Wireless Penetration Tips

A list for all things wireless that you may find useful while assessing a real-world Wi-Fi Enterprise Network. How-to: Evil Twin, KARMA, MANA, EAP-GTC Downgrade, passively perform wireless recon, capture WPA2 handshakes (WPA2 full, half, PMKID), and test guest networks for known misconfigurations.

Overview

I've tried to consolidate information from a variety of sources to assist penetration testing during a wireless assessment. This list includes plausible tactics, techniques, and procedures (TTPs). I've decided to publish these in an easy-to-read and hopefully digestible blog fashion. Some of the items below will be updated occasionally with new attack vectors.

  1. Find a device, tool, software or environment that is reliable for RF testing. There are so many tools, wrappers and hardware to choose from.

----
EAP-GTC Downgrade (hostapd eap_user syntax: a PEAP phase-1 line followed by a GTC phase-2 line)
* PEAP [ver=1]
"t" GTC "t" [2]
----

Troubleshooting Monitor Mode
# rfkill unblock all
# airmon-ng check kill

Injection Test
# aireplay-ng -i wlan0mon -9 -D

Test Frequency Band and Capture Ability
# airodump-ng wlan1 --band ag -M -U --wps --beacons -w captureallthewireless

Power Related (iw expects the value in mBm, so 30 dBm is written as 3000; iwconfig takes dBm)
# iw dev wlan0mon set txpower fixed 3000
# iwconfig wlan0mon txpower 30
# bccmd psget 0x0017

Channel Related
# iwconfig wlan1 channel 149

Driver Related
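As an added example (not part of the original post or of the aircrack-ng project): the capture command above writes an airodump-ng CSV beside the pcap, and this script parses the AP table of such a file and flags ESSIDs that are open or that are advertised by BSSIDs with mismatched security settings, the pattern a defender looks for when hunting Evil Twins and guest-network misconfigurations. The CSV content is constructed; the column names follow airodump-ng's AP table header.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the airodump-ng CSV layout (AP table, then a blank
# line, then the station table); addresses and names are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -40,  120,  0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 130, WPA2, CCMP, MGT, -55,   98,  0,   0.  0.  0.  0,  8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  6,  54, OPN,     ,    , -35,   40,  0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN,     ,    , -60,  110,  0,   0.  0.  0.  0,  5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return the AP table (everything before the first blank line) as dicts."""
    ap_table = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [{k: v.strip() for k, v in zip(header, row)}
            for row in reader if len(row) >= len(header)]


def find_ssid_anomalies(rows):
    """Flag open ESSIDs and ESSIDs whose BSSIDs disagree on security.
    Several BSSIDs per ESSID is normal in an enterprise WLAN; one of them
    advertising the corporate name as OPN (or with a different auth type)
    is the rogue-AP / Evil Twin indicator worth investigating."""
    by_essid = defaultdict(list)
    for r in rows:
        if r["ESSID"]:
            by_essid[r["ESSID"]].append(r)
    findings = []
    for essid, aps in sorted(by_essid.items()):
        for a in aps:
            if a["Privacy"] == "OPN":
                findings.append((essid, a["BSSID"], "open network"))
        profiles = {(a["Privacy"], a["Authentication"]) for a in aps}
        if len(profiles) > 1:
            bssids = ",".join(sorted(a["BSSID"] for a in aps))
            findings.append((essid, bssids, "security mismatch across BSSIDs"))
    return findings


if __name__ == "__main__":
    for essid, bssid, note in find_ssid_anomalies(parse_access_points(SAMPLE_CSV)):
        print(f"{essid:<10} {bssid:<55} {note}")
```

Run it against the real `captureallthewireless-01.csv` by passing the file contents to `parse_access_points` instead of the sample.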

Adam is an offensive security engineer and red team operator with over 20 years of experience in IT.