Planning Wireless Penetration Testing: Tools and Techniques
Wireless penetration testing assesses the security of your wireless network, including its security protocols, authentication methods, configuration, connected devices, and access points.
Identifying vulnerabilities within a Wi-Fi network can require specific tools and knowledge, but much of the information is readily available and the tools are largely open source, allowing you to set up, test, and secure your Wi-Fi networks.
Where wireless networks are used for business, an additional risk to communications is introduced that is not present for wired networks.
As data is communicated wirelessly, anyone within range of this wireless signal may be in a position to monitor or compromise this data, and with long-range wireless network adaptors, an attacker may not need to be near your offices and can accomplish this from increasing distances.
Real-world attacks on Wi-Fi networks have even been conducted using drones carrying a WiFi Pineapple to reach the wireless network.
Security Risks for Wireless Networks
Several key risks for wireless infrastructure can be targeted for exploitation.
- The security protocols in use, if not maintained to the latest available standards, can be subject to compromise.
- The authentication methods used may rely on relatively weak and insecure passwords or passphrases for access which can be derived by an attacker.
- The wireless access points themselves may be misconfigured or vulnerable to compromise, which can lead to further access into internal company networks.
- Users connecting devices to a wireless network may be compromised, which may lead to further access to internal company resources.
- A cloned version of the wireless access point can be created, broadcasting the same network name and connection information, resulting in users joining an attacker-controlled network.
When conducting wireless penetration testing, the potential of each threat to your organization should be considered and appropriate testing processes agreed upon with your penetration testing partner.
Common Exploit Targets for Wireless Networks
While some wireless exploitation techniques are more targeted towards a specific organization, many of the initial monitoring techniques can be conducted within popular areas with many wireless networks and people using them.
City centers with a range of shops and offices, each broadcasting a wireless network, can be common targets, as they allow an attacker to identify many wireless networks, gather a range of data, and then select their targets based upon the weakest configured security standards.
Business parks can similarly be targeted, as they present an opportunity to gather information for multiple wireless networks and then choose targets at a later date.
Using long-range network adaptors for monitoring networks, it is also possible to remain in a location for a prolonged period to gather the communication data and information necessary to plan more targeted attacks.
“Wardriving” refers to this type of monitoring, where an attacker will set up the necessary equipment to monitor communications as they drive around certain areas. They can then return to the same locations, at a later date, for wireless networks that they intended to target.
Wireless Penetration Testing Tools
When establishing the security of your wireless network there is a range of freely accessible tools, as well as some equipment that can be purchased, to help assess the security of your network.
Where a third-party security testing company is used to assess your wireless network, they are also likely to make use of the following types of tools and techniques.
Multiple toolsets have been developed to simplify the process of testing wireless infrastructure and exploiting security flaws in their implementation.
The following is a list of some of the wireless testing tools which are available:
Making use of operating systems designed for security testing, such as Kali Linux, makes many of the tools for wireless penetration testing readily available.
A wireless network adaptor that can conduct packet injection or be configured as an access point will still be needed as many built-in wireless adaptors for devices do not have this ability.
When conducting security testing of networks several tools can be useful for monitoring, testing, and establishing connections, such as the following:
Wireless Penetration Testing Techniques
When you first set up your wireless network, and throughout the ongoing management of the network, there are multiple exploitation techniques that an attacker may attempt to take advantage of.
When arranging wireless penetration testing, these same techniques should also be checked for by the security testing company.
Maintaining an awareness of the potential risks involved in wireless networks, and how to mitigate them, is vital to maintaining your company’s overall security posture and avoiding vulnerabilities being introduced into your network.
Throughout the wireless penetration testing process, many different types of security checks can be conducted to review your current security measures and determine the state of security for your network, devices, and users.
Weak Security Protocols
Wireless security protocols have undergone a lot of development and refinement over the years.
Although the method of encrypting and securing data has matured, there are still risks involved as communications can be monitored by anyone within range of the wireless signal.
Earlier versions of wireless security protocols were found to have fundamental flaws which grew into a significant security issue, particularly as computing speeds increased and reduced the time to compromise to minutes.
Testing for Weak Security Protocols
Monitoring wireless network traffic is possible using freely available software such as the Aircrack-ng suite of tools, or using hardware such as a WiFi Pineapple.
The process of monitoring these wireless network communications will allow the identification of all the wireless networks within range, as well as key information such as the security protocols that are in use.
Wired Equivalent Privacy (WEP). WEP was initially developed to provide security and data confidentiality which was considered similar to that of a wired network.
However, due to its use of weak encryption standards, it is now considered insecure, and tools such as the Aircrack-ng suite are available to generate traffic with unique Initialization Vectors (IVs).
After a sufficient number of packets with unique IVs have been captured, it is possible to crack WEP by calculating the key in use. This can occur in a relatively short period, granting malicious hackers access to the network.
Resolving Weak Security Protocols
As WEP was found to have fundamental flaws, there isn’t a patch or method of mitigation to secure this type of communication.
Migrating to a more modern encryption standard is the only way to avoid this type of security issue, although any more modern wireless standard should be set up with consideration for each of the other methods of exploitation listed here.
Wi-Fi Protected Access (WPA) was intended to act as the replacement for WEP, but security flaws were ultimately identified within this protocol as well.
WPA2 has become the common default option for most wireless networks, and WPA3 has been developed more recently to further improve upon the security standards in use. One of these, configured with consideration for the other security risks described here, should be used for modern networks.
Easily Guessable Passwords
Wireless authentication protocols have developed and become more secure over time; however, many organizations still utilize a Pre-Shared Key (PSK) or shared password as the method to access the wireless network.
Where the PSK in use is configured as a relatively weak and easily guessable password, this can undermine the security of the organization and result in attackers gaining unauthorized access to the company network.
In some setups, such as 802.1X, the authentication can rely upon a username and password for authentication. This can also result in insecure passwords for user accounts leading to network compromise if no additional security measures are put in place to protect the authentication process.
Testing For Weak Passwords
In many cases, the PSK can be configured based on the name of the company, local landmarks, or common words and phrases, which can be derived by an attacker.
The network will then be subject to brute force password guessing attacks, where multiple passwords are tested in an attempt to establish network access.
Several open-source tools have been developed which are freely available for use and can carry out such actions.
Where an organization makes use of 802.1X authentication measures a username and password can be required for authentication to the wireless network.
If no other security measures are enabled to restrict the devices that can connect, the security of the network can also become dependent on the weakest configured username and password. This opens up the potential for further brute-force password-guessing attacks.
Avoiding Easily Guessable Passwords
For wireless networks that utilize a PSK for authentication, it is recommended to generate a random and complex password which does not utilize any words or key phrases that can be connected to the company.
Complex passwords such as this can be changed regularly to avoid a sustained brute force password guessing attack being successful, but not so frequently that users fall into common bad habits such as writing passwords down.
Using a brute-force password calculator against an example password of similar length and complexity, you can determine the theoretical amount of time it may take for an attacker to determine the password and plan password changes around this, although with enough complexity an annual password change may be suitable.
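The password-planning calculation described above, written out as an added example (not code from the original article): it scores a candidate PSK against the guidance here, flagging length outside the WPA2-PSK range, company-related terms (including common character substitutions) and the word-plus-digits pattern that a dictionary attack covers, then estimates how long exhausting the key space would take at an assumed offline guessing rate. The guess rate, the company term list and the rotation thresholds are assumptions to replace with your own figures.

```python
import math
import re

# Assumed offline guessing rate for planning (an assumption, not a figure from the
# article): replace with a rate measured on the cracking hardware you expect to face.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed list of terms tied to the organization (name, site, local landmark)
COMPANY_TERMS = ["acme", "acmecorp", "riverside", "towerbridge"]

# Substitutions that wordlist rules undo automatically ("P@ssw0rd" -> "password")
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# A word followed by a few digits/symbols: the typical human-chosen PSK shape
WORD_PLUS_DIGITS = re.compile(r"[A-Za-z]{3,}[0-9!@#$%^&*]{0,6}")


def charset_size(psk):
    """Size of the smallest standard character set covering every character."""
    size = 0
    if re.search(r"[a-z]", psk):
        size += 26
    if re.search(r"[A-Z]", psk):
        size += 26
    if re.search(r"[0-9]", psk):
        size += 10
    if re.search(r"[^A-Za-z0-9]", psk):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(psk):
    """Entropy assuming the PSK was generated uniformly at random from its
    character set; a human-chosen PSK has far less than this."""
    if not psk:
        return 0.0
    return len(psk) * math.log2(charset_size(psk))


def years_to_exhaust(psk, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate in the key space (the attacker's worst case)."""
    return 2 ** entropy_bits(psk) / rate / SECONDS_PER_YEAR


def contains_company_term(psk, terms=COMPANY_TERMS):
    normalised = psk.lower().translate(LEET)
    return any(term in normalised for term in terms)


def assess_psk(psk, rate=ASSUMED_GUESSES_PER_SECOND):
    """Findings against the article's guidance plus a rotation recommendation."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("WPA2-PSK passphrases must be 8 to 63 ASCII characters")
    if contains_company_term(psk):
        findings.append("contains a company-related term")
    if WORD_PLUS_DIGITS.fullmatch(psk):
        findings.append("word-plus-digits pattern: dictionary attack applies, entropy estimate does not")
    years = years_to_exhaust(psk, rate)
    if years < 1:
        findings.append(f"key space exhausted in under a year at {rate:,} guesses/s")
    # Assumed thresholds: decades of margin justify an annual change, less margin a shorter cycle.
    rotation = "annual" if years >= 100 else "quarterly" if years >= 1 else "immediate"
    return {"psk": psk, "bits": round(entropy_bits(psk), 1), "years_to_exhaust": years,
            "rotation": rotation, "findings": findings, "acceptable": not findings}
```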
Where username and password authentication measures are in use, implementing secure password requirements for your users can increase the difficulty of password brute force guessing attacks, but would not eliminate the risk.
Where 802.1X authentication measures are in use, certificate-based authentication can be used. This ensures that only devices that have a valid certificate installed can connect to the network and removes the dependence on strong user-chosen passwords to protect the network.
Capturing Authentication Handshakes
Depending upon the wireless protocols in use, such as WPA2-PSK, an authentication handshake can be intercepted and captured by an attacker.
For wireless networks that utilize a PSK, the capture of a handshake cannot be prevented, as an attacker may monitor the network over a prolonged period, or use methods to de-authenticate a user from the network, requiring them to reauthenticate.
As users join the wireless network and reauthenticate their devices, an authentication handshake takes place between the connecting device and the wireless access point.
Capturing the Handshakes
During a wireless penetration test, the authentication handshake can be monitored and collected by a pen tester using tools such as Aircrack-ng.
The information captured from this authentication handshake can then be fed to open-source tools such as John the Ripper and Hashcat, which aim to brute force the PSK in use for the wireless network using a dictionary attack.
The benefit of this method, unlike directly logging into the Wi-Fi network, is that malicious hackers can capture multiple authentication handshakes from any given area and then leave.
With the information collected, they can crack PSK passwords over time and return at a later date.
Preventing The Capture of Authentication Handshakes
This type of attack can be mitigated through the use of complex and randomly generated passwords which can be altered over time, to avoid password cracking techniques revealing the PSK in a short timeframe and the attacker returning with a valid PSK.
The method of authentication can also be migrated to a more secure alternative, such as WPA2-Enterprise with EAP-TLS, where certificate-based authentication is used and the dependency on secure user-chosen passwords is removed.
Evil Twin Attacks
An evil twin attack aims to replicate the Service Set Identifier (SSID) of a legitimate access point. This is the name of the network which is broadcast for users to connect to.
By copying the legitimate access point and broadcasting a stronger signal over a larger area, the attacker encourages devices to join the attacker’s network rather than the legitimate one, which appears with a weaker signal in the device’s list of available networks.
Methods are also available for an attacker to issue de-authentication frames over a wireless network. These disconnect a legitimate user from the network, requiring them to reestablish their connection.
With an attacker already in place with a cloned access point, this increases the probability of users joining their fake wireless network.
Escalating with a Captive Portal
The setup of a cloned access point can also be combined with a fake login portal, which is presented as a requirement to join the wireless network. This portal can be designed for users to disclose their legitimate login details for other services, which will be logged and collected by the attacker.
Escalating with Man-In-The-Middle
A sustained man-in-the-middle attack can also be conducted while the user is connected to the cloned access point. During this process, the attacker can monitor all connections and requests that are made by the user, attempting to collect login information, bank details, and other information.
While most websites utilize encryption which provides a level of protection and prevents the information from being directly visible to an attacker, there can be techniques available to downgrade the type of encryption in use.
Attackers can also set up cloned login portals for many common services; because they monitor and control the flow of traffic, a user attempting to access a legitimate service may inadvertently be directed to the attacker-controlled copy instead.
Creating a Cloned Access Point
Simple testing tools are available with a point-and-click interface to test many vulnerabilities within wireless infrastructure, including the evil twin attack. Many open-source tools and resources are also available to conduct this type of attack, with only an additional wireless network adaptor required.
The WiFi Pineapple provides an easy-to-use web interface that allows penetration testers to establish cloned access points and begin assessing your systems for this type of attack.
Preventing an Evil Twin Attack
While there is no simple solution to prevent this type of attack and stop new wireless access points from appearing, there are options available to monitor wireless networks.
Wireless monitoring tools, such as those developed by SolarWinds, can help identify any new access points that appear.
Multiple best practice security measures can also be followed to mitigate the risk of compromise.
- A simple solution for many is to avoid public wireless networks and only join trusted wireless networks, your own mobile hotspot, or utilize mobile data.
- Most devices offer options to stop automatically joining wireless networks. This can help avoid automatically connecting to networks that may be untrusted.
- Using an always-on VPN service with strong encryption standards minimizes the threat of a successful man-in-the-middle attack as your data should remain protected through sufficient encryption protocols.
- When connecting to a network you are unsure of, never enter any personal information, login information, or banking information into any portal or form.
- Stay cautious of any services you attempt to access that don’t make use of secure encrypted connections. Many browsers have options available to prevent connections to sites that do not use secure connections.
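As an added example of the monitoring recommended above (not code from the original article or from any vendor tool), the script below compares a wireless survey against an inventory of authorized access points: it flags unknown BSSIDs broadcasting the organization’s SSIDs as evil twin candidates, noting whether they are louder than the legitimate AP, and lists every network in range still using open, WEP or WPA, which also covers the protocol check described under Testing for Weak Security Protocols. The CSV layout, BSSIDs and inventory are constructed for the example.

```python
import csv
import io

# Constructed survey export in a simplified CSV layout (not the output format of
# airodump-ng, the WiFi Pineapple or any other tool).
SURVEY_CSV = """bssid,ssid,channel,signal_dbm,security
AA:BB:CC:00:00:01,AcmeCorp,6,-48,WPA2
AA:BB:CC:00:00:02,AcmeCorp,11,-55,WPA2
AA:BB:CC:00:00:03,AcmeGuest,1,-50,WPA2
DE:AD:BE:EF:00:01,AcmeCorp,6,-31,WPA2
DE:AD:BE:EF:00:02,AcmeGuest,1,-35,OPEN
11:22:33:44:55:66,Warehouse-Printer,3,-70,WEP
00:11:22:33:44:55,CoffeeShop,9,-80,WPA
"""

# Constructed authorized inventory from the AP controller: BSSID -> (SSID, security)
INVENTORY = {
    "AA:BB:CC:00:00:01": ("AcmeCorp", "WPA2"),
    "AA:BB:CC:00:00:02": ("AcmeCorp", "WPA2"),
    "AA:BB:CC:00:00:03": ("AcmeGuest", "WPA2"),
}

# Protocols the article describes as compromised or superseded
DEPRECATED = {"OPEN", "WEP", "WPA"}


def parse_survey(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bssid"] = row["bssid"].upper()
        row["security"] = row["security"].upper()
        row["signal_dbm"] = int(row["signal_dbm"])
    return rows


def find_evil_twins(rows, inventory):
    """Any BSS broadcasting one of our SSIDs from a BSSID we do not own.
    Also records whether it is louder than our strongest legitimate AP for
    that SSID, since a stronger signal is what pulls clients across."""
    our_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    for row in rows:
        if row["ssid"] not in our_ssids or row["bssid"] in inventory:
            continue
        legit = [r["signal_dbm"] for r in rows
                 if r["bssid"] in inventory and r["ssid"] == row["ssid"]]
        findings.append({
            "bssid": row["bssid"], "ssid": row["ssid"], "channel": row["channel"],
            "security": row["security"],
            "louder_than_legitimate": bool(legit) and row["signal_dbm"] > max(legit),
        })
    return findings


def find_weak_protocols(rows, inventory):
    """Every BSS in range using a deprecated protocol, marked as ours or not."""
    return [{"bssid": r["bssid"], "ssid": r["ssid"], "security": r["security"],
             "ours": r["bssid"] in inventory}
            for r in rows if r["security"] in DEPRECATED]


def audit(text=SURVEY_CSV, inventory=INVENTORY):
    rows = parse_survey(text)
    return {"evil_twins": find_evil_twins(rows, inventory),
            "weak_protocols": find_weak_protocols(rows, inventory)}
```

In the constructed data the open AcmeGuest twin appears in both lists, which is the captive-portal variant described above.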
Rogue Access Points
A rogue access point is a device connected to an organization’s network without its knowledge or authority.
Rogue access points can be intentional but also inadvertent: a legitimate user who plugs a device into the office network for simplicity or easy access may mistakenly create a wireless access point that is configured with no security protocols or is easily compromised.
Where a rogue access point is set up intentionally, this may be through social engineering or other methods that would allow for physical access to your network, if only for a short period to install wireless devices.
Utilizing Rogue Access Points
A rogue access point provides an attacker the ability to establish their own wireless access point into an otherwise inaccessible network.
They can then continue to use this Wi-Fi access to target vulnerabilities within other devices on the network or to monitor network traffic.
With sufficient time and the ability to monitor network communications and identify vulnerabilities within other network-connected devices, an attacker may escalate their permissions throughout the network.
This can lead to an attacker gradually compromising user credentials, databases, payroll information, and any critical data accessible throughout the network.
Testing With Rogue Access Points
The WiFi Pineapple can provide the ability to set up and test a network using a rogue access point, however, the type of security measures that are already in place may dictate the type of testing that is conducted.
If no existing cyber security measures are in place to prevent unknown devices from connecting to your network this type of test will inevitably be successful if there is the potential to gain physical access to a connection point.
Where security measures have been implemented, physical access tests with the goal of installing a network-connected device may be a viable testing strategy to review whether your existing security measures are working effectively.
Preventing Rogue Access Points
To prevent unauthorized access to your network, there are several security measures available to prevent unknown devices from connecting.
- For ethernet connections, a simple physical security measure can be to use RJ45 Port Blockers. These are covers that will block your unused ethernet ports and prevent devices from being installed.
- Similarly, RJ45 cable locks can be used to secure cables in place and prevent them from being removed or tampered with.
- Port security controls can be used, such as 802.1X port security, as a more complete security solution. This prevents unauthorized devices from connecting to your network and ensures that even if devices are plugged into a connection point, they will not be able to establish a network connection.
- Network monitoring tools can also be used to identify rogue devices that are connected to your network through solutions such as Cisco’s Detect and Locate.
Other Directly Accessible Networks
Where wireless access points are installed for an organization, it can be common that these devices manage both the company and guest wireless network and may connect to company firewalls and other internal devices.
Although not a direct security weakness within the wireless network, the connections and routing information between a wireless network and a company network may be configured in a manner that allows connections to be established.
These connections may be possible from the guest network to the company network for specific types of services or specific devices.
If these connections are made available, an attacker may be able to identify vulnerabilities within the exposed devices or services and use this as a method to compromise the accessible device.
With a single compromised device, an attacker may then be able to pivot their access to other devices within the company network that were previously inaccessible.
Testing Network Connections
To identify where misconfigurations in routing have occurred, a device connected to the guest wireless network can attempt device discovery and port scans targeted towards the company network.
Scanning tools such as Nmap would be suitable to discover any potential open connections within the target network.
Additionally, auditing wireless networks, access points, and firewall access control lists can be conducted to determine any insecure configuration that may result in inadvertent connections being established between the two networks.
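The access-control-list audit described above, as an added example that is not part of the original article: it evaluates a guest-to-company ruleset with first-match semantics and produces a "paper port scan", the flows a guest client would find open into the company ranges, from the tester’s probes plus one probe derived from each permit rule that touches a company range (so a permit shadowed by an earlier deny drops out). The rule syntax, addresses and probes are constructed for the example and do not follow any real firewall’s format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ruleset in a simplified vendor-neutral layout (not any real firewall
# syntax): action proto src dst port; first match wins, implicit deny at the end.
RULES_TEXT = """
permit udp 192.168.50.0/24 10.0.10.53/32 53    # guest DNS via internal resolver
permit tcp 192.168.50.0/24 10.0.10.5/32  443   # intranet portal deliberately exposed
permit any 192.168.50.0/24 10.0.20.0/24  any   # leftover change: whole server VLAN
deny   any 192.168.50.0/24 10.0.0.0/8    any   # guests must not reach company ranges
permit any 192.168.50.0/24 0.0.0.0/0     any   # internet access for guests
"""
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Probes a tester would send from the guest network (constructed sample)
PROBES = [("10.0.20.10", "tcp", 445), ("10.0.10.5", "tcp", 22), ("10.0.10.5", "tcp", 443)]


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str  # "any" or a port number as text

    def matches(self, src_ip, dst_ip, proto, port):
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto) and self.port in ("any", str(port)))


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, proto, src, dst, port = line.split()
            rules.append(Rule(action, proto, ipaddress.ip_network(src),
                              ipaddress.ip_network(dst), port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Action of the first matching rule; implicit deny if none matches."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule
    return "deny", None


def audit_guest_to_corporate(rules, guest_net, corp_nets, probes):
    """Flows a guest client would find open into the company ranges."""
    src_ip = str(guest_net[1])  # first usable host plays the scanning client
    all_probes = list(probes)
    for rule in rules:
        if rule.action != "permit" or not rule.src.overlaps(guest_net):
            continue
        for corp in corp_nets:
            if not rule.dst.overlaps(corp):
                continue
            inner = corp if corp.subnet_of(rule.dst) else rule.dst  # CIDRs nest or are disjoint
            target = inner[1] if inner.num_addresses > 2 else inner[0]
            proto = "tcp" if rule.proto == "any" else rule.proto
            port = 445 if rule.port == "any" else int(rule.port)  # sample port for "any"
            all_probes.append((str(target), proto, port))
    permitted = set()
    for dst, proto, port in all_probes:
        if evaluate(rules, src_ip, dst, proto, port)[0] == "permit":
            permitted.add((dst, proto, port))
    return sorted(permitted)


def run_audit():
    return audit_guest_to_corporate(parse_rules(RULES_TEXT), GUEST_NET, CORP_NETS, PROBES)
```

In the constructed ruleset the server VLAN permit sits above the deny and is reported in full, while the internet rule is correctly shadowed for company addresses.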
Avoiding Connections to Internal Networks
As this issue is the result of a misconfiguration in routing information, ensuring a secure build and configuration process that is reviewed and tested before being implemented is an important preventative action.
Processes should also be in place to approve and verify any configuration changes which may occur after the initial setup, to ensure that misconfigurations are not introduced over time.
Dual-Homed Devices
A dual-homed device is a client device that is connected to two different networks at the same time.
This could be through a laptop which is plugged into an ethernet cable, providing a connection to a company network, but also connected via a wireless connection to a guest or open network.
While this is not a vulnerability directly impacting the wireless network, it can allow an attacker joining the guest/open wireless network to target and compromise dual-homed devices.
Using the compromised device as an access point, the attacker can then begin targeting other devices on the company network.
Cyber Security Testing for Dual-Homing
This type of exploit would rely on several different issues which reduces its likelihood but not its potential impact.
Assuming devices are connected to both company and guest networks at the same time an attacker could conduct a network discovery scan and port scan of accessible devices on the network, using tools such as Nmap.
This would identify other devices present on the same guest network, but also identify the accessible ports and services which these devices are running.
The identified services would then need to present an authentication interface, where the attacker can attempt to conduct brute force login attempts to determine a valid set of credentials for the device.
Alternatively, the accessible services may be outdated and contain vulnerabilities that an attacker could directly target to compromise the device.
After compromising a device connected to both networks, it would then be possible to use techniques such as port forwarding, and tools such as proxychains, to use the device as an access point and begin searching for devices and vulnerabilities within the company network.
Preventing Dual-Homed Devices
As this process relies upon identifying vulnerabilities within devices joined to the same guest wireless network, limiting an attacker’s ability to access these devices can prevent this type of attack.
- Software firewalls on devices should be configured to avoid any services being unnecessarily accessible. This is particularly important for open and guest networks where there can be unknown devices. Windows devices have settings available to alter the state of the firewall for connections over public and private networks, becoming more restrictive for public networks.
- Many Windows devices also have network adaptor properties that can be enabled which will disable the wireless network connection when a wired connection is established. This can prevent devices from being dual-homed and connected to two networks at the same time.
- Wireless networks often have options available for client isolation. This prevents devices connected to the same wireless network from having direct visibility of each other and removes an attacker’s ability to find potential devices to target for exploitation. This is particularly useful for many public and guest wireless networks where there should be no reason for devices to directly communicate.
Conclusion
While there are risks to using a wireless network, there are also benefits, and security measures are available to remove or mitigate the potential risks.
When establishing any new network, device, or technology it is important to consider the security implications, be aware of the potential risks, follow recommended best practices, and conduct regular testing to identify security weaknesses.
Wireless penetration testing can include checks for specific vulnerabilities that do not occur in wired networks, which require a different set of tools and knowledge to complete, although each issue should be treated as part of your vulnerability management lifecycle.
When configuring and arranging tests against your wireless network it is important to be aware of these potential threats, ensure you maintain high security standards, and conduct the right type of security testing for your organization.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.