Wireless Penetration Testing Checklist – A Detailed Cheat Sheet

Wireless Penetration testing actively examines the process of Information security Measures which is Placed in WiFi Networks and also analyses the Weakness, technical flows, and Critical wireless Vulnerabilities.

Most important countermeasures we should focus on Threat Assessment, Data theft Detection, security control auditing, Risk prevention and Detection, information system Management, Upgrade infrastructure and the Detailed report should be prepared.

Framework for Wireless Penetration Testing

1. Discover the Devices which connected with Wireless Networks.

2. Document all the findings if Wireless Device is Found.

3. If wireless Device found using Wifi Networks, then perform common wifi Attacks and check the devices using WEP Encryption.

4. if you found WLAN using WEP Encryption then Perform WEP Encryption Pentesting.

5. Check whether WLAN Using WPA/WPA2 Encryption .if yes then perform WPA/WPA2 pentesting .

6. Check Whether WLAN using LEAP Encryption .if yes then perform LEAP Pentesting.

7. No other Encryption Method used which I mentioned above, Then Check whether WLAN using unencrypted.

8. If WLAN is unencrypted then perform common wifi network attacks, check the vulnerability which is placed in unencrypted method and generate a report.

9. Before generating a Report make sure no damage has been caused in the pentesting assets.

Wireless Pentesting with WEP Encrypted WLAN

1.Check the SSID and analyze whether SSID Visible or Hidden.

2. Check for networks using WEP encryption.

3.If you find the SSID as visible mode then try to sniff the traffic and check the packet capturing status.

4. If the packet has been successfully captured and injected then it’s time to break the WEP key by using a WiFi cracking tool such as Aircrack-ng, WEPcrack .

4. If packets are not reliably captured then sniff the traffic again and capture the Packet.

5. If you find SSID is the Hidden mode, then do Deauthentication the target client by using some of deauthentication tools such as Commview and Airplay-ng.

6.Once successfully Authenticated with the client and Discovered the SSID , then again follow the Above Procedure which is already used for discovered SSID in earlier steps.

7.Check if the Authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, then bypassing mechanism needs to be performed.

9.Check if the STA (stations/clients) are connected to AP (Access Point) or not. This information is necessary to perform the attack accordingly.

If clients are connected to the AP, Interactive packet replay or ARP replay attack needs to be performed to gather IV packets which can be then used to crack the WEP key.

If there’s no client connected to the AP, Fragmentation Attack or Korex Chop Chop attack needs to be performed to generate the keystream which will be further used to reply ARP packets.

10.Once the WEP key is cracked, try to connect to the network using wpa-supplicant and check if the AP is allotting any IP address or not.”EAPOL handshake”

Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN

1. Start and Deauthenticate with WPA/WPA2 Protected WLAN client by using WLAN tools Such as Hotspotter, Airsnarf, Karma, etc .

2. If the Client is Deaauthenticated, then sniff the traffic and check the status of captured EAPOL Handshake.

3.If the client is not Deauthenticate then do it again.

4.Check whether EAPOL handshake is captured or Not.

5.Once you captured EAPOL handshake, then perform PSK Dictionary attack using coWPAtty , Aircrack-ng to gain confidential information.

6. Add Time-memory trade off method (Rainbow tables) also known as WPA-PSK Precomputation attack for cracking WPA/2 passphrase. Genpmk can be used to generate pre computed hashes.

7.if its Failed then Deauthenticate again and try to capture again and redo the above steps.