Wi-Fi Penetration Testing – Part 2 (PreConnection Attack)

Wi-Fi Penetration Testing – Part 2 (PreConnection Attack)

So, this is the Part-2 of Wi-fi Penetration Testing series in which we are going to learn about Pre-connection Attack. if you didn’t see the Part 1 please go and read it because it is highly recommended for pre-connection attack. In this blog will learn some pre connection attacks that we need in part3 & Part4 for Wifi attack.

Pre-Connection Attack

Packet Injection

What is Packet Injection what we will do with?

In computer networking, packet injection (sometimes called forging packets or spoofing packets) is the technique of tampering with an established network connection by generating packets that appear to be part of the normal communication stream. The packet injection method allows an unknown third party to interrupt or intercept packets transmitted by consenting parties, which can result in users’ ability to access particular network services or protocols being harmed or blocked. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

Is our adapter being capable of doing packet injection? Let test it….

In order to test packet injection, we need to turn on monitor mode

First put the card in monitor mode as we did in Part 1

Now, type iwconfig to confirm it and see its work now we are in monitor mode if you follows the Part 1 steps Properly. Let’s move forwards and test the packet injection

To test the Packet Injection will use a tool aireplay-ng to run this tool type aireplay-ng followed by –test followed by the interface name, Now the command look like

aireplay-ng –test [Interface Name]

If you See Injection is Working! then yes your wifi adapter is capable of doing Packet Injection

Note: – if you get injection is not working or no ap founds there are 2 conditions

  • Your adapter is not capable of doing Packet injection
  • There is no Access point nearby.

Sniffing Basics

Now that we have enabled monitor mode on our wireless interface, we are able to capture all the Wi-Fi Packets sent within our range, even if the packet is not directed to our computer.

So now we need a program that can capture these packets for us. The program that we are going to use is airodump-ng it’s a packet sniffer. It’s a program designed to capture packets while you are in monitor mode. So, it will allow us to see all the wireless networks around us and show us detailed information about it MAC address, its channel, its encryption, the Client connected to this network and so on.

Let’s sniff the packets using this, first of all you need to enable monitor mode on your wireless adapter as we did in Part 1

Now to run airodump-ng, type program name which is airodump-ng followed by the name of wireless adapter in monitor mode in my case which is wlan0. So, command will be

airodump-ng < Interface in Monitor mode>

Then hit enter

After Execution of this command, you will see it start working, discovering all the wireless network around me and displaying useful information about them.

This program will continue working unless you quite it and to quit this program, press CTRL+C

Let understand the results,

  • BSSID shows the MAC address of the target network
  • PWR shows the signal strength of the network. Higher the number has better signal
  • Beacons are the frames send by the network in order to broadcast its existence
  • #Data , shows the number of data packets or the number of data frames
  • #/s shows the number of data packets that we collect in the past 10 seconds
  • CH shows the channel on which the network works on
  • MB shows the maximum speed support by the network
  • ENC shows the encryption used by the network. It can be WEP, OPN, WPA, WPA2
  • CIPHER shows the cipher used in the network
  • AUTH shows the authentication used on the network
  • ESSID shows the name of the network

Note:-

How we can Capture Specific band network? (2.4Ghz & 5GHz)

The 2 main frequencies used in WIFI network are 2.4 GHz and 5 GHZ. Now, previously when we use airodump-ng, we were only sniffing on 2.4Ghz but you might have noticed that you won’t get all the network when you run airodump-ng in above picture.

We open our network tab and see we are having much more network mainly the 5G network

So, the main part is that I am not able to see all the network around me and the reason for this is because airodump-ng is only sniffing on2.4ghz frequencies.

So let capture 5GHz frequency Access point

To do this open your terminal put adapter in monitor mode and write airodump-ng and now we use new argument”- -band a “and that’s the band that support 5ghz and I am just giving my monitor mode interface name

airodump-ng –band a [Interface in Monitor Mode]

Yes, now we get the 5GHz Frequency Packets. Below I Mentions more Arguments Play with it and Capture Different Frequency.

  • a uses 5Ghz frequency only
  • b,g both use 2.4Ghz frequency only.
  • N uses 5 and 2.4Ghz
  • ac uses frequency lower than 6 GHZ

Sniffing our specific Target Using Airodump-ng

In this step, we will run airodump-ng to see all the devices that are connected to a particular network and collect more information about it. Once we have a network to the target, it’s useful to run airodump-ng on that network only, instead of running it on all the networks around us.

So, our Target is Testing_Wifi let sniff it and get more information about it. In last topic we run the airodump-ng and got the details of Nearby access point using those details will run airodump-ng for our target network.

To Do this Type airodump-ng

Airodump-ng –bssid [Target Mac address] –channel[Channel used by target] [Interface Name]

Let understand the results,

  • BSSID shows the MAC address of the target network
  • Station shows the number of devices that are connected to this network
  • PWR shows the power strength of each of the devices
  • Rate hows the speed
  • Lost shows the amount of data loss
  • Frames show the number of frames that we have captured

Deauthentication attack (Disconnecting any device from the network)

Through this attack we can disconnect any client from any network we don’t need password of Wi-Fi we don’t need to connect with Wi-Fi.

To do this we are going to pretend to be the client that we want to Disconnect by changing our Mac address to the MAC address of that Client and tell the router that I want to disconnect form you. Then again, we are going to pretend to be the Router again by changing our MAC address to the router MAC address and tell the client that you requested to be disconnected. So I am disconnected you. So, this will allow us to successfully disconnected or Deauthenticate any client from any network.

