Book Image

Building a Pentesting Lab for Wireless Networks

By : Andrey Popov, Vyacheslav Fadyushin, Aaron Woody
Book Image

Building a Pentesting Lab for Wireless Networks

By: Andrey Popov, Vyacheslav Fadyushin, Aaron Woody

Overview of this book

Starting with the basics of wireless networking and its associated risks, we will guide you through the stages of creating a penetration testing lab with wireless access and preparing your wireless penetration testing machine. This book will guide you through configuring hardware and virtual network devices, filling the lab network with applications and security solutions, and making it look and work like a real enterprise network. The resulting lab protected with WPA-Enterprise will let you practice most of the attack techniques used in penetration testing projects. Along with a review of penetration testing frameworks, this book is also a detailed manual on preparing a platform for wireless penetration testing. By the end of this book, you will be at the point when you can practice, and research without worrying about your lab environment for every task.
Table of Contents (15 chapters)
Building a Pentesting Lab for Wireless Networks
About the Authors
About the Reviewers

Common WLAN protection mechanisms and their flaws

To be able to protect a wireless network, it is crucial to clearly understand which protection mechanisms exist and which security flaws they have. This topic will be useful not only for those readers who are new to Wi-Fi security, but also as a refresher for experienced security specialists. Understanding this topic will help you understand one of the important aspects of this book: you should properly plan the security of your wireless penetration testing lab.

Hiding SSID

Let's start with one of the common mistakes made by network administrators: relying only on security by obscurity. In the frames of the current subject, it means using a hidden WLAN SSID (short for service set identification) or simply a WLAN name.

Hidden SSID means that a WLAN does not send its SSID in broadcast beacons advertising itself and doesn't respond to broadcast probe requests, thus making itself unavailable in the list of networks on Wi-Fi-enabled devices. It also means that normal users do not see the WLAN in their available networks list.

But the lack of WLAN advertising does not mean that an SSID is never transmitted in the air—it is actually transmitted in plaintext with a lot of packets between access points and devices connected to them, regardless of the security type used. Therefore, SSIDs are always available for all the Wi-Fi network interfaces in a range and are visible to any attacker using various passive sniffing tools.

MAC filtering

To be honest, MAC filtering cannot even be considered as a security or protection mechanism for a wireless network, but it is still called so in various sources. So let's clarify why we cannot call it a security feature.

Basically, MAC filtering means allowing only those devices that have MAC addresses from a pre-defined list to connect to a WLAN, and not allowing connections from other devices. MAC addresses are transmitted unencrypted in Wi-Fi and are extremely easy for an attacker to intercept without even being noticed (refer to the following screenshot):

An example of a wireless traffic sniffing tool easily revealing MAC addresses

Keeping in mind the extreme simplicity of changing a physical address (MAC address) of a network interface, it becomes obvious why MAC filtering should not be treated as a reliable security mechanism.


MAC filtering can be used to support other security mechanisms, but it should not be used as the only security measure for a WLAN.


Wired equivalent privacy (WEP) was born almost 20 years ago at the same time as the Wi-Fi technology and was integrated as a security mechanism for the IEEE 802.11 standard.

As often happens with new technologies, it soon became clear that WEP contained weaknesses in design and was unable to provide reliable security for wireless networks. Several attack techniques were developed by security researchers that allowed them to crack a WEP key in a reasonable amount of time and use it to connect to a WLAN or intercept network communications between WLAN and client devices.

Let's briefly review how WEP encryption works and why is it so easy to break.

WEP uses so-called initialization vectors (IV) concatenated with a WLAN's shared key to encrypt transmitted packets. After encrypting a network packet, an IV is added to a packet as it is and sent to a receiving side, for example, an access point. This process is depicted in the following flowchart:

The WEP encryption process

An attacker just needs to collect enough IVs, which is also a trivial task using additional reply attacks to force victims to generate more IVs.

Even worse, there are attack techniques that allow an attacker to penetrate WEP-protected WLANs even without connected clients, which makes those WLANs vulnerable by default.

Additionally, WEP does not have a cryptographic integrity control, which also makes it vulnerable to attacks on confidentiality.

