The first step is to retrieve the keys for any vulnerable networks identified. If networks with WEP exist, perform the WEP-cracking methods explained in Chapter 4, WLAN Encryption Flaws. If WPA2-secured systems are present, you have two choices. If aiming to be stealthy, arrive on-site at times when individuals are likely to be authenticating or re-authenticating. These times are likely to be:

At this time, set up your WPA key retrieval setup as shown in Chapter 4, WLAN Encryption Flaws. Alternatively, perform the deauthentication attack, as shown in Chapter 6, Attacking the Client.

This is noisier and more likely to be detected in a mature organization.

If WPA-Enterprise is in place, bear in mind you will have to use the information gathered from the reconnaissance to target the correct network and set up your dummy Enterprise setup as shown in the Attacking PEAP section in Chapter 8, Attacking WPA-Enterprise and RADIUS.

You can attempt to break all passphrases but bear in mind that some will be unbreakable. Following the performance of the test, check with the wireless administrator for the passphrase in use. Check to see whether it is a secure passphrase and that you, as a tester, did not experience a tool failure or were merely unlucky.

If network access is gained through cracking the encryption, perform a standard network penetration test if allowed in scope. The following should be performed as a minimum:

After enumerating and testing all wireless systems, there are various types of engagements that would suit performing attacks against clients.

If necessary, after establishing which clients are vulnerable to Karma attacks, create a Honeypot to force them to connect with the methods laid out in the Attacking PEAP section in Chapter 8, Attacking WPA-Enterprise and RADIUS. There are various useful pieces of information that can be gathered through this method, but ensure that the collected data serves a purpose and is stored, transmitted, and used in an ethical and safe manner.