Introduction to Wireless Penetration Testing

Wireless penetration testing is a method to test an organization’s security. It is the process of gaining unauthorized access to the wireless network, data and the applications. The objective is to find any holes in the security architecture of the organization and devise tactics that will help thwart attackers (Wireless Penetration Testing).

Wireless penetration testing is on the rise nowadays, since wireless networks are everywhere. My main goal here is to introduce you to the wireless penetration testing methodology.


This article covers everything from the basics of wireless to advanced technologies. The topics include WLAN fundamentals; client-to-AP security issues; authentication, encryption and key management; and wireless access points and network infrastructure.

There are many techniques for attacking wireless networks; we just need to think a little before starting to do some damage.

My goal here is to study and understand the technology better and share everything I learn with the community while I improve my English. This is a simple technical document to help people design a wireless network with at least a minimum of security and be aware of the risks.

Secure Wireless network

The wireless penetration testing methodology is a great way to understand wireless network security. However, there is a lot to learn – from the types of devices at risk (i.e., smartphones and tablets) to the types of attacks used by wireless intruders.

In wireless networks we need at least two devices: one Access Point (router) and a STA (client PC or mobile) that associates with the access point.

Wireless 802.11 Layer 1

The 802.11 standard defines the wireless technology: it specifies the frequency, bandwidth and modulation used by devices.

802.11 Frame Types

Management, Control, Data, Extension

Frame Type | Type Description | Subtype Value | Subtype Description
-----------|------------------|---------------|-----------------------
00         | Management       | 0000          | Association Request
00         | Management       | 0001          | Association Response
00         | Management       | 0010          | Reassociation Request
00         | Management       | 0011          | Reassociation Response

There are some differences in the low-level layers between a wireless network and a cabled network: on Wi-Fi, Layer 1 follows the 802.11 standard, and on Layer 2 the LLC sublayer is the same, but the MAC sublayer uses the CSMA/CA protocol to detect and correct errors on frames.

A wireless network uses radio waves to communicate with its clients. There are two operation modes: infrastructure (ESS) and ad hoc (IBSS).

The most common these days is infrastructure (ESS) mode, which uses one AP and one client (STA); if there is more than one AP, the link between the APs is called the DS (distribution system).

Detecting DSs is very useful if we want to hijack a network or add our own AP to a foreign network to monitor it or use the network to our advantage.

Ad hoc mode is used to connect machines directly, in peer-to-peer fashion. This tutorial focuses on infrastructure mode, so I don't go deep into ad hoc mode (it is too extensive), but we will crack it.

Router Perspective

A router usually broadcasts its network name (ESSID) in beacons, together with its MAC address (BSSID), channel, cipher and encryption, waiting for a client to connect to it. Let's check what relevance this information has for us:

  • ESSID – Identifies the network name. It can sometimes be useful: with some routers from ISPs we can use key generators to derive the correct Wi-Fi password, even for WPA.
  • BSSID – The BSSID is the MAC address assigned to the router's Wi-Fi interface; this is the interface we connect to once authenticated. The MAC address can give us some information, like the router manufacturer and equipment version (Thomson TG784n v3). If we know this, and we know this router version has a bug in its WPS system, why waste time trying to crack a WPA password?
  • Channel – Wireless networks use frequencies in a defined range (2.443 MHz to 2.447 MHz) to communicate and use channels to
  • Cipher
  • Encryption
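As an added example (not code from the original article), the Python below decodes the type and subtype bits of the 802.11 Frame Control field from the frame-type table above and pulls the ESSID, BSSID, channel and encryption flags out of a beacon, the same fields listed under Router Perspective, the way an AP-inventory or deauth-flood monitor would classify captured frames. The sample beacon is constructed by hand; the Privacy bit (0x10) and element tags 0, 3 and 48 are the standard 802.11 values.

```python
import struct

# Frame type (bits b2-b3) and management subtype (bits b4-b7) names from the
# 802.11 Frame Control field; the first four subtypes are the table above.
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {
    0x0: "Association Request", 0x1: "Association Response",
    0x2: "Reassociation Request", 0x3: "Reassociation Response",
    0x8: "Beacon", 0xA: "Disassociation", 0xC: "Deauthentication",
}

def parse_frame_control(fc):
    """Return (type, subtype) from the 2-byte Frame Control field."""
    return (fc[0] >> 2) & 0x3, (fc[0] >> 4) & 0xF

def describe_frame(frame):
    """'Type/Subtype' label, e.g. for counting deauth frames in a capture."""
    ftype, subtype = parse_frame_control(frame[0:2])
    name = f"subtype {subtype}"
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, name)
    return f"{FRAME_TYPES[ftype]}/{name}"

def parse_beacon(frame):
    """Extract what a router advertises in a beacon (see Router Perspective)."""
    if parse_frame_control(frame[0:2]) != (0, 8):
        raise ValueError("not a beacon frame")
    # Header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2) = 24 bytes;
    # fixed params: timestamp(8) beacon interval(2) capability(2) = 12 bytes.
    bssid = frame[16:22].hex(":")                   # addr3 carries the BSSID
    capability = struct.unpack("<H", frame[34:36])[0]
    info = {"bssid": bssid, "oui": bssid[:8],       # OUI: key for vendor lookup
            "privacy": bool(capability & 0x10), "rsn": False}
    body, pos = frame[36:], 0
    while pos + 2 <= len(body):                     # walk the tagged elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if tag == 0:                                # SSID element -> ESSID
            info["essid"] = value.decode("utf-8", errors="replace")
        elif tag == 3 and length == 1:              # DS Parameter Set -> channel
            info["channel"] = value[0]
        elif tag == 48:                             # RSN element -> WPA2/WPA3 ciphers
            info["rsn"] = True
        pos += 2 + length
    return info

# Constructed sample beacon (not a real capture), written out field by field.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "001122334455" "001122334455" "1000"  # header
    "0000000000000000" "6400" "1104"            # timestamp, 100 TU, ESS+Privacy
    "0004" "4c616231" "0301" "06" "3002" "0100" # SSID "Lab1", channel 6, RSN
)
```

The OUI (first three bytes of the BSSID) is what you look up in the IEEE registry to get the manufacturer the text mentions.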

Clients Perspective

A client has fewer things to verify, beyond everything we checked from the router perspective that is necessary to establish a connection to the router.

But we are here to crack a wireless network, so we need a Wi-Fi card with a special feature: injection. With this we can inject packets between the AP and a client to force them to deauthenticate, and some more interesting things.

  • Wi-Fi card with injection – These days there are many Wi-Fi cards that support injection; you must verify the chipset of the Wi-Fi card and install the proper drivers. But we have already compiled a list for you, check it here:
  • Drivers – Pay attention to the drivers; they must be installed correctly, without errors.
  • Software – In this tutorial we will use some Linux commands, the Aircrack-ng suite and other tools like WifiPumpkin 3, Airgeddon and Wifite.



Offensive Security Wireless Attacks

Next, we will describe a list of the most common techniques and vulnerabilities in wireless networks. Wireless pentesting can be easy or tricky; most of the time it depends on the hardware being attacked.

Wifi Attacks


  • Open Networks
      • With Clients
      • No Clients
  • Deauthentication Attack
  • Handshake Capture
  • Bruteforce WPS
      • Null PIN
      • PIN Database
  • Rainbow Tables
  • Key Generators
  • Real Scenario

