Wireless Penetration Testing Checklist – A Detailed Cheat Sheet


A wireless network penetration test actively examines the information security measures of a WiFi network and analyses its vulnerabilities, technical procedures and critical weaknesses.

The main countermeasures should focus on threat analysis, detection of data theft, security checks, risk prevention and detection, management of information systems, improvement of the infrastructure and detailed reporting.


Structure of the wireless penetration test

1. Discover the devices connected to the wireless networks.

2. Document all findings as soon as a wireless device is found.

3. If a wireless device is found on the Wi-Fi network, perform the common Wi-Fi attacks and check whether the device uses WEP encryption.

4. If you find a WLAN with WEP encryption, perform the WEP pentest.

5. Check whether the WLAN uses WPA/WPA2 encryption. If so, perform the WPA/WPA2 pentest.

6. Check whether the WLAN uses LEAP encryption. If so, perform the LEAP pentest.

7. If none of the encryption methods mentioned above is used, check whether the WLAN is unencrypted (plain text).

8. If the Wi-Fi is unencrypted, perform the common Wi-Fi attacks, check for the vulnerabilities of an unencrypted network and generate a report.

9. Before drawing up the report, make sure that no damage has been done to the devices under test during the penetration test.
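Steps 2 to 8 are a decision tree over the encryption each discovered network uses. The following added example (not part of the original post) walks that tree over a constructed survey; the record layout is assumed to resemble an airodump-ng listing, and the severities are the editor's.

```python
"""Triage of a wireless survey along the checklist above.
Added example, not part of the original post. It maps each discovered
network (record layout assumed, sample records constructed) onto the
checklist branch and severity a tester documents before testing.
"""
from typing import Dict, List

# Constructed sample survey, loosely shaped like an airodump-ng listing.
SAMPLE_SURVEY: List[Dict] = [
    {"bssid": "00:11:22:33:44:01", "essid": "CorpGuest", "privacy": "OPN", "stations": 3},
    {"bssid": "00:11:22:33:44:02", "essid": "LegacyScanner", "privacy": "WEP", "stations": 0},
    {"bssid": "00:11:22:33:44:03", "essid": "", "privacy": "WPA2 CCMP PSK", "stations": 5},
    {"bssid": "00:11:22:33:44:04", "essid": "CorpVoice", "privacy": "WPA2 CCMP MGT", "stations": 12},
    {"bssid": "00:11:22:33:44:05", "essid": "Printers", "privacy": "WPA TKIP PSK", "stations": 1},
]

def classify(privacy: str) -> tuple:
    """Return (checklist branch, severity) for an airodump-style privacy string."""
    tokens = privacy.upper().split()
    if "WEP" in tokens:
        return "WEP pentest", "critical"                    # step 4: WEP is broken
    if "OPN" in tokens or not tokens:
        return "unencrypted pentest", "high"                # steps 7-8: plain text
    if "MGT" in tokens:
        return "802.1X: verify EAP type (LEAP pentest if LEAP)", "medium"  # step 6
    if "WPA" in tokens or "WPA2" in tokens:
        sev = "medium" if "TKIP" in tokens else "low"       # TKIP is deprecated
        return "WPA/WPA2 pentest", sev                      # step 5
    return "unknown encryption: inspect manually", "medium"

def triage(network: Dict) -> Dict:
    """Document one network (step 2) and pick the branch to follow (steps 3-8)."""
    branch, severity = classify(network["privacy"])
    notes = []
    if not network["essid"]:
        notes.append("hidden SSID: not a security control, recoverable from client traffic")
    if network["stations"] == 0:
        notes.append("no clients seen: client-dependent checks not possible now")
    return {"bssid": network["bssid"], "branch": branch, "severity": severity, "notes": notes}

def triage_survey(survey: List[Dict]) -> List[Dict]:
    """Triage a whole survey, most severe findings first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted((triage(n) for n in survey), key=lambda r: order[r["severity"]])

if __name__ == "__main__":
    for row in triage_survey(SAMPLE_SURVEY):
        print(row["severity"].ljust(8), row["bssid"], row["branch"], "; ".join(row["notes"]))
```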


Wireless Penetration Testing with WEP Encrypted WLAN

1. Check the SSID and analyse whether the SSID is visible or hidden.

2. Check which networks use WEP encryption.

3. If the SSID is visible, try sniffing the traffic and check the packet capture status.

4. Once the packets have been captured successfully, retrieve the WEP key with a WiFi cracking tool such as Aircrack-ng or WEPcrack.

5. If the packets were not captured successfully, sniff the traffic again and capture the packets.

6. If the SSID is hidden, deauthenticate the target client with deauthentication tools such as CommView or Aireplay-ng.

7. Once the client has been deauthenticated and the SSID has been discovered, follow the procedure above for the visible SSID.

8. Check whether the authentication method used is OPN (Open Authentication) or SKA (Shared Key Authentication). If SKA is used, a bypass mechanism must be performed.

9. Check whether STAs (stations / clients) are connected to the access point (AP) or not. This information is needed to carry out the corresponding attack.

10. If clients are connected to the access point, perform an interactive packet replay attack or an ARP replay attack to collect IV packets, which can then be used to crack the WEP key.

11. If no client is connected to the access point, perform a fragmentation attack or a KoreK chop-chop attack to generate a keystream, which is then used to reply to ARP packets.

12. Once the WEP key has been cracked, try connecting to the network with wpa_supplicant and check whether the access point assigns an IP address or not.


Wireless Penetration Testing with WPA/WPA2 Encrypted WLAN

1. Deauthenticate the WPA/WPA2 protected WLAN client with WLAN tools such as Hotspotter, Airsnarf, Karma, etc.

2. If the client is deauthenticated, sniff the traffic and check the status of the captured EAPOL handshake.

3. If the client is not deauthenticated, do it again.

4. Check whether the EAPOL handshake has been captured or not.

5. Once the EAPOL handshake has been captured, perform a PSK dictionary attack with coWPAtty or Aircrack-ng to obtain confidential information.

6. Use rainbow tables, also known as a WPA-PSK precomputation attack, to crack the WPA/WPA2 passphrase. genpmk can be used to generate the pre-computed hashes.

7. If this does not succeed, deauthenticate again, capture again and repeat the steps above.
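Every "deauthenticate the client" step in the WEP, WPA/WPA2 and LEAP procedures leaves the same footprint on the defender's side: a burst of 802.11 deauthentication frames against one BSSID. The following added example (not part of the original post) detects such bursts in a management-frame log; the log format and all sample lines are constructed.

```python
"""Deauthentication-burst detector for an 802.11 management-frame log.
Added example, not part of the original post: each 'deauthenticate the
client' step above shows up on the defender's side as a burst of
deauthentication frames against one BSSID. Log format is constructed.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed frame log: "<seconds> <subtype> <bssid> <destination>".
SAMPLE_LOG = """
0.00 beacon 00:11:22:33:44:03 ff:ff:ff:ff:ff:ff
1.02 deauth 00:11:22:33:44:03 aa:bb:cc:dd:ee:01
1.03 deauth 00:11:22:33:44:03 aa:bb:cc:dd:ee:01
1.04 deauth 00:11:22:33:44:03 aa:bb:cc:dd:ee:01
1.05 deauth 00:11:22:33:44:03 ff:ff:ff:ff:ff:ff
1.06 deauth 00:11:22:33:44:03 aa:bb:cc:dd:ee:02
1.07 deauth 00:11:22:33:44:03 aa:bb:cc:dd:ee:01
9.50 deauth 00:11:22:33:44:04 aa:bb:cc:dd:ee:09
30.0 data   00:11:22:33:44:03 aa:bb:cc:dd:ee:01
"""

THRESHOLD = 5   # this many deauth frames for one BSSID ...
WINDOW = 2.0    # ... within this many seconds raises an alert

def parse_log(text: str) -> List[Tuple[float, str, str, str]]:
    """Parse the log into (time, subtype, bssid, destination) tuples."""
    frames = []
    for line in text.strip().splitlines():
        ts, subtype, bssid, dst = line.split()
        frames.append((float(ts), subtype, bssid.lower(), dst.lower()))
    return frames

def detect_deauth_bursts(frames, threshold=THRESHOLD, window=WINDOW) -> List[Dict]:
    """Sliding-window count of deauth frames per BSSID, one alert per BSSID."""
    recent = defaultdict(deque)       # bssid -> (time, destination) inside the window
    alerts, alerted = [], set()
    for ts, subtype, bssid, dst in frames:
        if subtype != "deauth":       # beacons, data frames etc. are not counted
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "start": q[0][0], "count": len(q),
                           "targets": sorted({d for _, d in q})})
    return alerts
```

A single deauthentication now and then is normal AP behaviour; the burst in the sample log is the pattern that precedes the handshake-capture steps above. Enabling 802.11w (Protected Management Frames) makes the access point and its clients discard forged deauthentication frames, which is the corresponding mitigation.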


Wireless Penetration Testing with LEAP Encrypted WLAN

1. Check and confirm whether the WLAN is LEAP encrypted or not.

2. Deauthenticate a LEAP protected client with tools such as Karma, Hotspotter, etc.

3. Once the client is deauthenticated, break the LEAP encryption with a tool such as asleap to steal sensitive information.

4. Once the process is complete, the client may not re-authenticate.

Penetration testing of unencrypted wireless local area networks

1. Check whether the SSID is visible or hidden.

2. If the SSID is visible, check the status of the MAC filter.

3. If MAC filtering is enabled, spoof the MAC address with tools such as SMAC.

4. Try to connect to the access point using an IP address in the discovered range.

5. If the SSID is hidden, uncover the SSID with Aircrack-ng and follow the procedure described above for the visible SSID.
