The scanning phase

Scanning is the initial phase of pentesting; the test plan for the entire pentest activity depends on the outcome of the scanning phase. The main objective of this phase is to discover as many of the access points and clients operating in the target environment as possible. To perform scanning, we can use laptops, smartphones, or any other device capable of wireless sniffing. In this chapter, we will use a variety of tools available in the Kali Linux distribution in order to detect wireless networks.

Wireless scanning tools, such as airodump-ng or Kismet, can be used to discover and capture traffic from wireless networks. They work on interfaces placed in monitor mode and hop between channels in the wireless spectrum in order to collect wireless packets. With most tools, the output is displayed on screen or can be stored in a file for later reference. The collected packets can be analyzed manually, or you can generate visual graphs of networks using analysis tools such as airgraph-ng. We can use the output of this phase of the penetration test to eliminate unauthorized access points and clients that are not defined in the scope of the engagement. It will also be used to prioritize the networks and clients that would be ideal targets based on their importance to the organization, their ease of exploitation, or, potentially, the data carried over them.

In the later chapters of this book, we will show you how to use other devices, such as the Raspberry Pi, to accomplish this scanning functionality and conduct other wireless attacks demonstrated in the upcoming chapters.

Although we have already covered the two methods of scanning in brief at the beginning of the chapter, we will now revisit them in depth:

  • Passive scanning
  • Active scanning

Passive scanning

Whenever you turn on the Wi-Fi on your mobile device, it discovers the access points in its range in one of two ways: either by passive scanning or by active scanning. Which one is used depends upon the configuration settings enabled in the client station. In passive scanning, the client station listens for the beacon frames that access points send at regular intervals. The client station listens for SSIDs that are already in its preferred network list; when such an SSID is seen, it tries to initiate a connection to that network. If two or more of these SSIDs are beaconed by nearby access points, the client station will choose the AP with the best signal. In this mode, the client station does not actively probe the target network.

One of the main limitations of passive scanning is that we may not be able to record the presence of non-beaconing APs. As a precautionary measure against wireless scanning activities, network/system administrators will often turn off the beacon feature on APs in an attempt to avoid detection. In this scenario, using only a passive scanning technique, we may not be able to detect the WLAN even though it is within our range. This limitation can be overcome if we are able to detect client traffic and its association with the access points that are not beaconing.

The following figure depicts a scenario where the client is listening for beacons and thus conducting a passive scan:

Passive scanning

Active scanning

Active scanning is very different from passive scanning. With passive scanning, the client station listens for beacon frames from access points; with active scanning, the client station sends probe request frames with the SSID field set to null or to a preferred SSID. Access points within range that hear this request answer with a probe response frame, which contains all the information present in a beacon frame. A non-beaconing AP in the vicinity will still reply to the probe request, revealing its presence; thus, with active scanning, we are typically able to discover more access points than with passive scanning alone. As a countermeasure, some network/system administrators may configure an access point to ignore probe requests with a null SSID in order to avoid disclosing the configured SSIDs. In this scenario, only a client properly configured with a valid SSID will be able to discover the presence of the access point and then connect to the network.

The following diagram represents the request/response nature of a client actively scanning the network:

Active scanning
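To make the difference between the two scanning modes concrete, here is an added Python example (not code from the book) that parses constructed 802.11 management frames and reports, per access point, what a beacon-only passive scan would see versus what an active scan additionally learns from probe responses. It assumes the common case where an AP with a hidden SSID still beacons but with an empty SSID field, and the MAC addresses and network names in the sample capture are made up.

```python
import struct
BEACON, PROBE_REQ, PROBE_RESP = 8, 4, 5   # 802.11 management frame subtypes

def mgmt_frame(subtype, src, ssid):
    """Constructed minimal management frame: 24-byte header, fixed fields
    (beacon/probe response only), then the SSID tagged parameter."""
    hdr = struct.pack('<HH6s6s6sH', subtype << 4, 0, b'\xff' * 6, src, src, 0)
    fixed = b'' if subtype == PROBE_REQ else struct.pack('<QHH', 0, 100, 0x0411)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

def parse_mgmt(frame):
    """Return (subtype, source MAC, ssid) or None for non-management frames."""
    fc = struct.unpack_from('<H', frame, 0)[0]
    if (fc >> 2) & 3 != 0:
        return None
    subtype = (fc >> 4) & 0xF
    src = ':'.join(f'{b:02x}' for b in frame[10:16])
    body = frame[24:]
    if subtype in (BEACON, PROBE_RESP):
        body = body[12:]                    # skip timestamp, interval, capability
    ssid, i = None, 0
    while i + 2 <= len(body):               # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        if tag == 0:
            ssid = body[i + 2:i + 2 + length].decode(errors='replace')
            break
        i += 2 + length
    return subtype, src, ssid

def survey(frames):
    """Per AP: SSID learned, whether it beaconed (seen by a passive scan) and
    whether it answered a probe (the only way a non-beaconing AP shows up)."""
    aps = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] == PROBE_REQ:  # client traffic, not an AP
            continue
        subtype, bssid, ssid = parsed
        ap = aps.setdefault(bssid, {'ssid': '', 'beaconing': False, 'probe_resp': False})
        ap['beaconing' if subtype == BEACON else 'probe_resp'] = True
        if ssid:                            # a hidden AP beacons with an empty SSID
            ap['ssid'] = ssid
    return aps

# constructed capture: a normal AP, a hidden-SSID AP, a non-beaconing AP, a client probe
FRAMES = [mgmt_frame(BEACON, bytes.fromhex('001122334455'), b'CorpWiFi'),
          mgmt_frame(BEACON, bytes.fromhex('66778899aabb'), b''),
          mgmt_frame(PROBE_REQ, bytes.fromhex('0a0b0c0d0e0f'), b''),
          mgmt_frame(PROBE_RESP, bytes.fromhex('66778899aabb'), b'HiddenNet'),
          mgmt_frame(PROBE_RESP, bytes.fromhex('ccddeeff0011'), b'GuestNet')]
```

Running `survey(FRAMES)` shows the hidden AP with its name recovered only from the probe response, and the third AP absent from any beacon-only view, which is exactly the gap an authorized active scan closes when building a complete inventory of access points in scope.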