Book Image

Building a Pentesting Lab for Wireless Networks

By : Andrey Popov, Vyacheslav Fadyushin, Aaron Woody
Book Image

Building a Pentesting Lab for Wireless Networks

By: Andrey Popov, Vyacheslav Fadyushin, Aaron Woody

Overview of this book

Starting with the basics of wireless networking and its associated risks, we will guide you through the stages of creating a penetration testing lab with wireless access and preparing your wireless penetration testing machine. This book will guide you through configuring hardware and virtual network devices, filling the lab network with applications and security solutions, and making it look and work like a real enterprise network. The resulting lab protected with WPA-Enterprise will let you practice most of the attack techniques used in penetration testing projects. Along with a review of penetration testing frameworks, this book is also a detailed manual on preparing a platform for wireless penetration testing. By the end of this book, you will be at the point when you can practice, and research without worrying about your lab environment for every task.
Table of Contents (15 chapters)
Building a Pentesting Lab for Wireless Networks
About the Authors
About the Reviewers

Understanding wireless environment and threats

As the first and the key step towards understanding wireless security and building a highly secure wireless lab, the nature of wireless media and its place in the modern life should be understood. In this section, we will be reviewing the main specifics and threats of wireless networking.

Wired networks use cables for data transmission, thus considered a "controlled" environment, protected by a physical level of security. In order to gain access to a wired network, an attacker would need to overcome any physical security systems to access buildings or other controlled zones and also overcome logical security systems, such as firewalls and intrusion detection/prevention systems (IDPS).

In the case of wireless networks, there is an open environment used with almost complete lack of control. Providing the security level equivalent to physical security in wired networks is not that easy nowadays. Wireless network segments can become available from another floor of the same building, neighboring buildings, or even outside—only signal strength limits physical borders of a wireless network. Therefore, unlike wired networks where connection points are known, a wireless network can be accessed from anywhere—as long as the signal is strong enough.

An overview of wireless technologies

Nowadays, various technologies are used for wireless data communications. They differ in used media, frequency bands, bandwidth, encoding methods, scopes of application, and other characteristics. Let's start by defining the term wireless communications. We would say it is a remote communication between two or more devices according to certain rules or specifications without establishing a physical connection via cables or wires.

In order to understand our definition more clearly, let's define the characteristics that can be assigned to the discussed method of communication:

  • Topology:

    • Point-to-point

    • Point-to-multipoints

  • Use cases:

    • Corporate infrastructure: Office and technological

    • Providing a service

    • Personal usage

  • Range:

    • Wireless personal area networks (WPAN): Bluetooth, IrDA, and RFID

    • Wireless local area networks (WLAN): Wi-Fi

    • Wireless metropolitan area networks (WMAN) and wireless wide area networks (WWAN): WiMAX, GSM, and UMTS

  • Speed:

    • 1 Mbit/s for WPAN

    • 54 Mbit/s for WLAN

    • 300 Mbit/s for WMAN

    • 15 Mbit/s for WWAN

A brief but very capacious way of mapping the two most important characteristics of wireless technologies (the data transmission speed and the range) is depicted in the following diagram:

The classification of wireless communications based on range and data transfer speed

As we now have a clear definition, we can proceed to look at some of the types of wireless data transfer technologies and their specifics.

Let's start with the mobile cellular communication, which is probably the most common type of wireless data transmission nowadays. Cellular communication is a mobile network—a type of mobile communication that is based on the cellular network. The key feature is that the overall coverage area is divided into cells. Cells partially overlap and together form a network. A network comprises separate base stations operating in the same frequency band and each covering its own area (cell) with a radio signal and switching equipment. Cells have unique IDs allowing to determine the current locations of subscribers and provide connection continuity when a person is moving from a coverage area of one base station into a range of another one.

The history of mobile communications began in the middle of the 20th century and has passed four major milestones in its development until and the present time:

  • 1G (G is short for generation): Analog cellular communication (based on AMPS, NAMPS, and NMT-450 standards)

  • 2G: Digital cellular communication (GSM and CDMA)

  • 3G: Broadband digital cellular communication (UMTS)

  • 4G: Cellular mobile communication with high demands (LTE)

Currently, the most forward-looking solutions are UMTS and LTE. Both data transmission standards have been inherited from GSM and allow us to transmit voice or data and provide a set of various services. The distinctive feature of these standards compared with the older generations is the ability to transfer data at a higher speed (up to 21 Mbit/s for incoming data in case of UMTS and up to 300 Mbit/s for incoming data in case of LTE). These speeds allow working on the Internet in comfortable conditions.

