Basic Concepts - ikenpachi/Wireless-Attacks-Docs-Red-Team GitHub Wiki

1. Introduction

Wireless networks are essential for modern communication, but they also represent a major attack vector. This documentation explores the main vulnerabilities in Wi-Fi networks and how to test them in a Red Team context.

⚠ Legal Disclaimer: All content here is intended for educational purposes and testing in controlled environments. Misuse may violate laws and local regulations.

2. Basic Concepts

Before diving into attacks, it's essential to understand the fundamentals of wireless networks.

What is a Wi-Fi network?

Wi-Fi (Wireless Fidelity) is a wireless communication technology based on the IEEE 802.11 standard. It operates on different frequencies (2.4GHz, 5GHz, and 6GHz) and can be secured using protocols such as WEP, WPA, WPA2, and WPA3.

Key elements of a Wi-Fi network

  • SSID (Service Set Identifier) – The name of the Wi-Fi network.
  • BSSID (Basic Service Set Identifier) – The MAC address of the access point (AP).
  • Monitor Mode – Allows you to capture Wi-Fi packets without connecting to a network.
  • Handshakes – The authentication process in WPA/WPA2 networks.

Main vulnerabilities

  • Open networks – Unencrypted traffic.
  • WPA2 password cracking – Exploiting captured handshakes.
  • Evil Twin attacks – Creating fake access points.
  • Deauthentication attacks – Forcing devices to disconnect.

Pentesting Stages in Wi-Fi Networks

A structured approach is essential for conducting a Wi-Fi penetration test effectively. Below are the key stages involved in assessing wireless network security.

1. Scope Definition

Defines which Wi-Fi networks will be tested, the allowed devices, the attack methods that can be used, and the time limits for the test.

  • Identify authorized targets (SSID, BSSID, APs, and clients).
  • Define legal and ethical boundaries before testing.
  • Establish the testing methodology and tools to be used.

2. Reconnaissance, Scanning, and Enumeration

This phase involves identifying nearby Wi-Fi networks, collecting security protocol information, and mapping potential targets.

  • Network scanning – Identify SSIDs, BSSIDs, channels, and encryption types.
  • Client enumeration – Identify devices connected to access points.
  • Identifying weak configurations – Open networks, WEP encryption, weak WPA passwords, etc.

3. Authentication Attacks

Focuses on breaking or bypassing Wi-Fi authentication mechanisms such as WEP, WPA, WPA2, or WPA3 through brute-force attacks, dictionary attacks, and handshake capturing.

  • WEP cracking – Weak encryption vulnerabilities.
  • WPA/WPA2 handshake capture & cracking – Using wordlists or brute force.
  • PMKID attacks – Exploiting vulnerabilities in WPA/WPA2 authentication.
  • Evil Twin attacks – Deploying rogue access points to capture credentials.
  • Deauthentication attacks – Disconnecting clients to force reconnection.

4. Post-Exploitation

Once inside the Wi-Fi network, a pentester can perform network exploitation activities, including:

  • Traffic interception – Packet sniffing and data extraction.
  • Man-in-the-Middle (MitM) attacks – Intercepting communication.
  • Lateral movement – Scanning for vulnerable devices within the network.
  • Privilege escalation – Gaining further control over internal systems.

5. Documentation & Reporting

A detailed report should be created, listing all findings, vulnerabilities, evidence, and recommendations for remediation.

  • Summary of findings – Identified vulnerabilities and attack success rates.
  • Screenshots and logs – Proof of successful exploits.
  • Mitigation recommendations – Steps to secure the Wi-Fi network.

6. Review & Retesting (if necessary)

After implementing security patches, the network can be retested to ensure that:

  • The vulnerabilities have been successfully mitigated.
  • No new issues have emerged due to configuration changes.

Regular Wi-Fi penetration testing ensures continuous security improvements and helps protect against emerging threats.