Wireless Penetration Testing: What You Should Understand

WPA/WPA2 PSK

MUHAMMAD USMAN SABIR
Mar 21, 2021 · 6 min read

PSK stands for Pre-Shared Key. WPA/WPA2 PSK is a technique to secure a wireless network with Pre-Shared Key (PSK) authentication. It is designed for home users rather than for enterprise use.

How it works

A plain English passphrase ranging from 0 to 63 characters is used in WPA/WPA2 PSK instead of the encryption key. Using TKIP, the passphrase together with the network SSID is used to generate encryption keys that are unique for each client, and these encryption keys change constantly.

Vulnerability Analysis

In WPA/WPA2 PSK, a four-way handshake is required in order to connect to the wireless network. Both the client and the AP attempt to prove that they know the PSK without leaking or disclosing any information. The client and the AP compute a Pairwise Master Key (PMK) from the PSK passphrase and the SSID.
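As an added illustration that is not part of the original post, here is the PMK derivation just described, in Python. Per IEEE 802.11i the PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, with 4096 iterations and a 256-bit output; because the PMK depends only on those two inputs, anyone holding a captured handshake can test candidate passphrases offline, which is why passphrase strength matters. The `password`/`IEEE` value is the published IEEE test vector; `HomeNet` is a constructed SSID.

```python
import hashlib

# Added example (not from the original post): the WPA/WPA2-PSK
# Pairwise Master Key derivation from IEEE 802.11i:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)

PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # 256-bit PMK


def passphrase_is_valid(passphrase: str) -> bool:
    """IEEE 802.11 restricts an ASCII passphrase to 8..63 characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK that both client and AP compute for a PSK network.

    The SSID acts as the PBKDF2 salt, so the same passphrase on two networks
    with different names yields two different PMKs.
    """
    if not passphrase_is_valid(passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:  # 802.11 SSID length limit
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid_bytes,
        PBKDF2_ITERATIONS, dklen=PMK_LENGTH,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as printed by tools that export handshake material."""
    return derive_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11-2004 Annex H test vector: passphrase "password", SSID "IEEE"
    print("IEEE   :", pmk_hex("password", "IEEE"))
    # Same passphrase, different (constructed) SSID -> different PMK
    print("HomeNet:", pmk_hex("password", "HomeNet"))
```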

The vulnerability is that the passphrase can be enumerated from sniffed access point packets. This can also be done by capturing a four-way handshake.

A wireless network that uses PSK authentication can be found with the following commands in Linux:

root@kali:~# airmon-ng start wlan0
root@kali:~# ifconfig wlan0 down

Identifying a target network using airodump-ng:

root@kali:~# airodump-ng mon0

Our next step is to target the network:

root@kali:~# airodump-ng mon0 -w home-wifi-capture --channel 1

Once a handshake has been captured, it will be displayed at the top of the screen. Now, clean the capture file of any unnecessary packets and convert it to a hashcat-compatible format. We can achieve this using:

root@kali:~# wpaclean [output file] [input file]

root@kali:~# wpaclean surecloud-wifi-clean.cap surecloud-wifi-capture-01.cap

root@kali:~# aircrack-ng [input file] -J [output file]

root@kali:~# aircrack-ng surecloud-wifi-clean.cap -J surecloud-wifi-hashcat

The attacker has captured the handshake successfully.

WPS

WPS is the abbreviation of Wi-Fi Protected Setup. It is a wireless security standard between the router and wireless devices. WPS works for networks whose passwords are protected with WPA Personal or WPA2 Personal. It does not work with wireless networks that use the deprecated WEP security.

Dictionary Attack

The problem is with the WPS PIN: it can easily be brute-forced. Depending on the CPU, it manages one try per second to one try per ten seconds. The WPS PIN is 8 digits long, so it will take 10^8 attempts, 9999999 exactly.

The following is a demonstration of brute-forcing WPS using the Bully WPS brute-forcing tool in Kali Linux.

We'll run bully.py to install this tool in Kali Linux.

Our next step is to scan all the wireless networks available.

Now, we install Bully. After executing bully.py we will see a GUI as follows:

After this GUI appears on the Kali Linux machine, we have to enter some information into it, such as the BSSID we got from the wireless scan.

After adding the appropriate information in the Bully prompt box, a screen will appear; it is brute-forcing the WPS PIN. This will take some time, and after a while the process will complete. Now we have to go to our home directory and look for a file named pin.txt.

The pin.txt file contains the actual password of our WPS wireless network, which we obtained by brute-forcing WPS. If we open it, the PIN should be there.

The pin has been captured. Attack accomplished!

WPAN

WPAN stands for Wireless Personal Area Network. It is also known as a short-distance wireless network. It allows users to connect all of their devices to the network and to access the local network and the internet using a supported wireless communication technique.

Penetration techniques

Social engineering: Social engineering is the art of exploiting human vulnerabilities. In the context of information security, it refers to the psychological manipulation of people into performing actions or divulging confidential information.

Virtual probe: Straying far from the ethical standards of sales practice, some vendors will attempt to trick you into giving them information so that they can put your organization's name on a mailing list.

Lost password: When the security of a network is very high, attackers often use this technique. They simply call the IT staff, say they have lost their password, and ask for it to be reset. In this way they gain access to a valid account, after which the attacker sets up his own account with root access.

Social spying: Social spying is a technique of observing and then acquiring information. This kind of information can be gained from company recruiting ads, employees' social media accounts, and the company's relations with other vendors.

Garbage collecting: This is a technique where attackers physically go to the organization's building and collect data from its trash. Sometimes it contains very important information about the network.

Sniffing: A sniffer can be computer software or a dedicated device. It captures and monitors traffic passing through the network. In wireless hacking, it is the most common and powerful technique.

We are using the Linux distribution Kali Linux for hacking a Bluetooth device in order to listen to and record conversations. For this purpose we are going to use Carwhisperer, a Linux tool for attacking Bluetooth devices. First, we check our Bluetooth status:

After that, we enable our Bluetooth services by executing the following command in the terminal:

We have set a device class so that Bluetooth devices auto-connect with us. The next step is to scan for Bluetooth devices near us.

In the picture above, we can see that we have found a Bluetooth-enabled device. We changed our directory to Carwhisperer and then pasted in the target MAC address that we got from the previous scan.

Everything is good to go. Our tool has started listening, and Carwhisperer has begun capturing packets for us.

After this, we close the terminal and go to the Carwhisperer file manager to check the clips.

We clicked on Carwhisperer in the dialogue box and then on the open folder to open Carwhisperer's file manager.

We can see the voice clips in Carwhisperer's file manager. We captured these voice clips using Carwhisperer. The clips are in RAW format. We played them and they worked.
