In this chapter, we have discussed various ways to gain access to wireless devices. Vulnerabilities in firmware are often overlooked during the course of pentest. Firmware shipped on access points could contain vulnerabilities that may be publicly disclosed at the vendor's site, or on resources like the Common Vulnerabilities and Exposures database. Once the scanning phase is complete, you should have a list of access points and clients in the target network that are in scope for your penetration test. Fingerprinting the wireless devices can tell you the make and model and possibly the exact version of software running on these devices. By performing common web application security checks on the devices, you may be able to discover if any flaws or vulnerabilities are contained in the running device firmware.

We saw that the most popular attacks on the wireless devices include Authentication Bypass, Cross-Site Request Forgery, Command Injection, and Denial of Service. In addition to these attacks, we can try our hand at misconfigured services like Telnet, SSH, SNMP, and other services found on the devices. We also saw how UPnP is another popular protocol used by attackers to manipulate the router into making unauthorized changes to the configuration.

In the next chapter, we will discuss techniques to crack the wireless encryption. In particular, we will discuss WEP, WPA/WPA2 Personal, and Enterprise.