Now we are not going to do this manually. We are going to use a tool called airplay-ng to do this.

Type the name of the program Which is Aireplay-ng by typing –deauth we are telling that we want to run the Deauthentication attack then give the number of the Deauthentication packets that we want to send. Give a large number so that it keeps semding packets to both the router and the target device. So we can discoonet target device for a long period of time. Now type -a and type the MAC address of target network & then type -c and type the MAC address of target Client and at last type the interface name that is in monitor mode.

The command look like

aireplay-ng –deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]

Where

  • -deauth is used to tell airplay-ng that we want to run a Deauthentication attack and assign 100000 which is the number of packets so that it keeps sending a Deauthentication packets to both the router and client and keep the client disconnected.
  • -a is the MAC (Media Access Control) address of the target. 50:C8:E5:AF:F6:33 is the target access point.
  • -c is the target client MAC address; omit to deauthenticate all clients on AP A8:7D:12:30:E9:A4 is client’s MAC address.
  • wlan0 is the wireless adaptor in Monitor mode.

Here you see what it looks like at attacker’s system

![][]

Here you see what the victim is facing

UNLOCK HIDDEN NETWORKS (How to Discover and Connect with it)

  • A hidden network is one that does not broadcast its name or ESSID
  • Hidden Network still Broadcasts their existence (Channel, BSSID)

Problem: Can’t connect or even attempts to crack its password

Solutions

  • Airodump-ng can determine the ESSID if the Network is active
  • De-authenticate one or all connected clients For a Short Period of time and monitor reconnections thought Airodump

How to discovery a Hidden network

There are multiple techniques to discovery the Hidden network we are doing 2 Methods

  • Monitor that’s hidden network and wait till a new client trying to associate with the Hidden network.
  • De-authenticate one or all connected clients For a Short Period of time and monitor reconnections thought Airodump

One of the major obstacles that’s you might find while trying to gain access to a network is if the network does not broadcast its name, it means its hidden, If the network is hidden, then you won’t be able to connect to the network, even it does not use any password or if it uses the password then you won’t be able to use the attacks that’s we are going to do next. So literally you won’t be able to do anything until you know the name of the network.

Now we find the name of Hidden network lets connect with it

HOW to Connect to a Hidden WiFi Network?

On Windows 10

So, you have details for a Hidden Network that you want to connect to? It is fairly simple to connect to a hidden network on Windows 10. Before continuing, make sure you have the following details about the hidden network:

  • SSID (hidden SSID)
  • Security Type
  • Security Key
  • EAP Method (if using WPA2-Enterprise AES security type)

Once you have all these details handy, follow these steps to manually add a hidden wireless network:

  1. Open ‘Settings’
  2. Go to ‘Network and Internet’
  3. Select ‘Wi-Fi’ from the left menu.
  4. Click on ‘Manage Known Networks’
  5. Now click on ‘Add a new network’
  6. Enter the SSID, choose the security type and enter your password.
  7. Select ‘Connect Automatically’ if you want to connect to this network whenever available

On Kali Linux

  1. Open Settings
  2. Go to network (Network manager Issue)
  3. Click on Connect to Hidden Network
  4. Put the Ap Name That we Found
  5. Security NONe

Bypassing MAC Filtering

Mac address is unique to each network device.

Routers can us mac filtering to allow/deny devices from connecting based on the list

There Two types of implementations: –

1.Using blacklist – allow all MAC to connect except the ones in the Black list

2.Using whitelist – deny all MAC from connection except the one from the list.

Bypassing Blacklist MAC: – Bypassing it is the simplest thing just change the MAC to random one and You’ll bypass the Backlisting. Lol simple na

Hacker man

Bypassing Whitelist: – Now the main part of bypassing the mac filtering start

About Payatu

Payatu is a boutique security testing and services organization specialized in Products, Application, and Infrastructure security assessments and deep technical security training. We offer a full IoT ecosystem security assessment, including Hardware, Cloud, Web, and Mobile interface. If you are looking for security testing services then let’s talk, share your requirements:

Get in touch with us. Click on the get started button below.

Subscribe to our Newsletter
Subscription Form

Research Powered Cybersecurity Services and Training. Eliminate security threats through our innovative and extensive security assessments.

Subscribe to our newsletter

Subscription Form

Services

Products

Conference

Resources

About

Iot Security Testing
Red Team Assessment
Product Security
AI/ML Security Audit
Web Security Testing
Mobile Security Testing
DevSecOps Consulting
Code Review
Cloud Security
Critical Infrastructure
SOC Service
ExPLIoT
CloudFuzz
Nullcon
Hardwear.io
Blog
E-Book
Advisory
Media
Case Studies
MasterClass Series
BugBazaar
Securecode.wiki
About Us
Career
News
Contact Us
Payatu Bandits
WhatsApp Community
Hardware-Lab
Disclosure Policy
Corporate Partners
Youtube Linkedin Facebook Twitter Instagram Whatsapp
DOWNLOAD THE DATASHEET

Fill in your details and get your copy of the datasheet in few seconds

CTI Report
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in your inbox

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Mobile Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Web App Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trade Ledger takes privacy and security of it’s customers and system very seriously. We needed an independent audit to check our systems, and wanted to partner with a team that understands the compliance environment of banks.
MARTIN MECCAN
MARTIN MECCANCEO - TradeLedger Australia

Trusted by