SANS Penetration Testing

Wireless Tips, Tricks and Resources

[Editor's Note: We're continuing our series on useful tips and tricks for different kinds of pen testing, based on the SANS Pen Test Poster. In this installment, Mr. Larry "Hax0r the Matrix" Pesce covers some great tips, ideas, and resources for wireless penetration tests. Great stuff!

Earlier in this series, we covered:

John Strand's tips on network penetration testing
Steve Sims' tips on exploit development
Josh Wright's tips on mobile device penetration testing]


By Larry Pesce

Methodology Tips

  • Recon - Channel hopping with Kismet is your best friend while performing recon. It is passive (it transmits nothing) and cycles through all of the channels the wireless driver supports. Be mindful that while the card is channel hopping it misses all of the activity on the channels it is not currently tuned to.
  • Scanning - Channel hopping is great for discovery, as it will eventually tell us about every wireless network in the environment, but sometimes we need to focus on one channel to gain more information about a single network. Locking your wireless card to a specific channel helps when uncloaking a hidden network, capturing a WPA-PSK 4-way handshake, or gathering the volume of packets that further exploitation (such as WEP cracking) requires. Having TWO (or more) wireless cards allows one card to channel hop and perform discovery while the locked card(s) gather more information for additional, more directed attacks.
  • Exploitation - Exploitation comes in many forms on wireless networks: weak enterprise encryption, misconfigured authentication, and direct client attacks through ad-hoc connections. The best place for exploitation is the weakest link, often the places where corporate assets go when outside of the enterprise environment: a local coffee shop, a hotel, or even employee homes, where open wireless networks may be de rigueur. These are great places to attack clients directly and observe plaintext traffic that can be leveraged for additional attacks against the enterprise.
  • Post-Exploitation - While exploitation often relies on leveraging a wireless vulnerability or misconfiguration, one can also leverage compromised systems to learn about additional wireless networks, and perhaps even join those already in the system's preferred network list; use what you've gained access to in order to push further!
  • Misc (Reporting) - How do you get all of that information from the test into a format that makes sense as part of a vulnerability report? This will take some massaging, but output from tools (such as Kismet capture files and XML output) can often be fed into other standard tools to help illustrate risk. One example is to use Kismet's XML output to generate graphs based on observed wireless network configurations. One could also use other tools in new ways, such as querying the GISKismet database for discovered network configurations (12/how-i-use-giskismet-for-more-than-mapping.html; GISKismet, by Joshua D. Abraham).
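As an added example for the reporting tip (not part of the original post, and not a Kismet component), the script below turns a Kismet netxml capture into the numbers a report needs: access points by security posture, access points per channel, hidden networks whose name a probe response gave away, and the network names clients were probing for. The embedded capture is constructed to match the shape of Kismet's netxml output (a detection-run root with one wireless-network element per BSSID and encryption tags such as WPA+PSK); the BSSIDs and ESSIDs are fictitious, and the rule that a WPA network without a WPA+PSK tag is enterprise authentication is an assumption of this example.

```python
"""Summarise wireless network configurations from a Kismet netxml capture.

Added reporting example; not a Kismet component. The sample below is
constructed to match the shape of Kismet's netxml output (a <detection-run>
root with one <wireless-network> element per BSSID); names are fictitious.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2013.03.R1" start-time="Thu Dec  5 14:00:00 2013">
<wireless-network number="1" type="infrastructure">
 <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
  <essid cloaked="false">CorpGuest</essid></SSID>
 <BSSID>02:00:00:00:00:01</BSSID><channel>1</channel>
</wireless-network>
<wireless-network number="2" type="infrastructure">
 <SSID><type>Beacon</type><encryption>WPA+TKIP</encryption><encryption>WPA+PEAP</encryption>
  <essid cloaked="true"></essid></SSID>
 <SSID><type>Probe Response</type><essid cloaked="false">CorpSecure</essid></SSID>
 <BSSID>02:00:00:00:00:02</BSSID><channel>6</channel>
</wireless-network>
<wireless-network number="3" type="infrastructure">
 <SSID><type>Beacon</type><encryption>WEP</encryption><essid cloaked="false">Warehouse-Scanner</essid></SSID>
 <BSSID>02:00:00:00:00:03</BSSID><channel>11</channel>
</wireless-network>
<wireless-network number="4" type="infrastructure">
 <SSID><type>Beacon</type><encryption>None</encryption><essid cloaked="false">Lobby-Free</essid></SSID>
 <BSSID>02:00:00:00:00:04</BSSID><channel>6</channel>
</wireless-network>
<wireless-network number="5" type="probe">
 <SSID><type>Probe Request</type><essid cloaked="false">HomeNet</essid></SSID>
 <BSSID>02:00:00:00:00:05</BSSID><channel>0</channel>
</wireless-network>
</detection-run>
"""


def classify(encryptions):
    """Bucket Kismet's per-SSID <encryption> strings into one security posture."""
    enc = {e.strip() for e in encryptions if e and e.strip()}
    if not enc or enc == {"None"}:
        return "Open"
    if any(e.startswith("WEP") for e in enc):
        return "WEP"
    if any(e.startswith("WPA") for e in enc):
        # Kismet tags pre-shared-key networks "WPA+PSK"; WPA without that tag
        # is taken (assumption of this example) to be 802.1X/EAP, i.e. enterprise.
        return "WPA-PSK" if "WPA+PSK" in enc else "WPA-Enterprise"
    return "Unknown"


def parse_netxml(text):
    """Return one record per access point plus the names clients probed for."""
    # Kismet writes the file, but every ESSID in it came off the air; use a
    # hardened parser such as defusedxml if the capture is not your own.
    root = ET.fromstring(text.encode("utf-8") if isinstance(text, str) else text)
    aps, probed = [], set()
    for net in root.iter("wireless-network"):
        encs, names, cloaked = [], [], False
        for ssid in net.findall("SSID"):
            encs += [e.text for e in ssid.findall("encryption")]
            essid = ssid.find("essid")
            if essid is None:
                continue
            if essid.get("cloaked") == "true":
                cloaked = True           # beacon carried no name
            elif essid.text:
                names.append(essid.text)  # beacon or probe response gave one
        if net.get("type") == "probe":   # a client searching for a network
            probed.update(names)
            continue
        aps.append({
            "bssid": net.findtext("BSSID", ""),
            "channel": int(net.findtext("channel", "0")),
            "essid": names[0] if names else "",
            "cloaked": cloaked,
            "security": classify(encs),
        })
    return aps, probed


def summarise(aps, probed):
    return {
        "by_security": Counter(ap["security"] for ap in aps),
        "by_channel": Counter(ap["channel"] for ap in aps),
        # Hidden networks whose name a probe response or association revealed.
        "uncloaked": [ap["essid"] for ap in aps if ap["cloaked"] and ap["essid"]],
        "probed": sorted(probed),
    }


def report(text):
    """Plain-text summary suitable for pasting into a findings section."""
    aps, probed = parse_netxml(text)
    s = summarise(aps, probed)
    lines = ["Access points by security posture:"]
    lines += [f"  {k:15s} {v}" for k, v in s["by_security"].most_common()]
    lines.append("Access points per channel:")
    lines += [f"  ch {k:<3d} {v}" for k, v in sorted(s["by_channel"].items())]
    lines.append("Hidden networks uncloaked: " + (", ".join(s["uncloaked"]) or "none"))
    lines.append("Names probed for by clients: " + (", ".join(s["probed"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETXML))
```

For a real capture, pass the file's bytes to parse_netxml (Kismet declares its own encoding in the XML header, so reading in binary mode lets the parser honour it). The Counters returned by summarise() are what you would hand to a plotting library for the graphs mentioned above, and the probed-for names tie directly to the post-exploitation tip: they are the preferred network lists that clients leak while away from the office.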

Must-Have Tools


  • Kismet - The best passive wireless discovery and analysis tool; it finds all of the Wi-Fi networks the selected adapter can hear (including cloaked/hidden networks). It is extensible through a plug-in architecture to support attacks and additional wireless discovery, such as Bluetooth, ZigBee, DECT and others. Linux and OSX only. Kismet, by Mike Kershaw.
  • Wireshark - A packet capture and analysis tool that is continually updated with improved protocol dissectors that translate raw captures into human-readable form. Supports 802.11, 802.15.4, DECT and many other common wireless protocols. Supported on Linux, Windows and OSX. Wireshark, by Gerald Combs and Riverbed Technology.
  • Aircrack-ng suite - A "swiss-army" collection of tools covering WEP and WPA cracking, packet capture decryption, packet capture relationship analysis, and tunnel building, supported under Linux, Windows and OSX. Aircrack-ng, by Thomas d'Otreppe.
  • Netmon - If you absolutely must capture in monitor mode under Windows, this is your huckleberry. In fact, it is the only huckleberry in town under Vista/7/8. Netmon (Microsoft Network Monitor), by Microsoft Corporation.
  • Kali Linux - Need some other wireless or penetration testing tool? Chances are that the developers of Kali Linux (the successor to BackTrack 5) have gone through the trouble of making it work for you in this preconfigured penetration testing LiveCD/VM. Kali Linux, by Offensive Security.
  • Scapy - Want to take your wireless testing to the next level by fuzzing all manner of protocols? Use Scapy with Python to craft your own packets from scratch. Linux only. Scapy, by Philippe Biondi.


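The scanning tip above (lock a card to one channel to uncloak a hidden network) and the Scapy entry (craft your own packets from scratch) share one added example below. It is not Scapy's or Kismet's code: a pure-Python snippet that builds 802.11 beacons and probe responses from the 24-byte header up, then dissects them the way a scanner does. It reads the SSID, DS parameter and RSN elements plus the privacy capability bit to label each BSSID as Open, WEP, WPA, WPA2-PSK or WPA2-Enterprise, and it shows why the locked card pays off: the hidden AP's beacon carries an empty SSID element, and only its probe response to a client reveals the name. The frames, BSSIDs and names are constructed for the example; the element IDs, suite selectors and capability bit are the standard's values. Element lengths come off the air from whoever sent the frame, so the element walker bounds-checks every entry rather than trusting the length byte.

```python
"""Build and dissect 802.11 beacons / probe responses in pure Python.

Added example (not Kismet's or Scapy's code): the frames are constructed here,
not captured, and the addresses and network names are fictitious.
"""
import struct

# Information element IDs and suite selectors from IEEE 802.11.
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
RSN_OUI = b"\x00\x0f\xac"           # suite selector OUI for 802.11i (RSN)
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1: legacy WPA IE
CAP_PRIVACY = 0x0010                # capability bit set by WEP and WPA/WPA2 APs
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8


def ie(eid, body):
    return struct.pack("<BB", eid, len(body)) + body


def rsn_ie(akm):
    """RSN IE advertising CCMP with one AKM suite: 1 = 802.1X, 2 = PSK."""
    ccmp = RSN_OUI + b"\x04"
    return ie(IE_RSN, struct.pack("<H", 1) + ccmp              # version, group cipher
              + struct.pack("<H", 1) + ccmp                    # one pairwise cipher
              + struct.pack("<H", 1) + RSN_OUI + bytes([akm])  # one AKM suite
              + struct.pack("<H", 0))                          # RSN capabilities


def mgmt_frame(subtype, bssid, ssid, channel, caps, extra=b""):
    """Beacon (8) or probe response (5): header, fixed fields, then IEs.
    DA is broadcast for simplicity; a real probe response targets one client."""
    hdr = (struct.pack("<BBH", subtype << 4, 0, 0)     # FC (type 0 = mgmt), duration
           + b"\xff" * 6 + bssid + bssid + b"\x00\x00")  # DA, SA, BSSID, seq ctrl
    body = struct.pack("<QHH", 0, 100, caps)          # timestamp, interval, caps
    body += ie(IE_SSID, ssid) + ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    return hdr + body + ie(IE_DS_PARAM, bytes([channel])) + extra


def parse_ies(data):
    """Walk the IE list; lengths are attacker-controlled, so never over-read."""
    out = []
    while len(data) >= 2:
        eid, ln = data[0], data[1]
        if 2 + ln > len(data):
            break                                      # truncated or malformed IE
        out.append((eid, data[2:2 + ln]))
        data = data[2 + ln:]
    return out


def rsn_akms(body):
    """Collect AKM suite types from an RSN IE body, tolerating truncation."""
    akms, off = set(), 6                               # skip version + group cipher
    if len(body) < off + 2:
        return akms
    off += 2 + 4 * struct.unpack_from("<H", body, off)[0]  # skip pairwise list
    if len(body) < off + 2:
        return akms
    count, off = struct.unpack_from("<H", body, off)[0], off + 2
    for _ in range(count):
        if len(body) < off + 4:
            break
        if body[off:off + 3] == RSN_OUI:
            akms.add(body[off + 3])
        off += 4
    return akms


def security_label(caps, ies):
    rsn = next((b for e, b in ies if e == IE_RSN), None)
    if rsn is not None:
        akms = rsn_akms(rsn)
        return "WPA2-PSK" if 2 in akms else "WPA2-Enterprise" if 1 in akms else "WPA2"
    if any(e == IE_VENDOR and b.startswith(WPA_OUI_TYPE) for e, b in ies):
        return "WPA"
    return "WEP" if caps & CAP_PRIVACY else "Open"     # privacy bit alone = WEP


def parse_mgmt(frame):
    """What a scanner learns from one beacon or probe response."""
    if len(frame) < 36 or frame[0] & 0x0C != 0:
        raise ValueError("not a complete 802.11 management frame")
    caps = struct.unpack_from("<H", frame, 34)[0]
    ies = parse_ies(frame[36:])
    ssid = next((b for e, b in ies if e == IE_SSID), b"")
    return {
        "subtype": frame[0] >> 4,
        "bssid": frame[16:22].hex(":"),
        # A hidden network beacons with an empty (or all-NUL) SSID element.
        "cloaked": not ssid.strip(b"\x00"),
        "ssid": ssid.decode("utf-8", "replace"),
        "channel": next((b[0] for e, b in ies if e == IE_DS_PARAM and b), None),
        "security": security_label(caps, ies),
    }


def survey(frames):
    """Merge beacons and probe responses per BSSID; probe responses uncloak."""
    nets = {}
    for info in map(parse_mgmt, frames):
        rec = nets.setdefault(info["bssid"], {"essid": None, "cloaked": False})
        rec["channel"], rec["security"] = info["channel"], info["security"]
        if info["subtype"] == SUBTYPE_BEACON:
            rec["cloaked"] = info["cloaked"]
        if not info["cloaked"]:
            rec["essid"] = info["ssid"]
    return nets


# Constructed traffic: a hidden WPA2-Enterprise AP, an open AP and a WEP AP,
# then the hidden AP answering a client's probe and revealing its name.
BSSID_A, BSSID_B, BSSID_C = (bytes.fromhex(f"02000000000{i}") for i in (1, 2, 3))
SAMPLE_FRAMES = [
    mgmt_frame(SUBTYPE_BEACON, BSSID_A, b"", 6, 0x0431, rsn_ie(1)),
    mgmt_frame(SUBTYPE_BEACON, BSSID_B, b"Lobby-Free", 1, 0x0421),
    mgmt_frame(SUBTYPE_BEACON, BSSID_C, b"Warehouse-Scanner", 11, 0x0431),
    mgmt_frame(SUBTYPE_PROBE_RESP, BSSID_A, b"CorpSecure", 6, 0x0431, rsn_ie(1)),
]

if __name__ == "__main__":
    for bssid, rec in survey(SAMPLE_FRAMES).items():
        print(bssid, rec)
```

The same dissector works on frames pulled from a monitor-mode capture once the radiotap header has been stripped, and the builder is the starting point for the kind of fuzzing the Scapy entry hints at: vary the length byte of any element and watch parse_ies refuse to over-read where a naive parser would.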

Great Resources for Staying Current

Associated SANS Courses

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses

-Larry Pesce


Posted December 5, 2013 at 5:58 PM

Andre Gironda

Your great list should include Kismet Wireless Android-Pcap (best on an Android tablet with USB Host and second-best on an Android device with USB OTG hardware support and USB OTG cable) and Farproc WiFi Analyzer.

Posted December 5, 2013 at 7:47 PM

Robin Wood

The Android Wigle app is also quite good for basic war driving around a target.

Posted December 6, 2013 at 12:08 AM

Larry "haxorthematrix" Pesce

Andre, Robin, GREAT suggestions. I have used all three tools that you recommended. I only had so much space and wanted to recommend some tools that would be multi-function and get you the most bang for your buck.
Certainly, don't discount the mobile devices for doing recon.

Posted December 9, 2013 at 8:15 PM


Some fantastic suggestions here. Thank you for sharing the software suggestions, which will definitely come in handy!

Posted December 10, 2013 at 3:42 AM


One of the best resources for wireless pentesting is

Posted December 6, 2015 at 4:56 PM


Excellent post, however I was wondering if you could write a little more on this subject? I'd be very thankful if you could elaborate a little bit more. Appreciate it!

Posted May 26, 2016 at 5:57 PM


Would it be useful to take the AWUS051NH even though it is not good at capturing handshakes?
What would you do? Get the 051NH or the AWUS036NHA?

Posted May 26, 2016 at 8:24 PM

Larry "haxorthematrix" Pesce

I personally don't have issues capturing handshakes with my 051NH. That said, I do have the 036H varieties as well, and use the right tool for the right job. I'd use my 051NH, because I've never encountered issues.

Posted May 30, 2016 at 12:10 AM

driving theory test

Hi colleagues, it's a fantastic post on the topic of tutoring and entirely explained, keep it up all the time.
