Wireless and 802.1X Assessment
#Preparation
Confirm that the rules of engagement identify authorized SSIDs, BSSIDs, physical areas, test windows, and whether authentication testing is allowed. Passive observations can still collect identifiers from nearby out-of-scope networks, so filter and retain only approved evidence.
#Adapter Setup
iw dev
sudo airmon-ng check
sudo airmon-ng start wlan0
iw dev wlan0mon info
`airmon-ng check kill` stops NetworkManager, wpa_supplicant and related networking services, so do not run it on a shared operator host without approval.
#Paste-Ready Passive Survey
Save as wireless-survey.sh.
#!/usr/bin/env bash
set -Eeuo pipefail
umask 077
export LC_ALL=C   # consistent ordering for sort and comm

[[ $# -eq 2 ]] || { echo "Usage: sudo -E $0 <monitor-interface> <approved-bssids.txt>"; exit 1; }
IFACE="$1"
BSSIDS="$(realpath "$2")"
[[ -s "$BSSIDS" ]] || { echo "Approved BSSID file is empty"; exit 1; }
[[ -n "${ENGAGEMENT_ROOT:-}" && -n "${RAW_DIR:-}" ]] || { echo "Load engagement.env (ENGAGEMENT_ROOT, RAW_DIR) before sudo with -E"; exit 1; }
command -v airodump-ng >/dev/null 2>&1 || { echo "Missing dependency: airodump-ng"; exit 1; }

OUT="$RAW_DIR/wireless-$(date -u +%Y%m%dT%H%M%SZ)"
mkdir -p "$OUT"

echo "Capturing passively for ${CAPTURE_SECONDS:-300} seconds."
echo "Stop early with Ctrl+C. No deauthentication frames are transmitted."
# timeout ends the capture with SIGTERM; airodump-ng then exits non-zero, so ignore its status.
timeout "${CAPTURE_SECONDS:-300}" \
  airodump-ng "$IFACE" --write "$OUT/survey" --output-format pcap,csv,netxml || true

# The AP section of the airodump-ng CSV ends at the "Station MAC" header;
# stop there so client station MACs are not recorded as BSSIDs.
awk -F, '/^Station MAC/{exit} NR>2 && $1 ~ /:/{gsub(/ /,"",$1); print toupper($1)}' "$OUT/survey-01.csv" \
  | sort -u > "$OUT/observed-bssids.txt"
tr '[:lower:]' '[:upper:]' < "$BSSIDS" | sed '/^[[:space:]]*$/d' | sort -u \
  > "$OUT/approved-bssids.txt"
comm -12 "$OUT/approved-bssids.txt" "$OUT/observed-bssids.txt" \
  > "$OUT/in-scope-observed-bssids.txt"

# Optional beacon and EAP/EAPOL summary for the 802.1X review below.
if command -v tshark >/dev/null 2>&1; then
  tshark -r "$OUT/survey-01.cap" \
    -Y 'wlan.fc.type_subtype == 0x08 || eapol || eap' \
    -T fields -e frame.time -e wlan.bssid -e wlan.ssid -e eap.type \
    > "$OUT/beacons-eap-summary.tsv" 2>/dev/null || true
fi

echo "Review only approved BSSIDs listed in:"
echo "  $OUT/in-scope-observed-bssids.txt"
#WPA/WPA2 Evidence Audit
Passively captured EAPOL or PMKID material may be converted for an offline password-policy audit only when the engagement authorizes it.
hcxpcapngtool -o authorized.22000 survey-01.cap
# Test only an approved candidate list or organization-provided policy corpus.
hashcat -m 22000 authorized.22000 approved-candidates.txt \
--session authorized-wireless-audit --status
Do not capture additional handshakes by disconnecting clients. A missing handshake is a result, not permission to transmit disruption frames.
#WPS Review
# Passive WPS advertisement inventory. Survey mode (-u) only listens;
# scan mode (-s) transmits probe requests and is not passive.
sudo wash -i wlan0mon -C -u
Record whether WPS is advertised and locked. Do not run PIN attacks unless the rules of engagement explicitly authorize a controlled test against a named BSSID.
#Enterprise 802.1X and EAP Inventory
Use beacon and association traffic to identify EAP capabilities without standing up an imitation access point.
tshark -r survey-01.cap -Y 'eap' \
-T fields -e wlan.bssid -e wlan.sa -e eap.code -e eap.type \
| sort -u
tshark -r survey-01.cap -Y 'eapol' \
-T fields -e frame.time -e wlan.bssid -e wlan.sa -e wlan.da -e eapol.type
Review:
- EAP methods observed, such as EAP-TLS, PEAP, EAP-TTLS, or EAP-FAST.
- Server certificate validation requirements supplied by the organization.
- Client configuration profiles for trusted roots, expected server names, and prohibited fallback methods.
- Whether certificate-based authentication and device compliance are enforced.
- SSID-to-VLAN segmentation and guest isolation through approved association tests.
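The review items above start from the raw `eap.code`/`eap.type` fields that the tshark command prints. The following script is an added example, not part of the original page: it turns those lines into a per-BSSID list of negotiated EAP methods and flags any method outside the organization's allowed set. The field order assumed is the one used by the tshark command above (wlan.bssid, wlan.sa, eap.code, eap.type); the sample frames and the allowed set "EAP-TLS" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise which EAP methods each
# BSSID negotiated, from tshark "-T fields -e wlan.bssid -e wlan.sa -e eap.code -e eap.type"
# output, and compare them with the client profile's allowed methods.
set -eu

TAB="$(printf '\t')"

# IANA EAP method type number -> name; unknown numbers are kept as "type-N".
eap_type_name() {
  case "$1" in
    1)  echo "Identity" ;;
    3)  echo "Nak" ;;
    4)  echo "MD5-Challenge" ;;
    13) echo "EAP-TLS" ;;
    21) echo "EAP-TTLS" ;;
    25) echo "PEAP" ;;
    26) echo "EAP-MSCHAPv2" ;;
    43) echo "EAP-FAST" ;;
    *)  echo "type-$1" ;;
  esac
}

# stdin:  bssid<TAB>station<TAB>eap.code<TAB>eap.type, one line per EAP frame
# stdout: bssid<TAB>method, one line per distinct (BSSID, method) pair, first-seen order.
# Only Request (code 1) and Response (code 2) frames carry a method type, and
# Identity (1) and Nak (3) are negotiation steps, not authentication methods.
summarize_eap() {
  awk -F "$TAB" '
    ($3 == "1" || $3 == "2") && $4 != "" && $4 != "1" && $4 != "3" {
      key = toupper($1) "\t" $4
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    END { for (i = 1; i <= n; i++) print order[i] }
  ' | while IFS="$TAB" read -r bssid type; do
    printf '%s\t%s\n' "$bssid" "$(eap_type_name "$type")"
  done
}

# stdin: bssid<TAB>method lines from summarize_eap.
# $1:    space-separated allowed methods taken from the organisation's client profile.
# stdout: one FLAG line per (BSSID, method) outside the allowed set.
check_eap_policy() {
  allowed=" $1 "
  while IFS="$TAB" read -r bssid method; do
    case "$allowed" in
      *" $method "*) ;;
      *) printf 'FLAG\t%s\t%s not in allowed set\n' "$bssid" "$method" ;;
    esac
  done
}

# Constructed sample of tshark output: AP ...01 negotiates PEAP, AP ...02 EAP-TLS.
sample_eap_frames() {
  printf 'AA:BB:CC:DD:EE:01\t11:22:33:44:55:66\t1\t1\n'
  printf 'AA:BB:CC:DD:EE:01\t11:22:33:44:55:66\t2\t1\n'
  printf 'AA:BB:CC:DD:EE:01\t11:22:33:44:55:66\t1\t25\n'
  printf 'AA:BB:CC:DD:EE:01\t11:22:33:44:55:66\t2\t25\n'
  printf 'AA:BB:CC:DD:EE:02\t11:22:33:44:55:77\t1\t13\n'
  printf 'AA:BB:CC:DD:EE:02\t11:22:33:44:55:77\t2\t13\n'
  printf 'AA:BB:CC:DD:EE:02\t11:22:33:44:55:77\t3\t\n'
}

# Real usage:
#   tshark -r survey-01.cap -Y eap -T fields -e wlan.bssid -e wlan.sa -e eap.code -e eap.type \
#     | summarize_eap | check_eap_policy "EAP-TLS"
if [ "${1:-}" = "--demo" ]; then
  sample_eap_frames | summarize_eap
  sample_eap_frames | summarize_eap | check_eap_policy "EAP-TLS"
fi
```

Run with `--demo` to see the constructed sample produce one PEAP line and one EAP-TLS line, then a single FLAG for the PEAP BSSID when only EAP-TLS is allowed. Inner methods tunnelled inside PEAP or EAP-TTLS are encrypted and will not appear; those still have to come from the client configuration profiles.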
#Rogue AP Analysis
Flag, but do not automatically classify, duplicate SSIDs with unexpected BSSIDs, vendors, channels, encryption modes, or signal locations. Compare observations with the organization-provided controller inventory.
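The comparison described above, as an added example that is not part of the original page: it reads the AP section of the airodump-ng CSV written by the survey script and a controller inventory, prints inventory BSSIDs whose SSID, channel or privacy mode differ from the record as REVIEW, prints approved SSIDs seen on unknown BSSIDs as DUPLICATE-SSID, and reports unrelated networks only as a count so that out-of-scope identifiers are not retained. The inventory format (bssid,ssid,channel,privacy), the airodump-ng column positions (BSSID first, channel fourth, Privacy sixth, ESSID fourteenth) and all sample rows are assumptions made for this example; check the column order against the header line of the real CSV.

```shell
#!/bin/sh
# Added example (not from the original page): compare the AP section of an
# airodump-ng CSV with an organisation-provided controller inventory and print
# items for human review. Inventory format and sample rows are constructed.
set -eu

# $1: airodump-ng CSV, $2: inventory CSV (bssid,ssid,channel,privacy with a header).
# Output, tab-separated: KNOWN, REVIEW (inventory BSSID with changed attributes),
# DUPLICATE-SSID (approved SSID on a BSSID the controller does not know) and a
# final UNRELATED-COUNT; identifiers of unrelated networks are deliberately not printed.
# airodump-ng does not quote fields, so an ESSID containing a comma would shift columns.
compare_aps() {
  awk -F ',' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    FILENAME == ARGV[1] {               # first argument: inventory
      if (FNR == 1) next                # header row
      b = toupper(trim($1))
      inv_ssid[b] = trim($2); inv_ch[b] = trim($3); inv_priv[b] = trim($4)
      approved_ssid[trim($2)] = 1
      next
    }
    /^Station MAC/ { exit }             # end of the AP section; END still runs
    $1 !~ /:/ { next }                  # blank line or AP header row
    {
      b = toupper(trim($1)); ch = trim($4); priv = trim($6); ssid = trim($14)
      if (b in inv_ssid) {
        diff = ""
        if (ssid != inv_ssid[b]) diff = diff " ssid=" ssid "(expected " inv_ssid[b] ")"
        if (ch != inv_ch[b])     diff = diff " channel=" ch "(expected " inv_ch[b] ")"
        if (priv != inv_priv[b]) diff = diff " privacy=" priv "(expected " inv_priv[b] ")"
        if (diff == "") print "KNOWN\t" b "\t" ssid
        else            print "REVIEW\t" b "\t" ssid "\t" trim(diff)
      } else if (ssid in approved_ssid) {
        print "DUPLICATE-SSID\t" b "\t" ssid "\tchannel=" ch " privacy=" priv
      } else {
        unrelated++
      }
    }
    END { print "UNRELATED-COUNT\t" unrelated + 0 }
  ' "$2" "$1"
}

# Constructed airodump-ng style CSV: two known corporate APs, an unknown BSSID
# advertising the corporate SSID, a guest AP whose privacy mode drifted, and a neighbour.
sample_survey_csv() {
  printf '\nBSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\n'
  printf 'AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, MGT, -40, 120, 0,   0.  0.  0.  0,  8, CorpWiFi, \n'
  printf 'AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 54, WPA2, CCMP, MGT, -55,  90, 0,   0.  0.  0.  0,  8, CorpWiFi, \n'
  printf 'DE:AD:BE:EF:00:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -35,  60, 0,   0.  0.  0.  0,  8, CorpWiFi, \n'
  printf 'AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 54, OPN ,     ,    , -60,  30, 0,   0.  0.  0.  0,  5, Guest, \n'
  printf '11:22:33:44:55:66, 2024-01-01 10:02:00, 2024-01-01 10:05:00,  3, 54, WPA2, CCMP, PSK, -80,  10, 0,   0.  0.  0.  0,  9, Neighbour, \n'
  printf '\nStation MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs\n'
}

# Constructed controller inventory.
sample_inventory_csv() {
  printf 'bssid,ssid,channel,privacy\n'
  printf 'AA:BB:CC:DD:EE:01,CorpWiFi,6,WPA2\n'
  printf 'AA:BB:CC:DD:EE:02,CorpWiFi,36,WPA2\n'
  printf 'AA:BB:CC:DD:EE:03,Guest,1,WPA2\n'
}

# Real usage: compare_aps "$OUT/survey-01.csv" controller-inventory.csv
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp -d)"
  sample_survey_csv > "$tmp/survey-01.csv"
  sample_inventory_csv > "$tmp/inventory.csv"
  compare_aps "$tmp/survey-01.csv" "$tmp/inventory.csv"
  rm -rf "$tmp"
fi
```

Every line other than KNOWN is a candidate for the manual classification the text calls for: a DUPLICATE-SSID entry may be an unregistered access point or a stale inventory, and a channel REVIEW may simply be automatic radio management, so the script ranks nothing.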