Since there is a large amount of existing standards and a lot of differences between the government requirements, various frequencies for data transmission and information protection techniques based on different encryption algorithms can be used in different countries and industries.

The next wireless technology that we are going to review is Bluetooth (representative of WPAN). Bluetooth allows information exchange between personal devices such as mobile phones, personal computers, tablets, input devices (microphones, keyboards, and joysticks), and output devices (printers and headsets). Bluetooth operates in the free and widely available radio frequencies (between 2.4 to 2.485 GHz) for short-range communication at a distance of typically up to 10 meters (but there are exceptions) between devices and supports two types of connection: point-to-point and point-to-multipoint.

Bluetooth has a multilevel architecture consisting of the main protocol and a set of auxiliary protocols that implement the following:

  • Creating and managing a radio connection between two devices

  • Discovering services provided by devices and determining parameters

  • Creating a virtual serial data stream and emulating RS-232 control signals

  • Data transmission from another protocol stack

  • Managing high-level services like audio distribution

In addition to protocols that implement these functionalities, the Bluetooth protocol stack also contains protocols such as:

  • PPP (Point-to-Point Protocol)

  • TCP/IP

  • OBEX (Object Exchange Protocol)

  • WAE (Wireless Application Environment)

  • WAP (Wireless Application Protocol)

Another interesting way of wireless data transmission is using waves of light. There is a group of standards describing protocols of physical and logical levels of data transmission using infrared light waves as environment. It is known as IrDA (Infrared Data Association). Usually, implementation of this interaction is an emitter (infrared light-emitting diode) and a receiver (photodiode) located on each side of the link.

This technology became especially popular in the late 1990s. Nowadays, it has almost entirely replaced by more modern methods of communication such as Wi-Fi and Bluetooth. But it is still used in remote controllers of home appliances and usually these devices have one-way connection (one side has an emitter only and the other side has a receiver only).

The main reasons for the rejection of IrDA were the following:

  • Limited distance of connection

  • Direct visibility requirements

  • Low speed of data transmission (in the later revisions of the standard, speed was increased but even the high-speed versions are not popular now)

Another example of wireless optics as data transmission is Free Space Optics (FSO). This exotic technology uses an infrared laser as the information carrier, and it is used for long-distance communications in open spaces. The disadvantage of this system, as in the case of IrDA, is the direct visibility requirement that is highly dependent on weather.

Usually FSO is used:

  • When cabling is not possible or too costly

  • When you require a private link that is not receptive to radio interference and does not create any (for example, at airports)

Going back to wireless data transmission using a radio signal, we need to review the IEEE 802.11 standards family, also known as Wi-Fi (Wi-Fi is a trademark of Wi-Fi Alliance for wireless networks based on IEEE 802.11 standards family).

The family of IEEE 802.11 contains a few dozen standards, but we will directly take a look at the ones designed for data transmission, omitting the auxiliary ones:

  • 802.11: This is the original standard approved in 1997, and it describes transmission at 2.4 GHz frequency with 1 Mbit/s and 2 Mbit/s speeds.

  • 802.11b: This is an improvement to 802.11 to support higher speeds (up to 5.5 Mbit/s and 11 Mbit/s). It was approved in 1999.

  • 802.11a: This is the standard approved in 1999 and used since 2001. This standard allows us to work at 5 GHz frequency with 54 Mbit/s speed.

  • 802.11g: This allows us to transfer data at 2.4 GHz frequency with 54 Mbit/s speed. It was approved in 2003.

  • 802.11n: This was approved in 2009. This standard increases the speed of data transmission up to 600 Mbit/s at 2.4 to 2.5 GHz or 5 GHz frequencies. The standard is backwards-compatible with 802.11 a/b/g.

  • 802.11ac and 802.11ad: These standards were approved in 2014. They allow data transfer at the speed up to 7 Gbit/s and have additional working frequency (60 GHz).