There are numerous ways an attacker can abuse a WEP-protected WLAN, for example:

  • Decrypt network traffic using passive sniffing and statistical cryptanalysis

  • Decrypt network traffic using active attacks (reply attack, for example)

  • Traffic injection attacks

  • Unauthorized WLAN access

Although WEP was officially superseded by the WPA technology in 2003, it can still be sometimes found in private home networks and even in some corporate networks (mostly belonging to small companies nowadays).

But this security technology has become very rare and will not be used in future, largely due to awareness in corporate networks and because manufacturers no longer activate WEP by default on new devices.

In our humble opinion, device manufacturers should not include WEP support in their new devices to avoid its usage and increase their customers' security.


From the security specialist's point of view, WEP should never be used to protect a WLAN, but it can be used for Wi-Fi security training purposes.

Regardless of the security type in use, shared keys always add an additional security risk; users often tend to share keys, thus increasing the risk of compromising the key and reducing accountability for key privacy.

Moreover, the more devices use the same key, the greater the amount of traffic becomes suitable for an attacker during cryptanalytic attacks, increasing their performance and chances of success. This risk can be minimized by using personal identifiers (key, certificate) for users and devices.


Due to numerous WEP security flaws, the next generation of Wi-Fi security mechanisms became available in 2003: Wi-Fi Protected Access (WPA). It was announced as an intermediate solution until WPA2 became available and contained significant security improvements over WEP.

Those improvements include:

  • Stronger encryption: The new standards use longer encryption keys than WEP (256-bit versus 64- and 128-bit) and became capable of utilizing the Advanced Encryption Standard (AES) algorithm.

  • Cryptographic integrity control: WPA uses an algorithm called Michael instead of CRC used in WEP. This is supposed to prevent altering data packets on the fly and prevents resending sniffed packets.

  • Usage of temporary keys: The Temporal Key Integrity Protocol (TKIP) automatically changes the encryption keys generated for every packet. This is a major improvement over the static WEP where encryption keys could be entered manually in an AP config. TKIP also operates RC4, but the way it is used was improved.

  • Support for client authentication: The capability to use dedicated authentication servers for user and device authentication made WPA suitable for use in large enterprise networks.

The support for the cryptographically strong AES algorithm was implemented in WPA, but it was not set as mandatory, only optional.

Although WPA was a significant improvement over WEP, it was a temporary solution before WPA2 was released in 2004 and became mandatory for all new Wi-Fi devices.

WPA2 works very similarly to WPA and the main differences between WPA and WPA2 are in the algorithms used to provide security:

  • AES became the mandatory algorithm for encryption in WPA2 instead of the default RC4 in WPA

  • TKIP used in WPA was replaced by Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP)

Because of the very similar workflows, WPA and WPA2 are also vulnerable to the similar or the same attacks and are usually known as and written as one word, WPA/WPA2. Both WPA and WPA2 can work in two modes: pre-shared key (PSK) or personal mode and enterprise mode.

Pre-shared key mode

Pre-shared key or personal mode was intended for home and small office use where networks have low complexity. We are more than sure that all our readers have met this mode and that most of you use it at home to connect your laptops, mobile phones, tablets, and so on to home networks.

The general idea of PSK mode is using the same secret key on an access point and on a client device to authenticate the device and establish an encrypted connection for networking. The process of WPA/WPA2 authentication using a PSK consists of four phases and is also called a 4-way handshake. It is depicted in the following diagram:

WPA/WPA2 4-way handshake

The main WPA/WPA2 flaw in PSK mode is the possibility to sniff a whole 4-way handshake and to brute force a security key offline without any interaction with a target WLAN. Generally, the security of a WLAN mostly depends on the complexity of the chosen PSK.

Computing a PMK (short for primary master key) used in 4-way handshakes (refer to the handshake diagram) is a very time-consuming process compared to other computing operations and computing hundreds of thousands of them can take a very long time. But in the case of a short and low complexity PSK being in use, a brute-force attack does not take long even on a not-so-powerful computer. If a key is complex and long enough, cracking it can take much longer, but still there are ways to speed up this process:

  • Using powerful computers with CUDA (short for Compute Unified Device Architecture), which allows a software to directly communicate with GPUs for computing. As GPUs are natively designed to perform mathematical operations and do them much faster than CPUs, the process of cracking works several times faster with CUDA.

