Wireless Attack Labs
WiFi reconnaissance, WPA attacks, and wireless security testing exercises
Chapter 6: Wireless Attack Labs
Lab Overview
These labs cover wireless security testing. They require a compatible wireless adapter.
Lab 6.1: Wireless Reconnaissance
Objective
Discover and analyze wireless networks.
Difficulty: Beginner | Time: 30 minutes
Hardware Required
- USB WiFi adapter supporting monitor mode (Alfa AWUS036ACH, etc.)
Instructions
Part 1: Enable Monitor Mode
```bash
# Check interface
iwconfig
# Kill interfering processes
sudo airmon-ng check kill
# Start monitor mode
sudo airmon-ng start wlan0
# Verify
iwconfig wlan0mon
```
Part 2: Passive Scanning
```bash
# Scan all channels
sudo airodump-ng wlan0mon
# Output shows:
# BSSID - MAC address
# PWR - Signal strength
# CH - Channel
# ENC - Encryption (WEP/WPA/WPA2)
# ESSID - Network name
```
Part 3: Targeted Scan
```bash
# Scan specific channel
sudo airodump-ng -c 6 wlan0mon
# Scan specific network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon
# Save capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
```
Documentation Template
Network: TestNetwork
BSSID: AA:BB:CC:DD:EE:FF
Channel: 6
Encryption: WPA2
Cipher: CCMP
Auth: PSK
Signal: -45 dBm
Clients: 3 connected
Verification
- Enabled monitor mode
- Discovered networks
- Documented findings
Lab 6.2: Handshake Capture
Objective
Capture a WPA handshake for analysis.
Difficulty: Intermediate | Time: 30 minutes
Important
Only capture handshakes from YOUR test network.
Instructions
Part 1: Target Your Network
```bash
# Start capture on your AP
sudo airodump-ng -c YOUR_CHANNEL --bssid YOUR_BSSID -w handshake wlan0mon
```
Part 2: Force Handshake
```bash
# Option A: Wait for natural reconnection
# Option B: Deauth your test device (separate terminal)
sudo aireplay-ng -0 1 -a YOUR_BSSID -c YOUR_DEVICE_MAC wlan0mon
# Watch airodump for "WPA handshake: XX:XX..."
```
Part 3: Verify Capture
```bash
# Check capture file
aircrack-ng handshake-01.cap
# Should show:
# "1 handshake"
```
Verification
- Captured handshake
- Verified with aircrack-ng
- Saved capture file
Lab 6.3: Password Strength Testing
Objective
Test the captured handshake against a wordlist.
Difficulty: Intermediate | Time: 30 minutes
Instructions
Part 1: Dictionary Attack
```bash
# Use aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap
# Use hashcat (faster, GPU)
# First convert to the hc22000 format that hashcat -m 22000 expects
# (hcxpcapngtool ships in the hcxtools package; aircrack-ng -j writes the
# older .hccapx format, which does not match the filename used below)
hcxpcapngtool -o hashfile.hc22000 handshake-01.cap
# Then crack
hashcat -m 22000 hashfile.hc22000 /usr/share/wordlists/rockyou.txt
```
Part 2: Custom Wordlist
```bash
# Create targeted wordlist
# Company name + numbers
cat > custom.txt << 'EOF'
company123
Company123
COMPANY123
company2024
CompanyWiFi
EOF
# Test
aircrack-ng -w custom.txt handshake-01.cap
```
Part 3: Document Time
Password Complexity vs Crack Time:
weak123 - Found in 5 seconds (in rockyou)
Company2024 - Found in 2 minutes (predictable pattern)
K#9xM$2qL% - Not found (strong random password)
Verification
- Ran dictionary attack
- Created custom wordlist
- Documented crack times
Lab 6.4: Rogue AP Detection
Objective
Detect unauthorized access points.
Difficulty: Beginner | Time: 30 minutes
Instructions
Part 1: Baseline Discovery
```bash
# Document legitimate APs
sudo airodump-ng wlan0mon --write baseline
# Create inventory:
# SSID | BSSID | Channel | Expected
```
Part 2: Detection Scan
```bash
# Compare against baseline
sudo airodump-ng wlan0mon
# Look for:
# - Same SSID, different BSSID (evil twin)
# - Unknown SSIDs
# - APs on unexpected channels
```
Part 3: Alert Script
```bash
#!/bin/bash
# Simple rogue AP detection: report any BSSID not in the known list
KNOWN_APS="AA:BB:CC:DD:EE:FF,11:22:33:44:55:66"
while true; do
    # Scan briefly; airodump-ng names the output /tmp/scan-01.csv
    rm -f /tmp/scan-01.csv
    sudo timeout 10 airodump-ng wlan0mon -w /tmp/scan --output-format csv 2>/dev/null
    # The CSV lists APs under a "BSSID" header, then clients under a
    # "Station MAC" header; keep only the AP rows and their first column
    awk -F',' '/^BSSID/ {ap=1; next} /^Station MAC/ {exit} ap && NF>1 {gsub(/ /,"",$1); print $1}' \
        /tmp/scan-01.csv 2>/dev/null | while read -r bssid; do
        # Match the whole address against the list, not a substring of it
        case ",$KNOWN_APS," in
            *",$bssid,"*) ;;
            *) echo "[!] Unknown AP detected: $bssid" ;;
        esac
    done
    sleep 60
done
```
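As an added example (not code from the original lab), the Part 1 baseline and the three Part 2 checks implemented in Python over an airodump-ng CSV, including the station section at the bottom of the file that must not be mistaken for APs. The baseline text, CSV rows, BSSIDs and SSIDs are constructed sample data; the column layout is the one airodump-ng writes.

```python
import csv
import io

# Constructed sample input: a Part 1 baseline (SSID | BSSID | Channel) and an airodump-ng CSV standing in for /tmp/scan-01.csv (AP section first, then stations)
BASELINE = """\
TestNetwork | AA:BB:CC:DD:EE:FF | 6
TestNetwork | 11:22:33:44:55:66 | 11
"""
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:00:10,  6,  54, WPA2, CCMP, PSK, -45, 10, 0,   0.  0.  0.  0,  11, TestNetwork,
11:22:33:44:55:66, 2024-01-01 10:00:00, 2024-01-01 10:00:10,  1,  54, WPA2, CCMP, PSK, -60, 10, 0,   0.  0.  0.  0,  11, TestNetwork,
DE:AD:BE:EF:00:01, 2024-01-01 10:00:05, 2024-01-01 10:00:10,  6,  54, WPA2, CCMP, PSK, -30, 10, 0,   0.  0.  0.  0,  11, TestNetwork,
DE:AD:BE:EF:00:02, 2024-01-01 10:00:05, 2024-01-01 10:00:10,  6,  54, OPN,  ,  , -70, 10, 0,   0.  0.  0.  0,   9, FreeWiFi!,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CA:FE:00:00:00:01, 2024-01-01 10:00:06, 2024-01-01 10:00:10, -50, 5, AA:BB:CC:DD:EE:FF, TestNetwork
"""
def parse_baseline(text):
    known = {}                           # BSSID -> (expected SSID, expected channel)
    for line in text.splitlines():
        if line.strip():
            ssid, bssid, channel = (f.strip() for f in line.split("|"))
            known[bssid.upper()] = (ssid, int(channel))
    return known

def parse_ap_rows(csv_text):
    """Return (bssid, channel, essid) for the AP section only; stop at the station section."""
    aps = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if row and row[0] == "Station MAC":
            break                        # everything below is clients, not APs
        if not row or row[0] == "BSSID" or len(row) < 14:
            continue                     # blank line, header row or truncated line
        aps.append((row[0].strip().upper(), int(row[3]), row[13].strip()))
    return aps

def detect_rogues(known, aps):
    """Apply the Part 2 checks: evil twin, unknown SSID, known AP on an unexpected channel."""
    known_ssids = {ssid for ssid, _ in known.values()}
    findings = []
    for bssid, channel, essid in aps:
        if bssid in known:
            if channel != known[bssid][1]:
                findings.append(("unexpected-channel", bssid, essid, channel))
        elif essid in known_ssids:
            findings.append(("evil-twin", bssid, essid, channel))
        else:
            findings.append(("unknown-ssid", bssid, essid, channel))
    return findings
```

Run `detect_rogues(parse_baseline(BASELINE), parse_ap_rows(SCAN_CSV))` to get one finding per suspicious AP; swapping the embedded strings for the real baseline file and `/tmp/scan-01.csv` turns it into the Part 3 alert loop.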
Verification
- Created baseline inventory
- Compared against live scan
- Built detection script
Lab 6.5: 802.1X Analysis
Objective
Analyze enterprise wireless authentication.
Difficulty: Intermediate | Time: 30 minutes
Instructions
Part 1: Capture EAP Traffic
```bash
# Capture on enterprise network
sudo airodump-ng -c CHANNEL --bssid BSSID -w eap_capture wlan0mon
```
Filter in Wireshark:
```
eap or eapol
```
Part 2: Analyze EAP Types
Wireshark filter: eap
Look for:
- EAP-Identity (username visible)
- EAP-Type (PEAP, EAP-TLS, etc.)
- Certificate exchanges
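As an added example (not code from the original lab), a small Python parser for the EAPOL/EAP layout that the Wireshark filter above decodes: it pulls the EAP-Identity and EAP-Type out of a constructed exchange, which makes concrete why the username is readable to anyone capturing the authentication. The identity string, identifiers and frame bytes are constructed; the header layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP).

```python
import struct
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def build_eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAPOL EAP-Packet (used here only to construct the sample frames)."""
    if eap_type is None:                      # Success/Failure: 4-byte EAP header only
        eap = struct.pack("!BBH", code, ident, 4)
    else:                                     # Request/Response: header, Type byte, Type-Data
        eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    # EAPOL header: protocol version 1, packet type 0 (EAP-Packet), body length
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed exchange (EAPOL payloads only, i.e. what follows the 802.11/LLC/SNAP headers)
SAMPLE_EXCHANGE = [
    bytes.fromhex("01010000"),                         # EAPOL-Start from the client
    build_eap_packet(1, 1, 1),                         # Request/Identity from the AP
    build_eap_packet(2, 1, 1, b"alice@corp.example"),  # Response/Identity, sent in the clear
    build_eap_packet(1, 2, 25, b"\x20"),               # Request/PEAP (flags byte: start)
    build_eap_packet(2, 2, 25, b"\x80\x00\x00\x00\x03\x16\x03\x01"),  # Response/PEAP carrying TLS
]

def parse_eapol(frame):
    """Return a dict describing the EAP message in one EAPOL frame, or None if it carries no EAP."""
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    if pkt_type != 0:                         # 1 = Start, 2 = Logoff, 3 = Key: no EAP inside
        return None
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError("EAP length field exceeds EAPOL body")
    msg = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length >= 5:        # Request/Response carry a Type byte
        eap_type = body[4]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1 and code == 2:       # Response/Identity: the username, never encrypted
            msg["identity"] = body[5:length].decode("utf-8", "replace")
    return msg

def summarize_exchange(frames):
    """Collect identities exposed in the clear and the EAP methods negotiated, as in Part 2."""
    identities, methods = [], []
    for msg in filter(None, map(parse_eapol, frames)):
        if "identity" in msg:
            identities.append(msg["identity"])
        elif msg.get("type") not in (None, "Identity", "Nak") and msg["type"] not in methods:
            methods.append(msg["type"])
    return identities, methods
```

Only the outer identity and method are visible this way; with PEAP or EAP-TTLS the inner credential exchange sits inside the TLS tunnel, which is exactly why the client's server-certificate validation in Part 3 matters.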
Part 3: Security Assessment
EAP Security Comparison:
EAP-TLS:
- Mutual certificate authentication
- Most secure
- Complex deployment
PEAP:
- Server certificate + password
- Vulnerable to evil twin if cert not validated
EAP-TTLS:
- Similar to PEAP
- Same validation concerns
Verification
- Captured EAP authentication
- Identified EAP type used
- Documented security considerations
Lab 6.6: Wireless IDS Setup
Objective
Deploy wireless intrusion detection.
Difficulty: Intermediate | Time: 45 minutes
Instructions
Part 1: Install Kismet
```bash
# Install Kismet
sudo apt install kismet
# Configure
sudo vim /etc/kismet/kismet.conf
# Set: source=wlan0mon
```
Part 2: Run Detection
```bash
# Start Kismet
kismet
# Access web UI: http://localhost:2501
# Monitor for:
# - Deauth floods
# - Rogue APs
# - Probe requests
```
Part 3: Alert Configuration
```bash
# Kismet alerts on:
# - DEAUTHFLOOD
# - BSSTIMESTAMP
# - CHANCHANGE
# - APSPOOF
# Review alerts in UI or log
cat /var/log/kismet/*.alerts
```
Verification
- Installed and configured Kismet
- Monitored wireless activity
- Configured alerts
Lab Summary
Skills Acquired
- Monitor mode configuration
- Network discovery
- Handshake capture
- Password testing
- Rogue AP detection
- Wireless IDS deployment
Defense Recommendations
| Attack | Detection | Prevention |
|---|---|---|
| Evil Twin | BSSID monitoring | Client validation |
| WPA Crack | N/A (offline) | Strong passwords |
| Deauth | Deauth flood alerts | 802.11w (PMF) |