‹ 首页

offensive-wifi-recon

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each.

适合你,如果需要在无线安全评估前系统化收集目标网络信息

/ 下载安装
offensive-wifi-recon.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-wifi-recon
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-wifi-recon
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-wifi-recon
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~1.5K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

装上后,Claude 会指导你完成 Wi-Fi 侦察:选择适配器、开启监听模式、扫描 2.4/5/6 GHz 频段、发现隐藏 SSID、识别客户端和加密方式,并记录目标信息用于后续攻击。

什么时候触发

在无线渗透测试开始时,需要构建目标网络地图时触发。

装好后可以这样说
Claude 会给出 airodump-ng 扫描命令。
Claude 会解释通过客户端探针或去认证获取。
Claude 会给出 iw 和 lsusb 命令。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Wi-Fi Reconnaissance

The first phase of any wireless engagement. Build a complete picture of the airspace before you deauth, evil-twin, or capture handshakes — every later attack depends on knowing the right BSSID, channel, encryption, and client population.

Quick Workflow
  1. Pick the right adapter for the target's band(s) and PHY
  2. Verify monitor mode + injection actually work
  3. Set the regulatory domain (legal channels and TX power)
  4. Sweep all bands passively
  5. Drill down on each in-scope BSSID for client population and PMF status
  6. Record everything in a structured target list before any active attack

Adapter Selection

| Chipset | Strengths | Notes | |---------|-----------|-------| | Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only | | Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au | | MediaTek MT7612U (AWUS036ACM) | Stable dual-band | In-tree driver on modern kernels | | MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required | | AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |

# Identify your radio
lsusb | grep -iE "(atheros|realtek|mediatek|alfa)"
iw dev
iw list | grep -A 8 "Supported interface modes"
iw list | grep -E "Frequencies:" -A 30
Monitor Mode Setup
# Kill conflicting services
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Or manually
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

# Verify monitor mode + injection
sudo aireplay-ng --test wlan0mon

The injection test should report 30/30 ack rates against nearby APs. Lower scores indicate driver, antenna, or position issues.

Regulatory Domain
# Check current
iw reg get

# Set explicitly (us = United States, jp = Japan extended, etc.)
sudo iw reg set US

Setting the right regdomain unlocks legitimate channels (US: 1–11 on 2.4, 36–165 on 5; JP adds 12–13 + 184+ DFS) and TX power. Operate within the regdomain you're authorized to use.

Passive Multi-Band Sweep
# All bands
sudo airodump-ng wlan0mon --band abg

# 5 GHz only (helps see UNII bands)
sudo airodump-ng wlan0mon --band a

# 6 GHz (requires 6E-capable adapter and updated airodump-ng)
sudo airodump-ng wlan0mon --band ax

# Hop only specific channels
sudo airodump-ng wlan0mon -c 1,6,11,36,40,44,48

Capture to file for later analysis:

sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv
Targeted Capture

Once you've identified an in-scope BSSID:

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon

Pin to the channel — channel-hopping during a focused capture loses frames.

Hidden SSIDs

Hidden APs broadcast beacons with empty ESSID. The name leaks during client probes (active scan) or association requests:

# Wait for legitimate client to associate, ESSID appears in airodump output
# Or, if a client is already associated, deauth them once to force reassociation:
sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

(Only deauth with explicit authorization — see offensive-deauth-disassoc.)

Kismet for War-Driving
sudo kismet -c wlan0mon
# Open https://localhost:2501 for the dashboard

Kismet handles GPS integration, plots APs to a map, fingerprints by IE order, identifies probable IoT vendors from OUI prefixes, and tags known-vulnerable models.

For long-running captures, drop --no-ncurses and run headless under tmux.

Wigle Submission

If the engagement permits:

# Export Kismet's .kismet → CSV → Wigle import format
kismetdb_dump_devices --in capture.kismet --out devices.csv

(Wigle aggregates wireless network observations geographically — useful for mapping but check ROE.)

Vendor / OUI Identification
# Quick OUI lookup
echo "AA:BB:CC" | wireshark-tools/manuf-lookup
# Or check the airodump CSV's BSSID prefix against /usr/share/wireshark/manuf

Vendor identification informs:

  • Likely default credentials (router brand → known defaults)
  • Known firmware bugs (CVE per chipset)
  • Whether WPS is likely vulnerable (Pixie Dust per chipset)
  • Whether KRACK / FragAttacks patches are likely applied (vendor patch cadence)
Data to Record per Target

| Field | Why | |-------|-----| | BSSID | Required for every active attack | | ESSID | Match against PNL probes; client probe correlation | | Channel + width | Pin radio for capture | | Band | Adapter selection | | Encryption | WPA2-PSK / WPA2-Enterprise / WPA3-SAE / Open / WEP | | PMF (Protected Management Frames) | Whether deauth works | | RSSI | Position planning | | Beacon interval / TIM | Anomaly detection vs. evil-twin defenders | | Vendor (OUI) | Likely default creds, known bugs | | Client list (MACs + RSSI) | Targets for deauth/relay | | WPS enabled? | Pixie Dust candidate |

Detection Considerations

A defender's WIDS sees:

  • New device entering the airspace (probe requests reveal even before association)
  • Channel hopping patterns of monitor-mode interfaces
  • Non-standard probe behavior (KARMA-style universal responses, see offensive-evil-twin)

Pure passive recon (no probes from your radio) is invisible to most WIDS deployments. Stay passive until you're committed to the active phase.

Engagement Cheatsheet
# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US
sudo aireplay-ng --test wlan0mon          # confirm injection (skip if pure passive)

# 2. Sweep all bands, write to file
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv

# 3. Kismet for sustained map (optional)
sudo kismet -c wlan0mon --no-ncurses --daemonize

# 4. Per BSSID drill-down
sudo airodump-ng -c <ch> --bssid <BSSID> -w <name> wlan0mon

# 5. Build target list with all fields above

Key References
  • IEEE 802.11-2020 (combined spec)
  • aircrack-ng documentation: aircrack-ng.org
  • Kismet documentation: kismetwireless.net
  • WIGLE: wigle.net (read the API ToS before automated submissions)
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。