What is Wireless Penetration Testing?
Wireless penetration testing is the process of actively examining the information security measures placed in wireless networks, and analysing their weaknesses, technical flaws and critical wireless vulnerabilities.
The most important countermeasures we should focus on are threat assessment, data theft detection, security control auditing, risk prevention and detection, information system management, infrastructure upgrades, and preparing a detailed report.
Framework for Wireless Penetration Testing
- Discover the devices connected to the wireless networks.
- Document all the findings if a wireless device is found.
- If a wireless device is found using Wi-Fi networks, perform the common Wi-Fi attacks and check whether the device uses WEP encryption.
- If you find a WLAN using WEP encryption, perform WEP encryption pentesting.
- Check whether the WLAN uses WPA/WPA2 encryption. If "yes", perform WPA/WPA2 pentesting with Fluxion (see below).
- Check whether the WLAN uses LEAP encryption. If yes, perform LEAP pentesting.
- If none of the encryption methods mentioned above is used, check whether the WLAN is unencrypted.
- If the WLAN is unencrypted, perform the common Wi-Fi network attacks, check the vulnerabilities present in the unencrypted setup and generate a report.
- Before generating a report, make sure no damage has been caused to the assets under test.
Penetration Testing with WEP Encrypted WLAN
- Check the SSID and analyse whether it is visible or hidden.
- If the SSID is visible, try to sniff the traffic and check the packet capturing status.
- If packets have been successfully captured and injected, it is time to break the WEP key using a wireless cracking tool such as Aircrack-ng or WEPcrack.
- If packets are not reliably captured, sniff the traffic again and capture the packets.
- If the SSID is hidden, deauthenticate the target client using a deauthentication tool such as CommView or Aireplay-ng.
- Once the client has successfully re-authenticated and the SSID has been discovered, follow the same procedure used for a visible SSID in the earlier steps.
Penetration Testing with WPA/WPA2 Encrypted WLAN
- Start by deauthenticating the client of the WPA/WPA2-protected WLAN using WLAN tools such as Hotspotter, Airsnarf, Karma, etc.
- If the client is deauthenticated, sniff the traffic and check the status of the captured EAPOL handshake.
- If the client is not deauthenticated, do it again.
- Check whether the EAPOL handshake has been captured or not.
- Once you have captured the EAPOL handshake, perform a PSK dictionary attack using coWPAtty or Aircrack-ng to gain confidential information.
- If it fails, deauthenticate again, try to capture the handshake again, and redo the above steps.
Penetration Testing with LEAP Encrypted WLAN
- Check and confirm whether the WLAN is protected by LEAP encryption or not.
- Deauthenticate the LEAP-protected client using tools such as Karma, Hotspotter, etc.
- If the client is deauthenticated, break the LEAP encryption using a tool such as asleap to steal the confidential information.
- If the process drops, deauthenticate again.
Penetration Testing with Unencrypted WLAN
- Check whether the SSID is visible or not.
- If the SSID is visible, sniff for the IP range, then check whether MAC filtering is enabled.
- If MAC filtering is enabled, spoof the MAC address using a tool such as SMAC.
- Try to connect to the AP using an IP address within the discovered range.
- If the SSID is hidden, discover the SSID using Aircrack-ng and follow the procedure for a visible SSID described above.
Cracking WPA/WPA2 Passwords with Fluxion
What is WPA/WPA2?
WPA: WPA, Wi-Fi Protected Access, is a security standard for users of devices with a wireless internet connection. WPA replaced the original Wi-Fi security standard, Wired Equivalent Privacy (WEP). WPA provides more robust data encryption than WEP.
WPA2: The significant improvement in Wi-Fi Protected Access II (WPA2) was the mandatory use of the AES (Advanced Encryption Standard) algorithm and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) as a replacement for TKIP.
How Fluxion works?
- Scan the network.
- Capture the handshakes.
- Use the web interface.
- Launch a fake AP instance (replicating the original one).
- Spawn an MDK3 process (used to send valid and invalid packets), which deauthenticates all users connected to the target network, so that they can be tempted to connect to the fake AP and enter the WPA password.
- A fake DNS server is launched to capture all DNS requests and redirect them to the host running the script.
- A captive portal is launched in order to serve a page which prompts the user to enter their WPA password.
- Every password is verified against the handshake captured earlier.
- The attack terminates automatically once the correct password is submitted.
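The deauthentication steps in the framework above and the MDK3 deauth plus fake AP stages of Fluxion both leave traces a defender can see in 802.11 management frames. The following is an added example, not code from the original page or from the Fluxion project: it runs two detections over a constructed list of parsed frames, a deauth-flood check per BSSID in a sliding time window and an evil-twin check for beacons advertising a known SSID from a BSSID that is not in the assumed AP inventory (KNOWN_APS, the thresholds and the frame tuples are all assumptions of this example).

```python
from collections import defaultdict, deque

DEAUTH = "deauth"
BEACON = "beacon"

# Assumed inventory of legitimate access points for the SSID under test.
KNOWN_APS = {"CorpWifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Constructed sample of parsed 802.11 management frames (not a real capture):
# (timestamp_seconds, subtype, bssid, ssid_or_None)
FRAMES = [
    (0.0, BEACON, "aa:bb:cc:00:00:01", "CorpWifi"),
    (0.1, BEACON, "aa:bb:cc:00:00:02", "CorpWifi"),
    (1.0, BEACON, "de:ad:be:ef:00:01", "CorpWifi"),   # same SSID, unknown BSSID
] + [(2.0 + i * 0.05, DEAUTH, "aa:bb:cc:00:00:01", None) for i in range(25)]


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Return {bssid: peak_count} for every BSSID whose deauthentication
    frames reach `threshold` within any sliding window of `window_s` seconds.
    A handful of deauths is normal; a burst like MDK3 produces is not."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, subtype, bssid, _ in sorted(frames, key=lambda f: f[0]):
        if subtype != DEAUTH:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:      # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def detect_evil_twin(frames, known_aps):
    """Return {ssid: {bssid, ...}} for beacons that advertise an inventoried
    SSID from a BSSID not in the inventory (a fake AP replicating the real one).
    Multi-AP deployments share an SSID, which is why an inventory is used."""
    rogue = defaultdict(set)
    for _, subtype, bssid, ssid in frames:
        if subtype == BEACON and ssid in known_aps and bssid not in known_aps[ssid]:
            rogue[ssid].add(bssid)
    return dict(rogue)


if __name__ == "__main__":
    print("deauth floods:", detect_deauth_flood(FRAMES))
    print("rogue beacons:", detect_evil_twin(FRAMES, KNOWN_APS))
```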