  • Using rainbow tables that contain pairs of various PSKs and their corresponding precomputed hashes. They save a lot of time for an attacker because the cracking software just searches for a value from an intercepted 4-way handshake in rainbow tables and returns a key corresponding to the given PMK if there was a match, instead of computing PMKs for every possible character combination. Because WLAN SSIDs are used in 4-way handshakes analogous to a cryptographic salt, PMKs for the same key will differ for different SSIDs. This limits the application of rainbow tables to a number of the most popular SSIDs.

  • Using cloud computing is another way to speed up the cracking process, but it usually costs additional money. The more computing power an attacker can rent (or get through another ways), the faster the process is. There are also online cloud-cracking services available on the Internet for various cracking purposes including cracking 4-way handshakes.

Furthermore, as with WEP, the more users know a WPA/WPA2 PSK, the greater the risk of compromise—that's why it is also not an option for big complex corporate networks.


WPA/WPA2 PSK mode provides the sufficient level of security for home and small office networks only when a key is long and complex enough and is used with a unique (or at least not popular) WLAN SSID.

Enterprise mode

As already mentioned in the previous section, using shared keys poses a security risk and in the case of WPA/WPA2 highly relies on a key length and complexity. But there are several factors in enterprise networks that should be taken into account when talking about WLAN infrastructure: flexibility, manageability, and accountability.

There are various components that implement those functions in big networks, but in the context of our topic, we are mostly interested in two of them: AAA (short for authentication, authorization, and accounting) servers and wireless controllers.

WPA-Enterprise or 802.1x mode was designed for enterprise networks where a high security level is needed and the use of an AAA server is required. In most cases, a RADIUS server is used as an AAA server and the following EAP (Extensible Authentication Protocol) types are supported (and several more, depending on a wireless device) with WPA/WPA2 to perform authentication:







You can find a simplified WPA-Enterprise authentication workflow in the following diagram:

WPA-Enterprise authentication

Depending on an EAP-type configuration, WPA-Enterprise can provide various authentication options.

The most popular EAP type (based on our own experience in numerous pentests) is PEAPv0/MSCHAPv2, which is relatively easily integrated with existing Microsoft Active Directory infrastructures and is relatively easy to manage. But this type of WPA protection is relatively easy to defeat by stealing and brute-forcing user credentials with a rogue access point.

The most secure EAP type (at least, when configured and managed correctly) is EAP-TLS, which employs certificate-based authentication for both users and authentication servers. During this type of authentication, clients also check server's identity and a successful attack with a rogue access point becomes possible only if there are errors in configuration or insecurities in certificate maintenance and distribution.


It is recommended to protect enterprise WLANs with WPA-Enterprise in EAP-TLS mode with mutual client and server certificate-based authentication. But this type of security requires additional work and resources.


Wi-Fi Protected Setup (WPS) is actually not a security mechanism, but a key exchange mechanism which plays an important role in establishing connections between devices and access points. It was developed to make the process of connecting a device to an access point easier, but it turned out to be one of the biggest holes in modern WLANs if activated.

WPS works with WPA/WPA2-PSK and allows devices to connect to WLANs with one of the following methods:

  • PIN: Entering a PIN on a device. A PIN is usually printed on a sticker at the back of a Wi-Fi access point.

  • Push button: Special buttons should be pushed on both an access point and a client device during the connection phase. Buttons on devices can be physical and virtual.

  • NFC: A client should bring a device close to an access point to utilize the Near Field Communication technology.

  • USB drive: Necessary connection information exchange between an access point and a device is done using a USB drive.

Because WPS PINs are very short and their first and second parts are validated separately, an online brute-force attack on a PIN can be done in several hours allowing an attacker to connect to a WLAN.

Furthermore, the possibility of offline PIN cracking was found in 2014, which allows attackers to crack pins in 1 to 30 seconds, but it works only on certain devices.

You should also not forget that a person who is not permitted to connect to a WLAN but who can physically access a Wi-Fi router or access point can also read and use a PIN or connect via the push button method.