Wifi Pen-testing Techniques and Tools
Introduction
Wi-Fi refers to wireless network technology that uses radio waves to establish connections with devices. In comparison to a wired network, it provides an easier and hassle-free way to connect devices (especially IoT devices) without cables. However, it also makes for an easier target for malicious hackers, since a wireless network is easier both to detect and to gain access to.
Types of Wireless Pen-testing:
Since there are different types of wireless networks, from open networks to encrypted networks, the types of wireless pen-testing also differ. This section elaborates on the different types of wireless penetration testing.
Unencrypted WLAN:
When using an unencrypted WLAN, the network is not protected in any way. Anyone within range of the Access Point can join and gain access to the network. The authentication process is simple and consists only of the authentication and association exchanges.
In order to identify the network, first a scan of the available networks needs to be taken.
Once done, the next step is to identify which network in the scanned list is open. Under the ENC column of the list, such a network is shown as OPN; this is the unencrypted wireless network in the list.
When connecting to the network, an authentication request is sent to the AP, and once that request is returned successfully, the association request is sent, which should also return successfully.
WEP Encrypted LAN:
WEP was the first "secure" wireless model, adding authentication and encryption. It is based on the RC4 algorithm and a 24-bit Initialization Vector (IV); the short IV is the biggest drawback of the implementation and is what makes WEP crackable. The IV is added to the
Similar to the unencrypted WLAN, a scan needs to be taken to identify the network that uses WEP encryption.
The next step is to collect the data packets exchanged over the air by the client. Since the data packets include the IV, collecting a substantial number of packets allows the WEP key to be derived.
Just by passively listening to the network (and collecting enough data packets), it is possible to crack the WEP encryption and derive the key.
WPA/WPA2 Encrypted WLAN:
This encryption is the next step in securing wireless networks after WEP was shown to be insecure. The encryption used in WPA and WPA2 is TKIP and CCMP/AES respectively, which makes them much more secure than WEP.
In order to crack into the network, the first step is to de-authenticate a legitimate user. Once the user reconnects to the network, the 4-way handshake is captured, and a dictionary tool can then be used to identify the password.
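The de-authentication step described above is also the signal a wireless intrusion detection system watches for. As an added example (not code from the original article), the following Python script parses bare 802.11 management frames (standard MAC header, no radiotap) and flags any BSSID that emits a burst of deauthentication or disassociation frames; the capture data, window size and threshold are constructed assumptions.

```python
"""Flag deauthentication floods in captured 802.11 management frames.
Assumes bare 802.11 MAC frames (no radiotap header), each paired with a capture timestamp."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 management subtypes

def mac_str(b):
    return ':'.join(f'{x:02x}' for x in b)

def parse_deauth(raw):
    """Return (subtype, dst, src, bssid, reason) for deauth/disassoc frames, else None."""
    if len(raw) < 26:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF   # frame control byte 0
    if ftype != MGMT_TYPE or subtype not in (DEAUTH, DISASSOC):
        return None
    reason, = struct.unpack_from('<H', raw, 24)   # reason code follows the 24-byte header
    return subtype, mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). Returns one (bssid, ts, count)
    alert per BSSID whose deauth/disassoc rate reaches `threshold` within `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        bssid = parsed[3]
        q = recent[bssid]                 # sliding window of timestamps per BSSID
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, ts, len(q)))
    return alerts

def build_frame(subtype, dst, src, bssid, reason=7):
    """Build a minimal management frame (used only to construct sample data)."""
    hdr = struct.pack('<BBH', (subtype << 4) | (MGMT_TYPE << 2), 0, 0)   # FC, duration
    hdr += dst + src + bssid + struct.pack('<H', 0)                      # addr1-3, seq ctl
    return hdr + (struct.pack('<H', reason) if subtype in (DEAUTH, DISASSOC) else b'')

# Constructed sample: 15-frame deauth burst from AP_A, one deauth from AP_B, beacons from AP_A.
AP_A, AP_B = bytes.fromhex('020000000001'), bytes.fromhex('020000000002')
CLIENT, BROADCAST = bytes.fromhex('020000000099'), b'\xff' * 6
SAMPLE = [(0.05 * i, build_frame(DEAUTH, CLIENT, AP_A, AP_A)) for i in range(15)]
SAMPLE += [(2.0, build_frame(DEAUTH, CLIENT, AP_B, AP_B, reason=3))]
SAMPLE += [(0.1 * i, build_frame(BEACON, BROADCAST, AP_A, AP_A)) for i in range(20)]
```

Networks that enable 802.11w Protected Management Frames authenticate deauthentication frames, so a forged one is discarded by the client and this handshake-capture step no longer works.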
Wifi Pen-testing tools:
Aircrack-ng:
Aircrack-ng is one of the most popular wireless password cracking tools; it can be used for 802.11a/b/g WEP and WPA cracking. It recovers wireless keys from captured packets: once enough packets have been gathered, it tries to recover the key. To make the attack faster, it implements the standard FMS attack with some optimizations.
Wifite:
Wifite is a Python script designed to simplify wireless security auditing. It runs existing wireless hacking tools for you, eliminating the need to memorize and correctly use the different tools with their various options.
Kismet:
Kismet is a wireless network sniffer that works for Wi-Fi, Bluetooth, software-defined radio (SDR) and other wireless protocols. It passively collects packets being broadcast in its vicinity and analyzes them to detect even hidden Wi-Fi networks.
Wireshark:
Wireshark is a network protocol analyzer. It lets you see what is happening on your network. You can capture packets live and inspect them at a high level or drill down to the values of particular fields within a packet. It runs on Windows, Linux, OS X, Solaris, FreeBSD and others.