
You're reading from The Ultimate Kali Linux Book - Second Edition

Product type: Book
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801818933
Edition: 2nd Edition
Author (1)
Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.


Chapter 13: Advanced Wireless Penetration Testing

As the number of mobile devices in the world increases, organizations are also expanding and improving their wireless networks. Wireless networking is very common, and companies are investing in their wireless network infrastructure to support mobile devices such as laptops and smart devices. As an aspiring penetration tester, it is vital to have a solid foundational knowledge of wireless networking and of how to exploit the security vulnerabilities within enterprise wireless networks.

In this chapter, you will learn about the fundamentals of wireless networks and how penetration testers can perform reconnaissance on their target's wireless network. You will gain skills in compromising WPA, WPA2, and WPA3 wireless networks, as well as personal and enterprise networks. Furthermore, you will learn how to perform an AP-less attack, create a wireless honeypot, and techniques you can use to secure wireless networks.

In this...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Introduction to wireless networking

As an aspiring penetration tester, it's important to understand the key concepts and fundamentals of wireless networking and its technologies before compromising a wireless network. Hacking a wireless network is only one part of wireless network penetration testing. Understanding how wireless routers and access points (APs) transmit frames from one client to another goes a long way toward becoming better at wireless penetration testing.

The Institute of Electrical and Electronics Engineers (IEEE) is an organization that is responsible for creating and maintaining a lot of standards and frameworks for the electrical and electronics industry, including computers and networks. Within IEEE, there's the 802 committee, which is responsible for developing and maintaining a lot of standards such as Ethernet, Bluetooth, and even wireless networking. Within the 802 committee, there's the .11 working group, which is responsible for one of the most common...

Performing wireless reconnaissance

As with any type of penetration test, the first stage is to gather as much information about the target as possible by performing reconnaissance. Reconnaissance in wireless penetration testing allows you to discover nearby wireless clients, wireless routers, and access points, perform fingerprinting on wireless devices, and even determine the manufacturer of an access point. By gathering information about a wireless network and its devices, you can research security vulnerabilities that can help you exploit and compromise the wireless network.

When performing reconnaissance on a wireless network, the penetration tester does not need to be associated with or connected to the target wireless network. Using a wireless network adapter that supports packet injection and monitor mode allows the penetration tester to listen and capture messages on the 2.4 GHz and 5 GHz bands of nearby wireless clients and access points.

To start performing reconnaissance...

Compromising WPA and WPA2 networks

Many organizations configure their wireless routers and access points to operate in autonomous mode, which means that each access point is independent of the others. This creates an issue when IT professionals have to make administrative changes to the wireless network, as they will need to log in to each access point to make the configuration change.

In many instances where the access points operate in autonomous mode, their wireless security is set to WPA2-PSK (personal mode). This allows IT professionals to configure a single password/passphrase on the access point that is shared with anyone who wants to access the wireless network. Using WPA2-PSK is recommended for small networks such as home users and small organizations with few users. However, many medium to large organizations also use this wireless security mode.

As you can imagine, if many users are sharing the same password...

Performing AP-less attacks

In an AP-less attack, the access point or wireless router is not present in the vicinity but a wireless client such as a laptop or even a smartphone is broadcasting probes, seeking to establish a connection with a wireless network within its preferred network list. Penetration testers can attempt to retrieve the password/passphrase of a wireless network, even if the wireless router or access point is not present within the vicinity. However, a wireless client must be sending probes to the target wireless network.

As shown in the following diagram, a penetration tester or threat actor simply needs to set up their attacker machine within the vicinity of a probing wireless client to capture the WLAN frames:

Figure 13.25 – Capturing probes

As we mentioned previously, the penetration tester can mimic a wireless network and trick the wireless client into connecting and capturing the WPA/WPA2 handshake.

Please use the following...

Exploiting enterprise wireless networks

In this section, we will be utilizing the enterprise wireless lab that we built in Chapter 3, Setting Up for Advanced Hacking Techniques, as it contains all the configurations needed to simulate an enterprise wireless network infrastructure that utilizes the AAA framework with a RADIUS server.

The following diagram provides a visual representation of the wireless network for this exercise:

Figure 13.32 – Enterprise wireless lab

As shown in the preceding diagram, the RADIUS server functions as the access server, which handles the AAA functions; the access point functions as the authenticator, which provides access to the network and relays authentication information to the RADIUS server; and a wireless client is associated with the network.

Before proceeding, please ensure you implement the following guidelines:

  • You will need two wireless network adapters.
  • Ensure the access point can communicate...

Creating a Wi-Fi honeypot

As an aspiring penetration tester, you may be asked to conduct extensive wireless security testing for your company or a client organization. Creating a rogue access point with an interesting SSID (wireless network name), such as VIP_WiFi or Company-name_VIP, will lure employees to establish a connection.

When creating a rogue access point, the objective is to capture user credentials and sensitive information, as well as to detect any vulnerable wireless clients in an organization. The following are some tips to consider when deploying your rogue access point:

  • Choose a suitable location to ensure there is maximum coverage for potential victims.
  • De-authenticate clients from the real access point, causing them to create an association with the rogue access point.
  • Create a captive portal to capture user credentials.

To get started, we are going to use Airgeddon once more as it contains a lot of features and functions that will assist...

Discovering WPA3 attacks

At the time of writing, WPA3 is the latest wireless security standard within the wireless networking industry. As such, it has resolved various security concerns that existed in its predecessor, WPA2. In the previous sections, you discovered various types of attacks that a penetration tester can use to compromise an IEEE 802.11 wireless network using the WPA2 wireless security standard. WPA2 wireless networks are highly vulnerable to wireless de-authentication attacks, which allow a threat actor or a penetration tester to send de-authentication frames to any wireless clients that are associated with a specific access point. However, WPA3 is not susceptible to de-authentication attacks because, unlike its predecessors, WPA3 uses Protected Management Frames (PMF).

The following comparison will help you quickly understand the new features and technologies of WPA3:

  • Opportunistic Wireless Encryption (OWE) is an implementation on WPA3 wireless...
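The reconnaissance section above describes fingerprinting nearby access points from the frames they broadcast, and this section states that WPA2 networks are exposed to forged de-authentication frames while WPA3 with PMF is not. The following added example (written for this page, not code from the book or from Airgeddon) parses raw 802.11 beacon frames to pull out the SSID, the AKM suites (PSK versus SAE) and the PMF bits from the RSN element, and reports whether a network is still exposed to de-authentication; the beacons are constructed sample data, not real captures, and the BSSID and SSID values are made up.

```python
import struct

# AKM suite selectors in the RSN information element (OUI 00-0F-AC + type).
AKM_NAMES = {1: "802.1X (enterprise)", 2: "PSK (WPA2-Personal)", 8: "SAE (WPA3-Personal)", 18: "OWE"}
MFPR, MFPC = 0x40, 0x80  # RSN capability bits: PMF required / PMF capable

def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, AKM suites and the PMF setting from a raw 802.11 beacon."""
    if frame[0] != 0x80:                      # frame control: type 0, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    info = {"bssid": ":".join(f"{b:02x}" for b in frame[16:22]),  # Addr3 carries the BSSID
            "ssid": None, "akm": [], "pmf": "none"}
    pos = 24 + 8 + 2 + 2                      # MAC header, timestamp, interval, capability
    while pos + 2 <= len(frame):              # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
        if tag == 0:                          # SSID element; empty means a hidden network
            info["ssid"] = data.decode("utf-8", "replace") or "<hidden>"
        elif tag == 48 and len(data) >= 8:    # RSN element: version, group, pairwise, AKM, caps
            n_pair = struct.unpack_from("<H", data, 6)[0]
            off = 8 + 4 * n_pair
            n_akm = struct.unpack_from("<H", data, off)[0]
            off += 2
            for i in range(n_akm):            # last byte of each selector is the AKM type
                akm = data[off + 4 * i + 3]
                info["akm"].append(AKM_NAMES.get(akm, f"unknown({akm})"))
            off += 4 * n_akm
            if off + 2 <= len(data):          # RSN capabilities field is optional
                caps = struct.unpack_from("<H", data, off)[0]
                info["pmf"] = "required" if caps & MFPR else "capable" if caps & MFPC else "none"
    return info

def deauth_exposed(info: dict) -> bool:
    """Defender check: without mandatory PMF, a forged de-authentication frame is honoured."""
    return info["pmf"] != "required"

def build_beacon(ssid: str, akm_type: int, caps: int) -> bytes:
    """Construct a minimal beacon frame (sample input for this example, not a real capture)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex("02000000aa01") * 2 + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, beacon interval, capability
    rsn = struct.pack("<H", 1) + b"\x00\x0f\xac\x04"       # RSN version 1, group cipher CCMP
    rsn += struct.pack("<H", 1) + b"\x00\x0f\xac\x04"      # one pairwise cipher suite: CCMP
    rsn += struct.pack("<H", 1) + b"\x00\x0f\xac" + bytes([akm_type]) + struct.pack("<H", caps)
    return hdr + body + bytes([0, len(ssid)]) + ssid.encode() + bytes([48, len(rsn)]) + rsn

# Constructed samples: a WPA2-PSK AP with no PMF and a WPA3-SAE AP with PMF required.
SAMPLES = [build_beacon("Linksys", 2, 0), build_beacon("Corp-WPA3", 8, MFPC | MFPR)]
```

Running `parse_beacon` over the two samples reports the first network as PSK with PMF "none" (de-authentication exposed) and the second as SAE with PMF "required"; on a real capture, a WPA2 network advertising MFPC but not MFPR is still exposed because clients may negotiate without protection.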

Securing your wireless network

As you saw in the previous section, a penetration tester or threat actor can attempt to compromise your wireless network and obtain its password. Whether you're a student taking a computer security course, an IT professional, or simply an enthusiast, this section covers some of the methods and techniques that you can use to improve the security of your network and prevent such attacks.

SSID management

When you purchase a new access point or wireless router, the default SSID is usually that of the manufacturer; SSID is the technical term used for the name of the wireless network. For example, the default SSID of a new Linksys access point would contain the name Linksys. Many manufacturers include their name in the default configuration to help the user quickly identify their wireless network when setting up a new access point. However, individuals and organizations sometimes do not change the default...

Summary

In this chapter, you learned about the fundamentals of wireless networking and the security mechanisms that are used to provide a layer of security to users and organizations who implement wireless networking within their companies. Furthermore, you now know how to compromise WPA, WPA2, WPA3, personal, and enterprise networks. Additionally, you have learned how to perform an AP-less attack, which allows a penetration tester to retrieve the password of a probing client where the desired access point is not present within the vicinity. Lastly, you learned how to create wireless honeypots, which act as evil twin and rogue access points.

I hope this chapter has been informative for you and is helpful in your journey as an aspiring penetration tester, learning how to simulate real-world cyberattacks to discover security vulnerabilities and perform exploitation using Kali Linux. In the next chapter, Chapter 14, Performing Client-Side Attacks – Social Engineering, you will...

Further reading

To learn more about the topics that were covered in this chapter, please go to the following links:
