Wireless Penetration testing is the Actively Examine the Process of Information security Measures which is Placed in Wireless Networks and also analyses the Weakness, technical flows, and Critical wireless Vulnerabilities.
Most important counter Measures we should focus on Threat Assessment, Data theft Detection, security control auditing , Risk prevention and Detection, information system Management, Upgrade infrastructure and the Detailed report should be prepared.
Framework for Wireless Penetration Testing
- Discover the Devices which connected with Wireless Networks.
- Document all the findings if Wireless Device is Found.
- If wireless Device found using Wifi Networks, then perform common wifi Attacks and check the devices using WEP Encryption
- if you found WLAN using WEP Encryption then Perform WEP Encryption Pentesting.
- Check whether WLAN Using WPA/WPA2 Encryption .if yes then perform WPA/WPA2pentesting
- Check Whether WLAN using LEAP Encryption .if yes then perform LEAP Pentesting.
- No other Encryption Method used which I mentioned above, Then Check whether WLAN using unencrypted.
- If WLAN is unencrypted then perform common wifi network attacks, check the vulnerability which is placed in unencrypted method and generate a report.
- Before generating a Report make sure no damage has been caused in the pentesting assets.
Penetration Testing with WEP Encrypted WLAN
- Check the SSID and analyze whether SSID Visible or Hidden.
- Check for networks using WEP encryption.
- If you find the SSID as visible mode then try to sniff the traffic and check the packet capturing status.
- If the packet has been successfully captured and injected then it’s time to break the WEP key by using a wireless cracking tool such as Aircrack-ng, WEPcrack .
- If packets are not reliably captured then sniff the traffic again and capture the Packet.
- If you find SSID is the Hidden mode, then do Deauthentication the target client by using some of deauthentication tools such as Commview and Airplay-ng.
- Once successfully Authenticated with the client and Discovered the SSID , then again follow the Above Procedure which is already used for discovered SSID in earlier steps.
- Check if the Authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, then bypassing mechanism needs to be performed.
- Check if the STA (stations/clients) are connected to AP (Access Point) or not. This information is necessary to perform the attack accordingly.
- If clients are connected to the AP, Interactive packet replay or ARP replay attack needs to be performed to gather IV packets which can be then used to crack the WEP key.
- If there’s no client connected to the AP, Fragmentation Attack or Korex Chop Chop attack needs to be performed to generate the keystream which will be further used to reply ARP packets.
- Once the WEP key is cracked, try to connect to the network using wpa-supplicant and check if the AP is alotting any IP address or not.”EAPOL handshake”