Learning from the field : Wireless Pentesting

Recently, We got a chance to do some penetration testing. This post would cover the basics and approach.

Thanks to Girish Nemade

Basic wireless network tests could be performed by using your wireless adapter installed in your laptop. However, few external USB cards are suggested by Offsec such as

  • Netgear WN111v2 USB
  • ALFA Networks AWUS036H USB 500mW
which provide a better area coverage.

Basics

  1. Set the wireless interface in the monitor mode.
airmon-ng <start|stop> <interface> [channel] : Enable monitor mode on an interface (and specify a channel).
airmon-ng <check> [kill]                     : List all possible programs that could interfere with the wireless card. If 'kill' is specified, it will try to kill all of them.
  1. use airodump
airodump <monitor interface>
   -N, --essid                 : Filter APs by ESSID.                                  ##Name of the Access Point
   -d <bssid>, --bssid <bssid> : It will only show networks, matching the given bssid. ##MAC Address of Access Point
   -a                          : It will only show associated clients.
   -t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2> : It will only show networks matching the given encryption.
   -R, --essid-regex              Filter APs by ESSID using a regular expression
  1. OPEN If there is no MAC authentication, and dhcp enabled, your machine would connect automatically. If there is no MAC authentication but dhcp is not enabled, it is advisable to sniff the network using wireshark and find the appropiate network range and the default gateway and set them manually. If there is MAC authentication and DHCP not enabled, you need to find valid associated clients. The catch is the valid associated clients will have an IP address whereas invalid associated clients will not have the IP address.

Find the associated clients connected to the particular access point by using the csv file produced by airodump. In the below example the access point is “24:DE:C6:C7:92:C2”.

cat PL-01.csv | grep 24:DE:C6:C7:92:C2 | cut -d , -f 1,6 | grep -v OPN

You may change your ip address of wireless adapter using

ifconfig wlan4 hw ether 30:5A:3A:B4:09:BC

or

macchanger
       -m,  --mac=XX:XX:XX:XX:XX:XX
       --mac XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

Once associated, we still need to find the valid IP address and valid MAC address, sniff the network, find the network ranges, gateway. Do a nmap Ping Scan to the local subnet which will provide IP address and MAC address. Cross-verify with the associated clients. Valid associated clients will have an IP address and MAC address entry in the airodump listing. Set the IP address using

ifconfig wlan4 10.10.3.71 netmask 255.255.240.0

Set the association using

iwconfig wlan4 essid "ESSID_NAME" ap "24:DE:C6:C7:92:C2(SSID_MAC_Address)"

WEP

Abbrev:

ENC* WEP: Wired Equivalent Privacy WPA: Wi-Fi Protected Access WPA: i-Fi Protected Access II

Cipher TKIP: Temporal Key Integrity Protocol CCMP: Counter Mode CBC-MAC Protocol

AUTH** PSK: Pre-Shared Key MGT: SKA: Shared Key Authentication