Cmdpirx Corner

Wifi Penetration Basics

| blog | Tags: wifi, redteam, wireless
██╗    ██╗██╗███████╗██╗        ██████╗ ███████╗███╗   ██╗
██║    ██║██║██╔════╝██║        ██╔══██╗██╔════╝████╗  ██║
██║ █╗ ██║██║█████╗  ██║        ██████╔╝█████╗  ██╔██╗ ██║
██║███╗██║██║██╔══╝  ██║        ██╔═══╝ ██╔══╝  ██║╚██╗██║
╚███╔███╔╝██║██║     ██║        ██║     ███████╗██║ ╚████║
 ╚══╝╚══╝ ╚═╝╚═╝     ╚═╝        ╚═╝     ╚══════╝╚═╝  ╚═══╝

██████╗  █████╗ ███████╗██╗ ██████╗███████╗               
██╔══██╗██╔══██╗██╔════╝██║██╔════╝██╔════╝               
██████╔╝███████║███████╗██║██║     ███████╗               
██╔══██╗██╔══██║╚════██║██║██║     ╚════██║               
██████╔╝██║  ██║███████║██║╚██████╗███████║               
╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝ ╚═════╝╚══════╝               

WiFi Security and Penetration Testing Guide

Types of WiFi Authentication

WiFi authentication types are crucial for securing wireless networks and protecting data from unauthorized access. The main types include WEP, WPA, WPA2, and WPA3, each progressively enhancing security standards.

1. WEP (Wired Equivalent Privacy)

The original WiFi security protocol, WEP provides basic encryption but is now considered outdated and insecure due to vulnerabilities that make it easy to breach.

2. WPA (WiFi Protected Access)

Introduced as an interim improvement over WEP, WPA offers better encryption through TKIP (Temporal Key Integrity Protocol), but it is still less secure than newer standards.

3. WPA2 (WiFi Protected Access II)

A significant advancement over WPA, WPA2 uses AES (Advanced Encryption Standard) for robust security. It has been the standard for many years, providing strong protection for most networks.

4. WPA3 (WiFi Protected Access III)

The latest standard, WPA3 enhances security with features like individualized data encryption and more robust password-based authentication, making it the most secure option currently available.


Penetration Testing Methodology

Evaluating Passphrases

This involves assessing the strength and security of WiFi network passwords or passphrases. Penetration testers employ various techniques, such as dictionary attacks, brute force attacks, and password cracking tools, to evaluate the resilience of passphrases against unauthorized access.

Evaluating Configuration

Penetration testers analyze the configuration settings of WiFi routers and access points to identify potential security vulnerabilities. This includes scrutinizing encryption protocols, authentication methods, network segmentation, and other configuration parameters to ensure they adhere to best security practices.

Testing the Infrastructure

This phase focuses on probing the robustness of the WiFi network infrastructure. Penetration testers conduct comprehensive assessments to uncover weaknesses in network architecture, device configurations, firmware versions, and implementation flaws that could be exploited by attackers to compromise the network.

Testing the Clients

Penetration testers evaluate the security posture of WiFi clients, such as laptops, smartphones, and IoT devices, that connect to the network. This involves testing for vulnerabilities in client software, operating systems, wireless drivers, and network stack implementations to identify potential entry points for attackers.


IEEE 802.11 MAC Frame Structure

All 802.11 frames utilize the MAC frame. This frame is the foundation for all other fields and actions that are performed between the client and access point, and even in ad-hoc networks. The MAC data frame consists of 9 fields:

  • Frame Control: contains information such as type, subtype, protocol version, To DS (distribution system), From DS, order, etc.
  • Duration/ID: states the amount of time for which the wireless medium is occupied
  • Address 1, 2, 3 and 4: identify the MAC addresses involved in the communication, including the BSSID of the access point and the client MAC address
  • SC (Sequence Control): carries sequence and fragment numbers so that duplicate frames can be detected
  • Data: contains the data transmitted from the sender to the receiver
  • CRC: contains a 32-bit cyclic redundancy check for error detection

IEEE 802.11 Frame Types

  • Management (00): These frames are used for management and control, allowing the access point and client to control the active connection.
  • Control (01): Control frames are used for managing the transmission and reception of data frames within WiFi networks. They provide quality control functionality.
  • Data (10): Data frames are used to contain data for transmission.

Management Frame Sub-Types

Primarily, for WiFi penetration testing, we focus on management frames. These frames are used to control the connection between the access point and client. To filter them in Wireshark, specify type 00 and subtypes as follows:

Beacon Frames (1000)

Beacon frames are primarily used by the access point to communicate its presence to the client or station. They include information such as supported ciphers, authentication types, SSID, and supported data rates.

Probe Request (0100) and Probe Response (0101)

The probe request and response process allows the client to discover nearby access points. A client sends a probe request with the SSID of the access point, and the access point responds with information about itself.

Authentication Request and Response (1011)

Authentication requests are sent by the client to the access point to begin the connection process. These frames are primarily used to identify the client to the access point.

Association/Reassociation Request and Responses (0000, 0001, 0010, 0011)

After sending an authentication request and undergoing the authentication process, the client sends an association request to the access point. The access point then responds with an association response to indicate whether the client is able to associate with it or not.

Disassociation/Deauthentication (1010, 1100)

Disassociation and Deauthentication frames are sent from the access point to the client. They are designed to terminate the connection between the access point and the client. These frames contain a reason code that indicates why the client is being disconnected from the access point. These frames are utilized for handshake captures and denial of service attacks during WiFi penetration testing efforts.
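The header layout and the type/subtype bits above, worked through in code. This is an added example, not code from the original post: it parses a constructed deauthentication frame (addresses and reason code are made up), decodes the fields discussed, and emits the matching Wireshark display filter. Control frames have shorter headers and are rejected.

```python
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {  # subtype bits as listed on this page
    0b0000: "Association Request", 0b0001: "Association Response",
    0b0010: "Reassociation Request", 0b0011: "Reassociation Response",
    0b0100: "Probe Request", 0b0101: "Probe Response", 0b1000: "Beacon",
    0b1010: "Disassociation", 0b1011: "Authentication", 0b1100: "Deauthentication",
}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    # Frame Control is little-endian: byte 0 = version(2 bits) | type(2) | subtype(4), byte 1 = flags
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if ftype == 1:
        raise ValueError("control frames do not carry the full 24-byte header")
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]  # 4 bits fragment, 12 bits sequence
    hdr = {
        "version": fc & 0x3,
        "type": TYPE_NAMES.get(ftype, "Reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, f"subtype {subtype:04b}") if ftype == 0
                   else f"subtype {subtype:04b}",
        "to_ds": to_ds, "from_ds": from_ds, "duration": duration,
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "fragment": seq_ctl & 0xF, "sequence": seq_ctl >> 4,
        # Wireshark packs type and subtype the same way: 0x0c is a deauthentication frame
        "wireshark_filter": f"wlan.fc.type_subtype == 0x{(ftype << 4) | subtype:02x}",
    }
    body = 24
    if to_ds and from_ds:  # Address 4 is only present on bridged (WDS) data frames
        hdr["addr4"], body = mac_str(frame[24:30]), 30
    if hdr["subtype"] in ("Deauthentication", "Disassociation"):
        hdr["reason_code"] = struct.unpack_from("<H", frame, body)[0]  # first body field
    return hdr

# Constructed deauthentication frame: FC c0 00, duration 0x013a, client in addr1,
# AP in addr2 and addr3 (BSSID), sequence 13 fragment 0, reason code 7.
SAMPLE_DEAUTH = bytes.fromhex(
    "c000" "3a01" "112233445566" "aabbccddeeff" "aabbccddeeff" "d000" "0700")

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_DEAUTH).items():
        print(f"{key:17} {value}")
```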


The Connection Cycle

  1. Beacon Frames
  2. Probe Request and Response
  3. Authentication Request and Response
  4. Association Request and Response
  5. Some form of handshake or other security mechanism
  6. Disassociation/Deauthentication

Authentication Methods

Open System Authentication

Open System Authentication is straightforward and does not require any shared secret or credentials for initial access. This type of authentication is typically used in open networks where no password is needed, allowing any device to connect to the network without prior verification.

Process:

  1. The client (station) sends an authentication request to the access point to begin the authentication process
  2. The access point sends the client back an authentication response, which indicates whether the authentication was accepted
  3. The client then sends the access point an association request
  4. The access point responds with an association response to indicate whether the client can stay connected

Shared Key Authentication

Shared Key Authentication involves the use of a shared key. In this system, both the client and the access point verify each other's identities by computing a challenge-response mechanism based on the shared key.

Authentication with WEP

  1. Authentication request: The client sends the access point an authentication request
  2. Challenge: The access point responds with a custom authentication response which includes challenge text for the client
  3. Challenge Response: The client responds with the encrypted challenge, which is encrypted with the WEP key
  4. Verification: The AP decrypts this challenge and sends back either an indication of success or failure

Authentication with WPA

WPA utilizes a form of authentication that includes a four-way handshake. This replaces the association process with more verbose verification:

  1. Authentication Request: The client sends an authentication request to the AP to initiate the authentication process
  2. Authentication Response: The AP responds with an authentication response, indicating readiness to proceed with authentication
  3. Pairwise Key Generation: The client and the AP calculate the PMK from the PSK (password)
  4. Four-Way Handshake: The client and access point undergo each step of the four-way handshake, which involves nonce exchange, derivation, and other actions to verify that both the client and AP know the PSK
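The pairwise key generation step (step 3 above) and the passphrase evaluation phase from the methodology section, as an added example that is not code from the original post. `wpa_pmk` implements the PBKDF2 derivation IEEE 802.11i specifies for WPA/WPA2-Personal; the wordlist and the passphrase checks are constructed illustrations of what a passphrase review looks at.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 256 bits).
    This is the standard 802.11i derivation; the SSID is the salt, so the same
    passphrase yields a different PMK on every network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed mini wordlist standing in for the dictionary a tester would use.
WORDLIST = ["password", "letmein1", "qwertyuiop", "HTB-Wifi"]

def passphrase_findings(passphrase: str, ssid: str) -> list:
    """Review checks on a candidate passphrase for the given SSID (constructed rules)."""
    findings = []
    if len(passphrase) < 12:
        findings.append("shorter than 12 characters")
    if passphrase.isdigit():
        findings.append("digits only (tiny keyspace)")
    if passphrase in WORDLIST:
        findings.append("appears in the wordlist")
    if passphrase.lower() == ssid.lower():
        findings.append("equals the SSID")
    return findings

def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two SSIDs give different PMKs for one passphrase: precomputed
    PMK tables only work per SSID, so a unique SSID limits table reuse."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())  # 802.11i Annex H test vector
    print(passphrase_findings("password", "IEEE"))
```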

Working with WiFi Cards

Basic Configuration Commands

Check the current regulatory domain (region) applied to the wireless card:

sudo iw reg get

Change region:

sudo iw reg set US

Set transmission power:

sudo iwconfig wlan0 txpower 30

List all capabilities of card:

iw list

Interface Modes

Managed Mode

Managed mode allows the interface to act as a client or station. In this mode, the card actively searches for nearby networks (APs) to establish a connection.

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode managed
sudo iwconfig wlan0 essid HTB-Wifi

Ad-hoc Mode

Ad-hoc mode operates in a decentralized, peer-to-peer approach, allowing wireless interfaces to communicate directly with one another. This mode is commonly found in residential mesh systems for their backhaul bands.

sudo iwconfig wlan0 mode ad-hoc
sudo iwconfig wlan0 essid HTB-Mesh

Master Mode

Master mode (access point/router mode) requires a management daemon to respond to stations or clients connecting to the network. Commonly, hostapd is used for this task.

Create configuration file:

nano open.conf

Configuration content:

interface=wlan0
driver=nl80211
ssid=HTB-Hello-World
channel=2
hw_mode=g

Start hostapd:

sudo hostapd open.conf
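The open.conf above brings up an unencrypted network. As an added example (not part of the original post or of hostapd), the following parses hostapd's key=value format and flags weak settings, contrasting the page's open.conf with a constructed WPA2 counterpart; the hardened config's passphrase is a placeholder.

```python
OPEN_CONF = """\
interface=wlan0
driver=nl80211
ssid=HTB-Hello-World
channel=2
hw_mode=g
"""

# Constructed hardened counterpart: WPA2 only, CCMP only, management frame
# protection required (ieee80211w=2), placeholder passphrase.
WPA2_CONF = OPEN_CONF + """\
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
"""

def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit_hostapd(cfg: dict) -> list:
    """Return findings for the settings this page's protocol overview warns about."""
    findings = []
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured: WEP is broken, use WPA2/WPA3")
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA1, bit 1 = WPA2/RSN
    if wpa == 0:
        findings.append("no wpa= setting: open network, frames are sent unencrypted")
        return findings
    if wpa & 1:
        findings.append("wpa=1 bit set: WPA1 is still accepted")
    if "TKIP" in cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", ""):
        findings.append("TKIP pairwise cipher allowed: prefer CCMP only")
    if cfg.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w is not 2: deauth/disassoc frames are unauthenticated")
    if cfg.get("wpa_passphrase") and len(cfg["wpa_passphrase"]) < 12:
        findings.append("wpa_passphrase shorter than 12 characters")
    return findings

if __name__ == "__main__":
    print(audit_hostapd(parse_hostapd(OPEN_CONF)))
    print(audit_hostapd(parse_hostapd(WPA2_CONF)))
```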

Mesh Mode

Mesh mode allows the interface to join a self-configuring and routing network. This mode is commonly used for business applications requiring large coverage across a physical space.

Monitor Mode

Monitor mode (also known as promiscuous mode) is a specialized operating mode for wireless network interfaces. In this mode, the network interface can capture all wireless traffic within its range, regardless of the intended recipient.

sudo ifconfig wlan0 down
sudo iw wlan0 set monitor control
sudo ifconfig wlan0 up

Aircrack-ng Suite

The Aircrack-ng suite provides comprehensive tools for wireless network auditing:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA PSK (WPA 1 and 2)

Airmon-ng

Airmon-ng can enable and disable monitor mode on wireless interfaces.

Start airmon-ng:

sudo airmon-ng start wlan0

Stop airmon-ng:

airmon-ng stop wlan0mon

Check for interference:

sudo airmon-ng check

Kill interfering processes (only if needed):

sudo airmon-ng check kill

Start Airmon on specific channel:

airmon-ng start wlan0 11

Airodump-ng

Airodump-ng can capture raw 802.11 frames and provides detailed network information:

  • BSSID: MAC address of the access point
  • PWR: power/signal strength of the network (higher = better signal)
  • Beacons: number of announcement packets sent by the network
  • #Data: number of captured data packets
  • #/s: number of data packets captured in the past ten seconds
  • CH: channel the network runs on
  • MB: maximum speed supported by the network
  • ENC: encryption method used by the network
  • CIPHER: cipher used by the network
  • AUTH: authentication used by the network
  • ESSID: name of the network
  • STATION: MAC address of the client connected to the network
  • RATE: data transfer rate between the client and the access point
  • LOST: number of data packets lost
  • Packets: number of data packets sent by the client
  • Notes: additional information about the client (captured EAPOL or PMKID)
  • PROBES: list of networks the client is probing for

Basic usage:

sudo airodump-ng wlan0mon

Dump on specific channel:

sudo airodump-ng -c 11 wlan0mon

Supported bands:

  • a uses 5 GHz
  • b uses 2.4 GHz
  • g uses 2.4 GHz

airodump-ng --band abg wlan0mon

Write to file:

sudo airodump-ng wlan0mon -w filedump

Airgraph-ng

Airgraph-ng creates graphs of wireless networks using CSV files generated by Airodump-ng. It produces two distinct types of graphs:

  1. Clients to AP Relationship Graph: Illustrates connections between wireless clients and Access Points
  2. Clients Probe Graph: Shows probed networks by wireless clients

Aireplay-ng

Aireplay-ng generates wireless traffic for use in aircrack-ng for cracking WEP and WPA-PSK keys. It supports various attacks including:

  • Deauthentication attacks for capturing WPA handshake data
  • Fake authentications
  • Interactive packet replay
  • Hand-crafted ARP request injection
  • ARP-request reinjection

Airdecap-ng

Airdecap-ng decrypts wireless capture files once the network key has been obtained. It can:

  • Remove wireless headers from an open network capture (unencrypted capture)
  • Decrypt WEP-encrypted capture files using a hexadecimal WEP key
  • Decrypt WPA/WPA2-encrypted capture files using the passphrase

Aircrack-ng

Aircrack-ng can crack WEP and WPA/WPA2 networks that use pre-shared keys or PMKID, providing the final step in the wireless security assessment process.