Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition
  • Table Of Contents Toc
  • Feedback & Rating feedback
Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

By : Cameron Buchanan, Vivek Ramachandran
4.5 (44)
Buy this Book
close
close
Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition

4.5 (44)
By: Cameron Buchanan, Vivek Ramachandran
Buy this Book

Overview of this book

If you are a security professional, pentester, or anyone interested in getting to grips with wireless penetration testing, this is the book for you. Some familiarity with Kali Linux and wireless concepts is beneficial.
Table of Contents (13 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Free Chapter
1
1. Wireless Lab Setup
Icon
1. Wireless Lab Setup
Icon
Hardware requirements
Icon
Software requirements
Icon
Installing Kali
Icon
Time for action – installing Kali
Icon
Setting up the access point
Icon
Time for action – configuring the access point
Icon
Setting up the wireless card
Icon
Time for action – configuring your wireless card
Icon
Connecting to the access point
Icon
Time for action – configuring your wireless card
Icon
Summary
2
2. WLAN and its Inherent Insecurities
Icon
2. WLAN and its Inherent Insecurities
Icon
Revisiting WLAN frames
Icon
Time for action – creating a monitor mode interface
Icon
Time for action – sniffing wireless packets
Icon
Time for action – viewing management, control, and data frames
Icon
Time for action – sniffing data packets for our network
Icon
Time for action – packet injection
Icon
Important note on WLAN sniffing and injection
Icon
Time for action – experimenting with your adapter
Icon
The role of regulatory domains in wireless
Icon
Time for action – experimenting with your adapter
Icon
Summary
3
3. Bypassing WLAN Authentication
Icon
3. Bypassing WLAN Authentication
Icon
Hidden SSIDs
Icon
Time for action – uncovering hidden SSIDs
Icon
MAC filters
Icon
Time for action – beating MAC filters
Icon
Open Authentication
Icon
Time for action – bypassing Open Authentication
Icon
Shared Key Authentication
Icon
Time for action – bypassing Shared Authentication
Icon
Summary
4
4. WLAN Encryption Flaws
Icon
4. WLAN Encryption Flaws
Icon
WLAN encryption
Icon
WEP encryption
Icon
Time for action – cracking WEP
Icon
WPA/WPA2
Icon
Time for action – cracking WPA-PSK weak passphrases
Icon
Speeding up WPA/WPA2 PSK cracking
Icon
Time for action – speeding up the cracking process
Icon
Decrypting WEP and WPA packets
Icon
Time for action – decrypting WEP and WPA packets
Icon
Connecting to WEP and WPA networks
Icon
Time for action – connecting to a WEP network
Icon
Time for action – connecting to a WPA network
Icon
Summary
5
5. Attacks on the WLAN Infrastructure
Icon
5. Attacks on the WLAN Infrastructure
Icon
Default accounts and credentials on the access point
Icon
Time for action – cracking default accounts on the access points
Icon
Denial of service attacks
Icon
Time for action – deauthentication DoS attacks
Icon
Evil twin and access point MAC spoofing
Icon
Time for action – evil twins and MAC spoofing
Icon
A rogue access point
Icon
Time for action – cracking WEP
Icon
Summary
6
6. Attacking the Client
chevron up
Icon
6. Attacking the Client
Icon
Honeypot and Mis-Association attacks
Icon
Time for action – orchestrating a Mis-Association attack
Icon
The Caffe Latte attack
Icon
Time for action – conducting a Caffe Latte attack
Icon
Deauthentication and disassociation attacks
Icon
Time for action – deauthenticating the client
Icon
The Hirte attack
Icon
Time for action – cracking WEP with the Hirte attack
Icon
AP-less WPA-Personal cracking
Icon
Time for action – AP-less WPA cracking
Icon
Summary
7
7. Advanced WLAN Attacks
Icon
7. Advanced WLAN Attacks
Icon
A man-in-the-middle attack
Icon
Time for action – man-in-the-middle attack
Icon
Wireless Eavesdropping using MITM
Icon
Time for action – Wireless Eavesdropping
Icon
Session hijacking over wireless
Icon
Time for action – session hijacking over wireless
Icon
Finding security configurations on the client
Icon
Time for action – deauthentication attacks on the client
Icon
Summary
8
8. Attacking WPA-Enterprise and RADIUS
Icon
8. Attacking WPA-Enterprise and RADIUS
Icon
Setting up FreeRADIUS-WPE
Icon
Time for action – setting up the AP with FreeRADIUS-WPE
Icon
Attacking PEAP
Icon
Time for action – cracking PEAP
Icon
EAP-TTLS
Icon
Security best practices for Enterprises
Icon
Summary
9
9. WLAN Penetration Testing Methodology
Icon
9. WLAN Penetration Testing Methodology
Icon
Wireless penetration testing
Icon
Planning
Icon
Discovery
Icon
Attack
Icon
Reporting
Icon
Summary
10
10. WPS and Probes
Icon
10. WPS and Probes
Icon
WPS attacks
Icon
Time for action – WPS attack
Icon
Probe sniffing
Icon
Time for action – collecting data
Icon
Summary
11
A. Pop Quiz Answers
Icon
Chapter 1, Wireless Lab Setup
Icon
Chapter 2, WLAN and its Inherent Insecurities
Icon
Chapter 3, Bypassing WLAN Authentication
Icon
Chapter 4, WLAN Encryption Flaws
Icon
Chapter 5, Attacks on the WLAN Infrastructure
Icon
Chapter 6, Attacking the Client
Icon
Chapter 7, Advanced WLAN Attacks
Icon
Chapter 8, Attacking WPA-Enterprise and RADIUS
12
Index
Icon
Index

Time for action – AP-less WPA cracking

  1. We will set up a WPA-PSK Honeypot with the ESSID Wireless Lab. The -z 2 option creates a WPA-PSK access point, which uses TKIP:

  2. Let's also start airodump-ng to capture packets from this network:

  3. Now when our roaming client connects to this access point, it starts the handshake but fails to complete it after Message 2, as discussed previously; however, the data required to crack the handshake has been captured.

  4. We run the airodump-ng capture file through aircrack-ng with the same dictionary file as before; eventually, the passphrase is cracked as before.

What just happened?

We were able to crack the WPA key with just the client. This was possible because, even with just the first two packets, we have all the information required to launch a dictionary attack on the handshake.

Have a go hero – AP-less WPA cracking

We recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Chapter 6
Next Chapter

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY