WirelessDefence.org's Wireless Penetration Testing Framework

See http://www.vulnerabilityassessment.co.uk for the full Penetration Testing Framework

Wireless Penetration
  - Wireless Toolkit
    - Wireless Discovery: Aerosol, Airfart, Aphopper, Apradar, karma, Kismet, MiniStumbler, Netstumbler, Wellenreiter, Wifi Hopper, WirelessMon
    - Packet Capture: Airopeek, Airtraf, Apsniff, Cain, Wireshark
    - WEP / WPA Password Attack Tools: Aircrack-ptw, Aircrack-ng, Aircrack, Airsnort, cowpatty, wep attack, wep crack, Airbase, wzcook
    - Leap Attack Tools: asleap, thc leap cracker, anwrap
    - Frame Generation Software: Airgobbler, airpwn, Airsnarf, Commview, fake ap, void 11, wifi tap
      - wifi tap: wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
    - Mapping Software: Knsgem
    - File Format Conversion Tools: ns1 recovery and conversion tool, warbable, warkizniz, ivstools
      - warkizniz: warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
    - IDS Tools: WIDZ, War Scanner, Snort-Wireless, AirDefense, AirMagnet
  - WLAN discovery
    - Unencrypted WLAN
      - Visible SSID
        - Sniff for IP range
          - MAC authorised
        - MAC filtering
          - Spoof valid MAC
            - Linux: ifconfig [interface] hw ether [MAC]
            - macchanger (random MAC address): macchanger -r eth0
            - mac address changer for windows
            - madmacs
            - TMAC
            - SMAC
      - Hidden SSID
        - Deauth client
          - Aireplay-ng: aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
          - Commview: Tools > Node reassociation
          - Void11: void11_penetration wlan0 -D -t 1 -B [MAC]
    - WEP encrypted WLAN
      - Visible SSID
        - WEPattack: wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
        - Capture / Inject packets
          - Break WEP
            - Aircrack-ptw: aircrack-ptw [pcap file]
            - Aircrack-ng: aircrack -q -n [WEP key length] -b [BSSID] [pcap file]
            - Airsnort: Channel > Start
            - WEPcrack:
              - perl WEPCrack.pl
              - ./pcap-getIV.pl -b 13 -i wlan0
      - Hidden SSID
        - Deauth client
          - Aireplay-ng: aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
          - Commview: Tools > Node reassociation
          - Void11:
            - void11_hopper
            - void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]
    - WPA / WPA2 encrypted WLAN
      - Deauth client
        - Capture EAPOL handshake
          - WPA / WPA2 dictionary attack
            - coWPAtty:
              - ./cowpatty -r [pcap file] -f [wordlist] -s [SSID]
              - ./genpmk -f dictionary_file -d hashfile_name -s ssid
              - ./cowpatty -r capture_file.cap -d hashfile_name -s ssid
            - Aircrack-ng: aircrack-ng -a 2 -w [wordlist] [pcap file]
    - LEAP encrypted WLAN
      - Deauth client
        - Break LEAP
          - asleap:
            - ./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash file.dat -n output_index_filename.idx
            - ./genkeys -r dictionary_file -f output_pass+hash file.dat -n output_index_filename.idx
          - THC-LEAPcracker: leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]
    - 802.1x WLAN
      - Create Rogue Access Point
        - Airsnarf
          - Deauth client
            - Associate client
              - Compromise client
                - Acquire passphrase / certificate
                  - wzcook
                  - Obtain user's certificate
        - fake ap:
          - perl fakeap.pl --interface wlan0
          - perl fakeap.pl --interface wlan0 --channel 11 --essid fake_name --wep 1 --key [WEP KEY]
        - Hotspotter
          - Deauth client
            - Associate client
              - Compromise client
                - Acquire passphrase / certificate
                  - wzcook
                  - Obtain user's certificate
        - Karma: ./bin/karma etc/karma-lan.xml
          - Deauth client
            - Associate client
              - Compromise client
                - Acquire passphrase / certificate
                  - wzcook
                  - Obtain user's certificate
        - Linux rogue AP
          - Deauth client
            - Associate client
              - Compromise client
                - Acquire passphrase / certificate
                  - wzcook
                  - Obtain user's certificate
  - Resources
    - URLs: Wirelessdefence.org, Wardrive.net, Wireless Vulnerabilities and Exploits (W ...
    - White Papers: Breaking 104 bit WEP in less than 60 sec ...; Weaknesses in the Key Scheduling Algorit ...; 802.11b Firmware-Level Attacks; Wireless Attacks from an Intrusion Detec ...; Implementing a Secure Wireless Network f ...
    - Common Vulnerabilities and Exploits (CVE ...
      - Vulnerabilities and exploit information r ...
        - 2007: Multiple cross-site scripting (XSS) vuln ...; Aruba Mobility Controllers and Alcatel-L ...; Heap-based buffer overflow in the manage ...; Intel 2200BG 802.11 Wireless Mini-PCI dr ...
  - Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
    - Site Map
      - RF Map
        - Lines of Sight
        - Signal Coverage
          - Standard Antenna
          - Directional Antenna
      - Physical Map
        - Triangulate APs
        - Satellite Imagery
      - Network Map
    - MAC Filter
      - Authorised MAC Addresses
      - Reaction to Non-Authorised MAC Addresses
    - Encryption Keys utilised
      - WEP
        - Key Length
          - Crack Time
          - Key
      - WPA/PSK: Pre-Shared Key (PSK), where every user is given the same pass-phrase. Wi-Fi Protected Access (WPA / WPA2) improved authentication and encryption.
        - Temporal Key Integrity Protocol (TKIP): the interim solution to replace the notoriously weak WEP.
          - Key
          - Attack Time
        - Advanced Encryption Standard (AES): AES (a.k.a. WPA2 and 802.11i), the preferred encryption standard for securing sensitive data.
          - Key
          - Attack Time
      - 802.1x
        - Derivative of 802.1x in use
    - Access Points
      - ESSID: Extended Service Set Identifier (ESSID).
        - Broadcast ESSIDs
      - BSSIDs: Basic Service Set Identifier (BSSID).
        - Vendor
        - Channel
        - Associations
        - Rogue AP Activity
    - Wireless Clients
      - MAC Addresses
        - Vendor
        - Adhoc or Infrastructure Mode
        - ESSID Probes
        - Associations
      - Intercepted Traffic
        - Encrypted
        - Clear Text