluetooth interfaces, radio software and other capture hardware.
URL: https://www.kismetwireless.net/
Wifiphisher
Wifiphisher is a mature tool within the wireless landscape. This tool is a rogue access point framework that creates a MiTM agent between wireless clients by performing targeted Wi-Fi association attacks.
URL: https://github.com/wifiphisher/wifiphisher
Wireshark
Wireshark is an indispensable tool when talking about network packets. It is a network protocol analyzer and organizes all the captured traffic by protocol. This tool is a swiss army knife! More details can be accessed on the official page.
URL: https://www.wireshark.org/
Reaver
Reaver is a tool that implements a brute force mechanism against Wi-Fi Protected Setup (WPS) registrar PINs to recover WPA/WPA2 passphrases.
URL: https://github.com/t6x/reaver-wps-fork-t6x
What should you learn next?
Cracking WPA/WPA2 with hashcat
Hashcat is an advanced password recovery tool. In detail, it supports five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS. Another interesting part is the possibility of enabling distributed password cracking to accelerate the cracking process.
Within the wireless context, the following hash modes can be used for capturing and filtering WPA handshake output:
22000 | WPA-PBKDF2-PMKID+EAPOL22001 | WPA-PMK-PMKID+EAPOL
More details about this topic here.
URL: https://github.com/hashcat/hashcat
Sources
- Kali tools, Kali
- Tips for wireless pentesting, Seclinq
- Wireless tools, GitBook Segurança Informática
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Red Teaming: Main tools for wireless penetration tests
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
- Exploiting NFS share [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness