Learning Wireless Testing

A natural progression from doing OSCP for many would be to do OSWP. The wireless testing certification is often mentioned as being outdated and in some way labeled as being a lesser cert to get.

I’m not so sure.

Lately I bought a book called “Hacking Wireless Networks” by Andreas K Kolokithas. Among the 400 odd pages of detailed information you’ll find information on hacking:

  • WPS
  • WEP
  • WPA
  • WPA2

It’s not all about the above list. There’s detailed information on how certain keys are used for different technologies and also some background into the 802.11 standard.

I wanted to devote my time to going a little deeper into learning about WiFi so that I’m not just skimming the hacking part of it. With this book and the OSWP notes, It’s proving to be great so far.

Curiosity

I have a mini lab set up for WiFi testing, and also a home BT SmartHub for my own internet connection. While I was testing my own router, several things sprung to mind.

So we have WPS. Everything about WPS suggests that it should be a simple case of brute-forcing the 8 digit PIN and it’s jackpot every time until the victim disables it. That’s until you encounter the lockout when you get rate limited. Yes you may be able to test over a longer period of time and change you MAC address etc, but what about time limited engagements?

Also take the issues of WPA2 passkeys. Mine is 12 characters long, and while it may not be using the full keybase, I can bet that the wordlist for those hubs is going to be huge. That’s just one hub. I did think about creating wordlists for certain manufacturers.

WEP is also hardly used, especially in the UK. Obviously for certain aspects of OSWP, I’ll have to learn how to attack it. I did a little WEP testing years ago using the Aircrack-ng suite and collected IV’s etc, however, back then it wasn’t really understood and I didn’t pursue it.

Going Forward

Wireless hacking is an interesting subject, and I like that it’s an extra skill I can add. My mind is never settled on what I read on paper. There seems to be a number of tools that do several jobs and enumerating the target and connected clients seems to be hit and miss depending on the devices. For instance my Samsung S7 Edge never appears as a client when using airodump-ng even when singling out the BSSID.

I reckon once I’ve ironed out the basics, these little teething problems can be addressed. I do have some things that trouble me though. Maybe the key to all of this is to try something the hard way before you find the simpler route.

Having worked with Cisco Wireless LAN controllers, Wireless N and AC Access Points, switching and VLANS, I know that it’s not going to be as simple as it is when you test home routers. A lot of what we do relies on someones password being in a wordlist. Somehow I doubt this will be the same.

I am enjoying the study into wireless testing and I’m glad that it’s something I have started to get to grips with. Several open questions that need answered and definitely some research into a methodology of sorts will hopefully help to maintain a good level of testing for the future.

I’ll likely make a few posts on this subject. Not ‘matter of fact’ type posts, however, a more subtle journey into learning it. Some of the pitfalls and rabbit holes and hopefully some success stories.

Keep learning!