IEEE 802.11 is used for data transmission via radio within a range of 100 meters. Typically, the IEEE 802.11 network consists of at least one access point and at least one client, but it is possible to connect two clients in a point-to-point (ad hoc) mode. In case of point-to-point connection, the access point is not used and clients are connected directly to each other.

Due to the fact that IEEE 802.11 applies to WLAN and provides high-speed data transfer for a local area, solutions based on IEEE 802.11 are ideal to solve "the last mile" problem. IEEE 802.11 allows us to reduce costs of deploying and expanding local networks and also provides network access in difficult-to-reach places, such as outdoors or inside buildings that have historical value.

An overview of wireless threats

Considering the specifics mentioned in the previous section, let's state the most common wireless threats.

In case of a radio signal as a transmission environment and in the case of a wired connection, there are a lot of threats, each with their own specifics.

The first threat in our list is information gathering. It usually begins with reconnaissance and mostly depends on the distance from the victim because of the radio waves nature—you don't need to connect to another network device to receive radio waves generated by that device. The result of reconnaissance can give answers about locations of network objects and users, what devices and technologies are being used, and so on. Usually, the captured network traffic contains important information. Traffic analysis can be done by checking the network packages data, the pattern of network packages, and running sessions between members of connections (access points and their clients). Also, it should be noted that the wireless network control packets (service traffic) are not encrypted. Besides, it is very difficult to distinguish between information collecting user and legal participant of the network. The fact that the radio signal coverage can go outside of a controlled zone creates easy opportunities for the realization of information gathering risk.

The second threat is problems in settings of network devices, such as using weak encryption keys or authentication methods with known vulnerabilities. Potential attackers primarily exploit these disadvantages. Incorrectly configured access points may become the cause of breaking into an entire corporate network. In addition, in the case of a corporate network, it is difficult to track using unauthorized access points; for example, a typical employee can bring an unregistered access point and connect it to a corporate network. This creates a serious threat not only to the wireless network, but also to the entire company's infrastructure.

Incorrectly configured wireless clients are an even greater threat than incorrectly configured access points. Such devices are on the move and often they are not specifically configured to reduce the risk or use default settings.

Following the previous point, the next threat is breaking the encryption. Attackers are well informed about the flaws of the widely used encryption algorithms, and for example, in the case of the WEP protocol, they can retrieve a pre-shared key from a client in less than 10 minutes.

The fourth threat facing wireless networks is the difficulty in tracking actions of a user. As already noted, the wireless devices are not "tied" to the network and can change their point of connection to the network. Incorrectly configuring the wireless client can automatically connect to the nearest wireless network. This mechanism allows attackers to switch the unsuspecting user host on an attacker's device instead of a legitimate access point to perform vulnerability scanning, phishing attacks, or man-in-the-middle attacks. Furthermore, if a user simultaneously connects to a wired network, it becomes a convenient entry point to a corporate network.

Impersonating a user is a serious threat to any network, not just wireless. However, in the case of wireless communication, determining the authenticity of the user is more difficult. There are network identifiers (SSID) and filtering MAC addresses in place, but both are broadcasted in clear text in service packets and can be intercepted. Impersonation allows attackers to insert wrong frames to authorized communications and carry out an attack on a corporate infrastructure.

The fact that many laptop users prefer switching to WLANs if they are dissatisfied with the quality of the wired network service (weak connection, URL-filtering, or port-filtering) increases the risk. In most cases, operating systems do it automatically when a wired network is down.

The last threat that we would like to mention is Denial of Service (DoS). The aim of a typical DoS attack is the violation of network service availability or a complete blocking of an authorized client access. Such an attack can be carried out, for example, by flooding a network with de-authentication or "junk" packets sent from a spoofed address. Tracking an attack source in this case is not an easy task. In addition, there is a possibility to organize a DoS attack on the physical level, running a fairly powerful jammer in the special frequency range.

Wi-Fi media specifics

Despite the wide variety of wireless technologies, the overwhelming majority of corporate and personal networking communications are based on Wi-Fi technology and this is the reason why we are going deep into this certain type of wireless technology.

Wi-Fi is prone to all threats mentioned earlier that are common for all the wireless technologies—the absence of any cables or other physical connections between clients and network devices creates great mobility for users, but also become the root cause for the most of Wi-Fi security flaws and challenges. This is both the main advantage and the main disadvantage of WLANs.

The first specification of Wi-Fi, the 802.11 standard, regulates operation of the equipment at a center frequency of 2.4 GHz with a maximum speed of up to 2 Mbit/s and was approved in 1997.

The standards of the 802.11 family regulate architectures of networks and devices, and describe the first and second of seven layers of the OSI model, along with the interaction protocols. The standards specify the base frequency, modulation techniques, and spread spectrum at the physical level.

The IEEE 802.11 standards strictly regulate only the two lower levels of the OSI model: the physical and data link layers that determine the specific features of local networks. The upper OSI levels are the same in wireless and wired LANs:

Levels of the OSI model

The need to distinguish features of various LANs is reflected by separating the data link layer into two sublayers: Logical Link Control (LLC) and Media Access Control (MAC). The MAC layer provides correct sharing of the overall environment. After gaining access to the environment it may use the higher LLC, which implements the functions of the interface with an adjacent network layer. In the 802.11 standard, MAC is similar to the implementation of Ethernet networks. The fundamental difference is that the 802.11 uses a half-duplex transceiver and cannot detect collisions during communication sessions. MAC uses a special protocol Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) in the 802.11 standard or the distributed coordination function (DCF). Moreover, 802.11 MAC supports two modes of energy consumption: continuous operation mode and the saving mode.

The 802.11 standard was updated to the standard 802.11b version in 1999, which operates on the same main frequency of 2.4 GHz with a maximum speed of up to 22 Mbit/s.

The base architecture, ideology, and characteristics of the new 802.11b standard are similar to the original version of 802.11, and only the physical layer with a higher access speed and data transmission layer have been changed.

The standard also introduces error corrections and the possibility to work in conditions of strong interference and weak signal. For this purpose, the standard describes automatic methods of data transmission speed modification based on current signal strength and interference. The development of the Wi-Fi technology has drastically increased the number of different wireless devices in the world and created the problem of interference and congestion at the 2.4 GHz band due to the fact that such devices as microwave ovens, mobile phones and Bluetooth equipment noticeably influence each other.

The 802.11a standard (operating on a 5 GHz frequency band) was developed to unload the 2.4 GHz band. There are fewer sources of interference in the new range comparing to the 2.4 GHz band and the average level of noise is much lower. The 802.11a standard uses two basic frequencies around 5 GHz and a maximum data transfer rate of up to 54 Mbit/s.

It should be mentioned that the 5 GHz band is adjacent to the frequencies that are partly used for satellite and microwave communications. To eliminate interference between Wi-Fi equipment and the other departmental systems, the European Telecommunications Standards Institute (ETSI) has developed two additional protocols: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC). Wi-Fi devices can automatically change frequency channels or decrease transmission power in the case of conflict on the carrier frequencies using these protocols.

The next step in the development of Wi-Fi is the standard 802.11g, approved in 2003. 802.11g is an improved version of 802.11b and is designed for devices operating at frequencies of 2.4 GHz with a maximum speed of 54 Mbit/s.

Now, the 802.11n standard has become the most widely used Wi-Fi technology. The developers have attempted to combine all the good features that were implemented in the previous versions in this new one. The 802.11n standard is designed for equipment operating at center frequencies of 2.4 GHz to 5 GHz as quickly as possible up to 600 Mbit/s. This standard was approved by the IEEE in September 2009. The standard is based on the technology of MIMO-OFDM. In IEEE, the maximum data rate of 802.11n is several times greater than the previous ones. This is achieved by doubling the width of the channel from 20 MHz to 40 MHz and due to implementation of MIMO technology with multiple antennas.

The last standard, which is rapidly gaining popularity, is 802.11ac. It is a wireless network standard adopted in January 2014. It operates in the 5 GHz frequency band and is backward compatible with IEEE 802.11n.

This standard allows us to significantly expand the network bandwidth from 433 Mbit/s to 6.77 Gb/s at an 8x MU-MIMO-antenna. This is the most significant innovation with respect to IEEE 802.11n. In addition, significantly less energy is used, which extends the battery life of mobile devices.

A summary of the technical information is presented in the following table:


Frequencies, MHz


Speeds, Mbit/s

Power, mW




1; 2





1; 2; 5,5; 11; 22





6; 9; 12; 18; 24; 36; 48; 54; 108







1; 2; 5,5; 6; 9; 11; 12; 18; 22; 24; 33; 36; 48; 54; 108