Wireless Penetration Testing Checklist – A Detailed Cheat Sheet


Wireless penetration testing actively examines the information security procedures in place on WiFi networks and likewise analyses their weaknesses, technical flaws and crucial wireless vulnerabilities.

The crucial countermeasures we ought to focus on are threat assessment, data theft detection, security control auditing, risk prevention and detection, information system management and upgrading of facilities; a detailed report should then be prepared.


Structure for Wireless Penetration Testing

1. Discover the devices connected to wireless networks.

2. Document all the findings if a wireless device is found.

3. If a wireless device is found using WiFi networks, perform common WiFi attacks and inspect the devices using WEP encryption.

4. Then perform WEP encryption pentesting if you find a WLAN using WEP encryption.

5. Check whether the WLAN is using WPA/WPA2 encryption. If yes, then carry out WPA/WPA2 pentesting.

6. Examine whether the WLAN is using LEAP encryption. If yes, then carry out LEAP pentesting.

7. If none of the encryption methods mentioned above is in use, then check whether the WLAN is unencrypted.

8. If the WLAN is unencrypted, then carry out common WiFi network attacks, check the vulnerabilities present in the unencrypted setup and produce a report.

9. Prior to creating a report, ensure no damage has been caused to the pentesting assets.
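Steps 3 to 7 above come down to reading each network's beacon frame: the privacy capability bit, the WPA vendor element and the RSN element tell you whether a network is open, WEP, WPA or WPA2 and which cipher and key-management suites it advertises. The following Python is an added example, not part of the original checklist; it parses a beacon-frame body (the part after the 802.11 MAC header) and classifies the network, using constructed sample beacons rather than a real capture. Element IDs, suite selectors and the PMF capability bits follow IEEE 802.11.

```python
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # RSN cipher suite types
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}                       # RSN AKM suite types
PRIVACY_BIT = 0x0010          # capability-info bit set by every WEP/WPA/WPA2 network

def parse_ies(body):
    """Yield (element_id, data) pairs after the 12 fixed bytes of a beacon body."""
    pos = 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        yield eid, body[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_rsn(d):
    """Decode the RSN (WPA2) element: ciphers, AKMs and the 802.11w (PMF) capability bits."""
    n_pw = struct.unpack_from("<H", d, 6)[0]          # pairwise cipher suite count
    akm_off = 8 + 4 * n_pw                            # AKM suite count follows the pairwise list
    n_akm = struct.unpack_from("<H", d, akm_off)[0]
    caps_off = akm_off + 2 + 4 * n_akm
    caps = struct.unpack_from("<H", d, caps_off)[0] if caps_off + 2 <= len(d) else 0
    return {"group": CIPHERS.get(d[5], "unknown"),
            "pairwise": [CIPHERS.get(d[8 + 4 * i + 3], "unknown") for i in range(n_pw)],
            "akm": [AKMS.get(d[akm_off + 2 + 4 * i + 3], "unknown") for i in range(n_akm)],
            "pmf_capable": bool(caps & 0x80), "pmf_required": bool(caps & 0x40)}

def classify_beacon(body):
    """Map one beacon body to OPEN / WEP / WPA / WPA2, as checklist steps 3 to 7 require."""
    ies = list(parse_ies(body))
    ssid = next((d.decode("utf-8", "replace") for eid, d in ies if eid == 0), "")
    rsn = next((d for eid, d in ies if eid == 48), None)
    wpa1 = any(eid == 221 and d[:4] == b"\x00\x50\xf2\x01" for eid, d in ies)
    privacy = struct.unpack_from("<H", body, 10)[0] & PRIVACY_BIT
    info = {"ssid": ssid, "hidden": ssid == ""}       # empty SSID element = hidden network
    if rsn is not None:
        info.update(security="WPA2", **parse_rsn(rsn))
    else:                                             # privacy bit with no WPA/RSN element = WEP
        info["security"] = "WPA" if wpa1 else "WEP" if privacy else "OPEN"
    return info

def make_body(ssid, privacy, extra_ies=b""):
    """Constructed beacon body (timestamp, interval, capability, SSID IE, extras) for testing."""
    cap = PRIVACY_BIT if privacy else 0
    return struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid + extra_ies

# Constructed elements: RSN with CCMP/PSK and PMF required; WPA (vendor) element with TKIP.
RSN_CCMP_PSK_PMF = bytes.fromhex("30140100000fac040100000fac040100000fac02c000")
WPA1_TKIP = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
```

Run over a real capture, the `security`, `pairwise` and `pmf_required` fields give the inventory the checklist asks for and flag WEP, TKIP and non-PMF networks for remediation.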


Wireless Pentesting with WEP Encrypted WLAN

1. Check the SSID and examine whether the SSID is visible or hidden.

2. Check for networks using WEP encryption.

3. If you find the SSID in visible mode, then attempt to sniff the traffic and inspect the packet capture status.

4. If packets have been successfully captured and injected, then it is time to crack the WEP key using a WiFi cracking tool such as Aircrack-ng or WEPcrack.

5. If packets are not reliably captured, then sniff the traffic again and capture the packets.

6. If you find the SSID in hidden mode, then deauthenticate the target client using one of the deauthentication tools such as CommView or Aireplay-ng.

7. Once the client has successfully re-authenticated and the SSID has been discovered, follow the procedure above that was used for a visible SSID.

8. Check whether the authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, then a bypass mechanism needs to be performed.

9. Check whether STAs (stations/clients) are connected to the AP (Access Point) or not. This information is needed to carry out the attack accordingly.

If no client is connected to the AP, a Fragmentation attack or KoreK chopchop attack needs to be performed to produce the keystream, which will be further used to replay ARP packets.

If clients are connected to the AP, an Interactive packet replay or ARP replay attack needs to be performed to collect IV packets, which can then be used to crack the WEP key.

10. Once the WEP key is cracked, try to connect to the network using wpa_supplicant and check whether the AP is allocating any IP address or not.


Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN

1. Start by deauthenticating a WPA/WPA2-protected WLAN client using WLAN tools such as Hotspotter, Airsnarf, Karma, etc.

2. If the client is deauthenticated, then sniff the traffic and inspect the status of the captured EAPOL handshake.

3. If the client is not deauthenticated, then do it again.

4. Inspect whether the EAPOL handshake is captured or not.

5. As soon as you have captured the EAPOL handshake, perform a PSK dictionary attack using coWPAtty or Aircrack-ng to obtain the confidential information.

6. Add the time-memory trade-off method (rainbow tables), also known as the WPA-PSK precomputation attack, for cracking the WPA/WPA2 passphrase. genpmk can be used to generate the precomputed hashes.

7. If it fails, then deauthenticate again, try to capture the handshake once more and redo the above steps.

LEAP Encrypted WLAN

1. Confirm and check whether the WLAN is protected by LEAP encryption or not.

2. Deauthenticate the LEAP-protected client using tools such as Karma, Hotspotter and so on.

3. If the client is deauthenticated, then crack the LEAP encryption using a tool such as asleap to obtain the confidential information.

4. If the process fails, then deauthenticate again.
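The WEP, WPA/WPA2 and LEAP procedures above all open with a deauthentication of the client, which is exactly the event a defender should be watching for. The following Python is an added example, not part of the original article: it parses 802.11 management-frame headers, counts deauthentication and disassociation frames per BSSID in a sliding window, and flags bursts as well as broadcast-addressed deauthentications over a constructed sample trace. Frame subtypes and reason codes follow IEEE 802.11; the window and threshold are assumptions to tune per environment.

```python
import struct
from collections import defaultdict, deque

BROADCAST = b"\xff" * 6
DEAUTH, DISASSOC = 12, 10           # 802.11 management-frame subtypes

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, bssid, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:       # frame-control type 0 = management
        return None
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return fc0 >> 4, frame[4:10], frame[10:16], frame[16:22], reason

def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Flag a BSSID whose deauth/disassoc count reaches `threshold` within `window_s`
    seconds, plus every deauth/disassoc sent to the broadcast address (a spoofing tell).
    `frames` is an iterable of (timestamp_seconds, raw_80211_frame) pairs."""
    recent = defaultdict(deque)     # bssid -> timestamps of recent deauth/disassoc frames
    alerts = []
    for ts, frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _, addr1, _, bssid, reason = parsed
        if addr1 == BROADCAST:
            alerts.append((ts, bssid.hex(":"), "broadcast-deauth", reason))
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:      # fires once, as the count crosses the threshold
            alerts.append((ts, bssid.hex(":"), "deauth-flood", len(q)))
    return alerts

def mgmt_frame(subtype, addr1, addr2, bssid, reason=7):
    """Constructed management frame (24-byte header + reason code) for test input only."""
    fc = bytes([subtype << 4, 0])
    return fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00" + struct.pack("<H", reason)

# Constructed trace (not a real capture): one ordinary deauth at t=0 s, then a burst
# of 15 broadcast deauths claiming to come from the AP, all within one second at t=5 s.
AP, STA = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02ddeeff0002")
SAMPLE = [(0.0, mgmt_frame(DEAUTH, STA, AP, AP, reason=3))]
SAMPLE += [(5.0 + i * 0.05, mgmt_frame(DEAUTH, BROADCAST, AP, AP)) for i in range(15)]
```

Networks that negotiate Protected Management Frames (802.11w, advertised in the RSN element) reject unauthenticated deauthentication frames, so a flood still shows up in monitoring but no longer disconnects clients.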

Penetration Testing with Unencrypted WLAN

1. Inspect whether the SSID is visible or not.

2. If the SSID is visible, sniff for the IP range and then examine the status of MAC filtering.

3. If MAC filtering is enabled, then spoof the MAC address using tools such as SMAC.

4. Attempt to connect to the AP using an IP within the discovered range.

5. If the SSID is hidden, then find the SSID using Aircrack-ng and follow the procedure for a visible SSID described above.
