ClaudeWave
Skill, 2.3k repo stars, updated 1mo ago

offensive-wifi-recon

This Claude Code skill provides a structured methodology for passive Wi-Fi reconnaissance across 2.4 GHz, 5 GHz, and 6 GHz bands, covering adapter selection and compatibility, monitor mode setup with injection verification, regulatory domain configuration, airspace mapping, hidden network discovery, and access point fingerprinting including encryption and client analysis. Use this at the beginning of authorized wireless security assessments to build a comprehensive target inventory before executing active attacks.

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-wifi-recon && cp -r /tmp/offensive-wifi-recon/Skills/wireless/offensive-wifi-recon ~/.claude/skills/offensive-wifi-recon
```
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Wi-Fi Reconnaissance

The first phase of any wireless engagement. Build a complete picture of the airspace before you deauth, evil-twin, or capture handshakes — every later attack depends on knowing the right BSSID, channel, encryption, and client population.

## Quick Workflow

1. Pick the right adapter for the target's band(s) and PHY
2. Verify monitor mode + injection actually work
3. Set the regulatory domain (legal channels and TX power)
4. Sweep all bands passively
5. Drill down on each in-scope BSSID for client population and PMF status
6. Record everything in a structured target list before any active attack

---

## Adapter Selection

| Chipset | Strengths | Notes |
|---------|-----------|-------|
| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only |
| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au |
| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | In-tree driver on modern kernels |
| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required |
| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |

```bash
# Identify your radio
lsusb | grep -iE "(atheros|realtek|mediatek|alfa)"
iw dev
iw list | grep -A 8 "Supported interface modes"
iw list | grep -E "Frequencies:" -A 30
```

## Monitor Mode Setup

```bash
# Kill conflicting services
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Or manually
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

# Verify monitor mode + injection
sudo aireplay-ng --test wlan0mon
```

The injection test should report 30/30 ack rates against nearby APs. Lower scores indicate driver, antenna, or position issues.

## Regulatory Domain

```bash
# Check current
iw reg get

# Set explicitly (US = United States, JP = Japan with its extended channel set, etc.)
sudo iw reg set US
```

Setting the right regdomain unlocks legitimate channels (US: 1–11 on 2.4, 36–165 on 5; JP adds 12–13 + 184+ DFS) and TX power. **Operate within the regdomain you're authorized to use.**

## Passive Multi-Band Sweep

```bash
# All bands
sudo airodump-ng wlan0mon --band abg

# 5 GHz only (helps see UNII bands)
sudo airodump-ng wlan0mon --band a

# 6 GHz (requires 6E-capable adapter and updated airodump-ng)
sudo airodump-ng wlan0mon --band ax

# Hop only specific channels
sudo airodump-ng wlan0mon -c 1,6,11,36,40,44,48
```

Capture to file for later analysis:

```bash
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv
```

## Targeted Capture

Once you've identified an in-scope BSSID:

```bash
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon
```

Pin to the channel — channel-hopping during a focused capture loses frames.

## Hidden SSIDs

Hidden APs broadcast beacons with empty ESSID. The name leaks during client probes (active scan) or association requests:

```bash
# Wait for legitimate client to associate, ESSID appears in airodump output
# Or, if a client is already associated, deauth them once to force reassociation:
sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
```

(Only deauth with explicit authorization — see `offensive-deauth-disassoc`.)

## Kismet for War-Driving

```bash
sudo kismet -c wlan0mon
# Open http://localhost:2501 for the dashboard (plain HTTP unless you configured TLS)
```

Kismet handles GPS integration, plots APs to a map, fingerprints by IE order, identifies probable IoT vendors from OUI prefixes, and tags known-vulnerable models.

For long-running captures, pass `--no-ncurses` and run headless under `tmux`.

## Wigle Submission

If the engagement permits:

```bash
# Export Kismet's .kismet → CSV → Wigle import format
kismetdb_dump_devices --in capture.kismet --out devices.csv
```

(Wigle aggregates wireless network observations geographically — useful for mapping but check ROE.)

## Vendor / OUI Identification

```bash
# Quick OUI lookup: match the first three octets against Wireshark's manufacturer database
grep -i "^AA:BB:CC" /usr/share/wireshark/manuf
# Or check each BSSID prefix from the airodump CSV the same way
```

Vendor identification informs:
- Likely default credentials (router brand → known defaults)
- Known firmware bugs (CVE per chipset)
- Whether WPS is likely vulnerable (Pixie Dust per chipset)
- Whether KRACK / FragAttacks patches are likely applied (vendor patch cadence)

## Data to Record per Target

| Field | Why |
|-------|-----|
| BSSID | Required for every active attack |
| ESSID | Match against PNL probes; client probe correlation |
| Channel + width | Pin radio for capture |
| Band | Adapter selection |
| Encryption | WPA2-PSK / WPA2-Enterprise / WPA3-SAE / Open / WEP |
| PMF (Protected Management Frames) | Whether deauth works |
| RSSI | Position planning |
| Beacon interval / TIM | Anomaly detection vs. evil-twin defenders |
| Vendor (OUI) | Likely default creds, known bugs |
| Client list (MACs + RSSI) | Targets for deauth/relay |
| WPS enabled? | Pixie Dust candidate |

## Detection Considerations

A defender's WIDS sees:
- New device entering the airspace (probe requests reveal even before association)
- Channel hopping patterns of monitor-mode interfaces
- Non-standard probe behavior (KARMA-style universal responses, see `offensive-evil-twin`)

Pure passive recon (no probes from your radio) is invisible to most WIDS deployments. Stay passive until you're committed to the active phase.
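The following is an added example, not part of the skill or of the aircrack-ng project: it parses the CSV that `airodump-ng --write` produces into the per-target inventory fields listed in the table above, and separately lists the pre-association probe activity a WIDS would see. `SAMPLE_CSV` and `OUI_TABLE` are constructed sample data; the real OUI source is `/usr/share/wireshark/manuf` as noted earlier.

```python
# Added example, not part of the skill: turn an airodump-ng --write CSV into the
# target inventory above plus the pre-association probes a WIDS would see.
# SAMPLE_CSV and OUI_TABLE are constructed sample data, not real captures.
import csv
import io

# Constructed OUI table with hypothetical vendors (real source: /usr/share/wireshark/manuf).
OUI_TABLE = {"AA:BB:CC": "ExampleRouterCo", "DE:AD:BE": "ExampleIoT"}
# Constructed airodump-ng CSV: AP section, blank line, then station section.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,      120,        0,   0.  0.  0.  0,   7, CorpNet, 
DE:AD:BE:EF:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, WPA3, CCMP, SAE, -70,       30,        0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -60,       40, AA:BB:CC:DD:EE:FF, CorpNet
77:88:99:AA:BB:CC, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -80,        5, (not associated), GuestWifi,CorpNet
"""

def vendor(mac: str) -> str:
    """Map the OUI (first three octets) to a vendor name, or 'unknown'."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")

def parse_airodump_csv(text: str):
    """Return (aps, stations). Empty ESSID is marked <hidden>; band is inferred
    from the channel number (6 GHz reuses low numbers, so confirm in the pcap)."""
    aps, stations, section = {}, [], "ap"
    for row in csv.reader(io.StringIO(text)):
        row = [c.strip() for c in row]
        if not row or not row[0]:
            continue  # blank separator line between sections
        if row[0] in ("BSSID", "Station MAC"):  # section header lines
            section = "ap" if row[0] == "BSSID" else "sta"
            continue
        if section == "ap" and len(row) >= 14:
            ch = int(row[3])
            aps[row[0]] = {"essid": row[13] or "<hidden>", "channel": ch, "rssi": int(row[8]),
                           "band": "2.4GHz" if ch <= 14 else "5GHz", "vendor": vendor(row[0]),
                           "encryption": f"{row[5]}/{row[6]}/{row[7]}", "clients": []}
        elif section == "sta" and len(row) >= 6:
            # Probed ESSIDs are comma-separated, so they spill into row[6:].
            st = {"mac": row[0], "rssi": int(row[3]), "bssid": row[5], "probes": [p for p in row[6:] if p]}
            stations.append(st)
            if st["bssid"] in aps:  # station rows follow the AP rows in the file
                aps[st["bssid"]]["clients"].append({"mac": st["mac"], "rssi": st["rssi"]})
    return aps, stations

def probing_for(stations: list, essid: str) -> list:
    """WIDS view: unassociated stations already probing for an in-scope ESSID."""
    return [s["mac"] for s in stations if s["bssid"] == "(not associated)" and essid in s["probes"]]
```

Point `parse_airodump_csv` at the contents of `recon-01.csv` from the sweep step to get the same structure for a real capture; PMF and WPS status are not in the CSV and still need the pcap or a targeted capture.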

## Engagement Cheatsheet

```bash
# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US
sudo aireplay-ng --test wlan0mon          # confirm injection (skip if pure passive)

# 2. Sweep all bands, write to file
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv

# 3. Kismet for sustained map (optional)
sudo kismet -c wlan0mon --no-ncurses --daemonize

# 4. Per BSSID drill-down
sudo airodump-ng -c <ch> --bssid <BSSID> -w <name> wlan0mon

# 5. Build target list with all fields above
```

---

## Key References

- IEEE 802.11-2020 (combined spec)
- ai