
A Brief Introduction to Wireless Penetration Testing

Basic Overview

With the spread of wireless networks around the world and organizations of all sizes working them into their operational architecture, the need to assess the security of those networks has grown sharply. Almost every organization now uses wireless for communication and data transfer. This internal communication carries a great deal of sensitive information, and if an unauthorized user is able to sniff or connect to the wireless access point, the attacker can retrieve much of it: the attacker is now part of the internal network and can affect the organization's data confidentiality, integrity, authentication and access control. Securing an organization's wireless network is therefore a key concern for information security professionals. Wireless penetration testing also serves us in the following ways:

  • To benchmark the level of risk for your organization compared to other similar companies.
  • To understand the level of risk that exists at a single moment in time and execute a real-world attack on critical infrastructure.
  • To gain assurance that a malicious attacker could not gain unauthorized access to wireless or connected wired resources.
  • Performing this assessment will also help address specific regulatory requirements, such as PCI DSS requirement 11.3.1.
  • A Wireless Attack & Penetration test will identify vulnerabilities and offer advice for hardening and remediation.

Wireless Attacks

Believe it or not, wireless penetration testing is not a one-trick pony. There are several ways to compromise a network, and a few of them are discussed below.

  1. Wireless Access Control Attacks: these aim to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls.
  2. Wireless Integrity Attacks: the attacker sends forged control, data and management frames over the wireless network to misdirect wireless devices, typically in order to mount a DoS attack.
For a more complete and detailed list of Wireless Attacks read this article.

Know Your Tools

To gain unauthorized access to a network, one needs to crack these security protocols. Many tools can crack Wi-Fi encryption; a few examples are Wifite, Fern Wifi Cracker and the Aircrack suite.

Also See: Top 13+ Best Wireless Penetration Testing Tools Ever Made
Of all the tools in the list above, the one I prefer to work with is Silica; I think it is the best of them.
Silica, from Immunity, is a veritable Swiss army knife of wireless hacking. Silica runs on Linux; however, it is distributed as a bootable USB drive and as a virtual machine image, making it easy to run on any laptop with virtualization support. What makes Silica particularly interesting, in my view, is that it combines the features of network and client exploitation tools. Once Silica has compromised a network (say, by cracking the network key) or a wireless client (via MITM), it can unleash a host of client penetration exploits, much like Metasploit, and this puts Silica in the top tier.
Learn More about the Silica Wireless Assessment Tool Here

Like any tool, these can be used by penetration testers with the best or the worst of intentions, and the fact that they exist at all should be a frightening prospect to anyone charged with network security. If you don't have a black-belt security master on your staff, find a consultant who knows how to drive these or similar tools to assess the strength of your WLAN defenses.

Steps for Wireless Assessment

Wireless security assessment methodologies, whether manual or automated, involve five steps:

  • The first is the discovery of APs, identification of the targets to be included in the assessment, and tracing of traffic that leaks outside the set boundaries.
  • The second step deals with inspecting access control, identifying vulnerabilities already present and determining the security settings in use.
  • The third involves investigation of any additional encryption architecture.
  • The fourth step is enabling user, device and manual authentication, and the fifth and final step is assessing the physical location of the APs.
  • Whichever type of assessment one chooses to adopt, the overriding goal of a wireless security assessment is to monitor the networks and alert personnel of any uncharted irregularities in their traffic.

Best Practices for Wireless networks

Following Best Practices as per industry standards can help secure our Wireless networks:

  • Change the default SSID after WLAN configuration
  • Set the router access password and enable firewall protection
  • Enable MAC address filtering on the AP or router
  • Enable encryption on router and change passphrase often
  • Use SSID cloaking so that the AP does not broadcast its ID to everyone in its default wireless messages
  • Place a firewall or packet filter in between the AP and the corporate internet
  • Check the wireless devices for configuration or setup problems regularly
  • Implement a different technique for encrypting the traffic, such as IPsec over wireless
  • Implement WPA2 Enterprise wherever possible
  • Place wireless access points in a secure location
  • Keep drivers on all wireless devices updated
  • Use a centralized server for authentication
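The second assessment step above (determining the security settings of the discovered APs) and this best-practice list can be combined into a simple triage script. The following is an added example, not code from the original post or from any tool it names: it parses the AP section of an airodump-ng CSV export (from the Aircrack suite mentioned earlier) and flags each network against the practices listed above. The CSV sample and the list of default SSIDs are constructed for this example.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (AP section only); not real survey data.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, MGT, -40, 120, 0, 0.  0.  0.  0, 8, CorpWiFi,
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -55, 80, 0, 0.  0.  0.  0, 6, Guest1,
00:11:22:33:44:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WEP, WEP, , -70, 30, 5, 0.  0.  0.  0, 7, linksys,
00:11:22:33:44:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 3, 54, OPN, , , -62, 45, 0, 0.  0.  0.  0, 0, ,
"""

# Factory-default SSIDs to flag (illustrative list, an assumption of this example).
DEFAULT_SSIDS = {"linksys", "dlink", "netgear", "default", "tp-link"}

def parse_access_points(text):
    """Return the AP rows of an airodump-ng CSV as dicts keyed by the header names."""
    aps, header = [], None
    for row in csv.reader(io.StringIO(text)):
        row = [c.strip() for c in row]
        if not row:
            continue
        if row[0] == "BSSID":          # header of the AP section
            header = row
        elif row[0] == "Station MAC":  # client section begins; nothing more to read
            break
        elif header:
            aps.append(dict(zip(header, row)))
    return aps


def assess(ap):
    """Check one AP record against the best-practice list: encryption, auth mode, SSID."""
    privacy, auth, essid = ap["Privacy"], ap["Authentication"], ap["ESSID"]
    findings = []
    if privacy == "OPN" or "WEP" in privacy:
        findings.append(("HIGH", f"{privacy}: no modern encryption on the link"))
    elif auth == "PSK":
        findings.append(("MEDIUM", "pre-shared key in use; WPA2 Enterprise (MGT) is preferred"))
    if essid.lower() in DEFAULT_SSIDS:
        findings.append(("LOW", f"default SSID '{essid}' still configured"))
    if essid == "":
        findings.append(("INFO", "SSID cloaked; confirm this is an authorised AP"))
    return findings


def report(text):
    """Map every BSSID in the capture to its list of (severity, note) findings."""
    return {ap["BSSID"]: assess(ap) for ap in parse_access_points(text)}
```

Run it against a real export with `report(open("capture-01.csv").read())`; the enterprise network in the sample produces no findings, while the WEP and open networks are ranked HIGH.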

With this, I would like to end my article. In this post I have mainly discussed the theoretical concepts behind wireless pentesting; my later articles on Malc0de will cover how to set up labs and perform a hands-on practical assessment of wireless networks. Stay tuned, and read all the linked articles in the post for a better and deeper insight. Your feedback is greatly appreciated; please comment and sign up for our newsletter.

Article’s Acronyms:

  • USB- Universal serial bus
  • WEP- Wired equivalent privacy
  • WAP- Wireless application protocol
  • WLAN- Wireless local area network
  • PSK- Pre-shared key
  • ENT- Enterprise
  • MAC address- Media access control address
  • SSID- Service set identifier
  • AES- Advanced encryption standard
  • EAP- Extensible authentication protocol
  • BSSID- Basic service set identification
  • ESSID- Extended service set identification
  • ARP- Address resolution protocol
  • AP- Access point
  • IP- Internet protocol


  • Defcon:
  • Blackhat conferences:
  • Offensive Security:
  • SANS Guidelines

Leave A Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.