You're reading from The Ultimate Kali Linux Book - Third Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835085806
Edition: 3rd Edition
Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.
Advanced Wireless Penetration Testing

As the number of mobile devices increases around the world, organizations are also increasing and improving their wireless networks. Wireless networking is very common and many companies are investing in enhancing their wireless network infrastructure to support mobile devices such as laptops, smartphones, tablets, and Internet-of-Things (IoT) devices. As an aspiring ethical hacker and penetration tester, it’s essential to develop solid foundational knowledge of wireless networking and understand how threat actors can identify and exploit security vulnerabilities within enterprise wireless networks.

In this chapter, you will learn about the fundamentals of wireless networks and how penetration testers can perform reconnaissance on their target’s wireless network. You will gain skills in compromising Wi-Fi Protected Access (WPA), WPA2, and WPA3 wireless networks with Access Points (APs), as well as personal and enterprise networks...

Technical Requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

If you do not have the Alfa network adapters, you can use another wireless adapter whose chipset supports packet injection. However, without the recommended Alfa adapters, you won't be able to complete the hands-on labs in this chapter.

Introduction to Wireless Networking

As an aspiring ethical hacker and penetration tester, it’s important to understand the key concepts and fundamentals of wireless networking and its technologies before learning how to compromise a targeted wireless network.

Wireless penetration testing isn’t just about hacking into a targeted wireless network and gaining unauthorized access – it extends beyond this traditional concept. Wireless penetration testing is performed by employing the following systematic stages, which aim to help ethical hackers and penetration testers perform a comprehensive evaluation of an organization’s wireless network to determine its security posture:

  • Network scanning – The network-scanning phase focuses on collecting and analyzing information (reconnaissance) about the targeted wireless network. This stage helps the penetration tester to identify network resources, associated clients, the manufacturer of the wireless...

Performing Wireless Reconnaissance

As with any type of penetration test that follows the Cyber Kill Chain, the first stage is to gather as much information about the target as possible by performing reconnaissance. Reconnaissance in wireless penetration testing allows you to discover nearby wireless clients, wireless routers, and access points, perform fingerprinting on wireless devices, and even determine the manufacturer of an access point. By gathering information about a wireless network and its devices, you can research security vulnerabilities that can help you exploit and compromise the wireless network.

The following diagram shows the Cyber Kill Chain and its stages:

Figure 14.11: Cyber Kill Chain

When performing reconnaissance on a wireless network, the penetration tester does not need to be associated with or connected to the targeted wireless network, but they do need to be within the vicinity of the target. Using a wireless network adapter that supports packet...

Compromising WPA/WPA2 Networks

Many small and medium-sized organizations configure their wireless routers and access points to operate in autonomous mode, which means that each access point is independent of the others. This creates an issue when IT professionals have to make administrative changes to the wireless network as they are required to log in to each access point to make the configuration change.

However, in many instances where the access points are operating in autonomous mode, their wireless security configurations are usually set to WPA2-PSK (personal mode). This allows IT professionals to configure a single password or passphrase on the access point that is shared with anyone who wants to access the wireless network.

Using WPA2-PSK is recommended for small networks such as home users and small organizations with few users. However, there are many medium and large organizations that also use this wireless security mode.

As you can imagine, if many users are...

Performing AP-less Attacks

AP-less attacks are a type of wireless-based attack where the penetration tester sets up an access point to mimic a legitimate wireless network without the need to immediately access the legitimate targeted network. Sometimes, this type of attack is used to determine whether users unknowingly connect to malicious wireless networks that are pretending to be legitimate. In addition, this attack type can be used to capture the WPA handshake from a wireless client, which contains the legitimate key for accessing a targeted wireless network.

In an AP-less attack, the access point or wireless router is not present in the vicinity, but a wireless client such as a laptop or even a smartphone is broadcasting probes, seeking to establish a connection with a targeted wireless network that is within its preferred network list. Penetration testers can attempt to retrieve the password/passphrase of a wireless network, even if the wireless router or access point is not present...

Exploiting Enterprise Networks

In this section, we will be utilizing the enterprise wireless lab that we built in Chapter 3, Setting Up for Advanced Penetration Testing Techniques, as it contains all the configurations needed to simulate an enterprise wireless network infrastructure that utilizes the Authentication, Authorization, and Accounting (AAA) framework with a RADIUS server.

The following diagram provides a visual representation of the wireless network for this exercise:

Figure 14.38: Network setup

As shown in the preceding diagram, our RADIUS server (virtual machine) will function as the access server, which handles the AAA functions. The access point functions as the authenticator, which provides access to the network and relays authentication information to the RADIUS server, and a wireless client is associated with the access point on the network.

Before proceeding, please ensure you note the following guidelines:

  • You will need two wireless network adapters...

Setting Up a Wi-Fi Honeypot

As an aspiring ethical hacker and penetration tester, you may need to perform extensive wireless security testing for your company or a client organization. Creating a rogue access point with a relevant and interesting SSID (wireless network name), such as VIP_WiFi or Company-name_VIP, will lure employees to connect their personal and company-owned mobile devices to your rogue wireless network. When creating a rogue access point, the objective is to capture users’ credentials and sensitive information, as well as to detect any vulnerable wireless clients within the targeted organization.

The following are some tips to consider when deploying your rogue access point:

  • Choose a suitable location to ensure there is maximum coverage for potential victims.
  • De-authenticate clients from the real access point, causing them to create an association with the rogue access point.
  • Create a captive portal to capture user credentials.
  • ...

Exploiting WPA3 Attacks

At the time of writing, WPA3 is the latest wireless security standard in the wireless networking industry, having been released in 2018. As such, it has resolved various security concerns that existed in its predecessor, WPA2. In the previous sections, you discovered various types of attacks that a penetration tester can use to compromise an IEEE 802.11 wireless network using the WPA2 wireless security standard.

WPA2 wireless networks are highly vulnerable to wireless de-authentication attacks, which allow a threat actor or a penetration tester to send de-authentication frames to any wireless clients that are associated with a specific access point. However, WPA3 is not susceptible to de-authentication attacks because, unlike its predecessors, WPA3 uses Protected Management Frames (PMF).
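The two behaviours described in this section and in the Wi-Fi honeypot section (a rogue or evil-twin access point advertising a familiar or lure SSID, and a burst of de-authentication frames against a WPA2 network) are exactly what a wireless IDS looks for. The following Python is an added example, not code from the book: it runs both checks over constructed frame summaries, with made-up BSSIDs, SSIDs, an assumed AP inventory (AUTHORIZED) and an assumed organisation-name fragment (ORG_TOKEN).

```python
# Constructed 802.11 management-frame summaries, shaped like a wireless IDS
# sensor's log: (time_s, frame_type, bssid, ssid, security). All addresses and
# names are made up for this example.
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "Corp-WiFi", "WPA3"),
    (0.1, "beacon", "aa:bb:cc:00:00:02", "Corp-WiFi", "WPA3"),
    (0.2, "beacon", "de:ad:be:ef:00:01", "Corp-WiFi", "OPEN"),   # our SSID, unknown BSSID
    (0.3, "beacon", "de:ad:be:ef:00:02", "Corp_VIP", "WPA2"),    # lure name, unknown BSSID
    (0.4, "beacon", "11:22:33:44:55:66", "CoffeeShop", "WPA2"),  # unrelated neighbour
]
# 40 deauth frames in 0.4 s carrying our AP's address, then one lone deauth (normal roaming)
FRAMES += [(2.0 + i * 0.01, "deauth", "aa:bb:cc:00:00:01", None, None) for i in range(40)]
FRAMES.append((5.0, "deauth", "aa:bb:cc:00:00:02", None, None))

AUTHORIZED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # assumed inventory of our APs
OUR_SSID = "Corp-WiFi"
ORG_TOKEN = "corp"  # assumed: the name fragment a lure SSID such as Company-name_VIP reuses

def _norm(ssid):
    # Case- and punctuation-insensitive form so "Corp-WiFi" and "corp_wifi" compare equal.
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def find_rogue_aps(frames, authorized=AUTHORIZED, our_ssid=OUR_SSID, org_token=ORG_TOKEN):
    """{bssid: reason} for beacons from BSSIDs outside the inventory that clone our SSID (evil twin) or reuse the org name (lure)."""
    rogues = {}
    for _, ftype, bssid, ssid, sec in frames:
        if ftype != "beacon" or bssid in authorized or not ssid:
            continue
        if _norm(ssid) == _norm(our_ssid):
            rogues[bssid] = f"evil twin of {our_ssid} ({sec})"
        elif org_token in _norm(ssid):
            rogues[bssid] = f"lure SSID {ssid!r} ({sec})"
    return rogues

def find_deauth_floods(frames, window_s=1.0, threshold=10):
    """{bssid: peak_count} for senders exceeding threshold deauths inside any window_s-second window."""
    times = {}
    for t, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            times.setdefault(bssid, []).append(t)
    floods = {}
    for bssid, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):       # sliding window over sorted timestamps
            while t - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[bssid] = peak
    return floods
```

On a WPA3 network with PMF, forged de-authentication frames are discarded by the client, so the flood detector is chiefly a WPA2 (or PMF-disabled) concern, while the rogue-AP check applies regardless of the security mode.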

The following comparison will help you quickly understand the new features and technologies of WPA3:

  • Opportunistic Wireless Encryption (OWE) is an implementation...

Summary

In this chapter, you learned about the fundamentals of wireless networking and the security mechanisms that are used to provide a layer of security to users and organizations who implement wireless networking within their companies. Furthermore, you now know how to compromise WPA, WPA2, WPA3, personal, and enterprise networks. Additionally, you have learned how to perform an AP-less attack, which allows a penetration tester to retrieve the password of a probing client where the desired access point is not present within the vicinity. Lastly, you learned how to create wireless honeypots, which act as an evil twin, and rogue access points.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you in your journey, allowing you to navigate the industry with confidence and make a...

Further Reading

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
