In the previous article of this series, “Wireless Pentesting Part 3 – Common Wireless Attacks”, we discussed various scenarios to give you a better grasp of how wireless networks and clients can be attacked. The real possibility of a compromise of your systems is the reason we need to test for vulnerabilities, and see whether they can be exploited, during a wireless pentest. Successful exploitation of a wireless vulnerability is usually just the first step; what a cybercriminal can do next, and the sensitive information they can then reach, is where the real damage is done.
In this fourth and final part of the series, we are going to discuss how to conduct a wireless network pentest. This article brings together what has been discussed up to this point. Once you are finished with this series, you should have a better idea of how to conduct wireless pentests and, after some practice in a lab setting, be prepared to do one.
Where to Start a Wireless Pentest
In the first article in this series we discussed the Penetration Testing Execution Standard (PTES) and recommended it as a great resource for performing pentests using a proven method. It gives you a good starting point for your wireless pentest and provides guidance throughout the process. We will follow the seven sections of the PTES methodology:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Scoping the Wireless Pentest
Properly scoping a pentest helps you conduct it efficiently and gives your client a better estimate of the time required. Pentesting is mainly priced on the hours needed to perform the service, so a bad estimate means you either lose money or overcharge your client, and both are bad for business.
You will need to meet with your client to better understand their goals and objectives for the pentest. Questionnaires are commonly used to collect the needed scoping information. The questionnaire should be sent out prior to meeting with the client. This allows them to get answers to the questions prior to the meeting and allows them time to create a list of any questions or concerns they may have about the pentest process and methodology. The questions should be reviewed during the meeting.
The following questions are taken from PTES and are useful when scoping a wireless network pentest:
- How many wireless networks are in place?
- Is a guest wireless network used? If so, does the guest network require authentication?
- What type of encryption is used on the wireless networks?
- What is the square footage of coverage?
- Will enumeration of rogue devices be necessary?
- Will the team be assessing wireless attacks against clients?
- Approximately how many clients will be using the wireless network?
Rules of Engagement
Rules of Engagement defines how the testing will be done. This is a very important part of the pre-engagement interactions that is in the best interest of the client and the pentester. If something goes wrong or the pentester causes an outage, the client may get upset and this could result in a lack of return business or legal action. Discussing the process with the client and covering all the bases goes a long way in preventing misunderstandings along with ensuring a higher likelihood of customer satisfaction.
- Timeline – the duration of the pentest as well as the begin and end dates.
- Locations – the locations where pentesting will be performed.
- Evidence Handling – establish guidelines for securely storing and transmitting evidence collected during the pentest.
- Regular Status Meetings – clients sometimes like to meet during a pentest to discuss status and findings, in particular critical or high-risk vulnerabilities that require prompt remediation and cannot wait until the pentest has been completed.
- Time of Day to Test – clients have different preferences on testing times, and some want to avoid disruption to production and schedule testing outside business hours.
- Permission to Test and Legal Considerations – you need permission to legally hack, so it is important to have written permission to perform a pentest. If you are doing freelance pentesting it is a good idea to have a lawyer to protect your best interest.
Intelligence Gathering
Intelligence Gathering, which PTES groups together with OSINT (Open Source Intelligence), is an important part of any pentest, and wireless network pentesting is no exception. The intelligence you gather on your wireless targets tells you the encryption type: is the network using WEP, WPA, or WPA2, and is it authenticating with a pre-shared key or with 802.1X? Other items that can be enumerated are the SSIDs, the MAC addresses of APs and clients, and, where the traffic is unencrypted or you hold the key, client and AP IP addresses. The OUI (the first three bytes of a MAC address) also tells you the device manufacturer, which often narrows down the firmware in use. The more information you collect on the target, the more useful the Threat Modeling and Vulnerability Analysis phases of your pentest will be.
During this phase of the wireless network pentest, reconnaissance tools are used to sniff wireless traffic, collecting AP and client communications such as beacons, probe requests and responses, and association traffic. From these you get SSIDs, channels, encryption types, MAC addresses and, when the traffic is readable, IP addresses for clients and APs.
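As an added example (not code from the original article or from any tool it names), the following Python parses a raw 802.11 beacon frame the way reconnaissance tools do to fill in their encryption, cipher and authentication columns: the Privacy bit in the Capability Information field, the RSN information element (WPA2) and the vendor-specific WPA element. The beacon frames at the bottom are constructed for the demonstration; the OUIs and suite selector values are those defined in IEEE 802.11.

```python
"""Classify a network's security type from a raw 802.11 beacon frame.

Added example for this article; not code from the original page or from any
tool named in it. Shows how tools such as airodump-ng and Kismet derive their
ENC / CIPHER / AUTH columns from beacons. The sample frames are constructed.
"""
import struct

MGMT_HEADER_LEN = 24      # Frame Control(2) Duration(2) Addr1-3(18) Seq Ctrl(2)
FIXED_PARAMS_LEN = 12     # Timestamp(8) Beacon Interval(2) Capability Info(2)
CAP_PRIVACY = 0x0010      # Capability Information bit 4: "Privacy" (WEP/WPA/WPA2)

RSN_OUI = b"\x00\x0f\xac"                 # IEEE 802.11 RSN suite selectors
WPA_OUI = b"\x00\x50\xf2"                 # Microsoft OUI used by the WPA element
CIPHERS = {1: "WEP40", 2: "TKIP", 4: "CCMP", 5: "WEP104"}
AKMS = {1: "MGT", 2: "PSK"}               # 802.1X/EAP vs pre-shared key


def parse_tagged(body: bytes):
    """Yield (tag_id, data) for each information element in a beacon body."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:        # truncated element: stop, don't guess
            return
        yield tag, data
        i += 2 + length


def _suite_lists(data: bytes, oui: bytes):
    """Decode the suite lists that follow the version field in the RSN and WPA
    elements: group cipher(4), pairwise count(2) + suites(4 each), AKM count(2)
    + suites(4 each). Each suite is OUI(3) + type(1)."""
    def suite(off, table):
        s = data[off:off + 4]
        return table.get(s[3], "?") if len(s) == 4 and s[:3] == oui else "?"

    def suite_list(pos, table):
        if len(data) < pos + 2:
            return [], pos
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        n = min(n, (len(data) - pos) // 4)    # never trust the count in the frame
        return [suite(pos + 4 * k, table) for k in range(n)], pos + 4 * n

    pairwise, pos = suite_list(4, CIPHERS)    # offset 4: skip the group cipher suite
    akms, _ = suite_list(pos, AKMS)
    return pairwise, akms


def classify_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID and ENC/CIPHER/AUTH for one beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    if (frame[0] & 0xFC) != 0x80:             # type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # Address 3
    (cap,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 10)
    privacy = bool(cap & CAP_PRIVACY)

    ssid, rsn, wpa = "", None, None
    for tag, data in parse_tagged(frame[MGMT_HEADER_LEN + FIXED_PARAMS_LEN:]):
        if tag == 0:
            ssid = data.decode("utf-8", "replace") or "<hidden>"
        elif tag == 48 and len(data) >= 2:                 # RSN: version(2) ...
            rsn = _suite_lists(data[2:], RSN_OUI)
        elif tag == 221 and data[:4] == WPA_OUI + b"\x01" and len(data) >= 6:
            wpa = _suite_lists(data[6:], WPA_OUI)          # OUI(3) type(1) version(2)

    if not privacy:
        enc, ciphers, akms = "OPN", [], []
    elif rsn is not None:                     # RSN present: WPA2 (takes precedence)
        enc, (ciphers, akms) = "WPA2", rsn
    elif wpa is not None:
        enc, (ciphers, akms) = "WPA", wpa
    else:                                     # Privacy bit set, no RSN/WPA: legacy WEP
        enc, ciphers, akms = "WEP", ["WEP"], []
    return {"bssid": bssid, "ssid": ssid, "enc": enc,
            "cipher": "/".join(ciphers), "auth": "/".join(akms)}


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, *ies: bytes) -> bytes:
    """Build a minimal beacon frame (constructed demo data, not a capture)."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    return header + fixed + bytes([0, len(ssid)]) + ssid + b"".join(ies)


# RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, RSN capabilities 0
RSN_WPA2_PSK_CCMP = bytes([48, 20]) + b"\x01\x00" + RSN_OUI + b"\x04" \
    + b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00"
# WPA element: OUI 00:50:f2 type 1, version 1, group TKIP, pairwise TKIP, AKM PSK
WPA_PSK_TKIP = bytes([221, 22]) + WPA_OUI + b"\x01" + b"\x01\x00" + WPA_OUI + b"\x02" \
    + b"\x01\x00" + WPA_OUI + b"\x02" + b"\x01\x00" + WPA_OUI + b"\x02"

SAMPLE_BEACONS = {   # constructed sample frames
    "corp":   build_beacon(bytes.fromhex("001122334455"), b"CorpNet", True, RSN_WPA2_PSK_CCMP),
    "legacy": build_beacon(bytes.fromhex("001122334466"), b"OldPrinter", True, WPA_PSK_TKIP),
    "wep":    build_beacon(bytes.fromhex("001122334477"), b"Warehouse", True),
    "guest":  build_beacon(bytes.fromhex("001122334488"), b"Guest", False),
}

if __name__ == "__main__":
    for frame in SAMPLE_BEACONS.values():
        r = classify_beacon(frame)
        print(f"{r['bssid']}  {r['enc']:<4} {r['cipher']:<5} {r['auth']:<3}  {r['ssid']}")
```

Feed it the management frames from a monitor-mode capture (strip the radiotap header first) and you get the same OPN/WEP/WPA/WPA2 classification airodump-ng shows. A WPA2 network whose AKM decodes as MGT is using 802.1X rather than a pre-shared key, which changes which of the attacks from part three apply to it.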
Two good tools for wireless network reconnaissance are Kismet and airodump-ng from the Aircrack-ng suite; both come up again later in this article.
These reconnaissance tools are most effective when you walk the perimeter and the interior of the location you are assessing. When testing bigger facilities, divide the area into sections and write a separate capture file for each. This makes it easier to analyze specific areas and, if you find a rogue AP, to pinpoint its location; a single file for the whole site makes both harder.
During your reconnaissance, pay close attention to the physical locations of APs and wireless controllers. As discussed in part three of this series, and again under Threat Modeling below, if an AP or wireless controller can be physically reached, an attacker may be able to unplug it and connect an Ethernet cable to its switch port, bypassing wireless authentication and encryption entirely unless that port is protected by 802.1X or port security. Wireless controllers should be locked in a network equipment closet, wiring closet, equipment rack, or datacenter. APs should be mounted on ceilings or high on walls or columns, out of reach of unauthorized persons. Take pictures of these findings, document the location, and add them to your report. War driving and heat mapping, if conducted, belong in this part of the pentest.
War Driving and Heat Mapping
During a pentest, war driving and heat mapping can be performed, but they have drawbacks and take time that could be better spent testing for vulnerabilities. Both activities are really part of the site survey process. War driving measures the signal strength of wireless networks and how far the signal extends beyond the facility. That sounds useful, which is why it was part of wireless pentesting for years, but long-range WiFi adapters and antennas let attackers intercept wireless traffic from great distances anyway. I recall one test where I was able to pick up a wireless signal from half a mile away from the client location. I didn't try anything past the half-mile mark, and this was the most powerful antenna I had. It was later decided to discontinue war driving for this reason and to spend the time on more useful testing.
Heat maps can be used to map APs throughout a facility, including rogue APs. This can be time consuming, and the value is usually not worth the time. Ekahau HeatMapper is a good tool for indoor heat maps and can be used outside as well. It runs on Windows, and you can import images of the office floor plan to map the APs to specific locations in the facility. You can download this free tool at https://wifi.ekahau.com/heatmapper_download. Ekahau also has a commercial tool, but the free version works great and is what I used on pentests.
NetSpot is a heat mapping tool for macOS that offers free and commercial versions. NetSpot does, however, also give you output similar to Kismet and other wireless tools.
Identifying Rogue Access Points
During your pentest, one of your goals should be to identify rogue APs. Rogue APs are unauthorized APs on a network and are a security risk. Sometimes they are the result of shadow IT. Shadow IT, for those not familiar with the term, is when people in an organization outside of IT (including consultants), without IT's authorization, provide their own IT services. This becomes a problem because unauthorized people do not adhere to company standards and security policies: departments or individuals install technology, software, or hardware to enhance capabilities or to work around security controls. A malicious actor can also set up a WiFi router or AP on the network to access it remotely or simply to bypass the WiFi security controls.
To make your life easier and make more efficient use of your time, request a list of the APs to be assessed during the pre-engagement activities. Rogue AP discovery then comes down to comparing the list of in-scope APs to the ones discovered during your reconnaissance. This is a lesson I learned from past pentests during my consulting days. Typically, we would collect APs from our reconnaissance and ask the client to validate that the discovered APs were legitimate and not rogue devices, but when you are onsite performing the pentest, clients are sometimes too busy to validate what you find. Having the list of in-scope APs before you start lets you focus on the correct APs, and, if the opportunity to exploit one arises, you don't have to stop and verify it is in scope first.
Suspected rogue APs are not always rogue; sometimes they belong to businesses neighboring your client. Remember, it is illegal to hack or perform a pentest without permission, so never attack an AP you have not confirmed is in scope. If you detect rogue APs during the assessment, list them as a finding in your pentest report. When you detect a suspected rogue AP during your wireless survey, note the signal strength, and where in the building it is strongest, to help rule out a neighboring business or residence. On a recent wireless pentest I performed for my employer, our facility was bordered by other businesses and residential housing.
After you complete your reconnaissance, compare the APs you discovered to the list of APs provided by the client and make a list of any that are not on it. APs that belong to offices neighboring your client are not rogue and should not be reported as such. Create a finding in your pentest report for each device that is confirmed rogue. The remediation for rogue APs is to remove them from the network and, ideally, to find out how they were connected so the same gap is not used again.
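Here is an added example, in Python, of the comparison described above; it is not code from the original article. It takes the access-point table of a CSV in the layout that `airodump-ng -w <prefix> --output-format csv` writes (the rows here are constructed), subtracts the client's authorized BSSIDs, and sorts the rest by whether the ESSID is one of the client's names and by how strongly the AP was heard, so neighbors are not written up as rogues. The -65 dBm threshold and the client's lists are assumptions to replace with the real ones for the site.

```python
"""Rogue-AP triage: compare discovered APs against the client's authorized list.

Added example for this article; not code from the original page. Parses the
access-point section of an airodump-ng style CSV (rows below are constructed,
in the column layout airodump-ng writes), drops the BSSIDs the client
authorized during pre-engagement, and uses signal strength to separate likely
on-premises rogues from neighbouring networks that are out of scope.
"""
import csv

# Supplied by the client during pre-engagement (constructed for this demo).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
AUTHORIZED_ESSIDS = {"CorpNet", "CorpGuest"}

# Assumed threshold: a transmitter heard at or above this level (dBm) from
# inside the building is probably on the premises; tune it per site survey.
ONSITE_DBM = -65

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2021-03-01 09:00:00, 2021-03-01 09:40:00,  6,  54, WPA2, CCMP, PSK, -42,  310,  0,   0.  0.  0.  0,   7, CorpNet, 
00:11:22:33:44:66, 2021-03-01 09:00:00, 2021-03-01 09:40:00, 11,  54, OPN,  ,  , -47,  290,  0,   0.  0.  0.  0,   9, CorpGuest, 
AA:BB:CC:DD:EE:01, 2021-03-01 09:12:00, 2021-03-01 09:40:00,  1,  54, WPA2, CCMP, PSK, -51,  180,  0,   0.  0.  0.  0,   7, CorpNet, 
DE:AD:BE:EF:00:01, 2021-03-01 09:05:00, 2021-03-01 09:40:00,  6,  54, WPA2, CCMP, PSK, -39,  205,  0,   0.  0.  0.  0,   9, NETGEAR42, 
F0:0D:CA:FE:00:02, 2021-03-01 09:01:00, 2021-03-01 09:40:00,  3,  54, WPA2, CCMP, PSK, -81,   60,  0,   0.  0.  0.  0,   9, CoffeeBar, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text: str) -> list:
    """Return the AP rows of an airodump-ng CSV as dicts keyed by column name.
    The file holds two tables; the second ("Station MAC ...") lists clients
    and is skipped here."""
    ap_section = text.split("\nStation MAC")[0]
    lines = [ln for ln in ap_section.splitlines() if ln.strip()]
    reader = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header) - 1:          # skip malformed / partial rows
            continue
        rec = dict(zip(header, (f.strip() for f in row)))
        rec["BSSID"] = rec["BSSID"].lower()
        try:
            power = int(rec["Power"])
        except (KeyError, ValueError):
            power = None
        rec["Power"] = None if power == -1 else power   # airodump uses -1 for "unknown"
        aps.append(rec)
    return aps


def triage(aps, authorized_bssids, authorized_essids, onsite_dbm=ONSITE_DBM) -> list:
    """Classify every AP that is not on the client's list.

    spoofed_essid : unknown BSSID advertising one of the client's ESSIDs
                    (a possible evil twin; always a finding)
    rogue         : unknown AP heard strongly enough to be on the premises
    neighbor      : unknown AP heard weakly; probably a nearby business/home
    unverified    : no usable signal reading; needs a second look on foot
    Anything flagged still needs the client to confirm ownership before it is
    written up or attacked."""
    known = {b.lower() for b in authorized_bssids}
    findings = []
    for ap in aps:
        if ap["BSSID"] in known:
            continue
        power = ap["Power"]
        if ap["ESSID"] in authorized_essids:
            verdict = "spoofed_essid"
        elif power is None:
            verdict = "unverified"
        elif power >= onsite_dbm:
            verdict = "rogue"
        else:
            verdict = "neighbor"
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"], "power": power,
                         "privacy": ap["Privacy"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(parse_access_points(SAMPLE_CSV), AUTHORIZED_BSSIDS, AUTHORIZED_ESSIDS):
        print(f"{f['verdict']:<13} {f['bssid']}  {f['power']!s:>5} dBm  {f['essid']}")
```

Run it once per building section, as suggested above, and the Power column together with the section name tells you roughly where a rogue sits. The verdict is a triage aid only: the client still confirms ownership before anything is attacked or reported as a finding.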
Threat Modeling
During the Threat Modeling phase of your pentest, you need to identify the following, which is taken from the OWASP Threat Modeling page, https://owasp.org/www-community/Threat_Modeling:
- Assessment Scope – The first step is always to understand what’s on the line. Identifying tangible assets, like databases of information or sensitive files is usually easy. Understanding the capabilities provided by the application and valuing them is more difficult. Less concrete things, such as reputation and goodwill, are the most difficult to measure but are often the most critical.
- Threat Agents and Possible Attacks – A key part of the threat model is a characterization of the different groups of people who might be able to attack your application. These groups should include insiders and outsiders, performing both inadvertent mistakes and malicious attacks.
- Existing Countermeasures – The model must include the existing countermeasures.
- Exploitable Vulnerabilities – Once you have an understanding of the security in the application, you can then analyze for new vulnerabilities. The search is for vulnerabilities that connect the possible attacks you’ve identified to the negative consequences you’ve identified.
- Prioritize Identified Risks – Prioritization is everything in threat modeling, as there are always lots of risks that simply don’t rate any attention. For each threat, you estimate a number of likelihood and impact factors to determine an overall risk or severity level.
- Countermeasures to Reduce Threat – The last step is to identify countermeasures to reduce the risk to acceptable levels.
The more complex the target you are pentesting, the more time and effort is needed to perform a thorough threat model. Wired and wireless networks are typically not as complex as, for example, an ATM, and do not require as much time and effort; their threat vectors are well known or easier to identify.
Guest WiFi at an airport carries more risk than the guest WiFi at a bookstore or an organization's office. The airport has far more guest users, so there is a higher likelihood of attempts to reach the restricted, employee-only networks from the guest network. An AP that is physically accessible is also part of the threat surface and belongs in a wireless network threat model: physical access to the AP could let an attacker unplug it and connect an Ethernet cable to its switch port, bypassing the AP's wireless controls altogether.
So, when threat modeling, keep in mind the environment and its users, the type of device, and its security features. The threat vectors identified here will be useful in the Vulnerability Analysis phase, as will knowing the existing countermeasures and the device manufacturer and firmware version.
Vulnerability Analysis
In this phase you review and analyze the information collected during intelligence gathering together with the threat surfaces identified during threat modeling. You combine that with the weaknesses detected by wireless pentesting tools to decide which vulnerabilities to attempt to exploit in order to gain access to the network and the assets residing on it.
Traditional pentesting tools like vulnerability scanners or port and service scanners are not an option until you have gained access to the wireless network. In some cases you can reach the APs and wireless controllers directly if you have access to the network segment to which their management interfaces are connected. Until then, wireless-specific pentest tools are what you use to discover and exploit vulnerabilities.
Exploitation and Post Exploitation
This part of the pentest varies with the scope. If the wireless pentest is part of an engagement that also covers the wired network, then post exploitation of the wireless pentest is wrapped into that single phase. For a wireless-only scope, the pentest can stop once you have access to the wireless network. Don't get caught up in the moment when you breach a wireless network and go outside the scope. In this phase we attempt to exploit the vulnerabilities discovered.
There are multiple tools that can be used for the exploitation phase, but we will use the following because they automate exploitation. These tools drive other tools installed on Kali Linux, and the automation streamlines the process and makes exploitation more efficient.
- Wifite
- Airgeddon
- Fern WiFi Cracker
Wifite, Airgeddon, and Fern WiFi Cracker are similar tools, but I prefer Wifite and Airgeddon for the verbose output they provide. With Fern WiFi Cracker you don't really see what is going on in the background. Wifite and Airgeddon are started and run from the command line, making it easy to see the progress and the attacks being performed. Fern WiFi Cracker has a GUI and does not offer all the options that Wifite and Airgeddon do.
You can mix in non-automated tools such as the Aircrack-ng suite, which includes airodump-ng, aircrack-ng, and aireplay-ng. Bettercap is another tool that can be used during your pentest and has great MITM (man-in-the-middle) capabilities.
If your attacks are successful and you exploit one of the wireless targets in scope, then post exploitation is the next step, if it is in scope. This could include attacks against servers, PCs, printers, or other devices or applications. When scoping a wireless pentest, post exploitation can drastically change the scope. If the wireless test is part of an overall network pentest, then post exploitation beyond the wireless devices is in scope and you will need more time. If wireless alone is in scope, you typically stop once you have demonstrated access to the network behind the AP, without attacking the hosts on it.
During your pentest, document the APs you discover and also take screenshots of the tool output showing them. Tools like Kismet have a handy report feature. You are not always going to be able to exploit your targets, so you want to add as much value to your report as possible, and screenshots also show how the information was collected. Pictures of APs with unsecured physical access should be included in your report as well.
Wireless Pentest Report
The report is the most valuable part of a pentest, as it is the only deliverable to the client. In your report you document your findings and present evidence of any vulnerabilities you discovered during the assessment. The report should include the following sections: Introduction and Scope, Executive Summary, Technical Report, and Conclusion.
The Introduction and Scope section should describe the goals and scope of the wireless pentest.
The Executive Summary explains the results and risks discovered during the pentest at a high level, in language that is understandable to non-IT and non-InfoSec audiences. Explain the business risk associated with the vulnerabilities, and list the number of findings at each risk level along with the total number of findings.
The Technical Report should list, for each finding, the details of the vulnerability, the affected item (AP, SSID, or client), the steps to discover or reproduce it, the risk rating, and remediation recommendations.
The Conclusion should include the detailed methodologies and standards used during the wireless pentest as well as tools used.
This concludes this four-part series. We have covered everything you need to know to complete a basic wireless pentest with professional results. We hope this was helpful and let us know if you enjoyed this series.
Until next time keep on pwning! But please have permission.
- Wireless Pentesting Part 1 – An Overview
- Wireless Pentesting Part 2 – Building a WiFi Hacking Rig
- Wireless Pentesting Part 3 – Common Wireless Attacks
Phillip Wylie is a Lead Curriculum Developer at Point3 Federal, Adjunct Instructor at Dallas College (formerly Richland College), and The Pwn School Project founder. Phillip has over two decades of experience, with the last 8.5 years spent as a pentester. Phillip has a passion for mentoring and education, which motivated him to start teaching and to found The Pwn School Project, a monthly educational meetup focusing on ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Dallas College in Dallas, TX. Phillip is the co-author of “The Pentester BluePrint: Your Guide to Being a Pentester” and holds the following certifications: CISSP, NSA-IAM, OSCP, GWAPT. Follow him @PhillipWylie.