Wireless Security Assessment
Testing the security of wireless networks from passive scanning through active attacks. Covers network discovery, client enumeration, WPA/WPA2 cracking, evil twin attacks, and rogue AP detection.
Equipment Setup and Monitor Mode
Put your wireless adapter into monitor mode. You need an adapter that supports monitor mode and packet injection - the Alfa AWUS036ACH is the standard recommendation. Once the adapter is in monitor mode, verify that it is actually capturing traffic and that it can hop across all the channels you intend to assess.
Tip: Run 'airmon-ng check kill' first to stop the network-manager and supplicant processes that interfere with monitor mode, then 'airmon-ng start wlan0' to enter it. If you're assessing 5GHz networks, make sure your adapter supports it. The Alfa AWUS036ACH handles both 2.4GHz and 5GHz.
Passive Network Discovery
Before transmitting anything, listen. Capture beacon frames to identify all access points in range, their SSIDs, encryption types, channels, and signal strength. Also capture probe requests from client devices - these reveal what networks clients are looking for, which is useful for evil twin attacks later.
Tip: Airodump-ng (part of Aircrack-ng) gives you a real-time view of all networks and connected clients. Kismet provides more detailed passive analysis. Let passive scanning run for a while - not all clients are active at the same time.
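The passive scan is only as useful as what you do with the output. The script below is an added example (not code from the original workflow or from the Aircrack-ng project): it parses an airodump-ng CSV export, compares what was seen against an authorized-AP inventory, and flags the things a defender cares about - an unknown BSSID advertising a corporate SSID (the evil-twin pattern), open or WEP networks, clients associated to a suspect AP, and clients whose probe requests leak their preferred-network list. The CSV sample, the inventory (AUTHORIZED) and all MAC addresses are constructed; the column layout is assumed to be the standard airodump-ng one (AP table, blank line, station table).

```python
"""Parse an airodump-ng CSV export and flag rogue/evil-twin access points.

Added example. Assumes the standard airodump-ng CSV layout: an AP table,
a blank line, then a station table whose trailing columns are probed ESSIDs.
The capture below is constructed for illustration, not a real scan.
"""

# Constructed sample. Two APs advertise "CorpWiFi": the authorized one and an
# unknown BSSID with a much stronger signal on the same channel.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -52, 120, 0,   0.  0.  0.  0,   8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-01-01 10:02:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -31,  40, 0,   0.  0.  0.  0,   8, CorpWiFi,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN,     ,    , -60,  90, 0,   0.  0.  0.  0,   9, GuestOpen,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:10, 2024-01-01 10:04:00, -48, 30, DE:AD:BE:EF:00:01, CorpWiFi
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70,  5, (not associated), HomeNet,CoffeeShop
"""

# Authorized inventory (constructed): SSID -> BSSIDs the organisation actually operates.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:55"}}


def parse_airodump_csv(text):
    """Return (aps, stations): aps maps BSSID -> attributes, stations is a list of dicts."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "BSSID":          # AP table header
            section = "ap"
            continue
        if fields[0] == "Station MAC":    # station table header
            section = "sta"
            continue
        if section == "ap" and len(fields) >= 14:
            aps[fields[0].upper()] = {
                "channel": int(fields[3]),
                "privacy": fields[5],
                "power": int(fields[8]),
                "essid": fields[13],
            }
        elif section == "sta" and len(fields) >= 6:
            stations.append({
                "mac": fields[0].upper(),
                "bssid": fields[5].upper(),          # "(NOT ASSOCIATED)" when idle
                "probes": [p for p in fields[6:] if p],  # trailing fields are probed ESSIDs
            })
    return aps, stations


def assess(aps, stations, authorized=AUTHORIZED):
    """Run the rogue-AP and client-hygiene checks; return a list of (severity, message)."""
    findings, rogue = [], set()
    for bssid, ap in aps.items():
        if ap["essid"] in authorized and bssid not in authorized[ap["essid"]]:
            rogue.add(bssid)
            findings.append(("high", f"possible evil twin: {bssid} advertises {ap['essid']} "
                                     f"on ch {ap['channel']} at {ap['power']} dBm"))
        if ap["privacy"] in ("OPN", "WEP"):
            findings.append(("medium", f"weak encryption: {bssid} ({ap['essid']}) is {ap['privacy']}"))
    for sta in stations:
        if sta["bssid"] in rogue:
            findings.append(("high", f"client {sta['mac']} is associated to suspected rogue {sta['bssid']}"))
        leaked = [p for p in sta["probes"] if p not in authorized]
        if leaked:
            findings.append(("low", f"client {sta['mac']} probes for non-corporate SSIDs: {', '.join(leaked)}"))
    return findings


if __name__ == "__main__":
    for severity, message in assess(*parse_airodump_csv(SAMPLE_CSV)):
        print(f"[{severity}] {message}")
```

Feed it a real export with `airodump-ng -w scan --output-format csv` and swap in the real inventory; the same comparison is what a wireless IDS does continuously, so the signal-strength field is worth keeping in the report - a duplicate SSID that is louder than the legitimate AP is the case clients will actually roam to.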
WPS Testing
Check if any target networks have WPS enabled. WPS is a common weakness - the Pixie Dust attack can recover the WPS PIN in seconds if the router's random number generator is weak, and online brute force can crack it in hours regardless. Many networks that have strong WPA2 passwords are still vulnerable through WPS.
Tip: Try Pixie Dust first (reaver with -K flag) - it's instant when it works. If Pixie Dust fails, online brute force with Reaver works against most WPS implementations but takes 4-10 hours. Some routers implement rate limiting or lockouts, so check the target's behavior first.
WPA/WPA2 Handshake Capture and Cracking
Capture the four-way WPA handshake by either waiting for a client to connect naturally or deauthenticating a connected client to force a reconnection. Once you have the handshake, crack it offline with a wordlist or rule-based attack.
Tip: Use aireplay-ng to send deauth frames and force a handshake capture. Hashcat is significantly faster than Aircrack-ng for cracking because it uses GPU acceleration. Use targeted wordlists (the company name, location, common patterns) before moving to large generic wordlists.
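The reason a captured handshake can be attacked offline at all is that the pre-shared key is derived deterministically from the passphrase and SSID, and the only thing that limits the attacker is the cost of that derivation per guess. The example below is added here and is not part of the original workflow: it implements the PMK derivation as the standard defines it (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output) and turns a guess rate into a worst-case time to exhaust a passphrase policy, which is the number you need when deciding how long a PSK has to be. The policies, the measured rate and the sample GPU rate are assumptions for illustration; the test vector is the published IEEE 802.11i one.

```python
"""Per-guess cost of WPA/WPA2-PSK and what it means for passphrase policy.

Added example. wpa_pmk() is the IEEE 802.11i PMK derivation; the policies
and guess rates used in the estimate are illustrative assumptions.
"""
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a supplicant (or a cracker) does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_guesses_per_second(ssid: str = "IEEE", trials: int = 200) -> float:
    """Rough single-core CPU throughput of the derivation, for comparison with GPU rates."""
    start = time.perf_counter()
    for i in range(trials):
        wpa_pmk(f"candidate{i}", ssid)
    return trials / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every passphrase of `length` symbols from `alphabet_size`."""
    return alphabet_size ** length / guesses_per_second


# Illustrative passphrase policies (assumed): name -> (alphabet size, length).
POLICIES = {
    "8 digits": (10, 8),
    "8 lowercase": (26, 8),
    "12 mixed alnum": (62, 12),
    "16 mixed alnum": (62, 16),
}


def policy_report(guesses_per_second: float, policies=POLICIES):
    """Return [(policy, worst-case days)] so policies can be compared at a given rate."""
    return [(name, seconds_to_exhaust(a, n, guesses_per_second) / 86400)
            for name, (a, n) in policies.items()]


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    cpu_rate = measure_guesses_per_second()
    gpu_rate = 1_000_000  # assumed rate for a GPU rig; substitute a measured hashcat benchmark
    print(f"this CPU: ~{cpu_rate:,.0f} PMK/s; assumed GPU rig: {gpu_rate:,} PMK/s")
    for name, days in policy_report(gpu_rate):
        print(f"{name:>16}: {days:,.1f} days worst case")
```

Because the SSID is the salt, a PSK network with a common default SSID is also exposed to precomputed tables, so a unique SSID plus a long passphrase (or WPA-Enterprise / WPA3-SAE, which has no offline-crackable handshake) is the mitigation the report should recommend.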
Evil Twin and Rogue AP Attacks
Set up a rogue access point impersonating the target network. When clients connect to your AP instead of the real one, you can capture credentials through a captive portal, intercept traffic, or harvest WPA-Enterprise credentials. This tests how well clients validate the networks they connect to.
Tip: hostapd-mana automatically responds to client probe requests (karma attack). WiFi-Pumpkin3 provides a full framework with captive portal templates. For WPA-Enterprise networks, hostapd-mana can harvest RADIUS credentials from connecting clients. Position your rogue AP for stronger signal than the real one.
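What decides whether the WPA-Enterprise credential harvest succeeds is the client-side supplicant configuration: a client that does not pin the RADIUS server's CA and expected name will hand its inner credentials to any AP that speaks the right SSID. The script below is an added example, not code from the original workflow or from wpa_supplicant: it parses wpa_supplicant-style network blocks and reports the settings that make a client accept an impostor RADIUS server. The two network blocks are constructed (the first is the weak profile, the second the corrected one); the option names checked (ca_cert, ca_path, domain_match, domain_suffix_match, altsubject_match, subject_match, anonymous_identity) are real wpa_supplicant options, and the parser ignores any '#' inside quoted values, which is a simplification.

```python
"""Audit wpa_supplicant EAP profiles for settings that let an evil twin harvest credentials.

Added example. The two profiles below are constructed: the first is the weak
configuration, the second the corrected one. Option names are wpa_supplicant's.
"""

SAMPLE_CONF = """
# Weak profile: PEAP without any server validation
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Corrected profile: CA pinned, server name checked, outer identity anonymised
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

SERVER_NAME_OPTIONS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Return a list of dicts, one per network={...} block (quotes stripped from values)."""
    nets, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' inside quotes is not handled
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            nets.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return nets


def audit_network(net):
    """Return the list of weaknesses that would let a rogue RADIUS server collect credentials."""
    issues = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return issues  # PSK and open networks are outside this check
    if not (net.get("ca_cert") or net.get("ca_path")):
        issues.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(opt in net for opt in SERVER_NAME_OPTIONS):
        issues.append("no server name match: a certificate from the same CA for another host is accepted")
    if not net.get("anonymous_identity"):
        issues.append("no anonymous_identity: the real username is sent in the clear in the outer identity")
    return issues


def audit_config(text):
    """Map each EAP profile (by SSID and position) to its issues."""
    return {f"{i}:{net.get('ssid', '?')}": audit_network(net)
            for i, net in enumerate(parse_networks(text))}


if __name__ == "__main__":
    for name, issues in audit_config(SAMPLE_CONF).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

The same three checks map directly onto managed-client policy (Windows EAP profiles and MDM Wi-Fi payloads expose CA pinning and server-name validation), so a finding from the rogue-AP test is best reported as "client profile does not validate the server" rather than as a weakness of the access point.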
Protocol-Level Testing
Test the resilience of the wireless infrastructure against protocol-level attacks. This includes deauthentication flooding, beacon frame spoofing, authentication floods, and SSID brute forcing for hidden networks. These tests evaluate how the wireless infrastructure handles adversarial conditions.
Tip: mdk4 provides a comprehensive suite of 802.11 protocol attacks. Be careful with flooding attacks - they affect all clients on the network, not just your test targets. Always coordinate with the client about which tests are acceptable and during what windows.
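The deauthentication traffic from both the handshake-capture step and the flooding tests is easy to spot in a management-frame capture, and that is what a wireless IDS should be alerting on. The detector below is an added example (not code from the original workflow or from mdk4): it applies a sliding-window rate threshold to deauthentication and disassociation frames per transmitter and reports the burst, noting whether it was broadcast. The frame records are constructed in a simplified (timestamp, subtype, transmitter, receiver, reason) form rather than parsed from a pcap; the window and threshold values are assumptions to tune against a real baseline.

```python
"""Detect deauthentication/disassociation floods in an 802.11 management-frame stream.

Added example. Frames are constructed tuples (timestamp_s, subtype, transmitter,
receiver, reason_code); in practice they would be read from a monitor-mode capture.
"""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management frame subtype values
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed sample: two legitimate frames, then a one-second broadcast burst.
SAMPLE_FRAMES = [
    (0.00, DEAUTH, "00:11:22:33:44:55", "AA:BB:CC:DD:EE:01", 3),   # station leaving normally
    (5.00, DISASSOC, "00:11:22:33:44:55", "AA:BB:CC:DD:EE:02", 8),
] + [
    (10.0 + i * 0.015, DEAUTH, "00:11:22:33:44:55", BROADCAST, 7)  # 60 frames in ~0.9 s
    for i in range(60)
]


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """Alert once per transmitter that sends >= threshold deauth/disassoc frames within window_s."""
    recent = defaultdict(deque)      # transmitter -> timestamps inside the window
    alerts, alerted = [], set()
    for ts, subtype, src, dst, reason in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:   # drop frames that fell out of the window
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "count": len(window),
                "first_seen": window[0],
                "broadcast": dst == BROADCAST,
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        kind = "broadcast" if alert["broadcast"] else "targeted"
        print(f"deauth flood from {alert['src']}: {alert['count']} frames within 1 s "
              f"({kind}, reason {alert['reason']}) starting at t={alert['first_seen']:.3f}")
```

A burst of broadcast deauth frames attributed to the AP's own BSSID is the classic indicator, since a real AP has little reason to deauthenticate everyone at once. The protocol-level fix is 802.11w (Protected Management Frames): with PMF required, stations discard deauth and disassoc frames that lack a valid MIC, so the spoofed frames behind both the handshake-forcing step and the flood tests are ignored, and a network that still drops clients under this test is one where PMF is not enforced.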