Wireless Pentesting

Master the art of offensive wireless security. From 802.11 frames to WPA3 exploitation.

Introduction

Wireless Penetration Testing (WiFi Pentesting) is the authorized process of identifying and exploiting security vulnerabilities in wireless networks. Unlike wired networks, wireless signals extend beyond physical boundaries, making them a prime target for attackers. Understanding how to audit these networks is crucial for any cybersecurity professional to protect corporate and home infrastructure from unauthorized access, data interception, and man-in-the-middle attacks.

Wireless Basics

OSI Layer 1 & 2

WiFi operates primarily on the Physical (PHY) and Data Link (MAC) layers. Security tools manipulate the MAC layer to inject packets.

Frequencies

2.4 GHz: Long range, slower, crowded (Channels 1-11).
5 GHz: Faster, shorter range, more channels.

Identifiers

SSID: The network name broadcasted.
BSSID: The MAC address of the Access Point (AP).

Frame Types

Management: Beacons, Probes, Auth.
Control: RTS, CTS, ACK.
Data: Encrypted payload.

Security Protocols

WEP (Wired Equivalent Privacy)

Deprecated and extremely vulnerable. Uses RC4 stream cipher with static keys. Can be cracked in minutes.

WPA (Wi-Fi Protected Access)

Introduced TKIP as a stopgap for WEP's weaknesses. Still vulnerable to specific attacks (Beck-Tews).

WPA2 (Standard)

Uses AES-CCMP encryption. Robust, but vulnerable to offline dictionary attacks via the 4-Way Handshake.

WPA3 (Latest)

Uses SAE (Simultaneous Authentication of Equals). Resistant to offline dictionary attacks and provides forward secrecy.

Pentesting Methodology

1. Reconnaissance & Monitor Mode

First, identify your wireless interface and switch it to monitor mode to capture all traffic in the air, not just traffic meant for you.

ip link show
airmon-ng check kill
airmon-ng start wlan0

2. Target Discovery

Scan for nearby networks, identifying target BSSIDs, channels, and encryption types.

airodump-ng wlan0mon

3. Capturing the Handshake (WPA2)

Focus on the specific target. The 4-way handshake is only sent when a client (re)connects, so a client must associate while you are capturing.

airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel 6 --write capture wlan0mon

4. Forcing a Handshake (Deauth)

If no one is connecting, you can send deauthentication packets to force a client to reconnect.

aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

5. Cracking

Once you have the captured handshake (.cap file; airodump-ng appends a counter to the write prefix, so the file is named capture-01.cap), use a wordlist to crack the pre-shared key.

aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

Essential Tools

Kali Linux

The standard OS for pentesting, pre-loaded with wireless drivers and suites.

Aircrack-ng

A complete suite of tools to assess WiFi network security (Monitor, Attack, Crack).

Wireshark

The world's foremost network protocol analyzer for deep packet inspection.

Kismet

Wireless network detector, sniffer, and intrusion detection system.

Bettercap

The Swiss Army knife for network attacks and monitoring. Great for MITM.

Hashcat

World's fastest password cracker. Uses GPU acceleration to crack WPA handshakes.

Attack Vectors

Evil Twin

Creating a fake Access Point with the same SSID as the target to trick users into connecting to you, often to steal credentials via a captive portal.

Deauthentication

A DoS attack where spoofed management frames are sent to the AP and Client, disconnecting them. Used to capture handshakes.
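As an added defender-side example (not part of the original guide), the following Python sketch flags the two patterns described above, an Evil Twin beaconing a monitored SSID from an unknown BSSID and a burst of deauthentication frames, over a constructed set of frame records; the BSSIDs, SSID, window size and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (timestamp_s, subtype, bssid, ssid). Subtypes use
# 802.11 management-frame names; "deauth" is the deauthentication subtype.
# All BSSIDs and SSIDs here are made-up values, not from any real network.
SAMPLE_FRAMES = [
    (0.00, "beacon", "aa:bb:cc:dd:ee:ff", "CorpWiFi"),
    (0.10, "beacon", "aa:bb:cc:dd:ee:ff", "CorpWiFi"),
    (0.20, "beacon", "11:22:33:44:55:66", "CorpWiFi"),  # same SSID, unknown BSSID
    (5.00, "deauth", "aa:bb:cc:dd:ee:ff", ""),          # one isolated deauth is normal
] + [(12.0 + i * 0.05, "deauth", "aa:bb:cc:dd:ee:ff", "") for i in range(10)]

# Assumed allowlist of legitimate BSSIDs per corporate SSID.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:dd:ee:ff"}}

def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return {bssid: peak_count} for BSSIDs whose deauth frames reach
    `threshold` within any sliding window of `window_s` seconds. Roaming
    produces isolated deauths; a burst per second is the injected-frame signature."""
    times = defaultdict(list)
    for ts, subtype, bssid, _ in frames:
        if subtype == "deauth":
            times[bssid].append(ts)
    alerts = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def detect_evil_twin(frames, authorized):
    """Return the set of (ssid, bssid) pairs where a beacon advertises a
    monitored SSID from a BSSID that is not on that SSID's allowlist."""
    rogue = set()
    for _, subtype, bssid, ssid in frames:
        if subtype == "beacon" and ssid in authorized and bssid not in authorized[ssid]:
            rogue.add((ssid, bssid))
    return rogue

if __name__ == "__main__":
    print("deauth floods:", detect_deauth_flood(SAMPLE_FRAMES))
    print("possible evil twins:", detect_evil_twin(SAMPLE_FRAMES, AUTHORIZED))
```

On a real capture the records would come from a monitor-mode sniffer export; tune the window and threshold to the site's normal roaming rate before alerting on them.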

WPS Brute Force

Exploiting the Wi-Fi Protected Setup (WPS) PIN feature. If enabled, Reaver can recover the PIN and subsequently the WPA password.

MAC Spoofing

Changing your MAC address to bypass MAC filtering (Allow/Deny lists) on routers to gain unauthorized access.

Advanced Concepts

PMKID Attack

An attack against WPA2 that doesn't require a full 4-way handshake capture. It targets the PMKID carried in the RSN IE (Robust Security Network Information Element) of a single frame sent by the AP.

Enterprise Attacks (802.1X)

Attacking WPA-Enterprise involves setting up a rogue RADIUS server (e.g., hostapd-wpe) to capture MSCHAPv2 challenge-response hashes from victims.

Hidden SSID Discovery

Hidden networks still broadcast beacons but with an empty SSID field. The name is revealed in Probe Response frames when a legitimate client connects.